From fffdf75c187bec59e730adc84618d0b3bbd0b1f1 Mon Sep 17 00:00:00 2001
From: Christopher Paschen
Date: Mon, 17 May 2021 16:06:27 -0500
Subject: [PATCH] initial BOF commit

---
 SA/SA.cna | 27 ++++++
 SA/findLoadedModule/findLoadedModule.x64.o | Bin 0 -> 4172 bytes
 SA/findLoadedModule/findLoadedModule.x86.o | Bin 0 -> 3694 bytes
 src/SA/findLoadedModule/Makefile | 25 +++++
 src/SA/findLoadedModule/entry.c | 107 +++++++++++++++++++++
 src/SA/get-netsession/entry.c | 1 +
 src/common/bofdefs.h | 37 +++++--
 7 files changed, 190 insertions(+), 7 deletions(-)
 create mode 100644 SA/findLoadedModule/findLoadedModule.x64.o
 create mode 100644 SA/findLoadedModule/findLoadedModule.x86.o
 create mode 100644 src/SA/findLoadedModule/Makefile
 create mode 100644 src/SA/findLoadedModule/entry.c

diff --git a/SA/SA.cna b/SA/SA.cna
index 0ac448d..8b6fdc7 100644
--- a/SA/SA.cna
+++ b/SA/SA.cna
@@ -1134,3 +1134,30 @@ alias enumLocalSessions{
 beacon_inline_execute($1, readbof($1, "enumLocalSessions"), "go", $null);
 }
 
+alias findLoadedModule{
+ local('$iswow64 $modname $procname $args');
+ if(-is64 $1 && barch($1) eq "x86")
+ {
+ berror($1, "Unable to run this BOF properly when under WOW64 (32bit proc on 64bit host)");
+ return;
+ }
+ if(size(@_) > 3 || size(@_) < 2){
+ berror($1, "Invalid number of arguments");
+ berror($1, beacon_command_detail("findLoadedModule"));
+ return;
+ }
+ $modname = $2;
+ $procname = iff(-istrue $3, $3, "");
+ $args = bof_pack($1, "zz", $modname, $procname);
+ beacon_inline_execute($1, readbof($1, "findLoadedModule"), "go", $args);
+}
+
+beacon_command_register(
+ "findLoadedModule",
+ "Finds processes loading a specific dll",
+ "Usage:
+ findLoadedModule [opt: part proc name]
+
+ Searches are done in ** manner, so partial matches will hit
+ If you specify a proc name then only processes matching that partial hit will be searched"
+);
\ No newline at end of file
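Review bot: The `$modname` argument is never checked for an empty value, and the BOF matches it as a case-insensitive substring, so an empty `$2` passes the `size(@_)` check and reports every module of every enumerated process; a guard like `if ($2 eq "") { berror($1, "A module name is required"); return; }` before `bof_pack` keeps the output bounded. `$iswow64` is declared in `local()` but never assigned. The usage text in `beacon_command_register` names only the optional process argument; unless a placeholder was lost in rendering, it should also show the required module name, e.g. `findLoadedModule MODULE_NAME [opt: part proc name]`.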
diff --git a/SA/findLoadedModule/findLoadedModule.x64.o b/SA/findLoadedModule/findLoadedModule.x64.o new file mode 100644 index 0000000000000000000000000000000000000000..f2eca9bf360584d142248288994eff1d2a3dab12 GIT binary patch literal 4172 zcmZ`+Z){sv6~9iLq{*5k8x2%~!RzL%>6)Z=J0MI&_%%-ZtiE(+Nt&W4d@2MBNJ`iD(Wbt)MvA4<0mE-7?sq^%3x9=~(% z%ZnY4tN7jD{hf2qJ@?#m&wGh~zll-%RSRP~1oE<8%Q$KY>^vG6>-I2qMXCxtg+<1D z<54SGp{D?MH&zgUK^7_XPULdcZ0+bt(mPshkbKZPe*=oIU=#`-NyJl&3GrAyy zo>{GT61?KS zjxDI8>Oplx9Ud7yNQ-E&MN)n455Av}7XPu+|0Qry=TG@gf(-L>f%7{5f$!HC4Dt_j z{vBVRy~r14ZrN>5HNkDY@Og-s9(!B0|E3jsXrR7GTYX9FfWK^C3iDSX9OPFjsdsgL zRhZNGtFWv=ak1@Ghn(~ujbHG*HN9egjHG>d z5R@BOSfDJSB$>WGUPo~s2>e@x-*bpx@rUFee`9$*#9t}Wozdpt0D0aAT@A@}2wCCe zAioKx+*M{v)`J>=Gef z)}~LBXYiNeE<(J$;=P50ogx@K!16%QvGQtxnS!$nsFTW8+hrpM+ zVbYy^0wJNjujZgULtOJ9ANEa#`RirtzrwYzA-S=IE^(T;f<-Dsp+d+vxjgUsM(HYx z1H4_Na&QeHvKOE1qukHeQBAm7p2cR1Sd*3a!ZuxjpgfNgm5mgrt?wlZ-s@rBJ?Iv8Mzb6aa-pty+x6yyccuTf9vZ2&?!F#3dUGOc9ti^2fH;j9;^^v*~+4S7m#P0Oy ztjXUv-jMZ{>Mnq5+rZj9+t~(x(|BXHAwsOD*~^;ERSm{^9S5lA_)-0!{(TtT4CP}qKao$Rjw!BUyjrtcnaEp8JQ+`KwUk6M z9apSLLotnS3I}fx?aL)tD86}_x1otM;c7beHx(PYttN}#X=Vd)W z(#mciX=NXfv@+~+6F|~~-vafBxkVt#adc>R;8!oOM3nV+368!NBuA$&5#0kRrAjY3 z$_t4USL$;)T3t%Xb2*o?OLFwdBoXD1l+vA&T+l@!SE{+3?jp)CIhXF8oO{SckGay` zM3RzSw2y4Yp70oH%RJT_b2#cIGKriOH7&v(WJ4YDcg2# zYSKt$ckLWXN3*%fjJ1Ak8K_-5_a@EUs&GitN7YE!H)NUk3#? IH)gT_0ZB`4dH?_b literal 0 HcmV?d00001 
diff --git a/SA/findLoadedModule/findLoadedModule.x86.o b/SA/findLoadedModule/findLoadedModule.x86.o new file mode 100644 index 0000000000000000000000000000000000000000..ab8777ac255c379372acab825f88495ace4ce7b0 GIT binary patch literal 3694 zcmaJ^YiJx*6u#STmQYrjmK1ASb<|01v`w=~@KG(MO}9-oiD@>QV0~;i+1X}syA$W3 zHX3YMR~VLs3O;`LLyJ|!{gJbbH0Ld)iUm?-oibi712bxkzBPl5U4C8sP zqjBkW);!TPr0Z_~zuF_D)2bc50dc3_U;Ea!YA^NZman3VTi@mv)=uq`g8?X}f-T4E5t!rXs2pOOIQAMed19bW1wV)WBG-9i_zNR^<=UPIZSaVRq8vT?F;$eY%4mq z^7*Yu@HkgSzp>92w{sB&(1d6Z&krFlGYe_rnfW6TXRf?k zIRD(+Viw(VqDF3QkfhZm*CNsAH<$vdVNO@t46?ycQhs^(F}L8n+SedD!^EN9K+x)@ z0<9&8mNpT!bxs?$aV=St@BhaBIVZ}WUy!WN>`N#iUp99I`0grp&rx+JF}$uKpc@Ti z>Vf||0(=)HOsVjdu>lbtk!vGgLC?1atr3qQrf5y`NlwPG8!cpx9XwF_`1Iel9Xq&f&8Z7H5hoom&%UkxpQ+ zSomBh%kQGaEbl87X!?kJ6CCX(|BeRga?@Y7J--1Jrm;flEf5vSd}nDTO3v#2w%S>2*lMFi zt99}dk-e9P*iLPDX}E z+RSDTOP(-Qt=udPnTC|gq;j_!QaY1MNydmGY049(q8my|I;5t|tisryj*e~8rae9J zMk&(V)Y8<9+^@w=$3Mhwz>~@!VhtYJ<{{dj!rBjX9qtg@?{Om@ddfpbfY#v-u@^k< zEui(B`w~xj1BKWOp7aY4V)vksB1WHw5*`}y(71;z554H2Ge9(#5UayM!Al$HAs`XW z1QO9M0}0*6<@8%lx;uex;wTPuGe;vpt2oL7-NMn!Kr%-&KoUpa0a4{b>_;Fmf?E>Xz1;b_&;U6Xo(!6>}$gHK?c1B!<+qZm6R_ zcnl5Og?qk=*$3tXYUPYNsFI9*jhP9i@*9kjTON1}Go&xC#jEoB3(ldTFR<#X^4kmH zpsBV~ukyPK2|)9@Uj*iW!y*xARy)1w=5ch%2j#PjB~;TGH4XYsav4KQ>U3m0hR`$g za4s6j*fFO^jbKjrnD>1QohrI{NzMVZ7MYVVB&g zB!|`9gJM@y3)7mibnKIQj%SO!gwF?}eLc~x))sk>VmP^UD#_9IW}krQ9Td4e(sEVf zZiK6}p$tkEo(D52rDG(i^{d@x*2wHUY$)xmeit2@f?utERn3kl+0oXPSS~rLkEljF z%C;m|QNh-h-5E`WqZbUHEUXH>v5~DlXE|r*Z6u4fZdZRbXWR literal 0 HcmV?d00001 diff --git a/src/SA/findLoadedModule/Makefile b/src/SA/findLoadedModule/Makefile new file mode 100644 index 0000000..b52b5c7 --- /dev/null +++ b/src/SA/findLoadedModule/Makefile 
@@ -0,0 +1,25 @@
+BOFNAME := findLoadedModule
+COMINCLUDE := -I ../../common
+LIBINCLUDE := -lshlwapi
+CC_x64 := x86_64-w64-mingw32-gcc
+CC_x86 := i686-w64-mingw32-gcc
+CC=x86_64-w64-mingw32-clang
+
+all:
+ $(CC_x64) -o $(BOFNAME).x64.o $(COMINCLUDE) -Os -c entry.c -DBOF
+ $(CC_x86) -o $(BOFNAME).x86.o $(COMINCLUDE) -Os -c entry.c -DBOF
+ mkdir -p ../../../SA/$(BOFNAME)
+ mv $(BOFNAME)*.o ../../../SA/$(BOFNAME)
+
+test:
+ $(CC_x64) entry.c -g $(COMINCLUDE) $(LIBINCLUDE) -o $(BOFNAME).x64.exe
+ $(CC_x86) entry.c -g $(COMINCLUDE) $(LIBINCLUDE) -o $(BOFNAME).x86.exe
+
+scanbuild:
+ $(CC) entry.c -o $(BOFNAME).scanbuild.exe $(COMINCLUDE) $(LIBINCLUDE)
+
+check:
+ cppcheck --enable=all $(COMINCLUDE) --platform=win64 entry.c
+
+clean:
+ rm $(BOFNAME).*.exe
\ No newline at end of file
diff --git a/src/SA/findLoadedModule/entry.c b/src/SA/findLoadedModule/entry.c
new file mode 100644
index 0000000..1654d8f
--- /dev/null
+++ b/src/SA/findLoadedModule/entry.c
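Review bot: The `clean` target's `rm $(BOFNAME).*.exe` exits non-zero when no test binaries exist, so `make clean` fails on a fresh checkout; `rm -f $(BOFNAME).*.exe` is the usual form. None of `all`, `test`, `scanbuild`, `check` or `clean` produce a file of that name, so a `.PHONY: all test scanbuild check clean` line would stop a stray file from short-circuiting them. The `check` target only runs cppcheck with `--platform=win64`, while `all` also builds the x86 object; running it once per platform would cover both builds.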
@@ -0,0 +1,107 @@
+#include
+#include "bofdefs.h"
+#include "base.c"
+
+
+BOOL ListModules(DWORD PID, const char * modSearchString)
+{
+ MODULEENTRY32 modinfo = {0};
+ modinfo.dwSize = sizeof(MODULEENTRY32);
+ HANDLE hSnap = INVALID_HANDLE_VALUE;
+ DWORD count = 0;
+ BOOL retVal = FALSE;
+ hSnap = KERNEL32$CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, PID);
+ BOOL more = KERNEL32$Module32First(hSnap, &modinfo);
+ while(more)
+ {
+ if(SHLWAPI$StrStrIA(modinfo.szExePath, modSearchString))
+ {
+ //May be benificial to print off all hits even within a single process
+ internal_printf("%s\n", modinfo.szExePath);
+ retVal = TRUE;
+ //break;
+ }
+ more = KERNEL32$Module32Next(hSnap, &modinfo);
+ }
+
+ end:
+ if(hSnap != INVALID_HANDLE_VALUE) { KERNEL32$CloseHandle(hSnap); }
+ return retVal;
+
+}
+
+void ListProcesses(const char * procSearchString, const char * modSearchString)
+{
+ //Get snapshop of all procs
+ PROCESSENTRY32 procinfo = {0};
+ procinfo.dwSize = sizeof(PROCESSENTRY32);
+ HANDLE hSnap = INVALID_HANDLE_VALUE;
+ DWORD count = 0;
+ hSnap = KERNEL32$CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
+ if(hSnap == INVALID_HANDLE_VALUE)
+ {
+ BeaconPrintf(CALLBACK_ERROR, "Unable to list processes: %d", KERNEL32$GetLastError());
+ goto end;
+ }
+ //And now we Enumerate procs and Call up to List Modules with them
+ BOOL more = KERNEL32$Process32First(hSnap, &procinfo);
+ //internal_printf("First call returned : %d\n", more);
+ while(more)
+ {
+ if(!procSearchString || SHLWAPI$StrStrIA(procinfo.szExeFile, procSearchString))
+ {
+ if(ListModules(procinfo.th32ProcessID, modSearchString))
+ {
+ internal_printf("%-10d : %s\n", procinfo.th32ProcessID, procinfo.szExeFile);
+ count++;
+ }
+ }
+ more = KERNEL32$Process32Next(hSnap, &procinfo);
+ }
+ //Check that we exited because we were done and not an error
+ DWORD exitStatus = KERNEL32$GetLastError();
+ if(exitStatus != ERROR_NO_MORE_FILES)
+ {
+ BeaconPrintf(CALLBACK_ERROR, "Unable to enumerate all 
processes: %d", exitStatus);
+ goto end;
+ }
+
+ if(!count)
+ {
+ internal_printf("Successfully enumerated all processes, but didn't find the requested module");
+ }
+ end:
+ if(hSnap != INVALID_HANDLE_VALUE) { KERNEL32$CloseHandle(hSnap); }
+ return;
+}
+
+#ifdef BOF
+VOID go(
+ IN PCHAR Buffer,
+ IN ULONG Length
+)
+{
+ if(!bofstart())
+ {
+ return;
+ }
+ datap parser = {0};
+ BeaconDataParse(&parser, Buffer, Length);
+ const char * modSearchString = BeaconDataExtract(&parser, NULL); //Must Be set
+ const char * procSearchString = BeaconDataExtract(&parser, NULL);
+ procSearchString = (procSearchString[0]) ? procSearchString : NULL;
+
+ ListProcesses(procSearchString, modSearchString);
+ printoutput(TRUE);
+};
+
+#else
+
+int main()
+{
+ListProcesses("explorer", "ntdll");
+ListProcesses(NULL, "Kernel32.dll");
+ListProcesses(NULL, "asdfasdfadsf");
+}
+
+#endif
diff --git a/src/SA/get-netsession/entry.c b/src/SA/get-netsession/entry.c
index 2ee46b7..284038d 100644
--- a/src/SA/get-netsession/entry.c
+++ b/src/SA/get-netsession/entry.c
@@ -80,6 +80,7 @@ void NetSessions(wchar_t* hostname){
 NETAPI32$NetApiBufferFree(pBuf);
 pBuf = NULL;
 }
+
 } while (nStatus == ERROR_MORE_DATA);
 
 // Check again for an allocated buffer.
diff --git a/src/common/bofdefs.h b/src/common/bofdefs.h
index 963dd0c..ce241c7 100644
--- a/src/common/bofdefs.h
+++ b/src/common/bofdefs.h
@@ -6,11 +6,13 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
 #include
 #include
+#include
 
 //KERNEL32
 #ifdef BOF
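Review bot: `ListModules` hands the result of `KERNEL32$CreateToolhelp32Snapshot` straight to `KERNEL32$Module32First` without checking for `INVALID_HANDLE_VALUE`, unlike `ListProcesses`, so a process whose module list cannot be snapshotted (the WOW64 case the cna script warns about, or a process the caller lacks access to) is silently reported as "no match" rather than as inaccessible; `if(hSnap == INVALID_HANDLE_VALUE) { goto end; }` right after the snapshot call, ideally preceded by a `BeaconPrintf(CALLBACK_ERROR, ...)` carrying `KERNEL32$GetLastError()`, makes the two cases distinguishable to the operator. With that guard in place the `end:` label in `ListModules` is used; the `count` local in that function is never read and will draw a warning. In `go`, `procSearchString[0]` is dereferenced before a NULL return from `BeaconDataExtract` is ruled out, and `modSearchString` is only documented as "Must Be set": `procSearchString = (procSearchString && procSearchString[0]) ? procSearchString : NULL;` plus an early return when `modSearchString` is NULL or empty (an empty search string satisfies `SHLWAPI$StrStrIA` for every path) close both. The `;` after `go`'s closing brace is a stray empty declaration.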
@@ -72,6 +74,14 @@ DECLSPEC_IMPORT HGLOBAL KERNEL32$GlobalFree(HGLOBAL hMem);
 DECLSPEC_IMPORT LPTCH WINAPI KERNEL32$GetEnvironmentStrings();
 DECLSPEC_IMPORT WINBASEAPI BOOL WINAPI KERNEL32$FreeEnvironmentStringsA(LPSTR);
 WINBASEAPI DWORD WINAPI KERNEL32$ExpandEnvironmentStringsW (LPCWSTR lpSrc, LPWSTR lpDst, DWORD nSize);
+WINBASEAPI HANDLE WINAPI KERNEL32$CreateToolhelp32Snapshot(DWORD dwFlags,DWORD th32ProcessID);
+WINBASEAPI WINBOOL WINAPI KERNEL32$Process32First(HANDLE hSnapshot,LPPROCESSENTRY32 lppe);
+WINBASEAPI WINBOOL WINAPI KERNEL32$Process32Next(HANDLE hSnapshot,LPPROCESSENTRY32 lppe);
+WINBASEAPI WINBOOL WINAPI KERNEL32$Module32First(HANDLE hSnapshot,LPMODULEENTRY32 lpme);
+WINBASEAPI WINBOOL WINAPI KERNEL32$Module32Next(HANDLE hSnapshot,LPMODULEENTRY32 lpme);
+
+
+
 DECLSPEC_IMPORT WINBASEAPI int WINAPI KERNEL32$lstrlenA(LPCSTR);
 
 //WTSAPI32
@@ -172,6 +182,9 @@ WINUSERAPI LPWSTR WINAPI USER32$CharPrevW(LPCWSTR lpszStart,LPCWSTR lpszCurrent)
 //secur32
 WINBASEAPI BOOLEAN WINAPI SECUR32$GetUserNameExA (int NameFormat, LPSTR lpNameBuffer, PULONG nSize);
 
+//shlwapi
+LWSTDAPI_(LPSTR) SHLWAPI$StrStrIA(LPCSTR lpFirst,LPCSTR lpSrch);
+
 //advapi32
 WINADVAPI WINBOOL WINAPI ADVAPI32$OpenProcessToken (HANDLE ProcessHandle, DWORD DesiredAccess, PHANDLE TokenHandle);
 WINADVAPI WINBOOL WINAPI ADVAPI32$GetTokenInformation (HANDLE TokenHandle, TOKEN_INFORMATION_CLASS TokenInformationClass, LPVOID TokenInformation, DWORD TokenInformationLength, PDWORD ReturnLength);
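Review bot: The five new `KERNEL32$` prototypes in the first hunk are followed by three added blank lines, and they omit the `DECLSPEC_IMPORT` that the neighbouring `KERNEL32$GetEnvironmentStrings` and `KERNEL32$FreeEnvironmentStringsA` declarations carry (the preceding `ExpandEnvironmentStringsW` line already omits it, so this may be deliberate); dropping the blank lines and settling on one form keeps the block consistent. A one-line comment such as `//toolhelp32 (requires the tlhelp32 header added above)` before the group would explain why these sit apart from the other KERNEL32 entries.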
@@ -318,6 +331,8 @@ DECLSPEC_IMPORT DWORD WINAPI VERSION$GetFileVersionInfoSizeA(LPCSTR lptstrFilena
 DECLSPEC_IMPORT WINBOOL WINAPI VERSION$GetFileVersionInfoA(LPCSTR lptstrFilename, DWORD dwHandle, DWORD dwLen, LPVOID lpData);
 DECLSPEC_IMPORT WINBOOL WINAPI VERSION$VerQueryValueA(LPCVOID pBlock, LPCSTR lpSubBlock, LPVOID *lplpBuffer, PUINT puLen);
 
+
+
 #else
 #define intAlloc(size) KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, size)
 #define intRealloc(ptr, size) (ptr) ? KERNEL32$HeapReAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, ptr, size) : KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, size)
@@ -360,7 +375,7 @@ DECLSPEC_IMPORT WINBOOL WINAPI VERSION$VerQueryValueA(LPCVOID pBlock, LPCSTR lpS
 #define KERNEL32$DeleteFileW DeleteFileW
 #define KERNEL32$CreateFileW CreateFileW
 #define KERNEL32$GetFileSize GetFileSize
-#define KERNEL32$ReadFile ReadFile
+#define KERNEL32$ReadFile ReadFile
 #define KERNEL32$OpenProcess OpenProcess
 #define KERNEL32$GetComputerNameExW GetComputerNameExW
 #define KERNEL32$lstrlenW lstrlenW
@@ -374,20 +389,30 @@ DECLSPEC_IMPORT WINBOOL WINAPI VERSION$VerQueryValueA(LPCVOID pBlock, LPCSTR lpS
 #define KERNEL32$FindClose FindClose
 #define KERNEL32$SetLastError SetLastError
 #define KERNEL32$HeapAlloc HeapAlloc
+#define KERNEL32$HeapReAlloc HeapReAlloc
 #define KERNEL32$HeapFree HeapFree
 #define MSVCRT$memset memset
 #define KERNEL32$GlobalAlloc GlobalAlloc
 #define KERNEL32$GlobalFree GlobalFree
 #define KERNEL32$GetEnvironmentStrings GetEnvironmentStrings
 #define KERNEL32$FreeEnvironmentStringsA FreeEnvironmentStringsA
-#define KERNEL32$ExpandEnvironmentStringsW ExpandEnvironmentStringsW
+#define KERNEL32$ExpandEnvironmentStringsW ExpandEnvironmentStringsW
+#define KERNEL32$CreateToolhelp32Snapshot CreateToolhelp32Snapshot
+#define KERNEL32$Process32First Process32First
+#define KERNEL32$Process32Next Process32Next
+#define KERNEL32$Module32First Module32First
+#define KERNEL32$Module32Next Module32Next
 #define KERNEL32$lstrlenA lstrlenA
+#define WTSAPI32$WTSEnumerateSessionsA WTSEnumerateSessionsA
+#define WTSAPI32$WTSQuerySessionInformationA WTSQuerySessionInformationA
+#define WTSAPI32$WTSFreeMemory WTSFreeMemory
 #define IPHLPAPI$GetAdaptersInfo GetAdaptersInfo
 #define IPHLPAPI$GetAdaptersInfo GetAdaptersInfo
 #define IPHLPAPI$GetIpForwardTable GetIpForwardTable
 #define IPHLPAPI$GetNetworkParams GetNetworkParams
 #define IPHLPAPI$GetUdpTable GetUdpTable
 #define IPHLPAPI$GetTcpTable GetTcpTable
+#define IPHLPAPI$GetIpNetTable GetIpNetTable
 #define MSVCRT$calloc calloc
 #define MSVCRT$memcpy memcpy
 #define MSVCRT$realloc realloc
@@ -399,7 +424,6 @@ DECLSPEC_IMPORT WINBOOL WINAPI VERSION$VerQueryValueA(LPCVOID pBlock, LPCSTR lpS
 #define MSVCRT$wcscpy_s wcscpy_s
 #define MSVCRT$wcslen wcslen
 #define MSVCRT$sprintf sprintf
-#define MSVCRT$strncmp strncmp
 #define MSVCRT$wcscmp wcscmp
 #define MSVCRT$wcstok wcstok
 #define MSVCRT$wcsstr wcsstr
@@ -411,12 +435,13 @@ DECLSPEC_IMPORT WINBOOL WINAPI VERSION$VerQueryValueA(LPCVOID pBlock, LPCSTR lpS
 #define MSVCRT$wcsncat wcsncat
 #define MSVCRT$wcsrchr wcsrchr
 #define MSVCRT$wcsrchr wcsrchr
+#define MSVCRT$strcat strcat
 #define MSVCRT$strnlen strnlen
 #define MSVCRT$strlen strlen
 #define MSVCRT$strcmp strcmp
+#define MSVCRT$strncmp strncmp
 #define MSVCRT$strcpy strcpy
 #define MSVCRT$strstr strstr
-#define MSVCRT$strcat strcat
 #define MSVCRT$strtok strtok
 #define MSVCRT$strtok_s strtok_s
 #define MSVCRT$strtoul strtoul
@@ -457,10 +482,8 @@ DECLSPEC_IMPORT WINBOOL WINAPI VERSION$VerQueryValueA(LPCVOID pBlock, LPCSTR lpS
 #define USER32$GetWindowTextA GetWindowTextA
 #define USER32$GetClassNameA GetClassNameA
 #define USER32$CharPrevW CharPrevW
-#define WTSAPI32$WTSEnumerateSessionsA WTSEnumerateSessionsA
-#define WTSAPI32$WTSQuerySessionInformationA WTSQuerySessionInformationA
-#define WTSAPI32$WTSFreeMemory WTSFreeMemory
 #define SECUR32$GetUserNameExA GetUserNameExA
+#define SHLWAPI$StrStrIA StrStrIA
 #define ADVAPI32$OpenProcessToken OpenProcessToken
 #define ADVAPI32$GetTokenInformation GetTokenInformation
 #define ADVAPI32$ConvertSidToStringSidA ConvertSidToStringSidA