|
|
@@ -0,0 +1,438 @@
|
|
|
+Microsoft (R) COFF/PE Dumper Version 14.29.30148.0
|
|
|
+Copyright (C) Microsoft Corporation. All rights reserved.
|
|
|
+
|
|
|
+
|
|
|
+Dump of file finddotnet.o
|
|
|
+
|
|
|
+File Type: COFF OBJECT
|
|
|
+
|
|
|
+BeaconPrintToStreamW:
|
|
|
+ 0000000000000000: 48 89 4C 24 08 mov qword ptr [rsp+8],rcx
|
|
|
+ 0000000000000005: 48 89 54 24 10 mov qword ptr [rsp+10h],rdx
|
|
|
+ 000000000000000A: 4C 89 44 24 18 mov qword ptr [rsp+18h],r8
|
|
|
+ 000000000000000F: 4C 89 4C 24 20 mov qword ptr [rsp+20h],r9
|
|
|
+ 0000000000000014: 48 83 EC 58 sub rsp,58h
|
|
|
+ 0000000000000018: C7 44 24 30 01 00 mov dword ptr [rsp+30h],1
|
|
|
+ 00 00
|
|
|
+ 0000000000000020: C7 44 24 34 00 00 mov dword ptr [rsp+34h],0
|
|
|
+ 00 00
|
|
|
+ 0000000000000028: 48 83 3D 00 00 00 cmp qword ptr [g_lpStream],1
|
|
|
+ 00 01
|
|
|
+ 0000000000000030: 77 28 ja 000000000000005A
|
|
|
+ 0000000000000032: 4C 8D 05 00 00 00 lea r8,[g_lpStream]
|
|
|
+ 00
|
|
|
+ 0000000000000039: BA 01 00 00 00 mov edx,1
|
|
|
+ 000000000000003E: 33 C9 xor ecx,ecx
|
|
|
+ 0000000000000040: FF 15 00 00 00 00 call qword ptr [__imp_OLE32$CreateStreamOnHGlobal]
|
|
|
+ 0000000000000046: 89 44 24 30 mov dword ptr [rsp+30h],eax
|
|
|
+ 000000000000004A: 83 7C 24 30 00 cmp dword ptr [rsp+30h],0
|
|
|
+ 000000000000004F: 7D 09 jge 000000000000005A
|
|
|
+ 0000000000000051: 8B 44 24 30 mov eax,dword ptr [rsp+30h]
|
|
|
+ 0000000000000055: E9 01 01 00 00 jmp 000000000000015B
|
|
|
+ 000000000000005A: 48 83 3D 00 00 00 cmp qword ptr [g_lpwPrintBuffer],1
|
|
|
+ 00 01
|
|
|
+ 0000000000000062: 77 2E ja 0000000000000092
|
|
|
+ 0000000000000064: BA 02 00 00 00 mov edx,2
|
|
|
+ 0000000000000069: B9 00 20 00 00 mov ecx,2000h
|
|
|
+ 000000000000006E: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$calloc]
|
|
|
+ 0000000000000074: 48 89 05 00 00 00 mov qword ptr [g_lpwPrintBuffer],rax
|
|
|
+ 00
|
|
|
+ 000000000000007B: 48 83 3D 00 00 00 cmp qword ptr [g_lpwPrintBuffer],0
|
|
|
+ 00 00
|
|
|
+ 0000000000000083: 75 0D jne 0000000000000092
|
|
|
+ 0000000000000085: C7 44 24 30 05 40 mov dword ptr [rsp+30h],80004005h
|
|
|
+ 00 80
|
|
|
+ 000000000000008D: E9 9D 00 00 00 jmp 000000000000012F
|
|
|
+ 0000000000000092: 48 8D 44 24 68 lea rax,[rsp+68h]
|
|
|
+ 0000000000000097: 48 89 44 24 38 mov qword ptr [rsp+38h],rax
|
|
|
+ 000000000000009C: 48 8B 44 24 38 mov rax,qword ptr [rsp+38h]
|
|
|
+ 00000000000000A1: 48 89 44 24 20 mov qword ptr [rsp+20h],rax
|
|
|
+ 00000000000000A6: 4C 8B 4C 24 60 mov r9,qword ptr [rsp+60h]
|
|
|
+ 00000000000000AB: 41 B8 FF 1F 00 00 mov r8d,1FFFh
|
|
|
+ 00000000000000B1: BA 00 20 00 00 mov edx,2000h
|
|
|
+ 00000000000000B6: 48 8B 0D 00 00 00 mov rcx,qword ptr [g_lpwPrintBuffer]
|
|
|
+ 00
|
|
|
+ 00000000000000BD: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$_vsnwprintf_s]
|
|
|
+ 00000000000000C3: 85 C0 test eax,eax
|
|
|
+ 00000000000000C5: 75 0A jne 00000000000000D1
|
|
|
+ 00000000000000C7: C7 44 24 30 05 40 mov dword ptr [rsp+30h],80004005h
|
|
|
+ 00 80
|
|
|
+ 00000000000000CF: EB 5E jmp 000000000000012F
|
|
|
+ 00000000000000D1: 48 83 3D 00 00 00 cmp qword ptr [g_lpStream],0
|
|
|
+ 00 00
|
|
|
+ 00000000000000D9: 74 4C je 0000000000000127
|
|
|
+ 00000000000000DB: 48 8B 0D 00 00 00 mov rcx,qword ptr [g_lpwPrintBuffer]
|
|
|
+ 00
|
|
|
+ 00000000000000E2: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$wcslen]
|
|
|
+ 00000000000000E8: 8B C0 mov eax,eax
|
|
|
+ 00000000000000EA: 48 D1 E0 shl rax,1
|
|
|
+ 00000000000000ED: 48 8B 0D 00 00 00 mov rcx,qword ptr [g_lpStream]
|
|
|
+ 00
|
|
|
+ 00000000000000F4: 48 8B 09 mov rcx,qword ptr [rcx]
|
|
|
+ 00000000000000F7: 48 89 4C 24 40 mov qword ptr [rsp+40h],rcx
|
|
|
+ 00000000000000FC: 4C 8D 4C 24 34 lea r9,[rsp+34h]
|
|
|
+ 0000000000000101: 44 8B C0 mov r8d,eax
|
|
|
+ 0000000000000104: 48 8B 15 00 00 00 mov rdx,qword ptr [g_lpwPrintBuffer]
|
|
|
+ 00
|
|
|
+ 000000000000010B: 48 8B 0D 00 00 00 mov rcx,qword ptr [g_lpStream]
|
|
|
+ 00
|
|
|
+ 0000000000000112: 48 8B 44 24 40 mov rax,qword ptr [rsp+40h]
|
|
|
+ 0000000000000117: FF 50 20 call qword ptr [rax+20h]
|
|
|
+ 000000000000011A: 89 44 24 30 mov dword ptr [rsp+30h],eax
|
|
|
+ 000000000000011E: 83 7C 24 30 00 cmp dword ptr [rsp+30h],0
|
|
|
+ 0000000000000123: 7D 02 jge 0000000000000127
|
|
|
+ 0000000000000125: EB 08 jmp 000000000000012F
|
|
|
+ 0000000000000127: C7 44 24 30 00 00 mov dword ptr [rsp+30h],0
|
|
|
+ 00 00
|
|
|
+ 000000000000012F: 48 83 3D 00 00 00 cmp qword ptr [g_lpwPrintBuffer],0
|
|
|
+ 00 00
|
|
|
+ 0000000000000137: 74 15 je 000000000000014E
|
|
|
+ 0000000000000139: 41 B8 00 40 00 00 mov r8d,4000h
|
|
|
+ 000000000000013F: 33 D2 xor edx,edx
|
|
|
+ 0000000000000141: 48 8B 0D 00 00 00 mov rcx,qword ptr [g_lpwPrintBuffer]
|
|
|
+ 00
|
|
|
+ 0000000000000148: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$memset]
|
|
|
+ 000000000000014E: 48 C7 44 24 38 00 mov qword ptr [rsp+38h],0
|
|
|
+ 00 00 00
|
|
|
+ 0000000000000157: 8B 44 24 30 mov eax,dword ptr [rsp+30h]
|
|
|
+ 000000000000015B: 48 83 C4 58 add rsp,58h
|
|
|
+ 000000000000015F: C3 ret
|
|
|
+ 0000000000000160: CC int 3
|
|
|
+ 0000000000000161: CC int 3
|
|
|
+ 0000000000000162: CC int 3
|
|
|
+ 0000000000000163: CC int 3
|
|
|
+ 0000000000000164: CC int 3
|
|
|
+ 0000000000000165: CC int 3
|
|
|
+ 0000000000000166: CC int 3
|
|
|
+ 0000000000000167: CC int 3
|
|
|
+ 0000000000000168: CC int 3
|
|
|
+ 0000000000000169: CC int 3
|
|
|
+ 000000000000016A: CC int 3
|
|
|
+ 000000000000016B: CC int 3
|
|
|
+ 000000000000016C: CC int 3
|
|
|
+ 000000000000016D: CC int 3
|
|
|
+ 000000000000016E: CC int 3
|
|
|
+ 000000000000016F: CC int 3
|
|
|
+BeaconOutputStreamW:
|
|
|
+ 0000000000000170: 40 57 push rdi
|
|
|
+ 0000000000000172: 48 81 EC A0 00 00 sub rsp,0A0h
|
|
|
+ 00
|
|
|
+ 0000000000000179: 48 8D 44 24 50 lea rax,[rsp+50h]
|
|
|
+ 000000000000017E: 48 8B F8 mov rdi,rax
|
|
|
+ 0000000000000181: 33 C0 xor eax,eax
|
|
|
+ 0000000000000183: B9 50 00 00 00 mov ecx,50h
|
|
|
+ 0000000000000188: F3 AA rep stos byte ptr [rdi]
|
|
|
+ 000000000000018A: 48 C7 44 24 30 00 mov qword ptr [rsp+30h],0
|
|
|
+ 00 00 00
|
|
|
+ 0000000000000193: C7 44 24 28 00 00 mov dword ptr [rsp+28h],0
|
|
|
+ 00 00
|
|
|
+ 000000000000019B: 48 C7 44 24 20 00 mov qword ptr [rsp+20h],0
|
|
|
+ 00 00 00
|
|
|
+ 00000000000001A4: 48 8B 05 00 00 00 mov rax,qword ptr [g_lpStream]
|
|
|
+ 00
|
|
|
+ 00000000000001AB: 48 8B 00 mov rax,qword ptr [rax]
|
|
|
+ 00000000000001AE: 41 B8 01 00 00 00 mov r8d,1
|
|
|
+ 00000000000001B4: 48 8D 54 24 50 lea rdx,[rsp+50h]
|
|
|
+ 00000000000001B9: 48 8B 0D 00 00 00 mov rcx,qword ptr [g_lpStream]
|
|
|
+ 00
|
|
|
+ 00000000000001C0: FF 50 60 call qword ptr [rax+60h]
|
|
|
+ 00000000000001C3: 85 C0 test eax,eax
|
|
|
+ 00000000000001C5: 7D 05 jge 00000000000001CC
|
|
|
+ 00000000000001C7: E9 13 01 00 00 jmp 00000000000002DF
|
|
|
+ 00000000000001CC: 8B 44 24 60 mov eax,dword ptr [rsp+60h]
|
|
|
+ 00000000000001D0: 48 89 44 24 30 mov qword ptr [rsp+30h],rax
|
|
|
+ 00000000000001D5: 48 8B 44 24 30 mov rax,qword ptr [rsp+30h]
|
|
|
+ 00000000000001DA: 48 FF C0 inc rax
|
|
|
+ 00000000000001DD: 48 89 44 24 38 mov qword ptr [rsp+38h],rax
|
|
|
+ 00000000000001E2: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$GetProcessHeap]
|
|
|
+ 00000000000001E8: 48 8B 4C 24 38 mov rcx,qword ptr [rsp+38h]
|
|
|
+ 00000000000001ED: 4C 8B C1 mov r8,rcx
|
|
|
+ 00000000000001F0: BA 08 00 00 00 mov edx,8
|
|
|
+ 00000000000001F5: 48 8B C8 mov rcx,rax
|
|
|
+ 00000000000001F8: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$HeapAlloc]
|
|
|
+ 00000000000001FE: 48 89 44 24 20 mov qword ptr [rsp+20h],rax
|
|
|
+ 0000000000000203: 48 83 7C 24 20 00 cmp qword ptr [rsp+20h],0
|
|
|
+ 0000000000000209: 74 6B je 0000000000000276
|
|
|
+ 000000000000020B: 48 C7 44 24 40 00 mov qword ptr [rsp+40h],0
|
|
|
+ 00 00 00
|
|
|
+ 0000000000000214: 48 8B 05 00 00 00 mov rax,qword ptr [g_lpStream]
|
|
|
+ 00
|
|
|
+ 000000000000021B: 48 8B 00 mov rax,qword ptr [rax]
|
|
|
+ 000000000000021E: 45 33 C9 xor r9d,r9d
|
|
|
+ 0000000000000221: 45 33 C0 xor r8d,r8d
|
|
|
+ 0000000000000224: 48 8B 54 24 40 mov rdx,qword ptr [rsp+40h]
|
|
|
+ 0000000000000229: 48 8B 0D 00 00 00 mov rcx,qword ptr [g_lpStream]
|
|
|
+ 00
|
|
|
+ 0000000000000230: FF 50 28 call qword ptr [rax+28h]
|
|
|
+ 0000000000000233: 85 C0 test eax,eax
|
|
|
+ 0000000000000235: 7D 02 jge 0000000000000239
|
|
|
+ 0000000000000237: EB 3D jmp 0000000000000276
|
|
|
+ 0000000000000239: 48 8B 05 00 00 00 mov rax,qword ptr [g_lpStream]
|
|
|
+ 00
|
|
|
+ 0000000000000240: 48 8B 00 mov rax,qword ptr [rax]
|
|
|
+ 0000000000000243: 4C 8D 4C 24 28 lea r9,[rsp+28h]
|
|
|
+ 0000000000000248: 44 8B 44 24 30 mov r8d,dword ptr [rsp+30h]
|
|
|
+ 000000000000024D: 48 8B 54 24 20 mov rdx,qword ptr [rsp+20h]
|
|
|
+ 0000000000000252: 48 8B 0D 00 00 00 mov rcx,qword ptr [g_lpStream]
|
|
|
+ 00
|
|
|
+ 0000000000000259: FF 50 18 call qword ptr [rax+18h]
|
|
|
+ 000000000000025C: 85 C0 test eax,eax
|
|
|
+ 000000000000025E: 7D 02 jge 0000000000000262
|
|
|
+ 0000000000000260: EB 14 jmp 0000000000000276
|
|
|
+ 0000000000000262: 4C 8B 44 24 20 mov r8,qword ptr [rsp+20h]
|
|
|
+ 0000000000000267: 48 8D 15 00 00 00 lea rdx,[$SG105371]
|
|
|
+ 00
|
|
|
+ 000000000000026E: 33 C9 xor ecx,ecx
|
|
|
+ 0000000000000270: FF 15 00 00 00 00 call qword ptr [__imp_BeaconPrintf]
|
|
|
+ 0000000000000276: 48 83 3D 00 00 00 cmp qword ptr [g_lpStream],0
|
|
|
+ 00 00
|
|
|
+ 000000000000027E: 74 1F je 000000000000029F
|
|
|
+ 0000000000000280: 48 8B 05 00 00 00 mov rax,qword ptr [g_lpStream]
|
|
|
+ 00
|
|
|
+ 0000000000000287: 48 8B 00 mov rax,qword ptr [rax]
|
|
|
+ 000000000000028A: 48 8B 0D 00 00 00 mov rcx,qword ptr [g_lpStream]
|
|
|
+ 00
|
|
|
+ 0000000000000291: FF 50 10 call qword ptr [rax+10h]
|
|
|
+ 0000000000000294: 48 C7 05 00 00 00 mov qword ptr [g_lpStream],0
|
|
|
+ 00 00 00 00 00
|
|
|
+ 000000000000029F: 48 83 3D 00 00 00 cmp qword ptr [g_lpwPrintBuffer],0
|
|
|
+ 00 00
|
|
|
+ 00000000000002A7: 74 18 je 00000000000002C1
|
|
|
+ 00000000000002A9: 48 8B 0D 00 00 00 mov rcx,qword ptr [g_lpwPrintBuffer]
|
|
|
+ 00
|
|
|
+ 00000000000002B0: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$free]
|
|
|
+ 00000000000002B6: 48 C7 05 00 00 00 mov qword ptr [g_lpwPrintBuffer],0
|
|
|
+ 00 00 00 00 00
|
|
|
+ 00000000000002C1: 48 83 7C 24 20 00 cmp qword ptr [rsp+20h],0
|
|
|
+ 00000000000002C7: 74 16 je 00000000000002DF
|
|
|
+ 00000000000002C9: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$GetProcessHeap]
|
|
|
+ 00000000000002CF: 4C 8B 44 24 20 mov r8,qword ptr [rsp+20h]
|
|
|
+ 00000000000002D4: 33 D2 xor edx,edx
|
|
|
+ 00000000000002D6: 48 8B C8 mov rcx,rax
|
|
|
+ 00000000000002D9: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$HeapFree]
|
|
|
+ 00000000000002DF: 48 81 C4 A0 00 00 add rsp,0A0h
|
|
|
+ 00
|
|
|
+ 00000000000002E6: 5F pop rdi
|
|
|
+ 00000000000002E7: C3 ret
|
|
|
+ 00000000000002E8: CC int 3
|
|
|
+ 00000000000002E9: CC int 3
|
|
|
+ 00000000000002EA: CC int 3
|
|
|
+ 00000000000002EB: CC int 3
|
|
|
+ 00000000000002EC: CC int 3
|
|
|
+ 00000000000002ED: CC int 3
|
|
|
+ 00000000000002EE: CC int 3
|
|
|
+ 00000000000002EF: CC int 3
|
|
|
+FindDotNet:
|
|
|
+ 00000000000002F0: 40 56 push rsi
|
|
|
+ 00000000000002F2: 57 push rdi
|
|
|
+ 00000000000002F3: 48 81 EC 68 04 00 sub rsp,468h
|
|
|
+ 00
|
|
|
+ 00000000000002FA: C7 44 24 70 00 00 mov dword ptr [rsp+70h],0
|
|
|
+ 00 00
|
|
|
+ 0000000000000302: C7 44 24 30 00 00 mov dword ptr [rsp+30h],0
|
|
|
+ 00 00
|
|
|
+ 000000000000030A: 48 C7 44 24 38 00 mov qword ptr [rsp+38h],0
|
|
|
+ 00 00 00
|
|
|
+ 0000000000000313: 48 8D 44 24 40 lea rax,[rsp+40h]
|
|
|
+ 0000000000000318: 48 8B F8 mov rdi,rax
|
|
|
+ 000000000000031B: 33 C0 xor eax,eax
|
|
|
+ 000000000000031D: B9 10 00 00 00 mov ecx,10h
|
|
|
+ 0000000000000322: F3 AA rep stos byte ptr [rdi]
|
|
|
+ 0000000000000324: C7 44 24 34 00 00 mov dword ptr [rsp+34h],0
|
|
|
+ 00 00
|
|
|
+ 000000000000032C: 48 8D 0D 00 00 00 lea rcx,[$SG105407]
|
|
|
+ 00
|
|
|
+ 0000000000000333: FF 15 00 00 00 00 call qword ptr [__imp_GetModuleHandleA]
|
|
|
+ 0000000000000339: 48 8D 15 00 00 00 lea rdx,[$SG105406]
|
|
|
+ 00
|
|
|
+ 0000000000000340: 48 8B C8 mov rcx,rax
|
|
|
+ 0000000000000343: FF 15 00 00 00 00 call qword ptr [__imp_GetProcAddress]
|
|
|
+ 0000000000000349: 48 89 44 24 58 mov qword ptr [rsp+58h],rax
|
|
|
+ 000000000000034E: 48 8D 0D 00 00 00 lea rcx,[$SG105409]
|
|
|
+ 00
|
|
|
+ 0000000000000355: FF 15 00 00 00 00 call qword ptr [__imp_GetModuleHandleA]
|
|
|
+ 000000000000035B: 48 8D 15 00 00 00 lea rdx,[$SG105408]
|
|
|
+ 00
|
|
|
+ 0000000000000362: 48 8B C8 mov rcx,rax
|
|
|
+ 0000000000000365: FF 15 00 00 00 00 call qword ptr [__imp_GetProcAddress]
|
|
|
+ 000000000000036B: 48 89 44 24 60 mov qword ptr [rsp+60h],rax
|
|
|
+ 0000000000000370: 48 83 7C 24 58 00 cmp qword ptr [rsp+58h],0
|
|
|
+ 0000000000000376: 74 08 je 0000000000000380
|
|
|
+ 0000000000000378: 48 83 7C 24 60 00 cmp qword ptr [rsp+60h],0
|
|
|
+ 000000000000037E: 75 1C jne 000000000000039C
|
|
|
+ 0000000000000380: 48 8D 15 00 00 00 lea rdx,[$SG105412]
|
|
|
+ 00
|
|
|
+ 0000000000000387: B9 0D 00 00 00 mov ecx,0Dh
|
|
|
+ 000000000000038C: FF 15 00 00 00 00 call qword ptr [__imp_BeaconPrintf]
|
|
|
+ 0000000000000392: B8 FF FF FF FF mov eax,0FFFFFFFFh
|
|
|
+ 0000000000000397: E9 17 02 00 00 jmp 00000000000005B3
|
|
|
+ 000000000000039C: 48 8D 84 24 B0 00 lea rax,[rsp+0B0h]
|
|
|
+ 00 00
|
|
|
+ 00000000000003A4: 48 8D 0D 00 00 00 lea rcx,[$SG105413]
|
|
|
+ 00
|
|
|
+ 00000000000003AB: 48 8B F8 mov rdi,rax
|
|
|
+ 00000000000003AE: 48 8B F1 mov rsi,rcx
|
|
|
+ 00000000000003B1: B9 56 00 00 00 mov ecx,56h
|
|
|
+ 00000000000003B6: F3 A4 rep movs byte ptr [rdi],byte ptr [rsi]
|
|
|
+ 00000000000003B8: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$GetProcessHeap]
|
|
|
+ 00000000000003BE: 41 B8 F4 01 00 00 mov r8d,1F4h
|
|
|
+ 00000000000003C4: BA 08 00 00 00 mov edx,8
|
|
|
+ 00000000000003C9: 48 8B C8 mov rcx,rax
|
|
|
+ 00000000000003CC: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$HeapAlloc]
|
|
|
+ 00000000000003D2: 48 89 44 24 48 mov qword ptr [rsp+48h],rax
|
|
|
+ 00000000000003D7: 48 8D 0D 00 00 00 lea rcx,[$SG105414]
|
|
|
+ 00
|
|
|
+ 00000000000003DE: E8 00 00 00 00 call BeaconPrintToStreamW
|
|
|
+ 00000000000003E3: 48 8D 0D 00 00 00 lea rcx,[$SG105415]
|
|
|
+ 00
|
|
|
+ 00000000000003EA: E8 00 00 00 00 call BeaconPrintToStreamW
|
|
|
+ 00000000000003EF: 48 8D 44 24 38 lea rax,[rsp+38h]
|
|
|
+ 00000000000003F4: 48 89 44 24 20 mov qword ptr [rsp+20h],rax
|
|
|
+ 00000000000003F9: 45 33 C9 xor r9d,r9d
|
|
|
+ 00000000000003FC: 45 33 C0 xor r8d,r8d
|
|
|
+ 00000000000003FF: BA 00 00 00 02 mov edx,2000000h
|
|
|
+ 0000000000000404: 48 8B 4C 24 38 mov rcx,qword ptr [rsp+38h]
|
|
|
+ 0000000000000409: FF 54 24 58 call qword ptr [rsp+58h]
|
|
|
+ 000000000000040D: 85 C0 test eax,eax
|
|
|
+ 000000000000040F: 0F 85 9A 01 00 00 jne 00000000000005AF
|
|
|
+ 0000000000000415: 48 8B 4C 24 38 mov rcx,qword ptr [rsp+38h]
|
|
|
+ 000000000000041A: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$GetProcessId]
|
|
|
+ 0000000000000420: 89 44 24 30 mov dword ptr [rsp+30h],eax
|
|
|
+ 0000000000000424: 83 7C 24 30 00 cmp dword ptr [rsp+30h],0
|
|
|
+ 0000000000000429: 75 02 jne 000000000000042D
|
|
|
+ 000000000000042B: EB C2 jmp 00000000000003EF
|
|
|
+ 000000000000042D: 44 8B 44 24 30 mov r8d,dword ptr [rsp+30h]
|
|
|
+ 0000000000000432: 48 8D 15 00 00 00 lea rdx,[$SG105417]
|
|
|
+ 00
|
|
|
+ 0000000000000439: 48 8D 8C 24 10 01 lea rcx,[rsp+110h]
|
|
|
+ 00 00
|
|
|
+ 0000000000000441: FF 15 00 00 00 00 call qword ptr [__imp_USER32$wsprintfW]
|
|
|
+ 0000000000000447: 41 B8 F4 01 00 00 mov r8d,1F4h
|
|
|
+ 000000000000044D: 33 D2 xor edx,edx
|
|
|
+ 000000000000044F: 48 8B 4C 24 48 mov rcx,qword ptr [rsp+48h]
|
|
|
+ 0000000000000454: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$memset]
|
|
|
+ 000000000000045A: 48 8D 8C 24 B0 00 lea rcx,[rsp+0B0h]
|
|
|
+ 00 00
|
|
|
+ 0000000000000462: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$wcslen]
|
|
|
+ 0000000000000468: 48 D1 E0 shl rax,1
|
|
|
+ 000000000000046B: 4C 8B C0 mov r8,rax
|
|
|
+ 000000000000046E: 48 8D 94 24 B0 00 lea rdx,[rsp+0B0h]
|
|
|
+ 00 00
|
|
|
+ 0000000000000476: 48 8B 4C 24 48 mov rcx,qword ptr [rsp+48h]
|
|
|
+ 000000000000047B: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$memcpy]
|
|
|
+ 0000000000000481: 48 8D 94 24 10 01 lea rdx,[rsp+110h]
|
|
|
+ 00 00
|
|
|
+ 0000000000000489: 48 8B 4C 24 48 mov rcx,qword ptr [rsp+48h]
|
|
|
+ 000000000000048E: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$lstrcatW]
|
|
|
+ 0000000000000494: 48 8B 4C 24 48 mov rcx,qword ptr [rsp+48h]
|
|
|
+ 0000000000000499: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$wcslen]
|
|
|
+ 000000000000049F: 48 D1 E0 shl rax,1
|
|
|
+ 00000000000004A2: 66 89 44 24 40 mov word ptr [rsp+40h],ax
|
|
|
+ 00000000000004A7: 0F B7 44 24 40 movzx eax,word ptr [rsp+40h]
|
|
|
+ 00000000000004AC: FF C0 inc eax
|
|
|
+ 00000000000004AE: 66 89 44 24 42 mov word ptr [rsp+42h],ax
|
|
|
+ 00000000000004B3: C7 84 24 80 00 00 mov dword ptr [rsp+80h],30h
|
|
|
+ 00 30 00 00 00
|
|
|
+ 00000000000004BE: 48 C7 84 24 88 00 mov qword ptr [rsp+88h],0
|
|
|
+ 00 00 00 00 00 00
|
|
|
+ 00000000000004CA: C7 84 24 98 00 00 mov dword ptr [rsp+98h],40h
|
|
|
+ 00 40 00 00 00
|
|
|
+ 00000000000004D5: 48 8D 44 24 40 lea rax,[rsp+40h]
|
|
|
+ 00000000000004DA: 48 89 84 24 90 00 mov qword ptr [rsp+90h],rax
|
|
|
+ 00 00
|
|
|
+ 00000000000004E2: 48 C7 84 24 A0 00 mov qword ptr [rsp+0A0h],0
|
|
|
+ 00 00 00 00 00 00
|
|
|
+ 00000000000004EE: 48 C7 84 24 A8 00 mov qword ptr [rsp+0A8h],0
|
|
|
+ 00 00 00 00 00 00
|
|
|
+ 00000000000004FA: 48 C7 44 24 68 00 mov qword ptr [rsp+68h],0
|
|
|
+ 00 00 00
|
|
|
+ 0000000000000503: 4C 8D 84 24 80 00 lea r8,[rsp+80h]
|
|
|
+ 00 00
|
|
|
+ 000000000000050B: BA 01 00 00 00 mov edx,1
|
|
|
+ 0000000000000510: 48 8D 4C 24 68 lea rcx,[rsp+68h]
|
|
|
+ 0000000000000515: FF 54 24 60 call qword ptr [rsp+60h]
|
|
|
+ 0000000000000519: 89 44 24 50 mov dword ptr [rsp+50h],eax
|
|
|
+ 000000000000051D: 83 7C 24 50 00 cmp dword ptr [rsp+50h],0
|
|
|
+ 0000000000000522: 0F 8C 82 00 00 00 jl 00000000000005AA
|
|
|
+ 0000000000000528: 48 8B 4C 24 68 mov rcx,qword ptr [rsp+68h]
|
|
|
+ 000000000000052D: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$CloseHandle]
|
|
|
+ 0000000000000533: 41 B8 04 01 00 00 mov r8d,104h
|
|
|
+ 0000000000000539: 48 8D 94 24 50 01 lea rdx,[rsp+150h]
|
|
|
+ 00 00
|
|
|
+ 0000000000000541: 48 8B 4C 24 38 mov rcx,qword ptr [rsp+38h]
|
|
|
+ 0000000000000546: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$K32GetProcessImageFileNameA]
|
|
|
+ 000000000000054C: 48 8D 8C 24 50 01 lea rcx,[rsp+150h]
|
|
|
+ 00 00
|
|
|
+ 0000000000000554: FF 15 00 00 00 00 call qword ptr [__imp_SHLWAPI$PathFindFileNameA]
|
|
|
+ 000000000000055A: 48 89 44 24 78 mov qword ptr [rsp+78h],rax
|
|
|
+ 000000000000055F: C7 44 24 28 00 01 mov dword ptr [rsp+28h],100h
|
|
|
+ 00 00
|
|
|
+ 0000000000000567: 48 8D 84 24 60 02 lea rax,[rsp+260h]
|
|
|
+ 00 00
|
|
|
+ 000000000000056F: 48 89 44 24 20 mov qword ptr [rsp+20h],rax
|
|
|
+ 0000000000000574: 41 B9 FF FF FF FF mov r9d,0FFFFFFFFh
|
|
|
+ 000000000000057A: 4C 8B 44 24 78 mov r8,qword ptr [rsp+78h]
|
|
|
+ 000000000000057F: 33 D2 xor edx,edx
|
|
|
+ 0000000000000581: 33 C9 xor ecx,ecx
|
|
|
+ 0000000000000583: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$MultiByteToWideChar]
|
|
|
+ 0000000000000589: 44 8B 44 24 30 mov r8d,dword ptr [rsp+30h]
|
|
|
+ 000000000000058E: 48 8D 94 24 60 02 lea rdx,[rsp+260h]
|
|
|
+ 00 00
|
|
|
+ 0000000000000596: 48 8D 0D 00 00 00 lea rcx,[$SG105419]
|
|
|
+ 00
|
|
|
+ 000000000000059D: E8 00 00 00 00 call BeaconPrintToStreamW
|
|
|
+ 00000000000005A2: C7 44 24 34 01 00 mov dword ptr [rsp+34h],1
|
|
|
+ 00 00
|
|
|
+ 00000000000005AA: E9 40 FE FF FF jmp 00000000000003EF
|
|
|
+ 00000000000005AF: 8B 44 24 34 mov eax,dword ptr [rsp+34h]
|
|
|
+ 00000000000005B3: 48 81 C4 68 04 00 add rsp,468h
|
|
|
+ 00
|
|
|
+ 00000000000005BA: 5F pop rdi
|
|
|
+ 00000000000005BB: 5E pop rsi
|
|
|
+ 00000000000005BC: C3 ret
|
|
|
+ 00000000000005BD: CC int 3
|
|
|
+ 00000000000005BE: CC int 3
|
|
|
+ 00000000000005BF: CC int 3
|
|
|
+ 00000000000005C0: CC int 3
|
|
|
+ 00000000000005C1: CC int 3
|
|
|
+ 00000000000005C2: CC int 3
|
|
|
+ 00000000000005C3: CC int 3
|
|
|
+ 00000000000005C4: CC int 3
|
|
|
+ 00000000000005C5: CC int 3
|
|
|
+ 00000000000005C6: CC int 3
|
|
|
+ 00000000000005C7: CC int 3
|
|
|
+ 00000000000005C8: CC int 3
|
|
|
+ 00000000000005C9: CC int 3
|
|
|
+ 00000000000005CA: CC int 3
|
|
|
+ 00000000000005CB: CC int 3
|
|
|
+ 00000000000005CC: CC int 3
|
|
|
+ 00000000000005CD: CC int 3
|
|
|
+ 00000000000005CE: CC int 3
|
|
|
+ 00000000000005CF: CC int 3
|
|
|
+go:
|
|
|
+ 00000000000005D0: 48 83 EC 38 sub rsp,38h
|
|
|
+ 00000000000005D4: C7 44 24 20 00 00 mov dword ptr [rsp+20h],0
|
|
|
+ 00 00
|
|
|
+ 00000000000005DC: E8 00 00 00 00 call FindDotNet
|
|
|
+ 00000000000005E1: 89 44 24 20 mov dword ptr [rsp+20h],eax
|
|
|
+ 00000000000005E5: 83 7C 24 20 00 cmp dword ptr [rsp+20h],0
|
|
|
+ 00000000000005EA: 75 14 jne 0000000000000600
|
|
|
+ 00000000000005EC: 48 8D 15 00 00 00 lea rdx,[$SG105427]
|
|
|
+ 00
|
|
|
+ 00000000000005F3: B9 0D 00 00 00 mov ecx,0Dh
|
|
|
+ 00000000000005F8: FF 15 00 00 00 00 call qword ptr [__imp_BeaconPrintf]
|
|
|
+ 00000000000005FE: EB 05 jmp 0000000000000605
|
|
|
+ 0000000000000600: E8 00 00 00 00 call BeaconOutputStreamW
|
|
|
+ 0000000000000605: 33 C0 xor eax,eax
|
|
|
+ 0000000000000607: 48 83 C4 38 add rsp,38h
|
|
|
+ 000000000000060B: C3 ret
|
|
|
+
|
|
|
+ Summary
|
|
|
+
|
|
|
+ 38 .chks64
|
|
|
+ 1DE .data
|
|
|
+ 94 .debug$S
|
|
|
+ A8 .drectve
|
|
|
+ 30 .pdata
|
|
|
+ 60C .text$mn
|
|
|
+ 28 .xdata
|
unknown