- Microsoft (R) COFF/PE Dumper Version 14.29.30148.0
- Copyright (C) Microsoft Corporation. All rights reserved.
- Dump of file findrwx.o
- File Type: COFF OBJECT
- ;-----------------------------------------------------------------------
- ; bofstart  --  int bofstart(void)
- ; ABI:    Microsoft x64.  0x28 bytes of stack = 32-byte shadow space
- ;         + 8, so rsp is 16-aligned at the calloc call.
- ; Effect: output = calloc(0x2000, 1); currentoutsize = 0.
- ; Out:    eax = 1 unconditionally; the allocation result is not
- ;         reflected in the return value.
- ; NOTE(review): rax from calloc is stored without a NULL check.  A failed
- ;         allocation is first dereferenced by memcpy in internal_printf.
- ;-----------------------------------------------------------------------
- bofstart:
- 0000000000000000: 48 83 EC 28 sub rsp,28h                         ; shadow space + alignment pad
- 0000000000000004: BA 01 00 00 00 mov edx,1                        ; arg2: element size = 1
- 0000000000000009: B9 00 20 00 00 mov ecx,2000h                    ; arg1: count = 0x2000 (8 KiB output buffer)
- 000000000000000E: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$calloc]   ; output = calloc(0x2000, 1)
- 0000000000000014: 48 89 05 00 00 00 mov qword ptr [output],rax    ; stored unchecked (may be NULL)
- 00
- 000000000000001B: 33 C0 xor eax,eax
- 000000000000001D: 66 89 05 00 00 00 mov word ptr [currentoutsize],ax   ; currentoutsize = 0 (16-bit global)
- 00
- 0000000000000024: B8 01 00 00 00 mov eax,1                        ; return 1
- 0000000000000029: 48 83 C4 28 add rsp,28h
- 000000000000002D: C3 ret
- 000000000000002E: CC int 3
- 000000000000002F: CC int 3
- 0000000000000030: CC int 3
- 0000000000000031: CC int 3
- 0000000000000032: CC int 3
- 0000000000000033: CC int 3
- 0000000000000034: CC int 3
- 0000000000000035: CC int 3
- 0000000000000036: CC int 3
- 0000000000000037: CC int 3
- 0000000000000038: CC int 3
- 0000000000000039: CC int 3
- 000000000000003A: CC int 3
- 000000000000003B: CC int 3
- 000000000000003C: CC int 3
- 000000000000003D: CC int 3
- 000000000000003E: CC int 3
- 000000000000003F: CC int 3
- ;-----------------------------------------------------------------------
- ; internal_printf  --  void internal_printf(const char *format, ...)
- ; ABI:    Microsoft x64.  rcx = format; rdx, r8, r9 are spilled to
- ;         their home slots so a va_list can walk them (0x40..0x4F).
- ; Effect: formats the message and appends it to the global 0x2000-byte
- ;         buffer 'output'.  If it does not fit, it is copied in chunks
- ;         and printoutput(0) flushes the buffer each time it fills.
- ;         No return value.
- ; Locals after 'sub rsp,58h':
- ;         [rsp+20h] int    len     = vsnprintf(NULL,0,format,va) result
- ;         [rsp+24h] int    chunk   = bytes copied per loop iteration
- ;         [rsp+28h]        va_list pointer (zeroed after each use)
- ;         [rsp+30h] char*  fmtbuf  = HeapAlloc(len): the formatted text
- ;         [rsp+38h] char*  src     = read cursor into fmtbuf
- ;         [rsp+40h] char*  scratch = HeapAlloc(0x2000); only memset/freed
- ;         [rsp+48h] size_t len widened to 64 bits
- ;         [rsp+60h] format (rcx home slot); [rsp+68h] first vararg (rdx)
- ; NOTE(review): neither HeapAlloc result is NULL-checked, and 'output'
- ;         is dereferenced without a NULL check (bofstart does not check
- ;         it either).
- ;-----------------------------------------------------------------------
- internal_printf:
- 0000000000000040: 48 89 4C 24 08 mov qword ptr [rsp+8],rcx        ; spill format to its home slot
- 0000000000000045: 48 89 54 24 10 mov qword ptr [rsp+10h],rdx      ; spill vararg 1
- 000000000000004A: 4C 89 44 24 18 mov qword ptr [rsp+18h],r8       ; spill vararg 2
- 000000000000004F: 4C 89 4C 24 20 mov qword ptr [rsp+20h],r9       ; spill vararg 3 (home slots now form the va_list)
- 0000000000000054: 48 83 EC 58 sub rsp,58h                         ; 0x58 keeps rsp 16-aligned at every call below
- 0000000000000058: C7 44 24 20 00 00 mov dword ptr [rsp+20h],0     ; len = 0
- 00 00
- 0000000000000060: C7 44 24 24 00 00 mov dword ptr [rsp+24h],0     ; chunk = 0
- 00 00
- 0000000000000068: 48 C7 44 24 38 00 mov qword ptr [rsp+38h],0     ; src = NULL
- 00 00 00
- 0000000000000071: 48 C7 44 24 30 00 mov qword ptr [rsp+30h],0     ; fmtbuf = NULL
- 00 00 00
- 000000000000007A: 48 8D 44 24 68 lea rax,[rsp+68h]                ; va_start: &first vararg (rdx home slot)
- 000000000000007F: 48 89 44 24 28 mov qword ptr [rsp+28h],rax
- 0000000000000084: 4C 8B 4C 24 28 mov r9,qword ptr [rsp+28h]       ; arg4: va_list
- 0000000000000089: 4C 8B 44 24 60 mov r8,qword ptr [rsp+60h]       ; arg3: format
- 000000000000008E: 33 D2 xor edx,edx                               ; arg2: count = 0
- 0000000000000090: 33 C9 xor ecx,ecx                               ; arg1: buffer = NULL (size query)
- 0000000000000092: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$vsnprintf]
- 0000000000000098: 89 44 24 20 mov dword ptr [rsp+20h],eax         ; len = required length (or -1)
- 000000000000009C: 48 C7 44 24 28 00 mov qword ptr [rsp+28h],0     ; va_end
- 00 00 00
- 00000000000000A5: 83 7C 24 20 FF cmp dword ptr [rsp+20h],0FFFFFFFFh   ; if (len == -1) return
- 00000000000000AA: 75 05 jne 00000000000000B1
- 00000000000000AC: E9 C2 01 00 00 jmp 0000000000000273              ; straight to the epilogue; nothing allocated yet
- 00000000000000B1: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$GetProcessHeap]
- 00000000000000B7: 41 B8 00 20 00 00 mov r8d,2000h                 ; arg3: 0x2000 bytes
- 00000000000000BD: BA 08 00 00 00 mov edx,8                        ; arg2: HEAP_ZERO_MEMORY
- 00000000000000C2: 48 8B C8 mov rcx,rax                            ; arg1: process heap
- 00000000000000C5: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$HeapAlloc]
- 00000000000000CB: 48 89 44 24 40 mov qword ptr [rsp+40h],rax      ; scratch = HeapAlloc(heap, HEAP_ZERO_MEMORY, 0x2000) (unchecked)
- 00000000000000D0: 48 63 44 24 20 movsxd rax,dword ptr [rsp+20h]   ; (size_t)len
- 00000000000000D5: 48 89 44 24 48 mov qword ptr [rsp+48h],rax
- 00000000000000DA: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$GetProcessHeap]
- 00000000000000E0: 48 8B 4C 24 48 mov rcx,qword ptr [rsp+48h]
- 00000000000000E5: 4C 8B C1 mov r8,rcx                             ; arg3: len bytes (no +1 for a terminator)
- 00000000000000E8: BA 08 00 00 00 mov edx,8                        ; arg2: HEAP_ZERO_MEMORY
- 00000000000000ED: 48 8B C8 mov rcx,rax                            ; arg1: process heap
- 00000000000000F0: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$HeapAlloc]
- 00000000000000F6: 48 89 44 24 30 mov qword ptr [rsp+30h],rax      ; fmtbuf = HeapAlloc(heap, HEAP_ZERO_MEMORY, len) (unchecked)
- 00000000000000FB: 48 8D 44 24 68 lea rax,[rsp+68h]                ; va_start again
- 0000000000000100: 48 89 44 24 28 mov qword ptr [rsp+28h],rax
- 0000000000000105: 48 63 44 24 20 movsxd rax,dword ptr [rsp+20h]
- 000000000000010A: 4C 8B 4C 24 28 mov r9,qword ptr [rsp+28h]       ; arg4: va_list
- 000000000000010F: 4C 8B 44 24 60 mov r8,qword ptr [rsp+60h]       ; arg3: format
- 0000000000000114: 48 8B D0 mov rdx,rax                            ; arg2: count = len
- 0000000000000117: 48 8B 4C 24 30 mov rcx,qword ptr [rsp+30h]      ; arg1: fmtbuf
- 000000000000011C: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$vsnprintf]   ; vsnprintf(fmtbuf, len, format, va); result ignored
- ;   NOTE(review): count == buffer size == len.  Whether the last character
- ;   is kept or replaced by a NUL depends on which MSVCRT vsnprintf this
- ;   import resolves to -- confirm; the memcpy below copies len bytes either way.
- 0000000000000122: 48 C7 44 24 28 00 mov qword ptr [rsp+28h],0     ; va_end
- 00 00 00
- 000000000000012B: 0F B7 05 00 00 00 movzx eax,word ptr [currentoutsize]
- 00
- 0000000000000132: 8B 4C 24 20 mov ecx,dword ptr [rsp+20h]
- 0000000000000136: 03 C8 add ecx,eax                               ; ecx = len + currentoutsize
- 0000000000000138: 8B C1 mov eax,ecx
- 000000000000013A: 3D 00 20 00 00 cmp eax,2000h
- 000000000000013F: 7D 3E jge 000000000000017F                      ; does not fit -> chunked path (signed compare)
- ; -- fast path: the whole message fits in the remaining buffer space --
- 0000000000000141: 48 63 44 24 20 movsxd rax,dword ptr [rsp+20h]   ; (size_t)len
- 0000000000000146: 0F B7 0D 00 00 00 movzx ecx,word ptr [currentoutsize]
- 00
- 000000000000014D: 48 8B 15 00 00 00 mov rdx,qword ptr [output]
- 00
- 0000000000000154: 48 03 D1 add rdx,rcx                            ; output + currentoutsize
- 0000000000000157: 48 8B CA mov rcx,rdx                            ; arg1: dest
- 000000000000015A: 4C 8B C0 mov r8,rax                             ; arg3: len
- 000000000000015D: 48 8B 54 24 30 mov rdx,qword ptr [rsp+30h]      ; arg2: fmtbuf
- 0000000000000162: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$memcpy]   ; memcpy(output + currentoutsize, fmtbuf, len)
- 0000000000000168: 0F B7 05 00 00 00 movzx eax,word ptr [currentoutsize]
- 00
- 000000000000016F: 03 44 24 20 add eax,dword ptr [rsp+20h]
- 0000000000000173: 66 89 05 00 00 00 mov word ptr [currentoutsize],ax   ; currentoutsize += len (stays below 0x2000 on this path)
- 00
- 000000000000017A: E9 C8 00 00 00 jmp 0000000000000247              ; -> cleanup
- ; -- chunked path: copy what fits, flush when the buffer is full, repeat --
- 000000000000017F: 48 8B 44 24 30 mov rax,qword ptr [rsp+30h]
- 0000000000000184: 48 89 44 24 38 mov qword ptr [rsp+38h],rax      ; src = fmtbuf
- 0000000000000189: 83 7C 24 20 00 cmp dword ptr [rsp+20h],0        ; loop head: while (len > 0)
- 000000000000018E: 0F 8E B3 00 00 00 jle 0000000000000247
- 0000000000000194: 0F B7 05 00 00 00 movzx eax,word ptr [currentoutsize]
- 00
- 000000000000019B: B9 00 20 00 00 mov ecx,2000h
- 00000000000001A0: 2B C8 sub ecx,eax                               ; room = 0x2000 - currentoutsize
- 00000000000001A2: 8B C1 mov eax,ecx
- 00000000000001A4: 89 44 24 24 mov dword ptr [rsp+24h],eax         ; chunk = room
- 00000000000001A8: 8B 44 24 24 mov eax,dword ptr [rsp+24h]
- 00000000000001AC: 39 44 24 20 cmp dword ptr [rsp+20h],eax
- 00000000000001B0: 7D 08 jge 00000000000001BA                      ; if (len < chunk)
- 00000000000001B2: 8B 44 24 20 mov eax,dword ptr [rsp+20h]
- 00000000000001B6: 89 44 24 24 mov dword ptr [rsp+24h],eax         ;     chunk = len
- 00000000000001BA: 48 63 44 24 24 movsxd rax,dword ptr [rsp+24h]   ; (size_t)chunk
- 00000000000001BF: 0F B7 0D 00 00 00 movzx ecx,word ptr [currentoutsize]
- 00
- 00000000000001C6: 48 8B 15 00 00 00 mov rdx,qword ptr [output]
- 00
- 00000000000001CD: 48 03 D1 add rdx,rcx
- 00000000000001D0: 48 8B CA mov rcx,rdx                            ; arg1: output + currentoutsize
- 00000000000001D3: 4C 8B C0 mov r8,rax                             ; arg3: chunk
- 00000000000001D6: 48 8B 54 24 38 mov rdx,qword ptr [rsp+38h]      ; arg2: src
- 00000000000001DB: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$memcpy]   ; memcpy(output + currentoutsize, src, chunk)
- 00000000000001E1: 0F B7 05 00 00 00 movzx eax,word ptr [currentoutsize]
- 00
- 00000000000001E8: 03 44 24 24 add eax,dword ptr [rsp+24h]
- 00000000000001EC: 66 89 05 00 00 00 mov word ptr [currentoutsize],ax   ; currentoutsize += chunk
- 00
- 00000000000001F3: 0F B7 05 00 00 00 movzx eax,word ptr [currentoutsize]
- 00
- 00000000000001FA: 3D 00 20 00 00 cmp eax,2000h
- 00000000000001FF: 75 07 jne 0000000000000208                      ; if (currentoutsize == 0x2000)
- 0000000000000201: 33 C9 xor ecx,ecx                               ;     printoutput(0): flush, keep the buffer
- 0000000000000203: E8 00 00 00 00 call printoutput
- 0000000000000208: 48 63 44 24 24 movsxd rax,dword ptr [rsp+24h]
- 000000000000020D: 4C 8B C0 mov r8,rax                             ; arg3: chunk
- 0000000000000210: 33 D2 xor edx,edx                               ; arg2: fill = 0
- 0000000000000212: 48 8B 4C 24 40 mov rcx,qword ptr [rsp+40h]      ; arg1: scratch
- 0000000000000217: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$memset]   ; memset(scratch, 0, chunk) -- scratch is never read anywhere in this listing
- 000000000000021D: 48 63 44 24 24 movsxd rax,dword ptr [rsp+24h]
- 0000000000000222: 48 8B 4C 24 38 mov rcx,qword ptr [rsp+38h]
- 0000000000000227: 48 03 C8 add rcx,rax
- 000000000000022A: 48 8B C1 mov rax,rcx
- 000000000000022D: 48 89 44 24 38 mov qword ptr [rsp+38h],rax      ; src += chunk
- 0000000000000232: 8B 44 24 24 mov eax,dword ptr [rsp+24h]
- 0000000000000236: 8B 4C 24 20 mov ecx,dword ptr [rsp+20h]
- 000000000000023A: 2B C8 sub ecx,eax
- 000000000000023C: 8B C1 mov eax,ecx
- 000000000000023E: 89 44 24 20 mov dword ptr [rsp+20h],eax         ; len -= chunk
- 0000000000000242: E9 42 FF FF FF jmp 0000000000000189              ; back to loop head
- ; -- cleanup --
- 0000000000000247: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$GetProcessHeap]
- 000000000000024D: 4C 8B 44 24 30 mov r8,qword ptr [rsp+30h]       ; arg3: fmtbuf
- 0000000000000252: 33 D2 xor edx,edx                               ; arg2: flags = 0
- 0000000000000254: 48 8B C8 mov rcx,rax                            ; arg1: process heap
- 0000000000000257: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$HeapFree]   ; HeapFree(heap, 0, fmtbuf)
- 000000000000025D: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$GetProcessHeap]
- 0000000000000263: 4C 8B 44 24 40 mov r8,qword ptr [rsp+40h]       ; arg3: scratch
- 0000000000000268: 33 D2 xor edx,edx
- 000000000000026A: 48 8B C8 mov rcx,rax
- 000000000000026D: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$HeapFree]   ; HeapFree(heap, 0, scratch)
- 0000000000000273: 48 83 C4 58 add rsp,58h                         ; epilogue (also the len == -1 exit)
- 0000000000000277: C3 ret
- 0000000000000278: CC int 3
- 0000000000000279: CC int 3
- 000000000000027A: CC int 3
- 000000000000027B: CC int 3
- 000000000000027C: CC int 3
- 000000000000027D: CC int 3
- 000000000000027E: CC int 3
- 000000000000027F: CC int 3
- ;-----------------------------------------------------------------------
- ; printoutput  --  void printoutput(int done)
- ; ABI:    Microsoft x64.  ecx = done, spilled to its home slot and read
- ;         back as [rsp+40h] after 'sub rsp,38h'.
- ; Effect: BeaconOutput(0 /*CALLBACK_OUTPUT*/, output, currentoutsize),
- ;         then currentoutsize = 0 and the 0x2000-byte buffer is zeroed.
- ;         If done != 0 the buffer is released with free() (it came from
- ;         calloc in bofstart, so the deallocator matches) and 'output'
- ;         is set to NULL.
- ; NOTE(review): 'output' is passed to BeaconOutput/memset/free without a
- ;         NULL check; the local at [rsp+20h] is written once, never read.
- ;-----------------------------------------------------------------------
- printoutput:
- 0000000000000280: 89 4C 24 08 mov dword ptr [rsp+8],ecx           ; spill 'done' to its home slot
- 0000000000000284: 48 83 EC 38 sub rsp,38h                         ; 0x38 keeps rsp 16-aligned at the calls below
- 0000000000000288: 48 C7 44 24 20 00 mov qword ptr [rsp+20h],0     ; unused local
- 00 00 00
- 0000000000000291: 0F B7 05 00 00 00 movzx eax,word ptr [currentoutsize]
- 00
- 0000000000000298: 44 8B C0 mov r8d,eax                            ; arg3: len = currentoutsize
- 000000000000029B: 48 8B 15 00 00 00 mov rdx,qword ptr [output]    ; arg2: data = output
- 00
- 00000000000002A2: 33 C9 xor ecx,ecx                               ; arg1: type = 0 (CALLBACK_OUTPUT)
- 00000000000002A4: FF 15 00 00 00 00 call qword ptr [__imp_BeaconOutput]
- 00000000000002AA: 33 C0 xor eax,eax
- 00000000000002AC: 66 89 05 00 00 00 mov word ptr [currentoutsize],ax   ; currentoutsize = 0
- 00
- 00000000000002B3: 41 B8 00 20 00 00 mov r8d,2000h                 ; arg3: 0x2000 bytes
- 00000000000002B9: 33 D2 xor edx,edx                               ; arg2: fill = 0
- 00000000000002BB: 48 8B 0D 00 00 00 mov rcx,qword ptr [output]    ; arg1: output
- 00
- 00000000000002C2: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$memset]   ; memset(output, 0, 0x2000)
- 00000000000002C8: 83 7C 24 40 00 cmp dword ptr [rsp+40h],0        ; if (done == 0) keep the buffer
- 00000000000002CD: 74 18 je 00000000000002E7
- 00000000000002CF: 48 8B 0D 00 00 00 mov rcx,qword ptr [output]
- 00
- 00000000000002D6: FF 15 00 00 00 00 call qword ptr [__imp_MSVCRT$free]   ; free(output)
- 00000000000002DC: 48 C7 05 00 00 00 mov qword ptr [output],0      ; output = NULL
- 00 00 00 00 00
- 00000000000002E7: 48 83 C4 38 add rsp,38h
- 00000000000002EB: C3 ret
- 00000000000002EC: CC int 3
- 00000000000002ED: CC int 3
- 00000000000002EE: CC int 3
- 00000000000002EF: CC int 3
- 00000000000002F0: CC int 3
- 00000000000002F1: CC int 3
- 00000000000002F2: CC int 3
- 00000000000002F3: CC int 3
- 00000000000002F4: CC int 3
- 00000000000002F5: CC int 3
- 00000000000002F6: CC int 3
- 00000000000002F7: CC int 3
- 00000000000002F8: CC int 3
- 00000000000002F9: CC int 3
- 00000000000002FA: CC int 3
- 00000000000002FB: CC int 3
- 00000000000002FC: CC int 3
- 00000000000002FD: CC int 3
- 00000000000002FE: CC int 3
- 00000000000002FF: CC int 3
- ;-----------------------------------------------------------------------
- ; FindRWX  --  int FindRWX(HANDLE hProcess)
- ; ABI:    Microsoft x64.  rcx = hProcess, spilled to its home slot and
- ;         read back as [rsp+70h] after 'sub rsp,68h'.
- ; Effect: prints two header strings, then walks the target's address
- ;         space with VirtualQueryEx from address 0, advancing by
- ;         BaseAddress + RegionSize until the query fails.  Every region
- ;         with State == MEM_COMMIT, Protect == PAGE_EXECUTE_READWRITE
- ;         and Type == MEM_PRIVATE is reported through internal_printf.
- ; Out:    eax = 1 if at least one such region was reported, else 0.
- ; Locals after 'sub rsp,68h':
- ;         [rsp+20h] int    found;  [rsp+28h] LPVOID addr (query cursor)
- ;         [rsp+30h] MEMORY_BASIC_INFORMATION mbi (0x30 bytes on x64):
- ;                   BaseAddress +0, AllocationBase +8, AllocationProtect
- ;                   +10h, RegionSize +18h, State +20h, Protect +24h,
- ;                   Type +28h
- ; Note:   the only loop exit is VirtualQueryEx returning 0; there is no
- ;         separate upper bound on addr.
- ;-----------------------------------------------------------------------
- FindRWX:
- 0000000000000300: 48 89 4C 24 08 mov qword ptr [rsp+8],rcx        ; spill hProcess to its home slot
- 0000000000000305: 48 83 EC 68 sub rsp,68h                         ; 0x68 keeps rsp 16-aligned at the calls below
- 0000000000000309: C7 44 24 20 00 00 mov dword ptr [rsp+20h],0     ; found = 0
- 00 00
- 0000000000000311: 48 C7 44 24 28 00 mov qword ptr [rsp+28h],0     ; addr = NULL (start of the walk)
- 00 00 00
- 000000000000031A: 48 C7 44 24 30 00 mov qword ptr [rsp+30h],0     ; mbi.BaseAddress = 0
- 00 00 00
- 0000000000000323: 48 C7 44 24 38 00 mov qword ptr [rsp+38h],0     ; mbi.AllocationBase = 0
- 00 00 00
- 000000000000032C: C7 44 24 40 00 00 mov dword ptr [rsp+40h],0     ; mbi.AllocationProtect = 0
- 00 00
- 0000000000000334: 48 C7 44 24 48 00 mov qword ptr [rsp+48h],0     ; mbi.RegionSize = 0
- 00 00 00
- 000000000000033D: C7 44 24 50 00 00 mov dword ptr [rsp+50h],0     ; mbi.State = 0
- 00 00
- 0000000000000345: C7 44 24 54 00 00 mov dword ptr [rsp+54h],0     ; mbi.Protect = 0
- 00 00
- 000000000000034D: C7 44 24 58 00 00 mov dword ptr [rsp+58h],0     ; mbi.Type = 0
- 00 00
- 0000000000000355: 48 8D 0D 00 00 00 lea rcx,[$SG102129]           ; header string 1 (text not in this listing)
- 00
- 000000000000035C: E8 00 00 00 00 call internal_printf
- 0000000000000361: 48 8D 0D 00 00 00 lea rcx,[$SG102130]           ; header string 2 (text not in this listing)
- 00
- 0000000000000368: E8 00 00 00 00 call internal_printf
- ; -- loop head --
- 000000000000036D: 41 B9 30 00 00 00 mov r9d,30h                   ; arg4: dwLength = sizeof(MEMORY_BASIC_INFORMATION)
- 0000000000000373: 4C 8D 44 24 30 lea r8,[rsp+30h]                 ; arg3: &mbi
- 0000000000000378: 48 8B 54 24 28 mov rdx,qword ptr [rsp+28h]      ; arg2: addr
- 000000000000037D: 48 8B 4C 24 70 mov rcx,qword ptr [rsp+70h]      ; arg1: hProcess
- 0000000000000382: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$VirtualQueryEx]
- 0000000000000388: 48 85 C0 test rax,rax                           ; 0 bytes returned -> walk is over
- 000000000000038B: 74 50 je 00000000000003DD
- 000000000000038D: 48 8B 44 24 48 mov rax,qword ptr [rsp+48h]      ; mbi.RegionSize
- 0000000000000392: 48 8B 4C 24 30 mov rcx,qword ptr [rsp+30h]      ; mbi.BaseAddress
- 0000000000000397: 48 03 C8 add rcx,rax
- 000000000000039A: 48 8B C1 mov rax,rcx
- 000000000000039D: 48 89 44 24 28 mov qword ptr [rsp+28h],rax      ; addr = BaseAddress + RegionSize (next region)
- 00000000000003A2: 83 7C 24 54 40 cmp dword ptr [rsp+54h],40h      ; mbi.Protect == PAGE_EXECUTE_READWRITE ?
- 00000000000003A7: 75 32 jne 00000000000003DB                      ; no -> next region
- 00000000000003A9: 81 7C 24 50 00 10 cmp dword ptr [rsp+50h],1000h ; mbi.State == MEM_COMMIT ?
- 00 00
- 00000000000003B1: 75 28 jne 00000000000003DB                      ; no -> next region
- 00000000000003B3: 81 7C 24 58 00 00 cmp dword ptr [rsp+58h],20000h   ; mbi.Type == MEM_PRIVATE ?
- 02 00
- 00000000000003BB: 75 1E jne 00000000000003DB                      ; no -> next region
- 00000000000003BD: 4C 8B 44 24 48 mov r8,qword ptr [rsp+48h]       ; vararg 2: RegionSize
- 00000000000003C2: 48 8B 54 24 30 mov rdx,qword ptr [rsp+30h]      ; vararg 1: BaseAddress
- 00000000000003C7: 48 8D 0D 00 00 00 lea rcx,[$SG102132]           ; format string (text not in this listing)
- 00
- 00000000000003CE: E8 00 00 00 00 call internal_printf             ; internal_printf(fmt, BaseAddress, RegionSize)
- 00000000000003D3: C7 44 24 20 01 00 mov dword ptr [rsp+20h],1     ; found = 1
- 00 00
- 00000000000003DB: EB 90 jmp 000000000000036D                      ; back to loop head
- 00000000000003DD: 8B 44 24 20 mov eax,dword ptr [rsp+20h]         ; return found
- 00000000000003E1: 48 83 C4 68 add rsp,68h
- 00000000000003E5: C3 ret
- 00000000000003E6: CC int 3
- 00000000000003E7: CC int 3
- 00000000000003E8: CC int 3
- 00000000000003E9: CC int 3
- 00000000000003EA: CC int 3
- 00000000000003EB: CC int 3
- 00000000000003EC: CC int 3
- 00000000000003ED: CC int 3
- 00000000000003EE: CC int 3
- 00000000000003EF: CC int 3
- ;-----------------------------------------------------------------------
- ; go  --  BOF entry point: go(char *args, int len)
- ; ABI:    Microsoft x64.  rcx = args, edx = len; both spilled to their
- ;         home slots and read back as [rsp+60h] / [rsp+68h] after
- ;         'sub rsp,58h'.
- ; Flow:   BeaconDataParse(&parser, args, len); pid = BeaconDataInt(&parser);
- ;         bofstart(); hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
- ;         found = FindRWX(hProcess); found ? printoutput(1)
- ;         : BeaconPrintf(CALLBACK_ERROR, ...); CloseHandle(hProcess).
- ; Out:    eax = 0 normally, -1 when OpenProcess fails (0 if bofstart
- ;         returned 0, which it never does in this listing).
- ; Locals after 'sub rsp,58h':
- ;         [rsp+20h] int pid;  [rsp+24h] int found;  [rsp+28h] HANDLE
- ;         hProcess;  [rsp+30h] parser state used by BeaconDataParse
- ; NOTE(review): least privilege -- VirtualQueryEx only needs
- ;         PROCESS_QUERY_INFORMATION, yet the handle is requested with
- ;         PROCESS_ALL_ACCESS (0x1FFFFF).
- ; NOTE(review): on the OpenProcess-failure and not-found paths
- ;         printoutput(1) is never called, so the buffer calloc'd in
- ;         bofstart (and the header lines FindRWX already formatted into
- ;         it) is neither flushed nor freed.
- ;-----------------------------------------------------------------------
- go:
- 00000000000003F0: 89 54 24 10 mov dword ptr [rsp+10h],edx         ; spill len to its home slot
- 00000000000003F4: 48 89 4C 24 08 mov qword ptr [rsp+8],rcx        ; spill args to its home slot
- 00000000000003F9: 48 83 EC 58 sub rsp,58h                         ; 0x58 keeps rsp 16-aligned at the calls below
- 00000000000003FD: C7 44 24 20 00 00 mov dword ptr [rsp+20h],0     ; pid = 0
- 00 00
- 0000000000000405: 48 C7 44 24 28 00 mov qword ptr [rsp+28h],0     ; hProcess = NULL
- 00 00 00
- 000000000000040E: C7 44 24 24 00 00 mov dword ptr [rsp+24h],0     ; found = 0
- 00 00
- 0000000000000416: 44 8B 44 24 68 mov r8d,dword ptr [rsp+68h]      ; arg3: len
- 000000000000041B: 48 8B 54 24 60 mov rdx,qword ptr [rsp+60h]      ; arg2: args
- 0000000000000420: 48 8D 4C 24 30 lea rcx,[rsp+30h]                ; arg1: &parser
- 0000000000000425: FF 15 00 00 00 00 call qword ptr [__imp_BeaconDataParse]
- 000000000000042B: 48 8D 4C 24 30 lea rcx,[rsp+30h]                ; arg1: &parser
- 0000000000000430: FF 15 00 00 00 00 call qword ptr [__imp_BeaconDataInt]
- 0000000000000436: 89 44 24 20 mov dword ptr [rsp+20h],eax         ; pid = BeaconDataInt(&parser)
- 000000000000043A: E8 00 00 00 00 call bofstart                    ; allocates the output buffer; always returns 1
- 000000000000043F: 85 C0 test eax,eax
- 0000000000000441: 75 02 jne 0000000000000445
- 0000000000000443: EB 78 jmp 00000000000004BD                      ; bofstart failed -> return (eax == 0); never taken here
- 0000000000000445: 44 8B 44 24 20 mov r8d,dword ptr [rsp+20h]      ; arg3: dwProcessId = pid
- 000000000000044A: 33 D2 xor edx,edx                               ; arg2: bInheritHandle = FALSE
- 000000000000044C: B9 FF FF 1F 00 mov ecx,1FFFFFh                  ; arg1: PROCESS_ALL_ACCESS
- 0000000000000451: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$OpenProcess]
- 0000000000000457: 48 89 44 24 28 mov qword ptr [rsp+28h],rax      ; hProcess
- 000000000000045C: 48 83 7C 24 28 00 cmp qword ptr [rsp+28h],0     ; if (hProcess == NULL)
- 0000000000000462: 75 19 jne 000000000000047D
- 0000000000000464: 48 8D 15 00 00 00 lea rdx,[$SG102148]           ; arg2: error string (text not in this listing)
- 00
- 000000000000046B: B9 0D 00 00 00 mov ecx,0Dh                      ; arg1: CALLBACK_ERROR
- 0000000000000470: FF 15 00 00 00 00 call qword ptr [__imp_BeaconPrintf]
- 0000000000000476: B8 FF FF FF FF mov eax,0FFFFFFFFh               ; return -1 (output buffer not released)
- 000000000000047B: EB 40 jmp 00000000000004BD
- 000000000000047D: 48 8B 4C 24 28 mov rcx,qword ptr [rsp+28h]      ; arg1: hProcess
- 0000000000000482: E8 00 00 00 00 call FindRWX
- 0000000000000487: 89 44 24 24 mov dword ptr [rsp+24h],eax         ; found = FindRWX(hProcess)
- 000000000000048B: 83 7C 24 24 00 cmp dword ptr [rsp+24h],0        ; if (found == 0)
- 0000000000000490: 75 14 jne 00000000000004A6
- 0000000000000492: 48 8D 15 00 00 00 lea rdx,[$SG102151]           ; arg2: "not found" string (text not in this listing)
- 00
- 0000000000000499: B9 0D 00 00 00 mov ecx,0Dh                      ; arg1: CALLBACK_ERROR
- 000000000000049E: FF 15 00 00 00 00 call qword ptr [__imp_BeaconPrintf]
- 00000000000004A4: EB 0A jmp 00000000000004B0                      ; skip printoutput -> buffer not flushed/freed
- 00000000000004A6: B9 01 00 00 00 mov ecx,1                        ; arg1: done = 1
- 00000000000004AB: E8 00 00 00 00 call printoutput                 ; flush and free the output buffer
- 00000000000004B0: 48 8B 4C 24 28 mov rcx,qword ptr [rsp+28h]      ; arg1: hProcess
- 00000000000004B5: FF 15 00 00 00 00 call qword ptr [__imp_KERNEL32$CloseHandle]
- 00000000000004BB: 33 C0 xor eax,eax                               ; return 0
- 00000000000004BD: 48 83 C4 58 add rsp,58h
- 00000000000004C1: C3 ret
- Summary
- 18 .bss
- 40 .chks64
- E6 .data
- 8C .debug$S
- 5D .drectve
- 3C .pdata
- 4C2 .text$mn
- 28 .xdata