├── Capture.PNG ├── Dll2Shellcode.sln ├── Dll2Shellcode ├── Dll2Shellcode.csproj ├── Form1.Designer.cs ├── Form1.cs ├── Form1.resx ├── Program.cs ├── Properties │ ├── Resources.Designer.cs │ ├── Resources.resx │ ├── Settings.Designer.cs │ └── Settings.settings └── sRDI.cs └── README.md /Capture.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/w1u0u1/Dll2Shellcode/f5951204fb123b6114844dc25842ceb8a1edf329/Capture.PNG -------------------------------------------------------------------------------- /Dll2Shellcode.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.30907.101 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Dll2Shellcode", "Dll2Shellcode\Dll2Shellcode.csproj", "{988C97F1-7ADC-4510-B342-FDCBA98B91E6}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Release|Any CPU = Release|Any CPU 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {988C97F1-7ADC-4510-B342-FDCBA98B91E6}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 15 | {988C97F1-7ADC-4510-B342-FDCBA98B91E6}.Debug|Any CPU.Build.0 = Debug|Any CPU 16 | {988C97F1-7ADC-4510-B342-FDCBA98B91E6}.Release|Any CPU.ActiveCfg = Release|Any CPU 17 | {988C97F1-7ADC-4510-B342-FDCBA98B91E6}.Release|Any CPU.Build.0 = Release|Any CPU 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | EndGlobalSection 22 | GlobalSection(ExtensibilityGlobals) = postSolution 23 | SolutionGuid = {CEF3AEF6-498E-40B4-AA83-4A5470A38B5F} 24 | EndGlobalSection 25 | EndGlobal 26 | -------------------------------------------------------------------------------- /Dll2Shellcode/Dll2Shellcode.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {988C97F1-7ADC-4510-B342-FDCBA98B91E6} 8 | WinExe 9 | Dll2Shellcode 10 | Dll2Shellcode 11 | v4.0 12 | 512 13 | true 14 | 15 | 16 | AnyCPU 17 | true 18 | full 19 | false 20 | bin\Debug\ 21 | DEBUG;TRACE 22 | prompt 23 | 4 24 | 25 | 26 | AnyCPU 27 | none 28 | true 29 | ..\bin\Release\ 30 | TRACE 31 | prompt 32 | 4 33 | true 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | Form 53 | 54 | 55 | Form1.cs 56 | 57 | 58 | 59 | 60 | Form1.cs 61 | 62 | 63 | ResXFileCodeGenerator 64 | Resources.Designer.cs 65 | Designer 66 | 67 | 68 | True 69 | Resources.resx 70 | 71 | 72 | SettingsSingleFileGenerator 73 | Settings.Designer.cs 74 | 75 | 76 | True 77 | Settings.settings 78 | True 79 | 80 | 81 | 82 | -------------------------------------------------------------------------------- /Dll2Shellcode/Form1.Designer.cs: -------------------------------------------------------------------------------- 1 | namespace Dll2Shellcode 2 | { 3 | partial class Form1 4 | { 5 | ///

6 | /// Required designer variable. 7 | ///

8 | private System.ComponentModel.IContainer components = null; 9 | 10 | ///

11 | /// Clean up any resources being used. 12 | ///

13 | /// true if managed resources should be disposed; otherwise, false. 14 | protected override void Dispose(bool disposing) 15 | { 16 | if (disposing && (components != null)) 17 | { 18 | components.Dispose(); 19 | } 20 | base.Dispose(disposing); 21 | } 22 | 23 | #region Windows Form Designer generated code 24 | 25 | ///

26 | /// Required method for Designer support - do not modify 27 | /// the contents of this method with the code editor. 28 | ///

29 | private void InitializeComponent() 30 | { 31 | this.label1 = new System.Windows.Forms.Label(); 32 | this.label2 = new System.Windows.Forms.Label(); 33 | this.txtDll = new System.Windows.Forms.TextBox(); 34 | this.txtFunction = new System.Windows.Forms.TextBox(); 35 | this.label3 = new System.Windows.Forms.Label(); 36 | this.txtArgument = new System.Windows.Forms.TextBox(); 37 | this.btnBowser = new System.Windows.Forms.Button(); 38 | this.btnBuild = new System.Windows.Forms.Button(); 39 | this.btnCancel = new System.Windows.Forms.Button(); 40 | this.SuspendLayout(); 41 | // 42 | // label1 43 | // 44 | this.label1.AutoSize = true; 45 | this.label1.Location = new System.Drawing.Point(9, 30); 46 | this.label1.Name = "label1"; 47 | this.label1.Size = new System.Drawing.Size(22, 13); 48 | this.label1.TabIndex = 0; 49 | this.label1.Text = "Dll:"; 50 | // 51 | // label2 52 | // 53 | this.label2.AutoSize = true; 54 | this.label2.Location = new System.Drawing.Point(9, 63); 55 | this.label2.Name = "label2"; 56 | this.label2.Size = new System.Drawing.Size(45, 13); 57 | this.label2.TabIndex = 0; 58 | this.label2.Text = "Funtion:"; 59 | // 60 | // txtDll 61 | // 62 | this.txtDll.Location = new System.Drawing.Point(60, 26); 63 | this.txtDll.Name = "txtDll"; 64 | this.txtDll.Size = new System.Drawing.Size(385, 20); 65 | this.txtDll.TabIndex = 0; 66 | // 67 | // txtFunction 68 | // 69 | this.txtFunction.Location = new System.Drawing.Point(60, 59); 70 | this.txtFunction.Name = "txtFunction"; 71 | this.txtFunction.Size = new System.Drawing.Size(240, 20); 72 | this.txtFunction.TabIndex = 2; 73 | // 74 | // label3 75 | // 76 | this.label3.AutoSize = true; 77 | this.label3.Location = new System.Drawing.Point(9, 99); 78 | this.label3.Name = "label3"; 79 | this.label3.Size = new System.Drawing.Size(55, 13); 80 | this.label3.TabIndex = 0; 81 | this.label3.Text = "Argument:"; 82 | // 83 | // txtArgument 84 | // 85 | this.txtArgument.Location = new System.Drawing.Point(60, 99); 86 | this.txtArgument.Multiline = true; 87 | this.txtArgument.Name = "txtArgument"; 88 | this.txtArgument.Size = new System.Drawing.Size(429, 220); 89 | this.txtArgument.TabIndex = 3; 90 | // 91 | // btnBowser 92 | // 93 | this.btnBowser.Location = new System.Drawing.Point(449, 25); 94 | this.btnBowser.Name = "btnBowser"; 95 | this.btnBowser.Size = new System.Drawing.Size(40, 23); 96 | this.btnBowser.TabIndex = 1; 97 | this.btnBowser.Text = "..."; 98 | this.btnBowser.UseVisualStyleBackColor = true; 99 | this.btnBowser.Click += new System.EventHandler(this.BtnBowser_Click); 100 | // 101 | // btnBuild 102 | // 103 | this.btnBuild.Location = new System.Drawing.Point(284, 333); 104 | this.btnBuild.Name = "btnBuild"; 105 | this.btnBuild.Size = new System.Drawing.Size(75, 23); 106 | this.btnBuild.TabIndex = 4; 107 | this.btnBuild.Text = "Build"; 108 | this.btnBuild.UseVisualStyleBackColor = true; 109 | this.btnBuild.Click += new System.EventHandler(this.BtnBuild_Click); 110 | // 111 | // btnCancel 112 | // 113 | this.btnCancel.Location = new System.Drawing.Point(382, 333); 114 | this.btnCancel.Name = "btnCancel"; 115 | this.btnCancel.Size = new System.Drawing.Size(75, 23); 116 | this.btnCancel.TabIndex = 5; 117 | this.btnCancel.Text = "Cancel"; 118 | this.btnCancel.UseVisualStyleBackColor = true; 119 | this.btnCancel.Click += new System.EventHandler(this.BtnCancel_Click); 120 | // 121 | // Form1 122 | // 123 | this.AcceptButton = this.btnBuild; 124 | this.AutoScaleDimensions = new System.Drawing.SizeF(6F, 13F); 125 | this.AutoScaleMode = System.Windows.Forms.AutoScaleMode.Font; 126 | this.ClientSize = new System.Drawing.Size(507, 370); 127 | this.Controls.Add(this.btnCancel); 128 | this.Controls.Add(this.btnBuild); 129 | this.Controls.Add(this.btnBowser); 130 | this.Controls.Add(this.txtArgument); 131 | this.Controls.Add(this.txtFunction); 132 | this.Controls.Add(this.label3); 133 | this.Controls.Add(this.txtDll); 134 | this.Controls.Add(this.label2); 135 | this.Controls.Add(this.label1); 136 | this.FormBorderStyle = System.Windows.Forms.FormBorderStyle.FixedSingle; 137 | this.MaximizeBox = false; 138 | this.Name = "Form1"; 139 | this.StartPosition = System.Windows.Forms.FormStartPosition.CenterScreen; 140 | this.Text = "Dll2Shellcode 1.0"; 141 | this.ResumeLayout(false); 142 | this.PerformLayout(); 143 | 144 | } 145 | 146 | #endregion 147 | 148 | private System.Windows.Forms.Label label1; 149 | private System.Windows.Forms.Label label2; 150 | private System.Windows.Forms.TextBox txtDll; 151 | private System.Windows.Forms.TextBox txtFunction; 152 | private System.Windows.Forms.Label label3; 153 | private System.Windows.Forms.TextBox txtArgument; 154 | private System.Windows.Forms.Button btnBowser; 155 | private System.Windows.Forms.Button btnBuild; 156 | private System.Windows.Forms.Button btnCancel; 157 | } 158 | } 159 | 160 | -------------------------------------------------------------------------------- /Dll2Shellcode/Form1.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.IO; 3 | using System.Text; 4 | using System.Windows.Forms; 5 | 6 | namespace Dll2Shellcode 7 | { 8 | partial class Form1 : Form 9 | { 10 | public Form1() 11 | { 12 | InitializeComponent(); 13 | } 14 | 15 | private void BtnBowser_Click(object sender, EventArgs e) 16 | { 17 | OpenFileDialog ofd = new OpenFileDialog(); 18 | ofd.Filter = "Dll Files(*.dll)|*.dll|All Files(*.*)|*.*"; 19 | if (ofd.ShowDialog() == DialogResult.OK) 20 | { 21 | txtDll.Text = ofd.FileName; 22 | } 23 | } 24 | 25 | private void BtnBuild_Click(object sender, EventArgs e) 26 | { 27 | try 28 | { 29 | if(txtDll.Text.Length == 0 || !File.Exists(txtDll.Text)) 30 | { 31 | txtDll.Focus(); 32 | return; 33 | } 34 | 35 | SaveFileDialog sfd = new SaveFileDialog(); 36 | sfd.Filter = "Bin Files(*.bin)|*.bin|All Files(*.*)|*.*"; 37 | sfd.FileName = Path.GetFileNameWithoutExtension(txtDll.Text); 38 | if (sfd.ShowDialog() == DialogResult.OK) 39 | { 40 | byte[] userData = new byte[] { }; 41 | if (txtArgument.Text.Length > 0) 42 | userData = Encoding.Default.GetBytes(txtArgument.Text + "\0"); 43 | 44 | byte[] sc = null; 45 | if (txtFunction.Text.Length > 0) 46 | sc = sRDI.ConvertToShellcode(File.ReadAllBytes(txtDll.Text), txtFunction.Text, userData, 0); 47 | else 48 | sc = sRDI.ConvertToShellcode(File.ReadAllBytes(txtDll.Text), 0, userData, 0); 49 | 50 | File.WriteAllBytes(sfd.FileName, sc); 51 | } 52 | } 53 | catch(Exception ex) 54 | { 55 | MessageBox.Show(ex.Message); 56 | } 57 | } 58 | 59 | private void BtnCancel_Click(object sender, EventArgs e) 60 | { 61 | this.Close(); 62 | } 63 | } 64 | } -------------------------------------------------------------------------------- /Dll2Shellcode/Form1.resx: -------------------------------------------------------------------------------- 1 | 2 | 3 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | text/microsoft-resx 110 | 111 | 112 | 2.0 113 | 114 | 115 | System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 116 | 117 | 118 | System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 119 | 120 | -------------------------------------------------------------------------------- /Dll2Shellcode/Program.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Windows.Forms; 3 | 4 | namespace Dll2Shellcode 5 | { 6 | static class Program 7 | { 8 | ///

9 | /// The main entry point for the application. 10 | ///

11 | [STAThread] 12 | static void Main() 13 | { 14 | Application.EnableVisualStyles(); 15 | Application.SetCompatibleTextRenderingDefault(false); 16 | Application.Run(new Form1()); 17 | } 18 | } 19 | } -------------------------------------------------------------------------------- /Dll2Shellcode/Properties/Resources.Designer.cs: -------------------------------------------------------------------------------- 1 | //------------------------------------------------------------------------------ 2 | // 3 | // This code was generated by a tool. 4 | // Runtime Version:4.0.30319.42000 5 | // 6 | // Changes to this file may cause incorrect behavior and will be lost if 7 | // the code is regenerated. 8 | // 9 | //------------------------------------------------------------------------------ 10 | 11 | namespace Dll2Shellcode.Properties 12 | { 13 | 14 | 15 | ///

16 | /// A strongly-typed resource class, for looking up localized strings, etc. 17 | ///

18 | // This class was auto-generated by the StronglyTypedResourceBuilder 19 | // class via a tool like ResGen or Visual Studio. 20 | // To add or remove a member, edit your .ResX file then rerun ResGen 21 | // with the /str option, or rebuild your VS project. 22 | [global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "4.0.0.0")] 23 | [global::System.Diagnostics.DebuggerNonUserCodeAttribute()] 24 | [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()] 25 | internal class Resources 26 | { 27 | 28 | private static global::System.Resources.ResourceManager resourceMan; 29 | 30 | private static global::System.Globalization.CultureInfo resourceCulture; 31 | 32 | [global::System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("Microsoft.Performance", "CA1811:AvoidUncalledPrivateCode")] 33 | internal Resources() 34 | { 35 | } 36 | 37 | ///

38 | /// Returns the cached ResourceManager instance used by this class. 39 | ///

40 | [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)] 41 | internal static global::System.Resources.ResourceManager ResourceManager 42 | { 43 | get 44 | { 45 | if ((resourceMan == null)) 46 | { 47 | global::System.Resources.ResourceManager temp = new global::System.Resources.ResourceManager("Dll2Shellcode.Properties.Resources", typeof(Resources).Assembly); 48 | resourceMan = temp; 49 | } 50 | return resourceMan; 51 | } 52 | } 53 | 54 | ///

55 | /// Overrides the current thread's CurrentUICulture property for all 56 | /// resource lookups using this strongly typed resource class. 57 | ///

58 | [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)] 59 | internal static global::System.Globalization.CultureInfo Culture 60 | { 61 | get 62 | { 63 | return resourceCulture; 64 | } 65 | set 66 | { 67 | resourceCulture = value; 68 | } 69 | } 70 | } 71 | } 72 | -------------------------------------------------------------------------------- /Dll2Shellcode/Properties/Resources.resx: -------------------------------------------------------------------------------- 1 | 2 | 3 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | text/microsoft-resx 107 | 108 | 109 | 2.0 110 | 111 | 112 | System.Resources.ResXResourceReader, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 113 | 114 | 115 | System.Resources.ResXResourceWriter, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 116 | 117 | -------------------------------------------------------------------------------- /Dll2Shellcode/Properties/Settings.Designer.cs: -------------------------------------------------------------------------------- 1 | //------------------------------------------------------------------------------ 2 | // 3 | // This code was generated by a tool. 4 | // Runtime Version:4.0.30319.42000 5 | // 6 | // Changes to this file may cause incorrect behavior and will be lost if 7 | // the code is regenerated. 8 | // 9 | //------------------------------------------------------------------------------ 10 | 11 | namespace Dll2Shellcode.Properties 12 | { 13 | 14 | 15 | [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()] 16 | [global::System.CodeDom.Compiler.GeneratedCodeAttribute("Microsoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator", "11.0.0.0")] 17 | internal sealed partial class Settings : global::System.Configuration.ApplicationSettingsBase 18 | { 19 | 20 | private static Settings defaultInstance = ((Settings)(global::System.Configuration.ApplicationSettingsBase.Synchronized(new Settings()))); 21 | 22 | public static Settings Default 23 | { 24 | get 25 | { 26 | return defaultInstance; 27 | } 28 | } 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /Dll2Shellcode/Properties/Settings.settings: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /Dll2Shellcode/sRDI.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Runtime.InteropServices; 4 | using System.Reflection; 5 | 6 | namespace Dll2Shellcode 7 | { 8 | class Native 9 | { 10 | [Flags] 11 | public enum ProcessAccessFlags : uint 12 | { 13 | Terminate = 0x00000001, 14 | CreateThread = 0x00000002, 15 | VMOperation = 0x00000008, 16 | VMRead = 0x00000010, 17 | VMWrite = 0x00000020, 18 | DupHandle = 0x00000040, 19 | SetInformation = 0x00000200, 20 | QueryInformation = 0x00000400, 21 | Synchronize = 0x00100000, 22 | All = 0x001F0FFF 23 | } 24 | 25 | [DllImport("kernel32.dll")] 26 | public static extern IntPtr LoadLibrary(string dllToLoad); 27 | 28 | [DllImport("kernel32.dll")] 29 | public static extern IntPtr VirtualAlloc(IntPtr lpAddress, UIntPtr dwSize, UInt32 flAllocationType, UInt32 flProtect); 30 | 31 | [DllImport("kernel32.dll")] 32 | public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, UInt32 flAllocationType, UInt32 flProtect); 33 | 34 | [DllImport("msvcrt.dll")] 35 | public static extern IntPtr memcpy(IntPtr dest, IntPtr src, UIntPtr count); 36 | 37 | [DllImport("msvcrt.dll")] 38 | public static extern IntPtr memset(IntPtr dest, Int32 character, IntPtr count); 39 | 40 | [DllImport("kernel32.dll")] 41 | public static extern IntPtr GetProcAddress(IntPtr hModule, String procName); 42 | 43 | [DllImport("kernel32.dll")] 44 | public static extern Boolean VirtualFreeEx(IntPtr hProcess, IntPtr lpAddress, UIntPtr dwSize, UInt32 dwFreeType); 45 | 46 | [DllImport("kernel32.dll")] 47 | public static extern Boolean VirtualFree(IntPtr lpAddress, UIntPtr dwSize, UInt32 dwFreeType); 48 | 49 | [DllImport("kernel32.dll")] 50 | public static extern Boolean VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, UInt32 flNewProtect, out UInt32 lpflOldProtect); 51 | 52 | [DllImport("kernel32.dll")] 53 | public static extern Boolean FreeLibrary(IntPtr hModule); 54 | 55 | [DllImport("kernel32.dll")] 56 | public static extern UInt32 WaitForSingleObject(IntPtr hModule, UInt32 timeout); 57 | 58 | [DllImport("kernel32.dll")] 59 | public static extern Boolean WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, IntPtr lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesWritten); 60 | 61 | [DllImport("kernel32.dll")] 62 | public static extern Boolean ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, IntPtr lpBuffer, UIntPtr nSize, out UIntPtr lpNumberOfBytesWritten); 63 | 64 | [DllImport("kernel32.dll")] 65 | public static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, UIntPtr dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, UInt32 dwCreationFlags, out IntPtr lpThreadID); 66 | 67 | [DllImport("kernel32.dll")] 68 | public static extern Boolean GetExitCodeThread(IntPtr hThread, Int32 exitCode); 69 | 70 | [DllImport("kernel32.dll")] 71 | public static extern Boolean OpenThreadToken(IntPtr ThreadHandle, UInt32 DesiredAccess, Boolean OpenAsSelf, out IntPtr TokenHandle); 72 | 73 | [DllImport("kernel32.dll")] 74 | public static extern IntPtr GetCurrentThread(); 75 | 76 | [DllImport("kernel32.dll")] 77 | public static extern Boolean CloseHandle(IntPtr handle); 78 | 79 | [DllImport("kernel32.dll")] 80 | public static extern IntPtr GetCurrentProcess(); 81 | 82 | [DllImport("kernel32.dll")] 83 | public static extern IntPtr OpenProcess(ProcessAccessFlags dwDesiredAccess, bool bInheritHandle, int dwProcessId); 84 | 85 | [DllImport("kernel32.dll")] 86 | public static extern UInt32 NtCreateThreadEx(out IntPtr hThread, UInt32 DesiredAccess, IntPtr ObjectAttributes, IntPtr ProcessHandle, IntPtr lpStartAddress, IntPtr lpParameter, Boolean CreateSuspended, UInt32 StackZeroBits, UInt32 SizeOfStackCommit, UInt32 SizeOfStackReserve, IntPtr lpBytesBuffer); 87 | 88 | [DllImport("kernel32.dll")] 89 | public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, IntPtr dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, UInt32 dwCreationFlags, out UInt32 lpThreadID); 90 | 91 | [DllImport("kernel32.dll")] 92 | public static extern Boolean AdjustTokenPrivileges(IntPtr TokenHandle, Boolean DisableAllPrivileges, IntPtr NewState, UInt32 BufferLength, IntPtr PreviousState, IntPtr ReturnLength); 93 | 94 | [DllImport("kernel32.dll")] 95 | public static extern Boolean IsWow64Process(Int32 hProcess); 96 | 97 | public const UInt64 MEM_COMMIT = 0x00001000; 98 | public const UInt64 MEM_RESERVE = 0x00002000; 99 | public const ushort PAGE_NOACCESS = 0x01; 100 | public const ushort PAGE_READONLY = 0x02; 101 | public const ushort PAGE_READWRITE = 0x04; 102 | public const ushort PAGE_WRITECOPY = 0x08; 103 | public const ushort PAGE_EXECUTE = 0x10; 104 | public const ushort PAGE_EXECUTE_READ = 0x20; 105 | public const ushort PAGE_EXECUTE_READWRITE = 0x40; 106 | public const ushort PAGE_EXECUTE_WRITECOPY = 0x80; 107 | public const UInt32 PAGE_NOCACHE = 0x200; 108 | public const UInt64 IMAGE_SCN_MEM_DISCARDABLE = 0x02000000; 109 | public const UInt64 IMAGE_SCN_MEM_EXECUTE = 0x20000000; 110 | public const UInt64 IMAGE_SCN_MEM_READ = 0x40000000; 111 | public const UInt64 IMAGE_SCN_MEM_WRITE = 0x80000000; 112 | public const UInt64 IMAGE_SCN_MEM_NOT_CACHED = 0x04000000; 113 | public const UInt32 MEM_DECOMMIT = 0x4000; 114 | public const UInt32 IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002; 115 | public const UInt32 IMAGE_FILE_DLL = 0x2000; 116 | public const ushort IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x40; 117 | public const UInt32 IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x100; 118 | public const UInt32 MEM_RELEASE = 0x8000; 119 | public const UInt32 TOKEN_QUERY = 0x0008; 120 | public const UInt32 TOKEN_ADJUST_PRIVILEGES = 0x0020; 121 | public const ushort SE_PRIVILEGE_ENABLED = 0x2; 122 | public const UInt32 ERROR_NO_TOKEN = 0x3f0; 123 | } 124 | 125 | class PE 126 | { 127 | [StructLayout(LayoutKind.Sequential, Pack = 1)] 128 | struct IMAGE_DATA_DIRECTORY 129 | { 130 | public uint VirtualAddress; 131 | public uint Size; 132 | } 133 | 134 | //[StructLayout(LayoutKind.Sequential, Pack = 1)] 135 | [StructLayout(LayoutKind.Explicit)] 136 | unsafe struct IMAGE_SECTION_HEADER 137 | { 138 | [FieldOffset(0)] 139 | public fixed byte Name[8]; 140 | [FieldOffset(8)] 141 | public uint PhysicalAddress; 142 | [FieldOffset(8)] 143 | public uint VirtualSize; 144 | [FieldOffset(12)] 145 | public uint VirtualAddress; 146 | [FieldOffset(16)] 147 | public uint SizeOfRawData; 148 | [FieldOffset(20)] 149 | public uint PointerToRawData; 150 | [FieldOffset(24)] 151 | public uint PointerToRelocations; 152 | [FieldOffset(28)] 153 | public uint PointerToLinenumbers; 154 | [FieldOffset(32)] 155 | public ushort NumberOfRelocations; 156 | [FieldOffset(34)] 157 | public ushort NumberOfLinenumbers; 158 | [FieldOffset(36)] 159 | public uint Characteristics; 160 | } 161 | 162 | [StructLayout(LayoutKind.Sequential, Pack = 1)] 163 | struct IMAGE_FILE_HEADER 164 | { 165 | public ushort Machine; 166 | public ushort NumberOfSections; 167 | public uint TimeDateStamp; 168 | public uint PointerToSymbolTable; 169 | public uint NumberOfSymbols; 170 | public ushort SizeOfOptionalHeader; 171 | public ushort Characteristics; 172 | } 173 | 174 | [StructLayout(LayoutKind.Sequential, Pack = 1)] 175 | struct IMAGE_EXPORT_DIRECTORY 176 | { 177 | public uint Characteristics; 178 | public uint TimeDateStamp; 179 | public ushort MajorVersion; 180 | public ushort MinorVersion; 181 | public uint Name; 182 | public uint Base; 183 | public uint NumberOfFunctions; 184 | public uint NumberOfNames; 185 | public uint AddressOfFunctions; // RVA from base of image 186 | public uint AddressOfNames; // RVA from base of image 187 | public uint AddressOfNameOrdinals; // RVA from base of image 188 | } 189 | 190 | enum IMAGE_DOS_SIGNATURE : ushort 191 | { 192 | DOS_SIGNATURE = 0x5A4D, // MZ 193 | OS2_SIGNATURE = 0x454E, // NE 194 | OS2_SIGNATURE_LE = 0x454C, // LE 195 | } 196 | 197 | enum MagicType : ushort 198 | { 199 | IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10b, 200 | IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20b, 201 | } 202 | 203 | [StructLayout(LayoutKind.Sequential, Pack = 1)] 204 | struct IMAGE_DOS_HEADER 205 | { 206 | public IMAGE_DOS_SIGNATURE e_magic; // Magic number 207 | public ushort e_cblp; // public bytes on last page of file 208 | public ushort e_cp; // Pages in file 209 | public ushort e_crlc; // Relocations 210 | public ushort e_cparhdr; // Size of header in paragraphs 211 | public ushort e_minalloc; // Minimum extra paragraphs needed 212 | public ushort e_maxalloc; // Maximum extra paragraphs needed 213 | public ushort e_ss; // Initial (relative) SS value 214 | public ushort e_sp; // Initial SP value 215 | public ushort e_csum; // Checksum 216 | public ushort e_ip; // Initial IP value 217 | public ushort e_cs; // Initial (relative) CS value 218 | public ushort e_lfarlc; // File address of relocation table 219 | public ushort e_ovno; // Overlay number 220 | [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 8)] 221 | public string e_res; // May contain 'Detours!' 222 | public ushort e_oemid; // OEM identifier (for e_oeminfo) 223 | public ushort e_oeminfo; // OEM information; e_oemid specific 224 | [MarshalAsAttribute(UnmanagedType.ByValArray, SizeConst = 10)] 225 | public ushort[] e_res2; // Reserved public ushorts 226 | public Int32 e_lfanew; // File address of new exe header 227 | } 228 | 229 | [StructLayout(LayoutKind.Sequential, Pack = 1)] 230 | struct IMAGE_OPTIONAL_HEADER 231 | { 232 | // 233 | // Standard fields. 234 | // 235 | 236 | public MagicType Magic; 237 | public byte MajorLinkerVersion; 238 | public byte MinorLinkerVersion; 239 | public uint SizeOfCode; 240 | public uint SizeOfInitializedData; 241 | public uint SizeOfUninitializedData; 242 | public uint AddressOfEntryPoint; 243 | public uint BaseOfCode; 244 | public uint BaseOfData; 245 | public uint ImageBase; 246 | public uint SectionAlignment; 247 | public uint FileAlignment; 248 | public ushort MajorOperatingSystemVersion; 249 | public ushort MinorOperatingSystemVersion; 250 | public ushort MajorImageVersion; 251 | public ushort MinorImageVersion; 252 | public ushort MajorSubsystemVersion; 253 | public ushort MinorSubsystemVersion; 254 | public uint Win32VersionValue; 255 | public uint SizeOfImage; 256 | public uint SizeOfHeaders; 257 | public uint CheckSum; 258 | public ushort Subsystem; 259 | public ushort DllCharacteristics; 260 | public uint SizeOfStackReserve; 261 | public uint SizeOfStackCommit; 262 | public uint SizeOfHeapReserve; 263 | public uint SizeOfHeapCommit; 264 | public uint LoaderFlags; 265 | public uint NumberOfRvaAndSizes; 266 | public IMAGE_DATA_DIRECTORY ExportTable; 267 | public IMAGE_DATA_DIRECTORY ImportTable; 268 | public IMAGE_DATA_DIRECTORY ResourceTable; 269 | public IMAGE_DATA_DIRECTORY ExceptionTable; 270 | public IMAGE_DATA_DIRECTORY CertificateTable; 271 | public IMAGE_DATA_DIRECTORY BaseRelocationTable; 272 | public IMAGE_DATA_DIRECTORY Debug; 273 | public IMAGE_DATA_DIRECTORY Architecture; 274 | public IMAGE_DATA_DIRECTORY GlobalPtr; 275 | public IMAGE_DATA_DIRECTORY TLSTable; 276 | public IMAGE_DATA_DIRECTORY LoadConfigTable; 277 | public IMAGE_DATA_DIRECTORY BoundImport; 278 | public IMAGE_DATA_DIRECTORY IAT; 279 | public IMAGE_DATA_DIRECTORY DelayImportDescriptor; 280 | public IMAGE_DATA_DIRECTORY CLRRuntimeHeader; 281 | public IMAGE_DATA_DIRECTORY Public; 282 | } 283 | 284 | [StructLayout(LayoutKind.Sequential, Pack = 1)] 285 | struct IMAGE_OPTIONAL_HEADER64 286 | { 287 | public MagicType Magic; 288 | public byte MajorLinkerVersion; 289 | public byte MinorLinkerVersion; 290 | public uint SizeOfCode; 291 | public uint SizeOfInitializedData; 292 | public uint SizeOfUninitializedData; 293 | public uint AddressOfEntryPoint; 294 | public uint BaseOfCode; 295 | public ulong ImageBase; 296 | public uint SectionAlignment; 297 | public uint FileAlignment; 298 | public ushort MajorOperatingSystemVersion; 299 | public ushort MinorOperatingSystemVersion; 300 | public ushort MajorImageVersion; 301 | public ushort MinorImageVersion; 302 | public ushort MajorSubsystemVersion; 303 | public ushort MinorSubsystemVersion; 304 | public uint Win32VersionValue; 305 | public uint SizeOfImage; 306 | public uint SizeOfHeaders; 307 | public uint CheckSum; 308 | public ushort Subsystem; 309 | public ushort DllCharacteristics; 310 | public ulong SizeOfStackReserve; 311 | public ulong SizeOfStackCommit; 312 | public ulong SizeOfHeapReserve; 313 | public ulong SizeOfHeapCommit; 314 | public uint LoaderFlags; 315 | public uint NumberOfRvaAndSizes; 316 | public IMAGE_DATA_DIRECTORY ExportTable; 317 | public IMAGE_DATA_DIRECTORY ImportTable; 318 | public IMAGE_DATA_DIRECTORY ResourceTable; 319 | public IMAGE_DATA_DIRECTORY ExceptionTable; 320 | public IMAGE_DATA_DIRECTORY CertificateTable; 321 | public IMAGE_DATA_DIRECTORY BaseRelocationTable; 322 | public IMAGE_DATA_DIRECTORY Debug; 323 | public IMAGE_DATA_DIRECTORY Architecture; 324 | public IMAGE_DATA_DIRECTORY GlobalPtr; 325 | public IMAGE_DATA_DIRECTORY TLSTable; 326 | public IMAGE_DATA_DIRECTORY LoadConfigTable; 327 | public IMAGE_DATA_DIRECTORY BoundImport; 328 | public IMAGE_DATA_DIRECTORY IAT; 329 | public IMAGE_DATA_DIRECTORY DelayImportDescriptor; 330 | public IMAGE_DATA_DIRECTORY CLRRuntimeHeader; 331 | public IMAGE_DATA_DIRECTORY Public; 332 | } 333 | 334 | [StructLayout(LayoutKind.Sequential, Pack = 1)] 335 | struct IMAGE_NT_HEADERS64 336 | { 337 | public uint Signature; 338 | public IMAGE_FILE_HEADER FileHeader; 339 | public IMAGE_OPTIONAL_HEADER64 OptionalHeader; 340 | } 341 | 342 | [StructLayout(LayoutKind.Sequential, Pack = 1)] 343 | struct IMAGE_NT_HEADERS 344 | { 345 | public uint Signature; 346 | public IMAGE_FILE_HEADER FileHeader; 347 | public IMAGE_OPTIONAL_HEADER OptionalHeader; 348 | } 349 | public static IntPtr Rva2Offset(uint dwRva, IntPtr PEPointer) 350 | { 351 | bool is64Bit = false; 352 | ushort wIndex = 0; 353 | ushort wNumberOfSections = 0; 354 | IntPtr imageSectionPtr; 355 | IMAGE_SECTION_HEADER SectionHeader; 356 | int sizeOfSectionHeader = Marshal.SizeOf(typeof(IMAGE_SECTION_HEADER)); 357 | 358 | IMAGE_DOS_HEADER dosHeader = (IMAGE_DOS_HEADER)Marshal.PtrToStructure(PEPointer, typeof(IMAGE_DOS_HEADER)); 359 | 360 | IntPtr NtHeadersPtr = (IntPtr)((UInt64)PEPointer + (UInt64)dosHeader.e_lfanew); 361 | 362 | var imageNtHeaders32 = (IMAGE_NT_HEADERS)Marshal.PtrToStructure(NtHeadersPtr, typeof(IMAGE_NT_HEADERS)); 363 | var imageNtHeaders64 = (IMAGE_NT_HEADERS64)Marshal.PtrToStructure(NtHeadersPtr, typeof(IMAGE_NT_HEADERS64)); 364 | 365 | if (imageNtHeaders64.OptionalHeader.Magic == MagicType.IMAGE_NT_OPTIONAL_HDR64_MAGIC) is64Bit = true; 366 | 367 | 368 | if (is64Bit) 369 | { 370 | imageSectionPtr = (IntPtr)(((Int64)NtHeadersPtr + (Int64)Marshal.OffsetOf(typeof(IMAGE_NT_HEADERS64), "OptionalHeader") + (Int64)imageNtHeaders64.FileHeader.SizeOfOptionalHeader)); 371 | SectionHeader = (IMAGE_SECTION_HEADER)Marshal.PtrToStructure(imageSectionPtr, typeof(IMAGE_SECTION_HEADER)); 372 | wNumberOfSections = imageNtHeaders64.FileHeader.NumberOfSections; 373 | } 374 | else 375 | { 376 | imageSectionPtr = (IntPtr)(((Int64)NtHeadersPtr + (Int64)Marshal.OffsetOf(typeof(IMAGE_NT_HEADERS), "OptionalHeader") + (Int64)imageNtHeaders32.FileHeader.SizeOfOptionalHeader)); 377 | SectionHeader = (IMAGE_SECTION_HEADER)Marshal.PtrToStructure(imageSectionPtr, typeof(IMAGE_SECTION_HEADER)); 378 | wNumberOfSections = imageNtHeaders32.FileHeader.NumberOfSections; 379 | } 380 | 381 | if (dwRva < SectionHeader.PointerToRawData) 382 | return (IntPtr)((UInt64)dwRva + (UInt64)PEPointer); 383 | 384 | for (wIndex = 0; wIndex < wNumberOfSections; wIndex++) 385 | { 386 | SectionHeader = (IMAGE_SECTION_HEADER)Marshal.PtrToStructure((IntPtr)((uint)imageSectionPtr + (uint)(sizeOfSectionHeader * (wIndex))), typeof(IMAGE_SECTION_HEADER)); 387 | if (dwRva >= SectionHeader.VirtualAddress && dwRva < (SectionHeader.VirtualAddress + SectionHeader.SizeOfRawData)) 388 | return (IntPtr)((UInt64)(dwRva - SectionHeader.VirtualAddress + SectionHeader.PointerToRawData) + (UInt64)PEPointer); 389 | } 390 | 391 | return IntPtr.Zero; 392 | } 393 | 394 | public static unsafe bool Is64BitDLL(byte[] dllBytes) 395 | { 396 | bool is64Bit = false; 397 | 398 | GCHandle scHandle = GCHandle.Alloc(dllBytes, GCHandleType.Pinned); 399 | IntPtr scPointer = scHandle.AddrOfPinnedObject(); 400 | 401 | Int32 headerOffset = Marshal.ReadInt32(scPointer, 60); 402 | UInt16 magic = (UInt16)Marshal.ReadInt16(scPointer, headerOffset + 4); 403 | 404 | if (magic == (UInt16)512 || magic == (UInt16)34404) 405 | is64Bit = true; 406 | 407 | scHandle.Free(); 408 | 409 | return is64Bit; 410 | } 411 | 412 | public static unsafe IntPtr GetProcAddressR(IntPtr PEPointer, string functionName) 413 | { 414 | bool is64Bit = false; 415 | 416 | IMAGE_DOS_HEADER dosHeader = (IMAGE_DOS_HEADER)Marshal.PtrToStructure(PEPointer, typeof(IMAGE_DOS_HEADER)); 417 | 418 | IntPtr NtHeadersPtr = (IntPtr)((UInt64)PEPointer + (UInt64)dosHeader.e_lfanew); 419 | 420 | var imageNtHeaders64 = (IMAGE_NT_HEADERS64)Marshal.PtrToStructure(NtHeadersPtr, typeof(IMAGE_NT_HEADERS64)); 421 | var imageNtHeaders32 = (IMAGE_NT_HEADERS)Marshal.PtrToStructure(NtHeadersPtr, typeof(IMAGE_NT_HEADERS)); 422 | 423 | if (imageNtHeaders64.Signature != 0x00004550) 424 | throw new ApplicationException("Invalid IMAGE_NT_HEADER signature."); 425 | 426 | if (imageNtHeaders64.OptionalHeader.Magic == MagicType.IMAGE_NT_OPTIONAL_HDR64_MAGIC) is64Bit = true; 427 | 428 | IntPtr ExportTablePtr; 429 | 430 | if (is64Bit) 431 | { 432 | if ((imageNtHeaders64.FileHeader.Characteristics & 0x2000) != 0x2000) 433 | throw new ApplicationException("File is not a DLL, Exiting."); 434 | 435 | ExportTablePtr = (IntPtr)((UInt64)PEPointer + (UInt64)imageNtHeaders64.OptionalHeader.ExportTable.VirtualAddress); 436 | } 437 | else 438 | { 439 | if ((imageNtHeaders32.FileHeader.Characteristics & 0x2000) != 0x2000) 440 | throw new ApplicationException("File is not a DLL, Exiting."); 441 | 442 | ExportTablePtr = (IntPtr)((UInt64)PEPointer + (UInt64)imageNtHeaders32.OptionalHeader.ExportTable.VirtualAddress); 443 | } 444 | 445 | IMAGE_EXPORT_DIRECTORY ExportTable = (IMAGE_EXPORT_DIRECTORY)Marshal.PtrToStructure(ExportTablePtr, typeof(IMAGE_EXPORT_DIRECTORY)); 446 | 447 | for (int i = 0; i < ExportTable.NumberOfNames; i++) 448 | { 449 | IntPtr NameOffsetPtr = (IntPtr)((ulong)PEPointer + (ulong)ExportTable.AddressOfNames + (ulong)(i * Marshal.SizeOf(typeof(UInt32)))); 450 | IntPtr NamePtr = (IntPtr)((ulong)PEPointer + (uint)Marshal.PtrToStructure(NameOffsetPtr, typeof(uint))); 451 | 452 | string Name = Marshal.PtrToStringAnsi(NamePtr); 453 | 454 | if (Name.Contains(functionName)) 455 | { 456 | IntPtr AddressOfFunctions = (IntPtr)((ulong)PEPointer + (ulong)ExportTable.AddressOfFunctions); 457 | IntPtr OrdinalRvaPtr = (IntPtr)((ulong)PEPointer + (ulong)(ExportTable.AddressOfNameOrdinals + (i * Marshal.SizeOf(typeof(UInt16))))); 458 | UInt16 FuncIndex = (UInt16)Marshal.PtrToStructure(OrdinalRvaPtr, typeof(UInt16)); 459 | IntPtr FuncOffsetLocation = (IntPtr)((ulong)AddressOfFunctions + (ulong)(FuncIndex * Marshal.SizeOf(typeof(UInt32)))); 460 | IntPtr FuncLocationInMemory = (IntPtr)((ulong)PEPointer + (uint)Marshal.PtrToStructure(FuncOffsetLocation, typeof(UInt32))); 461 | 462 | return FuncLocationInMemory; 463 | } 464 | } 465 | return IntPtr.Zero; 466 | } 467 | } 468 | 469 | class sRDI 470 | { 471 | [UnmanagedFunctionPointer(CallingConvention.StdCall)] 472 | delegate IntPtr ReflectiveLoader(); 473 | 474 | [UnmanagedFunctionPointer(CallingConvention.Cdecl)] 475 | delegate bool ExportedFunction(IntPtr userData, uint userLength); 476 | 477 | static uint Ror(uint val, int r_bits, int max_bits) 478 | { 479 | return (val >> r_bits) | (val << (max_bits - r_bits)); 480 | } 481 | 482 | static uint HashFunction(string name) 483 | { 484 | uint functionHash = 0; 485 | 486 | name += "\x00"; 487 | 488 | foreach (char c in name) 489 | { 490 | functionHash = Ror(functionHash, 13, 32); 491 | functionHash += c; 492 | } 493 | 494 | return functionHash; 495 | } 496 | 497 | public static byte[] ConvertToShellcode(byte[] dllBytes, string functionName, byte[] userData, uint flags) 498 | { 499 | return ConvertToShellcode(dllBytes, HashFunction(functionName), userData, flags); 500 | } 501 | 502 | public static byte[] ConvertToShellcode(byte[] dllBytes, uint functionHash, byte[] userData, uint flags) 503 | { 504 | #if DEBUG 505 | byte[] rdiShellcode64 = System.IO.File.ReadAllBytes("../../../../bin/ShellcodeRDI_x64.bin"); 506 | byte[] rdiShellcode32 = System.IO.File.ReadAllBytes("../../../../bin/ShellcodeRDI_x86.bin"); 507 | #else 508 | //MARKER:S 509 | var rdiShellcode32 = new byte[] { 0x81,0xEC,0x14,0x01,0x00,0x00,0x53,0x55,0x56,0x57,0x6A,0x6B,0x58,0x6A,0x65,0x66,0x89,0x84,0x24,0xCC,0x00,0x00,0x00,0x33,0xED,0x58,0x6A,0x72,0x59,0x6A,0x6E,0x5B,0x6A,0x6C,0x5A,0x6A,0x33,0x66,0x89,0x84,0x24,0xCE,0x00,0x00,0x00,0x66,0x89,0x84,0x24,0xD4,0x00,0x00,0x00,0x58,0x6A,0x32,0x66,0x89,0x84,0x24,0xD8,0x00,0x00,0x00,0x58,0x6A,0x2E,0x66,0x89,0x84,0x24,0xDA,0x00,0x00,0x00,0x58,0x6A,0x64,0x66,0x89,0x84,0x24,0xDC,0x00,0x00,0x00,0x58,0x89,0xAC,0x24,0xB0,0x00,0x00,0x00,0x89,0x6C,0x24,0x34,0x89,0xAC,0x24,0xB8,0x00,0x00,0x00,0x89,0xAC,0x24,0xC4,0x00,0x00,0x00,0x89,0xAC,0x24,0xB4,0x00,0x00,0x00,0x89,0xAC,0x24,0xAC,0x00,0x00,0x00,0x89,0xAC,0x24,0xE0,0x00,0x00,0x00,0x66,0x89,0x8C,0x24,0xCC,0x00,0x00,0x00,0x66,0x89,0x9C,0x24,0xCE,0x00,0x00,0x00,0x66,0x89,0x94,0x24,0xD2,0x00,0x00,0x00,0x66,0x89,0x84,0x24,0xDA,0x00,0x00,0x00,0x66,0x89,0x94,0x24,0xDC,0x00,0x00,0x00,0x66,0x89,0x94,0x24,0xDE,0x00,0x00,0x00,0xC6,0x44,0x24,0x3C,0x53,0x88,0x54,0x24,0x3D,0x66,0xC7,0x44,0x24,0x3E,0x65,0x65,0xC6,0x44,0x24,0x40,0x70,0x66,0xC7,0x44,0x24,0x50,0x4C,0x6F,0xC6,0x44,0x24,0x52,0x61,0x88,0x44,0x24,0x53,0x66,0xC7,0x44,0x24,0x54,0x4C,0x69,0xC6,0x44,0x24,0x56,0x62,0x88,0x4C,0x24,0x57,0xC6,0x44,0x24,0x58,0x61,0x88,0x4C,0x24,0x59,0x66,0xC7,0x44,0x24,0x5A,0x79,0x41,0x66,0xC7,0x44,0x24,0x44,0x56,0x69,0x88,0x4C,0x24,0x46,0x66,0xC7,0x44,0x24,0x47,0x74,0x75,0xC6,0x44,0x24,0x49,0x61,0x88,0x54,0x24,0x4A,0xC6,0x44,0x24,0x4B,0x41,0x88,0x54,0x24,0x4C,0x88,0x54,0x24,0x4D,0x66,0xC7,0x44,0x24,0x4E,0x6F,0x63,0x66,0xC7,0x44,0x24,0x5C,0x56,0x69,0x88,0x4C,0x24,0x5E,0x66,0xC7,0x44,0x24,0x5F,0x74,0x75,0xC6,0x44,0x24,0x61,0x61,0x88,0x54,0x24,0x62,0xC6,0x44,0x24,0x63,0x50,0x88,0x4C,0x24,0x64,0xC7,0x44,0x24,0x65,0x6F,0x74,0x65,0x63,0xC6,0x44,0x24,0x69,0x74,0xC6,0x84,0x24,0x94,0x00,0x00,0x00,0x46,0x88,0x94,0x24,0x95,0x00,0x00,0x00,0xC7,0x84,0x24,0x96,0x00,0x00,0x00,0x75,0x73,0x68,0x49,0x88,0x9C,0x24,0x9A,0x00,0x00,0x00,0x66,0xC7,0x84,0x24,0x9B,0x00,0x00,0x00,0x73,0x74,0x88,0x8C,0x24,0x9D,0x00,0x00,0x00,0xC7,0x84,0x24,0x9E,0x00,0x00,0x00,0x75,0x63,0x74,0x69,0xC6,0x84,0x24,0xA2,0x00,0x00,0x00,0x6F,0x6A,0x65,0x59,0x88,0x8C,0x24,0xA8,0x00,0x00,0x00,0x88,0x4C,0x24,0x6D,0x88,0x4C,0x24,0x74,0x88,0x4C,0x24,0x79,0x88,0x8C,0x24,0x92,0x00,0x00,0x00,0xB9,0x13,0x9C,0xBF,0xBD,0x88,0x9C,0x24,0xA3,0x00,0x00,0x00,0xC7,0x84,0x24,0xA4,0x00,0x00,0x00,0x43,0x61,0x63,0x68,0xC6,0x44,0x24,0x6C,0x47,0xC7,0x44,0x24,0x6E,0x74,0x4E,0x61,0x74,0x66,0xC7,0x44,0x24,0x72,0x69,0x76,0xC7,0x44,0x24,0x75,0x53,0x79,0x73,0x74,0x66,0xC7,0x44,0x24,0x7A,0x6D,0x49,0x88,0x5C,0x24,0x7C,0x66,0xC7,0x44,0x24,0x7D,0x66,0x6F,0x66,0xC7,0x84,0x24,0x80,0x00,0x00,0x00,0x52,0x74,0x88,0x94,0x24,0x82,0x00,0x00,0x00,0xC6,0x84,0x24,0x83,0x00,0x00,0x00,0x41,0x88,0x84,0x24,0x84,0x00,0x00,0x00,0x88,0x84,0x24,0x85,0x00,0x00,0x00,0x66,0xC7,0x84,0x24,0x86,0x00,0x00,0x00,0x46,0x75,0x88,0x9C,0x24,0x88,0x00,0x00,0x00,0xC7,0x84,0x24,0x89,0x00,0x00,0x00,0x63,0x74,0x69,0x6F,0x88,0x9C,0x24,0x8D,0x00,0x00,0x00,0x66,0xC7,0x84,0x24,0x8E,0x00,0x00,0x00,0x54,0x61,0xC6,0x84,0x24,0x90,0x00,0x00,0x00,0x62,0x88,0x94,0x24,0x91,0x00,0x00,0x00,0xE8,0x77,0x08,0x00,0x00,0xB9,0xB5,0x41,0xD9,0x5E,0x8B,0xF0,0xE8,0x6B,0x08,0x00,0x00,0x8B,0xD8,0x8D,0x84,0x24,0xC8,0x00,0x00,0x00,0x6A,0x18,0x89,0x84,0x24,0xEC,0x00,0x00,0x00,0x58,0x66,0x89,0x84,0x24,0xE6,0x00,0x00,0x00,0x66,0x89,0x84,0x24,0xE4,0x00,0x00,0x00,0x8D,0x44,0x24,0x1C,0x50,0x8D,0x84,0x24,0xE8,0x00,0x00,0x00,0x89,0x5C,0x24,0x34,0x50,0x55,0x55,0xFF,0xD6,0x6A,0x0C,0x5F,0x8D,0x44,0x24,0x44,0x66,0x89,0x7C,0x24,0x14,0x89,0x44,0x24,0x18,0x8D,0x44,0x24,0x34,0x50,0x55,0x8D,0x44,0x24,0x1C,0x66,0x89,0x7C,0x24,0x1E,0x50,0xFF,0x74,0x24,0x28,0xFF,0xD3,0x6A,0x0E,0x58,0x66,0x89,0x44,0x24,0x14,0x66,0x89,0x44,0x24,0x16,0x8D,0x44,0x24,0x5C,0x89,0x44,0x24,0x18,0x8D,0x84,0x24,0xB4,0x00,0x00,0x00,0x50,0x55,0x8D,0x44,0x24,0x1C,0x50,0xFF,0x74,0x24,0x28,0xFF,0xD3,0x6A,0x15,0x58,0x66,0x89,0x44,0x24,0x14,0x66,0x89,0x44,0x24,0x16,0x8D,0x84,0x24,0x94,0x00,0x00,0x00,0x89,0x44,0x24,0x18,0x8D,0x84,0x24,0xB8,0x00,0x00,0x00,0x50,0x55,0x8D,0x44,0x24,0x1C,0x50,0xFF,0x74,0x24,0x28,0xFF,0xD3,0x6A,0x13,0x5E,0x8D,0x44,0x24,0x6C,0x66,0x89,0x74,0x24,0x14,0x89,0x44,0x24,0x18,0x8D,0x84,0x24,0xC4,0x00,0x00,0x00,0x50,0x55,0x8D,0x44,0x24,0x1C,0x66,0x89,0x74,0x24,0x1E,0x50,0xFF,0x74,0x24,0x28,0xFF,0xD3,0x6A,0x05,0x58,0x66,0x89,0x44,0x24,0x14,0x66,0x89,0x44,0x24,0x16,0x8D,0x44,0x24,0x3C,0x89,0x44,0x24,0x18,0x8D,0x84,0x24,0xAC,0x00,0x00,0x00,0x50,0x55,0x8D,0x44,0x24,0x1C,0x50,0xFF,0x74,0x24,0x28,0xFF,0xD3,0x8D,0x84,0x24,0x80,0x00,0x00,0x00,0x66,0x89,0x74,0x24,0x14,0x89,0x44,0x24,0x18,0x8D,0x84,0x24,0xE0,0x00,0x00,0x00,0x50,0x55,0x8D,0x44,0x24,0x1C,0x66,0x89,0x74,0x24,0x1E,0x50,0xFF,0x74,0x24,0x28,0xFF,0xD3,0x8D,0x44,0x24,0x50,0x66,0x89,0x7C,0x24,0x14,0x89,0x44,0x24,0x18,0x8D,0x84,0x24,0xB0,0x00,0x00,0x00,0x50,0x55,0x8D,0x44,0x24,0x1C,0x66,0x89,0x7C,0x24,0x1E,0x50,0xFF,0x74,0x24,0x28,0xFF,0xD3,0x39,0x6C,0x24,0x34,0x0F,0x84,0x00,0x07,0x00,0x00,0x39,0xAC,0x24,0xB4,0x00,0x00,0x00,0x0F,0x84,0xF3,0x06,0x00,0x00,0x39,0xAC,0x24,0xAC,0x00,0x00,0x00,0x0F,0x84,0xE6,0x06,0x00,0x00,0x39,0xAC,0x24,0xB8,0x00,0x00,0x00,0x0F,0x84,0xD9,0x06,0x00,0x00,0x8B,0xAC,0x24,0xC4,0x00,0x00,0x00,0x85,0xED,0x0F,0x84,0xCA,0x06,0x00,0x00,0x8B,0xBC,0x24,0x28,0x01,0x00,0x00,0x8B,0x77,0x3C,0x03,0xF7,0x81,0x3E,0x50,0x45,0x00,0x00,0x0F,0x85,0xB2,0x06,0x00,0x00,0xB8,0x4C,0x01,0x00,0x00,0x66,0x39,0x46,0x04,0x0F,0x85,0xA3,0x06,0x00,0x00,0xF6,0x46,0x38,0x01,0x0F,0x85,0x99,0x06,0x00,0x00,0x0F,0xB7,0x4E,0x14,0x33,0xDB,0x0F,0xB7,0x56,0x06,0x83,0xC1,0x24,0x85,0xD2,0x74,0x1E,0x03,0xCE,0x83,0x79,0x04,0x00,0x8B,0x46,0x38,0x0F,0x45,0x41,0x04,0x03,0x01,0x8D,0x49,0x28,0x3B,0xC3,0x0F,0x46,0xC3,0x8B,0xD8,0x83,0xEA,0x01,0x75,0xE4,0x8D,0x84,0x24,0x00,0x01,0x00,0x00,0x50,0xFF,0xD5,0x8B,0x8C,0x24,0x04,0x01,0x00,0x00,0x8D,0x51,0xFF,0x8D,0x69,0xFF,0xF7,0xD2,0x03,0x6E,0x50,0x8D,0x41,0xFF,0x03,0xC3,0x23,0xEA,0x23,0xC2,0x3B,0xE8,0x0F,0x85,0x3D,0x06,0x00,0x00,0x6A,0x04,0x68,0x00,0x30,0x00,0x00,0x55,0xFF,0x76,0x34,0xFF,0x54,0x24,0x44,0x8B,0xD8,0x89,0x5C,0x24,0x2C,0x85,0xDB,0x75,0x13,0x6A,0x04,0x68,0x00,0x30,0x00,0x00,0x55,0x50,0xFF,0x54,0x24,0x44,0x8B,0xD8,0x89,0x44,0x24,0x2C,0xF6,0x84,0x24,0x38,0x01,0x00,0x00,0x01,0x74,0x23,0x8B,0x47,0x3C,0x89,0x43,0x3C,0x8B,0x4F,0x3C,0x3B,0x4E,0x54,0x73,0x2E,0x8B,0xEF,0x8D,0x14,0x0B,0x2B,0xEB,0x8A,0x04,0x2A,0x41,0x88,0x02,0x42,0x3B,0x4E,0x54,0x72,0xF4,0xEB,0x19,0x33,0xED,0x39,0x6E,0x54,0x76,0x12,0x8B,0xD7,0x8B,0xCB,0x2B,0xD3,0x8A,0x04,0x11,0x45,0x88,0x01,0x41,0x3B,0x6E,0x54,0x72,0xF4,0x8B,0x6B,0x3C,0x33,0xC9,0x03,0xEB,0x89,0x4C,0x24,0x10,0x33,0xC0,0x89,0x6C,0x24,0x28,0x0F,0xB7,0x55,0x14,0x83,0xC2,0x28,0x66,0x3B,0x45,0x06,0x73,0x31,0x03,0xD5,0x33,0xF6,0x39,0x32,0x76,0x19,0x8B,0x42,0x04,0x8B,0x4A,0xFC,0x03,0xC6,0x03,0xCB,0x8A,0x04,0x38,0x88,0x04,0x31,0x46,0x3B,0x32,0x72,0xEB,0x8B,0x4C,0x24,0x10,0x0F,0xB7,0x45,0x06,0x41,0x83,0xC2,0x28,0x89,0x4C,0x24,0x10,0x3B,0xC8,0x72,0xD1,0x8B,0xC3,0xC7,0x84,0x24,0xBC,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x2B,0x45,0x34,0x89,0x44,0x24,0x24,0x0F,0x84,0xC4,0x00,0x00,0x00,0x83,0xBD,0xA4,0x00,0x00,0x00,0x00,0x0F,0x84,0xB7,0x00,0x00,0x00,0x8B,0xB5,0xA0,0x00,0x00,0x00,0x03,0xF3,0x83,0x3E,0x00,0x0F,0x84,0xA6,0x00,0x00,0x00,0x6A,0x02,0x8B,0xF8,0x5D,0x8D,0x56,0x08,0xEB,0x75,0x0F,0xB7,0x02,0x89,0x44,0x24,0x10,0x0F,0xB7,0xC8,0x66,0xC1,0xE8,0x0C,0x66,0x83,0xF8,0x0A,0x75,0x28,0x8B,0x16,0x8B,0x4C,0x24,0x10,0x81,0xE1,0xFF,0x0F,0x00,0x00,0x89,0x4C,0x24,0x10,0x8D,0x04,0x1A,0x8B,0x0C,0x08,0x8D,0x04,0x1A,0x8B,0x54,0x24,0x10,0x03,0xCF,0x89,0x0C,0x10,0x8B,0x54,0x24,0x24,0xEB,0x37,0x66,0x83,0xF8,0x03,0x75,0x0D,0x81,0xE1,0xFF,0x0F,0x00,0x00,0x03,0x0E,0x01,0x3C,0x19,0xEB,0x24,0x66,0x3B,0x84,0x24,0xBC,0x00,0x00,0x00,0x75,0x07,0x8B,0xC7,0xC1,0xE8,0x10,0xEB,0x08,0x66,0x3B,0xC5,0x75,0x0E,0x0F,0xB7,0xC7,0x81,0xE1,0xFF,0x0F,0x00,0x00,0x03,0x0E,0x01,0x04,0x19,0x03,0xD5,0x8B,0x46,0x04,0x03,0xC6,0x89,0x54,0x24,0x24,0x3B,0xD0,0x0F,0x85,0x7A,0xFF,0xFF,0xFF,0x83,0x3A,0x00,0x8B,0xF2,0x0F,0x85,0x6A,0xFF,0xFF,0xFF,0x8B,0x6C,0x24,0x28,0x8B,0xBC,0x24,0x28,0x01,0x00,0x00,0x83,0xBD,0x84,0x00,0x00,0x00,0x00,0x0F,0x84,0xD7,0x01,0x00,0x00,0x8B,0xB5,0x80,0x00,0x00,0x00,0x33,0xC0,0x89,0x44,0x24,0x10,0x8D,0x0C,0x1E,0x89,0x4C,0x24,0x24,0x83,0xC1,0x0C,0x39,0x01,0x74,0x0D,0x8D,0x49,0x14,0x40,0x83,0x39,0x00,0x75,0xF7,0x89,0x44,0x24,0x10,0x8B,0x8C,0x24,0x38,0x01,0x00,0x00,0x8B,0xD1,0x83,0xE2,0x04,0x89,0x54,0x24,0x38,0x8B,0xD6,0x0F,0x84,0xC3,0x00,0x00,0x00,0x83,0xF8,0x01,0x0F,0x86,0xBA,0x00,0x00,0x00,0x83,0xA4,0x24,0xBC,0x00,0x00,0x00,0x00,0xC1,0xE9,0x10,0x89,0x8C,0x24,0x38,0x01,0x00,0x00,0x8D,0x48,0xFF,0x89,0x8C,0x24,0xC0,0x00,0x00,0x00,0x85,0xC9,0x0F,0x84,0xA1,0x00,0x00,0x00,0x8B,0x74,0x24,0x24,0x8B,0xDE,0x8B,0xAC,0x24,0xBC,0x00,0x00,0x00,0x8B,0xC8,0x69,0xFF,0xFD,0x43,0x03,0x00,0x2B,0xCD,0x33,0xD2,0xB8,0xFF,0x7F,0x00,0x00,0xF7,0xF1,0x81,0xC7,0xC3,0x9E,0x26,0x00,0x33,0xD2,0x89,0xBC,0x24,0x28,0x01,0x00,0x00,0x6A,0x05,0x8D,0x48,0x01,0x8B,0xC7,0xC1,0xE8,0x10,0x8D,0xBC,0x24,0xF0,0x00,0x00,0x00,0x25,0xFF,0x7F,0x00,0x00,0xF7,0xF1,0x59,0x03,0xC5,0x6B,0xC0,0x14,0x6A,0x05,0x03,0xC6,0x45,0x8B,0xF0,0xF3,0xA5,0x59,0x8B,0xF3,0x8B,0xF8,0x8B,0x44,0x24,0x10,0xF3,0xA5,0x6A,0x05,0x8B,0xFB,0x8D,0xB4,0x24,0xF0,0x00,0x00,0x00,0x59,0xF3,0xA5,0x8B,0xBC,0x24,0x28,0x01,0x00,0x00,0x83,0xC3,0x14,0x8B,0x74,0x24,0x24,0x3B,0xAC,0x24,0xC0,0x00,0x00,0x00,0x72,0x87,0x8B,0x6C,0x24,0x28,0x8B,0x5C,0x24,0x2C,0x8B,0x95,0x80,0x00,0x00,0x00,0xEB,0x0B,0x8B,0x44,0x24,0x38,0x89,0x84,0x24,0x38,0x01,0x00,0x00,0x8D,0x3C,0x1A,0x8B,0x47,0x0C,0x89,0x7C,0x24,0x2C,0x85,0xC0,0x0F,0x84,0xB8,0x00,0x00,0x00,0x03,0xC3,0x50,0xFF,0x94,0x24,0xB4,0x00,0x00,0x00,0x8B,0xD0,0x89,0x54,0x24,0x1C,0x8B,0x37,0x8B,0x6F,0x10,0x03,0xF3,0x03,0xEB,0x8B,0x0E,0x85,0xC9,0x74,0x60,0x8B,0x7C,0x24,0x30,0x85,0xC9,0x79,0x09,0x0F,0xB7,0x06,0x55,0x50,0x6A,0x00,0xEB,0x36,0x83,0xC1,0x02,0x33,0xC0,0x03,0xCB,0x89,0x8C,0x24,0xC0,0x00,0x00,0x00,0x38,0x01,0x74,0x0E,0x40,0x41,0x80,0x39,0x00,0x75,0xF9,0x8B,0x8C,0x24,0xC0,0x00,0x00,0x00,0x55,0x66,0x89,0x44,0x24,0x18,0x66,0x89,0x44,0x24,0x1A,0x8D,0x44,0x24,0x18,0x6A,0x00,0x89,0x4C,0x24,0x20,0x50,0x52,0xFF,0xD7,0x83,0xC6,0x04,0x83,0xC5,0x04,0x8B,0x0E,0x85,0xC9,0x74,0x06,0x8B,0x54,0x24,0x1C,0xEB,0xA8,0x8B,0x7C,0x24,0x2C,0x83,0x7C,0x24,0x38,0x00,0x74,0x1C,0x33,0xC0,0x40,0x39,0x44,0x24,0x10,0x76,0x13,0x69,0x84,0x24,0x38,0x01,0x00,0x00,0xE8,0x03,0x00,0x00,0x50,0xFF,0x94,0x24,0xB0,0x00,0x00,0x00,0x8B,0x47,0x20,0x83,0xC7,0x14,0x89,0x7C,0x24,0x2C,0x85,0xC0,0x0F,0x85,0x4C,0xFF,0xFF,0xFF,0x8B,0x6C,0x24,0x28,0x83,0xBD,0xE4,0x00,0x00,0x00,0x00,0x0F,0x84,0xAD,0x00,0x00,0x00,0x8B,0x85,0xE0,0x00,0x00,0x00,0x83,0xC0,0x04,0x03,0xC3,0x89,0x44,0x24,0x10,0x8B,0x00,0x85,0xC0,0x0F,0x84,0x94,0x00,0x00,0x00,0x8B,0x6C,0x24,0x10,0x03,0xC3,0x50,0xFF,0x94,0x24,0xB4,0x00,0x00,0x00,0x8B,0xC8,0x89,0x4C,0x24,0x1C,0x8B,0x75,0x08,0x8B,0x7D,0x0C,0x03,0xF3,0x03,0xFB,0x83,0x3E,0x00,0x74,0x5B,0x8B,0x6C,0x24,0x30,0x8B,0x17,0x85,0xD2,0x79,0x09,0x56,0x0F,0xB7,0xC2,0x50,0x6A,0x00,0xEB,0x30,0x83,0xC2,0x02,0x33,0xC0,0x03,0xD3,0x89,0x54,0x24,0x38,0x38,0x02,0x74,0x0B,0x40,0x42,0x80,0x3A,0x00,0x75,0xF9,0x8B,0x54,0x24,0x38,0x56,0x66,0x89,0x44,0x24,0x18,0x66,0x89,0x44,0x24,0x1A,0x8D,0x44,0x24,0x18,0x6A,0x00,0x89,0x54,0x24,0x20,0x50,0x51,0xFF,0xD5,0x83,0xC6,0x04,0x83,0xC7,0x04,0x83,0x3E,0x00,0x74,0x06,0x8B,0x4C,0x24,0x1C,0xEB,0xAD,0x8B,0x6C,0x24,0x10,0x83,0xC5,0x20,0x89,0x6C,0x24,0x10,0x8B,0x45,0x00,0x85,0xC0,0x0F,0x85,0x74,0xFF,0xFF,0xFF,0x8B,0x6C,0x24,0x28,0x0F,0xB7,0x75,0x14,0x33,0xC0,0x83,0xC6,0x28,0x33,0xFF,0x66,0x3B,0x45,0x06,0x0F,0x83,0xE5,0x00,0x00,0x00,0x03,0xF5,0xBA,0x00,0x00,0x00,0x40,0x83,0x3E,0x00,0x0F,0x84,0xC5,0x00,0x00,0x00,0x8B,0x4E,0x14,0x8B,0xC1,0x25,0x00,0x00,0x00,0x20,0x75,0x0B,0x85,0xCA,0x75,0x07,0x85,0xC9,0x78,0x03,0x40,0xEB,0x62,0x85,0xC0,0x75,0x30,0x85,0xCA,0x75,0x08,0x85,0xC9,0x79,0x04,0x6A,0x08,0xEB,0x51,0x85,0xC0,0x75,0x20,0x85,0xCA,0x74,0x08,0x85,0xC9,0x78,0x04,0x6A,0x02,0xEB,0x41,0x85,0xC0,0x75,0x10,0x85,0xCA,0x74,0x08,0x85,0xC9,0x79,0x04,0x6A,0x04,0xEB,0x31,0x85,0xC0,0x74,0x4A,0x85,0xCA,0x75,0x08,0x85,0xC9,0x78,0x04,0x6A,0x10,0xEB,0x21,0x85,0xC0,0x74,0x3A,0x85,0xCA,0x75,0x0B,0x85,0xC9,0x79,0x07,0xB8,0x80,0x00,0x00,0x00,0xEB,0x0F,0x85,0xC0,0x74,0x27,0x85,0xCA,0x74,0x0D,0x85,0xC9,0x78,0x09,0x6A,0x20,0x58,0x89,0x44,0x24,0x20,0xEB,0x1A,0x85,0xC0,0x74,0x12,0x85,0xCA,0x74,0x0E,0x8B,0x44,0x24,0x20,0x85,0xC9,0x6A,0x40,0x5A,0x0F,0x48,0xC2,0xEB,0xE4,0x8B,0x44,0x24,0x20,0xF7,0x46,0x14,0x00,0x00,0x00,0x04,0x74,0x09,0x0D,0x00,0x02,0x00,0x00,0x89,0x44,0x24,0x20,0x8D,0x4C,0x24,0x20,0x51,0x50,0x8B,0x46,0xFC,0xFF,0x36,0x03,0xC3,0x50,0xFF,0x94,0x24,0xC4,0x00,0x00,0x00,0xBA,0x00,0x00,0x00,0x40,0x0F,0xB7,0x45,0x06,0x47,0x83,0xC6,0x28,0x3B,0xF8,0x0F,0x82,0x22,0xFF,0xFF,0xFF,0x6A,0x00,0x6A,0x00,0x6A,0xFF,0xFF,0x94,0x24,0xC4,0x00,0x00,0x00,0x83,0xBD,0xC4,0x00,0x00,0x00,0x00,0x74,0x26,0x8B,0x85,0xC0,0x00,0x00,0x00,0x8B,0x74,0x18,0x0C,0x8B,0x06,0x85,0xC0,0x74,0x16,0x33,0xED,0x45,0x6A,0x00,0x55,0x53,0xFF,0xD0,0x8D,0x76,0x04,0x8B,0x06,0x85,0xC0,0x75,0xF1,0x8B,0x6C,0x24,0x28,0x33,0xC0,0x40,0x50,0x50,0x8B,0x45,0x28,0x53,0x03,0xC3,0xFF,0xD0,0x83,0xBC,0x24,0x2C,0x01,0x00,0x00,0x00,0x0F,0x84,0xAB,0x00,0x00,0x00,0x83,0x7D,0x7C,0x00,0x0F,0x84,0xA1,0x00,0x00,0x00,0x8B,0x55,0x78,0x03,0xD3,0x8B,0x6A,0x18,0x85,0xED,0x0F,0x84,0x91,0x00,0x00,0x00,0x83,0x7A,0x14,0x00,0x0F,0x84,0x87,0x00,0x00,0x00,0x8B,0x7A,0x20,0x8B,0x4A,0x24,0x03,0xFB,0x83,0x64,0x24,0x30,0x00,0x03,0xCB,0x85,0xED,0x74,0x74,0x8B,0x37,0xC7,0x44,0x24,0x10,0x00,0x00,0x00,0x00,0x03,0xF3,0x74,0x66,0x8A,0x06,0x84,0xC0,0x74,0x1A,0x8B,0x6C,0x24,0x10,0x0F,0xBE,0xC0,0x03,0xE8,0xC1,0xCD,0x0D,0x46,0x8A,0x06,0x84,0xC0,0x75,0xF1,0x89,0x6C,0x24,0x10,0x8B,0x6A,0x18,0x8B,0x84,0x24,0x2C,0x01,0x00,0x00,0x3B,0x44,0x24,0x10,0x75,0x04,0x85,0xC9,0x75,0x15,0x8B,0x44,0x24,0x30,0x83,0xC7,0x04,0x40,0x83,0xC1,0x02,0x89,0x44,0x24,0x30,0x3B,0xC5,0x72,0xAE,0xEB,0x20,0x0F,0xB7,0x09,0x8B,0x42,0x1C,0xFF,0xB4,0x24,0x34,0x01,0x00,0x00,0xFF,0xB4,0x24,0x34,0x01,0x00,0x00,0x8D,0x04,0x88,0x8B,0x04,0x18,0x03,0xC3,0xFF,0xD0,0x59,0x59,0x8B,0xC3,0xEB,0x02,0x33,0xC0,0x5F,0x5E,0x5D,0x5B,0x81,0xC4,0x14,0x01,0x00,0x00,0xC3,0x83,0xEC,0x14,0x64,0xA1,0x30,0x00,0x00,0x00,0x53,0x55,0x56,0x8B,0x40,0x0C,0x57,0x89,0x4C,0x24,0x1C,0x8B,0x78,0x0C,0xE9,0xA5,0x00,0x00,0x00,0x8B,0x47,0x30,0x33,0xF6,0x8B,0x5F,0x2C,0x8B,0x3F,0x89,0x44,0x24,0x10,0x8B,0x42,0x3C,0x89,0x7C,0x24,0x14,0x8B,0x6C,0x10,0x78,0x89,0x6C,0x24,0x18,0x85,0xED,0x0F,0x84,0x80,0x00,0x00,0x00,0xC1,0xEB,0x10,0x33,0xC9,0x85,0xDB,0x74,0x2F,0x8B,0x7C,0x24,0x10,0x0F,0xBE,0x2C,0x0F,0xC1,0xCE,0x0D,0x80,0x3C,0x0F,0x61,0x89,0x6C,0x24,0x10,0x7C,0x09,0x8B,0xC5,0x83,0xC0,0xE0,0x03,0xF0,0xEB,0x04,0x03,0x74,0x24,0x10,0x41,0x3B,0xCB,0x72,0xDD,0x8B,0x7C,0x24,0x14,0x8B,0x6C,0x24,0x18,0x8B,0x44,0x2A,0x20,0x33,0xDB,0x8B,0x4C,0x2A,0x18,0x03,0xC2,0x89,0x4C,0x24,0x10,0x85,0xC9,0x74,0x34,0x8B,0x38,0x33,0xED,0x03,0xFA,0x83,0xC0,0x04,0x89,0x44,0x24,0x20,0x8A,0x0F,0xC1,0xCD,0x0D,0x0F,0xBE,0xC1,0x03,0xE8,0x47,0x84,0xC9,0x75,0xF1,0x8B,0x7C,0x24,0x14,0x8D,0x04,0x2E,0x3B,0x44,0x24,0x1C,0x74,0x20,0x8B,0x44,0x24,0x20,0x43,0x3B,0x5C,0x24,0x10,0x72,0xCC,0x8B,0x57,0x18,0x85,0xD2,0x0F,0x85,0x50,0xFF,0xFF,0xFF,0x33,0xC0,0x5F,0x5E,0x5D,0x5B,0x83,0xC4,0x14,0xC3,0x8B,0x74,0x24,0x18,0x8B,0x44,0x16,0x24,0x8D,0x04,0x58,0x0F,0xB7,0x0C,0x10,0x8B,0x44,0x16,0x1C,0x8D,0x04,0x88,0x8B,0x04,0x10,0x03,0xC2,0xEB,0xDB }; 510 | var rdiShellcode64 = new byte[] { 0x48,0x8B,0xC4,0x48,0x89,0x58,0x08,0x44,0x89,0x48,0x20,0x4C,0x89,0x40,0x18,0x89,0x50,0x10,0x55,0x56,0x57,0x41,0x54,0x41,0x55,0x41,0x56,0x41,0x57,0x48,0x8D,0x6C,0x24,0x90,0x48,0x81,0xEC,0x70,0x01,0x00,0x00,0x45,0x33,0xFF,0xC7,0x45,0xD8,0x6B,0x00,0x65,0x00,0x48,0x8B,0xF1,0x4C,0x89,0x7D,0xF8,0xB9,0x13,0x9C,0xBF,0xBD,0x4C,0x89,0x7D,0xC8,0x4C,0x89,0x7D,0x08,0x45,0x8D,0x4F,0x65,0x4C,0x89,0x7D,0x10,0x44,0x88,0x4D,0xBC,0x44,0x88,0x4D,0xA2,0x4C,0x89,0x7D,0x00,0x4C,0x89,0x7D,0xF0,0x4C,0x89,0x7D,0x18,0x44,0x89,0x7D,0x24,0x44,0x89,0x7C,0x24,0x2C,0xC7,0x45,0xDC,0x72,0x00,0x6E,0x00,0xC7,0x45,0xE0,0x65,0x00,0x6C,0x00,0xC7,0x45,0xE4,0x33,0x00,0x32,0x00,0xC7,0x45,0xE8,0x2E,0x00,0x64,0x00,0xC7,0x45,0xEC,0x6C,0x00,0x6C,0x00,0xC7,0x44,0x24,0x40,0x53,0x6C,0x65,0x65,0xC6,0x44,0x24,0x44,0x70,0xC7,0x44,0x24,0x58,0x4C,0x6F,0x61,0x64,0xC7,0x44,0x24,0x5C,0x4C,0x69,0x62,0x72,0xC7,0x44,0x24,0x60,0x61,0x72,0x79,0x41,0xC7,0x44,0x24,0x48,0x56,0x69,0x72,0x74,0xC7,0x44,0x24,0x4C,0x75,0x61,0x6C,0x41,0xC7,0x44,0x24,0x50,0x6C,0x6C,0x6F,0x63,0xC7,0x44,0x24,0x68,0x56,0x69,0x72,0x74,0xC7,0x44,0x24,0x6C,0x75,0x61,0x6C,0x50,0xC7,0x44,0x24,0x70,0x72,0x6F,0x74,0x65,0x66,0xC7,0x44,0x24,0x74,0x63,0x74,0xC7,0x45,0xA8,0x46,0x6C,0x75,0x73,0xC7,0x45,0xAC,0x68,0x49,0x6E,0x73,0xC7,0x45,0xB0,0x74,0x72,0x75,0x63,0xC7,0x45,0xB4,0x74,0x69,0x6F,0x6E,0xC7,0x45,0xB8,0x43,0x61,0x63,0x68,0xC7,0x44,0x24,0x78,0x47,0x65,0x74,0x4E,0xC7,0x44,0x24,0x7C,0x61,0x74,0x69,0x76,0xC7,0x45,0x80,0x65,0x53,0x79,0x73,0xC7,0x45,0x84,0x74,0x65,0x6D,0x49,0x66,0xC7,0x45,0x88,0x6E,0x66,0xC6,0x45,0x8A,0x6F,0xC7,0x45,0x90,0x52,0x74,0x6C,0x41,0xC7,0x45,0x94,0x64,0x64,0x46,0x75,0xC7,0x45,0x98,0x6E,0x63,0x74,0x69,0xC7,0x45,0x9C,0x6F,0x6E,0x54,0x61,0x66,0xC7,0x45,0xA0,0x62,0x6C,0xE8,0x7F,0x08,0x00,0x00,0xB9,0xB5,0x41,0xD9,0x5E,0x48,0x8B,0xD8,0xE8,0x72,0x08,0x00,0x00,0x4C,0x8B,0xE8,0x48,0x89,0x45,0xD0,0x48,0x8D,0x45,0xD8,0xC7,0x45,0x20,0x18,0x00,0x18,0x00,0x4C,0x8D,0x4C,0x24,0x38,0x48,0x89,0x45,0x28,0x4C,0x8D,0x45,0x20,0x33,0xD2,0x33,0xC9,0xFF,0xD3,0x48,0x8B,0x4C,0x24,0x38,0x48,0x8D,0x44,0x24,0x48,0x45,0x33,0xC0,0x48,0x89,0x44,0x24,0x30,0x4C,0x8D,0x4D,0xC8,0xC7,0x44,0x24,0x28,0x0C,0x00,0x0C,0x00,0x48,0x8D,0x54,0x24,0x28,0x41,0xFF,0xD5,0x48,0x8B,0x4C,0x24,0x38,0x48,0x8D,0x44,0x24,0x68,0x45,0x33,0xC0,0x48,0x89,0x44,0x24,0x30,0x4C,0x8D,0x4D,0x00,0xC7,0x44,0x24,0x28,0x0E,0x00,0x0E,0x00,0x48,0x8D,0x54,0x24,0x28,0x41,0xFF,0xD5,0x48,0x8D,0x45,0xA8,0xC7,0x44,0x24,0x28,0x15,0x00,0x15,0x00,0x48,0x8B,0x4C,0x24,0x38,0x4C,0x8D,0x4D,0x08,0x45,0x33,0xC0,0x48,0x89,0x44,0x24,0x30,0x48,0x8D,0x54,0x24,0x28,0x41,0xFF,0xD5,0x48,0x8B,0x4C,0x24,0x38,0x48,0x8D,0x44,0x24,0x78,0x45,0x33,0xC0,0x48,0x89,0x44,0x24,0x30,0x4C,0x8D,0x4D,0x10,0xC7,0x44,0x24,0x28,0x13,0x00,0x13,0x00,0x48,0x8D,0x54,0x24,0x28,0x41,0xFF,0xD5,0x48,0x8B,0x4C,0x24,0x38,0x48,0x8D,0x44,0x24,0x40,0x45,0x33,0xC0,0x48,0x89,0x44,0x24,0x30,0x4C,0x8D,0x4D,0xF0,0xC7,0x44,0x24,0x28,0x05,0x00,0x05,0x00,0x48,0x8D,0x54,0x24,0x28,0x41,0xFF,0xD5,0x48,0x8B,0x4C,0x24,0x38,0x48,0x8D,0x45,0x90,0x45,0x33,0xC0,0x48,0x89,0x44,0x24,0x30,0x4C,0x8D,0x4D,0x18,0xC7,0x44,0x24,0x28,0x13,0x00,0x13,0x00,0x48,0x8D,0x54,0x24,0x28,0x41,0xFF,0xD5,0x48,0x8B,0x4C,0x24,0x38,0x48,0x8D,0x44,0x24,0x58,0x45,0x33,0xC0,0x48,0x89,0x44,0x24,0x30,0x4C,0x8D,0x4D,0xF8,0xC7,0x44,0x24,0x28,0x0C,0x00,0x0C,0x00,0x48,0x8D,0x54,0x24,0x28,0x41,0xFF,0xD5,0x4C,0x39,0x7D,0xC8,0x0F,0x84,0x1D,0x07,0x00,0x00,0x4C,0x39,0x7D,0x00,0x0F,0x84,0x13,0x07,0x00,0x00,0x4C,0x39,0x7D,0xF0,0x0F,0x84,0x09,0x07,0x00,0x00,0x4C,0x39,0x7D,0x08,0x0F,0x84,0xFF,0x06,0x00,0x00,0x48,0x8B,0x55,0x10,0x48,0x85,0xD2,0x0F,0x84,0xF2,0x06,0x00,0x00,0x48,0x63,0x7E,0x3C,0x48,0x03,0xFE,0x81,0x3F,0x50,0x45,0x00,0x00,0x0F,0x85,0xDF,0x06,0x00,0x00,0xB8,0x64,0x86,0x00,0x00,0x66,0x39,0x47,0x04,0x0F,0x85,0xD0,0x06,0x00,0x00,0x45,0x8D,0x4F,0x01,0x44,0x84,0x4F,0x38,0x0F,0x85,0xC2,0x06,0x00,0x00,0x0F,0xB7,0x4F,0x14,0x41,0x8B,0xDF,0x48,0x83,0xC1,0x24,0x66,0x44,0x3B,0x7F,0x06,0x73,0x25,0x44,0x0F,0xB7,0x47,0x06,0x48,0x03,0xCF,0x44,0x39,0x79,0x04,0x8B,0x47,0x38,0x0F,0x45,0x41,0x04,0x03,0x01,0x48,0x8D,0x49,0x28,0x3B,0xC3,0x0F,0x46,0xC3,0x8B,0xD8,0x4D,0x2B,0xC1,0x75,0xE3,0x48,0x8D,0x4D,0x38,0xFF,0xD2,0x8B,0x55,0x3C,0x44,0x8B,0xC2,0x44,0x8D,0x72,0xFF,0xF7,0xDA,0x44,0x03,0x77,0x50,0x49,0x8D,0x48,0xFF,0x8B,0xC2,0x4C,0x23,0xF0,0x8B,0xC3,0x48,0x03,0xC8,0x49,0x8D,0x40,0xFF,0x48,0xF7,0xD0,0x48,0x23,0xC8,0x4C,0x3B,0xF1,0x0F,0x85,0x54,0x06,0x00,0x00,0x48,0x8B,0x4F,0x30,0x41,0xBC,0x00,0x30,0x00,0x00,0x45,0x8B,0xC4,0x41,0xB9,0x04,0x00,0x00,0x00,0x49,0x8B,0xD6,0xFF,0x55,0xC8,0x48,0x8B,0xD8,0x48,0x85,0xC0,0x75,0x12,0x44,0x8D,0x48,0x04,0x45,0x8B,0xC4,0x49,0x8B,0xD6,0x33,0xC9,0xFF,0x55,0xC8,0x48,0x8B,0xD8,0x44,0x8B,0xA5,0xD0,0x00,0x00,0x00,0x41,0xBB,0x01,0x00,0x00,0x00,0x45,0x84,0xE3,0x74,0x1D,0x8B,0x46,0x3C,0x89,0x43,0x3C,0x8B,0x56,0x3C,0xEB,0x0B,0x8B,0xCA,0x41,0x03,0xD3,0x8A,0x04,0x31,0x88,0x04,0x19,0x3B,0x57,0x54,0x72,0xF0,0xEB,0x19,0x41,0x8B,0xD7,0x44,0x39,0x7F,0x54,0x76,0x10,0x8B,0xCA,0x41,0x03,0xD3,0x8A,0x04,0x31,0x88,0x04,0x19,0x3B,0x57,0x54,0x72,0xF0,0x48,0x63,0x7B,0x3C,0x45,0x8B,0xD7,0x48,0x03,0xFB,0x48,0x89,0x7D,0x30,0x44,0x0F,0xB7,0x47,0x14,0x49,0x83,0xC0,0x28,0x66,0x44,0x3B,0x7F,0x06,0x73,0x3A,0x4C,0x03,0xC7,0x45,0x8B,0xCF,0x45,0x39,0x38,0x76,0x1F,0x41,0x8B,0x50,0x04,0x41,0x8B,0x48,0xFC,0x41,0x8B,0xC1,0x45,0x03,0xCB,0x48,0x03,0xC8,0x48,0x03,0xD0,0x8A,0x04,0x32,0x88,0x04,0x19,0x45,0x3B,0x08,0x72,0xE1,0x0F,0xB7,0x47,0x06,0x45,0x03,0xD3,0x49,0x83,0xC0,0x28,0x44,0x3B,0xD0,0x72,0xC9,0x4C,0x8B,0xF3,0x41,0xB8,0x02,0x00,0x00,0x00,0x4C,0x2B,0x77,0x30,0x0F,0x84,0xD6,0x00,0x00,0x00,0x44,0x39,0xBF,0xB4,0x00,0x00,0x00,0x0F,0x84,0xC9,0x00,0x00,0x00,0x44,0x8B,0x8F,0xB0,0x00,0x00,0x00,0x4C,0x03,0xCB,0x45,0x39,0x39,0x0F,0x84,0xB6,0x00,0x00,0x00,0x4D,0x8D,0x51,0x08,0xE9,0x91,0x00,0x00,0x00,0x45,0x0F,0xB7,0x1A,0x41,0x0F,0xB7,0xCB,0x41,0x0F,0xB7,0xC3,0x66,0xC1,0xE9,0x0C,0x66,0x83,0xF9,0x0A,0x75,0x29,0x45,0x8B,0x01,0x41,0x81,0xE3,0xFF,0x0F,0x00,0x00,0x4B,0x8D,0x04,0x18,0x48,0x8B,0x14,0x18,0x4B,0x8D,0x04,0x18,0x41,0xBB,0x01,0x00,0x00,0x00,0x49,0x03,0xD6,0x48,0x89,0x14,0x18,0x45,0x8D,0x43,0x01,0xEB,0x4F,0x41,0xBB,0x01,0x00,0x00,0x00,0x66,0x83,0xF9,0x03,0x75,0x0E,0x25,0xFF,0x0F,0x00,0x00,0x48,0x8D,0x0C,0x03,0x41,0x8B,0xC6,0xEB,0x2E,0x66,0x41,0x3B,0xCB,0x75,0x15,0x25,0xFF,0x0F,0x00,0x00,0x48,0x8D,0x0C,0x03,0x49,0x8B,0xC6,0x48,0xC1,0xE8,0x10,0x0F,0xB7,0xC0,0xEB,0x13,0x66,0x41,0x3B,0xC8,0x75,0x14,0x25,0xFF,0x0F,0x00,0x00,0x48,0x8D,0x0C,0x03,0x41,0x0F,0xB7,0xC6,0x41,0x8B,0x11,0x48,0x01,0x04,0x0A,0x4D,0x03,0xD0,0x41,0x8B,0x41,0x04,0x49,0x03,0xC1,0x4C,0x3B,0xD0,0x0F,0x85,0x5F,0xFF,0xFF,0xFF,0x4D,0x8B,0xCA,0x45,0x39,0x3A,0x0F,0x85,0x4A,0xFF,0xFF,0xFF,0x44,0x39,0xBF,0x94,0x00,0x00,0x00,0x0F,0x84,0x82,0x01,0x00,0x00,0x8B,0x8F,0x90,0x00,0x00,0x00,0x45,0x8B,0xEF,0x4C,0x8D,0x04,0x19,0x49,0x8D,0x40,0x0C,0xEB,0x07,0x45,0x03,0xEB,0x48,0x8D,0x40,0x14,0x44,0x39,0x38,0x75,0xF4,0x41,0x8B,0xC4,0x83,0xE0,0x04,0x89,0x45,0xC0,0x8B,0xC1,0x0F,0x84,0x89,0x00,0x00,0x00,0x45,0x3B,0xEB,0x0F,0x86,0x80,0x00,0x00,0x00,0x41,0xC1,0xEC,0x10,0x45,0x8D,0x5D,0xFF,0x45,0x8B,0xD7,0x45,0x85,0xDB,0x74,0x74,0x4D,0x8B,0xC8,0x41,0xBE,0xFF,0x7F,0x00,0x00,0x41,0x0F,0x10,0x01,0x33,0xD2,0x41,0x8B,0xCD,0x41,0x2B,0xCA,0x69,0xF6,0xFD,0x43,0x03,0x00,0x41,0x8B,0xC6,0xF7,0xF1,0x33,0xD2,0x81,0xC6,0xC3,0x9E,0x26,0x00,0x8D,0x48,0x01,0x8B,0xC6,0xC1,0xE8,0x10,0x41,0x23,0xC6,0xF7,0xF1,0x41,0x03,0xC2,0x41,0xFF,0xC2,0x48,0x8D,0x0C,0x80,0x41,0x8B,0x54,0x88,0x10,0x41,0x0F,0x10,0x0C,0x88,0x41,0x0F,0x11,0x04,0x88,0x41,0x8B,0x41,0x10,0x41,0x89,0x44,0x88,0x10,0x41,0x0F,0x11,0x09,0x41,0x89,0x51,0x10,0x4D,0x8D,0x49,0x14,0x45,0x3B,0xD3,0x72,0xA1,0x8B,0x87,0x90,0x00,0x00,0x00,0xEB,0x04,0x44,0x8B,0x65,0xC0,0x8B,0xF0,0x48,0x03,0xF3,0x8B,0x46,0x0C,0x85,0xC0,0x0F,0x84,0xB1,0x00,0x00,0x00,0x8B,0x7D,0xC0,0x8B,0xC8,0x48,0x03,0xCB,0xFF,0x55,0xF8,0x48,0x89,0x44,0x24,0x38,0x4C,0x8B,0xD0,0x44,0x8B,0x36,0x44,0x8B,0x7E,0x10,0x4C,0x03,0xF3,0x4C,0x03,0xFB,0x49,0x8B,0x0E,0x48,0x85,0xC9,0x74,0x5F,0x48,0x85,0xC9,0x79,0x08,0x45,0x0F,0xB7,0x06,0x33,0xD2,0xEB,0x32,0x48,0x8D,0x53,0x02,0x33,0xC0,0x48,0x03,0xD1,0x38,0x02,0x74,0x0E,0x48,0x8B,0xCA,0x48,0xFF,0xC1,0x48,0xFF,0xC0,0x80,0x39,0x00,0x75,0xF5,0x48,0x89,0x54,0x24,0x30,0x45,0x33,0xC0,0x48,0x8D,0x54,0x24,0x28,0x66,0x89,0x44,0x24,0x28,0x66,0x89,0x44,0x24,0x2A,0x4D,0x8B,0xCF,0x49,0x8B,0xCA,0xFF,0x55,0xD0,0x49,0x83,0xC6,0x08,0x49,0x83,0xC7,0x08,0x49,0x8B,0x0E,0x48,0x85,0xC9,0x74,0x07,0x4C,0x8B,0x54,0x24,0x38,0xEB,0xA1,0x45,0x33,0xFF,0x85,0xFF,0x74,0x10,0x41,0x83,0xFD,0x01,0x76,0x0A,0x41,0x69,0xCC,0xE8,0x03,0x00,0x00,0xFF,0x55,0xF0,0x8B,0x46,0x20,0x48,0x83,0xC6,0x14,0x85,0xC0,0x0F,0x85,0x56,0xFF,0xFF,0xFF,0x48,0x8B,0x7D,0x30,0x4C,0x8B,0x6D,0xD0,0x44,0x39,0xBF,0xF4,0x00,0x00,0x00,0x0F,0x84,0xA9,0x00,0x00,0x00,0x44,0x8B,0xBF,0xF0,0x00,0x00,0x00,0x49,0x83,0xC7,0x04,0x4C,0x03,0xFB,0x45,0x33,0xE4,0x41,0x8B,0x07,0x85,0xC0,0x0F,0x84,0x8A,0x00,0x00,0x00,0x8B,0xC8,0x48,0x03,0xCB,0xFF,0x55,0xF8,0x48,0x89,0x44,0x24,0x38,0x48,0x8B,0xC8,0x41,0x8B,0x77,0x08,0x45,0x8B,0x77,0x0C,0x48,0x03,0xF3,0x4C,0x03,0xF3,0x4C,0x39,0x26,0x74,0x5E,0x49,0x8B,0x16,0x48,0x85,0xD2,0x79,0x08,0x44,0x0F,0xB7,0xC2,0x33,0xD2,0xEB,0x34,0x4C,0x8D,0x43,0x02,0x49,0x8B,0xC4,0x4C,0x03,0xC2,0x45,0x38,0x20,0x74,0x0E,0x49,0x8B,0xD0,0x48,0xFF,0xC2,0x48,0xFF,0xC0,0x44,0x38,0x22,0x75,0xF5,0x4C,0x89,0x44,0x24,0x30,0x48,0x8D,0x54,0x24,0x28,0x45,0x33,0xC0,0x66,0x89,0x44,0x24,0x28,0x66,0x89,0x44,0x24,0x2A,0x4C,0x8B,0xCE,0x41,0xFF,0xD5,0x48,0x83,0xC6,0x08,0x49,0x83,0xC6,0x08,0x4C,0x39,0x26,0x74,0x07,0x48,0x8B,0x4C,0x24,0x38,0xEB,0xA2,0x49,0x83,0xC7,0x20,0xE9,0x6B,0xFF,0xFF,0xFF,0x45,0x33,0xFF,0x0F,0xB7,0x77,0x14,0x45,0x8B,0xF7,0x48,0x83,0xC6,0x28,0x41,0xBC,0x01,0x00,0x00,0x00,0x66,0x44,0x3B,0x7F,0x06,0x0F,0x83,0x0B,0x01,0x00,0x00,0x48,0x03,0xF7,0x44,0x39,0x3E,0x0F,0x84,0xEB,0x00,0x00,0x00,0x8B,0x46,0x14,0x8B,0xC8,0x81,0xE1,0x00,0x00,0x00,0x20,0x75,0x17,0x0F,0xBA,0xE0,0x1E,0x72,0x11,0x85,0xC0,0x78,0x0D,0x45,0x8B,0xC4,0x44,0x89,0x64,0x24,0x20,0xE9,0xA4,0x00,0x00,0x00,0x85,0xC9,0x75,0x3C,0x0F,0xBA,0xE0,0x1E,0x72,0x0A,0x85,0xC0,0x79,0x06,0x44,0x8D,0x41,0x08,0xEB,0x68,0x85,0xC9,0x75,0x28,0x0F,0xBA,0xE0,0x1E,0x73,0x0A,0x85,0xC0,0x78,0x06,0x44,0x8D,0x41,0x02,0xEB,0x54,0x85,0xC9,0x75,0x14,0x0F,0xBA,0xE0,0x1E,0x73,0x0A,0x85,0xC0,0x79,0x06,0x44,0x8D,0x41,0x04,0xEB,0x40,0x85,0xC9,0x74,0x5F,0x0F,0xBA,0xE0,0x1E,0x72,0x0C,0x85,0xC0,0x78,0x08,0x41,0xB8,0x10,0x00,0x00,0x00,0xEB,0x2A,0x85,0xC9,0x74,0x49,0x0F,0xBA,0xE0,0x1E,0x72,0x0C,0x85,0xC0,0x79,0x08,0x41,0xB8,0x80,0x00,0x00,0x00,0xEB,0x14,0x85,0xC9,0x74,0x33,0x0F,0xBA,0xE0,0x1E,0x73,0x11,0x85,0xC0,0x78,0x0D,0x41,0xB8,0x20,0x00,0x00,0x00,0x44,0x89,0x44,0x24,0x20,0xEB,0x21,0x85,0xC9,0x74,0x18,0x0F,0xBA,0xE0,0x1E,0x73,0x12,0x44,0x8B,0x44,0x24,0x20,0x85,0xC0,0xB9,0x40,0x00,0x00,0x00,0x44,0x0F,0x48,0xC1,0xEB,0xDD,0x44,0x8B,0x44,0x24,0x20,0xF7,0x46,0x14,0x00,0x00,0x00,0x04,0x74,0x0A,0x41,0x0F,0xBA,0xE8,0x09,0x44,0x89,0x44,0x24,0x20,0x8B,0x4E,0xFC,0x4C,0x8D,0x4C,0x24,0x20,0x8B,0x16,0x48,0x03,0xCB,0xFF,0x55,0x00,0x0F,0xB7,0x47,0x06,0x45,0x03,0xF4,0x48,0x83,0xC6,0x28,0x44,0x3B,0xF0,0x0F,0x82,0xF8,0xFE,0xFF,0xFF,0x45,0x33,0xC0,0x33,0xD2,0x48,0x83,0xC9,0xFF,0xFF,0x55,0x08,0x44,0x39,0xBF,0xD4,0x00,0x00,0x00,0x74,0x24,0x8B,0x87,0xD0,0x00,0x00,0x00,0x48,0x8B,0x74,0x18,0x18,0xEB,0x0F,0x45,0x33,0xC0,0x41,0x8B,0xD4,0x48,0x8B,0xCB,0xFF,0xD0,0x48,0x8D,0x76,0x08,0x48,0x8B,0x06,0x48,0x85,0xC0,0x75,0xE9,0x4C,0x8B,0x4D,0x18,0x4D,0x85,0xC9,0x74,0x2F,0x8B,0x87,0xA4,0x00,0x00,0x00,0x85,0xC0,0x74,0x25,0x8B,0xC8,0x4C,0x8B,0xC3,0x48,0xB8,0xAB,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0x48,0xF7,0xE1,0x8B,0x8F,0xA0,0x00,0x00,0x00,0x48,0xC1,0xEA,0x03,0x48,0x03,0xCB,0x41,0x2B,0xD4,0x41,0xFF,0xD1,0x8B,0x47,0x28,0x4D,0x8B,0xC4,0x48,0x03,0xC3,0x41,0x8B,0xD4,0x48,0x8B,0xCB,0xFF,0xD0,0x8B,0xB5,0xB8,0x00,0x00,0x00,0x85,0xF6,0x0F,0x84,0x97,0x00,0x00,0x00,0x44,0x39,0xBF,0x8C,0x00,0x00,0x00,0x0F,0x84,0x8A,0x00,0x00,0x00,0x8B,0x8F,0x88,0x00,0x00,0x00,0x48,0x03,0xCB,0x44,0x8B,0x59,0x18,0x45,0x85,0xDB,0x74,0x78,0x44,0x39,0x79,0x14,0x74,0x72,0x44,0x8B,0x49,0x20,0x41,0x8B,0xFF,0x8B,0x51,0x24,0x4C,0x03,0xCB,0x48,0x03,0xD3,0x45,0x85,0xDB,0x74,0x5D,0x45,0x8B,0x01,0x45,0x8B,0xD7,0x4C,0x03,0xC3,0x74,0x52,0xEB,0x0D,0x0F,0xBE,0xC0,0x44,0x03,0xD0,0x41,0xC1,0xCA,0x0D,0x4D,0x03,0xC4,0x41,0x8A,0x00,0x84,0xC0,0x75,0xEC,0x41,0x3B,0xF2,0x75,0x05,0x48,0x85,0xD2,0x75,0x12,0x41,0x03,0xFC,0x49,0x83,0xC1,0x04,0x48,0x83,0xC2,0x02,0x41,0x3B,0xFB,0x73,0x22,0xEB,0xC3,0x8B,0x41,0x1C,0x0F,0xB7,0x0A,0x48,0x03,0xC3,0x8B,0x95,0xC8,0x00,0x00,0x00,0x44,0x8B,0x04,0x88,0x48,0x8B,0x8D,0xC0,0x00,0x00,0x00,0x4C,0x03,0xC3,0x41,0xFF,0xD0,0x48,0x8B,0xC3,0xEB,0x02,0x33,0xC0,0x48,0x8B,0x9C,0x24,0xB0,0x01,0x00,0x00,0x48,0x81,0xC4,0x70,0x01,0x00,0x00,0x41,0x5F,0x41,0x5E,0x41,0x5D,0x41,0x5C,0x5F,0x5E,0x5D,0xC3,0xCC,0x48,0x8B,0xC4,0x48,0x89,0x58,0x08,0x48,0x89,0x68,0x10,0x48,0x89,0x70,0x18,0x48,0x89,0x78,0x20,0x41,0x56,0x48,0x83,0xEC,0x10,0x65,0x48,0x8B,0x04,0x25,0x60,0x00,0x00,0x00,0x8B,0xE9,0x45,0x33,0xF6,0x48,0x8B,0x50,0x18,0x4C,0x8B,0x4A,0x10,0x4D,0x8B,0x41,0x30,0x4D,0x85,0xC0,0x0F,0x84,0xB3,0x00,0x00,0x00,0x41,0x0F,0x10,0x41,0x58,0x49,0x63,0x40,0x3C,0x41,0x8B,0xD6,0x4D,0x8B,0x09,0xF3,0x0F,0x7F,0x04,0x24,0x46,0x8B,0x9C,0x00,0x88,0x00,0x00,0x00,0x45,0x85,0xDB,0x74,0xD2,0x48,0x8B,0x04,0x24,0x48,0xC1,0xE8,0x10,0x66,0x44,0x3B,0xF0,0x73,0x22,0x48,0x8B,0x4C,0x24,0x08,0x44,0x0F,0xB7,0xD0,0x0F,0xBE,0x01,0xC1,0xCA,0x0D,0x80,0x39,0x61,0x7C,0x03,0x83,0xC2,0xE0,0x03,0xD0,0x48,0xFF,0xC1,0x49,0x83,0xEA,0x01,0x75,0xE7,0x4F,0x8D,0x14,0x18,0x45,0x8B,0xDE,0x41,0x8B,0x7A,0x20,0x49,0x03,0xF8,0x45,0x39,0x72,0x18,0x76,0x8E,0x8B,0x37,0x41,0x8B,0xDE,0x49,0x03,0xF0,0x48,0x8D,0x7F,0x04,0x0F,0xBE,0x0E,0x48,0xFF,0xC6,0xC1,0xCB,0x0D,0x03,0xD9,0x84,0xC9,0x75,0xF1,0x8D,0x04,0x13,0x3B,0xC5,0x74,0x0E,0x41,0xFF,0xC3,0x45,0x3B,0x5A,0x18,0x72,0xD5,0xE9,0x5E,0xFF,0xFF,0xFF,0x41,0x8B,0x42,0x24,0x43,0x8D,0x0C,0x1B,0x49,0x03,0xC0,0x0F,0xB7,0x14,0x01,0x41,0x8B,0x4A,0x1C,0x49,0x03,0xC8,0x8B,0x04,0x91,0x49,0x03,0xC0,0xEB,0x02,0x33,0xC0,0x48,0x8B,0x5C,0x24,0x20,0x48,0x8B,0x6C,0x24,0x28,0x48,0x8B,0x74,0x24,0x30,0x48,0x8B,0x7C,0x24,0x38,0x48,0x83,0xC4,0x10,0x41,0x5E,0xC3 }; 511 | //MARKER:E 512 | #endif 513 | var newShellcode = new List(); 514 | 515 | uint dllOffset = 0; 516 | 517 | if (PE.Is64BitDLL(dllBytes)) 518 | { 519 | var rdiShellcode = rdiShellcode64; 520 | int bootstrapSize = 64; 521 | 522 | // call next instruction (Pushes next instruction address to stack) 523 | newShellcode.Add(0xe8); 524 | newShellcode.Add(0x00); 525 | newShellcode.Add(0x00); 526 | newShellcode.Add(0x00); 527 | newShellcode.Add(0x00); 528 | 529 | // Set the offset to our DLL from pop result 530 | dllOffset = (uint)(bootstrapSize - newShellcode.Count + rdiShellcode.Length); 531 | 532 | // pop rcx - Capture our current location in memory 533 | newShellcode.Add(0x59); 534 | 535 | // mov r8, rcx - copy our location in memory to r8 before we start modifying RCX 536 | newShellcode.Add(0x49); 537 | newShellcode.Add(0x89); 538 | newShellcode.Add(0xc8); 539 | 540 | // Setup the location of the DLL into RCX 541 | // add rcx, 542 | newShellcode.Add(0x48); 543 | newShellcode.Add(0x81); 544 | newShellcode.Add(0xc1); 545 | foreach (byte b in BitConverter.GetBytes(dllOffset)) 546 | newShellcode.Add(b); 547 | 548 | // mov edx, 549 | newShellcode.Add(0xba); 550 | foreach (byte b in BitConverter.GetBytes(functionHash)) 551 | newShellcode.Add(b); 552 | 553 | // Put the location of our user data in 554 | // add r8, + 555 | newShellcode.Add(0x49); 556 | newShellcode.Add(0x81); 557 | newShellcode.Add(0xc0); 558 | foreach (byte b in BitConverter.GetBytes((uint)(dllOffset + dllBytes.Length))) 559 | newShellcode.Add(b); 560 | 561 | // mov r9d, 562 | newShellcode.Add(0x41); 563 | newShellcode.Add(0xb9); 564 | foreach (byte b in BitConverter.GetBytes((uint)userData.Length)) 565 | newShellcode.Add(b); 566 | 567 | // push rsi - save original value 568 | newShellcode.Add(0x56); 569 | 570 | // mov rsi, rsp - store our current stack pointer for later 571 | newShellcode.Add(0x48); 572 | newShellcode.Add(0x89); 573 | newShellcode.Add(0xe6); 574 | 575 | // and rsp, 0x0FFFFFFFFFFFFFFF0 - Align the stack to 16 bytes 576 | newShellcode.Add(0x48); 577 | newShellcode.Add(0x83); 578 | newShellcode.Add(0xe4); 579 | newShellcode.Add(0xf0); 580 | 581 | // sub rsp, 0x30 - Create some breathing room on the stack 582 | newShellcode.Add(0x48); 583 | newShellcode.Add(0x83); 584 | newShellcode.Add(0xec); 585 | newShellcode.Add(6 * 8); // 32 bytes for shadow space + 8 bytes for last arg + 8 bytes for stack alignment 586 | 587 | // mov dword ptr [rsp + 0x20], - Push arg 5 just above shadow space 588 | newShellcode.Add(0xc7); 589 | newShellcode.Add(0x44); 590 | newShellcode.Add(0x24); 591 | newShellcode.Add(4 * 8); 592 | foreach (byte b in BitConverter.GetBytes((uint)flags)) 593 | newShellcode.Add(b); 594 | 595 | // call - Transfer execution to the RDI 596 | newShellcode.Add(0xe8); 597 | newShellcode.Add((byte)(bootstrapSize - newShellcode.Count - 4)); // Skip over the remainder of instructions 598 | newShellcode.Add(0x00); 599 | newShellcode.Add(0x00); 600 | newShellcode.Add(0x00); 601 | 602 | // mov rsp, rsi - Reset our original stack pointer 603 | newShellcode.Add(0x48); 604 | newShellcode.Add(0x89); 605 | newShellcode.Add(0xf4); 606 | 607 | // pop rsi - Put things back where we left them 608 | newShellcode.Add(0x5e); 609 | 610 | // ret - return to caller 611 | newShellcode.Add(0xc3); 612 | 613 | // Write the rest of RDI 614 | foreach (byte b in rdiShellcode) 615 | newShellcode.Add(b); 616 | 617 | // Write our DLL 618 | foreach (byte b in dllBytes) 619 | newShellcode.Add(b); 620 | 621 | // Write our userdata 622 | foreach (byte b in userData) 623 | newShellcode.Add(b); 624 | 625 | } 626 | else // 32 Bit 627 | { 628 | var rdiShellcode = rdiShellcode32; 629 | int bootstrapSize = 49; 630 | 631 | // call next instruction (Pushes next instruction address to stack) 632 | newShellcode.Add(0xe8); 633 | newShellcode.Add(0x00); 634 | newShellcode.Add(0x00); 635 | newShellcode.Add(0x00); 636 | newShellcode.Add(0x00); 637 | 638 | // Set the offset to our DLL from pop result 639 | dllOffset = (uint)(bootstrapSize - newShellcode.Count + rdiShellcode.Length); 640 | 641 | // pop eax - Capture our current location in memory 642 | newShellcode.Add(0x58); 643 | 644 | // push ebp 645 | newShellcode.Add(0x55); 646 | 647 | // mov ebp, esp 648 | newShellcode.Add(0x89); 649 | newShellcode.Add(0xe5); 650 | 651 | // mov edx, eax - copy our location in memory to ebx before we start modifying eax 652 | newShellcode.Add(0x89); 653 | newShellcode.Add(0xc2); 654 | 655 | // add eax, 656 | newShellcode.Add(0x05); 657 | foreach (byte b in BitConverter.GetBytes(dllOffset)) 658 | newShellcode.Add(b); 659 | 660 | // add edx, + 661 | newShellcode.Add(0x81); 662 | newShellcode.Add(0xc2); 663 | foreach (byte b in BitConverter.GetBytes((uint)(dllOffset + dllBytes.Length))) 664 | newShellcode.Add(b); 665 | 666 | // push 667 | newShellcode.Add(0x68); 668 | foreach (byte b in BitConverter.GetBytes(flags)) 669 | newShellcode.Add(b); 670 | 671 | // push 672 | newShellcode.Add(0x68); 673 | foreach (byte b in BitConverter.GetBytes((uint)userData.Length)) 674 | newShellcode.Add(b); 675 | 676 | // push edx 677 | newShellcode.Add(0x52); 678 | 679 | // push 680 | newShellcode.Add(0x68); 681 | foreach (byte b in BitConverter.GetBytes(functionHash)) 682 | newShellcode.Add(b); 683 | 684 | // push eax 685 | newShellcode.Add(0x50); 686 | 687 | // call - Transfer execution to the RDI 688 | newShellcode.Add(0xe8); 689 | newShellcode.Add((byte)(bootstrapSize - newShellcode.Count - 4)); // Skip over the remainder of instructions 690 | newShellcode.Add(0x00); 691 | newShellcode.Add(0x00); 692 | newShellcode.Add(0x00); 693 | 694 | // add esp, 0x14 695 | newShellcode.Add(0x83); 696 | newShellcode.Add(0xc4); 697 | newShellcode.Add(0x14); 698 | 699 | // leave 700 | newShellcode.Add(0xc9); 701 | 702 | // ret - return to caller 703 | newShellcode.Add(0xc3); 704 | 705 | //Write the rest of RDI 706 | foreach (byte b in rdiShellcode) 707 | newShellcode.Add(b); 708 | 709 | //Write our DLL 710 | dllBytes[0] = 0x00; 711 | dllBytes[1] = 0x00; 712 | foreach (byte b in dllBytes) 713 | newShellcode.Add(b); 714 | 715 | //Write our userdata 716 | foreach (byte b in userData) 717 | newShellcode.Add(b); 718 | } 719 | 720 | return newShellcode.ToArray(); 721 | } 722 | } 723 | } 724 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Dll2Shellcode 2 | Convert native dll to shellcode, and support exported function 3 | ![Screenshot](Capture.PNG) 4 | 5 | # basic 6 | vs2019 + net4.0 + c# 7 | 8 | # link 9 | https://github.com/monoxgas/sRDI 10 | --------------------------------------------------------------------------------