├── MyDll ├── stdafx.cpp ├── MyDll.cpp ├── MyDll.vcxproj.user ├── targetver.h ├── stdafx.h ├── dllmain.cpp ├── MyDll.vcxproj.filters └── MyDll.vcxproj ├── .gitattributes ├── snapshot1.jpg ├── Loader ├── loader.cpp ├── Loader.vcxproj.user ├── Loader.vcxproj.filters └── Loader.vcxproj ├── driver_inject.cpp ├── driver_inject.v12.suo ├── bin └── driver_inject_x64.sys ├── Input_dll ├── Input_dll.vcxproj.user ├── Input_dll.vcxproj.filters ├── main.cpp └── Input_dll.vcxproj ├── misc.h ├── pe.h ├── ntdll.h ├── ssdt.h ├── driver_inject.vcxproj.user ├── .gitignore ├── readme.md ├── _global.h ├── hooklib.h ├── misc.cpp ├── _global.cpp ├── hooklib.cpp ├── driver_inject.vcxproj.filters ├── ntdll.cpp ├── undocumented.h ├── driver_inject.sln ├── pe.cpp ├── driver_inject.vcxproj ├── ssdt.cpp ├── undocumented.cpp └── MemLoadDll.h /MyDll/stdafx.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | *.h linguist-language=c++ 2 | *.cpp linguist-language=c++ 3 | -------------------------------------------------------------------------------- /snapshot1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/danielkrupinski/DriverInjectDll/HEAD/snapshot1.jpg -------------------------------------------------------------------------------- /MyDll/MyDll.cpp: -------------------------------------------------------------------------------- 1 | // MyDll.cpp : 定义 DLL 应用程序的导出函数。 2 | // 3 | 4 | #include "stdafx.h" 5 | 6 | 7 | -------------------------------------------------------------------------------- /Loader/loader.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/danielkrupinski/DriverInjectDll/HEAD/Loader/loader.cpp -------------------------------------------------------------------------------- /driver_inject.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/danielkrupinski/DriverInjectDll/HEAD/driver_inject.cpp -------------------------------------------------------------------------------- /driver_inject.v12.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/danielkrupinski/DriverInjectDll/HEAD/driver_inject.v12.suo -------------------------------------------------------------------------------- /bin/driver_inject_x64.sys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/danielkrupinski/DriverInjectDll/HEAD/bin/driver_inject_x64.sys -------------------------------------------------------------------------------- /Loader/Loader.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /MyDll/MyDll.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /Input_dll/Input_dll.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /MyDll/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // 包括 SDKDDKVer.h 将定义可用的最高版本的 Windows 平台。 4 | 5 | // 如果要为以前的 Windows 平台生成应用程序，请包括 WinSDKVer.h，并 6 | // 将 _WIN32_WINNT 宏设置为要支持的平台，然后再包括 SDKDDKVer.h。 7 | 8 | #include 9 | -------------------------------------------------------------------------------- /misc.h: -------------------------------------------------------------------------------- 1 | #ifndef _MISC_H 2 | #define _MISC_H 3 | 4 | #include "_global.h" 5 | 6 | class Misc 7 | { 8 | public: 9 | static ULONG GetProcessIDFromProcessHandle(HANDLE ProcessHandle); 10 | static ULONG GetProcessIDFromThreadHandle(HANDLE ThreadHandle); 11 | }; 12 | 13 | #endif -------------------------------------------------------------------------------- /MyDll/stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h: 标准系统包含文件的包含文件， 2 | // 或是经常使用但不常更改的 3 | // 项目特定的包含文件 4 | // 5 | 6 | #pragma once 7 | 8 | #define _CRT_SECURE_NO_WARNINGS 9 | 10 | #include "targetver.h" 11 | 12 | #define WIN32_LEAN_AND_MEAN // 从 Windows 头文件中排除极少使用的内容 13 | // Windows 头文件 14 | #include 15 | 16 | 17 | 18 | // 在此处引用程序需要的其他标头 19 | -------------------------------------------------------------------------------- /pe.h: -------------------------------------------------------------------------------- 1 | #ifndef _PE_H 2 | #define _PE_H 3 | 4 | #include "_global.h" 5 | 6 | #define PE_ERROR_VALUE (ULONG)-1 7 | 8 | class PE 9 | { 10 | public: 11 | static PVOID GetPageBase(PVOID lpHeader, ULONG* Size, PVOID ptr); 12 | static ULONG GetExportOffset(const unsigned char* FileData, ULONG FileSize, const char* ExportName); 13 | }; 14 | 15 | #endif -------------------------------------------------------------------------------- /ntdll.h: -------------------------------------------------------------------------------- 1 | #ifndef _NTDLL_H 2 | #define _NTDLL_H 3 | 4 | #include "_global.h" 5 | 6 | class NTDLL 7 | { 8 | public: 9 | static NTSTATUS Initialize(); 10 | static void Deinitialize(); 11 | static int GetExportSsdtIndex(const char* ExportName); 12 | 13 | private: 14 | static unsigned char* FileData; 15 | static ULONG FileSize; 16 | }; 17 | 18 | #endif //_NTDLL_H -------------------------------------------------------------------------------- /ssdt.h: -------------------------------------------------------------------------------- 1 | #ifndef _SSDT_H 2 | #define _SSDT_H 3 | 4 | #include "_global.h" 5 | #include "hooklib.h" 6 | 7 | class SSDT 8 | { 9 | public: 10 | static PVOID GetFunctionAddress(const char* apiname); 11 | static HOOK Hook(const char* apiname, void* newfunc); 12 | static void Hook(HOOK hHook); 13 | static void Unhook(HOOK hHook, bool free = false); 14 | }; 15 | 16 | #endif -------------------------------------------------------------------------------- /driver_inject.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Off 5 | 6 | 7 | Off 8 | 9 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Prerequisites 2 | *.d 3 | 4 | # Compiled Object files 5 | *.slo 6 | *.lo 7 | *.o 8 | *.obj 9 | 10 | # Precompiled Headers 11 | *.gch 12 | *.pch 13 | 14 | # Compiled Dynamic libraries 15 | *.so 16 | *.dylib 17 | *.dll 18 | 19 | # Fortran module files 20 | *.mod 21 | *.smod 22 | 23 | # Compiled Static libraries 24 | *.lai 25 | *.la 26 | *.a 27 | *.lib 28 | 29 | # Executables 30 | *.exe 31 | *.out 32 | *.app 33 | .vs/ 34 | Temp/ 35 | -------------------------------------------------------------------------------- /readme.md: -------------------------------------------------------------------------------- 1 | # DriverInjectDll 2 | 3 | ## Introduction 4 | 5 | Using Driver Global Injection dll, it can hide DLL modules. You need to determine the process name you want in DllMain 6 | 7 | ## Develop 8 | 9 | #### DriverInjectDll 10 | driver program 11 | 12 | #### Input_dll 13 | Tell the driver to inject DLL binary data 14 | 15 | #### Loader 16 | Shelcode for Memory Loaded DLL 17 | 18 | #### MyDll 19 | TODO: Judging Injected Process Name in DLLMain 20 | 21 | # Build 22 | vs2008-vs2017 23 | 24 | wdk7-wdk10 25 | 26 | # How Use 27 | step1: install and start driver program 28 | 29 | step2: run Input_dll.exe 30 | 31 | # screen snapshot 32 | ![avatar](./snapshot1.jpg) 33 | 34 | ## Support 35 | 36 | Win7-Win10 x64 -------------------------------------------------------------------------------- /_global.h: -------------------------------------------------------------------------------- 1 | #ifndef _GLOBAL_H 2 | #define _GLOBAL_H 3 | 4 | #ifndef _WIN32_WINNT 5 | #define _WIN32_WINNT 0x0501 6 | #endif 7 | 8 | #ifdef __cplusplus 9 | extern "C" 10 | { 11 | #endif 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | 20 | #ifdef __cplusplus 21 | } 22 | #endif 23 | 24 | 25 | #ifdef DBG 26 | #define DPRINT(...) DbgPrint(__VA_ARGS__) 27 | #else 28 | #define DPRINT(...) 29 | #endif 30 | 31 | void* RtlAllocateMemory(bool InZeroMemory, SIZE_T InSize); 32 | void RtlFreeMemory(void* InPointer); 33 | NTSTATUS RtlSuperCopyMemory(IN VOID UNALIGNED* Destination, IN CONST VOID UNALIGNED* Source, IN ULONG Length); 34 | 35 | #endif -------------------------------------------------------------------------------- /hooklib.h: -------------------------------------------------------------------------------- 1 | #ifndef _HOOKLIB_H_ 2 | #define _HOOKLIB_H_ 3 | 4 | #include "_global.h" 5 | 6 | #pragma pack(push,1) 7 | struct HOOKOPCODES 8 | { 9 | #ifdef _WIN64 10 | unsigned short int mov; 11 | #else 12 | unsigned char mov; 13 | #endif 14 | ULONG_PTR addr; 15 | unsigned char push; 16 | unsigned char ret; 17 | }; 18 | #pragma pack(pop) 19 | 20 | typedef struct HOOKSTRUCT 21 | { 22 | ULONG_PTR addr; 23 | HOOKOPCODES hook; 24 | unsigned char orig[sizeof(HOOKOPCODES)]; 25 | //SSDT extension 26 | int SSDTindex; 27 | LONG SSDTold; 28 | LONG SSDTnew; 29 | ULONG_PTR SSDTaddress; 30 | }* HOOK; 31 | 32 | class Hooklib 33 | { 34 | public: 35 | static HOOK Hook(PVOID api, void* newfunc); 36 | static bool Hook(HOOK hook); 37 | static bool Unhook(HOOK hook, bool free = false); 38 | }; 39 | 40 | #endif //_HOOKLIB_H_ 41 | -------------------------------------------------------------------------------- /Loader/Loader.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 源文件 20 | 21 | 22 | -------------------------------------------------------------------------------- /Input_dll/Input_dll.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 源文件 20 | 21 | 22 | -------------------------------------------------------------------------------- /misc.cpp: -------------------------------------------------------------------------------- 1 | #include "misc.h" 2 | #include "undocumented.h" 3 | 4 | ULONG Misc::GetProcessIDFromProcessHandle(HANDLE ProcessHandle) 5 | { 6 | PROCESS_BASIC_INFORMATION PBI; 7 | if(NT_SUCCESS(Undocumented::ZwQueryInformationProcess(ProcessHandle, ProcessBasicInformation, &PBI, sizeof(PBI), NULL))) 8 | return (ULONG)PBI.UniqueProcessId; 9 | else 10 | return 0; 11 | } 12 | 13 | ULONG Misc::GetProcessIDFromThreadHandle(HANDLE ThreadHandle) 14 | { 15 | typedef struct _THREAD_BASIC_INFORMATION 16 | { 17 | NTSTATUS ExitStatus; 18 | PVOID TebBaseAddress; 19 | CLIENT_ID ClientId; 20 | KAFFINITY AffinityMask; 21 | KPRIORITY Priority; 22 | KPRIORITY BasePriority; 23 | } THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION; 24 | THREAD_BASIC_INFORMATION TBI; 25 | if(NT_SUCCESS(Undocumented::ZwQueryInformationThread(ThreadHandle, ThreadBasicInformation, &TBI, sizeof(TBI), NULL))) 26 | return PtrToUlong(TBI.ClientId.UniqueProcess); 27 | else 28 | return 0; 29 | } 30 | -------------------------------------------------------------------------------- /MyDll/dllmain.cpp: -------------------------------------------------------------------------------- 1 | // dllmain.cpp : 定义 DLL 应用程序的入口点。 2 | #include "stdafx.h" 3 | #include 4 | #include 5 | 6 | #pragma comment(lib,"Shlwapi.lib") 7 | 8 | DWORD __stdcall WorkThread(LPVOID lpram) 9 | { 10 | TCHAR modulePtah[MAX_PATH]; 11 | TCHAR exeName[MAX_PATH]; 12 | GetModuleFileName(NULL, modulePtah, MAX_PATH); 13 | _tcscat(modulePtah, _T(" -> Inject OK!")); 14 | MessageBox(NULL, modulePtah, _T("Info"), MB_ICONINFORMATION); 15 | 16 | _tcscpy(exeName, modulePtah); 17 | PathStripPath(exeName); 18 | if (_tcsicmp(exeName, _T("xxxxxxx.exe")) != 0) 19 | { 20 | return 0; 21 | } 22 | 23 | // 24 | // TODO 25 | // 26 | 27 | 28 | 29 | 30 | return 0; 31 | } 32 | 33 | BOOL APIENTRY DllMain( HMODULE hModule, 34 | DWORD ul_reason_for_call, 35 | LPVOID lpReserved 36 | ) 37 | { 38 | switch (ul_reason_for_call) 39 | { 40 | case DLL_PROCESS_ATTACH: 41 | { 42 | HANDLE hTread = CreateThread(NULL, NULL, WorkThread, NULL, NULL, NULL); 43 | if (hTread) 44 | { 45 | CloseHandle(hTread); 46 | } 47 | break; 48 | } 49 | case DLL_THREAD_ATTACH: 50 | case DLL_THREAD_DETACH: 51 | case DLL_PROCESS_DETACH: 52 | break; 53 | } 54 | return TRUE; 55 | } 56 | 57 | -------------------------------------------------------------------------------- /_global.cpp: -------------------------------------------------------------------------------- 1 | #include "_global.h" 2 | 3 | void* RtlAllocateMemory(bool InZeroMemory, SIZE_T InSize) 4 | { 5 | void* Result = ExAllocatePoolWithTag(NonPagedPool, InSize, 'HIDE'); 6 | if(InZeroMemory && (Result != NULL)) 7 | RtlZeroMemory(Result, InSize); 8 | return Result; 9 | } 10 | 11 | void RtlFreeMemory(void* InPointer) 12 | { 13 | ExFreePool(InPointer); 14 | } 15 | 16 | //Based on: http://leguanyuan.blogspot.nl/2013/09/x64-inline-hook-zwcreatesection.html 17 | NTSTATUS RtlSuperCopyMemory(IN VOID UNALIGNED* Destination, IN CONST VOID UNALIGNED* Source, IN ULONG Length) 18 | { 19 | //Change memory properties. 20 | PMDL g_pmdl = IoAllocateMdl(Destination, Length, 0, 0, NULL); 21 | if(!g_pmdl) 22 | return STATUS_UNSUCCESSFUL; 23 | MmBuildMdlForNonPagedPool(g_pmdl); 24 | unsigned int* Mapped = (unsigned int*)MmMapLockedPages(g_pmdl, KernelMode); 25 | if(!Mapped) 26 | { 27 | IoFreeMdl(g_pmdl); 28 | return STATUS_UNSUCCESSFUL; 29 | } 30 | KIRQL kirql = KeRaiseIrqlToDpcLevel(); 31 | RtlCopyMemory(Mapped, Source, Length); 32 | KeLowerIrql(kirql); 33 | //Restore memory properties. 34 | MmUnmapLockedPages((PVOID)Mapped, g_pmdl); 35 | IoFreeMdl(g_pmdl); 36 | return STATUS_SUCCESS; 37 | } -------------------------------------------------------------------------------- /MyDll/MyDll.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 头文件 20 | 21 | 22 | 头文件 23 | 24 | 25 | 26 | 27 | 源文件 28 | 29 | 30 | 源文件 31 | 32 | 33 | 源文件 34 | 35 | 36 | -------------------------------------------------------------------------------- /hooklib.cpp: -------------------------------------------------------------------------------- 1 | #include "hooklib.h" 2 | 3 | 4 | static HOOK hook_internal(ULONG_PTR addr, void* newfunc) 5 | { 6 | //allocate structure 7 | HOOK hook = (HOOK)RtlAllocateMemory(true, sizeof(HOOKSTRUCT)); 8 | //set hooking address 9 | hook->addr = addr; 10 | //set hooking opcode 11 | #ifdef _WIN64 12 | hook->hook.mov = 0xB848; 13 | #else 14 | hook->hook.mov = 0xB8; 15 | #endif 16 | hook->hook.addr = (ULONG_PTR)newfunc; 17 | hook->hook.push = 0x50; 18 | hook->hook.ret = 0xc3; 19 | //set original data 20 | RtlCopyMemory(&hook->orig, (const void*)addr, sizeof(HOOKOPCODES)); 21 | if(!NT_SUCCESS(RtlSuperCopyMemory((void*)addr, &hook->hook, sizeof(HOOKOPCODES)))) 22 | { 23 | RtlFreeMemory(hook); 24 | return 0; 25 | } 26 | return hook; 27 | } 28 | 29 | HOOK Hooklib::Hook(PVOID api, void* newfunc) 30 | { 31 | ULONG_PTR addr = (ULONG_PTR)api; 32 | if(!addr) 33 | return 0; 34 | DPRINT("[DeugMessage] hook(0x%p, 0x%p)\r\n", addr, newfunc); 35 | return hook_internal(addr, newfunc); 36 | } 37 | 38 | bool Hooklib::Hook(HOOK hook) 39 | { 40 | if(!hook) 41 | return false; 42 | return (NT_SUCCESS(RtlSuperCopyMemory((void*)hook->addr, &hook->hook, sizeof(HOOKOPCODES)))); 43 | } 44 | 45 | bool Hooklib::Unhook(HOOK hook, bool free) 46 | { 47 | if(!hook || !hook->addr) 48 | return false; 49 | if(NT_SUCCESS(RtlSuperCopyMemory((void*)hook->addr, hook->orig, sizeof(HOOKOPCODES)))) 50 | { 51 | if(free) 52 | RtlFreeMemory(hook); 53 | return true; 54 | } 55 | return false; 56 | } 57 | -------------------------------------------------------------------------------- /driver_inject.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | Header Files 29 | 30 | 31 | Header Files 32 | 33 | 34 | Header Files 35 | 36 | 37 | Header Files 38 | 39 | 40 | Header Files 41 | 42 | 43 | Header Files 44 | 45 | 46 | 47 | 48 | Source Files 49 | 50 | 51 | Source Files 52 | 53 | 54 | Source Files 55 | 56 | 57 | Source Files 58 | 59 | 60 | Source Files 61 | 62 | 63 | Source Files 64 | 65 | 66 | Source Files 67 | 68 | 69 | Source Files 70 | 71 | 72 | -------------------------------------------------------------------------------- /Input_dll/main.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #define IOCTL_SET_INJECT_X86DLL \ 6 | CTL_CODE(FILE_DEVICE_UNKNOWN, 0x900, METHOD_IN_DIRECT, FILE_ANY_ACCESS) 7 | 8 | #define IOCTL_SET_INJECT_X64DLL \ 9 | CTL_CODE(FILE_DEVICE_UNKNOWN, 0x901, METHOD_IN_DIRECT, FILE_ANY_ACCESS) 10 | 11 | 12 | PVOID MyReadFile(WCHAR* fileName, PULONG fileSize) 13 | { 14 | HANDLE fileHandle = NULL; 15 | DWORD readd = 0; 16 | PVOID fileBufPtr = NULL; 17 | 18 | fileHandle = CreateFile( 19 | fileName, 20 | GENERIC_READ, 21 | FILE_SHARE_READ, 22 | NULL, 23 | OPEN_EXISTING, 24 | FILE_ATTRIBUTE_NORMAL, 25 | NULL); 26 | 27 | if (fileHandle == INVALID_HANDLE_VALUE) 28 | { 29 | *fileSize = 0; 30 | return NULL; 31 | } 32 | 33 | *fileSize = GetFileSize(fileHandle, NULL); 34 | 35 | fileBufPtr = calloc(1, *fileSize); 36 | 37 | if (!ReadFile(fileHandle, fileBufPtr, *fileSize, &readd, NULL)) 38 | { 39 | free(fileBufPtr); 40 | fileBufPtr = NULL; 41 | *fileSize = 0; 42 | } 43 | 44 | CloseHandle(fileHandle); 45 | return fileBufPtr; 46 | 47 | } 48 | 49 | 50 | int main() 51 | { 52 | BOOL result; 53 | DWORD returnLen; 54 | char output; 55 | 56 | HANDLE hDevice = NULL; 57 | 58 | PVOID dllx64Ptr = NULL; 59 | PVOID dllx86Ptr = NULL; 60 | 61 | ULONG dllx64Size = 0; 62 | ULONG dllx86Size = 0; 63 | 64 | hDevice = CreateFile(L"\\\\.\\CrashDumpUpload", 65 | NULL, 66 | NULL, 67 | NULL, 68 | OPEN_EXISTING, 69 | NULL, 70 | NULL); 71 | 72 | if (hDevice == INVALID_HANDLE_VALUE) 73 | { 74 | std::cout << "connect device fail." << std::endl; 75 | goto __exit; 76 | } 77 | 78 | 79 | dllx64Ptr = MyReadFile(L"MyDll_x64.dll", &dllx64Size); 80 | if (dllx64Ptr == NULL) 81 | { 82 | std::cout << "can not read MyDll_x64.dll." << std::endl; 83 | goto __exit; 84 | } 85 | 86 | dllx86Ptr = MyReadFile(L"MyDll_x86.dll", &dllx86Size); 87 | if (dllx86Ptr == NULL) 88 | { 89 | std::cout << "can not read MyDll_x86.dll." << std::endl; 90 | goto __exit; 91 | } 92 | 93 | result = DeviceIoControl( 94 | hDevice, 95 | IOCTL_SET_INJECT_X86DLL, 96 | dllx86Ptr, 97 | dllx86Size, 98 | &output, 99 | sizeof(char), 100 | &returnLen, 101 | NULL); 102 | 103 | std::cout << (result ? "ok x86dll" : "fail x86dll") << std::endl; 104 | 105 | result = DeviceIoControl( 106 | hDevice, 107 | IOCTL_SET_INJECT_X64DLL, 108 | dllx64Ptr, 109 | dllx64Size, 110 | &output, 111 | sizeof(char), 112 | &returnLen, 113 | NULL); 114 | 115 | std::cout << (result ? "ok x64dll" : "fail x64dll") << std::endl; 116 | 117 | 118 | __exit: 119 | if (hDevice != NULL) 120 | { 121 | CloseHandle(hDevice); 122 | } 123 | if (dllx64Ptr) 124 | { 125 | free(dllx64Ptr); 126 | } 127 | if (dllx86Ptr) 128 | { 129 | free(dllx86Ptr); 130 | } 131 | getchar(); 132 | return 0; 133 | } -------------------------------------------------------------------------------- /ntdll.cpp: -------------------------------------------------------------------------------- 1 | #include "ntdll.h" 2 | 3 | #include "pe.h" 4 | 5 | unsigned char* NTDLL::FileData = 0; 6 | ULONG NTDLL::FileSize = 0; 7 | 8 | NTSTATUS NTDLL::Initialize() 9 | { 10 | UNICODE_STRING FileName; 11 | OBJECT_ATTRIBUTES ObjectAttributes; 12 | RtlInitUnicodeString(&FileName, L"\\SystemRoot\\system32\\ntdll.dll"); 13 | InitializeObjectAttributes(&ObjectAttributes, &FileName, 14 | OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, 15 | NULL, NULL); 16 | 17 | if(KeGetCurrentIrql() != PASSIVE_LEVEL) 18 | { 19 | #ifdef _DEBUG 20 | DPRINT("[DeugMessage] KeGetCurrentIrql != PASSIVE_LEVEL!\n"); 21 | #endif 22 | return STATUS_UNSUCCESSFUL; 23 | } 24 | 25 | HANDLE FileHandle; 26 | IO_STATUS_BLOCK IoStatusBlock; 27 | NTSTATUS NtStatus = ZwCreateFile(&FileHandle, 28 | GENERIC_READ, 29 | &ObjectAttributes, 30 | &IoStatusBlock, NULL, 31 | FILE_ATTRIBUTE_NORMAL, 32 | FILE_SHARE_READ, 33 | FILE_OPEN, 34 | FILE_SYNCHRONOUS_IO_NONALERT, 35 | NULL, 0); 36 | if(NT_SUCCESS(NtStatus)) 37 | { 38 | FILE_STANDARD_INFORMATION StandardInformation = { 0 }; 39 | NtStatus = ZwQueryInformationFile(FileHandle, &IoStatusBlock, &StandardInformation, sizeof(FILE_STANDARD_INFORMATION), FileStandardInformation); 40 | if(NT_SUCCESS(NtStatus)) 41 | { 42 | FileSize = StandardInformation.EndOfFile.LowPart; 43 | DPRINT("[DeugMessage] FileSize of ntdll.dll is %08X!\r\n", StandardInformation.EndOfFile.LowPart); 44 | FileData = (unsigned char*)RtlAllocateMemory(true, FileSize); 45 | 46 | LARGE_INTEGER ByteOffset; 47 | ByteOffset.LowPart = ByteOffset.HighPart = 0; 48 | NtStatus = ZwReadFile(FileHandle, 49 | NULL, NULL, NULL, 50 | &IoStatusBlock, 51 | FileData, 52 | FileSize, 53 | &ByteOffset, NULL); 54 | 55 | if(!NT_SUCCESS(NtStatus)) 56 | { 57 | RtlFreeMemory(FileData); 58 | DPRINT("[DeugMessage] ZwReadFile failed with status %08X...\r\n", NtStatus); 59 | } 60 | } 61 | else 62 | DPRINT("[DeugMessage] ZwQueryInformationFile failed with status %08X...\r\n", NtStatus); 63 | ZwClose(FileHandle); 64 | } 65 | else 66 | DPRINT("[DeugMessage] ZwCreateFile failed with status %08X...\r\n", NtStatus); 67 | return NtStatus; 68 | } 69 | 70 | void NTDLL::Deinitialize() 71 | { 72 | RtlFreeMemory(FileData); 73 | } 74 | 75 | int NTDLL::GetExportSsdtIndex(const char* ExportName) 76 | { 77 | ULONG_PTR ExportOffset = PE::GetExportOffset(FileData, FileSize, ExportName); 78 | if(ExportOffset == PE_ERROR_VALUE) 79 | return -1; 80 | 81 | int SsdtOffset = -1; 82 | unsigned char* ExportData = FileData + ExportOffset; 83 | for(int i = 0; i < 32 && ExportOffset + i < FileSize; i++) 84 | { 85 | if(ExportData[i] == 0xC2 || ExportData[i] == 0xC3) //RET 86 | break; 87 | if(ExportData[i] == 0xB8) //mov eax,X 88 | { 89 | SsdtOffset = *(int*)(ExportData + i + 1); 90 | break; 91 | } 92 | } 93 | 94 | if(SsdtOffset == -1) 95 | { 96 | DPRINT("[DeugMessage] SSDT Offset for %s not found...\r\n", ExportName); 97 | } 98 | 99 | return SsdtOffset; 100 | } -------------------------------------------------------------------------------- /undocumented.h: -------------------------------------------------------------------------------- 1 | #ifndef _UNDOCUMENTED_H 2 | #define _UNDOCUMENTED_H 3 | 4 | #include "_global.h" 5 | 6 | //structures 7 | typedef struct _OBJECT_TYPE_INFORMATION 8 | { 9 | UNICODE_STRING TypeName; 10 | ULONG TotalNumberOfHandles; 11 | ULONG TotalNumberOfObjects; 12 | } OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION; 13 | 14 | typedef struct _OBJECT_ALL_INFORMATION 15 | { 16 | ULONG NumberOfObjects; 17 | OBJECT_TYPE_INFORMATION ObjectTypeInformation[1]; 18 | } OBJECT_ALL_INFORMATION, *POBJECT_ALL_INFORMATION; 19 | 20 | /* 21 | //enums 22 | typedef enum _OBJECT_INFORMATION_CLASS 23 | { 24 | ObjectTypeInformation = 2, 25 | ObjectTypesInformation = 3 26 | } OBJECT_INFORMATION_CLASS, *POBJECT_INFORMATION_CLASS; 27 | */ 28 | 29 | typedef enum _SYSTEM_INFORMATION_CLASS 30 | { 31 | SystemModuleInformation = 11, 32 | SystemKernelDebuggerInformation = 35 33 | } SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS; 34 | 35 | typedef enum _SYSDBG_COMMAND 36 | { 37 | SysDbgGetTriageDump = 29, 38 | } SYSDBG_COMMAND, *PSYSDBG_COMMAND; 39 | 40 | class Undocumented 41 | { 42 | public: 43 | static NTSTATUS NTAPI ZwQueryInformationProcess( 44 | IN HANDLE ProcessHandle, 45 | IN PROCESSINFOCLASS ProcessInformationClass, 46 | OUT PVOID ProcessInformation, 47 | IN ULONG ProcessInformationLength, 48 | OUT PULONG ReturnLength OPTIONAL); 49 | 50 | static NTSTATUS NTAPI ZwQueryInformationThread( 51 | IN HANDLE ThreadHandle, 52 | IN THREADINFOCLASS ThreadInformationClass, 53 | IN OUT PVOID ThreadInformation, 54 | IN ULONG ThreadInformationLength, 55 | OUT PULONG ReturnLength OPTIONAL); 56 | 57 | static NTSTATUS NTAPI NtQueryObject( 58 | IN HANDLE Handle OPTIONAL, 59 | IN OBJECT_INFORMATION_CLASS ObjectInformationClass, 60 | OUT PVOID ObjectInformation OPTIONAL, 61 | IN ULONG ObjectInformationLength, 62 | OUT PULONG ReturnLength OPTIONAL); 63 | 64 | static NTSTATUS NTAPI ZwQuerySystemInformation( 65 | IN SYSTEM_INFORMATION_CLASS SystemInformationClass, 66 | OUT PVOID SystemInformation, 67 | IN ULONG SystemInformationLength, 68 | OUT PULONG ReturnLength OPTIONAL); 69 | 70 | static NTSTATUS NTAPI NtQuerySystemInformation( 71 | IN SYSTEM_INFORMATION_CLASS SystemInformationClass, 72 | OUT PVOID SystemInformation, 73 | IN ULONG SystemInformationLength, 74 | OUT PULONG ReturnLength OPTIONAL); 75 | 76 | static NTSTATUS NTAPI NtClose( 77 | IN HANDLE Handle); 78 | 79 | static NTSTATUS NTAPI NtSetContextThread( 80 | IN HANDLE ThreadHandle, 81 | IN PCONTEXT Context); 82 | 83 | static NTSTATUS NTAPI NtContinue( 84 | IN PCONTEXT Context, 85 | BOOLEAN RaiseAlert); 86 | 87 | static NTSTATUS NTAPI NtDuplicateObject( 88 | IN HANDLE SourceProcessHandle, 89 | IN HANDLE SourceHandle, 90 | IN HANDLE TargetProcessHandle, 91 | OUT PHANDLE TargetHandle, 92 | IN ACCESS_MASK DesiredAccess OPTIONAL, 93 | IN ULONG HandleAttributes, 94 | IN ULONG Options); 95 | 96 | static NTSTATUS NTAPI KeRaiseUserException( 97 | IN NTSTATUS ExceptionCode); 98 | 99 | static NTSTATUS NTAPI NtSetInformationThread( 100 | IN HANDLE ThreadHandle, 101 | IN THREADINFOCLASS ThreadInformationClass, 102 | IN PVOID ThreadInformation, 103 | IN ULONG ThreadInformationLength); 104 | 105 | static NTSTATUS NTAPI NtSetInformationProcess( 106 | IN HANDLE ProcessHandle, 107 | IN PROCESSINFOCLASS ProcessInformationClass, 108 | IN PVOID ProcessInformation, 109 | IN ULONG ProcessInformationLength); 110 | 111 | static NTSTATUS NTAPI NtQueryInformationProcess( 112 | IN HANDLE ProcessHandle, 113 | IN PROCESSINFOCLASS ProcessInformationClass, 114 | OUT PVOID ProcessInformation, 115 | IN ULONG ProcessInformationLength, 116 | OUT PULONG ReturnLength OPTIONAL); 117 | 118 | static NTSTATUS NTAPI NtSystemDebugControl( 119 | IN SYSDBG_COMMAND Command, 120 | IN PVOID InputBuffer OPTIONAL, 121 | IN ULONG InputBufferLength OPTIONAL, 122 | OUT PVOID OutputBuffer, 123 | IN ULONG OutputBufferLength, 124 | OUT PULONG ReturnLength OPTIONAL); 125 | 126 | static bool UndocumentedInit(); 127 | static PVOID GetKernelBase(PULONG pImageSize = NULL); 128 | }; 129 | 130 | #endif 131 | -------------------------------------------------------------------------------- /Input_dll/Input_dll.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | 14 | {4B797ED2-6D2A-41A8-AF02-FD3F41F43637} 15 | Win32Proj 16 | Input_dll 17 | 10.0.17763.0 18 | 19 | 20 | 21 | Application 22 | true 23 | v141 24 | Unicode 25 | 26 | 27 | Application 28 | false 29 | v141 30 | true 31 | Unicode 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | true 45 | $(SolutionDir)\Bin\ 46 | $(SolutionDir)\Temp\$(ProjectName)\$(Configuration)\ 47 | $(ProjectName)_d 48 | 49 | 50 | false 51 | $(SolutionDir)\Bin\ 52 | $(SolutionDir)\Temp\$(ProjectName)\$(Configuration)\ 53 | 54 | 55 | 56 | 57 | 58 | Level3 59 | Disabled 60 | WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions) 61 | MultiThreadedDebug 62 | 63 | 64 | Console 65 | true 66 | 67 | 68 | 69 | 70 | Level3 71 | 72 | 73 | MaxSpeed 74 | true 75 | true 76 | WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions) 77 | MultiThreaded 78 | 79 | 80 | Console 81 | false 82 | true 83 | true 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | -------------------------------------------------------------------------------- /driver_inject.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 15 4 | VisualStudioVersion = 15.0.28307.168 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "driver_inject", "driver_inject.vcxproj", "{95EEC86A-C34A-4076-A55C-859BE9BFBDBF}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Input_dll", "Input_dll\Input_dll.vcxproj", "{4B797ED2-6D2A-41A8-AF02-FD3F41F43637}" 9 | EndProject 10 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "MyDll", "MyDll\MyDll.vcxproj", "{F6721DAC-1A78-4272-AD2E-A5F0189CF384}" 11 | EndProject 12 | Global 13 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 14 | Debug|x64 = Debug|x64 15 | Debug|x86 = Debug|x86 16 | Release|x64 = Release|x64 17 | Release|x86 = Release|x86 18 | Win7 Debug|x64 = Win7 Debug|x64 19 | Win7 Debug|x86 = Win7 Debug|x86 20 | Win7 Release|x64 = Win7 Release|x64 21 | Win7 Release|x86 = Win7 Release|x86 22 | EndGlobalSection 23 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 24 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Debug|x64.ActiveCfg = Win7 Debug|x64 25 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Debug|x64.Build.0 = Win7 Debug|x64 26 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Debug|x64.Deploy.0 = Win7 Debug|x64 27 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Debug|x86.ActiveCfg = Win7 Release|x64 28 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Debug|x86.Build.0 = Win7 Release|x64 29 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Debug|x86.Deploy.0 = Win7 Release|x64 30 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Release|x64.ActiveCfg = Win7 Release|x64 31 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Release|x64.Build.0 = Win7 Release|x64 32 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Release|x64.Deploy.0 = Win7 Release|x64 33 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Release|x86.ActiveCfg = Win7 Release|x64 34 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Release|x86.Build.0 = Win7 Release|x64 35 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Release|x86.Deploy.0 = Win7 Release|x64 36 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Win7 Debug|x64.ActiveCfg = Win7 Debug|x64 37 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Win7 Debug|x64.Build.0 = Win7 Debug|x64 38 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Win7 Debug|x64.Deploy.0 = Win7 Debug|x64 39 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Win7 Debug|x86.ActiveCfg = Win7 Debug|x64 40 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Win7 Release|x64.ActiveCfg = Win7 Release|x64 41 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Win7 Release|x64.Build.0 = Win7 Release|x64 42 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Win7 Release|x64.Deploy.0 = Win7 Release|x64 43 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Win7 Release|x86.ActiveCfg = Win7 Release|x64 44 | {4B797ED2-6D2A-41A8-AF02-FD3F41F43637}.Debug|x64.ActiveCfg = Debug|Win32 45 | {4B797ED2-6D2A-41A8-AF02-FD3F41F43637}.Debug|x86.ActiveCfg = Debug|Win32 46 | {4B797ED2-6D2A-41A8-AF02-FD3F41F43637}.Debug|x86.Build.0 = Debug|Win32 47 | {4B797ED2-6D2A-41A8-AF02-FD3F41F43637}.Release|x64.ActiveCfg = Release|Win32 48 | {4B797ED2-6D2A-41A8-AF02-FD3F41F43637}.Release|x86.ActiveCfg = Release|Win32 49 | {4B797ED2-6D2A-41A8-AF02-FD3F41F43637}.Release|x86.Build.0 = Release|Win32 50 | {4B797ED2-6D2A-41A8-AF02-FD3F41F43637}.Win7 Debug|x64.ActiveCfg = Debug|Win32 51 | {4B797ED2-6D2A-41A8-AF02-FD3F41F43637}.Win7 Debug|x86.ActiveCfg = Debug|Win32 52 | {4B797ED2-6D2A-41A8-AF02-FD3F41F43637}.Win7 Debug|x86.Build.0 = Debug|Win32 53 | {4B797ED2-6D2A-41A8-AF02-FD3F41F43637}.Win7 Release|x64.ActiveCfg = Release|Win32 54 | {4B797ED2-6D2A-41A8-AF02-FD3F41F43637}.Win7 Release|x86.ActiveCfg = Release|Win32 55 | {4B797ED2-6D2A-41A8-AF02-FD3F41F43637}.Win7 Release|x86.Build.0 = Release|Win32 56 | {F6721DAC-1A78-4272-AD2E-A5F0189CF384}.Debug|x64.ActiveCfg = Debug|x64 57 | {F6721DAC-1A78-4272-AD2E-A5F0189CF384}.Debug|x64.Build.0 = Debug|x64 58 | {F6721DAC-1A78-4272-AD2E-A5F0189CF384}.Debug|x86.ActiveCfg = Debug|Win32 59 | {F6721DAC-1A78-4272-AD2E-A5F0189CF384}.Debug|x86.Build.0 = Debug|Win32 60 | {F6721DAC-1A78-4272-AD2E-A5F0189CF384}.Release|x64.ActiveCfg = Release|x64 61 | {F6721DAC-1A78-4272-AD2E-A5F0189CF384}.Release|x64.Build.0 = Release|x64 62 | {F6721DAC-1A78-4272-AD2E-A5F0189CF384}.Release|x86.ActiveCfg = Release|Win32 63 | {F6721DAC-1A78-4272-AD2E-A5F0189CF384}.Release|x86.Build.0 = Release|Win32 64 | {F6721DAC-1A78-4272-AD2E-A5F0189CF384}.Win7 Debug|x64.ActiveCfg = Debug|x64 65 | {F6721DAC-1A78-4272-AD2E-A5F0189CF384}.Win7 Debug|x64.Build.0 = Debug|x64 66 | {F6721DAC-1A78-4272-AD2E-A5F0189CF384}.Win7 Debug|x86.ActiveCfg = Debug|Win32 67 | {F6721DAC-1A78-4272-AD2E-A5F0189CF384}.Win7 Debug|x86.Build.0 = Debug|Win32 68 | {F6721DAC-1A78-4272-AD2E-A5F0189CF384}.Win7 Release|x64.ActiveCfg = Release|x64 69 | {F6721DAC-1A78-4272-AD2E-A5F0189CF384}.Win7 Release|x64.Build.0 = Release|x64 70 | {F6721DAC-1A78-4272-AD2E-A5F0189CF384}.Win7 Release|x86.ActiveCfg = Release|Win32 71 | {F6721DAC-1A78-4272-AD2E-A5F0189CF384}.Win7 Release|x86.Build.0 = Release|Win32 72 | EndGlobalSection 73 | GlobalSection(SolutionProperties) = preSolution 74 | HideSolutionNode = FALSE 75 | EndGlobalSection 76 | GlobalSection(ExtensibilityGlobals) = postSolution 77 | SolutionGuid = {EAA1E363-62BE-4F35-B9BC-8B8C3D1C08C1} 78 | EndGlobalSection 79 | EndGlobal 80 | -------------------------------------------------------------------------------- /pe.cpp: -------------------------------------------------------------------------------- 1 | #include "pe.h" 2 | 3 | 4 | static ULONG RvaToSection(IMAGE_NT_HEADERS* pNtHdr, ULONG dwRVA) 5 | { 6 | USHORT wSections; 7 | PIMAGE_SECTION_HEADER pSectionHdr; 8 | pSectionHdr = IMAGE_FIRST_SECTION(pNtHdr); 9 | wSections = pNtHdr->FileHeader.NumberOfSections; 10 | for(int i = 0; i < wSections; i++) 11 | { 12 | if(pSectionHdr[i].VirtualAddress <= dwRVA) 13 | if((pSectionHdr[i].VirtualAddress + pSectionHdr[i].Misc.VirtualSize) > dwRVA) 14 | { 15 | return i; 16 | } 17 | } 18 | return (ULONG) - 1; 19 | } 20 | 21 | static ULONG RvaToOffset(PIMAGE_NT_HEADERS pnth, ULONG Rva, ULONG FileSize) 22 | { 23 | PIMAGE_SECTION_HEADER psh = IMAGE_FIRST_SECTION(pnth); 24 | USHORT NumberOfSections = pnth->FileHeader.NumberOfSections; 25 | for(int i = 0; i < NumberOfSections; i++) 26 | { 27 | if(psh->VirtualAddress <= Rva) 28 | { 29 | if((psh->VirtualAddress + psh->Misc.VirtualSize) > Rva) 30 | { 31 | Rva -= psh->VirtualAddress; 32 | Rva += psh->PointerToRawData; 33 | return Rva < FileSize ? Rva : PE_ERROR_VALUE; 34 | } 35 | } 36 | psh++; 37 | } 38 | return PE_ERROR_VALUE; 39 | } 40 | 41 | ULONG PE::GetExportOffset(const unsigned char* FileData, ULONG FileSize, const char* ExportName) 42 | { 43 | //Verify DOS Header 44 | PIMAGE_DOS_HEADER pdh = (PIMAGE_DOS_HEADER)FileData; 45 | if(pdh->e_magic != IMAGE_DOS_SIGNATURE) 46 | { 47 | DPRINT("[DeugMessage] Invalid IMAGE_DOS_SIGNATURE!\r\n"); 48 | return PE_ERROR_VALUE; 49 | } 50 | 51 | //Verify PE Header 52 | PIMAGE_NT_HEADERS pnth = (PIMAGE_NT_HEADERS)(FileData + pdh->e_lfanew); 53 | if(pnth->Signature != IMAGE_NT_SIGNATURE) 54 | { 55 | DPRINT("[DeugMessage] Invalid IMAGE_NT_SIGNATURE!\r\n"); 56 | return PE_ERROR_VALUE; 57 | } 58 | 59 | //Verify Export Directory 60 | PIMAGE_DATA_DIRECTORY pdd = NULL; 61 | if(pnth->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) 62 | pdd = ((PIMAGE_NT_HEADERS64)pnth)->OptionalHeader.DataDirectory; 63 | else 64 | pdd = ((PIMAGE_NT_HEADERS32)pnth)->OptionalHeader.DataDirectory; 65 | ULONG ExportDirRva = pdd[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; 66 | ULONG ExportDirSize = pdd[IMAGE_DIRECTORY_ENTRY_EXPORT].Size; 67 | ULONG ExportDirOffset = RvaToOffset(pnth, ExportDirRva, FileSize); 68 | if(ExportDirOffset == PE_ERROR_VALUE) 69 | { 70 | DPRINT("[DeugMessage] Invalid Export Directory!\r\n"); 71 | return PE_ERROR_VALUE; 72 | } 73 | 74 | //Read Export Directory 75 | PIMAGE_EXPORT_DIRECTORY ExportDir = (PIMAGE_EXPORT_DIRECTORY)(FileData + ExportDirOffset); 76 | ULONG NumberOfNames = ExportDir->NumberOfNames; 77 | ULONG AddressOfFunctionsOffset = RvaToOffset(pnth, ExportDir->AddressOfFunctions, FileSize); 78 | ULONG AddressOfNameOrdinalsOffset = RvaToOffset(pnth, ExportDir->AddressOfNameOrdinals, FileSize); 79 | ULONG AddressOfNamesOffset = RvaToOffset(pnth, ExportDir->AddressOfNames, FileSize); 80 | if(AddressOfFunctionsOffset == PE_ERROR_VALUE || 81 | AddressOfNameOrdinalsOffset == PE_ERROR_VALUE || 82 | AddressOfNamesOffset == PE_ERROR_VALUE) 83 | { 84 | DPRINT("[DeugMessage] Invalid Export Directory Contents!\r\n"); 85 | return PE_ERROR_VALUE; 86 | } 87 | ULONG* AddressOfFunctions = (ULONG*)(FileData + AddressOfFunctionsOffset); 88 | USHORT* AddressOfNameOrdinals = (USHORT*)(FileData + AddressOfNameOrdinalsOffset); 89 | ULONG* AddressOfNames = (ULONG*)(FileData + AddressOfNamesOffset); 90 | 91 | //Find Export 92 | ULONG ExportOffset = PE_ERROR_VALUE; 93 | for(ULONG i = 0; i < NumberOfNames; i++) 94 | { 95 | ULONG CurrentNameOffset = RvaToOffset(pnth, AddressOfNames[i], FileSize); 96 | if(CurrentNameOffset == PE_ERROR_VALUE) 97 | continue; 98 | const char* CurrentName = (const char*)(FileData + CurrentNameOffset); 99 | ULONG CurrentFunctionRva = AddressOfFunctions[AddressOfNameOrdinals[i]]; 100 | if(CurrentFunctionRva >= ExportDirRva && CurrentFunctionRva < ExportDirRva + ExportDirSize) 101 | continue; //we ignore forwarded exports 102 | if(!strcmp(CurrentName, ExportName)) //compare the export name to the requested export 103 | { 104 | ExportOffset = RvaToOffset(pnth, CurrentFunctionRva, FileSize); 105 | break; 106 | } 107 | } 108 | 109 | if(ExportOffset == PE_ERROR_VALUE) 110 | { 111 | DPRINT("[DeugMessage] Export %s not found in export table!\r\n", ExportName); 112 | } 113 | 114 | return ExportOffset; 115 | } 116 | 117 | PVOID PE::GetPageBase(PVOID lpHeader, ULONG* Size, PVOID ptr) 118 | { 119 | if((unsigned char*)ptr < (unsigned char*)lpHeader) 120 | return 0; 121 | ULONG dwRva = (ULONG)((unsigned char*)ptr - (unsigned char*)lpHeader); 122 | IMAGE_DOS_HEADER* pdh = (IMAGE_DOS_HEADER*)lpHeader; 123 | if(pdh->e_magic != IMAGE_DOS_SIGNATURE) 124 | return 0; 125 | IMAGE_NT_HEADERS* pnth = (IMAGE_NT_HEADERS*)((unsigned char*)lpHeader + pdh->e_lfanew); 126 | if(pnth->Signature != IMAGE_NT_SIGNATURE) 127 | return 0; 128 | IMAGE_SECTION_HEADER* psh = IMAGE_FIRST_SECTION(pnth); 129 | int section = RvaToSection(pnth, dwRva); 130 | if(section == -1) 131 | return 0; 132 | if(Size) 133 | *Size = psh[section].SizeOfRawData; 134 | return (PVOID)((unsigned char*)lpHeader + psh[section].VirtualAddress); 135 | } -------------------------------------------------------------------------------- /driver_inject.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Win7 Debug 6 | x64 7 | 8 | 9 | Win7 Release 10 | x64 11 | 12 | 13 | 14 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF} 15 | {1bc93793-694f-48fe-9372-81e2b05556fd} 16 | v4.5 17 | 11.0 18 | Win8.1 Debug 19 | Win32 20 | TitanHide 21 | driver_inject 22 | $(LatestTargetPlatformVersion) 23 | 24 | 25 | 26 | Windows7 27 | true 28 | WindowsKernelModeDriver10.0 29 | Driver 30 | WDM 31 | 32 | 33 | Windows7 34 | false 35 | WindowsKernelModeDriver10.0 36 | Driver 37 | WDM 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | DbgengKernelDebugger 49 | $(SolutionDir)\bin\ 50 | $(SolutionDir)\Temp\$(ProjectName)\$(Configuration)\ 51 | $(TargetName.Replace(' ',''))_x64_d 52 | false 53 | 54 | 55 | DbgengKernelDebugger 56 | $(TargetName.Replace(' ',''))_x64 57 | $(SolutionDir)\Temp\$(ProjectName)\$(Configuration)\ 58 | $(SolutionDir)\bin\ 59 | false 60 | 61 | 62 | 63 | false 64 | trace.h 65 | true 66 | false 67 | _DEBUG;_WIN64;_AMD64_;AMD64;%(PreprocessorDefinitions) 68 | 69 | 70 | 5.01 71 | 72 | 73 | false 74 | 75 | 76 | 77 | 78 | false 79 | trace.h 80 | true 81 | false 82 | 83 | 84 | 5.01 85 | 86 | 87 | false 88 | false 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | -------------------------------------------------------------------------------- /Loader/Loader.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Debug 10 | x64 11 | 12 | 13 | Release 14 | Win32 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {29392CD7-AAFC-434B-8395-A7016A677011} 23 | Win32Proj 24 | Loader 25 | 26 | 27 | 28 | Application 29 | true 30 | v120 31 | Unicode 32 | 33 | 34 | Application 35 | true 36 | v120 37 | Unicode 38 | 39 | 40 | Application 41 | false 42 | v120_xp 43 | true 44 | Unicode 45 | 46 | 47 | Application 48 | false 49 | v120_xp 50 | true 51 | Unicode 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | true 71 | $(SolutionDir)\Bin\ 72 | Temp\$(ProjectName)\$(Platform)\$(ConfigurationName)\ 73 | $(TargetName.Replace(' ',''))_d 74 | 75 | 76 | true 77 | $(SolutionDir)\Bin\ 78 | Temp\$(ProjectName)\$(Platform)\$(ConfigurationName)\ 79 | $(TargetName.Replace(' ',''))_x64_d 80 | 81 | 82 | false 83 | $(SolutionDir)\Bin\ 84 | $(SolutionDir)\Temp\$(Configuration)\ 85 | $(TargetName.Replace(' ','')) 86 | 87 | 88 | false 89 | $(SolutionDir)\Bin\ 90 | $(SolutionDir)\Temp\$(Configuration)\ 91 | $(TargetName.Replace(' ',''))_x64 92 | 93 | 94 | 95 | 96 | 97 | Level3 98 | Disabled 99 | WIN32;_DEBUG;_WINDOWS;%(PreprocessorDefinitions) 100 | 101 | 102 | Windows 103 | true 104 | 105 | 106 | 107 | 108 | 109 | 110 | Level3 111 | Disabled 112 | WIN32;_DEBUG;_WINDOWS;%(PreprocessorDefinitions) 113 | 114 | 115 | Windows 116 | true 117 | 118 | 119 | 120 | 121 | Level3 122 | 123 | 124 | Disabled 125 | true 126 | false 127 | WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions) 128 | false 129 | false 130 | MultiThreaded 131 | 132 | 133 | Windows 134 | true 135 | true 136 | true 137 | false 138 | Loader 139 | 140 | 141 | 142 | 143 | Level3 144 | 145 | 146 | Disabled 147 | true 148 | false 149 | WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions) 150 | false 151 | false 152 | MultiThreaded 153 | 154 | 155 | Windows 156 | true 157 | true 158 | true 159 | false 160 | Loader 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | -------------------------------------------------------------------------------- /ssdt.cpp: -------------------------------------------------------------------------------- 1 | #include "ssdt.h" 2 | #include "undocumented.h" 3 | #include "pe.h" 4 | 5 | #include "ntdll.h" 6 | 7 | //structures 8 | struct SSDTStruct 9 | { 10 | LONG* pServiceTable; 11 | PVOID pCounterTable; 12 | #ifdef _WIN64 13 | ULONGLONG NumberOfServices; 14 | #else 15 | ULONG NumberOfServices; 16 | #endif 17 | PCHAR pArgumentTable; 18 | }; 19 | 20 | //Based on: https://github.com/hfiref0x/WinObjEx64 21 | static SSDTStruct* SSDTfind() 22 | { 23 | static SSDTStruct* SSDT = 0; 24 | if(!SSDT) 25 | { 26 | #ifndef _WIN64 27 | //x86 code 28 | UNICODE_STRING routineName; 29 | RtlInitUnicodeString(&routineName, L"KeServiceDescriptorTable"); 30 | SSDT = (SSDTStruct*)MmGetSystemRoutineAddress(&routineName); 31 | #else 32 | //x64 code 33 | ULONG kernelSize; 34 | ULONG_PTR kernelBase = (ULONG_PTR)Undocumented::GetKernelBase(&kernelSize); 35 | if(kernelBase == 0 || kernelSize == 0) 36 | return NULL; 37 | 38 | // Find KiSystemServiceStart 39 | const unsigned char KiSystemServiceStartPattern[] = { 0x8B, 0xF8, 0xC1, 0xEF, 0x07, 0x83, 0xE7, 0x20, 0x25, 0xFF, 0x0F, 0x00, 0x00 }; 40 | const ULONG signatureSize = sizeof(KiSystemServiceStartPattern); 41 | bool found = false; 42 | ULONG KiSSSOffset; 43 | for(KiSSSOffset = 0; KiSSSOffset < kernelSize - signatureSize; KiSSSOffset++) 44 | { 45 | if(RtlCompareMemory(((unsigned char*)kernelBase + KiSSSOffset), KiSystemServiceStartPattern, signatureSize) == signatureSize) 46 | { 47 | found = true; 48 | break; 49 | } 50 | } 51 | if(!found) 52 | return NULL; 53 | 54 | // lea r10, KeServiceDescriptorTable 55 | ULONG_PTR address = kernelBase + KiSSSOffset + signatureSize; 56 | LONG relativeOffset = 0; 57 | if((*(unsigned char*)address == 0x4c) && 58 | (*(unsigned char*)(address + 1) == 0x8d) && 59 | (*(unsigned char*)(address + 2) == 0x15)) 60 | { 61 | relativeOffset = *(LONG*)(address + 3); 62 | } 63 | if(relativeOffset == 0) 64 | return NULL; 65 | 66 | SSDT = (SSDTStruct*)(address + relativeOffset + 7); 67 | #endif 68 | } 69 | return SSDT; 70 | } 71 | 72 | 73 | PVOID SSDT::GetFunctionAddress(const char* apiname) 74 | { 75 | //read address from SSDT 76 | SSDTStruct* SSDT = SSDTfind(); 77 | if(!SSDT) 78 | { 79 | DPRINT("[DeugMessage] SSDT not found...\r\n"); 80 | return 0; 81 | } 82 | ULONG_PTR SSDTbase = (ULONG_PTR)SSDT->pServiceTable; 83 | if(!SSDTbase) 84 | { 85 | DPRINT("[DeugMessage] ServiceTable not found...\r\n"); 86 | return 0; 87 | } 88 | ULONG readOffset = NTDLL::GetExportSsdtIndex(apiname); 89 | if(readOffset == -1) 90 | return 0; 91 | if(readOffset >= SSDT->NumberOfServices) 92 | { 93 | DPRINT("[DeugMessage] Invalid read offset...\r\n"); 94 | return 0; 95 | } 96 | #ifdef _WIN64 97 | return (PVOID)((SSDT->pServiceTable[readOffset] >> 4) + SSDTbase); 98 | #else 99 | return (PVOID)SSDT->pServiceTable[readOffset]; 100 | #endif 101 | } 102 | 103 | static void InterlockedSet(LONG* Destination, LONG Source) 104 | { 105 | //Change memory properties. 106 | PMDL g_pmdl = IoAllocateMdl(Destination, sizeof(LONG), 0, 0, NULL); 107 | if(!g_pmdl) 108 | return; 109 | MmBuildMdlForNonPagedPool(g_pmdl); 110 | LONG* Mapped = (LONG*)MmMapLockedPages(g_pmdl, KernelMode); 111 | if(!Mapped) 112 | { 113 | IoFreeMdl(g_pmdl); 114 | return; 115 | } 116 | InterlockedExchange(Mapped, Source); 117 | //Restore memory properties. 118 | MmUnmapLockedPages((PVOID)Mapped, g_pmdl); 119 | IoFreeMdl(g_pmdl); 120 | } 121 | 122 | #ifdef _WIN64 123 | static PVOID FindCaveAddress(PVOID CodeStart, ULONG CodeSize, ULONG CaveSize) 124 | { 125 | unsigned char* Code = (unsigned char*)CodeStart; 126 | 127 | for(unsigned int i = 0, j = 0; i < CodeSize; i++) 128 | { 129 | if(Code[i] == 0x90 || Code[i] == 0xCC) //NOP or INT3 130 | j++; 131 | else 132 | j = 0; 133 | if(j == CaveSize) 134 | return (PVOID)((ULONG_PTR)CodeStart + i - CaveSize + 1); 135 | } 136 | return 0; 137 | } 138 | #endif //_WIN64 139 | 140 | HOOK SSDT::Hook(const char* apiname, void* newfunc) 141 | { 142 | SSDTStruct* SSDT = SSDTfind(); 143 | if(!SSDT) 144 | { 145 | DPRINT("[DeugMessage] SSDT not found...\r\n"); 146 | return 0; 147 | } 148 | ULONG_PTR SSDTbase = (ULONG_PTR)SSDT->pServiceTable; 149 | if(!SSDTbase) 150 | { 151 | DPRINT("[DeugMessage] ServiceTable not found...\r\n"); 152 | return 0; 153 | } 154 | int FunctionIndex = NTDLL::GetExportSsdtIndex(apiname); 155 | if(FunctionIndex == -1) 156 | return 0; 157 | if((ULONGLONG)FunctionIndex >= SSDT->NumberOfServices) 158 | { 159 | DPRINT("[DeugMessage] Invalid API offset...\r\n"); 160 | return 0; 161 | } 162 | 163 | HOOK hHook = 0; 164 | LONG oldValue = SSDT->pServiceTable[FunctionIndex]; 165 | LONG newValue; 166 | 167 | #ifdef _WIN64 168 | /* 169 | x64 SSDT Hook; 170 | 1) find API addr 171 | 2) get code page+size 172 | 3) find cave address 173 | 4) hook cave address (using hooklib) 174 | 5) change SSDT value 175 | */ 176 | 177 | static ULONG CodeSize = 0; 178 | static PVOID CodeStart = 0; 179 | if(!CodeStart) 180 | { 181 | ULONG_PTR Lowest = SSDTbase; 182 | ULONG_PTR Highest = Lowest + 0x0FFFFFFF; 183 | UNREFERENCED_PARAMETER(Highest); 184 | DPRINT("[DeugMessage] Range: 0x%p-0x%p\r\n", Lowest, Highest); 185 | CodeSize = 0; 186 | CodeStart = PE::GetPageBase(Undocumented::GetKernelBase(), &CodeSize, (PVOID)((oldValue >> 4) + SSDTbase)); 187 | if(!CodeStart || !CodeSize) 188 | { 189 | DPRINT("[DeugMessage] PeGetPageBase failed...\r\n"); 190 | return 0; 191 | } 192 | DPRINT("[DeugMessage] CodeStart: 0x%p, CodeSize: 0x%X\r\n", CodeStart, CodeSize); 193 | if((ULONG_PTR)CodeStart < Lowest) //start of the page is out of range (impossible, but whatever) 194 | { 195 | CodeSize -= (ULONG)(Lowest - (ULONG_PTR)CodeStart); 196 | CodeStart = (PVOID)Lowest; 197 | DPRINT("[DeugMessage] CodeStart: 0x%p, CodeSize: 0x%X\r\n", CodeStart, CodeSize); 198 | } 199 | DPRINT("[DeugMessage] Range: 0x%p-0x%p\r\n", CodeStart, (ULONG_PTR)CodeStart + CodeSize); 200 | } 201 | 202 | PVOID CaveAddress = FindCaveAddress(CodeStart, CodeSize, sizeof(HOOKOPCODES)); 203 | if(!CaveAddress) 204 | { 205 | DPRINT("[DeugMessage] FindCaveAddress failed...\r\n"); 206 | return 0; 207 | } 208 | DPRINT("[DeugMessage] CaveAddress: 0x%p\r\n", CaveAddress); 209 | 210 | hHook = Hooklib::Hook(CaveAddress, (void*)newfunc); 211 | if(!hHook) 212 | return 0; 213 | 214 | newValue = (LONG)((ULONG_PTR)CaveAddress - SSDTbase); 215 | newValue = (newValue << 4) | oldValue & 0xF; 216 | 217 | //update HOOK structure 218 | hHook->SSDTindex = FunctionIndex; 219 | hHook->SSDTold = oldValue; 220 | hHook->SSDTnew = newValue; 221 | hHook->SSDTaddress = (oldValue >> 4) + SSDTbase; 222 | 223 | #else 224 | /* 225 | x86 SSDT Hook: 226 | 1) change SSDT value 227 | */ 228 | newValue = (ULONG)newfunc; 229 | 230 | hHook = (HOOK)RtlAllocateMemory(true, sizeof(HOOKSTRUCT)); 231 | 232 | //update HOOK structure 233 | hHook->SSDTindex = FunctionIndex; 234 | hHook->SSDTold = oldValue; 235 | hHook->SSDTnew = newValue; 236 | hHook->SSDTaddress = oldValue; 237 | 238 | #endif 239 | 240 | InterlockedSet(&SSDT->pServiceTable[FunctionIndex], newValue); 241 | 242 | DPRINT("[DeugMessage] SSDThook(%s:0x%p, 0x%p)\r\n", apiname, hHook->SSDTold, hHook->SSDTnew); 243 | 244 | return hHook; 245 | } 246 | 247 | void SSDT::Hook(HOOK hHook) 248 | { 249 | if(!hHook) 250 | return; 251 | SSDTStruct* SSDT = SSDTfind(); 252 | if(!SSDT) 253 | { 254 | DPRINT("[DeugMessage] SSDT not found...\r\n"); 255 | return; 256 | } 257 | LONG* SSDT_Table = SSDT->pServiceTable; 258 | if(!SSDT_Table) 259 | { 260 | DPRINT("[DeugMessage] ServiceTable not found...\r\n"); 261 | return; 262 | } 263 | InterlockedSet(&SSDT_Table[hHook->SSDTindex], hHook->SSDTnew); 264 | } 265 | 266 | void SSDT::Unhook(HOOK hHook, bool free) 267 | { 268 | if(!hHook) 269 | return; 270 | SSDTStruct* SSDT = SSDTfind(); 271 | if(!SSDT) 272 | { 273 | DPRINT("[DeugMessage] SSDT not found...\r\n"); 274 | return; 275 | } 276 | LONG* SSDT_Table = SSDT->pServiceTable; 277 | if(!SSDT_Table) 278 | { 279 | DPRINT("[DeugMessage] ServiceTable not found...\r\n"); 280 | return; 281 | } 282 | InterlockedSet(&SSDT_Table[hHook->SSDTindex], hHook->SSDTold); 283 | #ifdef _WIN64 284 | if(free) 285 | Hooklib::Unhook(hHook, true); 286 | #else 287 | if(free) 288 | RtlFreeMemory(hHook); 289 | #endif 290 | } -------------------------------------------------------------------------------- /MyDll/MyDll.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 15.0 23 | {F6721DAC-1A78-4272-AD2E-A5F0189CF384} 24 | Win32Proj 25 | MyDll 26 | 10.0.17763.0 27 | 28 | 29 | 30 | DynamicLibrary 31 | true 32 | v141 33 | Unicode 34 | 35 | 36 | DynamicLibrary 37 | false 38 | v141 39 | true 40 | Unicode 41 | 42 | 43 | DynamicLibrary 44 | true 45 | v141 46 | Unicode 47 | 48 | 49 | DynamicLibrary 50 | false 51 | v141 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | false 75 | $(SolutionDir)\Temp\$(ProjectName)\$(Configuration)\ 76 | $(SolutionDir)\bin\ 77 | $(ProjectName)_x64 78 | 79 | 80 | true 81 | $(ProjectName)_x86 82 | $(SolutionDir)\bin\ 83 | $(SolutionDir)\Temp\$(ProjectName)\$(Configuration)\ 84 | 85 | 86 | true 87 | $(SolutionDir)\bin\ 88 | $(SolutionDir)\Temp\$(ProjectName)\$(Configuration)\ 89 | $(ProjectName)_x64 90 | 91 | 92 | false 93 | $(ProjectName)_x86 94 | $(SolutionDir)\bin\ 95 | $(SolutionDir)\Temp\$(ProjectName)\$(Configuration)\ 96 | 97 | 98 | 99 | Use 100 | Level3 101 | MaxSpeed 102 | true 103 | true 104 | true 105 | NDEBUG;MYDLL_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 106 | true 107 | MultiThreaded 108 | 109 | 110 | Windows 111 | true 112 | true 113 | true 114 | 115 | 116 | 117 | 118 | Use 119 | Level3 120 | Disabled 121 | true 122 | WIN32;_DEBUG;MYDLL_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 123 | true 124 | MultiThreadedDebug 125 | 126 | 127 | Windows 128 | true 129 | 130 | 131 | 132 | 133 | Use 134 | Level3 135 | Disabled 136 | true 137 | _DEBUG;MYDLL_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 138 | true 139 | MultiThreadedDebug 140 | 141 | 142 | Windows 143 | true 144 | 145 | 146 | 147 | 148 | Use 149 | Level3 150 | MaxSpeed 151 | true 152 | true 153 | true 154 | WIN32;NDEBUG;MYDLL_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 155 | true 156 | MultiThreaded 157 | 158 | 159 | Windows 160 | true 161 | true 162 | true 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | Create 174 | Create 175 | Create 176 | Create 177 | 178 | 179 | 180 | 181 | 182 | -------------------------------------------------------------------------------- /undocumented.cpp: -------------------------------------------------------------------------------- 1 | #include "undocumented.h" 2 | #include "ssdt.h" 3 | 4 | 5 | typedef NTSTATUS(NTAPI* ZWQUERYINFORMATIONPROCESS)( 6 | IN HANDLE ProcessHandle, 7 | IN PROCESSINFOCLASS ProcessInformationClass, 8 | OUT PVOID ProcessInformation, 9 | IN ULONG ProcessInformationLength, 10 | OUT PULONG ReturnLength OPTIONAL 11 | ); 12 | 13 | typedef NTSTATUS(NTAPI* ZWQUERYINFORMATIONTHREAD)( 14 | IN HANDLE ThreadHandle, 15 | IN THREADINFOCLASS ThreadInformationClass, 16 | IN OUT PVOID ThreadInformation, 17 | IN ULONG ThreadInformationLength, 18 | OUT PULONG ReturnLength OPTIONAL 19 | ); 20 | 21 | typedef NTSTATUS(NTAPI* NTQUERYOBJECT)( 22 | IN HANDLE Handle OPTIONAL, 23 | IN OBJECT_INFORMATION_CLASS ObjectInformationClass, 24 | OUT PVOID ObjectInformation OPTIONAL, 25 | IN ULONG ObjectInformationLength, 26 | OUT PULONG ReturnLength OPTIONAL 27 | ); 28 | 29 | typedef NTSTATUS(NTAPI* ZWQUERYSYSTEMINFORMATION)( 30 | IN SYSTEM_INFORMATION_CLASS SystemInformationClass, 31 | OUT PVOID SystemInformation, 32 | IN ULONG SystemInformationLength, 33 | OUT PULONG ReturnLength OPTIONAL 34 | ); 35 | 36 | typedef NTSTATUS(NTAPI* NTQUERYSYSTEMINFORMATION)( 37 | IN SYSTEM_INFORMATION_CLASS SystemInformationClass, 38 | OUT PVOID SystemInformation, 39 | IN ULONG SystemInformationLength, 40 | OUT PULONG ReturnLength OPTIONAL 41 | ); 42 | 43 | typedef NTSTATUS(NTAPI* NTCLOSE)( 44 | IN HANDLE Handle 45 | ); 46 | 47 | typedef NTSTATUS(NTAPI* NTSETCONTEXTTHREAD)( 48 | IN HANDLE ThreadHandle, 49 | IN PCONTEXT Context 50 | ); 51 | 52 | typedef NTSTATUS(NTAPI* NTCONTINUE)( 53 | IN PCONTEXT Context, 54 | BOOLEAN RaiseAlert 55 | ); 56 | 57 | typedef NTSTATUS(NTAPI* NTDUPLICATEOBJECT)( 58 | IN HANDLE SourceProcessHandle, 59 | IN HANDLE SourceHandle, 60 | IN HANDLE TargetProcessHandle, 61 | OUT PHANDLE TargetHandle, 62 | IN ACCESS_MASK DesiredAccess OPTIONAL, 63 | IN ULONG HandleAttributes, 64 | IN ULONG Options 65 | ); 66 | 67 | typedef NTSTATUS(NTAPI* KERAISEUSEREXCEPTION)( 68 | IN NTSTATUS ExceptionCode 69 | ); 70 | 71 | typedef NTSTATUS(NTAPI* NTSETINFORMATIONTHREAD)( 72 | IN HANDLE ThreadHandle, 73 | IN THREADINFOCLASS ThreadInformationClass, 74 | IN PVOID ThreadInformation, 75 | IN ULONG ThreadInformationLength 76 | ); 77 | 78 | typedef NTSTATUS(NTAPI* NTSETINFORMATIONPROCESS)( 79 | IN HANDLE ProcessHandle, 80 | IN PROCESSINFOCLASS ProcessInformationClass, 81 | IN PVOID ProcessInformation, 82 | IN ULONG ProcessInformationLength 83 | ); 84 | 85 | typedef NTSTATUS(NTAPI* NTQUERYINFORMATIONPROCESS)( 86 | IN HANDLE ProcessHandle, 87 | IN PROCESSINFOCLASS ProcessInformationClass, 88 | OUT PVOID ProcessInformation, 89 | IN ULONG ProcessInformationLength, 90 | OUT PULONG ReturnLength OPTIONAL 91 | ); 92 | 93 | typedef NTSTATUS(NTAPI* NTSYSTEMDEBUGCONTROL)( 94 | IN SYSDBG_COMMAND Command, 95 | IN PVOID InputBuffer OPTIONAL, 96 | IN ULONG InputBufferLength, 97 | OUT PVOID OutputBuffer OPTIONAL, 98 | IN ULONG OutputBufferLength, 99 | OUT PULONG ReturnLength OPTIONAL 100 | ); 101 | 102 | static ZWQUERYINFORMATIONPROCESS ZwQIP = 0; 103 | static ZWQUERYINFORMATIONTHREAD ZwQIT = 0; 104 | static NTQUERYOBJECT NtQO = 0; 105 | static ZWQUERYSYSTEMINFORMATION ZwQSI = 0; 106 | static NTQUERYSYSTEMINFORMATION NtQSI = 0; 107 | static NTCLOSE NtClo = 0; 108 | static NTSETCONTEXTTHREAD NtSCT = 0; 109 | static NTCONTINUE NtCon = 0; 110 | static NTDUPLICATEOBJECT NtDO = 0; 111 | static KERAISEUSEREXCEPTION KeRUE = 0; 112 | static NTSETINFORMATIONTHREAD NtSIT = 0; 113 | static NTSETINFORMATIONPROCESS NtSIP = 0; 114 | static NTQUERYINFORMATIONPROCESS NtQIP = 0; 115 | static NTSYSTEMDEBUGCONTROL NtSDBC = 0; 116 | 117 | NTSTATUS NTAPI Undocumented::ZwQueryInformationProcess( 118 | IN HANDLE ProcessHandle, 119 | IN PROCESSINFOCLASS ProcessInformationClass, 120 | OUT PVOID ProcessInformation, 121 | IN ULONG ProcessInformationLength, 122 | OUT PULONG ReturnLength OPTIONAL) 123 | { 124 | return ZwQIP(ProcessHandle, ProcessInformationClass, ProcessInformation, ProcessInformationLength, ReturnLength); 125 | } 126 | 127 | NTSTATUS NTAPI Undocumented::ZwQueryInformationThread( 128 | IN HANDLE ThreadHandle, 129 | IN THREADINFOCLASS ThreadInformationClass, 130 | IN OUT PVOID ThreadInformation, 131 | IN ULONG ThreadInformationLength, 132 | OUT PULONG ReturnLength OPTIONAL) 133 | { 134 | return ZwQIT(ThreadHandle, ThreadInformationClass, ThreadInformation, ThreadInformationLength, ReturnLength); 135 | } 136 | 137 | NTSTATUS NTAPI Undocumented::NtQueryObject( 138 | IN HANDLE Handle OPTIONAL, 139 | IN OBJECT_INFORMATION_CLASS ObjectInformationClass, 140 | OUT PVOID ObjectInformation OPTIONAL, 141 | IN ULONG ObjectInformationLength, 142 | OUT PULONG ReturnLength OPTIONAL) 143 | { 144 | return NtQO(Handle, ObjectInformationClass, ObjectInformation, ObjectInformationLength, ReturnLength); 145 | } 146 | 147 | NTSTATUS NTAPI Undocumented::ZwQuerySystemInformation( 148 | IN SYSTEM_INFORMATION_CLASS SystemInformationClass, 149 | OUT PVOID SystemInformation, 150 | IN ULONG SystemInformationLength, 151 | OUT PULONG ReturnLength OPTIONAL) 152 | { 153 | return ZwQSI(SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength); 154 | } 155 | 156 | NTSTATUS NTAPI Undocumented::NtQuerySystemInformation( 157 | IN SYSTEM_INFORMATION_CLASS SystemInformationClass, 158 | OUT PVOID SystemInformation, 159 | IN ULONG SystemInformationLength, 160 | OUT PULONG ReturnLength OPTIONAL) 161 | { 162 | return NtQSI(SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength); 163 | } 164 | 165 | NTSTATUS NTAPI Undocumented::NtClose( 166 | IN HANDLE Handle) 167 | { 168 | return NtClo(Handle); 169 | } 170 | 171 | NTSTATUS NTAPI Undocumented::NtSetContextThread( 172 | IN HANDLE ThreadHandle, 173 | IN PCONTEXT Context) 174 | { 175 | return NtSCT(ThreadHandle, Context); 176 | } 177 | 178 | NTSTATUS NTAPI Undocumented::NtContinue( 179 | IN PCONTEXT Context, 180 | BOOLEAN RaiseAlert) 181 | { 182 | return NtCon(Context, RaiseAlert); 183 | } 184 | 185 | NTSTATUS NTAPI Undocumented::NtDuplicateObject( 186 | IN HANDLE SourceProcessHandle, 187 | IN HANDLE SourceHandle, 188 | IN HANDLE TargetProcessHandle, 189 | OUT PHANDLE TargetHandle, 190 | IN ACCESS_MASK DesiredAccess OPTIONAL, 191 | IN ULONG HandleAttributes, 192 | IN ULONG Options) 193 | { 194 | return NtDO(SourceProcessHandle, SourceHandle, TargetProcessHandle, TargetHandle, DesiredAccess, HandleAttributes, Options); 195 | } 196 | 197 | NTSTATUS NTAPI Undocumented::KeRaiseUserException( 198 | IN NTSTATUS ExceptionCode) 199 | { 200 | return KeRUE(ExceptionCode); 201 | } 202 | 203 | NTSTATUS NTAPI Undocumented::NtSetInformationThread( 204 | IN HANDLE ThreadHandle, 205 | IN THREADINFOCLASS ThreadInformationClass, 206 | IN PVOID ThreadInformation, 207 | IN ULONG ThreadInformationLength) 208 | { 209 | return NtSIT(ThreadHandle, ThreadInformationClass, ThreadInformation, ThreadInformationLength); 210 | } 211 | 212 | NTSTATUS NTAPI Undocumented::NtSetInformationProcess( 213 | IN HANDLE ProcessHandle, 214 | IN PROCESSINFOCLASS ProcessInformationClass, 215 | IN PVOID ProcessInformation, 216 | IN ULONG ProcessInformationLength) 217 | { 218 | return NtSIP(ProcessHandle, ProcessInformationClass, ProcessInformation, ProcessInformationLength); 219 | } 220 | 221 | NTSTATUS NTAPI Undocumented::NtQueryInformationProcess( 222 | IN HANDLE ProcessHandle, 223 | IN PROCESSINFOCLASS ProcessInformationClass, 224 | OUT PVOID ProcessInformation, 225 | IN ULONG ProcessInformationLength, 226 | OUT PULONG ReturnLength OPTIONAL) 227 | { 228 | return NtQIP(ProcessHandle, ProcessInformationClass, ProcessInformation, ProcessInformationLength, ReturnLength); 229 | } 230 | 231 | NTSTATUS NTAPI Undocumented::NtSystemDebugControl( 232 | IN SYSDBG_COMMAND Command, 233 | IN PVOID InputBuffer, 234 | IN ULONG InputBufferLength, 235 | OUT PVOID OutputBuffer, 236 | IN ULONG OutputBufferLength, 237 | OUT PULONG ReturnLength) 238 | { 239 | return NtSDBC(Command, InputBuffer, InputBufferLength, OutputBuffer, OutputBufferLength, ReturnLength); 240 | } 241 | 242 | bool Undocumented::UndocumentedInit() 243 | { 244 | //Exported kernel functions after this 245 | if(!ZwQIP) 246 | { 247 | UNICODE_STRING routineName; 248 | RtlInitUnicodeString(&routineName, L"ZwQueryInformationProcess"); 249 | ZwQIP = (ZWQUERYINFORMATIONPROCESS)MmGetSystemRoutineAddress(&routineName); 250 | if(!ZwQIP) 251 | return false; 252 | } 253 | if(!ZwQIT) 254 | { 255 | UNICODE_STRING routineName; 256 | RtlInitUnicodeString(&routineName, L"ZwQueryInformationThread"); 257 | ZwQIT = (ZWQUERYINFORMATIONTHREAD)MmGetSystemRoutineAddress(&routineName); 258 | if(!ZwQIT) 259 | return false; 260 | } 261 | if(!ZwQSI) 262 | { 263 | UNICODE_STRING routineName; 264 | RtlInitUnicodeString(&routineName, L"ZwQuerySystemInformation"); 265 | ZwQSI = (ZWQUERYSYSTEMINFORMATION)MmGetSystemRoutineAddress(&routineName); 266 | if(!ZwQSI) 267 | return false; 268 | } 269 | if(!NtQSI) 270 | { 271 | UNICODE_STRING routineName; 272 | RtlInitUnicodeString(&routineName, L"NtQuerySystemInformation"); 273 | NtQSI = (NTQUERYSYSTEMINFORMATION)MmGetSystemRoutineAddress(&routineName); 274 | if(!NtQSI) 275 | return false; 276 | } 277 | if(!NtClo) 278 | { 279 | UNICODE_STRING routineName; 280 | RtlInitUnicodeString(&routineName, L"NtClose"); 281 | NtClo = (NTCLOSE)MmGetSystemRoutineAddress(&routineName); 282 | if(!NtClo) 283 | return false; 284 | } 285 | if(!NtDO) 286 | { 287 | UNICODE_STRING routineName; 288 | RtlInitUnicodeString(&routineName, L"NtDuplicateObject"); 289 | NtDO = (NTDUPLICATEOBJECT)MmGetSystemRoutineAddress(&routineName); 290 | if(!NtDO) 291 | return false; 292 | } 293 | if(!KeRUE) 294 | { 295 | UNICODE_STRING routineName; 296 | RtlInitUnicodeString(&routineName, L"KeRaiseUserException"); 297 | KeRUE = (KERAISEUSEREXCEPTION)MmGetSystemRoutineAddress(&routineName); 298 | if(!KeRUE) 299 | return false; 300 | } 301 | if(!NtSIT) 302 | { 303 | UNICODE_STRING routineName; 304 | RtlInitUnicodeString(&routineName, L"NtSetInformationThread"); 305 | NtSIT = (NTSETINFORMATIONTHREAD)MmGetSystemRoutineAddress(&routineName); 306 | if(!NtSIT) 307 | return false; 308 | } 309 | if(!NtSIP) 310 | { 311 | UNICODE_STRING routineName; 312 | RtlInitUnicodeString(&routineName, L"NtSetInformationProcess"); 313 | NtSIP = (NTSETINFORMATIONPROCESS)MmGetSystemRoutineAddress(&routineName); 314 | if(!NtSIP) 315 | return false; 316 | } 317 | if(!NtQIP) 318 | { 319 | UNICODE_STRING routineName; 320 | RtlInitUnicodeString(&routineName, L"NtQueryInformationProcess"); 321 | NtQIP = (NTQUERYINFORMATIONPROCESS)MmGetSystemRoutineAddress(&routineName); 322 | if(!NtQIP) 323 | return false; 324 | } 325 | //SSDT-only functions after this 326 | if(!NtQO) 327 | { 328 | NtQO = (NTQUERYOBJECT)SSDT::GetFunctionAddress("NtQueryObject"); 329 | if(!NtQO) 330 | return false; 331 | } 332 | if(!NtSCT) 333 | { 334 | NtSCT = (NTSETCONTEXTTHREAD)SSDT::GetFunctionAddress("NtSetContextThread"); 335 | if(!NtSCT) 336 | return false; 337 | } 338 | if(!NtCon) 339 | { 340 | NtCon = (NTCONTINUE)SSDT::GetFunctionAddress("NtContinue"); 341 | if(!NtCon) 342 | return false; 343 | } 344 | if(!NtSDBC) 345 | { 346 | NtSDBC = (NTSYSTEMDEBUGCONTROL)SSDT::GetFunctionAddress("NtSystemDebugControl"); 347 | if(!NtSDBC) 348 | return false; 349 | } 350 | return true; 351 | } 352 | 353 | //Based on: http://alter.org.ua/docs/nt_kernel/procaddr 354 | PVOID Undocumented::GetKernelBase(PULONG pImageSize) 355 | { 356 | typedef struct _SYSTEM_MODULE_ENTRY 357 | { 358 | HANDLE Section; 359 | PVOID MappedBase; 360 | PVOID ImageBase; 361 | ULONG ImageSize; 362 | ULONG Flags; 363 | USHORT LoadOrderIndex; 364 | USHORT InitOrderIndex; 365 | USHORT LoadCount; 366 | USHORT OffsetToFileName; 367 | UCHAR FullPathName[256]; 368 | } SYSTEM_MODULE_ENTRY, *PSYSTEM_MODULE_ENTRY; 369 | 370 | #pragma warning(disable:4200) 371 | typedef struct _SYSTEM_MODULE_INFORMATION 372 | { 373 | ULONG Count; 374 | SYSTEM_MODULE_ENTRY Module[0]; 375 | } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; 376 | 377 | PVOID pModuleBase = NULL; 378 | PSYSTEM_MODULE_INFORMATION pSystemInfoBuffer = NULL; 379 | 380 | ULONG SystemInfoBufferSize = 0; 381 | 382 | NTSTATUS status = Undocumented::ZwQuerySystemInformation(SystemModuleInformation, 383 | &SystemInfoBufferSize, 384 | 0, 385 | &SystemInfoBufferSize); 386 | 387 | if(!SystemInfoBufferSize) 388 | { 389 | DPRINT("[DeugMessage] ZwQuerySystemInformation (1) failed...\r\n"); 390 | return NULL; 391 | } 392 | 393 | pSystemInfoBuffer = (PSYSTEM_MODULE_INFORMATION)ExAllocatePool(NonPagedPool, SystemInfoBufferSize * 2); 394 | 395 | if(!pSystemInfoBuffer) 396 | { 397 | DPRINT("[DeugMessage] ExAllocatePool failed...\r\n"); 398 | return NULL; 399 | } 400 | 401 | memset(pSystemInfoBuffer, 0, SystemInfoBufferSize * 2); 402 | 403 | status = Undocumented::ZwQuerySystemInformation(SystemModuleInformation, 404 | pSystemInfoBuffer, 405 | SystemInfoBufferSize * 2, 406 | &SystemInfoBufferSize); 407 | 408 | if(NT_SUCCESS(status)) 409 | { 410 | pModuleBase = pSystemInfoBuffer->Module[0].ImageBase; 411 | if(pImageSize) 412 | *pImageSize = pSystemInfoBuffer->Module[0].ImageSize; 413 | } 414 | else 415 | DPRINT("[DeugMessage] ZwQuerySystemInformation (2) failed...\r\n"); 416 | 417 | ExFreePool(pSystemInfoBuffer); 418 | 419 | return pModuleBase; 420 | } 421 | -------------------------------------------------------------------------------- /MemLoadDll.h: -------------------------------------------------------------------------------- 1 | 2 | #ifndef _MEMLOAD_SHELLCODE_H 3 | #define _MEMLOAD_SHELLCODE_H 4 | 5 | unsigned char MemLoadShellcode_x86[] = { 6 | 7 | 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x54, 0xC7, 0x45, 0xC4, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x45, 0xC0, 8 | 0x00, 0x00, 0x00, 0x00, 0xC7, 0x45, 0xCC, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x45, 0xBC, 0x00, 0x00, 9 | 0x00, 0x00, 0x8B, 0x45, 0x08, 0x0F, 0xB7, 0x08, 0x81, 0xF9, 0x4D, 0x5A, 0x00, 0x00, 0x74, 0x07, 10 | 0x33, 0xC0, 0xE9, 0xEE, 0x06, 0x00, 0x00, 0x8B, 0x55, 0x08, 0x8B, 0x45, 0x08, 0x03, 0x42, 0x3C, 11 | 0x89, 0x45, 0xD8, 0x8B, 0x4D, 0xD8, 0x81, 0x39, 0x50, 0x45, 0x00, 0x00, 0x74, 0x07, 0x33, 0xC0, 12 | 0xE9, 0xD0, 0x06, 0x00, 0x00, 0x64, 0x8B, 0x15, 0x30, 0x00, 0x00, 0x00, 0x89, 0x55, 0xF8, 0x8B, 13 | 0x45, 0xF8, 0x8B, 0x48, 0x0C, 0x89, 0x4D, 0xF8, 0x8B, 0x55, 0xF8, 0x8B, 0x42, 0x14, 0x89, 0x45, 14 | 0xF4, 0x83, 0x7D, 0xF4, 0x00, 0x0F, 0x84, 0x89, 0x02, 0x00, 0x00, 0x8B, 0x4D, 0xF4, 0x8B, 0x51, 15 | 0x28, 0x89, 0x55, 0xE8, 0x8B, 0x45, 0xF4, 0x66, 0x8B, 0x48, 0x24, 0x66, 0x89, 0x4D, 0xFC, 0xC7, 16 | 0x45, 0xF0, 0x00, 0x00, 0x00, 0x00, 0x8B, 0x55, 0xF0, 0x52, 0xE8, 0xD1, 0x06, 0x00, 0x00, 0x83, 17 | 0xC4, 0x04, 0x89, 0x45, 0xF0, 0x8B, 0x45, 0xE8, 0x0F, 0xB6, 0x08, 0x83, 0xF9, 0x61, 0x7C, 0x12, 18 | 0x8B, 0x55, 0xE8, 0x0F, 0xB6, 0x02, 0x8B, 0x4D, 0xF0, 0x8D, 0x54, 0x01, 0xE0, 0x89, 0x55, 0xF0, 19 | 0xEB, 0x0C, 0x8B, 0x45, 0xE8, 0x0F, 0xB6, 0x08, 0x03, 0x4D, 0xF0, 0x89, 0x4D, 0xF0, 0x8B, 0x55, 20 | 0xE8, 0x83, 0xC2, 0x01, 0x89, 0x55, 0xE8, 0x66, 0x8B, 0x45, 0xFC, 0x66, 0x83, 0xE8, 0x01, 0x66, 21 | 0x89, 0x45, 0xFC, 0x0F, 0xB7, 0x4D, 0xFC, 0x85, 0xC9, 0x75, 0xAB, 0x81, 0x7D, 0xF0, 0x5B, 0xBC, 22 | 0x4A, 0x6A, 0x0F, 0x85, 0x11, 0x01, 0x00, 0x00, 0x8B, 0x55, 0xF4, 0x8B, 0x42, 0x10, 0x89, 0x45, 23 | 0xF8, 0x8B, 0x4D, 0xF8, 0x8B, 0x55, 0xF8, 0x03, 0x51, 0x3C, 0x89, 0x55, 0xE4, 0xB8, 0x08, 0x00, 24 | 0x00, 0x00, 0x6B, 0xC8, 0x00, 0x8B, 0x55, 0xE4, 0x8D, 0x44, 0x0A, 0x78, 0x89, 0x45, 0xE0, 0x8B, 25 | 0x4D, 0xE0, 0x8B, 0x55, 0xF8, 0x03, 0x11, 0x89, 0x55, 0xE4, 0x8B, 0x45, 0xE4, 0x8B, 0x4D, 0xF8, 26 | 0x03, 0x48, 0x20, 0x89, 0x4D, 0xE0, 0x8B, 0x55, 0xE4, 0x8B, 0x45, 0xF8, 0x03, 0x42, 0x24, 0x89, 27 | 0x45, 0xD0, 0xB9, 0x03, 0x00, 0x00, 0x00, 0x66, 0x89, 0x4D, 0xFC, 0x0F, 0xB7, 0x55, 0xFC, 0x85, 28 | 0xD2, 0x0F, 0x8E, 0xAD, 0x00, 0x00, 0x00, 0x8B, 0x45, 0xE0, 0x8B, 0x4D, 0xF8, 0x03, 0x08, 0x51, 29 | 0xE8, 0xCB, 0x05, 0x00, 0x00, 0x83, 0xC4, 0x04, 0x89, 0x45, 0xD4, 0x81, 0x7D, 0xD4, 0x8E, 0x4E, 30 | 0x0E, 0xEC, 0x74, 0x12, 0x81, 0x7D, 0xD4, 0xAA, 0xFC, 0x0D, 0x7C, 0x74, 0x09, 0x81, 0x7D, 0xD4, 31 | 0x54, 0xCA, 0xAF, 0x91, 0x75, 0x67, 0x8B, 0x55, 0xE4, 0x8B, 0x45, 0xF8, 0x03, 0x42, 0x1C, 0x89, 32 | 0x45, 0xDC, 0x8B, 0x4D, 0xD0, 0x0F, 0xB7, 0x11, 0x8B, 0x45, 0xDC, 0x8D, 0x0C, 0x90, 0x89, 0x4D, 33 | 0xDC, 0x81, 0x7D, 0xD4, 0x8E, 0x4E, 0x0E, 0xEC, 0x75, 0x0D, 0x8B, 0x55, 0xDC, 0x8B, 0x45, 0xF8, 34 | 0x03, 0x02, 0x89, 0x45, 0xC4, 0xEB, 0x2A, 0x81, 0x7D, 0xD4, 0xAA, 0xFC, 0x0D, 0x7C, 0x75, 0x0D, 35 | 0x8B, 0x4D, 0xDC, 0x8B, 0x55, 0xF8, 0x03, 0x11, 0x89, 0x55, 0xC0, 0xEB, 0x14, 0x81, 0x7D, 0xD4, 36 | 0x54, 0xCA, 0xAF, 0x91, 0x75, 0x0B, 0x8B, 0x45, 0xDC, 0x8B, 0x4D, 0xF8, 0x03, 0x08, 0x89, 0x4D, 37 | 0xCC, 0x66, 0x8B, 0x55, 0xFC, 0x66, 0x83, 0xEA, 0x01, 0x66, 0x89, 0x55, 0xFC, 0x8B, 0x45, 0xE0, 38 | 0x83, 0xC0, 0x04, 0x89, 0x45, 0xE0, 0x8B, 0x4D, 0xD0, 0x83, 0xC1, 0x02, 0x89, 0x4D, 0xD0, 0xE9, 39 | 0x47, 0xFF, 0xFF, 0xFF, 0xE9, 0xD4, 0x00, 0x00, 0x00, 0x81, 0x7D, 0xF0, 0x5D, 0x68, 0xFA, 0x3C, 40 | 0x0F, 0x85, 0xC7, 0x00, 0x00, 0x00, 0x8B, 0x55, 0xF4, 0x8B, 0x42, 0x10, 0x89, 0x45, 0xF8, 0x8B, 41 | 0x4D, 0xF8, 0x8B, 0x55, 0xF8, 0x03, 0x51, 0x3C, 0x89, 0x55, 0xE4, 0xB8, 0x08, 0x00, 0x00, 0x00, 42 | 0x6B, 0xC8, 0x00, 0x8B, 0x55, 0xE4, 0x8D, 0x44, 0x0A, 0x78, 0x89, 0x45, 0xE0, 0x8B, 0x4D, 0xE0, 43 | 0x8B, 0x55, 0xF8, 0x03, 0x11, 0x89, 0x55, 0xE4, 0x8B, 0x45, 0xE4, 0x8B, 0x4D, 0xF8, 0x03, 0x48, 44 | 0x20, 0x89, 0x4D, 0xE0, 0x8B, 0x55, 0xE4, 0x8B, 0x45, 0xF8, 0x03, 0x42, 0x24, 0x89, 0x45, 0xD0, 45 | 0xB9, 0x01, 0x00, 0x00, 0x00, 0x66, 0x89, 0x4D, 0xFC, 0x0F, 0xB7, 0x55, 0xFC, 0x85, 0xD2, 0x7E, 46 | 0x6C, 0x8B, 0x45, 0xE0, 0x8B, 0x4D, 0xF8, 0x03, 0x08, 0x51, 0xE8, 0xB1, 0x04, 0x00, 0x00, 0x83, 47 | 0xC4, 0x04, 0x89, 0x45, 0xD4, 0x81, 0x7D, 0xD4, 0xB8, 0x0A, 0x4C, 0x53, 0x75, 0x3B, 0x8B, 0x55, 48 | 0xE4, 0x8B, 0x45, 0xF8, 0x03, 0x42, 0x1C, 0x89, 0x45, 0xDC, 0x8B, 0x4D, 0xD0, 0x0F, 0xB7, 0x11, 49 | 0x8B, 0x45, 0xDC, 0x8D, 0x0C, 0x90, 0x89, 0x4D, 0xDC, 0x81, 0x7D, 0xD4, 0xB8, 0x0A, 0x4C, 0x53, 50 | 0x75, 0x0B, 0x8B, 0x55, 0xDC, 0x8B, 0x45, 0xF8, 0x03, 0x02, 0x89, 0x45, 0xBC, 0x66, 0x8B, 0x4D, 51 | 0xFC, 0x66, 0x83, 0xE9, 0x01, 0x66, 0x89, 0x4D, 0xFC, 0x8B, 0x55, 0xE0, 0x83, 0xC2, 0x04, 0x89, 52 | 0x55, 0xE0, 0x8B, 0x45, 0xD0, 0x83, 0xC0, 0x02, 0x89, 0x45, 0xD0, 0xEB, 0x8C, 0x83, 0x7D, 0xC4, 53 | 0x00, 0x74, 0x14, 0x83, 0x7D, 0xC0, 0x00, 0x74, 0x0E, 0x83, 0x7D, 0xCC, 0x00, 0x74, 0x08, 0x83, 54 | 0x7D, 0xBC, 0x00, 0x74, 0x02, 0xEB, 0x0D, 0x8B, 0x4D, 0xF4, 0x8B, 0x11, 0x89, 0x55, 0xF4, 0xE9, 55 | 0x6D, 0xFD, 0xFF, 0xFF, 0x8B, 0x45, 0x08, 0x0F, 0xB7, 0x08, 0x81, 0xF9, 0x4D, 0x5A, 0x00, 0x00, 56 | 0x74, 0x07, 0x33, 0xC0, 0xE9, 0x0C, 0x04, 0x00, 0x00, 0x8B, 0x55, 0x08, 0x8B, 0x45, 0x08, 0x03, 57 | 0x42, 0x3C, 0x89, 0x45, 0xD8, 0x8B, 0x4D, 0xD8, 0x81, 0x39, 0x50, 0x45, 0x00, 0x00, 0x74, 0x07, 58 | 0x33, 0xC0, 0xE9, 0xEE, 0x03, 0x00, 0x00, 0x6A, 0x40, 0x68, 0x00, 0x30, 0x00, 0x00, 0x8B, 0x55, 59 | 0xD8, 0x8B, 0x42, 0x50, 0x50, 0x6A, 0x00, 0xFF, 0x55, 0xCC, 0x89, 0x45, 0xF8, 0x8B, 0x4D, 0xD8, 60 | 0x8B, 0x51, 0x54, 0x89, 0x55, 0xF4, 0x8B, 0x45, 0x08, 0x89, 0x45, 0xE8, 0x8B, 0x4D, 0xF8, 0x89, 61 | 0x4D, 0xF0, 0x8B, 0x55, 0xF4, 0x89, 0x55, 0xB8, 0x8B, 0x45, 0xF4, 0x83, 0xE8, 0x01, 0x89, 0x45, 62 | 0xF4, 0x83, 0x7D, 0xB8, 0x00, 0x74, 0x1E, 0x8B, 0x4D, 0xF0, 0x8B, 0x55, 0xE8, 0x8A, 0x02, 0x88, 63 | 0x01, 0x8B, 0x4D, 0xF0, 0x83, 0xC1, 0x01, 0x89, 0x4D, 0xF0, 0x8B, 0x55, 0xE8, 0x83, 0xC2, 0x01, 64 | 0x89, 0x55, 0xE8, 0xEB, 0xCD, 0x8B, 0x45, 0xD8, 0x0F, 0xB7, 0x48, 0x14, 0x8B, 0x55, 0xD8, 0x8D, 65 | 0x44, 0x0A, 0x18, 0x89, 0x45, 0xF4, 0x8B, 0x4D, 0xD8, 0x0F, 0xB7, 0x51, 0x06, 0x89, 0x55, 0xC8, 66 | 0x8B, 0x45, 0xC8, 0x89, 0x45, 0xB4, 0x8B, 0x4D, 0xC8, 0x83, 0xE9, 0x01, 0x89, 0x4D, 0xC8, 0x83, 67 | 0x7D, 0xB4, 0x00, 0x74, 0x5F, 0x8B, 0x55, 0xF4, 0x8B, 0x45, 0xF8, 0x03, 0x42, 0x0C, 0x89, 0x45, 68 | 0xE8, 0x8B, 0x4D, 0xF4, 0x8B, 0x55, 0x08, 0x03, 0x51, 0x14, 0x89, 0x55, 0xF0, 0x8B, 0x45, 0xF4, 69 | 0x8B, 0x48, 0x10, 0x89, 0x4D, 0xEC, 0x8B, 0x55, 0xEC, 0x89, 0x55, 0xB0, 0x8B, 0x45, 0xEC, 0x83, 70 | 0xE8, 0x01, 0x89, 0x45, 0xEC, 0x83, 0x7D, 0xB0, 0x00, 0x74, 0x1E, 0x8B, 0x4D, 0xE8, 0x8B, 0x55, 71 | 0xF0, 0x8A, 0x02, 0x88, 0x01, 0x8B, 0x4D, 0xE8, 0x83, 0xC1, 0x01, 0x89, 0x4D, 0xE8, 0x8B, 0x55, 72 | 0xF0, 0x83, 0xC2, 0x01, 0x89, 0x55, 0xF0, 0xEB, 0xCD, 0x8B, 0x45, 0xF4, 0x83, 0xC0, 0x28, 0x89, 73 | 0x45, 0xF4, 0xEB, 0x8C, 0xB9, 0x08, 0x00, 0x00, 0x00, 0xC1, 0xE1, 0x00, 0x8B, 0x55, 0xD8, 0x8D, 74 | 0x44, 0x0A, 0x78, 0x89, 0x45, 0xE8, 0x8B, 0x4D, 0xE8, 0x8B, 0x55, 0xF8, 0x03, 0x11, 0x89, 0x55, 75 | 0xF0, 0x8B, 0x45, 0xF0, 0x83, 0x78, 0x0C, 0x00, 0x0F, 0x84, 0xEB, 0x00, 0x00, 0x00, 0x8B, 0x4D, 76 | 0xF0, 0x8B, 0x55, 0xF8, 0x03, 0x51, 0x0C, 0x52, 0xFF, 0x55, 0xC4, 0x89, 0x45, 0x08, 0x8B, 0x45, 77 | 0xF0, 0x8B, 0x4D, 0xF8, 0x03, 0x08, 0x89, 0x4D, 0xEC, 0x8B, 0x55, 0xF0, 0x8B, 0x45, 0xF8, 0x03, 78 | 0x42, 0x10, 0x89, 0x45, 0xF4, 0x8B, 0x4D, 0xF4, 0x83, 0x39, 0x00, 0x0F, 0x84, 0xAA, 0x00, 0x00, 79 | 0x00, 0x83, 0x7D, 0xEC, 0x00, 0x74, 0x69, 0x8B, 0x55, 0xEC, 0x8B, 0x02, 0x25, 0x00, 0x00, 0x00, 80 | 0x80, 0x74, 0x5D, 0x8B, 0x4D, 0x08, 0x8B, 0x55, 0x08, 0x03, 0x51, 0x3C, 0x89, 0x55, 0xE4, 0xB8, 81 | 0x08, 0x00, 0x00, 0x00, 0x6B, 0xC8, 0x00, 0x8B, 0x55, 0xE4, 0x8D, 0x44, 0x0A, 0x78, 0x89, 0x45, 82 | 0xE0, 0x8B, 0x4D, 0xE0, 0x8B, 0x55, 0x08, 0x03, 0x11, 0x89, 0x55, 0xE4, 0x8B, 0x45, 0xE4, 0x8B, 83 | 0x4D, 0x08, 0x03, 0x48, 0x1C, 0x89, 0x4D, 0xDC, 0x8B, 0x55, 0xEC, 0x8B, 0x02, 0x25, 0xFF, 0xFF, 84 | 0x00, 0x00, 0x8B, 0x4D, 0xE4, 0x2B, 0x41, 0x10, 0x8B, 0x55, 0xDC, 0x8D, 0x04, 0x82, 0x89, 0x45, 85 | 0xDC, 0x8B, 0x4D, 0xDC, 0x8B, 0x55, 0x08, 0x03, 0x11, 0x8B, 0x45, 0xF4, 0x89, 0x10, 0xEB, 0x1E, 86 | 0x8B, 0x4D, 0xF4, 0x8B, 0x55, 0xF8, 0x03, 0x11, 0x89, 0x55, 0xE8, 0x8B, 0x45, 0xE8, 0x83, 0xC0, 87 | 0x02, 0x50, 0x8B, 0x4D, 0x08, 0x51, 0xFF, 0x55, 0xC0, 0x8B, 0x55, 0xF4, 0x89, 0x02, 0x8B, 0x45, 88 | 0xF4, 0x83, 0xC0, 0x04, 0x89, 0x45, 0xF4, 0x83, 0x7D, 0xEC, 0x00, 0x74, 0x09, 0x8B, 0x4D, 0xEC, 89 | 0x83, 0xC1, 0x04, 0x89, 0x4D, 0xEC, 0xE9, 0x4A, 0xFF, 0xFF, 0xFF, 0x8B, 0x55, 0xF0, 0x83, 0xC2, 90 | 0x14, 0x89, 0x55, 0xF0, 0xE9, 0x08, 0xFF, 0xFF, 0xFF, 0x8B, 0x45, 0xD8, 0x8B, 0x4D, 0xF8, 0x2B, 91 | 0x48, 0x34, 0x89, 0x4D, 0x08, 0xBA, 0x08, 0x00, 0x00, 0x00, 0x6B, 0xC2, 0x05, 0x8B, 0x4D, 0xD8, 92 | 0x8D, 0x54, 0x01, 0x78, 0x89, 0x55, 0xE8, 0x8B, 0x45, 0xE8, 0x83, 0x78, 0x04, 0x00, 0x0F, 0x84, 93 | 0x9E, 0x01, 0x00, 0x00, 0x8B, 0x4D, 0xE8, 0x8B, 0x55, 0xF8, 0x03, 0x11, 0x89, 0x55, 0xF0, 0x8B, 94 | 0x45, 0xF0, 0x83, 0x78, 0x04, 0x00, 0x0F, 0x84, 0x86, 0x01, 0x00, 0x00, 0x8B, 0x4D, 0xF0, 0x8B, 95 | 0x55, 0xF8, 0x03, 0x11, 0x89, 0x55, 0xF4, 0x8B, 0x45, 0xF0, 0x8B, 0x48, 0x04, 0x83, 0xE9, 0x08, 96 | 0xD1, 0xE9, 0x89, 0x4D, 0xE8, 0x8B, 0x55, 0xF0, 0x83, 0xC2, 0x08, 0x89, 0x55, 0xEC, 0x8B, 0x45, 97 | 0xE8, 0x89, 0x45, 0xAC, 0x8B, 0x4D, 0xE8, 0x83, 0xE9, 0x01, 0x89, 0x4D, 0xE8, 0x83, 0x7D, 0xAC, 98 | 0x00, 0x0F, 0x84, 0x3A, 0x01, 0x00, 0x00, 0x8B, 0x55, 0xEC, 0x66, 0x8B, 0x02, 0x66, 0xC1, 0xE8, 99 | 0x0C, 0x66, 0x83, 0xE0, 0x0F, 0x0F, 0xB7, 0xC8, 0x83, 0xF9, 0x0A, 0x75, 0x30, 0xBA, 0xFF, 0x0F, 100 | 0x00, 0x00, 0x8B, 0x45, 0xEC, 0x66, 0x23, 0x10, 0x0F, 0xB7, 0xCA, 0x8B, 0x55, 0xF4, 0x8B, 0x04, 101 | 0x0A, 0x03, 0x45, 0x08, 0xB9, 0xFF, 0x0F, 0x00, 0x00, 0x8B, 0x55, 0xEC, 0x66, 0x23, 0x0A, 0x0F, 102 | 0xB7, 0xC9, 0x8B, 0x55, 0xF4, 0x89, 0x04, 0x0A, 0xE9, 0xE6, 0x00, 0x00, 0x00, 0x8B, 0x45, 0xEC, 103 | 0x66, 0x8B, 0x08, 0x66, 0xC1, 0xE9, 0x0C, 0x66, 0x83, 0xE1, 0x0F, 0x0F, 0xB7, 0xD1, 0x83, 0xFA, 104 | 0x03, 0x75, 0x30, 0xB8, 0xFF, 0x0F, 0x00, 0x00, 0x8B, 0x4D, 0xEC, 0x66, 0x23, 0x01, 0x0F, 0xB7, 105 | 0xD0, 0x8B, 0x45, 0xF4, 0x8B, 0x0C, 0x10, 0x03, 0x4D, 0x08, 0xBA, 0xFF, 0x0F, 0x00, 0x00, 0x8B, 106 | 0x45, 0xEC, 0x66, 0x23, 0x10, 0x0F, 0xB7, 0xD2, 0x8B, 0x45, 0xF4, 0x89, 0x0C, 0x10, 0xE9, 0xA0, 107 | 0x00, 0x00, 0x00, 0x8B, 0x4D, 0xEC, 0x66, 0x8B, 0x11, 0x66, 0xC1, 0xEA, 0x0C, 0x66, 0x83, 0xE2, 108 | 0x0F, 0x0F, 0xB7, 0xC2, 0x83, 0xF8, 0x01, 0x75, 0x3D, 0xB9, 0xFF, 0x0F, 0x00, 0x00, 0x8B, 0x55, 109 | 0xEC, 0x66, 0x23, 0x0A, 0x0F, 0xB7, 0xC1, 0x8B, 0x4D, 0x08, 0xC1, 0xE9, 0x10, 0x81, 0xE1, 0xFF, 110 | 0xFF, 0x00, 0x00, 0x0F, 0xB7, 0xD1, 0x8B, 0x4D, 0xF4, 0x0F, 0xB7, 0x04, 0x01, 0x03, 0xC2, 0xB9, 111 | 0xFF, 0x0F, 0x00, 0x00, 0x8B, 0x55, 0xEC, 0x66, 0x23, 0x0A, 0x0F, 0xB7, 0xC9, 0x8B, 0x55, 0xF4, 112 | 0x66, 0x89, 0x04, 0x0A, 0xEB, 0x4D, 0x8B, 0x45, 0xEC, 0x66, 0x8B, 0x08, 0x66, 0xC1, 0xE9, 0x0C, 113 | 0x66, 0x83, 0xE1, 0x0F, 0x0F, 0xB7, 0xD1, 0x83, 0xFA, 0x02, 0x75, 0x37, 0xB8, 0xFF, 0x0F, 0x00, 114 | 0x00, 0x8B, 0x4D, 0xEC, 0x66, 0x23, 0x01, 0x0F, 0xB7, 0xD0, 0x8B, 0x45, 0x08, 0x25, 0xFF, 0xFF, 115 | 0x00, 0x00, 0x0F, 0xB7, 0xC8, 0x8B, 0x45, 0xF4, 0x0F, 0xB7, 0x14, 0x10, 0x03, 0xD1, 0xB8, 0xFF, 116 | 0x0F, 0x00, 0x00, 0x8B, 0x4D, 0xEC, 0x66, 0x23, 0x01, 0x0F, 0xB7, 0xC0, 0x8B, 0x4D, 0xF4, 0x66, 117 | 0x89, 0x14, 0x01, 0x8B, 0x55, 0xEC, 0x83, 0xC2, 0x02, 0x89, 0x55, 0xEC, 0xE9, 0xAD, 0xFE, 0xFF, 118 | 0xFF, 0x8B, 0x45, 0xF0, 0x8B, 0x4D, 0xF0, 0x03, 0x48, 0x04, 0x89, 0x4D, 0xF0, 0xE9, 0x6D, 0xFE, 119 | 0xFF, 0xFF, 0x8B, 0x55, 0xD8, 0x8B, 0x45, 0xF8, 0x03, 0x42, 0x28, 0x89, 0x45, 0xF4, 0x6A, 0x00, 120 | 0x6A, 0x00, 0x6A, 0xFF, 0xFF, 0x55, 0xBC, 0x6A, 0x00, 0x6A, 0x01, 0x8B, 0x4D, 0xF8, 0x51, 0xFF, 121 | 0x55, 0xF4, 0x8B, 0x45, 0xF8, 0x8B, 0xE5, 0x5D, 0xC2, 0x04, 0x00, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 122 | 0x55, 0x8B, 0xEC, 0x51, 0xC7, 0x45, 0xFC, 0x00, 0x00, 0x00, 0x00, 0x8B, 0x45, 0xFC, 0x50, 0xE8, 123 | 0x2C, 0x00, 0x00, 0x00, 0x83, 0xC4, 0x04, 0x89, 0x45, 0xFC, 0x8B, 0x4D, 0x08, 0x0F, 0xBE, 0x11, 124 | 0x03, 0x55, 0xFC, 0x89, 0x55, 0xFC, 0x8B, 0x45, 0x08, 0x83, 0xC0, 0x01, 0x89, 0x45, 0x08, 0x8B, 125 | 0x4D, 0x08, 0x0F, 0xBE, 0x11, 0x85, 0xD2, 0x75, 0xD2, 0x8B, 0x45, 0xFC, 0x8B, 0xE5, 0x5D, 0xC3, 126 | 0x55, 0x8B, 0xEC, 0x8B, 0x45, 0x08, 0xC1, 0xC8, 0x0D, 0x5D, 0xC3, 0x00, 0x00, 0x00, 0x00, 0x00, 127 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 128 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 129 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 130 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 131 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 132 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 133 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 134 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 135 | 136 | 137 | }; 138 | 139 | 140 | unsigned char MemLoadShellcode_x64[] = { 141 | 142 | 143 | 0x48, 0x89, 0x4C, 0x24, 0x08, 0x48, 0x81, 0xEC, 0xD8, 0x00, 0x00, 0x00, 0x48, 0xC7, 0x84, 0x24, 144 | 0x98, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0xC7, 0x84, 0x24, 0x80, 0x00, 0x00, 0x00, 145 | 0x00, 0x00, 0x00, 0x00, 0x48, 0xC7, 0x84, 0x24, 0x90, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 146 | 0x48, 0xC7, 0x84, 0x24, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 147 | 0xE0, 0x00, 0x00, 0x00, 0x0F, 0xB7, 0x00, 0x3D, 0x4D, 0x5A, 0x00, 0x00, 0x74, 0x07, 0x33, 0xC0, 148 | 0xE9, 0x19, 0x0B, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 0xE0, 0x00, 0x00, 0x00, 0x48, 0x63, 0x40, 149 | 0x3C, 0x48, 0x8B, 0x8C, 0x24, 0xE0, 0x00, 0x00, 0x00, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 150 | 0x89, 0x44, 0x24, 0x70, 0x48, 0x8B, 0x44, 0x24, 0x70, 0x81, 0x38, 0x50, 0x45, 0x00, 0x00, 0x74, 151 | 0x07, 0x33, 0xC0, 0xE9, 0xE6, 0x0A, 0x00, 0x00, 0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 152 | 0x00, 0x48, 0x89, 0x44, 0x24, 0x28, 0x48, 0x8B, 0x44, 0x24, 0x28, 0x48, 0x8B, 0x40, 0x18, 0x48, 153 | 0x89, 0x44, 0x24, 0x28, 0x48, 0x8B, 0x44, 0x24, 0x28, 0x48, 0x8B, 0x40, 0x20, 0x48, 0x89, 0x44, 154 | 0x24, 0x30, 0x48, 0x83, 0x7C, 0x24, 0x30, 0x00, 0x0F, 0x84, 0xF1, 0x03, 0x00, 0x00, 0x48, 0x8B, 155 | 0x44, 0x24, 0x30, 0x48, 0x8B, 0x40, 0x50, 0x48, 0x89, 0x44, 0x24, 0x48, 0x48, 0x8B, 0x44, 0x24, 156 | 0x30, 0x0F, 0xB7, 0x40, 0x48, 0x66, 0x89, 0x44, 0x24, 0x20, 0x48, 0xC7, 0x44, 0x24, 0x38, 0x00, 157 | 0x00, 0x00, 0x00, 0x8B, 0x4C, 0x24, 0x38, 0xE8, 0xF4, 0x0A, 0x00, 0x00, 0x8B, 0xC0, 0x48, 0x89, 158 | 0x44, 0x24, 0x38, 0x48, 0x8B, 0x44, 0x24, 0x48, 0x0F, 0xB6, 0x00, 0x83, 0xF8, 0x61, 0x7C, 0x1F, 159 | 0x48, 0x8B, 0x44, 0x24, 0x48, 0x0F, 0xB6, 0x00, 0x83, 0xE8, 0x20, 0x48, 0x98, 0x48, 0x8B, 0x4C, 160 | 0x24, 0x38, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x38, 0xEB, 0x18, 0x48, 161 | 0x8B, 0x44, 0x24, 0x48, 0x0F, 0xB6, 0x00, 0x48, 0x8B, 0x4C, 0x24, 0x38, 0x48, 0x03, 0xC8, 0x48, 162 | 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x38, 0x48, 0x8B, 0x44, 0x24, 0x48, 0x48, 0xFF, 0xC0, 0x48, 163 | 0x89, 0x44, 0x24, 0x48, 0x0F, 0xB7, 0x44, 0x24, 0x20, 0x66, 0xFF, 0xC8, 0x66, 0x89, 0x44, 0x24, 164 | 0x20, 0x0F, 0xB7, 0x44, 0x24, 0x20, 0x85, 0xC0, 0x75, 0x89, 0x81, 0x7C, 0x24, 0x38, 0x5B, 0xBC, 165 | 0x4A, 0x6A, 0x0F, 0x85, 0xB1, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x30, 0x48, 0x8B, 0x40, 166 | 0x20, 0x48, 0x89, 0x44, 0x24, 0x28, 0x48, 0x8B, 0x44, 0x24, 0x28, 0x48, 0x63, 0x40, 0x3C, 0x48, 167 | 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x58, 0xB8, 168 | 0x08, 0x00, 0x00, 0x00, 0x48, 0x6B, 0xC0, 0x00, 0x48, 0x8B, 0x4C, 0x24, 0x58, 0x48, 0x8D, 0x84, 169 | 0x01, 0x88, 0x00, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x60, 0x48, 0x8B, 0x44, 0x24, 0x60, 0x8B, 170 | 0x00, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 171 | 0x58, 0x48, 0x8B, 0x44, 0x24, 0x58, 0x8B, 0x40, 0x20, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 172 | 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x60, 0x48, 0x8B, 0x44, 0x24, 0x58, 0x8B, 0x40, 173 | 0x24, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 174 | 0x78, 0xB8, 0x03, 0x00, 0x00, 0x00, 0x66, 0x89, 0x44, 0x24, 0x20, 0x0F, 0xB7, 0x44, 0x24, 0x20, 175 | 0x85, 0xC0, 0x0F, 0x8E, 0x0C, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x60, 0x8B, 0x00, 0x48, 176 | 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x8B, 0xC8, 0xE8, 0x5E, 0x09, 177 | 0x00, 0x00, 0x89, 0x44, 0x24, 0x50, 0x81, 0x7C, 0x24, 0x50, 0x8E, 0x4E, 0x0E, 0xEC, 0x74, 0x18, 178 | 0x81, 0x7C, 0x24, 0x50, 0xAA, 0xFC, 0x0D, 0x7C, 0x74, 0x0E, 0x81, 0x7C, 0x24, 0x50, 0x54, 0xCA, 179 | 0xAF, 0x91, 0x0F, 0x85, 0xAB, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x58, 0x8B, 0x40, 0x1C, 180 | 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x68, 181 | 0x48, 0x8B, 0x44, 0x24, 0x78, 0x0F, 0xB7, 0x00, 0x48, 0x8B, 0x4C, 0x24, 0x68, 0x48, 0x8D, 0x04, 182 | 0x81, 0x48, 0x89, 0x44, 0x24, 0x68, 0x81, 0x7C, 0x24, 0x50, 0x8E, 0x4E, 0x0E, 0xEC, 0x75, 0x1C, 183 | 0x48, 0x8B, 0x44, 0x24, 0x68, 0x8B, 0x00, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 184 | 0x8B, 0xC1, 0x48, 0x89, 0x84, 0x24, 0x98, 0x00, 0x00, 0x00, 0xEB, 0x4A, 0x81, 0x7C, 0x24, 0x50, 185 | 0xAA, 0xFC, 0x0D, 0x7C, 0x75, 0x1C, 0x48, 0x8B, 0x44, 0x24, 0x68, 0x8B, 0x00, 0x48, 0x8B, 0x4C, 186 | 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x84, 0x24, 0x80, 0x00, 0x00, 0x00, 187 | 0xEB, 0x24, 0x81, 0x7C, 0x24, 0x50, 0x54, 0xCA, 0xAF, 0x91, 0x75, 0x1A, 0x48, 0x8B, 0x44, 0x24, 188 | 0x68, 0x8B, 0x00, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 189 | 0x84, 0x24, 0x90, 0x00, 0x00, 0x00, 0x0F, 0xB7, 0x44, 0x24, 0x20, 0x66, 0xFF, 0xC8, 0x66, 0x89, 190 | 0x44, 0x24, 0x20, 0x48, 0x8B, 0x44, 0x24, 0x60, 0x48, 0x83, 0xC0, 0x04, 0x48, 0x89, 0x44, 0x24, 191 | 0x60, 0x48, 0x8B, 0x44, 0x24, 0x78, 0x48, 0x83, 0xC0, 0x02, 0x48, 0x89, 0x44, 0x24, 0x78, 0xE9, 192 | 0xE7, 0xFE, 0xFF, 0xFF, 0xE9, 0x56, 0x01, 0x00, 0x00, 0x81, 0x7C, 0x24, 0x38, 0x5D, 0x68, 0xFA, 193 | 0x3C, 0x0F, 0x85, 0x48, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x30, 0x48, 0x8B, 0x40, 0x20, 194 | 0x48, 0x89, 0x44, 0x24, 0x28, 0x48, 0x8B, 0x44, 0x24, 0x28, 0x48, 0x63, 0x40, 0x3C, 0x48, 0x8B, 195 | 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x58, 0xB8, 0x08, 196 | 0x00, 0x00, 0x00, 0x48, 0x6B, 0xC0, 0x00, 0x48, 0x8B, 0x4C, 0x24, 0x58, 0x48, 0x8D, 0x84, 0x01, 197 | 0x88, 0x00, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x60, 0x48, 0x8B, 0x44, 0x24, 0x60, 0x8B, 0x00, 198 | 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x58, 199 | 0x48, 0x8B, 0x44, 0x24, 0x58, 0x8B, 0x40, 0x20, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 200 | 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x60, 0x48, 0x8B, 0x44, 0x24, 0x58, 0x8B, 0x40, 0x24, 201 | 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x78, 202 | 0xB8, 0x01, 0x00, 0x00, 0x00, 0x66, 0x89, 0x44, 0x24, 0x20, 0x0F, 0xB7, 0x44, 0x24, 0x20, 0x85, 203 | 0xC0, 0x0F, 0x8E, 0xA8, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x60, 0x8B, 0x00, 0x48, 0x8B, 204 | 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x8B, 0xC8, 0xE8, 0x9F, 0x07, 0x00, 205 | 0x00, 0x89, 0x44, 0x24, 0x50, 0x81, 0x7C, 0x24, 0x50, 0xB8, 0x0A, 0x4C, 0x53, 0x75, 0x5F, 0x48, 206 | 0x8B, 0x44, 0x24, 0x58, 0x8B, 0x40, 0x1C, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 207 | 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x68, 0x48, 0x8B, 0x44, 0x24, 0x78, 0x0F, 0xB7, 0x00, 0x48, 208 | 0x8B, 0x4C, 0x24, 0x68, 0x48, 0x8D, 0x04, 0x81, 0x48, 0x89, 0x44, 0x24, 0x68, 0x81, 0x7C, 0x24, 209 | 0x50, 0xB8, 0x0A, 0x4C, 0x53, 0x75, 0x1A, 0x48, 0x8B, 0x44, 0x24, 0x68, 0x8B, 0x00, 0x48, 0x8B, 210 | 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x84, 0x24, 0x88, 0x00, 0x00, 211 | 0x00, 0x0F, 0xB7, 0x44, 0x24, 0x20, 0x66, 0xFF, 0xC8, 0x66, 0x89, 0x44, 0x24, 0x20, 0x48, 0x8B, 212 | 0x44, 0x24, 0x60, 0x48, 0x83, 0xC0, 0x04, 0x48, 0x89, 0x44, 0x24, 0x60, 0x48, 0x8B, 0x44, 0x24, 213 | 0x78, 0x48, 0x83, 0xC0, 0x02, 0x48, 0x89, 0x44, 0x24, 0x78, 0xE9, 0x4B, 0xFF, 0xFF, 0xFF, 0x48, 214 | 0x83, 0xBC, 0x24, 0x98, 0x00, 0x00, 0x00, 0x00, 0x74, 0x23, 0x48, 0x83, 0xBC, 0x24, 0x80, 0x00, 215 | 0x00, 0x00, 0x00, 0x74, 0x18, 0x48, 0x83, 0xBC, 0x24, 0x90, 0x00, 0x00, 0x00, 0x00, 0x74, 0x0D, 216 | 0x48, 0x83, 0xBC, 0x24, 0x88, 0x00, 0x00, 0x00, 0x00, 0x74, 0x02, 0xEB, 0x12, 0x48, 0x8B, 0x44, 217 | 0x24, 0x30, 0x48, 0x8B, 0x00, 0x48, 0x89, 0x44, 0x24, 0x30, 0xE9, 0x03, 0xFC, 0xFF, 0xFF, 0x48, 218 | 0x8B, 0x84, 0x24, 0xE0, 0x00, 0x00, 0x00, 0x0F, 0xB7, 0x00, 0x3D, 0x4D, 0x5A, 0x00, 0x00, 0x74, 219 | 0x07, 0x33, 0xC0, 0xE9, 0xA6, 0x06, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 0xE0, 0x00, 0x00, 0x00, 220 | 0x48, 0x63, 0x40, 0x3C, 0x48, 0x8B, 0x8C, 0x24, 0xE0, 0x00, 0x00, 0x00, 0x48, 0x03, 0xC8, 0x48, 221 | 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x70, 0x48, 0x8B, 0x44, 0x24, 0x70, 0x81, 0x38, 0x50, 0x45, 222 | 0x00, 0x00, 0x74, 0x07, 0x33, 0xC0, 0xE9, 0x73, 0x06, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x70, 223 | 0x8B, 0x40, 0x50, 0x41, 0xB9, 0x40, 0x00, 0x00, 0x00, 0x41, 0xB8, 0x00, 0x30, 0x00, 0x00, 0x8B, 224 | 0xD0, 0x33, 0xC9, 0xFF, 0x94, 0x24, 0x90, 0x00, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x28, 0x48, 225 | 0x8B, 0x44, 0x24, 0x70, 0x8B, 0x40, 0x54, 0x48, 0x89, 0x44, 0x24, 0x30, 0x48, 0x8B, 0x84, 0x24, 226 | 0xE0, 0x00, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x48, 0x48, 0x8B, 0x44, 0x24, 0x28, 0x48, 0x89, 227 | 0x44, 0x24, 0x38, 0x48, 0x8B, 0x44, 0x24, 0x30, 0x48, 0x89, 0x84, 0x24, 0xA8, 0x00, 0x00, 0x00, 228 | 0x48, 0x8B, 0x44, 0x24, 0x30, 0x48, 0xFF, 0xC8, 0x48, 0x89, 0x44, 0x24, 0x30, 0x48, 0x83, 0xBC, 229 | 0x24, 0xA8, 0x00, 0x00, 0x00, 0x00, 0x74, 0x2B, 0x48, 0x8B, 0x44, 0x24, 0x38, 0x48, 0x8B, 0x4C, 230 | 0x24, 0x48, 0x0F, 0xB6, 0x09, 0x88, 0x08, 0x48, 0x8B, 0x44, 0x24, 0x38, 0x48, 0xFF, 0xC0, 0x48, 231 | 0x89, 0x44, 0x24, 0x38, 0x48, 0x8B, 0x44, 0x24, 0x48, 0x48, 0xFF, 0xC0, 0x48, 0x89, 0x44, 0x24, 232 | 0x48, 0xEB, 0xB0, 0x48, 0x8B, 0x44, 0x24, 0x70, 0x0F, 0xB7, 0x40, 0x14, 0x48, 0x8B, 0x4C, 0x24, 233 | 0x70, 0x48, 0x8D, 0x44, 0x01, 0x18, 0x48, 0x89, 0x44, 0x24, 0x30, 0x48, 0x8B, 0x44, 0x24, 0x70, 234 | 0x0F, 0xB7, 0x40, 0x06, 0x48, 0x89, 0x84, 0x24, 0xA0, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 235 | 0xA0, 0x00, 0x00, 0x00, 0x48, 0x89, 0x84, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 236 | 0xA0, 0x00, 0x00, 0x00, 0x48, 0xFF, 0xC8, 0x48, 0x89, 0x84, 0x24, 0xA0, 0x00, 0x00, 0x00, 0x48, 237 | 0x83, 0xBC, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x0F, 0x84, 0xA3, 0x00, 0x00, 0x00, 0x48, 0x8B, 238 | 0x44, 0x24, 0x30, 0x8B, 0x40, 0x0C, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 239 | 0xC1, 0x48, 0x89, 0x44, 0x24, 0x48, 0x48, 0x8B, 0x44, 0x24, 0x30, 0x8B, 0x40, 0x14, 0x48, 0x8B, 240 | 0x8C, 0x24, 0xE0, 0x00, 0x00, 0x00, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 241 | 0x38, 0x48, 0x8B, 0x44, 0x24, 0x30, 0x8B, 0x40, 0x10, 0x48, 0x89, 0x44, 0x24, 0x40, 0x48, 0x8B, 242 | 0x44, 0x24, 0x40, 0x48, 0x89, 0x84, 0x24, 0xB0, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x40, 243 | 0x48, 0xFF, 0xC8, 0x48, 0x89, 0x44, 0x24, 0x40, 0x48, 0x83, 0xBC, 0x24, 0xB0, 0x00, 0x00, 0x00, 244 | 0x00, 0x74, 0x2B, 0x48, 0x8B, 0x44, 0x24, 0x48, 0x48, 0x8B, 0x4C, 0x24, 0x38, 0x0F, 0xB6, 0x09, 245 | 0x88, 0x08, 0x48, 0x8B, 0x44, 0x24, 0x48, 0x48, 0xFF, 0xC0, 0x48, 0x89, 0x44, 0x24, 0x48, 0x48, 246 | 0x8B, 0x44, 0x24, 0x38, 0x48, 0xFF, 0xC0, 0x48, 0x89, 0x44, 0x24, 0x38, 0xEB, 0xB0, 0x48, 0x8B, 247 | 0x44, 0x24, 0x30, 0x48, 0x83, 0xC0, 0x28, 0x48, 0x89, 0x44, 0x24, 0x30, 0xE9, 0x2B, 0xFF, 0xFF, 248 | 0xFF, 0xB8, 0x08, 0x00, 0x00, 0x00, 0x48, 0x6B, 0xC0, 0x01, 0x48, 0x8B, 0x4C, 0x24, 0x70, 0x48, 249 | 0x8D, 0x84, 0x01, 0x88, 0x00, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x48, 0x48, 0x8B, 0x44, 0x24, 250 | 0x48, 0x8B, 0x00, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 251 | 0x44, 0x24, 0x38, 0x48, 0x8B, 0x44, 0x24, 0x38, 0x83, 0x78, 0x0C, 0x00, 0x0F, 0x84, 0xB9, 0x01, 252 | 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x38, 0x8B, 0x40, 0x0C, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 253 | 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x8B, 0xC8, 0xFF, 0x94, 0x24, 0x98, 0x00, 0x00, 0x00, 0x48, 254 | 0x89, 0x84, 0x24, 0xE0, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x38, 0x8B, 0x00, 0x48, 0x8B, 255 | 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x40, 0x48, 0x8B, 256 | 0x44, 0x24, 0x38, 0x8B, 0x40, 0x10, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 257 | 0xC1, 0x48, 0x89, 0x44, 0x24, 0x30, 0x48, 0x8B, 0x44, 0x24, 0x30, 0x48, 0x83, 0x38, 0x00, 0x0F, 258 | 0x84, 0x43, 0x01, 0x00, 0x00, 0x48, 0x83, 0x7C, 0x24, 0x40, 0x00, 0x0F, 0x84, 0xD3, 0x00, 0x00, 259 | 0x00, 0x48, 0x8B, 0x44, 0x24, 0x40, 0x48, 0xB9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 260 | 0x48, 0x8B, 0x00, 0x48, 0x23, 0xC1, 0x48, 0x85, 0xC0, 0x0F, 0x84, 0xB5, 0x00, 0x00, 0x00, 0x48, 261 | 0x8B, 0x84, 0x24, 0xE0, 0x00, 0x00, 0x00, 0x48, 0x63, 0x40, 0x3C, 0x48, 0x8B, 0x8C, 0x24, 0xE0, 262 | 0x00, 0x00, 0x00, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x58, 0xB8, 0x08, 263 | 0x00, 0x00, 0x00, 0x48, 0x6B, 0xC0, 0x00, 0x48, 0x8B, 0x4C, 0x24, 0x58, 0x48, 0x8D, 0x84, 0x01, 264 | 0x88, 0x00, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x60, 0x48, 0x8B, 0x44, 0x24, 0x60, 0x8B, 0x00, 265 | 0x48, 0x8B, 0x8C, 0x24, 0xE0, 0x00, 0x00, 0x00, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 266 | 0x44, 0x24, 0x58, 0x48, 0x8B, 0x44, 0x24, 0x58, 0x8B, 0x40, 0x1C, 0x48, 0x8B, 0x8C, 0x24, 0xE0, 267 | 0x00, 0x00, 0x00, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x68, 0x48, 0x8B, 268 | 0x44, 0x24, 0x40, 0x48, 0x8B, 0x00, 0x48, 0x25, 0xFF, 0xFF, 0x00, 0x00, 0x48, 0x8B, 0x4C, 0x24, 269 | 0x58, 0x8B, 0x49, 0x10, 0x48, 0x2B, 0xC1, 0x48, 0x8B, 0x4C, 0x24, 0x68, 0x48, 0x8D, 0x04, 0x81, 270 | 0x48, 0x89, 0x44, 0x24, 0x68, 0x48, 0x8B, 0x44, 0x24, 0x68, 0x8B, 0x00, 0x48, 0x8B, 0x8C, 0x24, 271 | 0xE0, 0x00, 0x00, 0x00, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x8B, 0x4C, 0x24, 0x30, 0x48, 272 | 0x89, 0x01, 0xEB, 0x3B, 0x48, 0x8B, 0x44, 0x24, 0x30, 0x48, 0x8B, 0x00, 0x48, 0x8B, 0x4C, 0x24, 273 | 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x48, 0x48, 0x8B, 0x44, 0x24, 274 | 0x48, 0x48, 0x83, 0xC0, 0x02, 0x48, 0x8B, 0xD0, 0x48, 0x8B, 0x8C, 0x24, 0xE0, 0x00, 0x00, 0x00, 275 | 0xFF, 0x94, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x4C, 0x24, 0x30, 0x48, 0x89, 0x01, 0x48, 276 | 0x8B, 0x44, 0x24, 0x30, 0x48, 0x83, 0xC0, 0x08, 0x48, 0x89, 0x44, 0x24, 0x30, 0x48, 0x83, 0x7C, 277 | 0x24, 0x40, 0x00, 0x74, 0x0E, 0x48, 0x8B, 0x44, 0x24, 0x40, 0x48, 0x83, 0xC0, 0x08, 0x48, 0x89, 278 | 0x44, 0x24, 0x40, 0xE9, 0xAE, 0xFE, 0xFF, 0xFF, 0x48, 0x8B, 0x44, 0x24, 0x38, 0x48, 0x83, 0xC0, 279 | 0x14, 0x48, 0x89, 0x44, 0x24, 0x38, 0xE9, 0x38, 0xFE, 0xFF, 0xFF, 0x48, 0x8B, 0x44, 0x24, 0x70, 280 | 0x48, 0x8B, 0x40, 0x30, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x2B, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 281 | 0x89, 0x84, 0x24, 0xE0, 0x00, 0x00, 0x00, 0xB8, 0x08, 0x00, 0x00, 0x00, 0x48, 0x6B, 0xC0, 0x05, 282 | 0x48, 0x8B, 0x4C, 0x24, 0x70, 0x48, 0x8D, 0x84, 0x01, 0x88, 0x00, 0x00, 0x00, 0x48, 0x89, 0x44, 283 | 0x24, 0x48, 0x48, 0x8B, 0x44, 0x24, 0x48, 0x83, 0x78, 0x04, 0x00, 0x0F, 0x84, 0x5C, 0x02, 0x00, 284 | 0x00, 0x48, 0x8B, 0x44, 0x24, 0x48, 0x8B, 0x00, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 285 | 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x38, 0x48, 0x8B, 0x44, 0x24, 0x38, 0x83, 0x78, 0x04, 286 | 0x00, 0x0F, 0x84, 0x36, 0x02, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x38, 0x8B, 0x00, 0x48, 0x8B, 287 | 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x30, 0x48, 0x8B, 288 | 0x44, 0x24, 0x38, 0x8B, 0x40, 0x04, 0x48, 0x83, 0xE8, 0x08, 0x33, 0xD2, 0xB9, 0x02, 0x00, 0x00, 289 | 0x00, 0x48, 0xF7, 0xF1, 0x48, 0x89, 0x44, 0x24, 0x48, 0x48, 0x8B, 0x44, 0x24, 0x38, 0x48, 0x83, 290 | 0xC0, 0x08, 0x48, 0x89, 0x44, 0x24, 0x40, 0x48, 0x8B, 0x44, 0x24, 0x48, 0x48, 0x89, 0x84, 0x24, 291 | 0xC0, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x48, 0x48, 0xFF, 0xC8, 0x48, 0x89, 0x44, 0x24, 292 | 0x48, 0x48, 0x83, 0xBC, 0x24, 0xC0, 0x00, 0x00, 0x00, 0x00, 0x0F, 0x84, 0xB0, 0x01, 0x00, 0x00, 293 | 0x48, 0x8B, 0x44, 0x24, 0x40, 0x0F, 0xB7, 0x00, 0x66, 0xC1, 0xE8, 0x0C, 0x66, 0x83, 0xE0, 0x0F, 294 | 0x0F, 0xB7, 0xC0, 0x83, 0xF8, 0x0A, 0x75, 0x4B, 0xB8, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8B, 0x4C, 295 | 0x24, 0x40, 0x0F, 0xB7, 0x09, 0x66, 0x23, 0xC8, 0x0F, 0xB7, 0xC1, 0x0F, 0xB7, 0xC0, 0x48, 0x8B, 296 | 0x4C, 0x24, 0x30, 0x48, 0x8B, 0x04, 0x01, 0x48, 0x03, 0x84, 0x24, 0xE0, 0x00, 0x00, 0x00, 0xB9, 297 | 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8B, 0x54, 0x24, 0x40, 0x0F, 0xB7, 0x12, 0x66, 0x23, 0xD1, 0x0F, 298 | 0xB7, 0xCA, 0x0F, 0xB7, 0xC9, 0x48, 0x8B, 0x54, 0x24, 0x30, 0x48, 0x89, 0x04, 0x0A, 0xE9, 0x3A, 299 | 0x01, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x40, 0x0F, 0xB7, 0x00, 0x66, 0xC1, 0xE8, 0x0C, 0x66, 300 | 0x83, 0xE0, 0x0F, 0x0F, 0xB7, 0xC0, 0x83, 0xF8, 0x03, 0x75, 0x48, 0xB8, 0xFF, 0x0F, 0x00, 0x00, 301 | 0x48, 0x8B, 0x4C, 0x24, 0x40, 0x0F, 0xB7, 0x09, 0x66, 0x23, 0xC8, 0x0F, 0xB7, 0xC1, 0x0F, 0xB7, 302 | 0xC0, 0x48, 0x8B, 0x4C, 0x24, 0x30, 0x8B, 0x04, 0x01, 0x03, 0x84, 0x24, 0xE0, 0x00, 0x00, 0x00, 303 | 0xB9, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8B, 0x54, 0x24, 0x40, 0x0F, 0xB7, 0x12, 0x66, 0x23, 0xD1, 304 | 0x0F, 0xB7, 0xCA, 0x0F, 0xB7, 0xC9, 0x48, 0x8B, 0x54, 0x24, 0x30, 0x89, 0x04, 0x0A, 0xE9, 0xDA, 305 | 0x00, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x40, 0x0F, 0xB7, 0x00, 0x66, 0xC1, 0xE8, 0x0C, 0x66, 306 | 0x83, 0xE0, 0x0F, 0x0F, 0xB7, 0xC0, 0x83, 0xF8, 0x01, 0x75, 0x58, 0xB8, 0xFF, 0x0F, 0x00, 0x00, 307 | 0x48, 0x8B, 0x4C, 0x24, 0x40, 0x0F, 0xB7, 0x09, 0x66, 0x23, 0xC8, 0x0F, 0xB7, 0xC1, 0x0F, 0xB7, 308 | 0xC0, 0x48, 0x8B, 0x8C, 0x24, 0xE0, 0x00, 0x00, 0x00, 0x48, 0xC1, 0xE9, 0x10, 0x48, 0x81, 0xE1, 309 | 0xFF, 0xFF, 0x00, 0x00, 0x0F, 0xB7, 0xC9, 0x48, 0x8B, 0x54, 0x24, 0x30, 0x0F, 0xB7, 0x04, 0x02, 310 | 0x03, 0xC1, 0xB9, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8B, 0x54, 0x24, 0x40, 0x0F, 0xB7, 0x12, 0x66, 311 | 0x23, 0xD1, 0x0F, 0xB7, 0xCA, 0x0F, 0xB7, 0xC9, 0x48, 0x8B, 0x54, 0x24, 0x30, 0x66, 0x89, 0x04, 312 | 0x0A, 0xEB, 0x6A, 0x48, 0x8B, 0x44, 0x24, 0x40, 0x0F, 0xB7, 0x00, 0x66, 0xC1, 0xE8, 0x0C, 0x66, 313 | 0x83, 0xE0, 0x0F, 0x0F, 0xB7, 0xC0, 0x83, 0xF8, 0x02, 0x75, 0x52, 0xB8, 0xFF, 0x0F, 0x00, 0x00, 314 | 0x48, 0x8B, 0x4C, 0x24, 0x40, 0x0F, 0xB7, 0x09, 0x66, 0x23, 0xC8, 0x0F, 0xB7, 0xC1, 0x0F, 0xB7, 315 | 0xC0, 0x48, 0x8B, 0x8C, 0x24, 0xE0, 0x00, 0x00, 0x00, 0x48, 0x81, 0xE1, 0xFF, 0xFF, 0x00, 0x00, 316 | 0x0F, 0xB7, 0xC9, 0x48, 0x8B, 0x54, 0x24, 0x30, 0x0F, 0xB7, 0x04, 0x02, 0x03, 0xC1, 0xB9, 0xFF, 317 | 0x0F, 0x00, 0x00, 0x48, 0x8B, 0x54, 0x24, 0x40, 0x0F, 0xB7, 0x12, 0x66, 0x23, 0xD1, 0x0F, 0xB7, 318 | 0xCA, 0x0F, 0xB7, 0xC9, 0x48, 0x8B, 0x54, 0x24, 0x30, 0x66, 0x89, 0x04, 0x0A, 0x48, 0x8B, 0x44, 319 | 0x24, 0x40, 0x48, 0x83, 0xC0, 0x02, 0x48, 0x89, 0x44, 0x24, 0x40, 0xE9, 0x27, 0xFE, 0xFF, 0xFF, 320 | 0x48, 0x8B, 0x44, 0x24, 0x38, 0x8B, 0x40, 0x04, 0x48, 0x8B, 0x4C, 0x24, 0x38, 0x48, 0x03, 0xC8, 321 | 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x38, 0xE9, 0xBB, 0xFD, 0xFF, 0xFF, 0x48, 0x8B, 0x44, 322 | 0x24, 0x70, 0x8B, 0x40, 0x28, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 323 | 0x48, 0x89, 0x44, 0x24, 0x30, 0x45, 0x33, 0xC0, 0x33, 0xD2, 0x48, 0xC7, 0xC1, 0xFF, 0xFF, 0xFF, 324 | 0xFF, 0xFF, 0x94, 0x24, 0x88, 0x00, 0x00, 0x00, 0x45, 0x33, 0xC0, 0xBA, 0x01, 0x00, 0x00, 0x00, 325 | 0x48, 0x8B, 0x4C, 0x24, 0x28, 0xFF, 0x54, 0x24, 0x30, 0x48, 0x8B, 0x44, 0x24, 0x28, 0x48, 0x81, 326 | 0xC4, 0xD8, 0x00, 0x00, 0x00, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 327 | 0x48, 0x89, 0x4C, 0x24, 0x08, 0x48, 0x83, 0xEC, 0x38, 0xC7, 0x44, 0x24, 0x20, 0x00, 0x00, 0x00, 328 | 0x00, 0x8B, 0x4C, 0x24, 0x20, 0xE8, 0x46, 0x00, 0x00, 0x00, 0x89, 0x44, 0x24, 0x20, 0x48, 0x8B, 329 | 0x44, 0x24, 0x40, 0x0F, 0xBE, 0x00, 0x8B, 0x4C, 0x24, 0x20, 0x03, 0xC8, 0x8B, 0xC1, 0x89, 0x44, 330 | 0x24, 0x20, 0x48, 0x8B, 0x44, 0x24, 0x40, 0x48, 0xFF, 0xC0, 0x48, 0x89, 0x44, 0x24, 0x40, 0x48, 331 | 0x8B, 0x44, 0x24, 0x40, 0x0F, 0xBE, 0x00, 0x85, 0xC0, 0x75, 0xC6, 0x8B, 0x44, 0x24, 0x20, 0x48, 332 | 0x83, 0xC4, 0x38, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 333 | 0x89, 0x4C, 0x24, 0x08, 0x8B, 0x44, 0x24, 0x08, 0xC1, 0xC8, 0x0D, 0xC3, 0x00, 0x00, 0x00, 0x00, 334 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 335 | 0x00, 0x00, 0x00, 0x00, 0x24, 0xD9, 0x29, 0x5B, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 336 | 0x54, 0x00, 0x00, 0x00, 0x38, 0x20, 0x00, 0x00, 0x38, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 337 | 0x24, 0xD9, 0x29, 0x5B, 0x00, 0x00, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 338 | 0x8C, 0x20, 0x00, 0x00, 0x8C, 0x10, 0x00, 0x00, 0x52, 0x53, 0x44, 0x53, 0x45, 0x16, 0xB7, 0x56, 339 | 0x5A, 0x59, 0xCF, 0x4A, 0xA1, 0xCD, 0xB1, 0xA7, 0xB6, 0x5E, 0x15, 0xCE, 0x02, 0x00, 0x00, 0x00 340 | 341 | 342 | }; 343 | 344 | 345 | #endif --------------------------------------------------------------------------------