Using Qiling to resolve obfuscated imports on Windows
# Emulate the sample with Qiling to resolve its obfuscated imports.
# This is just one way to do it; the method is rather slow.
# All the DLLs the sample needs must be present in the 'rootfs'.
# The sample uses a classic GetProcAddress-by-hash; we hook the instruction right after the call,
# read EAX and resolve the name from ql.loader.import_symbols,
# compute the address written by the mov operand,
# and generate the IDAPython code:
# python3 IAT_qiling.py sample.exe | tee addr_ida.py
# The IDAPython output (addr_ida.py) is appended at the end.
#.text:00406A0C push edi
#.text:00406A0D mov esi, ebx
#.text:00406A0F
#.text:00406A0F loc_406A0F: ; CODE XREF: sub_406A02+28↓j
#.text:00406A0F push dword_410FB0[esi]
#.text:00406A15 call GetProcAddrCrc
#.text:00406A1A mov dword_410FB0[esi], eax
#.text:00406A20 add esi, 4
#.text:00406A23 pop ecx
#.text:00406A24 cmp esi, 2A8h
#.text:00406A2A jb short loc_406A0F
#.text:00406A2C lea eax, [ebp+var_78]
import os
import sys

from capstone import Cs, CS_ARCH_X86, CS_MODE_32, CS_MODE_64
from capstone.x86 import X86_OP_MEM
from qiling import *
from qiling.const import D_INFO, D_RPRT, D_DRPT
# Per-build hook points, taken from the disassembly in the header comment:
#   [0] the `mov dword_410FB0[esi], eax` executed right after GetProcAddrCrc,
#   [1] the first instruction after the resolving loop, where emulation stops.
# 'dbg' and 'def' are presumably a debug build and the default build of the
# sample -- only 'def' is shown in the header disassembly.
targets = {
    'dbg': [0x408ce4, 0x408cf6],
    'def': [0x406a1a, 0x406a2c],
}

# Build being analysed; hook_code reads t[0] (hook point) and t[1] (stop point).
SELECTED_BUILD = 'def'
t = targets[SELECTED_BUILD]

# 32-bit x86 disassembler. Detail mode must be on so that hook_code can
# inspect the memory operand of the hooked `mov`.
md = Cs(CS_ARCH_X86, CS_MODE_32)
md.detail = True
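def addr_get_name(ql, addr):
    """Map a resolved function pointer back to a ``"dll::name"`` string.

    Looks *addr* up in ``ql.loader.import_symbols``, the table Qiling's PE
    loader fills for every exported symbol of the DLLs it maps.

    Args:
        ql: the Qiling instance running the sample.
        addr: virtual address returned by the sample's GetProcAddress-by-hash
            (read from EAX by the caller).

    Returns:
        ``"dll::name"``, or ``"error::error"`` when *addr* is unknown or the
        table entry is malformed. The failure is reported on stderr, not
        stdout: stdout is piped into addr_ida.py and must only carry the
        generated IDAPython lines.
    """
    try:
        info = ql.loader.import_symbols[addr]
        name = info["name"]
        # The loader stores the symbol name as bytes; tolerate str as well.
        if isinstance(name, bytes):
            name = name.decode()
        return f'{info["dll"]}::{name}'
    except (KeyError, AttributeError, TypeError, UnicodeDecodeError) as ex:
        print(f"[!] addr_get_name(0x{addr:08x}): {ex!r}", file=sys.stderr)
        return "error::error"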
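def hook_code(ql, addr, size):
    """Per-instruction hook: record the import written back at t[0], stop at t[1].

    At t[0] the sample executes ``mov [reg + disp], eax`` with EAX holding the
    pointer GetProcAddrCrc just returned. The hook resolves EAX to a
    ``dll::name`` and computes the destination address of the store, then
    emits one ``idaapi.set_name(...)`` line on stdout (the only stdout output,
    so that ``| tee addr_ida.py`` yields a clean IDAPython script).

    Args:
        ql: the Qiling instance (registers, memory and loader are read from it).
        addr: address of the instruction about to execute.
        size: its length in bytes.
    """
    if addr == t[0]:
        ins = next(md.disasm(ql.mem.read(addr, size), addr), None)
        if ins is None:
            ql.nprint(f"[!] could not disassemble {size} bytes at 0x{addr:x}")
            return
        ql.nprint(f"[x] __ 0x{ins.address:x}:\t{ins.mnemonic}\t{ins.op_str}")
        eax = ql.reg.read("EAX")
        import_name = addr_get_name(ql, eax)
        ql.nprint(f"[x] eax: 0x{eax:08x} name: {import_name}")
        # Destination operand of the store, e.g. `mov dword_410FB0[esi], eax`.
        # Bail out rather than read a garbage union if it is not a memory operand.
        ops = list(ins.operands)
        if not ops or ops[0].type != X86_OP_MEM:
            ql.nprint(f"[!] unexpected destination operand in '{ins.mnemonic} {ins.op_str}'")
            return
        mem = ops[0].value.mem
        # Effective address = base + index*scale + disp; base/index are 0 when absent.
        write_addr = mem.disp
        if mem.base:
            write_addr += ql.reg.read(ins.reg_name(mem.base))
        if mem.index:
            write_addr += ql.reg.read(ins.reg_name(mem.index)) * mem.scale
        write_addr &= 0xFFFFFFFF  # 32-bit address arithmetic wraps
        ql.nprint(f'[x] import 0x{write_addr:08x} = {import_name}')
        print(f'idaapi.set_name(0x{write_addr:08x}, "{import_name}")', flush=True)
    elif addr == t[1]:
        ql.emu_stop()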
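def sandbox(filepath, rootfs=None):
    """Emulate *filepath* under Qiling with the import-resolving hook installed.

    Args:
        filepath: path of the PE sample to emulate.
        rootfs: Qiling Windows rootfs that must contain every DLL the sample
            loads. Defaults to the x86_windows rootfs of the qiling examples
            checkout under ``$HOME``, as in the original script.
    """
    if rootfs is None:
        rootfs = os.path.expandvars('$HOME/.local/src/qiling/examples/rootfs/x86_windows')
    ql = Qiling([filepath], rootfs)
    ql.hook_code(hook_code)
    ql.run()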
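if __name__ == "__main__":
    # Usage error goes to stderr so a bare run does not pollute addr_ida.py.
    if len(sys.argv) < 2:
        print(f"usage: {sys.argv[0]} <sample.exe>", file=sys.stderr)
        sys.exit(2)
    sandbox(sys.argv[1])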
# addr_ida.py -- generated from the stdout of IAT_qiling.py. Run it inside IDA
# to label the pointer table the sample fills through GetProcAddrCrc (the
# disassembly in the header shows the loop stepping 4 bytes at a time up to
# 2A8h). One (slot address, "dll::name") pair per resolved import, in the
# order the emulation resolved them.
RESOLVED_IMPORTS = [
    (0x00410fb0, "advapi32::OpenProcessToken"),
    (0x00410fb4, "ntdll::RtlAllocateHeap"),
    (0x00410fb8, "kernel32::GetCommandLineW"),
    (0x00410fbc, "ntdll::RtlTimeToTimeFields"),
    (0x00410fc0, "kernel32::DeleteFileW"),
    (0x00410fc4, "advapi32::RegSetValueExW"),
    (0x00410fc8, "kernel32::LocalAlloc"),
    (0x00410fcc, "kernel32::GetSystemInfo"),
    (0x00410fd0, "shlwapi::PathFindExtensionW"),
    (0x00410fd4, "kernel32::OpenMutexW"),
    (0x00410fd8, "shlwapi::PathFindFileNameW"),
    (0x00410fdc, "kernel32::GetFileAttributesExW"),
    (0x00410fe0, "gdi32::SetBkColor"),
    (0x00410fe4, "gdi32::CreateFontW"),
    (0x00410fe8, "kernel32::TerminateProcess"),
    (0x00410fec, "kernel32::Process32NextW"),
    (0x00410ff0, "gdi32::SetPixel"),
    (0x00410ff4, "crypt32::CryptBinaryToStringW"),
    (0x00410ff8, "winhttp::WinHttpReceiveResponse"),
    (0x00410ffc, "ntdll::RtlDeleteCriticalSection"),
    (0x00411000, "user32::GetDC"),
    (0x00411004, "advapi32::CloseServiceHandle"),
    (0x00411008, "advapi32::ImpersonateLoggedOnUser"),
    (0x0041100c, "winmm::timeGetTime"),
    (0x00411010, "gdi32::DeleteDC"),
    (0x00411014, "ntdll::RtlLeaveCriticalSection"),
    (0x00411018, "oleaut32::SysAllocString"),
    (0x0041101c, "kernel32::FindClose"),
    (0x00411020, "ntdll::ZwOpenFile"),
    (0x00411024, "ntdll::RtlGetLastWin32Error"),
    (0x00411028, "ntdll::RtlInitUnicodeString"),
    (0x0041102c, "gdi32::GetStockObject"),
    (0x00411030, "kernel32::GetProcessHeap"),
    (0x00411034, "gdi32::SetTextColor"),
    (0x00411038, "advapi32::EnumServicesStatusExW"),
    (0x0041103c, "winhttp::WinHttpOpen"),
    (0x00411040, "advapi32::OpenSCManagerW"),
    (0x00411044, "advapi32::IsValidSid"),
    (0x00411048, "rstrtmgr::RmEndSession"),
    (0x0041104c, "kernel32::GetSystemDefaultUILanguage"),
    (0x00411050, "crypt32::CryptStringToBinaryW"),
    (0x00411054, "advapi32::ControlService"),
    (0x00411058, "kernel32::GlobalAlloc"),
    (0x0041105c, "shlwapi::SHDeleteValueW"),
    (0x00411060, "gdi32::GetObjectW"),
    (0x00411064, "kernel32::UnmapViewOfFile"),
    (0x00411068, "advapi32::RevertToSelf"),
    (0x0041106c, "winhttp::WinHttpConnect"),
    (0x00411070, "ole32::CoSetProxyBlanket"),
    (0x00411074, "shell32::ShellExecuteExW"),
    (0x00411078, "kernel32::GlobalFree"),
    (0x0041107c, "ntdll::ZwSetInformationProcess"),
    (0x00411080, "kernel32::ExitProcess"),
    (0x00411084, "ntdll::RtlEnterCriticalSection"),
    (0x00411088, "advapi32::SetFileSecurityW"),
    (0x0041108c, "ntdll::RtlFreeHeap"),
    (0x00411090, "kernel32::WriteFile"),
    (0x00411094, "kernel32::GetTempPathW"),
    (0x00411098, "winhttp::WinHttpCrackUrl"),
    (0x0041109c, "shlwapi::SHDeleteKeyW"),
    (0x004110a0, "winhttp::WinHttpSendRequest"),
    (0x004110a4, "mpr::WNetCloseEnum"),
    (0x004110a8, "advapi32::RegCloseKey"),
    (0x004110ac, "gdi32::GetDIBits"),
    (0x004110b0, "ntdll::ZwQueryInformationFile"),
    (0x004110b4, "kernel32::GetCurrentProcessId"),
    (0x004110b8, "kernel32::GetQueuedCompletionStatus"),
    (0x004110bc, "kernel32::GetVolumeInformationW"),
    (0x004110c0, "kernel32::ReleaseMutex"),
    (0x004110c4, "rstrtmgr::RmRegisterResources"),
    (0x004110c8, "ntdll::RtlAdjustPrivilege"),
    (0x004110cc, "kernel32::MoveFileW"),
    (0x004110d0, "winhttp::WinHttpReadData"),
    (0x004110d4, "advapi32::CryptAcquireContextW"),
    (0x004110d8, "mpr::WNetOpenEnumW"),
    (0x004110dc, "kernel32::CompareFileTime"),
    (0x004110e0, "user32::GetKeyboardLayoutList"),
    (0x004110e4, "advapi32::CryptGenRandom"),
    (0x004110e8, "user32::GetForegroundWindow"),
    (0x004110ec, "advapi32::AllocateAndInitializeSid"),
    (0x004110f0, "kernel32::LocalFree"),
    (0x004110f4, "advapi32::RegOpenKeyExW"),
    (0x004110f8, "kernel32::CreateIoCompletionPort"),
    (0x004110fc, "user32::DrawTextW"),
    (0x00411100, "kernel32::GetFileSize"),
    (0x00411104, "kernel32::SetThreadExecutionState"),
    (0x00411108, "gdi32::DeleteObject"),
    (0x0041110c, "kernel32::GetComputerNameW"),
    (0x00411110, "kernel32::CreateFileW"),
    (0x00411114, "advapi32::CheckTokenMembership"),
    (0x00411118, "kernel32::Wow64DisableWow64FsRedirection"),
    (0x0041111c, "kernel32::GetProcAddress"),
    (0x00411120, "kernel32::GetNativeSystemInfo"),
    (0x00411124, "advapi32::GetUserNameW"),
    (0x00411128, "kernel32::ReadFile"),
    (0x0041112c, "user32::SystemParametersInfoW"),
    (0x00411130, "ole32::CoInitializeEx"),
    (0x00411134, "kernel32::SetFilePointerEx"),
    (0x00411138, "kernel32::GetUserDefaultUILanguage"),
    (0x0041113c, "advapi32::RegCreateKeyExW"),
    (0x00411140, "kernel32::GetModuleFileNameW"),
    (0x00411144, "shlwapi::StrToIntW"),
    (0x00411148, "advapi32::FreeSid"),
    (0x0041114c, "gdi32::SetBkMode"),
    (0x00411150, "ntdll::RtlInitializeCriticalSection"),
    (0x00411154, "kernel32::GetWindowsDirectoryW"),
    (0x00411158, "kernel32::MulDiv"),
    (0x0041115c, "kernel32::FindNextFileW"),
    (0x00411160, "kernel32::SetFileAttributesW"),
    (0x00411164, "kernel32::CreateMutexW"),
    (0x00411168, "kernel32::GetDriveTypeW"),
    (0x0041116c, "advapi32::OpenServiceW"),
    (0x00411170, "kernel32::GetDiskFreeSpaceExW"),
    (0x00411174, "winhttp::WinHttpQueryDataAvailable"),
    (0x00411178, "rstrtmgr::RmStartSession"),
    (0x0041117c, "kernel32::MoveFileExW"),
    (0x00411180, "kernel32::Sleep"),
    (0x00411184, "kernel32::PostQueuedCompletionStatus"),
    (0x00411188, "kernel32::SetErrorMode"),
    (0x0041118c, "kernel32::WaitForSingleObject"),
    (0x00411190, "ole32::CoCreateInstance"),
    (0x00411194, "kernel32::GetCurrentProcess"),
    (0x00411198, "user32::wsprintfW"),
    (0x0041119c, "shlwapi::PathAddBackslashW"),
    (0x004111a0, "kernel32::HeapCreate"),
    (0x004111a4, "mpr::WNetEnumResourceW"),
    (0x004111a8, "oleaut32::SysFreeString"),
    (0x004111ac, "user32::FillRect"),
    (0x004111b0, "ole32::CreateStreamOnHGlobal"),
    (0x004111b4, "kernel32::GetFileSizeEx"),
    (0x004111b8, "kernel32::CreateProcessW"),
    (0x004111bc, "ntdll::_snwprintf"),
    (0x004111c0, "kernel32::CreateThread"),
    (0x004111c4, "kernel32::MapViewOfFile"),
    (0x004111c8, "kernel32::Process32FirstW"),
    (0x004111cc, "advapi32::GetTokenInformation"),
    (0x004111d0, "kernel32::Wow64RevertWow64FsRedirection"),
    (0x004111d4, "kernel32::MultiByteToWideChar"),
    (0x004111d8, "gdi32::SelectObject"),
    (0x004111dc, "kernel32::HeapDestroy"),
    (0x004111e0, "kernel32::CreateFileMappingW"),
    (0x004111e4, "shlwapi::PathIsDirectoryW"),
    (0x004111e8, "advapi32::RegQueryValueExW"),
    (0x004111ec, "kernel32::FindFirstFileExW"),
    (0x004111f0, "oleaut32::VariantClear"),
    (0x004111f4, "winhttp::WinHttpQueryHeaders"),
    (0x004111f8, "winhttp::WinHttpCloseHandle"),
    (0x004111fc, "kernel32::FindFirstFileW"),
    (0x00411200, "gdi32::CreateCompatibleDC"),
    (0x00411204, "user32::ReleaseDC"),
    (0x00411208, "kernel32::QueryFullProcessImageNameW"),
    (0x0041120c, "winhttp::WinHttpOpenRequest"),
    (0x00411210, "gdi32::CreateCompatibleBitmap"),
    (0x00411214, "advapi32::DeleteService"),
    (0x00411218, "ole32::CoInitializeSecurity"),
    (0x0041121c, "kernel32::VirtualAlloc"),
    (0x00411220, "kernel32::OpenProcess"),
    (0x00411224, "kernel32::CloseHandle"),
    (0x00411228, "kernel32::GetSystemDirectoryW"),
    (0x0041122c, "ntdll::ZwClose"),
    (0x00411230, "shell32::CommandLineToArgvW"),
    (0x00411234, "winmm::timeBeginPeriod"),
    (0x00411238, "gdi32::GetDeviceCaps"),
    (0x0041123c, "kernel32::CreateToolhelp32Snapshot"),
    (0x00411240, "kernel32::WideCharToMultiByte"),
    (0x00411244, "ole32::CoUninitialize"),
    (0x00411248, "rstrtmgr::RmGetList"),
    (0x0041124c, "kernel32::GetFileAttributesW"),
    (0x00411250, "kernel32::SystemTimeToFileTime"),
    (0x00411254, "winhttp::WinHttpSetOption"),
]

# Same idaapi.set_name calls, in the same order, as the flat generated script.
for slot_addr, import_name in RESOLVED_IMPORTS:
    idaapi.set_name(slot_addr, import_name)
[+] Initiate stack address at 0xfffdd000
[+] Loading sample.exe to 0x400000
[+] PE entry point at 0x404161
[+] TEB addr is 0x6000
[+] PEB addr is 0x6044
[+] Loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/ntdll.dll to 0x10000000
[+] Done with loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/ntdll.dll
[+] Loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/kernel32.dll to 0x101a3000
[+] Done with loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/kernel32.dll
[+] Loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/user32.dll to 0x10288000
[+] Done with loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/user32.dll
[+] Loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/oleaut32.dll to 0x1041b000
[+] Done with loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/oleaut32.dll
[+] Loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/advapi32.dll to 0x104b1000
[+] Done with loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/advapi32.dll
LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x104cef20 name: advapi32::OpenProcessToken
[x] import 0x00410fb0 = advapi32::OpenProcessToken
idaapi.set_name(0x00410fb0, "advapi32::OpenProcessToken")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x10045360 name: ntdll::RtlAllocateHeap
[x] import 0x00410fb4 = ntdll::RtlAllocateHeap
idaapi.set_name(0x00410fb4, "ntdll::RtlAllocateHeap")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c4cd0 name: kernel32::GetCommandLineW
[x] import 0x00410fb8 = kernel32::GetCommandLineW
idaapi.set_name(0x00410fb8, "kernel32::GetCommandLineW")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x1005eba0 name: ntdll::RtlTimeToTimeFields
[x] import 0x00410fbc = ntdll::RtlTimeToTimeFields
idaapi.set_name(0x00410fbc, "ntdll::RtlTimeToTimeFields")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c60d0 name: kernel32::DeleteFileW
[x] import 0x00410fc0 = kernel32::DeleteFileW
idaapi.set_name(0x00410fc0, "kernel32::DeleteFileW")
LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x104cf0e0 name: advapi32::RegSetValueExW
[x] import 0x00410fc4 = advapi32::RegSetValueExW
idaapi.set_name(0x00410fc4, "advapi32::RegSetValueExW")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c33c0 name: kernel32::LocalAlloc
[x] import 0x00410fc8 = kernel32::LocalAlloc
idaapi.set_name(0x00410fc8, "kernel32::LocalAlloc")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c4870 name: kernel32::GetSystemInfo
[x] import 0x00410fcc = kernel32::GetSystemInfo
idaapi.set_name(0x00410fcc, "kernel32::GetSystemInfo")
[+] Loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/shlwapi.dll to 0x1052a000
[+] Done with loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/shlwapi.dll
LoadLibraryA(lpLibFileName = "shlwapi.dll") = 0x1052a000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x1053ed60 name: shlwapi::PathFindExtensionW
[x] import 0x00410fd0 = shlwapi::PathFindExtensionW
idaapi.set_name(0x00410fd0, "shlwapi::PathFindExtensionW")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c5f80 name: kernel32::OpenMutexW
[x] import 0x00410fd4 = kernel32::OpenMutexW
idaapi.set_name(0x00410fd4, "kernel32::OpenMutexW")
LoadLibraryA(lpLibFileName = "shlwapi.dll") = 0x1052a000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x1053ee50 name: shlwapi::PathFindFileNameW
[x] import 0x00410fd8 = shlwapi::PathFindFileNameW
idaapi.set_name(0x00410fd8, "shlwapi::PathFindFileNameW")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c6290 name: kernel32::GetFileAttributesExW
[x] import 0x00410fdc = kernel32::GetFileAttributesExW
idaapi.set_name(0x00410fdc, "kernel32::GetFileAttributesExW")
[+] Loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/gdi32.dll to 0x1056f000
[+] Done with loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/gdi32.dll
LoadLibraryA(lpLibFileName = "gdi32.dll") = 0x1056f000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x10575e50 name: gdi32::SetBkColor
[x] import 0x00410fe0 = gdi32::SetBkColor
idaapi.set_name(0x00410fe0, "gdi32::SetBkColor")
LoadLibraryA(lpLibFileName = "gdi32.dll") = 0x1056f000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x10573680 name: gdi32::CreateFontW
[x] import 0x00410fe4 = gdi32::CreateFontW
idaapi.set_name(0x00410fe4, "gdi32::CreateFontW")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101bc870 name: kernel32::TerminateProcess
[x] import 0x00410fe8 = kernel32::TerminateProcess
idaapi.set_name(0x00410fe8, "kernel32::TerminateProcess")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c36e0 name: kernel32::Process32NextW
[x] import 0x00410fec = kernel32::Process32NextW
idaapi.set_name(0x00410fec, "kernel32::Process32NextW")
LoadLibraryA(lpLibFileName = "gdi32.dll") = 0x1056f000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x10574250 name: gdi32::SetPixel
[x] import 0x00410ff0 = gdi32::SetPixel
idaapi.set_name(0x00410ff0, "gdi32::SetPixel")
[+] Loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/crypt32.dll to 0x10592000
[+] Done with loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/crypt32.dll
LoadLibraryA(lpLibFileName = "crypt32.dll") = 0x10592000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x105beff0 name: crypt32::CryptBinaryToStringW
[x] import 0x00410ff4 = crypt32::CryptBinaryToStringW
idaapi.set_name(0x00410ff4, "crypt32::CryptBinaryToStringW")
[+] Loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/winhttp.dll to 0x10691000
[+] Done with loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/winhttp.dll
LoadLibraryA(lpLibFileName = "winhttp.dll") = 0x10691000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x106bb260 name: winhttp::WinHttpReceiveResponse
[x] import 0x00410ff8 = winhttp::WinHttpReceiveResponse
idaapi.set_name(0x00410ff8, "winhttp::WinHttpReceiveResponse")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x1004f920 name: ntdll::RtlDeleteCriticalSection
[x] import 0x00410ffc = ntdll::RtlDeleteCriticalSection
idaapi.set_name(0x00410ffc, "ntdll::RtlDeleteCriticalSection")
LoadLibraryA(lpLibFileName = "user32.dll") = 0x10288000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x102c3760 name: user32::GetDC
[x] import 0x00411000 = user32::GetDC
idaapi.set_name(0x00411000, "user32::GetDC")
LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x104d05a0 name: advapi32::CloseServiceHandle
[x] import 0x00411004 = advapi32::CloseServiceHandle
idaapi.set_name(0x00411004, "advapi32::CloseServiceHandle")
LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x104d0730 name: advapi32::ImpersonateLoggedOnUser
[x] import 0x00411008 = advapi32::ImpersonateLoggedOnUser
idaapi.set_name(0x00411008, "advapi32::ImpersonateLoggedOnUser")
[+] Loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/winmm.dll to 0x10753000
[+] Done with loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/winmm.dll
LoadLibraryA(lpLibFileName = "winmm.dll") = 0x10753000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x107577a0 name: winmm::timeGetTime
[x] import 0x0041100c = winmm::timeGetTime
idaapi.set_name(0x0041100c, "winmm::timeGetTime")
LoadLibraryA(lpLibFileName = "gdi32.dll") = 0x1056f000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x105757e0 name: gdi32::DeleteDC
[x] import 0x00411010 = gdi32::DeleteDC
idaapi.set_name(0x00411010, "gdi32::DeleteDC")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x1003dde0 name: ntdll::RtlLeaveCriticalSection
[x] import 0x00411014 = ntdll::RtlLeaveCriticalSection
idaapi.set_name(0x00411014, "ntdll::RtlLeaveCriticalSection")
LoadLibraryA(lpLibFileName = "oleaut32.dll") = 0x1041b000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x1043a6a0 name: oleaut32::SysAllocString
[x] import 0x00411018 = oleaut32::SysAllocString
idaapi.set_name(0x00411018, "oleaut32::SysAllocString")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c6100 name: kernel32::FindClose
[x] import 0x0041101c = kernel32::FindClose
idaapi.set_name(0x0041101c, "kernel32::FindClose")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x10071800 name: ntdll::ZwOpenFile
[x] import 0x00411020 = ntdll::ZwOpenFile
idaapi.set_name(0x00411020, "ntdll::ZwOpenFile")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x100e2dd0 name: ntdll::RtlGetLastWin32Error
[x] import 0x00411024 = ntdll::RtlGetLastWin32Error
idaapi.set_name(0x00411024, "ntdll::RtlGetLastWin32Error")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x10073b70 name: ntdll::RtlInitUnicodeString
[x] import 0x00411028 = ntdll::RtlInitUnicodeString
idaapi.set_name(0x00411028, "ntdll::RtlInitUnicodeString")
LoadLibraryA(lpLibFileName = "gdi32.dll") = 0x1056f000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x10574ea0 name: gdi32::GetStockObject
[x] import 0x0041102c = gdi32::GetStockObject
idaapi.set_name(0x0041102c, "gdi32::GetStockObject")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c22e0 name: kernel32::GetProcessHeap
[x] import 0x00411030 = kernel32::GetProcessHeap
idaapi.set_name(0x00411030, "kernel32::GetProcessHeap")
LoadLibraryA(lpLibFileName = "gdi32.dll") = 0x1056f000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x10575de0 name: gdi32::SetTextColor
[x] import 0x00411034 = gdi32::SetTextColor
idaapi.set_name(0x00411034, "gdi32::SetTextColor")
LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x104d3e50 name: advapi32::EnumServicesStatusExW
[x] import 0x00411038 = advapi32::EnumServicesStatusExW
idaapi.set_name(0x00411038, "advapi32::EnumServicesStatusExW")
LoadLibraryA(lpLibFileName = "winhttp.dll") = 0x10691000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x106b3ef0 name: winhttp::WinHttpOpen
[x] import 0x0041103c = winhttp::WinHttpOpen
idaapi.set_name(0x0041103c, "winhttp::WinHttpOpen")
LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x104d0640 name: advapi32::OpenSCManagerW
[x] import 0x00411040 = advapi32::OpenSCManagerW
idaapi.set_name(0x00411040, "advapi32::OpenSCManagerW")
LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x104cf560 name: advapi32::IsValidSid
[x] import 0x00411044 = advapi32::IsValidSid
idaapi.set_name(0x00411044, "advapi32::IsValidSid")
[+] Loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/rstrtmgr.dll to 0x1077b000
[+] Done with loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/rstrtmgr.dll
LoadLibraryA(lpLibFileName = "rstrtmgr.dll") = 0x1077b000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x107827e0 name: rstrtmgr::RmEndSession
[x] import 0x00411048 = rstrtmgr::RmEndSession
idaapi.set_name(0x00411048, "rstrtmgr::RmEndSession")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c4880 name: kernel32::GetSystemDefaultUILanguage
[x] import 0x0041104c = kernel32::GetSystemDefaultUILanguage
idaapi.set_name(0x0041104c, "kernel32::GetSystemDefaultUILanguage")
LoadLibraryA(lpLibFileName = "crypt32.dll") = 0x10592000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x105d9420 name: crypt32::CryptStringToBinaryW
[x] import 0x00411050 = crypt32::CryptStringToBinaryW
idaapi.set_name(0x00411050, "crypt32::CryptStringToBinaryW")
LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x104e3910 name: advapi32::ControlService
[x] import 0x00411054 = advapi32::ControlService
idaapi.set_name(0x00411054, "advapi32::ControlService")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c3550 name: kernel32::GlobalAlloc
[x] import 0x00411058 = kernel32::GlobalAlloc
idaapi.set_name(0x00411058, "kernel32::GlobalAlloc")
LoadLibraryA(lpLibFileName = "shlwapi.dll") = 0x1052a000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x10546e30 name: shlwapi::SHDeleteValueW
[x] import 0x0041105c = shlwapi::SHDeleteValueW
idaapi.set_name(0x0041105c, "shlwapi::SHDeleteValueW")
LoadLibraryA(lpLibFileName = "gdi32.dll") = 0x1056f000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x10575ca0 name: gdi32::GetObjectW
[x] import 0x00411060 = gdi32::GetObjectW
idaapi.set_name(0x00411060, "gdi32::GetObjectW")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c3530 name: kernel32::UnmapViewOfFile
[x] import 0x00411064 = kernel32::UnmapViewOfFile
idaapi.set_name(0x00411064, "kernel32::UnmapViewOfFile")
LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x104cfa10 name: advapi32::RevertToSelf
[x] import 0x00411068 = advapi32::RevertToSelf
idaapi.set_name(0x00411068, "advapi32::RevertToSelf")
LoadLibraryA(lpLibFileName = "winhttp.dll") = 0x10691000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x106b88f0 name: winhttp::WinHttpConnect
[x] import 0x0041106c = winhttp::WinHttpConnect
idaapi.set_name(0x0041106c, "winhttp::WinHttpConnect")
[+] Loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/ole32.dll to 0x107ab000
[+] Done with loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/ole32.dll
LoadLibraryA(lpLibFileName = "ole32.dll") = 0x107ab000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x10861b91 name: ole32::CoSetProxyBlanket
[x] import 0x00411070 = ole32::CoSetProxyBlanket
idaapi.set_name(0x00411070, "ole32::CoSetProxyBlanket")
[+] Loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/shell32.dll to 0x1088e000
[+] Done with loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/shell32.dll
LoadLibraryA(lpLibFileName = "shell32.dll") = 0x1088e000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x1098d550 name: shell32::ShellExecuteExW
[x] import 0x00411074 = shell32::ShellExecuteExW
idaapi.set_name(0x00411074, "shell32::ShellExecuteExW")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c2f20 name: kernel32::GlobalFree
[x] import 0x00411078 = kernel32::GlobalFree
idaapi.set_name(0x00411078, "kernel32::GlobalFree")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x10071690 name: ntdll::ZwSetInformationProcess
[x] import 0x0041107c = ntdll::ZwSetInformationProcess
idaapi.set_name(0x0041107c, "ntdll::ZwSetInformationProcess")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c7060 name: kernel32::ExitProcess
[x] import 0x00411080 = kernel32::ExitProcess
idaapi.set_name(0x00411080, "kernel32::ExitProcess")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x1003e8c0 name: ntdll::RtlEnterCriticalSection
[x] import 0x00411084 = ntdll::RtlEnterCriticalSection
idaapi.set_name(0x00411084, "ntdll::RtlEnterCriticalSection")
LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x104d52c0 name: advapi32::SetFileSecurityW
[x] import 0x00411088 = advapi32::SetFileSecurityW
idaapi.set_name(0x00411088, "advapi32::SetFileSecurityW")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x100486e0 name: ntdll::RtlFreeHeap
[x] import 0x0041108c = ntdll::RtlFreeHeap
idaapi.set_name(0x0041108c, "ntdll::RtlFreeHeap")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c6510 name: kernel32::WriteFile
[x] import 0x00411090 = kernel32::WriteFile
idaapi.set_name(0x00411090, "kernel32::WriteFile")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c6380 name: kernel32::GetTempPathW
[x] import 0x00411094 = kernel32::GetTempPathW
idaapi.set_name(0x00411094, "kernel32::GetTempPathW")
LoadLibraryA(lpLibFileName = "winhttp.dll") = 0x10691000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x106ac410 name: winhttp::WinHttpCrackUrl
[x] import 0x00411098 = winhttp::WinHttpCrackUrl
idaapi.set_name(0x00411098, "winhttp::WinHttpCrackUrl")
LoadLibraryA(lpLibFileName = "shlwapi.dll") = 0x1052a000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x10540020 name: shlwapi::SHDeleteKeyW
[x] import 0x0041109c = shlwapi::SHDeleteKeyW
idaapi.set_name(0x0041109c, "shlwapi::SHDeleteKeyW")
LoadLibraryA(lpLibFileName = "winhttp.dll") = 0x10691000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x106b97a0 name: winhttp::WinHttpSendRequest
[x] import 0x004110a0 = winhttp::WinHttpSendRequest
idaapi.set_name(0x004110a0, "winhttp::WinHttpSendRequest")
[+] Loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/mpr.dll to 0x10e3e000
[+] Done with loading /home/dudley/.local/src/qiling/examples/rootfs/x86_windows/Windows/SysWOW64/mpr.dll
LoadLibraryA(lpLibFileName = "mpr.dll") = 0x10e3e000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x10e407b0 name: mpr::WNetCloseEnum
[x] import 0x004110a4 = mpr::WNetCloseEnum
idaapi.set_name(0x004110a4, "mpr::WNetCloseEnum")
LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x104cf010 name: advapi32::RegCloseKey
[x] import 0x004110a8 = advapi32::RegCloseKey
idaapi.set_name(0x004110a8, "advapi32::RegCloseKey")
LoadLibraryA(lpLibFileName = "gdi32.dll") = 0x1056f000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x10576000 name: gdi32::GetDIBits
[x] import 0x004110ac = gdi32::GetDIBits
idaapi.set_name(0x004110ac, "gdi32::GetDIBits")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x100715c0 name: ntdll::ZwQueryInformationFile
[x] import 0x004110b0 = ntdll::ZwQueryInformationFile
idaapi.set_name(0x004110b0, "ntdll::ZwQueryInformationFile")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c5df0 name: kernel32::GetCurrentProcessId
[x] import 0x004110b4 = kernel32::GetCurrentProcessId
idaapi.set_name(0x004110b4, "kernel32::GetCurrentProcessId")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c51e0 name: kernel32::GetQueuedCompletionStatus
[x] import 0x004110b8 = kernel32::GetQueuedCompletionStatus
idaapi.set_name(0x004110b8, "kernel32::GetQueuedCompletionStatus")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c63b0 name: kernel32::GetVolumeInformationW
[x] import 0x004110bc = kernel32::GetVolumeInformationW
idaapi.set_name(0x004110bc, "kernel32::GetVolumeInformationW")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c5fb0 name: kernel32::ReleaseMutex
[x] import 0x004110c0 = kernel32::ReleaseMutex
idaapi.set_name(0x004110c0, "kernel32::ReleaseMutex")
LoadLibraryA(lpLibFileName = "rstrtmgr.dll") = 0x1077b000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x10782a20 name: rstrtmgr::RmRegisterResources
[x] import 0x004110c4 = rstrtmgr::RmRegisterResources
idaapi.set_name(0x004110c4, "rstrtmgr::RmRegisterResources")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x10067080 name: ntdll::RtlAdjustPrivilege
[x] import 0x004110c8 = ntdll::RtlAdjustPrivilege
idaapi.set_name(0x004110c8, "ntdll::RtlAdjustPrivilege")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c5010 name: kernel32::MoveFileW
[x] import 0x004110cc = kernel32::MoveFileW
idaapi.set_name(0x004110cc, "kernel32::MoveFileW")
LoadLibraryA(lpLibFileName = "winhttp.dll") = 0x10691000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x106bad60 name: winhttp::WinHttpReadData
[x] import 0x004110d0 = winhttp::WinHttpReadData
idaapi.set_name(0x004110d0, "winhttp::WinHttpReadData")
LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x104cf850 name: advapi32::CryptAcquireContextW
[x] import 0x004110d4 = advapi32::CryptAcquireContextW
idaapi.set_name(0x004110d4, "advapi32::CryptAcquireContextW")
LoadLibraryA(lpLibFileName = "mpr.dll") = 0x10e3e000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x10e408d0 name: mpr::WNetOpenEnumW
[x] import 0x004110d8 = mpr::WNetOpenEnumW
idaapi.set_name(0x004110d8, "mpr::WNetOpenEnumW")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c6050 name: kernel32::CompareFileTime
[x] import 0x004110dc = kernel32::CompareFileTime
idaapi.set_name(0x004110dc, "kernel32::CompareFileTime")
LoadLibraryA(lpLibFileName = "user32.dll") = 0x10288000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x102c6450 name: user32::GetKeyboardLayoutList
[x] import 0x004110e0 = user32::GetKeyboardLayoutList
idaapi.set_name(0x004110e0, "user32::GetKeyboardLayoutList")
LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x104d0540 name: advapi32::CryptGenRandom
[x] import 0x004110e4 = advapi32::CryptGenRandom
idaapi.set_name(0x004110e4, "advapi32::CryptGenRandom")
LoadLibraryA(lpLibFileName = "user32.dll") = 0x10288000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x102c63b0 name: user32::GetForegroundWindow
[x] import 0x004110e8 = user32::GetForegroundWindow
idaapi.set_name(0x004110e8, "user32::GetForegroundWindow")
LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x104cf580 name: advapi32::AllocateAndInitializeSid
[x] import 0x004110ec = advapi32::AllocateAndInitializeSid
idaapi.set_name(0x004110ec, "advapi32::AllocateAndInitializeSid")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c2490 name: kernel32::LocalFree
[x] import 0x004110f0 = kernel32::LocalFree
idaapi.set_name(0x004110f0, "kernel32::LocalFree")
LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x104ceea0 name: advapi32::RegOpenKeyExW
[x] import 0x004110f4 = advapi32::RegOpenKeyExW
idaapi.set_name(0x004110f4, "advapi32::RegOpenKeyExW")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c5200 name: kernel32::CreateIoCompletionPort
[x] import 0x004110f8 = kernel32::CreateIoCompletionPort
idaapi.set_name(0x004110f8, "kernel32::CreateIoCompletionPort")
LoadLibraryA(lpLibFileName = "user32.dll") = 0x10288000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x102b1660 name: user32::DrawTextW
[x] import 0x004110fc = user32::DrawTextW
idaapi.set_name(0x004110fc, "user32::DrawTextW")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c62c0 name: kernel32::GetFileSize
[x] import 0x00411100 = kernel32::GetFileSize
idaapi.set_name(0x00411100, "kernel32::GetFileSize")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101bc620 name: kernel32::SetThreadExecutionState
[x] import 0x00411104 = kernel32::SetThreadExecutionState
idaapi.set_name(0x00411104, "kernel32::SetThreadExecutionState")
LoadLibraryA(lpLibFileName = "gdi32.dll") = 0x1056f000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x105747d0 name: gdi32::DeleteObject
[x] import 0x00411108 = gdi32::DeleteObject
idaapi.set_name(0x00411108, "gdi32::DeleteObject")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c4300 name: kernel32::GetComputerNameW
[x] import 0x0041110c = kernel32::GetComputerNameW
idaapi.set_name(0x0041110c, "kernel32::GetComputerNameW")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c60a0 name: kernel32::CreateFileW
[x] import 0x00411110 = kernel32::CreateFileW
idaapi.set_name(0x00411110, "kernel32::CreateFileW")
LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x104cf930 name: advapi32::CheckTokenMembership
[x] import 0x00411114 = advapi32::CheckTokenMembership
idaapi.set_name(0x00411114, "advapi32::CheckTokenMembership")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101bb780 name: kernel32::Wow64DisableWow64FsRedirection
[x] import 0x00411118 = kernel32::Wow64DisableWow64FsRedirection
idaapi.set_name(0x00411118, "kernel32::Wow64DisableWow64FsRedirection")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c24b0 name: kernel32::GetProcAddress
[x] import 0x0041111c = kernel32::GetProcAddress
idaapi.set_name(0x0041111c, "kernel32::GetProcAddress")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c4e10 name: kernel32::GetNativeSystemInfo
[x] import 0x00411120 = kernel32::GetNativeSystemInfo
idaapi.set_name(0x00411120, "kernel32::GetNativeSystemInfo")
LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x104cf800 name: advapi32::GetUserNameW
[x] import 0x00411124 = advapi32::GetUserNameW
idaapi.set_name(0x00411124, "advapi32::GetUserNameW")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c6420 name: kernel32::ReadFile
[x] import 0x00411128 = kernel32::ReadFile
idaapi.set_name(0x00411128, "kernel32::ReadFile")
LoadLibraryA(lpLibFileName = "user32.dll") = 0x10288000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x102b9cf0 name: user32::SystemParametersInfoW
[x] import 0x0041112c = user32::SystemParametersInfoW
idaapi.set_name(0x0041112c, "user32::SystemParametersInfoW")
LoadLibraryA(lpLibFileName = "ole32.dll") = 0x107ab000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x108612a1 name: ole32::CoInitializeEx
[x] import 0x00411130 = ole32::CoInitializeEx
idaapi.set_name(0x00411130, "ole32::CoInitializeEx")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c64c0 name: kernel32::SetFilePointerEx
[x] import 0x00411134 = kernel32::SetFilePointerEx
idaapi.set_name(0x00411134, "kernel32::SetFilePointerEx")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c4ec0 name: kernel32::GetUserDefaultUILanguage
[x] import 0x00411138 = kernel32::GetUserDefaultUILanguage
idaapi.set_name(0x00411138, "kernel32::GetUserDefaultUILanguage")
LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x104cf120 name: advapi32::RegCreateKeyExW
[x] import 0x0041113c = advapi32::RegCreateKeyExW
idaapi.set_name(0x0041113c, "advapi32::RegCreateKeyExW")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c3860 name: kernel32::GetModuleFileNameW
[x] import 0x00411140 = kernel32::GetModuleFileNameW
idaapi.set_name(0x00411140, "kernel32::GetModuleFileNameW")
LoadLibraryA(lpLibFileName = "shlwapi.dll") = 0x1052a000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x1053dd50 name: shlwapi::StrToIntW
[x] import 0x00411144 = shlwapi::StrToIntW
idaapi.set_name(0x00411144, "shlwapi::StrToIntW")
LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x104cfdc0 name: advapi32::FreeSid
[x] import 0x00411148 = advapi32::FreeSid
idaapi.set_name(0x00411148, "advapi32::FreeSid")
LoadLibraryA(lpLibFileName = "gdi32.dll") = 0x1056f000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x10575f10 name: gdi32::SetBkMode
[x] import 0x0041114c = gdi32::SetBkMode
idaapi.set_name(0x0041114c, "gdi32::SetBkMode")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x1005e1c0 name: ntdll::RtlInitializeCriticalSection
[x] import 0x00411150 = ntdll::RtlInitializeCriticalSection
idaapi.set_name(0x00411150, "ntdll::RtlInitializeCriticalSection")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101bc890 name: kernel32::GetWindowsDirectoryW
[x] import 0x00411154 = kernel32::GetWindowsDirectoryW
idaapi.set_name(0x00411154, "kernel32::GetWindowsDirectoryW")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c5c90 name: kernel32::MulDiv
[x] import 0x00411158 = kernel32::MulDiv
idaapi.set_name(0x00411158, "kernel32::MulDiv")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c61d0 name: kernel32::FindNextFileW
[x] import 0x0041115c = kernel32::FindNextFileW
idaapi.set_name(0x0041115c, "kernel32::FindNextFileW")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c6490 name: kernel32::SetFileAttributesW
[x] import 0x00411160 = kernel32::SetFileAttributesW
idaapi.set_name(0x00411160, "kernel32::SetFileAttributesW")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c5f00 name: kernel32::CreateMutexW
[x] import 0x00411164 = kernel32::CreateMutexW
idaapi.set_name(0x00411164, "kernel32::CreateMutexW")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c6260 name: kernel32::GetDriveTypeW
[x] import 0x00411168 = kernel32::GetDriveTypeW
idaapi.set_name(0x00411168, "kernel32::GetDriveTypeW")
LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x104d0660 name: advapi32::OpenServiceW
[x] import 0x0041116c = advapi32::OpenServiceW
idaapi.set_name(0x0041116c, "advapi32::OpenServiceW")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c6230 name: kernel32::GetDiskFreeSpaceExW
[x] import 0x00411170 = kernel32::GetDiskFreeSpaceExW
idaapi.set_name(0x00411170, "kernel32::GetDiskFreeSpaceExW")
LoadLibraryA(lpLibFileName = "winhttp.dll") = 0x10691000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x106ba050 name: winhttp::WinHttpQueryDataAvailable
[x] import 0x00411174 = winhttp::WinHttpQueryDataAvailable
idaapi.set_name(0x00411174, "winhttp::WinHttpQueryDataAvailable")
LoadLibraryA(lpLibFileName = "rstrtmgr.dll") = 0x1077b000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x10782cf0 name: rstrtmgr::RmStartSession
[x] import 0x00411178 = rstrtmgr::RmStartSession
idaapi.set_name(0x00411178, "rstrtmgr::RmStartSession")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101bc910 name: kernel32::MoveFileExW
[x] import 0x0041117c = kernel32::MoveFileExW
idaapi.set_name(0x0041117c, "kernel32::MoveFileExW")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c3e60 name: kernel32::Sleep
[x] import 0x00411180 = kernel32::Sleep
idaapi.set_name(0x00411180, "kernel32::Sleep")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c51c0 name: kernel32::PostQueuedCompletionStatus
[x] import 0x00411184 = kernel32::PostQueuedCompletionStatus
idaapi.set_name(0x00411184, "kernel32::PostQueuedCompletionStatus")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c3570 name: kernel32::SetErrorMode
[x] import 0x00411188 = kernel32::SetErrorMode
idaapi.set_name(0x00411188, "kernel32::SetErrorMode")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c6030 name: kernel32::WaitForSingleObject
[x] import 0x0041118c = kernel32::WaitForSingleObject
idaapi.set_name(0x0041118c, "kernel32::WaitForSingleObject")
LoadLibraryA(lpLibFileName = "ole32.dll") = 0x107ab000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x1086061d name: ole32::CoCreateInstance
[x] import 0x00411190 = ole32::CoCreateInstance
idaapi.set_name(0x00411190, "ole32::CoCreateInstance")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c5de0 name: kernel32::GetCurrentProcess
[x] import 0x00411194 = kernel32::GetCurrentProcess
idaapi.set_name(0x00411194, "kernel32::GetCurrentProcess")
LoadLibraryA(lpLibFileName = "user32.dll") = 0x10288000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x102ac7d0 name: user32::wsprintfW
[x] import 0x00411198 = user32::wsprintfW
idaapi.set_name(0x00411198, "user32::wsprintfW")
LoadLibraryA(lpLibFileName = "shlwapi.dll") = 0x1052a000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x1053f480 name: shlwapi::PathAddBackslashW
[x] import 0x0041119c = shlwapi::PathAddBackslashW
idaapi.set_name(0x0041119c, "shlwapi::PathAddBackslashW")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c39a0 name: kernel32::HeapCreate
[x] import 0x004111a0 = kernel32::HeapCreate
idaapi.set_name(0x004111a0, "kernel32::HeapCreate")
LoadLibraryA(lpLibFileName = "mpr.dll") = 0x10e3e000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x10e40530 name: mpr::WNetEnumResourceW
[x] import 0x004111a4 = mpr::WNetEnumResourceW
idaapi.set_name(0x004111a4, "mpr::WNetEnumResourceW")
LoadLibraryA(lpLibFileName = "oleaut32.dll") = 0x1041b000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x10439860 name: oleaut32::SysFreeString
[x] import 0x004111a8 = oleaut32::SysFreeString
idaapi.set_name(0x004111a8, "oleaut32::SysFreeString")
LoadLibraryA(lpLibFileName = "user32.dll") = 0x10288000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x102a82b0 name: user32::FillRect
[x] import 0x004111ac = user32::FillRect
idaapi.set_name(0x004111ac, "user32::FillRect")
LoadLibraryA(lpLibFileName = "ole32.dll") = 0x107ab000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x10862167 name: ole32::CreateStreamOnHGlobal
[x] import 0x004111b0 = ole32::CreateStreamOnHGlobal
idaapi.set_name(0x004111b0, "ole32::CreateStreamOnHGlobal")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c62d0 name: kernel32::GetFileSizeEx
[x] import 0x004111b4 = kernel32::GetFileSizeEx
idaapi.set_name(0x004111b4, "kernel32::GetFileSizeEx")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101bb840 name: kernel32::CreateProcessW
[x] import 0x004111b8 = kernel32::CreateProcessW
idaapi.set_name(0x004111b8, "kernel32::CreateProcessW")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x10075c40 name: ntdll::_snwprintf
[x] import 0x004111bc = ntdll::_snwprintf
idaapi.set_name(0x004111bc, "ntdll::_snwprintf")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c3e70 name: kernel32::CreateThread
[x] import 0x004111c0 = kernel32::CreateThread
idaapi.set_name(0x004111c0, "kernel32::CreateThread")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c24f0 name: kernel32::MapViewOfFile
[x] import 0x004111c4 = kernel32::MapViewOfFile
idaapi.set_name(0x004111c4, "kernel32::MapViewOfFile")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c4b60 name: kernel32::Process32FirstW
[x] import 0x004111c8 = kernel32::Process32FirstW
idaapi.set_name(0x004111c8, "kernel32::Process32FirstW")
LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x104ceb80 name: advapi32::GetTokenInformation
[x] import 0x004111cc = advapi32::GetTokenInformation
idaapi.set_name(0x004111cc, "advapi32::GetTokenInformation")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101bb760 name: kernel32::Wow64RevertWow64FsRedirection
[x] import 0x004111d0 = kernel32::Wow64RevertWow64FsRedirection
idaapi.set_name(0x004111d0, "kernel32::Wow64RevertWow64FsRedirection")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c0ee0 name: kernel32::MultiByteToWideChar
[x] import 0x004111d4 = kernel32::MultiByteToWideChar
idaapi.set_name(0x004111d4, "kernel32::MultiByteToWideChar")
LoadLibraryA(lpLibFileName = "gdi32.dll") = 0x1056f000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x10575bf0 name: gdi32::SelectObject
[x] import 0x004111d8 = gdi32::SelectObject
idaapi.set_name(0x004111d8, "gdi32::SelectObject")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c3b50 name: kernel32::HeapDestroy
[x] import 0x004111dc = kernel32::HeapDestroy
idaapi.set_name(0x004111dc, "kernel32::HeapDestroy")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c3400 name: kernel32::CreateFileMappingW
[x] import 0x004111e0 = kernel32::CreateFileMappingW
idaapi.set_name(0x004111e0, "kernel32::CreateFileMappingW")
LoadLibraryA(lpLibFileName = "shlwapi.dll") = 0x1052a000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x1053ef90 name: shlwapi::PathIsDirectoryW
[x] import 0x004111e4 = shlwapi::PathIsDirectoryW
idaapi.set_name(0x004111e4, "shlwapi::PathIsDirectoryW")
LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x104cedd0 name: advapi32::RegQueryValueExW
[x] import 0x004111e8 = advapi32::RegQueryValueExW
idaapi.set_name(0x004111e8, "advapi32::RegQueryValueExW")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c6160 name: kernel32::FindFirstFileExW
[x] import 0x004111ec = kernel32::FindFirstFileExW
idaapi.set_name(0x004111ec, "kernel32::FindFirstFileExW")
LoadLibraryA(lpLibFileName = "oleaut32.dll") = 0x1041b000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x10439610 name: oleaut32::VariantClear
[x] import 0x004111f0 = oleaut32::VariantClear
idaapi.set_name(0x004111f0, "oleaut32::VariantClear")
LoadLibraryA(lpLibFileName = "winhttp.dll") = 0x10691000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x106b4190 name: winhttp::WinHttpQueryHeaders
[x] import 0x004111f4 = winhttp::WinHttpQueryHeaders
idaapi.set_name(0x004111f4, "winhttp::WinHttpQueryHeaders")
LoadLibraryA(lpLibFileName = "winhttp.dll") = 0x10691000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x106b77b0 name: winhttp::WinHttpCloseHandle
[x] import 0x004111f8 = winhttp::WinHttpCloseHandle
idaapi.set_name(0x004111f8, "winhttp::WinHttpCloseHandle")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c6180 name: kernel32::FindFirstFileW
[x] import 0x004111fc = kernel32::FindFirstFileW
idaapi.set_name(0x004111fc, "kernel32::FindFirstFileW")
LoadLibraryA(lpLibFileName = "gdi32.dll") = 0x1056f000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x10575ce0 name: gdi32::CreateCompatibleDC
[x] import 0x00411200 = gdi32::CreateCompatibleDC
idaapi.set_name(0x00411200, "gdi32::CreateCompatibleDC")
LoadLibraryA(lpLibFileName = "user32.dll") = 0x10288000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x102c3100 name: user32::ReleaseDC
[x] import 0x00411204 = user32::ReleaseDC
idaapi.set_name(0x00411204, "user32::ReleaseDC")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101d7330 name: kernel32::QueryFullProcessImageNameW
[x] import 0x00411208 = kernel32::QueryFullProcessImageNameW
idaapi.set_name(0x00411208, "kernel32::QueryFullProcessImageNameW")
LoadLibraryA(lpLibFileName = "winhttp.dll") = 0x10691000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x106ba660 name: winhttp::WinHttpOpenRequest
[x] import 0x0041120c = winhttp::WinHttpOpenRequest
idaapi.set_name(0x0041120c, "winhttp::WinHttpOpenRequest")
LoadLibraryA(lpLibFileName = "gdi32.dll") = 0x1056f000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x10575fc0 name: gdi32::CreateCompatibleBitmap
[x] import 0x00411210 = gdi32::CreateCompatibleBitmap
idaapi.set_name(0x00411210, "gdi32::CreateCompatibleBitmap")
LoadLibraryA(lpLibFileName = "advapi32.dll") = 0x104b1000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x104e41c0 name: advapi32::DeleteService
[x] import 0x00411214 = advapi32::DeleteService
idaapi.set_name(0x00411214, "advapi32::DeleteService")
LoadLibraryA(lpLibFileName = "ole32.dll") = 0x107ab000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x108612e0 name: ole32::CoInitializeSecurity
[x] import 0x00411218 = ole32::CoInitializeSecurity
idaapi.set_name(0x00411218, "ole32::CoInitializeSecurity")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c2320 name: kernel32::VirtualAlloc
[x] import 0x0041121c = kernel32::VirtualAlloc
idaapi.set_name(0x0041121c, "kernel32::VirtualAlloc")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c3590 name: kernel32::OpenProcess
[x] import 0x00411220 = kernel32::OpenProcess
idaapi.set_name(0x00411220, "kernel32::OpenProcess")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c5e40 name: kernel32::CloseHandle
[x] import 0x00411224 = kernel32::CloseHandle
idaapi.set_name(0x00411224, "kernel32::CloseHandle")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c4010 name: kernel32::GetSystemDirectoryW
[x] import 0x00411228 = kernel32::GetSystemDirectoryW
idaapi.set_name(0x00411228, "kernel32::GetSystemDirectoryW")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x100715a0 name: ntdll::ZwClose
[x] import 0x0041122c = ntdll::ZwClose
idaapi.set_name(0x0041122c, "ntdll::ZwClose")
LoadLibraryA(lpLibFileName = "shell32.dll") = 0x1088e000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x109e8380 name: shell32::CommandLineToArgvW
[x] import 0x00411230 = shell32::CommandLineToArgvW
idaapi.set_name(0x00411230, "shell32::CommandLineToArgvW")
LoadLibraryA(lpLibFileName = "winmm.dll") = 0x10753000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x10762870 name: winmm::timeBeginPeriod
[x] import 0x00411234 = winmm::timeBeginPeriod
idaapi.set_name(0x00411234, "winmm::timeBeginPeriod")
LoadLibraryA(lpLibFileName = "gdi32.dll") = 0x1056f000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x10574f10 name: gdi32::GetDeviceCaps
[x] import 0x00411238 = gdi32::GetDeviceCaps
idaapi.set_name(0x00411238, "gdi32::GetDeviceCaps")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c7080 name: kernel32::CreateToolhelp32Snapshot
[x] import 0x0041123c = kernel32::CreateToolhelp32Snapshot
idaapi.set_name(0x0041123c, "kernel32::CreateToolhelp32Snapshot")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c0f50 name: kernel32::WideCharToMultiByte
[x] import 0x00411240 = kernel32::WideCharToMultiByte
idaapi.set_name(0x00411240, "kernel32::WideCharToMultiByte")
LoadLibraryA(lpLibFileName = "ole32.dll") = 0x107ab000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x10861d53 name: ole32::CoUninitialize
[x] import 0x00411244 = ole32::CoUninitialize
idaapi.set_name(0x00411244, "ole32::CoUninitialize")
LoadLibraryA(lpLibFileName = "rstrtmgr.dll") = 0x1077b000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x107828b0 name: rstrtmgr::RmGetList
[x] import 0x00411248 = rstrtmgr::RmGetList
idaapi.set_name(0x00411248, "rstrtmgr::RmGetList")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c62a0 name: kernel32::GetFileAttributesW
[x] import 0x0041124c = kernel32::GetFileAttributesW
idaapi.set_name(0x0041124c, "kernel32::GetFileAttributesW")
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x101c4080 name: kernel32::SystemTimeToFileTime
[x] import 0x00411250 = kernel32::SystemTimeToFileTime
idaapi.set_name(0x00411250, "kernel32::SystemTimeToFileTime")
LoadLibraryA(lpLibFileName = "winhttp.dll") = 0x10691000
[x] __ 0x406a1a: mov dword ptr [esi + 0x410fb0], eax
[x] eax: 0x106b5710 name: winhttp::WinHttpSetOption
[x] import 0x00411254 = winhttp::WinHttpSetOption
idaapi.set_name(0x00411254, "winhttp::WinHttpSetOption")