teebow1e/content.md

## content.md

      
    Raw
  

              content.md
            
          
    Havoc demon.x64.exe — API Hash Table


Extracted dynamically via Frida by hooking get_dll_base_by_hash and get_function_address_by_hash.

DLL Hashes


DLL Name
Hash


ntdll.dll
0x70e61753


KERNEL32.DLL
0xadd31df0


demon.x64.exe
0x00000000


ntdll.dll — Function Hashes


Function
Hash


LdrGetProcedureAddress
0xfce76bb6


LdrLoadDll
0x9e456a43


RtlAllocateHeap
0x3be94c5a


RtlReAllocateHeap
0xaf740371


RtlFreeHeap
0x73a9e4d7


RtlExitUserThread
0x2f6db5e8


RtlExitUserProcess
0x0057c72f


RtlRandom
0x7f1224f5


RtlNtStatusToDosError
0x39d7c890


RtlGetVersion
0x0dde5cdd


RtlCreateTimerQueue
0x50ef3c31


RtlCreateTimer
0x1877faec


RtlQueueWorkItem
0xae92028e


RtlRegisterWait
0x600fe691


RtlDeleteTimerQueue
0xeec188b0


RtlCaptureContext
0xeba8d910


RtlAddVectoredExceptionHandler
0x2df06c89


RtlRemoveVectoredExceptionHandler
0xad1b018e


RtlCopyMappedMemory
0x5b56b302


NtClose
0x40d6e69d


NtCreateEvent
0x28d3233d


NtSetEvent
0xcb87d8b5


NtSetInformationThread
0x0c3c03f1


NtSetInformationVirtualMemory
0x946ac239


NtGetNextThread
0xa410fb9e


NtOpenProcess
0x4b82f718


NtTerminateProcess
0x4ed9dd4f


NtQueryInformationProcess
0x8cdc5dc2


NtQuerySystemInformation
0x7bc23928


NtAllocateVirtualMemory
0xf783b8ec


NtQueueApcThread
0x0a6664b8


NtOpenThread
0x968e0cb1


NtOpenThreadToken
0x803347d2


NtResumeThread
0x5a4bc3d0


NtSuspendThread
0xe43d93e1


NtDuplicateObject
0x4441d859


NtGetContextThread
0x6d22f884


NtSetContextThread
0xffa0bf10


NtWaitForSingleObject
0xe8ac0c3c


NtAlertResumeThread
0x5ba11e28


NtSignalAndWaitForSingleObject
0x78983aed


NtTestAlert
0x858a32df


NtCreateThreadEx
0xaf18cfb0


NtOpenProcessToken
0x350dca99


NtDuplicateToken
0x8e160b23


NtProtectVirtualMemory
0x50e92888


NtTerminateThread
0xccf58808


NtWriteVirtualMemory
0xc3170192


NtContinue
0xfc3a6c2c


NtReadVirtualMemory
0xa3288103


NtFreeVirtualMemory
0x2802c609


NtUnmapViewOfSection
0x6aa412cd


NtQueryVirtualMemory
0x10c0e85d


NtQueryInformationToken
0x0f371fe4


NtQueryInformationThread
0xf5a0461b


NtQueryObject
0xc85dc9b4


NtTraceEvent
0x70c25cd8


KERNEL32.DLL — Function Hashes


Function
Hash


LoadLibraryW
0xb7072ff1


VirtualProtectEx
0x5b6b908a


VirtualProtect
0xe857500d


LocalAlloc
0x72073b5b


LocalReAlloc
0x1c44e892


LocalFree
0x32030e92


CreateRemoteThread
0x252b157d


CreateToolhelp32Snapshot
0xf37ac035


Process32FirstW
0xb06fa1a8


Process32NextW
0x43f6e75f


CreatePipe
0x9694e9e7


CreateProcessW
0xfbaf90cf


GetFullPathNameW
0xa6a2249d


CreateFileW
0x687d2110


GetFileSize
0x7b813820


GetFileSizeEx
0x60afc95d


CreateNamedPipeW
0xa05e2a83


ConvertFiberToThread
0x11b30049


CreateFiberEx
0x7b94a3fe


ReadFile
0x84d15061


VirtualAllocEx
0x5775bd54


WaitForSingleObjectEx
0x512e1b97


GetComputerNameExA
0xec725c53


GetExitCodeProcess
0xa7c5fd39


GetExitCodeThread
0x538852b2


TerminateProcess
0xf3c179ad


ConvertThreadToFiberEx
0xd139cc66


SwitchToFiber
0x14fc3cc2


DeleteFiber
0x99beb7a0


AllocConsole
0x3c2fba83


FreeConsole
0xa4e66f3a


GetConsoleWindow
0x0c2c4270


GetStdHandle
0x9ab85b1c


SetStdHandle
0xe620bba8


WaitNamedPipeW
0x50ac3c84


PeekNamedPipe
0xd5312e5d


DisconnectNamedPipe
0x342bd542


WriteFile
0xf1d207d0


ConnectNamedPipe
0x436e4c62


FreeLibrary
0x4ad9b11c


GetCurrentDirectoryW
0x3d54a9f4


GetFileAttributesW
0xf30aab23


FindFirstFileW
0xf67b31a5


FindNextFileW
0x3626633c


FindClose
0x42ade43c


FileTimeToSystemTime
0x7a047cab


SystemTimeToTzSpecificLocalTime
0x77b0aa6a


RemoveDirectoryW
0xb6af709f


DeleteFileW
0x99bee22f


CreateDirectoryW
0xb717be65


CopyFileW
0x39e8f317


MoveFileExW
0xd356ecf0


SetCurrentDirectoryW
0xcf2ad680


Wow64DisableWow64FsRedirection
0x40750b38


Wow64RevertWow64FsRedirection
0x0c993b9c


GetModuleHandleA
0xd908e1d8


GetSystemTimeAsFileTime
0x7a14b61c


GetLocalTime
0x71842fbf


DuplicateHandle
0x95f45a6c


AttachConsole
0x3f9eed0d


WriteConsoleA
0x271da464


GlobalFree
0x47886698


WinHttpOpen
0x613eace5


WinHttpConnect
0x81e0c81d


WinHttpOpenRequest
0xb06d900e


WinHttpSetOption
0x5b6ad378


WinHttpCloseHandle
0xa7355f15


WinHttpSendRequest
0x7739d0e6


WinHttpAddRequestHeaders
0xa2c0b0e1


WinHttpReceiveResponse
0xae351ae5


WinHttpReadData
0x75064b89


WinHttpQueryHeaders
0xcc1a89c5


WinHttpGetIEProxyConfigForCurrentUser
0x028197a2


WinHttpGetProxyForUrl
0xa2cf3c6f


_vsnprintf
0xe212f2ef


swprintf_s
0x481aa3d4


GetAdaptersInfo
0x37cada45


SafeArrayAccessData
0xf6a0d34f


SafeArrayUnaccessData
0xe981b312


SafeArrayCreate
0x53ec8017


SafeArrayPutElement
0x0311f586


SafeArrayCreateVector
0x6b6a636a


SafeArrayDestroy
0x012b6aed


SysAllocString
0x3351eb46


ShowWindow
0x29bbc91e


GetSystemMetrics
0x287c6401


GetDC
0x0d2b106c


ReleaseDC
0x6fbc050d


WSAStartup
0x142e89c3


WSACleanup
0x32206eb8


WSASocketA
0x08a4d8fa


WSAGetLastError
0x9c1d912e


ioctlsocket
0xd5e978a9


bind
0x7c828162


listen
0xbe7f0354


accept
0xa460acf5


closesocket
0x185953a4


recv
0x7c8b3515


send
0x7c8bc2cf


connect
0xe73478ef


getaddrinfo
0x4b91706c


FreeAddrInfoW
0x0307204e


NetLocalGroupEnum
0x910ca519


NetGroupEnum
0x11254b4e


NetUserEnum
0xeb3b8f20


NetWkstaUserEnum
0x6bec8d0a


NetSessionEnum
0xf155c7e5


NetShareEnum
0x0ef26c94


NetApiBufferFree
0x694e2662


LsaRegisterLogonProcess
0xd8f30a28


LsaLookupAuthenticationPackage
0x876cc00b


LsaDeregisterLogonProcess
0x8aba5ef1


LsaConnectUntrusted
0x1da98b7d


LsaFreeReturnBuffer
0x916b1321


LsaCallAuthenticationPackage
0x6d1a042d


LsaGetLogonSessionData
0x1c698f42


LsaEnumerateLogonSessions
0xbca01141


GetCurrentObject
0xfe6f663f


GetObjectW
0xa04fbb33


CreateCompatibleDC
0xd0b24920


CreateDIBSection
0x2c2309dd


SelectObject
0x96a6b43c


BitBlt
0xa72badc6


DeleteObject
0xe619cf2f


DeleteDC
0xb2fa1ebf


CommandLineToArgvW
0xec6ba0d6


GetTokenInformation
0x10357d2c


CreateProcessWithTokenW
0xf3e5480c


CreateProcessWithLogonW
0xe139fc0a


RevertToSelf
0x7292758a


GetUserNameA
0xfca17e46


LogonUserW
0x5ed5d61a


LookupPrivilegeValueA
0x1e344064


LookupAccountSidA
0xd51fdf8d


LookupAccountSidW
0xd51fdfa3


OpenThreadToken
0xe249d070


OpenProcessToken
0xd9f566f7


AdjustTokenPrivileges
0x677fbb8b


LookupPrivilegeNameA
0x843a85e8


SystemFunction032
0xe58c8805


FreeSid
0xd47b1967


SetSecurityDescriptorSacl
0x5c0cc90b


SetSecurityDescriptorDacl
0x5c048f5c


InitializeSecurityDescriptor
0x31e175ce


AddMandatoryAce
0x9fb18806


InitializeAcl
0x136c4367


AllocateAndInitializeSid
0xa9174a4f


CheckTokenMembership
0x1cf324d0


SetEntriesInAclW
0x0d396389


SetThreadToken
0xc9f4966a


LsaNtStatusToWinError
0x9d5beb66


EqualSid
0x4fa8b17d


ConvertSidToStringSidW
0x2fb2f7d7


GetSidSubAuthorityCount
0xd4c0dda1


GetSidSubAuthority
0x0e5d12f8
DLL Name	Hash
`ntdll.dll`	`0x70e61753`
`KERNEL32.DLL`	`0xadd31df0`
`demon.x64.exe`	`0x00000000`
Function	Hash
`LdrGetProcedureAddress`	`0xfce76bb6`
`LdrLoadDll`	`0x9e456a43`
`RtlAllocateHeap`	`0x3be94c5a`
`RtlReAllocateHeap`	`0xaf740371`
`RtlFreeHeap`	`0x73a9e4d7`
`RtlExitUserThread`	`0x2f6db5e8`
`RtlExitUserProcess`	`0x0057c72f`
`RtlRandom`	`0x7f1224f5`
`RtlNtStatusToDosError`	`0x39d7c890`
`RtlGetVersion`	`0x0dde5cdd`
`RtlCreateTimerQueue`	`0x50ef3c31`
`RtlCreateTimer`	`0x1877faec`
`RtlQueueWorkItem`	`0xae92028e`
`RtlRegisterWait`	`0x600fe691`
`RtlDeleteTimerQueue`	`0xeec188b0`
`RtlCaptureContext`	`0xeba8d910`
`RtlAddVectoredExceptionHandler`	`0x2df06c89`
`RtlRemoveVectoredExceptionHandler`	`0xad1b018e`
`RtlCopyMappedMemory`	`0x5b56b302`
`NtClose`	`0x40d6e69d`
`NtCreateEvent`	`0x28d3233d`
`NtSetEvent`	`0xcb87d8b5`
`NtSetInformationThread`	`0x0c3c03f1`
`NtSetInformationVirtualMemory`	`0x946ac239`
`NtGetNextThread`	`0xa410fb9e`
`NtOpenProcess`	`0x4b82f718`
`NtTerminateProcess`	`0x4ed9dd4f`
`NtQueryInformationProcess`	`0x8cdc5dc2`
`NtQuerySystemInformation`	`0x7bc23928`
`NtAllocateVirtualMemory`	`0xf783b8ec`
`NtQueueApcThread`	`0x0a6664b8`
`NtOpenThread`	`0x968e0cb1`
`NtOpenThreadToken`	`0x803347d2`
`NtResumeThread`	`0x5a4bc3d0`
`NtSuspendThread`	`0xe43d93e1`
`NtDuplicateObject`	`0x4441d859`
`NtGetContextThread`	`0x6d22f884`
`NtSetContextThread`	`0xffa0bf10`
`NtWaitForSingleObject`	`0xe8ac0c3c`
`NtAlertResumeThread`	`0x5ba11e28`
`NtSignalAndWaitForSingleObject`	`0x78983aed`
`NtTestAlert`	`0x858a32df`
`NtCreateThreadEx`	`0xaf18cfb0`
`NtOpenProcessToken`	`0x350dca99`
`NtDuplicateToken`	`0x8e160b23`
`NtProtectVirtualMemory`	`0x50e92888`
`NtTerminateThread`	`0xccf58808`
`NtWriteVirtualMemory`	`0xc3170192`
`NtContinue`	`0xfc3a6c2c`
`NtReadVirtualMemory`	`0xa3288103`
`NtFreeVirtualMemory`	`0x2802c609`
`NtUnmapViewOfSection`	`0x6aa412cd`
`NtQueryVirtualMemory`	`0x10c0e85d`
`NtQueryInformationToken`	`0x0f371fe4`
`NtQueryInformationThread`	`0xf5a0461b`
`NtQueryObject`	`0xc85dc9b4`
`NtTraceEvent`	`0x70c25cd8`
Function	Hash
`LoadLibraryW`	`0xb7072ff1`
`VirtualProtectEx`	`0x5b6b908a`
`VirtualProtect`	`0xe857500d`
`LocalAlloc`	`0x72073b5b`
`LocalReAlloc`	`0x1c44e892`
`LocalFree`	`0x32030e92`
`CreateRemoteThread`	`0x252b157d`
`CreateToolhelp32Snapshot`	`0xf37ac035`
`Process32FirstW`	`0xb06fa1a8`
`Process32NextW`	`0x43f6e75f`
`CreatePipe`	`0x9694e9e7`
`CreateProcessW`	`0xfbaf90cf`
`GetFullPathNameW`	`0xa6a2249d`
`CreateFileW`	`0x687d2110`
`GetFileSize`	`0x7b813820`
`GetFileSizeEx`	`0x60afc95d`
`CreateNamedPipeW`	`0xa05e2a83`
`ConvertFiberToThread`	`0x11b30049`
`CreateFiberEx`	`0x7b94a3fe`
`ReadFile`	`0x84d15061`
`VirtualAllocEx`	`0x5775bd54`
`WaitForSingleObjectEx`	`0x512e1b97`
`GetComputerNameExA`	`0xec725c53`
`GetExitCodeProcess`	`0xa7c5fd39`
`GetExitCodeThread`	`0x538852b2`
`TerminateProcess`	`0xf3c179ad`
`ConvertThreadToFiberEx`	`0xd139cc66`
`SwitchToFiber`	`0x14fc3cc2`
`DeleteFiber`	`0x99beb7a0`
`AllocConsole`	`0x3c2fba83`
`FreeConsole`	`0xa4e66f3a`
`GetConsoleWindow`	`0x0c2c4270`
`GetStdHandle`	`0x9ab85b1c`
`SetStdHandle`	`0xe620bba8`
`WaitNamedPipeW`	`0x50ac3c84`
`PeekNamedPipe`	`0xd5312e5d`
`DisconnectNamedPipe`	`0x342bd542`
`WriteFile`	`0xf1d207d0`
`ConnectNamedPipe`	`0x436e4c62`
`FreeLibrary`	`0x4ad9b11c`
`GetCurrentDirectoryW`	`0x3d54a9f4`
`GetFileAttributesW`	`0xf30aab23`
`FindFirstFileW`	`0xf67b31a5`
`FindNextFileW`	`0x3626633c`
`FindClose`	`0x42ade43c`
`FileTimeToSystemTime`	`0x7a047cab`
`SystemTimeToTzSpecificLocalTime`	`0x77b0aa6a`
`RemoveDirectoryW`	`0xb6af709f`
`DeleteFileW`	`0x99bee22f`
`CreateDirectoryW`	`0xb717be65`
`CopyFileW`	`0x39e8f317`
`MoveFileExW`	`0xd356ecf0`
`SetCurrentDirectoryW`	`0xcf2ad680`
`Wow64DisableWow64FsRedirection`	`0x40750b38`
`Wow64RevertWow64FsRedirection`	`0x0c993b9c`
`GetModuleHandleA`	`0xd908e1d8`
`GetSystemTimeAsFileTime`	`0x7a14b61c`
`GetLocalTime`	`0x71842fbf`
`DuplicateHandle`	`0x95f45a6c`
`AttachConsole`	`0x3f9eed0d`
`WriteConsoleA`	`0x271da464`
`GlobalFree`	`0x47886698`
`WinHttpOpen`	`0x613eace5`
`WinHttpConnect`	`0x81e0c81d`
`WinHttpOpenRequest`	`0xb06d900e`
`WinHttpSetOption`	`0x5b6ad378`
`WinHttpCloseHandle`	`0xa7355f15`
`WinHttpSendRequest`	`0x7739d0e6`
`WinHttpAddRequestHeaders`	`0xa2c0b0e1`
`WinHttpReceiveResponse`	`0xae351ae5`
`WinHttpReadData`	`0x75064b89`
`WinHttpQueryHeaders`	`0xcc1a89c5`
`WinHttpGetIEProxyConfigForCurrentUser`	`0x028197a2`
`WinHttpGetProxyForUrl`	`0xa2cf3c6f`
`_vsnprintf`	`0xe212f2ef`
`swprintf_s`	`0x481aa3d4`
`GetAdaptersInfo`	`0x37cada45`
`SafeArrayAccessData`	`0xf6a0d34f`
`SafeArrayUnaccessData`	`0xe981b312`
`SafeArrayCreate`	`0x53ec8017`
`SafeArrayPutElement`	`0x0311f586`
`SafeArrayCreateVector`	`0x6b6a636a`
`SafeArrayDestroy`	`0x012b6aed`
`SysAllocString`	`0x3351eb46`
`ShowWindow`	`0x29bbc91e`
`GetSystemMetrics`	`0x287c6401`
`GetDC`	`0x0d2b106c`
`ReleaseDC`	`0x6fbc050d`
`WSAStartup`	`0x142e89c3`
`WSACleanup`	`0x32206eb8`
`WSASocketA`	`0x08a4d8fa`
`WSAGetLastError`	`0x9c1d912e`
`ioctlsocket`	`0xd5e978a9`
`bind`	`0x7c828162`
`listen`	`0xbe7f0354`
`accept`	`0xa460acf5`
`closesocket`	`0x185953a4`
`recv`	`0x7c8b3515`
`send`	`0x7c8bc2cf`
`connect`	`0xe73478ef`
`getaddrinfo`	`0x4b91706c`
`FreeAddrInfoW`	`0x0307204e`
`NetLocalGroupEnum`	`0x910ca519`
`NetGroupEnum`	`0x11254b4e`
`NetUserEnum`	`0xeb3b8f20`
`NetWkstaUserEnum`	`0x6bec8d0a`
`NetSessionEnum`	`0xf155c7e5`
`NetShareEnum`	`0x0ef26c94`
`NetApiBufferFree`	`0x694e2662`
`LsaRegisterLogonProcess`	`0xd8f30a28`
`LsaLookupAuthenticationPackage`	`0x876cc00b`
`LsaDeregisterLogonProcess`	`0x8aba5ef1`
`LsaConnectUntrusted`	`0x1da98b7d`
`LsaFreeReturnBuffer`	`0x916b1321`
`LsaCallAuthenticationPackage`	`0x6d1a042d`
`LsaGetLogonSessionData`	`0x1c698f42`
`LsaEnumerateLogonSessions`	`0xbca01141`
`GetCurrentObject`	`0xfe6f663f`
`GetObjectW`	`0xa04fbb33`
`CreateCompatibleDC`	`0xd0b24920`
`CreateDIBSection`	`0x2c2309dd`
`SelectObject`	`0x96a6b43c`
`BitBlt`	`0xa72badc6`
`DeleteObject`	`0xe619cf2f`
`DeleteDC`	`0xb2fa1ebf`
`CommandLineToArgvW`	`0xec6ba0d6`
`GetTokenInformation`	`0x10357d2c`
`CreateProcessWithTokenW`	`0xf3e5480c`
`CreateProcessWithLogonW`	`0xe139fc0a`
`RevertToSelf`	`0x7292758a`
`GetUserNameA`	`0xfca17e46`
`LogonUserW`	`0x5ed5d61a`
`LookupPrivilegeValueA`	`0x1e344064`
`LookupAccountSidA`	`0xd51fdf8d`
`LookupAccountSidW`	`0xd51fdfa3`
`OpenThreadToken`	`0xe249d070`
`OpenProcessToken`	`0xd9f566f7`
`AdjustTokenPrivileges`	`0x677fbb8b`
`LookupPrivilegeNameA`	`0x843a85e8`
`SystemFunction032`	`0xe58c8805`
`FreeSid`	`0xd47b1967`
`SetSecurityDescriptorSacl`	`0x5c0cc90b`
`SetSecurityDescriptorDacl`	`0x5c048f5c`
`InitializeSecurityDescriptor`	`0x31e175ce`
`AddMandatoryAce`	`0x9fb18806`
`InitializeAcl`	`0x136c4367`
`AllocateAndInitializeSid`	`0xa9174a4f`
`CheckTokenMembership`	`0x1cf324d0`
`SetEntriesInAclW`	`0x0d396389`
`SetThreadToken`	`0xc9f4966a`
`LsaNtStatusToWinError`	`0x9d5beb66`
`EqualSid`	`0x4fa8b17d`
`ConvertSidToStringSidW`	`0x2fb2f7d7`
`GetSidSubAuthorityCount`	`0xd4c0dda1`
`GetSidSubAuthority`	`0x0e5d12f8`