apihashreplace.py

"""

Shellcode API detection and replacement script -
Written by Huntress Labs ThreatOps Team
Can be used to detect and/or modify hashes used by
cobaltstrike/msfvenom/metasploit

"""


import random,sys,re
matchlist = []

#Read in architecture as an argument
try: 
    arch = str(sys.argv[1]).strip()
    print("Architecture: " + arch)
except:
    print("No input args")
    print("python hashreplace.py <32 or 64 arch> <input file.bin>")
    sys.exit(1)

    
#Exit if input arch is not recognized
if arch not in ["32","64","x86","x64"]:
    print("bad arch selected, try again")
    print("Options are 32,64,x86,x64")
    sys.exit(1)

#Read in original shellcode as second argument
fname = sys.argv[2].strip()
f = open(fname, "rb")
originalShellcode = f.read()
f.close()

#Hardcoded api lists to check against
#Eventually this should be changed to support more libraries, or to load and parse exports from a provided DLL file. 
ws2_list = ["WSApSetPostRoutine","FreeAddrInfoEx","FreeAddrInfoExW","FreeAddrInfoW","GetAddrInfoExA","GetAddrInfoExCancel","GetAddrInfoExOverlappedResult","GetAddrInfoExW","GetAddrInfoW","GetHostNameW","GetNameInfoW","InetNtopW","InetPtonW","SetAddrInfoExA","SetAddrInfoExW","WEP","WPUCompleteOverlappedRequest","WPUGetProviderPathEx","WSAAccept","WSAAddressToStringA","WSAAddressToStringW","WSAAdvertiseProvider","WSAAsyncGetHostByAddr","WSAAsyncGetHostByName","WSAAsyncGetProtoByName","WSAAsyncGetProtoByNumber","WSAAsyncGetServByName","WSAAsyncGetServByPort","WSAAsyncSelect","WSACancelAsyncRequest","WSACancelBlockingCall","WSACleanup","WSACloseEvent","WSAConnect","WSAConnectByList","WSAConnectByNameA","WSAConnectByNameW","WSACreateEvent","WSADuplicateSocketA","WSADuplicateSocketW","WSAEnumNameSpaceProvidersA","WSAEnumNameSpaceProvidersExA","WSAEnumNameSpaceProvidersExW","WSAEnumNameSpaceProvidersW","WSAEnumNetworkEvents","WSAEnumProtocolsA","WSAEnumProtocolsW","WSAEventSelect","WSAGetLastError","WSAGetOverlappedResult","WSAGetQOSByName","WSAGetServiceClassInfoA","WSAGetServiceClassInfoW","WSAGetServiceClassNameByClassIdA","WSAGetServiceClassNameByClassIdW","WSAHtonl","WSAHtons","WSAInstallServiceClassA","WSAInstallServiceClassW","WSAIoctl","WSAIsBlocking","WSAJoinLeaf","WSALookupServiceBeginA","WSALookupServiceBeginW","WSALookupServiceEnd","WSALookupServiceNextA","WSALookupServiceNextW","WSANSPIoctl","WSANtohl","WSANtohs","WSAPoll","WSAProviderCompleteAsyncCall","WSAProviderConfigChange","WSARecv","WSARecvDisconnect","WSARecvFrom","WSARemoveServiceClass","WSAResetEvent","WSASend","WSASendDisconnect","WSASendMsg","WSASendTo","WSASetBlockingHook","WSASetEvent","WSASetLastError","WSASetServiceA","WSASetServiceW","WSASocketA","WSASocketW","WSAStartup","WSAStringToAddressA","WSAStringToAddressW","WSAUnadvertiseProvider","WSAUnhookBlockingHook","WSAWaitForMultipleEvents","WSCDeinstallProvider","WSCDeinstallProviderEx","WSCEnableNSProvider","WSCEnumProtocols","WSCEnumProtocolsEx","WSCGetApplicationCategory","WSCGetApplicationCategoryEx","WSCGetProviderInfo","WSCGetProviderPath","WSCInstallNameSpace","WSCInstallNameSpaceEx2","WSCInstallNameSpaceEx","WSCInstallProvider","WSCInstallProviderAndChains","WSCInstallProviderEx","WSCSetApplicationCategory","WSCSetApplicationCategoryEx","WSCSetProviderInfo","WSCUnInstallNameSpace","WSCUnInstallNameSpaceEx2","WSCUpdateProvider","WSCUpdateProviderEx","WSCWriteNameSpaceOrder","WSCWriteProviderOrder","WSCWriteProviderOrderEx","WahCloseApcHelper","WahCloseHandleHelper","WahCloseNotificationHandleHelper","WahCloseSocketHandle","WahCloseThread","WahCompleteRequest","WahCreateHandleContextTable","WahCreateNotificationHandle","WahCreateSocketHandle","WahDestroyHandleContextTable","WahDisableNonIFSHandleSupport","WahEnableNonIFSHandleSupport","WahEnumerateHandleContexts","WahInsertHandleContext","WahNotifyAllProcesses","WahOpenApcHelper","WahOpenCurrentThread","WahOpenHandleHelper","WahOpenNotificationHandleHelper","WahQueueUserApc","WahReferenceContextByHandle","WahRemoveHandleContext","WahWaitForNotification","WahWriteLSPEvent","__WSAFDIsSet","accept","bind","closesocket","connect","freeaddrinfo","getaddrinfo","gethostbyaddr","gethostbyname","gethostname","getnameinfo","getpeername","getprotobyname","getprotobynumber","getservbyname","getservbyport","getsockname","getsockopt","htonl","htons","inet_addr","inet_ntoa","inet_ntop","inet_pton","ioctlsocket","listen","ntohl","ntohs","recv","recvfrom","select","send","sendto","setsockopt","shutdown","socket"]
k32_list = ["BaseThreadInitThunk","InterlockedPushListSList","NTDLL.RtlInterlockedPushListSList","Wow64Transition","AcquireSRWLockExclusive","NTDLL.RtlAcquireSRWLockExclusive","AcquireSRWLockShared","NTDLL.RtlAcquireSRWLockShared","ActivateActCtx","ActivateActCtxWorker","AddAtomA","AddAtomW","AddConsoleAliasA","AddConsoleAliasW","AddDllDirectory","api-ms-win-core-libraryloader-l1-1-0.AddDllDirectory","AddIntegrityLabelToBoundaryDescriptor","AddLocalAlternateComputerNameA","AddLocalAlternateComputerNameW","AddRefActCtx","AddRefActCtxWorker","AddResourceAttributeAce","AddSIDToBoundaryDescriptor","AddScopedPolicyIDAce","AddSecureMemoryCacheCallback","AddVectoredContinueHandler","NTDLL.RtlAddVectoredContinueHandler","AddVectoredExceptionHandler","NTDLL.RtlAddVectoredExceptionHandler","AdjustCalendarDate","AllocConsole","AllocateUserPhysicalPages","AllocateUserPhysicalPagesNuma","AppPolicyGetClrCompat","kernelbase.AppPolicyGetClrCompat","AppPolicyGetCreateFileAccess","kernelbase.AppPolicyGetCreateFileAccess","AppPolicyGetLifecycleManagement","kernelbase.AppPolicyGetLifecycleManagement","AppPolicyGetMediaFoundationCodecLoading","kernelbase.AppPolicyGetMediaFoundationCodecLoading","AppPolicyGetProcessTerminationMethod","kernelbase.AppPolicyGetProcessTerminationMethod","AppPolicyGetShowDeveloperDiagnostic","kernelbase.AppPolicyGetShowDeveloperDiagnostic","AppPolicyGetThreadInitializationType","kernelbase.AppPolicyGetThreadInitializationType","AppPolicyGetWindowingModel","kernelbase.AppPolicyGetWindowingModel","AppXGetOSMaxVersionTested","kernelbase.AppXGetOSMaxVersionTested","ApplicationRecoveryFinished","ApplicationRecoveryInProgress","AreFileApisANSI","AssignProcessToJobObject","AttachConsole","BackupRead","BackupSeek","BackupWrite","BaseCheckAppcompatCache","BaseCheckAppcompatCacheEx","BaseCheckAppcompatCacheExWorker","BaseCheckAppcompatCacheWorker","BaseCheckElevation","BaseCleanupAppcompatCacheSupport","BaseCleanupAppcompatCacheSupportWorker","BaseDestroyVDMEnvironment","BaseDllReadWriteIniFile","BaseDumpAppcompatCache","BaseDumpAppcompatCacheWorker","BaseElevationPostProcessing","BaseFlushAppcompatCache","BaseFlushAppcompatCacheWorker","BaseFormatObjectAttributes","BaseFormatTimeOut","BaseFreeAppCompatDataForProcessWorker","BaseGenerateAppCompatData","BaseGetNamedObjectDirectory","BaseInitAppcompatCacheSupport","BaseInitAppcompatCacheSupportWorker","BaseIsAppcompatInfrastructureDisabled","BaseIsAppcompatInfrastructureDisabledWorker","BaseIsDosApplication","BaseQueryModuleData","BaseReadAppCompatDataForProcessWorker","BaseSetLastNTError","BaseUpdateAppcompatCache","BaseUpdateAppcompatCacheWorker","BaseUpdateVDMEntry","BaseVerifyUnicodeString","BaseWriteErrorElevationRequiredEvent","Basep8BitStringToDynamicUnicodeString","BasepAllocateActivationContextActivationBlock","BasepAnsiStringToDynamicUnicodeString","BasepAppContainerEnvironmentExtension","BasepAppXExtension","BasepCheckAppCompat","BasepCheckWebBladeHashes","BasepCheckWinSaferRestrictions","BasepConstructSxsCreateProcessMessage","BasepCopyEncryption","BasepFinishPackageActivationForSxS","BasepFreeActivationContextActivationBlock","BasepFreeAppCompatData","BasepGetAppCompatData","BasepGetComputerNameFromNtPath","BasepGetExeArchType","BasepGetPackageActivationTokenForSxS","BasepInitAppCompatData","BasepIsProcessAllowed","BasepMapModuleHandle","BasepNotifyLoadStringResource","BasepPostSuccessAppXExtension","BasepProcessInvalidImage","BasepQueryAppCompat","BasepQueryModuleChpeSettings","BasepReleaseAppXContext","BasepReleaseSxsCreateProcessUtilityStruct","BasepReportFault","BasepSetFileEncryptionCompression","Beep","BeginUpdateResourceA","BeginUpdateResourceW","BindIoCompletionCallback","BuildCommDCBA","BuildCommDCBAndTimeoutsA","BuildCommDCBAndTimeoutsW","BuildCommDCBW","CallNamedPipeA","CallNamedPipeW","CallbackMayRunLong","CancelDeviceWakeupRequest","CancelIo","CancelIoEx","CancelSynchronousIo","CancelThreadpoolIo","NTDLL.TpCancelAsyncIoOperation","CancelTimerQueueTimer","CancelWaitableTimer","CeipIsOptedIn","kernelbase.CeipIsOptedIn","ChangeTimerQueueTimer","CheckAllowDecryptedRemoteDestinationPolicy","CheckElevation","CheckElevationEnabled","CheckForReadOnlyResource","CheckForReadOnlyResourceFilter","CheckIsMSIXPackage","kernelbase.CheckIsMSIXPackage","CheckNameLegalDOS8Dot3A","CheckNameLegalDOS8Dot3W","CheckRemoteDebuggerPresent","CheckTokenCapability","CheckTokenMembershipEx","ClearCommBreak","ClearCommError","CloseConsoleHandle","CloseHandle","ClosePackageInfo","kernelbase.ClosePackageInfo","ClosePrivateNamespace","CloseProfileUserMapping","ClosePseudoConsole","CloseState","kernelbase.CloseState","CloseThreadpool","NTDLL.TpReleasePool","CloseThreadpoolCleanupGroup","NTDLL.TpReleaseCleanupGroup","CloseThreadpoolCleanupGroupMembers","NTDLL.TpReleaseCleanupGroupMembers","CloseThreadpoolIo","NTDLL.TpReleaseIoCompletion","CloseThreadpoolTimer","NTDLL.TpReleaseTimer","CloseThreadpoolWait","NTDLL.TpReleaseWait","CloseThreadpoolWork","NTDLL.TpReleaseWork","CmdBatNotification","CommConfigDialogA","CommConfigDialogW","CompareCalendarDates","CompareFileTime","CompareStringA","CompareStringEx","CompareStringOrdinal","CompareStringW","ConnectNamedPipe","ConsoleMenuControl","ContinueDebugEvent","ConvertCalDateTimeToSystemTime","ConvertDefaultLocale","ConvertFiberToThread","ConvertNLSDayOfWeekToWin32DayOfWeek","ConvertSystemTimeToCalDateTime","ConvertThreadToFiber","ConvertThreadToFiberEx","CopyContext","CopyFile2","CopyFileA","CopyFileExA","CopyFileExW","CopyFileTransactedA","CopyFileTransactedW","CopyFileW","CopyLZFile","CreateActCtxA","CreateActCtxW","CreateActCtxWWorker","CreateBoundaryDescriptorA","CreateBoundaryDescriptorW","CreateConsoleScreenBuffer","CreateDirectoryA","CreateDirectoryExA","CreateDirectoryExW","CreateDirectoryTransactedA","CreateDirectoryTransactedW","CreateDirectoryW","CreateEnclave","api-ms-win-core-enclave-l1-1-0.CreateEnclave","CreateEventA","CreateEventExA","CreateEventExW","CreateEventW","CreateFiber","CreateFiberEx","CreateFile2","CreateFileA","CreateFileMappingA","CreateFileMappingFromApp","api-ms-win-core-memory-l1-1-1.CreateFileMappingFromApp","CreateFileMappingNumaA","CreateFileMappingNumaW","CreateFileMappingW","CreateFileTransactedA","CreateFileTransactedW","CreateFileW","CreateHardLinkA","CreateHardLinkTransactedA","CreateHardLinkTransactedW","CreateHardLinkW","CreateIoCompletionPort","CreateJobObjectA","CreateJobObjectW","CreateJobSet","CreateMailslotA","CreateMailslotW","CreateMemoryResourceNotification","CreateMutexA","CreateMutexExA","CreateMutexExW","CreateMutexW","CreateNamedPipeA","CreateNamedPipeW","CreatePipe","CreatePrivateNamespaceA","CreatePrivateNamespaceW","CreateProcessA","CreateProcessAsUserA","CreateProcessAsUserW","CreateProcessInternalA","CreateProcessInternalW","CreateProcessW","CreatePseudoConsole","CreateRemoteThread","CreateRemoteThreadEx","api-ms-win-core-processthreads-l1-1-0.CreateRemoteThreadEx","CreateSemaphoreA","CreateSemaphoreExA","CreateSemaphoreExW","CreateSemaphoreW","CreateSocketHandle","CreateSymbolicLinkA","CreateSymbolicLinkTransactedA","CreateSymbolicLinkTransactedW","CreateSymbolicLinkW","CreateTapePartition","CreateThread","CreateThreadpool","CreateThreadpoolCleanupGroup","CreateThreadpoolIo","CreateThreadpoolTimer","CreateThreadpoolWait","CreateThreadpoolWork","CreateTimerQueue","CreateTimerQueueTimer","CreateToolhelp32Snapshot","CreateWaitableTimerA","CreateWaitableTimerExA","CreateWaitableTimerExW","CreateWaitableTimerW","CtrlRoutine","kernelbase.CtrlRoutine","DeactivateActCtx","DeactivateActCtxWorker","DebugActiveProcess","DebugActiveProcessStop","DebugBreak","DebugBreakProcess","DebugSetProcessKillOnExit","DecodePointer","NTDLL.RtlDecodePointer","DecodeSystemPointer","NTDLL.RtlDecodeSystemPointer","DefineDosDeviceA","DefineDosDeviceW","DelayLoadFailureHook","DeleteAtom","DeleteBoundaryDescriptor","DeleteCriticalSection","NTDLL.RtlDeleteCriticalSection","DeleteFiber","DeleteFileA","DeleteFileTransactedA","DeleteFileTransactedW","DeleteFileW","DeleteProcThreadAttributeList","api-ms-win-core-processthreads-l1-1-0.DeleteProcThreadAttributeList","DeleteSynchronizationBarrier","DeleteTimerQueue","DeleteTimerQueueEx","DeleteTimerQueueTimer","DeleteVolumeMountPointA","DeleteVolumeMountPointW","DeviceIoControl","DisableThreadLibraryCalls","DisableThreadProfiling","DisassociateCurrentThreadFromCallback","NTDLL.TpDisassociateCallback","DiscardVirtualMemory","api-ms-win-core-memory-l1-1-2.DiscardVirtualMemory","DisconnectNamedPipe","DnsHostnameToComputerNameA","DnsHostnameToComputerNameExW","DnsHostnameToComputerNameW","DosDateTimeToFileTime","DosPathToSessionPathA","DosPathToSessionPathW","DuplicateConsoleHandle","DuplicateEncryptionInfoFileExt","DuplicateHandle","EnableThreadProfiling","EncodePointer","NTDLL.RtlEncodePointer","EncodeSystemPointer","NTDLL.RtlEncodeSystemPointer","EndUpdateResourceA","EndUpdateResourceW","EnterCriticalSection","NTDLL.RtlEnterCriticalSection","EnterSynchronizationBarrier","EnumCalendarInfoA","EnumCalendarInfoExA","EnumCalendarInfoExEx","EnumCalendarInfoExW","EnumCalendarInfoW","EnumDateFormatsA","EnumDateFormatsExA","EnumDateFormatsExEx","EnumDateFormatsExW","EnumDateFormatsW","EnumLanguageGroupLocalesA","EnumLanguageGroupLocalesW","EnumResourceLanguagesA","EnumResourceLanguagesExA","EnumResourceLanguagesExW","EnumResourceLanguagesW","EnumResourceNamesA","EnumResourceNamesExA","EnumResourceNamesExW","EnumResourceNamesW","EnumResourceTypesA","EnumResourceTypesExA","EnumResourceTypesExW","EnumResourceTypesW","EnumSystemCodePagesA","EnumSystemCodePagesW","EnumSystemFirmwareTables","EnumSystemGeoID","EnumSystemGeoNames","EnumSystemLanguageGroupsA","EnumSystemLanguageGroupsW","EnumSystemLocalesA","EnumSystemLocalesEx","EnumSystemLocalesW","EnumTimeFormatsA","EnumTimeFormatsEx","EnumTimeFormatsW","EnumUILanguagesA","EnumUILanguagesW","EnumerateLocalComputerNamesA","EnumerateLocalComputerNamesW","EraseTape","EscapeCommFunction","ExitProcess","ExitThread","NTDLL.RtlExitUserThread","ExitVDM","ExpandEnvironmentStringsA","ExpandEnvironmentStringsW","ExpungeConsoleCommandHistoryA","ExpungeConsoleCommandHistoryW","FatalAppExitA","FatalAppExitW","FatalExit","FileTimeToDosDateTime","FileTimeToLocalFileTime","FileTimeToSystemTime","FillConsoleOutputAttribute","FillConsoleOutputCharacterA","FillConsoleOutputCharacterW","FindActCtxSectionGuid","FindActCtxSectionGuidWorker","FindActCtxSectionStringA","FindActCtxSectionStringW","FindActCtxSectionStringWWorker","FindAtomA","FindAtomW","FindClose","FindCloseChangeNotification","FindFirstChangeNotificationA","FindFirstChangeNotificationW","FindFirstFileA","FindFirstFileExA","FindFirstFileExW","FindFirstFileNameTransactedW","FindFirstFileNameW","FindFirstFileTransactedA","FindFirstFileTransactedW","FindFirstFileW","FindFirstStreamTransactedW","FindFirstStreamW","api-ms-win-core-file-l1-2-2.FindFirstStreamW","FindFirstVolumeA","FindFirstVolumeMountPointA","FindFirstVolumeMountPointW","FindFirstVolumeW","FindNLSString","FindNLSStringEx","FindNextChangeNotification","FindNextFileA","FindNextFileNameW","FindNextFileW","FindNextStreamW","api-ms-win-core-file-l1-2-2.FindNextStreamW","FindNextVolumeA","FindNextVolumeMountPointA","FindNextVolumeMountPointW","FindNextVolumeW","FindPackagesByPackageFamily","kernelbase.FindPackagesByPackageFamily","FindResourceA","FindResourceExA","FindResourceExW","FindResourceW","FindStringOrdinal","FindVolumeClose","FindVolumeMountPointClose","FlsAlloc","FlsFree","FlsGetValue","FlsSetValue","FlushConsoleInputBuffer","FlushFileBuffers","FlushInstructionCache","FlushProcessWriteBuffers","NTDLL.NtFlushProcessWriteBuffers","FlushViewOfFile","FoldStringA","FoldStringW","FormatApplicationUserModelId","kernelbase.FormatApplicationUserModelId","FormatMessageA","FormatMessageW","FreeConsole","FreeEnvironmentStringsA","FreeEnvironmentStringsW","FreeLibrary","FreeLibraryAndExitThread","FreeLibraryWhenCallbackReturns","NTDLL.TpCallbackUnloadDllOnCompletion","FreeMemoryJobObject","FreeResource","FreeUserPhysicalPages","GenerateConsoleCtrlEvent","GetACP","GetActiveProcessorCount","GetActiveProcessorGroupCount","GetAppContainerAce","GetAppContainerNamedObjectPath","GetApplicationRecoveryCallback","GetApplicationRecoveryCallbackWorker","GetApplicationRestartSettings","GetApplicationRestartSettingsWorker","GetApplicationUserModelId","kernelbase.GetApplicationUserModelId","GetAtomNameA","GetAtomNameW","GetBinaryType","GetBinaryTypeA","GetBinaryTypeW","GetCPInfo","GetCPInfoExA","GetCPInfoExW","GetCachedSigningLevel","GetCalendarDateFormat","GetCalendarDateFormatEx","GetCalendarDaysInMonth","GetCalendarDifferenceInDays","GetCalendarInfoA","GetCalendarInfoEx","GetCalendarInfoW","GetCalendarMonthsInYear","GetCalendarSupportedDateRange","GetCalendarWeekNumber","GetComPlusPackageInstallStatus","GetCommConfig","GetCommMask","GetCommModemStatus","GetCommProperties","GetCommState","GetCommTimeouts","GetCommandLineA","GetCommandLineW","GetCompressedFileSizeA","GetCompressedFileSizeTransactedA","GetCompressedFileSizeTransactedW","GetCompressedFileSizeW","GetComputerNameA","GetComputerNameExA","GetComputerNameExW","GetComputerNameW","GetConsoleAliasA","GetConsoleAliasExesA","GetConsoleAliasExesLengthA","GetConsoleAliasExesLengthW","GetConsoleAliasExesW","GetConsoleAliasW","GetConsoleAliasesA","GetConsoleAliasesLengthA","GetConsoleAliasesLengthW","GetConsoleAliasesW","GetConsoleCP","GetConsoleCharType","GetConsoleCommandHistoryA","GetConsoleCommandHistoryLengthA","GetConsoleCommandHistoryLengthW","GetConsoleCommandHistoryW","GetConsoleCursorInfo","GetConsoleCursorMode","GetConsoleDisplayMode","GetConsoleFontInfo","GetConsoleFontSize","GetConsoleHardwareState","GetConsoleHistoryInfo","GetConsoleInputExeNameA","kernelbase.GetConsoleInputExeNameA","GetConsoleInputExeNameW","kernelbase.GetConsoleInputExeNameW","GetConsoleInputWaitHandle","GetConsoleKeyboardLayoutNameA","GetConsoleKeyboardLayoutNameW","GetConsoleMode","GetConsoleNlsMode","GetConsoleOriginalTitleA","GetConsoleOriginalTitleW","GetConsoleOutputCP","GetConsoleProcessList","GetConsoleScreenBufferInfo","GetConsoleScreenBufferInfoEx","GetConsoleSelectionInfo","GetConsoleTitleA","GetConsoleTitleW","GetConsoleWindow","GetCurrencyFormatA","GetCurrencyFormatEx","GetCurrencyFormatW","GetCurrentActCtx","GetCurrentActCtxWorker","GetCurrentApplicationUserModelId","kernelbase.GetCurrentApplicationUserModelId","GetCurrentConsoleFont","GetCurrentConsoleFontEx","GetCurrentDirectoryA","GetCurrentDirectoryW","GetCurrentPackageFamilyName","kernelbase.GetCurrentPackageFamilyName","GetCurrentPackageFullName","kernelbase.GetCurrentPackageFullName","GetCurrentPackageId","kernelbase.GetCurrentPackageId","GetCurrentPackageInfo","kernelbase.GetCurrentPackageInfo","GetCurrentPackagePath","kernelbase.GetCurrentPackagePath","GetCurrentProcess","GetCurrentProcessId","GetCurrentProcessorNumber","NTDLL.RtlGetCurrentProcessorNumber","GetCurrentProcessorNumberEx","NTDLL.RtlGetCurrentProcessorNumberEx","GetCurrentThread","GetCurrentThreadId","GetCurrentThreadStackLimits","api-ms-win-core-processthreads-l1-1-0.GetCurrentThreadStackLimits","GetDateFormatA","GetDateFormatAWorker","GetDateFormatEx","GetDateFormatW","GetDateFormatWWorker","GetDefaultCommConfigA","GetDefaultCommConfigW","GetDevicePowerState","GetDiskFreeSpaceA","GetDiskFreeSpaceExA","GetDiskFreeSpaceExW","GetDiskFreeSpaceW","GetDiskSpaceInformationA","api-ms-win-core-file-l1-2-3.GetDiskSpaceInformationA","GetDiskSpaceInformationW","api-ms-win-core-file-l1-2-3.GetDiskSpaceInformationW","GetDllDirectoryA","GetDllDirectoryW","GetDriveTypeA","GetDriveTypeW","GetDurationFormat","GetDurationFormatEx","GetDynamicTimeZoneInformation","GetEnabledXStateFeatures","GetEncryptedFileVersionExt","GetEnvironmentStrings","GetEnvironmentStringsA","GetEnvironmentStringsW","GetEnvironmentVariableA","GetEnvironmentVariableW","GetEraNameCountedString","GetErrorMode","GetExitCodeProcess","GetExitCodeThread","GetExpandedNameA","GetExpandedNameW","GetFileAttributesA","GetFileAttributesExA","GetFileAttributesExW","GetFileAttributesTransactedA","GetFileAttributesTransactedW","GetFileAttributesW","GetFileBandwidthReservation","GetFileInformationByHandle","GetFileInformationByHandleEx","GetFileMUIInfo","GetFileMUIPath","GetFileSize","GetFileSizeEx","GetFileTime","GetFileType","GetFinalPathNameByHandleA","GetFinalPathNameByHandleW","GetFirmwareEnvironmentVariableA","GetFirmwareEnvironmentVariableExA","GetFirmwareEnvironmentVariableExW","GetFirmwareEnvironmentVariableW","GetFirmwareType","GetFullPathNameA","GetFullPathNameTransactedA","GetFullPathNameTransactedW","GetFullPathNameW","GetGeoInfoA","GetGeoInfoEx","GetGeoInfoW","GetHandleContext","GetHandleInformation","GetLargePageMinimum","GetLargestConsoleWindowSize","GetLastError","GetLocalTime","GetLocaleInfoA","GetLocaleInfoEx","GetLocaleInfoW","GetLogicalDriveStringsA","GetLogicalDriveStringsW","GetLogicalDrives","GetLogicalProcessorInformation","GetLogicalProcessorInformationEx","api-ms-win-core-sysinfo-l1-1-0.GetLogicalProcessorInformationEx","GetLongPathNameA","GetLongPathNameTransactedA","GetLongPathNameTransactedW","GetLongPathNameW","GetMailslotInfo","GetMaximumProcessorCount","GetMaximumProcessorGroupCount","GetMemoryErrorHandlingCapabilities","GetModuleFileNameA","GetModuleFileNameW","GetModuleHandleA","GetModuleHandleExA","GetModuleHandleExW","GetModuleHandleW","GetNLSVersion","GetNLSVersionEx","GetNamedPipeAttribute","GetNamedPipeClientComputerNameA","GetNamedPipeClientComputerNameW","GetNamedPipeClientProcessId","GetNamedPipeClientSessionId","GetNamedPipeHandleStateA","GetNamedPipeHandleStateW","GetNamedPipeInfo","api-ms-win-core-namedpipe-l1-2-1.GetNamedPipeInfo","GetNamedPipeServerProcessId","GetNamedPipeServerSessionId","GetNativeSystemInfo","GetNextVDMCommand","GetNumaAvailableMemoryNode","GetNumaAvailableMemoryNodeEx","GetNumaHighestNodeNumber","GetNumaNodeNumberFromHandle","GetNumaNodeProcessorMask","GetNumaNodeProcessorMaskEx","GetNumaProcessorNode","GetNumaProcessorNodeEx","GetNumaProximityNode","GetNumaProximityNodeEx","GetNumberFormatA","GetNumberFormatEx","GetNumberFormatW","GetNumberOfConsoleFonts","GetNumberOfConsoleInputEvents","GetNumberOfConsoleMouseButtons","GetOEMCP","GetOverlappedResult","GetOverlappedResultEx","api-ms-win-core-io-l1-1-1.GetOverlappedResultEx","GetPackageApplicationIds","kernelbase.GetPackageApplicationIds","GetPackageFamilyName","kernelbase.GetPackageFamilyName","GetPackageFullName","kernelbase.GetPackageFullName","GetPackageId","kernelbase.GetPackageId","GetPackageInfo","kernelbase.GetPackageInfo","GetPackagePath","kernelbase.GetPackagePath","GetPackagePathByFullName","kernelbase.GetPackagePathByFullName","GetPackagesByPackageFamily","kernelbase.GetPackagesByPackageFamily","GetPhysicallyInstalledSystemMemory","GetPriorityClass","GetPrivateProfileIntA","GetPrivateProfileIntW","GetPrivateProfileSectionA","GetPrivateProfileSectionNamesA","GetPrivateProfileSectionNamesW","GetPrivateProfileSectionW","GetPrivateProfileStringA","GetPrivateProfileStringW","GetPrivateProfileStructA","GetPrivateProfileStructW","GetProcAddress","GetProcessAffinityMask","GetProcessDEPPolicy","GetProcessDefaultCpuSets","api-ms-win-core-processthreads-l1-1-3.GetProcessDefaultCpuSets","GetProcessGroupAffinity","GetProcessHandleCount","GetProcessHeap","GetProcessHeaps","GetProcessId","GetProcessIdOfThread","GetProcessInformation","GetProcessIoCounters","GetProcessMitigationPolicy","api-ms-win-core-processthreads-l1-1-1.GetProcessMitigationPolicy","GetProcessPreferredUILanguages","GetProcessPriorityBoost","GetProcessShutdownParameters","GetProcessTimes","GetProcessVersion","GetProcessWorkingSetSize","GetProcessWorkingSetSizeEx","GetProcessorSystemCycleTime","api-ms-win-core-sysinfo-l1-2-2.GetProcessorSystemCycleTime","GetProductInfo","GetProfileIntA","GetProfileIntW","GetProfileSectionA","GetProfileSectionW","GetProfileStringA","GetProfileStringW","GetQueuedCompletionStatus","GetQueuedCompletionStatusEx","GetShortPathNameA","GetShortPathNameW","GetStagedPackagePathByFullName","kernelbase.GetStagedPackagePathByFullName","GetStartupInfoA","GetStartupInfoW","GetStateFolder","kernelbase.GetStateFolder","GetStdHandle","GetStringScripts","GetStringTypeA","GetStringTypeExA","GetStringTypeExW","GetStringTypeW","GetSystemAppDataKey","kernelbase.GetSystemAppDataKey","GetSystemCpuSetInformation","api-ms-win-core-processthreads-l1-1-3.GetSystemCpuSetInformation","GetSystemDEPPolicy","GetSystemDefaultLCID","GetSystemDefaultLangID","GetSystemDefaultLocaleName","GetSystemDefaultUILanguage","GetSystemDirectoryA","GetSystemDirectoryW","GetSystemFileCacheSize","GetSystemFirmwareTable","GetSystemInfo","GetSystemPowerStatus","GetSystemPreferredUILanguages","GetSystemRegistryQuota","GetSystemTime","GetSystemTimeAdjustment","GetSystemTimeAsFileTime","GetSystemTimePreciseAsFileTime","GetSystemTimes","GetSystemWindowsDirectoryA","GetSystemWindowsDirectoryW","GetSystemWow64DirectoryA","GetSystemWow64DirectoryW","GetTapeParameters","GetTapePosition","GetTapeStatus","GetTempFileNameA","GetTempFileNameW","GetTempPathA","GetTempPathW","GetThreadContext","GetThreadDescription","api-ms-win-core-processthreads-l1-1-3.GetThreadDescription","GetThreadErrorMode","GetThreadGroupAffinity","GetThreadIOPendingFlag","GetThreadId","GetThreadIdealProcessorEx","GetThreadInformation","GetThreadLocale","GetThreadPreferredUILanguages","GetThreadPriority","GetThreadPriorityBoost","GetThreadSelectedCpuSets","api-ms-win-core-processthreads-l1-1-3.GetThreadSelectedCpuSets","GetThreadSelectorEntry","GetThreadTimes","GetThreadUILanguage","GetTickCount64","GetTickCount","GetTimeFormatA","GetTimeFormatAWorker","GetTimeFormatEx","GetTimeFormatW","GetTimeFormatWWorker","GetTimeZoneInformation","GetTimeZoneInformationForYear","GetUILanguageInfo","GetUserDefaultGeoName","GetUserDefaultLCID","GetUserDefaultLangID","GetUserDefaultLocaleName","GetUserDefaultUILanguage","GetUserGeoID","GetUserPreferredUILanguages","GetVDMCurrentDirectories","GetVersion","GetVersionExA","GetVersionExW","GetVolumeInformationA","GetVolumeInformationByHandleW","GetVolumeInformationW","GetVolumeNameForVolumeMountPointA","GetVolumeNameForVolumeMountPointW","GetVolumePathNameA","GetVolumePathNameW","GetVolumePathNamesForVolumeNameA","GetVolumePathNamesForVolumeNameW","GetWindowsDirectoryA","GetWindowsDirectoryW","GetWriteWatch","GetXStateFeaturesMask","GlobalAddAtomA","GlobalAddAtomExA","GlobalAddAtomExW","GlobalAddAtomW","GlobalAlloc","GlobalCompact","GlobalDeleteAtom","GlobalFindAtomA","GlobalFindAtomW","GlobalFix","GlobalFlags","GlobalFree","GlobalGetAtomNameA","GlobalGetAtomNameW","GlobalHandle","GlobalLock","GlobalMemoryStatus","GlobalMemoryStatusEx","GlobalReAlloc","GlobalSize","GlobalUnWire","GlobalUnfix","GlobalUnlock","GlobalWire","Heap32First","Heap32ListFirst","Heap32ListNext","Heap32Next","HeapAlloc","NTDLL.RtlAllocateHeap","HeapCompact","HeapCreate","HeapDestroy","HeapFree","HeapLock","HeapQueryInformation","HeapReAlloc","NTDLL.RtlReAllocateHeap","HeapSetInformation","HeapSize","NTDLL.RtlSizeHeap","HeapSummary","HeapUnlock","HeapValidate","HeapWalk","IdnToAscii","IdnToNameprepUnicode","IdnToUnicode","InitAtomTable","InitOnceBeginInitialize","api-ms-win-core-synch-l1-2-0.InitOnceBeginInitialize","InitOnceComplete","api-ms-win-core-synch-l1-2-0.InitOnceComplete","InitOnceExecuteOnce","api-ms-win-core-synch-l1-2-0.InitOnceExecuteOnce","InitOnceInitialize","NTDLL.RtlRunOnceInitialize","InitializeConditionVariable","NTDLL.RtlInitializeConditionVariable","InitializeContext2","InitializeContext","InitializeCriticalSection","NTDLL.RtlInitializeCriticalSection","InitializeCriticalSectionAndSpinCount","InitializeCriticalSectionEx","InitializeEnclave","api-ms-win-core-enclave-l1-1-0.InitializeEnclave","InitializeProcThreadAttributeList","api-ms-win-core-processthreads-l1-1-0.InitializeProcThreadAttributeList","InitializeSListHead","NTDLL.RtlInitializeSListHead","InitializeSRWLock","NTDLL.RtlInitializeSRWLock","InitializeSynchronizationBarrier","InstallELAMCertificateInfo","api-ms-win-core-sysinfo-l1-2-1.InstallELAMCertificateInfo","InterlockedCompareExchange64","NTDLL.RtlInterlockedCompareExchange64","InterlockedCompareExchange","InterlockedDecrement","InterlockedExchange","InterlockedExchangeAdd","InterlockedFlushSList","NTDLL.RtlInterlockedFlushSList","InterlockedIncrement","InterlockedPopEntrySList","NTDLL.RtlInterlockedPopEntrySList","InterlockedPushEntrySList","NTDLL.RtlInterlockedPushEntrySList","InterlockedPushListSListEx","NTDLL.RtlInterlockedPushListSListEx","InvalidateConsoleDIBits","IsBadCodePtr","IsBadHugeReadPtr","IsBadHugeWritePtr","IsBadReadPtr","IsBadStringPtrA","IsBadStringPtrW","IsBadWritePtr","IsCalendarLeapDay","IsCalendarLeapMonth","IsCalendarLeapYear","IsDBCSLeadByte","IsDBCSLeadByteEx","IsDebuggerPresent","IsEnclaveTypeSupported","api-ms-win-core-enclave-l1-1-0.IsEnclaveTypeSupported","IsNLSDefinedString","IsNativeVhdBoot","IsNormalizedString","IsProcessCritical","api-ms-win-core-processthreads-l1-1-2.IsProcessCritical","IsProcessInJob","IsProcessorFeaturePresent","IsSystemResumeAutomatic","IsThreadAFiber","IsThreadpoolTimerSet","NTDLL.TpIsTimerSet","IsUserCetAvailableInEnvironment","api-ms-win-core-sysinfo-l1-2-6.IsUserCetAvailableInEnvironment","IsValidCalDateTime","IsValidCodePage","IsValidLanguageGroup","IsValidLocale","IsValidLocaleName","IsValidNLSVersion","IsWow64GuestMachineSupported","api-ms-win-core-wow64-l1-1-2.IsWow64GuestMachineSupported","IsWow64Process2","api-ms-win-core-wow64-l1-1-1.IsWow64Process2","IsWow64Process","K32EmptyWorkingSet","K32EnumDeviceDrivers","K32EnumPageFilesA","K32EnumPageFilesW","K32EnumProcessModules","K32EnumProcessModulesEx","K32EnumProcesses","K32GetDeviceDriverBaseNameA","K32GetDeviceDriverBaseNameW","K32GetDeviceDriverFileNameA","K32GetDeviceDriverFileNameW","K32GetMappedFileNameA","K32GetMappedFileNameW","K32GetModuleBaseNameA","K32GetModuleBaseNameW","K32GetModuleFileNameExA","K32GetModuleFileNameExW","K32GetModuleInformation","K32GetPerformanceInfo","K32GetProcessImageFileNameA","K32GetProcessImageFileNameW","K32GetProcessMemoryInfo","K32GetWsChanges","K32GetWsChangesEx","K32InitializeProcessForWsWatch","K32QueryWorkingSet","K32QueryWorkingSetEx","LCIDToLocaleName","LCMapStringA","LCMapStringEx","LCMapStringW","LZClose","LZCloseFile","LZCopy","LZCreateFileW","LZDone","LZInit","LZOpenFileA","LZOpenFileW","LZRead","LZSeek","LZStart","LeaveCriticalSection","NTDLL.RtlLeaveCriticalSection","LeaveCriticalSectionWhenCallbackReturns","NTDLL.TpCallbackLeaveCriticalSectionOnCompletion","LoadAppInitDlls","LoadEnclaveData","api-ms-win-core-enclave-l1-1-0.LoadEnclaveData","LoadLibraryA","LoadLibraryExA","LoadLibraryExW","LoadLibraryW","LoadModule","LoadPackagedLibrary","LoadResource","LoadStringBaseExW","LoadStringBaseW","LocalAlloc","LocalCompact","LocalFileTimeToFileTime","LocalFileTimeToLocalSystemTime","api-ms-win-core-timezone-l1-1-1.LocalFileTimeToLocalSystemTime","LocalFlags","LocalFree","LocalHandle","LocalLock","LocalReAlloc","LocalShrink","LocalSize","LocalSystemTimeToLocalFileTime","api-ms-win-core-timezone-l1-1-1.LocalSystemTimeToLocalFileTime","LocalUnlock","LocaleNameToLCID","LocateXStateFeature","LockFile","LockFileEx","LockResource","MapUserPhysicalPages","MapUserPhysicalPagesScatter","MapViewOfFile","MapViewOfFileEx","MapViewOfFileExNuma","MapViewOfFileFromApp","api-ms-win-core-memory-l1-1-1.MapViewOfFileFromApp","Module32First","Module32FirstW","Module32Next","Module32NextW","MoveFileA","MoveFileExA","MoveFileExW","MoveFileTransactedA","MoveFileTransactedW","MoveFileW","MoveFileWithProgressA","MoveFileWithProgressW","MulDiv","MultiByteToWideChar","NeedCurrentDirectoryForExePathA","NeedCurrentDirectoryForExePathW","NlsCheckPolicy","NlsGetCacheUpdateCount","NlsUpdateLocale","NlsUpdateSystemLocale","NormalizeString","NotifyMountMgr","NotifyUILanguageChange","NtVdm64CreateProcessInternalW","OOBEComplete","OfferVirtualMemory","api-ms-win-core-memory-l1-1-2.OfferVirtualMemory","OpenConsoleW","OpenConsoleWStub","OpenEventA","OpenEventW","OpenFile","OpenFileById","OpenFileMappingA","OpenFileMappingW","OpenJobObjectA","OpenJobObjectW","OpenMutexA","OpenMutexW","OpenPackageInfoByFullName","kernelbase.OpenPackageInfoByFullName","OpenPrivateNamespaceA","OpenPrivateNamespaceW","OpenProcess","OpenProcessToken","api-ms-win-core-processthreads-l1-1-0.OpenProcessToken","OpenProfileUserMapping","OpenSemaphoreA","OpenSemaphoreW","OpenState","kernelbase.OpenState","OpenStateExplicit","kernelbase.OpenStateExplicit","OpenThread","OpenThreadToken","api-ms-win-core-processthreads-l1-1-0.OpenThreadToken","OpenWaitableTimerA","OpenWaitableTimerW","OutputDebugStringA","OutputDebugStringW","PackageFamilyNameFromFullName","kernelbase.PackageFamilyNameFromFullName","PackageFamilyNameFromId","kernelbase.PackageFamilyNameFromId","PackageFullNameFromId","kernelbase.PackageFullNameFromId","PackageIdFromFullName","kernelbase.PackageIdFromFullName","PackageNameAndPublisherIdFromFamilyName","kernelbase.PackageNameAndPublisherIdFromFamilyName","ParseApplicationUserModelId","kernelbase.ParseApplicationUserModelId","PeekConsoleInputA","PeekConsoleInputW","PeekNamedPipe","PostQueuedCompletionStatus","PowerClearRequest","PowerCreateRequest","PowerSetRequest","PrefetchVirtualMemory","api-ms-win-core-memory-l1-1-1.PrefetchVirtualMemory","PrepareTape","PrivCopyFileExW","PrivMoveFileIdentityW","Process32First","Process32FirstW","Process32Next","Process32NextW","ProcessIdToSessionId","PssCaptureSnapshot","PssDuplicateSnapshot","PssFreeSnapshot","PssQuerySnapshot","PssWalkMarkerCreate","PssWalkMarkerFree","PssWalkMarkerGetPosition","PssWalkMarkerRewind","PssWalkMarkerSeek","PssWalkMarkerSeekToBeginning","PssWalkMarkerSetPosition","PssWalkMarkerTell","PssWalkSnapshot","PulseEvent","PurgeComm","QueryActCtxSettingsW","QueryActCtxSettingsWWorker","QueryActCtxW","QueryActCtxWWorker","QueryDepthSList","NTDLL.RtlQueryDepthSList","QueryDosDeviceA","QueryDosDeviceW","QueryFullProcessImageNameA","QueryFullProcessImageNameW","QueryIdleProcessorCycleTime","QueryIdleProcessorCycleTimeEx","QueryInformationJobObject","QueryIoRateControlInformationJobObject","QueryMemoryResourceNotification","QueryPerformanceCounter","QueryPerformanceFrequency","QueryProcessAffinityUpdateMode","QueryProcessCycleTime","QueryProtectedPolicy","api-ms-win-core-processthreads-l1-1-2.QueryProtectedPolicy","QueryThreadCycleTime","QueryThreadProfiling","QueryThreadpoolStackInformation","QueryUnbiasedInterruptTime","QueueUserAPC","QueueUserWorkItem","QuirkGetData2Worker","QuirkGetDataWorker","QuirkIsEnabled2Worker","QuirkIsEnabled3Worker","QuirkIsEnabledForPackage2Worker","QuirkIsEnabledForPackage3Worker","QuirkIsEnabledForPackage4Worker","QuirkIsEnabledForPackageWorker","QuirkIsEnabledForProcessWorker","QuirkIsEnabledWorker","RaiseException","RaiseFailFastException","kernelbase.RaiseFailFastException","RaiseInvalid16BitExeError","ReOpenFile","ReadConsoleA","ReadConsoleInputA","ReadConsoleInputExA","kernelbase.ReadConsoleInputExA","ReadConsoleInputExW","kernelbase.ReadConsoleInputExW","ReadConsoleInputW","ReadConsoleOutputA","ReadConsoleOutputAttribute","ReadConsoleOutputCharacterA","ReadConsoleOutputCharacterW","ReadConsoleOutputW","ReadConsoleW","ReadDirectoryChangesExW","ReadDirectoryChangesW","ReadFile","ReadFileEx","ReadFileScatter","ReadProcessMemory","ReadThreadProfilingData","ReclaimVirtualMemory","api-ms-win-core-memory-l1-1-2.ReclaimVirtualMemory","RegCloseKey","RegCopyTreeW","RegCreateKeyExA","RegCreateKeyExW","RegDeleteKeyExA","RegDeleteKeyExW","RegDeleteTreeA","RegDeleteTreeW","RegDeleteValueA","RegDeleteValueW","RegDisablePredefinedCacheEx","RegEnumKeyExA","RegEnumKeyExW","RegEnumValueA","RegEnumValueW","RegFlushKey","RegGetKeySecurity","RegGetValueA","RegGetValueW","RegLoadKeyA","RegLoadKeyW","RegLoadMUIStringA","RegLoadMUIStringW","RegNotifyChangeKeyValue","RegOpenCurrentUser","RegOpenKeyExA","RegOpenKeyExW","RegOpenUserClassesRoot","RegQueryInfoKeyA","RegQueryInfoKeyW","RegQueryValueExA","RegQueryValueExW","RegRestoreKeyA","RegRestoreKeyW","RegSaveKeyExA","RegSaveKeyExW","RegSetKeySecurity","RegSetValueExA","RegSetValueExW","RegUnLoadKeyA","RegUnLoadKeyW","RegisterApplicationRecoveryCallback","RegisterApplicationRestart","RegisterBadMemoryNotification","RegisterConsoleIME","RegisterConsoleOS2","RegisterConsoleVDM","RegisterWaitForInputIdle","RegisterWaitForSingleObject","RegisterWaitForSingleObjectEx","RegisterWaitUntilOOBECompleted","RegisterWowBaseHandlers","RegisterWowExec","ReleaseActCtx","ReleaseActCtxWorker","ReleaseMutex","ReleaseMutexWhenCallbackReturns","NTDLL.TpCallbackReleaseMutexOnCompletion","ReleaseSRWLockExclusive","NTDLL.RtlReleaseSRWLockExclusive","ReleaseSRWLockShared","NTDLL.RtlReleaseSRWLockShared","ReleaseSemaphore","ReleaseSemaphoreWhenCallbackReturns","NTDLL.TpCallbackReleaseSemaphoreOnCompletion","RemoveDirectoryA","RemoveDirectoryTransactedA","RemoveDirectoryTransactedW","RemoveDirectoryW","RemoveDllDirectory","api-ms-win-core-libraryloader-l1-1-0.RemoveDllDirectory","RemoveLocalAlternateComputerNameA","RemoveLocalAlternateComputerNameW","RemoveSecureMemoryCacheCallback","RemoveVectoredContinueHandler","NTDLL.RtlRemoveVectoredContinueHandler","RemoveVectoredExceptionHandler","NTDLL.RtlRemoveVectoredExceptionHandler","ReplaceFile","ReplaceFileA","ReplaceFileW","ReplacePartitionUnit","RequestDeviceWakeup","RequestWakeupLatency","ResetEvent","ResetWriteWatch","ResizePseudoConsole","ResolveDelayLoadedAPI","NTDLL.LdrResolveDelayLoadedAPI","ResolveDelayLoadsFromDll","NTDLL.LdrResolveDelayLoadsFromDll","ResolveLocaleName","RestoreLastError","NTDLL.RtlRestoreLastWin32Error","ResumeThread","RtlCaptureContext","RtlCaptureStackBackTrace","RtlFillMemory","RtlMoveMemory","NTDLL.RtlMoveMemory","RtlPcToFileHeader","RtlUnwind","RtlZeroMemory","NTDLL.RtlZeroMemory","ScrollConsoleScreenBufferA","ScrollConsoleScreenBufferW","SearchPathA","SearchPathW","SetCachedSigningLevel","SetCalendarInfoA","SetCalendarInfoW","SetComPlusPackageInstallStatus","SetCommBreak","SetCommConfig","SetCommMask","SetCommState","SetCommTimeouts","SetComputerNameA","SetComputerNameEx2W","SetComputerNameExA","SetComputerNameExW","SetComputerNameW","SetConsoleActiveScreenBuffer","SetConsoleCP","SetConsoleCtrlHandler","SetConsoleCursor","SetConsoleCursorInfo","SetConsoleCursorMode","SetConsoleCursorPosition","SetConsoleDisplayMode","SetConsoleFont","SetConsoleHardwareState","SetConsoleHistoryInfo","SetConsoleIcon","SetConsoleInputExeNameA","kernelbase.SetConsoleInputExeNameA","SetConsoleInputExeNameW","kernelbase.SetConsoleInputExeNameW","SetConsoleKeyShortcuts","SetConsoleLocalEUDC","SetConsoleMaximumWindowSize","SetConsoleMenuClose","SetConsoleMode","SetConsoleNlsMode","SetConsoleNumberOfCommandsA","SetConsoleNumberOfCommandsW","SetConsoleOS2OemFormat","SetConsoleOutputCP","SetConsolePalette","SetConsoleScreenBufferInfoEx","SetConsoleScreenBufferSize","SetConsoleTextAttribute","SetConsoleTitleA","SetConsoleTitleW","SetConsoleWindowInfo","SetCriticalSectionSpinCount","NTDLL.RtlSetCriticalSectionSpinCount","SetCurrentConsoleFontEx","SetCurrentDirectoryA","SetCurrentDirectoryW","SetDefaultCommConfigA","SetDefaultCommConfigW","SetDefaultDllDirectories","api-ms-win-core-libraryloader-l1-1-0.SetDefaultDllDirectories","SetDllDirectoryA","SetDllDirectoryW","SetDynamicTimeZoneInformation","SetEndOfFile","SetEnvironmentStringsA","SetEnvironmentStringsW","SetEnvironmentVariableA","SetEnvironmentVariableW","SetErrorMode","SetEvent","SetEventWhenCallbackReturns","NTDLL.TpCallbackSetEventOnCompletion","SetFileApisToANSI","SetFileApisToOEM","SetFileAttributesA","SetFileAttributesTransactedA","SetFileAttributesTransactedW","SetFileAttributesW","SetFileBandwidthReservation","SetFileCompletionNotificationModes","SetFileInformationByHandle","SetFileIoOverlappedRange","SetFilePointer","SetFilePointerEx","SetFileShortNameA","SetFileShortNameW","SetFileTime","SetFileValidData","SetFirmwareEnvironmentVariableA","SetFirmwareEnvironmentVariableExA","SetFirmwareEnvironmentVariableExW","SetFirmwareEnvironmentVariableW","SetHandleContext","SetHandleCount","SetHandleInformation","SetInformationJobObject","SetIoRateControlInformationJobObject","SetLastConsoleEventActive","kernelbase.SetLastConsoleEventActive","SetLastError","SetLocalPrimaryComputerNameA","SetLocalPrimaryComputerNameW","SetLocalTime","SetLocaleInfoA","SetLocaleInfoW","SetMailslotInfo","SetMessageWaitingIndicator","SetNamedPipeAttribute","SetNamedPipeHandleState","SetPriorityClass","SetProcessAffinityMask","SetProcessAffinityUpdateMode","SetProcessDEPPolicy","SetProcessDefaultCpuSets","api-ms-win-core-processthreads-l1-1-3.SetProcessDefaultCpuSets","SetProcessDynamicEHContinuationTargets","api-ms-win-core-processthreads-l1-1-4.SetProcessDynamicEHContinuationTargets","SetProcessDynamicEnforcedCetCompatibleRanges","api-ms-win-core-processthreads-l1-1-4.SetProcessDynamicEnforcedCetCompatibleRanges","SetProcessInformation","SetProcessMitigationPolicy","api-ms-win-core-processthreads-l1-1-1.SetProcessMitigationPolicy","SetProcessPreferredUILanguages","SetProcessPriorityBoost","SetProcessShutdownParameters","SetProcessWorkingSetSize","SetProcessWorkingSetSizeEx","SetProtectedPolicy","api-ms-win-core-processthreads-l1-1-2.SetProtectedPolicy","SetSearchPathMode","SetStdHandle","SetStdHandleEx","SetSystemFileCacheSize","SetSystemPowerState","SetSystemTime","SetSystemTimeAdjustment","SetTapeParameters","SetTapePosition","SetTermsrvAppInstallMode","SetThreadAffinityMask","SetThreadContext","SetThreadDescription","api-ms-win-core-processthreads-l1-1-3.SetThreadDescription","SetThreadErrorMode","SetThreadExecutionState","SetThreadGroupAffinity","SetThreadIdealProcessor","SetThreadIdealProcessorEx","SetThreadInformation","SetThreadLocale","SetThreadPreferredUILanguages","SetThreadPriority","SetThreadPriorityBoost","SetThreadSelectedCpuSets","api-ms-win-core-processthreads-l1-1-3.SetThreadSelectedCpuSets","SetThreadStackGuarantee","SetThreadToken","api-ms-win-core-processthreads-l1-1-0.SetThreadToken","SetThreadUILanguage","SetThreadpoolStackInformation","SetThreadpoolThreadMaximum","NTDLL.TpSetPoolMaxThreads","SetThreadpoolThreadMinimum","SetThreadpoolTimer","NTDLL.TpSetTimer","SetThreadpoolTimerEx","NTDLL.TpSetTimerEx","SetThreadpoolWait","NTDLL.TpSetWait","SetThreadpoolWaitEx","NTDLL.TpSetWaitEx","SetTimeZoneInformation","SetTimerQueueTimer","SetUnhandledExceptionFilter","SetUserGeoID","SetUserGeoName","SetVDMCurrentDirectories","SetVolumeLabelA","SetVolumeLabelW","SetVolumeMountPointA","SetVolumeMountPointW","SetVolumeMountPointWStub","SetWaitableTimer","SetWaitableTimerEx","api-ms-win-core-synch-l1-1-0.SetWaitableTimerEx","SetXStateFeaturesMask","SetupComm","ShowConsoleCursor","SignalObjectAndWait","SizeofResource","Sleep","SleepConditionVariableCS","api-ms-win-core-synch-l1-2-0.SleepConditionVariableCS","SleepConditionVariableSRW","api-ms-win-core-synch-l1-2-0.SleepConditionVariableSRW","SleepEx","SortCloseHandle","SortGetHandle","StartThreadpoolIo","NTDLL.TpStartAsyncIoOperation","SubmitThreadpoolWork","NTDLL.TpPostWork","SuspendThread","SwitchToFiber","SwitchToThread","SystemTimeToFileTime","SystemTimeToTzSpecificLocalTime","SystemTimeToTzSpecificLocalTimeEx","api-ms-win-core-timezone-l1-1-0.SystemTimeToTzSpecificLocalTimeEx","TerminateJobObject","TerminateProcess","TerminateThread","TermsrvAppInstallMode","TermsrvConvertSysRootToUserDir","TermsrvCreateRegEntry","TermsrvDeleteKey","TermsrvDeleteValue","TermsrvGetPreSetValue","TermsrvGetWindowsDirectoryA","TermsrvGetWindowsDirectoryW","TermsrvOpenRegEntry","TermsrvOpenUserClasses","TermsrvRestoreKey","TermsrvSetKeySecurity","TermsrvSetValueKey","TermsrvSyncUserIniFileExt","Thread32First","Thread32Next","TlsAlloc","TlsFree","TlsGetValue","TlsSetValue","Toolhelp32ReadProcessMemory","TransactNamedPipe","TransmitCommChar","TryAcquireSRWLockExclusive","NTDLL.RtlTryAcquireSRWLockExclusive","TryAcquireSRWLockShared","NTDLL.RtlTryAcquireSRWLockShared","TryEnterCriticalSection","NTDLL.RtlTryEnterCriticalSection","TrySubmitThreadpoolCallback","TzSpecificLocalTimeToSystemTime","TzSpecificLocalTimeToSystemTimeEx","api-ms-win-core-timezone-l1-1-0.TzSpecificLocalTimeToSystemTimeEx","UTRegister","UTUnRegister","UnhandledExceptionFilter","UnlockFile","UnlockFileEx","UnmapViewOfFile","UnmapViewOfFileEx","api-ms-win-core-memory-l1-1-1.UnmapViewOfFileEx","UnregisterApplicationRecoveryCallback","UnregisterApplicationRestart","UnregisterBadMemoryNotification","UnregisterConsoleIME","UnregisterWait","UnregisterWaitEx","UnregisterWaitUntilOOBECompleted","UpdateCalendarDayOfWeek","UpdateProcThreadAttribute","api-ms-win-core-processthreads-l1-1-0.UpdateProcThreadAttribute","UpdateResourceA","UpdateResourceW","VDMConsoleOperation","VDMOperationStarted","VerLanguageNameA","VerLanguageNameW","VerSetConditionMask","NTDLL.VerSetConditionMask","VerifyConsoleIoHandle","VerifyScripts","VerifyVersionInfoA","VerifyVersionInfoW","VirtualAlloc","VirtualAllocEx","VirtualAllocExNuma","VirtualFree","VirtualFreeEx","VirtualLock","VirtualProtect","VirtualProtectEx","VirtualQuery","VirtualQueryEx","VirtualUnlock","WTSGetActiveConsoleSessionId","WaitCommEvent","WaitForDebugEvent","WaitForDebugEventEx","api-ms-win-core-debug-l1-1-2.WaitForDebugEventEx","WaitForMultipleObjects","WaitForMultipleObjectsEx","WaitForSingleObject","WaitForSingleObjectEx","WaitForThreadpoolIoCallbacks","NTDLL.TpWaitForIoCompletion","WaitForThreadpoolTimerCallbacks","NTDLL.TpWaitForTimer","WaitForThreadpoolWaitCallbacks","NTDLL.TpWaitForWait","WaitForThreadpoolWorkCallbacks","NTDLL.TpWaitForWork","WaitNamedPipeA","WaitNamedPipeW","WakeAllConditionVariable","NTDLL.RtlWakeAllConditionVariable","WakeConditionVariable","NTDLL.RtlWakeConditionVariable","WerGetFlags","WerGetFlagsWorker","WerRegisterAdditionalProcess","WerRegisterAppLocalDump","WerRegisterCustomMetadata","WerRegisterExcludedMemoryBlock","WerRegisterFile","WerRegisterFileWorker","WerRegisterMemoryBlock","WerRegisterMemoryBlockWorker","WerRegisterRuntimeExceptionModule","WerRegisterRuntimeExceptionModuleWorker","WerSetFlags","WerSetFlagsWorker","WerUnregisterAdditionalProcess","WerUnregisterAppLocalDump","WerUnregisterCustomMetadata","WerUnregisterExcludedMemoryBlock","WerUnregisterFile","WerUnregisterFileWorker","WerUnregisterMemoryBlock","WerUnregisterMemoryBlockWorker","WerUnregisterRuntimeExceptionModule","WerUnregisterRuntimeExceptionModuleWorker","WerpGetDebugger","WerpInitiateRemoteRecovery","WerpLaunchAeDebug","WerpNotifyLoadStringResourceWorker","WerpNotifyUseStringResourceWorker","WideCharToMultiByte","WinExec","Wow64DisableWow64FsRedirection","Wow64EnableWow64FsRedirection","Wow64GetThreadContext","Wow64GetThreadSelectorEntry","Wow64RevertWow64FsRedirection","Wow64SetThreadContext","Wow64SuspendThread","WriteConsoleA","WriteConsoleInputA","WriteConsoleInputVDMA","WriteConsoleInputVDMW","WriteConsoleInputW","WriteConsoleOutputA","WriteConsoleOutputAttribute","WriteConsoleOutputCharacterA","WriteConsoleOutputCharacterW","WriteConsoleOutputW","WriteConsoleW","WriteFile","WriteFileEx","WriteFileGather","WritePrivateProfileSectionA","WritePrivateProfileSectionW","WritePrivateProfileStringA","WritePrivateProfileStringW","WritePrivateProfileStructA","WritePrivateProfileStructW","WriteProcessMemory","WriteProfileSectionA","WriteProfileSectionW","WriteProfileStringA","WriteProfileStringW","WriteTapemark","ZombifyActCtx","ZombifyActCtxWorker","_hread","_hwrite","_lclose","_lcreat","_llseek","_lopen","_lread","_lwrite","lstrcat","lstrcatA","lstrcatW","lstrcmp","lstrcmpA","lstrcmpW","lstrcmpi","lstrcmpiA","lstrcmpiW","lstrcpy","lstrcpyA","lstrcpyW","lstrcpyn","lstrcpynA","lstrcpynW","lstrlen","lstrlenA","lstrlenW","timeBeginPeriod","timeEndPeriod","timeGetDevCaps","timeGetSystemTime","timeGetTime"]
winnet_list = ["DispatchAPICall","AppCacheCheckManifest","AppCacheCloseHandle","AppCacheCreateAndCommitFile","AppCacheDeleteGroup","AppCacheDeleteIEGroup","AppCacheDuplicateHandle","AppCacheFinalize","AppCacheFreeDownloadList","AppCacheFreeGroupList","AppCacheFreeIESpace","AppCacheFreeSpace","AppCacheGetDownloadList","AppCacheGetFallbackUrl","AppCacheGetGroupList","AppCacheGetIEGroupList","AppCacheGetInfo","AppCacheGetManifestUrl","AppCacheLookup","CommitUrlCacheEntryA","CommitUrlCacheEntryBinaryBlob","CommitUrlCacheEntryW","CreateMD5SSOHash","CreateUrlCacheContainerA","CreateUrlCacheContainerW","CreateUrlCacheEntryA","CreateUrlCacheEntryExW","CreateUrlCacheEntryW","CreateUrlCacheGroup","DeleteIE3Cache","DeleteUrlCacheContainerA","DeleteUrlCacheContainerW","DeleteUrlCacheEntry","DeleteUrlCacheEntryA","DeleteUrlCacheEntryW","DeleteUrlCacheGroup","DeleteWpadCacheForNetworks","DetectAutoProxyUrl","DllCanUnloadNow","DllGetClassObject","DllInstall","DllRegisterServer","DllUnregisterServer","FindCloseUrlCache","FindFirstUrlCacheContainerA","FindFirstUrlCacheContainerW","FindFirstUrlCacheEntryA","FindFirstUrlCacheEntryExA","FindFirstUrlCacheEntryExW","FindFirstUrlCacheEntryW","FindFirstUrlCacheGroup","FindNextUrlCacheContainerA","FindNextUrlCacheContainerW","FindNextUrlCacheEntryA","FindNextUrlCacheEntryExA","FindNextUrlCacheEntryExW","FindNextUrlCacheEntryW","FindNextUrlCacheGroup","ForceNexusLookup","ForceNexusLookupExW","FreeUrlCacheSpaceA","FreeUrlCacheSpaceW","FtpCommandA","FtpCommandW","FtpCreateDirectoryA","FtpCreateDirectoryW","FtpDeleteFileA","FtpDeleteFileW","FtpFindFirstFileA","FtpFindFirstFileW","FtpGetCurrentDirectoryA","FtpGetCurrentDirectoryW","FtpGetFileA","FtpGetFileEx","FtpGetFileSize","FtpGetFileW","FtpOpenFileA","FtpOpenFileW","FtpPutFileA","FtpPutFileEx","FtpPutFileW","FtpRemoveDirectoryA","FtpRemoveDirectoryW","FtpRenameFileA","FtpRenameFileW","FtpSetCurrentDirectoryA","FtpSetCurrentDirectoryW","GetProxyDllInfo","GetUrlCacheConfigInfoA","GetUrlCacheConfigInfoW","GetUrlCacheEntryBinaryBlob","GetUrlCacheEntryInfoA","GetUrlCacheEntryInfoExA","GetUrlCacheEntryInfoExW","GetUrlCacheEntryInfoW","GetUrlCacheGroupAttributeA","GetUrlCacheGroupAttributeW","GetUrlCacheHeaderData","GopherCreateLocatorA","GopherCreateLocatorW","GopherFindFirstFileA","GopherFindFirstFileW","GopherGetAttributeA","GopherGetAttributeW","GopherGetLocatorTypeA","GopherGetLocatorTypeW","GopherOpenFileA","GopherOpenFileW","HttpAddRequestHeadersA","HttpAddRequestHeadersW","HttpCheckDavCompliance","HttpCloseDependencyHandle","HttpDuplicateDependencyHandle","HttpEndRequestA","HttpEndRequestW","HttpGetServerCredentials","HttpGetTunnelSocket","HttpIndicatePageLoadComplete","HttpIsHostHstsEnabled","HttpOpenDependencyHandle","HttpOpenRequestA","HttpOpenRequestW","HttpPushClose","HttpPushEnable","HttpPushWait","HttpQueryInfoA","HttpQueryInfoW","HttpSendRequestA","HttpSendRequestExA","HttpSendRequestExW","HttpSendRequestW","HttpWebSocketClose","HttpWebSocketCompleteUpgrade","HttpWebSocketQueryCloseStatus","HttpWebSocketReceive","HttpWebSocketSend","HttpWebSocketShutdown","IncrementUrlCacheHeaderData","InternetAlgIdToStringA","InternetAlgIdToStringW","InternetAttemptConnect","InternetAutodial","InternetAutodialCallback","InternetAutodialHangup","InternetCanonicalizeUrlA","InternetCanonicalizeUrlW","InternetCheckConnectionA","InternetCheckConnectionW","InternetClearAllPerSiteCookieDecisions","InternetCloseHandle","InternetCombineUrlA","InternetCombineUrlW","InternetConfirmZoneCrossing","InternetConfirmZoneCrossingA","InternetConfirmZoneCrossingW","InternetConnectA","InternetConnectW","InternetConvertUrlFromWireToWideChar","InternetCrackUrlA","InternetCrackUrlW","InternetCreateUrlA","InternetCreateUrlW","InternetDial","InternetDialA","InternetDialW","InternetEnumPerSiteCookieDecisionA","InternetEnumPerSiteCookieDecisionW","InternetErrorDlg","InternetFindNextFileA","InternetFindNextFileW","InternetFortezzaCommand","InternetFreeCookies","InternetFreeProxyInfoList","InternetGetCertByURL","InternetGetCertByURLA","InternetGetConnectedState","InternetGetConnectedStateEx","InternetGetConnectedStateExA","InternetGetConnectedStateExW","InternetGetCookieA","InternetGetCookieEx2","InternetGetCookieExA","InternetGetCookieExW","InternetGetCookieW","InternetGetLastResponseInfoA","InternetGetLastResponseInfoW","InternetGetPerSiteCookieDecisionA","InternetGetPerSiteCookieDecisionW","InternetGetProxyForUrl","InternetGetSecurityInfoByURL","InternetGetSecurityInfoByURLA","InternetGetSecurityInfoByURLW","InternetGoOnline","InternetGoOnlineA","InternetGoOnlineW","InternetHangUp","InternetInitializeAutoProxyDll","InternetLockRequestFile","InternetOpenA","InternetOpenUrlA","InternetOpenUrlW","InternetOpenW","InternetQueryDataAvailable","InternetQueryFortezzaStatus","InternetQueryOptionA","InternetQueryOptionW","InternetReadFile","InternetReadFileExA","InternetReadFileExW","InternetSecurityProtocolToStringA","InternetSecurityProtocolToStringW","InternetSetCookieA","InternetSetCookieEx2","InternetSetCookieExA","InternetSetCookieExW","InternetSetCookieW","InternetSetDialState","InternetSetDialStateA","InternetSetDialStateW","InternetSetFilePointer","InternetSetOptionA","InternetSetOptionExA","InternetSetOptionExW","InternetSetOptionW","InternetSetPerSiteCookieDecisionA","InternetSetPerSiteCookieDecisionW","InternetSetStatusCallback","InternetSetStatusCallbackA","InternetSetStatusCallbackW","InternetShowSecurityInfoByURL","InternetShowSecurityInfoByURLA","InternetShowSecurityInfoByURLW","InternetTimeFromSystemTime","InternetTimeFromSystemTimeA","InternetTimeFromSystemTimeW","InternetTimeToSystemTime","InternetTimeToSystemTimeA","InternetTimeToSystemTimeW","InternetUnlockRequestFile","InternetWriteFile","InternetWriteFileExA","InternetWriteFileExW","IsHostInProxyBypassList","IsUrlCacheEntryExpiredA","IsUrlCacheEntryExpiredW","LoadUrlCacheContent","ParseX509EncodedCertificateForListBoxEntry","PrivacyGetZonePreferenceW","PrivacySetZonePreferenceW","ReadUrlCacheEntryStream","ReadUrlCacheEntryStreamEx","RegisterUrlCacheNotification","ResumeSuspendedDownload","RetrieveUrlCacheEntryFileA","RetrieveUrlCacheEntryFileW","RetrieveUrlCacheEntryStreamA","RetrieveUrlCacheEntryStreamW","RunOnceUrlCache","SetUrlCacheConfigInfoA","SetUrlCacheConfigInfoW","SetUrlCacheEntryGroup","SetUrlCacheEntryGroupA","SetUrlCacheEntryGroupW","SetUrlCacheEntryInfoA","SetUrlCacheEntryInfoW","SetUrlCacheGroupAttributeA","SetUrlCacheGroupAttributeW","SetUrlCacheHeaderData","ShowCertificate","ShowClientAuthCerts","ShowSecurityInfo","ShowX509EncodedCertificate","UnlockUrlCacheEntryFile","UnlockUrlCacheEntryFileA","UnlockUrlCacheEntryFileW","UnlockUrlCacheEntryStream","UpdateUrlCacheContentPath","UrlCacheCheckEntriesExist","UrlCacheCloseEntryHandle","UrlCacheContainerSetEntryMaximumAge","UrlCacheCreateContainer","UrlCacheFindFirstEntry","UrlCacheFindNextEntry","UrlCacheFreeEntryInfo","UrlCacheFreeGlobalSpace","UrlCacheGetContentPaths","UrlCacheGetEntryInfo","UrlCacheGetGlobalCacheSize","UrlCacheGetGlobalLimit","UrlCacheReadEntryStream","UrlCacheReloadSettings","UrlCacheRetrieveEntryFile","UrlCacheRetrieveEntryStream","UrlCacheServer","UrlCacheSetGlobalLimit","UrlCacheUpdateEntryExtraData","UrlZonesDetach","_GetFileExtensionFromUrl"]
dnsapi_list = ["DnsGetDomainName","DnsIsAMailboxType","DnsIsNSECType","DnsIsStatusRcode","DnsMapRcodeToStatus","DnsStatusString","DnsUnicodeToUtf8","DnsUtf8ToUnicode","Dns_ReadPacketName","Dns_ReadPacketNameAllocate","Dns_SkipPacketName","Dns_WriteDottedNameToPacket","AdaptiveTimeout_ClearInterfaceSpecificConfiguration","AdaptiveTimeout_ResetAdaptiveTimeout","AddRefQueryBlobEx","BreakRecordsIntoBlob","Coalesce_UpdateNetVersion","CombineRecordsInBlob","DeRefQueryBlobEx","DelaySortDAServerlist","DnsAcquireContextHandle_A","DnsAcquireContextHandle_W","DnsAllocateRecord","DnsApiAlloc","DnsApiAllocZero","DnsApiFree","DnsApiHeapReset","DnsApiRealloc","DnsApiSetDebugGlobals","DnsAsyncRegisterHostAddrs","DnsAsyncRegisterInit","DnsAsyncRegisterTerm","DnsCancelQuery","DnsCheckNrptRuleIntegrity","DnsCheckNrptRules","DnsCleanupTcpConnections","DnsConnectionDeletePolicyEntries","DnsConnectionDeletePolicyEntriesPrivate","DnsConnectionDeleteProxyInfo","DnsConnectionFreeNameList","DnsConnectionFreeProxyInfo","DnsConnectionFreeProxyInfoEx","DnsConnectionFreeProxyList","DnsConnectionGetHandleForHostUrlPrivate","DnsConnectionGetNameList","DnsConnectionGetProxyInfo","DnsConnectionGetProxyInfoForHostUrl","DnsConnectionGetProxyList","DnsConnectionSetPolicyEntries","DnsConnectionSetPolicyEntriesPrivate","DnsConnectionSetProxyInfo","DnsConnectionUpdateIfIndexTable","DnsCopyStringEx","DnsCreateReverseNameStringForIpAddress","DnsCreateStandardDnsNameCopy","DnsCreateStringCopy","DnsDeRegisterLocal","DnsDhcpRegisterAddrs","DnsDhcpRegisterHostAddrs","DnsDhcpRegisterInit","DnsDhcpRegisterTerm","DnsDhcpRemoveRegistrations","DnsDhcpSrvRegisterHostAddr","DnsDhcpSrvRegisterHostAddrEx","DnsDhcpSrvRegisterHostName","DnsDhcpSrvRegisterHostNameEx","DnsDhcpSrvRegisterInit","DnsDhcpSrvRegisterInitEx","DnsDhcpSrvRegisterInitialize","DnsDhcpSrvRegisterTerm","DnsDisableIdnEncoding","DnsDowncaseDnsNameLabel","DnsExtractRecordsFromMessage_UTF8","DnsExtractRecordsFromMessage_W","DnsFindAuthoritativeZone","DnsFlushResolverCache","DnsFlushResolverCacheEntry_A","DnsFlushResolverCacheEntry_UTF8","DnsFlushResolverCacheEntry_W","DnsFree","DnsFreeAdaptersInfo","DnsFreeConfigStructure","DnsFreeNrptRule","DnsFreeNrptRuleNamesList","DnsFreePolicyConfig","DnsFreeProxyName","DnsGetAdaptersInfo","DnsGetApplicationIdentifier","DnsGetBufferLengthForStringCopy","DnsGetCacheDataTable","DnsGetCacheDataTableEx","DnsGetDnsServerList","DnsGetInterfaceSettings","DnsGetLastFailedUpdateInfo","DnsGetNrptRuleNamesList","DnsGetPolicyTableInfo","DnsGetPolicyTableInfoPrivate","DnsGetPrimaryDomainName_A","DnsGetProxyInfoPrivate","DnsGetProxyInformation","DnsGetQueryRetryTimeouts","DnsGetSettings","DnsGlobals","DnsIpv6AddressToString","DnsIpv6StringToAddress","DnsIsStringCountValidForTextType","DnsLogEvent","DnsModifyRecordsInSet_A","DnsModifyRecordsInSet_UTF8","DnsModifyRecordsInSet_W","DnsNameCompareEx_A","DnsNameCompareEx_UTF8","DnsNameCompareEx_W","DnsNameCompare_A","DnsNameCompare_UTF8","DnsNameCompare_W","DnsNameCopy","DnsNameCopyAllocate","DnsNetworkInfo_CreateFromFAZ","DnsNetworkInformation_CreateFromFAZ","DnsNotifyResolver","DnsNotifyResolverClusterIp","DnsNotifyResolverEx","DnsQueryConfig","DnsQueryConfigAllocEx","DnsQueryConfigDword","DnsQueryEx","DnsQueryExA","DnsQueryExUTF8","DnsQueryExW","DnsQuery_A","DnsQuery_UTF8","DnsQuery_W","DnsRecordBuild_UTF8","DnsRecordBuild_W","DnsRecordCompare","DnsRecordCopyEx","DnsRecordListFree","DnsRecordListUnmapV4MappedAAAAInPlace","DnsRecordSetCompare","DnsRecordSetCopyEx","DnsRecordSetDetach","DnsRecordStringForType","DnsRecordStringForWritableType","DnsRecordTypeForName","DnsRegisterLocal","DnsReleaseContextHandle","DnsRemoveNrptRule","DnsRemoveRegistrations","DnsReplaceRecordSetA","DnsReplaceRecordSetUTF8","DnsReplaceRecordSetW","DnsResetQueryRetryTimeouts","DnsResolverOp","DnsResolverQueryHvsi","DnsScreenLocalAddrsForRegistration","DnsServiceBrowse","DnsServiceBrowseCancel","DnsServiceConstructInstance","DnsServiceCopyInstance","DnsServiceDeRegister","DnsServiceFreeInstance","DnsServiceRegister","DnsServiceRegisterCancel","DnsServiceResolve","DnsServiceResolveCancel","DnsSetConfigDword","DnsSetConfigValue","DnsSetInterfaceSettings","DnsSetNrptRule","DnsSetNrptRules","DnsSetQueryRetryTimeouts","DnsSetSettings","DnsStartMulticastQuery","DnsStopMulticastQuery","DnsStringCopyAllocateEx","DnsTraceServerConfig","DnsUpdate","DnsUpdateMachinePresence","DnsUpdateTest_A","DnsUpdateTest_UTF8","DnsUpdateTest_W","DnsValidateNameOrIp_TempW","DnsValidateName_A","DnsValidateName_UTF8","DnsValidateName_W","DnsValidateServerArray_A","DnsValidateServerArray_W","DnsValidateServerStatus","DnsValidateServer_A","DnsValidateServer_W","DnsValidateUtf8Byte","DnsWriteQuestionToBuffer_UTF8","DnsWriteQuestionToBuffer_W","DnsWriteReverseNameStringForIpAddress","Dns_AddRecordsToMessage","Dns_AllocateMsgBuf","Dns_BuildPacket","Dns_CacheServiceCleanup","Dns_CacheServiceInit","Dns_CacheServiceStopIssued","Dns_CleanupWinsock","Dns_CloseConnection","Dns_CloseSocket","Dns_CreateMulticastSocket","Dns_CreateSocket","Dns_CreateSocketEx","Dns_ExtractRecordsFromMessage","Dns_FindAuthoritativeZoneLib","Dns_FreeMsgBuf","Dns_GetRandomXid","Dns_InitializeMsgBuf","Dns_InitializeMsgRemoteSockaddr","Dns_InitializeWinsock","Dns_OpenTcpConnectionAndSend","Dns_ParseMessage","Dns_ParsePacketRecord","Dns_PingAdapterServers","Dns_ReadRecordStructureFromPacket","Dns_RecvTcp","Dns_ResetNetworkInfo","Dns_SendAndRecvUdp","Dns_SendEx","Dns_SetRecordDatalength","Dns_SetRecordsSection","Dns_SetRecordsTtl","Dns_SkipToRecord","Dns_UpdateLib","Dns_UpdateLibEx","Dns_WriteQuestionToMessage","Dns_WriteRecordStructureToPacketEx","ExtraInfo_Init","Faz_AreServerListsInSameNameSpace","FlushDnsPolicyUnreachableStatus","GetCurrentTimeInSeconds","HostsFile_Close","HostsFile_Open","HostsFile_ReadLine","IpHelp_IsAddrOnLink","Local_GetRecordsForLocalName","Local_GetRecordsForLocalNameEx","NetInfo_Build","NetInfo_Clean","NetInfo_Copy","NetInfo_CopyNetworkIndex","NetInfo_CreatePerNetworkNetinfo","NetInfo_Free","NetInfo_GetAdapterByAddress","NetInfo_GetAdapterByInterfaceIndex","NetInfo_GetAdapterByName","NetInfo_IsAddrConfig","NetInfo_IsForUpdate","NetInfo_IsTcpipConfigChange","NetInfo_ResetServerPriorities","NetInfo_UpdateDnsInterfaceConfigChange","NetInfo_UpdateNetworkProperties","NetInfo_UpdateServerReachability","QueryDirectEx","Query_Cancel","Query_Main","Reg_FreeUpdateInfo","Reg_GetValueEx","Reg_ReadGlobalsEx","Reg_ReadUpdateInfo","Security_ContextListTimeout","Send_AndRecvUdpWithParam","Send_MessagePrivate","Send_MessagePrivateEx","Send_OpenTcpConnectionAndSend","Socket_CacheCleanup","Socket_CacheInit","Socket_CleanupWinsock","Socket_ClearMessageSockets","Socket_CloseEx","Socket_CloseMessageSockets","Socket_Create","Socket_CreateMulticast","Socket_InitWinsock","Socket_JoinMulticast","Socket_RecvFrom","Socket_SetMulticastInterface","Socket_SetMulticastLoopBack","Socket_SetTtl","Socket_TcpListen","Trace_Reset","Update_ReplaceAddressRecordsW","Util_IsIp6Running","Util_IsRunningOnXboxOne","WriteDnsNrptRulesToRegistry"]



#calculate a 32bit ror
def ror(total, j):
    #calculate 32 bit ror
    #j%32 to avoid negative rotations
    #0xffffffff to ensure values are 32-bit aligned
    return ((total >> (j%32)) | (total << (32-(j%32)))) & 0xffffffff


#calculate hash
def gethash(name, r):
    result = 0
    for i in name:
        result = ror(result,r)
        result += i
    #ensure result is 32-bit aligned
    return result & 0xffffffff


#compute the api hashes for a given dll/export/ror
def computeHashes(dllname, export_list, r):
    #ensure dll has correct encoding/padding
    pad = dllname + "\0"
    dlln = pad.upper().encode('utf-16-le')
    dllhash = gethash(dlln, r)
    hashDict = {}
    
    for i in export_list:
        h = gethash((i+"\0").encode('utf-8'), r)
        final = (dllhash + h) & 0xffffffff
        hashDict[i] = final

    return hashDict


def main():
    #convert input into a bytearray
    Shellcode = bytearray(originalShellcode)
    

    #Detect existing ror values
    try:
        if arch in ["32", "x86"]:
            detectror = re.search(b'\xc1\xcf', Shellcode)
        elif arch in ["64","x64"]:
            detectror = re.search(b'\xc1\xc9', Shellcode)
        Offset = detectror.start()+2
        oldror = Shellcode[Offset]
        print("Detected Ror Value Of {}".format(hex(oldror)))
    except:
        #assume default of 13/0xd
        print("Assuming Default Ror Value Of 0xd/13")
        oldror = 13

    #generate new single byte ROR value
    newror = random.randint(1,255)
    #reset if new value clashes with 13
    while (newror % 32 == 13):
        newror = random.randint(1,255)
    
    #create dictionaries of old hash values
    old_k32 = computeHashes("kernel32.dll", k32_list, oldror)
    old_ws2 = computeHashes("ws2_32.dll",ws2_list, oldror)
    old_winnet = computeHashes("wininet.dll",winnet_list, oldror)
    old_dnsapi = computeHashes("dnsapi.dll",dnsapi_list, oldror)
    #create dictionaries of new hash values
    new_k32 = computeHashes("kernel32.dll", k32_list, newror)
    new_ws2 = computeHashes("ws2_32.dll",ws2_list, newror)
    new_winnet = computeHashes("wininet.dll",winnet_list, newror)
    new_dnsapi = computeHashes("dnsapi.dll",dnsapi_list, newror)


     
    #Replace kernel32.dll hashes
    for i in old_k32.keys():
        o = old_k32[i].to_bytes(4,'little')
        n = new_k32[i].to_bytes(4,'little')
        Shellcode = Shellcode.replace(o,n)
        if o in originalShellcode:
            matchlist.append(str(i))

    #Replace ws2_32.dll hashes
    for i in old_ws2.keys():
        o = old_ws2[i].to_bytes(4,'little')
        n = new_ws2[i].to_bytes(4,'little')
        Shellcode = Shellcode.replace(o,n)
        if o in originalShellcode:
            matchlist.append(str(i))
    #Replace wininet.dll hashes
    for i in old_winnet.keys():
        o = old_winnet[i].to_bytes(4,'little')
        n = new_winnet[i].to_bytes(4,'little')
        Shellcode = Shellcode.replace(o,n)
        if o in originalShellcode:
            matchlist.append(str(i))
    #replace dnsapi.dll hashes
    for i in old_dnsapi.keys():
        o = old_dnsapi[i].to_bytes(4,'little')
        n = new_dnsapi[i].to_bytes(4,'little')
        Shellcode = Shellcode.replace(o,n)
        if o in originalShellcode:
            matchlist.append(str(i))

    if len(matchlist) == 0:
        print("No api's found with ror value of {}".format(oldror))
        print("Double check that your shellcode uses ror based hashing")
        sys.exit(1)

    else:
        print("{} Hashes Detected\n".format(len(matchlist)))
        print("Detected: " + str(matchlist))
        print("")
    
    #Update the old ror values
    if arch in ["32","x86"]:
        Shellcode = Shellcode.replace(b'\xc1\xcf' + oldror.to_bytes(1,'little') , b'\xc1\xcf'+newror.to_bytes(1,'little'))
    elif arch in ["64","x64"]:
        Shellcode = Shellcode.replace(b'\xc1\xc9' + oldror.to_bytes(1,'little'), b'\xc1\xc9'+newror.to_bytes(1,'little'))
    else:
        print("Unknown architecture, exiting")
        sys.exit(1)
    
    #save new shellcode to a file
    try:
        newName = fname + "_" + str(hex(newror)) + ".bin"
        f = open(newName, "wb")
        f.write(Shellcode)
    except:
        print("Unable to write new code to file")
        sys.exit(1)

    
    print("New ror value is {}".format(hex(newror)))
    print("Wrote {} bytes to file {}".format(len(Shellcode),newName))
    f.close()
    
    return True

#call main by default
if __name__ == "__main__":
    main()