├── deobf_bitpaymer.py ├── deobf_bitpaymer_cutter.py ├── deobf_synack.py ├── filter_dionaea_db.py ├── pastebin_scraper ├── README.md ├── binaries │ └── sample ├── config.yml.default ├── database.sqlite ├── db_script.sql ├── find_cc.py └── scraper.py └── whack_a_proc └── README.md /deobf_bitpaymer.py: -------------------------------------------------------------------------------- 1 | import binascii 2 | 3 | IMMEDIATE_TYPE = 5 4 | 5 | dlls = [ 6 | b"KERNEL32", 7 | b"NTDLL", 8 | b"ADVAPI32", 9 | b"SHELL32", 10 | b"CRYPT32", 11 | b"SHLWAPI", 12 | ] 13 | 14 | ntdll_funcs = [ 15 | b"A_SHAFinal", b"A_SHAInit", b"A_SHAUpdate", b"AitFireParentUsageEvent", b"AitLogFeatureUsageByApp", b"AlpcAdjustCompletionListConcurrencyCount", b"AlpcFreeCompletionListMessage", b"AlpcGetCompletionListLastMessageInformation", b"AlpcGetCompletionListMessageAttributes", b"AlpcGetHeaderSize", b"AlpcGetMessageAttribute", b"AlpcGetMessageFromCompletionList", b"AlpcGetOutstandingCompletionListMessageCount", b"AlpcInitializeMessageAttribute", b"AlpcMaxAllowedMessageLength", b"AlpcRegisterCompletionList", b"AlpcRegisterCompletionListWorkerThread", b"AlpcRundownCompletionList", b"AlpcUnregisterCompletionList", b"AlpcUnregisterCompletionListWorkerThread", b"ApiSetQueryApiSetPresence", b"CsrAllocateCaptureBuffer", b"CsrAllocateCapturePointer", b"CsrAllocateMessagePointer", b"CsrCaptureMessageBuffer", b"CsrCaptureMessageMultiUnicodeStringsInPlace", b"CsrCaptureMessageString", b"CsrCaptureTimeout", b"CsrClientCallServer", b"CsrClientConnectToServer", b"CsrClientMaxMessage", b"CsrClientSendMessage", b"CsrClientThreadConnect", b"CsrFreeCaptureBuffer", b"CsrGetProcessId", b"CsrIdentifyAlertableThread", b"CsrNewThread", b"CsrProbeForRead", b"CsrProbeForWrite", b"CsrSetPriorityClass", b"CsrVerifyRegion", b"CsrpProcessCallbackRequest", b"DbgBreakPoint", b"DbgPrint", b"DbgPrintEx", b"DbgPrintReturnControlC", b"DbgPrompt", b"DbgQueryDebugFilterState", b"DbgSetDebugFilterState", b"DbgSsHandleKmApiMsg", 
b"DbgSsInitialize", b"DbgUiConnectToDbg", b"DbgUiContinue", b"DbgUiConvertStateChangeStructure", b"DbgUiConvertStateChangeStructureEx", b"DbgUiDebugActiveProcess", b"DbgUiGetThreadDebugObject", b"DbgUiIssueRemoteBreakDbgUiRemoteBreakDbgUiSetThreadDebugObject", b"DbgUiStopDebugging", b"DbgUiWaitStateChange", b"DbgUserBreakPoint", b"EtwControlTraceA", b"EtwControlTraceW", b"EtwCreateTraceInstanceId", b"EtwDeliverDataBlock", b"EtwEnableTrace", b"EtwEnumerateProcessRegGuids", b"EtwEnumerateTraceGuids", b"EtwEventActivityIdControl", b"EtwEventEnabled", b"EtwEventProviderEnabled", b"EtwEventRegister", b"EtwEventSetInformation", b"EtwEventUnregister", b"EtwEventWrite", b"EtwEventWriteEndScenario", b"EtwEventWriteEx", b"EtwEventWriteFull", b"EtwEventWriteNoRegistration", b"EtwEventWriteStartScenario", b"EtwEventWriteString", b"EtwEventWriteTransfer", b"EtwFlushTraceA", b"EtwFlushTraceW", b"EtwGetTraceEnableFlags", b"EtwGetTraceEnableLevel", b"EtwGetTraceLoggerHandle", b"EtwLogTraceEvent", b"EtwNotificationRegister", b"EtwNotificationRegistrationA", b"EtwNotificationRegistrationW", b"EtwNotificationUnregister", b"EtwProcessPrivateLoggerRequest", b"EtwQueryAllTracesA", b"EtwQueryAllTracesW", b"EtwQueryTraceA", b"EtwQueryTraceW", b"EtwReceiveNotificationsA", b"EtwReceiveNotificationsW", b"EtwRegisterSecurityProvider", b"EtwRegisterTraceGuidsA", b"EtwRegisterTraceGuidsW", b"EtwReplyNotification", b"EtwSendNotification", b"EtwSetMark", b"EtwStartTraceA", b"EtwStartTraceW", b"EtwStopTraceA", b"EtwStopTraceW", b"EtwTraceEvent", b"EtwTraceEventInstance", b"EtwTraceMessage", b"EtwTraceMessageVa", b"EtwUnregisterTraceGuids", b"EtwUpdateTraceA", b"EtwUpdateTraceW", b"EtwWriteUMSecurityEvent", b"EtwpCreateEtwThread", b"EtwpGetCpuSpeed", b"EtwpGetTraceBuffer", b"EtwpNotificationThread", b"EtwpSetHWConfigFunction", b"EvtIntReportAuthzEventAndSourceAsync", b"EvtIntReportEventAndSourceAsync", b"ExpInterlockedPopEntrySListEnd", b"ExpInterlockedPopEntrySListEnd8", 
b"ExpInterlockedPopEntrySListEnd16", b"ExpInterlockedPopEntrySListFault", b"ExpInterlockedPopEntrySListFault8", b"ExpInterlockedPopEntrySListFault16", b"ExpInterlockedPopEntrySListResume", b"ExpInterlockedPopEntrySListResume8", b"ExpInterlockedPopEntrySListResume16", b"KiFastSystemCall", b"KiFastSystemCallRet", b"KiIntSystemCall", b"KiRaiseUserExceptionDispatcher", b"KiUserApcDispatcher", b"KiUserCallbackDispatcher", b"KiUserExceptionDispatcher", b"KiUserInvertedFunctionTable", b"LdrAccessOutOfProcessResource", b"LdrAccessResource", b"LdrAddDllDirectory", b"LdrAddLoadAsDataTable", b"LdrAddRefDll", b"LdrAlternateResourcesEnabled", b"LdrAppxHandleIntegrityFailure", b"LdrCreateOutOfProcessImage", b"LdrDestroyOutOfProcessImage", b"LdrDisableThreadCalloutsForDll", b"LdrEnumResources", b"LdrEnumerateLoadedModules", b"LdrFastFailInLoaderCallout", b"LdrFindCreateProcessManifest", b"LdrFindEntryForAddress", b"LdrFindResourceDirectory_U", b"LdrFindResourceEx_U", b"LdrFindResource_U", b"LdrFlushAlternateResourceModules", b"LdrGetDllDirectory", b"LdrGetDllFullName", b"LdrGetDllHandle", b"LdrGetDllHandleByMapping", b"LdrGetDllHandleByName", b"LdrGetDllHandleEx", b"LdrGetDllPath", b"LdrGetFailureData", b"LdrGetFileNameFromLoadAsDataTable", b"LdrGetKnownDllSectionHandle", b"LdrGetProcedureAddress", b"LdrGetProcedureAddressEx", b"LdrGetProcedureAddressForCaller", b"LdrHotPatchRoutine", b"LdrInitShimEngineDynamic", b"LdrInitializeThunk", b"LdrLoadAlternateResourceModule", b"LdrLoadAlternateResourceModuleEx", b"LdrLoadDll", b"LdrLockLoaderLock", b"LdrOpenImageFileOptionsKey", b"LdrProcessInitializationComplete", b"LdrProcessRelocationBlock", b"LdrProcessRelocationBlockEx", b"LdrQueryImageFileExecutionOptions", b"LdrQueryImageFileExecutionOptionsEx", b"LdrQueryImageFileKeyOption", b"LdrQueryModuleServiceTags", b"LdrQueryOptionalDelayLoadedAPI", b"LdrQueryProcessModuleInformation", b"LdrRegisterDllNotification", b"LdrRemoveDllDirectory", b"LdrRemoveLoadAsDataTable", 
b"LdrResFindResource", b"LdrResFindResourceDirectory", b"LdrResGetRCConfig", b"LdrResRelease", b"LdrResSearchResource", b"LdrResolveDelayLoadedAPI", b"LdrResolveDelayLoadsFromDll", b"LdrRscIsTypeExist", b"LdrSetAppCompatDllRedirectionCallback", b"LdrSetDefaultDllDirectories", b"LdrSetDllDirectory", b"LdrSetDllManifestProber", b"LdrSetImplicitPathOptions", b"LdrSetMUICacheType", b"LdrShutdownProcess", b"LdrShutdownThread", b"LdrStandardizeSystemPath", b"LdrSystemDllInitBlock", b"LdrUnloadAlternateResourceModule", b"LdrUnloadAlternateResourceModuleEx", b"LdrUnloadDll", b"LdrUnlockLoaderLock", b"LdrUnregisterDllNotification", b"LdrVerifyImageMatchesChecksum", b"LdrVerifyImageMatchesChecksumEx", b"LdrWx86FormatVirtualImage", b"LdrpResGetMappingSize", b"LdrpResGetRCConfig", b"LdrpResGetResourceDirectory", b"MD4Final", b"MD4Init", b"MD4Update", b"MD5Final", b"MD5Init", b"MD5Update", b"NPXEMULATORTABLE", b"NlsAnsiCodePage", b"NlsMbCodePageTag", b"NlsMbOemCodePageTag", b"NtAcceptConnectPort", b"NtAccessCheck", b"NtAccessCheckAndAuditAlarm", b"NtAccessCheckByType", b"NtAccessCheckByTypeAndAuditAlarm", b"NtAccessCheckByTypeResultList", b"NtAccessCheckByTypeResultListAndAuditAlarm", b"NtAccessCheckByTypeResultListAndAuditAlarmByHandle", b"NtAcquireCMFViewOwnership", b"NtAddAtom", b"NtAddAtomEx", b"NtAddBootEntry", b"NtAddDriverEntry", b"NtAdjustGroupsToken", b"NtAdjustPrivilegesToken", b"NtAdjustTokenClaimsAndDeviceGroups", b"NtAlertResumeThread", b"NtAlertThread", b"NtAlertThreadByThreadId", b"NtAllocateLocallyUniqueId", b"NtAllocateReserveObject", b"NtAllocateUserPhysicalPages", b"NtAllocateUuids", b"NtAllocateVirtualMemory", b"NtAlpcAcceptConnectPort", b"NtAlpcCancelMessage", b"NtAlpcConnectPort", b"NtAlpcConnectPortEx", b"NtAlpcCreatePort", b"NtAlpcCreatePortSection", b"NtAlpcCreateResourceReserve", b"NtAlpcCreateSectionView", b"NtAlpcCreateSecurityContext", b"NtAlpcDeletePortSection", b"NtAlpcDeleteResourceReserve", b"NtAlpcDeleteSectionView", 
b"NtAlpcDeleteSecurityContext", b"NtAlpcDisconnectPort", b"NtAlpcImpersonateClientContainerOfPort", b"NtAlpcImpersonateClientOfPort", b"NtAlpcOpenSenderProcess", b"NtAlpcOpenSenderThread", b"NtAlpcQueryInformation", b"NtAlpcQueryInformationMessage", b"NtAlpcRevokeSecurityContext", b"NtAlpcSendWaitReceivePort", b"NtAlpcSetInformation", b"NtApphelpCacheControl", b"NtAreMappedFilesTheSame", b"NtAssignProcessToJobObject", b"NtAssociateWaitCompletionPacket", b"NtCallbackReturn", b"NtCancelDeviceWakeupRequest", b"NtCancelIoFile", b"NtCancelIoFileEx", b"NtCancelSynchronousIoFile", b"NtCancelTimer", b"NtCancelTimer2", b"NtCancelWaitCompletionPacket", b"NtClearAllSavepointsTransaction", b"NtClearEvent", b"NtClearSavepointTransaction", b"NtClose", b"NtCloseObjectAuditAlarm", b"NtCommitComplete", b"NtCommitEnlistment", b"NtCommitTransaction", b"NtCompactKeys", b"NtCompareObjects", b"NtCompareTokens", b"NtCompleteConnectPort", b"NtCompressKey", b"NtConnectPort", b"NtContinue", b"NtCreateChannel", b"NtCreateDebugObject", b"NtCreateDirectoryObject", b"NtCreateDirectoryObjectEx", b"NtCreateEnlistment", b"NtCreateEvent", b"NtCreateEventPair", b"NtCreateFile", b"NtCreateIRTimer", b"NtCreateIoCompletion", b"NtCreateJobObject", b"NtCreateJobSet", b"NtCreateKey", b"NtCreateKeyTransacted", b"NtCreateKeyedEvent", b"NtCreateLowBoxToken", b"NtCreateMailslotFile", b"NtCreateMutant", b"NtCreateNamedPipeFile", b"NtCreatePagingFile", b"NtCreatePartition", b"NtCreatePort", b"NtCreatePrivateNamespace", b"NtCreateProcess", b"NtCreateProcessEx", b"NtCreateProfile", b"NtCreateProfileEx", b"NtCreateResourceManager", b"NtCreateSection", b"NtCreateSemaphore", b"NtCreateSymbolicLinkObject", b"NtCreateThread", b"NtCreateThreadEx", b"NtCreateTimer", b"NtCreateTimer2", b"NtCreateToken", b"NtCreateTokenEx", b"NtCreateTransaction", b"NtCreateTransactionManager", b"NtCreateUserProcess", b"NtCreateWaitCompletionPacket", b"NtCreateWaitablePort", b"NtCreateWnfStateName", b"NtCreateWorkerFactory", 
b"NtCurrentTeb", b"NtDebugActiveProcess", b"NtDebugContinue", b"NtDelayExecution", b"NtDeleteAtom", b"NtDeleteBootEntry", b"NtDeleteDriverEntry", b"NtDeleteFile", b"NtDeleteKey", b"NtDeleteObjectAuditAlarm", b"NtDeletePrivateNamespace", b"NtDeleteValueKey", b"NtDeleteWnfStateData", b"NtDeleteWnfStateName", b"NtDeviceIoControlFile", b"NtDisableLastKnownGood", b"NtDisplayString", b"NtDrawText", b"NtDuplicateObject", b"NtDuplicateToken", b"NtEnableLastKnownGood", b"NtEnumerateBootEntries", b"NtEnumerateBus", b"NtEnumerateDriverEntries", b"NtEnumerateKey", b"NtEnumerateSystemEnvironmentValuesEx", b"NtEnumerateTransactionObject", b"NtEnumerateValueKey", b"NtExtendSection", b"NtFilterBootOption", b"NtFilterToken", b"NtFilterTokenEx", b"NtFindAtom", b"NtFlushBuffersFile", b"NtFlushBuffersFileEx", b"NtFlushInstallUILanguage", b"NtFlushInstructionCache", b"NtFlushKey", b"NtFlushProcessWriteBuffers", b"NtFlushVirtualMemory", b"NtFlushWriteBuffer", b"NtFreeUserPhysicalPages", b"NtFreeVirtualMemory", b"NtFreezeRegistry", b"NtFreezeTransactions", b"NtFsControlFile", b"NtGetCachedSigningLevel", b"NtGetCompleteWnfStateSubscription", b"NtGetContextThread", b"NtGetCurrentProcessorNumber", b"NtGetCurrentProcessorNumberEx", b"NtGetDevicePowerState", b"NtGetMUIRegistryInfo", b"NtGetNextProcess", b"NtGetNextThread", b"NtGetNlsSectionPtr", b"NtGetNotificationResourceManager", b"NtGetPlugPlayEvent", b"NtGetTickCount", b"NtGetWriteWatch", b"NtImpersonateAnonymousToken", b"NtImpersonateClientOfPort", b"NtImpersonateThread", b"NtInitializeNlsFiles", b"NtInitializeRegistry", b"NtInitiatePowerAction", b"NtIsProcessInJob", b"NtIsSystemResumeAutomatic", b"NtIsUILanguageComitted", b"NtListTransactions", b"NtListenChannel", b"NtListenPort", b"NtLoadDriver", b"NtLoadKey", b"NtLoadKey2", b"NtLoadKeyEx", b"NtLockFile", b"NtLockProductActivationKeys", b"NtLockRegistryKey", b"NtLockVirtualMemory", b"NtMakePermanentObject", b"NtMakeTemporaryObject", b"NtManagePartition", b"NtMapCMFModule", 
b"NtMapUserPhysicalPages", b"NtMapUserPhysicalPagesScatter", b"NtMapViewOfSection", b"NtMarshallTransaction", b"NtModifyBootEntry", b"NtModifyDriverEntry", b"NtNotifyChangeDirectoryFile", b"NtNotifyChangeKey", b"NtNotifyChangeMultipleKeys", b"NtNotifyChangeSession", b"NtOpenChannel", b"NtOpenDirectoryObject", b"NtOpenEnlistment", b"NtOpenEvent", b"NtOpenEventPair", b"NtOpenFile", b"NtOpenIoCompletion", b"NtOpenJobObject", b"NtOpenKey", b"NtOpenKeyEx", b"NtOpenKeyTransacted", b"NtOpenKeyTransactedEx", b"NtOpenKeyedEvent", b"NtOpenMutant", b"NtOpenObjectAuditAlarm", b"NtOpenPartition", b"NtOpenPrivateNamespace", b"NtOpenProcess", b"NtOpenProcessToken", b"NtOpenProcessTokenEx", b"NtOpenResourceManager", b"NtOpenSection", b"NtOpenSemaphore", b"NtOpenSession", b"NtOpenSymbolicLinkObject", b"NtOpenThread", b"NtOpenThreadToken", b"NtOpenThreadTokenEx", b"NtOpenTimer", b"NtOpenTransaction", b"NtOpenTransactionManager", b"NtPlugPlayControl", b"NtPowerInformation", b"NtPrePrepareComplete", b"NtPrePrepareEnlistment", b"NtPrepareComplete", b"NtPrepareEnlistment", b"NtPrivilegeCheck", b"NtPrivilegeObjectAuditAlarm", b"NtPrivilegedServiceAuditAlarm", b"NtPropagationComplete", b"NtPropagationFailed", b"NtProtectVirtualMemory", b"NtPullTransaction", b"NtPulseEvent", b"NtQueryAttributesFile", b"NtQueryBootEntryOrder", b"NtQueryBootOptions", b"NtQueryDebugFilterState", b"NtQueryDefaultLocale", b"NtQueryDefaultUILanguage", b"NtQueryDirectoryFile", b"NtQueryDirectoryObject", b"NtQueryDriverEntryOrder", b"NtQueryEaFile", b"NtQueryEvent", b"NtQueryFullAttributesFile", b"NtQueryInformationAtom", b"NtQueryInformationEnlistment", b"NtQueryInformationFile", b"NtQueryInformationJobObject", b"NtQueryInformationPort", b"NtQueryInformationProcess", b"NtQueryInformationResourceManager", b"NtQueryInformationThread", b"NtQueryInformationToken", b"NtQueryInformationTransaction", b"NtQueryInformationTransactionManager", b"NtQueryInformationWorkerFactory", b"NtQueryInstallUILanguage", 
b"NtQueryIntervalProfile", b"NtQueryIoCompletion", b"NtQueryKey", b"NtQueryLicenseValue", b"NtQueryMultipleValueKey", b"NtQueryMutant", b"NtQueryObject", b"NtQueryOleDirectoryFile", b"NtQueryOpenSubKeys", b"NtQueryOpenSubKeysEx", b"NtQueryPerformanceCounter", b"NtQueryPortInformationProcess", b"NtQueryQuotaInformationFile", b"NtQuerySection", b"NtQuerySecurityAttributesToken", b"NtQuerySecurityObject", b"NtQuerySemaphore", b"NtQuerySymbolicLinkObject", b"NtQuerySystemEnvironmentValue", b"NtQuerySystemEnvironmentValueEx", b"NtQuerySystemInformation", b"NtQuerySystemInformationEx", b"NtQuerySystemTime", b"NtQueryTimer", b"NtQueryTimerResolution", b"NtQueryValueKey", b"NtQueryVirtualMemory", b"NtQueryVolumeInformationFile", b"NtQueryWnfStateData", b"NtQueryWnfStateNameInformation", b"NtQueueApcThread", b"NtQueueApcThreadEx", b"NtRaiseException", b"NtRaiseHardError", b"NtReadFile", b"NtReadFileScatter", b"NtReadOnlyEnlistment", b"NtReadRequestData", b"NtReadVirtualMemory", b"NtRecoverEnlistment", b"NtRecoverResourceManager", b"NtRecoverTransactionManager", b"NtRegisterNewDevice", b"NtRegisterProtocolAddressInformation", b"NtRegisterThreadTerminatePort", b"NtReleaseCMFViewOwnership", b"NtReleaseKeyedEvent", b"NtReleaseMutant", b"NtReleaseProcessMutant", b"NtReleaseSemaphore", b"NtReleaseWorkerFactoryWorker", b"NtRemoveIoCompletion", b"NtRemoveIoCompletionEx", b"NtRemoveProcessDebug", b"NtRenameKey", b"NtRenameTransactionManager", b"NtReplaceKey", b"NtReplacePartitionUnit", b"NtReplyPort", b"NtReplyWaitReceivePort", b"NtReplyWaitReceivePortEx", b"NtReplyWaitReplyPort", b"NtReplyWaitSendChannel", b"NtRequestDeviceWakeup", b"NtRequestPort", b"NtRequestWaitReplyPort", b"NtRequestWakeupLatency", b"NtResetEvent", b"NtResetWriteWatch", b"NtRestoreKey", b"NtResumeProcess", b"NtResumeThread", b"NtRevertContainerImpersonation", b"NtRollbackComplete", b"NtRollbackEnlistment", b"NtRollbackSavepointTransaction", b"NtRollbackTransaction", b"NtRollforwardTransactionManager", 
b"NtSaveKey", b"NtSaveKeyEx", b"NtSaveMergedKeys", b"NtSavepointComplete", b"NtSavepointTransaction", b"NtSecureConnectPort", b"NtSendWaitReplyChannel", b"NtSerializeBoot", b"NtSetBootEntryOrder", b"NtSetBootOptions", b"NtSetCachedSigningLevel", b"NtSetContextChannel", b"NtSetContextThread", b"NtSetDebugFilterState", b"NtSetDefaultHardErrorPort", b"NtSetDefaultLocale", b"NtSetDefaultUILanguage", b"NtSetDriverEntryOrder", b"NtSetEaFile", b"NtSetEvent", b"NtSetEventBoostPriority", b"NtSetHighEventPair", b"NtSetHighWaitLowEventPair", b"NtSetHighWaitLowThread", b"NtSetIRTimer", b"NtSetInformationDebugObject", b"NtSetInformationEnlistment", b"NtSetInformationFile", b"NtSetInformationJobObject", b"NtSetInformationKey", b"NtSetInformationObject", b"NtSetInformationProcess", b"NtSetInformationResourceManager", b"NtSetInformationSymbolicLink", b"NtSetInformationThread", b"NtSetInformationToken", b"NtSetInformationTransaction", b"NtSetInformationTransactionManager", b"NtSetInformationVirtualMemory", b"NtSetInformationWorkerFactory", b"NtSetIntervalProfile", b"NtSetIoCompletion", b"NtSetIoCompletionEx", b"NtSetLdtEntries", b"NtSetLowEventPair", b"NtSetLowWaitHighEventPair", b"NtSetLowWaitHighThread", b"NtSetQuotaInformationFile", b"NtSetSecurityObject", b"NtSetSystemEnvironmentValue", b"NtSetSystemEnvironmentValueEx", b"NtSetSystemInformation", b"NtSetSystemPowerState", b"NtSetSystemTime", b"NtSetThreadExecutionState", b"NtSetTimer", b"NtSetTimer2", b"NtSetTimerEx", b"NtSetTimerResolution", b"NtSetUuidSeed", b"NtSetValueKey", b"NtSetVolumeInformationFile", b"NtSetWnfProcessNotificationEvent", b"NtShutdownSystem", b"NtShutdownWorkerFactory", b"NtSignalAndWaitForSingleObject", b"NtSinglePhaseReject", b"NtStartProfile", b"NtStartTm", b"NtStopProfile", b"NtSubscribeWnfStateChange", b"NtSuspendProcess", b"NtSuspendThread", b"NtSystemDebugControl", b"NtTerminateJobObject", b"NtTerminateProcess", b"NtTerminateThread", b"NtTestAlert", b"NtThawRegistry", b"NtThawTransactions", 
b"NtTraceControl", b"NtTraceEvent", b"NtTranslateFilePath", b"NtUmsThreadYield", b"NtUnloadDriver", b"NtUnloadKey", b"NtUnloadKey2", b"NtUnloadKeyEx", b"NtUnlockFile", b"NtUnlockVirtualMemory", b"NtUnmapViewOfSection", b"NtUnmapViewOfSectionEx", b"NtUnsubscribeWnfStateChange", b"NtUpdateWnfStateData", b"NtVdmControl", b"NtW32Call", b"NtWaitForAlertByThreadId", b"NtWaitForDebugEvent", b"NtWaitForKeyedEvent", b"NtWaitForMultipleObjects", b"NtWaitForMultipleObjects32", b"NtWaitForProcessMutant", b"NtWaitForSingleObject", b"NtWaitForWnfNotifications", b"NtWaitForWorkViaWorkerFactory", b"NtWaitHighEventPair", b"NtWaitLowEventPair", b"NtWorkerFactoryWorkerReady", b"NtWow64AllocateVirtualMemory64", b"NtWow64CallFunction64", b"NtWow64CsrAllocateCaptureBuffer", b"NtWow64CsrAllocateMessagePointer", b"NtWow64CsrCaptureMessageBuffer", b"NtWow64CsrCaptureMessageString", b"NtWow64CsrClientCallServer", b"NtWow64CsrClientConnectToServer", b"NtWow64CsrFreeCaptureBuffer", b"NtWow64CsrGetProcessId", b"NtWow64CsrIdentifyAlertableThread", b"NtWow64CsrNewThread", b"NtWow64CsrSetPriorityClass", b"NtWow64CsrVerifyRegion", b"NtWow64DebuggerCall", b"NtWow64GetCurrentProcessorNumberEx", b"NtWow64GetNativeSystemInformation", b"NtWow64InterlockedPopEntrySList", b"NtWow64IsProcessorFeaturePresent", b"NtWow64QueryInformationProcess64", b"NtWow64QueryVirtualMemory64", b"NtWow64ReadVirtualMemory64", b"NtWow64WriteVirtualMemory64", b"NtWriteFile", b"NtWriteFileGather", b"NtWriteRequestData", b"NtWriteVirtualMemory", b"NtYieldExecution", b"NtdllDefWindowProc_A", b"NtdllDefWindowProc_W", b"NtdllDialogWndProc_A", b"NtdllDialogWndProc_W", b"PfxFindPrefix", b"PfxInitialize", b"PfxInsertPrefix", b"PfxRemovePrefix", b"PssNtCaptureSnapshot", b"PssNtDuplicateSnapshot", b"PssNtFreeRemoteSnapshot", b"PssNtFreeSnapshot", b"PssNtFreeWalkMarker", b"PssNtQuerySnapshot", b"PssNtValidateDescriptor", b"PssNtWalkSnapshot", b"PropertyLengthAsVariant", b"ResCCloseRuntimeView", b"ResCCompareCacheIDs", 
b"ResCCreateCultureMap", b"ResCCreateDefaultCultureMap", b"ResCCreateRuntimeView", b"ResCDirectoryCreateAndPopulate", b"ResCDirectoryCreateMapping", b"ResCDirectoryFree", b"ResCDirectoryGetBaseFolder", b"ResCDirectoryGetEntry", b"ResCDirectoryGetEntryCopy", b"ResCDirectoryGetEntryEx", b"ResCDirectoryGetEntryExCopy", b"ResCDirectoryGetEntryIndex", b"ResCDirectoryGetEntryIndexEx", b"ResCDirectoryGetFirstEntry", b"ResCDirectoryGetFirstEntryIndex", b"ResCDirectoryGetSegmentIndex", b"ResCDirectoryGetSegmentName", b"ResCDirectoryLoadFixedSize", b"ResCDirectoryOpenMapping", b"ResCFreeCultureMap", b"ResCGetCacheIndices", b"ResCGetCultureID", b"ResCGetCultureIndex", b"ResCGetCultureName", b"ResCGetHighestCacheIndex", b"ResCGetHighestConsecutiveCacheIndex", b"ResCGetIndexedName", b"ResCGetName", b"ResCGetRegistryBaseFolder", b"ResCGetRegistryConfig", b"ResCGetRegistryLatestIndex", b"ResCGetRegistryMappingPrefix", b"ResCGetRegistryStatus", b"ResCGetSubIndexedName", b"ResCInitRuntimeView", b"ResCInitRuntimeViewEx", b"ResCKeDirectoryOpenMapping", b"ResCKeGetBaseFolder", b"ResCKeGetCacheIndices", b"ResCKeInitRuntimeViewEx", b"ResCKeSegmentOpenMapping", b"ResCLoadCultureMap", b"ResCOpenRegistryKey", b"ResCOpenRuntimeView", b"ResCReleaseInitMutex", b"ResCReloadCultureMap", b"ResCRequestInitMutex", b"ResCRuntimeGetAnySegmentData", b"ResCRuntimeGetCultureID", b"ResCRuntimeGetEntryData", b"ResCRuntimeGetEntryDataEx", b"ResCRuntimeGetResourceData", b"ResCRuntimeGetResourceDataEx", b"ResCRuntimeGetResourceDataForCulture", b"ResCRuntimeGetSegmentData", b"ResCRuntimeGetSegmentDataEx", b"ResCRuntimeViewLoadCultureMap", b"ResCSaveRegistryBaseFolder", b"ResCSaveRegistryConfig", b"ResCSaveRegistryLatestIndex", b"ResCSaveRegistryStatus", b"ResCSegmentCreateAndPopulate", b"ResCSegmentCreateMapping", b"ResCSegmentFree", b"ResCSegmentGetData", b"ResCSegmentLoadFixedSize", b"ResCSegmentOpenMapping", b"ResCSegmentReserveMapping", b"ResCSetCacheSecurityType", b"RestoreEm87Context", 
b"RtlAbortRXact", b"RtlAbsoluteToSelfRelativeSD", b"RtlAcquirePebLock", b"RtlAcquirePrivilege", b"RtlAcquireReleaseSRWLockExclusive", b"RtlAcquireResourceExclusive", b"RtlAcquireResourceShared", b"RtlAcquireSRWLockExclusive", b"RtlAcquireSRWLockShared", b"RtlActivateActivationContext", b"RtlActivateActivationContextEx", b"RtlActivateActivationContextUnsafeFast", b"RtlAddAccessAllowedAce", b"RtlAddAccessAllowedAceEx", b"RtlAddAccessAllowedObjectAce", b"RtlAddAccessDeniedAce", b"RtlAddAccessDeniedAceEx", b"RtlAddAccessDeniedObjectAce", b"RtlAddAce", b"RtlAddActionToRXact", b"RtlAddAtomToAtomTable", b"RtlAddAttributeActionToRXact", b"RtlAddAuditAccessAce", b"RtlAddAuditAccessAceEx", b"RtlAddAuditAccessObjectAce", b"RtlAddCompoundAce", b"RtlAddFunctionTable", b"RtlAddGrowableFunctionTable", b"RtlAddIntegrityLabelToBoundaryDescriptor", b"RtlAddMandatoryAce", b"RtlAddProcessTrustLabelAce", b"RtlAddRange", b"RtlAddRefActivationContext", b"RtlAddRefMemoryStream", b"RtlAddResourceAttributeAce", b"RtlAddSIDToBoundaryDescriptor", b"RtlAddScopedPolicyIDAce", b"RtlAddVectoredContinueHandler", b"RtlAddVectoredExceptionHandler", b"RtlAddressInSectionTable", b"RtlAdjustPrivilege", b"RtlAllocateActivationContextStack", b"RtlAllocateAndInitializeSid", b"RtlAllocateAndInitializeSidEx", b"RtlAllocateHandle", b"RtlAllocateHeap", b"RtlAllocateMemoryBlockLookaside", b"RtlAllocateMemoryZone", b"RtlAllocateWnfSerializationGroup", b"RtlAnsiCharToUnicodeChar", b"RtlAnsiStringToUnicodeSize", b"RtlAnsiStringToUnicodeString", b"RtlAppendAsciizToString", b"RtlAppendPathElement", b"RtlAppendStringToString", b"RtlAppendUnicodeStringToString", b"RtlAppendUnicodeToString", b"RtlApplicationVerifierStop", b"RtlApplyRXact", b"RtlApplyRXactNoFlush", b"RtlAppxIsFileOwnedByTrustedInstaller", b"RtlAreAllAccessesGranted", b"RtlAreAnyAccessesGranted", b"RtlAreBitsClear", b"RtlAreBitsSet", b"RtlAssert", b"RtlAssert2", b"RtlAvlInsertNodeEx", b"RtlAvlRemoveNode", b"RtlBarrier", b"RtlBarrierForDelete", 
b"RtlCallbackLpcClient", b"RtlCancelTimer", b"RtlCanonicalizeDomainName", b"RtlCapabilityCheck", b"RtlCaptureContext", b"RtlCaptureStackBackTrace", b"RtlCaptureStackContext", b"RtlCharToInteger", b"RtlCheckForOrphanedCriticalSections", b"RtlCheckPortableOperatingSystem", b"RtlCheckProcessParameters", b"RtlCheckRegistryKey", b"RtlCheckSandboxedToken", b"RtlCheckTokenCapability", b"RtlCheckTokenMembership", b"RtlCheckTokenMembershipEx", b"RtlCleanUpTEBLangLists", b"RtlClearAllBits", b"RtlClearBit", b"RtlClearBits", b"RtlCloneMemoryStream", b"RtlCloneUserProcess", b"RtlClosePropertySet", b"RtlCmDecodeMemIoResource", b"RtlCmEncodeMemIoResource", b"RtlCommitDebugInfo", b"RtlCommitMemoryStream", b"RtlCompactHeap", b"RtlCompareAltitudes", b"RtlCompareMemory", b"RtlCompareMemoryUlong", b"RtlCompareString", b"RtlCompareUnicodeString", b"RtlCompareUnicodeStrings", b"RtlCompareVariants", b"RtlCompleteProcessCloning", b"RtlCompressBuffer", b"RtlComputeCrc32", b"RtlComputeImportTableHash", b"RtlComputePrivatizedDllName_U", b"RtlConnectToSm", b"RtlConsoleMultiByteToUnicodeN", b"RtlContractHashTable", b"RtlConvertDeviceFamilyInfoToString", b"RtlConvertExclusiveToShared", b"RtlConvertLCIDToString", b"RtlConvertLongToLargeInteger", b"RtlConvertPropertyToVariant", b"RtlConvertSRWLockExclusiveToShared", b"RtlConvertSharedToExclusive", b"RtlConvertSidToUnicodeString", b"RtlConvertToAutoInheritSecurityObject", b"RtlConvertUiListToApiList", b"RtlConvertUlongToLargeInteger", b"RtlConvertVariantToProperty", b"RtlCopyBitMap", b"RtlCopyContext", b"RtlCopyExtendedContext", b"RtlCopyLuid", b"RtlCopyLuidAndAttributesArray", b"RtlCopyMappedMemory", b"RtlCopyMemory", b"RtlCopyMemoryNonTemporal", b"RtlCopyMemoryStreamTo", b"RtlCopyOutOfProcessMemoryStreamTo", b"RtlCopyRangeList", b"RtlCopySecurityDescriptor", b"RtlCopySid", b"RtlCopySidAndAttributesArray", b"RtlCopyString", b"RtlCopyUnicodeString", b"RtlCrc32", b"RtlCrc64", b"RtlCreateAcl", b"RtlCreateActivationContext", b"RtlCreateAndSetSD", 
b"RtlCreateAtomTable", b"RtlCreateBootStatusDataFile", b"RtlCreateBoundaryDescriptor", b"RtlCreateEnvironment", b"RtlCreateEnvironmentEx", b"RtlCreateHashTable", b"RtlCreateHashTableEx", b"RtlCreateHeap", b"RtlCreateLpcServer", b"RtlCreateMemoryBlockLookaside", b"RtlCreateMemoryZone", b"RtlCreateProcessParameters", b"RtlCreateProcessParametersEx", b"RtlCreateProcessReflection", b"RtlCreatePropertySet", b"RtlCreateQueryDebugBuffer", b"RtlCreateRegistryKey", b"RtlCreateSecurityDescriptor", b"RtlCreateServiceSid", b"RtlCreateSystemVolumeInformationFolder", b"RtlCreateTagHeap", b"RtlCreateTimer", b"RtlCreateTimerQueue", b"RtlCreateUmsCompletionList", b"RtlCreateUmsThread", b"RtlCreateUmsThreadContext", b"RtlCreateUnicodeString", b"RtlCreateUnicodeStringFromAsciiz", b"RtlCreateUserProcess", b"RtlCreateUserSecurityObject", b"RtlCreateUserStack", b"RtlCreateUserThread", b"RtlCreateVirtualAccountSid", b"RtlCultureNameToLCID", b"RtlCustomCPToUnicodeN", b"RtlCutoverTimeToSystemTime", b"RtlDeCommitDebugInfo", b"RtlDeNormalizeProcessParams", b"RtlDeactivateActivationContext", b"RtlDeactivateActivationContextUnsafeFast", b"RtlDebugPrintTimes", b"RtlDecodePointer", b"RtlDecodeRemotePointer", b"RtlDecodeSystemPointer", b"RtlDecompressBuffer", b"RtlDecompressBufferEx", b"RtlDecompressFragment", b"RtlDefaultNpAcl", b"RtlDelete", b"RtlDeleteAce", b"RtlDeleteAtomFromAtomTable", b"RtlDeleteBarrier", b"RtlDeleteBoundaryDescriptor", b"RtlDeleteCriticalSection", b"RtlDeleteElementGenericTable", b"RtlDeleteElementGenericTableAvl", b"RtlDeleteElementGenericTableAvlEx", b"RtlDeleteFunctionTable", b"RtlDeleteGrowableFunctionTable", b"RtlDeleteHashTable", b"RtlDeleteNoSplay", b"RtlDeleteOwnersRanges", b"RtlDeleteRange", b"RtlDeleteRegistryValue", b"RtlDeleteResource", b"RtlDeleteSecurityObject", b"RtlDeleteTimer", b"RtlDeleteTimerQueue", b"RtlDeleteTimerQueueEx", b"RtlDeleteUmsCompletionList", b"RtlDeleteUmsThreadContext", b"RtlDequeueUmsCompletionListItems", 
b"RtlDeregisterSecureMemoryCacheCallback", b"RtlDeregisterWait", b"RtlDeregisterWaitEx", b"RtlDeriveCapabilitySidsFromName", b"RtlDestroyAtomTable", b"RtlDestroyEnvironment", b"RtlDestroyHandleTable", b"RtlDestroyHeap", b"RtlDestroyMemoryBlockLookaside", b"RtlDestroyMemoryZone", b"RtlDestroyProcessParameters", b"RtlDestroyQueryDebugBuffer", b"RtlDetectHeapLeaks", b"RtlDetermineDosPathNameType_U", b"RtlDisableThreadProfiling", b"RtlDispatchAPC", b"RtlDllShutdownInProgress", b"RtlDnsHostNameToComputerName", b"RtlDoesFileExists_U", b"RtlDosApplyFileIsolationRedirection_Ustr", b"RtlDosPathNameToNtPathName_U", b"RtlDosPathNameToNtPathName_U_WithStatus", b"RtlDosPathNameToRelativeNtPathName_U", b"RtlDosPathNameToRelativeNtPathName_U_WithStatus", b"RtlDosSearchPath_U", b"RtlDosSearchPath_Ustr", b"RtlDowncaseUnicodeChar", b"RtlDowncaseUnicodeString", b"RtlDumpResource", b"RtlDuplicateUnicodeString", b"RtlEmptyAtomTable", b"RtlEnableEarlyCriticalSectionEventCreation", b"RtlEnableThreadProfiling", b"RtlEncodePointer", b"RtlEncodeRemotePointer", b"RtlEncodeSystemPointer", b"RtlEndEnumerationHashTable", b"RtlEndStrongEnumerationHashTable", b"RtlEndWeakEnumerationHashTable", b"RtlEnlargedIntegerMultiply", b"RtlEnlargedUnsignedDivide", b"RtlEnlargedUnsignedMultiply", b"RtlEnterCriticalSection", b"RtlEnterUmsSchedulingMode", b"RtlEnumProcessHeaps", b"RtlEnumerateEntryHashTable", b"RtlEnumerateGenericTable", b"RtlEnumerateGenericTableAvl", b"RtlEnumerateGenericTableLikeADirectory", b"RtlEnumerateGenericTableWithoutSplaying", b"RtlEnumerateGenericTableWithoutSplayingAvl", b"RtlEnumerateProperties", b"RtlEqualComputerName", b"RtlEqualDomainName", b"RtlEqualLuid", b"RtlEqualPrefixSid", b"RtlEqualSid", b"RtlEqualString", b"RtlEqualUnicodeString", b"RtlEqualWnfChangeStamps", b"RtlEraseUnicodeString", b"RtlEthernetAddressToStringA", b"RtlEthernetAddressToStringW", b"RtlEthernetStringToAddressA", b"RtlEthernetStringToAddressW", b"RtlExecuteUmsThread", b"RtlExitUserProcess", 
b"RtlExitUserThread", b"RtlExpandEnvironmentStrings", b"RtlExpandEnvironmentStrings_U", b"RtlExpandHashTable", b"RtlExtendHeap", b"RtlExtendMemoryBlockLookaside", b"RtlExtendMemoryZone", b"RtlExtendedIntegerMultiply", b"RtlExtendedLargeIntegerDivide", b"RtlExtendedMagicDivide", b"RtlExtractBitMap", b"RtlFillMemory", b"RtlFillMemoryUlong", b"RtlFillMemoryUlonglong", b"RtlFinalReleaseOutOfProcessMemoryStream", b"RtlFindAceByType", b"RtlFindActivationContextSectionGuid", b"RtlFindActivationContextSectionString", b"RtlFindCharInUnicodeString", b"RtlFindClearBits", b"RtlFindClearBitsAndSet", b"RtlFindClearRuns", b"RtlFindClosestEncodableLength", b"RtlFindLastBackwardRunClear", b"RtlFindLeastSignificantBit", b"RtlFindLongestRunClear", b"RtlFindLongestRunSet", b"RtlFindMessage", b"RtlFindMostSignificantBit", b"RtlFindNextForwardRunClear", b"RtlFindRange", b"RtlFindSetBits", b"RtlFindSetBitsAndClear", b"RtlFindUnicodeSubstring", b"RtlFirstEntrySList", b"RtlFirstFreeAce", b"RtlFlsAlloc", b"RtlFlsFree", b"RtlFlushHeaps", b"RtlFlushPropertySet", b"RtlFlushSecureMemoryCache", b"RtlFormatCurrentUserKeyPath", b"RtlFormatMessage", b"RtlFormatMessageEx", b"RtlFreeActivationContextStack", b"RtlFreeAnsiString", b"RtlFreeHandle", b"RtlFreeHeap", b"RtlFreeMemoryBlockLookaside", b"RtlFreeOemString", b"RtlFreeRangeList", b"RtlFreeSid", b"RtlFreeThreadActivationContextStack", b"RtlFreeUnicodeString", b"RtlFreeUserStack", b"RtlFreeUserThreadStack", b"RtlGUIDFromString", b"RtlGenerate8dot3Name", b"RtlGetAce", b"RtlGetActiveActivationContext", b"RtlGetAppContainerNamedObjectPath", b"RtlGetAppContainerParent", b"RtlGetAppContainerSidType", b"RtlGetCallersAddress", b"RtlGetCompressionWorkSpaceSize", b"RtlGetControlSecurityDescriptor", b"RtlGetCriticalSectionRecursionCount", b"RtlGetCurrentDirectory_U", b"RtlGetCurrentPeb", b"RtlGetCurrentProcessorNumber", b"RtlGetCurrentProcessorNumberEx", b"RtlGetCurrentTransaction", b"RtlGetCurrentUmsThread", b"RtlGetDaclSecurityDescriptor", 
b"RtlGetDeviceFamilyInfoEnum", b"RtlGetElementGenericTable", b"RtlGetElementGenericTableAvl", b"RtlGetEnabledExtendedFeatures", b"RtlGetExepath", b"RtlGetExtendedContextLength", b"RtlGetExtendedFeaturesMask", b"RtlGetFileMUIPath", b"RtlGetFirstRange", b"RtlGetFrame", b"RtlGetFullPathName_U", b"RtlGetFullPathname_UEx", b"RtlGetFullPathName_UstrEx", b"RtlGetFunctionTableListHead", b"RtlGetGroupSecurityDescriptor", b"RtlGetIntegerAtom", b"RtlGetInterruptTimePrecise", b"RtlGetLastNtStatus", b"RtlGetLastWin32Error", b"RtlGetLengthWithoutLastFullDosOrNtPathElement", b"RtlGetLengthWithoutTrailingPathSeperators", b"RtlGetLocaleFileMappingAddress", b"RtlGetLongestNtPathLength", b"RtlGetNativeSystemInformation", b"RtlGetNextEntryHashTable", b"RtlGetNextRange", b"RtlGetNextUmsListItem", b"RtlGetNtGlobalFlags", b"RtlGetNtProductType", b"RtlGetNtVersionNumbers", b"RtlGetOwnerSecurityDescriptor", b"RtlGetParentLocaleName", b"RtlGetProcessHeaps", b"RtlGetProcessPreferredUILanguages", b"RtlGetProductInfo", b"RtlGetSaclSecurityDescriptor", b"RtlGetSearchPath", b"RtlGetSecurityDescriptorRMControl", b"RtlGetSetBootStatusData", b"RtlGetSystemPreferredUILanguages", b"RtlGetSystemTimePrecise", b"RtlGetThreadErrorMode", b"RtlGetThreadLangIdByIndex", b"RtlGetThreadPreferredUILanguages", b"RtlGetUILanguageInfo", b"RtlGetUmsCompletionListEvent", b"RtlGetUnloadEventTrace", b"RtlGetUnloadEventTraceEx", b"RtlGetUserInfoHeap", b"RtlGetUserPreferredUILanguages", b"RtlGetVersion", b"RtlGrowFunctionTable", b"RtlGuidToPropertySetName", b"RtlHashUnicodeString", b"RtlHeapTrkInitialize", b"RtlIdentifierAuthoritySid", b"RtlIdnToAscii", b"RtlIdnToNameprepUnicode", b"RtlIdnToUnicode", b"RtlImageDirectoryEntryToData", b"RtlImageNtHeader", b"RtlImageNtHeaderEx", b"RtlImageRvaToSection", b"RtlImageRvaToVa", b"RtlImpersonateLpcClient", b"RtlImpersonateSelf", b"RtlImpersonateSelfEx", b"RtlInitAnsiString", b"RtlInitAnsiStringEx", b"RtlInitBarrier", b"RtlInitCodePageTable", b"RtlInitEnumerationHashTable", 
b"RtlInitMemoryStream", b"RtlInitNlsTables", b"RtlInitOutOfProcessMemoryStream", b"RtlInitString", b"RtlInitStringEx", b"RtlInitStrongEnumerationHashTable", b"RtlInitUnicodeString", b"RtlInitUnicodeStringEx", b"RtlInitWeakEnumerationHashTable", b"RtlInitializeAtomPackage", b"RtlInitializeBitMap", b"RtlInitializeConditionVariable", b"RtlInitializeContext", b"RtlInitializeCriticalSection", b"RtlInitializeCriticalSectionAndSpinCount", b"RtlInitializeCriticalSectionEx", b"RtlInitializeExceptionChaRtlInitializeExtendedContext", b"RtlInitializeGenericTable", b"RtlInitializeGenericTableAvl", b"RtlInitializeHandleTable", b"RtlInitializeNtUserPfn", b"RtlInitializeRXact", b"RtlInitializeRangeList", b"RtlInitializeResource", b"RtlInitializeSListHead", b"RtlInitializeSRWLock", b"RtlInitializeSid", b"RtlInitializeSidEx", b"RtlInitializeStackTraceDatabase", b"RtlInsertElementGenericTable", b"RtlInsertElementGenericTableAvl", b"RtlInsertElementGenericTableFull", b"RtlInsertElementGenericTableFullAvl", b"RtlInsertEntryHashTable", b"RtlInstallFunctionTableCallback", b"RtlInt64ToUnicodeString", b"RtlIntegerToChar", b"RtlIntegerToUnicodeString", b"RtlInterlockedClearBitRun", b"RtlInterlockedCompareExchange64", b"RtlInterlockedFlushSList", b"RtlInterlockedPopEntrySList", b"RtlInterlockedPushEntrySList", b"RtlInterlockedPushListSList", b"RtlInterlockedPushListSListEx", b"RtlInterlockedSetBitRun", b"RtlInvertRangeList", b"RtlIoDecodeMemIoResource", b"RtlIoEncodeMemIoResource", b"RtlIpv4AddressToStringA", b"RtlIpv4AddressToStringExA", b"RtlIpv4AddressToStringExW", b"RtlIpv4AddressToStringW", b"RtlIpv4StringToAddressA", b"RtlIpv4StringToAddressExA", b"RtlIpv4StringToAddressExW", b"RtlIpv4StringToAddressW", b"RtlIpv6AddressToStringA", b"RtlIpv6AddressToStringExA", b"RtlIpv6AddressToStringExW", b"RtlIpv6AddressToStringW", b"RtlIpv6StringToAddressA", b"RtlIpv6StringToAddressExA", b"RtlIpv6StringToAddressExW", b"RtlIpv6StringToAddressW", b"RtlIsActivationContextActive", b"RtlIsCapabilitySid", 
b"RtlIsCriticalSectionLocked", b"RtlIsCriticalSectionLockedByThread", b"RtlIsCurrentThreadAttachExempt", b"RtlIsDosDeviceName_U", b"RtlIsGenericTableEmpty", b"RtlIsGenericTableEmptyAvl", b"RtlIsMultiSessionSku", b"RtlIsNameInExpression", b"RtlIsNameLegalDOS8Dot3", b"RtlIsNormalizedString", b"RtlIsPackageSid", b"RtlIsParentOfChildAppContainer", b"RtlIsProcessorFeaturePresent", b"RtlIsRangeAvailable", b"RtlIsTextUnicode", b"RtlIsThreadWithinLoaderCallout", b"RtlIsUntrustedObject", b"RtlIsValidHandle", b"RtlIsValidIndexHandle", b"RtlIsValidLocaleName", b"RtlIsValidProcessTrustLabelSid", b"RtlKnownExceptionFilter", b"RtlLCIDToCultureName", b"RtlLargeIntegerAdd", b"RtlLargeIntegerArithmeticShift", b"RtlLargeIntegerDivide", b"RtlLargeIntegerNegate", b"RtlLargeIntegerShiftLeft", b"RtlLargeIntegerShiftRight", b"RtlLargeIntegerSubtract", b"RtlLargeIntegerToChar", b"RtlLcidToLocaleName", b"RtlLeaveCriticalSection", b"RtlLengthRequiredSid", b"RtlLengthSecurityDescriptor", b"RtlLengthSid", b"RtlLengthSidAsUnicodeString", b"RtlLoadString", b"RtlLocalTimeToSystemTime", b"RtlLocaleNameToLcid", b"RtlLocateExtendedFeature", b"RtlLocateLegacyContext", b"RtlLockBootStatusData", b"RtlLockCurrentThread", b"RtlLockHeap", b"RtlLockMemoryBlockLookaside", b"RtlLockMemoryStreamRegion", b"RtlLockMemoryZone", b"RtlLockModuleSection", b"RtlLogStackBackTrace", b"RtlLookupAtomInAtomTable", b"RtlLookupElementGenericTable", b"RtlLookupElementGenericTableAvl", b"RtlLookupElementGenericTableFull", b"RtlLookupElementGenericTableFullAvl", b"RtlLookupEntryHashTable", b"RtlLookupFunctionEntry", b"RtlLookupFunctionTable", b"RtlMakeSelfRelativeSD", b"RtlMapGenericMask", b"RtlMapSecurityErrorToNtStatus", b"RtlMergeRangeLists", b"RtlMoveMemory", b"RtlMultiAppendUnicodeStringBuffer", b"RtlMultiByteToUnicodeN", b"RtlMultiByteToUnicodeSize", b"RtlMultipleAllocateHeap", b"RtlMultipleFreeHeap", b"RtlNewInstanceSecurityObject", b"RtlNewSecurityGrantedAccess", b"RtlNewSecurityObject", b"RtlNewSecurityObjectEx", 
b"RtlNewSecurityObjectWithMultipleInheritance", b"RtlNormalizeProcessParams", b"RtlNormalizeString", b"RtlNtPathNameToDosPathName", b"RtlNtStatusToDosError", b"RtlNtStatusToDosErrorNoTeb", b"RtlNtdllName", b"RtlNumberGenericTableElements", b"RtlNumberGenericTableElementsAvl", b"RtlNumberOfClearBits", b"RtlNumberOfClearBitsInRange", b"RtlNumberOfSetBits", b"RtlNumberOfSetBitsInRange", b"RtlNumberOfSetBitsUlongPtr", b"RtlOemStringToUnicodeSize", b"RtlOemStringToUnicodeString", b"RtlOemToUnicodeN", b"RtlOnMappedStreamEvent", b"RtlOpenCurrentUser", b"RtlOsDeploymentState", b"RtlOwnerAcesPresent", b"RtlPcToFileHeader", b"RtlPinAtomInAtomTable", b"RtlPopFrame", b"RtlPrefixString", b"RtlPrefixUnicodeString", b"RtlPrepareForProcessCloning", b"RtlProcessFlsData", b"RtlPropertySetNameToGuid", b"RtlProtectHeap", b"RtlPublishWnfStateData", b"RtlPushFrame", b"RtlQueryActivationContextApplicationSettings", b"RtlQueryAtomInAtomTable", b"RtlQueryCriticalSectionOwner", b"RtlQueryDepthSList", b"RtlQueryDynamicTimeZoneInformation", b"RtlQueryElevationFlags", b"RtlQueryEnvironmentVariable", b"RtlQueryEnvironmentVariable_U", b"RtlQueryHeapInformation", b"RtlQueryInformationAcl", b"RtlQueryInformationActivationContext", b"RtlQueryInformationActiveActivationContext", b"RtlQueryInterfaceMemoryStream", b"RtlQueryModuleInformation", b"RtlQueryPackageClaims", b"RtlQueryPackageIdentity", b"RtlQueryPackageIdentityEx", b"RtlQueryPerformanceCounter", b"RtlQueryPerformanceFrequency", b"RtlQueryProcessBackTraceInformation", b"RtlQueryProcessDebugInformation", b"RtlQueryProcessHeapInformation", b"RtlQueryProcessLockInformation", b"RtlQueryProperties", b"RtlQueryPropertyNames", b"RtlQueryPropertySet", b"RtlQueryProtectedPolicy", b"RtlQueryRegistryValues", b"RtlQueryRegistryValuesEx", b"RtlQueryResourcePolicy", b"RtlQuerySecurityObject", b"RtlQueryTagHeap", b"RtlQueryThreadProfiling", b"RtlQueryTimeZoneInformation", b"RtlQueryUmsThreadInformation", b"RtlQueryUnbiasedInterruptTime", 
b"RtlQueryValidationRunlevel", b"RtlQueryWnfMetaNotification", b"RtlQueryWnfStateData", b"RtlQueryWnfStateDataWithExplicitScope", b"RtlQueueApcWow64Thread", b"RtlQueueWorkItem", b"RtlRaiseException", b"RtlRaiseStatus", b"RtlRandom", b"RtlRandomEx", b"RtlRbInsertNodeEx", b"RtlRbRemoveNode", b"RtlReAllocateHeap", b"RtlReadMemoryStream", b"RtlReadOutOfProcessMemoryStream", b"RtlReadThreadProfilingData", b"RtlRealPredecessor", b"RtlRealSuccessor", b"RtlRegisterForWnfMetaNotification", b"RtlRegisterSecureMemoryCacheCallback", b"RtlRegisterThreadWithCsrss", b"RtlRegisterWait", b"RtlReleaseActivationContext", b"RtlReleaseMemoryStream", b"RtlReleasePath", b"RtlReleasePebLock", b"RtlReleasePrivilege", b"RtlReleaseRelativeName", b"RtlReleaseResource", b"RtlReleaseSRWLockExclusive", b"RtlReleaseSRWLockShared", b"RtlRemoteCall", b"RtlRemoveEntryHashTable", b"RtlRemovePrivileges", b"RtlRemoveVectoredContinueHandler", b"RtlRemoveVectoredExceptionHandler", b"RtlReplaceSidInSd", b"RtlReportException", b"RtlReportSilentProcessExit", b"RtlReportSqmEscalation", b"RtlResetMemoryBlockLookaside", b"RtlResetMemoryZone", b"RtlResetNtUserPfn", b"RtlResetRtlTranslations", b"RtlRestoreContext", b"RtlRestoreLastWin32Error", b"RtlRetrieveNtUserPfn", b"RtlRevertMemoryStream", b"RtlRunDecodeUnicodeString", b"RtlRunEncodeUnicodeString", b"RtlRunOnceBeginInitialize", b"RtlRunOnceComplete", b"RtlRunOnceExecuteOnce", b"RtlRunOnceInitialize", b"RtlSecondsSince1970ToTime", b"RtlSecondsSince1980ToTime", b"RtlSeekMemoryStream", b"RtlSelfRelativeToAbsoluteSD", b"RtlSelfRelativeToAbsoluteSD2", b"RtlSendMsgToSm", b"RtlSetAllBits", b"RtlSetAttributesSecurityDescriptor", b"RtlSetBit", b"RtlSetBits", b"RtlSetControlSecurityDescriptor", b"RtlSetCriticalSectionSpinCount", b"RtlSetCurrentDirectory_U", b"RtlSetCurrentEnvironment", b"RtlSetCurrentTransaction", b"RtlSetDaclSecurityDescriptor", b"RtlSetDynamicTimeZoneInformation", b"RtlSetEnvironmentStrings", b"RtlSetEnvironmentVar", b"RtlSetEnvironmentVariable", 
b"RtlSetExtendedFeaturesMask", b"RtlSetGroupSecurityDescriptor", b"RtlSetHeapInformation", b"RtlSetInformationAcl", b"RtlSetIoCompletionCallback", b"RtlSetLastWin32Error", b"RtlSetLastWin32ErrorAndNtStatusFromNtStatus", b"RtlSetMemoryStreamSize", b"RtlSetOwnerSecurityDescriptor", b"RtlSetPortableOperatingSystem", b"RtlSetProcessDebugInformation", b"RtlSetProcessIsCritical", b"RtlSetProcessPreferredUILanguages", b"RtlSetProperties", b"RtlSetPropertyNames", b"RtlSetPropertySetClassId", b"RtlSetProtectedPolicy", b"RtlSetSaclSecurityDescriptor", b"RtlSetSearchPathMode", b"RtlSetSecurityDescriptorRMControl", b"RtlSetSecurityObject", b"RtlSetSecurityObjectEx", b"RtlSetThreadErrorMode", b"RtlSetThreadIsCritical", b"RtlSetThreadPoolStartFunc", b"RtlSetThreadPreferredUILanguages", b"RtlSetThreadSubProcessTag", b"RtlSetTimeZoneInformation", b"RtlSetTimer", b"RtlSetUmsThreadInformation", b"RtlSetUnhandledExceptionFilter", b"RtlSetUnicodeCallouts", b"RtlSetUserCallbackExceptionFilter", b"RtlSetUserFlagsHeap", b"RtlSetUserValueHeap", b"RtlShutdownLpcServer", b"RtlSidDominates", b"RtlSidDominatesForTrust", b"RtlSidEqualLevel", b"RtlSidHashInitialize", b"RtlSidHashLookup", b"RtlSidIsHigherLevel", b"RtlSizeHeap", b"RtlSleepConditionVariableCS", b"RtlSleepConditionVariableSRW", b"RtlSplay", b"RtlStartRXact", b"RtlStatMemoryStream", b"RtlStringFromGUID", b"RtlStringFromGUIDEx", b"RtlStronglyEnumerateEntryHashTable", b"RtlSubAuthorityCountSid", b"RtlSubAuthoritySid", b"RtlSubscribeWnfStateChangeNotification", b"RtlSubtreePredecessor", b"RtlSubtreeSuccessor", b"RtlSwitchedVVI", b"RtlSystemTimeToLocalTime", b"RtlTestAndPublishWnfStateData", b"RtlTestBit", b"RtlTestProtectedAccess", b"RtlTimeFieldsToTime", b"RtlTimeToElapsedTimeFields", b"RtlTimeToSecondsSince1970", b"RtlTimeToSecondsSince1980", b"RtlTimeToTimeFields", b"RtlTraceDatabaseAdd", b"RtlTraceDatabaseCreate", b"RtlTraceDatabaseDestroy", b"RtlTraceDatabaseEnumerate", b"RtlTraceDatabaseFind", b"RtlTraceDatabaseLock", 
b"RtlTraceDatabaseUnlock", b"RtlTraceDatabaseValidate", b"RtlTryAcquirePebLock", b"RtlTryAcquireSRWLockExclusive", b"RtlTryAcquireSRWLockShared", b"RtlTryConvertSRWLockSharedToExclusiveOrRelease", b"RtlTryEnterCriticalSection", b"RtlUTF8ToUnicodeN", b"RtlUlongByteSwap", b"RtlUlonglongByteSwap", b"RtlUmsThreadYield", b"RtlUnhandledExceptionFilter", b"RtlUnhandledExceptionFilter2", b"RtlUnicodeStringToAnsiSize", b"RtlUnicodeStringToAnsiString", b"RtlUnicodeStringToCountedOemString", b"RtlUnicodeStringToInteger", b"RtlUnicodeStringToOemSize", b"RtlUnicodeStringToOemString", b"RtlUnicodeToCustomCPN", b"RtlUnicodeToMultiByteN", b"RtlUnicodeToMultiByteSize", b"RtlUnicodeToOemN", b"RtlUnicodeToUTF8N", b"RtlUniform", b"RtlUnlockBootStatusData", b"RtlUnlockCurrentThread", b"RtlUnlockHeap", b"RtlUnlockMemoryBlockLookaside", b"RtlUnlockMemoryStreamRegion", b"RtlUnlockMemoryZone", b"RtlUnlockModuleSection", b"RtlUnsubscribeWnfNotificationWaitForCompletion", b"RtlUnsubscribeWnfNotificationWithCompletionCallback", b"RtlUnsubscribeWnfChangeNotification", b"RtlUnwind", b"RtlUnwindEx", b"RtlUpcaseUnicodeChar", b"RtlUpcaseUnicodeString", b"RtlUpcaseUnicodeStringToAnsiString", b"RtlUpcaseUnicodeStringToCountedOemString", b"RtlUpcaseUnicodeStringToOemString", b"RtlUpcaseUnicodeToCustomCPN", b"RtlUpcaseUnicodeToMultiByteN", b"RtlUpcaseUnicodeToOemN", b"RtlUpdateClonedCriticalSection", b"RtlUpdateClonedSRWLock", b"RtlUpdateTimer", b"RtlUpperChar", b"RtlUpperString", b"RtlUsageHeap", b"RtlUserThreadStart", b"RtlUshortByteSwap", b"RtlValidAcl", b"RtlValidProcessProtection", b"RtlValidRelativeSecurityDescriptor", b"RtlValidSecurityDescriptor", b"RtlValidSid", b"RtlValidateHeap", b"RtlValidateProcessHeaps", b"RtlValidateUnicodeString", b"RtlVerifyVersionInfo", b"RtlVirtualUnwind", b"RtlWaitForWnfMetaNotification", b"RtlWaitOnAddress", b"RtlWakeAddressAll", b"RtlWakeAddressAllNoFence", b"RtlWakeAddressSingle", b"RtlWakeAddressSingleNoFence", b"RtlWakeAllConditionVariable", 
b"RtlWakeConditionVariable", b"RtlWalkFrameChaRtlWalkHeap", b"RtlWeaklyEnumerateEntryHashTable", b"RtlWerpReportException", b"RtlWnfCompareChangeStamp", b"RtlWnfDllUnloadCallback", b"RtlWoW64GetCpuAreaInfo", b"RtlWoW64GetCurrentCpuArea", b"RtlWow64CallFunction64", b"RtlWow64EnableFsRedirection", b"RtlWow64EnableFsRedirectionEx", b"RtlWow64GetThreadContext", b"RtlWow64GetThreadSelectorEntry", b"RtlWow64LogMessageInEventLogger", b"RtlWow64SetThreadContext", b"RtlWow64SuspendThread", b"RtlWow64SuspendThreadEx", b"RtlWriteMemoryStream", b"RtlWriteRegistryValue", b"RtlZeroHeap", b"RtlZeroMemory", b"RtlZombifyActivationContext", b"RtlpApplyLengthFunction", b"RtlpCheckDynamicTimeZoneInformation", b"RtlpCleanupRegistryKeys", b"RtlpConvertAbsoluteToRelativeSecurityAttribute", b"RtlpConvertCultureNamesToLCIDs", b"RtlpConvertLCIDsToCultureNames", b"RtlpConvertRelativeToAbsoluteSecurityAttribute", b"RtlpCreateProcessRegistryInfo", b"RtlpEnsureBufferSize", b"RtlpExecuteUmsThread", b"RtlpFreezeTimeBias", b"RtlpGetDeviceFamilyInfoEnum", b"RtlpGetLCIDFromLangInfoNode", b"RtlpGetNameFromLangInfoNode", b"RtlpGetSystemDefaultUILanguage", b"RtlpGetUserOrMachineUILanguage4NLS", b"RtlpInitializeLangRegistryInfo", b"RtlpInitializeRtl", b"RtlpInterlockedPopEntrySeqSListEnd", b"RtlpInterlockedPopEntrySeqSListFault", b"RtlpInterlockedPopEntrySeqSListResume", b"RtlpIsQualifiedLanguage", b"RtlpLoadMachineUIByPolicy", b"RtlpLoadUserUIByPolicy", b"RtlpMergeSecurityAttributeInformation", b"RtlpMuiFreeLangRegistryInfo", b"RtlpMuiRegCreateRegistryInfo", b"RtlpMuiRegFreeRegistryInfo", b"RtlpMuiRegLoadRegistryInfo", b"RtlpNotOwnerCriticalSection", b"RtlpNtCreateKey", b"RtlpNtEnumerateSubKey", b"RtlpNtMakeTemporaryKey", b"RtlpNtOpenKey", b"RtlpNtQueryValueKey", b"RtlpNtSetValueKey", b"RtlpQueryDefaultUILanguage", b"RtlpQueryProcessDebugInformationFromWow64", b"RtlpQueryProcessDebugInformationRemote", b"RtlpRefreshCachedUILanguage", b"RtlpSetInstallLanguage", b"RtlpSetPreferredUILanguages", 
b"RtlpSetUserPreferredUILanguages", b"RtlpUmsExecuteYieldThreadEnd", b"RtlpUmsThreadYield", b"RtlpUnWaitCriticalSection", b"RtlpVerifyAndCommitUILanguageSettings", b"RtlpWaitForCriticalSection", b"RtlpWnfNotificationThread", b"RtlxAnsiStringToUnicodeSize", b"RtlxOemStringToUnicodeSize", b"RtlxUnicodeStringToAnsiSize", b"RtlxUnicodeStringToOemSize", b"SaveEm87Context", b"SbExecuteProcedure", b"SbSelectProcedure", b"SbtDisableForCurrentProcess", b"SbtLogDllMapping", b"SbtLogExeInitializing", b"SbtLogSystemUsageByParent", b"SbtLogSystemUsageByStack", b"ShipAssert", b"ShipAssertGetBufferInfo", b"ShipAssertMsgA", b"ShipAssertMsgW", b"TpAllocAlpcCompletion", b"TpAllocAlpcCompletionEx", b"TpAllocCleanupGroup", b"TpAllocIoCompletion", b"TpAllocJobNotification", b"TpAllocPool", b"TpAllocTimer", b"TpAllocWait", b"TpAllocWork", b"TpAlpcRegisterCompletionList", b"TpAlpcUnregisterCompletionList", b"TpCallbackDetectedUnrecoverableError", b"TpCallbackIndependent", b"TpCallbackLeaveCriticalSectionOnCompletion", b"TpCallbackMayRunLong", b"TpCallbackReleaseMutexOnCompletion", b"TpCallbackReleaseSemaphoreOnCompletion", b"TpCallbackSendAlpcMessageOnCompletion", b"TpCallbackSendPendingAlpcMessage", b"TpCallbackSetEventOnCompletion", b"TpCallbackUnloadDllOnCompletion", b"TpCancelAsyncIoOperation", b"TpCaptureCaller", b"TpCheckTerminateWorker", b"TpDbgDumpHeapUsage", b"TpDbgGetFreeInfo", b"TpDbgSetLogRoutine", b"TpDisablePoolCallbackChecks", b"TpDisassociateCallback", b"TpIsTimerSet", b"TpPoolFreeUnusedNodes", b"TpPostWork", b"TpQueryPoolStackInformation", b"TpReleaseAlpcCompletion", b"TpReleaseCleanupGroup", b"TpReleaseCleanupGroupMembers", b"TpReleaseIoCompletion", b"TpReleaseJobNotification", b"TpReleasePool", b"TpReleaseTimer", b"TpReleaseWait", b"TpReleaseWork", b"TpSetDefaultPoolMaxThreads", b"TpSetDefaultPoolStackInformation", b"TpSetPoolMaxThreads", b"TpSetPoolMaxThreadsSoftLimit", b"TpSetPoolMinThreads", b"TpSetPoolStackInformation", b"TpSetPoolThreadBasePriority", 
b"TpSetPoolWorkerThreadIdleTimeout", b"TpSetTimer", b"TpSetTimerEx", b"TpSetWait", b"TpSetWaitEx", b"TpSimpleTryPost", b"TpStartAsyncIoOperation", b"TpTimerOutstandingCallbackCount", b"TpTrimPools", b"TpWaitForAlpcCompletion", b"TpWaitForIoCompletion", b"TpWaitForJobNotification", b"TpWaitForTimer", b"TpWaitForWait", b"TpWaitForWork", b"VerSetConditionMask", b"WerCheckEventEscalation", b"WerReportSQMEvent", b"WerReportWatsonEvent", b"WinSqmAddToAverageDWORD", b"WinSqmAddToStream", b"WinSqmAddToStreamEx", b"WinSqmCheckEscalationAddToStreamEx", b"WinSqmCheckEscalationSetDWORD", b"WinSqmCheckEscalationSetDWORD64", b"WinSqmCheckEscalationSetString", b"WinSqmCommonDatapointDelete", b"WinSqmCommonDatapointSetDWORD", b"WinSqmCommonDatapointSetDWORD64", b"WinSqmCommonDatapointSetStreamEx", b"WinSqmCommonDatapointSetString", b"WinSqmEndSession", b"WinSqmEventEnabled", b"WinSqmEventWrite", b"WinSqmGetEscalationRuleStatus", b"WinSqmGetInstrumentationProperty", b"WinSqmIncrementDWORD", b"WinSqmIsOptedWinSqmIsOptedInEx", b"WinSqmIsSessionDisabled", b"WinSqmSetDWORD", b"WinSqmSetDWORD64", b"WinSqmSetEscalationInfo", b"WinSqmSetIfMaxDWORD", b"WinSqmSetIfMinDWORD", b"WinSqmSetString", b"WinSqmStartSession", b"WinSqmStartSessionForPartner", b"WinSqmStartSqmOptinListener", b"ZwAcceptConnectPort", b"ZwAccessCheck", b"ZwAccessCheckAndAuditAlarm", b"ZwAccessCheckByType", b"ZwAccessCheckByTypeAndAuditAlarm", b"ZwAccessCheckByTypeResultList", b"ZwAccessCheckByTypeResultListAndAuditAlarm", b"ZwAccessCheckByTypeResultListAndAuditAlarmByHandle", b"ZwAcquireCMFViewOwnership", b"ZwAddAtom", b"ZwAddAtomEx", b"ZwAddBootEntry", b"ZwAddDriverEntry", b"ZwAdjustGroupsToken", b"ZwAdjustPrivilegesToken", b"ZwAdjustTokenClaimsAndDeviceGroups", b"ZwAlertResumeThread", b"ZwAlertThread", b"ZwAlertThreadByThreadId", b"ZwAllocateLocallyUniqueId", b"ZwAllocateReserveObject", b"ZwAllocateUserPhysicalPages", b"ZwAllocateUuids", b"ZwAllocateVirtualMemory", b"ZwAlpcAcceptConnectPort", b"ZwAlpcCancelMessage", 
b"ZwAlpcConnectPort", b"ZwAlpcConnectPortEx", b"ZwAlpcCreatePort", b"ZwAlpcCreatePortSection", b"ZwAlpcCreateResourceReserve", b"ZwAlpcCreateSectionView", b"ZwAlpcCreateSecurityContext", b"ZwAlpcDeletePortSection", b"ZwAlpcDeleteResourceReserve", b"ZwAlpcDeleteSectionView", b"ZwAlpcDeleteSecurityContext", b"ZwAlpcDisconnectPort", b"ZwAlpcImpersonateClientContainerOfPort", b"ZwAlpcImpersonateClientOfPort", b"ZwAlpcOpenSenderProcess", b"ZwAlpcOpenSenderThread", b"ZwAlpcQueryInformation", b"ZwAlpcQueryInformationMessage", b"ZwAlpcRevokeSecurityContext", b"ZwAlpcSendWaitReceivePort", b"ZwAlpcSetInformation", b"ZwApphelpCacheControl", b"ZwAreMappedFilesTheSame", b"ZwAssignProcessToJobObject", b"ZwAssociateWaitCompletionPacket", b"ZwCallbackReturn", b"ZwCancelDeviceWakeupRequest", b"ZwCancelIoFile", b"ZwCancelIoFileEx", b"ZwCancelSynchronousIoFile", b"ZwCancelTimer", b"ZwCancelTimer2", b"ZwCancelWaitCompletionPacket", b"ZwClearAllSavepointsTransaction", b"ZwClearEvent", b"ZwClearSavepointTransaction", b"ZwClose", b"ZwCloseObjectAuditAlarm", b"ZwCommitComplete", b"ZwCommitEnlistment", b"ZwCommitTransaction", b"ZwCompactKeys", b"ZwCompareObjects", b"ZwCompareTokens", b"ZwCompleteConnectPort", b"ZwCompressKey", b"ZwConnectPort", b"ZwContinue", b"ZwCreateChannel", b"ZwCreateDebugObject", b"ZwCreateDirectoryObject", b"ZwCreateDirectoryObjectEx", b"ZwCreateEnlistment", b"ZwCreateEvent", b"ZwCreateEventPair", b"ZwCreateFile", b"ZwCreateIRTimer", b"ZwCreateIoCompletion", b"ZwCreateJobObject", b"ZwCreateJobSet", b"ZwCreateKey", b"ZwCreateKeyTransacted", b"ZwCreateKeyedEvent", b"ZwCreateLowBoxToken", b"ZwCreateMailslotFile", b"ZwCreateMutant", b"ZwCreateNamedPipeFile", b"ZwCreatePagingFile", b"ZwCreatePartition", b"ZwCreatePort", b"ZwCreatePrivateNamespace", b"ZwCreateProcess", b"ZwCreateProcessEx", b"ZwCreateProfile", b"ZwCreateProfileEx", b"ZwCreateResourceManager", b"ZwCreateSection", b"ZwCreateSemaphore", b"ZwCreateSymbolicLinkObject", b"ZwCreateThread", b"ZwCreateThreadEx", 
b"ZwCreateTimer", b"ZwCreateTimer2", b"ZwCreateToken", b"ZwCreateTokenEx", b"ZwCreateTransaction", b"ZwCreateTransactionManager", b"ZwCreateUserProcess", b"ZwCreateWaitCompletionPacket", b"ZwCreateWaitablePort", b"ZwCreateWnfStateName", b"ZwCreateWorkerFactory", b"ZwDebugActiveProcess", b"ZwDebugContinue", b"ZwDelayExecution", b"ZwDeleteAtom", b"ZwDeleteBootEntry", b"ZwDeleteDriverEntry", b"ZwDeleteFile", b"ZwDeleteKey", b"ZwDeleteObjectAuditAlarm", b"ZwDeletePrivateNamespace", b"ZwDeleteValueKey", b"ZwDeleteWnfStateData", b"ZwDeleteWnfStateName", b"ZwDeviceIoControlFile", b"ZwDisableLastKnownGood", b"ZwDisplayString", b"ZwDrawText", b"ZwDuplicateObject", b"ZwDuplicateToken", b"ZwEnableLastKnownGood", b"ZwEnumerateBootEntries", b"ZwEnumerateBus", b"ZwEnumerateDriverEntries", b"ZwEnumerateKey", b"ZwEnumerateSystemEnvironmentValuesEx", b"ZwEnumerateTransactionObject", b"ZwEnumerateValueKey", b"ZwExtendSection", b"ZwFilterBootOption", b"ZwFilterToken", b"ZwFilterTokenEx", b"ZwFindAtom", b"ZwFlushBuffersFile", b"ZwFlushBuffersFileEx", b"ZwFlushInstallUILanguage", b"ZwFlushInstructionCache", b"ZwFlushKey", b"ZwFlushProcessWriteBuffers", b"ZwFlushVirtualMemory", b"ZwFlushWriteBuffer", b"ZwFreeUserPhysicalPages", b"ZwFreeVirtualMemory", b"ZwFreezeRegistry", b"ZwFreezeTransactions", b"ZwFsControlFile", b"ZwGetCachedSigningLevel", b"ZwGetCompleteWnfStateSubscription", b"ZwGetContextThread", b"ZwGetCurrentProcessorNumber", b"ZwGetCurrentProcessorNumberEx", b"ZwGetDevicePowerState", b"ZwGetMUIRegistryInfo", b"ZwGetNextProcess", b"ZwGetNextThread", b"ZwGetNlsSectionPtr", b"ZwGetNotificationResourceManager", b"ZwGetPlugPlayEvent", b"ZwGetTickCount", b"ZwGetWriteWatch", b"ZwImpersonateAnonymousToken", b"ZwImpersonateClientOfPort", b"ZwImpersonateThread", b"ZwInitializeNlsFiles", b"ZwInitializeRegistry", b"ZwInitiatePowerAction", b"ZwIsProcessInJob", b"ZwIsSystemResumeAutomatic", b"ZwIsUILanguageComitted", b"ZwListTransactions", b"ZwListenChannel", b"ZwListenPort", 
b"ZwLoadDriver", b"ZwLoadKey", b"ZwLoadKey2", b"ZwLoadKeyEx", b"ZwLockFile", b"ZwLockProductActivationKeys", b"ZwLockRegistryKey", b"ZwLockVirtualMemory", b"ZwMakePermanentObject", b"ZwMakeTemporaryObject", b"ZwManagePartition", b"ZwMapCMFModule", b"ZwMapUserPhysicalPages", b"ZwMapUserPhysicalPagesScatter", b"ZwMapViewOfSection", b"ZwMarshallTransaction", b"ZwModifyBootEntry", b"ZwModifyDriverEntry", b"ZwNotifyChangeDirectoryFile", b"ZwNotifyChangeKey", b"ZwNotifyChangeMultipleKeys", b"ZwNotifyChangeSession", b"ZwOpenChannel", b"ZwOpenDirectoryObject", b"ZwOpenEnlistment", b"ZwOpenEvent", b"ZwOpenEventPair", b"ZwOpenFile", b"ZwOpenIoCompletion", b"ZwOpenJobObject", b"ZwOpenKey", b"ZwOpenKeyEx", b"ZwOpenKeyTransacted", b"ZwOpenKeyTransactedEx", b"ZwOpenKeyedEvent", b"ZwOpenMutant", b"ZwOpenObjectAuditAlarm", b"ZwOpenPartition", b"ZwOpenPrivateNamespace", b"ZwOpenProcess", b"ZwOpenProcessToken", b"ZwOpenProcessTokenEx", b"ZwOpenResourceManager", b"ZwOpenSection", b"ZwOpenSemaphore", b"ZwOpenSession", b"ZwOpenSymbolicLinkObject", b"ZwOpenThread", b"ZwOpenThreadToken", b"ZwOpenThreadTokenEx", b"ZwOpenTimer", b"ZwOpenTransaction", b"ZwOpenTransactionManager", b"ZwPlugPlayControl", b"ZwPowerInformation", b"ZwPrePrepareComplete", b"ZwPrePrepareEnlistment", b"ZwPrepareComplete", b"ZwPrepareEnlistment", b"ZwPrivilegeCheck", b"ZwPrivilegeObjectAuditAlarm", b"ZwPrivilegedServiceAuditAlarm", b"ZwPropagationComplete", b"ZwPropagationFailed", b"ZwProtectVirtualMemory", b"ZwPullTransaction", b"ZwPulseEvent", b"ZwQueryAttributesFile", b"ZwQueryBootEntryOrder", b"ZwQueryBootOptions", b"ZwQueryDebugFilterState", b"ZwQueryDefaultLocale", b"ZwQueryDefaultUILanguage", b"ZwQueryDirectoryFile", b"ZwQueryDirectoryObject", b"ZwQueryDriverEntryOrder", b"ZwQueryEaFile", b"ZwQueryEvent", b"ZwQueryFullAttributesFile", b"ZwQueryInformationAtom", b"ZwQueryInformationEnlistment", b"ZwQueryInformationFile", b"ZwQueryInformationJobObject", b"ZwQueryInformationPort", b"ZwQueryInformationProcess", 
b"ZwQueryInformationResourceManager", b"ZwQueryInformationThread", b"ZwQueryInformationToken", b"ZwQueryInformationTransaction", b"ZwQueryInformationTransactionManager", b"ZwQueryInformationWorkerFactory", b"ZwQueryInstallUILanguage", b"ZwQueryIntervalProfile", b"ZwQueryIoCompletion", b"ZwQueryKey", b"ZwQueryLicenseValue", b"ZwQueryMultipleValueKey", b"ZwQueryMutant", b"ZwQueryObject", b"ZwQueryOleDirectoryFile", b"ZwQueryOpenSubKeys", b"ZwQueryOpenSubKeysEx", b"ZwQueryPerformanceCounter", b"ZwQueryPortInformationProcess", b"ZwQueryQuotaInformationFile", b"ZwQuerySection", b"ZwQuerySecurityAttributesToken", b"ZwQuerySecurityObject", b"ZwQuerySemaphore", b"ZwQuerySymbolicLinkObject", b"ZwQuerySystemEnvironmentValue", b"ZwQuerySystemEnvironmentValueEx", b"ZwQuerySystemInformation", b"ZwQuerySystemInformationEx", b"ZwQuerySystemTime", b"ZwQueryTimer", b"ZwQueryTimerResolution", b"ZwQueryValueKey", b"ZwQueryVirtualMemory", b"ZwQueryVolumeInformationFile", b"ZwQueryWnfStateData", b"ZwQueryWnfStateNameInformation", b"ZwQueueApcThread", b"ZwQueueApcThreadEx", b"ZwRaiseException", b"ZwRaiseHardError", b"ZwReadFile", b"ZwReadFileScatter", b"ZwReadOnlyEnlistment", b"ZwReadRequestData", b"ZwReadVirtualMemory", b"ZwRecoverEnlistment", b"ZwRecoverResourceManager", b"ZwRecoverTransactionManager", b"ZwRegisterNewDevice", b"ZwRegisterProtocolAddressInformation", b"ZwRegisterThreadTerminatePort", b"ZwReleaseCMFViewOwnership", b"ZwReleaseKeyedEvent", b"ZwReleaseMutant", b"ZwReleaseProcessMutant", b"ZwReleaseSemaphore", b"ZwReleaseWorkerFactoryWorker", b"ZwRemoveIoCompletion", b"ZwRemoveIoCompletionEx", b"ZwRemoveProcessDebug", b"ZwRenameKey", b"ZwRenameTransactionManager", b"ZwReplaceKey", b"ZwReplacePartitionUnit", b"ZwReplyPort", b"ZwReplyWaitReceivePort", b"ZwReplyWaitReceivePortEx", b"ZwReplyWaitReplyPort", b"ZwReplyWaitSendChannel", b"ZwRequestDeviceWakeup", b"ZwRequestPort", b"ZwRequestWaitReplyPort", b"ZwRequestWakeupLatency", b"ZwResetEvent", b"ZwResetWriteWatch", 
b"ZwRestoreKey", b"ZwResumeProcess", b"ZwResumeThread", b"ZwRevertContainerImpersonation", b"ZwRollbackComplete", b"ZwRollbackEnlistment", b"ZwRollbackSavepointTransaction", b"ZwRollbackTransaction", b"ZwRollforwardTransactionManager", b"ZwSaveKey", b"ZwSaveKeyEx", b"ZwSaveMergedKeys", b"ZwSavepointComplete", b"ZwSavepointTransaction", b"ZwSecureConnectPort", b"ZwSendWaitReplyChannel", b"ZwSerializeBoot", b"ZwSetBootEntryOrder", b"ZwSetBootOptions", b"ZwSetCachedSigningLevel", b"ZwSetContextChannel", b"ZwSetContextThread", b"ZwSetDebugFilterState", b"ZwSetDefaultHardErrorPort", b"ZwSetDefaultLocale", b"ZwSetDefaultUILanguage", b"ZwSetDriverEntryOrder", b"ZwSetEaFile", b"ZwSetEvent", b"ZwSetEventBoostPriority", b"ZwSetHighEventPair", b"ZwSetHighWaitLowEventPair", b"ZwSetHighWaitLowThread", b"ZwSetIRTimer", b"ZwSetInformationDebugObject", b"ZwSetInformationEnlistment", b"ZwSetInformationFile", b"ZwSetInformationJobObject", b"ZwSetInformationKey", b"ZwSetInformationObject", b"ZwSetInformationProcess", b"ZwSetInformationResourceManager", b"ZwSetInformationSymbolicLink", b"ZwSetInformationThread", b"ZwSetInformationToken", b"ZwSetInformationTransaction", b"ZwSetInformationTransactionManager", b"ZwSetInformationVirtualMemory", b"ZwSetInformationWorkerFactory", b"ZwSetIntervalProfile", b"ZwSetIoCompletion", b"ZwSetIoCompletionEx", b"ZwSetLdtEntries", b"ZwSetLowEventPair", b"ZwSetLowWaitHighEventPair", b"ZwSetLowWaitHighThread", b"ZwSetQuotaInformationFile", b"ZwSetSecurityObject", b"ZwSetSystemEnvironmentValue", b"ZwSetSystemEnvironmentValueEx", b"ZwSetSystemInformation", b"ZwSetSystemPowerState", b"ZwSetSystemTime", b"ZwSetThreadExecutionState", b"ZwSetTimer", b"ZwSetTimer2", b"ZwSetTimerEx", b"ZwSetTimerResolution", b"ZwSetUuidSeed", b"ZwSetValueKey", b"ZwSetVolumeInformationFile", b"ZwSetWnfProcessNotificationEvent", b"ZwShutdownSystem", b"ZwShutdownWorkerFactory", b"ZwSignalAndWaitForSingleObject", b"ZwSinglePhaseReject", b"ZwStartProfile", b"ZwStartTm", 
b"ZwStopProfile", b"ZwSubscribeWnfStateChange", b"ZwSuspendProcess", b"ZwSuspendThread", b"ZwSystemDebugControl", b"ZwTerminateJobObject", b"ZwTerminateProcess", b"ZwTerminateThread", b"ZwTestAlert", b"ZwThawRegistry", b"ZwThawTransactions", b"ZwTraceControl", b"ZwTraceEvent", b"ZwTranslateFilePath", b"ZwUmsThreadYield", b"ZwUnloadDriver", b"ZwUnloadKey", b"ZwUnloadKey2", b"ZwUnloadKeyEx", b"ZwUnlockFile", b"ZwUnlockVirtualMemory", b"ZwUnmapViewOfSection", b"ZwUnmapViewOfSectionEx", b"ZwUnsubscribeWnfStateChange", b"ZwUpdateWnfStateData", b"ZwVdmControl", b"ZwW32Call", b"ZwWaitForAlertByThreadId", b"ZwWaitForDebugEvent", b"ZwWaitForKeyedEvent", b"ZwWaitForMultipleObjects", b"ZwWaitForMultipleObjects32", b"ZwWaitForProcessMutant", b"ZwWaitForSingleObject", b"ZwWaitForWnfNotifications", b"ZwWaitForWorkViaWorkerFactory", b"ZwWaitHighEventPair", b"ZwWaitLowEventPair", b"ZwWorkerFactoryWorkerReady", b"ZwWow64AllocateVirtualMemory64", b"ZwWow64CallFunction64", b"ZwWow64CsrAllocateCaptureBuffer", b"ZwWow64CsrAllocateMessagePointer", b"ZwWow64CsrCaptureMessageBuffer", b"ZwWow64CsrCaptureMessageString", b"ZwWow64CsrClientCallServer", b"ZwWow64CsrClientConnectToServer", b"ZwWow64CsrFreeCaptureBuffer", b"ZwWow64CsrGetProcessId", b"ZwWow64CsrIdentifyAlertableThread", b"ZwWow64CsrNewThread", b"ZwWow64CsrSetPriorityClass", b"ZwWow64CsrVerifyRegion", b"ZwWow64DebuggerCall", b"ZwWow64GetCurrentProcessorNumberEx", b"ZwWow64GetNativeSystemInformation", b"ZwWow64InterlockedPopEntrySList", b"ZwWow64IsProcessorFeaturePresent", b"ZwWow64QueryInformationProcess64", b"ZwWow64QueryVirtualMemory64", b"ZwWow64ReadVirtualMemory64", b"ZwWow64WriteVirtualMemory64", b"ZwWriteFile", b"ZwWriteFileGather", b"ZwWriteRequestData", b"ZwWriteVirtualMemory", b"ZwYieldExecution", b"_CIcos", b"_CIlog", b"_CIpow", b"_CIs_CIsqrt", b"_ResCGetRegistryFlags", b"_ResCMatchFlags", b"_ResCSaveRegistryFlags", b"__C_specific_handler", b"__chkstk", b"__eCommonExceptions", b"__eEmulatorInit", b"__eF2XM1", b"__eFABS", 
b"__eFADD32", b"__eFADD64", b"__eFADDPreg", b"__eFADDreg", b"__eFADDtop", b"__eFCHS", b"__eFCOM", b"__eFCOM32", b"__eFCOM64", b"__eFCOMP", b"__eFCOMP32", b"__eFCOMP64", b"__eFCOMPP", b"__eFCOS", b"__eFDECSTP", b"__eFDIV32", b"__eFDIV64", b"__eFDIVPreg", b"__eFDIVR32", b"__eFDIVR64", b"__eFDIVRPreg", b"__eFDIVRreg", b"__eFDIVRtop", b"__eFDIVreg", b"__eFDIVtop", b"__eFFREE", b"__eFIADD16", b"__eFIADD32", b"__eFICOM16", b"__eFICOM32", b"__eFICOMP16", b"__eFICOMP32", b"__eFIDIV16", b"__eFIDIV32", b"__eFIDIVR16", b"__eFIDIVR32", b"__eFILD16", b"__eFILD32", b"__eFILD64", b"__eFIMUL16", b"__eFIMUL32", b"__eFINCSTP", b"__eFINIT", b"__eFIST16", b"__eFIST32", b"__eFISTP16", b"__eFISTP32", b"__eFISTP64", b"__eFISUB16", b"__eFISUB32", b"__eFISUBR16", b"__eFISUBR32", b"__eFLD1", b"__eFLD32", b"__eFLD64", b"__eFLD80", b"__eFLDCW", b"__eFLDENV", b"__eFLDL2E", b"__eFLDLN2", b"__eFLDPI", b"__eFLDZ", b"__eFMUL32", b"__eFMUL64", b"__eFMULPreg", b"__eFMULreg", b"__eFMULtop", b"__eFPATAN", b"__eFPREM", b"__eFPREM1", b"__eFPTAN", b"__eFRNDINT", b"__eFRSTOR", b"__eFSAVE", b"__eFSCALE", b"__eFS__eFSQRT", b"__eFST", b"__eFST32", b"__eFST64", b"__eFSTCW", b"__eFSTENV", b"__eFSTP", b"__eFSTP32", b"__eFSTP64", b"__eFSTP80", b"__eFSTSW", b"__eFSUB32", b"__eFSUB64", b"__eFSUBPreg", b"__eFSUBR32", b"__eFSUBR64", b"__eFSUBRPreg", b"__eFSUBRreg", b"__eFSUBRtop", b"__eFSUBreg", b"__eFSUBtop", b"__eFTST", b"__eFUCOM", b"__eFUCOMP", b"__eFUCOMPP", b"__eFXAM", b"__eFXCH", b"__eFXTRACT", b"__eFYL2X", b"__eFYL2XP1", b"__eGetStatusWord", b"__isascii", b"__iscsym", b"__iscsymf", b"__misaligned_access", b"__toascii", b"_alldiv", b"_alldvrm", b"_allmul", b"_alloca_probe", b"_alloca_probe_16", b"_alloca_probe_8", b"_allrem", b"_allshl", b"_allshr", b"_atoi64", b"_aulldiv", b"_aulldvrm", b"_aullrem", b"_aullshr", b"_chkstk", b"_errno", b"_except_handler4_common", b"_fltused", b"_ftol", b"ftol2", b"ftol2_sse", b"_i64toa", b"_i64toa_s", b"_i64tow", b"_i64tow_s", b"_itoa", b"_itoa_s", b"_itow", b"_itow_s", 
b"_lfind", b"_local_unwind", b"_local_unwind4", b"_ltoa", b"_ltoa_s", b"_ltow", b"_ltow_s", b"_makepath_s", b"_memccpy", b"_memicmp", b"_setjmp", b"_setjmpex", b"_snprintf", b"_snprintf_s", b"_snscanf_s", b"_snwprintf", b"_snwprintf_s", b"_snwscanf_s", b"_splitpath", b"_splitpath_s", b"_strcmpi", b"_stricmp", b"_strlwr", b"_strlwr_s", b"_strnicmp", b"_strnset_s", b"_strset_s", b"_strupr", b"_strupr_s", b"_swprintf", b"_tolower", b"_toupper", b"_ui64toa", b"_ui64toa_s", b"_ui64tow", b"_ui64tow_s", b"_ultoa", b"_ultoa_s", b"_ultow", b"_ultow_s", b"_vscwprintf", b"_vsnprintf", b"_vsnprintf_s", b"_vsnwprintf", b"_vsnwprintf_s", b"_vswprintf", b"_wcsicmp", b"_wcslwr", b"_wcslwr_s", b"_wcsnicmp", b"_wcsnset_s", b"_wcsset_s", b"_wcstoi64", b"_wcstoui64", b"_wcsupr", b"_wcsupr_s", b"_wmakepath_s", b"_wsplitpath_s", b"_wtoi", b"_wtoi64", b"_wtol", b"abs", b"atan", b"atan2", b"atoi", b"atol", b"bsearch", b"ceil", b"cos", b"fabs", b"floor", b"isalnum", b"isalpha", b"iscntrl", b"isdigit", b"isgraph", b"islower", b"isprint", b"ispunct", b"isspace", b"isupper", b"iswalnum", b"iswalpha", b"iswascii", b"iswctype", b"iswdigit", b"iswgraph", b"iswlower", b"iswprint", b"iswspace", b"iswxdigit", b"isxdigit", b"labs", b"log", b"longjmp", b"mbstowcs", b"memchr", b"memcmp", b"memcpy", b"memcpy_s", b"memmove", b"memmove_s", b"memset", b"pow", b"qsort", b"qsort_s", b"ssprintf", b"sprintf_s", b"sqrt", b"sscanf", b"sscanf_s", b"strcat", b"strcat_s", b"strchr", b"strcmp", b"strcpy", b"strcpy_s", b"strcspn", b"strlen", b"strncat", b"strncat_s", b"strncmp", b"strncpy", b"strncpy_s", b"strnlen", b"strpbrk", b"strrchr", b"strspn", b"strstr", b"strtok_s", b"strtol", b"strtoul", b"swprintf", b"swprintf_s", b"swscanf_s", b"tan", b"tolower", b"toupper", b"towlower", b"towupper", b"vDbgPrintEx", b"vDbgPrintExWithPrefix", b"vsprintf", b"vsprintf_s", b"vswprintf_s", b"wcscat", b"wcscat_s", b"wcschr", b"wcscmp", b"wcscpy", b"wcscpy_s", b"wcscspn", b"wcslen", b"wcsncat", b"wcsncat_s", b"wcsncmp", 
b"wcsncpy", b"wcsncpy_s", b"wcsnlen", b"wcspbrk", b"wcsrchr", b"wcsspn", b"wcsstr", b"wcstok", b"wcstok_s", b"wcstol", b"wcstombs", b"wcstoul", 16 | ] 17 | 18 | kernel32_funcs = [ 19 | b"AcquireSRWLockExclusive", b"AcquireSRWLockShared", b"AcquireStateLock", b"ActivateActCtx", b"ActivateActCtxWorker", b"AddAtomA", b"AddAtomW", b"AddConsoleAliasA", b"AddConsoleAliasW", b"AddDllDirectory", b"AddIntegrityLabelToBoundaryDescriptor", b"AddLocalAlternateComputerNameA", b"AddLocalAlternateComputerNameW", b"AddRefActCtx", b"AddRefActCtxWorker", b"AddResourceAttributeAce", b"AddSIDToBoundaryDescriptor", b"AddScopedPolicyIDAce", b"AddSecureMemoryCacheCallback", b"AddVectoredContinueHandler", b"AddVectoredExceptionHandler", b"AdjustCalendarDate", b"AllocConsole", b"AllocLSCallback", b"AllocMappedBuffer", b"AllocSLCallback", b"AllocateUserPhysicalPages", b"AllocateUserPhysicalPagesNuma", b"AppContainerDeriveSidFromMoniker", b"AppContainerFreeMemory", b"AppContainerLookupDisplayNameMrtReference", b"AppContainerLookupMoniker", b"AppContainerRegisterSid", b"AppContainerUnregisterSid", b"AppXFreeMemory", b"AppXGetApplicationData", b"AppXGetDevelopmentMode", b"AppXGetOSMaxVersionTested", b"AppXGetOSMinVersion", b"AppXGetPackageCapabilities", b"AppXGetPackageSid", b"AppXGetPackageState", b"AppXLookupDisplayName", b"AppXLookupMoniker", b"AppXSetPackageState", b"ApplicationRecoveryFinished", b"ApplicationRecoveryInProgress", b"AreFileApisANSI", b"AssignProcessToJobObject", b"AttachConsole", b"BackupRead", b"BackupSeek", b"BackupWrite", b"BaseAttachCompleteThunk", b"BaseCheckAppcompatCache", b"BaseCheckAppcompatCacheEx", b"BaseCheckAppcompatCacheExWorker", b"BaseCheckAppcompatCacheWorker", b"BaseCheckElevation", b"BaseCheckRunApp", b"BaseCleanupAppcompatCache", b"BaseCleanupAppcompatCacheSupport", b"BaseCleanupAppcompatCacheSupportWorker", b"BaseDestroyVDMEnvironment", b"BaseDllReadWriteIniFile", b"BaseDumpAppcompatCache", b"BaseDumpAppcompatCacheWorker", 
b"BaseElevationPostProcessing", b"BaseFlushAppcompatCache", b"BaseFlushAppcompatCacheWorker", b"BaseFormatObjectAttributes", b"BaseFormatTimeOut", b"BaseFreeAppCompatDataForProcessWorker", b"BaseGenerateAppCompatData", b"BaseGetNamedObjectDirectory", b"BaseInitAppcompatCache", b"BaseInitAppcompatCacheSupport", b"BaseInitAppcompatCacheSupportWorker", b"BaseIsAppcompatInfrastructureDisabled", b"BaseIsAppcompatInfrastructureDisabledWorker", b"BaseIsDosApplication", b"BaseProcessInitPostImport", b"BaseProcessStart", b"BaseQueryModuleData", b"BaseReadAppCompatDataForProcessWorker", b"BaseSetLastNTError", b"BaseThreadInitThunk", b"BaseThreadStart", b"BaseUpdateAppcompatCache", b"BaseUpdateAppcompatCacheWorker", b"BaseUpdateVDMEntry", b"BaseVerifyUnicodeString", b"BaseWriteErrorElevationRequiredEvent", b"Basep8BitStringToDynamicUnicodeString", b"BasepAllocateActivationContextActivationBlock", b"BasepAnsiStringToDynamicUnicodeString", b"BasepAppCompatHookDLL", b"BasepAppContainerEnvironmentExtension", b"BasepAppXExtension", b"BasepCheckAppCompat", b"BasepCheckBadapp", b"BasepCheckWebBladeHashes", b"BasepCheckWinSaferRestrictions", b"BasepConstructSxsCreateProcessMessage", b"BasepCopyEncryption", b"BasepFreeActivationContextActivationBlock", b"BasepFreeAppCompatData", b"BasepGetAppCompatData", b"BasepGetComputerNameFromNtPath", b"BasepGetExeArchType", b"BasepIsProcessAllowed", b"BasepMapModuleHandle", b"BasepNotifyLoadStringResource", b"BasepPostSuccessAppXExtension", b"BasepProcessInvalidImage", b"BasepQueryAppCompat", b"BasepReleaseAppXContext", b"BasepReleaseSxsCreateProcessUtilityStruct", b"BasepReportFault", b"BasepSetFileEncryptionCompression", b"Beep", b"BeginUpdateResourceA", b"BeginUpdateResourceW", b"BindIoCompletionCallback", b"BoostFileCache", b"BuildCommDCBA", b"BuildCommDCBAndTimeoutsA", b"BuildCommDCBAndTimeoutsW", b"BuildCommDCBW", b"CallNamedPipeA", b"CallNamedPipeW", b"CalloutOnFiberStack", b"CancelDeviceWakeupRequest", b"CancelIo", b"CancelIoEx", 
b"CancelSynchronousIo", b"CancelThreadpoolIo", b"CancelTimerQueueTimer", b"CancelWaitableTimer", b"CeipIsOptedIn", b"ChangeTimerQueueTimer", b"CheckAllowDecryptedRemoteDestinationPolicy", b"CheckElevation", b"CheckElevationEnabled", b"CheckForReadOnlyResource", b"CheckForReadOnlyResourceFilter", b"CheckNameLegalDOS8Dot3A", b"CheckNameLegalDOS8Dot3W", b"CheckRemoteDebuggerPresent", b"CheckTokenCapability", b"CheckTokenMembershipEx", b"ClearCommBreak", b"ClearCommError", b"CloseConsoleHandle", b"CloseHandle", b"ClosePackageInfo", b"ClosePrivateNamespace", b"CloseProfileUserMapping", b"CloseState", b"CloseStateAtom", b"CloseStateChangeNotification", b"CloseStateContainer", b"CloseStateLock", b"CloseSystemHandle", b"CloseThreadpool", b"CloseThreadpoolCleanupGroup", b"CloseThreadpoolCleanupGroupMembers", b"CloseThreadpoolIo", b"CloseThreadpoolTimer", b"CloseThreadpoolWait", b"CloseThreadpoolWork", b"CmdBatNotification", b"CommConfigDialogA", b"CommConfigDialogW", b"CommitStateAtom", b"Common32ThkLS", b"CommonUnimpStub", b"CompareCalendarDates", b"CompareFileTime", b"CompareStringA", b"CompareStringEx", b"CompareStringOrdinal", b"CompareStringW", b"ConnectNamedPipe", b"ConsoleIMERoutine", b"ConsoleMenuControl", b"ContinueDebugEvent", b"ConvertCalDateTimeToSystemTime", b"ConvertDefaultLocale", b"ConvertFiberToThread", b"ConvertNLSDayOfWeekToWin32DayOfWeek", b"ConvertSystemTimeToCalDateTime", b"ConvertThreadToFiber", b"ConvertThreadToFiberEx", b"ConvertToGlobalHandle", b"CopyContext", b"CopyExtendedContext", b"CopyFile2", b"CopyFileA", b"CopyFileExA", b"CopyFileExW", b"CopyFileTransactedA", b"CopyFileTransactedW", b"CopyFileW", b"CopyLZFile", b"CreateActCtxA", b"CreateActCtxW", b"CreateActCtxWWorker", b"CreateBoundaryDescriptorA", b"CreateBoundaryDescriptorW", b"CreateConsoleScreenBuffer", b"CreateDirectoryA", b"CreateDirectoryExA", b"CreateDirectoryExW", b"CreateDirectoryTransactedA", b"CreateDirectoryTransactedW", b"CreateDirectoryW", b"CreateEventA", b"CreateEventExA", 
b"CreateEventExW", b"CreateEventW", b"CreateFiber", b"CreateFiberEx", b"CreateFile2", b"CreateFileA", b"CreateFileMappingA", b"CreateFileMappingFromApp", b"CreateFileMappingNumaA", b"CreateFileMappingNumaW", b"CreateFileMappingW", b"CreateFileTransactedA", b"CreateFileTransactedW", b"CreateFileW", b"CreateHardLinkA", b"CreateHardLinkTransactedA", b"CreateHardLinkTransactedW", b"CreateHardLinkW", b"CreateIoCompletionPort", b"CreateJobObjectA", b"CreateJobObjectW", b"CreateJobSet", b"CreateKernelThread", b"CreateMailslotA", b"CreateMailslotW", b"CreateMemoryResourceNotification", b"CreateMutexA", b"CreateMutexExA", b"CreateMutexExW", b"CreateMutexW", b"CreateNamedPipeA", b"CreateNamedPipeW", b"CreateNlsSecurityDescriptor", b"CreatePipe", b"CreatePrivateNamespaceA", b"CreatePrivateNamespaceW", b"CreateProcessA", b"CreateProcessAsUserA", b"CreateProcessAsUserW", b"CreateProcessInternalA", b"CreateProcessInternalW", b"CreateProcessInternalWSecure", b"CreateProcessW", b"CreateRemoteThread", b"CreateRemoteThreadEx", b"CreateSemaphoreA", b"CreateSemaphoreExA", b"CreateSemaphoreExW", b"CreateSemaphoreW", b"CreateSocketHandle", b"CreateStateAtom", b"CreateStateChangeNotification", b"CreateStateContainer", b"CreateStateLock", b"CreateStateSubcontainer", b"CreateSymbolicLinkA", b"CreateSymbolicLinkTransactedA", b"CreateSymbolicLinkTransactedW", b"CreateSymbolicLinkW", b"CreateTapePartition", b"CreateThread", b"CreateThreadpool", b"CreateThreadpoolCleanupGroup", b"CreateThreadpoolIo", b"CreateThreadpoolTimer", b"CreateThreadpoolWait", b"CreateThreadpoolWork", b"CreateTimerQueue", b"CreateTimerQueueTimer", b"CreateToolhelp32Snapshot", b"CreateUmsCompletionList", b"CreateUmsThreadContext", b"CreateVirtualBuffer", b"CreateWaitableTimerA", b"CreateWaitableTimerExA", b"CreateWaitableTimerExW", b"CreateWaitableTimerW", b"CtrlRoutine", b"DeactivateActCtx", b"DeactivateActCtxWorker", b"DebugActiveProcess", b"DebugActiveProcessStop", b"DebugBreak", b"DebugBreakProcess", 
b"DebugSetProcessKillOnExit", b"DecodePointer", b"DecodeSystemPointer", b"DefineDosDeviceA", b"DefineDosDeviceW", b"DelayLoadFailureHook", b"DeleteAtom", b"DeleteBoundaryDescriptor", b"DeleteCriticalSection", b"DeleteFiber", b"DeleteFileA", b"DeleteFileTransactedA", b"DeleteFileTransactedW", b"DeleteFileW", b"DeleteProcThreadAttributeList", b"DeleteStateAtomValue", b"DeleteStateContainer", b"DeleteStateContainerValue", b"DeleteSynchronizationBarrier", b"DeleteTimerQueue", b"DeleteTimerQueueEx", b"DeleteTimerQueueTimer", b"DeleteUmsCompletionList", b"DeleteUmsThreadContext", b"DeleteVolumeMountPointA", b"DeleteVolumeMountPointW", b"DequeueUmsCompletionListItems", b"DeviceIoControl", b"DisableThreadLibraryCalls", b"DisableThreadProfiling", b"DisassociateCurrentThreadFromCallback", b"DiscardVirtualMemory", b"DisconnectNamedPipe", b"DisposeLZ32Handle", b"DnsHostnameToComputerNameA", b"DnsHostnameToComputerNameExW", b"DnsHostnameToComputerNameW", b"DosDateTimeToFileTime", b"DosFileHandleToWin32Handle", b"DosPathToSessionPathA", b"DosPathToSessionPathW", b"DuplicateConsoleHandle", b"DuplicateEncryptionInfoFileExt", b"DuplicateHandle", b"DuplicateStateContainerHandle", b"EnableThreadProfiling", b"EncodePointer", b"EncodeSystemPointer", b"EndUpdateResourceA", b"EndUpdateResourceW", b"EnterCriticalSection", b"EnterSynchronizationBarrier", b"EnterUmsSchedulingMode", b"EnumCalendarInfoA", b"EnumCalendarInfoExA", b"EnumCalendarInfoExEx", b"EnumCalendarInfoExW", b"EnumCalendarInfoW", b"EnumDateFormatsA", b"EnumDateFormatsExA", b"EnumDateFormatsExEx", b"EnumDateFormatsExW", b"EnumDateFormatsW", b"EnumLanguageGroupLocalesA", b"EnumLanguageGroupLocalesW", b"EnumResourceLanguagesA", b"EnumResourceLanguagesExA", b"EnumResourceLanguagesExW", b"EnumResourceLanguagesW", b"EnumResourceNamesA", b"EnumResourceNamesExA", b"EnumResourceNamesExW", b"EnumResourceNamesW", b"EnumResourceTypesA", b"EnumResourceTypesExA", b"EnumResourceTypesExW", b"EnumResourceTypesW", b"EnumSystemCodePagesA", 
b"EnumSystemCodePagesW", b"EnumSystemFirmwareTables", b"EnumSystemGeoID", b"EnumSystemLanguageGroupsA", b"EnumSystemLanguageGroupsW", b"EnumSystemLocalesA", b"EnumSystemLocalesEx", b"EnumSystemLocalesW", b"EnumTimeFormatsA", b"EnumTimeFormatsEx", b"EnumTimeFormatsW", b"EnumUILanguagesA", b"EnumUILanguagesW", b"EnumerateLocalComputerNamesA", b"EnumerateLocalComputerNamesW", b"EnumerateStateAtomValues", b"EnumerateStateContainerItems", b"EraseTape", b"EscapeCommFunction", b"ExecuteUmsThread", b"ExitProcess", b"ExitThread", b"ExitVDM", b"ExpandEnvironmentStringsA", b"ExpandEnvironmentStringsW", b"ExpungeConsoleCommandHistoryA", b"ExpungeConsoleCommandHistoryW", b"ExtendVirtualBuffer", b"FatalAppExitA", b"FatalAppExitW", b"FatalExit", b"FileTimeToDosDateTime", b"FileTimeToLocalFileTime", b"FileTimeToSystemTime", b"FillConsoleOutputAttribute", b"FillConsoleOutputCharacterA", b"FillConsoleOutputCharacterW", b"FindActCtxSectionGuid", b"FindActCtxSectionGuidWorker", b"FindActCtxSectionStringA", b"FindActCtxSectionStringW", b"FindActCtxSectionStringWWorker", b"FindAtomA", b"FindAtomW", b"FindClose", b"FindCloseChangeNotification", b"FindFirstChangeNotificationA", b"FindFirstChangeNotificationW", b"FindFirstFileA", b"FindFirstFileExA", b"FindFirstFileExW", b"FindFirstFileNameTransactedW", b"FindFirstFileNameW", b"FindFirstFileTransactedA", b"FindFirstFileTransactedW", b"FindFirstFileW", b"FindFirstStreamTransactedW", b"FindFirstStreamW", b"FindFirstVolumeA", b"FindFirstVolumeMountPointA", b"FindFirstVolumeMountPointW", b"FindFirstVolumeW", b"FindNLSString", b"FindNLSStringEx", b"FindNextChangeNotification", b"FindNextFileA", b"FindNextFileNameW", b"FindNextFileW", b"FindNextStreamW", b"FindNextVolumeA", b"FindNextVolumeMountPointA", b"FindNextVolumeMountPointW", b"FindNextVolumeW", b"FindPackagesByPackageFamily", b"FindResourceA", b"FindResourceExA", b"FindResourceExW", b"FindResourceW", b"FindStringOrdinal", b"FindVolumeClose", b"FindVolumeMountPointClose", b"FlsAlloc", 
b"FlsFree", b"FlsGetValue", b"FlsSetValue", b"FlushConsoleInputBuffer", b"FlushFileBuffers", b"FlushInstructionCache", b"FlushProcessWriteBuffers", b"FlushViewOfFile", b"FoldStringA", b"FoldStringW", b"FormatApplicationUserModelId", b"FormatMessageA", b"FormatMessageW", b"FreeConsole", b"FreeEnvironmentStringsA", b"FreeEnvironmentStringsW", b"FreeLSCallback", b"FreeLibrary", b"FreeLibrary16", b"FreeLibraryAndExitThread", b"FreeLibraryWhenCallbackReturns", b"FreeMappedBuffer", b"FreeMemoryJobObject", b"FreeResource", b"FreeSLCallback", b"FreeUserPhysicalPages", b"FreeVirtualBuffer", b"GDIReallyCares", b"GenerateConsoleCtrlEvent", b"GetACP", b"GetActiveProcessorCount", b"GetActiveProcessorGroupCount", b"GetAppContainerAce", b"GetAppContainerNamedObjectPath", b"GetApplicationRecoveryCallback", b"GetApplicationRecoveryCallbackWorker", b"GetApplicationRestartSettings", b"GetApplicationRestartSettingsWorker", b"GetApplicationUserModelId", b"GetAtomNameA", b"GetAtomNameW", b"GetBinaryType", b"GetBinaryTypeA", b"GetBinaryTypeW", b"GetCPFileNameFromRegistry", b"GetCPInfo", b"GetCPInfoExA", b"GetCPInfoExW", b"GetCachedSigningLevel", b"GetCalendarDateFormat", b"GetCalendarDateFormatEx", b"GetCalendarDaysInMonth", b"GetCalendarDifferenceInDays", b"GetCalendarInfoA", b"GetCalendarInfoEx", b"GetCalendarInfoW", b"GetCalendarMonthsInYear", b"GetCalendarSupportedDateRange", b"GetCalendarWeekNumber", b"GetComPlusPackageInstallStatus", b"GetCommConfig", b"GetCommMask", b"GetCommModemStatus", b"GetCommProperties", b"GetCommState", b"GetCommTimeouts", b"GetCommandLineA", b"GetCommandLineW", b"GetCompressedFileSizeA", b"GetCompressedFileSizeTransactedA", b"GetCompressedFileSizeTransactedW", b"GetCompressedFileSizeW", b"GetComputerNameA", b"GetComputerNameExA", b"GetComputerNameExW", b"GetComputerNameW", b"GetConsoleAliasA", b"GetConsoleAliasExesA", b"GetConsoleAliasExesLengthA", b"GetConsoleAliasExesLengthW", b"GetConsoleAliasExesW", b"GetConsoleAliasW", b"GetConsoleAliasesA", 
b"GetConsoleAliasesLengthA", b"GetConsoleAliasesLengthW", b"GetConsoleAliasesW", b"GetConsoleCP", b"GetConsoleCharType", b"GetConsoleCommandHistoryA", b"GetConsoleCommandHistoryLengthA", b"GetConsoleCommandHistoryLengthW", b"GetConsoleCommandHistoryW", b"GetConsoleCursorInfo", b"GetConsoleCursorMode", b"GetConsoleDisplayMode", b"GetConsoleFontInfo", b"GetConsoleFontSize", b"GetConsoleHardwareState", b"GetConsoleHistoryInfo", b"GetConsoleInputExeNameA", b"GetConsoleInputExeNameW", b"GetConsoleInputWaitHandle", b"GetConsoleKeyboardLayoutNameA", b"GetConsoleKeyboardLayoutNameW", b"GetConsoleMode", b"GetConsoleNlsMode", b"GetConsoleOriginalTitleA", b"GetConsoleOriginalTitleW", b"GetConsoleOutputCP", b"GetConsoleProcessList", b"GetConsoleScreenBufferInfo", b"GetConsoleScreenBufferInfoEx", b"GetConsoleSelectionInfo", b"GetConsoleTitleA", b"GetConsoleTitleW", b"GetConsoleWindow", b"GetCryptApiExponentValue", b"GetCurrencyFormatA", b"GetCurrencyFormatEx", b"GetCurrencyFormatW", b"GetCurrentActCtx", b"GetCurrentActCtxWorker", b"GetCurrentApplicationUserModelId", b"GetCurrentConsoleFont", b"GetCurrentConsoleFontEx", b"GetCurrentDirectoryA", b"GetCurrentDirectoryW", b"GetCurrentPackageFamilyName", b"GetCurrentPackageFullName", b"GetCurrentPackageId", b"GetCurrentPackageInfo", b"GetCurrentPackagePath", b"GetCurrentProcess", b"GetCurrentProcessId", b"GetCurrentProcessorNumber", b"GetCurrentProcessorNumberEx", b"GetCurrentThread", b"GetCurrentThreadId", b"GetCurrentThreadStackLimits", b"GetCurrentUmsThread", b"GetDateFormatA", b"GetDateFormatAWorker", b"GetDateFormatEx", b"GetDateFormatW", b"GetDateFormatWWorker", b"GetDaylightFlag", b"GetDefaultCommConfigA", b"GetDefaultCommConfigW", b"GetDefaultSortKeySize", b"GetDevicePowerState", b"GetDiskFreeSpaceA", b"GetDiskFreeSpaceExA", b"GetDiskFreeSpaceExW", b"GetDiskFreeSpaceW", b"GetDllDirectoryA", b"GetDllDirectoryW", b"GetDriveTypeA", b"GetDriveTypeW", b"GetDurationFormat", b"GetDurationFormatEx", b"GetDynamicTimeZoneInformation", 
b"GetEnabledExtendedFeatures", b"GetEnabledXStateFeatures", b"GetEncryptedFileVersionExt", b"GetEnvironmentStrings", b"GetEnvironmentStringsA", b"GetEnvironmentStringsW", b"GetEnvironmentVariableA", b"GetEnvironmentVariableW", b"GetEraNameCountedString", b"GetErrorMode", b"6.0", b"GetExitCodeProcess", b"GetExitCodeThread", b"GetExpandedNameA", b"GetExpandedNameW", b"GetExtendedContextLength", b"GetExtendedFeaturesMask", b"GetFileAttributesA", b"GetFileAttributesExA", b"GetFileAttributesExW", b"GetFileAttributesTransactedA", b"GetFileAttributesTransactedW", b"GetFileAttributesW", b"GetFileBandwidthReservation", b"GetFileInformationByHandle", b"GetFileInformationByHandleEx", b"GetFileMUIInfo", b"GetFileMUIPath", b"GetFileSize", b"GetFileSizeEx", b"GetFileTime", b"GetFileType", b"GetFinalPathNameByHandleA", b"GetFinalPathNameByHandleW", b"GetFirmwareEnvironmentVariableA", b"GetFirmwareEnvironmentVariableExA", b"GetFirmwareEnvironmentVariableExW", b"GetFirmwareEnvironmentVariableW", b"GetFirmwareType", b"GetFullPathNameA", b"GetFullPathNameTransactedA", b"GetFullPathNameTransactedW", b"GetFullPathNameW", b"GetGeoInfoA", b"GetGeoInfoW", b"GetHandleContext", b"GetHandleInformation", b"GetHivePath", b"GetLSCallbackTarget", b"GetLSCallbackTemplate", b"GetLargePageMinimum", b"GetLargestConsoleWindowSize", b"GetLastError", b"GetLinguistLangSize", b"GetLocalTime", b"GetLocaleInfoA", b"GetLocaleInfoEx", b"GetLocaleInfoW", b"GetLogicalDriveStringsA", b"GetLogicalDriveStringsW", b"GetLogicalDrives", b"GetLogicalProcessorInformation", b"GetLogicalProcessorInformationEx", b"GetLongPathNameA", b"GetLongPathNameTransactedA", b"GetLongPathNameTransactedW", b"GetLongPathNameW", b"GetMailslotInfo", b"GetMaximumProcessorCount", b"GetMaximumProcessorGroupCount", b"GetMemoryErrorHandlingCapabilities", b"GetModuleFileNameA", b"GetModuleFileNameW", b"GetModuleHandleA", b"GetModuleHandleExA", b"GetModuleHandleExW", b"GetModuleHandleW", b"GetModuleNameFromProc", b"GetNLSVersion", 
b"GetNLSVersionEx", b"GetNamedPipeAttribute", b"GetNamedPipeClientComputerNameA", b"GetNamedPipeClientComputerNameW", b"GetNamedPipeClientProcessId", b"GetNamedPipeClientSessionId", b"GetNamedPipeHandleStateA", b"GetNamedPipeHandleStateW", b"GetNamedPipeInfo", b"GetNamedPipeServerProcessId", b"GetNamedPipeServerSessionId", b"GetNativeSystemInfo", b"GetNextUmsListItem", b"GetNextVDMCommand", b"GetNlsSectionName", b"GetNumaAvailableMemory", b"GetNumaAvailableMemoryNode", b"GetNumaAvailableMemoryNodeEx", b"GetNumaHighestNodeNumber", b"GetNumaNodeNumberFromHandle", b"GetNumaNodeProcessorMask", b"GetNumaNodeProcessorMaskEx", b"GetNumaProcessorMap", b"GetNumaProcessorNode", b"GetNumaProcessorNodeEx", b"GetNumaProximityNode", b"GetNumaProximityNodeEx", b"GetNumberFormatA", b"GetNumberFormatEx", b"GetNumberFormatW", b"GetNumberOfConsoleFonts", b"GetNumberOfConsoleInputEvents", b"GetNumberOfConsoleMouseButtons", b"GetOEMCP", b"GetOverlappedResult", b"GetOverlappedResultEx", b"GetPK16SysVar", b"GetPackageApplicationIds", b"GetPackageFamilyName", b"GetPackageFullName", b"GetPackageId", b"GetPackageInfo", b"GetPackagePath", b"GetPackagePathByFullName", b"GetPackagesByPackageFamily", b"GetPhysicallyInstalledSystemMemory", b"GetPriorityClass", b"GetPrivateProfileIntA", b"GetPrivateProfileIntW", b"GetPrivateProfileSectionA", b"GetPrivateProfileSectionNamesA", b"GetPrivateProfileSectionNamesW", b"GetPrivateProfileSectionW", b"GetPrivateProfileStringA", b"GetPrivateProfileStringW", b"GetPrivateProfileStructA", b"GetPrivateProfileStructW", b"GetProcAddress", b"GetProcAddress16", b"GetProcessAffinityMask", b"GetProcessDEPPolicy", b"GetProcessDefaultCpuSets", b"GetProcessDword", b"GetProcessFlags", b"GetProcessGroupAffinity", b"GetProcessHandleCount", b"GetProcessHeap", b"GetProcessHeaps", b"GetProcessId", b"GetProcessIdOfThread", b"GetProcessInformation", b"GetProcessIoCounters", b"GetProcessMitigationPolicy", b"GetProcessPreferredUILanguages", b"GetProcessPriorityBoost", 
b"GetProcessShutdownParameters", b"GetProcessTimes", b"GetProcessUserModeExceptionPolicy", b"GetProcessVersion", b"GetProcessWorkingSetSize", b"GetProcessWorkingSetSizeEx", b"GetProcessorSystemCycleTime", b"GetProductInfo", b"GetProductName", b"GetProfileIntA", b"GetProfileIntW", b"GetProfileSectionA", b"GetProfileSectionW", b"GetProfileStringA", b"GetProfileStringW", b"GetQueuedCompletionStatus", b"GetQueuedCompletionStatusEx", b"GetRoamingLastObservedChangeTime", b"GetSLCallbackTarget", b"GetSLCallbackTemplate", b"GetSerializedAtomBytes", b"GetShortPathNameA", b"GetShortPathNameW", b"GetStagedPackagePathByFullName", b"GetStartupInfoA", b"GetStartupInfoW", b"GetStateContainerDepth", b"GetStateFolder", b"GetStateRootFolder", b"GetStateSettingsFolder", b"GetStateVersion", b"GetStdHandle", b"GetStringScripts", b"GetStringTypeA", b"GetStringTypeExA", b"GetStringTypeExW", b"GetStringTypeW", b"GetSystemAppDataFolder", b"GetSystemAppDataKey", b"GetSystemCpuSetInformation", b"GetSystemDEPPolicy", b"GetSystemDefaultLCID", b"GetSystemDefaultLangID", b"GetSystemDefaultLocaleName", b"GetSystemDefaultUILanguage", b"GetSystemDirectoryA", b"GetSystemDirectoryW", b"GetSystemFileCacheSize", b"GetSystemFirmwareTable", b"GetSystemInfo", b"GetSystemPowerStatus", b"GetSystemPreferredUILanguages", b"GetSystemRegistryQuota", b"GetSystemTime", b"GetSystemTimeAdjustment", b"GetSystemTimeAsFileTime", b"GetSystemTimePreciseAsFileTime", b"GetSystemTimes", b"GetSystemWindowsDirectoryA", b"GetSystemWindowsDirectoryW", b"GetSystemWow64DirectoryA", b"GetSystemWow64DirectoryW", b"GetTapeParameters", b"GetTapePosition", b"GetTapeStatus", b"GetTempFileNameA", b"GetTempFileNameW", b"GetTempPathA", b"GetTempPathW", b"GetThreadContext", b"GetThreadErrorMode", b"GetThreadGroupAffinity", b"GetThreadIOPendingFlag", b"GetThreadId", b"GetThreadIdealProcessorEx", b"GetThreadInformation", b"GetThreadLocale", b"GetThreadPreferredUILanguages", b"GetThreadPriority", b"GetThreadPriorityBoost", 
b"GetThreadSelectedCpuSets", b"GetThreadSelectorEntry", b"GetThreadTimes", b"GetThreadUILanguage", b"GetThunkBuff", b"GetThunkStuff", b"GetTickCount", b"GetTickCount64", b"GetTimeFormatA", b"GetTimeFormatAWorker", b"GetTimeFormatEx", b"GetTimeFormatW", b"GetTimeFormatWWorker", b"GetTimeZoneInformation", b"GetTimeZoneInformationForYear", b"GetUILanguageInfo", b"GetUmsCompletionListEvent", b"GetUmsSystemThreadInformation", b"GetUserDefaultLCID", b"GetUserDefaultLangID", b"GetUserDefaultLocaleName", b"GetUserDefaultUILanguage", b"GetUserGeoID", b"GetUserPreferredUILanguages", b"GetVDMCurrentDirectories", b"GetVersion", b"GetVersionExA", b"GetVersionExW", b"GetVolumeInformationA", b"GetVolumeInformationByHandleW", b"GetVolumeInformationW", b"GetVolumeNameForVolumeMountPointA", b"GetVolumeNameForVolumeMountPointW", b"GetVolumePathNameA", b"GetVolumePathNameW", b"GetVolumePathNamesForVolumeNameA", b"GetVolumePathNamesForVolumeNameW", b"GetWin16DOSEnv", b"GetWindowsDirectoryA", b"GetWindowsDirectoryW", b"GetWriteWatch", b"GetXStateFeaturesMask", b"GetpWin16Lock", b"GlobalAddAtomA", b"GlobalAddAtomExA", b"GlobalAddAtomExW", b"GlobalAddAtomW", b"GlobalAlloc", b"GlobalAlloc16", b"GlobalCompact", b"GlobalDeleteAtom", b"GlobalFindAtomA", b"GlobalFindAtomW", b"GlobalFix", b"GlobalFix16", b"GlobalFlags", b"GlobalFree", b"GlobalFree16", b"GlobalGetAtomNameA", b"GlobalGetAtomNameW", b"GlobalHandle", b"GlobalLock", b"GlobalLock16", b"GlobalMemoryStatus", b"GlobalMemoryStatusEx", b"GlobalReAlloc", b"GlobalSize", b"GlobalSize16", b"GlobalUnWire", b"GlobalUnWire16", b"GlobalUnfix", b"GlobalUnfix16", b"GlobalUnlock", b"GlobalUnlock16", b"GlobalWire", b"GlobalWire16", b"Heap32First", b"Heap32ListFirst", b"Heap32ListNext", b"Heap32Next", b"HeapAlloc", b"HeapCompact", b"HeapCreate", b"HeapCreateTagsW", b"HeapDestroy", b"HeapExtend", b"HeapFree", b"HeapLock", b"HeapQueryInformation", b"HeapQueryTagW", b"HeapReAlloc", b"HeapSetFlags", b"HeapSetInformation", b"HeapSize", b"HeapSummary", 
b"HeapUnlock", b"HeapUsage", b"HeapValidate", b"HeapWalk", b"HouseCleanLogicallyDeadHandles", b"IdnToAscii", b"IdnToNameprepUnicode", b"IdnToUnicode", b"InitAtomTable", b"InitOnceBeginInitialize", b"InitOnceComplete", b"InitOnceExecuteOnce", b"InitOnceInitialize", b"InitializeConditionVariable", b"InitializeContext", b"InitializeCriticalSection", b"InitializeCriticalSectionAndSpinCount", b"InitializeCriticalSectionEx", b"InitializeExtendedContext", b"InitializeProcThreadAttributeList", b"InitializeSListHead", b"InitializeSRWLock", b"InitializeSynchronizationBarrier", b"InstallELAMCertificateInfo", b"InterlockedCompareExchange", b"InterlockedCompareExchange64", b"InterlockedDecrement", b"InterlockedExchange", b"InterlockedExchangeAdd", b"InterlockedFlushSList", b"InterlockedIncrement", b"InterlockedPopEntrySList", b"InterlockedPushEntrySList", b"InterlockedPushListSList", b"InterlockedPushListSListEx", b"InvalidateConsoleDIBits", b"InvalidateNLSCache", b"IsBadCodePtr", b"IsBadHugeReadPtr", b"IsBadHugeWritePtr", b"IsBadReadPtr", b"IsBadStringPtrA", b"IsBadStringPtrW", b"IsBadWritePtr", b"IsCalendarLeapDay", b"IsCalendarLeapMonth", b"IsCalendarLeapYear", b"IsDBCSLeadByte", b"IsDBCSLeadByteEx", b"IsDebuggerPresent", b"IsLSCallback", b"IsNLSDefinedString", b"IsNativeVhdBoot", b"IsNormalizedString", b"IsProcessCritical", b"IsProcessInJob", b"IsProcessorFeaturePresent", b"IsSLCallback", b"IsSystemResumeAutomatic", b"IsThreadAFiber", b"IsThreadId", b"IsThreadpoolTimerSet", b"IsTimeZoneRedirectionEnabled", b"IsValidCalDateTime", b"IsValidCodePage", b"IsValidLanguageGroup", b"IsValidLocale", b"IsValidLocaleName", b"IsValidNLSVersion", b"IsValidUILanguage", b"IsWow64Process", b"K32EmptyWorkingSet", b"K32EnumDeviceDrivers", b"K32EnumPageFilesA", b"K32EnumPageFilesW", b"K32EnumProcessModules", b"K32EnumProcessModulesEx", b"K32EnumProcesses", b"K32GetDeviceDriverBaseNameA", b"K32GetDeviceDriverBaseNameW", b"K32GetDeviceDriverFileNameA", b"K32GetDeviceDriverFileNameW", 
b"K32GetMappedFileNameA", b"K32GetMappedFileNameW", b"K32GetModuleBaseNameA", b"K32GetModuleBaseNameW", b"K32GetModuleFileNameExA", b"K32GetModuleFileNameExW", b"K32GetModuleInformation", b"K32GetPerformanceInfo", b"K32GetProcessImageFileNameA", b"K32GetProcessImageFileNameW", b"K32GetProcessMemoryInfo", b"K32GetWsChanges", b"K32GetWsChangesEx", b"K32InitializeProcessForWsWatch", b"K32QueryWorkingSet", b"K32QueryWorkingSetEx", b"K32Thk1632Epilog", b"K32Thk1632Prolog", b"K32_NtCreateFile", b"K32_RtlNtStatusToDosError", b"LCIDToLocaleName", b"LCMapStringA", b"LCMapStringEx", b"LCMapStringW", b"LZClose", b"LZCloseFile", b"LZCopy", b"LZCreateFileW", b"LZDone", b"LZInit", b"LZOpenFileA", b"LZOpenFileW", b"LZRead", b"LZSeek", b"LZStart", b"LeaveCriticalSection", b"LeaveCriticalSectionWhenCallbackReturns", b"LoadAppInitDlls", b"LoadLibrary16", b"LoadLibraryA", b"LoadLibraryExA", b"LoadLibraryExW", b"LoadLibraryW", b"LoadModule", b"LoadPackagedLibrary", b"LoadResource", b"LoadStringBaseExW", b"LoadStringBaseW", b"LocalAlloc", b"LocalCompact", b"LocalFileTimeToFileTime", b"LocalFlags", b"LocalFree", b"LocalHandle", b"LocalLock", b"LocalReAlloc", b"LocalShrink", b"LocalSize", b"LocalUnlock", b"LocaleNameToLCID", b"LocateExtendedFeature", b"LocateLegacyContext", b"LocateXStateFeature", b"LockFile", b"LockFileEx", b"LockResource", b"LogApiThkLSF", b"LogApiThkSL", b"LogCBThkSL", b"MakeCriticalSectionGlobal", b"MapHInstLS", b"MapHInstLS_PN", b"MapHInstSL", b"MapHInstSL_PN", b"MapHModuleLS", b"MapHModuleSL", b"MapSL", b"MapSLFix", b"MapUserPhysicalPages", b"MapUserPhysicalPagesScatter", b"MapViewOfFile", b"MapViewOfFileEx", b"MapViewOfFileExNuma", b"MapViewOfFileFromApp", b"Module32First", b"Module32FirstW", b"Module32Next", b"Module32NextW", b"MoveFileA", b"MoveFileExA", b"MoveFileExW", b"MoveFileTransactedA", b"MoveFileTransactedW", b"MoveFileW", b"MoveFileWithProgressA", b"MoveFileWithProgressW", b"MulDiv", b"MultiByteToWideChar", b"NeedCurrentDirectoryForExePathA", 
b"NeedCurrentDirectoryForExePathW", b"NlsCheckPolicy", b"NlsConvertIntegerToString", b"NlsEventDataDescCreate", b"NlsGetCacheUpdateCount", b"NlsResetProcessLocale", b"NlsUpdateLocale", b"NlsUpdateSystemLocale", b"NlsWriteEtwEvent", b"NormalizeString", b"NotifyMountMgr", b"NotifyNLSUserCache", b"NotifyUILanguageChange", b"NtVdm64CreateProcessInternalW", b"NumaVirtualQueryNode", b"OOBEComplete", b"OT_32ThkLSF", b"OfferVirtualMemory", b"OpenConsoleW", b"OpenConsoleWStub", b"OpenDataFile", b"OpenEventA", b"OpenEventW", b"OpenFile", b"OpenFileById", b"OpenFileMappingA", b"OpenFileMappingW", b"OpenJobObjectA", b"OpenJobObjectW", b"OpenMutexA", b"OpenMutexW", b"OpenPackageInfoByFullName", b"OpenPrivateNamespaceA", b"OpenPrivateNamespaceW", b"OpenProcess", b"OpenProcessToken", b"OpenProfileUserMapping", b"OpenSemaphoreA", b"OpenSemaphoreW", b"OpenState", b"OpenStateAtom", b"OpenStateExplicit", b"OpenThread", b"OpenThreadToken", b"OpenVxDHandle", b"OpenWaitableTimerA", b"OpenWaitableTimerW", b"OutputDebugStringA", b"OutputDebugStringW", b"OverrideRoamingDataModificationTimesInRange", b"PK16FNF", b"PackageFamilyNameFromFullName", b"PackageFamilyNameFromId", b"PackageFullNameFromId", b"PackageIdFromFullName", b"PackageNameAndPublisherIdFromFamilyName", b"ParseApplicationUserModelId", b"PeekConsoleInputA", b"PeekConsoleInputW", b"PeekNamedPipe", b"PostQueuedCompletionStatus", b"PowerClearRequest", b"PowerCreateRequest", b"PowerSetRequest", b"PrefetchVirtualMemory", b"PrepareTape", b"PrivCopyFileExW", b"PrivMoveFileIdentityW", b"Process32First", b"Process32FirstW", b"Process32Next", b"Process32NextW", b"ProcessIdToSessionId", b"PssCaptureSnapshot", b"PssDuplicateSnapshot", b"PssFreeSnapshot", b"PssQuerySnapshot", b"PssWalkMarkerCreate", b"PssWalkMarkerFree", b"PssWalkMarkerGetPosition", b"PssWalkMarkerRewind", b"PssWalkMarkerSeek", b"PssWalkMarkerSeekToBeginning", b"PssWalkMarkerSetPosition", b"PssWalkMarkerTell", b"PssWalkSnapshot", b"PublishStateChangeNotification", 
b"PulseEvent", b"PurgeComm", b"QT_Thunk", b"QT_ThunkPrime", b"QueryActCtxSettingsW", b"QueryActCtxSettingsWWorker", b"QueryActCtxW", b"QueryActCtxWWorker", b"QueryDepthSList", b"QueryDosDeviceA", b"QueryDosDeviceW", b"QueryFullProcessImageNameA", b"QueryFullProcessImageNameW", b"QueryIdleProcessorCycleTime", b"QueryIdleProcessorCycleTimeEx", b"QueryInformationJobObject", b"QueryIoRateControlInformationJobObject", b"QueryMemoryResourceNotification", b"QueryNumberOfEventLogRecords", b"QueryOldestEventLogRecord", b"QueryPerformanceCounter", b"QueryPerformanceFrequency", b"QueryProcessAffinityUpdateMode", b"QueryProcessCycleTime", b"QueryProtectedPolicy", b"QueryStateAtomValueInfo", b"QueryStateContainerItemInfo", b"QueryThreadCycleTime", b"QueryThreadProfiling", b"QueryThreadpoolStackInformation", b"QueryUmsThreadInformation", b"QueryUnbiasedInterruptTime", b"QueueUserAPC", b"QueueUserWorkItem", b"QueryWin31IniFilesMappedToRegistry", b"QuirkGetData2Worker", b"QuirkGetDataWorker", b"QuirkIsEnabled2Worker", b"QuirkIsEnabled3Worker", b"QuirkIsEnabledForPackage2Worker", b"QuirkIsEnabledForPackage3Worker", b"QuirkIsEnabledForPackage4Worker", b"QuirkIsEnabledForPackageWorker", b"QuirkIsEnabledForProcessWorker", b"QuirkIsEnabledWorker", b"RPCHACKORAMA", b"RaiseException", b"RaiseFailFastException", b"RaiseInvalid16BitExeError", b"ReOpenFile", b"ReadConsoleA", b"ReadConsoleInputA", b"ReadConsoleInputExA", b"ReadConsoleInputExW", b"ReadConsoleInputW", b"ReadConsoleOutputA", b"ReadConsoleOutputAttribute", b"ReadConsoleOutputCharacterA", b"ReadConsoleOutputCharacterW", b"ReadConsoleOutputW", b"ReadConsoleW", b"ReadDirectoryChangesW", b"ReadFile", b"ReadFileEx", b"ReadFileScatter", b"ReadProcessMemory", b"ReadStateAtomValue", b"ReadStateContainerValue", b"ReadThreadProfilingData", b"ReclaimVirtualMemory", b"RefreshDaylightInformation", b"RegCloseKey", b"RegCopyTreeW", b"RegCreateKeyExA", b"RegCreateKeyExW", b"RegDeleteKeyExA", b"RegDeleteKeyExW", b"RegDeleteTreeA", 
b"RegDeleteTreeW", b"RegDeleteValueA", b"RegDeleteValueW", b"RegDisablePredefinedCacheEx", b"RegEnumKeyExA", b"RegEnumKeyExW", b"RegEnumValueA", b"RegEnumValueW", b"RegFlushKey", b"RegGetKeySecurity", b"RegGetValueA", b"RegGetValueW", b"RegKrnGetGlobalState", b"RegKrnInitialize", b"RegLoadKeyA", b"RegLoadKeyW", b"RegLoadMUIStringA", b"RegLoadMUIStringW", b"RegNotifyChangeKeyValue", b"RegOpenCurrentUser", b"RegOpenKeyExA", b"RegOpenKeyExW", b"RegOpenUserClassesRoot", b"RegQueryInfoKeyA", b"RegQueryInfoKeyW", b"RegQueryValueExA", b"RegQueryValueExW", b"RegRestoreKeyA", b"RegRestoreKeyW", b"RegSaveKeyExA", b"RegSaveKeyExW", b"RegSetKeySecurity", b"RegSetValueExA", b"RegSetValueExW", b"RegUnLoadKeyA", b"RegUnLoadKeyW", b"RegisterApplicationRecoveryCallback", b"RegisterApplicationRestart", b"RegisterBadMemoryNotification", b"RegisterConsoleIME", b"RegisterConsoleOS2", b"RegisterConsoleVDM", b"NT", b"RegisterServiceProcess", b"RegisterStateChangeNotification", b"RegisterStateLock", b"RegisterSysMsgHandler", b"RegisterWaitForInputIdle", b"RegisterWaitForSingleObject", b"RegisterWaitForSingleObjectEx", b"RegisterWaitUntilOOBECompleted", b"RegisterWowBaseHandlers", b"RegisterWowExec", b"ReinitializeCriticalSection", b"ReleaseActCtx", b"ReleaseActCtxWorker", b"ReleaseMutex", b"ReleaseMutexWhenCallbackReturns", b"ReleaseSRWLockExclusive", b"ReleaseSRWLockShared", b"ReleaseSemaphore", b"ReleaseSemaphoreWhenCallbackReturns", b"ReleaseStateLock", b"ReleaseThunkLock", b"RemoveDirectoryA", b"RemoveDirectoryTransactedA", b"RemoveDirectoryTransactedW", b"RemoveDirectoryW", b"RemoveDllDirectory", b"RemoveLocalAlternateComputerNameA", b"RemoveLocalAlternateComputerNameW", b"RemoveSecureMemoryCacheCallback", b"RemoveVectoredContinueHandler", b"RemoveVectoredExceptionHandler", b"ReplaceFile", b"ReplaceFileA", b"ReplaceFileW", b"ReplacePartitionUnit", b"RequestDeviceWakeup", b"RequestWakeupLatency", b"ResetEvent", b"ResetNLSUserInfoCache", b"ResetState", b"ResetWriteWatch", 
b"ResolveDelayLoadedAPI", b"ResolveDelayLoadsFromDll", b"ResolveLocaleName", b"RestoreLastError", b"RestoreThunkLock", b"ResumeThread", b"RtlAddFunctionTable", b"RtlCaptureContext", b"RtlCaptureStackBackTrace", b"RtlCompareMemory", b"RtlCopyMemory", b"RtlConvertLongToLargeInteger", b"RtlConvertUlongToLargeInteger", b"RtlDeleteFunctionTable", b"RtlEnlargedIntegerDivide", b"RtlEnlargedIntegerMultiply", b"RtlEnlargedUnsignedDivide", b"RtlEnlargedUnsignedMultiply", b"RtlExtendedIntegerMultiply", b"RtlExtendedMagicDivide", b"RtlFillMemory", b"RtlInstallFunctionTableCallback", b"RtlLargeIntegerAdd", b"RtlLargeIntegerArithmeticShift", b"RtlLargeIntegerNegate", b"RtlLargeIntegerShiftLeft", b"RtlLargeIntegerShiftRight", b"RtlLargeIntegerSubtract", b"RtlLookupFunctionEntry", b"RtlMoveMemory", b"RtlPcToFileHeader", b"RtlRaiseException", b"RtlRestoreContext", b"RtlUnwind", b"RtlUnwindEx", b"RtlVirtualUnwind", b"RtlZeroMemory", b"SMapLS", b"SMapLS_IP_EBP_12", b"SMapLS_IP_EBP_16", b"SMapLS_IP_EBP_20", b"SMapLS_IP_EBP_24", b"SMapLS_IP_EBP_28", b"SMapLS_IP_EBP_32", b"SMapLS_IP_EBP_36", b"SMapLS_IP_EBP_40", b"SMapLS_IP_EBP_8", b"SSCall", b"SSOnBigStack", b"SUnMapLS", b"SUnMapLS_IP_EBP_12", b"SUnMapLS_IP_EBP_16", b"SUnMapLS_IP_EBP_20", b"SUnMapLS_IP_EBP_24", b"SUnMapLS_IP_EBP_28", b"SUnMapLS_IP_EBP_32", b"SUnMapLS_IP_EBP_36", b"SUnMapLS_IP_EBP_40", b"SUnMapLS_IP_EBP_8", b"ScrollConsoleScreenBufferA", b"ScrollConsoleScreenBufferW", b"SearchPathA", b"SearchPathW", b"SetCPGlobal", b"SetCachedSigningLevel", b"SetCalendarInfoA", b"SetCalendarInfoW", b"SetClientTimeZoneInformation", b"SetComPlusPackageInstallStatus", b"SetCommBreak", b"SetCommConfig", b"SetCommMask", b"SetCommState", b"SetCommTimeouts", b"SetComputerNameA", b"SetComputerNameEx2W", b"SetComputerNameExA", b"SetComputerNameExW", b"SetComputerNameW", b"SetConsoleActiveScreenBuffer", b"SetConsoleCP", b"SetConsoleCommandHistoryMode", b"SetConsoleCtrlHandler", b"SetConsoleCursor", b"SetConsoleCursorInfo", 
b"SetConsoleCursorMode", b"SetConsoleCursorPosition", b"SetConsoleDisplayMode", b"SetConsoleFont", b"SetConsoleHardwareState", b"SetConsoleHistoryInfo", b"SetConsoleIcon", b"SetConsoleInputExeNameA", b"SetConsoleInputExeNameW", b"SetConsoleKeyShortcuts", b"SetConsoleLocalEUDC", b"SetConsoleMaximumWindowSize", b"SetConsoleMenuClose", b"SetConsoleMode", b"SetConsoleNlsMode", b"SetConsoleNumberOfCommandsA", b"SetConsoleNumberOfCommandsW", b"SetConsoleOS2OemFormat", b"SetConsoleOutputCP", b"SetConsolePalette", b"SetConsoleScreenBufferInfoEx", b"SetConsoleScreenBufferSize", b"SetConsoleTextAttribute", b"SetConsoleTitleA", b"SetConsoleTitleW", b"SetConsoleWindowInfo", b"SetCriticalSectionSpinCount", b"SetCurrentConsoleFontEx", b"SetCurrentDirectoryA", b"SetCurrentDirectoryW", b"SetDaylightFlag", b"SetDefaultCommConfigA", b"SetDefaultCommConfigW", b"SetDefaultDllDirectories", b"SetDllDirectoryA", b"SetDllDirectoryW", b"SetDynamicTimeZoneInformation", b"SetEndOfFile", b"SetEnvironmentStringsA", b"SetEnvironmentStringsW", b"SetEnvironmentVariableA", b"SetEnvironmentVariableW", b"SetErrorMode", b"SetEvent", b"SetEventWhenCallbackReturns", b"SetExtendedFeaturesMask", b"SetFileApisToANSI", b"SetFileApisToOEM", b"SetFileAttributesA", b"SetFileAttributesTransactedA", b"SetFileAttributesTransactedW", b"SetFileAttributesW", b"SetFileBandwidthReservation", b"SetFileCompletionNotificationModes", b"SetFileInformationByHandle", b"SetFileIoOverlappedRange", b"SetFilePointer", b"SetFilePointerEx", b"SetFileShortNameA", b"SetFileShortNameW", b"SetFileTime", b"SetFileValidData", b"SetFirmwareEnvironmentVariableA", b"SetFirmwareEnvironmentVariableExA", b"SetFirmwareEnvironmentVariableExW", b"SetFirmwareEnvironmentVariableW", b"SetHandleContext", b"SetHandleCount", b"SetHandleInformation", b"SetInformationJobObject", b"SetIoRateControlInformationJobObject", b"SetLastConsoleEventActive", b"SetLastError", b"SetLocalPrimaryComputerNameA", b"SetLocalPrimaryComputerNameW", b"SetLocalTime", 
b"SetLocaleInfoA", b"SetLocaleInfoW", b"SetMailslotInfo", b"SetMessageWaitingIndicator", b"SetNamedPipeAttribute", b"SetNamedPipeHandleState", b"SetPriorityClass", b"SetProcessAffinityMask", b"SetProcessAffinityUpdateMode", b"SetProcessDEPPolicy", b"SetProcessDefaultCpuSets", b"SetProcessInformation", b"SetProcessMitigationPolicy", b"SetProcessPreferredUILanguages", b"SetProcessPriorityBoost", b"SetProcessShutdownParameters", b"SetProcessUserModeExceptionPolicy", b"SetProcessWorkingSetSize", b"SetProcessWorkingSetSizeEx", b"SetProtectedPolicy", b"SetRoamingLastObservedChangeTime", b"SetSearchPathMode", b"SetStateVersion", b"SetStdHandle", b"SetStdHandleEx", b"SetSystemFileCacheSize", b"SetSystemPowerState", b"SetSystemTime", b"SetSystemTimeAdjustment", b"SetTapeParameters", b"SetTapePosition", b"SetTaskmonControl", b"SetTermsrvAppInstallMode", b"SetThreadAffinityMask", b"SetThreadContext", b"SetThreadErrorMode", b"SetThreadExecutionState", b"SetThreadGroupAffinity", b"SetThreadIdealProcessor", b"SetThreadIdealProcessorEx", b"SetThreadInformation", b"SetThreadLocale", b"SetThreadPreferredUILanguages", b"SetThreadPriority", b"SetThreadPriorityBoost", b"SetThreadSelectedCpuSets", b"SetThreadStackGuarantee", b"SetThreadToken", b"SetThreadUILanguage", b"SetThreadpoolStackInformation", b"SetThreadpoolThreadMaximum", b"SetThreadpoolThreadMinimum", b"SetThreadpoolTimer", b"SetThreadpoolTimerEx", b"SetThreadpoolWait", b"SetThreadpoolWaitEx", b"SetTimeZoneInformation", b"SetTimerQueueTimer", b"SetUmsThreadInformation", b"SetUnhandledExceptionFilter", b"SetUserGeoID", b"SetVDMCurrentDirectories", b"SetVolumeLabelA", b"SetVolumeLabelW", b"SetVolumeMountPointA", b"SetVolumeMountPointW", b"SetVolumeMountPointWStub", b"SetWaitableTimer", b"SetWaitableTimerEx", b"SetXStateFeaturesMask", b"SetupComm", b"ShowConsoleCursor", b"SignalObjectAndWait", b"SignalSysMsgHandlers", b"SizeofResource", b"Sleep", b"SleepConditionVariableCS", b"SleepConditionVariableSRW", b"SleepEx", 
b"SortCloseHandle", b"SortGetHandle", b"StartThreadpoolIo", b"SubmitThreadpoolWork", b"SubscribeStateChangeNotification", b"SuspendThread", b"SwitchToFiber", b"SwitchToThread", b"SystemTimeToFileTime", b"SystemTimeToTzSpecificLocalTime", b"SystemTimeToTzSpecificLocalTimeEx", b"TerminateJobObject", b"TerminateProcess", b"TerminateThread", b"TerminateThreadEx", b"TermsrvAppInstallMode", b"TermsrvConvertSysRootToUserDir", b"TermsrvCreateRegEntry", b"TermsrvDeleteKey", b"TermsrvDeleteValue", b"TermsrvGetPreSetValue", b"TermsrvGetWindowsDirectoryA", b"TermsrvGetWindowsDirectoryW", b"TermsrvOpenRegEntry", b"TermsrvOpenUserClasses", b"TermsrvRestoreKey", b"TermsrvSetKeySecurity", b"TermsrvSetValueKey", b"TermsrvSyncUserIniFileExt", b"Thread32First", b"Thread32Next", b"ThunkConnect32", b"ThunkConnect32NonLocking", b"ThunkInitLS", b"ThunkInitLSF", b"ThunkInitSL", b"ThunkTheTemplateHandle", b"TlsAlloc", b"TlsAllocGlobal", b"TlsAllocInternal", b"TlsFree", b"TlsFreeGlobal", b"TlsFreeInternal", b"TlsGetValue", b"TlsSetValue", b"Toolhelp32ReadProcessMemory", b"TransactNamedPipe", b"TransmitCommChar", b"TrimVirtualBuffer", b"TryAcquireSRWLockExclusive", b"TryAcquireSRWLockShared", b"TryEnterCriticalSection", b"TrySubmitThreadpoolCallback", b"TzSpecificLocalTimeToSystemTime", b"TzSpecificLocalTimeToSystemTimeEx", b"UTRegister", b"UTUnRegister", b"UmsThreadYield", b"UnMapLS", b"UnMapLSFixArray", b"UnhandledExceptionFilter", b"UninitializeCriticalSection", b"UnlockFile", b"UnlockFileEx", b"UnmapViewOfFile", b"UnmapViewOfFileEx", b"UnregisterApplicationRecoveryCallback", b"UnregisterApplicationRestart", b"UnregisterBadMemoryNotification", b"UnregisterConsoleIME", b"UnregisterStateChangeNotification", b"UnregisterStateLock", b"UnregisterWait", b"UnregisterWaitEx", b"UnregisterWaitUntilOOBECompleted", b"UnsubscribeStateChangeNotification", b"UpdateCalendarDayOfWeek", b"UpdateProcThreadAttribute", b"UpdateResourceA", b"UpdateResourceW", b"VDMConsoleOperation", b"VDMOperationStarted", 
b"ValidateLCType", b"ValidateLocale", b"VerLanguageNameA", b"VerLanguageNameW", b"VerSetConditionMask", b"VerifyConsoleIoHandle", b"VerifyScripts", b"VerifyVersionInfoA", b"VerifyVersionInfoW", b"VirtualAlloc", b"VirtualAllocEx", b"VirtualAllocExNuma", b"VirtualBufferExceptionHandler", b"VirtualFree", b"VirtualFreeEx", b"VirtualLock", b"VirtualProtect", b"VirtualProtectEx", b"VirtualQuery", b"VirtualQueryEx", b"VirtualUnlock", b"W32S_BackTo32", b"WOWCallback16", b"WOWCallback16Ex", b"WOWDirectedYield16", b"WOWGetDescriptor", b"WOWGetVDMPointer", b"WOWGetVDMPointerFix", b"WOWGetVDMPointerUnfix", b"WOWGlobalAlloc16", b"WOWGlobalAllocLock16", b"WOWGlobalFree16", b"WOWGlobalLock16", b"WOWGlobalLockSize16", b"WOWGlobalUnlock16", b"WOWGlobalUnlockFree16", b"WOWHandle16", b"WOWHandle32", b"WOWYield16", b"WTSGetActiveConsoleSessionId", b"WaitCommEvent", b"WaitForDebugEvent", b"WaitForDebugEventEx", b"WaitForMultipleObjects", b"WaitForMultipleObjectsEx", b"WaitForSingleObject", b"WaitForSingleObjectEx", b"WaitForThreadpoolIoCallbacks", b"WaitForThreadpoolTimerCallbacks", b"WaitForThreadpoolWaitCallbacks", b"WaitForThreadpoolWorkCallbacks", b"WaitNamedPipeA", b"WaitNamedPipeW", b"WakeAllConditionVariable", b"WakeConditionVariable", b"WerGetFlags", b"WerGetFlagsWorker", b"WerRegisterFile", b"WerRegisterFileWorker", b"WerRegisterMemoryBlock", b"WerRegisterMemoryBlockWorker", b"WerRegisterRuntimeExceptionModule", b"WerRegisterRuntimeExceptionModuleWorker", b"WerSetFlags", b"WerSetFlagsWorker", b"WerUnregisterFile", b"WerUnregisterFileWorker", b"WerUnregisterMemoryBlock", b"WerUnregisterMemoryBlockWorker", b"WerUnregisterRuntimeExceptionModule", b"WerUnregisterRuntimeExceptionModuleWorker", b"WerpCleanupMessageMapping", b"WerpGetDebugger", b"WerpInitiateRemoteRecovery", b"WerpLaunchAeDebug", b"WerpNotifyLoadStringResource", b"WerpNotifyLoadStringResourceEx", b"WerpNotifyLoadStringResourceWorker", b"WerpNotifyUseStringResource", b"WerpNotifyUseStringResourceWorker", 
b"WerpStringLookup", b"WideCharToMultiByte", b"Win32HandleToDosFileHandle", b"WinExec", b"Wow64DisableWow64FsRedirection", b"Wow64EnableWow64FsRedirection", b"Wow64GetThreadContext", b"Wow64GetThreadSelectorEntry", b"Wow64RevertWow64FsRedirection", b"Wow64SetThreadContext", b"Wow64SuspendThread", b"WriteConsoleA", b"WriteConsoleInputA", b"WriteConsoleInputVDMA", b"WriteConsoleInputVDMW", b"WriteConsoleInputW", b"WriteConsoleOutputA", b"WriteConsoleOutputAttribute", b"WriteConsoleOutputCharacterA", b"WriteConsoleOutputCharacterW", b"WriteConsoleOutputW", b"WriteConsoleW", b"WriteFile", b"WriteFileEx", b"WriteFileGather", b"WritePrivateProfileSectionA", b"WritePrivateProfileSectionW", b"WritePrivateProfileStringA", b"WritePrivateProfileStringW", b"WritePrivateProfileStructA", b"WritePrivateProfileStructW", b"WriteProcessMemory", b"WriteProfileSectionA", b"WriteProfileSectionW", b"WriteProfileStringA", b"WriteProfileStringW", b"WriteStateAtomValue", b"WriteStateContainerValue", b"WriteTapemark", b"ZombifyActCtx", b"ZombifyActCtxWorker ",] 20 | 21 | advapi32_funcs = [ 22 | b"A_SHAFinal", b"A_SHAInit", b"A_SHAUpdate", b"AbortSystemShutdownA", b"AbortSystemShutdownW", b"AccessCheck", b"AccessCheckAndAuditAlarmA", b"AccessCheckAndAuditAlarmW", b"AccessCheckByType", b"AccessCheckByTypeAndAuditAlarmA", b"AccessCheckByTypeAndAuditAlarmW", b"AccessCheckByTypeResultList", b"AccessCheckByTypeResultListAndAuditAlarmA", b"AccessCheckByTypeResultListAndAuditAlarmByHandleA", b"AccessCheckByTypeResultListAndAuditAlarmByHandleW", b"AccessCheckByTypeResultListAndAuditAlarmW", b"AddAccessAllowedAce", b"AddAccessAllowedAceEx", b"AddAccessAllowedObjectAce", b"AddAccessDeniedAce", b"AddAccessDeniedAceEx", b"AddAccessDeniedObjectAce", b"AddAce", b"AddAuditAccessAce", b"AddAuditAccessAceEx", b"AddAuditAccessObjectAce", b"AddConditionalAce", b"AddMandatoryAce", b"AddUsersToEncryptedFile", b"AddUsersToEncryptedFileEx", b"AdjustTokenGroups", b"AdjustTokenPrivileges", 
b"AllocateAndInitializeSid", b"AllocateLocallyUniqueId", b"AreAllAccessesGranted", b"AreAnyAccessesGranted", b"AuditComputeEffectivePolicyBySid", b"AuditComputeEffectivePolicyByToken", b"AuditEnumerateCategories", b"AuditEnumeratePerUserPolicy", b"AuditEnumerateSubCategories", b"AuditFree", b"AuditLookupCategoryGuidFromCategoryId", b"AuditLookupCategoryIdFromCategoryGuid", b"AuditLookupCategoryNameA", b"AuditLookupCategoryNameW", b"AuditLookupSubCategoryNameA", b"AuditLookupSubCategoryNameW", b"AuditQueryGlobalSaclA", b"AuditQueryGlobalSaclW", b"AuditQueryPerUserPolicy", b"AuditQuerySecurity", b"AuditQuerySystemPolicy", b"AuditSetGlobalSaclA", b"AuditSetGlobalSaclW", b"AuditSetPerUserPolicy", b"AuditSetSecurity", b"AuditSetSystemPolicy", b"BackupEventLogA", b"BackupEventLogW", b"BaseRegCloseKey", b"BaseRegCreateKey", b"BaseRegDeleteKeyEx", b"BaseRegDeleteValue", b"BaseRegFlushKey", b"BaseRegGetVersion", b"BaseRegLoadKey", b"BaseRegOpenKey", b"BaseRegRestoreKey", b"BaseRegSaveKeyEx", b"BaseRegSetKeySecurity", b"BaseRegSetValue", b"BaseRegUnLoadKey", b"BuildAccessRequestA", b"BuildAccessRequestW", b"BuildExplicitAccessWithNameA", b"BuildExplicitAccessWithNameW", b"BuildImpersonateExplicitAccessWithNameA", b"BuildImpersonateExplicitAccessWithNameW", b"BuildImpersonateTrusteeA", b"BuildImpersonateTrusteeW", b"BuildSecurityDescriptorA", b"BuildSecurityDescriptorW", b"BuildTrusteeWithNameA", b"BuildTrusteeWithNameW", b"BuildTrusteeWithObjectsAndNameA", b"BuildTrusteeWithObjectsAndNameW", b"BuildTrusteeWithObjectsAndSidA", b"BuildTrusteeWithObjectsAndSidW", b"BuildTrusteeWithSidA", b"BuildTrusteeWithSidW", b"CancelOverlappedAccess", b"ChangeServiceConfig2A", b"ChangeServiceConfig2W", b"ChangeServiceConfigA", b"ChangeServiceConfigW", b"CheckAppInitBlockedServiceIdentity", b"CheckForHiberboot", b"CheckTokenMembership", b"ClearEventLogA", b"ClearEventLogW", b"CloseCodeAuthzLevel", b"CloseEncryptedFileRaw", b"CloseEventLog", b"CloseServiceHandle", 
b"CloseThreadWaitChainSession", b"CloseTrace", b"CommandLineFromMsiDescriptor", b"ComputeAccessTokenFromCodeAuthzLevel", b"ControlService", b"ControlServiceExA", b"ControlServiceExW", b"ControlTraceA", b"ControlTraceW", b"ConvertAccessToSecurityDescriptorA", b"ConvertAccessToSecurityDescriptorW", b"ConvertSDToStringSDDomainW", b"ConvertSDToStringSDRootDomainA", b"ConvertSDToStringSDRootDomainW", b"ConvertSecurityDescriptorToAccessA", b"ConvertSecurityDescriptorToAccessW", b"ConvertSecurityDescriptorToAccessNamedA", b"ConvertSecurityDescriptorToAccessNamedW", b"ConvertSecurityDescriptorToStringSecurityDescriptorA", b"ConvertSecurityDescriptorToStringSecurityDescriptorW", b"ConvertSidToStringSidA", b"ConvertSidToStringSidW", b"ConvertStringSDToSDDomainA", b"ConvertStringSDToSDDomainW", b"ConvertStringSDToSDRootDomainA", b"ConvertStringSDToSDRootDomainW", b"ConvertStringSecurityDescriptorToSecurityDescriptorA", b"ConvertStringSecurityDescriptorToSecurityDescriptorW", b"ConvertStringSidToSidA", b"ConvertStringSidToSidW", b"ConvertToAutoInheritPrivateObjectSecurity", b"CopySid", b"CreateCodeAuthzLevel", b"CreatePrivateObjectSecurity", b"CreatePrivateObjectSecurityEx", b"CreatePrivateObjectSecurityWithMultipleInheritance", b"CreateProcessAsUserA", b"CreateProcessAsUserSecure", b"CreateProcessAsUserW", b"CreateProcessWithLogonW", b"CreateProcessWithTokenW", b"CreateRestrictedToken", b"CreateServiceA", b"CreateServiceW", b"CreateTraceInstanceId", b"CreateWellKnownSid", b"CredBackupCredentials", b"CredDeleteA", b"CredDeleteW", b"CredEncryptAndMarshalBinaryBlob", b"CredEnumerateA", b"CredEnumerateW", b"CredFindBestCredentialA", b"CredFindBestCredentialW", b"CredFree", b"CredGetSessionTypes", b"CredGetTargetInfoA", b"CredGetTargetInfoW", b"CredIsMarshaledCredentialA", b"CredIsMarshaledCredentialW", b"CredIsProtectedA", b"CredIsProtectedW", b"CredMarshalCredentialA", b"CredMarshalCredentialW", b"CredProfileLoaded", b"CredProfileLoadedEx", b"CredProfileUnloaded", 
b"CredProtectA", b"CredProtectW", b"CredReadA", b"CredReadByTokenHandle", b"CredReadDomainCredentialsA", b"CredReadDomainCredentialsW", b"CredReadW", b"CredRenameA", b"CredRenameW", b"CredRestoreCredentials", b"CredUnmarshalCredentialA", b"CredUnmarshalCredentialW", b"CredUnprotectA", b"CredUnprotectW", b"CredWriteA", b"CredWriteDomainCredentialsA", b"CredWriteDomainCredentialsW", b"CredWriteW", b"CredpConvertCredential", b"CredpConvertOneCredentialSize", b"CredpConvertTargetInfo", b"CredpDecodeCredential", b"CredpEncodeCredential", b"CredpEncodeSecret", b"CryptAcquireContextA", b"CryptAcquireContextW", b"CryptContextAddRef", b"CryptCreateHash", b"CryptDecrypt", b"CryptDeriveKey", b"CryptDestroyHash", b"CryptDestroyKey", b"CryptDuplicateHash", b"CryptDuplicateKey", b"CryptEncrypt", b"CryptEnumProviderTypesA", b"CryptEnumProviderTypesW", b"CryptEnumProvidersA", b"CryptEnumProvidersW", b"CryptExportKey", b"CryptGenKey", b"CryptGenRandom", b"CryptGetDefaultProviderA", b"CryptGetDefaultProviderW", b"CryptGetHashParam", b"CryptGetKeyParam", b"CryptGetLocalKeyLimits", b"CryptGetProvParam", b"CryptGetUserKey", b"CryptHashData", b"CryptHashSessionKey", b"CryptImportKey", b"CryptReleaseContext", b"CryptSetHashParam", b"CryptSetKeyParam", b"CryptSetProvParam", b"CryptSetProviderA", b"CryptSetProviderExA", b"CryptSetProviderExW", b"CryptSetProviderW", b"CryptSignHashA", b"CryptSignHashW", b"CryptVerifySignatureA", b"CryptVerifySignatureW", b"DecryptFileA", b"DecryptFileW", b"DeleteAce", b"DeleteService", b"DenyAccessRightsA", b"DenyAccessRightsW", b"DeregisterEventSource", b"DestroyPrivateObjectSecurity", b"DuplicateEncryptionInfoFile", b"DuplicateToken", b"DuplicateTokenEx", b"ElfBackupEventLogFileA", b"ElfBackupEventLogFileW", b"ElfChangeNotify", b"ElfClearEventLogFileA", b"ElfClearEventLogFileW", b"ElfCloseEventLog", b"ElfDeregisterEventSource", b"ElfFlushEventLog", b"5.0", b"5.1", b"ElfNumberOfRecords", b"ElfOldestRecord", b"ElfOpenBackupEventLogA", 
b"ElfOpenBackupEventLogW", b"ElfOpenEventLogA", b"ElfOpenEventLogW", b"ElfReadEventLogA", b"ElfReadEventLogW", b"ElfRegisterEventSourceA", b"ElfRegisterEventSourceW", b"ElfReportEventA", b"ElfReportEventAndSourceW", b"ElfReportEventW", b"EnableTrace", b"EnableTraceEx", b"EnableTraceEx2", b"EncryptedFileKeyInfo", b"EncryptFileA", b"EncryptFileW", b"EncryptionDisable", b"EnumDependentServicesA", b"EnumDependentServicesW", b"EnumDynamicTimeZoneInformation", b"EnumServiceGroupW", b"EnumServicesStatusA", b"EnumServicesStatusExA", b"EnumServicesStatusExW", b"EnumServicesStatusW", b"EnumerateTraceGuids", b"EnumerateTraceGuidsEx", b"EqualDomainSid", b"EqualPrefixSid", b"EqualSid", b"EtwLogSysConfigExtension", b"EventAccessControl", b"EventAccessQuery", b"EventAccessRemove", b"EventActivityIdControl", b"EventEnabled", b"EventProviderEnabled", b"EventRegister", b"EventSetInformation", b"EventUnregister", b"EventWrite", b"EventWriteEndScenario", b"EventWriteEx", b"EventWriteStartScenario", b"EventWriteString", b"EventWriteTransfer", b"FileEncryptionStatusA", b"FileEncryptionStatusW", b"FindFirstFreeAce", b"FlushEfsCache", b"FlushTraceA", b"FlushTraceW", b"FreeEncryptedFileKeyInfo", b"FreeEncryptedFileMetadata", b"FreeEncryptionCertificateHashList", b"FreeInheritedFromArray", b"FreeSid", b"GetAccessPermissionsForObjectA", b"GetAccessPermissionsForObjectW", b"GetAce", b"GetAclInformation", b"GetAuditedPermissionsFromAclA", b"GetAuditedPermissionsFromAclW", b"GetAuditedPermissionsFromSDA", b"GetAuditedPermissionsFromSDW", b"GetCurrentHwProfileA", b"GetCurrentHwProfileW", b"GetDynamicTimeZoneInformationEffectiveYears", b"GetEffectiveAccessRightsA", b"GetEffectiveAccessRightsW", b"GetEffectiveRightsFromAclA", b"GetEffectiveRightsFromAclW", b"GetEffectiveRightsFromSDA", b"GetEffectiveRightsFromSDW", b"GetEncryptedFileMetadata", b"GetEventLogInformation", b"GetExplicitAccessRightsA", b"GetExplicitAccessRightsW", b"GetExplicitEntriesFromAclA", b"GetExplicitEntriesFromAclW", 
b"GetFileSecurityA", b"GetFileSecurityW", b"GetInformationCodeAuthzLevelW", b"GetInformationCodeAuthzPolicyW", b"GetInheritanceSourceA", b"GetInheritanceSourceW", b"GetKernelObjectSecurity", b"GetLengthSid", b"GetLocalManagedApplicationData", b"GetLocalManagedApplications", b"GetManagedApplicationCategories", b"GetManagedApplications", b"GetMangledSiteSid", b"GetMultipleTrusteeA", b"GetMultipleTrusteeOperationA", b"GetMultipleTrusteeOperationW", b"GetMultipleTrusteeW", b"GetNamedSecurityInfoA", b"GetNamedSecurityInfoExA", b"GetNamedSecurityInfoExW", b"GetNamedSecurityInfoW", b"GetNumberOfEventLogRecords", b"GetOldestEventLogRecord", b"GetOverlappedAccessResults", b"GetPrivateObjectSecurity", b"GetSecurityDescriptorControl", b"GetSecurityDescriptorDacl", b"GetSecurityDescriptorGroup", b"GetSecurityDescriptorLength", b"GetSecurityDescriptorOwner", b"GetSecurityDescriptorRMControl", b"GetSecurityDescriptorSacl", b"GetSecurityInfo", b"GetSecurityInfoExA", b"GetSecurityInfoExW", b"GetServiceDisplayNameA", b"GetServiceDisplayNameW", b"GetServiceKeyNameA", b"GetServiceKeyNameW", b"GetSidIdentifierAuthority", b"GetSidLengthRequired", b"GetSidSubAuthority", b"GetSidSubAuthorityCount", b"GetSiteDirectoryA", b"GetSiteDirectoryW", b"GetSiteNameFromSid", b"GetSiteSidFromToken", b"GetSiteSidFromUrl", b"GetStringConditionFromBinary", b"GetThreadWaitChain", b"GetTokenInformation", b"GetTraceEnableFlags", b"GetTraceEnableLevel", b"GetTraceLoggerHandle", b"GetTrusteeFormA", b"GetTrusteeFormW", b"GetTrusteeNameA", b"GetTrusteeNameW", b"GetTrusteeTypeA", b"GetTrusteeTypeW", b"GetUserNameA", b"GetUserNameW", b"GetWindowsAccountDomainSid", b"GrantAccessRightsA", b"GrantAccessRightsW", b"I_QueryTagInformation", b"I_ScGetCurrentGroupStateW", b"I_ScIsSecurityProcess", b"I_ScPnPGetServiceName", b"I_ScQueryServiceConfig", b"I_ScRegisterPreshutdownRestart", b"I_ScSendPnPMessage", b"I_ScSendTSMessage", b"I_ScSetServiceBitsA", b"I_ScSetServiceBitsW", b"I_ScValidatePnPService", 
b"IdentifyCodeAuthzLevelW", b"ImpersonateAnonymousToken", b"ImpersonateLoggedOnUser", b"ImpersonateNamedPipeClient", b"ImpersonateSelf", b"InitializeAcl", b"InitializeSecurityDescriptor", b"InitializeSid", b"InitiateShutdownA", b"InitiateShutdownW", b"InitiateSystemShutdownA", b"InitiateSystemShutdownExA", b"InitiateSystemShutdownExW", b"InitiateSystemShutdownW", b"InstallApplication", b"IsAccessPermittedA", b"IsAccessPermittedW", b"IsInSandbox", b"IsProcessRestricted", b"IsTextUnicode", b"IsTokenRestricted", b"IsTokenUntrusted", b"IsValidAcl", b"IsValidRelativeSecurityDescriptor", b"IsValidSecurityDescriptor", b"IsValidSid", b"IsWellKnownSid", b"LockServiceDatabase", b"LogonUserA", b"LogonUserExA", b"LogonUserExExW", b"LogonUserExW", b"LogonUserW", b"LookupAccountNameA", b"LookupAccountNameW", b"LookupAccountSidA", b"LookupAccountSidW", b"LookupPrivilegeDisplayNameA", b"LookupPrivilegeDisplayNameW", b"LookupPrivilegeNameA", b"LookupPrivilegeNameW", b"LookupPrivilegeValueA", b"LookupPrivilegeValueW", b"LookupSecurityDescriptorPartsA", b"LookupSecurityDescriptorPartsW", b"LsaAddAccountRights", b"LsaAddPrivilegesToAccount", b"LsaClearAuditLog", b"LsaClose", b"LsaCreateAccount", b"LsaCreateSecret", b"LsaCreateTrustedDomain", b"LsaCreateTrustedDomainEx", b"LsaDelete", b"LsaDeleteTrustedDomain", b"LsaEnumerateAccountRights", b"LsaEnumerateAccounts", b"LsaEnumerateAccountsWithUserRight", b"LsaEnumeratePrivileges", b"LsaEnumeratePrivilegesOfAccount", b"LsaEnumerateTrustedDomains", b"LsaEnumerateTrustedDomainsEx", b"LsaFreeMemory", b"LsaGetAppliedCAPIDs", b"LsaGetQuotasForAccount", b"LsaGetRemoteUserName", b"LsaGetSystemAccessAccount", b"LsaGetUserName", b"LsaICLookupNames", b"LsaICLookupNamesWithCreds", b"LsaICLookupSids", b"LsaICLookupSidsWithCreds", b"LsaLookupNames", b"LsaLookupNames2", b"LsaLookupPrivilegeDisplayName", b"LsaLookupPrivilegeName", b"LsaLookupPrivilegeValue", b"LsaLookupSids", b"LsaLookupSids2", b"LsaManageSidNameMapping", b"LsaNtStatusToWinError", 
b"LsaOpenAccount", b"LsaOpenPolicy", b"LsaOpenPolicySce", b"LsaOpenSecret", b"LsaOpenTrustedDomain", b"LsaOpenTrustedDomainByName", b"LsaQueryCAPs", b"LsaQueryDomainInformationPolicy", b"LsaQueryForestTrustInformation", b"LsaQueryInfoTrustedDomain", b"LsaQueryInformationPolicy", b"LsaQuerySecret", b"LsaQuerySecurityObject", b"LsaQueryTrustedDomainInfo", b"LsaQueryTrustedDomainInfoByName", b"LsaRemoveAccountRights", b"LsaRemovePrivilegesFromAccount", b"LsaRetrievePrivateData", b"LsaSetCAPs", b"LsaSetDomainInformationPolicy", b"LsaSetForestTrustInformation", b"LsaSetInformationPolicy", b"LsaSetInformationTrustedDomain", b"LsaSetQuotasForAccount", b"LsaSetSecret", b"LsaSetSecurityObject", b"LsaSetSystemAccessAccount", b"LsaSetTrustedDomainInfoByName", b"LsaSetTrustedDomainInformation", b"LsaStorePrivateData", b"MD4Final", b"MD4Init", b"MD4Update", b"MD5Final", b"MD5Init", b"MD5Update", b"MIDL_user_free_Ext", b"MSChapSrvChangePassword", b"MSChapSrvChangePassword2", b"MakeAbsoluteSD", b"MakeAbsoluteSD2", b"MakeSelfRelativeSD", b"MapGenericMask", b"NTAccessMaskToProvAccessRights", b"NotifyBootConfigStatus", b"NotifyChangeEventLog", b"NotifyServiceStatusChange", b"NotifyServiceStatusChangeA", b"NotifyServiceStatusChangeW", b"NpGetUserName", b"ObjectCloseAuditAlarmA", b"ObjectCloseAuditAlarmW", b"ObjectDeleteAuditAlarmA", b"ObjectDeleteAuditAlarmW", b"ObjectOpenAuditAlarmA", b"ObjectOpenAuditAlarmW", b"ObjectPrivilegeAuditAlarmA", b"ObjectPrivilegeAuditAlarmW", b"OpenBackupEventLogA", b"OpenBackupEventLogW", b"OpenEncryptedFileRawA", b"OpenEncryptedFileRawW", b"OpenEventLogA", b"OpenEventLogW", b"OpenProcessToken", b"OpenSCManagerA", b"OpenSCManagerW", b"OpenServiceA", b"OpenServiceW", b"OpenThreadToken", b"OpenThreadWaitChainSession", b"OpenTraceA", b"OpenTraceW", b"OperationEnd", b"OperationStart", b"PerfAddCounters", b"PerfCloseQueryHandle", b"PerfCreateInstance", b"PerfDecrementULongCounterValue", b"PerfDecrementULongLongCounterValue", b"PerfDeleteCounters", 
b"PerfDeleteInstance", b"PerfEnumerateCounterSet", b"PerfEnumerateCounterSetInstances", b"PerfIncrementULongCounterValue", b"PerfIncrementULongLongCounterValue", b"PerfOpenQueryHandle", b"PerfQueryCounterData", b"PerfQueryCounterInfo", b"PerfQueryCounterSetRegistrationInfo", b"PerfQueryInstance", b"PerfRegCloseKey", b"PerfRegEnumKey", b"PerfRegEnumValue", b"PerfRegQueryInfoKey", b"PerfRegQueryValue", b"PerfRegSetValue", b"PerfSetCounterRefValue", b"PerfSetCounterSetInfo", b"PerfSetULongCounterValue", b"PerfSetULongLongCounterValue", b"PerfStartProvider", b"PerfStartProviderEx", b"PerfStopProvider", b"PrivilegeCheck", b"PrivilegedServiceAuditAlarmA", b"PrivilegedServiceAuditAlarmW", b"ProcessIdleTasks", b"ProcessIdleTasksW", b"ProcessTrace", b"ProvAccessRightsToNTAccessMask", b"PsmActivateApplication", b"PsmAdjustActivationToken", b"PsmQueryBackgroundActivationType", b"PsmRegisterApplicationProcess", b"QueryAllTracesA", b"QueryAllTracesW", b"QueryRecoveryAgentsOnEncryptedFile", b"QuerySecurityAccessMask", b"QueryServiceConfig2A", b"QueryServiceConfig2W", b"QueryServiceConfigA", b"QueryServiceConfigW", b"QueryServiceDynamicInformation", b"QueryServiceLockStatusA", b"QueryServiceLockStatusW", b"QueryServiceObjectSecurity", b"QueryServiceStatus", b"QueryServiceStatusEx", b"QueryTraceA", b"QueryTraceW", b"QueryUsersOnEncryptedFile", b"QueryWindows31FilesMigration", b"ReadEncryptedFileRaw", b"ReadEventLogA", b"ReadEventLogW", b"RegCloseKey", b"RegConnectRegistryA", b"RegConnectRegistryW", b"RegConnectRegistryExA", b"RegConnectRegistryExW", b"RegCopyTreeA", b"RegCopyTreeW", b"RegCreateKeyA", b"RegCreateKeyExA", b"RegCreateKeyExW", b"RegCreateKeyTransactedA", b"RegCreateKeyTransactedW", b"RegCreateKeyW", b"RegDeleteKeyA", b"RegDeleteKeyExA", b"RegDeleteKeyExW", b"RegDeleteKeyTransactedA", b"RegDeleteKeyTransactedW", b"RegDeleteKeyValueA", b"RegDeleteKeyValueW", b"RegDeleteKeyW", b"RegDeleteTreeA", b"RegDeleteTreeW", b"RegDeleteValueA", b"RegDeleteValueW", 
b"RegDisablePredefinedCache", b"RegDisablePredefinedCacheEx", b"RegDisableReflectionKey", b"RegEnableReflectionKey", b"RegEnumKeyA", b"RegEnumKeyExA", b"RegEnumKeyExW", b"RegEnumKeyW", b"RegEnumValueA", b"RegEnumValueW", b"RegFlushKey", b"RegGetKeySecurity", b"RegGetValueA", b"RegGetValueW", b"RegLoadAppKeyA", b"RegLoadAppKeyW", b"RegLoadKeyA", b"RegLoadKeyW", b"RegLoadMUIStringA", b"RegLoadMUIStringW", b"RegNotifyChangeKeyValue", b"RegOpenCurrentUser", b"RegOpenKeyA", b"RegOpenKeyExA", b"RegOpenKeyExW", b"RegOpenKeyTransactedA", b"RegOpenKeyTransactedW", b"RegOpenKeyW", b"RegOpenUserClassesRoot", b"RegOverridePredefKey", b"RegQueryInfoKeyA", b"RegQueryInfoKeyW", b"RegQueryMultipleValuesA", b"RegQueryMultipleValuesW", b"RegQueryReflectionKey", b"RegQueryValueA", b"RegQueryValueExA", b"RegQueryValueExW", b"RegQueryValueW", b"RegRemapPreDefKey", b"RegRenameKey", b"RegReplaceKeyA", b"RegReplaceKeyW", b"RegRestoreKeyA", b"RegRestoreKeyW", b"RegSaveKeyA", b"RegSaveKeyExA", b"RegSaveKeyExW", b"RegSaveKeyW", b"RegSetKeySecurity", b"RegSetKeyValueA", b"RegSetKeyValueW", b"RegSetValueA", b"RegSetValueExA", b"RegSetValueExW", b"RegSetValueW", b"RegUnLoadKeyA", b"RegUnLoadKeyW", b"RegisterEventSourceA", b"RegisterEventSourceW", b"RegisterIdleTask", b"RegisterServiceCtrlHandlerA", b"RegisterServiceCtrlHandlerExA", b"RegisterServiceCtrlHandlerExW", b"RegisterServiceCtrlHandlerW", b"RegisterTraceGuidsA", b"RegisterTraceGuidsW", b"RegisterWaitChainCOMCallback", b"RemoteRegEnumKeyWrapper", b"RemoteRegEnumValueWrapper", b"RemoteRegQueryInfoKeyWrapper", b"RemoteRegQueryValueWrapper", b"RemoveTraceCallback", b"RemoveUsersFromEncryptedFile", b"ReplaceAllAccessRightsA", b"ReplaceAllAccessRightsW", b"ReportEventA", b"ReportEventW", b"RevertToSelf", b"RevokeExplicitAccessRightsA", b"RevokeExplicitAccessRightsW", b"SafeBaseRegGetKeySecurity", b"SaferCloseLevel", b"SaferComputeTokenFromLevel", b"SaferCreateLevel", b"SaferGetLevelInformation", b"SaferGetPolicyInformation", 
b"SaferIdentifyLevel", b"SaferRecordEventLogEntry", b"SaferSetLevelInformation", b"SaferSetPolicyInformation", b"SaferiChangeRegistryScope", b"SaferiCompareTokenLevels", b"SaferiIsDllAllowed", b"SaferiIsExecutableFileType", b"SaferiPopulateDefaultsInRegistry", b"SaferiRecordEventLogEntry", b"SaferiRegisterExtensionDll", b"SaferiReplaceProcessThreadTokens", b"SaferiSearchMatchingHashRules", b"SetAccessRightsA", b"SetAccessRightsW", b"SetAclInformation", b"SetEncryptedFileMetadata", b"SetEntriesInAccessListA", b"SetEntriesInAccessListW", b"SetEntriesInAclA", b"SetEntriesInAclW", b"SetEntriesInAuditListA", b"SetEntriesInAuditListW", b"SetFileSecurityA", b"SetFileSecurityW", b"SetInformationCodeAuthzLevelW", b"SetInformationCodeAuthzPolicyW", b"SetKernelObjectSecurity", b"SetNamedSecurityInfoA", b"SetNamedSecurityInfoExA", b"SetNamedSecurityInfoExW", b"SetNamedSecurityInfoW", b"SetPrivateObjectSecurity", b"SetPrivateObjectSecurityEx", b"SetSecurityAccessMask", b"SetSecurityDescriptorControl", b"SetSecurityDescriptorDacl", b"SetSecurityDescriptorGroup", b"SetSecurityDescriptorOwner", b"SetSecurityDescriptorRMControl", b"SetSecurityDescriptorSacl", b"SetSecurityInfo", b"SetSecurityInfoExA", b"SetSecurityInfoExW", b"SetServiceBits", b"SetServiceObjectSecurity", b"SetServiceStatus", b"SetThreadToken", b"SetTokenInformation", b"SetTraceCallback", b"SetUserFileEncryptionKey", b"SetUserFileEncryptionKeyEx", b"StartServiceA", b"StartServiceCtrlDispatcherA", b"StartServiceCtrlDispatcherW", b"StartServiceW", b"StartTraceA", b"StartTraceW", b"StopTraceA", b"StopTraceW", b"SynchronizeWindows31FilesAndWindowsNTRegistry", b"SystemFunction001", b"SystemFunction002", b"SystemFunction003", b"SystemFunction004", b"SystemFunction005", b"SystemFunction006", b"SystemFunction007", b"SystemFunction008", b"SystemFunction009", b"SystemFunction010", b"SystemFunction011", b"SystemFunction012", b"SystemFunction013", b"SystemFunction014", b"SystemFunction015", b"SystemFunction016", 
b"SystemFunction017", b"SystemFunction018", b"SystemFunction019", b"SystemFunction020", b"SystemFunction021", b"SystemFunction022", b"SystemFunction023", b"SystemFunction024", b"SystemFunction025", b"SystemFunction026", b"SystemFunction027", b"SystemFunction028", b"SystemFunction029", b"SystemFunction030", b"SystemFunction031", b"SystemFunction032", b"SystemFunction033", b"SystemFunction034", b"SystemFunction035", b"SystemFunction036", b"SystemFunction040", b"SystemFunction041", b"TraceEvent", b"TraceEventInstance", b"TraceMessage", b"TraceMessageVa", b"TraceQueryInformation", b"TraceSetInformation", b"TreeResetNamedSecurityInfoA", b"TreeResetNamedSecurityInfoW", b"TreeSetNamedSecurityInfoA", b"TreeSetNamedSecurityInfoW", b"TrusteeAccessToObjectA", b"TrusteeAccessToObjectW", b"UninstallApplication", b"UnlockServiceDatabase", b"UnregisterIdleTask", b"UnregisterTraceGuids", b"UpdateTraceA", b"UpdateTraceW", b"UsePinForEncryptedFilesA", b"UsePinForEncryptedFilesW", b"WaitServiceState", b"WdmWmiServiceMain", b"WmiCloseBlock", b"WmiCloseTraceWithCursor", b"WmiConvertTimestamp", b"WmiDevInstToInstanceNameA", b"WmiDevInstToInstanceNameW", b"WmiEnumerateGuids", b"WmiExecuteMethodA", b"WmiExecuteMethodW", b"WmiFileHandleToInstanceNameA", b"WmiFileHandleToInstanceNameW", b"WmiFreeBuffer", b"WmiGetFirstTraceOffset", b"WmiGetNextEvent", b"WmiGetTraceHeader", b"WmiMofEnumerateResourcesA", b"WmiMofEnumerateResourcesW", b"WmiNotificationRegistrationA", b"WmiNotificationRegistrationW", b"WmiOpenBlock", b"WmiOpenTraceWithCursor", b"WmiParseTraceEvent", b"WmiQueryAllDataA", b"WmiQueryAllDataMultipleA", b"WmiQueryAllDataMultipleW", b"WmiQueryAllDataW", b"WmiQueryGuidInformation", b"WmiQuerySingleInstanceA", b"WmiQuerySingleInstanceMultipleA", b"WmiQuerySingleInstanceMultipleW", b"WmiQuerySingleInstanceW", b"WmiReceiveNotificationsA", b"WmiReceiveNotificationsW", b"WmiSetSingleInstanceA", b"WmiSetSingleInstanceW", b"WmiSetSingleItemA", b"WmiSetSingleItemW", b"Wow64Win32ApiEntry", 
b"WriteEncryptedFileRaw", 23 | ] 24 | 25 | shell32_funcs = [ 26 | b"Activate_RunDLL", b"AddCommasW", b"AddToRecentDocs", b"AppCompat_RunDLLW", b"ArrangeWindows", b"AssocCreateElemeAssocCreateForClasses", b"AssocCreateListForClasses", b"AssocGetDetailsOfPropKey", b"AssocGetPropListForExt", b"CallCPLEntry16", b"CDefFolderMenu_Create", b"CDefFolderMenu_Create2", b"CDefFolderMenu_MergeMenu", b"CheckDiskSpace", b"CheckEscapesA", b"CheckEscapesW", b"CheckStagingArea", b"CheckWinIniForAssocs", b"CIDLData_CreateFromIDArray", b"ClearDestinationsForAllApps", b"ClearStartMenuItem", b"CommandLineToArgvW", b"Control_FillCache_RunDLL", b"Control_FillCache_RunDLLA", b"Control_FillCache_RunDLLW", b"Control_RunDLL", b"Control_RunDLLA", b"Control_RunDLLW", b"Control_RunDLLAsUserW", b"Control_RunDLLNoFallback", b"CopyStreamUI", b"CPL_ExecuteTask", b"CPL_CreateCondition", b"Create_IEnumUICommand", b"Create_IEnumUICommandFromDefArray", b"Create_IUICommandFromDef", b"Create_IUIElemeCreateAutoListParser", b"CreateConditionRange", b"CreateInfoTipFromItem", b"CreateInfoTipFromItem2", b"CreateSingleVisibleInList", b"CreateVisibleInDescription", b"CreateVisibleInList", b"DAD_AutoScroll", b"DAD_DragEnter", b"DAD_DragEnterEx", b"DAD_DragEnterEx2", b"DAD_DragLeave", b"DAD_DragMove", b"DAD_SetDragImage", b"DAD_SetDragImageFromListView", b"DAD_ShowDragImage", b"DDECreatePostNotify", b"DDEHandleViewFolderNotify", b"DeleteFileThumbnail", b"Desktop_UpdateBriefcaseOnEveDisconnectWindowsDialog", b"DisplayNameOfW", b"DllCanUnloadNow", b"DllGetClassObject", b"DllGetVersion", b"DllInstall", b"DllRegisterServer", b"DllUnregisterServer", b"DoEnvironmentSubstA", b"DoEnvironmentSubstW", b"DragAcceptFiles", b"DragFinish", b"DragQueryFile", b"DragQueryFileA", b"DragQueryFileW", b"DragQueryFileAorW", b"DragQueryInfo", b"DragQueryPoiDrawMenuItem", b"DriveType", b"DUI_Shell32_StartDeferUninitialization", b"DUI_Shell32_EndDeferUninitialization", b"DuplicateIcon", b"EnumCommonTasks", b"ExitWindowsDialog", 
b"ExtractAssociatedIconA", b"ExtractAssociatedIconW", b"ExtractAssociatedIconExA", b"ExtractAssociatedIconExW", b"ExtractIcon", b"ExtractIconA", b"ExtractIconW", b"ExtractIconEx", b"ExtractIconExA", b"ExtractIconExW", b"ExtractIconResInfoA", b"ExtractIconResInfoW", b"ExtractVersionResource16W", b"FileIconInit", b"FileMenu_AbortInitMenu", b"FileMenu_AddFilesForPidl", b"FileMenu_AppendFilesForPidl", b"FileMenu_AppendItem", b"FileMenu_Create", b"FileMenu_CreateFromMenu", b"FileMenu_DelayedInvalidate", b"FileMenu_DeleteAllItems", b"FileMenu_DeleteItemByCmd", b"FileMenu_DeleteItemByIndex", b"FileMenu_DeleteMenuItemByFirstID", b"FileMenu_DeleteSeparator", b"FileMenu_Destroy", b"FileMenu_DrawItem", b"FileMenu_EditMode", b"FileMenu_EnableItemByCmd", b"FileMenu_FindSubMenuByPidl", b"FileMenu_GetItemExteFileMenu_GetLastSelectedItemPidls", b"FileMenu_GetPidl", b"FileMenu_HandleMenuChar", b"FileMenu_HandleMenuSelect", b"FileMenu_HandleNotify", b"FileMenu_InsertItem", b"FileMenu_InitMenuPopup", b"FileMenu_InsertSeparator", b"FileMenu_InsertUsingPidl", b"FileMenu_Invalidate", b"FileMenu_IsDelayedInvalid", b"FileMenu_IsFileMenu", b"FileMenu_IsUnexpanded", b"FileMenu_MeasureItem", b"FileMenu_ProcessCommand", b"FileMenu_ReplaceUsingPidl", b"FileMenu_TrackPopupMenuEx", b"FindExecutable", b"FindExecutableA", b"FindExecutableW", b"FindExeDlgProc", b"FirstUserLogon", b"FixupOptionalComponents", b"FreeIconList", b"GetAppIDRoot", b"GetAppPathFromLink", b"GetCurrentProcessExplicitAppUserModelID", b"GetDataIndexFromFolderType", b"GetFileDescriptor", b"GetFileNameFromBrowse", b"GetSqmableFileName", b"GetTryHarderIDList", b"GUIDFromStringA", b"GUIDFromStringW", b"ILAppendID", b"ILClone", b"ILCloneFirst", b"ILCombine", b"ILCreateFromPath", b"ILCreateFromPathA", b"ILCreateFromPathW", b"ILFindChild", b"ILFindLastID", b"ILFree", b"ILGetDisplayName", b"ILGetDisplayNameEx", b"ILGetNext", b"ILGetPseudoNameW", b"ILGetSize", b"ILGlobalClone", b"ILGlobalFree", b"ILIsEqual", 
b"ILIsPareILLoadFromStream", b"ILLoadFromStreamEx", b"ILRemoveLastID", b"ILSaveToStream", b"InitializeStartMenuItem", b"InitNetworkAddressControl", b"Int64ToString", b"InternalExtractIconListA", b"InternalExtractIconListW", b"InvalidateDriveType", b"IsElevationRequired", b"IsLFNDrive", b"IsLFNDriveA", b"IsLFNDriveW", b"IsNetDrive", b"IsSearchEnabled", b"IsShellItemInSearchIndex", b"IsSuspendAllowed", b"IsUserAnAdmin", b"LargeIntegerToString", b"LaunchMSHelp_RunDLLW", b"LegacyEnumSpecialTasksByType", b"LegacyEnumTasks", b"LinkWindow_RegisterClass", b"LinkWindow_UnregisterClass", b"Link_AddExtraDataSection", b"Link_ReadExtraDataSection", b"Link_RemoveExtraDataSection", b"LogoffWindowsDialog", b"MakeDestinationItem", b"MakeShellURLFromPathA", b"MakeShellURLFromPathW", b"MeasureMenuItem", b"NTSHChangeNotifyDeregister", b"NTSHChangeNotifyRegister", b"OCInstall", b"OldReadCabinetState", b"OleStrToStrN", b"OpenAs_RunDLL", b"OpenAs_RunDLLA", b"OpenAs_RunDLLW", b"OpenRegStream", b"Options_RunDLL", b"Options_RunDLLA", b"Options_RunDLLW", b"ParseField", b"PathAddBackslash", b"PathAppend", b"PathBuildRoot", b"PathCleanupSpec", b"PathCombine", b"PathComparePaths", b"PathFileExists", b"PathFindExtension", b"PathFindFileName", b"PathFindOnPath", b"PathGetArgs", b"PathGetDriveNumber", b"PathGetExtension", b"PathGetPathDisplayName", b"PathGetPathDisplayNameAlloc", b"PathGetShortPath", b"PathIsDirectory", b"PathIsEqualOrSubFolder", b"PathIsExe", b"PathIsRelative", b"PathIsRoot", b"PathIsSameRoot", b"PathIsSlowA", b"PathIsSlowW", b"PathIsTemporaryA", b"PathIsTemporaryW", b"PathIsUNC", b"PathIsURL", b"PathMakeUniqueName", b"PathMatchSpec", b"PathParseIconLocation", b"PathProcessCommand", b"PathQualify", b"PathQuoteSpaces", b"PathRemoveArgs", b"PathRemoveBlanks", b"PathRemoveExtension", b"PathRemoveFileSpec", b"PathResolve", b"PathSetDlgItemPath", b"PathStripPath", b"PathStripToRoot", b"PathUnquoteSpaces", b"PathYetAnotherMakeUniqueName", b"PickIconDlg", b"PifMgr_CloseProperties", 
b"PifMgr_GetProperties", b"PifMgr_OpenProperties", b"PifMgr_SetProperties", b"PlaceTasksUnderHeader", b"POOBE_CreateIndirectGraphic", b"PrepareDiscForBurnRunDllW", b"PrepareURLForDisplayUTF8W", b"PrintersGetCommand_RunDLL", b"PrintersGetCommand_RunDLLA", b"PrintersGetCommand_RunDLLW", b"Printers_GetPidl", b"Printers_RegisterWindowW", b"Printers_UnregisterWindow", b"Printer_AddPrinterPropPages", b"Printer_LoadIconsW", b"ReadCabinetState", b"RealDriveType", b"RealDriveTypeFlags", b"RealShellExecuteA", b"RealShellExecuteW", b"RealShellExecuteExA", b"RealShellExecuteExW", b"ReceiveAddToRecentDocs", b"RefreshBrowserLayout", b"RegenerateUserEnvironmeRegisterShellHook", b"RestartDialog", b"RestartDialogEx", b"RLBuildListOfPaths", b"RunAsNewUser_RunDLLW", b"RunDll_CallEntry16", b"RunFileDlg", b"RunInstallUninstallStubs", b"SaveTopViewSettings", b"SetAppStartingCursor", b"SetCurrentProcessExplicitAppUserModelID", b"SetExplorerServerMode", b"SetWindowRelaunchProperties", b"SHAbortInvokeCommand", b"SHAddDefaultPropertiesByExt", b"SHAddFromPropSheetExtArray", b"SHAddToRecentDocs", b"SHAlloc", b"SHAllocShared", b"SHAppBarMessage", b"SHApplyPropertiesToItem", b"SHAssocEnumHandlers", b"SHAssocEnumHandlersForProtocolByApplication", b"SHBindToFolderIDListPareSHBindToFolderIDListParentEx", b"SHBindToObject", b"SHBindToPareSHBrowseForFolder", b"SHBrowseForFolderA", b"SHBrowseForFolderW", b"SHChangeNotification_Lock", b"SHChangeNotification_Unlock", b"SHChangeNotify", b"SHChangeNotifyDeregister", b"SHChangeNotifyDeregisterWindow", b"SHChangeNotifyReceive", b"SHChangeNotifyRegister", b"SHChangeNotifyRegisterThread", b"SHChangeNotifySuspendResume", b"SHChangeNotifyUpdateEntryList", b"SHChangeRegistrationReceive", b"SHCloneSpecialIDList", b"SHCLSIDFromString", b"SHCoCreateInstance", b"SHCombineMultipleConditions", b"SHCombineMultipleConditionsEx", b"SHCompareIDsFull", b"SHConfirmOperation", b"SHCopyMonikerToTemp", b"SHCopyStreamWithProgress", b"SHCreateAndOrCondition", 
b"SHCreateAndOrConditionEx", b"SHCreateAssociationRegistration", b"SHCreateAutoList", b"SHCreateAutoListWithID", b"SHCreateCategoryEnum", b"SHCreateConditionFactory", b"SHCreateDataObject", b"SHCreateDefaultContextMenu", b"SHCreateDefaultExtractIcon", b"SHCreateDefaultPropertiesOp", b"SHCreateDefClassObject", b"SHCreateDesktop", b"SHCreateDirectory", b"SHCreateDirectoryExA", b"SHCreateDirectoryExW", b"SHCreateFileDataObject", b"SHCreateFileExtractIconW", b"SHCreateFilter", b"SHCreateFilterFromFullText", b"SHCreateInstance", b"SHCreateItemFromIDList", b"SHCreateItemFromParsingName", b"SHCreateItemFromRelativeName", b"SHCreateItemInKnownFolder", b"SHCreateItemWithPareSHCreateKindFilter", b"SHCreateLeafCondition", b"SHCreateLeafConditionEx", b"SHCreateLinks", b"SHCreateLinksEx", b"SHCreateLocalServerRunDll", b"SHCreateNotCondition", b"SHCreateNotConditionEx", b"SHCreateProcessAsUserW", b"SHCreatePropertyBag", b"SHCreatePropSheetExtArray", b"SHCreatePropSheetExtArrayEx", b"SHCreateQueryCancelAutoPlayMoniker", b"SHCreateRelatedItem", b"SHCreateRelatedItemFromIDList", b"SHCreateRelatedItemWithPareSHCreateScopeFromIDLists", b"SHCreateScopeFromShellItemArray", b"SHCreateScopeItemFromIDList", b"SHCreateScopeItemFromKnownFolder", b"SHCreateScopeItemFromShellItem", b"SHCreateSearchIDList", b"SHCreateSearchIDListFromAutoList", b"SHCreateSessionKey", b"SHCreateShellFolderView", b"SHCreateShellFolderViewEx", b"SHCreateShellItem", b"SHCreateShellItemArray", b"SHCreateShellItemArrayFromDataObject", b"SHCreateShellItemArrayFromIDLists", b"SHCreateShellItemArrayFromShellItem", b"SHCreateStdEnumFmtEtc", b"SHCreateThreadUndoManager", b"SHCreateTransientVFolderIDList", b"SHDefExtractIconA", b"SHDefExtractIconW", b"SHDesktopMessageLoop", b"SHDestroyPropSheetExtArray", b"SHDisplayNameFromScopeAndSubQueries", b"SHDoDragDrop", b"SHDoDragDropWithPreferredEffect", b"SheChangeDirA", b"SheChangeDirW", b"SheChangeDirExA", b"SheChangeDirExW", b"SheConvertPathW", b"SheFullPathA", b"SheFullPathW", 
b"SheGetCurDrive", b"SheGetDirA", b"SheGetDirW", b"SheGetDirExW", b"SheGetPathOffsetW", b"Shell_GetCachedImageIndex", b"Shell_GetCachedImageIndexA", b"Shell_GetCachedImageIndexW", b"Shell_GetImageLists", b"Shell_MergeMenus", b"Shell_NotifyIcon", b"Shell_NotifyIconA", b"Shell_NotifyIconGetRect", b"Shell_NotifyIconW", b"ShellAbout", b"ShellAboutA", b"ShellAboutW", b"ShellDDEInit", b"ShellExec_RunDLL", b"ShellExec_RunDLLA", b"ShellExec_RunDLLW", b"ShellExecCmdLine", b"ShellExecPidl", b"ShellExecute", b"ShellExecuteA", b"ShellExecuteW", b"ShellExecuteEx", b"ShellExecuteExA", b"ShellExecuteExW", b"ShellHookProc", b"ShellMessageBoxA", b"ShellMessageBoxW", b"SHEmptyRecycleBinA", b"SHEmptyRecycleBinW", b"SHEnableServiceObject", b"SHEnumClassesOfCategories", b"SHEnumerateUnreadMailAccountsW", b"SheRemoveQuotesA", b"SheRemoveQuotesW", b"SheSetCurDrive", b"SheShortenPathA", b"SheShortenPathW", b"SHEvaluateSystemCommandTemplate", b"SHExitWindowsEx", b"Windows", b"SHExtCoCreateInstance", b"SHExtCoCreateInstanceCheckCategory", b"SHExtractIconsW", b"SHFileOperation", b"SHFileOperationA", b"SHFileOperationW", b"SHFileSysBindToStorage", b"SHFilterConditionFromString", b"SHFilterConditionToString", b"SHFind_InitMenuPopup", b"SHFindComputer", b"SHFindFiles", b"SHFlushClipboard", b"SHFlushSFCache", b"SHFormatDrive", b"SHFree", b"SHFreeNameMappings", b"SHFreeShared", b"SHFreeUnusedLibraries", b"SHGetActiveConsoleSessionId", b"SHGetAppCompatFlags", b"SHGetAssocKeys", b"SHGetAttributesFromDataObject", b"SHGetComputerDisplayNameW", b"SHGetCorrectOwnerSid", b"SHGetDataFromIDListA", b"SHGetDataFromIDListW", b"SHGetDefaultUserPicture", b"SHGetDesktopFolder", b"SHGetDiskFreeSpaceA", b"SHGetDiskFreeSpaceExA", b"SHGetDiskFreeSpaceExW", b"SHGetDriveMedia", b"SHGetFileIcon", b"SHGetFileInfo", b"SHGetFileInfoA", b"SHGetFileInfoW", b"SHGetFolderLocation", b"SHGetFolderPathA", b"SHGetFolderPathW", b"SHGetFolderPathAndSubDirA", b"SHGetFolderPathAndSubDirW", b"SHGetFolderPathEx", 
b"SHGetFolderTypeDescription", b"SHGetFolderTypeFromCanonicalName", b"SHGetIconOverlayIndexA", b"SHGetIconOverlayIndexW", b"SHGetIdentifyItem", b"SHGetIDListFromObject", b"SHGetImageList", b"SHGetInstanceExplorer", b"SHGetItemFromDataObject", b"SHGetItemFromObject", b"SHGetKnownFolderIDList", b"SHGetKnownFolderItem", b"SHGetKnownFolderPath", b"SHGetLocalizedName", b"SHGetMalloc", b"SHGetNameFromIDList", b"SHGetNetResource", b"SHGetNewLinkInfo", b"SHGetNewLinkInfoA", b"SHGetNewLinkInfoW", b"SHGetNoAssocIconIndex", b"SHGetPathFromIDList", b"SHGetPathFromIDListA", b"SHGetPathFromIDListW", b"SHGetPathFromIDListEx", b"SHGetProcessDword", b"SHGetPropertyStoreForWindow", b"SHGetPropertyStoreFromIDList", b"SHGetPropertyStoreFromParsingName", b"SHGetRealIDL", b"SHGetSetFolderCustomSettingsA", b"SHGetSetFolderCustomSettingsW", b"SHGetSetSettings", b"SHGetSettings", b"SHGetShellFolderViewCB", b"SHGetShellStyleHInstance", b"SHGetSpecialFolderLocation", b"SHGetSpecialFolderPathA", b"SHGetSpecialFolderPathW", b"SHGetStockIconInfo", b"SHGetTemporaryPropertyForItem", b"SHGetThreadUndoManager", b"SHGetTopViewDescription", b"SHGetUnreadMailCountW", b"SHGetUserDisplayName", b"SHGetUserPicturePath", b"SHGetUserPicturePathW", b"SHGetUserSessionId", b"SHGetUserPicturePathEx", b"SHGlobalDefect", b"SHHandleDiskFull", b"SHHandleUpdateImage", b"SHHelpShortcuts_RunDLL", b"SHHelpShortcuts_RunDLLA", b"SHHelpShortcuts_RunDLLW", b"SHIconIndexFromPIDL", b"SHILCreateFromPath", b"SHInitializeControlPanelRegkeys", b"SHInvokePrinterCommandA", b"SHInvokePrinterCommandW", b"SHInvokePrivilegedFunctionW", b"SHIsBadInterfacePtr", b"SHIsCurrentProcessConsoleSession", b"SHIsFileAvailableOffline", b"SHIsLegacyAnsiProperty", b"SHIsTempDisplayMode", b"SHKnownFolderFromCSIDL", b"SHKnownFolderToCSIDL", b"Shl1632_ThunkData32", b"Shl3216_ThunkData32", b"SHLaunchSearch", b"SHLaunchSearch", b"SHLimitInputCombo", b"SHLimitInputEdit", b"SHLimitInputEditWithFlags", b"SHLimitInputEndSubclass", b"SHLoadFilterFromStream", 
b"SHLoadInProc", b"SHLoadNonloadedIconOverlayIdentifiers", b"SHLoadOLE", b"SHLocalAlloc", b"SHLocalFree", b"SHLocalReAlloc", b"SHLockShared", b"SHLogILFromFSIL", b"SHLookupIconIndexA", b"SHLookupIconIndexW", b"SHMapIDListToImageListIndexAsync", b"SHMapIDListToSystemImageListIndexAsync", b"SHMapIDListToSystemImageListIndex", b"SHMapPIDLToSystemImageListIndex", b"SHMultiFileProperties", b"SHNetConnectionDialog", b"SHObjectProperties", b"SHOpenEffectiveToken", b"SHOpenFolderAndSelectItems", b"SHOpenPropSheetA", b"SHOpenPropSheetW", b"SHOpenWithDialog", b"ShortSizeFormatW", b"SHOutOfMemoryMessageBox", b"SHParseDarwinIDFromCacheW", b"SHParseDisplayName", b"SHPathPrepareForWriteA", b"SHPathPrepareForWriteW", b"SHPropStgCreate", b"SHPropStgReadMultiple", b"SHPropStgWriteMultiple", b"SHQueryRecycleBinA", b"SHQueryRecycleBinW", b"SHQueryUserNotificationState", b"SHRegCloseKey", b"SHRegDeleteKeyW", b"SHRegisterDarwinLink", b"SHRegisterDragDrop", b"SHRegOpenKeyA", b"SHRegOpenKeyW", b"SHRegQueryValueA", b"SHRegQueryValueW", b"SHRegQueryValueExA", b"SHRegQueryValueExW", b"SHRemoveLocalizedName", b"SHReplaceFromPropSheetExtArray", b"SHResolveLibrary", b"SHResolveUserNames", b"SHRestricted", b"SHReValidateDarwinCache", b"SHRevokeDragDrop", b"SHRunControlPanel", b"SHSetDefaultProperties", b"SHSetFolderPathA", b"SHSetFolderPathW", b"SHSetInstanceExplorer", b"SHSetKnownFolderPath", b"SHSetLocalizedName", b"SHSetShellWindowEx", b"SHSetTemporaryPropertyForItem", b"SHSettingsChanged", b"SHSetUnreadMailCountW", b"SHSetUserPicturePath", b"SHSetUserPicturePathW", b"SHShellFolderView_Message", b"SHShouldShowWizards", b"SHShowManageLibraryUI", b"SHSimpleIDListFromPath", b"SHSimulateDropOnClsid", b"SHStartNetConnectionDialog", b"SHStartNetConnectionDialogA", b"SHStartNetConnectionDialogW", b"SHStgOpenStorageA", b"SHStgOpenStorageW", b"SHTestTokenMembership", b"SHTestTokenPrivilegeW", b"SHUnlockShared", b"SHUpdateImageA", b"SHUpdateImageW", b"SHUpdateRecycleBinIcon", 
b"SHUserGetPasswordHiSHUserSetPasswordHiSHValidateUNC", b"SHWaitForFileToOpen", b"SHWaitOp_Operate", b"SHWinHelp", b"SHWriteClassesOfCategories", b"SignalFileOpen", b"StampIconForElevation", b"StgMakeUniqueName", 27 | ] 28 | 29 | crypt32_funcs = [ 30 | b"CertAddCRLContextToStore", b"CertAddCRLLinkToStore", b"CertAddCTLContextToStore", b"CertAddCTLLinkToStore", b"CertAddCertificateContextToStore", b"CertAddCertificateLinkToStore", b"CertAddEncodedCRLToStore", b"CertAddEncodedCTLToStore", b"CertAddEncodedCertificateToStore", b"CertAddEncodedCertificateToSystemStoreA", b"CertAddEncodedCertificateToSystemStoreW", b"CertAddEnhancedKeyUsageIdentifier", b"CertAddRefServerOcspResponse", b"CertAddRefServerOcspResponseContext", b"CertAddSerializedElementToStore", b"CertAddStoreToCollection", b"CertAlgIdToOID", b"CertCloseServerOcspResponse", b"CertCloseStore", b"CertCompareCertificate", b"CertCompareCertificateName", b"CertCompareIntegerBlob", b"CertComparePublicKeyInfo", b"CertControlStore", b"CertCreateCRLContext", b"CertCreateCTLContext", b"CertCreateCTLEntryFromCertificateContextProperties", b"CertCreateCertificateChainEngine", b"CertCreateCertificateContext", b"CertCreateContext", b"CertCreateSelfSignCertificate", b"CertDeleteCRLFromStore", b"CertDeleteCTLFromStore", b"CertDeleteCertificateFromStore", b"CertDuplicateCRLContext", b"CertDuplicateCTLContext", b"CertDuplicateCertificateChain", b"CertDuplicateCertificateContext", b"CertDuplicateStore", b"CertEnumCRLContextProperties", b"CertEnumCRLsInStore", b"CertEnumCTLContextProperties", b"CertEnumCTLsInStore", b"CertEnumCertificateContextProperties", b"CertEnumCertificatesInStore", b"CertEnumPhysicalStore", b"CertEnumSubjectInSortedCTL", b"CertEnumSystemStore", b"CertEnumSystemStoreLocation", b"CertFindAttribute", b"CertFindCRLInStore", b"CertFindCTLInStore", b"CertFindCertificateInCRL", b"CertFindCertificateInStore", b"CertFindChainInStore", b"CertFindExtension", b"CertFindRDNAttr", b"CertFindSubjectInCTL", 
b"CertFindSubjectInSortedCTL", b"CertFreeCRLContext", b"CertFreeCTLContext", b"CertFreeCertificateChain", b"CertFreeCertificateChainEngine", b"CertFreeCertificateChainList", b"CertFreeCertificateContext", b"CertFreeServerOcspResponseContext", b"CertGetCRLContextProperty", b"CertGetCRLFromStore", b"CertGetCTLContextProperty", b"CertGetCertificateChain", b"CertGetCertificateContextProperty", b"CertGetEnhancedKeyUsage", b"CertGetIntendedKeyUsage", b"CertGetIssuerCertificateFromStore", b"CertGetNameStringA", b"CertGetNameStringW", b"CertGetPublicKeyLength", b"CertGetServerOcspResponseContext", b"CertGetStoreProperty", b"CertGetSubjectCertificateFromStore", b"CertGetValidUsages", b"CertIsRDNAttrsInCertificateName", b"CertIsValidCRLForCertificate", b"CertNameToStrA", b"CertNameToStrW", b"CertOIDToAlgId", b"CertOpenServerOcspResponse", b"CertOpenStore", b"CertOpenSystemStoreA", b"CertOpenSystemStoreW", b"CertRDNValueToStrA", b"CertRDNValueToStrW", b"CertRegisterPhysicalStore", b"CertRegisterSystemStore", b"CertRemoveEnhancedKeyUsageIdentifier", b"CertRemoveStoreFromCollection", b"CertResyncCertificateChainEngine", b"CertRetrieveLogoOrBiometricInfo", b"CertSaveStore", b"CertSelectCertificateChains", b"CertSerializeCRLStoreElement", b"CertSerializeCTLStoreElement", b"CertSerializeCertificateStoreElement", b"CertSetCRLContextProperty", b"CertSetCTLContextProperty", b"CertSetCertificateContextPropertiesFromCTLEntry", b"CertSetCertificateContextProperty", b"CertSetEnhancedKeyUsage", b"CertSetStoreProperty", b"CertStrToNameA", b"CertStrToNameW", b"CertUnregisterPhysicalStore", b"CertUnregisterSystemStore", b"CertVerifyCRLRevocation", b"CertVerifyCRLTimeValidity", b"CertVerifyCTLUsage", b"CertVerifyCertificateChainPolicy", b"CertVerifyRevocation", b"CertVerifySubjectCertificateContext", b"CertVerifyTimeValidity", b"CertVerifyValidityNesting", b"CreateFileU", b"CryptAcquireCertificatePrivateKey", b"CryptAcquireContextU", b"CryptBinaryToStringA", b"CryptBinaryToStringW", 
b"CryptCloseAsyncHandle", b"CryptCreateAsyncHandle", b"CryptCreateKeyIdentifierFromCSP", b"CryptDecodeMessage", b"CryptDecodeObject", b"CryptDecodeObjectEx", b"CryptDecryptAndVerifyMessageSignature", b"CryptDecryptMessage", b"CryptEncodeObject", b"CryptEncodeObjectEx", b"CryptEncryptMessage", b"CryptEnumKeyIdentifierProperties", b"CryptEnumOIDFunction", b"CryptEnumOIDInfo", b"CryptEnumProvidersU", b"CryptExportPKCS8", b"CryptExportPublicKeyInfo", b"CryptExportPublicKeyInfoEx", b"CryptExportPublicKeyInfoFromBCryptKeyHandle", b"CryptFindCertificateKeyProvInfo", b"CryptFindLocalizedName", b"CryptFindOIDInfo", b"CryptFormatObject", b"CryptFreeOIDFunctionAddress", b"CryptGetAsyncParam", b"CryptGetDefaultOIDDllList", b"CryptGetDefaultOIDFunctionAddress", b"CryptGetKeyIdentifierProperty", b"CryptGetMessageCertificates", b"CryptGetMessageSignerCount", b"CryptGetOIDFunctionAddress", b"CryptGetOIDFunctionValue", b"CryptHashCertificate", b"CryptHashCertificate2", b"CryptHashMessage", b"CryptHashPublicKeyInfo", b"CryptHashToBeSigned", b"CryptImportPKCS8", b"CryptImportPublicKeyInfo", b"CryptImportPublicKeyInfoEx", b"CryptImportPublicKeyInfoEx2", b"CryptInitOIDFunctionSet", b"CryptInstallDefaultContext", b"CryptInstallOIDFunctionAddress", b"CryptLoadSip", b"CryptMemAlloc", b"CryptMemFree", b"CryptMemRealloc", b"CryptMsgCalculateEncodedLength", b"CryptMsgClose", b"CryptMsgControl", b"CryptMsgCountersign", b"CryptMsgCountersignEncoded", b"CryptMsgDuplicate", b"CryptMsgEncodeAndSignCTL", b"CryptMsgGetAndVerifySigner", b"CryptMsgGetParam", b"CryptMsgOpenToDecode", b"CryptMsgOpenToEncode", b"CryptMsgSignCTL", b"CryptMsgUpdate", b"CryptMsgVerifyCountersignatureEncoded", b"CryptMsgVerifyCountersignatureEncodedEx", b"CryptProtectData", b"CryptProtectMemory", b"CryptQueryObject", b"CryptRegisterDefaultOIDFunction", b"CryptRegisterOIDFunction", b"CryptRegisterOIDInfo", b"CryptRetrieveTimeStamp", b"CryptSIPAddProvider", b"CryptSIPCreateIndirectData", b"CryptSIPGetSignedDataMsg", 
b"CryptSIPLoad", b"CryptSIPPutSignedDataMsg", b"CryptSIPRemoveProvider", b"CryptSIPRemoveSignedDataMsg", b"CryptSIPRetrieveSubjectGuid", b"CryptSIPRetrieveSubjectGuidForCatalogFile", b"CryptSIPVerifyIndirectData", b"CryptSetAsyncParam", b"CryptSetKeyIdentifierProperty", b"CryptSetOIDFunctionValue", b"CryptSetProviderU", b"CryptSignAndEncodeCertificate", b"CryptSignAndEncryptMessage", b"CryptSignCertificate", b"CryptSignHashU", b"CryptSignMessage", b"CryptSignMessageWithKey", b"CryptStringToBinaryA", b"CryptStringToBinaryW", b"CryptUninstallDefaultContext", b"CryptUnprotectData", b"CryptUnprotectMemory", b"CryptUnregisterDefaultOIDFunction", b"CryptUnregisterOIDFunction", b"CryptUnregisterOIDInfo", b"CryptUpdateProtectedState", b"CryptVerifyCertificateSignature", b"CryptVerifyCertificateSignatureEx", b"CryptVerifyDetachedMessageHash", b"CryptVerifyDetachedMessageSignature", b"CryptVerifyMessageHash", b"CryptVerifyMessageSignature", b"CryptVerifyMessageSignatureWithKey", b"CryptVerifySignatureU", b"CryptVerifyTimeStampSignature", b"I_CertDiagControl", b"I_CertProtectFunction", b"I_CertSrvProtectFunction", b"I_CertSyncStore", b"I_CertUpdateStore", b"I_CryptAddRefLruEntry", b"I_CryptAddSmartCardCertToStore", b"I_CryptAllocTls", b"I_CryptCreateLruCache", b"I_CryptCreateLruEntry", b"I_CryptDetachTls", b"I_CryptDisableLruOfEntries", b"I_CryptEnableLruOfEntries", b"I_CryptEnumMatchingLruEntries", b"I_CryptFindLruEntry", b"I_CryptFindLruEntryData", b"I_CryptFindSmartCardCertInStore", b"I_CryptFlushLruCache", b"I_CryptFreeLruCache", b"I_CryptFreeTls", b"I_CryptGetAsn1Decoder", b"I_CryptGetAsn1Encoder", b"I_CryptGetDefaultCryptProv", b"I_CryptGetDefaultCryptProvForEncrypt", b"I_CryptGetFileVersion", b"I_CryptGetLruEntryData", b"I_CryptGetLruEntryIdentifier", b"I_CryptGetOssGlobal", b"I_CryptGetTls", b"I_CryptInsertLruEntry", b"I_CryptInstallAsn1Module", b"I_CryptInstallOssGlobal", b"I_CryptReadTrustedPublisherDWORDValueFromRegistry", b"I_CryptRegisterSmartCardStore", 
b"I_CryptReleaseLruEntry", b"I_CryptRemoveLruEntry", b"I_CryptSetTls", b"I_CryptTouchLruEntry", b"I_CryptUninstallAsn1Module", b"I_CryptUninstallOssGlobal", b"I_CryptUnregisterSmartCardStore", b"I_CryptWalkAllLruCacheEntries", b"PFXExportCertStore", b"PFXExportCertStore2", b"PFXExportCertStoreEx", b"PFXImportCertStore", b"PFXIsPFXBlob", b"PFXVerifyPassword", b"RegCreateHKCUKeyExU", b"RegCreateKeyExU", b"RegDeleteValueU", b"RegEnumValueU", b"RegOpenHKCUKeyExU", b"RegOpenKeyExU", b"RegQueryInfoKeyU", b"RegQueryValueExU", b"RegSetValueExU", 31 | ] 32 | 33 | shlwapi_funcs = [ 34 | b"AssocCreate", b"AssocGetPerceivedType", b"AssocIsDangerous", b"AssocQueryKeyA", b"AssocQueryKeyW", b"AssocQueryStringA", b"AssocQueryStringByKeyA", b"AssocQueryStringByKeyW", b"AssocQueryStringW", b"ChrCmpIA", b"ChrCmpIW", b"ColorAdjustLuma", b"ColorHLSToRGB", b"ColorRGBToHLS", b"ConnectToConnectionPoint", b"DelayLoadFailureHook", b"DllGetVersion", b"GetAcceptLanguagesA", b"GetAcceptLanguagesW", b"GetMenuPosFromID", b"HashData", b"IStream_Copy", b"IStream_Read", b"IStream_ReadPidl", b"IStream_ReadStr", b"IStream_Reset", b"IStream_Size", b"IStream_Write", b"IStream_WritePidl", b"IStream_WriteStr", b"IUnknown_AtomicRelease", b"IUnknown_GetSite", b"IUnknown_GetWindow", b"IUnknown_QueryService", b"IUnknown_Set", b"IUnknown_SetSite", b"IntlStrEqWorkerA", b"IntlStrEqWorkerW", b"IsCharSpaceA", b"IsCharSpaceW", b"IsInternetESCEnabled", b"IsOS", b"MLFreeLibrary", b"MLLoadLibraryA", b"MLLoadLibraryW", b"ParseURLA", b"ParseURLW", b"PathAddBackslashA", b"PathAddBackslashW", b"PathAddExtensionA", b"PathAddExtensionW", b"PathAppendA", b"PathAppendW", b"PathBuildRootA", b"PathBuildRootW", b"PathCanonicalizeA", b"PathCanonicalizeW", b"PathCombineA", b"PathCombineW", b"PathCommonPrefixA", b"PathCommonPrefixW", b"PathCompactPathA", b"PathCompactPathExA", b"PathCompactPathExW", b"PathCompactPathW", b"PathCreateFromUrlA", b"PathCreateFromUrlAlloc", b"PathCreateFromUrlW", b"PathFileExistsA", b"PathFileExistsW", 
b"PathFindExtensionA", b"PathFindExtensionW", b"PathFindFileNameA", b"PathFindFileNameW", b"PathFindNextComponentA", b"PathFindNextComponentW", b"PathFindOnPathA", b"PathFindOnPathW", b"PathFindSuffixArrayA", b"PathFindSuffixArrayW", b"PathGetArgsA", b"PathGetArgsW", b"PathGetCharTypeA", b"PathGetCharTypeW", b"PathGetDriveNumberA", b"PathGetDriveNumberW", b"PathIsContentTypeA", b"PathIsContentTypeW", b"PathIsDirectoryA", b"PathIsDirectoryEmptyA", b"PathIsDirectoryEmptyW", b"PathIsDirectoryW", b"PathIsFileSpecA", b"PathIsFileSpecW", b"PathIsLFNFileSpecA", b"PathIsLFNFileSpecW", b"PathIsNetworkPathA", b"PathIsNetworkPathW", b"PathIsPrefixA", b"PathIsPrefixW", b"PathIsRelativeA", b"PathIsRelativeW", b"PathIsRootA", b"PathIsRootW", b"PathIsSameRootA", b"PathIsSameRootW", b"PathIsSystemFolderA", b"PathIsSystemFolderW", b"PathIsUNCA", b"PathIsUNCServerA", b"PathIsUNCServerShareA", b"PathIsUNCServerShareW", b"PathIsUNCServerW", b"PathIsUNCW", b"PathIsURLA", b"PathIsURLW", b"PathMakePrettyA", b"PathMakePrettyW", b"PathMakeSystemFolderA", b"PathMakeSystemFolderW", b"PathMatchSpecA", b"PathMatchSpecExA", b"PathMatchSpecExW", b"PathMatchSpecW", b"PathParseIconLocationA", b"PathParseIconLocationW", b"PathQuoteSpacesA", b"PathQuoteSpacesW", b"PathRelativePathToA", b"PathRelativePathToW", b"PathRemoveArgsA", b"PathRemoveArgsW", b"PathRemoveBackslashA", b"PathRemoveBackslashW", b"PathRemoveBlanksA", b"PathRemoveBlanksW", b"PathRemoveExtensionA", b"PathRemoveExtensionW", b"PathRemoveFileSpecA", b"PathRemoveFileSpecW", b"PathRenameExtensionA", b"PathRenameExtensionW", b"PathSearchAndQualifyA", b"PathSearchAndQualifyW", b"PathSetDlgItemPathA", b"PathSetDlgItemPathW", b"PathSkipRootA", b"PathSkipRootW", b"PathStripPathA", b"PathStripPathW", b"PathStripToRootA", b"PathStripToRootW", b"PathUnExpandEnvStringsA", b"PathUnExpandEnvStringsW", b"PathUndecorateA", b"PathUndecorateW", b"PathUnmakeSystemFolderA", b"PathUnmakeSystemFolderW", b"PathUnquoteSpacesA", b"PathUnquoteSpacesW", 
b"QISearch", b"SHAllocShared", b"SHAnsiToAnsi", b"SHAnsiToUnicode", b"SHAutoComplete", b"SHCopyKeyA", b"SHCopyKeyW", b"SHCreateMemStream", b"SHCreateShellPalette", b"SHCreateStreamOnFileA", b"SHCreateStreamOnFileEx", b"SHCreateStreamOnFileW", b"SHCreateStreamWrapper", b"SHCreateThread", b"SHCreateThreadRef", b"SHCreateThreadWithHandle", b"SHDeleteEmptyKeyA", b"SHDeleteEmptyKeyW", b"SHDeleteKeyA", b"SHDeleteKeyW", b"SHDeleteOrphanKeyA", b"SHDeleteOrphanKeyW", b"SHDeleteValueA", b"SHDeleteValueW", b"SHEnumKeyExA", b"SHEnumKeyExW", b"SHEnumValueA", b"SHEnumValueW", b"SHFormatDateTimeA", b"SHFormatDateTimeW", b"SHFreeShared", b"SHGetInverseCMAP", b"SHGetThreadRef", b"SHGetValueA", b"SHGetValueW", b"SHGetViewStatePropertyBag", b"SHIsChildOrSelf", b"SHIsLowMemoryMachine", b"SHLoadIndirectString", b"SHLockShared", b"SHMessageBoxCheckA", b"SHMessageBoxCheckW", b"SHOpenRegStream2A", b"SHOpenRegStream2W", b"SHOpenRegStreamA", b"SHOpenRegStreamW", b"SHPropertyBag_ReadStrAlloc", b"SHPropertyBag_WriteBSTR", b"SHQueryInfoKeyA", b"SHQueryInfoKeyW", b"SHQueryValueExA", b"SHQueryValueExW", b"SHRegCloseUSKey", b"SHRegCreateUSKeyA", b"SHRegCreateUSKeyW", b"SHRegDeleteEmptyUSKeyA", b"SHRegDeleteEmptyUSKeyW", b"SHRegDeleteUSValueA", b"SHRegDeleteUSValueW", b"SHRegDuplicateHKey", b"SHRegEnumUSKeyA", b"SHRegEnumUSKeyW", b"SHRegEnumUSValueA", b"SHRegEnumUSValueW", b"SHRegGetBoolUSValueA", b"SHRegGetBoolUSValueW", b"SHRegGetIntW", b"SHRegGetPathA", b"SHRegGetPathW", b"SHRegGetUSValueA", b"SHRegGetUSValueW", b"SHRegGetValueA", b"SHRegGetValueW", b"SHRegOpenUSKeyA", b"SHRegOpenUSKeyW", b"SHRegQueryInfoUSKeyA", b"SHRegQueryInfoUSKeyW", b"SHRegQueryUSValueA", b"SHRegQueryUSValueW", b"SHRegSetPathA", b"SHRegSetPathW", b"SHRegSetUSValueA", b"SHRegSetUSValueW", b"SHRegWriteUSValueA", b"SHRegWriteUSValueW", b"SHRegisterValidateTemplate", b"SHReleaseThreadRef", b"SHRunIndirectRegClientCommand", b"SHSendMessageBroadcastA", b"SHSendMessageBroadcastW", b"SHSetThreadRef", b"SHSetValueA", 
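b"SHSetValueW", b"SHSkipJunction", b"SHStrDupA", b"SHStrDupW", b"SHStripMneumonicA", b"SHStripMneumonicW", b"SHUnicodeToAnsi", b"SHUnicodeToUnicode", b"SHUnlockShared", b"ShellMessageBoxA", b"ShellMessageBoxW", b"StrCSpnA", b"StrCSpnIA", b"StrCSpnIW", b"StrCSpnW", b"StrCatBuffA", b"StrCatBuffW", b"StrCatChainW", b"StrCatW", b"StrChrA", b"StrChrIA", b"StrChrIW", b"StrChrNIW", b"StrChrNW", b"StrChrW", b"StrCmpCA", b"StrCmpCW", b"StrCmpICA", b"StrCmpICW", b"StrCmpIW", b"StrCmpLogicalW", b"StrCmpNA", b"StrCmpNCA", b"StrCmpNCW", b"StrCmpNIA", b"StrCmpNICA", b"StrCmpNICW", b"StrCmpNIW", b"StrCmpNW", b"StrCmpW", b"StrCpyNW", b"StrCpyW", b"StrDupA", b"StrDupW", b"StrFormatByteSize64A", b"StrFormatByteSizeA", b"StrFormatByteSizeEx", b"StrFormatByteSizeW", b"StrFormatKBSizeA", b"StrFormatKBSizeW", b"StrFromTimeIntervalA", b"StrFromTimeIntervalW", b"StrIsIntlEqualA", b"StrIsIntlEqualW", b"StrNCatA", b"StrNCatW", b"StrPBrkA", b"StrPBrkW", b"StrRChrA", b"StrRChrIA", b"StrRChrIW", b"StrRChrW", b"StrRStrIA", b"StrRStrIW", b"StrRetToBSTR", b"StrRetToBufA", b"StrRetToBufW", b"StrRetToStrA", b"StrRetToStrW", b"StrSpnA", b"StrSpnW", b"StrStrA", b"StrStrIA", b"StrStrIW", b"StrStrNIW", b"StrStrNW", b"StrStrW", b"StrToInt64ExA", b"StrToInt64ExW", b"StrToIntA", b"StrToIntExA", b"StrToIntExW", b"StrToIntW", b"StrTrimA", b"StrTrimW", b"UrlApplySchemeA", b"UrlApplySchemeW", b"UrlCanonicalizeA", b"UrlCanonicalizeW", b"UrlCombineA", b"UrlCombineW", b"UrlCompareA", b"UrlCompareW", b"UrlCreateFromPathA", b"UrlCreateFromPathW", b"UrlEscapeA", b"UrlEscapeW", b"UrlFixupW", b"UrlGetLocationA", b"UrlGetLocationW", b"UrlGetPartA", b"UrlGetPartW", b"UrlHashA", b"UrlHashW", b"UrlIsA", b"UrlIsNoHistoryA", b"UrlIsNoHistoryW", b"UrlIsOpaqueA", b"UrlIsOpaqueW", b"UrlIsW", b"UrlUnescapeA", b"UrlUnescapeW", b"WhichPlatform", b"wnsprintfA", b"wnsprintfW", b"wvnsprintfA",
]

# Constants taken from the analysed sample: the XOR key applied on top of
# CRC32(name), and the address whose callers are annotated below (presumably
# the sample's import-by-hash resolver -- confirm in the disassembly).
HASH_XOR_KEY = 0x0F0879796
RESOLVER_EA = 0x100530B


def api_hash(name):
    """Return the 32-bit lookup value for *name*: CRC32(name) XOR HASH_XOR_KEY."""
    return (binascii.crc32(name) ^ HASH_XOR_KEY) & 0xffffffff


# hash -> DLL name
dll_dict = dict()
for dll in dlls:
    dll_dict[api_hash(dll)] = dll

# hash -> exported function name, across every table defined above.
# The function hash is looked up without regard to the DLL hash, so two
# different names with the same 32-bit value would silently shadow each
# other; report that instead of guessing.
func_dict = dict()
all_funcs = list()
all_funcs.extend(ntdll_funcs)
all_funcs.extend(kernel32_funcs)
all_funcs.extend(advapi32_funcs)
all_funcs.extend(shell32_funcs)
all_funcs.extend(crypt32_funcs)
all_funcs.extend(shlwapi_funcs)
for func in all_funcs:
    hsh = api_hash(func)
    if hsh in func_dict and func_dict[hsh] != func:
        print("Hash collision 0x%08x: %s / %s" % (hsh, func_dict[hsh], func))
    func_dict[hsh] = func

# function name -> addresses of the "mov edx, <hash>" instructions that use it
func_refs = dict()

# NOTE(review): statement nesting below was reconstructed from a flattened
# listing; the bookkeeping after the function lookup is now done only for a
# resolved hash. Previously an unknown hash fell through and was recorded
# under whatever name `func` still held from an earlier iteration, which
# attributed the reference to the wrong API.
for ref in CodeRefsTo(RESOLVER_EA, False):
    found_ecx = False
    found_edx = False
    cur = ref
    # Walk backwards from the call until both argument registers are seen.
    while not (found_ecx and found_edx):
        cur = PrevHead(cur, 0)
        if cur == BADADDR:
            # Ran out of instructions: stop instead of looping forever.
            print("No ecx/edx setup found before 0x%08x" % ref)
            break
        if GetMnem(cur) != "mov":
            continue

        target = GetOpnd(cur, 0)
        is_immediate = GetOpType(cur, 1) == IMMEDIATE_TYPE

        if target == "ecx":
            # ecx carries the DLL hash.
            found_ecx = True
            if is_immediate:
                hsh = GetOperandValue(cur, 1)
                if hsh in dll_dict:
                    MakeComm(cur, dll_dict[hsh])
                else:
                    print("Unknown dll at 0x%08x" % cur)
        elif target == "edx":
            # edx carries the function hash.
            found_edx = True
            if is_immediate:
                hsh = GetOperandValue(cur, 1)
                if hsh in func_dict:
                    func = func_dict[hsh]
                    MakeComm(cur, func)
                    func_refs.setdefault(func, list()).append(cur)
                else:
                    # NOTE(review): an unknown hash usually means the name is
                    # missing from the tables above. Several table entries are
                    # two names fused together (for example
                    # b"SHBindToPareSHBrowseForFolder" and
                    # b"ILIsPareILLoadFromStream"), so those APIs cannot match.
                    print("Unknown func at 0x%08x" % cur)

# Separates the diagnostics above from the per-function summary below.
print("----------------------------------------------------------------")

for key, value in sorted(func_refs.items(), key=lambda kv: kv[0]):
    print(key + ": " + " ".join("0x%08x" % x for x in value))
--------------------------------------------------------------------------------
/filter_dionaea_db.py:
--------------------------------------------------------------------------------
#!/usr/bin/python

import threading
import sys
import argparse
import sqlite3
import re
from ipwhois import IPWhois
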
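#---------------------------------------------------------------------------------------------------

def get_key(item):
    """Sort key for (remote_host, connection_count) rows: highest count first."""
    return -item[1]

#---------------------------------------------------------------------------------------------------

def print_usage(argv0):
    """Print the usage banner. `argv0` is accepted but not used."""
    print "Usage: "

#---------------------------------------------------------------------------------------------------

# State shared by the worker threads; every read-modify-write goes through do_isp_lock.
to_remove = []
count = 0
do_isp_lock = threading.Lock()

def do_isp_routine(rows, isp, total, tid):
    """Worker thread: WHOIS every host in `rows` and collect the ones that belong to `isp`.

    rows  -- (remote_host, connection_count) tuples assigned to this worker
    isp   -- lower-cased substring searched for in each WHOIS network name
    total -- number of hosts across all workers, used only for the progress line
    tid   -- worker index, used only in the output

    Matching hosts are appended to the module-level `to_remove` list.
    """
    global to_remove, do_isp_lock, count

    local_to_remove = []
    for row in rows:
        ip = str(row[0])
        try:
            # The IPWhois object is built inside the try as well, so an address the
            # library rejects does not end the worker and leave the rest of its
            # partition unchecked.
            res = IPWhois(ip).lookup_whois(False)
            for net in res['nets']:
                name = net['name']
                if name is not None and isp in name.lower():
                    local_to_remove.append(ip)
                    break  # one matching network is enough; avoids duplicate entries
        except Exception as e:
            # Best effort: a host whose lookup fails is simply kept in the database.
            # Report it instead of hiding it, so an incomplete run is visible.
            with do_isp_lock:
                sys.stderr.write("%d: whois lookup failed for %s: %s\n" % (tid, ip, e))

        with do_isp_lock:
            count += 1
            print "%d: %d out of %d (%d%%)" % (tid, count, total, count*100/total)

    if local_to_remove:
        with do_isp_lock:
            to_remove.extend(local_to_remove)

#---------------------------------------------------------------------------------------------------

def do_isp(conn, isp_original, n_threads=10):
    """Delete the connections of every remote host whose WHOIS network name contains the ISP name.

    Only hosts that look like dotted IPv4 addresses and have more than one recorded
    connection are looked up. The match is a case-insensitive substring test, so a
    short `isp_original` can match more networks than intended; the list of hosts is
    printed and nothing is deleted until the operator types 'yes'.

    Rows are removed from the `connections` table only. This function does not touch
    any other table, so take a copy of the database first if the records may be
    needed later.
    """
    global to_remove, count

    isp = isp_original.lower()
    expr = re.compile(r"^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$")

    c = conn.cursor()

    to_remove = []
    count = 0

    c.execute("SELECT remote_host, count(*) FROM connections GROUP BY remote_host")
    rows = [row for row in c.fetchall() if row[1] > 1 and expr.match(str(row[0]))]
    rows = sorted(rows, key=get_key)

    n_threads = max(1, n_threads)
    # Ceiling division, so the partitions cover every row even when len(rows) is not
    # a multiple of n_threads (plain integer division would leave the remainder
    # unchecked).
    partition_size = (len(rows) + n_threads - 1) // n_threads

    threads = []
    for i in range(0, n_threads):
        part = rows[i * partition_size : (i+1) * partition_size]
        if not part:
            break
        threads.append(threading.Thread(target=do_isp_routine, args=(part, isp, len(rows), i)))

    for t in threads:
        t.start()

    for t in threads:
        t.join()

    print "IPs found:"
    if not to_remove:
        print "None!"
        return

    print to_remove

    s = raw_input("Confirm deleting curresponding connections? (type 'yes') ")
    if s == "yes":
        print "Filtering db..."
        for ip in to_remove:
            c.execute("DELETE FROM connections WHERE remote_host=?", (ip,))
        conn.commit()
    else:
        print "No action taken"

#---------------------------------------------------------------------------------------------------

def do_lport(conn, lport):
    """Delete every connection whose local_port equals `lport`, after the operator types 'yes'."""
    c = conn.cursor()
    s = raw_input("Confirm deleting curresponding connections? (type 'yes') ")
    if s == "yes":
        c.execute("DELETE FROM connections WHERE local_port=?", (lport,))
        conn.commit()
    else:
        print "No action taken"

#---------------------------------------------------------------------------------------------------

if __name__ == "__main__" :
    parser = argparse.ArgumentParser(sys.argv[0])
    parser.add_argument("db_file", action="store")
    parser.add_argument("--lport", action="store", type=int)
    parser.add_argument("--isp", action="store")

    args = parser.parse_args(sys.argv[1:])

    conn = sqlite3.connect(args.db_file)
    try:
        do_something = False
        if args.isp is not None:
            do_isp(conn, args.isp)
            do_something = True

        if args.lport is not None:
            do_lport(conn, args.lport)
            do_something = True

        if not do_something:
            parser.print_help()
    finally:
        # Close the handle even when a filter raises.
        conn.close()

--------------------------------------------------------------------------------
/pastebin_scraper/README.md: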
-------------------------------------------------------------------------------- 1 | # Usage 2 | 3 | Fill in the missing data in the configuration file and rename it to config.yml. 4 | From the tool's directory, run: 5 | 6 | python scraper.py 7 | 8 | Note: the database file is already set up correctly, but if something goes wrong just delete it and recreate it using: 9 | 10 | sqlite3 -init db_script.sql database.sqlite 11 | -------------------------------------------------------------------------------- /pastebin_scraper/binaries/sample: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mauronz/malware_analysis/d16edf2cad1ea15552d66d7c77285a9a0015f1a8/pastebin_scraper/binaries/sample -------------------------------------------------------------------------------- /pastebin_scraper/config.yml.default: -------------------------------------------------------------------------------- 1 | scraper: 2 | monitor_user: *username* 3 | monitor_pwd: *password* 4 | vt_key: *API key* 5 | naming_av1: GData 6 | naming_av2: F-Secure 7 | -------------------------------------------------------------------------------- /pastebin_scraper/database.sqlite: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mauronz/malware_analysis/d16edf2cad1ea15552d66d7c77285a9a0015f1a8/pastebin_scraper/database.sqlite -------------------------------------------------------------------------------- /pastebin_scraper/db_script.sql: -------------------------------------------------------------------------------- 1 | CREATE TABLE Binaries ( 2 | sha256 VARCHAR(64) NOT NULL, 3 | positives INTEGER, 4 | total INTEGER, 5 | name1 TEXT, 6 | name2 TEXT, 7 | scan_url TEXT, 8 | PRIMARY KEY (sha256) 9 | ); 10 | 11 | 12 | CREATE TABLE Dumps ( 13 | id VARCHAR(10) NOT NULL, 14 | time TEXT, 15 | sha256 VARCHAR(64), 16 | PRIMARY KEY (id), 17 | FOREIGN KEY (sha256) REFERENCES Binaries(sha256) 
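18 | );
19 |
--------------------------------------------------------------------------------
/pastebin_scraper/find_cc.py:
--------------------------------------------------------------------------------
import os
import re

# Both patterns look for text in which every character is followed by a NUL byte
# (how ASCII text looks when stored as UTF-16LE).
url_re = re.compile("([a-zA-Z0-9]\x00)+\.\x00([a-zA-Z0-9]\x00)+\.\x00([a-zA-Z]\x00){2,3}")
# NOTE(review): this pattern has three dot-separated groups of two or three digits,
# so a printed match covers at most three octets -- confirm whether a full dotted
# quad was intended.
ip_re = re.compile("([0-2]\x00)?([0-9]\x00){2}\.\x00([0-2]\x00)?([0-9]\x00){2}\.\x00([0-2]\x00)?([0-9]\x00){2}")

for name in os.listdir("binaries/"):
    print name
    # The samples are executables: read them in binary mode so that no newline
    # translation alters the bytes, and close the handle when done.
    with open("binaries/" + name, "rb") as f:
        data = f.read()
    #urls = url_re.findall(data)
    #if len(urls) > 0:
    #    print urls
    #    print "\tURLs:"
    #    for url in urls:
    #        print "\t\t" + url.replace("\x00", "")
    # Only the first match of each pattern is reported.
    res = url_re.search(data)
    if res is not None:
        print "\t" + res.group().replace("\x00", "")

    res = ip_re.search(data)
    if res is not None:
        print "\t" + res.group().replace("\x00", "")

--------------------------------------------------------------------------------
/pastebin_scraper/scraper.py:
--------------------------------------------------------------------------------
import re
import mechanize
import hashlib
import os.path
import requests
import time
import sqlite3
import yaml
import binascii
import urllib2
from bs4 import BeautifulSoup
from dateutil import parser

# Number of VirusTotal requests sent since the last pause.
req_count = 0


def _vt_throttle():
    """Count one VirusTotal request, sleeping 65 seconds first once four have been sent."""
    global req_count
    if req_count == 4:
        req_count = 0
        time.sleep(65)
    req_count += 1


def vt_add_comment(code):
    """Post the fixed "found in pastebin" comment on the VirusTotal resource `code`."""
    _vt_throttle()
    params = {'apikey': VT_KEY, 'resource': code, 'comment': "Found as a base64 encoded string in #pastebin using #pastemonitor"}
    requests.post('https://www.virustotal.com/vtapi/v2/comments/put', params=params)


def vt_send_file(filename):
    """Upload binaries/<filename> to VirusTotal for scanning and return the scan id."""
    _vt_throttle()
    params = {'apikey': VT_KEY}
    # The with-block closes the sample file once the upload has finished.
    with open("binaries/" + filename, 'rb') as sample:
        files = {'file': ("from_pastebin", sample)}
        response = requests.post('https://www.virustotal.com/vtapi/v2/file/scan', files=files, params=params)
    json_response = response.json()

    return json_response["scan_id"]


def vt_request_report(code):
    """Fetch the VirusTotal file report for the resource `code` and return the decoded JSON."""
    _vt_throttle()
    params = {'apikey': VT_KEY, 'resource': code}
    headers = { "Accept-Encoding": "gzip, deflate", "User-Agent" : "gzip, My Python requests library example client or username" }
    response = requests.get('https://www.virustotal.com/vtapi/v2/file/report', params=params, headers=headers)
    json_response = response.json()

    return json_response


def analyze_vt(hsh, conn):
    """Poll VirusTotal for the sample with SHA-256 `hsh` until a report exists, then store it.

    Response code 0 (unknown file) triggers one upload of binaries/<hsh>; code -2
    (still queued) just waits; code 1 inserts the detection counts, the two
    configured vendor names and the permalink into the Binaries table. Any other
    code ends the polling with a message. The loop sleeps 30 seconds between
    polls and has no upper bound on the number of polls.
    """
    c = conn.cursor()

    is_new = False
    while True:
        report = vt_request_report(hsh)
        code = report["response_code"]
        if code == 0:
            # Upload once only: the report can stay "unknown" for a while after the
            # upload, and re-sending the sample on every poll would use up the
            # request quota.
            if not is_new:
                vt_send_file(hsh)
                is_new = True
        elif code == 1:
            print "\tDetection: %d/%d" % (report["positives"], report["total"])
            name1 = ""
            name2 = ""
            if NAMING_AV1 in report["scans"]:
                name1 = report["scans"][NAMING_AV1]["result"]
                print "\tName: %s (%s)" % (name1, NAMING_AV1)
            if NAMING_AV2 in report["scans"]:
                name2 = report["scans"][NAMING_AV2]["result"]
                print "\tName: %s (%s)" % (name2, NAMING_AV2)

            c.execute("INSERT INTO Binaries(sha256, positives, total, name1, name2, scan_url) VALUES (?, ?, ?, ?, ?, ?)", (hsh, report["positives"], report["total"], name1, name2, report["permalink"]))
            conn.commit()

            if is_new:
                vt_add_comment(hsh)
            break
        elif code != -2:
            print "Unknow response code from VT: %d" % code
            break

        print "Report in queue"
        time.sleep(30)


def _record_false_positive(conn, url_id, when, data):
    """Keep the raw paste under invalid/ and mark the dump as FALSE_POSITIVE in the Dumps table."""
    with open("invalid/" + url_id, "w") as f:
        f.write(data)
    conn.cursor().execute("INSERT INTO Dumps(id, time, sha256) VALUES(?, ?, ?)", (url_id, when, "FALSE_POSITIVE"))
    conn.commit()


def analyze_page(br, conn):
    """Process every archive link on the page currently loaded in the browser `br`.

    Each link not yet present in the Dumps table is fetched and base64-decoded.
    Content that does not decode, or does not start with "MZ", is stored under
    invalid/ and recorded as FALSE_POSITIVE. Anything else is written to
    binaries/<sha256> (unless that file already exists) and recorded in Dumps.

    Returns the SHA-256 hex digests of the files newly written to binaries/.
    """
    hashes = []

    reg = re.compile("^/archive/a/.+$")
    c = conn.cursor()

    times = []
    soup = BeautifulSoup(br.response().read(), "html.parser")
    for tag in soup.find_all("span", class_="specific-time"):
        date = parser.parse(tag["title"])
        times.append("%d-%02d-%02d %02d:%02d:00" % (date.year, date.month, date.day, date.hour, date.minute))

    for idx, link in enumerate(br.links(url_regex=reg)):
        # Drop the leading "/archive/a/" (11 characters).
        url_id = link.url[11:]

        # url_id is taken from the scraped page and is used as a file name below.
        # Accept only a bare name, so that a link containing directory components
        # cannot make the scraper write outside invalid/.
        if os.path.basename(url_id) != url_id or url_id in (".", ".."):
            print "Skipping link with unexpected id: %s" % (link.url)
            continue

        # NOTE(review): assumes one "specific-time" span per archive link, in the
        # same order. The index follows the link position, so links that are
        # already in the database do not shift the timestamps of later ones.
        when = times[idx] if idx < len(times) else None

        c.execute("SELECT COUNT(*) FROM Dumps WHERE id=?", (url_id,))
        if int(c.fetchone()[0]) != 0:
            continue

        try:
            resp = br.follow_link(link)
            data = resp.get_data()
            with open("cur_bas64.txt", "w") as f:
                f.write(data)

            try:
                binary = data.decode("base64")
            except binascii.Error:
                print "Error decoding link %s" % (link.url)
                _record_false_positive(conn, url_id, when, data)
                br.back()
                continue

            if binary[0:2] != "MZ":
                print "False positive %s" % (link.url)
                _record_false_positive(conn, url_id, when, data)
                br.back()
                continue

            hsh = hashlib.sha256(binary).hexdigest()
            if not os.path.exists("binaries/" + hsh):
                print "New file: %s" % hsh
                # Binary mode: in text mode some platforms translate newline bytes,
                # and the stored sample would no longer match its SHA-256 name.
                with open("binaries/" + hsh, "wb") as f:
                    f.write(binary)

                hashes.append(hsh)
            else:
                print "Already seen: %s" % hsh

            c.execute("INSERT INTO Dumps(id, time, sha256) VALUES(?, ?, ?)", (url_id, when, hsh))
            conn.commit()

            br.back()
        except urllib2.HTTPError:
            # The paste could not be fetched; leave it unrecorded so that a later
            # run tries it again.
            pass

    return hashes


if __name__ == "__main__":

    # config.yml holds the pastemonitor password and the VirusTotal API key in clear
    # text: keep it out of version control and readable only by the account that
    # runs the scraper.
    # safe_load is used because the file only needs plain scalars and mappings; it
    # does not construct arbitrary Python objects from YAML tags.
    with open("config.yml", 'r') as ymlfile:
        cfg = yaml.safe_load(ymlfile)
    MONITOR_USER = cfg["scraper"]["monitor_user"]
    MONITOR_PWD = cfg["scraper"]["monitor_pwd"]
    VT_KEY = cfg["scraper"]["vt_key"]
    NAMING_AV1 = cfg["scraper"]["naming_av1"]
    NAMING_AV2 = cfg["scraper"]["naming_av2"]

    # The loop body ends with a break, so a single pass is made.
    while True:
        conn = sqlite3.connect("database.sqlite")

        br = mechanize.Browser()
        br.open("https://www.pastemonitor.com/account/login")
        form = br.forms()[0]
        br.form = form
        form["username"] = MONITOR_USER
        form["password"] = MONITOR_PWD
        resp = br.submit()
        # Landing on the login URL again is taken as a rejected login.
        if resp.geturl() == "https://www.pastemonitor.com/account/login":
            print "Error: Wrong credentials for pastemonitor"
            exit()

        #hashes = []

        cur_page = 1
        while True:
            #hashes += analyze_page(br, conn)
            analyze_page(br, conn)
            try:
                link = br.find_link(url="/portal/i?p=%d" % (cur_page+1))
                br.follow_link(link)
                cur_page += 1
            except mechanize.LinkNotFoundError:
                break

        #print "Pastemonitor scan completed: %d new samples" % len(hashes)
        print "Pastemonitor scan completed"
        print
        print "Starting the analysis of new samples..."

        # Every recorded sample that has no VirusTotal result stored yet. The marker
        # value is written as an SQL string literal (single quotes).
        c = conn.cursor()
        c.execute("SELECT DISTINCT sha256 FROM Dumps WHERE sha256<>'FALSE_POSITIVE' AND sha256 NOT IN (SELECT sha256 FROM Binaries)")

        hashes = [row[0] for row in c.fetchall()]

        for i, hsh in enumerate(hashes):
            print "Sample %d of %d" % (i+1, len(hashes))
            analyze_vt(hsh, conn)
            print

        conn.close()
        break

--------------------------------------------------------------------------------
/whack_a_proc/README.md:
--------------------------------------------------------------------------------
1 | # whack-a-proc
2 |
3 | moved to: https://github.com/mauronz/whack_a_proc
4 |
--------------------------------------------------------------------------------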