Last active
December 29, 2021 03:10
-
-
Save y0ug/b83fcf121f80d419c8d5eb342ca31a59 to your computer and use it in GitHub Desktop.
Using Qiling to resolve obfuscated import on windows
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Emulate sample to resolv obfuscated import with qiling | |
| # Just one way to do it, this method is kind of slow. | |
| # You need to have all the required DLL in the 'rootfs' | |
| # Classic getprocaddress by hash we hook after the call | |
| # read EAX and resolv the name from ql.loader.import_symbols | |
| # compute the address of the mov operand | |
| # generate the idapython code | |
| # python3 IAT_qiling.py sample.exe | tee addr_ida.py | |
| # idapython is in addr_ida.py at the end | |
| #.text:00406A0C push edi | |
| #.text:00406A0D mov esi, ebx | |
| #.text:00406A0F | |
| #.text:00406A0F loc_406A0F: ; CODE XREF: sub_406A02+28↓j | |
| #.text:00406A0F push dword_410FB0[esi] | |
| #.text:00406A15 call GetProcAddrCrc | |
| #.text:00406A1A mov dword_410FB0[esi], eax | |
| #.text:00406A20 add esi, 4 | |
| #.text:00406A23 pop ecx | |
| #.text:00406A24 cmp esi, 2A8h | |
| #.text:00406A2A jb short loc_406A0F | |
| #.text:00406A2C lea eax, [ebp+var_78] | |
| from qiling import * | |
| from qiling.const import D_INFO, D_RPRT, D_DRPT | |
| from capstone import Cs , CS_ARCH_X86, CS_MODE_32, CS_MODE_64 | |
| import sys | |
| import os | |
| targets = { | |
| 'dbg': [ 0x408ce4, 0x408cf6 ], | |
| 'def': [ 0x406a1a, 0x406a2c] | |
| } | |
| t = targets['def'] | |
| md = Cs(CS_ARCH_X86, CS_MODE_32) | |
| md.detail = True | |
| def addr_get_name(ql, addr): | |
| try: | |
| info = ql.loader.import_symbols[addr] | |
| return f'{info["dll"]}::{info["name"].decode()}' | |
| except Exception as ex: | |
| print(ex) | |
| return "error::error" | |
| def hook_code(ql, addr, size): | |
| if addr == t[0]: | |
| buf = ql.mem.read(addr, size) | |
| ins = list(md.disasm(buf, addr))[0] | |
| ql.nprint(f"[x] __ 0x{ins.address:x}:\t{ins.mnemonic}\t{ins.op_str}") | |
| eax = ql.reg.read("EAX") | |
| import_name = addr_get_name(ql,eax) | |
| ql.nprint(f"[x] eax: 0x{eax:08x} name: {import_name}") | |
| # get written addr | |
| # mov dword_410FB0[esi], eax | |
| write_reg = ins.reg_name(list(ins.operands)[0].value.mem.base) # ESI | |
| write_index = list(ins.operands)[0].value.mem.disp # 0x410fb0 | |
| write_addr = ql.reg.read(write_reg) + write_index # final addr | |
| ql.nprint(f'[x] import 0x{write_addr:08x} = {import_name}') | |
| print(f'idaapi.set_name(0x{write_addr:08x}, "{import_name}")', flush=True) | |
| elif addr == t[1]: | |
| ql.emu_stop() | |
| def sandbox(filepath): | |
| ql = Qiling([filepath], | |
| os.path.expandvars('$HOME/.local/src/qiling/examples/rootfs/x86_windows')) | |
| ql.hook_code(hook_code) | |
| ql.run() | |
| if __name__ == "__main__": | |
| sandbox(sys.argv[1]) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| idaapi.set_name(0x00410fb0, "advapi32::OpenProcessToken") | |
| idaapi.set_name(0x00410fb4, "ntdll::RtlAllocateHeap") | |
| idaapi.set_name(0x00410fb8, "kernel32::GetCommandLineW") | |
| idaapi.set_name(0x00410fbc, "ntdll::RtlTimeToTimeFields") | |
| idaapi.set_name(0x00410fc0, "kernel32::DeleteFileW") | |
| idaapi.set_name(0x00410fc4, "advapi32::RegSetValueExW") | |
| idaapi.set_name(0x00410fc8, "kernel32::LocalAlloc") | |
| idaapi.set_name(0x00410fcc, "kernel32::GetSystemInfo") | |
| idaapi.set_name(0x00410fd0, "shlwapi::PathFindExtensionW") | |
| idaapi.set_name(0x00410fd4, "kernel32::OpenMutexW") | |
| idaapi.set_name(0x00410fd8, "shlwapi::PathFindFileNameW") | |
| idaapi.set_name(0x00410fdc, "kernel32::GetFileAttributesExW") | |
| idaapi.set_name(0x00410fe0, "gdi32::SetBkColor") | |
| idaapi.set_name(0x00410fe4, "gdi32::CreateFontW") | |
| idaapi.set_name(0x00410fe8, "kernel32::TerminateProcess") | |
| idaapi.set_name(0x00410fec, "kernel32::Process32NextW") | |
| idaapi.set_name(0x00410ff0, "gdi32::SetPixel") | |
| idaapi.set_name(0x00410ff4, "crypt32::CryptBinaryToStringW") | |
| idaapi.set_name(0x00410ff8, "winhttp::WinHttpReceiveResponse") | |
| idaapi.set_name(0x00410ffc, "ntdll::RtlDeleteCriticalSection") | |
| idaapi.set_name(0x00411000, "user32::GetDC") | |
| idaapi.set_name(0x00411004, "advapi32::CloseServiceHandle") | |
| idaapi.set_name(0x00411008, "advapi32::ImpersonateLoggedOnUser") | |
| idaapi.set_name(0x0041100c, "winmm::timeGetTime") | |
| idaapi.set_name(0x00411010, "gdi32::DeleteDC") | |
| idaapi.set_name(0x00411014, "ntdll::RtlLeaveCriticalSection") | |
| idaapi.set_name(0x00411018, "oleaut32::SysAllocString") | |
| idaapi.set_name(0x0041101c, "kernel32::FindClose") | |
| idaapi.set_name(0x00411020, "ntdll::ZwOpenFile") | |
| idaapi.set_name(0x00411024, "ntdll::RtlGetLastWin32Error") | |
| idaapi.set_name(0x00411028, "ntdll::RtlInitUnicodeString") | |
| idaapi.set_name(0x0041102c, "gdi32::GetStockObject") | |
| idaapi.set_name(0x00411030, "kernel32::GetProcessHeap") | |
| idaapi.set_name(0x00411034, "gdi32::SetTextColor") | |
| idaapi.set_name(0x00411038, "advapi32::EnumServicesStatusExW") | |
| idaapi.set_name(0x0041103c, "winhttp::WinHttpOpen") | |
| idaapi.set_name(0x00411040, "advapi32::OpenSCManagerW") | |
| idaapi.set_name(0x00411044, "advapi32::IsValidSid") | |
| idaapi.set_name(0x00411048, "rstrtmgr::RmEndSession") | |
| idaapi.set_name(0x0041104c, "kernel32::GetSystemDefaultUILanguage") | |
| idaapi.set_name(0x00411050, "crypt32::CryptStringToBinaryW") | |
| idaapi.set_name(0x00411054, "advapi32::ControlService") | |
| idaapi.set_name(0x00411058, "kernel32::GlobalAlloc") | |
| idaapi.set_name(0x0041105c, "shlwapi::SHDeleteValueW") | |
| idaapi.set_name(0x00411060, "gdi32::GetObjectW") | |
| idaapi.set_name(0x00411064, "kernel32::UnmapViewOfFile") | |
| idaapi.set_name(0x00411068, "advapi32::RevertToSelf") | |
| idaapi.set_name(0x0041106c, "winhttp::WinHttpConnect") | |
| idaapi.set_name(0x00411070, "ole32::CoSetProxyBlanket") | |
| idaapi.set_name(0x00411074, "shell32::ShellExecuteExW") | |
| idaapi.set_name(0x00411078, "kernel32::GlobalFree") | |
| idaapi.set_name(0x0041107c, "ntdll::ZwSetInformationProcess") | |
| idaapi.set_name(0x00411080, "kernel32::ExitProcess") | |
| idaapi.set_name(0x00411084, "ntdll::RtlEnterCriticalSection") | |
| idaapi.set_name(0x00411088, "advapi32::SetFileSecurityW") | |
| idaapi.set_name(0x0041108c, "ntdll::RtlFreeHeap") | |
| idaapi.set_name(0x00411090, "kernel32::WriteFile") | |
| idaapi.set_name(0x00411094, "kernel32::GetTempPathW") | |
| idaapi.set_name(0x00411098, "winhttp::WinHttpCrackUrl") | |
| idaapi.set_name(0x0041109c, "shlwapi::SHDeleteKeyW") | |
| idaapi.set_name(0x004110a0, "winhttp::WinHttpSendRequest") | |
| idaapi.set_name(0x004110a4, "mpr::WNetCloseEnum") | |
| idaapi.set_name(0x004110a8, "advapi32::RegCloseKey") | |
| idaapi.set_name(0x004110ac, "gdi32::GetDIBits") | |
| idaapi.set_name(0x004110b0, "ntdll::ZwQueryInformationFile") | |
| idaapi.set_name(0x004110b4, "kernel32::GetCurrentProcessId") | |
| idaapi.set_name(0x004110b8, "kernel32::GetQueuedCompletionStatus") | |
| idaapi.set_name(0x004110bc, "kernel32::GetVolumeInformationW") | |
| idaapi.set_name(0x004110c0, "kernel32::ReleaseMutex") | |
| idaapi.set_name(0x004110c4, "rstrtmgr::RmRegisterResources") | |
| idaapi.set_name(0x004110c8, "ntdll::RtlAdjustPrivilege") | |
| idaapi.set_name(0x004110cc, "kernel32::MoveFileW") | |
| idaapi.set_name(0x004110d0, "winhttp::WinHttpReadData") | |
| idaapi.set_name(0x004110d4, "advapi32::CryptAcquireContextW") | |
| idaapi.set_name(0x004110d8, "mpr::WNetOpenEnumW") | |
| idaapi.set_name(0x004110dc, "kernel32::CompareFileTime") | |
| idaapi.set_name(0x004110e0, "user32::GetKeyboardLayoutList") | |
| idaapi.set_name(0x004110e4, "advapi32::CryptGenRandom") | |
| idaapi.set_name(0x004110e8, "user32::GetForegroundWindow") | |
| idaapi.set_name(0x004110ec, "advapi32::AllocateAndInitializeSid") | |
| idaapi.set_name(0x004110f0, "kernel32::LocalFree") | |
| idaapi.set_name(0x004110f4, "advapi32::RegOpenKeyExW") | |
| idaapi.set_name(0x004110f8, "kernel32::CreateIoCompletionPort") | |
| idaapi.set_name(0x004110fc, "user32::DrawTextW") | |
| idaapi.set_name(0x00411100, "kernel32::GetFileSize") | |
| idaapi.set_name(0x00411104, "kernel32::SetThreadExecutionState") | |
| idaapi.set_name(0x00411108, "gdi32::DeleteObject") | |
| idaapi.set_name(0x0041110c, "kernel32::GetComputerNameW") | |
| idaapi.set_name(0x00411110, "kernel32::CreateFileW") | |
| idaapi.set_name(0x00411114, "advapi32::CheckTokenMembership") | |
| idaapi.set_name(0x00411118, "kernel32::Wow64DisableWow64FsRedirection") | |
| idaapi.set_name(0x0041111c, "kernel32::GetProcAddress") | |
| idaapi.set_name(0x00411120, "kernel32::GetNativeSystemInfo") | |
| idaapi.set_name(0x00411124, "advapi32::GetUserNameW") | |
| idaapi.set_name(0x00411128, "kernel32::ReadFile") | |
| idaapi.set_name(0x0041112c, "user32::SystemParametersInfoW") | |
| idaapi.set_name(0x00411130, "ole32::CoInitializeEx") | |
| idaapi.set_name(0x00411134, "kernel32::SetFilePointerEx") | |
| idaapi.set_name(0x00411138, "kernel32::GetUserDefaultUILanguage") | |
| idaapi.set_name(0x0041113c, "advapi32::RegCreateKeyExW") | |
| idaapi.set_name(0x00411140, "kernel32::GetModuleFileNameW") | |
| idaapi.set_name(0x00411144, "shlwapi::StrToIntW") | |
| idaapi.set_name(0x00411148, "advapi32::FreeSid") | |
| idaapi.set_name(0x0041114c, "gdi32::SetBkMode") | |
| idaapi.set_name(0x00411150, "ntdll::RtlInitializeCriticalSection") | |
| idaapi.set_name(0x00411154, "kernel32::GetWindowsDirectoryW") | |
| idaapi.set_name(0x00411158, "kernel32::MulDiv") | |
| idaapi.set_name(0x0041115c, "kernel32::FindNextFileW") | |
| idaapi.set_name(0x00411160, "kernel32::SetFileAttributesW") | |
| idaapi.set_name(0x00411164, "kernel32::CreateMutexW") | |
| idaapi.set_name(0x00411168, "kernel32::GetDriveTypeW") | |
| idaapi.set_name(0x0041116c, "advapi32::OpenServiceW") | |
| idaapi.set_name(0x00411170, "kernel32::GetDiskFreeSpaceExW") | |
| idaapi.set_name(0x00411174, "winhttp::WinHttpQueryDataAvailable") | |
| idaapi.set_name(0x00411178, "rstrtmgr::RmStartSession") | |
| idaapi.set_name(0x0041117c, "kernel32::MoveFileExW") | |
| idaapi.set_name(0x00411180, "kernel32::Sleep") | |
| idaapi.set_name(0x00411184, "kernel32::PostQueuedCompletionStatus") | |
| idaapi.set_name(0x00411188, "kernel32::SetErrorMode") | |
| idaapi.set_name(0x0041118c, "kernel32::WaitForSingleObject") | |
| idaapi.set_name(0x00411190, "ole32::CoCreateInstance") | |
| idaapi.set_name(0x00411194, "kernel32::GetCurrentProcess") | |
| idaapi.set_name(0x00411198, "user32::wsprintfW") | |
| idaapi.set_name(0x0041119c, "shlwapi::PathAddBackslashW") | |
| idaapi.set_name(0x004111a0, "kernel32::HeapCreate") | |
| idaapi.set_name(0x004111a4, "mpr::WNetEnumResourceW") | |
| idaapi.set_name(0x004111a8, "oleaut32::SysFreeString") | |
| idaapi.set_name(0x004111ac, "user32::FillRect") | |
| idaapi.set_name(0x004111b0, "ole32::CreateStreamOnHGlobal") | |
| idaapi.set_name(0x004111b4, "kernel32::GetFileSizeEx") | |
| idaapi.set_name(0x004111b8, "kernel32::CreateProcessW") | |
| idaapi.set_name(0x004111bc, "ntdll::_snwprintf") | |
| idaapi.set_name(0x004111c0, "kernel32::CreateThread") | |
| idaapi.set_name(0x004111c4, "kernel32::MapViewOfFile") | |
| idaapi.set_name(0x004111c8, "kernel32::Process32FirstW") | |
| idaapi.set_name(0x004111cc, "advapi32::GetTokenInformation") | |
| idaapi.set_name(0x004111d0, "kernel32::Wow64RevertWow64FsRedirection") | |
| idaapi.set_name(0x004111d4, "kernel32::MultiByteToWideChar") | |
| idaapi.set_name(0x004111d8, "gdi32::SelectObject") | |
| idaapi.set_name(0x004111dc, "kernel32::HeapDestroy") | |
| idaapi.set_name(0x004111e0, "kernel32::CreateFileMappingW") | |
| idaapi.set_name(0x004111e4, "shlwapi::PathIsDirectoryW") | |
| idaapi.set_name(0x004111e8, "advapi32::RegQueryValueExW") | |
| idaapi.set_name(0x004111ec, "kernel32::FindFirstFileExW") | |
| idaapi.set_name(0x004111f0, "oleaut32::VariantClear") | |
| idaapi.set_name(0x004111f4, "winhttp::WinHttpQueryHeaders") | |
| idaapi.set_name(0x004111f8, "winhttp::WinHttpCloseHandle") | |
| idaapi.set_name(0x004111fc, "kernel32::FindFirstFileW") | |
| idaapi.set_name(0x00411200, "gdi32::CreateCompatibleDC") | |
| idaapi.set_name(0x00411204, "user32::ReleaseDC") | |
| idaapi.set_name(0x00411208, "kernel32::QueryFullProcessImageNameW") | |
| idaapi.set_name(0x0041120c, "winhttp::WinHttpOpenRequest") | |
| idaapi.set_name(0x00411210, "gdi32::CreateCompatibleBitmap") | |
| idaapi.set_name(0x00411214, "advapi32::DeleteService") | |
| idaapi.set_name(0x00411218, "ole32::CoInitializeSecurity") | |
| idaapi.set_name(0x0041121c, "kernel32::VirtualAlloc") | |
| idaapi.set_name(0x00411220, "kernel32::OpenProcess") | |
| idaapi.set_name(0x00411224, "kernel32::CloseHandle") | |
| idaapi.set_name(0x00411228, "kernel32::GetSystemDirectoryW") | |
| idaapi.set_name(0x0041122c, "ntdll::ZwClose") | |
| idaapi.set_name(0x00411230, "shell32::CommandLineToArgvW") | |
| idaapi.set_name(0x00411234, "winmm::timeBeginPeriod") | |
| idaapi.set_name(0x00411238, "gdi32::GetDeviceCaps") | |
| idaapi.set_name(0x0041123c, "kernel32::CreateToolhelp32Snapshot") | |
| idaapi.set_name(0x00411240, "kernel32::WideCharToMultiByte") | |
| idaapi.set_name(0x00411244, "ole32::CoUninitialize") | |
| idaapi.set_name(0x00411248, "rstrtmgr::RmGetList") | |
| idaapi.set_name(0x0041124c, "kernel32::GetFileAttributesW") | |
| idaapi.set_name(0x00411250, "kernel32::SystemTimeToFileTime") | |
| idaapi.set_name(0x00411254, "winhttp::WinHttpSetOption") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [+] Initiate stack address at 0xfffdd000 | |
| [+] Loading sample.exe to 0x400000 | |
| [+] PE entry point at 0x404161 | |
| [+] TEB addr is 0x6000 | |
| [+] PEB addr is 0x6044 | |
| [+] Loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/ntdll.dll to 0x10000000 | |
| [+] Done with loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/ntdll.dll | |
| [+] Loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/kernel32.dll to 0x101a3000 | |
| [+] Done with loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/kernel32.dll | |
| [+] Loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/user32.dll to 0x10288000 | |
| [+] Done with loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/user32.dll | |
| [+] Loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/oleaut32.dll to 0x1041b000 | |
| [+] Done with loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/oleaut32.dll | |
| [+] Loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/advapi32.dll to 0x104b1000 | |
| [+] Done with loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/advapi32.dll | |
| LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x104cef20 name: advapi32::OpenProcessToken | |
| [x] import 0x00410fb0 = advapi32::OpenProcessToken | |
| idaapi.set_name(0x00410fb0, "advapi32::OpenProcessToken") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x10045360 name: ntdll::RtlAllocateHeap | |
| [x] import 0x00410fb4 = ntdll::RtlAllocateHeap | |
| idaapi.set_name(0x00410fb4, "ntdll::RtlAllocateHeap") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c4cd0 name: kernel32::GetCommandLineW | |
| [x] import 0x00410fb8 = kernel32::GetCommandLineW | |
| idaapi.set_name(0x00410fb8, "kernel32::GetCommandLineW") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x1005eba0 name: ntdll::RtlTimeToTimeFields | |
| [x] import 0x00410fbc = ntdll::RtlTimeToTimeFields | |
| idaapi.set_name(0x00410fbc, "ntdll::RtlTimeToTimeFields") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c60d0 name: kernel32::DeleteFileW | |
| [x] import 0x00410fc0 = kernel32::DeleteFileW | |
| idaapi.set_name(0x00410fc0, "kernel32::DeleteFileW") | |
| LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x104cf0e0 name: advapi32::RegSetValueExW | |
| [x] import 0x00410fc4 = advapi32::RegSetValueExW | |
| idaapi.set_name(0x00410fc4, "advapi32::RegSetValueExW") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c33c0 name: kernel32::LocalAlloc | |
| [x] import 0x00410fc8 = kernel32::LocalAlloc | |
| idaapi.set_name(0x00410fc8, "kernel32::LocalAlloc") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c4870 name: kernel32::GetSystemInfo | |
| [x] import 0x00410fcc = kernel32::GetSystemInfo | |
| idaapi.set_name(0x00410fcc, "kernel32::GetSystemInfo") | |
| [+] Loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/shlwapi.dll to 0x1052a000 | |
| [+] Done with loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/shlwapi.dll | |
| LoadLibraryA(lpLibFileName = "shlwapi.dll") = 0x1052a000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x1053ed60 name: shlwapi::PathFindExtensionW | |
| [x] import 0x00410fd0 = shlwapi::PathFindExtensionW | |
| idaapi.set_name(0x00410fd0, "shlwapi::PathFindExtensionW") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c5f80 name: kernel32::OpenMutexW | |
| [x] import 0x00410fd4 = kernel32::OpenMutexW | |
| idaapi.set_name(0x00410fd4, "kernel32::OpenMutexW") | |
| LoadLibraryA(lpLibFileName = "shlwapi.dll") = 0x1052a000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x1053ee50 name: shlwapi::PathFindFileNameW | |
| [x] import 0x00410fd8 = shlwapi::PathFindFileNameW | |
| idaapi.set_name(0x00410fd8, "shlwapi::PathFindFileNameW") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c6290 name: kernel32::GetFileAttributesExW | |
| [x] import 0x00410fdc = kernel32::GetFileAttributesExW | |
| idaapi.set_name(0x00410fdc, "kernel32::GetFileAttributesExW") | |
| [+] Loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/gdi32.dll to 0x1056f000 | |
| [+] Done with loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/gdi32.dll | |
| LoadLibraryA(lpLibFileName = "gdi32.dll") = 0x1056f000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x10575e50 name: gdi32::SetBkColor | |
| [x] import 0x00410fe0 = gdi32::SetBkColor | |
| idaapi.set_name(0x00410fe0, "gdi32::SetBkColor") | |
| LoadLibraryA(lpLibFileName = "gdi32.dll") = 0x1056f000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x10573680 name: gdi32::CreateFontW | |
| [x] import 0x00410fe4 = gdi32::CreateFontW | |
| idaapi.set_name(0x00410fe4, "gdi32::CreateFontW") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101bc870 name: kernel32::TerminateProcess | |
| [x] import 0x00410fe8 = kernel32::TerminateProcess | |
| idaapi.set_name(0x00410fe8, "kernel32::TerminateProcess") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c36e0 name: kernel32::Process32NextW | |
| [x] import 0x00410fec = kernel32::Process32NextW | |
| idaapi.set_name(0x00410fec, "kernel32::Process32NextW") | |
| LoadLibraryA(lpLibFileName = "gdi32.dll") = 0x1056f000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x10574250 name: gdi32::SetPixel | |
| [x] import 0x00410ff0 = gdi32::SetPixel | |
| idaapi.set_name(0x00410ff0, "gdi32::SetPixel") | |
| [+] Loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/crypt32.dll to 0x10592000 | |
| [+] Done with loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/crypt32.dll | |
| LoadLibraryA(lpLibFileName = "crypt32.dll") = 0x10592000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x105beff0 name: crypt32::CryptBinaryToStringW | |
| [x] import 0x00410ff4 = crypt32::CryptBinaryToStringW | |
| idaapi.set_name(0x00410ff4, "crypt32::CryptBinaryToStringW") | |
| [+] Loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/winhttp.dll to 0x10691000 | |
| [+] Done with loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/winhttp.dll | |
| LoadLibraryA(lpLibFileName = "winhttp.dll") = 0x10691000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x106bb260 name: winhttp::WinHttpReceiveResponse | |
| [x] import 0x00410ff8 = winhttp::WinHttpReceiveResponse | |
| idaapi.set_name(0x00410ff8, "winhttp::WinHttpReceiveResponse") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x1004f920 name: ntdll::RtlDeleteCriticalSection | |
| [x] import 0x00410ffc = ntdll::RtlDeleteCriticalSection | |
| idaapi.set_name(0x00410ffc, "ntdll::RtlDeleteCriticalSection") | |
| LoadLibraryA(lpLibFileName = "user32.dll") = 0x10288000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x102c3760 name: user32::GetDC | |
| [x] import 0x00411000 = user32::GetDC | |
| idaapi.set_name(0x00411000, "user32::GetDC") | |
| LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x104d05a0 name: advapi32::CloseServiceHandle | |
| [x] import 0x00411004 = advapi32::CloseServiceHandle | |
| idaapi.set_name(0x00411004, "advapi32::CloseServiceHandle") | |
| LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x104d0730 name: advapi32::ImpersonateLoggedOnUser | |
| [x] import 0x00411008 = advapi32::ImpersonateLoggedOnUser | |
| idaapi.set_name(0x00411008, "advapi32::ImpersonateLoggedOnUser") | |
| [+] Loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/winmm.dll to 0x10753000 | |
| [+] Done with loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/winmm.dll | |
| LoadLibraryA(lpLibFileName = "winmm.dll") = 0x10753000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x107577a0 name: winmm::timeGetTime | |
| [x] import 0x0041100c = winmm::timeGetTime | |
| idaapi.set_name(0x0041100c, "winmm::timeGetTime") | |
| LoadLibraryA(lpLibFileName = "gdi32.dll") = 0x1056f000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x105757e0 name: gdi32::DeleteDC | |
| [x] import 0x00411010 = gdi32::DeleteDC | |
| idaapi.set_name(0x00411010, "gdi32::DeleteDC") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x1003dde0 name: ntdll::RtlLeaveCriticalSection | |
| [x] import 0x00411014 = ntdll::RtlLeaveCriticalSection | |
| idaapi.set_name(0x00411014, "ntdll::RtlLeaveCriticalSection") | |
| LoadLibraryA(lpLibFileName = "oleaut32.dll") = 0x1041b000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x1043a6a0 name: oleaut32::SysAllocString | |
| [x] import 0x00411018 = oleaut32::SysAllocString | |
| idaapi.set_name(0x00411018, "oleaut32::SysAllocString") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c6100 name: kernel32::FindClose | |
| [x] import 0x0041101c = kernel32::FindClose | |
| idaapi.set_name(0x0041101c, "kernel32::FindClose") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x10071800 name: ntdll::ZwOpenFile | |
| [x] import 0x00411020 = ntdll::ZwOpenFile | |
| idaapi.set_name(0x00411020, "ntdll::ZwOpenFile") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x100e2dd0 name: ntdll::RtlGetLastWin32Error | |
| [x] import 0x00411024 = ntdll::RtlGetLastWin32Error | |
| idaapi.set_name(0x00411024, "ntdll::RtlGetLastWin32Error") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x10073b70 name: ntdll::RtlInitUnicodeString | |
| [x] import 0x00411028 = ntdll::RtlInitUnicodeString | |
| idaapi.set_name(0x00411028, "ntdll::RtlInitUnicodeString") | |
| LoadLibraryA(lpLibFileName = "gdi32.dll") = 0x1056f000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x10574ea0 name: gdi32::GetStockObject | |
| [x] import 0x0041102c = gdi32::GetStockObject | |
| idaapi.set_name(0x0041102c, "gdi32::GetStockObject") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c22e0 name: kernel32::GetProcessHeap | |
| [x] import 0x00411030 = kernel32::GetProcessHeap | |
| idaapi.set_name(0x00411030, "kernel32::GetProcessHeap") | |
| LoadLibraryA(lpLibFileName = "gdi32.dll") = 0x1056f000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x10575de0 name: gdi32::SetTextColor | |
| [x] import 0x00411034 = gdi32::SetTextColor | |
| idaapi.set_name(0x00411034, "gdi32::SetTextColor") | |
| LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x104d3e50 name: advapi32::EnumServicesStatusExW | |
| [x] import 0x00411038 = advapi32::EnumServicesStatusExW | |
| idaapi.set_name(0x00411038, "advapi32::EnumServicesStatusExW") | |
| LoadLibraryA(lpLibFileName = "winhttp.dll") = 0x10691000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x106b3ef0 name: winhttp::WinHttpOpen | |
| [x] import 0x0041103c = winhttp::WinHttpOpen | |
| idaapi.set_name(0x0041103c, "winhttp::WinHttpOpen") | |
| LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x104d0640 name: advapi32::OpenSCManagerW | |
| [x] import 0x00411040 = advapi32::OpenSCManagerW | |
| idaapi.set_name(0x00411040, "advapi32::OpenSCManagerW") | |
| LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x104cf560 name: advapi32::IsValidSid | |
| [x] import 0x00411044 = advapi32::IsValidSid | |
| idaapi.set_name(0x00411044, "advapi32::IsValidSid") | |
| [+] Loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/rstrtmgr.dll to 0x1077b000 | |
| [+] Done with loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/rstrtmgr.dll | |
| LoadLibraryA(lpLibFileName = "rstrtmgr.dll") = 0x1077b000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x107827e0 name: rstrtmgr::RmEndSession | |
| [x] import 0x00411048 = rstrtmgr::RmEndSession | |
| idaapi.set_name(0x00411048, "rstrtmgr::RmEndSession") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c4880 name: kernel32::GetSystemDefaultUILanguage | |
| [x] import 0x0041104c = kernel32::GetSystemDefaultUILanguage | |
| idaapi.set_name(0x0041104c, "kernel32::GetSystemDefaultUILanguage") | |
| LoadLibraryA(lpLibFileName = "crypt32.dll") = 0x10592000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x105d9420 name: crypt32::CryptStringToBinaryW | |
| [x] import 0x00411050 = crypt32::CryptStringToBinaryW | |
| idaapi.set_name(0x00411050, "crypt32::CryptStringToBinaryW") | |
| LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x104e3910 name: advapi32::ControlService | |
| [x] import 0x00411054 = advapi32::ControlService | |
| idaapi.set_name(0x00411054, "advapi32::ControlService") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c3550 name: kernel32::GlobalAlloc | |
| [x] import 0x00411058 = kernel32::GlobalAlloc | |
| idaapi.set_name(0x00411058, "kernel32::GlobalAlloc") | |
| LoadLibraryA(lpLibFileName = "shlwapi.dll") = 0x1052a000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x10546e30 name: shlwapi::SHDeleteValueW | |
| [x] import 0x0041105c = shlwapi::SHDeleteValueW | |
| idaapi.set_name(0x0041105c, "shlwapi::SHDeleteValueW") | |
| LoadLibraryA(lpLibFileName = "gdi32.dll") = 0x1056f000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x10575ca0 name: gdi32::GetObjectW | |
| [x] import 0x00411060 = gdi32::GetObjectW | |
| idaapi.set_name(0x00411060, "gdi32::GetObjectW") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c3530 name: kernel32::UnmapViewOfFile | |
| [x] import 0x00411064 = kernel32::UnmapViewOfFile | |
| idaapi.set_name(0x00411064, "kernel32::UnmapViewOfFile") | |
| LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x104cfa10 name: advapi32::RevertToSelf | |
| [x] import 0x00411068 = advapi32::RevertToSelf | |
| idaapi.set_name(0x00411068, "advapi32::RevertToSelf") | |
| LoadLibraryA(lpLibFileName = "winhttp.dll") = 0x10691000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x106b88f0 name: winhttp::WinHttpConnect | |
| [x] import 0x0041106c = winhttp::WinHttpConnect | |
| idaapi.set_name(0x0041106c, "winhttp::WinHttpConnect") | |
| [+] Loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/ole32.dll to 0x107ab000 | |
| [+] Done with loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/ole32.dll | |
| LoadLibraryA(lpLibFileName = "ole32.dll") = 0x107ab000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x10861b91 name: ole32::CoSetProxyBlanket | |
| [x] import 0x00411070 = ole32::CoSetProxyBlanket | |
| idaapi.set_name(0x00411070, "ole32::CoSetProxyBlanket") | |
| [+] Loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/shell32.dll to 0x1088e000 | |
| [+] Done with loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/shell32.dll | |
| LoadLibraryA(lpLibFileName = "shell32.dll") = 0x1088e000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x1098d550 name: shell32::ShellExecuteExW | |
| [x] import 0x00411074 = shell32::ShellExecuteExW | |
| idaapi.set_name(0x00411074, "shell32::ShellExecuteExW") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c2f20 name: kernel32::GlobalFree | |
| [x] import 0x00411078 = kernel32::GlobalFree | |
| idaapi.set_name(0x00411078, "kernel32::GlobalFree") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x10071690 name: ntdll::ZwSetInformationProcess | |
| [x] import 0x0041107c = ntdll::ZwSetInformationProcess | |
| idaapi.set_name(0x0041107c, "ntdll::ZwSetInformationProcess") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c7060 name: kernel32::ExitProcess | |
| [x] import 0x00411080 = kernel32::ExitProcess | |
| idaapi.set_name(0x00411080, "kernel32::ExitProcess") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x1003e8c0 name: ntdll::RtlEnterCriticalSection | |
| [x] import 0x00411084 = ntdll::RtlEnterCriticalSection | |
| idaapi.set_name(0x00411084, "ntdll::RtlEnterCriticalSection") | |
| LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x104d52c0 name: advapi32::SetFileSecurityW | |
| [x] import 0x00411088 = advapi32::SetFileSecurityW | |
| idaapi.set_name(0x00411088, "advapi32::SetFileSecurityW") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x100486e0 name: ntdll::RtlFreeHeap | |
| [x] import 0x0041108c = ntdll::RtlFreeHeap | |
| idaapi.set_name(0x0041108c, "ntdll::RtlFreeHeap") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c6510 name: kernel32::WriteFile | |
| [x] import 0x00411090 = kernel32::WriteFile | |
| idaapi.set_name(0x00411090, "kernel32::WriteFile") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c6380 name: kernel32::GetTempPathW | |
| [x] import 0x00411094 = kernel32::GetTempPathW | |
| idaapi.set_name(0x00411094, "kernel32::GetTempPathW") | |
| LoadLibraryA(lpLibFileName = "winhttp.dll") = 0x10691000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x106ac410 name: winhttp::WinHttpCrackUrl | |
| [x] import 0x00411098 = winhttp::WinHttpCrackUrl | |
| idaapi.set_name(0x00411098, "winhttp::WinHttpCrackUrl") | |
| LoadLibraryA(lpLibFileName = "shlwapi.dll") = 0x1052a000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x10540020 name: shlwapi::SHDeleteKeyW | |
| [x] import 0x0041109c = shlwapi::SHDeleteKeyW | |
| idaapi.set_name(0x0041109c, "shlwapi::SHDeleteKeyW") | |
| LoadLibraryA(lpLibFileName = "winhttp.dll") = 0x10691000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x106b97a0 name: winhttp::WinHttpSendRequest | |
| [x] import 0x004110a0 = winhttp::WinHttpSendRequest | |
| idaapi.set_name(0x004110a0, "winhttp::WinHttpSendRequest") | |
| [+] Loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/mpr.dll to 0x10e3e000 | |
| [+] Done with loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/mpr.dll | |
| LoadLibraryA(lpLibFileName = "mpr.dll") = 0x10e3e000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x10e407b0 name: mpr::WNetCloseEnum | |
| [x] import 0x004110a4 = mpr::WNetCloseEnum | |
| idaapi.set_name(0x004110a4, "mpr::WNetCloseEnum") | |
| LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x104cf010 name: advapi32::RegCloseKey | |
| [x] import 0x004110a8 = advapi32::RegCloseKey | |
| idaapi.set_name(0x004110a8, "advapi32::RegCloseKey") | |
| LoadLibraryA(lpLibFileName = "gdi32.dll") = 0x1056f000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x10576000 name: gdi32::GetDIBits | |
| [x] import 0x004110ac = gdi32::GetDIBits | |
| idaapi.set_name(0x004110ac, "gdi32::GetDIBits") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x100715c0 name: ntdll::ZwQueryInformationFile | |
| [x] import 0x004110b0 = ntdll::ZwQueryInformationFile | |
| idaapi.set_name(0x004110b0, "ntdll::ZwQueryInformationFile") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c5df0 name: kernel32::GetCurrentProcessId | |
| [x] import 0x004110b4 = kernel32::GetCurrentProcessId | |
| idaapi.set_name(0x004110b4, "kernel32::GetCurrentProcessId") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c51e0 name: kernel32::GetQueuedCompletionStatus | |
| [x] import 0x004110b8 = kernel32::GetQueuedCompletionStatus | |
| idaapi.set_name(0x004110b8, "kernel32::GetQueuedCompletionStatus") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c63b0 name: kernel32::GetVolumeInformationW | |
| [x] import 0x004110bc = kernel32::GetVolumeInformationW | |
| idaapi.set_name(0x004110bc, "kernel32::GetVolumeInformationW") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c5fb0 name: kernel32::ReleaseMutex | |
| [x] import 0x004110c0 = kernel32::ReleaseMutex | |
| idaapi.set_name(0x004110c0, "kernel32::ReleaseMutex") | |
| LoadLibraryA(lpLibFileName = "rstrtmgr.dll") = 0x1077b000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x10782a20 name: rstrtmgr::RmRegisterResources | |
| [x] import 0x004110c4 = rstrtmgr::RmRegisterResources | |
| idaapi.set_name(0x004110c4, "rstrtmgr::RmRegisterResources") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x10067080 name: ntdll::RtlAdjustPrivilege | |
| [x] import 0x004110c8 = ntdll::RtlAdjustPrivilege | |
| idaapi.set_name(0x004110c8, "ntdll::RtlAdjustPrivilege") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c5010 name: kernel32::MoveFileW | |
| [x] import 0x004110cc = kernel32::MoveFileW | |
| idaapi.set_name(0x004110cc, "kernel32::MoveFileW") | |
| LoadLibraryA(lpLibFileName = "winhttp.dll") = 0x10691000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x106bad60 name: winhttp::WinHttpReadData | |
| [x] import 0x004110d0 = winhttp::WinHttpReadData | |
| idaapi.set_name(0x004110d0, "winhttp::WinHttpReadData") | |
| LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x104cf850 name: advapi32::CryptAcquireContextW | |
| [x] import 0x004110d4 = advapi32::CryptAcquireContextW | |
| idaapi.set_name(0x004110d4, "advapi32::CryptAcquireContextW") | |
| LoadLibraryA(lpLibFileName = "mpr.dll") = 0x10e3e000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x10e408d0 name: mpr::WNetOpenEnumW | |
| [x] import 0x004110d8 = mpr::WNetOpenEnumW | |
| idaapi.set_name(0x004110d8, "mpr::WNetOpenEnumW") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c6050 name: kernel32::CompareFileTime | |
| [x] import 0x004110dc = kernel32::CompareFileTime | |
| idaapi.set_name(0x004110dc, "kernel32::CompareFileTime") | |
| LoadLibraryA(lpLibFileName = "user32.dll") = 0x10288000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x102c6450 name: user32::GetKeyboardLayoutList | |
| [x] import 0x004110e0 = user32::GetKeyboardLayoutList | |
| idaapi.set_name(0x004110e0, "user32::GetKeyboardLayoutList") | |
| LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x104d0540 name: advapi32::CryptGenRandom | |
| [x] import 0x004110e4 = advapi32::CryptGenRandom | |
| idaapi.set_name(0x004110e4, "advapi32::CryptGenRandom") | |
| LoadLibraryA(lpLibFileName = "user32.dll") = 0x10288000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x102c63b0 name: user32::GetForegroundWindow | |
| [x] import 0x004110e8 = user32::GetForegroundWindow | |
| idaapi.set_name(0x004110e8, "user32::GetForegroundWindow") | |
| LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x104cf580 name: advapi32::AllocateAndInitializeSid | |
| [x] import 0x004110ec = advapi32::AllocateAndInitializeSid | |
| idaapi.set_name(0x004110ec, "advapi32::AllocateAndInitializeSid") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c2490 name: kernel32::LocalFree | |
| [x] import 0x004110f0 = kernel32::LocalFree | |
| idaapi.set_name(0x004110f0, "kernel32::LocalFree") | |
| LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x104ceea0 name: advapi32::RegOpenKeyExW | |
| [x] import 0x004110f4 = advapi32::RegOpenKeyExW | |
| idaapi.set_name(0x004110f4, "advapi32::RegOpenKeyExW") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c5200 name: kernel32::CreateIoCompletionPort | |
| [x] import 0x004110f8 = kernel32::CreateIoCompletionPort | |
| idaapi.set_name(0x004110f8, "kernel32::CreateIoCompletionPort") | |
| LoadLibraryA(lpLibFileName = "user32.dll") = 0x10288000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x102b1660 name: user32::DrawTextW | |
| [x] import 0x004110fc = user32::DrawTextW | |
| idaapi.set_name(0x004110fc, "user32::DrawTextW") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c62c0 name: kernel32::GetFileSize | |
| [x] import 0x00411100 = kernel32::GetFileSize | |
| idaapi.set_name(0x00411100, "kernel32::GetFileSize") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101bc620 name: kernel32::SetThreadExecutionState | |
| [x] import 0x00411104 = kernel32::SetThreadExecutionState | |
| idaapi.set_name(0x00411104, "kernel32::SetThreadExecutionState") | |
| LoadLibraryA(lpLibFileName = "gdi32.dll") = 0x1056f000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x105747d0 name: gdi32::DeleteObject | |
| [x] import 0x00411108 = gdi32::DeleteObject | |
| idaapi.set_name(0x00411108, "gdi32::DeleteObject") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c4300 name: kernel32::GetComputerNameW | |
| [x] import 0x0041110c = kernel32::GetComputerNameW | |
| idaapi.set_name(0x0041110c, "kernel32::GetComputerNameW") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c60a0 name: kernel32::CreateFileW | |
| [x] import 0x00411110 = kernel32::CreateFileW | |
| idaapi.set_name(0x00411110, "kernel32::CreateFileW") | |
| LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x104cf930 name: advapi32::CheckTokenMembership | |
| [x] import 0x00411114 = advapi32::CheckTokenMembership | |
| idaapi.set_name(0x00411114, "advapi32::CheckTokenMembership") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101bb780 name: kernel32::Wow64DisableWow64FsRedirection | |
| [x] import 0x00411118 = kernel32::Wow64DisableWow64FsRedirection | |
| idaapi.set_name(0x00411118, "kernel32::Wow64DisableWow64FsRedirection") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c24b0 name: kernel32::GetProcAddress | |
| [x] import 0x0041111c = kernel32::GetProcAddress | |
| idaapi.set_name(0x0041111c, "kernel32::GetProcAddress") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c4e10 name: kernel32::GetNativeSystemInfo | |
| [x] import 0x00411120 = kernel32::GetNativeSystemInfo | |
| idaapi.set_name(0x00411120, "kernel32::GetNativeSystemInfo") | |
| LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x104cf800 name: advapi32::GetUserNameW | |
| [x] import 0x00411124 = advapi32::GetUserNameW | |
| idaapi.set_name(0x00411124, "advapi32::GetUserNameW") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c6420 name: kernel32::ReadFile | |
| [x] import 0x00411128 = kernel32::ReadFile | |
| idaapi.set_name(0x00411128, "kernel32::ReadFile") | |
| LoadLibraryA(lpLibFileName = "user32.dll") = 0x10288000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x102b9cf0 name: user32::SystemParametersInfoW | |
| [x] import 0x0041112c = user32::SystemParametersInfoW | |
| idaapi.set_name(0x0041112c, "user32::SystemParametersInfoW") | |
| LoadLibraryA(lpLibFileName = "ole32.dll") = 0x107ab000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x108612a1 name: ole32::CoInitializeEx | |
| [x] import 0x00411130 = ole32::CoInitializeEx | |
| idaapi.set_name(0x00411130, "ole32::CoInitializeEx") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c64c0 name: kernel32::SetFilePointerEx | |
| [x] import 0x00411134 = kernel32::SetFilePointerEx | |
| idaapi.set_name(0x00411134, "kernel32::SetFilePointerEx") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c4ec0 name: kernel32::GetUserDefaultUILanguage | |
| [x] import 0x00411138 = kernel32::GetUserDefaultUILanguage | |
| idaapi.set_name(0x00411138, "kernel32::GetUserDefaultUILanguage") | |
| LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x104cf120 name: advapi32::RegCreateKeyExW | |
| [x] import 0x0041113c = advapi32::RegCreateKeyExW | |
| idaapi.set_name(0x0041113c, "advapi32::RegCreateKeyExW") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c3860 name: kernel32::GetModuleFileNameW | |
| [x] import 0x00411140 = kernel32::GetModuleFileNameW | |
| idaapi.set_name(0x00411140, "kernel32::GetModuleFileNameW") | |
| LoadLibraryA(lpLibFileName = "shlwapi.dll") = 0x1052a000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x1053dd50 name: shlwapi::StrToIntW | |
| [x] import 0x00411144 = shlwapi::StrToIntW | |
| idaapi.set_name(0x00411144, "shlwapi::StrToIntW") | |
| LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x104cfdc0 name: advapi32::FreeSid | |
| [x] import 0x00411148 = advapi32::FreeSid | |
| idaapi.set_name(0x00411148, "advapi32::FreeSid") | |
| LoadLibraryA(lpLibFileName = "gdi32.dll") = 0x1056f000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x10575f10 name: gdi32::SetBkMode | |
| [x] import 0x0041114c = gdi32::SetBkMode | |
| idaapi.set_name(0x0041114c, "gdi32::SetBkMode") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x1005e1c0 name: ntdll::RtlInitializeCriticalSection | |
| [x] import 0x00411150 = ntdll::RtlInitializeCriticalSection | |
| idaapi.set_name(0x00411150, "ntdll::RtlInitializeCriticalSection") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101bc890 name: kernel32::GetWindowsDirectoryW | |
| [x] import 0x00411154 = kernel32::GetWindowsDirectoryW | |
| idaapi.set_name(0x00411154, "kernel32::GetWindowsDirectoryW") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c5c90 name: kernel32::MulDiv | |
| [x] import 0x00411158 = kernel32::MulDiv | |
| idaapi.set_name(0x00411158, "kernel32::MulDiv") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c61d0 name: kernel32::FindNextFileW | |
| [x] import 0x0041115c = kernel32::FindNextFileW | |
| idaapi.set_name(0x0041115c, "kernel32::FindNextFileW") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c6490 name: kernel32::SetFileAttributesW | |
| [x] import 0x00411160 = kernel32::SetFileAttributesW | |
| idaapi.set_name(0x00411160, "kernel32::SetFileAttributesW") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c5f00 name: kernel32::CreateMutexW | |
| [x] import 0x00411164 = kernel32::CreateMutexW | |
| idaapi.set_name(0x00411164, "kernel32::CreateMutexW") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c6260 name: kernel32::GetDriveTypeW | |
| [x] import 0x00411168 = kernel32::GetDriveTypeW | |
| idaapi.set_name(0x00411168, "kernel32::GetDriveTypeW") | |
| LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x104d0660 name: advapi32::OpenServiceW | |
| [x] import 0x0041116c = advapi32::OpenServiceW | |
| idaapi.set_name(0x0041116c, "advapi32::OpenServiceW") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c6230 name: kernel32::GetDiskFreeSpaceExW | |
| [x] import 0x00411170 = kernel32::GetDiskFreeSpaceExW | |
| idaapi.set_name(0x00411170, "kernel32::GetDiskFreeSpaceExW") | |
| LoadLibraryA(lpLibFileName = "winhttp.dll") = 0x10691000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x106ba050 name: winhttp::WinHttpQueryDataAvailable | |
| [x] import 0x00411174 = winhttp::WinHttpQueryDataAvailable | |
| idaapi.set_name(0x00411174, "winhttp::WinHttpQueryDataAvailable") | |
| LoadLibraryA(lpLibFileName = "rstrtmgr.dll") = 0x1077b000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x10782cf0 name: rstrtmgr::RmStartSession | |
| [x] import 0x00411178 = rstrtmgr::RmStartSession | |
| idaapi.set_name(0x00411178, "rstrtmgr::RmStartSession") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101bc910 name: kernel32::MoveFileExW | |
| [x] import 0x0041117c = kernel32::MoveFileExW | |
| idaapi.set_name(0x0041117c, "kernel32::MoveFileExW") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c3e60 name: kernel32::Sleep | |
| [x] import 0x00411180 = kernel32::Sleep | |
| idaapi.set_name(0x00411180, "kernel32::Sleep") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c51c0 name: kernel32::PostQueuedCompletionStatus | |
| [x] import 0x00411184 = kernel32::PostQueuedCompletionStatus | |
| idaapi.set_name(0x00411184, "kernel32::PostQueuedCompletionStatus") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c3570 name: kernel32::SetErrorMode | |
| [x] import 0x00411188 = kernel32::SetErrorMode | |
| idaapi.set_name(0x00411188, "kernel32::SetErrorMode") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c6030 name: kernel32::WaitForSingleObject | |
| [x] import 0x0041118c = kernel32::WaitForSingleObject | |
| idaapi.set_name(0x0041118c, "kernel32::WaitForSingleObject") | |
| LoadLibraryA(lpLibFileName = "ole32.dll") = 0x107ab000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x1086061d name: ole32::CoCreateInstance | |
| [x] import 0x00411190 = ole32::CoCreateInstance | |
| idaapi.set_name(0x00411190, "ole32::CoCreateInstance") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c5de0 name: kernel32::GetCurrentProcess | |
| [x] import 0x00411194 = kernel32::GetCurrentProcess | |
| idaapi.set_name(0x00411194, "kernel32::GetCurrentProcess") | |
| LoadLibraryA(lpLibFileName = "user32.dll") = 0x10288000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x102ac7d0 name: user32::wsprintfW | |
| [x] import 0x00411198 = user32::wsprintfW | |
| idaapi.set_name(0x00411198, "user32::wsprintfW") | |
| LoadLibraryA(lpLibFileName = "shlwapi.dll") = 0x1052a000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x1053f480 name: shlwapi::PathAddBackslashW | |
| [x] import 0x0041119c = shlwapi::PathAddBackslashW | |
| idaapi.set_name(0x0041119c, "shlwapi::PathAddBackslashW") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c39a0 name: kernel32::HeapCreate | |
| [x] import 0x004111a0 = kernel32::HeapCreate | |
| idaapi.set_name(0x004111a0, "kernel32::HeapCreate") | |
| LoadLibraryA(lpLibFileName = "mpr.dll") = 0x10e3e000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x10e40530 name: mpr::WNetEnumResourceW | |
| [x] import 0x004111a4 = mpr::WNetEnumResourceW | |
| idaapi.set_name(0x004111a4, "mpr::WNetEnumResourceW") | |
| LoadLibraryA(lpLibFileName = "oleaut32.dll") = 0x1041b000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x10439860 name: oleaut32::SysFreeString | |
| [x] import 0x004111a8 = oleaut32::SysFreeString | |
| idaapi.set_name(0x004111a8, "oleaut32::SysFreeString") | |
| LoadLibraryA(lpLibFileName = "user32.dll") = 0x10288000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x102a82b0 name: user32::FillRect | |
| [x] import 0x004111ac = user32::FillRect | |
| idaapi.set_name(0x004111ac, "user32::FillRect") | |
| LoadLibraryA(lpLibFileName = "ole32.dll") = 0x107ab000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x10862167 name: ole32::CreateStreamOnHGlobal | |
| [x] import 0x004111b0 = ole32::CreateStreamOnHGlobal | |
| idaapi.set_name(0x004111b0, "ole32::CreateStreamOnHGlobal") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c62d0 name: kernel32::GetFileSizeEx | |
| [x] import 0x004111b4 = kernel32::GetFileSizeEx | |
| idaapi.set_name(0x004111b4, "kernel32::GetFileSizeEx") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101bb840 name: kernel32::CreateProcessW | |
| [x] import 0x004111b8 = kernel32::CreateProcessW | |
| idaapi.set_name(0x004111b8, "kernel32::CreateProcessW") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x10075c40 name: ntdll::_snwprintf | |
| [x] import 0x004111bc = ntdll::_snwprintf | |
| idaapi.set_name(0x004111bc, "ntdll::_snwprintf") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c3e70 name: kernel32::CreateThread | |
| [x] import 0x004111c0 = kernel32::CreateThread | |
| idaapi.set_name(0x004111c0, "kernel32::CreateThread") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c24f0 name: kernel32::MapViewOfFile | |
| [x] import 0x004111c4 = kernel32::MapViewOfFile | |
| idaapi.set_name(0x004111c4, "kernel32::MapViewOfFile") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c4b60 name: kernel32::Process32FirstW | |
| [x] import 0x004111c8 = kernel32::Process32FirstW | |
| idaapi.set_name(0x004111c8, "kernel32::Process32FirstW") | |
| LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x104ceb80 name: advapi32::GetTokenInformation | |
| [x] import 0x004111cc = advapi32::GetTokenInformation | |
| idaapi.set_name(0x004111cc, "advapi32::GetTokenInformation") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101bb760 name: kernel32::Wow64RevertWow64FsRedirection | |
| [x] import 0x004111d0 = kernel32::Wow64RevertWow64FsRedirection | |
| idaapi.set_name(0x004111d0, "kernel32::Wow64RevertWow64FsRedirection") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c0ee0 name: kernel32::MultiByteToWideChar | |
| [x] import 0x004111d4 = kernel32::MultiByteToWideChar | |
| idaapi.set_name(0x004111d4, "kernel32::MultiByteToWideChar") | |
| LoadLibraryA(lpLibFileName = "gdi32.dll") = 0x1056f000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x10575bf0 name: gdi32::SelectObject | |
| [x] import 0x004111d8 = gdi32::SelectObject | |
| idaapi.set_name(0x004111d8, "gdi32::SelectObject") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c3b50 name: kernel32::HeapDestroy | |
| [x] import 0x004111dc = kernel32::HeapDestroy | |
| idaapi.set_name(0x004111dc, "kernel32::HeapDestroy") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c3400 name: kernel32::CreateFileMappingW | |
| [x] import 0x004111e0 = kernel32::CreateFileMappingW | |
| idaapi.set_name(0x004111e0, "kernel32::CreateFileMappingW") | |
| LoadLibraryA(lpLibFileName = "shlwapi.dll") = 0x1052a000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x1053ef90 name: shlwapi::PathIsDirectoryW | |
| [x] import 0x004111e4 = shlwapi::PathIsDirectoryW | |
| idaapi.set_name(0x004111e4, "shlwapi::PathIsDirectoryW") | |
| LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x104cedd0 name: advapi32::RegQueryValueExW | |
| [x] import 0x004111e8 = advapi32::RegQueryValueExW | |
| idaapi.set_name(0x004111e8, "advapi32::RegQueryValueExW") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c6160 name: kernel32::FindFirstFileExW | |
| [x] import 0x004111ec = kernel32::FindFirstFileExW | |
| idaapi.set_name(0x004111ec, "kernel32::FindFirstFileExW") | |
| LoadLibraryA(lpLibFileName = "oleaut32.dll") = 0x1041b000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x10439610 name: oleaut32::VariantClear | |
| [x] import 0x004111f0 = oleaut32::VariantClear | |
| idaapi.set_name(0x004111f0, "oleaut32::VariantClear") | |
| LoadLibraryA(lpLibFileName = "winhttp.dll") = 0x10691000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x106b4190 name: winhttp::WinHttpQueryHeaders | |
| [x] import 0x004111f4 = winhttp::WinHttpQueryHeaders | |
| idaapi.set_name(0x004111f4, "winhttp::WinHttpQueryHeaders") | |
| LoadLibraryA(lpLibFileName = "winhttp.dll") = 0x10691000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x106b77b0 name: winhttp::WinHttpCloseHandle | |
| [x] import 0x004111f8 = winhttp::WinHttpCloseHandle | |
| idaapi.set_name(0x004111f8, "winhttp::WinHttpCloseHandle") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c6180 name: kernel32::FindFirstFileW | |
| [x] import 0x004111fc = kernel32::FindFirstFileW | |
| idaapi.set_name(0x004111fc, "kernel32::FindFirstFileW") | |
| LoadLibraryA(lpLibFileName = "gdi32.dll") = 0x1056f000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x10575ce0 name: gdi32::CreateCompatibleDC | |
| [x] import 0x00411200 = gdi32::CreateCompatibleDC | |
| idaapi.set_name(0x00411200, "gdi32::CreateCompatibleDC") | |
| LoadLibraryA(lpLibFileName = "user32.dll") = 0x10288000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x102c3100 name: user32::ReleaseDC | |
| [x] import 0x00411204 = user32::ReleaseDC | |
| idaapi.set_name(0x00411204, "user32::ReleaseDC") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101d7330 name: kernel32::QueryFullProcessImageNameW | |
| [x] import 0x00411208 = kernel32::QueryFullProcessImageNameW | |
| idaapi.set_name(0x00411208, "kernel32::QueryFullProcessImageNameW") | |
| LoadLibraryA(lpLibFileName = "winhttp.dll") = 0x10691000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x106ba660 name: winhttp::WinHttpOpenRequest | |
| [x] import 0x0041120c = winhttp::WinHttpOpenRequest | |
| idaapi.set_name(0x0041120c, "winhttp::WinHttpOpenRequest") | |
| LoadLibraryA(lpLibFileName = "gdi32.dll") = 0x1056f000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x10575fc0 name: gdi32::CreateCompatibleBitmap | |
| [x] import 0x00411210 = gdi32::CreateCompatibleBitmap | |
| idaapi.set_name(0x00411210, "gdi32::CreateCompatibleBitmap") | |
| LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x104e41c0 name: advapi32::DeleteService | |
| [x] import 0x00411214 = advapi32::DeleteService | |
| idaapi.set_name(0x00411214, "advapi32::DeleteService") | |
| LoadLibraryA(lpLibFileName = "ole32.dll") = 0x107ab000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x108612e0 name: ole32::CoInitializeSecurity | |
| [x] import 0x00411218 = ole32::CoInitializeSecurity | |
| idaapi.set_name(0x00411218, "ole32::CoInitializeSecurity") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c2320 name: kernel32::VirtualAlloc | |
| [x] import 0x0041121c = kernel32::VirtualAlloc | |
| idaapi.set_name(0x0041121c, "kernel32::VirtualAlloc") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c3590 name: kernel32::OpenProcess | |
| [x] import 0x00411220 = kernel32::OpenProcess | |
| idaapi.set_name(0x00411220, "kernel32::OpenProcess") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c5e40 name: kernel32::CloseHandle | |
| [x] import 0x00411224 = kernel32::CloseHandle | |
| idaapi.set_name(0x00411224, "kernel32::CloseHandle") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c4010 name: kernel32::GetSystemDirectoryW | |
| [x] import 0x00411228 = kernel32::GetSystemDirectoryW | |
| idaapi.set_name(0x00411228, "kernel32::GetSystemDirectoryW") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x100715a0 name: ntdll::ZwClose | |
| [x] import 0x0041122c = ntdll::ZwClose | |
| idaapi.set_name(0x0041122c, "ntdll::ZwClose") | |
| LoadLibraryA(lpLibFileName = "shell32.dll") = 0x1088e000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x109e8380 name: shell32::CommandLineToArgvW | |
| [x] import 0x00411230 = shell32::CommandLineToArgvW | |
| idaapi.set_name(0x00411230, "shell32::CommandLineToArgvW") | |
| LoadLibraryA(lpLibFileName = "winmm.dll") = 0x10753000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x10762870 name: winmm::timeBeginPeriod | |
| [x] import 0x00411234 = winmm::timeBeginPeriod | |
| idaapi.set_name(0x00411234, "winmm::timeBeginPeriod") | |
| LoadLibraryA(lpLibFileName = "gdi32.dll") = 0x1056f000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x10574f10 name: gdi32::GetDeviceCaps | |
| [x] import 0x00411238 = gdi32::GetDeviceCaps | |
| idaapi.set_name(0x00411238, "gdi32::GetDeviceCaps") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c7080 name: kernel32::CreateToolhelp32Snapshot | |
| [x] import 0x0041123c = kernel32::CreateToolhelp32Snapshot | |
| idaapi.set_name(0x0041123c, "kernel32::CreateToolhelp32Snapshot") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c0f50 name: kernel32::WideCharToMultiByte | |
| [x] import 0x00411240 = kernel32::WideCharToMultiByte | |
| idaapi.set_name(0x00411240, "kernel32::WideCharToMultiByte") | |
| LoadLibraryA(lpLibFileName = "ole32.dll") = 0x107ab000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x10861d53 name: ole32::CoUninitialize | |
| [x] import 0x00411244 = ole32::CoUninitialize | |
| idaapi.set_name(0x00411244, "ole32::CoUninitialize") | |
| LoadLibraryA(lpLibFileName = "rstrtmgr.dll") = 0x1077b000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x107828b0 name: rstrtmgr::RmGetList | |
| [x] import 0x00411248 = rstrtmgr::RmGetList | |
| idaapi.set_name(0x00411248, "rstrtmgr::RmGetList") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c62a0 name: kernel32::GetFileAttributesW | |
| [x] import 0x0041124c = kernel32::GetFileAttributesW | |
| idaapi.set_name(0x0041124c, "kernel32::GetFileAttributesW") | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x101c4080 name: kernel32::SystemTimeToFileTime | |
| [x] import 0x00411250 = kernel32::SystemTimeToFileTime | |
| idaapi.set_name(0x00411250, "kernel32::SystemTimeToFileTime") | |
| LoadLibraryA(lpLibFileName = "winhttp.dll") = 0x10691000 | |
| [x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax | |
| [x] eax: 0x106b5710 name: winhttp::WinHttpSetOption | |
| [x] import 0x00411254 = winhttp::WinHttpSetOption | |
| idaapi.set_name(0x00411254, "winhttp::WinHttpSetOption") |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment