├── .gitattributes
├── .gitignore
├── Bins
├── P2S_x64.exe
└── P2S_x86.exe
├── PE2Shellcode.sln
├── PE2Shellcode
├── PE2Shellcode.rc
├── PE2Shellcode.vcxproj
├── PE2Shellcode.vcxproj.filters
├── PePacket.cpp
├── PePacket.h
├── ProccessData.cpp
├── ProccessData.h
├── main.cpp
├── resource.h
├── x64.bin
└── x86.bin
├── PELoader
├── PELoader.vcxproj
├── PELoader.vcxproj.filters
├── Readme.md
├── Source.cpp
├── func.asm
├── mapfile
├── mapfile64
└── order.txt
├── Readme.md
├── Test
├── Test.vcxproj
├── Test.vcxproj.filters
└── main.cpp
└── TestBin
├── TestBin.vcxproj
├── TestBin.vcxproj.filters
└── main.cpp
/.gitattributes:
--------------------------------------------------------------------------------
1 | ###############################################################################
2 | # Set default behavior to automatically normalize line endings.
3 | ###############################################################################
4 | * text=auto
5 |
6 | ###############################################################################
7 | # Set default behavior for command prompt diff.
8 | #
9 | # This is need for earlier builds of msysgit that does not have it on by
10 | # default for csharp files.
11 | # Note: This is only used by command line
12 | ###############################################################################
13 | #*.cs diff=csharp
14 |
15 | ###############################################################################
16 | # Set the merge driver for project and solution files
17 | #
18 | # Merging from the command prompt will add diff markers to the files if there
19 | # are conflicts (Merging from VS is not affected by the settings below, in VS
20 | # the diff markers are never inserted). Diff markers may cause the following
21 | # file extensions to fail to load in VS. An alternative would be to treat
22 | # these files as binary and thus will always conflict and require user
23 | # intervention with every merge. To do so, just uncomment the entries below
24 | ###############################################################################
25 | #*.sln merge=binary
26 | #*.csproj merge=binary
27 | #*.vbproj merge=binary
28 | #*.vcxproj merge=binary
29 | #*.vcproj merge=binary
30 | #*.dbproj merge=binary
31 | #*.fsproj merge=binary
32 | #*.lsproj merge=binary
33 | #*.wixproj merge=binary
34 | #*.modelproj merge=binary
35 | #*.sqlproj merge=binary
36 | #*.wwaproj merge=binary
37 |
38 | ###############################################################################
39 | # behavior for image files
40 | #
41 | # image files are treated as binary by default.
42 | ###############################################################################
43 | #*.jpg binary
44 | #*.png binary
45 | #*.gif binary
46 |
47 | ###############################################################################
48 | # diff behavior for common document formats
49 | #
50 | # Convert binary document formats to text before diffing them. This feature
51 | # is only available from the command line. Turn it on by uncommenting the
52 | # entries below.
53 | ###############################################################################
54 | #*.doc diff=astextplain
55 | #*.DOC diff=astextplain
56 | #*.docx diff=astextplain
57 | #*.DOCX diff=astextplain
58 | #*.dot diff=astextplain
59 | #*.DOT diff=astextplain
60 | #*.pdf diff=astextplain
61 | #*.PDF diff=astextplain
62 | #*.rtf diff=astextplain
63 | #*.RTF diff=astextplain
64 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 |
4 | # User-specific files
5 | *.suo
6 | *.user
7 | *.userosscache
8 | *.sln.docstates
9 |
10 | # User-specific files (MonoDevelop/Xamarin Studio)
11 | *.userprefs
12 |
13 | # Build results
14 | [Dd]ebug/
15 | [Dd]ebugPublic/
16 | [Rr]elease/
17 | [Rr]eleases/
18 | x64/
19 | x86/
20 | bld/
21 | [Bb]in/
22 | [Oo]bj/
23 | [Ll]og/
24 |
25 | # Visual Studio 2015 cache/options directory
26 | .vs/
27 | # Uncomment if you have tasks that create the project's static files in wwwroot
28 | #wwwroot/
29 |
30 | # MSTest test Results
31 | [Tt]est[Rr]esult*/
32 | [Bb]uild[Ll]og.*
33 |
34 | # NUNIT
35 | *.VisualState.xml
36 | TestResult.xml
37 |
38 | # Build Results of an ATL Project
39 | [Dd]ebugPS/
40 | [Rr]eleasePS/
41 | dlldata.c
42 |
43 | # DNX
44 | project.lock.json
45 | project.fragment.lock.json
46 | artifacts/
47 |
48 | *_i.c
49 | *_p.c
50 | *_i.h
51 | *.ilk
52 | *.meta
53 | *.obj
54 | *.pch
55 | *.pdb
56 | *.pgc
57 | *.pgd
58 | *.rsp
59 | *.sbr
60 | *.tlb
61 | *.tli
62 | *.tlh
63 | *.tmp
64 | *.tmp_proj
65 | *.log
66 | *.vspscc
67 | *.vssscc
68 | .builds
69 | *.pidb
70 | *.svclog
71 | *.scc
72 |
73 | # Chutzpah Test files
74 | _Chutzpah*
75 |
76 | # Visual C++ cache files
77 | ipch/
78 | *.aps
79 | *.ncb
80 | *.opendb
81 | *.opensdf
82 | *.sdf
83 | *.cachefile
84 | *.VC.db
85 | *.VC.VC.opendb
86 |
87 | # Visual Studio profiler
88 | *.psess
89 | *.vsp
90 | *.vspx
91 | *.sap
92 |
93 | # TFS 2012 Local Workspace
94 | $tf/
95 |
96 | # Guidance Automation Toolkit
97 | *.gpState
98 |
99 | # ReSharper is a .NET coding add-in
100 | _ReSharper*/
101 | *.[Rr]e[Ss]harper
102 | *.DotSettings.user
103 |
104 | # JustCode is a .NET coding add-in
105 | .JustCode
106 |
107 | # TeamCity is a build add-in
108 | _TeamCity*
109 |
110 | # DotCover is a Code Coverage Tool
111 | *.dotCover
112 |
113 | # NCrunch
114 | _NCrunch_*
115 | .*crunch*.local.xml
116 | nCrunchTemp_*
117 |
118 | # MightyMoose
119 | *.mm.*
120 | AutoTest.Net/
121 |
122 | # Web workbench (sass)
123 | .sass-cache/
124 |
125 | # Installshield output folder
126 | [Ee]xpress/
127 |
128 | # DocProject is a documentation generator add-in
129 | DocProject/buildhelp/
130 | DocProject/Help/*.HxT
131 | DocProject/Help/*.HxC
132 | DocProject/Help/*.hhc
133 | DocProject/Help/*.hhk
134 | DocProject/Help/*.hhp
135 | DocProject/Help/Html2
136 | DocProject/Help/html
137 |
138 | # Click-Once directory
139 | publish/
140 |
141 | # Publish Web Output
142 | *.[Pp]ublish.xml
143 | *.azurePubxml
144 | # TODO: Comment the next line if you want to checkin your web deploy settings
145 | # but database connection strings (with potential passwords) will be unencrypted
146 | #*.pubxml
147 | *.publishproj
148 |
149 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
150 | # checkin your Azure Web App publish settings, but sensitive information contained
151 | # in these scripts will be unencrypted
152 | PublishScripts/
153 |
154 | # NuGet Packages
155 | *.nupkg
156 | # The packages folder can be ignored because of Package Restore
157 | **/packages/*
158 | # except build/, which is used as an MSBuild target.
159 | !**/packages/build/
160 | # Uncomment if necessary however generally it will be regenerated when needed
161 | #!**/packages/repositories.config
162 | # NuGet v3's project.json files produces more ignoreable files
163 | *.nuget.props
164 | *.nuget.targets
165 |
166 | # Microsoft Azure Build Output
167 | csx/
168 | *.build.csdef
169 |
170 | # Microsoft Azure Emulator
171 | ecf/
172 | rcf/
173 |
174 | # Windows Store app package directories and files
175 | AppPackages/
176 | BundleArtifacts/
177 | Package.StoreAssociation.xml
178 | _pkginfo.txt
179 |
180 | # Visual Studio cache files
181 | # files ending in .cache can be ignored
182 | *.[Cc]ache
183 | # but keep track of directories ending in .cache
184 | !*.[Cc]ache/
185 |
186 | # Others
187 | ClientBin/
188 | ~$*
189 | *~
190 | *.dbmdl
191 | *.dbproj.schemaview
192 | *.jfm
193 | *.pfx
194 | *.publishsettings
195 | node_modules/
196 | orleans.codegen.cs
197 |
198 | # Since there are multiple workflows, uncomment next line to ignore bower_components
199 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
200 | #bower_components/
201 |
202 | # RIA/Silverlight projects
203 | Generated_Code/
204 |
205 | # Backup & report files from converting an old project file
206 | # to a newer Visual Studio version. Backup files are not needed,
207 | # because we have git ;-)
208 | _UpgradeReport_Files/
209 | Backup*/
210 | UpgradeLog*.XML
211 | UpgradeLog*.htm
212 |
213 | # SQL Server files
214 | *.mdf
215 | *.ldf
216 |
217 | # Business Intelligence projects
218 | *.rdl.data
219 | *.bim.layout
220 | *.bim_*.settings
221 |
222 | # Microsoft Fakes
223 | FakesAssemblies/
224 |
225 | # GhostDoc plugin setting file
226 | *.GhostDoc.xml
227 |
228 | # Node.js Tools for Visual Studio
229 | .ntvs_analysis.dat
230 |
231 | # Visual Studio 6 build log
232 | *.plg
233 |
234 | # Visual Studio 6 workspace options file
235 | *.opt
236 |
237 | # Visual Studio LightSwitch build output
238 | **/*.HTMLClient/GeneratedArtifacts
239 | **/*.DesktopClient/GeneratedArtifacts
240 | **/*.DesktopClient/ModelManifest.xml
241 | **/*.Server/GeneratedArtifacts
242 | **/*.Server/ModelManifest.xml
243 | _Pvt_Extensions
244 |
245 | # Paket dependency manager
246 | .paket/paket.exe
247 | paket-files/
248 |
249 | # FAKE - F# Make
250 | .fake/
251 |
252 | # JetBrains Rider
253 | .idea/
254 | *.sln.iml
255 |
256 | # CodeRush
257 | .cr/
258 |
259 | # Python Tools for Visual Studio (PTVS)
260 | __pycache__/
261 | *.pyc
--------------------------------------------------------------------------------
/Bins/P2S_x64.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r00tkiter/PE2Shellcode/28c510994a77c7976a64b44877849b8d6e893037/Bins/P2S_x64.exe
--------------------------------------------------------------------------------
/Bins/P2S_x86.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r00tkiter/PE2Shellcode/28c510994a77c7976a64b44877849b8d6e893037/Bins/P2S_x86.exe
--------------------------------------------------------------------------------
/PE2Shellcode.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 15
4 | VisualStudioVersion = 15.0.28307.902
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "PE2Shellcode", "PE2Shellcode\PE2Shellcode.vcxproj", "{E1A5BE0D-F978-45C7-BEF3-8F010D65EA82}"
7 | EndProject
8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "PELoader", "PELoader\PELoader.vcxproj", "{1BFE8FDC-A162-4ACA-9964-535BC853DD9F}"
9 | EndProject
10 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Test", "Test\Test.vcxproj", "{0B7FEBF4-FBCE-46E7-B864-398625233D5C}"
11 | EndProject
12 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "TestBin", "TestBin\TestBin.vcxproj", "{4A4DA453-788F-4D22-9A09-2134143DA1E3}"
13 | EndProject
14 | Global
15 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
16 | Debug|x64 = Debug|x64
17 | Debug|x86 = Debug|x86
18 | Release|x64 = Release|x64
19 | Release|x86 = Release|x86
20 | EndGlobalSection
21 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
22 | {E1A5BE0D-F978-45C7-BEF3-8F010D65EA82}.Debug|x64.ActiveCfg = Debug|x64
23 | {E1A5BE0D-F978-45C7-BEF3-8F010D65EA82}.Debug|x64.Build.0 = Debug|x64
24 | {E1A5BE0D-F978-45C7-BEF3-8F010D65EA82}.Debug|x86.ActiveCfg = Debug|Win32
25 | {E1A5BE0D-F978-45C7-BEF3-8F010D65EA82}.Debug|x86.Build.0 = Debug|Win32
26 | {E1A5BE0D-F978-45C7-BEF3-8F010D65EA82}.Release|x64.ActiveCfg = Release|x64
27 | {E1A5BE0D-F978-45C7-BEF3-8F010D65EA82}.Release|x64.Build.0 = Release|x64
28 | {E1A5BE0D-F978-45C7-BEF3-8F010D65EA82}.Release|x86.ActiveCfg = Release|Win32
29 | {E1A5BE0D-F978-45C7-BEF3-8F010D65EA82}.Release|x86.Build.0 = Release|Win32
30 | {1BFE8FDC-A162-4ACA-9964-535BC853DD9F}.Debug|x64.ActiveCfg = Debug|x64
31 | {1BFE8FDC-A162-4ACA-9964-535BC853DD9F}.Debug|x64.Build.0 = Debug|x64
32 | {1BFE8FDC-A162-4ACA-9964-535BC853DD9F}.Debug|x86.ActiveCfg = Debug|Win32
33 | {1BFE8FDC-A162-4ACA-9964-535BC853DD9F}.Debug|x86.Build.0 = Debug|Win32
34 | {1BFE8FDC-A162-4ACA-9964-535BC853DD9F}.Release|x64.ActiveCfg = Release|x64
35 | {1BFE8FDC-A162-4ACA-9964-535BC853DD9F}.Release|x64.Build.0 = Release|x64
36 | {1BFE8FDC-A162-4ACA-9964-535BC853DD9F}.Release|x86.ActiveCfg = Release|Win32
37 | {1BFE8FDC-A162-4ACA-9964-535BC853DD9F}.Release|x86.Build.0 = Release|Win32
38 | {0B7FEBF4-FBCE-46E7-B864-398625233D5C}.Debug|x64.ActiveCfg = Debug|x64
39 | {0B7FEBF4-FBCE-46E7-B864-398625233D5C}.Debug|x64.Build.0 = Debug|x64
40 | {0B7FEBF4-FBCE-46E7-B864-398625233D5C}.Debug|x86.ActiveCfg = Debug|Win32
41 | {0B7FEBF4-FBCE-46E7-B864-398625233D5C}.Debug|x86.Build.0 = Debug|Win32
42 | {0B7FEBF4-FBCE-46E7-B864-398625233D5C}.Release|x64.ActiveCfg = Release|x64
43 | {0B7FEBF4-FBCE-46E7-B864-398625233D5C}.Release|x64.Build.0 = Release|x64
44 | {0B7FEBF4-FBCE-46E7-B864-398625233D5C}.Release|x86.ActiveCfg = Release|Win32
45 | {0B7FEBF4-FBCE-46E7-B864-398625233D5C}.Release|x86.Build.0 = Release|Win32
46 | {4A4DA453-788F-4D22-9A09-2134143DA1E3}.Debug|x64.ActiveCfg = Debug|x64
47 | {4A4DA453-788F-4D22-9A09-2134143DA1E3}.Debug|x64.Build.0 = Debug|x64
48 | {4A4DA453-788F-4D22-9A09-2134143DA1E3}.Debug|x86.ActiveCfg = Debug|Win32
49 | {4A4DA453-788F-4D22-9A09-2134143DA1E3}.Debug|x86.Build.0 = Debug|Win32
50 | {4A4DA453-788F-4D22-9A09-2134143DA1E3}.Release|x64.ActiveCfg = Release|x64
51 | {4A4DA453-788F-4D22-9A09-2134143DA1E3}.Release|x64.Build.0 = Release|x64
52 | {4A4DA453-788F-4D22-9A09-2134143DA1E3}.Release|x86.ActiveCfg = Release|Win32
53 | {4A4DA453-788F-4D22-9A09-2134143DA1E3}.Release|x86.Build.0 = Release|Win32
54 | EndGlobalSection
55 | GlobalSection(SolutionProperties) = preSolution
56 | HideSolutionNode = FALSE
57 | EndGlobalSection
58 | GlobalSection(ExtensibilityGlobals) = postSolution
59 | SolutionGuid = {AF919E2B-7D17-417B-9C97-56573C7C3D3B}
60 | EndGlobalSection
61 | EndGlobal
62 |
--------------------------------------------------------------------------------
/PE2Shellcode/PE2Shellcode.rc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r00tkiter/PE2Shellcode/28c510994a77c7976a64b44877849b8d6e893037/PE2Shellcode/PE2Shellcode.rc
--------------------------------------------------------------------------------
/PE2Shellcode/PE2Shellcode.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 15.0
23 | {E1A5BE0D-F978-45C7-BEF3-8F010D65EA82}
24 | Win32Proj
25 | PE2Shellcode
26 | 10.0.18362.0
27 | PE2Shellcode
28 |
29 |
30 |
31 | Application
32 | true
33 | v141
34 | Unicode
35 |
36 |
37 | Application
38 | false
39 | v141
40 | true
41 | Unicode
42 |
43 |
44 | Application
45 | true
46 | v141
47 | Unicode
48 |
49 |
50 | Application
51 | false
52 | v141
53 | true
54 | Unicode
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 | true
76 |
77 |
78 | true
79 |
80 |
81 | false
82 |
83 |
84 | false
85 |
86 |
87 |
88 | Level3
89 | Disabled
90 | true
91 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
92 | true
93 | MultiThreaded
94 |
95 |
96 | true
97 | Console
98 |
99 |
100 |
101 |
102 | Level3
103 | Disabled
104 | true
105 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
106 | true
107 |
108 |
109 | true
110 | Console
111 |
112 |
113 |
114 |
115 | Level3
116 | MaxSpeed
117 | true
118 | true
119 | true
120 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
121 | true
122 | MultiThreaded
123 |
124 |
125 | true
126 | true
127 | false
128 | Console
129 |
130 |
131 |
132 |
133 | Level3
134 | MaxSpeed
135 | true
136 | true
137 | true
138 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
139 | true
140 | MultiThreaded
141 |
142 |
143 | true
144 | true
145 | false
146 | Console
147 |
148 |
149 |
150 |
151 |
152 |
153 |
154 |
155 |
156 |
157 |
158 |
159 |
160 |
161 |
162 |
163 |
164 |
165 |
166 |
167 |
168 |
169 |
--------------------------------------------------------------------------------
/PE2Shellcode/PE2Shellcode.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | 源文件
20 |
21 |
22 | 源文件
23 |
24 |
25 | 源文件
26 |
27 |
28 |
29 |
30 | 头文件
31 |
32 |
33 | 头文件
34 |
35 |
36 | 头文件
37 |
38 |
39 |
40 |
41 | 资源文件
42 |
43 |
44 |
45 |
46 | 资源文件
47 |
48 |
49 | 资源文件
50 |
51 |
52 |
--------------------------------------------------------------------------------
/PE2Shellcode/PePacket.cpp:
--------------------------------------------------------------------------------
1 | #include "PePacket.h"
2 | #include "ProccessData.h"
3 | #include "resource.h"
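// Builds an empty packer: no paths, no buffers, no options selected.
//
// Every member that can later reach the output file is given a defined value
// here. customHead and rc4Key are copied verbatim into the generated header by
// PacthCustomHead(), and flag1/compressSize/flag2/rc4Size are only assigned by
// ProcessData() when the matching option is enabled. Without the zeroing below,
// a stack-allocated CPePacket would write indeterminate bytes into the header.
// headSize is not set here because the class declaration gives it a default
// member initialiser.
CPePacket::CPePacket()
{
    srcExePath = NULL;
    targetBinPath = NULL;

    rc4Flag = FALSE;
    cmpFlag = FALSE;

    data = NULL;
    head = NULL;
    shellcode = NULL;

    dataSize = 0;
    shellSize = 0;

    memset(&customHead, 0, sizeof(customHead));
    memset(rc4Key, 0, sizeof(rc4Key));
}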
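// Releases the three heap buffers owned by the packer and clears the sizes.
//
// data, head and shellcode are all allocated with new char[n] elsewhere in
// this file, so they must be released with delete[]; plain delete on an array
// allocation is undefined behaviour. delete[] on NULL is a no-op, so no guard
// is needed.
CPePacket::~CPePacket()
{
    delete[] data;
    data = NULL;

    delete[] head;
    head = NULL;

    delete[] shellcode;
    shellcode = NULL;

    dataSize = 0;
    headSize = 0;
    shellSize = 0;
}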
31 |
32 |
// Reads the command line into the packer's settings.
//
// argv[1] is taken as the source EXE path and argv[2] as the output path; the
// pointers are stored as-is, not copied. Any further argument equal to "-r"
// turns on RC4 and "-c" turns on compression; other arguments are ignored.
// Returns 0 when both positional arguments are present, otherwise prints the
// usage text and returns 1.
int CPePacket::ParsePara(int argc, wchar_t ** argv)
{
    // Program name plus two positional arguments are the minimum.
    if (argc <= 2)
    {
        printf("Used : PE2Shellcode.exe [output path] [-?]\n");
        printf("[-r] Rc4 encrypt\n");
        printf("[-c] Compress PE file\n");
        return 1;
    }

    srcExePath = argv[1];
    targetBinPath = argv[2];

    // Everything after the two paths is treated as an option switch.
    for (int idx = 3; idx < argc; ++idx)
    {
        const wchar_t *opt = argv[idx];

        // wcscmp() == 0 already implies an exact two-character match.
        if (wcscmp(opt, L"-r") == 0)
        {
            rc4Flag = true;
        }
        else if (wcscmp(opt, L"-c") == 0)
        {
            cmpFlag = true;
        }
    }

    return 0;
}
60 |
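// Checks that the loaded file is a native EXE whose machine type matches the
// bitness of this build.
//
// Despite the name and the BOOL return type, the result follows the convention
// of the other steps in GenerateShellCode(): 0 means the file is accepted,
// 1 means it was rejected (a message is printed for every rejection).
//
// The buffer comes straight from a file on disk, so each header is checked to
// lie inside [data, data + dataSize) before any of its fields are read. The
// section-table range is validated as well because GetCustomHead() zeroes
// everything in front of it and records NumberOfSections in the output header.
BOOL CPePacket::IsExeFile()
{
#ifdef _WIN64
    int bit = 64;
#else
    int bit = 32;
#endif

    // The DOS header must fit before e_magic / e_lfanew can be trusted.
    if (data == NULL || dataSize < (int)sizeof(IMAGE_DOS_HEADER))
    {
        printf("[!] The file is not PE file.\n");
        return 1;
    }

    PIMAGE_DOS_HEADER pDos = (PIMAGE_DOS_HEADER)data;
    if (pDos->e_magic != IMAGE_DOS_SIGNATURE)
    {
        printf("[!] The file is not PE file.\n");
        return 1;
    }

    // e_lfanew is a signed offset taken from the file; reject negative values
    // and anything that would place the NT headers past the end of the buffer.
    if (pDos->e_lfanew < 0 ||
        pDos->e_lfanew > dataSize - (int)sizeof(IMAGE_NT_HEADERS))
    {
        printf("[!] The file is not PE file.\n");
        return 1;
    }

    PIMAGE_NT_HEADERS pNt = (PIMAGE_NT_HEADERS)(data + pDos->e_lfanew);
    if (pNt->Signature != IMAGE_NT_SIGNATURE)
    {
        printf("[!] The file is not PE file.\n");
        return 1;
    }

    // SizeOfOptionalHeader and NumberOfSections are file-controlled, so the
    // section table they describe must also lie inside the buffer.
    size_t sectionOffset = (size_t)((char *)IMAGE_FIRST_SECTION(pNt) - (char *)data);
    size_t sectionBytes = (size_t)pNt->FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER);
    if (sectionOffset > (size_t)dataSize ||
        sectionBytes > (size_t)dataSize - sectionOffset)
    {
        printf("[!] The file is not PE file.\n");
        return 1;
    }

    if ((pNt->FileHeader.Characteristics & IMAGE_FILE_DLL) == IMAGE_FILE_DLL)
    {
        printf("[!] DLL file is not supported.\n");
        return 1;
    }

    // A non-zero COM descriptor directory marks a managed (.NET) image.
    DWORD offsetDonet = pNt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress;
    if (offsetDonet)
    {
        printf("[!] .NET applications are not supported.\n");
        return 1;
    }

    if (pNt->FileHeader.Machine == IMAGE_FILE_MACHINE_I386 && bit == 32)
    {
        return 0;
    }
    else if ((pNt->FileHeader.Machine == IMAGE_FILE_MACHINE_IA64 ||
              pNt->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64) && bit == 64)
    {
        return 0;
    }

    printf("[!] Bits of PE file is not match.\n");
    return 1;
}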
111 |
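// Loads the whole source file into a freshly allocated `data` buffer and sets
// dataSize to the number of bytes actually read.
//
// Returns 0 on success, otherwise a non-zero Win32 error code.
//
// Changes from the earlier version:
//  - the file is opened read-only; the handle is never written to, and asking
//    for write access made read-only inputs fail to open;
//  - the result of GetFileSize() is validated (error, empty file, or a size
//    that does not fit the int-typed dataSize) before it sizes the allocation;
//  - bytes are read straight into `data`, with each request capped at the
//    space that remains, so the copy can never run past the allocation.
int CPePacket::ReadFileContent()
{
    int Result = 0;
    HANDLE hFile = INVALID_HANDLE_VALUE;

    do
    {
        hFile = CreateFileW(srcExePath, GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
        if (hFile == INVALID_HANDLE_VALUE)
        {
            Result = GetLastError();
            printf("[-] Open src file failed.ErrorCode:%d\n", Result);
            break;
        }

        DWORD sizeHigh = 0;
        DWORD filesize = GetFileSize(hFile, &sizeHigh);
        if (filesize == INVALID_FILE_SIZE)
        {
            // With a non-NULL high part, INVALID_FILE_SIZE is only an error
            // when GetLastError() says so.
            DWORD sizeErr = GetLastError();
            if (sizeErr != NO_ERROR)
            {
                Result = (int)sizeErr;
                printf("[-] Get file size failed.ErrorCode:%d\n", Result);
                break;
            }
        }

        // dataSize is an int, so the file must be non-empty and below 2 GiB.
        if (sizeHigh != 0 || filesize == 0 || filesize > 0x7FFFFFFF)
        {
            Result = ERROR_INVALID_DATA;
            printf("[-] Src file is empty or too large.\n");
            break;
        }

        // Drop any buffer left from a previous call before reallocating.
        delete[] data;
        data = NULL;
        dataSize = 0;
        data = new char[filesize];

        while ((DWORD)dataSize < filesize)
        {
            DWORD dwReadBytes = 0;
            if (!ReadFile(hFile, data + dataSize, filesize - (DWORD)dataSize, &dwReadBytes, NULL))
            {
                Result = GetLastError();
                printf("[-] ReadFile failed.ErrorCode:%d\n", Result);
                break;
            }
            if (dwReadBytes == 0)
                break; // end of file reached early; dataSize holds what was read
            dataSize += (int)dwReadBytes;
        }
    } while (FALSE);

    if (hFile != INVALID_HANDLE_VALUE)
        CloseHandle(hFile);

    return Result;
}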
154 |
// Writes the output file as three consecutive pieces: the loader stub
// (shellcode), the custom header (head), then the processed PE bytes (data).
//
// Returns 0 on success or the Win32 error code of the step that failed.
// An existing file at targetBinPath is overwritten (CREATE_ALWAYS).
int CPePacket::CreateBinFile()
{
    HANDLE hOut = CreateFileW(targetBinPath, GENERIC_READ | GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
    if (hOut == INVALID_HANDLE_VALUE)
    {
        int openErr = GetLastError();
        printf("[-] Create bin file failed. ErrorCode:%d\n", openErr);
        return openErr;
    }

    int status = 0;
    DWORD written = 0;

    // Stop at the first failing write so GetLastError() refers to that call.
    BOOL ok = WriteFile(hOut, shellcode, shellSize, &written, NULL);
    if (ok)
        ok = WriteFile(hOut, head, headSize, &written, NULL);
    if (ok)
        ok = WriteFile(hOut, data, dataSize, &written, NULL);

    if (!ok)
    {
        status = GetLastError();
        printf("[-] Write bin file failed. ErrorCode:%d\n", status);
    }

    CloseHandle(hOut);
    return status;
}
187 |
188 |
// Copies the fields the custom header needs out of the PE headers, then wipes
// the original DOS/NT headers from the buffer.
//
// No bounds checks are done here: the function trusts that `data` holds a PE
// image whose headers fit in the buffer. GenerateShellCode() calls IsExeFile()
// immediately before this step.
// Always returns 0.
int CPePacket::GetCustomHead()
{
    PIMAGE_DOS_HEADER dosHdr = (PIMAGE_DOS_HEADER)data;
    PIMAGE_NT_HEADERS ntHdr = (PIMAGE_NT_HEADERS)(data + dosHdr->e_lfanew);
    const IMAGE_DATA_DIRECTORY *dirs = ntHdr->OptionalHeader.DataDirectory;

    // File-level facts.
    customHead.size = dataSize;
    customHead.numberOfSection = ntHdr->FileHeader.NumberOfSections;
    customHead.offsetSection = (DA)((char *)IMAGE_FIRST_SECTION(ntHdr) - (char *)data);

    // Values taken from the optional header and its data directories.
    customHead.imageAddr = ntHdr->OptionalHeader.ImageBase;
    customHead.entryPoint = ntHdr->OptionalHeader.AddressOfEntryPoint;
    customHead.offsetImportTable = dirs[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    customHead.offsetRelocation = dirs[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress;

    // Zero everything in front of the section table (DOS and NT headers).
    // dosHdr/ntHdr/dirs point into this range and must not be used afterwards.
    memset(data, 0, customHead.offsetSection);
    return 0;
}
207 |
// Runs the whole conversion pipeline and prints whether it succeeded.
//
// The steps run in a fixed order and each returns non-zero on failure; the
// || chain stops at the first failing step, so later steps never see state a
// failed step left behind.
// NOTE: the return value is 0 on both paths; the outcome is only reported on
// stdout.
int CPePacket::GenerateShellCode()
{
    const bool failed =
        ReadFileContent() ||
        IsExeFile() ||
        GetCustomHead() ||
        ProcessData() ||
        GetResourceFile() ||
        PacthCustomHead() ||
        CreateBinFile();

    const char *verdict = failed ? "[-] Generate failed.\n" : "[+] Generate success.\n";
    printf("%s", verdict);

    return 0;
}
230 |
// Applies the optional transforms to the PE buffer: compression first, then
// RC4. Each transform that runs sets its flag and records the resulting size
// in customHead. Returns 0 on success and 1 if a transform reports failure.
int CPePacket::ProcessData()
{
    if (cmpFlag)
    {
        // In-place call: `data` is both source and destination, and dataSize
        // is passed by reference so it comes back as the compressed size.
        if (CProcsData::CompressData(data, dataSize, data, dataSize) != 0)
        {
            printf("[-] Compress PE failed.\n");
            return 1;
        }
        customHead.flag1 = 1;
        customHead.compressSize = dataSize;
    }

    if (rc4Flag)
    {
        // Rc4Encrypt fills rc4Key itself and transforms the buffer in place.
        if (CProcsData::Rc4Encrypt(data, dataSize, rc4Key, RC4_KEY_SIZE) != 0)
        {
            printf("[-] Rc4 encrypt failed.\n");
            return 1;
        }
        customHead.flag2 = 1;
        customHead.rc4Size = dataSize;
    }

    return 0;
}
264 |
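// Copies the embedded loader stub (resource type "BIN", IDR_BIN2 on 64-bit
// builds, IDR_BIN1 otherwise) out of this executable into `shellcode` and
// records its length in shellSize.
//
// Returns 0 on success, non-zero on failure.
//
// Changes from the earlier version:
//  - each failed step now stops the sequence; previously the code printed the
//    error and carried on, ending in memcpy() from a NULL resource pointer;
//  - a failure always yields a non-zero result, even when GetLastError()
//    reports 0 for the failing call;
//  - the inner `dwSize` no longer shadows an unused outer one;
//  - the GlobalUnlock() call is gone: the HGLOBAL returned by LoadResource()
//    is not a global-memory handle and resources need no unlocking.
int CPePacket::GetResourceFile()
{
    int Result = 0;

    do
    {
#ifdef _WIN64
        HRSRC hRsrc = FindResource(NULL, MAKEINTRESOURCE(IDR_BIN2), L"BIN");
#else
        HRSRC hRsrc = FindResource(NULL, MAKEINTRESOURCE(IDR_BIN1), L"BIN");
#endif // _WIN64

        if (hRsrc == NULL)
        {
            Result = GetLastError();
            printf("[-] Find resource failed. ErrCode:%d\n", Result);
            if (Result == 0)
                Result = 1;
            break;
        }

        DWORD dwSize = SizeofResource(NULL, hRsrc);
        if (dwSize == 0)
        {
            Result = GetLastError();
            printf("[-] Get resource size failed. ErrCode:%d\n", Result);
            if (Result == 0)
                Result = 1;
            break;
        }

        HGLOBAL hGlobal = LoadResource(NULL, hRsrc);
        if (hGlobal == NULL)
        {
            Result = GetLastError();
            printf("[-] Load resource failed. ErrCode:%d\n", Result);
            if (Result == 0)
                Result = 1;
            break;
        }

        LPVOID pBuffer = LockResource(hGlobal);
        if (pBuffer == NULL)
        {
            Result = GetLastError();
            printf("[-] Lock resource failed. ErrCode:%d\n", Result);
            if (Result == 0)
                Result = 1;
            break;
        }

        // Replace any stub left from a previous call.
        delete[] shellcode;
        shellcode = NULL;
        shellSize = 0;

        shellcode = new char[dwSize];
        memcpy(shellcode, pBuffer, dwSize);
        shellSize = dwSize;

    } while (FALSE);

    return Result;
}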
323 |
324 |
// Assembles the header that sits between the loader stub and the PE bytes:
//   [8-byte marker][CustomHead][rc4Key]
//
// The marker is the constant byte sequence aa bb cc dd 01 01 01 01, so every
// file this tool produces carries the same eight bytes at this position. The
// RC4 key is stored right after the struct in clear, whether or not RC4 was
// requested.
// Always returns 0.
int CPePacket::PacthCustomHead()
{
    unsigned char sign[] = { '\xaa','\xbb', '\xcc', '\xdd', '\x01', '\x01', '\x01', '\x01'};

    head = new char[headSize];

    // Walk a cursor through the buffer instead of recomputing each offset.
    char *cursor = head;

    memcpy(cursor, sign, 8);
    cursor += 8;

    memcpy(cursor, &customHead, sizeof(CustomHead));
    cursor += sizeof(CustomHead);

    memcpy(cursor, rc4Key, sizeof(rc4Key));
    return 0;
}
335 |
--------------------------------------------------------------------------------
/PE2Shellcode/PePacket.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | #include
4 | #include
5 | #include
6 | #include
7 | /*
8 | shellcode struct
9 |
10 | +------------+
11 | | PE Load |
12 | +------------+
13 | | Head | <--- sign + struct CustomHead + rc4key
14 | +------------+
15 | | |
16 | | exe |
17 | | |
18 | +------------+
19 |
20 | */
// CustomHead is the metadata record that PacthCustomHead() memcpy()s verbatim
// into the generated file, directly after the 8-byte marker. It is declared
// under 1-byte packing. Every field is pointer-width for the build: QWORD when
// _WIN64 is defined, DWORD otherwise, so the 32-bit and 64-bit tools emit
// headers of different sizes.
#pragma pack(push, 1)
#ifdef _WIN64
typedef ULONG64 QWORD;
// DA: integer type used for the section-table offset cast in GetCustomHead().
typedef QWORD DA;
typedef struct CustomHead
{
    QWORD size; // byte count of the input file as read (set before compression / RC4)
    QWORD offsetSection; // offset of the first section header from the start of the file
    QWORD numberOfSection; // FileHeader.NumberOfSections
    QWORD offsetRelocation; // VirtualAddress of the base-relocation data directory
    QWORD imageAddr; // OptionalHeader.ImageBase
    QWORD offsetImportTable; // VirtualAddress of the import data directory
    QWORD entryPoint; // OptionalHeader.AddressOfEntryPoint
    QWORD flag1; // set to 1 by ProcessData() when the data was compressed
    QWORD compressSize; // data size after compression (only set when flag1 is set)
    QWORD flag2; // set to 1 by ProcessData() when the data was RC4-processed
    QWORD rc4Size; // data size at the time RC4 was applied (only set when flag2 is set)
}*pCustomHead;
#else
// DA: integer type used for the section-table offset cast in GetCustomHead().
typedef DWORD DA;
typedef struct CustomHead
{
    DWORD size; // byte count of the input file as read (set before compression / RC4)
    DWORD offsetSection; // offset of the first section header from the start of the file
    DWORD numberOfSection; // FileHeader.NumberOfSections
    DWORD offsetRelocation; // VirtualAddress of the base-relocation data directory
    DWORD imageAddr; // OptionalHeader.ImageBase
    DWORD offsetImportTable; // VirtualAddress of the import data directory
    DWORD entryPoint; // OptionalHeader.AddressOfEntryPoint
    DWORD flag1; // set to 1 by ProcessData() when the data was compressed
    DWORD compressSize; // data size after compression (only set when flag1 is set)
    DWORD flag2; // set to 1 by ProcessData() when the data was RC4-processed
    DWORD rc4Size; // data size at the time RC4 was applied (only set when flag2 is set)
}*pCustomHead;
#endif // _WIN64
#pragma pack(pop)

// Length in bytes of the constant marker written at the start of the header.
#define SIGN_SIZE 8
// Length in bytes of the RC4 key stored after CustomHead in the header.
#define RC4_KEY_SIZE 16
60 |
// Converts one PE executable into a single blob laid out as
// loader stub + header + (optionally compressed / RC4-processed) PE bytes.
// Typical use: ParsePara() followed by GenerateShellCode().
// Unless noted, the int-returning steps return 0 on success and non-zero on
// failure.
class CPePacket
{
public:
    CPePacket();
    ~CPePacket();


    // Stores the source/output paths and the -r / -c switches from argv.
    int ParsePara(int argc, wchar_t ** argv);

    // Header sanity check. Returns 0 when the file is accepted and 1 when it
    // is rejected, i.e. the opposite of what the name and BOOL type suggest.
    BOOL IsExeFile();

    // Reads the source file into `data` / `dataSize`.
    int ReadFileContent();

    // Writes shellcode, head and data, in that order, to the output path.
    int CreateBinFile();

    // Builds `head` from the marker, customHead and rc4Key.
    int PacthCustomHead();

    // Fills customHead from the PE headers, then zeroes those headers in `data`.
    int GetCustomHead();

    // Runs all steps in order and prints the outcome; always returns 0.
    int GenerateShellCode();

    // Applies compression and/or RC4 to `data` according to the flags.
    int ProcessData();

    // Copies the embedded loader stub resource into `shellcode`.
    int GetResourceFile();

private:
    // Borrowed pointers into argv; not owned and not freed by this class.
    wchar_t *srcExePath;
    wchar_t *targetBinPath;

    BOOL rc4Flag; // -r given
    BOOL cmpFlag; // -c given

    char * head; // header buffer, allocated in PacthCustomHead()
    int headSize = SIGN_SIZE + RC4_KEY_SIZE + sizeof(CustomHead);
    char * data; // PE bytes, allocated in ReadFileContent()
    int dataSize;
    char * shellcode; // loader stub, allocated in GetResourceFile()
    int shellSize;
    unsigned char rc4Key[RC4_KEY_SIZE]; // filled by CProcsData::Rc4Encrypt()
    CustomHead customHead; // declared directly after rc4Key
};
102 |
--------------------------------------------------------------------------------
/PE2Shellcode/ProccessData.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include "ProccessData.h"
5 |
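// Generates a keySize-byte alphanumeric key into rc4Key and applies RC4 to the
// `size` bytes at `org` in place. Returns 0 on success, 1 on invalid arguments.
//
// Fixes relative to the earlier version:
//  - the key-generation loop stopped on `i > keySize`, so it stored
//    keySize + 1 bytes and wrote one byte past the caller's key array; in
//    CPePacket that byte lands in the member declared right after rc4Key;
//  - the key schedule indexed the key with a hard-coded 16 instead of keySize;
//  - arguments are validated (a keySize of 0 would divide by zero in the
//    key schedule);
//  - the data loop compared an unsigned counter against the signed `size`.
//
// NOTE(review): the key comes from rand() seeded with the current time and is
// written next to the data in the output header (see
// CPePacket::PacthCustomHead), so this step obscures the payload but does not
// keep it confidential from anyone holding the file.
int CProcsData::Rc4Encrypt(char * org, int size, unsigned char * rc4Key, int keySize)
{
    if (org == NULL || rc4Key == NULL || keySize <= 0 || size < 0)
        return 1;

    // create key: keep drawing until keySize characters from [0-9A-Za-z] are stored
    srand((int)time(0));
    int filled = 0;
    while (filled < keySize)
    {
        unsigned char r = rand() % 255;
        if ((0x30 <= r && r <= 0x39) || (0x41 <= r && r <= 0x5a) || (0x61 <= r && r <= 0x7a))
        {
            rc4Key[filled++] = r;
        }
    }

    unsigned char box[256];
    unsigned int index_i = 0;
    unsigned int index_j = 0;

    // init box
    for (int i = 0; i < 256; i++)
    {
        box[i] = (unsigned char)i;
    }

    // key schedule
    int j = 0;
    unsigned char tmp;
    for (int i = 0; i < 256; i++)
    {
        j = (j + box[i] + rc4Key[i % keySize]) % 256;
        tmp = box[i];
        box[i] = box[j];
        box[j] = tmp;
    }

    // keystream generation, XORed over the buffer in place
    for (int k = 0; k < size; k++)
    {
        index_i = (index_i + 1) % 256;
        index_j = (index_j + box[index_i]) % 256;

        tmp = box[index_i];
        box[index_i] = box[index_j];
        box[index_j] = tmp;

        unsigned int r = (box[index_i] + box[index_j]) % 256;
        org[k] ^= box[r];
    }
    return 0;
}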
55 |
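// Compresses `size` bytes at `src` with LZNT1 (maximum engine) through the
// ntdll routines RtlGetCompressionWorkSpaceSize / RtlCompressBuffer, resolved
// at run time. On success the compressed bytes are copied to retData and
// retSize receives their length. Returns 0 on success, non-zero on failure.
//
// The output is staged in a temporary buffer of `size` bytes, so the call
// fails if the data does not shrink, and retData may alias src (the caller in
// this project passes the same buffer for both).
//
// Fixes relative to the earlier version:
//  - the status of RtlGetCompressionWorkSpaceSize is checked before its
//    outputs are used to size an allocation;
//  - arguments are validated;
//  - both temporaries are released with delete[] to match new[];
//  - the workspace size and the final compressed size no longer share one
//    variable.
int CProcsData::CompressData(char * src, int size, char * retData, int & retSize)
{
    DWORD dwCompressionFormat = COMPRESSION_FORMAT_LZNT1 | COMPRESSION_ENGINE_MAXIMUM;
    DWORD workspaceSize = 0;
    DWORD unKnow = 0;
    DWORD finalSize = 0;

    if (src == NULL || retData == NULL || size <= 0)
    {
        printf("[-] Compress PE failed.\n");
        return 1;
    }

    HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
    pRtlCompressBuffer f_RtlCompressBuffer = NULL;
    pRtlGetCompressionWorkSpaceSize f_RelGetCompressionWorkApacesize = NULL;
    if (hNtdll != NULL)
    {
        f_RtlCompressBuffer = (pRtlCompressBuffer)GetProcAddress(hNtdll, "RtlCompressBuffer");
        f_RelGetCompressionWorkApacesize = (pRtlGetCompressionWorkSpaceSize)GetProcAddress(hNtdll, "RtlGetCompressionWorkSpaceSize");
    }
    if (f_RtlCompressBuffer == NULL || f_RelGetCompressionWorkApacesize == NULL)
    {
        printf("[-] Get Function failed.\n");
        return 1;
    }

    DWORD ret = f_RelGetCompressionWorkApacesize(dwCompressionFormat, &workspaceSize, &unKnow);
    if (ret != 0)
    {
        printf("[-] Compress PE failed.\n");
        return ret;
    }

    char *tempMem = new char[workspaceSize];
    char *tempData = new char[size];

    // NOTE(review): the sixth argument is the second output of
    // RtlGetCompressionWorkSpaceSize, kept as in the original call; the
    // documented meaning of that parameter is the uncompressed chunk size,
    // so confirm this value is intended.
    ret = f_RtlCompressBuffer(
        dwCompressionFormat,
        src,
        size,
        tempData,
        size,
        unKnow,
        &finalSize,
        tempMem
    );

    if (ret == 0)
    {
        // finalSize cannot exceed `size`, the capacity given for tempData.
        retSize = finalSize;
        memcpy(retData, tempData, retSize);
    }
    else
    {
        printf("[-] Compress PE failed.\n");
    }

    delete[] tempMem;
    delete[] tempData;
    return ret;
}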
103 |
--------------------------------------------------------------------------------
/PE2Shellcode/ProccessData.h:
--------------------------------------------------------------------------------
1 | #pragma once
// Function-pointer type for ntdll!RtlCompressBuffer, which CompressData()
// resolves with GetProcAddress. The DWORD result is compared against 0 for
// success by the caller.
typedef DWORD(__stdcall *pRtlCompressBuffer)(
    IN ULONG CompressionFormat,
    IN PVOID SourceBuffer,
    IN ULONG SourceBufferLength,
    OUT PVOID DestinationBuffer,
    IN ULONG DestinationBufferLength,
    IN ULONG Unknown, // documented by Microsoft as UncompressedChunkSize
    OUT PULONG pDestinationSize,
    IN PVOID WorkspaceBuffer);


// Function-pointer type for ntdll!RtlGetCompressionWorkSpaceSize, resolved the
// same way. pNeededBufferSize receives the workspace size that CompressData()
// allocates for RtlCompressBuffer.
typedef DWORD(__stdcall *pRtlGetCompressionWorkSpaceSize)(
    IN ULONG CompressionFormat,
    OUT PULONG pNeededBufferSize,
    OUT PULONG pUnknown); // documented by Microsoft as CompressFragmentWorkSpaceSize

// Buffer transforms used by CPePacket::ProcessData(). Both return 0 on success.
namespace CProcsData
{

    // Generates a key into rc4Key (keySize bytes) and RC4-processes org[0..size) in place.
    int Rc4Encrypt(char * org, int size, unsigned char * rc4Key, int keySize);

    // LZNT1-compresses org[0..size) into retData and stores the new length in retSize.
    int CompressData(char *org, int size, char * retData ,int & retSize);
}
--------------------------------------------------------------------------------
/PE2Shellcode/main.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
4 | #include "PePacket.h"
5 |
// Entry point: parse the command line, then run the conversion.
// The process exit code is 0 in every case; ParsePara() prints the usage text
// on bad arguments and GenerateShellCode() prints its own success/failure line.
int wmain(int argc, wchar_t * argv[])
{
    CPePacket packer;

    const int badArgs = packer.ParsePara(argc, argv);
    if (badArgs)
    {
        printf("Invaild para\n");
        exit(0);
    }

    packer.GenerateShellCode();
    return 0;
}
--------------------------------------------------------------------------------
/PE2Shellcode/resource.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r00tkiter/PE2Shellcode/28c510994a77c7976a64b44877849b8d6e893037/PE2Shellcode/resource.h
--------------------------------------------------------------------------------
/PE2Shellcode/x64.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r00tkiter/PE2Shellcode/28c510994a77c7976a64b44877849b8d6e893037/PE2Shellcode/x64.bin
--------------------------------------------------------------------------------
/PE2Shellcode/x86.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r00tkiter/PE2Shellcode/28c510994a77c7976a64b44877849b8d6e893037/PE2Shellcode/x86.bin
--------------------------------------------------------------------------------
/PELoader/PELoader.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 15.0
23 | {1BFE8FDC-A162-4ACA-9964-535BC853DD9F}
24 | Win32Proj
25 | PELoader
26 | 10.0.18362.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v141
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v141
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v141
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v141
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 | true
75 |
76 |
77 | true
78 |
79 |
80 | false
81 |
82 |
83 | false
84 |
85 |
86 |
87 | Level3
88 | MinSpace
89 | false
90 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
91 | true
92 | false
93 | false
94 | true
95 | true
96 | OnlyExplicitInline
97 | Default
98 |
99 |
100 | true
101 | Console
102 | true
103 | true
104 | mapfile
105 | order.txt
106 |
107 |
108 |
109 |
110 | Level3
111 | MinSpace
112 | false
113 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
114 | true
115 | false
116 | Default
117 | false
118 | OnlyExplicitInline
119 | true
120 | false
121 | EditAndContinue
122 | true
123 |
124 |
125 | true
126 | Console
127 | true
128 | true
129 | mapfile64
130 | order.txt
131 |
132 |
133 |
134 |
135 | Level3
136 | MaxSpeed
137 | true
138 | true
139 | true
140 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
141 | true
142 |
143 |
144 | true
145 | true
146 | true
147 | Console
148 |
149 |
150 |
151 |
152 | Level3
153 | MaxSpeed
154 | true
155 | true
156 | true
157 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
158 | true
159 |
160 |
161 | true
162 | true
163 | true
164 | Console
165 |
166 |
167 |
168 |
169 |
170 |
171 |
172 | true
173 | Document
174 |
175 |
176 |
177 |
178 | ml64 /Fo $(IntDir)%(fileName).obj /c %(fileName).asm
179 | $(IntDir)%(fileName).obj
180 |
181 |
182 |
183 |
184 |
185 |
--------------------------------------------------------------------------------
/PELoader/PELoader.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | 源文件
20 |
21 |
22 |
23 |
24 | 资源文件
25 |
26 |
27 |
--------------------------------------------------------------------------------
/PELoader/Readme.md:
--------------------------------------------------------------------------------
1 | # PELoader
2 |
3 | This is the source code of the binary embedded in the program. The PE loader is not written in pure assembly; it is generated by Visual Studio 2017 and then extracted. For the extraction method, see the references below.
4 |
5 | PS: you can try writing it in pure assembly, which would reduce the size of the shellcode further.
6 |
7 | ## Reference
8 |
9 |
10 |
11 |
--------------------------------------------------------------------------------
/PELoader/Source.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 |
// Header that ReadFileContent() overlays on the bytes following the 8-byte
// marker. pack(1) removes padding so the struct can be cast straight onto
// the byte stream. The per-field notes describe how the functions in this
// file use each value; no field is range-checked before it is used.
5 | #pragma pack(push, 1)
6 | #ifdef _WIN64
7 | typedef ULONG64 QWORD;
8 | typedef QWORD DA; // pointer-sized integer used for address arithmetic
9 | typedef struct CustomHead
10 | {
11 | QWORD size;//PE size; DeCompress() allocates and decompresses into this many bytes
12 | QWORD offsetSection; // offset from the payload buffer to the IMAGE_SECTION_HEADER array
13 | QWORD numberOfSection; // number of section headers at offsetSection
14 | QWORD offsetRelocation; // offset from the mapped base to the relocation blocks; 0 makes Reloaction() return at once
15 | QWORD imageAddr; // preferred base: first VirtualAlloc address and reference for the relocation delta
16 | QWORD offsetImportTable; // offset from the mapped base to the IMAGE_IMPORT_DESCRIPTOR array
17 | QWORD entryPoint; // offset from the mapped base that Run() calls
18 | QWORD flag1; // non-zero: func() calls DeCompress()
19 | QWORD compressSize; // compressed length handed to RtlDecompressBuffer
20 | QWORD flag2; // non-zero: func() calls Rc4Decrypt()
21 | QWORD rc4Size; // number of bytes Rc4Decrypt() processes
22 |
23 | }*pCustomHead;
24 | #else
// 32-bit build: same fields in the same order, each DWORD-wide.
25 | typedef DWORD DA; // pointer-sized integer used for address arithmetic
26 | typedef struct CustomHead
27 | {
28 | DWORD size;//PE size; DeCompress() allocates and decompresses into this many bytes
29 | DWORD offsetSection;
30 | DWORD numberOfSection;
31 | DWORD offsetRelocation;
32 | DWORD imageAddr;
33 | DWORD offsetImportTable;
34 | DWORD entryPoint;
35 | DWORD flag1;
36 | DWORD compressSize;
37 | DWORD flag2;
38 | DWORD rc4Size;
39 | }*pCustomHead;
40 | #endif // _WIN64
41 | #pragma pack(pop)
42 |
// Function-pointer type shaped like ntdll's RtlDecompressBuffer. func()
// fills it through GetFunction() with the Hash_Ntdll / Hash_RtlDecompressBuffer
// constants, so the API is reached without an import-table entry.
43 | typedef DWORD(__stdcall *pRtlDecompressBuffer)(
44 | IN ULONG CompressionFormat,
45 | OUT PVOID DestinationBuffer,
46 | IN ULONG DestinationBufferLength,
47 | IN PVOID SourceBuffer,
48 | IN ULONG SourceBufferLength,
49 | OUT PULONG pDestinationSize); // receives the number of bytes written
50 |
51 |
52 |
// Computes a 32-bit hash of a NUL-terminated narrow string. For every
// character the accumulator is rotated right by 12 bits and the character is
// added; characters >= 'a' have 32 subtracted first, which folds a-z onto A-Z
// (and also shifts the few characters that sort after 'z').
// GetFunction() compares this value with the hash of each export name, so the
// binary carries 32-bit constants where API name strings would otherwise
// appear. For analysis, the constants in func() together with this
// rotate-by-12 loop are the artefacts a content signature can match.
53 | DWORD getHash(const char *str)
54 | {
55 |
56 | DWORD h = 0;
57 | while (*str)
58 | {
59 | h = (h >> 12) | (h << (32 - 12)); // rotate right by 12 bits
60 | h += *str >= 'a' ? *str - 32 : *str; // fold to upper case, then add
61 | str++;
62 | }
63 | return h;
64 |
65 | }
66 |
// Wide-string variant of getHash(): same rotate-right-by-12 and add, applied
// to a string read as 16-bit units. Only the low byte of each unit takes part
// in the hash, so characters outside the 8-bit range lose their high byte.
// The loop ends at the first zero 16-bit unit. GetFunction() uses it on the
// module name stored in the loader's module list.
67 | DWORD getUnicodeHash(const wchar_t * str)
68 | {
69 | DWORD h = 0;
70 | PWORD ptr = (PWORD)str; // walk the string as 16-bit units
71 | while (*ptr)
72 | {
73 | h = (h >> 12) | (h << (32 - 12)); // rotate right by 12 bits
74 | h += (BYTE)(*ptr) >= 'a' ? (BYTE)(*ptr) - 32 : (BYTE)(*ptr); // low byte only, folded to upper case
75 | ptr++;
76 | }
77 | return h;
78 | }
79 |
// Copies `size` bytes from `src` to `det`, one byte at a time in ascending
// address order. Hand-written so the loader does not depend on the C runtime.
// The copy is forward-only: overlapping ranges with det above src are not
// handled. Neither pointer nor the length is validated.
80 | void MemCopy(char * det, char * src, DWORD size)
81 | {
82 | while(size--)
83 | {
84 | *det++ = *src++;
85 | }
86 | }
// Compares `size` bytes of two buffers. Returns 0 when all bytes are equal;
// on a mismatch it returns the number of bytes that were still left to
// compare after the mismatching one (not a signed ordering like memcmp).
// NOTE(review): `size` has already been decremented when the bytes are
// compared, so a mismatch in the last byte also returns 0. A caller that
// tests `== 0`, as ReadFileContent() does, therefore accepts buffers that
// differ only in their final byte.
87 | DWORD MemCmp(char *buf1, char *buf2, DWORD size)
88 | {
89 | while (size--)
90 | {
91 | if (*buf1++ != *buf2++)
92 | return size; // remaining count, which is 0 for the last byte
93 | }
94 | return 0;
95 | }
96 |
97 |
// Applies the RC4 keystream to `buff` in place (`size` bytes). RC4 is
// symmetric, so the same routine encrypts and decrypts.
//   buff - data to transform, modified in place
//   size - number of bytes; compared against an unsigned counter below, so a
//          negative value would be treated as a very large length
//   key  - key material; exactly 16 bytes are read (index i % 16)
// ReadFileContent() takes the key from the 16 bytes stored directly after the
// CustomHead header, i.e. the key travels next to the data it protects. The
// layer hides the payload from plain content matching, and the payload can be
// recovered statically by reading that key and applying this routine.
98 | void Rc4Decrypt(char * buff, int size, unsigned char *key)
99 | {
100 | unsigned char box[256];
101 | unsigned int index_i = 0;
102 | unsigned int index_j = 0;
103 |
104 |
105 | // Key scheduling, step 1: identity permutation.
106 | for (int i = 0; i < 256; i++)
107 | {
108 | box[i] = i;
109 | }
110 |
// Key scheduling, step 2: shuffle the permutation with the 16-byte key.
111 | int j = 0;
112 | unsigned char tmp;
113 | for (int i = 0; i < 256; i++)
114 | {
115 | j = (j + box[i] + key[i % 16]) % 256;
116 | tmp = box[i];
117 | box[i] = box[j];
118 | box[j] = tmp;
119 | }
120 |
// Keystream generation: one keystream byte per data byte, XORed in place.
121 | for (unsigned long k = 0; k < size; k++)
122 | {
123 | index_i = (index_i + 1) % 256; // advance first index
124 | index_j = (index_j + box[index_i]) % 256; // advance second index
125 |
126 | tmp = box[index_i];
127 | box[index_i] = box[index_j];
128 | box[index_j] = tmp;
129 |
130 | DWORD r = (box[index_i] + box[index_j]) % 256;
131 | buff[k] ^= box[r];
132 | }
133 |
134 | }
135 |
// Resolves an exported function by hash, without GetProcAddress or any import.
//   DLLhash - getUnicodeHash() value of the module name to search
//   APIhash - getHash() value of the export name to find
//   returns - address of the export, or NULL when no loaded module/export
//             pair matches
// The routine walks the module list reachable from the PEB, hashes each
// module's name, and for the matching module hashes every name in its export
// directory. It only finds modules that are already loaded in the process.
// Defensive relevance: no API names and no import entries exist for the
// functions resolved this way, so static import analysis shows nothing; the
// PEB walk plus export-table parsing from non-image memory is the behaviour
// to look for instead.
136 | char * GetFunction(DWORD DLLhash,DWORD APIhash)
137 | {
138 | _PEB *peb = NtCurrentTeb()->ProcessEnvironmentBlock;
139 |
140 | LIST_ENTRY *first = peb->Ldr->InMemoryOrderModuleList.Flink;
141 |
142 | LIST_ENTRY *ptr = first;
143 | char *func = NULL;
144 | do {
// The list links point at the InMemoryOrderLinks member, which sits two
// pointers into LDR_DATA_TABLE_ENTRY; subtracting that offset recovers the
// start of the entry.
145 | #ifdef _WIN64
146 | LDR_DATA_TABLE_ENTRY *pLdr = (LDR_DATA_TABLE_ENTRY*)((BYTE*)ptr - 0x10);
147 | #else // _WIN64
148 | LDR_DATA_TABLE_ENTRY *pLdr = (LDR_DATA_TABLE_ENTRY*)((BYTE*)ptr - 0x8);
149 | #endif
150 | BYTE * baseAddr = (BYTE *)pLdr->DllBase;
151 |
// Advance before any `continue` so the loop always makes progress.
152 | ptr = ptr->Flink;
153 |
154 | if (!baseAddr)
155 | continue;
156 |
157 |
158 | PIMAGE_DOS_HEADER pDos = (PIMAGE_DOS_HEADER)(baseAddr);
159 | PIMAGE_NT_HEADERS pNt = (PIMAGE_NT_HEADERS)(baseAddr + pDos->e_lfanew);
160 | PIMAGE_EXPORT_DIRECTORY pExport = (PIMAGE_EXPORT_DIRECTORY)(baseAddr + pNt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
// NOTE(review): pExport is baseAddr plus an RVA, so it is never NULL here;
// a module without an export directory yields pExport == baseAddr instead.
161 | if (!pExport)
162 | {
163 | continue;
164 | }
165 |
// The bytes winternl.h declares as Reserved4 are read as a UNICODE_STRING;
// in the full structure layout that position appears to hold the base
// (file-name-only) DLL name - confirm against the SDK in use.
166 | if (getUnicodeHash(((decltype(pLdr->FullDllName)*)(DWORD*)&(pLdr->Reserved4))->Buffer) == DLLhash) {
167 | DWORD* nameRVAs = (DWORD*)(baseAddr + pExport->AddressOfNames);
168 |
169 | for (DWORD i = 0; i < pExport->NumberOfNames; i++)
170 | {
171 | char* funName = (char*)(baseAddr + nameRVAs[i]);
172 | // name index -> ordinal -> function RVA -> address
173 | if (func == NULL && getHash(funName) == APIhash)
174 | {
175 | WORD ordinal = ((WORD*)(baseAddr + pExport->AddressOfNameOrdinals))[i];
176 | DWORD functionRVA = ((DWORD*)(baseAddr + pExport->AddressOfFunctions))[ordinal];
177 | func = (char*)(baseAddr + functionRVA);
178 | break;
179 | }
180 | }
181 | }
182 | if (func != NULL) break;
183 | } while (ptr != first);
184 |
185 | return func;
186 | }
187 |
188 |
189 |
// Returns an address inside the currently executing code, which
// ReadFileContent() uses as the starting point of its marker search.
// 64-bit builds take the routine from func.asm (the project file assembles it
// with ml64); 32-bit builds use the inline-assembly version below.
// Both use the same idiom: a CALL to the next instruction pushes that
// instruction's address, and a POP reads it back. A call with zero
// displacement followed by a pop is a recognisable instruction pattern in
// position-independent code.
190 | #ifdef _WIN64
191 | extern "C" char * getCurrAddr(void);
192 | #else
193 | DWORD * getCurrAddr()
194 | {
195 | DWORD *p = NULL;
196 | _asm {
197 | call fun;
198 | fun:
199 | pop eax;
200 | mov p, eax;
201 | }
202 | return p; // address of label `fun`
203 | }
204 | #endif // _WIN64
205 |
// Locates the data appended to the loader code and splits it into its parts.
//   head    - receives a pointer to the CustomHead that follows the marker
//   rc4Key  - receives a pointer to the 16 key bytes that follow the header
//   returns - pointer to the first payload byte after the key
// Nothing is read from a file despite the name: the routine starts at the
// current code address and scans memory forward, byte by byte, for the 8-byte
// marker AA BB CC DD 01 01 01 01. Layout after the marker:
//   [CustomHead][16-byte RC4 key][payload]
// The scan has no upper bound; it only stops on a match (or if the pointer
// wrapped to NULL), so a missing marker ends in an access violation.
// The fixed marker is a static byte sequence in every output that carries
// this layout, which makes it usable as a content-signature anchor together
// with the header that follows it.
206 | char * ReadFileContent(
207 | pCustomHead &head,
208 | unsigned char ** rc4Key
209 | )
210 | {
211 |
212 | #ifdef _WIN64
213 | char *curAddr = getCurrAddr();
214 | #else
215 | char * curAddr = (char *)getCurrAddr();
216 | #endif
217 |
// Built from character constants; only the first 8 bytes are compared.
218 | char sign[] = {'\xaa', '\xbb', '\xcc', '\xdd', '\x01' , '\x01', '\x01', '\x01', '\x00' };
219 | while(curAddr ++ )
220 | {
221 | if (MemCmp(curAddr, sign, 8) == 0)
222 | {
223 | curAddr += 8; // step over the marker
224 | break;
225 | }
226 | }
227 |
228 | head = (pCustomHead)curAddr;
229 | curAddr += sizeof(CustomHead);
230 |
231 | *rc4Key = (unsigned char *)curAddr;
232 | curAddr += 16; // fixed key length, matches key[i % 16] in Rc4Decrypt()
233 |
234 | return curAddr;
235 | }
236 |
237 |
// Allocates the memory region the payload image is mapped into.
//   pData         - payload buffer that contains the section headers
//   pVirtualAlloc - VirtualAlloc pointer resolved by GetFunction()
//   pustomHead    - header supplying offsetSection, numberOfSection, imageAddr
//   returns       - base of the region, or NULL when both attempts fail
// The size is taken from the last section header only (VirtualAddress +
// SizeOfRawData), which assumes the last header describes the highest
// section. The first attempt asks for the preferred base (imageAddr); if that
// fails the system chooses the address and Reloaction() adjusts the image.
// The whole region is committed as PAGE_EXECUTE_READWRITE and protections are
// not tightened later in this file. A private, non-file-backed RWX region of
// image size is one of the strongest memory-scanning indicators for this
// kind of in-memory loading.
238 | char* ApplySpace
239 | (
240 | char * pData,
241 | decltype(VirtualAlloc)* pVirtualAlloc,
242 | pCustomHead pustomHead
243 | )
244 | {
245 | char * baseAddress = NULL;
246 |
247 | PIMAGE_SECTION_HEADER pSection = (PIMAGE_SECTION_HEADER)(pData + pustomHead->offsetSection);
248 |
249 | pSection += pustomHead->numberOfSection - 1; // last section header
250 |
251 | baseAddress = (char *)pVirtualAlloc(
252 | (char*)pustomHead->imageAddr,
253 | pSection->SizeOfRawData + pSection->VirtualAddress,
254 | MEM_COMMIT | MEM_RESERVE,
255 | PAGE_EXECUTE_READWRITE);
256 |
// Preferred base unavailable: let the system pick one.
257 | if (NULL == baseAddress)
258 | {
259 | baseAddress = (char *)pVirtualAlloc(
260 | NULL,
261 | pSection->SizeOfRawData + pSection->VirtualAddress,
262 | MEM_COMMIT | MEM_RESERVE,
263 | PAGE_EXECUTE_READWRITE);
264 | }
265 |
266 | return baseAddress;
267 | }
268 |
269 |
270 |
// Copies every section's raw data from the payload buffer to its virtual
// address inside the allocated region.
//   pData       - payload buffer (source), also holds the section headers
//   address     - base of the region returned by ApplySpace()
//   pcustomHead - header supplying offsetSection and numberOfSection
// Sections with a zero VirtualAddress or zero SizeOfRawData are skipped.
// Only section contents are copied; the PE headers are not written to the
// region, so the mapped image does not start with an MZ/PE header. Header
// scanning of private memory will not find it, while the RWX allocation and
// the section contents remain visible.
// Offsets and sizes come straight from the section headers and are not
// checked against the size of either buffer.
271 | void CopyToMemory(
272 | char*pData,
273 | char*address,
274 | pCustomHead pcustomHead
275 | )
276 | {
277 |
278 | PIMAGE_SECTION_HEADER pSection = (PIMAGE_SECTION_HEADER)(pData + pcustomHead->offsetSection);
279 |
280 |
281 | for (int i = 0; i < pcustomHead->numberOfSection; i++)
282 | {
283 | if ((0 == pSection->VirtualAddress) || (0 == pSection->SizeOfRawData))
284 | {
285 | pSection++;
286 | continue;
287 | }
288 |
289 | DA* chSrcMem = (DA *)((DA)pData + pSection->PointerToRawData); // raw data inside the payload buffer
290 | DA* chDestMem = (DA *)((DA)address + pSection->VirtualAddress); // destination inside the mapped region
291 | DA dwSizeOfRawData = pSection->SizeOfRawData;
292 | MemCopy((char*)chDestMem, (char *)chSrcMem, dwSizeOfRawData);
293 |
294 | pSection++;
295 | }
296 |
297 | }
298 |
// Applies base relocations to the mapped image.
//   address     - base of the mapped image
//   pcustomHead - header supplying offsetRelocation and imageAddr
// Returns immediately when offsetRelocation is 0. Otherwise it walks the
// IMAGE_BASE_RELOCATION blocks until it meets one whose VirtualAddress and
// SizeOfBlock sum to 0, and adds (actual base - imageAddr) to every entry of
// the pointer-sized relocation type: type 0xA on 64-bit builds, type 0x3 on
// 32-bit builds. Entries of any other type are left untouched.
// The delta is applied even when the image landed on its preferred base, in
// which case it is 0. SizeOfBlock is trusted as read from the image.
299 | void Reloaction(char *address, pCustomHead pcustomHead) {
// pDos only serves as the base address; no header field is read through it.
300 | PIMAGE_DOS_HEADER pDos = (PIMAGE_DOS_HEADER)address;
301 |
302 | PIMAGE_BASE_RELOCATION pRel = (PIMAGE_BASE_RELOCATION)(address + pcustomHead->offsetRelocation);
303 |
304 | if ((DA*)pRel == (DA*)pDos)
305 | return;
306 |
307 |
308 | while ((pRel->VirtualAddress + pRel->SizeOfBlock) != 0)
309 | {
310 |
// 16-bit entries follow the block header: high 4 bits type, low 12 bits offset.
311 | WORD *pLocData = (WORD*)((PBYTE)pRel + sizeof(IMAGE_BASE_RELOCATION));
312 | int numberOfReloc = (pRel->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);
313 |
314 | for (int i = 0; i < numberOfReloc; i++)
315 | {
316 |
317 | #ifdef _WIN64
318 | if ((DWORD)(pLocData[i] & 0xf000) == 0xa000) {
319 | #else
320 | if ((DWORD)(pLocData[i] & 0xf000) == 0x3000) {
321 | #endif
322 | DA *pAddress = (DA*)((DA)pDos + pRel->VirtualAddress + ((DWORD)pLocData[i] & 0x0fff));
323 | DA dwDelta = (DA)pDos - pcustomHead->imageAddr;
324 | *pAddress += dwDelta;
325 | }
326 |
327 |
328 | }
329 | pRel = (PIMAGE_BASE_RELOCATION)((PBYTE)pRel + pRel->SizeOfBlock); // next block
330 | }
331 | return;
332 | }
333 |
// Resolves the mapped image's imports and fills in its import address table.
//   address            - base of the mapped image
//   myGetModuleHandleA - GetModuleHandleA pointer resolved by GetFunction()
//   myLoadLibraryA     - LoadLibraryA pointer resolved by GetFunction()
//   myGetProcAddress   - GetProcAddress pointer resolved by GetFunction()
//   pcustomHead        - header supplying offsetImportTable
// Walks the IMAGE_IMPORT_DESCRIPTOR array until an entry with a zero
// OriginalFirstThunk. Each named DLL is looked up with GetModuleHandleA and
// loaded with LoadLibraryA if it is not present yet; a DLL that cannot be
// loaded is skipped, leaving its thunks unresolved. The result of
// GetProcAddress is stored without being checked.
// Unlike the payload itself, DLLs pulled in here go through the normal
// Windows loader, so they appear in the module lists and in image-load
// telemetry, with the load originating from private memory rather than from
// a file-backed image.
334 | void LoadDll(
335 | char *address,
336 | decltype(GetModuleHandleA) * myGetModuleHandleA,
337 | decltype(LoadLibraryA) * myLoadLibraryA,
338 | decltype(GetProcAddress) *myGetProcAddress,
339 | pCustomHead pcustomHead
340 | )
341 | {
342 |
343 | PIMAGE_IMPORT_DESCRIPTOR pImportTable = (PIMAGE_IMPORT_DESCRIPTOR)(address + pcustomHead->offsetImportTable);
344 |
345 | char *lpDllName = NULL;
346 | HMODULE hDll = NULL;
347 |
348 | PIMAGE_THUNK_DATA lpImportNameArray = NULL;
349 | PIMAGE_IMPORT_BY_NAME lpImportByName = NULL;
350 | PIMAGE_THUNK_DATA lpImportFuncAddrArray = NULL;
351 | FARPROC lpFuncAddress = NULL;
352 | DA i = 0;
353 |
354 | while (TRUE)
355 | {
// A zero OriginalFirstThunk is treated as the end of the descriptor array.
356 | if (0 == pImportTable->OriginalFirstThunk)
357 | break;
358 |
359 |
360 | // Get a handle to the DLL, loading it only if it is not already present.
361 | lpDllName = (char *)((DA)address + pImportTable->Name);
362 | hDll = myGetModuleHandleA(lpDllName);
363 | if (hDll == NULL)
364 | {
365 | hDll = myLoadLibraryA(lpDllName);
366 | if (hDll == NULL)
367 | {
368 | pImportTable++;
369 | continue;
370 | }
371 | }
372 |
373 |
374 | i = 0;
// OriginalFirstThunk: names/ordinals to look up. FirstThunk: slots to fill.
375 | lpImportNameArray = (PIMAGE_THUNK_DATA)((DA)address + pImportTable->OriginalFirstThunk);
376 | lpImportFuncAddrArray = (PIMAGE_THUNK_DATA)((DA)address + pImportTable->FirstThunk);
377 | while (TRUE)
378 | {
379 | if (lpImportNameArray[i].u1.AddressOfData == 0)
380 | break;
381 |
382 |
383 | lpImportByName = (PIMAGE_IMPORT_BY_NAME)((DA)address + lpImportNameArray[i].u1.AddressOfData);
384 |
// Bit 31 of the thunk value selects import by ordinal (low 16 bits);
// otherwise the import is resolved by name.
385 | if (0x80000000 & lpImportNameArray[i].u1.Ordinal)
386 | {
387 | lpFuncAddress = myGetProcAddress(hDll, (LPCSTR)(lpImportNameArray[i].u1.Ordinal & 0x0000FFFF));
388 | }
389 | else
390 | {
391 | lpFuncAddress = myGetProcAddress(hDll, (LPCSTR)lpImportByName->Name);
392 | }
393 | lpImportFuncAddrArray[i].u1.Function = (DA)lpFuncAddress;
394 | i++;
395 | }
396 |
397 | pImportTable++;
398 | }
399 |
400 | }
401 |
// Transfers control to the mapped image.
//   pcustomHead - header supplying entryPoint (offset from the mapped base)
//   address     - base of the mapped image
// The entry point is called as a plain `void (*)(void)` on the current
// thread; no arguments are passed and no new thread is created. From this
// point the thread runs code in private memory with no backing file, which is
// what call-stack and thread-start-address checks can pick up.
402 | void Run(pCustomHead pcustomHead, char *address)
403 | {
404 |
405 | DA * ExeEntry = (DA*)(address + pcustomHead->entryPoint);
406 |
407 | ((void(*) (void)) ExeEntry)();
408 |
409 | }
410 |
// Decompresses the payload into a newly allocated buffer.
//   buff                  - compressed payload
//   pcustomHead           - header supplying size (output) and compressSize (input)
//   pVirtualAlloc         - VirtualAlloc pointer resolved by GetFunction()
//   f_RtlDecompressBuffer - RtlDecompressBuffer pointer resolved by GetFunction()
//   returns               - the output buffer
// The format value is COMPRESSION_FORMAT_LZNT1 | COMPRESSION_ENGINE_MAXIMUM.
// Neither the allocation result nor the decompression status is checked, and
// the reported output length (dwDeCompress) is not used. The buffer is not
// freed anywhere in this file, and although it only stages data it is
// allocated PAGE_EXECUTE_READWRITE - a second RWX region, holding the
// unpacked payload, that memory inspection can find after the run.
411 | char * DeCompress(
412 | char *buff,
413 | pCustomHead pcustomHead,
414 | decltype(VirtualAlloc)* pVirtualAlloc,
415 | pRtlDecompressBuffer f_RtlDecompressBuffer
416 | )
417 | {
418 | char *outData = NULL;
419 | DWORD CompressionFormat = COMPRESSION_FORMAT_LZNT1 | COMPRESSION_ENGINE_MAXIMUM;
420 |
421 | outData = (char *)pVirtualAlloc(NULL, pcustomHead->size, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
422 | DWORD dwDeCompress; // bytes written, reported by the API and ignored
423 | f_RtlDecompressBuffer(
424 | CompressionFormat,
425 | outData,
426 | pcustomHead->size,
427 | buff,
428 | pcustomHead->compressSize,
429 | &dwDeCompress);
430 |
431 | return outData;
432 | }
433 |
// Top-level loader sequence; this is the routine whose compiled code forms
// the stub. Steps, in order:
//   1. resolve five APIs by hash through GetFunction()
//   2. locate the header, key and payload behind the code (ReadFileContent)
//   3. RC4-decrypt in place when flag2 is set
//   4. decompress when flag1 is set
//   5. allocate the image region, copy sections, relocate, resolve imports
//   6. call the payload's entry point
// None of the resolved pointers or intermediate results is checked, so any
// failed step surfaces as an access violation rather than an error path.
// The seven hash constants are fixed values produced by getUnicodeHash() /
// getHash() (presumably for kernel32.dll, ntdll.dll and the API names the
// variables are named after). They stay the same in every build that keeps
// this hash routine, which makes them practical signature material.
434 | void func() {
435 |
// Note: the local variable shares its name with the pCustomHead pointer type.
436 | pCustomHead pCustomHead = NULL;
437 | unsigned char *rc4Key = NULL;
438 |
439 | DWORD Hash_Kernel = 0xe616dcd1;
440 | DWORD Hash_Ntdll = 0x2911895d;
441 | DWORD Hash_VirtualAlloc = 0x6b56ea61;
442 | DWORD Hash_RtlDecompressBuffer = 0xd75e613c;
443 | DWORD Hash_GetProcAddress = 0xabddce5c;
444 | DWORD Hash_GetModuleHandleA = 0xc74459e6;
445 | DWORD Hash_LoadLibraryA = 0x22f765ae;
446 |
447 | pRtlDecompressBuffer f_RtlDecompressBuffer = (pRtlDecompressBuffer)GetFunction(Hash_Ntdll, Hash_RtlDecompressBuffer);
448 | decltype(VirtualAlloc)* pVirtualAlloc = (decltype(VirtualAlloc)*) GetFunction(Hash_Kernel, Hash_VirtualAlloc);
449 | decltype(GetProcAddress) *pGetProcAddress = (decltype(GetProcAddress) *)GetFunction(Hash_Kernel, Hash_GetProcAddress);
450 | decltype(GetModuleHandleA) *pGetModuleHandleA = (decltype(GetModuleHandleA)*)GetFunction(Hash_Kernel, Hash_GetModuleHandleA);
451 | decltype(LoadLibraryA) * pLoadLibraryA = (decltype(LoadLibraryA) *)GetFunction(Hash_Kernel, Hash_LoadLibraryA);
452 |
453 |
454 |
455 | char *pDataBuff = ReadFileContent(pCustomHead, &rc4Key);
456 |
// Decryption runs before decompression, so the stored payload is
// presumably compressed first and encrypted second by the generator.
457 | if (pCustomHead->flag2)
458 | Rc4Decrypt(pDataBuff, pCustomHead->rc4Size, rc4Key);
459 |
460 | if (pCustomHead->flag1)
461 | pDataBuff = DeCompress(pDataBuff, pCustomHead, pVirtualAlloc, f_RtlDecompressBuffer);
462 |
463 | char *baseAddress = ApplySpace(pDataBuff, pVirtualAlloc ,pCustomHead);
464 |
465 | CopyToMemory(pDataBuff, baseAddress, pCustomHead);
466 |
467 | Reloaction(baseAddress, pCustomHead);
468 |
469 | LoadDll(baseAddress, pGetModuleHandleA, pLoadLibraryA, pGetProcAddress, pCustomHead);
470 |
471 | Run(pCustomHead, baseAddress);
472 |
473 | }
474 |
475 |
// Host executable entry point. It only calls func(), which keeps the loader
// routines referenced so they are linked into the build. The 32-bit map file
// in this directory lists func at the very start of the .text section, ahead
// of the other loader routines and of main.
476 | int main(int argc, char *argv[], char ** envp)
477 | {
478 |
479 | func();
480 |
481 | return 0;
482 | }
483 |
--------------------------------------------------------------------------------
/PELoader/func.asm:
--------------------------------------------------------------------------------
; 64-bit implementation of getCurrAddr(), declared extern "C" in Source.cpp.
; It lives in a separate MASM file, while the 32-bit build uses an inline
; _asm block in Source.cpp for the same purpose.
; Returns in RAX the address of label f, i.e. a location inside the running
; code that ReadFileContent() uses as the start of its marker search.
1 | public getCurrAddr
2 |
3 | _TEXT SEGMENT
4 | getCurrAddr PROC
5 | call f; pushes the address of the next instruction (label f)
6 | f:
7 | pop rax; RAX = address of f; the stack is back to its state at entry
8 | ret; return to the caller with that address in RAX
9 | getCurrAddr ENDP
10 |
11 | _TEXT ENDS
12 |
13 | END
--------------------------------------------------------------------------------
/PELoader/mapfile:
--------------------------------------------------------------------------------
1 | PELoader
2 |
3 | Timestamp is 5e17372e (Thu Jan 9 22:22:38 2020)
4 |
5 | Preferred load address is 00400000
6 |
7 | Start Length Name Class
8 | 0001:00000000 00001d87H .text$mn CODE
9 | 0002:00000000 000000b8H .idata$5 DATA
10 | 0002:000000b8 00000004H .00cfg DATA
11 | 0002:000000bc 00000004H .CRT$XCA DATA
12 | 0002:000000c0 00000004H .CRT$XCAA DATA
13 | 0002:000000c4 00000004H .CRT$XCZ DATA
14 | 0002:000000c8 00000004H .CRT$XIA DATA
15 | 0002:000000cc 00000004H .CRT$XIAA DATA
16 | 0002:000000d0 00000004H .CRT$XIAC DATA
17 | 0002:000000d4 00000004H .CRT$XIZ DATA
18 | 0002:000000d8 00000004H .CRT$XPA DATA
19 | 0002:000000dc 00000004H .CRT$XPZ DATA
20 | 0002:000000e0 00000004H .CRT$XTA DATA
21 | 0002:000000e4 0000000cH .CRT$XTZ DATA
22 | 0002:000000e8 00000000H .gfids$y DATA
23 | 0002:000000f0 00000110H .rdata DATA
24 | 0002:00000200 00000004H .rdata$sxdata DATA
25 | 0002:00000204 000002b0H .rdata$zzzdbg DATA
26 | 0002:000004b4 00000004H .rtc$IAA DATA
27 | 0002:000004b8 00000004H .rtc$IZZ DATA
28 | 0002:000004bc 00000004H .rtc$TAA DATA
29 | 0002:000004c0 00000008H .rtc$TZZ DATA
30 | 0002:000004c8 0000003cH .xdata$x DATA
31 | 0002:00000504 00000000H .edata DATA
32 | 0002:00000504 0000003cH .idata$2 DATA
33 | 0002:00000540 00000014H .idata$3 DATA
34 | 0002:00000554 000000b8H .idata$4 DATA
35 | 0002:0000060c 000003a2H .idata$6 DATA
36 | 0003:00000000 00000018H .data DATA
37 | 0003:00000018 00000374H .bss DATA
38 | 0004:00000000 00000060H .rsrc$01 DATA
39 | 0004:00000060 00000180H .rsrc$02 DATA
40 |
41 | Address Publics by Value Rva+Base Lib:Object
42 |
43 | 0000:00000000 ___dynamic_value_reloc_table 00000000
44 | 0000:00000000 ___hybrid_code_map 00000000
45 | 0000:00000000 ___guard_fids_table 00000000
46 | 0000:00000000 ___guard_longjmp_table 00000000
47 | 0000:00000000 ___volatile_metadata 00000000
48 | 0000:00000000 ___guard_fids_count 00000000
49 | 0000:00000000 ___enclave_config 00000000
50 | 0000:00000000 ___guard_iat_table 00000000
51 | 0000:00000000 ___guard_longjmp_count 00000000
52 | 0000:00000000 ___guard_iat_count 00000000
53 | 0000:00000000 ___hybrid_auxiliary_iat 00000000
54 | 0000:00000000 ___hybrid_code_map_count 00000000
55 | 0000:00000001 ___safe_se_handler_count 00000001
56 | 0000:00000100 ___guard_flags 00000100
57 | 0000:00000000 ___ImageBase 00400000
58 | 0001:00000000 ?func@@YAXXZ 00401000 f Source.obj
59 | 0001:000000d7 ?ApplySpace@@YAPADPADP6GPAXPAXKKK@ZPAUCustomHead@@@Z 004010d7 f Source.obj
60 | 0001:0000011b ?CopyToMemory@@YAXPAD0PAUCustomHead@@@Z 0040111b f Source.obj
61 | 0001:00000164 ?DeCompress@@YAPADPADPAUCustomHead@@P6GPAXPAXKKK@ZP6GKK2K2KPAK@Z@Z 00401164 f Source.obj
62 | 0001:00000197 ?GetFunction@@YAPADKK@Z 00401197 f Source.obj
63 | 0001:0000024f ?LoadDll@@YAXPADP6GPAUHINSTANCE__@@PBD@Z2P6GP6GHXZPAU1@1@ZPAUCustomHead@@@Z 0040124f f Source.obj
64 | 0001:000002e9 ?MemCmp@@YAKPAD0K@Z 004012e9 f Source.obj
65 | 0001:00000316 ?MemCopy@@YAXPAD0K@Z 00401316 f Source.obj
66 | 0001:00000337 ?Rc4Decrypt@@YAXPADHPAE@Z 00401337 f Source.obj
67 | 0001:0000040d ?ReadFileContent@@YAPADAAPAUCustomHead@@PAPAE@Z 0040140d f Source.obj
68 | 0001:00000460 ?Reloaction@@YAXPADPAUCustomHead@@@Z 00401460 f Source.obj
69 | 0001:000004ce ?Run@@YAXPAUCustomHead@@PAD@Z 004014ce f Source.obj
70 | 0001:000004dd ?__empty_global_delete@@YAXPAXI@Z 004014dd f i Source.obj
71 | 0001:000004dd ?__empty_global_delete@@YAXPAX@Z 004014dd f i Source.obj
72 | 0001:000004de ?getCurrAddr@@YAPAKXZ 004014de f Source.obj
73 | 0001:000004f4 ?getHash@@YAKPBD@Z 004014f4 f Source.obj
74 | 0001:0000051e ?getUnicodeHash@@YAKPB_W@Z 0040151e f Source.obj
75 | 0001:0000054d _main 0040154d f Source.obj
76 | 0001:00000870 ?configure_argv@__scrt_narrow_argv_policy@@SAHXZ 00401870 f i MSVCRTD:exe_main.obj
77 | 0001:00000890 ?initialize_environment@__scrt_narrow_environment_policy@@SAHXZ 00401890 f i MSVCRTD:exe_main.obj
78 | 0001:000008d0 ?set_app_type@__scrt_main_policy@@SAXXZ 004018d0 f i MSVCRTD:exe_main.obj
79 | 0001:000008e0 ?set_commode@__scrt_file_policy@@SAXXZ 004018e0 f i MSVCRTD:exe_main.obj
80 | 0001:00000900 ?set_fmode@__scrt_file_policy@@SAXXZ 00401900 f i MSVCRTD:exe_main.obj
81 | 0001:00000920 _mainCRTStartup 00401920 f MSVCRTD:exe_main.obj
82 | 0001:00000930 ??$__crt_fast_decode_pointer@PAP6AXXZ@@YAPAP6AXXZQAP6AXXZ@Z 00401930 f i MSVCRTD:utility.obj
83 | 0001:00000960 ??$__crt_fast_encode_pointer@PAP6AXXZ@@YAPAP6AXXZQAP6AXXZ@Z 00401960 f i MSVCRTD:utility.obj
84 | 0001:00000990 ?__crt_rotate_pointer_value@@YAIIH@Z 00401990 f i MSVCRTD:utility.obj
85 | 0001:00000aa0 _NtCurrentTeb 00401aa0 f i MSVCRTD:utility.obj
86 | 0001:00000ab0 ___scrt_acquire_startup_lock 00401ab0 f MSVCRTD:utility.obj
87 | 0001:00000b00 ___scrt_dllmain_after_initialize_c 00401b00 f MSVCRTD:utility.obj
88 | 0001:00000b30 ___scrt_dllmain_before_initialize_c 00401b30 f MSVCRTD:utility.obj
89 | 0001:00000b50 ___scrt_dllmain_crt_thread_attach 00401b50 f MSVCRTD:utility.obj
90 | 0001:00000b80 ___scrt_dllmain_crt_thread_detach 00401b80 f MSVCRTD:utility.obj
91 | 0001:00000ba0 ___scrt_dllmain_exception_filter 00401ba0 f MSVCRTD:utility.obj
92 | 0001:00000bf0 ___scrt_dllmain_uninitialize_c 00401bf0 f MSVCRTD:utility.obj
93 | 0001:00000c20 ___scrt_dllmain_uninitialize_critical 00401c20 f MSVCRTD:utility.obj
94 | 0001:00000c40 ___scrt_initialize_crt 00401c40 f MSVCRTD:utility.obj
95 | 0001:00000c90 ___scrt_initialize_onexit_tables 00401c90 f MSVCRTD:utility.obj
96 | 0001:00000d70 ___scrt_is_nonwritable_in_current_image 00401d70 f MSVCRTD:utility.obj
97 | 0001:00000ea0 ___scrt_release_startup_lock 00401ea0 f MSVCRTD:utility.obj
98 | 0001:00000ed0 ___scrt_uninitialize_crt 00401ed0 f MSVCRTD:utility.obj
99 | 0001:00000f10 __onexit 00401f10 f MSVCRTD:utility.obj
100 | 0001:00000f80 _at_quick_exit 00401f80 f MSVCRTD:utility.obj
101 | 0001:00000fd0 _atexit 00401fd0 f MSVCRTD:utility.obj
102 | 0001:00001070 ___security_init_cookie 00402070 f MSVCRTD:gs_support.obj
103 | 0001:000010f0 __get_startup_new_mode 004020f0 f MSVCRTD:new_mode.obj
104 | 0001:000010f0 __matherr 004020f0 f MSVCRTD:matherr.obj
105 | 0001:000010f0 ___scrt_stub_for_initialize_mta 004020f0 f MSVCRTD:utility_desktop.obj
106 | 0001:000010f0 __get_startup_thread_locale_mode 004020f0 f MSVCRTD:thread_locale.obj
107 | 0001:000010f0 ___scrt_initialize_winrt 004020f0 f MSVCRTD:utility_desktop.obj
108 | 0001:000010f0 __get_startup_commit_mode 004020f0 f MSVCRTD:commit_mode.obj
109 | 0001:000010f0 ___scrt_stub_for_is_c_termination_complete 004020f0 f MSVCRTD:ucrt_stubs.obj
110 | 0001:000010f0 ___scrt_exe_initialize_mta 004020f0 f MSVCRTD:utility_desktop.obj
111 | 0001:000010f0 __is_c_termination_complete 004020f0 f MSVCRTD:ucrt_stubs.obj
112 | 0001:00001100 __get_startup_argv_mode 00402100 f MSVCRTD:argv_mode.obj
113 | 0001:00001110 __get_startup_file_mode 00402110 f MSVCRTD:file_mode.obj
114 | 0001:00001120 ?__scrt_initialize_type_info@@YAXXZ 00402120 f MSVCRTD:tncleanup.obj
115 | 0001:00001130 ?__scrt_uninitialize_type_info@@YAXXZ 00402130 f MSVCRTD:tncleanup.obj
116 | 0001:00001150 ___vcrt_initialize 00402150 f MSVCRTD:ucrt_stubs.obj
117 | 0001:00001150 ___vcrt_thread_detach 00402150 f MSVCRTD:ucrt_stubs.obj
118 | 0001:00001150 ___acrt_thread_attach 00402150 f MSVCRTD:ucrt_stubs.obj
119 | 0001:00001150 ___acrt_uninitialize 00402150 f MSVCRTD:ucrt_stubs.obj
120 | 0001:00001150 ___scrt_stub_for_acrt_thread_attach 00402150 f MSVCRTD:ucrt_stubs.obj
121 | 0001:00001150 ___vcrt_thread_attach 00402150 f MSVCRTD:ucrt_stubs.obj
122 | 0001:00001150 ___scrt_stub_for_acrt_uninitialize 00402150 f MSVCRTD:ucrt_stubs.obj
123 | 0001:00001150 __should_initialize_environment 00402150 f MSVCRTD:env_mode.obj
124 | 0001:00001150 ___vcrt_uninitialize_critical 00402150 f MSVCRTD:ucrt_stubs.obj
125 | 0001:00001150 ___vcrt_uninitialize 00402150 f MSVCRTD:ucrt_stubs.obj
126 | 0001:00001150 ___scrt_stub_for_acrt_thread_detach 00402150 f MSVCRTD:ucrt_stubs.obj
127 | 0001:00001150 ___acrt_thread_detach 00402150 f MSVCRTD:ucrt_stubs.obj
128 | 0001:00001150 ___acrt_initialize 00402150 f MSVCRTD:ucrt_stubs.obj
129 | 0001:00001150 ___acrt_uninitialize_critical 00402150 f MSVCRTD:ucrt_stubs.obj
130 | 0001:00001150 ___scrt_stub_for_acrt_uninitialize_critical 00402150 f MSVCRTD:ucrt_stubs.obj
131 | 0001:00001150 ___scrt_stub_for_acrt_initialize 00402150 f MSVCRTD:ucrt_stubs.obj
132 | 0001:00001160 __initialize_default_precision 00402160 f MSVCRTD:default_precision.obj
133 | 0001:00001190 __initialize_denormal_control 00402190 f MSVCRTD:denormal_control.obj
134 | 0001:00001190 __initialize_invalid_parameter_handler 00402190 f MSVCRTD:invalid_parameter_handler.obj
135 | 0001:000011a0 ___local_stdio_printf_options 004021a0 f i MSVCRTD:default_local_stdio_options.obj
136 | 0001:000011b0 ___local_stdio_scanf_options 004021b0 f i MSVCRTD:default_local_stdio_options.obj
137 | 0001:000011c0 ___scrt_initialize_default_local_stdio_options 004021c0 f MSVCRTD:default_local_stdio_options.obj
138 | 0001:00001200 ___scrt_is_user_matherr_present 00402200 f MSVCRTD:matherr_detection.obj
139 | 0001:00001230 ___scrt_get_dyn_tls_init_callback 00402230 f MSVCRTD:dyn_tls_init.obj
140 | 0001:00001240 ___scrt_get_dyn_tls_dtor_callback 00402240 f MSVCRTD:dyn_tls_dtor.obj
141 | 0001:00001250 ___scrt_fastfail 00402250 f MSVCRTD:utility_desktop.obj
142 | 0001:00001390 ___scrt_get_show_window_mode 00402390 f MSVCRTD:utility_desktop.obj
143 | 0001:000013d0 ___scrt_initialize_mta 004023d0 f MSVCRTD:utility_desktop.obj
144 | 0001:000013e0 ___scrt_is_managed_app 004023e0 f MSVCRTD:utility_desktop.obj
145 | 0001:00001470 ___scrt_set_unhandled_exception_filter 00402470 f MSVCRTD:utility_desktop.obj
146 | 0001:00001480 ___scrt_unhandled_exception_filter@4 00402480 f MSVCRTD:utility_desktop.obj
147 | 0001:000014e0 __crt_debugger_hook 004024e0 f MSVCRTD:utility_desktop.obj
148 | 0001:000014f0 __RTC_Initialize 004024f0 f MSVCRTD:initsect.obj
149 | 0001:00001520 __RTC_Terminate 00402520 f MSVCRTD:initsect.obj
150 | 0001:00001550 __except_handler4 00402550 f MSVCRTD:chandler4gs.obj
151 | 0001:00001580 @_guard_check_icall_nop@4 00402580 f i MSVCRTD:guard_support.obj
152 | 0001:00001590 _ReadNoFence 00402590 f i MSVCRTD:guard_support.obj
153 | 0001:000015b0 _ReadPointerNoFence 004025b0 f i MSVCRTD:guard_support.obj
154 | 0001:000015d0 __guard_icall_checks_enforced 004025d0 f i MSVCRTD:guard_support.obj
155 | 0001:00001600 ___isa_available_init 00402600 f MSVCRTD:cpu_disp.obj
156 | 0001:000018e0 ___scrt_is_ucrt_dll_in_use 004028e0 f MSVCRTD:ucrt_detection.obj
157 | 0001:00001910 @__security_check_cookie@4 00402910 f MSVCRTD:secchk.obj
158 | 0001:00001930 ___raise_securityfailure 00402930 f MSVCRTD:gs_report.obj
159 | 0001:00001960 ___report_gsfailure 00402960 f MSVCRTD:gs_report.obj
160 | 0001:00001a70 ___report_rangecheckfailure 00402a70 f MSVCRTD:gs_report.obj
161 | 0001:00001a80 ___report_securityfailure 00402a80 f MSVCRTD:gs_report.obj
162 | 0001:00001b60 ___report_securityfailureEx 00402b60 f MSVCRTD:gs_report.obj
163 | 0001:00001c85 ___std_type_info_destroy_list 00402c85 f vcruntimed:VCRUNTIME140D.dll
164 | 0001:00001c8b _memset 00402c8b f vcruntimed:VCRUNTIME140D.dll
165 | 0001:00001c91 __except_handler4_common 00402c91 f vcruntimed:VCRUNTIME140D.dll
166 | 0001:00001c97 __seh_filter_exe 00402c97 f ucrtd:ucrtbased.dll
167 | 0001:00001c9d __set_app_type 00402c9d f ucrtd:ucrtbased.dll
168 | 0001:00001ca3 ___setusermatherr 00402ca3 f ucrtd:ucrtbased.dll
169 | 0001:00001ca9 __configure_narrow_argv 00402ca9 f ucrtd:ucrtbased.dll
170 | 0001:00001caf __initialize_narrow_environment 00402caf f ucrtd:ucrtbased.dll
171 | 0001:00001cb5 __get_initial_narrow_environment 00402cb5 f ucrtd:ucrtbased.dll
172 | 0001:00001cbb __initterm 00402cbb f ucrtd:ucrtbased.dll
173 | 0001:00001cc1 __initterm_e 00402cc1 f ucrtd:ucrtbased.dll
174 | 0001:00001cc7 _exit 00402cc7 f ucrtd:ucrtbased.dll
175 | 0001:00001ccd __exit 00402ccd f ucrtd:ucrtbased.dll
176 | 0001:00001cd3 __set_fmode 00402cd3 f ucrtd:ucrtbased.dll
177 | 0001:00001cd9 ___p___argc 00402cd9 f ucrtd:ucrtbased.dll
178 | 0001:00001cdf ___p___argv 00402cdf f ucrtd:ucrtbased.dll
179 | 0001:00001ce5 __cexit 00402ce5 f ucrtd:ucrtbased.dll
180 | 0001:00001ceb __c_exit 00402ceb f ucrtd:ucrtbased.dll
181 | 0001:00001cf1 __register_thread_local_exe_atexit_callback 00402cf1 f ucrtd:ucrtbased.dll
182 | 0001:00001cf7 __configthreadlocale 00402cf7 f ucrtd:ucrtbased.dll
183 | 0001:00001cfd __set_new_mode 00402cfd f ucrtd:ucrtbased.dll
184 | 0001:00001d03 ___p__commode 00402d03 f ucrtd:ucrtbased.dll
185 | 0001:00001d09 __seh_filter_dll 00402d09 f ucrtd:ucrtbased.dll
186 | 0001:00001d0f __initialize_onexit_table 00402d0f f ucrtd:ucrtbased.dll
187 | 0001:00001d15 __register_onexit_function 00402d15 f ucrtd:ucrtbased.dll
188 | 0001:00001d1b __execute_onexit_table 00402d1b f ucrtd:ucrtbased.dll
189 | 0001:00001d21 __crt_atexit 00402d21 f ucrtd:ucrtbased.dll
190 | 0001:00001d27 __crt_at_quick_exit 00402d27 f ucrtd:ucrtbased.dll
191 | 0001:00001d2d __controlfp_s 00402d2d f ucrtd:ucrtbased.dll
192 | 0001:00001d33 _terminate 00402d33 f ucrtd:ucrtbased.dll
193 | 0001:00001d39 _QueryPerformanceCounter@4 00402d39 f kernel32:KERNEL32.dll
194 | 0001:00001d3f _GetCurrentProcessId@0 00402d3f f kernel32:KERNEL32.dll
195 | 0001:00001d45 _GetCurrentThreadId@0 00402d45 f kernel32:KERNEL32.dll
196 | 0001:00001d4b _GetSystemTimeAsFileTime@4 00402d4b f kernel32:KERNEL32.dll
197 | 0001:00001d51 _InitializeSListHead@4 00402d51 f kernel32:KERNEL32.dll
198 | 0001:00001d57 _IsDebuggerPresent@0 00402d57 f kernel32:KERNEL32.dll
199 | 0001:00001d5d _UnhandledExceptionFilter@4 00402d5d f kernel32:KERNEL32.dll
200 | 0001:00001d63 _SetUnhandledExceptionFilter@4 00402d63 f kernel32:KERNEL32.dll
201 | 0001:00001d69 _GetStartupInfoW@4 00402d69 f kernel32:KERNEL32.dll
202 | 0001:00001d6f _IsProcessorFeaturePresent@4 00402d6f f kernel32:KERNEL32.dll
203 | 0001:00001d75 _GetModuleHandleW@4 00402d75 f kernel32:KERNEL32.dll
204 | 0001:00001d7b _GetCurrentProcess@0 00402d7b f kernel32:KERNEL32.dll
205 | 0001:00001d81 _TerminateProcess@8 00402d81 f kernel32:KERNEL32.dll
206 | 0002:00000000 __imp__SetUnhandledExceptionFilter@4 00403000 kernel32:KERNEL32.dll
207 | 0002:00000004 __imp__GetCurrentProcessId@0 00403004 kernel32:KERNEL32.dll
208 | 0002:00000008 __imp__GetCurrentThreadId@0 00403008 kernel32:KERNEL32.dll
209 | 0002:0000000c __imp__TerminateProcess@8 0040300c kernel32:KERNEL32.dll
210 | 0002:00000010 __imp__GetCurrentProcess@0 00403010 kernel32:KERNEL32.dll
211 | 0002:00000014 __imp__GetModuleHandleW@4 00403014 kernel32:KERNEL32.dll
212 | 0002:00000018 __imp__IsProcessorFeaturePresent@4 00403018 kernel32:KERNEL32.dll
213 | 0002:0000001c __imp__GetStartupInfoW@4 0040301c kernel32:KERNEL32.dll
214 | 0002:00000020 __imp__QueryPerformanceCounter@4 00403020 kernel32:KERNEL32.dll
215 | 0002:00000024 __imp__UnhandledExceptionFilter@4 00403024 kernel32:KERNEL32.dll
216 | 0002:00000028 __imp__IsDebuggerPresent@0 00403028 kernel32:KERNEL32.dll
217 | 0002:0000002c __imp__InitializeSListHead@4 0040302c kernel32:KERNEL32.dll
218 | 0002:00000030 __imp__GetSystemTimeAsFileTime@4 00403030 kernel32:KERNEL32.dll
219 | 0002:00000034 \177KERNEL32_NULL_THUNK_DATA 00403034 kernel32:KERNEL32.dll
220 | 0002:00000038 __imp__memset 00403038 vcruntimed:VCRUNTIME140D.dll
221 | 0002:0000003c __imp___except_handler4_common 0040303c vcruntimed:VCRUNTIME140D.dll
222 | 0002:00000040 __imp____std_type_info_destroy_list 00403040 vcruntimed:VCRUNTIME140D.dll
223 | 0002:00000044 \177VCRUNTIME140D_NULL_THUNK_DATA 00403044 vcruntimed:VCRUNTIME140D.dll
224 | 0002:00000048 __imp___c_exit 00403048 ucrtd:ucrtbased.dll
225 | 0002:0000004c __imp___register_thread_local_exe_atexit_callback 0040304c ucrtd:ucrtbased.dll
226 | 0002:00000050 __imp___configthreadlocale 00403050 ucrtd:ucrtbased.dll
227 | 0002:00000054 __imp___set_new_mode 00403054 ucrtd:ucrtbased.dll
228 | 0002:00000058 __imp____p__commode 00403058 ucrtd:ucrtbased.dll
229 | 0002:0000005c __imp____p___argv 0040305c ucrtd:ucrtbased.dll
230 | 0002:00000060 __imp___initialize_onexit_table 00403060 ucrtd:ucrtbased.dll
231 | 0002:00000064 __imp___register_onexit_function 00403064 ucrtd:ucrtbased.dll
232 | 0002:00000068 __imp___execute_onexit_table 00403068 ucrtd:ucrtbased.dll
233 | 0002:0000006c __imp___crt_atexit 0040306c ucrtd:ucrtbased.dll
234 | 0002:00000070 __imp___crt_at_quick_exit 00403070 ucrtd:ucrtbased.dll
235 | 0002:00000074 __imp___controlfp_s 00403074 ucrtd:ucrtbased.dll
236 | 0002:00000078 __imp__terminate 00403078 ucrtd:ucrtbased.dll
237 | 0002:0000007c __imp___seh_filter_dll 0040307c ucrtd:ucrtbased.dll
238 | 0002:00000080 __imp____p___argc 00403080 ucrtd:ucrtbased.dll
239 | 0002:00000084 __imp___set_fmode 00403084 ucrtd:ucrtbased.dll
240 | 0002:00000088 __imp___exit 00403088 ucrtd:ucrtbased.dll
241 | 0002:0000008c __imp__exit 0040308c ucrtd:ucrtbased.dll
242 | 0002:00000090 __imp___initterm_e 00403090 ucrtd:ucrtbased.dll
243 | 0002:00000094 __imp___initterm 00403094 ucrtd:ucrtbased.dll
244 | 0002:00000098 __imp___get_initial_narrow_environment 00403098 ucrtd:ucrtbased.dll
245 | 0002:0000009c __imp___initialize_narrow_environment 0040309c ucrtd:ucrtbased.dll
246 | 0002:000000a0 __imp___configure_narrow_argv 004030a0 ucrtd:ucrtbased.dll
247 | 0002:000000a4 __imp____setusermatherr 004030a4 ucrtd:ucrtbased.dll
248 | 0002:000000a8 __imp___set_app_type 004030a8 ucrtd:ucrtbased.dll
249 | 0002:000000ac __imp___seh_filter_exe 004030ac ucrtd:ucrtbased.dll
250 | 0002:000000b0 __imp___cexit 004030b0 ucrtd:ucrtbased.dll
251 | 0002:000000b4 \177ucrtbased_NULL_THUNK_DATA 004030b4 ucrtd:ucrtbased.dll
252 | 0002:000000b8 ___guard_check_icall_fptr 004030b8 MSVCRTD:guard_support.obj
253 | 0002:000000bc ___xc_a 004030bc MSVCRTD:initializers.obj
254 | 0002:000000c4 ___xc_z 004030c4 MSVCRTD:initializers.obj
255 | 0002:000000c8 ___xi_a 004030c8 MSVCRTD:initializers.obj
256 | 0002:000000d4 ___xi_z 004030d4 MSVCRTD:initializers.obj
257 | 0002:000000d8 ___xp_a 004030d8 MSVCRTD:initializers.obj
258 | 0002:000000dc ___xp_z 004030dc MSVCRTD:initializers.obj
259 | 0002:000000e0 ___xt_a 004030e0 MSVCRTD:initializers.obj
260 | 0002:000000e4 ___xt_z 004030e4 MSVCRTD:initializers.obj
261 | 0002:00000158 __load_config_used 00403158 MSVCRTD:loadcfg.obj
262 | 0002:00000200 ___safe_se_handler_table 00403200
263 | 0002:000004b4 ___rtc_iaa 004034b4 MSVCRTD:initsect.obj
264 | 0002:000004b8 ___rtc_izz 004034b8 MSVCRTD:initsect.obj
265 | 0002:000004bc ___rtc_taa 004034bc MSVCRTD:initsect.obj
266 | 0002:000004c0 ___rtc_tzz 004034c0 MSVCRTD:initsect.obj
267 | 0002:00000504 __IMPORT_DESCRIPTOR_VCRUNTIME140D 00403504 vcruntimed:VCRUNTIME140D.dll
268 | 0002:00000518 __IMPORT_DESCRIPTOR_ucrtbased 00403518 ucrtd:ucrtbased.dll
269 | 0002:0000052c __IMPORT_DESCRIPTOR_KERNEL32 0040352c kernel32:KERNEL32.dll
270 | 0002:00000540 __NULL_IMPORT_DESCRIPTOR 00403540 vcruntimed:VCRUNTIME140D.dll
271 | 0003:00000000 ___scrt_native_dllmain_reason 00404000 MSVCRTD:utility.obj
272 | 0003:00000004 ___scrt_default_matherr 00404004 MSVCRTD:matherr.obj
273 | 0003:00000008 ___security_cookie_complement 00404008 MSVCRTD:gs_cookie.obj
274 | 0003:0000000c ___security_cookie 0040400c MSVCRTD:gs_cookie.obj
275 | 0003:00000010 ___isa_enabled 00404010 MSVCRTD:cpu_disp.obj
276 | 0003:00000014 ___scrt_ucrt_dll_is_in_use 00404014 MSVCRTD:ucrt_stubs.obj
277 | 0003:00000018 ___scrt_current_native_startup_state 00404018 MSVCRTD:utility.obj
278 | 0003:0000001c ___scrt_native_startup_lock 0040401c MSVCRTD:utility.obj
279 | 0003:00000040 ?__type_info_root_node@@3U__type_info_node@@A 00404040 MSVCRTD:tncleanup.obj
280 | 0003:00000048 ?_OptionsStorage@?1??__local_stdio_printf_options@@9@4_KA 00404048 MSVCRTD:default_local_stdio_options.obj
281 | 0003:00000050 ?_OptionsStorage@?1??__local_stdio_scanf_options@@9@4_KA 00404050 MSVCRTD:default_local_stdio_options.obj
282 | 0003:00000058 ___scrt_debugger_hook_flag 00404058 MSVCRTD:utility_desktop.obj
283 | 0003:0000005c ___isa_available 0040405c MSVCRTD:cpu_disp.obj
284 | 0003:00000060 ___favor 00404060 MSVCRTD:cpu_disp.obj
285 | 0003:00000384 ___dyn_tls_dtor_callback 00404384
286 | 0003:00000388 ___dyn_tls_init_callback 00404388
287 |
288 | entry point at 0001:00000920
289 |
290 | Static symbols
291 |
292 | 0002:ffffcfff __guard_fids__ 1003fffff MSVCRTD:guard_support.obj
293 | 0002:ffffcfff __guard_fids___guard_icall_checks_enforced 1003fffff MSVCRTD:guard_support.obj
294 | 0000:ffff9000 .debug$S 00400000 kernel32:KERNEL32.dll
295 | 0000:ffff9000 .debug$S 00400000 kernel32:KERNEL32.dll
296 | 0000:ffff9000 .debug$S 00400000 kernel32:KERNEL32.dll
297 | 0000:ffff9000 .debug$S 00400000 kernel32:KERNEL32.dll
298 | 0000:ffff9000 .debug$S 00400000 kernel32:KERNEL32.dll
299 | 0000:ffff9000 .debug$S 00400000 kernel32:KERNEL32.dll
300 | 0002:ffffd000 __guard_fids__ 00400000 MSVCRTD:exe_main.obj
301 | 0000:ffff9000 .debug$S 00400000 kernel32:KERNEL32.dll
302 | 0000:ffff9000 .debug$S 00400000 kernel32:KERNEL32.dll
303 | 0000:ffff9000 .debug$S 00400000 kernel32:KERNEL32.dll
304 | 0000:ffff9000 .debug$S 00400000 kernel32:KERNEL32.dll
305 | 0000:ffff9000 .debug$S 00400000 kernel32:KERNEL32.dll
306 | 0000:ffff9000 .debug$S 00400000 kernel32:KERNEL32.dll
307 | 0000:ffff9000 .debug$S 00400000 kernel32:KERNEL32.dll
308 | 0000:ffff9000 .debug$S 00400000 ucrtd:ucrtbased.dll
309 | 0000:ffff9000 .debug$S 00400000 ucrtd:ucrtbased.dll
310 | 0000:ffff9000 .debug$S 00400000 ucrtd:ucrtbased.dll
311 | 0000:ffff9000 .debug$S 00400000 ucrtd:ucrtbased.dll
312 | 0000:ffff9000 .debug$S 00400000 ucrtd:ucrtbased.dll
313 | 0000:ffff9000 .debug$S 00400000 ucrtd:ucrtbased.dll
314 | 0000:ffff9000 .debug$S 00400000 ucrtd:ucrtbased.dll
315 | 0000:ffff9000 .debug$S 00400000 ucrtd:ucrtbased.dll
316 | 0000:ffff9000 .debug$S 00400000 ucrtd:ucrtbased.dll
317 | 0000:ffff9000 .debug$S 00400000 ucrtd:ucrtbased.dll
318 | 0000:ffff9000 .debug$S 00400000 ucrtd:ucrtbased.dll
319 | 0000:ffff9000 .debug$S 00400000 ucrtd:ucrtbased.dll
320 | 0000:ffff9000 .debug$S 00400000 ucrtd:ucrtbased.dll
321 | 0000:ffff9000 .debug$S 00400000 ucrtd:ucrtbased.dll
322 | 0000:ffff9000 .debug$S 00400000 ucrtd:ucrtbased.dll
323 | 0000:ffff9000 .debug$S 00400000 ucrtd:ucrtbased.dll
324 | 0000:ffff9000 .debug$S 00400000 ucrtd:ucrtbased.dll
325 | 0000:ffff9000 .debug$S 00400000 ucrtd:ucrtbased.dll
326 | 0000:ffff9000 .debug$S 00400000 ucrtd:ucrtbased.dll
327 | 0000:ffff9000 .debug$S 00400000 ucrtd:ucrtbased.dll
328 | 0000:ffff9000 .debug$S 00400000 ucrtd:ucrtbased.dll
329 | 0000:ffff9000 .debug$S 00400000 ucrtd:ucrtbased.dll
330 | 0002:ffffd000 __guard_fids___except_handler4 00400000 MSVCRTD:chandler4gs.obj
331 | 0000:ffff9000 .debug$S 00400000 ucrtd:ucrtbased.dll
332 | 0000:ffff9000 .debug$S 00400000 ucrtd:ucrtbased.dll
333 | 0000:ffff9000 .debug$S 00400000 ucrtd:ucrtbased.dll
334 | 0000:ffff9000 .debug$S 00400000 ucrtd:ucrtbased.dll
335 | 0002:ffffd000 __guard_fids____scrt_set_unhandled_exception_filter 00400000 MSVCRTD:utility_desktop.obj
336 | 0000:ffff9000 .debug$S 00400000 vcruntimed:VCRUNTIME140D.dll
337 | 0000:ffff9000 .debug$S 00400000 vcruntimed:VCRUNTIME140D.dll
338 | 0000:ffff9000 .debug$S 00400000 vcruntimed:VCRUNTIME140D.dll
339 | 0002:ffffd000 __guard_fids_?pre_c_initialization@@YAHXZ 00400000 MSVCRTD:exe_main.obj
340 | 0000:ffff9000 .debug$S 00400000 ucrtd:ucrtbased.dll
341 | 0002:ffffd004 __guard_fids__ 00400004 MSVCRTD:exe_main.obj
342 | 0002:ffffd008 __guard_fids__ 00400008 MSVCRTD:exe_main.obj
343 | 0001:00000560 ?pre_c_initialization@@YAHXZ 00401560 f MSVCRTD:exe_main.obj
344 | 0001:00000610 ?post_pgo_initialization@@YAHXZ 00401610 f MSVCRTD:exe_main.obj
345 | 0001:00000620 ?pre_cpp_initialization@@YAXXZ 00401620 f MSVCRTD:exe_main.obj
346 | 0001:00000640 ?__scrt_common_main@@YAHXZ 00401640 f MSVCRTD:exe_main.obj
347 | 0001:00000650 ?__scrt_common_main_seh@@YAHXZ 00401650 f MSVCRTD:exe_main.obj
348 | 0001:000008a0 ?invoke_main@@YAHXZ 004018a0 f MSVCRTD:exe_main.obj
349 | 0001:000009a0 ?find_pe_section@@YAPAU_IMAGE_SECTION_HEADER@@QAEI@Z 004019a0 f MSVCRTD:utility.obj
350 | 0001:00000a30 ?is_potentially_valid_image_base@@YA_NQAX@Z 00401a30 f MSVCRTD:utility.obj
351 | 0001:00001000 ___get_entropy 00402000 f MSVCRTD:gs_support.obj
352 | 0002:000000c0 ?pre_cpp_initializer@@3P6AXXZA 004030c0 MSVCRTD:exe_main.obj
353 | 0002:000000cc ?pre_c_initializer@@3P6AHXZA 004030cc MSVCRTD:exe_main.obj
354 | 0002:000000d0 ?post_pgo_initializer@@3P6AHXZA 004030d0 MSVCRTD:exe_main.obj
355 | 0002:000000f0 _GS_ExceptionPointers 004030f0 MSVCRTD:gs_report.obj
356 | 0002:000004c8 __sehtable$?__scrt_common_main_seh@@YAHXZ 004034c8 MSVCRTD:exe_main.obj
357 | 0002:000004e8 __sehtable$___scrt_is_nonwritable_in_current_image 004034e8 MSVCRTD:utility.obj
358 | 0002:00000650 .idata$6 00403650 vcruntimed:VCRUNTIME140D.dll
359 | 0002:00000864 .idata$6 00403864 ucrtd:ucrtbased.dll
360 | 0002:000009a0 .idata$6 004039a0 kernel32:KERNEL32.dll
361 | 0003:00000020 ?is_initialized_as_dll@@3_NA 00404020 MSVCRTD:utility.obj
362 | 0003:00000021 ?module_local_atexit_table_initialized@@3_NA 00404021 MSVCRTD:utility.obj
363 | 0003:00000024 ?module_local_atexit_table@@3U_onexit_table_t@@A 00404024 MSVCRTD:utility.obj
364 | 0003:00000030 ?module_local_at_quick_exit_table@@3U_onexit_table_t@@A 00404030 MSVCRTD:utility.obj
365 | 0003:00000068 _GS_ExceptionRecord 00404068 MSVCRTD:gs_report.obj
366 | 0003:000000b8 _GS_ContextRecord 004040b8 MSVCRTD:gs_report.obj
367 | 0004:00000060 $R000000 00405060 * linker generated manifest res *
368 |
--------------------------------------------------------------------------------
/PELoader/mapfile64:
--------------------------------------------------------------------------------
1 | PELoader
2 |
3 | Timestamp is 5e11f470 (Sun Jan 5 22:36:32 2020)
4 |
5 | Preferred load address is 0000000140000000
6 |
7 | Start Length Name Class
8 | 0001:00000000 00002390H .text$mn CODE
9 | 0001:00002390 00000020H .text$mn$00 CODE
10 | 0001:000023b0 0000006dH .text$x CODE
11 | 0002:00000000 00000178H .idata$5 DATA
12 | 0002:00000178 00000010H .00cfg DATA
13 | 0002:00000188 00000008H .CRT$XCA DATA
14 | 0002:00000190 00000008H .CRT$XCAA DATA
15 | 0002:00000198 00000008H .CRT$XCZ DATA
16 | 0002:000001a0 00000008H .CRT$XIA DATA
17 | 0002:000001a8 00000008H .CRT$XIAA DATA
18 | 0002:000001b0 00000008H .CRT$XIAC DATA
19 | 0002:000001b8 00000008H .CRT$XIZ DATA
20 | 0002:000001c0 00000008H .CRT$XPA DATA
21 | 0002:000001c8 00000008H .CRT$XPZ DATA
22 | 0002:000001d0 00000008H .CRT$XTA DATA
23 | 0002:000001d8 00000008H .CRT$XTZ DATA
24 | 0002:000001e0 00000000H .gfids$y DATA
25 | 0002:000001e0 00000170H .rdata DATA
26 | 0002:00000350 000002d0H .rdata$zzzdbg DATA
27 | 0002:00000620 00000008H .rtc$IAA DATA
28 | 0002:00000628 00000008H .rtc$IZZ DATA
29 | 0002:00000630 00000008H .rtc$TAA DATA
30 | 0002:00000638 00000008H .rtc$TZZ DATA
31 | 0002:00000640 000001dcH .xdata DATA
32 | 0002:0000081c 00000000H .edata DATA
33 | 0002:0000081c 0000003cH .idata$2 DATA
34 | 0002:00000858 00000018H .idata$3 DATA
35 | 0002:00000870 00000178H .idata$4 DATA
36 | 0002:000009e8 000003c8H .idata$6 DATA
37 | 0003:00000000 00000040H .data DATA
38 | 0003:00000040 00000600H .bss DATA
39 | 0004:00000000 00000378H .pdata DATA
40 | 0005:00000000 00000060H .rsrc$01 DATA
41 | 0005:00000060 00000180H .rsrc$02 DATA
42 |
43 | Address Publics by Value Rva+Base Lib:Object
44 |
45 | 0000:00000000 __guard_iat_table 0000000000000000
46 | 0000:00000000 __dynamic_value_reloc_table 0000000000000000
47 | 0000:00000000 __volatile_metadata 0000000000000000
48 | 0000:00000000 __enclave_config 0000000000000000
49 | 0000:00000000 __guard_iat_count 0000000000000000
50 | 0000:00000000 __guard_longjmp_count 0000000000000000
51 | 0000:00000000 __hybrid_auxiliary_iat 0000000000000000
52 | 0000:00000000 ___safe_se_handler_table 0000000000000000
53 | 0000:00000000 __guard_fids_count 0000000000000000
54 | 0000:00000000 __hybrid_code_map 0000000000000000
55 | 0000:00000000 ___safe_se_handler_count 0000000000000000
56 | 0000:00000000 __hybrid_code_map_count 0000000000000000
57 | 0000:00000000 __guard_fids_table 0000000000000000
58 | 0000:00000000 __guard_longjmp_table 0000000000000000
59 | 0000:00000100 __guard_flags 0000000000000100
60 | 0000:00000000 __ImageBase 0000000140000000
61 | 0001:00000000 ?func@@YAXXZ 0000000140001000 f Source.obj
62 | 0001:00000120 getCurrAddr 0000000140001120 f func.obj
63 | 0001:00000128 ?ApplySpace@@YAPEADPEADP6APEAXPEAX_KKK@ZPEAUCustomHead@@@Z 0000000140001128 f Source.obj
64 | 0001:00000198 ?CopyToMemory@@YAXPEAD0PEAUCustomHead@@@Z 0000000140001198 f Source.obj
65 | 0001:00000214 ?DeCompress@@YAPEADPEADPEAUCustomHead@@P6APEAXPEAX_KKK@ZP6AKK2K2KPEAK@Z@Z 0000000140001214 f Source.obj
66 | 0001:00000288 ?GetFunction@@YAPEADKK@Z 0000000140001288 f Source.obj
67 | 0001:00000370 ?LoadDll@@YAXPEADP6APEAUHINSTANCE__@@PEBD@Z2P6AP6A_JXZPEAU1@1@ZPEAUCustomHead@@@Z 0000000140001370 f Source.obj
68 | 0001:00000440 ?MemCmp@@YAKPEAD0K@Z 0000000140001440 f Source.obj
69 | 0001:00000468 ?MemCopy@@YAXPEAD0K@Z 0000000140001468 f Source.obj
70 | 0001:00000480 ?Rc4Decrypt@@YAXPEADHPEAE@Z 0000000140001480 f Source.obj
71 | 0001:0000057c ?ReadFileContent@@YAPEADAEAPEAUCustomHead@@PEAPEAE@Z 000000014000157c f Source.obj
72 | 0001:000005fc ?Reloaction@@YAXPEADPEAUCustomHead@@@Z 00000001400015fc f Source.obj
73 | 0001:00000698 ?Run@@YAXPEAUCustomHead@@PEAD@Z 0000000140001698 f Source.obj
74 | 0001:000006b0 _initialize_invalid_parameter_handler 00000001400016b0 f i MSVCRTD:invalid_parameter_handler.obj
75 | 0001:000006b0 ?__empty_global_delete@@YAXPEAX_K@Z 00000001400016b0 f i Source.obj
76 | 0001:000006b0 _initialize_denormal_control 00000001400016b0 f i MSVCRTD:denormal_control.obj
77 | 0001:000006b0 ?__empty_global_delete@@YAXPEAX@Z 00000001400016b0 f i Source.obj
78 | 0001:000006b4 ?getHash@@YAKPEBD@Z 00000001400016b4 f Source.obj
79 | 0001:000006e0 ?getUnicodeHash@@YAKPEB_W@Z 00000001400016e0 f Source.obj
80 | 0001:0000070c main 000000014000170c f Source.obj
81 | 0001:000009d0 ?configure_argv@__scrt_narrow_argv_policy@@SAHXZ 00000001400019d0 f i MSVCRTD:exe_main.obj
82 | 0001:000009f0 ?initialize_environment@__scrt_narrow_environment_policy@@SAHXZ 00000001400019f0 f i MSVCRTD:exe_main.obj
83 | 0001:00000a40 ?set_app_type@__scrt_main_policy@@SAXXZ 0000000140001a40 f i MSVCRTD:exe_main.obj
84 | 0001:00000a60 ?set_commode@__scrt_file_policy@@SAXXZ 0000000140001a60 f i MSVCRTD:exe_main.obj
85 | 0001:00000a80 ?set_fmode@__scrt_file_policy@@SAXXZ 0000000140001a80 f i MSVCRTD:exe_main.obj
86 | 0001:00000aa0 mainCRTStartup 0000000140001aa0 f MSVCRTD:exe_main.obj
87 | 0001:00000ab0 ??$__crt_fast_decode_pointer@PEAP6AXXZ@@YAPEAP6AXXZQEAP6AXXZ@Z 0000000140001ab0 f i MSVCRTD:utility.obj
88 | 0001:00000af0 ??$__crt_fast_encode_pointer@PEAP6AXXZ@@YAPEAP6AXXZQEAP6AXXZ@Z 0000000140001af0 f i MSVCRTD:utility.obj
89 | 0001:00000b30 ?__crt_rotate_pointer_value@@YA_K_KH@Z 0000000140001b30 f i MSVCRTD:utility.obj
90 | 0001:00000cb0 NtCurrentTeb 0000000140001cb0 f i MSVCRTD:utility.obj
91 | 0001:00000cc0 __scrt_acquire_startup_lock 0000000140001cc0 f MSVCRTD:utility.obj
92 | 0001:00000d30 __scrt_dllmain_after_initialize_c 0000000140001d30 f MSVCRTD:utility.obj
93 | 0001:00000d60 __scrt_dllmain_before_initialize_c 0000000140001d60 f MSVCRTD:utility.obj
94 | 0001:00000d80 __scrt_dllmain_crt_thread_attach 0000000140001d80 f MSVCRTD:utility.obj
95 | 0001:00000db0 __scrt_dllmain_crt_thread_detach 0000000140001db0 f MSVCRTD:utility.obj
96 | 0001:00000dd0 __scrt_dllmain_exception_filter 0000000140001dd0 f MSVCRTD:utility.obj
97 | 0001:00000e30 __scrt_dllmain_uninitialize_c 0000000140001e30 f MSVCRTD:utility.obj
98 | 0001:00000e60 __scrt_dllmain_uninitialize_critical 0000000140001e60 f MSVCRTD:utility.obj
99 | 0001:00000e80 __scrt_initialize_crt 0000000140001e80 f MSVCRTD:utility.obj
100 | 0001:00000ed0 __scrt_initialize_onexit_tables 0000000140001ed0 f MSVCRTD:utility.obj
101 | 0001:00000fe0 __scrt_is_nonwritable_in_current_image 0000000140001fe0 f MSVCRTD:utility.obj
102 | 0001:00001070 __scrt_release_startup_lock 0000000140002070 f MSVCRTD:utility.obj
103 | 0001:000010a0 __scrt_uninitialize_crt 00000001400020a0 f MSVCRTD:utility.obj
104 | 0001:000010e0 _onexit 00000001400020e0 f MSVCRTD:utility.obj
105 | 0001:00001170 at_quick_exit 0000000140002170 f MSVCRTD:utility.obj
106 | 0001:000011c0 atexit 00000001400021c0 f MSVCRTD:utility.obj
107 | 0001:000012c0 __security_init_cookie 00000001400022c0 f MSVCRTD:gs_support.obj
108 | 0001:00001340 _matherr 0000000140002340 f MSVCRTD:matherr.obj
109 | 0001:00001350 _get_startup_argv_mode 0000000140002350 f MSVCRTD:argv_mode.obj
110 | 0001:00001360 _get_startup_thread_locale_mode 0000000140002360 f MSVCRTD:thread_locale.obj
111 | 0001:00001360 __scrt_exe_initialize_mta 0000000140002360 f MSVCRTD:utility_desktop.obj
112 | 0001:00001360 _guard_rf_checks_enforced 0000000140002360 f MSVCRTD:guard_support.obj
113 | 0001:00001360 __scrt_initialize_winrt 0000000140002360 f MSVCRTD:utility_desktop.obj
114 | 0001:00001360 _get_startup_new_mode 0000000140002360 f MSVCRTD:new_mode.obj
115 | 0001:00001360 __scrt_stub_for_is_c_termination_complete 0000000140002360 f MSVCRTD:ucrt_stubs.obj
116 | 0001:00001360 _is_c_termination_complete 0000000140002360 f MSVCRTD:ucrt_stubs.obj
117 | 0001:00001360 __scrt_stub_for_initialize_mta 0000000140002360 f MSVCRTD:utility_desktop.obj
118 | 0001:00001360 _get_startup_commit_mode 0000000140002360 f MSVCRTD:commit_mode.obj
119 | 0001:00001370 _get_startup_file_mode 0000000140002370 f MSVCRTD:file_mode.obj
120 | 0001:00001380 ?__scrt_initialize_type_info@@YAXXZ 0000000140002380 f MSVCRTD:tncleanup.obj
121 | 0001:000013a0 ?__scrt_uninitialize_type_info@@YAXXZ 00000001400023a0 f MSVCRTD:tncleanup.obj
122 | 0001:000013c0 __acrt_initialize 00000001400023c0 f MSVCRTD:ucrt_stubs.obj
123 | 0001:000013c0 __vcrt_thread_attach 00000001400023c0 f MSVCRTD:ucrt_stubs.obj
124 | 0001:000013c0 __scrt_stub_for_acrt_initialize 00000001400023c0 f MSVCRTD:ucrt_stubs.obj
125 | 0001:000013c0 _should_initialize_environment 00000001400023c0 f MSVCRTD:env_mode.obj
126 | 0001:000013c0 __acrt_thread_attach 00000001400023c0 f MSVCRTD:ucrt_stubs.obj
127 | 0001:000013c0 __acrt_thread_detach 00000001400023c0 f MSVCRTD:ucrt_stubs.obj
128 | 0001:000013c0 __scrt_stub_for_acrt_thread_detach 00000001400023c0 f MSVCRTD:ucrt_stubs.obj
129 | 0001:000013c0 __vcrt_thread_detach 00000001400023c0 f MSVCRTD:ucrt_stubs.obj
130 | 0001:000013c0 __vcrt_initialize 00000001400023c0 f MSVCRTD:ucrt_stubs.obj
131 | 0001:000013c0 __scrt_stub_for_acrt_thread_attach 00000001400023c0 f MSVCRTD:ucrt_stubs.obj
132 | 0001:000013d0 __local_stdio_printf_options 00000001400023d0 f i MSVCRTD:default_local_stdio_options.obj
133 | 0001:000013e0 __local_stdio_scanf_options 00000001400023e0 f i MSVCRTD:default_local_stdio_options.obj
134 | 0001:000013f0 __scrt_initialize_default_local_stdio_options 00000001400023f0 f MSVCRTD:default_local_stdio_options.obj
135 | 0001:00001440 __scrt_is_user_matherr_present 0000000140002440 f MSVCRTD:matherr_detection.obj
136 | 0001:00001470 __scrt_get_dyn_tls_init_callback 0000000140002470 f MSVCRTD:dyn_tls_init.obj
137 | 0001:00001480 __scrt_get_dyn_tls_dtor_callback 0000000140002480 f MSVCRTD:dyn_tls_dtor.obj
138 | 0001:00001490 __crt_debugger_hook 0000000140002490 f MSVCRTD:utility_desktop.obj
139 | 0001:000014a0 __scrt_fastfail 00000001400024a0 f MSVCRTD:utility_desktop.obj
140 | 0001:00001640 __scrt_get_show_window_mode 0000000140002640 f MSVCRTD:utility_desktop.obj
141 | 0001:000016a0 __scrt_initialize_mta 00000001400026a0 f MSVCRTD:utility_desktop.obj
142 | 0001:000016b0 __scrt_is_managed_app 00000001400026b0 f MSVCRTD:utility_desktop.obj
143 | 0001:00001760 __scrt_set_unhandled_exception_filter 0000000140002760 f MSVCRTD:utility_desktop.obj
144 | 0001:00001780 __scrt_unhandled_exception_filter 0000000140002780 f MSVCRTD:utility_desktop.obj
145 | 0001:00001800 _RTC_Initialize 0000000140002800 f MSVCRTD:initsect.obj
146 | 0001:00001850 _RTC_Terminate 0000000140002850 f MSVCRTD:initsect.obj
147 | 0001:000018a0 _guard_check_icall_nop 00000001400028a0 f i MSVCRTD:guard_support.obj
148 | 0001:000018b0 ReadNoFence64 00000001400028b0 f i MSVCRTD:guard_support.obj
149 | 0001:000018d0 ReadPointerNoFence 00000001400028d0 f i MSVCRTD:guard_support.obj
150 | 0001:000018f0 _guard_icall_checks_enforced 00000001400028f0 f i MSVCRTD:guard_support.obj
151 | 0001:00001930 __isa_available_init 0000000140002930 f MSVCRTD:cpu_disp.obj
152 | 0001:00001c80 __scrt_is_ucrt_dll_in_use 0000000140002c80 f MSVCRTD:ucrt_detection.obj
153 | 0001:00001cb0 __GSHandlerCheck 0000000140002cb0 f MSVCRTD:gshandler.obj
154 | 0001:00001cf0 __GSHandlerCheckCommon 0000000140002cf0 f MSVCRTD:gshandler.obj
155 | 0001:00001e00 __security_check_cookie 0000000140002e00 f MSVCRTD:amdsecgs.obj
156 | 0001:00001e30 __raise_securityfailure 0000000140002e30 f MSVCRTD:gs_report.obj
157 | 0001:00001e70 __report_gsfailure 0000000140002e70 f MSVCRTD:gs_report.obj
158 | 0001:00001f50 __report_rangecheckfailure 0000000140002f50 f MSVCRTD:gs_report.obj
159 | 0001:00001f70 __report_securityfailure 0000000140002f70 f MSVCRTD:gs_report.obj
160 | 0001:00002010 __report_securityfailureEx 0000000140003010 f MSVCRTD:gs_report.obj
161 | 0001:00002272 __C_specific_handler 0000000140003272 f vcruntimed:VCRUNTIME140D.dll
162 | 0001:00002278 __std_type_info_destroy_list 0000000140003278 f vcruntimed:VCRUNTIME140D.dll
163 | 0001:0000227e _seh_filter_exe 000000014000327e f ucrtd:ucrtbased.dll
164 | 0001:00002284 _set_app_type 0000000140003284 f ucrtd:ucrtbased.dll
165 | 0001:0000228a __setusermatherr 000000014000328a f ucrtd:ucrtbased.dll
166 | 0001:00002290 _configure_narrow_argv 0000000140003290 f ucrtd:ucrtbased.dll
167 | 0001:00002296 _initialize_narrow_environment 0000000140003296 f ucrtd:ucrtbased.dll
168 | 0001:0000229c _get_initial_narrow_environment 000000014000329c f ucrtd:ucrtbased.dll
169 | 0001:000022a2 _initterm 00000001400032a2 f ucrtd:ucrtbased.dll
170 | 0001:000022a8 _initterm_e 00000001400032a8 f ucrtd:ucrtbased.dll
171 | 0001:000022ae exit 00000001400032ae f ucrtd:ucrtbased.dll
172 | 0001:000022b4 _exit 00000001400032b4 f ucrtd:ucrtbased.dll
173 | 0001:000022ba _set_fmode 00000001400032ba f ucrtd:ucrtbased.dll
174 | 0001:000022c0 __p___argc 00000001400032c0 f ucrtd:ucrtbased.dll
175 | 0001:000022c6 __p___argv 00000001400032c6 f ucrtd:ucrtbased.dll
176 | 0001:000022cc _cexit 00000001400032cc f ucrtd:ucrtbased.dll
177 | 0001:000022d2 _c_exit 00000001400032d2 f ucrtd:ucrtbased.dll
178 | 0001:000022d8 _register_thread_local_exe_atexit_callback 00000001400032d8 f ucrtd:ucrtbased.dll
179 | 0001:000022de _configthreadlocale 00000001400032de f ucrtd:ucrtbased.dll
180 | 0001:000022e4 _set_new_mode 00000001400032e4 f ucrtd:ucrtbased.dll
181 | 0001:000022ea __p__commode 00000001400032ea f ucrtd:ucrtbased.dll
182 | 0001:000022f0 _seh_filter_dll 00000001400032f0 f ucrtd:ucrtbased.dll
183 | 0001:000022f6 _initialize_onexit_table 00000001400032f6 f ucrtd:ucrtbased.dll
184 | 0001:000022fc _register_onexit_function 00000001400032fc f ucrtd:ucrtbased.dll
185 | 0001:00002302 _execute_onexit_table 0000000140003302 f ucrtd:ucrtbased.dll
186 | 0001:00002308 _crt_atexit 0000000140003308 f ucrtd:ucrtbased.dll
187 | 0001:0000230e _crt_at_quick_exit 000000014000330e f ucrtd:ucrtbased.dll
188 | 0001:00002314 terminate 0000000140003314 f ucrtd:ucrtbased.dll
189 | 0001:0000231a QueryPerformanceCounter 000000014000331a f kernel32:KERNEL32.dll
190 | 0001:00002320 GetCurrentProcessId 0000000140003320 f kernel32:KERNEL32.dll
191 | 0001:00002326 GetCurrentThreadId 0000000140003326 f kernel32:KERNEL32.dll
192 | 0001:0000232c GetSystemTimeAsFileTime 000000014000332c f kernel32:KERNEL32.dll
193 | 0001:00002332 InitializeSListHead 0000000140003332 f kernel32:KERNEL32.dll
194 | 0001:00002338 RtlCaptureContext 0000000140003338 f kernel32:KERNEL32.dll
195 | 0001:0000233e RtlLookupFunctionEntry 000000014000333e f kernel32:KERNEL32.dll
196 | 0001:00002344 RtlVirtualUnwind 0000000140003344 f kernel32:KERNEL32.dll
197 | 0001:0000234a IsDebuggerPresent 000000014000334a f kernel32:KERNEL32.dll
198 | 0001:00002350 UnhandledExceptionFilter 0000000140003350 f kernel32:KERNEL32.dll
199 | 0001:00002356 SetUnhandledExceptionFilter 0000000140003356 f kernel32:KERNEL32.dll
200 | 0001:0000235c GetStartupInfoW 000000014000335c f kernel32:KERNEL32.dll
201 | 0001:00002362 IsProcessorFeaturePresent 0000000140003362 f kernel32:KERNEL32.dll
202 | 0001:00002368 GetModuleHandleW 0000000140003368 f kernel32:KERNEL32.dll
203 | 0001:0000236e GetCurrentProcess 000000014000336e f kernel32:KERNEL32.dll
204 | 0001:00002374 TerminateProcess 0000000140003374 f kernel32:KERNEL32.dll
205 | 0001:00002380 __acrt_uninitialize_critical 0000000140003380 f MSVCRTD:ucrt_stubs.obj
206 | 0001:00002380 __scrt_stub_for_acrt_uninitialize_critical 0000000140003380 f MSVCRTD:ucrt_stubs.obj
207 | 0001:00002380 __acrt_uninitialize 0000000140003380 f MSVCRTD:ucrt_stubs.obj
208 | 0001:00002380 __vcrt_uninitialize_critical 0000000140003380 f MSVCRTD:ucrt_stubs.obj
209 | 0001:00002380 __vcrt_uninitialize 0000000140003380 f MSVCRTD:ucrt_stubs.obj
210 | 0001:00002380 __scrt_stub_for_acrt_uninitialize 0000000140003380 f MSVCRTD:ucrt_stubs.obj
211 | 0001:000023a0 _guard_dispatch_icall_nop 00000001400033a0 f MSVCRTD:guard_dispatch.obj
212 | 0002:00000000 __imp_IsDebuggerPresent 0000000140004000 kernel32:KERNEL32.dll
213 | 0002:00000008 __imp_GetCurrentProcessId 0000000140004008 kernel32:KERNEL32.dll
214 | 0002:00000010 __imp_TerminateProcess 0000000140004010 kernel32:KERNEL32.dll
215 | 0002:00000018 __imp_GetCurrentProcess 0000000140004018 kernel32:KERNEL32.dll
216 | 0002:00000020 __imp_GetModuleHandleW 0000000140004020 kernel32:KERNEL32.dll
217 | 0002:00000028 __imp_IsProcessorFeaturePresent 0000000140004028 kernel32:KERNEL32.dll
218 | 0002:00000030 __imp_GetStartupInfoW 0000000140004030 kernel32:KERNEL32.dll
219 | 0002:00000038 __imp_SetUnhandledExceptionFilter 0000000140004038 kernel32:KERNEL32.dll
220 | 0002:00000040 __imp_UnhandledExceptionFilter 0000000140004040 kernel32:KERNEL32.dll
221 | 0002:00000048 __imp_QueryPerformanceCounter 0000000140004048 kernel32:KERNEL32.dll
222 | 0002:00000050 __imp_RtlVirtualUnwind 0000000140004050 kernel32:KERNEL32.dll
223 | 0002:00000058 __imp_RtlLookupFunctionEntry 0000000140004058 kernel32:KERNEL32.dll
224 | 0002:00000060 __imp_RtlCaptureContext 0000000140004060 kernel32:KERNEL32.dll
225 | 0002:00000068 __imp_InitializeSListHead 0000000140004068 kernel32:KERNEL32.dll
226 | 0002:00000070 __imp_GetSystemTimeAsFileTime 0000000140004070 kernel32:KERNEL32.dll
227 | 0002:00000078 __imp_GetCurrentThreadId 0000000140004078 kernel32:KERNEL32.dll
228 | 0002:00000080 \177KERNEL32_NULL_THUNK_DATA 0000000140004080 kernel32:KERNEL32.dll
229 | 0002:00000088 __imp___std_type_info_destroy_list 0000000140004088 vcruntimed:VCRUNTIME140D.dll
230 | 0002:00000090 __imp___C_specific_handler 0000000140004090 vcruntimed:VCRUNTIME140D.dll
231 | 0002:00000098 \177VCRUNTIME140D_NULL_THUNK_DATA 0000000140004098 vcruntimed:VCRUNTIME140D.dll
232 | 0002:000000a0 __imp__set_new_mode 00000001400040a0 ucrtd:ucrtbased.dll
233 | 0002:000000a8 __imp___p__commode 00000001400040a8 ucrtd:ucrtbased.dll
234 | 0002:000000b0 __imp__seh_filter_dll 00000001400040b0 ucrtd:ucrtbased.dll
235 | 0002:000000b8 __imp__register_thread_local_exe_atexit_callback 00000001400040b8 ucrtd:ucrtbased.dll
236 | 0002:000000c0 __imp__register_onexit_function 00000001400040c0 ucrtd:ucrtbased.dll
237 | 0002:000000c8 __imp__execute_onexit_table 00000001400040c8 ucrtd:ucrtbased.dll
238 | 0002:000000d0 __imp__crt_atexit 00000001400040d0 ucrtd:ucrtbased.dll
239 | 0002:000000d8 __imp__crt_at_quick_exit 00000001400040d8 ucrtd:ucrtbased.dll
240 | 0002:000000e0 __imp_terminate 00000001400040e0 ucrtd:ucrtbased.dll
241 | 0002:000000e8 __imp__configthreadlocale 00000001400040e8 ucrtd:ucrtbased.dll
242 | 0002:000000f0 __imp__c_exit 00000001400040f0 ucrtd:ucrtbased.dll
243 | 0002:000000f8 __imp__cexit 00000001400040f8 ucrtd:ucrtbased.dll
244 | 0002:00000100 __imp___p___argv 0000000140004100 ucrtd:ucrtbased.dll
245 | 0002:00000108 __imp___p___argc 0000000140004108 ucrtd:ucrtbased.dll
246 | 0002:00000110 __imp__set_fmode 0000000140004110 ucrtd:ucrtbased.dll
247 | 0002:00000118 __imp__exit 0000000140004118 ucrtd:ucrtbased.dll
248 | 0002:00000120 __imp_exit 0000000140004120 ucrtd:ucrtbased.dll
249 | 0002:00000128 __imp__initterm_e 0000000140004128 ucrtd:ucrtbased.dll
250 | 0002:00000130 __imp__initterm 0000000140004130 ucrtd:ucrtbased.dll
251 | 0002:00000138 __imp__get_initial_narrow_environment 0000000140004138 ucrtd:ucrtbased.dll
252 | 0002:00000140 __imp__initialize_narrow_environment 0000000140004140 ucrtd:ucrtbased.dll
253 | 0002:00000148 __imp__configure_narrow_argv 0000000140004148 ucrtd:ucrtbased.dll
254 | 0002:00000150 __imp___setusermatherr 0000000140004150 ucrtd:ucrtbased.dll
255 | 0002:00000158 __imp__set_app_type 0000000140004158 ucrtd:ucrtbased.dll
256 | 0002:00000160 __imp__seh_filter_exe 0000000140004160 ucrtd:ucrtbased.dll
257 | 0002:00000168 __imp__initialize_onexit_table 0000000140004168 ucrtd:ucrtbased.dll
258 | 0002:00000170 \177ucrtbased_NULL_THUNK_DATA 0000000140004170 ucrtd:ucrtbased.dll
259 | 0002:00000178 __guard_check_icall_fptr 0000000140004178 MSVCRTD:guard_support.obj
260 | 0002:00000180 __guard_dispatch_icall_fptr 0000000140004180 MSVCRTD:guard_support.obj
261 | 0002:00000188 __xc_a 0000000140004188 MSVCRTD:initializers.obj
262 | 0002:00000198 __xc_z 0000000140004198 MSVCRTD:initializers.obj
263 | 0002:000001a0 __xi_a 00000001400041a0 MSVCRTD:initializers.obj
264 | 0002:000001b8 __xi_z 00000001400041b8 MSVCRTD:initializers.obj
265 | 0002:000001c0 __xp_a 00000001400041c0 MSVCRTD:initializers.obj
266 | 0002:000001c8 __xp_z 00000001400041c8 MSVCRTD:initializers.obj
267 | 0002:000001d0 __xt_a 00000001400041d0 MSVCRTD:initializers.obj
268 | 0002:000001d8 __xt_z 00000001400041d8 MSVCRTD:initializers.obj
269 | 0002:00000250 _load_config_used 0000000140004250 MSVCRTD:loadcfg.obj
270 | 0002:00000620 __rtc_iaa 0000000140004620 MSVCRTD:initsect.obj
271 | 0002:00000628 __rtc_izz 0000000140004628 MSVCRTD:initsect.obj
272 | 0002:00000630 __rtc_taa 0000000140004630 MSVCRTD:initsect.obj
273 | 0002:00000638 __rtc_tzz 0000000140004638 MSVCRTD:initsect.obj
274 | 0002:0000081c __IMPORT_DESCRIPTOR_VCRUNTIME140D 000000014000481c vcruntimed:VCRUNTIME140D.dll
275 | 0002:00000830 __IMPORT_DESCRIPTOR_ucrtbased 0000000140004830 ucrtd:ucrtbased.dll
276 | 0002:00000844 __IMPORT_DESCRIPTOR_KERNEL32 0000000140004844 kernel32:KERNEL32.dll
277 | 0002:00000858 __NULL_IMPORT_DESCRIPTOR 0000000140004858 vcruntimed:VCRUNTIME140D.dll
278 | 0003:00000000 __scrt_native_dllmain_reason 0000000140005000 MSVCRTD:utility.obj
279 | 0003:00000004 __scrt_default_matherr 0000000140005004 MSVCRTD:matherr.obj
280 | 0003:00000008 __isa_available 0000000140005008 MSVCRTD:cpu_disp.obj
281 | 0003:0000000c __isa_enabled 000000014000500c MSVCRTD:cpu_disp.obj
282 | 0003:00000010 __memcpy_nt_iters 0000000140005010 MSVCRTD:cpu_disp.obj
283 | 0003:00000018 __security_cookie_complement 0000000140005018 MSVCRTD:gs_cookie.obj
284 | 0003:00000020 __security_cookie 0000000140005020 MSVCRTD:gs_cookie.obj
285 | 0003:00000030 __scrt_ucrt_dll_is_in_use 0000000140005030 MSVCRTD:ucrt_stubs.obj
286 | 0003:00000040 __scrt_current_native_startup_state 0000000140005040 MSVCRTD:utility.obj
287 | 0003:00000048 __scrt_native_startup_lock 0000000140005048 MSVCRTD:utility.obj
288 | 0003:00000090 ?__type_info_root_node@@3U__type_info_node@@A 0000000140005090 MSVCRTD:tncleanup.obj
289 | 0003:000000a0 ?_OptionsStorage@?1??__local_stdio_printf_options@@9@4_KA 00000001400050a0 MSVCRTD:default_local_stdio_options.obj
290 | 0003:000000a8 ?_OptionsStorage@?1??__local_stdio_scanf_options@@9@4_KA 00000001400050a8 MSVCRTD:default_local_stdio_options.obj
291 | 0003:000000b0 __scrt_debugger_hook_flag 00000001400050b0 MSVCRTD:utility_desktop.obj
292 | 0003:000000b4 __favor 00000001400050b4 MSVCRTD:cpu_disp.obj
293 | 0003:00000630 __dyn_tls_dtor_callback 0000000140005630
294 | 0003:00000638 __dyn_tls_init_callback 0000000140005638
295 |
296 | entry point at 0001:00000aa0
297 |
298 | Static symbols
299 |
300 | 0002:ffffbfff __guard_fids__guard_icall_checks_enforced 000000023fffffff MSVCRTD:guard_support.obj
301 | 0002:ffffbfff __guard_fids__ 000000023fffffff MSVCRTD:guard_support.obj
302 | 0000:ffff7000 .debug$S 0000000140000000 kernel32:KERNEL32.dll
303 | 0000:ffff7000 .debug$S 0000000140000000 kernel32:KERNEL32.dll
304 | 0000:ffff7000 .debug$S 0000000140000000 kernel32:KERNEL32.dll
305 | 0000:ffff7000 .debug$S 0000000140000000 kernel32:KERNEL32.dll
306 | 0000:ffff7000 .debug$S 0000000140000000 kernel32:KERNEL32.dll
307 | 0000:ffff7000 .debug$S 0000000140000000 kernel32:KERNEL32.dll
308 | 0000:ffff7000 .debug$S 0000000140000000 kernel32:KERNEL32.dll
309 | 0000:ffff7000 .debug$S 0000000140000000 kernel32:KERNEL32.dll
310 | 0000:ffff7000 .debug$S 0000000140000000 kernel32:KERNEL32.dll
311 | 0000:ffff7000 .debug$S 0000000140000000 kernel32:KERNEL32.dll
312 | 0000:ffff7000 .debug$S 0000000140000000 kernel32:KERNEL32.dll
313 | 0000:ffff7000 .debug$S 0000000140000000 kernel32:KERNEL32.dll
314 | 0000:ffff7000 .debug$S 0000000140000000 kernel32:KERNEL32.dll
315 | 0000:ffff7000 .debug$S 0000000140000000 kernel32:KERNEL32.dll
316 | 0000:ffff7000 .debug$S 0000000140000000 kernel32:KERNEL32.dll
317 | 0000:ffff7000 .debug$S 0000000140000000 kernel32:KERNEL32.dll
318 | 0004:ffffa000 $pdata$?initialize_environment@__scrt_narrow_environment_policy@@SAHXZ 0000000140000000 MSVCRTD:utility.obj
319 | 0000:ffff7000 .debug$S 0000000140000000 ucrtd:ucrtbased.dll
320 | 0000:ffff7000 .debug$S 0000000140000000 ucrtd:ucrtbased.dll
321 | 0000:ffff7000 .debug$S 0000000140000000 ucrtd:ucrtbased.dll
322 | 0000:ffff7000 .debug$S 0000000140000000 ucrtd:ucrtbased.dll
323 | 0000:ffff7000 .debug$S 0000000140000000 ucrtd:ucrtbased.dll
324 | 0000:ffff7000 .debug$S 0000000140000000 ucrtd:ucrtbased.dll
325 | 0000:ffff7000 .debug$S 0000000140000000 ucrtd:ucrtbased.dll
326 | 0000:ffff7000 .debug$S 0000000140000000 ucrtd:ucrtbased.dll
327 | 0000:ffff7000 .debug$S 0000000140000000 ucrtd:ucrtbased.dll
328 | 0000:ffff7000 .debug$S 0000000140000000 ucrtd:ucrtbased.dll
329 | 0000:ffff7000 .debug$S 0000000140000000 ucrtd:ucrtbased.dll
330 | 0000:ffff7000 .debug$S 0000000140000000 ucrtd:ucrtbased.dll
331 | 0000:ffff7000 .debug$S 0000000140000000 ucrtd:ucrtbased.dll
332 | 0000:ffff7000 .debug$S 0000000140000000 ucrtd:ucrtbased.dll
333 | 0000:ffff7000 .debug$S 0000000140000000 ucrtd:ucrtbased.dll
334 | 0000:ffff7000 .debug$S 0000000140000000 ucrtd:ucrtbased.dll
335 | 0000:ffff7000 .debug$S 0000000140000000 ucrtd:ucrtbased.dll
336 | 0000:ffff7000 .debug$S 0000000140000000 ucrtd:ucrtbased.dll
337 | 0000:ffff7000 .debug$S 0000000140000000 ucrtd:ucrtbased.dll
338 | 0002:ffffc000 __guard_fids_?pre_c_initialization@@YAHXZ 0000000140000000 MSVCRTD:exe_main.obj
339 | 0000:ffff7000 .debug$S 0000000140000000 ucrtd:ucrtbased.dll
340 | 0000:ffff7000 .debug$S 0000000140000000 ucrtd:ucrtbased.dll
341 | 0000:ffff7000 .debug$S 0000000140000000 ucrtd:ucrtbased.dll
342 | 0000:ffff7000 .debug$S 0000000140000000 ucrtd:ucrtbased.dll
343 | 0000:ffff7000 .debug$S 0000000140000000 ucrtd:ucrtbased.dll
344 | 0000:ffff7000 .debug$S 0000000140000000 ucrtd:ucrtbased.dll
345 | 0002:ffffc000 $unwind$?initialize_environment@__scrt_narrow_environment_policy@@SAHXZ 0000000140000000 MSVCRTD:utility.obj
346 | 0000:ffff7000 .debug$S 0000000140000000 vcruntimed:VCRUNTIME140D.dll
347 | 0000:ffff7000 .debug$S 0000000140000000 vcruntimed:VCRUNTIME140D.dll
348 | 0004:ffffa000 $pdata$?configure_argv@__scrt_narrow_argv_policy@@SAHXZ 0000000140000000 MSVCRTD:utility.obj
349 | 0002:ffffc000 $unwind$?configure_argv@__scrt_narrow_argv_policy@@SAHXZ 0000000140000000 MSVCRTD:utility.obj
350 | 0002:ffffc000 __guard_fids___scrt_set_unhandled_exception_filter 0000000140000000 MSVCRTD:utility_desktop.obj
351 | 0000:ffff7000 .debug$S 0000000140000000 ucrtd:ucrtbased.dll
352 | 0002:ffffc000 __guard_fids__ 0000000140000000 MSVCRTD:exe_main.obj
353 | 0002:ffffc004 __guard_fids__ 0000000140000004 MSVCRTD:exe_main.obj
354 | 0002:ffffc008 __guard_fids__ 0000000140000008 MSVCRTD:exe_main.obj
355 | 0001:00000720 ?pre_c_initialization@@YAHXZ 0000000140001720 f MSVCRTD:exe_main.obj
356 | 0001:000007e0 ?post_pgo_initialization@@YAHXZ 00000001400017e0 f MSVCRTD:exe_main.obj
357 | 0001:000007f0 ?pre_cpp_initialization@@YAXXZ 00000001400017f0 f MSVCRTD:exe_main.obj
358 | 0001:00000810 ?__scrt_common_main@@YAHXZ 0000000140001810 f MSVCRTD:exe_main.obj
359 | 0001:00000830 ?__scrt_common_main_seh@@YAHXZ 0000000140001830 f MSVCRTD:exe_main.obj
360 | 0001:00000a00 ?invoke_main@@YAHXZ 0000000140001a00 f MSVCRTD:exe_main.obj
361 | 0001:00000b50 ?find_pe_section@@YAPEAU_IMAGE_SECTION_HEADER@@QEAE_K@Z 0000000140001b50 f MSVCRTD:utility.obj
362 | 0001:00000c20 ?is_potentially_valid_image_base@@YA_NQEAX@Z 0000000140001c20 f MSVCRTD:utility.obj
363 | 0001:00001200 __get_entropy 0000000140002200 f MSVCRTD:gs_support.obj
364 | 0001:00001df0 $$000000 0000000140002df0 MSVCRTD:amdsecgs.obj
365 | 0001:00002120 capture_current_context 0000000140003120 f MSVCRTD:gs_report.obj
366 | 0001:000021c0 capture_previous_context 00000001400031c0 f MSVCRTD:gs_report.obj
367 | 0001:00002390 $$000000 0000000140003390 MSVCRTD:guard_dispatch.obj
368 | 0001:000023b0 ?filt$0@?0??__scrt_common_main_seh@@YAHXZ@4HA 00000001400033b0 f MSVCRTD:exe_main.obj
369 | 0001:000023e0 __scrt_is_nonwritable_in_current_image$filt$0 00000001400033e0 f MSVCRTD:utility.obj
370 | 0002:00000190 ?pre_cpp_initializer@@3P6AXXZEA 0000000140004190 MSVCRTD:exe_main.obj
371 | 0002:000001a8 ?pre_c_initializer@@3P6AHXZEA 00000001400041a8 MSVCRTD:exe_main.obj
372 | 0002:000001b0 ?post_pgo_initializer@@3P6AHXZEA 00000001400041b0 MSVCRTD:exe_main.obj
373 | 0002:000001e0 GS_ExceptionPointers 00000001400041e0 MSVCRTD:gs_report.obj
374 | 0002:00000640 $unwind$?func@@YAXXZ 0000000140004640 Source.obj
375 | 0002:00000658 $unwind$?Rc4Decrypt@@YAXPEADHPEAE@Z 0000000140004658 Source.obj
376 | 0002:00000674 $unwind$?GetFunction@@YAPEADKK@Z 0000000140004674 Source.obj
377 | 0002:00000690 $unwind$?ReadFileContent@@YAPEADAEAPEAUCustomHead@@PEAPEAE@Z 0000000140004690 Source.obj
378 | 0002:000006a0 $unwind$?ApplySpace@@YAPEADPEADP6APEAXPEAX_KKK@ZPEAUCustomHead@@@Z 00000001400046a0 Source.obj
379 | 0002:000006b0 $unwind$?CopyToMemory@@YAXPEAD0PEAUCustomHead@@@Z 00000001400046b0 Source.obj
380 | 0002:000006c8 $unwind$?Reloaction@@YAXPEADPEAUCustomHead@@@Z 00000001400046c8 Source.obj
381 | 0002:000006d4 $unwind$?LoadDll@@YAXPEADP6APEAUHINSTANCE__@@PEBD@Z2P6AP6A_JXZPEAU1@1@ZPEAUCustomHead@@@Z 00000001400046d4 Source.obj
382 | 0002:000006ec $unwind$?DeCompress@@YAPEADPEADPEAUCustomHead@@P6APEAXPEAX_KKK@ZP6AKK2K2KPEAK@Z@Z 00000001400046ec Source.obj
383 | 0002:00000700 $unwind$?post_pgo_initialization@@YAHXZ 0000000140004700 MSVCRTD:exe_main.obj
384 | 0002:00000700 $unwind$?pre_cpp_initialization@@YAXXZ 0000000140004700 MSVCRTD:exe_main.obj
385 | 0002:00000700 $unwind$?__scrt_common_main@@YAHXZ 0000000140004700 MSVCRTD:exe_main.obj
386 | 0002:00000700 $unwind$?configure_argv@__scrt_narrow_argv_policy@@SAHXZ 0000000140004700 MSVCRTD:exe_main.obj
387 | 0002:00000700 $unwind$mainCRTStartup 0000000140004700 MSVCRTD:exe_main.obj
388 | 0002:00000700 $unwind$__report_rangecheckfailure 0000000140004700 MSVCRTD:gs_report.obj
389 | 0002:00000700 $unwind$?__scrt_initialize_type_info@@YAXXZ 0000000140004700 MSVCRTD:tncleanup.obj
390 | 0002:00000700 $unwind$?pre_c_initialization@@YAHXZ 0000000140004700 MSVCRTD:exe_main.obj
391 | 0002:00000700 $unwind$__scrt_dllmain_before_initialize_c 0000000140004700 MSVCRTD:utility.obj
392 | 0002:00000700 $unwind$__scrt_dllmain_after_initialize_c 0000000140004700 MSVCRTD:utility.obj
393 | 0002:00000700 $unwind$__scrt_dllmain_uninitialize_c 0000000140004700 MSVCRTD:utility.obj
394 | 0002:00000700 $unwind$__scrt_dllmain_uninitialize_critical 0000000140004700 MSVCRTD:utility.obj
395 | 0002:00000700 $unwind$__scrt_dllmain_crt_thread_attach 0000000140004700 MSVCRTD:utility.obj
396 | 0002:00000700 $unwind$__scrt_set_unhandled_exception_filter 0000000140004700 MSVCRTD:utility_desktop.obj
397 | 0002:00000700 $unwind$?initialize_environment@__scrt_narrow_environment_policy@@SAHXZ 0000000140004700 MSVCRTD:exe_main.obj
398 | 0002:00000700 $unwind$__scrt_dllmain_crt_thread_detach 0000000140004700 MSVCRTD:utility.obj
399 | 0002:00000700 $unwind$__scrt_initialize_mta 0000000140004700 MSVCRTD:utility_desktop.obj
400 | 0002:00000700 $unwind$?set_app_type@__scrt_main_policy@@SAXXZ 0000000140004700 MSVCRTD:exe_main.obj
401 | 0002:00000700 $unwind$main 0000000140004700 Source.obj
402 | 0002:00000700 $unwind$?set_fmode@__scrt_file_policy@@SAXXZ 0000000140004700 MSVCRTD:exe_main.obj
403 | 0002:00000700 $unwind$?__scrt_uninitialize_type_info@@YAXXZ 0000000140004700 MSVCRTD:tncleanup.obj
404 | 0002:00000708 $unwind$?invoke_main@@YAHXZ 0000000140004708 MSVCRTD:exe_main.obj
405 | 0002:00000708 $unwind$__security_init_cookie 0000000140004708 MSVCRTD:gs_support.obj
406 | 0002:00000708 $unwind$__scrt_initialize_default_local_stdio_options 0000000140004708 MSVCRTD:default_local_stdio_options.obj
407 | 0002:00000708 $unwind$?set_commode@__scrt_file_policy@@SAXXZ 0000000140004708 MSVCRTD:exe_main.obj
408 | 0002:00000708 $unwind$_guard_icall_checks_enforced 0000000140004708 MSVCRTD:guard_support.obj
409 | 0002:00000708 $unwind$__scrt_is_managed_app 0000000140004708 MSVCRTD:utility_desktop.obj
410 | 0002:00000710 $unwind$?__scrt_common_main_seh@@YAHXZ 0000000140004710 MSVCRTD:exe_main.obj
411 | 0002:00000730 $unwind$?filt$0@?0??__scrt_common_main_seh@@YAHXZ@4HA 0000000140004730 MSVCRTD:exe_main.obj
412 | 0002:00000730 $unwind$__scrt_is_nonwritable_in_current_image$filt$0 0000000140004730 MSVCRTD:utility.obj
413 | 0002:00000738 $unwind$__report_gsfailure 0000000140004738 MSVCRTD:gs_report.obj
414 | 0002:00000738 $unwind$atexit 0000000140004738 MSVCRTD:utility.obj
415 | 0002:00000738 $unwind$__scrt_unhandled_exception_filter 0000000140004738 MSVCRTD:utility_desktop.obj
416 | 0002:00000738 $unwind$at_quick_exit 0000000140004738 MSVCRTD:utility.obj
417 | 0002:00000740 $unwind$_onexit 0000000140004740 MSVCRTD:utility.obj
418 | 0002:00000748 $unwind$__scrt_is_nonwritable_in_current_image 0000000140004748 MSVCRTD:utility.obj
419 | 0002:00000768 $unwind$__scrt_acquire_startup_lock 0000000140004768 MSVCRTD:utility.obj
420 | 0002:00000770 $unwind$__scrt_release_startup_lock 0000000140004770 MSVCRTD:utility.obj
421 | 0002:00000770 $unwind$__scrt_initialize_crt 0000000140004770 MSVCRTD:utility.obj
422 | 0002:00000770 $unwind$__report_securityfailure 0000000140004770 MSVCRTD:gs_report.obj
423 | 0002:00000778 $unwind$__scrt_uninitialize_crt 0000000140004778 MSVCRTD:utility.obj
424 | 0002:00000780 $unwind$__scrt_initialize_onexit_tables 0000000140004780 MSVCRTD:utility.obj
425 | 0002:0000078c $unwind$__scrt_dllmain_exception_filter 000000014000478c MSVCRTD:utility.obj
426 | 0002:00000794 $unwind$__raise_securityfailure 0000000140004794 MSVCRTD:gs_report.obj
427 | 0002:00000794 $unwind$?is_potentially_valid_image_base@@YA_NQEAX@Z 0000000140004794 MSVCRTD:utility.obj
428 | 0002:00000794 $unwind$??$__crt_fast_encode_pointer@PEAP6AXXZ@@YAPEAP6AXXZQEAP6AXXZ@Z 0000000140004794 MSVCRTD:utility.obj
429 | 0002:00000794 $unwind$ReadPointerNoFence 0000000140004794 MSVCRTD:guard_support.obj
430 | 0002:00000794 $unwind$??$__crt_fast_decode_pointer@PEAP6AXXZ@@YAPEAP6AXXZQEAP6AXXZ@Z 0000000140004794 MSVCRTD:utility.obj
431 | 0002:0000079c $unwind$?find_pe_section@@YAPEAU_IMAGE_SECTION_HEADER@@QEAE_K@Z 000000014000479c MSVCRTD:utility.obj
432 | 0002:000007a4 $unwind$__get_entropy 00000001400047a4 MSVCRTD:gs_support.obj
433 | 0002:000007ac $unwind$__scrt_is_user_matherr_present 00000001400047ac MSVCRTD:matherr_detection.obj
434 | 0002:000007ac $unwind$__scrt_is_ucrt_dll_in_use 00000001400047ac MSVCRTD:ucrt_detection.obj
435 | 0002:000007b4 $unwind$__scrt_get_show_window_mode 00000001400047b4 MSVCRTD:utility_desktop.obj
436 | 0002:000007c0 $unwind$__scrt_fastfail 00000001400047c0 MSVCRTD:utility_desktop.obj
437 | 0002:000007cc $unwind$_RTC_Terminate 00000001400047cc MSVCRTD:initsect.obj
438 | 0002:000007cc $unwind$_RTC_Initialize 00000001400047cc MSVCRTD:initsect.obj
439 | 0002:000007d8 $unwind$ReadNoFence64 00000001400047d8 MSVCRTD:guard_support.obj
440 | 0002:000007e0 $unwind$__isa_available_init 00000001400047e0 MSVCRTD:cpu_disp.obj
441 | 0002:000007f0 $xdatasym 00000001400047f0 MSVCRTD:guard_dispatch.obj
442 | 0002:000007f4 $unwind$__GSHandlerCheckCommon 00000001400047f4 MSVCRTD:gshandler.obj
443 | 0002:000007fc $unwind$__GSHandlerCheck 00000001400047fc MSVCRTD:gshandler.obj
444 | 0002:00000808 $xdatasym 0000000140004808 MSVCRTD:amdsecgs.obj
445 | 0002:0000080c $unwind$__report_securityfailureEx 000000014000480c MSVCRTD:gs_report.obj
446 | 0002:00000814 $unwind$capture_current_context 0000000140004814 MSVCRTD:gs_report.obj
447 | 0002:00000814 $unwind$capture_previous_context 0000000140004814 MSVCRTD:gs_report.obj
448 | 0002:00000a20 .idata$6 0000000140004a20 vcruntimed:VCRUNTIME140D.dll
449 | 0002:00000c24 .idata$6 0000000140004c24 ucrtd:ucrtbased.dll
450 | 0002:00000da2 .idata$6 0000000140004da2 kernel32:KERNEL32.dll
451 | 0003:00000050 ?is_initialized_as_dll@@3_NA 0000000140005050 MSVCRTD:utility.obj
452 | 0003:00000051 ?module_local_atexit_table_initialized@@3_NA 0000000140005051 MSVCRTD:utility.obj
453 | 0003:00000058 ?module_local_atexit_table@@3U_onexit_table_t@@A 0000000140005058 MSVCRTD:utility.obj
454 | 0003:00000070 ?module_local_at_quick_exit_table@@3U_onexit_table_t@@A 0000000140005070 MSVCRTD:utility.obj
455 | 0003:000000c0 GS_ExceptionRecord 00000001400050c0 MSVCRTD:gs_report.obj
456 | 0003:00000160 GS_ContextRecord 0000000140005160 MSVCRTD:gs_report.obj
457 | 0004:00000000 $pdata$?Rc4Decrypt@@YAXPEADHPEAE@Z 0000000140006000 Source.obj
458 | 0004:0000000c $pdata$?GetFunction@@YAPEADKK@Z 000000014000600c Source.obj
459 | 0004:00000018 $pdata$?ReadFileContent@@YAPEADAEAPEAUCustomHead@@PEAPEAE@Z 0000000140006018 Source.obj
460 | 0004:00000024 $pdata$?ApplySpace@@YAPEADPEADP6APEAXPEAX_KKK@ZPEAUCustomHead@@@Z 0000000140006024 Source.obj
461 | 0004:00000030 $pdata$?CopyToMemory@@YAXPEAD0PEAUCustomHead@@@Z 0000000140006030 Source.obj
462 | 0004:0000003c $pdata$?Reloaction@@YAXPEADPEAUCustomHead@@@Z 000000014000603c Source.obj
463 | 0004:00000048 $pdata$?LoadDll@@YAXPEADP6APEAUHINSTANCE__@@PEBD@Z2P6AP6A_JXZPEAU1@1@ZPEAUCustomHead@@@Z 0000000140006048 Source.obj
464 | 0004:00000054 $pdata$?DeCompress@@YAPEADPEADPEAUCustomHead@@P6APEAXPEAX_KKK@ZP6AKK2K2KPEAK@Z@Z 0000000140006054 Source.obj
465 | 0004:00000060 $pdata$?func@@YAXXZ 0000000140006060 Source.obj
466 | 0004:0000006c $pdata$main 000000014000606c Source.obj
467 | 0004:00000078 $pdata$?configure_argv@__scrt_narrow_argv_policy@@SAHXZ 0000000140006078 MSVCRTD:exe_main.obj
468 | 0004:00000084 $pdata$?initialize_environment@__scrt_narrow_environment_policy@@SAHXZ 0000000140006084 MSVCRTD:exe_main.obj
469 | 0004:00000090 $pdata$?set_app_type@__scrt_main_policy@@SAXXZ 0000000140006090 MSVCRTD:exe_main.obj
470 | 0004:0000009c $pdata$?set_fmode@__scrt_file_policy@@SAXXZ 000000014000609c MSVCRTD:exe_main.obj
471 | 0004:000000a8 $pdata$?set_commode@__scrt_file_policy@@SAXXZ 00000001400060a8 MSVCRTD:exe_main.obj
472 | 0004:000000b4 $pdata$?invoke_main@@YAHXZ 00000001400060b4 MSVCRTD:exe_main.obj
473 | 0004:000000c0 $pdata$?pre_c_initialization@@YAHXZ 00000001400060c0 MSVCRTD:exe_main.obj
474 | 0004:000000cc $pdata$?post_pgo_initialization@@YAHXZ 00000001400060cc MSVCRTD:exe_main.obj
475 | 0004:000000d8 $pdata$?pre_cpp_initialization@@YAXXZ 00000001400060d8 MSVCRTD:exe_main.obj
476 | 0004:000000e4 $pdata$?__scrt_common_main_seh@@YAHXZ 00000001400060e4 MSVCRTD:exe_main.obj
477 | 0004:000000f0 $pdata$?filt$0@?0??__scrt_common_main_seh@@YAHXZ@4HA 00000001400060f0 MSVCRTD:exe_main.obj
478 | 0004:000000fc $pdata$?__scrt_common_main@@YAHXZ 00000001400060fc MSVCRTD:exe_main.obj
479 | 0004:00000108 $pdata$mainCRTStartup 0000000140006108 MSVCRTD:exe_main.obj
480 | 0004:00000114 $pdata$atexit 0000000140006114 MSVCRTD:utility.obj
481 | 0004:00000120 $pdata$_onexit 0000000140006120 MSVCRTD:utility.obj
482 | 0004:0000012c $pdata$at_quick_exit 000000014000612c MSVCRTD:utility.obj
483 | 0004:00000138 $pdata$__scrt_is_nonwritable_in_current_image 0000000140006138 MSVCRTD:utility.obj
484 | 0004:00000144 $pdata$__scrt_is_nonwritable_in_current_image$filt$0 0000000140006144 MSVCRTD:utility.obj
485 | 0004:00000150 $pdata$__scrt_acquire_startup_lock 0000000140006150 MSVCRTD:utility.obj
486 | 0004:0000015c $pdata$__scrt_release_startup_lock 000000014000615c MSVCRTD:utility.obj
487 | 0004:00000168 $pdata$__scrt_initialize_crt 0000000140006168 MSVCRTD:utility.obj
488 | 0004:00000174 $pdata$__scrt_uninitialize_crt 0000000140006174 MSVCRTD:utility.obj
489 | 0004:00000180 $pdata$__scrt_initialize_onexit_tables 0000000140006180 MSVCRTD:utility.obj
490 | 0004:0000018c $pdata$__scrt_dllmain_exception_filter 000000014000618c MSVCRTD:utility.obj
491 | 0004:00000198 $pdata$__scrt_dllmain_before_initialize_c 0000000140006198 MSVCRTD:utility.obj
492 | 0004:000001a4 $pdata$__scrt_dllmain_after_initialize_c 00000001400061a4 MSVCRTD:utility.obj
493 | 0004:000001b0 $pdata$__scrt_dllmain_uninitialize_c 00000001400061b0 MSVCRTD:utility.obj
494 | 0004:000001bc $pdata$__scrt_dllmain_uninitialize_critical 00000001400061bc MSVCRTD:utility.obj
495 | 0004:000001c8 $pdata$__scrt_dllmain_crt_thread_attach 00000001400061c8 MSVCRTD:utility.obj
496 | 0004:000001d4 $pdata$__scrt_dllmain_crt_thread_detach 00000001400061d4 MSVCRTD:utility.obj
497 | 0004:000001e0 $pdata$?is_potentially_valid_image_base@@YA_NQEAX@Z 00000001400061e0 MSVCRTD:utility.obj
498 | 0004:000001ec $pdata$?find_pe_section@@YAPEAU_IMAGE_SECTION_HEADER@@QEAE_K@Z 00000001400061ec MSVCRTD:utility.obj
499 | 0004:000001f8 $pdata$??$__crt_fast_decode_pointer@PEAP6AXXZ@@YAPEAP6AXXZQEAP6AXXZ@Z 00000001400061f8 MSVCRTD:utility.obj
500 | 0004:00000204 $pdata$??$__crt_fast_encode_pointer@PEAP6AXXZ@@YAPEAP6AXXZQEAP6AXXZ@Z 0000000140006204 MSVCRTD:utility.obj
501 | 0004:00000210 $pdata$__security_init_cookie 0000000140006210 MSVCRTD:gs_support.obj
502 | 0004:0000021c $pdata$__get_entropy 000000014000621c MSVCRTD:gs_support.obj
503 | 0004:00000228 $pdata$?__scrt_initialize_type_info@@YAXXZ 0000000140006228 MSVCRTD:tncleanup.obj
504 | 0004:00000234 $pdata$?__scrt_uninitialize_type_info@@YAXXZ 0000000140006234 MSVCRTD:tncleanup.obj
505 | 0004:00000240 $pdata$__scrt_initialize_default_local_stdio_options 0000000140006240 MSVCRTD:default_local_stdio_options.obj
506 | 0004:0000024c $pdata$__scrt_is_user_matherr_present 000000014000624c MSVCRTD:matherr_detection.obj
507 | 0004:00000258 $pdata$__scrt_get_show_window_mode 0000000140006258 MSVCRTD:utility_desktop.obj
508 | 0004:00000264 $pdata$__scrt_is_managed_app 0000000140006264 MSVCRTD:utility_desktop.obj
509 | 0004:00000270 $pdata$__scrt_initialize_mta 0000000140006270 MSVCRTD:utility_desktop.obj
510 | 0004:0000027c $pdata$__scrt_set_unhandled_exception_filter 000000014000627c MSVCRTD:utility_desktop.obj
511 | 0004:00000288 $pdata$__scrt_fastfail 0000000140006288 MSVCRTD:utility_desktop.obj
512 | 0004:00000294 $pdata$__scrt_unhandled_exception_filter 0000000140006294 MSVCRTD:utility_desktop.obj
513 | 0004:000002a0 $pdata$_RTC_Initialize 00000001400062a0 MSVCRTD:initsect.obj
514 | 0004:000002ac $pdata$_RTC_Terminate 00000001400062ac MSVCRTD:initsect.obj
515 | 0004:000002b8 $pdata$ReadNoFence64 00000001400062b8 MSVCRTD:guard_support.obj
516 | 0004:000002c4 $pdata$ReadPointerNoFence 00000001400062c4 MSVCRTD:guard_support.obj
517 | 0004:000002d0 $pdata$_guard_icall_checks_enforced 00000001400062d0 MSVCRTD:guard_support.obj
518 | 0004:000002dc $pdata$__isa_available_init 00000001400062dc MSVCRTD:cpu_disp.obj
519 | 0004:000002e8 $pdata$__scrt_is_ucrt_dll_in_use 00000001400062e8 MSVCRTD:ucrt_detection.obj
520 | 0004:00000300 $pdata$__GSHandlerCheckCommon 0000000140006300 MSVCRTD:gshandler.obj
521 | 0004:0000030c $pdata$__GSHandlerCheck 000000014000630c MSVCRTD:gshandler.obj
522 | 0004:00000324 $pdata$__report_securityfailure 0000000140006324 MSVCRTD:gs_report.obj
523 | 0004:00000330 $pdata$__report_securityfailureEx 0000000140006330 MSVCRTD:gs_report.obj
524 | 0004:0000033c $pdata$__report_rangecheckfailure 000000014000633c MSVCRTD:gs_report.obj
525 | 0004:00000348 $pdata$__report_gsfailure 0000000140006348 MSVCRTD:gs_report.obj
526 | 0004:00000354 $pdata$capture_current_context 0000000140006354 MSVCRTD:gs_report.obj
527 | 0004:00000360 $pdata$capture_previous_context 0000000140006360 MSVCRTD:gs_report.obj
528 | 0004:0000036c $pdata$__raise_securityfailure 000000014000636c MSVCRTD:gs_report.obj
529 | 0005:00000060 $R000000 0000000140007060 * linker generated manifest res *
530 |
--------------------------------------------------------------------------------
/PELoader/order.txt:
--------------------------------------------------------------------------------
1 | ?func@@YAXXZ
--------------------------------------------------------------------------------
/Readme.md:
--------------------------------------------------------------------------------
1 | # PE2Shellcode
2 |
3 | Converts a PE file so that it can then be injected just like normal shellcode.
4 |
5 | # How to use
6 |
7 | Optional parameters:
8 |
9 | > P2S.exe <path of PE> [output path] [-?]
10 | > [-r] Rc4 encrypt
11 | > [-c] Compress PE file
12 |
13 | i.e.
14 | > P2S_x86.exe test.exe test_x86.bin -c -r
15 | > P2S_x64.exe test64.exe test_x64.bin -r
16 |
--------------------------------------------------------------------------------
/Test/Test.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 15.0
23 | {0B7FEBF4-FBCE-46E7-B864-398625233D5C}
24 | Win32Proj
25 | Test
26 | 10.0.18362.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v141
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v141
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v141
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v141
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 | true
75 |
76 |
77 | true
78 |
79 |
80 | false
81 |
82 |
83 | false
84 |
85 |
86 |
87 | Level3
88 | Disabled
89 | true
90 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
91 | true
92 |
93 |
94 | true
95 | Console
96 |
97 |
98 |
99 |
100 | Level3
101 | Disabled
102 | true
103 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
104 | true
105 |
106 |
107 | true
108 | Console
109 |
110 |
111 |
112 |
113 | Level3
114 | MaxSpeed
115 | true
116 | true
117 | true
118 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
119 | true
120 |
121 |
122 | true
123 | true
124 | true
125 | Console
126 |
127 |
128 |
129 |
130 | Level3
131 | MaxSpeed
132 | true
133 | true
134 | true
135 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
136 | true
137 |
138 |
139 | true
140 | true
141 | true
142 | Console
143 |
144 |
145 |
146 |
147 |
148 |
149 |
150 |
151 |
--------------------------------------------------------------------------------
/Test/Test.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | 资源文件
20 |
21 |
22 |
--------------------------------------------------------------------------------
/Test/main.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
// Minimal GUI program: shows a single message box and exits with status 0.
// NOTE(review): presumably this is the sample PE that gets fed to the
// converter (the Readme's example input is test.exe) -- confirm.
int main()
{
	// No owner window (NULL) and the default OK-only style (MB_OK == 0),
	// i.e. the same values as the literal zeros this call used before.
	const char *text = "suc";
	const char *caption = "------";

	MessageBoxA(NULL, text, caption, MB_OK);
	return 0;
}
--------------------------------------------------------------------------------
/TestBin/TestBin.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 15.0
23 | {4A4DA453-788F-4D22-9A09-2134143DA1E3}
24 | Win32Proj
25 | TestBin
26 | 10.0.18362.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v141
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v141
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v141
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v141
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 | true
75 |
76 |
77 | true
78 |
79 |
80 | false
81 |
82 |
83 | false
84 |
85 |
86 |
87 | Level3
88 | Disabled
89 | true
90 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
91 | true
92 |
93 |
94 | true
95 | Console
96 |
97 |
98 |
99 |
100 | Level3
101 | Disabled
102 | true
103 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
104 | true
105 |
106 |
107 | true
108 | Console
109 |
110 |
111 |
112 |
113 | Level3
114 | MaxSpeed
115 | true
116 | true
117 | true
118 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
119 | true
120 |
121 |
122 | true
123 | true
124 | true
125 | Console
126 |
127 |
128 |
129 |
130 | Level3
131 | MaxSpeed
132 | true
133 | true
134 | true
135 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
136 | true
137 |
138 |
139 | true
140 | true
141 | true
142 | Console
143 |
144 |
145 |
146 |
147 |
148 |
149 |
150 |
151 |
--------------------------------------------------------------------------------
/TestBin/TestBin.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | 资源文件
20 |
21 |
22 |
--------------------------------------------------------------------------------
/TestBin/main.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
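/*
 * Test harness: reads the converted blob for the current architecture
 * (test_x64.bin or test_x86.bin, relative to the working directory) into a
 * freshly allocated executable region and calls it as void(*)(void).
 *
 * Returns 0 once the blob returns control, 1 if the file cannot be opened,
 * sized, allocated for, or read in full. The original ran the call even
 * when any of those steps had failed, which jumped into a NULL or
 * partially filled region.
 *
 * NOTE(review): wmain normally receives wchar_t **argv; the parameters are
 * unused here, so the declared type is left as the file had it.
 *
 * NOTE(review): the file contents are executed with no integrity or origin
 * check, and the region stays PAGE_EXECUTE_READWRITE as in the original
 * (whether the blob needs to write to its own pages is not visible from
 * this file). A private RWX region that is then called into is a common
 * memory-scanner signal, so expect endpoint protection to flag this
 * harness on a monitored host.
 */
int wmain(int argc, char **argv)
{
	(void)argc;
	(void)argv;

#ifdef _WIN64
	const char *blobPath = "test_x64.bin";
#else
	const char *blobPath = "test_x86.bin";
#endif // _WIN64

	HANDLE hFile = CreateFileA(blobPath, GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
	if (hFile == INVALID_HANDLE_VALUE)
	{
		return 1;
	}

	// An empty file would make VirtualAlloc fail (size 0) and leaves nothing to run.
	DWORD fileSize = GetFileSize(hFile, NULL);
	if (fileSize == INVALID_FILE_SIZE || fileSize == 0)
	{
		CloseHandle(hFile);
		return 1;
	}

	void * base = VirtualAlloc(NULL, fileSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	if (base == NULL)
	{
		CloseHandle(hFile);
		return 1;
	}

	DWORD bytesRead = 0;
	BOOL readOk = ReadFile(hFile, base, fileSize, &bytesRead, NULL);
	CloseHandle(hFile);

	// Refuse to run a truncated image: a short read leaves the tail zero-filled.
	if (!readOk || bytesRead != fileSize)
	{
		VirtualFree(base, 0, MEM_RELEASE);
		return 1;
	}

	((void(*)(void))base)();

	// The region is deliberately not released here, matching the original:
	// code started by the blob may still be running from it.
	return 0;
}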
--------------------------------------------------------------------------------