; ---------------------------------------------------------------------------
; Annotated dumpbin /disasm listing of findrwx.o, an x64 COFF object built
; against the Beacon object-file API (it imports BeaconDataParse,
; BeaconDataInt, BeaconOutput and BeaconPrintf). Lines starting with ';' are
; reviewer annotations; the tool output is unchanged apart from line breaks.
;
; What the code does, as far as this listing shows:
;   go              reads one int argument, opens that process ID with access
;                   mask 1FFFFFh, runs FindRWX on the handle, reports, and
;                   closes the handle.
;   FindRWX         walks the target's address space with VirtualQueryEx and
;                   reports regions whose Protect is 40h
;                   (PAGE_EXECUTE_READWRITE), State is 1000h (MEM_COMMIT) and
;                   Type is 20000h (MEM_PRIVATE).
;   bofstart / internal_printf / printoutput
;                   a 2000h-byte buffered output channel flushed through
;                   BeaconOutput.
;
; Reading notes:
;   * ABI is Microsoft x64: args in rcx, rdx, r8, r9; 20h bytes of shadow
;     space above the return address, which MSVC uses here to "home" the
;     register arguments at [rsp+8]..[rsp+20h] on entry.
;   * Zeroed displacement bytes (00 00 00 00) are unresolved relocations of
;     the object file; dumpbin prints the relocation's symbol instead.
;   * $SGnnnnnn symbols are compiler-generated string literals; their
;     contents are not part of this dump.
;
; Defender view: the only cross-process calls in this listing are
; OpenProcess, VirtualQueryEx and CloseHandle, so the code reads region
; metadata and does not read or write the target's memory. The OpenProcess
; call asks for mask 1FFFFFh (PROCESS_ALL_ACCESS); process-access telemetry
; that records the granted mask (for example Sysmon event ID 10) captures
; that step. Committed private RWX regions are also what defensive memory
; scanners enumerate.
; ---------------------------------------------------------------------------
Microsoft (R) COFF/PE Dumper Version 14.29.30148.0
Copyright (C) Microsoft Corporation. All rights reserved.

Dump of file findrwx.o

File Type: COFF OBJECT

; ---------------------------------------------------------------------------
; bofstart: allocate the shared output buffer.
;   output         = calloc(2000h, 1)
;   currentoutsize = 0
;   returns 1 in eax unconditionally.
; NOTE(review): the calloc result is stored without a NULL test and the return
; value is always 1, so the "bofstart failed" branch in go (443h) cannot be
; taken and a failed allocation is only discovered when output is written.
; ---------------------------------------------------------------------------
bofstart:
  0000000000000000: 48 83 EC 28        sub         rsp,28h                  ; shadow space + alignment for the call
  0000000000000004: BA 01 00 00 00     mov         edx,1                    ; calloc arg 2: element size = 1
  0000000000000009: B9 00 20 00 00     mov         ecx,2000h                ; calloc arg 1: element count = 2000h
  000000000000000E: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$calloc]
  0000000000000014: 48 89 05 00 00 00  mov         qword ptr [output],rax   ; output = result (not checked for NULL)
                    00
  000000000000001B: 33 C0              xor         eax,eax
  000000000000001D: 66 89 05 00 00 00  mov         word ptr [currentoutsize],ax  ; currentoutsize = 0 (16-bit global)
                    00
  0000000000000024: B8 01 00 00 00     mov         eax,1                    ; return 1
  0000000000000029: 48 83 C4 28        add         rsp,28h
  000000000000002D: C3                 ret
; int 3 (CC) filler between functions; not reached by normal control flow.
  000000000000002E: CC                 int         3
  000000000000002F: CC                 int         3
  0000000000000030: CC                 int         3
  0000000000000031: CC                 int         3
  0000000000000032: CC                 int         3
  0000000000000033: CC                 int         3
  0000000000000034: CC                 int         3
  0000000000000035: CC                 int         3
  0000000000000036: CC                 int         3
  0000000000000037: CC                 int         3
  0000000000000038: CC                 int         3
  0000000000000039: CC                 int         3
  000000000000003A: CC                 int         3
  000000000000003B: CC                 int         3
  000000000000003C: CC                 int         3
  000000000000003D: CC                 int         3
  000000000000003E: CC                 int         3
  000000000000003F: CC                 int         3

; ---------------------------------------------------------------------------
; internal_printf(format, ...): format into a temporary heap buffer, then
; append the bytes to the shared output buffer, flushing through
; printoutput(0) each time the buffer reaches 2000h bytes.
;
; Stack slots after "sub rsp,58h":
;   [rsp+20h] dword  bytes still to copy (starts as the vsnprintf length)
;   [rsp+24h] dword  size of the current chunk
;   [rsp+28h] qword  va_list cursor
;   [rsp+30h] qword  heap buffer holding the formatted text
;   [rsp+38h] qword  read cursor into that buffer (chunked path only)
;   [rsp+40h] qword  second heap buffer of 2000h bytes
;   [rsp+48h] qword  temporary copy of the length for HeapAlloc
;   [rsp+60h] qword  homed rcx = format
;   [rsp+68h] ...    homed rdx, r8, r9 = start of the variadic arguments
;
; NOTE(review): neither HeapAlloc result is tested before it is used as a
; vsnprintf/memset/memcpy pointer. The 2000h buffer at [rsp+40h] is only
; cleared and freed in this listing; nothing reads it or writes text to it.
; ---------------------------------------------------------------------------
internal_printf:
  0000000000000040: 48 89 4C 24 08     mov         qword ptr [rsp+8],rcx    ; home the four register args so the
  0000000000000045: 48 89 54 24 10     mov         qword ptr [rsp+10h],rdx  ; variadic list is contiguous in memory
  000000000000004A: 4C 89 44 24 18     mov         qword ptr [rsp+18h],r8
  000000000000004F: 4C 89 4C 24 20     mov         qword ptr [rsp+20h],r9
  0000000000000054: 48 83 EC 58        sub         rsp,58h
  0000000000000058: C7 44 24 20 00 00  mov         dword ptr [rsp+20h],0    ; length = 0
                    00 00
  0000000000000060: C7 44 24 24 00 00  mov         dword ptr [rsp+24h],0    ; chunk = 0
                    00 00
  0000000000000068: 48 C7 44 24 38 00  mov         qword ptr [rsp+38h],0    ; read cursor = NULL
                    00 00 00
  0000000000000071: 48 C7 44 24 30 00  mov         qword ptr [rsp+30h],0    ; formatted buffer = NULL
                    00 00 00
  000000000000007A: 48 8D 44 24 68     lea         rax,[rsp+68h]            ; va_start: first variadic argument
  000000000000007F: 48 89 44 24 28     mov         qword ptr [rsp+28h],rax
; First pass: vsnprintf(NULL, 0, format, args) to obtain the formatted length.
  0000000000000084: 4C 8B 4C 24 28     mov         r9,qword ptr [rsp+28h]   ; arg 4: va_list
  0000000000000089: 4C 8B 44 24 60     mov         r8,qword ptr [rsp+60h]   ; arg 3: format
  000000000000008E: 33 D2              xor         edx,edx                  ; arg 2: count = 0
  0000000000000090: 33 C9              xor         ecx,ecx                  ; arg 1: buffer = NULL
  0000000000000092: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$vsnprintf]
  0000000000000098: 89 44 24 20        mov         dword ptr [rsp+20h],eax  ; length = return value
  000000000000009C: 48 C7 44 24 28 00  mov         qword ptr [rsp+28h],0    ; va_end
                    00 00 00
  00000000000000A5: 83 7C 24 20 FF     cmp         dword ptr [rsp+20h],0FFFFFFFFh
  00000000000000AA: 75 05              jne         00000000000000B1
  00000000000000AC: E9 C2 01 00 00     jmp         0000000000000273         ; length == -1: return without output
; HeapAlloc(GetProcessHeap(), 8 /* HEAP_ZERO_MEMORY */, 2000h) -> [rsp+40h]
  00000000000000B1: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$GetProcessHeap]
  00000000000000B7: 41 B8 00 20 00 00  mov         r8d,2000h
  00000000000000BD: BA 08 00 00 00     mov         edx,8
  00000000000000C2: 48 8B C8           mov         rcx,rax
  00000000000000C5: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$HeapAlloc]
  00000000000000CB: 48 89 44 24 40     mov         qword ptr [rsp+40h],rax  ; stored without a NULL check
; HeapAlloc(GetProcessHeap(), 8, length) -> [rsp+30h]. The size is the
; formatted length itself, with no extra byte for a terminator; the copies
; below always pass an explicit byte count.
  00000000000000D0: 48 63 44 24 20     movsxd      rax,dword ptr [rsp+20h]  ; sign-extend length to 64 bits
  00000000000000D5: 48 89 44 24 48     mov         qword ptr [rsp+48h],rax  ; keep it across the next call
  00000000000000DA: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$GetProcessHeap]
  00000000000000E0: 48 8B 4C 24 48     mov         rcx,qword ptr [rsp+48h]
  00000000000000E5: 4C 8B C1           mov         r8,rcx
  00000000000000E8: BA 08 00 00 00     mov         edx,8
  00000000000000ED: 48 8B C8           mov         rcx,rax
  00000000000000F0: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$HeapAlloc]
  00000000000000F6: 48 89 44 24 30     mov         qword ptr [rsp+30h],rax  ; stored without a NULL check
; Second pass: vsnprintf(buffer, length, format, args) with a fresh va_list.
  00000000000000FB: 48 8D 44 24 68     lea         rax,[rsp+68h]            ; va_start again
  0000000000000100: 48 89 44 24 28     mov         qword ptr [rsp+28h],rax
  0000000000000105: 48 63 44 24 20     movsxd      rax,dword ptr [rsp+20h]
  000000000000010A: 4C 8B 4C 24 28     mov         r9,qword ptr [rsp+28h]   ; arg 4: va_list
  000000000000010F: 4C 8B 44 24 60     mov         r8,qword ptr [rsp+60h]   ; arg 3: format
  0000000000000114: 48 8B D0           mov         rdx,rax                  ; arg 2: count = length
  0000000000000117: 48 8B 4C 24 30     mov         rcx,qword ptr [rsp+30h]  ; arg 1: formatted buffer
  000000000000011C: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$vsnprintf]
  0000000000000122: 48 C7 44 24 28 00  mov         qword ptr [rsp+28h],0    ; va_end
                    00 00 00
; if (currentoutsize + length < 2000h) take the single-copy path, else chunk.
; The comparison is signed (jge); currentoutsize is zero-extended from 16 bits.
  000000000000012B: 0F B7 05 00 00 00  movzx       eax,word ptr [currentoutsize]
                    00
  0000000000000132: 8B 4C 24 20        mov         ecx,dword ptr [rsp+20h]
  0000000000000136: 03 C8              add         ecx,eax
  0000000000000138: 8B C1              mov         eax,ecx
  000000000000013A: 3D 00 20 00 00     cmp         eax,2000h
  000000000000013F: 7D 3E              jge         000000000000017F
; Single-copy path: memcpy(output + currentoutsize, buffer, length)
  0000000000000141: 48 63 44 24 20     movsxd      rax,dword ptr [rsp+20h]
  0000000000000146: 0F B7 0D 00 00 00  movzx       ecx,word ptr [currentoutsize]
                    00
  000000000000014D: 48 8B 15 00 00 00  mov         rdx,qword ptr [output]
                    00
  0000000000000154: 48 03 D1           add         rdx,rcx
  0000000000000157: 48 8B CA           mov         rcx,rdx                  ; arg 1: destination
  000000000000015A: 4C 8B C0           mov         r8,rax                   ; arg 3: length
  000000000000015D: 48 8B 54 24 30     mov         rdx,qword ptr [rsp+30h]  ; arg 2: source
  0000000000000162: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$memcpy]
  0000000000000168: 0F B7 05 00 00 00  movzx       eax,word ptr [currentoutsize]
                    00
  000000000000016F: 03 44 24 20        add         eax,dword ptr [rsp+20h]
  0000000000000173: 66 89 05 00 00 00  mov         word ptr [currentoutsize],ax  ; currentoutsize += length
                    00
  000000000000017A: E9 C8 00 00 00     jmp         0000000000000247         ; go to cleanup
; Chunked path: copy as much as fits, flush when the buffer is full, repeat.
  000000000000017F: 48 8B 44 24 30     mov         rax,qword ptr [rsp+30h]
  0000000000000184: 48 89 44 24 38     mov         qword ptr [rsp+38h],rax  ; read cursor = start of formatted text
; Loop head: while (length > 0)
  0000000000000189: 83 7C 24 20 00     cmp         dword ptr [rsp+20h],0
  000000000000018E: 0F 8E B3 00 00 00  jle         0000000000000247
; chunk = min(length, 2000h - currentoutsize)
  0000000000000194: 0F B7 05 00 00 00  movzx       eax,word ptr [currentoutsize]
                    00
  000000000000019B: B9 00 20 00 00     mov         ecx,2000h
  00000000000001A0: 2B C8              sub         ecx,eax
  00000000000001A2: 8B C1              mov         eax,ecx
  00000000000001A4: 89 44 24 24        mov         dword ptr [rsp+24h],eax  ; chunk = free space in output
  00000000000001A8: 8B 44 24 24        mov         eax,dword ptr [rsp+24h]
  00000000000001AC: 39 44 24 20        cmp         dword ptr [rsp+20h],eax
  00000000000001B0: 7D 08              jge         00000000000001BA         ; length >= free space: keep chunk
  00000000000001B2: 8B 44 24 20        mov         eax,dword ptr [rsp+20h]
  00000000000001B6: 89 44 24 24        mov         dword ptr [rsp+24h],eax  ; otherwise chunk = length
; memcpy(output + currentoutsize, read cursor, chunk)
  00000000000001BA: 48 63 44 24 24     movsxd      rax,dword ptr [rsp+24h]
  00000000000001BF: 0F B7 0D 00 00 00  movzx       ecx,word ptr [currentoutsize]
                    00
  00000000000001C6: 48 8B 15 00 00 00  mov         rdx,qword ptr [output]
                    00
  00000000000001CD: 48 03 D1           add         rdx,rcx
  00000000000001D0: 48 8B CA           mov         rcx,rdx
  00000000000001D3: 4C 8B C0           mov         r8,rax
  00000000000001D6: 48 8B 54 24 38     mov         rdx,qword ptr [rsp+38h]
  00000000000001DB: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$memcpy]
  00000000000001E1: 0F B7 05 00 00 00  movzx       eax,word ptr [currentoutsize]
                    00
  00000000000001E8: 03 44 24 24        add         eax,dword ptr [rsp+24h]
  00000000000001EC: 66 89 05 00 00 00  mov         word ptr [currentoutsize],ax  ; currentoutsize += chunk
                    00
; Flush when the buffer is exactly full: printoutput(0) keeps the buffer.
  00000000000001F3: 0F B7 05 00 00 00  movzx       eax,word ptr [currentoutsize]
                    00
  00000000000001FA: 3D 00 20 00 00     cmp         eax,2000h
  00000000000001FF: 75 07              jne         0000000000000208
  0000000000000201: 33 C9              xor         ecx,ecx
  0000000000000203: E8 00 00 00 00     call        printoutput
; memset([rsp+40h] buffer, 0, chunk), then advance the cursor and the count.
  0000000000000208: 48 63 44 24 24     movsxd      rax,dword ptr [rsp+24h]
  000000000000020D: 4C 8B C0           mov         r8,rax
  0000000000000210: 33 D2              xor         edx,edx
  0000000000000212: 48 8B 4C 24 40     mov         rcx,qword ptr [rsp+40h]
  0000000000000217: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$memset]
  000000000000021D: 48 63 44 24 24     movsxd      rax,dword ptr [rsp+24h]
  0000000000000222: 48 8B 4C 24 38     mov         rcx,qword ptr [rsp+38h]
  0000000000000227: 48 03 C8           add         rcx,rax
  000000000000022A: 48 8B C1           mov         rax,rcx
  000000000000022D: 48 89 44 24 38     mov         qword ptr [rsp+38h],rax  ; read cursor += chunk
  0000000000000232: 8B 44 24 24        mov         eax,dword ptr [rsp+24h]
  0000000000000236: 8B 4C 24 20        mov         ecx,dword ptr [rsp+20h]
  000000000000023A: 2B C8              sub         ecx,eax
  000000000000023C: 8B C1              mov         eax,ecx
  000000000000023E: 89 44 24 20        mov         dword ptr [rsp+20h],eax  ; length -= chunk
  0000000000000242: E9 42 FF FF FF     jmp         0000000000000189         ; back to the loop head
; Cleanup: HeapFree(GetProcessHeap(), 0, ...) for both temporary buffers.
  0000000000000247: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$GetProcessHeap]
  000000000000024D: 4C 8B 44 24 30     mov         r8,qword ptr [rsp+30h]   ; formatted buffer
  0000000000000252: 33 D2              xor         edx,edx
  0000000000000254: 48 8B C8           mov         rcx,rax
  0000000000000257: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$HeapFree]
  000000000000025D: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$GetProcessHeap]
  0000000000000263: 4C 8B 44 24 40     mov         r8,qword ptr [rsp+40h]   ; 2000h buffer
  0000000000000268: 33 D2              xor         edx,edx
  000000000000026A: 48 8B C8           mov         rcx,rax
  000000000000026D: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$HeapFree]
  0000000000000273: 48 83 C4 58        add         rsp,58h
  0000000000000277: C3                 ret
; int 3 filler.
  0000000000000278: CC                 int         3
  0000000000000279: CC                 int         3
  000000000000027A: CC                 int         3
  000000000000027B: CC                 int         3
  000000000000027C: CC                 int         3
  000000000000027D: CC                 int         3
  000000000000027E: CC                 int         3
  000000000000027F: CC                 int         3

; ---------------------------------------------------------------------------
; printoutput(done): send the buffered text and reset the buffer.
;   BeaconOutput(0, output, currentoutsize)   ; type 0 is CALLBACK_OUTPUT in beacon.h
;   currentoutsize = 0; memset(output, 0, 2000h)
;   if (done) { free(output); output = NULL; }
; The argument is homed at [rsp+8] on entry, i.e. [rsp+40h] after the
; 38h-byte frame is allocated.
; ---------------------------------------------------------------------------
printoutput:
  0000000000000280: 89 4C 24 08        mov         dword ptr [rsp+8],ecx    ; home the "done" flag
  0000000000000284: 48 83 EC 38        sub         rsp,38h
  0000000000000288: 48 C7 44 24 20 00  mov         qword ptr [rsp+20h],0    ; local zeroed here, not used again below
                    00 00 00
  0000000000000291: 0F B7 05 00 00 00  movzx       eax,word ptr [currentoutsize]
                    00
  0000000000000298: 44 8B C0           mov         r8d,eax                  ; arg 3: byte count
  000000000000029B: 48 8B 15 00 00 00  mov         rdx,qword ptr [output]   ; arg 2: data
                    00
  00000000000002A2: 33 C9              xor         ecx,ecx                  ; arg 1: output type 0
  00000000000002A4: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconOutput]
  00000000000002AA: 33 C0              xor         eax,eax
  00000000000002AC: 66 89 05 00 00 00  mov         word ptr [currentoutsize],ax  ; currentoutsize = 0
                    00
  00000000000002B3: 41 B8 00 20 00 00  mov         r8d,2000h
  00000000000002B9: 33 D2              xor         edx,edx
  00000000000002BB: 48 8B 0D 00 00 00  mov         rcx,qword ptr [output]
                    00
  00000000000002C2: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$memset]  ; clear the whole buffer
  00000000000002C8: 83 7C 24 40 00     cmp         dword ptr [rsp+40h],0    ; done flag set?
  00000000000002CD: 74 18              je          00000000000002E7         ; no: keep the buffer for more output
  00000000000002CF: 48 8B 0D 00 00 00  mov         rcx,qword ptr [output]
                    00
  00000000000002D6: FF 15 00 00 00 00  call        qword ptr [__imp_MSVCRT$free]
  00000000000002DC: 48 C7 05 00 00 00  mov         qword ptr [output],0     ; output = NULL after free
                    00 00 00 00 00
  00000000000002E7: 48 83 C4 38        add         rsp,38h
  00000000000002EB: C3                 ret
; int 3 filler.
  00000000000002EC: CC                 int         3
  00000000000002ED: CC                 int         3
  00000000000002EE: CC                 int         3
  00000000000002EF: CC                 int         3
  00000000000002F0: CC                 int         3
  00000000000002F1: CC                 int         3
  00000000000002F2: CC                 int         3
  00000000000002F3: CC                 int         3
  00000000000002F4: CC                 int         3
  00000000000002F5: CC                 int         3
  00000000000002F6: CC                 int         3
  00000000000002F7: CC                 int         3
  00000000000002F8: CC                 int         3
  00000000000002F9: CC                 int         3
  00000000000002FA: CC                 int         3
  00000000000002FB: CC                 int         3
  00000000000002FC: CC                 int         3
  00000000000002FD: CC                 int         3
  00000000000002FE: CC                 int         3
  00000000000002FF: CC                 int         3

; ---------------------------------------------------------------------------
; FindRWX(hProcess): enumerate the target's memory regions and report those
; that are committed, private and PAGE_EXECUTE_READWRITE. Returns 1 in eax if
; at least one such region was reported, else 0.
;
; Stack slots after "sub rsp,68h":
;   [rsp+20h] dword  found flag (return value)
;   [rsp+28h] qword  address to query next, starts at 0
;   [rsp+30h] 30h-byte buffer passed to VirtualQueryEx; the offsets used below
;             match the x64 MEMORY_BASIC_INFORMATION layout:
;               +00h [rsp+30h] BaseAddress    +20h [rsp+50h] State
;               +18h [rsp+48h] RegionSize     +24h [rsp+54h] Protect
;                                             +28h [rsp+58h] Type
;   [rsp+70h] qword  homed rcx = process handle
; The loop ends when VirtualQueryEx returns 0.
; ---------------------------------------------------------------------------
FindRWX:
  0000000000000300: 48 89 4C 24 08     mov         qword ptr [rsp+8],rcx    ; home the handle argument
  0000000000000305: 48 83 EC 68        sub         rsp,68h
  0000000000000309: C7 44 24 20 00 00  mov         dword ptr [rsp+20h],0    ; found = 0
                    00 00
  0000000000000311: 48 C7 44 24 28 00  mov         qword ptr [rsp+28h],0    ; query address = 0
                    00 00 00
; Zero the query-result buffer field by field.
  000000000000031A: 48 C7 44 24 30 00  mov         qword ptr [rsp+30h],0
                    00 00 00
  0000000000000323: 48 C7 44 24 38 00  mov         qword ptr [rsp+38h],0
                    00 00 00
  000000000000032C: C7 44 24 40 00 00  mov         dword ptr [rsp+40h],0
                    00 00
  0000000000000334: 48 C7 44 24 48 00  mov         qword ptr [rsp+48h],0
                    00 00 00
  000000000000033D: C7 44 24 50 00 00  mov         dword ptr [rsp+50h],0
                    00 00
  0000000000000345: C7 44 24 54 00 00  mov         dword ptr [rsp+54h],0
                    00 00
  000000000000034D: C7 44 24 58 00 00  mov         dword ptr [rsp+58h],0
                    00 00
; Two fixed strings are buffered before the scan (contents not in this dump).
  0000000000000355: 48 8D 0D 00 00 00  lea         rcx,[$SG102129]
                    00
  000000000000035C: E8 00 00 00 00     call        internal_printf
  0000000000000361: 48 8D 0D 00 00 00  lea         rcx,[$SG102130]
                    00
  0000000000000368: E8 00 00 00 00     call        internal_printf
; Loop head: VirtualQueryEx(hProcess, address, &info, 30h)
  000000000000036D: 41 B9 30 00 00 00  mov         r9d,30h                  ; arg 4: size of the result buffer
  0000000000000373: 4C 8D 44 24 30     lea         r8,[rsp+30h]             ; arg 3: result buffer
  0000000000000378: 48 8B 54 24 28     mov         rdx,qword ptr [rsp+28h]  ; arg 2: address to query
  000000000000037D: 48 8B 4C 24 70     mov         rcx,qword ptr [rsp+70h]  ; arg 1: process handle
  0000000000000382: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$VirtualQueryEx]
  0000000000000388: 48 85 C0           test        rax,rax
  000000000000038B: 74 50              je          00000000000003DD         ; 0 bytes returned: stop scanning
; next address = BaseAddress + RegionSize
  000000000000038D: 48 8B 44 24 48     mov         rax,qword ptr [rsp+48h]
  0000000000000392: 48 8B 4C 24 30     mov         rcx,qword ptr [rsp+30h]
  0000000000000397: 48 03 C8           add         rcx,rax
  000000000000039A: 48 8B C1           mov         rax,rcx
  000000000000039D: 48 89 44 24 28     mov         qword ptr [rsp+28h],rax
; Report only if all three fields match exactly.
  00000000000003A2: 83 7C 24 54 40     cmp         dword ptr [rsp+54h],40h  ; Protect == PAGE_EXECUTE_READWRITE
  00000000000003A7: 75 32              jne         00000000000003DB
  00000000000003A9: 81 7C 24 50 00 10  cmp         dword ptr [rsp+50h],1000h  ; State == MEM_COMMIT
                    00 00
  00000000000003B1: 75 28              jne         00000000000003DB
  00000000000003B3: 81 7C 24 58 00 00  cmp         dword ptr [rsp+58h],20000h  ; Type == MEM_PRIVATE
                    02 00
  00000000000003BB: 75 1E              jne         00000000000003DB
; internal_printf($SG102132, BaseAddress, RegionSize); found = 1
  00000000000003BD: 4C 8B 44 24 48     mov         r8,qword ptr [rsp+48h]   ; RegionSize
  00000000000003C2: 48 8B 54 24 30     mov         rdx,qword ptr [rsp+30h]  ; BaseAddress
  00000000000003C7: 48 8D 0D 00 00 00  lea         rcx,[$SG102132]          ; format string (not in this dump)
                    00
  00000000000003CE: E8 00 00 00 00     call        internal_printf
  00000000000003D3: C7 44 24 20 01 00  mov         dword ptr [rsp+20h],1
                    00 00
  00000000000003DB: EB 90              jmp         000000000000036D         ; query the next region
  00000000000003DD: 8B 44 24 20        mov         eax,dword ptr [rsp+20h]  ; return found
  00000000000003E1: 48 83 C4 68        add         rsp,68h
  00000000000003E5: C3                 ret
; int 3 filler.
  00000000000003E6: CC                 int         3
  00000000000003E7: CC                 int         3
  00000000000003E8: CC                 int         3
  00000000000003E9: CC                 int         3
  00000000000003EA: CC                 int         3
  00000000000003EB: CC                 int         3
  00000000000003EC: CC                 int         3
  00000000000003ED: CC                 int         3
  00000000000003EE: CC                 int         3
  00000000000003EF: CC                 int         3

; ---------------------------------------------------------------------------
; go(args, length): entry point of the object.
;   1. BeaconDataParse / BeaconDataInt read one int from the argument buffer;
;      it is used unchanged as the process ID.
;   2. bofstart() allocates the output buffer.
;   3. OpenProcess(1FFFFFh, FALSE, pid); on failure BeaconPrintf(0Dh, ...)
;      and return -1 (0Dh is CALLBACK_ERROR in beacon.h).
;   4. FindRWX(handle); if nothing was found BeaconPrintf(0Dh, ...),
;      otherwise printoutput(1) sends the buffered report and frees the buffer.
;   5. CloseHandle(handle); return 0.
;
; Stack slots after "sub rsp,58h":
;   [rsp+20h] dword  pid          [rsp+28h] qword  process handle
;   [rsp+24h] dword  FindRWX result
;   [rsp+30h] parser state filled by BeaconDataParse
;   [rsp+60h] qword  homed rcx = args    [rsp+68h] dword  homed edx = length
;
; NOTE(review): printoutput(1) is the only call that frees the buffer made by
; bofstart, and it is reached only when FindRWX returns non-zero. On the
; OpenProcess-failure path and on the nothing-found path the buffer is left
; allocated, and on the nothing-found path the two strings FindRWX buffered
; are never sent.
; ---------------------------------------------------------------------------
go:
  00000000000003F0: 89 54 24 10        mov         dword ptr [rsp+10h],edx  ; home length
  00000000000003F4: 48 89 4C 24 08     mov         qword ptr [rsp+8],rcx    ; home args
  00000000000003F9: 48 83 EC 58        sub         rsp,58h
  00000000000003FD: C7 44 24 20 00 00  mov         dword ptr [rsp+20h],0    ; pid = 0
                    00 00
  0000000000000405: 48 C7 44 24 28 00  mov         qword ptr [rsp+28h],0    ; handle = NULL
                    00 00 00
  000000000000040E: C7 44 24 24 00 00  mov         dword ptr [rsp+24h],0    ; result = 0
                    00 00
; BeaconDataParse(&parser, args, length)
  0000000000000416: 44 8B 44 24 68     mov         r8d,dword ptr [rsp+68h]
  000000000000041B: 48 8B 54 24 60     mov         rdx,qword ptr [rsp+60h]
  0000000000000420: 48 8D 4C 24 30     lea         rcx,[rsp+30h]
  0000000000000425: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconDataParse]
; pid = BeaconDataInt(&parser)
  000000000000042B: 48 8D 4C 24 30     lea         rcx,[rsp+30h]
  0000000000000430: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconDataInt]
  0000000000000436: 89 44 24 20        mov         dword ptr [rsp+20h],eax
  000000000000043A: E8 00 00 00 00     call        bofstart
  000000000000043F: 85 C0              test        eax,eax
  0000000000000441: 75 02              jne         0000000000000445
  0000000000000443: EB 78              jmp         00000000000004BD         ; bofstart returned 0: return (eax is 0 here)
; handle = OpenProcess(1FFFFFh /* PROCESS_ALL_ACCESS */, FALSE, pid)
  0000000000000445: 44 8B 44 24 20     mov         r8d,dword ptr [rsp+20h]  ; arg 3: process ID
  000000000000044A: 33 D2              xor         edx,edx                  ; arg 2: bInheritHandle = FALSE
  000000000000044C: B9 FF FF 1F 00     mov         ecx,1FFFFFh              ; arg 1: desired access mask
  0000000000000451: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$OpenProcess]
  0000000000000457: 48 89 44 24 28     mov         qword ptr [rsp+28h],rax
  000000000000045C: 48 83 7C 24 28 00  cmp         qword ptr [rsp+28h],0
  0000000000000462: 75 19              jne         000000000000047D
; Open failed: BeaconPrintf(0Dh, $SG102148); return -1 (buffer not freed).
  0000000000000464: 48 8D 15 00 00 00  lea         rdx,[$SG102148]
                    00
  000000000000046B: B9 0D 00 00 00     mov         ecx,0Dh
  0000000000000470: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconPrintf]
  0000000000000476: B8 FF FF FF FF     mov         eax,0FFFFFFFFh
  000000000000047B: EB 40              jmp         00000000000004BD
; result = FindRWX(handle)
  000000000000047D: 48 8B 4C 24 28     mov         rcx,qword ptr [rsp+28h]
  0000000000000482: E8 00 00 00 00     call        FindRWX
  0000000000000487: 89 44 24 24        mov         dword ptr [rsp+24h],eax
  000000000000048B: 83 7C 24 24 00     cmp         dword ptr [rsp+24h],0
  0000000000000490: 75 14              jne         00000000000004A6
; Nothing found: BeaconPrintf(0Dh, $SG102151); printoutput is skipped.
  0000000000000492: 48 8D 15 00 00 00  lea         rdx,[$SG102151]
                    00
  0000000000000499: B9 0D 00 00 00     mov         ecx,0Dh
  000000000000049E: FF 15 00 00 00 00  call        qword ptr [__imp_BeaconPrintf]
  00000000000004A4: EB 0A              jmp         00000000000004B0
; Something found: printoutput(1) flushes the report and frees the buffer.
  00000000000004A6: B9 01 00 00 00     mov         ecx,1
  00000000000004AB: E8 00 00 00 00     call        printoutput
  00000000000004B0: 48 8B 4C 24 28     mov         rcx,qword ptr [rsp+28h]
  00000000000004B5: FF 15 00 00 00 00  call        qword ptr [__imp_KERNEL32$CloseHandle]
  00000000000004BB: 33 C0              xor         eax,eax                  ; return 0
  00000000000004BD: 48 83 C4 58        add         rsp,58h
  00000000000004C1: C3                 ret

; Section sizes reported by dumpbin (hexadecimal byte counts).
  Summary

          18 .bss
          40 .chks64
          E6 .data
          8C .debug$S
          5D .drectve
          3C .pdata
         4C2 .text$mn
          28 .xdata