From 96a9f9647c0c69a485490db978325804934ed18e Mon Sep 17 00:00:00 2001 
From: khz_df Date: Mon, 6 May 2019 17:05:33 +0800 Subject: [PATCH] =?UTF-8?q?=E3=80=90=E5=90=84=E7=A7=8D=E5=8F=8D=E8=B0=83?= =?UTF-8?q?=E8=AF=95=E6=8A=80=E6=9C=AF=E5=8E=9F=E7=90=86=E4=B8=8E=E5=AE=9E?= =?UTF-8?q?=E4=BE=8B=20VC=E7=89=88=E3=80=91https://github.com/wanttobeno/A?= =?UTF-8?q?ntiDebuggers=20=EF=BC=9Bhttps://bbs.pediy.com/thread-114767.htm?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .gitignore | 58 + course/ScyllaHide/DetectOD/About.cpp | 43 + course/ScyllaHide/DetectOD/About.h | 46 + course/ScyllaHide/DetectOD/DetectOD.cpp | 74 ++ course/ScyllaHide/DetectOD/DetectOD.h | 49 + course/ScyllaHide/DetectOD/DetectOD.rc | 239 ++++ course/ScyllaHide/DetectOD/DetectOD.sln | 20 + course/ScyllaHide/DetectOD/DetectOD.vcxproj | 169 +++ .../DetectOD/DetectOD.vcxproj.filters | 69 + course/ScyllaHide/DetectOD/DetectODDlg.cpp | 1138 +++++++++++++++++ course/ScyllaHide/DetectOD/DetectODDlg.h | 82 ++ course/ScyllaHide/DetectOD/ReadMe.txt | 88 ++ course/ScyllaHide/DetectOD/StdAfx.cpp | 8 + course/ScyllaHide/DetectOD/StdAfx.h | 27 + course/ScyllaHide/DetectOD/res/DetectOD.ico | Bin 0 -> 1078 bytes course/ScyllaHide/DetectOD/res/DetectOD.rc2 | 13 + course/ScyllaHide/DetectOD/res/User.ico | Bin 0 -> 3638 bytes course/ScyllaHide/DetectOD/res/dog.ico | Bin 0 -> 96542 bytes course/ScyllaHide/DetectOD/res/home.ico | Bin 0 -> 93310 bytes course/ScyllaHide/DetectOD/resource.h | 51 + course/ScyllaHide/DetectOD/tlssup.c | 21 + 21 files changed, 2195 insertions(+) create mode 100644 .gitignore create mode 100644 course/ScyllaHide/DetectOD/About.cpp create mode 100644 course/ScyllaHide/DetectOD/About.h create mode 100644 course/ScyllaHide/DetectOD/DetectOD.cpp create mode 100644 course/ScyllaHide/DetectOD/DetectOD.h create mode 100644 course/ScyllaHide/DetectOD/DetectOD.rc create mode 100644 course/ScyllaHide/DetectOD/DetectOD.sln create mode 100644 course/ScyllaHide/DetectOD/DetectOD.vcxproj create mode 100644 
course/ScyllaHide/DetectOD/DetectOD.vcxproj.filters create mode 100644 course/ScyllaHide/DetectOD/DetectODDlg.cpp create mode 100644 course/ScyllaHide/DetectOD/DetectODDlg.h create mode 100644 course/ScyllaHide/DetectOD/ReadMe.txt create mode 100644 course/ScyllaHide/DetectOD/StdAfx.cpp create mode 100644 course/ScyllaHide/DetectOD/StdAfx.h create mode 100644 course/ScyllaHide/DetectOD/res/DetectOD.ico create mode 100644 course/ScyllaHide/DetectOD/res/DetectOD.rc2 create mode 100644 course/ScyllaHide/DetectOD/res/User.ico create mode 100644 course/ScyllaHide/DetectOD/res/dog.ico create mode 100644 course/ScyllaHide/DetectOD/res/home.ico create mode 100644 course/ScyllaHide/DetectOD/resource.h create mode 100644 course/ScyllaHide/DetectOD/tlssup.c diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..5118f1f --- /dev/null +++ b/.gitignore @@ -0,0 +1,58 @@ +# Prerequisites +*.d + +# Compiled Object files +*.slo +*.lo +*.o +*.obj + +# Precompiled Headers +*.gch +*.pch + +# Compiled Dynamic libraries +*.so +*.dylib +*.dll + +# Fortran module files +*.mod +*.smod + +# Compiled Static libraries +*.lai +*.la +*.a +*.lib + +# Executables +*.exe +*.out +*.app + +#¹ýÂËÊý¾Ý¿âÎļþ¡¢sln½â¾ö·½°¸Îļþ¡¢ÅäÖÃÎļþ +*.suo +*.user +*.sdf +*.mdb +*.ldb +*.config +*.pdb +*.ilk +*.ipdb +*.iobj +*.aps +*.opensdf +*.exp + +#¹ýÂËÎļþ¼ÐDebug,Release,obj +.vs/ +.bak/ +ipch/ +Debug/ +Debug_cef/ +Release/ +obj/ +AutoLogin_VS2012/bin/bin.rar +Heart/Tangram/SHARE diff --git a/course/ScyllaHide/DetectOD/About.cpp b/course/ScyllaHide/DetectOD/About.cpp new file mode 100644 index 0000000..32af8a7 --- /dev/null +++ b/course/ScyllaHide/DetectOD/About.cpp 
@@ -0,0 +1,43 @@
+// About.cpp : implementation file
+//
+
+#include "stdafx.h"
+#include "DetectOD.h"
+#include "About.h"
+
+#ifdef _DEBUG
+#define new DEBUG_NEW
+#undef THIS_FILE
+static char THIS_FILE[] = __FILE__;
+#endif
+
+/////////////////////////////////////////////////////////////////////////////
+// CAbout dialog
+
+
+CAbout::CAbout(CWnd* pParent /*=NULL*/)
+ : CDialog(CAbout::IDD, pParent)
+{
+ //{{AFX_DATA_INIT(CAbout)
+ // NOTE: the ClassWizard will add member initialization here
+ //}}AFX_DATA_INIT
+}
+
+
+void CAbout::DoDataExchange(CDataExchange* pDX)
+{
+ CDialog::DoDataExchange(pDX);
+ //{{AFX_DATA_MAP(CAbout)
+ // NOTE: the ClassWizard will add DDX and DDV calls here
+ //}}AFX_DATA_MAP
+}
+
+
+BEGIN_MESSAGE_MAP(CAbout, CDialog)
+ //{{AFX_MSG_MAP(CAbout)
+ // NOTE: the ClassWizard will add message map macros here
+ //}}AFX_MSG_MAP
+END_MESSAGE_MAP()
+
+/////////////////////////////////////////////////////////////////////////////
+// CAbout message handlers
diff --git a/course/ScyllaHide/DetectOD/About.h b/course/ScyllaHide/DetectOD/About.h
new file mode 100644
index 0000000..c56ed32
--- /dev/null
+++ b/course/ScyllaHide/DetectOD/About.h
@@ -0,0 +1,46 @@
+#if !defined(AFX_ABOUT_H__E6A0B5AD_AEAB_4C62_B057_2E9C36D008CF__INCLUDED_)
+#define AFX_ABOUT_H__E6A0B5AD_AEAB_4C62_B057_2E9C36D008CF__INCLUDED_
+
+#if _MSC_VER > 1000
+#pragma once
+#endif // _MSC_VER > 1000
+// About.h : header file
+//
+
+/////////////////////////////////////////////////////////////////////////////
+// CAbout dialog
+
+class CAbout : public CDialog
+{
+// Construction
+public:
+ CAbout(CWnd* pParent = NULL); // standard constructor
+
+// Dialog Data
+ //{{AFX_DATA(CAbout)
+ enum { IDD = IDD_DETECTOD_DIALOG };
+ // NOTE: the ClassWizard will add data members here
+ //}}AFX_DATA
+
+
+// Overrides
+ // ClassWizard generated virtual function overrides
+ //{{AFX_VIRTUAL(CAbout)
+ protected:
+ virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support
+ //}}AFX_VIRTUAL
+
+// Implementation
+protected:
+
+ // Generated message map functions
+ //{{AFX_MSG(CAbout)
+ // NOTE: the ClassWizard will add member functions here
+ //}}AFX_MSG
+ DECLARE_MESSAGE_MAP()
+};
+
+//{{AFX_INSERT_LOCATION}}
+// Microsoft Visual C++ will insert additional declarations immediately before the previous line.
+
+#endif // !defined(AFX_ABOUT_H__E6A0B5AD_AEAB_4C62_B057_2E9C36D008CF__INCLUDED_)
diff --git a/course/ScyllaHide/DetectOD/DetectOD.cpp b/course/ScyllaHide/DetectOD/DetectOD.cpp
new file mode 100644
index 0000000..01e2ac2
--- /dev/null
+++ b/course/ScyllaHide/DetectOD/DetectOD.cpp
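Review bot: `CAbout` is declared with `enum { IDD = IDD_DETECTOD_DIALOG };`, so an instance of it would load the main dialog's template rather than an About box. The resource script in this patch defines `IDD_ABOUTBOX` for that purpose, and DetectODDlg.cpp already declares its own `CAboutDlg` on it. If `CAbout` is meant to be the About dialog the line should read `enum { IDD = IDD_ABOUTBOX };`; nothing visible in this part of the patch instantiates the class, so if it is unused About.h and About.cpp could be dropped instead. The header also depends on `resource.h` being included before it, which About.cpp gets through `DetectOD.h`; a comment such as `// requires resource.h (included via DetectOD.h)` would record that.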
@@ -0,0 +1,74 @@
+// DetectOD.cpp : Defines the class behaviors for the application.
+//
+
+#include "stdafx.h"
+#include "DetectOD.h"
+#include "DetectODDlg.h"
+
+#ifdef _DEBUG
+#define new DEBUG_NEW
+#undef THIS_FILE
+static char THIS_FILE[] = __FILE__;
+#endif
+
+/////////////////////////////////////////////////////////////////////////////
+// CDetectODApp
+
+BEGIN_MESSAGE_MAP(CDetectODApp, CWinApp)
+ //{{AFX_MSG_MAP(CDetectODApp)
+ // NOTE - the ClassWizard will add and remove mapping macros here.
+ // DO NOT EDIT what you see in these blocks of generated code!
+ //}}AFX_MSG
+ ON_COMMAND(ID_HELP, CWinApp::OnHelp)
+END_MESSAGE_MAP()
+
+/////////////////////////////////////////////////////////////////////////////
+// CDetectODApp construction
+
+CDetectODApp::CDetectODApp()
+{
+ // TODO: add construction code here,
+ // Place all significant initialization in InitInstance
+}
+
+/////////////////////////////////////////////////////////////////////////////
+// The one and only CDetectODApp object
+
+CDetectODApp theApp;
+
+/////////////////////////////////////////////////////////////////////////////
+// CDetectODApp initialization
+
+BOOL CDetectODApp::InitInstance()
+{
+ AfxEnableControlContainer();
+
+ // Standard initialization
+ // If you are not using these features and wish to reduce the size
+ // of your final executable, you should remove from the following
+ // the specific initialization routines you do not need.
+
+#ifdef _AFXDLL
+ Enable3dControls(); // Call this when using MFC in a shared DLL
+#else
+ Enable3dControlsStatic(); // Call this when linking to MFC statically
+#endif
+
+ CDetectODDlg dlg;
+ m_pMainWnd = &dlg;
+ int nResponse = dlg.DoModal();
+ if (nResponse == IDOK)
+ {
+ // TODO: Place code here to handle when the dialog is
+ // dismissed with OK
+ }
+ else if (nResponse == IDCANCEL)
+ {
+ // TODO: Place code here to handle when the dialog is
+ // dismissed with Cancel
+ }
+
+ // Since the dialog has been closed, return FALSE so that we exit the
+ // application, rather than start the application's message pump.
+ return FALSE;
+}
diff --git a/course/ScyllaHide/DetectOD/DetectOD.h b/course/ScyllaHide/DetectOD/DetectOD.h
new file mode 100644
index 0000000..eb49f3a
--- /dev/null
+++ b/course/ScyllaHide/DetectOD/DetectOD.h
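Review bot: In `InitInstance` the `#ifdef _AFXDLL` block still calls `Enable3dControls()` / `Enable3dControlsStatic()`, which current MFC marks as deprecated and no longer needed; the project file in this patch lists `v141` (presumably the platform toolset), where these calls should only produce a C4996 warning, so the whole block can be removed. `dlg.DoModal()` returns `INT_PTR`, and -1 when the dialog could not be created, but the result is stored in an `int` and only `IDOK` / `IDCANCEL` are tested. `INT_PTR nResponse = dlg.DoModal();` plus a branch for `nResponse == -1` would make a missing or broken dialog resource visible instead of the program exiting silently.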
@@ -0,0 +1,49 @@
+// DetectOD.h : main header file for the DETECTOD application
+//
+
+#if !defined(AFX_DETECTOD_H__D2C4A318_F732_4AD0_B210_EF118C7FAC21__INCLUDED_)
+#define AFX_DETECTOD_H__D2C4A318_F732_4AD0_B210_EF118C7FAC21__INCLUDED_
+
+#if _MSC_VER > 1000
+#pragma once
+#endif // _MSC_VER > 1000
+
+#ifndef __AFXWIN_H__
+ #error include 'stdafx.h' before including this file for PCH
+#endif
+
+#include "resource.h" // main symbols
+
+/////////////////////////////////////////////////////////////////////////////
+// CDetectODApp:
+// See DetectOD.cpp for the implementation of this class
+//
+
+class CDetectODApp : public CWinApp
+{
+public:
+ CDetectODApp();
+
+// Overrides
+ // ClassWizard generated virtual function overrides
+ //{{AFX_VIRTUAL(CDetectODApp)
+ public:
+ virtual BOOL InitInstance();
+ //}}AFX_VIRTUAL
+
+// Implementation
+
+ //{{AFX_MSG(CDetectODApp)
+ // NOTE - the ClassWizard will add and remove member functions here.
+ // DO NOT EDIT what you see in these blocks of generated code !
+ //}}AFX_MSG
+ DECLARE_MESSAGE_MAP()
+};
+
+
+/////////////////////////////////////////////////////////////////////////////
+
+//{{AFX_INSERT_LOCATION}}
+// Microsoft Visual C++ will insert additional declarations immediately before the previous line.
+
+#endif // !defined(AFX_DETECTOD_H__D2C4A318_F732_4AD0_B210_EF118C7FAC21__INCLUDED_)
diff --git a/course/ScyllaHide/DetectOD/DetectOD.rc b/course/ScyllaHide/DetectOD/DetectOD.rc
new file mode 100644
index 0000000..bb27b1c
--- /dev/null
+++ b/course/ScyllaHide/DetectOD/DetectOD.rc
@@ -0,0 +1,239 @@ +//Microsoft Developer Studio generated resource script. +// +#include "resource.h" + +#define APSTUDIO_READONLY_SYMBOLS +///////////////////////////////////////////////////////////////////////////// +// +// Generated from the TEXTINCLUDE 2 resource. +// +#include "afxres.h" + +///////////////////////////////////////////////////////////////////////////// +#undef APSTUDIO_READONLY_SYMBOLS + +///////////////////////////////////////////////////////////////////////////// +// Chinese (Öйú) resources + +#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_CHS) +#ifdef _WIN32 +LANGUAGE LANG_CHINESE, SUBLANG_CHINESE_SIMPLIFIED +#pragma code_page(936) +#endif //_WIN32 + +#ifdef APSTUDIO_INVOKED +///////////////////////////////////////////////////////////////////////////// +// +// TEXTINCLUDE +// + +1 TEXTINCLUDE DISCARDABLE +BEGIN + "resource.h\0" +END + +2 TEXTINCLUDE DISCARDABLE +BEGIN + "#include ""afxres.h""\r\n" + "\0" +END + +3 TEXTINCLUDE DISCARDABLE +BEGIN + "#define _AFX_NO_SPLITTER_RESOURCES\r\n" + "#define _AFX_NO_OLE_RESOURCES\r\n" + "#define _AFX_NO_TRACKER_RESOURCES\r\n" + "#define _AFX_NO_PROPERTY_RESOURCES\r\n" + "\r\n" + "#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_CHS)\r\n" + "#ifdef _WIN32\r\n" + "LANGUAGE 4, 2\r\n" + "#pragma code_page(936)\r\n" + "#endif //_WIN32\r\n" + "#include ""res\\DetectOD.rc2"" // non-Microsoft Visual C++ edited resources\r\n" + "#include ""l.chs\\afxres.rc"" // Standard components\r\n" + "#endif\r\n" + "\0" +END + +#endif // APSTUDIO_INVOKED + + +///////////////////////////////////////////////////////////////////////////// +// +// Icon +// + +// Icon with lowest ID value placed first to ensure application icon +// remains consistent on all systems. 
+IDR_MAINFRAME ICON DISCARDABLE "res\\DetectOD.ico" +IDI_DOG ICON DISCARDABLE "res\\dog.ico" +IDI_ICON2 ICON DISCARDABLE "res\\home.ico" + +///////////////////////////////////////////////////////////////////////////// +// +// Dialog +// + +IDD_ABOUTBOX DIALOG DISCARDABLE 0, 0, 235, 55 +STYLE DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU +CAPTION "¹ØÓÚ ·´µ÷ÊÔʵÀý" +FONT 9, "ËÎÌå" +BEGIN + ICON IDI_ICON2,IDC_MYICON,11,16,20,20,SS_NOTIFY + LTEXT "¹Ù·½ÍøÕ¾£ºÐ´Ò⻥ÁªÍø",IDC_COMEON,56,31,88,8,SS_NOTIFY | + NOT WS_GROUP + DEFPUSHBUTTON "È·¶¨",IDOK,178,7,50,14,WS_GROUP + CTEXT "http://ucooper.com",IDC_MYPAGE,40,17,106,8,SS_NOTIFY +END + +IDD_DETECTOD_DIALOG DIALOGEX 0, 0, 443, 200 +STYLE DS_MODALFRAME | WS_MINIMIZEBOX | WS_POPUP | WS_VISIBLE | WS_CAPTION | + WS_SYSMENU +EXSTYLE WS_EX_APPWINDOW +CAPTION "·´µ÷ÊÔʵÀý дÒ⻥ÁªÍø ucooper.com" +FONT 9, "ËÎÌå" +BEGIN + DEFPUSHBUTTON "¹Ø ±Õ(&C)",IDOK,375,18,61,18 + PUSHBUTTON "´°¿ÚÀàÃû",IDC_WNDCLS,13,6,46,18 + PUSHBUTTON "IsDebuggerPresent",IDC_ISDEBUGGERPRESENT,13,31,97,18 + PUSHBUTTON "EnumWindow",IDC_ENUMWINDOW,63,6,47,18 + PUSHBUTTON "ö¾Ù½ø³Ì",IDC_EnumProcess,13,55,96,18 + PUSHBUTTON "¸¸½ø³ÌExplorer",IDC_Explorer,13,79,96,18 + PUSHBUTTON "GetTickCount",IDC_GetTickCount,13,103,96,18 + PUSHBUTTON "GetStartupInfo",IDC_GetStartupInfo,13,127,96,18 + PUSHBUTTON "PebFlags",IDC_PEBFLAGS,13,151,97,18 + PUSHBUTTON "CheckRemoteDebuggerPresent", + IDC_CHECKREMOTEDEBUGGERPRESENT,7,175,109,18 + PUSHBUTTON "ZwQueryInformationProcess", + IDC_ZwQueryInformationProcess,127,6,109,18 + PUSHBUTTON "SetUnhandledExceptionFilter", + IDC_SetUnhandledExceptionFilter,127,175,109,18 + PUSHBUTTON "SeDebugPrivilege",IDC_SeDebugPrivilege,127,31,109,18 + PUSHBUTTON "NTQueryObject",IDC_NTQueryObject,127,55,109,18 + PUSHBUTTON "¶Ïµã¼ì²â",IDC_DectectBreakpoints,127,79,109,18 + PUSHBUTTON "º¯Êý¶Ïµã¼ì²â",IDC_DectectFuncBreakpoints,127,103,109,18 + PUSHBUTTON "BlockInput",IDC_BlockInput,127,151,109,18 + PUSHBUTTON "CheckSum",IDC_CHECKSUM,127,127,109,18 + PUSHBUTTON 
"EnableWindow",IDC_EnableWindow,253,6,109,18 + PUSHBUTTON "ZwSetInformationThread",IDC_ZwSetInformationThread,253, + 31,109,18 + PUSHBUTTON "OutputDebugString",IDC_OutputDebugString,253,55,109,18 + PUSHBUTTON "GetEntryPoint",IDC_GetEntryPoint,253,152,109,18 + PUSHBUTTON "µ¥²½Òì³£",IDC_TrapFlag,253,80,109,18 + PUSHBUTTON "±£»¤Ò³Guard Pages",IDC_GuardPages,253,103,109,18 + PUSHBUTTON "HardwareBreakpoint",IDC_HARDWAREBREAKPOINT,253,127,109, + 18 + PUSHBUTTON "¹Ø ÓÚ(&A)",IDC_ABOUT,375,47,61,18 + CTEXT "Ö§³ÖÎÒ£¬Çë·ÃÎÊÎҵĸöÈËÕ¾µã www.ucooper.com",IDC_MYPAGE2, + 257,183,183,10,SS_NOTIFY +END + + +#ifndef _MAC +///////////////////////////////////////////////////////////////////////////// +// +// Version +// + +VS_VERSION_INFO VERSIONINFO + FILEVERSION 1,0,0,1 + PRODUCTVERSION 1,0,0,1 + FILEFLAGSMASK 0x3fL +#ifdef _DEBUG + FILEFLAGS 0x1L +#else + FILEFLAGS 0x0L +#endif + FILEOS 0x4L + FILETYPE 0x1L + FILESUBTYPE 0x0L +BEGIN + BLOCK "StringFileInfo" + BEGIN + BLOCK "080404B0" + BEGIN + VALUE "CompanyName", "\0" + VALUE "FileDescription", "DetectOD Microsoft »ù´¡ÀàÓ¦ÓóÌÐò\0" + VALUE "FileVersion", "1, 0, 0, 1\0" + VALUE "InternalName", "DetectOD\0" + VALUE "LegalCopyright", "°æÈ¨ËùÓÐ (C) 2010\0" + VALUE "LegalTrademarks", "\0" + VALUE "OriginalFilename", "DetectOD.EXE\0" + VALUE "ProductName", "DetectOD Ó¦ÓóÌÐò\0" + VALUE "ProductVersion", "1, 0, 0, 1\0" + END + END + BLOCK "VarFileInfo" + BEGIN + VALUE "Translation", 0x804, 1200 + END +END + +#endif // !_MAC + + +///////////////////////////////////////////////////////////////////////////// +// +// DESIGNINFO +// + +#ifdef APSTUDIO_INVOKED +GUIDELINES DESIGNINFO DISCARDABLE +BEGIN + IDD_ABOUTBOX, DIALOG + BEGIN + LEFTMARGIN, 7 + RIGHTMARGIN, 228 + TOPMARGIN, 7 + BOTTOMMARGIN, 48 + END + + IDD_DETECTOD_DIALOG, DIALOG + BEGIN + LEFTMARGIN, 7 + RIGHTMARGIN, 436 + TOPMARGIN, 6 + BOTTOMMARGIN, 193 + END +END +#endif // APSTUDIO_INVOKED + + +///////////////////////////////////////////////////////////////////////////// +// +// String 
Table +// + +STRINGTABLE DISCARDABLE +BEGIN + IDS_ABOUTBOX "¹ØÓÚ DetectOD(&A)..." +END + +#endif // Chinese (Öйú) resources +///////////////////////////////////////////////////////////////////////////// + + + +#ifndef APSTUDIO_INVOKED +///////////////////////////////////////////////////////////////////////////// +// +// Generated from the TEXTINCLUDE 3 resource. +// +#define _AFX_NO_SPLITTER_RESOURCES +#define _AFX_NO_OLE_RESOURCES +#define _AFX_NO_TRACKER_RESOURCES +#define _AFX_NO_PROPERTY_RESOURCES + +#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_CHS) +#ifdef _WIN32 +LANGUAGE 4, 2 +#pragma code_page(936) +#endif //_WIN32 +#include "res\DetectOD.rc2" // non-Microsoft Visual C++ edited resources +#include "l.chs\afxres.rc" // Standard components +#endif + +///////////////////////////////////////////////////////////////////////////// +#endif // not APSTUDIO_INVOKED + diff --git a/course/ScyllaHide/DetectOD/DetectOD.sln b/course/ScyllaHide/DetectOD/DetectOD.sln new file mode 100644 index 0000000..d070977 --- /dev/null +++ b/course/ScyllaHide/DetectOD/DetectOD.sln @@ -0,0 +1,20 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio 2012 +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DetectOD", "DetectOD.vcxproj", "{0CD6F28B-6A93-42AB-A435-46223134EB03}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|Win32 = Debug|Win32 + Release|Win32 = Release|Win32 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {0CD6F28B-6A93-42AB-A435-46223134EB03}.Debug|Win32.ActiveCfg = Debug|Win32 + {0CD6F28B-6A93-42AB-A435-46223134EB03}.Debug|Win32.Build.0 = Debug|Win32 + {0CD6F28B-6A93-42AB-A435-46223134EB03}.Release|Win32.ActiveCfg = Release|Win32 + {0CD6F28B-6A93-42AB-A435-46223134EB03}.Release|Win32.Build.0 = Release|Win32 + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection +EndGlobal 
diff --git a/course/ScyllaHide/DetectOD/DetectOD.vcxproj b/course/ScyllaHide/DetectOD/DetectOD.vcxproj new file mode 100644 index 0000000..376f127 --- /dev/null +++ b/course/ScyllaHide/DetectOD/DetectOD.vcxproj @@ -0,0 +1,169 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + + + + MFCProj + {0CD6F28B-6A93-42AB-A435-46223134EB03} + 10.0.17763.0 + + + + Application + v141 + Dynamic + MultiByte + + + Application + v141 + Dynamic + MultiByte + + + + + + + + + + + + + + + .\Debug\ + .\Debug\ + true + + + .\Release\ + .\Release\ + false + + + + MultiThreadedDebugDLL + Default + true + Disabled + true + TurnOffAllWarnings + true + true + EditAndContinue + WIN32;_DEBUG;_WINDOWS;%(PreprocessorDefinitions) + .\Debug\ + true + .\Debug\DetectOD.pch + Use + stdafx.h + .\Debug\ + .\Debug\ + EnableFastChecks + + + true + _DEBUG;%(PreprocessorDefinitions) + .\Debug\DetectOD.tlb + true + Win32 + + + 0x0804 + _DEBUG;%(PreprocessorDefinitions) + + + true + .\Debug\DetectOD.bsc + + + true + true + Windows + .\Debug\DetectOD.exe + + + + + MultiThreadedDLL + Default + false + Disabled + true + Level3 + WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions) + .\Release\ + .\Release\DetectOD.pch + Use + stdafx.h + .\Release\ + .\Release\ + + + true + NDEBUG;%(PreprocessorDefinitions) + .\Release\DetectOD.tlb + true + Win32 + + + 0x0804 + NDEBUG;%(PreprocessorDefinitions) + + + true + .\Release\DetectOD.bsc + + + true + Windows + .\Release\DetectOD.exe + + + + + + + Create + stdafx.h + Create + stdafx.h + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/course/ScyllaHide/DetectOD/DetectOD.vcxproj.filters b/course/ScyllaHide/DetectOD/DetectOD.vcxproj.filters new file mode 100644 index 0000000..00a660b --- /dev/null +++ b/course/ScyllaHide/DetectOD/DetectOD.vcxproj.filters 
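Review bot: The Debug configuration carries the value `TurnOffAllWarnings` where Release carries `Level3` (the element names are not visible in this rendering; presumably `WarningLevel`), so the configuration that is built most often reports no diagnostics at all. DetectODDlg.cpp in the same patch stores pointers in 32-bit integers, for example `typedef ULONG PPEB;` and `PebBase = (ULONG)pbi.PebBaseAddress;`, and those truncations are the kind of thing the compiler would flag if an x64 platform were ever added. I would set `<WarningLevel>Level3</WarningLevel>` in Debug as well and fix or locally suppress what it reports. Release also shows `Disabled` where the optimization setting normally sits; if that is deliberate for the inline-assembly demos it deserves a comment in the project or ReadMe.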
@@ -0,0 +1,69 @@ + + + + + {482dc496-684c-4bef-b2aa-7fe4a3c1f3b9} + cpp;c;cxx;rc;def;r;odl;idl;hpj;bat + + + {8240ba4f-278d-4fef-b682-382d3baf9fd9} + h;hpp;hxx;hm;inl + + + {235672e2-eb7d-4e1d-bddc-f8475e3f06a2} + ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe + + + + + Source Files + + + Source Files + + + Source Files + + + + + Source Files + + + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + + + Resource Files + + + Resource Files + + + Resource Files + + + Resource Files + + + + + + + + Resource Files + + + \ No newline at end of file diff --git a/course/ScyllaHide/DetectOD/DetectODDlg.cpp b/course/ScyllaHide/DetectOD/DetectODDlg.cpp new file mode 100644 index 0000000..00f637a --- /dev/null +++ b/course/ScyllaHide/DetectOD/DetectODDlg.cpp 
@@ -0,0 +1,1138 @@
+// DetectODDlg.cpp : implementation file
+//
+
+#include "stdafx.h"
+#include "DetectOD.h"
+#include "DetectODDlg.h"
+#include "Shlwapi.h"
+#include "tlhelp32.h"
+#include "Windows.h"
+// #include "Winable.h"
+#include
+#include "eh.h"
+#ifdef _DEBUG
+#define new DEBUG_NEW
+#undef THIS_FILE
+static char THIS_FILE[] = __FILE__;
+#endif
+typedef LONG NTSTATUS;
+
+static DWORD NewEip;
+/////////////////////////////////////////////////////////////////////////////
+// CAboutDlg dialog used for App About
+
+class CAboutDlg : public CDialog
+{
+public:
+ CAboutDlg();
+
+// Dialog Data
+ //{{AFX_DATA(CAboutDlg)
+ enum { IDD = IDD_ABOUTBOX };
+ //}}AFX_DATA
+
+ // ClassWizard generated virtual function overrides
+ //{{AFX_VIRTUAL(CAboutDlg)
+ protected:
+ virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support
+ //}}AFX_VIRTUAL
+
+// Implementation
+protected:
+ //{{AFX_MSG(CAboutDlg)
+ afx_msg void OnMypage();
+ afx_msg void OnMouseMove(UINT nFlags, CPoint point);
+ virtual BOOL OnInitDialog();
+ afx_msg void OnComeon();
+ afx_msg void OnMyicon();
+ //}}AFX_MSG
+ DECLARE_MESSAGE_MAP()
+};
+
+CAboutDlg::CAboutDlg() : CDialog(CAboutDlg::IDD)
+{
+ //{{AFX_DATA_INIT(CAboutDlg)
+ //}}AFX_DATA_INIT
+}
+
+void CAboutDlg::DoDataExchange(CDataExchange* pDX)
+{
+ CDialog::DoDataExchange(pDX);
+ //{{AFX_DATA_MAP(CAboutDlg)
+ //}}AFX_DATA_MAP
+}
+
+BEGIN_MESSAGE_MAP(CAboutDlg, CDialog)
+ //{{AFX_MSG_MAP(CAboutDlg)
+ ON_BN_CLICKED(IDC_MYPAGE, OnMypage)
+ ON_WM_MOUSEMOVE()
+ ON_BN_CLICKED(IDC_COMEON, OnComeon)
+ ON_BN_CLICKED(IDC_MYICON, OnMyicon)
+ //}}AFX_MSG_MAP
+END_MESSAGE_MAP()
+
+/////////////////////////////////////////////////////////////////////////////
+// CDetectODDlg dialog
+
+CDetectODDlg::CDetectODDlg(CWnd* pParent /*=NULL*/)
+ : CDialog(CDetectODDlg::IDD, pParent)
+{
+ //{{AFX_DATA_INIT(CDetectODDlg)
+ // NOTE: the ClassWizard will add member initialization here
+ //}}AFX_DATA_INIT
+ // Note that LoadIcon does not require a subsequent DestroyIcon in Win32
+ m_hIcon = AfxGetApp()->LoadIcon(IDR_MAINFRAME);
+}
+
+void CDetectODDlg::DoDataExchange(CDataExchange* pDX)
+{
+ CDialog::DoDataExchange(pDX);
+ //{{AFX_DATA_MAP(CDetectODDlg)
+ // NOTE: the ClassWizard will add DDX and DDV calls here
+ //}}AFX_DATA_MAP
+}
+
+BEGIN_MESSAGE_MAP(CDetectODDlg, CDialog)
+ //{{AFX_MSG_MAP(CDetectODDlg)
+ ON_WM_SYSCOMMAND()
+ ON_WM_PAINT()
+ ON_WM_QUERYDRAGICON()
+ ON_BN_CLICKED(IDC_WNDCLS, OnWndcls)
+ ON_BN_CLICKED(IDC_ISDEBUGGERPRESENT, OnIsdebuggerpresent)
+ ON_BN_CLICKED(IDC_ENUMWINDOW, OnEnumwindow)
+ ON_BN_CLICKED(IDC_EnumProcess, OnEnumProcess)
+ ON_BN_CLICKED(IDC_Explorer, OnExplorer)
+ ON_BN_CLICKED(IDC_GetTickCount, OnGetTickCount)
+ ON_BN_CLICKED(IDC_GetStartupInfo, OnGetStartupInfo)
+ ON_BN_CLICKED(IDC_PEBFLAGS, OnPebflags)
+ ON_BN_CLICKED(IDC_CHECKREMOTEDEBUGGERPRESENT, OnCheckremotedebuggerpresent)
+ ON_BN_CLICKED(IDC_SetUnhandledExceptionFilter, OnSetUnhandledExceptionFilter)
+ ON_BN_CLICKED(IDC_ZwQueryInformationProcess, OnZwQueryInformationProcess)
+ ON_BN_CLICKED(IDC_SeDebugPrivilege, OnSeDebugPrivilege)
+ ON_BN_CLICKED(IDC_NTQueryObject, OnNTQueryObject)
+ ON_BN_CLICKED(IDC_DectectBreakpoints, OnDectectBreakpoints)
+ ON_BN_CLICKED(IDC_DectectFuncBreakpoints, OnDectectFuncBreakpoints)
+ ON_BN_CLICKED(IDC_BlockInput, OnBlockInput)
+ ON_BN_CLICKED(IDC_CHECKSUM, OnChecksum)
+ ON_BN_CLICKED(IDC_EnableWindow, OnEnableWindow)
+ ON_BN_CLICKED(IDC_ZwSetInformationThread, OnZwSetInformationThread)
+ ON_BN_CLICKED(IDC_OutputDebugString, OnOutputDebugString)
+ ON_BN_CLICKED(IDC_GetEntryPoint, OnGetEntryPoint)
+ ON_BN_CLICKED(IDC_TrapFlag, OnTrapFlag)
+ ON_BN_CLICKED(IDC_GuardPages, OnGuardPages)
+ ON_BN_CLICKED(IDC_HARDWAREBREAKPOINT, OnHardwarebreakpoint)
+ ON_BN_CLICKED(IDC_ABOUT, OnAbout)
+ ON_BN_CLICKED(IDC_MYPAGE2, OnMypage2)
+ //}}AFX_MSG_MAP
+END_MESSAGE_MAP()
+
+/////////////////////////////////////////////////////////////////////////////
+// CDetectODDlg message handlers
+
+BOOL CDetectODDlg::OnInitDialog()
+{
+ CDialog::OnInitDialog();
+
+ // Add "About..." menu item to system menu.
+
+ // IDM_ABOUTBOX must be in the system command range.
+ ASSERT((IDM_ABOUTBOX & 0xFFF0) == IDM_ABOUTBOX);
+ ASSERT(IDM_ABOUTBOX < 0xF000);
+
+ CMenu* pSysMenu = GetSystemMenu(FALSE);
+ if (pSysMenu != NULL)
+ {
+ CString strAboutMenu;
+ strAboutMenu.LoadString(IDS_ABOUTBOX);
+ if (!strAboutMenu.IsEmpty())
+ {
+ pSysMenu->AppendMenu(MF_SEPARATOR);
+ pSysMenu->AppendMenu(MF_STRING, IDM_ABOUTBOX, strAboutMenu);
+ }
+ }
+
+ // Set the icon for this dialog. The framework does this automatically
+ // when the application's main window is not a dialog
+// SetIcon(m_hIcon, TRUE); // Set big icon
+// SetIcon(m_hIcon, FALSE); // Set small icon
+
+ // TODO: Add extra initialization here
+ SetClassLong(m_hWnd,GCL_HICON,(LONG)(LoadIcon(AfxGetApp()->m_hInstance,MAKEINTRESOURCE(IDI_DOG))));
+ return TRUE; // return TRUE unless you set the focus to a control
+}
+
+void CDetectODDlg::OnSysCommand(UINT nID, LPARAM lParam)
+{
+ if ((nID & 0xFFF0) == IDM_ABOUTBOX)
+ {
+ CAboutDlg dlgAbout;
+ dlgAbout.DoModal();
+ }
+ else
+ {
+ CDialog::OnSysCommand(nID, lParam);
+ }
+}
+
+// If you add a minimize button to your dialog, you will need the code below
+// to draw the icon. For MFC applications using the document/view model,
+// this is automatically done for you by the framework.
+ +void CDetectODDlg::OnPaint() +{ + if (IsIconic()) + { + CPaintDC dc(this); // device context for painting + + SendMessage(WM_ICONERASEBKGND, (WPARAM) dc.GetSafeHdc(), 0); + + // Center icon in client rectangle + int cxIcon = GetSystemMetrics(SM_CXICON); + int cyIcon = GetSystemMetrics(SM_CYICON); + CRect rect; + GetClientRect(&rect); + int x = (rect.Width() - cxIcon + 1) / 2; + int y = (rect.Height() - cyIcon + 1) / 2; + + // Draw the icon + dc.DrawIcon(x, y, m_hIcon); + } + else + { + CDialog::OnPaint(); + } +} + +// The system calls this to obtain the cursor to display while the user drags +// the minimized window. +HCURSOR CDetectODDlg::OnQueryDragIcon() +{ + return (HCURSOR) m_hIcon; +} + +void CDetectODDlg::OnWndcls() +{ + // TODO: Add your control notification handler code here + HWND hWnd; + if(hWnd=::FindWindow("OllyDbg",NULL)) + { + MessageBox("·¢ÏÖOD"); + }else{ + MessageBox("û·¢ÏÖOD"); + } + +} +void CDetectODDlg::OnIsdebuggerpresent() +{ + // TODO: Add your control notification handler code here + if(IsDebuggerPresent()) + { + MessageBox("·¢ÏÖOD"); + } + else + { + MessageBox("ûÓÐOD"); + } +} +/***************************************************/ +BOOL CALLBACK EnumWindowsProc( + HWND hwnd, // handle to parent window + LPARAM lParam // application-defined value + ) +{ + char ch[100]; + CString str="Ollydbg"; + if(IsWindowVisible(hwnd)) + { + ::GetWindowText(hwnd,ch,100); + //AfxMessageBox(ch); + if(::StrStrI(ch,str)) + { + AfxMessageBox("·¢ÏÖOD"); + return FALSE; + } + } + return TRUE; +} + +void CDetectODDlg::OnEnumwindow() +{ + // TODO: Add your control notification handler code here + EnumWindows(EnumWindowsProc,NULL); + AfxMessageBox("ö¾Ù´°¿Ú½áÊø£¬Î´Ìáʾ·¢ÏÖOD£¬ÔòûÓÐOD"); +} + +/***************************************************/ +void CDetectODDlg::OnEnumProcess() +{ + // TODO: Add your control notification handler code here + + HANDLE hwnd; + PROCESSENTRY32 tp32; //½á¹¹Ìå + CString str="OLLYDBG.EXE"; + BOOL bFindOD=FALSE; + 
hwnd=::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL); + if(INVALID_HANDLE_VALUE!=hwnd) + { + Process32First(hwnd,&tp32); + do{ + if(0==lstrcmpi(str,tp32.szExeFile)) + { + AfxMessageBox("·¢ÏÖOD"); + bFindOD=TRUE; + break; + } + }while(Process32Next(hwnd,&tp32)); + if(!bFindOD) + AfxMessageBox("ûÓÐOD"); + } + CloseHandle(hwnd); +} + +void CDetectODDlg::OnExplorer() +{ + // TODO: Add your control notification handler code here + HANDLE hwnd; + PROCESSENTRY32 tp32; //½á¹¹Ìå + CString str="Explorer.EXE"; + + DWORD ExplorerID; + DWORD SelfID; + DWORD SelfParentID; + SelfID=GetCurrentProcessId(); + ::GetWindowThreadProcessId(::FindWindow("Progman",NULL),&ExplorerID); + hwnd=::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL); + if(INVALID_HANDLE_VALUE!=hwnd) + { + Process32First(hwnd,&tp32); + do{ + if(0==lstrcmp(str,tp32.szExeFile)) + { + // ExplorerID=tp32.th32ProcessID; + // AfxMessageBox("aaa"); + } + if(SelfID==tp32.th32ProcessID) + { + SelfParentID=tp32.th32ParentProcessID; + } + }while(Process32Next(hwnd,&tp32)); + + str.Format("±¾½ø³Ì£º%d ¸¸½ø³Ì£º%d Explorer½ø³Ì: %d ",SelfID,SelfParentID,ExplorerID); + MessageBox(str); + if(ExplorerID==SelfParentID) + { + AfxMessageBox("ûÓÐOD"); + } + else + { + AfxMessageBox("·¢ÏÖOD"); + } + } + CloseHandle(hwnd); +} + +void CDetectODDlg::OnGetTickCount() +{ + // TODO: Add your control notification handler code here + DWORD dTime1; + DWORD dTime2; + dTime1=GetTickCount(); + GetCurrentProcessId(); + GetCurrentProcessId(); + GetCurrentProcessId(); + GetCurrentProcessId(); + dTime2=GetTickCount(); + if(dTime2-dTime1>100) + { + AfxMessageBox("·¢ÏÖOD"); + } + else{ + AfxMessageBox("ûÓÐOD"); + } +} + +void CDetectODDlg::OnGetStartupInfo() +{ + // TODO: Add your control notification handler code here + STARTUPINFO info={0}; + GetStartupInfo(&info); + if(info.dwX!=0 || info.dwY!=0 || info.dwXCountChars!=0 || info.dwYCountChars!=0 + || info.dwFillAttribute!=0 || info.dwXSize!=0 || info.dwYSize!=0) + { + AfxMessageBox("·¢ÏÖOD"); + } + 
else{ + AfxMessageBox("ûÓÐOD"); + } + +} + +//********************************************** +// typedef ULONG NTSTATUS; +typedef ULONG PPEB; +typedef ULONG KAFFINITY; +typedef ULONG KPRIORITY; + +typedef struct _PROCESS_BASIC_INFORMATION { // Information Class 0 +NTSTATUS ExitStatus; +PPEB PebBaseAddress; +KAFFINITY AffinityMask; +KPRIORITY BasePriority; +ULONG UniqueProcessId; +ULONG InheritedFromUniqueProcessId; +} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION; + +typedef enum _PROCESSINFOCLASS { +ProcessBasicInformation, // 0 Y N +ProcessQuotaLimits, // 1 Y Y +ProcessIoCounters, // 2 Y N +ProcessVmCounters, // 3 Y N +ProcessTimes, // 4 Y N +ProcessBasePriority, // 5 N Y +ProcessRaisePriority, // 6 N Y +ProcessDebugPort, // 7 Y Y +ProcessExceptionPort, // 8 N Y +ProcessAccessToken, // 9 N Y +ProcessLdtInformation, // 10 Y Y +ProcessLdtSize, // 11 N Y +ProcessDefaultHardErrorMode, // 12 Y Y +ProcessIoPortHandlers, // 13 N Y +ProcessPooledUsageAndLimits, // 14 Y N +ProcessWorkingSetWatch, // 15 Y Y +ProcessUserModeIOPL, // 16 N Y +ProcessEnableAlignmentFaultFixup, // 17 N Y +ProcessPriorityClass, // 18 N Y +ProcessWx86Information, // 19 Y N +ProcessHandleCount, // 20 Y N +ProcessAffinityMask, // 21 N Y +ProcessPriorityBoost, // 22 Y Y +ProcessDeviceMap,// 23 Y Y +ProcessSessionInformation, // 24 Y Y +ProcessForegroundInformation, // 25 N Y +ProcessWow64Information // 26 Y N +} PROCESSINFOCLASS; + + +typedef NTSTATUS (_stdcall *ZwQueryInformationProcess)( +HANDLE ProcessHandle, +PROCESSINFOCLASS ProcessInformationClass, +PVOID ProcessInformation, +ULONG ProcessInformationLength, +PULONG ReturnLength +); //¶¨Ò庯ÊýÖ¸Õë + +void CDetectODDlg::OnPebflags() +{ + // TODO: Add your control notification handler code here + + //¶¨Ò庯ÊýÖ¸Õë±äÁ¿ + ZwQueryInformationProcess MyZwQueryInformationProcess; + + HANDLE hProcess = NULL; + PROCESS_BASIC_INFORMATION pbi = {0}; + ULONG peb = 0; + ULONG cnt = 0; + ULONG PebBase = 0; + ULONG AddrBase; + BOOL bFoundOD=FALSE; + WORD 
flag; + DWORD dwFlag; + DWORD bytesrw; + DWORD ProcessId=GetCurrentProcessId(); + hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, ProcessId); + if (hProcess != NULL) { + //º¯ÊýÖ¸Õë±äÁ¿¸³Öµ + MyZwQueryInformationProcess=(ZwQueryInformationProcess)GetProcAddress(LoadLibrary("ntdll.dll"),"ZwQueryInformationProcess"); + //º¯ÊýÖ¸Õë±äÁ¿µ÷Óà + if (MyZwQueryInformationProcess( + hProcess, + ProcessBasicInformation, + &pbi, + sizeof(PROCESS_BASIC_INFORMATION), + &cnt) == 0) + { + PebBase = (ULONG)pbi.PebBaseAddress; + AddrBase=PebBase; + if (ReadProcessMemory(hProcess,(LPCVOID)(PebBase+0x68),&flag,2,&bytesrw) && bytesrw==2) + { //PEB.NtGlobalFlag + if(0x70==flag){ + bFoundOD=TRUE; + } + } + if (ReadProcessMemory(hProcess,(LPCVOID)(PebBase+0x18),&dwFlag,4,&bytesrw) && bytesrw==4) + { + AddrBase=dwFlag; + } + if (ReadProcessMemory(hProcess,(LPCVOID)(AddrBase+0x0c),&flag,2,&bytesrw) && bytesrw==2) + {//PEB.ProcessHeap.Flags + if(2!=flag){ + bFoundOD=TRUE; + } + } + if (ReadProcessMemory(hProcess,(LPCVOID)(AddrBase+0x10),&flag,2,&bytesrw) && bytesrw==2) + {//PEB.ProcessHeap.ForceFlags + if(0!=flag){ + bFoundOD=TRUE; + } + } + if(bFoundOD==FALSE) + { + AfxMessageBox("ûÓÐOD"); + } + else + { + AfxMessageBox("·¢ÏÖOD"); + } + } + CloseHandle(hProcess); + } +} + +//******************************************************************* +typedef BOOL (WINAPI *CHECK_REMOTE_DEBUGGER_PRESENT)(HANDLE, PBOOL); + +void CDetectODDlg::OnCheckremotedebuggerpresent() +{ + // TODO: Add your control notification handler code here + HANDLE hProcess; + HINSTANCE hModule; + BOOL bDebuggerPresent = FALSE; + CHECK_REMOTE_DEBUGGER_PRESENT CheckRemoteDebuggerPresent; + hModule = GetModuleHandleA("Kernel32"); + CheckRemoteDebuggerPresent = + (CHECK_REMOTE_DEBUGGER_PRESENT)GetProcAddress(hModule, "CheckRemoteDebuggerPresent"); + hProcess = GetCurrentProcess(); + CheckRemoteDebuggerPresent(hProcess,&bDebuggerPresent); + if(bDebuggerPresent==TRUE) + { + AfxMessageBox("·¢ÏÖOD"); + } + 
else + { + AfxMessageBox("ûÓÐOD"); + } +} +//******************************************************** +typedef NTSTATUS (_stdcall *ZW_QUERY_INFORMATION_PROCESS)( +HANDLE ProcessHandle, +PROCESSINFOCLASS ProcessInformationClass, //¸Ã²ÎÊýÒ²ÐèÒªÉÏÃæÉùÃ÷µÄÊý¾Ý½á¹¹ +PVOID ProcessInformation, +ULONG ProcessInformationLength, +PULONG ReturnLength +); //¶¨Ò庯ÊýÖ¸Õë + +void CDetectODDlg::OnZwQueryInformationProcess() +{ + // TODO: Add your control notification handler code here + HANDLE hProcess; + HINSTANCE hModule; + DWORD dwResult; + ZW_QUERY_INFORMATION_PROCESS MyFunc; + hModule = GetModuleHandle("ntdll.dll"); + MyFunc=(ZW_QUERY_INFORMATION_PROCESS)GetProcAddress(hModule,"ZwQueryInformationProcess"); + hProcess = GetCurrentProcess(); + MyFunc( + hProcess, + ProcessDebugPort, + &dwResult, + 4, + NULL); + if(dwResult!=0) + { + AfxMessageBox("·¢ÏÖOD"); + } + else + { + AfxMessageBox("ûÓÐOD"); + } +} +//******************************************************** +static DWORD lpOldHandler; +typedef LPTOP_LEVEL_EXCEPTION_FILTER (_stdcall *pSetUnhandledExceptionFilter)( + LPTOP_LEVEL_EXCEPTION_FILTER lpTopLevelExceptionFilter + ); +pSetUnhandledExceptionFilter lpSetUnhandledExceptionFilter; + +LONG WINAPI TopUnhandledExceptionFilter( + struct _EXCEPTION_POINTERS *ExceptionInfo +) +{ + _asm pushad + AfxMessageBox("»Øµ÷º¯Êý"); + lpSetUnhandledExceptionFilter((LPTOP_LEVEL_EXCEPTION_FILTER )lpOldHandler); + ExceptionInfo->ContextRecord->Eip=NewEip;//×ªÒÆµ½°²È«Î»Öà + _asm popad + return EXCEPTION_CONTINUE_EXECUTION; +} + +void CDetectODDlg::OnSetUnhandledExceptionFilter() +{ + bool isDebugged=0; + // TODO: Add your control notification handler code here + lpSetUnhandledExceptionFilter = (pSetUnhandledExceptionFilter)GetProcAddress(LoadLibrary(("kernel32.dll")), + "SetUnhandledExceptionFilter"); + lpOldHandler=(DWORD)lpSetUnhandledExceptionFilter(TopUnhandledExceptionFilter); + _asm{ //»ñÈ¡Õâ¸ö°²È«µØÖ· + call me //·½Ê½Ò»£¬ÐèÒªNewEip¼ÓÉÏÒ»¸öÆ«ÒÆÖµ +me: + pop NewEip //·½Ê½Ò»½áÊø + mov 
NewEip,offset safe //·½Ê½¶þ£¬¸ü¼òµ¥ + int 3 //´¥·¢Òì³£ + } + AfxMessageBox("¼ì²âµ½OD"); + isDebugged=1; + _asm{ +safe: + } + if(1==isDebugged){ + + }else{ + AfxMessageBox("ûÓÐOD"); + } +} +//******************************************************** +void CDetectODDlg::OnSeDebugPrivilege() +{ + // TODO: Add your control notification handler code here + HANDLE hProcessSnap; + HANDLE hProcess; + PROCESSENTRY32 tp32; //½á¹¹Ìå + CString str="csrss.exe"; + hProcessSnap=::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL); + if(INVALID_HANDLE_VALUE!=hProcessSnap) + { + Process32First(hProcessSnap,&tp32); + do{ + if(0==lstrcmpi(str,tp32.szExeFile)) + { + hProcess=OpenProcess(PROCESS_QUERY_INFORMATION,NULL,tp32.th32ProcessID); + if(NULL!=hProcess) + { + AfxMessageBox("·¢ÏÖOD"); + } + else + { + AfxMessageBox("ûÓÐOD"); + } + CloseHandle(hProcess); + } + }while(Process32Next(hProcessSnap,&tp32)); + } + CloseHandle(hProcessSnap); +} + +//*************************************************************** +#ifndef STATUS_INFO_LENGTH_MISMATCH +#define STATUS_INFO_LENGTH_MISMATCH ((UINT32)0xC0000004L) +#endif + +typedef enum _POOL_TYPE { + NonPagedPool, + PagedPool, + NonPagedPoolMustSucceed, + DontUseThisType, + NonPagedPoolCacheAligned, + PagedPoolCacheAligned, + NonPagedPoolCacheAlignedMustS +} POOL_TYPE; + +typedef struct _UNICODE_STRING { + USHORT Length; + USHORT MaximumLength; + PWSTR Buffer; +} UNICODE_STRING; +typedef UNICODE_STRING *PUNICODE_STRING; +typedef const UNICODE_STRING *PCUNICODE_STRING; + +typedef enum _OBJECT_INFORMATION_CLASS +{ + ObjectBasicInformation, // Result is OBJECT_BASIC_INFORMATION structure + ObjectNameInformation, // Result is OBJECT_NAME_INFORMATION structure + ObjectTypeInformation, // Result is OBJECT_TYPE_INFORMATION structure + ObjectAllTypesInformation, // Result is OBJECT_ALL_INFORMATION structure + ObjectDataInformation // Result is OBJECT_DATA_INFORMATION structure + +} OBJECT_INFORMATION_CLASS, *POBJECT_INFORMATION_CLASS; + +typedef struct 
_OBJECT_TYPE_INFORMATION { + UNICODE_STRING TypeName; + ULONG TotalNumberOfHandles; + ULONG TotalNumberOfObjects; + WCHAR Unused1[8]; + ULONG HighWaterNumberOfHandles; + ULONG HighWaterNumberOfObjects; + WCHAR Unused2[8]; + ACCESS_MASK InvalidAttributes; + GENERIC_MAPPING GenericMapping; + ACCESS_MASK ValidAttributes; + BOOLEAN SecurityRequired; + BOOLEAN MaintainHandleCount; + USHORT MaintainTypeList; + POOL_TYPE PoolType; + ULONG DefaultPagedPoolCharge; + ULONG DefaultNonPagedPoolCharge; +} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION; + +typedef struct _OBJECT_ALL_INFORMATION { + ULONG NumberOfObjectsTypes; + OBJECT_TYPE_INFORMATION ObjectTypeInformation[1]; +} OBJECT_ALL_INFORMATION, *POBJECT_ALL_INFORMATION; + +typedef struct _OBJECT_ALL_TYPES_INFORMATION { + ULONG NumberOfTypes; + OBJECT_TYPE_INFORMATION TypeInformation[1]; +} OBJECT_ALL_TYPES_INFORMATION, *POBJECT_ALL_TYPES_INFORMATION; + +typedef UINT32 (__stdcall *ZwQueryObject_t) ( + IN HANDLE ObjectHandle, + IN OBJECT_INFORMATION_CLASS ObjectInformationClass, + OUT PVOID ObjectInformation, + IN ULONG Length, + OUT PULONG ResultLength ); + +void CDetectODDlg::OnNTQueryObject() +{ + // TODO: Add your control notification handler code here + // µ÷ÊÔÆ÷±ØÐëÕýÔÚµ÷ÊÔ²ÅÄܼì²âµ½£¬½ö´ò¿ªODÊǼì²â²»µ½µÄ + HMODULE hNtDLL; + DWORD dwSize; + UINT i; + UCHAR KeyType=0; + OBJECT_ALL_TYPES_INFORMATION *Types; + OBJECT_TYPE_INFORMATION *t; + ZwQueryObject_t ZwQueryObject; + + hNtDLL = GetModuleHandle("ntdll.dll"); + if(hNtDLL){ + ZwQueryObject = (ZwQueryObject_t)GetProcAddress(hNtDLL, "ZwQueryObject"); + UINT32 iResult = ZwQueryObject(NULL, ObjectAllTypesInformation, NULL, NULL, &dwSize); + if(iResult==STATUS_INFO_LENGTH_MISMATCH) + { + Types = (OBJECT_ALL_TYPES_INFORMATION*)VirtualAlloc(NULL,dwSize,MEM_COMMIT,PAGE_READWRITE); + if (Types == NULL) return; + if (iResult=ZwQueryObject(NULL,ObjectAllTypesInformation, Types, dwSize, &dwSize)) return; + for (t=Types->TypeInformation,i=0;iNumberOfTypes;i++) + { + if ( 
!_wcsicmp(t->TypeName.Buffer,L"DebugObject")) //±È½ÏÁ½¸öÊÇ·ñÏàµÈ£¬Õâ¸öLºÜÌØÊ⣬±¾µØµÄÒâ˼ + { + if(t->TotalNumberOfHandles > 0 || t->TotalNumberOfObjects > 0) + { + AfxMessageBox("·¢ÏÖOD"); + VirtualFree (Types,0,MEM_RELEASE); + return; + } + break; // Found Anyways + } + t=(OBJECT_TYPE_INFORMATION *)((char *)t->TypeName.Buffer+((t->TypeName.MaximumLength+3)&~3)); + } + } + AfxMessageBox("ûÓÐOD!"); + VirtualFree (Types,0,MEM_RELEASE); + } +} +/*********************************************************/ +BOOL DetectBreakpoints() +{ + BOOL bFoundOD; + bFoundOD=FALSE; + __asm + { + jmp CodeEnd + CodeStart: mov eax,ecx ;±»±£»¤µÄ³ÌÐò¶Î + nop + push eax + push ecx + pop ecx + pop eax + CodeEnd: + cld ;¼ì²â´úÂ뿪ʼ + mov edi,offset CodeStart + mov edx,offset CodeStart + mov ecx,offset CodeEnd + sub ecx,edx + + mov al,0CCH + repne scasb + jnz ODNotFound + mov bFoundOD,1 + ODNotFound: + } + return bFoundOD; +} +void CDetectODDlg::OnDectectBreakpoints() +{ + // TODO: Add your control notification handler code here + if(DetectBreakpoints()) + { + AfxMessageBox("·¢ÏÖOD"); + } + else + { + AfxMessageBox("ûÓÐOD"); + } +} +/*********************************************************/ +BOOL DetectFuncBreakpoints() +{ + BOOL bFoundOD; + bFoundOD=FALSE; + DWORD dwAddr; + dwAddr=(DWORD)::GetProcAddress(LoadLibrary("user32.dll"),"MessageBoxA"); + __asm + { + cld ;¼ì²â´úÂ뿪ʼ + mov edi,dwAddr + mov ecx,100 ;100bytes + mov al,0CCH + repne scasb + jnz ODNotFound + mov bFoundOD,1 + ODNotFound: + } + return bFoundOD; +} +void CDetectODDlg::OnDectectFuncBreakpoints() +{ + // TODO: Add your control notification handler code here + if(DetectFuncBreakpoints()) + { + AfxMessageBox("·¢ÏÖOD"); + } + else + { + AfxMessageBox("ûÓÐOD"); + } +} + +void CDetectODDlg::OnBlockInput() +{ // #include "Winable.h" + // TODO: Add your control notification handler code here + DWORD dwNoUse; + DWORD dwNoUse2; + ::BlockInput(TRUE); + dwNoUse=2; + dwNoUse2=3; + dwNoUse=dwNoUse2; + ::BlockInput(FALSE); +} 
+/*********************************************************/ +BOOL CheckSum() +{ + BOOL bFoundOD; + bFoundOD=FALSE; + DWORD CHECK_SUM=5555; //ÕýȷУÑéÖµ + DWORD dwAddr; + dwAddr=(DWORD)CheckSum; + __asm + { + ;¼ì²â´úÂ뿪ʼ + mov esi,dwAddr + mov ecx,100 + xor eax,eax + checksum_loop: + movzx ebx,byte ptr [esi] + add eax,ebx + rol eax,1 + inc esi + loop checksum_loop + + cmp eax,CHECK_SUM + jz ODNotFound + mov bFoundOD,1 + ODNotFound: + } + return bFoundOD; +} +void CDetectODDlg::OnChecksum() +{ + // TODO: Add your control notification handler code here + if(CheckSum()) + { + AfxMessageBox("·¢ÏÖOD"); + } + else + { + AfxMessageBox("ûÓÐOD"); + } +} +/*********************************************************/ + +void CDetectODDlg::OnEnableWindow() +{ + // TODO: Add your control notification handler code here + CWnd *wnd; + wnd=GetForegroundWindow(); + wnd->EnableWindow(FALSE); + DWORD dwNoUse; + DWORD dwNoUse2; + dwNoUse=2; + dwNoUse2=3; + dwNoUse=dwNoUse2; + wnd->EnableWindow(TRUE); +} +/*********************************************************/ +typedef enum _THREADINFOCLASS { +ThreadBasicInformation, // 0 Y N +ThreadTimes, // 1 Y N +ThreadPriority, // 2 N Y +ThreadBasePriority, // 3 N Y +ThreadAffinityMask, // 4 N Y +ThreadImpersonationToken, // 5 N Y +ThreadDescriptorTableEntry, // 6 Y N +ThreadEnableAlignmentFaultFixup, // 7 N Y +ThreadEventPair, // 8 N Y +ThreadQuerySetWin32StartAddress, // 9 Y Y +ThreadZeroTlsCell, // 10 N Y +ThreadPerformanceCount, // 11 Y N +ThreadAmILastThread, // 12 Y N +ThreadIdealProcessor, // 13 N Y +ThreadPriorityBoost, // 14 Y Y +ThreadSetTlsArrayAddress, // 15 N Y +ThreadIsIoPending, // 16 Y N +ThreadHideFromDebugger // 17 N Y +} THREAD_INFO_CLASS; + +typedef NTSTATUS (NTAPI *ZwSetInformationThread)( +IN HANDLE ThreadHandle, +IN THREAD_INFO_CLASS ThreadInformaitonClass, +IN PVOID ThreadInformation, +IN ULONG ThreadInformationLength +); + +void CDetectODDlg::OnZwSetInformationThread() +{ + // TODO: Add your control notification handler code 
here + CString str="ÀûÓÃÎÒ¶¨Î»"; + HANDLE hwnd; + HMODULE hModule; + hwnd=GetCurrentThread(); + hModule=LoadLibrary("ntdll.dll"); + ZwSetInformationThread myFunc; + myFunc=(ZwSetInformationThread)GetProcAddress(hModule,"ZwSetInformationThread"); + myFunc(hwnd,ThreadHideFromDebugger,NULL,NULL); +} +/*********************************************************/ +void CDetectODDlg::OnOutputDebugString() +{ + // TODO: Add your control notification handler code here + ::OutputDebugString("%s%s%s"); +} +/*********************************************************/ +void CDetectODDlg::OnGetEntryPoint() +{ + // TODO: Add your control notification handler code here + IMAGE_DOS_HEADER *dos_head=(IMAGE_DOS_HEADER *)GetModuleHandle(NULL); + PIMAGE_NT_HEADERS32 nt_head=(PIMAGE_NT_HEADERS32)((DWORD)dos_head+(DWORD)dos_head->e_lfanew); + DWORD EP=(nt_head->OptionalHeader.AddressOfEntryPoint); + CString str; + str.Format("%x",EP); + AfxMessageBox(str); + + BYTE*OEP=(BYTE*)(nt_head->OptionalHeader.AddressOfEntryPoint+(DWORD)dos_head); + for(unsigned long index=0;index<20;index++){ + if(OEP[index]==0xcc){ + ExitProcess(0); + } + } + +} +/**************************************************************/ +void terminateFunc() +{ + AfxMessageBox("set_terminateÖ¸¶¨µÄº¯Êý\n"); + exit(0); +} +void CDetectODDlg::OnButton1() +{ + // TODO: Add your control notification handler code here + + set_terminate(terminateFunc); + try{ + div(10,0); + }catch(int){ + AfxMessageBox("½ö²¶»ñÕûÐÍÒì³£"); + }catch(...){ + terminate(); //ËùÓÐÆäËüÒì³£ + } + AfxMessageBox("°¡¹þ"); +} +//******************************************************** + +void CDetectODDlg::OnTrapFlag() +{ + try{ + _asm{ + pushfd //´¥·¢µ¥²½Òì³£ + or dword ptr [esp],100h ;TF=1 + popfd + } + AfxMessageBox("¼ì²âµ½OD"); + }catch(...){ + AfxMessageBox("ûÓÐOD"); + } +} +//******************************************************** +static bool isDebugged=1; +LONG WINAPI TopUnhandledExceptionFilter2( + struct _EXCEPTION_POINTERS *ExceptionInfo +) +{ + 
_asm pushad + AfxMessageBox("»Øµ÷º¯Êý"); + lpSetUnhandledExceptionFilter((LPTOP_LEVEL_EXCEPTION_FILTER )lpOldHandler); + ExceptionInfo->ContextRecord->Eip=NewEip; + isDebugged=0; + _asm popad + return EXCEPTION_CONTINUE_EXECUTION; +} + +void CDetectODDlg::OnGuardPages() +{ + // TODO: Add your control notification handler code here + + ULONG dwOldType; + DWORD dwPageSize; + LPVOID lpvBase; // »ñÈ¡ÄÚ´æµÄ»ùµØÖ· + SYSTEM_INFO sSysInfo; // ϵͳÐÅÏ¢ + GetSystemInfo(&sSysInfo); // »ñȡϵͳÐÅÏ¢ + dwPageSize=sSysInfo.dwPageSize; //ϵͳÄÚ´æÒ³´óС + + lpSetUnhandledExceptionFilter = (pSetUnhandledExceptionFilter)GetProcAddress(LoadLibrary(("kernel32.dll")), + "SetUnhandledExceptionFilter"); + lpOldHandler=(DWORD)lpSetUnhandledExceptionFilter(TopUnhandledExceptionFilter2); + + // ·ÖÅäÄÚ´æ + lpvBase = VirtualAlloc(NULL,dwPageSize,MEM_COMMIT,PAGE_READWRITE); + if (lpvBase==NULL) AfxMessageBox("ÄÚ´æ·ÖÅäʧ°Ü"); + _asm{ + mov NewEip,offset safe //·½Ê½¶þ£¬¸ü¼òµ¥ + mov eax,lpvBase + push eax + mov byte ptr [eax],0C3H //дһ¸ö RETN µ½±£ÁôÄڴ棬ÒÔ±ãÏÂÃæµÄµ÷Óà + } + if(0==::VirtualProtect(lpvBase,dwPageSize,PAGE_EXECUTE_READ | PAGE_GUARD,&dwOldType)){ + AfxMessageBox("Ö´ÐÐʧ°Ü"); + } + _asm{ + pop ecx + call ecx //µ÷ÓÃʱѹջ +safe: + pop ecx //¶Ñջƽºâ£¬µ¯³öµ÷ÓÃʱµÄѹջ + } + if(1==isDebugged){ + AfxMessageBox("·¢ÏÖOD"); + }else{ + AfxMessageBox("ûÓÐOD"); + } + VirtualFree(lpvBase,dwPageSize,MEM_DECOMMIT); +} +//******************************************************** +static bool isDebuggedHBP=0; +LONG WINAPI TopUnhandledExceptionFilterHBP( + struct _EXCEPTION_POINTERS *ExceptionInfo +) +{ + _asm pushad + AfxMessageBox("»Øµ÷º¯Êý±»µ÷ÓÃ"); + ExceptionInfo->ContextRecord->Eip=NewEip; + if(0!=ExceptionInfo->ContextRecord->Dr0||0!=ExceptionInfo->ContextRecord->Dr1|| + 0!=ExceptionInfo->ContextRecord->Dr2||0!=ExceptionInfo->ContextRecord->Dr3) + isDebuggedHBP=1; //¼ì²âÓÐÎÞÓ²¼þ¶Ïµã + ExceptionInfo->ContextRecord->Dr0=0; //½ûÓÃÓ²¼þ¶Ïµã£¬ÖÃ0 + ExceptionInfo->ContextRecord->Dr1=0; + 
ExceptionInfo->ContextRecord->Dr2=0; + ExceptionInfo->ContextRecord->Dr3=0; + ExceptionInfo->ContextRecord->Dr6=0; + ExceptionInfo->ContextRecord->Dr7=0; + ExceptionInfo->ContextRecord->Eip=NewEip; //×ªÒÆµ½°²È«Î»Öà + _asm popad + return EXCEPTION_CONTINUE_EXECUTION; +} + +void CDetectODDlg::OnHardwarebreakpoint() +{ + // TODO: Add your control notification handler code here + + lpSetUnhandledExceptionFilter = (pSetUnhandledExceptionFilter)GetProcAddress(LoadLibrary(("kernel32.dll")), + "SetUnhandledExceptionFilter"); + lpOldHandler=(DWORD)lpSetUnhandledExceptionFilter(TopUnhandledExceptionFilterHBP); + + _asm{ + mov NewEip,offset safe //·½Ê½¶þ£¬¸ü¼òµ¥ + int 3 + mov isDebuggedHBP,1 //µ÷ÊÔʱ¿ÉÄÜÒ²²»»á´¥·¢Ò쳣ȥ¼ì²âÓ²¼þ¶Ïµã +safe: + } + if(1==isDebuggedHBP){ + AfxMessageBox("·¢ÏÖOD"); + }else{ + AfxMessageBox("ûÓÐOD"); + } +} +//******************************************************** + +void CDetectODDlg::OnCancel() +{ + // TODO: Add extra cleanup here + CDialog::OnCancel(); +} + +void CAboutDlg::OnMypage() +{ + // TODO: Add your control notification handler code here + ::ShellExecute(NULL,"open","http://ucooper.com",NULL,NULL,SW_SHOWNORMAL); +} + +void CDetectODDlg::OnAbout() +{ + // TODO: Add your control notification handler code here + CAboutDlg dlg; + dlg.DoModal(); +} + +void CAboutDlg::OnMouseMove(UINT nFlags, CPoint point) +{ + // TODO: Add your message handler code here and/or call default + CRect rect(60,20,100,100); + if(rect.PtInRect(point)){ + SetClassLong(m_hWnd,GCL_HCURSOR,(LONG)(LoadCursor(NULL,IDC_HELP))); + }else{ + SetClassLong(m_hWnd,GCL_HCURSOR,(LONG)(LoadCursor(AfxGetApp()->m_hInstance,IDC_ARROW))); + } + CDialog::OnMouseMove(nFlags, point); +} + +BOOL CAboutDlg::OnInitDialog() +{ + CDialog::OnInitDialog(); + + // TODO: Add extra initialization here + SetClassLong(m_hWnd,GCL_HICON,(LONG)(LoadIcon(AfxGetApp()->m_hInstance,MAKEINTRESOURCE(IDI_DOG)))); + return TRUE; // return TRUE unless you set the focus to a control + // EXCEPTION: OCX Property 
Pages should return FALSE +} + +void CDetectODDlg::OnOK() +{ + // TODO: Add extra validation here + + CDialog::OnOK(); +} + +void CAboutDlg::OnComeon() +{ + // TODO: Add your control notification handler code here + ::ShellExecute(NULL,"open","http://ucooper.com",NULL,NULL,SW_SHOWNORMAL); +} + +void CAboutDlg::OnMyicon() +{ + // TODO: Add your control notification handler code here + ::ShellExecute(NULL,"open","http://ucooper.com",NULL,NULL,SW_SHOWNORMAL); +} + +void CDetectODDlg::OnMypage2() +{ + // TODO: Add your control notification handler code here + ::ShellExecute(NULL,"open","http://ucooper.com",NULL,NULL,SW_SHOWNORMAL); +} diff --git a/course/ScyllaHide/DetectOD/DetectODDlg.h b/course/ScyllaHide/DetectOD/DetectODDlg.h new file mode 100644 index 0000000..47dc580 --- /dev/null +++ b/course/ScyllaHide/DetectOD/DetectODDlg.h 
@@ -0,0 +1,82 @@
+// DetectODDlg.h : header file
+//
+
+#if !defined(AFX_DETECTODDLG_H__878B65B9_998E_4718_93F3_D147DB13A90D__INCLUDED_)
+#define AFX_DETECTODDLG_H__878B65B9_998E_4718_93F3_D147DB13A90D__INCLUDED_
+
+#if _MSC_VER > 1000
+#pragma once
+#endif // _MSC_VER > 1000
+
+/////////////////////////////////////////////////////////////////////////////
+// CDetectODDlg dialog
+
+class CDetectODDlg : public CDialog
+{
+// Construction
+public:
+ CDetectODDlg(CWnd* pParent = NULL); // standard constructor
+
+// Dialog Data
+ //{{AFX_DATA(CDetectODDlg)
+ enum { IDD = IDD_DETECTOD_DIALOG };
+ // NOTE: the ClassWizard will add data members here
+ //}}AFX_DATA
+
+ // ClassWizard generated virtual function overrides
+ //{{AFX_VIRTUAL(CDetectODDlg)
+ protected:
+ virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support
+ //}}AFX_VIRTUAL
+
+// Implementation
+protected:
+ HICON m_hIcon;
+
+ // Generated message map functions
+ //{{AFX_MSG(CDetectODDlg)
+ virtual BOOL OnInitDialog();
+ afx_msg void OnSysCommand(UINT nID, LPARAM lParam);
+ afx_msg void OnPaint();
+ afx_msg HCURSOR OnQueryDragIcon();
+ afx_msg void OnWndcls();
+ afx_msg void OnTest();
+ afx_msg void OnIsdebuggerpresent();
+ afx_msg void OnEnumwindow();
+ afx_msg void OnEnumProcess();
+ afx_msg void OnExplorer();
+ afx_msg void OnGetTickCount();
+ afx_msg void OnGetStartupInfo();
+ afx_msg void OnPebflags();
+ afx_msg void OnCheckremotedebuggerpresent();
+ afx_msg void OnZwqueryinfomationprocess();
+ afx_msg void OnSetUnhandledExceptionFilter();
+ afx_msg void OnZwQueryInformationProcess();
+ afx_msg void OnSeDebugPrivilege();
+ afx_msg void OnNTQueryObject();
+ afx_msg void OnDectectBreakpoints();
+ afx_msg void OnDectectFuncBreakpoints();
+ afx_msg void OnBlockInput();
+ afx_msg void OnChecksum();
+ afx_msg void OnEnableWindow();
+ afx_msg void OnZwSetInformationThread();
+ afx_msg void OnOutputDebugString();
+ afx_msg void OnGetEntryPoint();
+ afx_msg void OnButton1();
+ afx_msg void OnButton2();
+ afx_msg void OnTrapFlag();
+ afx_msg void OnGuardPages();
+ afx_msg void OnHardwarebreakpoint();
+ virtual void OnCancel();
+ afx_msg void OnAbout();
+ virtual void OnOK();
+ afx_msg void OnMypage2();
+ //}}AFX_MSG
+ DECLARE_MESSAGE_MAP()
+
+};
+
+//{{AFX_INSERT_LOCATION}}
+// Microsoft Visual C++ will insert additional declarations immediately before the previous line.
+
+#endif // !defined(AFX_DETECTODDLG_H__878B65B9_998E_4718_93F3_D147DB13A90D__INCLUDED_)
diff --git a/course/ScyllaHide/DetectOD/ReadMe.txt b/course/ScyllaHide/DetectOD/ReadMe.txt
new file mode 100644
index 0000000..6952c36
--- /dev/null
+++ b/course/ScyllaHide/DetectOD/ReadMe.txt
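Review bot: The handler declarations between `//{{AFX_MSG(CDetectODDlg)` and `//}}AFX_MSG` in DetectODDlg.h carry no comment saying which checks only report a result and which change process or desktop state. In DetectODDlg.cpp from the same patch, `OnBlockInput` calls `BlockInput(TRUE)`, `OnEnableWindow` disables the foreground window, `OnZwSetInformationThread` sets `ThreadHideFromDebugger` on the current thread, and `OnGetEntryPoint` calls `ExitProcess(0)` when it finds a 0xCC byte in the first 20 bytes at the entry point. A trailing comment on each of those four, e.g. `afx_msg void OnGetEntryPoint(); // side effect: exits the process if 0xCC is found at the entry point`, would tell anyone running the sample in an analysis VM what to expect. The list also declares both `OnZwqueryinfomationprocess` and `OnZwQueryInformationProcess`, which differ only in spelling; the second queries `ProcessDebugPort`, the first is defined outside the part of the patch shown here, and a comment naming the information class on each would keep the two apart.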
@@ -0,0 +1,88 @@
+========================================================================
+ MICROSOFT FOUNDATION CLASS LIBRARY : DetectOD
+========================================================================
+
+
+AppWizard has created this DetectOD application for you. This application
+not only demonstrates the basics of using the Microsoft Foundation classes
+but is also a starting point for writing your application.
+
+This file contains a summary of what you will find in each of the files that
+make up your DetectOD application.
+
+DetectOD.dsp
+ This file (the project file) contains information at the project level and
+ is used to build a single project or subproject. Other users can share the
+ project (.dsp) file, but they should export the makefiles locally.
+
+DetectOD.h
+ This is the main header file for the application. It includes other
+ project specific headers (including Resource.h) and declares the
+ CDetectODApp application class.
+
+DetectOD.cpp
+ This is the main application source file that contains the application
+ class CDetectODApp.
+
+DetectOD.rc
+ This is a listing of all of the Microsoft Windows resources that the
+ program uses. It includes the icons, bitmaps, and cursors that are stored
+ in the RES subdirectory. This file can be directly edited in Microsoft
+ Visual C++.
+
+DetectOD.clw
+ This file contains information used by ClassWizard to edit existing
+ classes or add new classes. ClassWizard also uses this file to store
+ information needed to create and edit message maps and dialog data
+ maps and to create prototype member functions.
+
+res\DetectOD.ico
+ This is an icon file, which is used as the application's icon. This
+ icon is included by the main resource file DetectOD.rc.
+
+res\DetectOD.rc2
+ This file contains resources that are not edited by Microsoft
+ Visual C++. You should place all resources not editable by
+ the resource editor in this file.
+
+
+
+
+/////////////////////////////////////////////////////////////////////////////
+
+AppWizard creates one dialog class:
+
+DetectODDlg.h, DetectODDlg.cpp - the dialog
+ These files contain your CDetectODDlg class. This class defines
+ the behavior of your application's main dialog. The dialog's
+ template is in DetectOD.rc, which can be edited in Microsoft
+ Visual C++.
+
+
+/////////////////////////////////////////////////////////////////////////////
+Other standard files:
+
+StdAfx.h, StdAfx.cpp
+ These files are used to build a precompiled header (PCH) file
+ named DetectOD.pch and a precompiled types file named StdAfx.obj.
+
+Resource.h
+ This is the standard header file, which defines new resource IDs.
+ Microsoft Visual C++ reads and updates this file.
+
+/////////////////////////////////////////////////////////////////////////////
+Other notes:
+
+AppWizard uses "TODO:" to indicate parts of the source code you
+should add to or customize.
+
+If your application uses MFC in a shared DLL, and your application is
+in a language other than the operating system's current language, you
+will need to copy the corresponding localized resources MFC42XXX.DLL
+from the Microsoft Visual C++ CD-ROM onto the system or system32 directory,
+and rename it to be MFCLOC.DLL. ("XXX" stands for the language abbreviation.
+For example, MFC42DEU.DLL contains resources translated to German.) If you
+don't do this, some of the UI elements of your application will remain in the
+language of the operating system.
+
+/////////////////////////////////////////////////////////////////////////////
diff --git a/course/ScyllaHide/DetectOD/StdAfx.cpp b/course/ScyllaHide/DetectOD/StdAfx.cpp
new file mode 100644
index 0000000..9309224
--- /dev/null
+++ b/course/ScyllaHide/DetectOD/StdAfx.cpp
@@ -0,0 +1,8 @@
+// stdafx.cpp : source file that includes just the standard includes
+// DetectOD.pch will be the pre-compiled header
+// stdafx.obj will contain the pre-compiled type information
+
+#include "stdafx.h"
+
+
+
diff --git a/course/ScyllaHide/DetectOD/StdAfx.h b/course/ScyllaHide/DetectOD/StdAfx.h
new file mode 100644
index 0000000..fe8af2f
--- /dev/null
+++ b/course/ScyllaHide/DetectOD/StdAfx.h
@@ -0,0 +1,27 @@
+// stdafx.h : include file for standard system include files,
+// or project specific include files that are used frequently, but
+// are changed infrequently
+//
+
+#if !defined(AFX_STDAFX_H__1D6A253C_B6C7_47CB_B730_6447CAF4FA7B__INCLUDED_)
+#define AFX_STDAFX_H__1D6A253C_B6C7_47CB_B730_6447CAF4FA7B__INCLUDED_
+
+#if _MSC_VER > 1000
+#pragma once
+#endif // _MSC_VER > 1000
+
+#define VC_EXTRALEAN // Exclude rarely-used stuff from Windows headers
+
+#include // MFC core and standard components
+#include // MFC extensions
+#include // MFC Automation classes
+#include // MFC support for Internet Explorer 4 Common Controls
+#ifndef _AFX_NO_AFXCMN_SUPPORT
+#include // MFC support for Windows Common Controls
+#endif // _AFX_NO_AFXCMN_SUPPORT
+
+
+//{{AFX_INSERT_LOCATION}}
+// Microsoft Visual C++ will insert additional declarations immediately before the previous line.
+
+#endif // !defined(AFX_STDAFX_H__1D6A253C_B6C7_47CB_B730_6447CAF4FA7B__INCLUDED_)
diff --git a/course/ScyllaHide/DetectOD/res/DetectOD.ico b/course/ScyllaHide/DetectOD/res/DetectOD.ico
new file mode 100644
index 0000000000000000000000000000000000000000..7eef0bcbe6580a6f464d688906172c2d9de44262
GIT binary patch literal 1078 zcmc&zF>b>!3}jLb9s)T}@Kod(893@u8ajANzT`op9^o+)S?=nU(FD@%0s)Sg^oyC8{H z9myetc;MEP)59v(LMa~xK8Yu^jIR*H22uCFiq5%C{s7(PJi>o15i^bmX4(vPxWAio z9ryY#AU_jfnd047-@`)XzL?%iS$gQyFP{44kS9X)fN{{QoL~hO-&=q&20Zr*cxFAt PkaNE{wR~2C$NfnjhSXWT literal 0 HcmV?d00001
diff --git a/course/ScyllaHide/DetectOD/res/DetectOD.rc2 b/course/ScyllaHide/DetectOD/res/DetectOD.rc2 new file mode 100644 index 0000000..3b0edfb --- /dev/null +++ b/course/ScyllaHide/DetectOD/res/DetectOD.rc2 @@ -0,0 +1,13 @@ +// +// DETECTOD.RC2 - resources Microsoft Visual C++ does not edit directly +// + +#ifdef APSTUDIO_INVOKED + #error this file is not editable by Microsoft Visual C++ +#endif //APSTUDIO_INVOKED + + +///////////////////////////////////////////////////////////////////////////// +// Add manually edited resources here... + +///////////////////////////////////////////////////////////////////////////// diff --git a/course/ScyllaHide/DetectOD/res/User.ico b/course/ScyllaHide/DetectOD/res/User.ico new file mode 100644 index 0000000000000000000000000000000000000000..c4ca15e61fc9ea159480f5badc63c6dd61fc5570 GIT binary patch literal 3638 zcmeHKJ8hKn+0O|6I%{zgY9^YzrjgtLw2)Pl9?SP-c3kSgpyLFN;t2RLmQr5Z}rCQxc(Fc`q{0+d_{R0VX)K@iX{ zn=rfqitPdHRu`hvL$iB_&fOhqjte0K>TT9|5|(Acwr!YJ6<({2qSJ?Ed#E}sbbN_c zAQAXJs?{nQjRu@f0LO7qt8pKtGCa@Y>^|TQAe!7)(}(W)y!O%bS}^QB+@^4<%lYkJ7vFsF zSN0Om%A2J>Zigc@~F>0N!m`VMtcajB_IqR^1s zgM{f)`M=adZ@&zq&kDl#`Q-$j2jfS}tE*0?Q{SbMmLBKxKJ(IXa&{#rt=a ziXucjJDQfo>sOh~idKnwwA2k{zvhFv8hLi(`%R?MsYG%3<~^zGMvflF{SO3xR7QKY?1`j@KE+wu!uyf-ffc RCn(-6dtT3C$e1r@>`zXU9T@-s literal 0 HcmV?d00001 
diff --git a/course/ScyllaHide/DetectOD/res/dog.ico b/course/ScyllaHide/DetectOD/res/dog.ico new file mode 100644 index 0000000000000000000000000000000000000000..4b41db2a9e4d321495c8489d5734d2caf626b0ae GIT binary patch literal 96542 zcmeHQ2S60b(jIb91W`c+6+tna0TW4*pn#yLh=_uKsF+WJ5|yYRK|xT!teA5aa~5;X zS@G0UFZsXs{&)Wc=l^P!S(bHS7X|cmN1K_Q>8Y-+s;;i8?&)S21xAZ8Gt>hapTh83Jhba$uK%Pg5PcNyIx%e?=yH`ompRxVa&DY{nFp+ z4D;B4-WU8n3-~Fm=zYQOaViYs@g1MPF|!`9_5xNy0zEfk+Nvus{nQ1NjxY>EJJ;RPGf;k!i`PMUgr^Me`e^MHLhk6#0gSCl-X1 zX;IfWpH!EjBF; zFN82^`$S1+QIs2LffpD?DJ@l)n_(;qEQ`YN0>h{m>=3!HzCSHC%EF=x!>ENPi`-X; zOwQk*Oc*K@iB^}XR_ z5B>b2)O`g-;pOi#%*5o_0*kZ^A8~;xpu4`2MWWQBcP;j0L>7RyAeHE$5SbC35tYBs zj45A&0+^Fu6jgwVh-PP$lA|nRBlm+AO6Bf1w%ngK+ah(3j#&P*wA9$>3}0YVPU4kf zV|CPv3id?yuqsEsc2Sl(K*^^l7Gha;bV;>H3sj0O+K(q?ccGztBQ0}>?hButU!JNE z#@NU`T_9rRYsL7cTEspG=~0v_3LOyDEW#r#qBFujAio*_6j_{;|??0;A031E!+q_ocu8 z5;+rG`d!hP#q;0roX$^iK1t^UT-Y5`C32K5fF1g?3&eYEsAvqxN{S1RXQ}U63 zP6bcUuW%>)#bu54Ga)ES2dVT>F=KQT!uVe}Co`dn(Ph7t5*5r8lFL-RLJ`wN!IJ65 z=TJ(s3T^N&rZEpvKQ*$*r+|T8cU$m2bIs9{Vi=qNF?=)UzLIK346*aIdZFEY> zvC*jop-ft-DpZ3G?1_fz%eS&r%Yw8b9maxh(*|jl`FLh&R*H{O)Se;>hDj?e9@X&; zPhgk=iyow6g$Fc7TE<}EPo>CMH1M((u2xh~u&+RY2g+zb+odHiLZFcrkwvkgLNY2Z zM%Q7Pufyk8iVRUgqqfu$6rf;f*+oA&nXeN%hUDbr#swJz`SPJ-@_UGOI(Ru;v@hc` zik~5Lg2Nt?+0CAPZ%nBLQhhG{#ngx7)@Ofb6d=(Gka9jL;aZ73hLiwF&qOQIMg}B? zPg%I8#J%`CGE(}BA^m{T1P94^Ver7(TfoYHHB&~^%mirL&Rm7?6ii5el?wLxU+o+5qjZH35KU*AYUkJh*dGNcb7 z!(m~uKQ=)rlFP0hotzeera%WeuY4n>RA|919kpmPp?oP6S?2HHvZ2$p3{Q9K>>*=m!9A^i~H;`CFp-`(si8OOb8kw z@q9+M3JyHM|LWm0v=di~j?Q+vP}pM?Vuo|$o<3F~_!&NH7stT;JqN0B_w&s-;}eFZ zdV^fV)kq?6zvUH&p2{f#{m^gpFzNC}i$AWtdB zY;eh^zaa1Lai88T?_a13fWj9M9@I9Fp8xWWaZWnGGX|w+{&~0Y+n6!7_5_>>jAlJO#w}(oU_~&V=|>nvRZYe%=?K#)xRB8^HD~N5EuT5=rYE^YZ>Q=wMWpcKXtaCDoSqRc#$c^&0> z03TJ*p^&L(jC$xbXRIT(0?%TU6U-=T>N3t@g^XJq?xpMntT@o&JYycV5wP|$Zh&tZ zyb*MDWP+AGMj7dhqM|C}0ov&~eh*%lgGS8(?*!llF{Yq*z4nfPxs1^St=&NDt{!2G zxpy4sJRJ1B&2;*HE8__II>zip{p=WB(AFDtQw80+P9U0rU!a*kXjTt2GX~AtgO+v? 
zJAunu#tk$Z4%!5P4qZWm_NcpV^Y(Zr5AR$@eh=_U7xg*73`bo&P>1GSof$jeEmCX4$(Hm1k>-Ou3o#f=*mRsrkq0S?cF9%H}4> zX%nX>wKBPJmi2QPMRN`0*N=T$$;7Lj8E5HE`IS65d=vnGoTV*cCHc^@jH^FxoT8?ZPHwKgCE>=P$Z?W016Ev| zpGO=W?)o+g_>27dL2*D%;*qO`>{)SHNO6{UH7*WSMKKlR&$S`Qejdn@i z9-8hQv$E9GJRmkPxeY^=adBDt5;8-`b2A&pWpz~2jC0p?ckgIM&;j2vPGWVrhx)p4V>;GF z{*EO11RnUr`GGw2xLhgRQ${x~t``u%KV2KjQZKhYe$rLx!M{U4WAGzR*S3!?=&Gy7 zQ3vz{5%l$a=+Ngt2;LBY=ikN|+36nSn>fxL9&sM}kpi@M@MSM>xj_O;z~}hRyo)A#NkugBClC`L$UnCEl@vB4Y|3dW=R4Ylk3(% z0FKCCc5sg}fexArDoaH5P{2({R9ni0i?Ymu-yC>95BH874+tk4LeWi-@q_xtHhlG5|gRUukdbc~^P0F2^v zo8;Q)X6brJZkT1SqxC?bp7gUIg~xB;EKZtnCt4PkbfdSw#834|+Q}H(1#v#AvHvoGj|!ipUVAsrXLU#`wcRTH(1;Z#BGclf;;4i(C6i zdR|5*bz3${YUO2^#5AhcPz(tz165U3F9QQ@Z7;(*3;`>5)HhT$Frfdcss^fhS{;C_ z=wYJmC3r-CRlN)i4KPun?C5Cdh1=Q&sv6pOc@$ljt79uw0}XBMmKuPq-89MAP}R#w z?73=74Fe4g1y$8XNl8h1IF$j%RYz@AgO)8-wKZDWG{tixFYR*0CnYu1R&Ci*TT??r z9gp!GBq}>_r;ee4wgGUc*E1=}6wi$)8xAfLclOdosj7yp>8_!d-lz`ajXJc7q#SgI z2WE_GQ()ueh5z_t*f0stO@+@XZ&E{|BuD^KdZ{+#Zt?F^-lPtAARxA0$7Xu;+_daD ze(2Q$CArtNl9D2|nDX#VBf$W`CkP#rlCkxjoA7!#CuP0@pQ5g$QGf# zk>ciLpHSSDV(DZbEJL?Uqu^#fB;7PPPu&K4cHH zcSPJDeK+;nWUElTn(Pv?S;$r)JB92D8Ux_t*xVQbV&fDe=WGkT=3LC4>zw^S_6EhI$)=+51F|c~ zz91Vq> z*K&_c98CK-2WuPZFbynJNLJJ3G^(>nFa?ss=kR<5h8 ztmUBPU}RKgfoL1mRn}5-(5l-*yN82=i4Y}?x@u}_3Tkz=w1agVlud>AwY8Mh)U?#p z>I4UyJCqe09BfioK|xJHSvxqmJB*al0|anInaXvwbc2I^4ePj?c6TK@m68l~#??qe zBV|Kn<$9=`@IEer$IxA6WkZJ^_%TcX5f=c+9d%mhbQjI9gF53dGzA8t`3+ECde9)a zEoP9G5+pcS$6MLebr3x;GH~VbWr95&dMh^|5&{|qWrc^4R$XNW2aN`X%JpcRw(KC- zb&V7Z0Q>VD)Q?dh$p}g4Z&TmJA0qvjby6{-XNPg&;dxwN<~a8@qo~)F>54JN<{okA zE1EKn>6e+V5$Fq&E;FXy=}c4SFpSNjugiPPDAqIO{7ttUTsOy9sbW3G5is2Vr@em; z(-dQz<`H|5&zNzZdz~>Io&(qzAC5bL@y`iN`=C7B$GEbwBmCyAjInnL`ikZ#^EzXW zJdPx1mLI!s_p{TBfi@Na6)7<;?hkAzZHQP2h~MGMX{cWrd6lXnJ*?*I$G*#nmU3qP!TJv!=CS5#IJz!%U|aNW4Am5O@ZPb{~7 z^Y*?AuIicg031ctIy5JWt4os(_FkE%4b7ZB5q`7IPJv4weCIL>aJ0X3HTGYkT(=Rf z+d7U2T>7y4P@44mDMhrl^BGn6yvNXJ0I6$Y(|YV?EmH?vx9Q~x=nB` z`+o&RWtVBIM=pElFg~|skG`FJ60M>R7}*CZDXXHyk;@+qN;#;asRe-TokxyZ^}My+ 
zP}zYar@pDh@cEa0@qfWp|3!EG3vT-1I_IKS`Z4c0r$^-90DJ+?-Mk`$*Z$ab@HE-s z8+7V5c=i#$yz9erFAdMV%>BRQJO7gJf-8P`*YFqR`YpKDKVfG><1RL%(nl4RwCf!x zBYY$Ce!h9vM-<%PfCDVxqm)a-axUUOF7U`V|GHoP^?*gUJ!c;oG;2Q!)oa~d7Wmpt zS`C`Hf5gIDM2-2Ehvk;S#I z)1XC%p;>1}6xb3)uqB0 z0LNbq?M5Dndmx-cv(9;Eo%NY_vEQttgXa{FUis8);1ppt5U6+P@}T99dritOyD4%d zR-*8U;C{f82VSX1`o(SrJBBZ~3W*vxbAKa~vZ<}g>U9Rq+!wIuj$8ElE`!2sMrZVz zxWIAZ0))fN226o=RnefpuK=15xbTix>G-LsqbHh8$DoZ*_F3QgXmQsAm)`eZe8+#` zZTt^ddJ4{<<#W6J@k6m*E7^@;rjd=jlC_gdMPdZNN2 zWQ1?w8y~Rvo)}ocPl#Wi&=n0^nllv?PkRQXLBfSS0#wtmoD1OQuz43+*$iHASDp0L)z^R6OV5q$mOliRgXHebf6%U4(BE?Sa& z znmRUU*~2pagAaWo);+4zxOKQR+L!$N+jIRs)8@4bDtuqJ%W(P_WK>o9@4L@m?H-tV zq=;+}>VGh6h;7`)B5VJNQ(L5!Er0&$azVDgbM&To49pApkKt#|4m7dxT6F74$&JeB z{OHx&Z7qD}zcv}Uf;Aqw{7*(nH)-XDP0K5LNA%g{`%jJzUvTXX2BW$1gH}9d+qg{F zVbiPkB+-2G>rdykBpTlP;nhyhv=i${|ML2u&i+g8u^s!3-+BJ#ouiW8D{0^yg&&vs_vGi3_jJ z%F0_%84dM%g@hW5@n5rx_m;G*d2=dzkAIe3xGjIgqPzbUEq^p@QGHYE0=W%PIq!HH ze#-e!@%ePvT>loOKi3Xnj}4f4;ANBV>|-i}ukSo96Yc(YzU|Yw#gMsgD2`Lvd;GJu zPX4ih%O981JtLPrU^@(o*qt_S!CXF{{9H4#uzKsRC`^R7*qWs4<7k^>lpBP#EfcCuuW>V~j*E@738=z0b`dgT28eCb~@@Jne6N!0ir;J?s zpd9^)2Ld19!hejd234lVi<`Q~?KTNq@wX`dVGsOWx69B~viR`*;`gi+^*uP*gAL%B ze*7mby%r%={S)^*O- z;Kca4O}`7X>*Xld9a7@=Pu~1|-X&&Bk~sYZ?O!_oAHV)-YcsF856Sm0$N#|P?;E=( zT$9%RuReTsXlV9@bK<@Sl}|RHZnL(D(qM?n2I3g0_$Y<7pSc;&wE&Ue0fd2m|{-3yfbK|g_OE;*m5pDl;J!<6> zR%QPPaviy=C!vxGfJGxKY;o#&{YhzfVbor-T-+2722p{#~(-uMOO_T=| zkAeRG6Z(H%MfI7SR+wZQu=HoKwokI~zDfUts~2zIJ6zGbbbsE;E%W^sm-+sp<&Q)= zZs!rU{>-&oGQ|;~`wxs*bni9!F=RhFg%v(ht#246pU+gW4p_T=SHy@#cm5Rj{fG}- zJdXN*Tkq_Oc-YV;I1K!MCz=0=S1#XuaIm6x>3;uFktu;+G zA4>%rKt71cnMe@h-KVtpG%ms@oi$4hczp*(7Gs?*lX9wJ7JGhMAvUzt=r7`TUmB$s; zi^hBhPfi|BF@C*{>Hj`a8xrsxcDeeH4MAgAnYjz-i*KQm3J06locCB|Q>`MDj4XRiEHJth0Z(L~VFvJ0b5<|HR!tR;2r>JmP=vscSDe zxOz+$#a+_%{TDx8@yWSzg`Y#f<4bX^fwK<1XwtD4Ei)u<|DeH{t2b75^o&fA6!YWh z_9dLLatCW3n08d9j`lcd^H8rncyhq6;P#K=wu}h>rOspf7UYAz?{e(p9N1^-y0hYK z%0j{hl#f52WNRUSv;VSg=W z^2K}F^`2xqe*R(cb|OmmFXftS6R(Wp?>Y~OJ)o?vl~QUq1W5We;PAy;+a!%)68{H* 
z{|22LWtxldweVWJ9^|VlHE21eU&8KZUkZO^#e-xOYeN0E!=P#V6qQtHqvUZJIk_34 zbsUqmXLdQ?5B3AWrx=oR)P}3sOIFL|Lx{rsTCOpFZ%%V-@9BflmSm;*mzaSFp3*OV_dbeOh{MBLZ>-sX?>F9tzblD8 zU-LcsCZ}~T|5z*%`#)H#?gQG0)9Ro0TTQ<$>4C9Wrg7ZhwBt|2$FRA$(t>M$v~luJ zfBN>97hf~4#p_06;eGukeNXZGisEbkG=7WY3!V0dN&}O0b*=hw{ut}=%`GqE6kG62 zJNClOKcv$6tKzi#r~f8dA2?!yZ{O)#C64Qh)A1ks8}UV#=nYRWM`RVv6%en7Abz;^ z!j}C<^Z)5QtqT4pE?%B#KY8(4N&TTXjsE$+FTNiF-vH~Te!zdMMvU>_Y1_Z0zW?c) zpU-voiOm5${#)C9KIRdzL+4%Kl6Urb;Wgc_Z8_uO8}qOJ+1`2dyl<)RPt98y?2)|h zPGxcRn&JiV9?PAx97MS^kGf$o!}CWsm&ALd&li#v3@_>Cw@Qoo9<)30Es$)Sj2c;pthgKgN_ zLdbWX|8#EWI+pc@KKYnfHH{rvk4!&_HLUhkg@*s+ydC>ZoQNGEDxA+FYx^Nyk}e;T zbxxSLejWF*JBP$}Ot7n>|4Bv%%sRj}?c7@;?|C_JjabWl4=gM0l#k>E`?RoKyr!+b zTk>MpKbfahz~fnVD=j!38i{r=H&10KA3vt!V# z!?Yn$h5YCFL%iYnL-#~wfOt0`?F8#MeJ_hWa@cN@*RegOY+$iv4%e?^MYdqWQ)eW7M@2lr zW<)~UykE*OmJ-?N;`TZ5-vc(BUDQt2Y{F{xyD`hzcB7WEoyHY%GJqYQxIRHTpC$Jb z6q9hDv7Oa!VI~v*Ne0|wH-rBlejij34m9T1Ys#|A$1hx2`>pVQ)$ZfTn9ub~J>Rbng+9QpTWs$cMO?e@5WIqIKYAJ4Y5XeII(!Su z^Iu$VRKyF>`-B_jf3Y3=PnMbY#Q)x*%h;;KGW_yyvX;I{J8wNL+4HUNfA!uINm#$} zz9jw=uLfnDW*uYqaQd8hN~!zz>scr0d3wh4ljH#3&~ZAz2{O-q)zs0XC+ z$+>h`(wwfU@Sk|b$pGv;viHcJr@n&D*rbphn0|^o^L+^2_sl%a*#woz0F6O;rX6Js z%{{8j|CaW?umMlXqywn_81wnjePqNpWBZYgd-&?@4y>VeNYYqeRrEjKX6YU33;1?U zXU;ExERb#3a~kwQ_-58NatG@I|3DxE7b>(1$tELTj@oloQ=|61*uk@p$`l8{o`kGx z^rpL;iVhciE4sh5p2g*5Kfef8xv0Wx>Gi@9Ck+p1> ziK|(2_y)buuaGS%3Ww}SULTN7_DVm_8X=}vRo+v6HT~A?pjiiH;y=v+au_%7+_%*C z^K$MVvmgR-uU|#^E_zM;;C*xAGx3Y;LelG`&)sJo;rK}QpEvkNJm=r1Yx4ccHz1oq zwEa_@m+vF^eu3nH#sWz0$R{Bi{$qI0y`xwMKHy&P|HE(8dHlFDgZvFI*!$j)F*De3HO+sLk0F_-e{173GM;Y}-`KgNhtKo` zzk-{;i}PFjH}R6%J@LNlq_v!%&-r=q^RaO>^!y=?*W&ya=!~*~(SUlt9`I=>Zs`HSaGRnNTtPyFU( zgk+~OINpfaOTks9=Q8s@dEaXt6Z0`&3%^C{QQGb|OQGjaI}aSL=sUNP?H8ZV@|kyG z>+pFOpH{}V>Uc&v!+v7EO#GEnC$?SR@ub@;9sd!GFRXc%oxdnr74g6A7cetx&<_KRN* z-hJ^C&5_(FE#3d|*S!}Wzul0v_kPCE?6YY@=bbw;Ecc?sSko}r1SSst)xv*szhu^@ zl75EdwUqzVCyqe!A2n`#f|ZR8tusVxPSM(BwEom&q)?=ADT!aBXcF>`MGBmiIcFZp zL~Y9h*1Ncf@~0q4qvgfg#*Jj`+0VaizVP_X#;L1sq+#B`V)O|=5kH7uS}nUt!&#>1 
z?y;L>ng8>*ZSdSHL@SlL4Q3kIjVSCoEPj8t;fV)(j>#(S7r*m4tvw`5Y0n)EQ}`|Lwcd2b!n)Ld~AXpcL8O@BUQ?KJiqig+J0sAx_s}!Vj1w3Rxg&(Y{>Rc z*j=UhpQ3!L?rZdS?+2wFd)Eh3%Ud~(+{Q4k}PT)ozlE`b?m>jI_1N zWThpoZ6O1V?(f)t=!=`@2)xr}z+Gzl?>Hco8$TA0U(3p)+Q>(?r|0Y=zcjTNyq;kc zDHcB_Gk5+c#i3|zZNQ=RbEVPfi;H#B+OoiVw+y&Ts~g*EQa=1XDf2#HZ`KB%D=&k- zIl9I=hON4*)wop}>OOYdKWQ{7t_i^*~Y6DK`w}{u(>ouIZe*4aava~~dw?yMS z3#8EJm#HzaU*z|Vz&l3@?owq#vvC{NZThw^+V&$`kLIOY1J!f;vmPwTjVezT;|@afjQ`@gugElP3!z5(0CC!QO#B-@4NrS_e%;|X-Y6j}EnBELZj|F6}?_=7C+Dw?NMcYQMd@eL2w zZmxK5nwsQqWw2>ZtvGg-&?2Rx@o7;S(zOi!pGnx-)R3d7g1`=T9i&7T&rlYPN6GUN$WXR#+#acM&B2>P2b9@)Ndx0_k5i?4+^7w z2-!gJzr9D;HhZT&<7D9h=CDQs#ycL4g!2Je;M8`WQvSFy>5UkJSp`7)<~ic?){0hMiw}=ou@kZZ$3PZ6|7zQ z<@kN1!)YBFl?E-U%zygs)hpu!8Ld^82M@*rTvFsahSK(RZJ}xGD?(Vc*4|y!#T${A&4c*tIY1 zIr?SkeylA_>(;=%QH31;N6Nzc(mW+7kLIt5mqGmhB7Of))&J(hX0QRD zxQ1O-+O=$XtCj!5s=$Bt?Dbm-;PoRh8TcyOfBlwbY~Ps8UtrAd)A`>I>mLMQKeH*3 zF%ebaKk}A1_jU6XgzlrP!tljoS&h>!(PwSA0@j3 z5c6YSFI>5%%Igw6di4hL%*xHD`5nK%)b(vPehiHiHFa5=ar0SPw^ufuTz-Uc9sCm8KXCde{qBi``h;mjiG&)KbCK$dSEumV8E!+7e5wG4Zl|m z{7zS;ohWK(v(}@txENVwJowztXiovx=#4C+rX#ZqQ2fsa>*e|{y!$>TdA8JjjHU60 z`d6A8(%Z%LkhHv?>p6J8wkrHLwj5B!wttyhL$>FbZ1%eWVQh<@KAdkxbgt>SA~d$w zFMb!RBg3~X9s7UJ`HlVyZ?agEWySFemnD9i_Az{d96bM+_iE!Ev##Bwja>@ckBXKa z#!ad1%hvA`{W0HK_`ax|=@@lqvG!4o%K-HS^nH`%$P8AqSyz@(tyc~oO{{ff4cVkT zg0Y|bZ0xLzPj36Q!Mo}xwx=&_g zqAKK5Ba^P|V5}WN>$S?-25AgcwQ+mEteF4w%+Si49WA3yk+tlq=A%Bsui(b--eKtz zzU02TI(RJ!#^cv-w=(JtDNgl)4Coql#2U@VOUL+R_v8Oj{73)e6t+74{)^W;B+=(< zzeh6f7QbU#on{?{{3qRP(t9*Fw(~J|dcdOFtfA!)RzX2g2=fE^QdD7$dyQmAt#~4{ zUa4x^mX@DvP<#iJdh6-)Z))FBahc9P^dN$0H4yte^-tKvtphBLc9lIRTY5n9{z~mX z9m6)lHHRyMRa4K%KN&Lj%=TSJPfro2$G7&I;#C1l?*F?wXTH|bmBbw%}!-t=I$EcR*pezpQ)=q zpWg@GW4-fDMW-%&Gk$(WJQuzH@a3EB0ZSiTs2YD|w+X)lxMb@OoOyWuwMWmUi`HF! 
zEm-^H(2W<u!$a*OIT5Hj6e%^T%mUfvAt5Wze2m6ZeznmIFTa$T+%m+ada|I00QYZ7=qN6vTIbzaFY@194m zxgLTwlq%e#rn+|KguR=APbFbna%Tyv@tbcd<57Qhe=Ja!_H( zzUtz&BshZj(q*gKRGV`YbK9XHd+c=4{k$!uA+3Q!uw2&t!oAw^!PUWlM`L zj|Si6_FXmbU0fGD`0>}gX{&Ec$NG&AW#ES_Jp1H4-q~kvd(J)H1)qu1RC z9h!A64)f=if^UbbA`|d8|HA$x_pm103F!5$0ZZ@A*mwFO#c28U&cC)c^flLq=h>&6 z<$C?gY2#nBtjg;qmovEx$Ynq-19BOV%Ya-4Tn6Ma@D0lV<|WGyIR)etkW)ZT0XYTa6!^v{&=&PILkdJvV2tpW zVG>$%r*ePfb5iAVa^*50yA0fXQc~pD-#biJnmv8<^EvFP`o*lRiuLg0`^Ic~b*T8P zOy8ea_$Fl;TMf#lJ-B79a}DMzwhhi&F{-eHbs9Q;fk-(eTBZ(>8S@uririyq-&3D? z7alo>uXu9p!Q=g+&pyXB?PWG_*1=P>Z-b>@f^e_Bdq4cR(`3||KeXC7u0x&|JZ|@2 zyxE1dF5Y;i9{%r~1?B6;=c&!}{TDy(@X0#+HgL&()^YNpOMKb*u4P~A(QE!P@JRac z=-CUx{iAP}yeh)l>;I*_cl6p=#`F0<*ZI=jhs!Y6`+xnh?vrcey8ApHC$HRE+iKM6 zzfFP)+4#8yOZfZO9zQ>X@BaP@T>60RGAMMLcpJEM_rc-YPoH1s^Vjrw-L8YtShMI) z+WV<*^oECgd3me1&NK;H#kLx=o{dajDEz)?*U8I^=(|N)E4pV;`bpYHn}3JS_@4Ph z{bt|IptZF`@7L7z;4#z2)Aw_PziZUG`;e#0D67PN$b?9f(d$^W0oE@xDUUBdCVSPa z5e2uf{?2XIIda`?tbetKe@1%PfAQTvZO6>LcJ9XQ<^25`JQsHzJS{U|@jc*wlXZz$ z^H9g2O=$gQ?Sh&+jNaDi`)zEyF{}R8Y-W~NeC2u}_FK#EF>Lxm+IxiRJRoWBvm1|} z74i68y7%}ftxbmAWIF2hhR_MrLO2YbmuN3!^C zlFsi3&D#IYDk%L*YrCQA`$lj2fpDj_4f@6Hczpim9U+~w*X&s~a@k{U?TaQI>?YO} z-UOG{ed_2wagjgP>lA*UgYPYAeI#1Li)7q){v{-=k%;=yx}N@6vq|vH?j;UK?5p}( zqkfZ6?19ATUGJ$m1tXU|;-0yW_&%nl@W1!N%bjg{2j+vee-pk!{44mzwCs8L?@77u z&l7h4)T~RNrTdSc%CH|dZ#~Htt#_HbVtu)OuNv!8+}>r(9HJAgm0O0}$E~MB-$)a_ z*pq3c{n&YzY5m2abI<(y+Jh$tsu5>C?p@*$7%~~(;r*M|O_c?AT1!H7JqeO0qH*BT z`<$HNTS890hGd@leNf85f6=;NeWNzqpnkEs@h4lsEoRddNo$W0UVP%~MeVn5@?q9v z_6e@8w6;9$d(wUAbhgXD5Ud-1M#w`!ySd7>kuF{l!v3y0>yW-=!+3my`-h-yQd^}q zDv)Wfxo6n{z;p1NGeW)){sYoZvYwg6T)U+;58FEV3%|8*Wj_pS<6IZQ;Od`u?fsPa zjG5JmHxJ7;ID0z3U+fUz>ptr!>zQ$ytB2dnBdpnk)vQ(c7VO1&9(29J)q|@a$qf1{ z%Mr;!+~IJu${O`p*m0cv5YI?Y4W51U7wF|xe3{jG?j5=`k;5POkX&>OUcoxV?B;OA zcW-Q;_xW^E(3vjfvlaq{E`dx7@+lC-9C zuZj7PdBGmQ)c5urm9Y!9&l$eV>O4Pr`^y%{|6P&=U+|mc-!oj98r)Nml zkh~M_c2PUo9w8gqevqyD&A%&0dy*eY_QBZ0xO6Q-vO~-Ugv_r_oOxK_=_OkS$MNv{ 
zuDD>YQNo>c3CWMihQ<~neV%nmILKOtZRXkr$(U38LDp{aVpc&>NizOpOYsLR zvg_OeLKFEitLa=aXMSE9Xtf22_B6ZPV|e@lZfy>fN$uA;{s2dB@CNdKfVBwS#P&nm zCOIQrZ{Zs+5qF}$!-NGK{i(g<`_Vt1Db@g3~8-*C+($j>{p+y9b2A^fSIYHjZ$5q|}&aqlv14QIR3T1EpB_q>fx zNS<&T`^Qi@u+7ayDt7N5@mjQ)hsR%N)VfFdq0^FMHrNA*_Hnw+m+R#0a^z$1A2D(iwH+bOqSq!p2bb!e z@^&f7US)~1$59v3%RPLi7iZ?qPZ#&23zn~pM_EF?N5sxp{W16h##~XHMX%xig1#dD zgA}~W>Qw4efJej+>%i1&3zn`(7R7Ju#L3e|%KG!vrK_h!pUZj;7%N2J2>GC_UWeK% z=c|rP4Lb*KsKl*!Sz}PMc zf9lW3zToX79ye)c^5d)nQ&_dSx-980b?rvb&k3w`P{!Ef7v^-;3_E( z-rdia!JnISaNu+%XM>dXbJTwkeR*6Zo&6EF=o^E*wIuBA0lV+V&3g}s$M8#*tz93} z%CyZkNw~>!4><4O@ustqsygcuxmLJ-H1*N6eyID5ZCKxRKV*v547(_?9+a1CF7f`{ zsD~T$=#16mA4{LHVxPR)s?1Dw;!xhNxV`<%X_n1vW{KyX_ds|b# z%&%!--mhH!B-MlXKsJ2f(udHU7O-4#brJHXquY3{T?=grAu}hATJ@Z> z)5LM1*bmuo-G)T7Rskuj_ncE4e<=P~(Y`HIZ;HRWMQ_@?zxZN}#ux?67&4 zHcO_dApS$NB)e?{Y_>jOD_ETt9a-DanWeH;Y9A55prcT)f7wr%pLgN*{lMy?u?%oF zBG#|~b@*GH2co~JJ@au2*ved;sNUq;1NZlc4<8SoyLKST`yA^S6|X*BG7fe_9^!5i z*Ze2hfIme2DcQ+fTSlDghEvFr_&F=Kj)TpgEd#A;tSyw5U3~uWn>57PV-Q!_3msGf z9teFn==fg|*S=gFkj9KFOVVJ-pVy%7EtR(_(HMQD z{P>I%pm|!2k!Y?KKTj)A<3of#hPT!64#ff`!TA(BlZS^rsCQZVCGF*Z^Ydf~c3Y>w zl&Zv^co?GR%|(Z&4xL;4JI4JF-+lgSS3~Qd-4uJc|MKOl6lb#bzMi#QGH*b%am9u05jme?UPNMu-h1-{O_m19K#aQ+n_=QCjb8-$_ ze!oxDrZ;_O9%BLL0Bo5PBbPsB+d28uxMInW(9CR)gk7&>jr9YMO>G_hW|93teKgq< zz}rY*1v-5k^w=}V#zk<{EJfC znCu#|BPp)S`Gz=C3~kV?1OFb9apHe^2Bwm~BsI2i`QGEW!LyINB%BF%8hh}6d-LY^A6!XB{jVQ3F?f;}wf!e2WNpO7imfAi@NF+=B^e(9Yph;R2tIaCLi#DlC` z>M6ud(uMv*i*Bx*&F7K0yF?b=(p)y+71hdi$Sr^HlVbkPi3f!7|ACojSwpivLio+$ zs}TNA+K0E_jBRhb3<}$^Y~7|dT$}pdr_K+Uw7`( zHI;`?aVH<}T~f?#1m>@RW^8@<$nAOuu*Q}iiM9^C#^K#};xI*j<9RXZz;>nQ&T2@rtQ2v1>))iC+VD48f=PLf@$M9DL8zL)hVb_#E@=tu}HunT^fYF2}xEvdwkE1#6Gns`~O^~7B1g^>fD5?z~;-i z^Wvw4!*VZ24V!oI6zK62>hs&+)Wg5_kKcKtPxy-I^HyviU$)Zr%)_eWT#-K^(f5H| z)aXHWm=2N=5^sk&DC39NQAvF&)NPf$BR+rd*3%N<9Jk8eqi1KX-dfq%aS}IYG-&LU zB(k3j`$laN)q9n}2$`N1)^_-uQ_g*d`Z9+7)(#ml-o1OsmWMP?aLI;UtEG&YZPe-E zn`s+=;{RF=&$(;loA<1RN8FK~(+~famNjog>tS=YCuc9tt)Tp3W#eAc98)g5cbRjO zbPb~hWSLzkkV)_ZTXJRqy 
zlzEFa9+ZT=)0+UsRklai_D3{tOw#-NPF)ypn|S)2S;S$sOXOje&fTMqKwqhGI?H_8 zZnmjw#7eyTLA&Jkp=FrF#*R~V*rZ&2+a==AJFDc2|7jhtP}nc^2;0G`x9uAT`fa&e z@`C0V2koLj6*)*aS9@ig1K|8%yqwcBju ziQTws&j+?B?sNT@p8W*Yef|@+Px>|1G4&$rn*D&)cbLH8#b~xzCtfc98}BDGih3yf z8r#@$GSU?A^8p8k=+V$7n6+{k7{cclKNsJ;UuZMq=r69>7{eZ##F$2 z>)u~Y`h=1Wu2kpjxbQ5xSL)@B&U0_S0q*~97nt|Z)Hi!>O7@}vyemZBQA@TYl{Acy7?y^`FeP7YOPY@~8O`^`Fbu-jk6IcH~QXEXA??;iVkzVGM0@9TG8ANPGf&k=+= z!o5O^7J{^_dQcETu;u8e?B62@?H&?@C!Ub^_c;iH?r}kQ_+fc}NL@jQY9I&!0rLJ! z_tX*UJujHjdja=1t7A&<0o>oMjxoKd_X(L?LQSxDeI0!DEu>kfF!#Cbi1^xz;NC_@yU?<5L3{b^yX zzRaO8J;^}~A0nja^@3N=R6&fMF8C&iLR&Y3kfzr;By%Ug;@1q={vM*CbI` zXAp(t(o*3q4^fCKMLJ304x%o_A;~XTaOzYlh%v!}Xvh`Bs0l(nCzK&I*1^{+#Uaa} z7gEY_{ajC>I5J3x)|U!S9Sy>~DA8f5UUcvnFA9Nw;C$>4d66(Twq zf_xml3_@PUtP;Y<#|UC-wBXjKP*{*F3NN{f4!XiDht@qsA-1qgXw*&=y7(d;Lx%8l zdr{b$EIRxyipXP{5a^pMcup6EwS}UPo0W$0j>0oS9mK2@2VJnAAVvadal)s5qVSHF zC?twVCv=d57&*z|=X6nM+))(%i84j|g$tg6qL74qdh|?ln42LwH2FvrygV}madVI` zK3Npfk^j=dEJ2L$bBNGEhT?T$7@qyB0r#Qa5>XeW$&sipKZp9Siw=H1$wFwfD8x?> z7j)s%h2-E+p(FAjhWa?9A^nU%2g-(4?=LUmAtiBXwOcq+Wi$dXo@q(vEhL9K>Dd>X63tk>+4q`^4Lkh|_ z#wS$>@`)A1gX;xDMzWAxXb_sai4L0zMF;2hg~Ef)k^TY?VN5XA8A*Z@>b$+D=#W)v za1a-G3lVvuFcs;D@!;r~WT7w%T#WQ}5YrPK#Hi`Qq)<_C@1qkEA^Y(thnNakhI%_R z=?M9tE;f!|D(LZCF@BLC7M@1kjS)nBszaMTqC=cP6z;?GJy7q#S&)UBD6G+of_I-( z2QenlVGQcLox4Fefj01g59${AyBw=VgrWX>j)zQ8e}h?WrDZ}pPt79INgq3+W}A+t~~lqE(8KB$8Wka45- zqJ#Sw(V>1vq@_<2rlZ_qgs&i`$DN=0EWo*Ntq9wmuF zgLdF|p$?iz5a`Zcx_95byLyycnQSe%}6 z!vDCud)Lkzx-P$vU(qdlilxQrsollTJoC)%;@}M%54FFq^FKpkk33`Lp5}X`rI%A? z@t$72_7v}Vx7{Jv!R>voxF)xI45ut^@n|kD8BR_a^493ID;r+!)6U1$xBWkRWnj_X zF;`uhJ9YQKwui^utDRl@yxa#%yDMX)Bs?@XtWg&ar`^itFQtRWjeGfJ+~WEcCxOLy zLyU3pa4MF!Lz|TPG#kfDpN%1FLPI$fh!2|c%E~58n9yf%XNPbp!A|P+J9mcf z?05DZUc#N?cJd87ADD2UtY=T$(Q{m%&!j`);p+8gI-E`U)_LK@ppl!LJB6RwiRBfy z2?v^GXJ_~9*>l{>yQD)qcdFMva<1i1y&t{Nph1J73oa#|d4-oY*%1-r_D;YvBK~@? 
z!x?E&uiyNA(1;!dLxvO-bZg*$F0n(u4*mMMohaKoE`pZ>6JGDvL0XjS=PVg<|A-MI zhF~cuXz<~=ClV7A&o(-7;zafv<8ja4?0@i)#KeBm^+{dk?VmSq#fla39X$%ZJ9qYp zvuDpXdLRn7oIn{~)SrDqTIB1Kx^!7PkMF=U@Q@xY?rr%RmQkb5>d$}H=9?2IcD;t% zu|!MPH*K0E-LYcDJo%0uch7G*N?IOyi@4*(&epaa^aVC zkMmMk=$+2m~)Oma#Cys^a%er;zdU|^D9qwbFt=|-NHE;jn zDLd2~`hKzKV1q0_KlOV0QgcV-^!iC_QNR1Qb?kcycU<~<$D0Xl8{D|@^UptL$?4Ol zpGtSg583+m*e+Ps?*H@6-!5J9>btt(j2=A-y4{fO@I!X6e2PVR$Z^l<0Vlh#MD{OT z?dZ7v&4fpLNIdC=TYi?VR&G%4IR0h8T{*ZRY3;`e_uSL4_5BL9z{MNtb3 zg}a_lg3#A?nf<{>`z2yY)G}SIK0&_2bNltX+>==9jX!S8)RMVqcDecl=?>3hp9G{f zm3V@3$ajpexLhhTms`5y?U`>+K6OfShvn6#9LaaQaQWKjxIw+c%H^gU@gv^tC9&>;4Nxq|^%gvrp_q`v7{dnvp+)(l5W{>#2?)!P~AOGCu)&D~$ z=g%)!Sn)3T&~?ED8zL18cVm5>5+t9gnBY4-M3f+6U57}xjn^()nURUT0RgPLQsXu0nd!9@cyii@Lr`-bKJCFPe1#AHjZtv<{HhcO}Tr zdniH4SEihA|6;j3bXAbccU@ZFO`;%|8|wfR6XoXm@FxnOOsQTHa0^#lCcw*8c~$ZM z9H%-0u7IsL6@Iuwh)+~huun{2V4AoT@nR|bat}AR^b9e=t5Z^zUerZ|q{BxK3eFIp z7ZZbYh|$*SGExiMdy8TdXG2PqzRW9a`XmuCo^Mj2p{=urnC6!vCi;4(HW4Goiw0fl z`%wnbS4@czo!rXG;J@Ff-%fngkd~jUo`^y@L2P zt$oizuSlJ^PAtqwcJ~$ELYx&R#s-SPomM2V#l z@pxWpOcwn2lqNkzF{w-}M%)yQILB#Bh&azHP+W?b%LB1eAbfhUleZYqs9jlByv`ts z$>Coi&M{<_m41oLM?{Yg4KEG%6A=fvA%V!ePme&Al!<{2oJCJD+-t3v7N47f!jdw7&T^?Qy=kHH(xOcv0o@OICZ_9kg>F5wfGJ2h@!ni5ke#->dV6cM+!5JS8Qy}i;r z;|og@A8`_Og@rn=CY?kPF>(rG-!WOCK|x}KkC;+uFd!aH?&KvlM?c6W^fNdk-hEK7 zPZtsEk7?pAiij7T8atP^k17Vq5Z8!_!QLIg{dOMW7{64p9r_whL>t5p5dW3>1c}#M zcPgEZzLPMqFsr8+J3YOAYjN;`DAa#yEUxv9Zw@}9pF%`Ghlto&3ymj2<i6=1)cPZLx_3a7qJ(N4CtSrcq49D4|H)t98B)J~ z{rm5^ikoC5`jNaezV^{a9Y5>(>#tjf45`0%+D9F+NKa^k<<#Xi*BZAub*jybUsHSE z*t+lVPi-z={_Hd9eD~je>puFurd4soO|~^cmIRk`8Ga3di0=!C#FxncVfrU zSQzD8Jd-e?4Gi*r6SI&KV5BbNx_v|@;p3nE6 zIR%_qm0JzWQo|=a%+tH9Y2@?+4}f zbjp;~l;8^FFp{r88kw&rw7s%s zpwr#+=gjhc_0?TjM?d8P@CA{-<0;Sd3QIZb@#f>r7i`(@h6;IgmwcMf^Cd|`!@@>9 z_E_69Z?;{Z?dBG$oRt&cE0WqRc|HHJ#~$;zau#)FIxRhcFR1(Fq;J2-$0Z(D+G(fY4;4|OYdT20~ix_`W#1o!7QFI-ar{_sK`f}2qXE}76U z6K+_7Al$7*0QOY~*apx8FR*vS9+89qtP^l96XyUIq~#CajjqFe5e2wV=_EVk! 
zxKG`dpW@J5ybt~9A?VW#hRq5zq{bT9Px0=P;>NZkIZKy>esNuCbV%a`Ix!gTf~ePL z>7Z+MVp4GXL|tK%dhNuhPVTxi=xk9RJU$8b)fs(;e(*tj-F)Cfq{bM~PZ|Y31o}DI z3EH%0`#y&H(6xrfokX9~!i*I7E*a4OtzqY3D_}^|6Ghmxz{KE)_OLzBw39@GKFu9A zxfFeZqBmR>^!Yc2zYq(5pdR``OIv%0W$-mb-Gaan=<5jhBS#4JDWBoTd*(eMpQ!}Z91 zRvP;NS!KzQ&0$kT*u+BEk#?d!!;k$G*rW#V$ui*Ih~7csbSL++#Ej6828qZD#woRU-OtMc6ARF(uRuKAo6? zOW9Bun8)FN@gPQ9Kb?NbXgB!+OLd8h$#$`#7F}^`!8hp!6ef;2Z z6^h>Q58~llJ(5~jSO{C(1oku({#F!x<*caj;UfHj6!;Ef;7fLbU4|!;k_A5_7Cwz0 zw%8MXR1+~hHrUfoYz!M81%J{Beq7IFhy}ie7z>%fkBES;>aNQ|O(#b-8Xqji!Zu6( zhghmh@`McFw~U7`Jp_JCDD3#h@N*k^qYkr53nz)us=;vBc6T#-*es{`Oo%>ntmF~;GW%{e!A(eA1%25r-ug*Udib- z=H=;q35^^3Eq8Hg`1w6wCM59jFkTYe!@|5`UVd|x&s|f(zWL@G9FL9d{=)dR?pVG0 z$va6db2@iNKNF6(d+5F&`VD_$%a(c{x@_FIv7tvjS65dYpEc?G_ugvtQpDc9zGF8` zcyq%)zHL{p9nsqjyd51q-<$sFbDf^t-FG5-fjb2S;qq}0hK8L59r@tIx}qes9r&-4R}J2Tt^Q zrFqMD2P6m&1!M{?3B`hc=2d};k)-5CvK@OEaFp)42mf0v zoD>$=3I~iiMv1YLf~IGP)5mxu8g%I?9%#GXX<1p~bf5TS=-(!=OQr2P=@uA5{R&}r z^oakOb6i-M7M}<`UJv7fouJqKvLeIvky)jZElM>Qd|=bu8abDi!k#4~7HQqy1Lt6) zU>Dj$kH=t)uQ7C4DaNCF!p4cPl?_t#g<>P$1ENk7U5+HZM(%n$Gc?7&)dj#sM24w$>q@7hxO6aGwD5RD5(`lt)OG_z3K8a;i?( z8g@d2F^R@qVn%cfVxb7O8SP*zL@_?30rYJQY-TXxFT^`3X&k#jw}rz#W{FY0Vjn-T z3^D7Ni1AVGL0O_W#ydq!&qx;+_$Ahdu7r+_6x+G!y`GJa}uG8Jz!hY5W7Yq zuGgoQmU+TvdBgUJzQJN+*dyrmjE)?OA&%z$1TnTubQTjAH1_n$Xn=kM*7c7dmP|pv zMO0uo>I7ODcFU^|`~c|x&@`Qn?NbU%|0LF>r@>bgY9IX5y01m0DKMShu8efp31g*FRz^e zzK6H#0p38Cvd_m8m2E!H`T4J0tm>@yv6xQudG@oF zcYXEY7epBKe5TLXukZGH@%io@I>3HR7}Ne=?LK(>#gE>qI{^mb)VaZHjVAt|^OGIhxV8DjvG+YK zpLn9>1OE_&HVyA>)8^lfow|P9vg!R@-h7i9HXL^EuvVWs)VZf|UJ1L`Ey2~hqCSVQQF zro`MGY$e%eTG`p)0uk%YoQ+==o>9kXv%-o|U&Gu!v8EPIXonFnn9wb$L`wxKASw&q=< zP^gtqsFgKX@6RuxwEW`#3OjKp$)Ac&qivl&YnS}EtsCX9aDb29q`b}V&!i|&YAKRs zEK#6xVKMlyBkw95%r_h=DAN5$+KD?s{#0!R0wlm zPE`WicUAAR+$Es$3-H;I>YxbsS-~36YdNqCk6EDs@#NQ=<$~zta6oCVHX}XFqz{VTp&hm%sOCS)lbik>68>obH1qIm@0okhv z$0Pg>6OBs3`*3??j6Fa!`IyWHEf-Y#py~zY!fF8D{yV#0ZC?Ib zXDKg@%yAt1c7kQCwt1HQWmN7(=mdN3ujo1re+u%?)2afZl?r|Wl}7KC;R_Bhmi2CPkJ<%n?(uY 
zK1uG1>{)qhcYjZ=NHgw$euaC7`LBj%s!&87?3rCkEvX+2J?I}*69cH(x(pK?-Nfg*swft!b=?3oYwu;KQmZ3q8S^NVRs5%e~&80~p% zGSN2*Sni9Vf>y#lEWx8^gL>biXk&2R8Xr{M@Dp^yd_^~C{YJJAj5B&9CiC|!)-%yg zZn>Sf)$%9Z;gOVcgl-O~T;`67%bIr2vS+YPSI<{xZNZ(yf~&L^Z!52b{1?I9V3{+< z0&~%&tm*~TKB#`ed|W#XS^4&0#kNBA8|K1fY5m6K-~j1yvzDK^M~fuAnR|2q)-`S? zZl(MwJ0*;=VHB-FhvU@&w-1(o2`Wnh%O8y~7j{Jlo>c`lco|=Gjn+Z_j5%oE6QR!; z6982&ux?O!z-vn`uxR70BOieR&pqA8<3i3@`>5@_^SB=>%;I zVabIb(e62>U@Xs*`9wvU%Nx#wsT#IOmnXG~57ppw4_=A-YAb%KhU;ld&%uHe{$bpz{#V>z&G zmGQJ9eVKJ&XH{)Mjmke`?@r2qlVdM3aji{Q;ZhMApep-|tou=kxlqd1IA_l>E4<-2 zEC%x546KDNp91*@Dp(00jdcU-1=T)OhYRd4a$Gq9l;pUAbpvxCEeG7T)SXq+l_RUd zftr#(o!R3EAc#$}jSQT>85G0T8|9A*WclYnLEFnYJFYuiWS}jViDCdA1DJLcHb4RM zLDdUd9%#9s>IC*3RU2W=R|o}t)wn{9BP97VZ>{js&SOPr3wGOq8k7I&-C=ZkH&qJ~ zZ{o|oFbR{rQjt@K{|d0BEUm3Bb>4CcWi`1`XUAI1_;P0|aH zJ@Y`z1@;wKCusFTWn5T@v^lPrjVULpuTXXd9Jj_xK2|k->1vM-s1f-ek2_1pcaYsU zfom&;6)t7N30HN0v7-C)QF+zjT?O})oI6bMSBc^k4$MY((`lT5LQq)M302miM!jdDJJWY{y&dwWwC#=n0++a(!*SeS8PG3hl0O;7Cc zOyhl3;Gi|Wf|FT@{SzR62DkqZ$Y>5Yz*vV^fR9N~>;v<`9xkYU0>=-_;KD>8j+~9O zIj&d?`Llgs*u~{a^_`?k2iz9Gxgb&SVpu9h(U}$7wTm$9?RGa`KWq9wGYe%RVQe;D&mqJjnGp5=MX?ubbU3BAH8Ux z-H<(VAO`Z751(&7I4}=jnX_Jy>;u-SpI{FcR-wIrhw%fB_f-yz0tc82+{eKBVP8H- zPzA1<^d2~F)PctB+av$fn4OdwL$NMuqsdX8x1JW6tWNCEZh=lS$W!k|2A=I>==)eDuYT|1!9ns$Nj-gHencKiFmeE{KDU4N1=v0$=R@ICN0(aX%q^Ec9gc26hc{7;;t0~S2DX7(`4_=x zvi(1iP(A)x;p~m$@w5-}->ZP<>@LA0mVg7R;IpZELCXUp7p&+6t*^j(ACO zX#GZxA$h(xk1KIZ!M>#$N9Z$-D7v&fH_dctWx5jQ1v{6U>HnksYtdM20d04`g1svd zI6;nEA>WvpaCj;Mc(Fz02JYDouISM|B;Q|Y|JhKaRpp+I>obe>bPyH7*bRHmHlM*f zNQC@ZC#YZ!s61eQp{iWq*n(xx<4bA`QF3CB4L)x)*O^-V$=eos&`$9S)s;UbuWL$ zAAyXS13U)27IB#ba9|hO|3Mr-pg~o*VCgGtgg?n~#Y%8XjUlcc-C>oNMjfi*YK6zx zUjlBq{P(U5Bi89!>{=qX^^H@|nLSkl@L;1AD16u-vYMi%Y^C6_`)HO1OZ<0H&hmva zHzbaL6RblH!r$lie{{Qb{#oOs9mi53TNT?37?aDB`vBH~2OINcy}%q$p>hFQsGMG~ z^cA!=g1NA<0C5G15DgxvF+|0>bS-#p16Fk4Eth{%#39LNXTN>Nd|AFxfv7ZKgEfE? 
z8)T#}Ttbt5Q>fD?1=P?5zmV0Ar~%_`4cg+TyBN+yg9c_$`XcE5P0$}IP9&nSA`a5> z&+hG2xX&C{)8gqUAomU60drwHIHB4Hwh<~1cwJR4tVMbpTWl&e^($D_ zr4{iu8G6tLZn^wf$Ftm{Ak($q%UCxV4Mu|~Y%4gma50S?c8pqlc!L_XCkc+OL=u<- z43!63E+{-`+WrRRE`txKwJ9t^=3foqYT6D$G(qqvB_u%qN2850xa~8T3tPbp$rpsr zXD=62KY`b(-^g}_Z9k7OsQrzWoUHQxKGcT{yXOI;xPlh;@P@VoyGr_e&3AB;CYfU` z_7y%{iTIJ0`Nxr~`(=8*1Ic)o=s5){4;oqWz(vsq7CiXSy?{zrBW_S_3)_!G=mq9t zIV{I9`%#2g;y5aT!8}NYj@}I2%-94DFeE-GT+s3%p%m%_*B``vTD@=p`zo})!Y(DY z;J6~L1owhVsRnFRhsV}+-mR7YYX6b6+8>Uw25Yb_@!>l<7#vO$h99LD-zR$EJq3{e z3n~YAZHousgQO2!G&(`C4PFD!XzUAg5Brham!R!Cvbhbe>@JTYj3b{QbSDEU4_M!G zzfX+91BnX?A5`5CZNUe=eg||1_aAV3XHGCw9wgy7`x9zh!Cc_$ju#=JD)80jwMh}T zR{pEL4Wm`xA~^OlL&A*J)Zg{W5V2uag`=BIPWVYx26I5+fy4!s z2NmfA4G*4E`~$WRDi0i8%zcEY?>C_#!Pcz%UIzCm?Fv-@eZa9u6;PJC)hK_J2fRKA z*~CE)us_IL(DK2O3*~GD_@MP2w7#SoTd?g1o9SFmW;OU5j(e=)*2+I(9GsVNv^g+} zKKQhRUip})sRD@uHN^vPLiG`>@gRNfeE1shK_q|+TW8DtP2A^X72rog#W)Q)Xl1W% zvpq-!*eBQpThDf(T6{ng*Ybg5z=KGak(-GpRDrJ*UMuUsTPA;6HrDm<%tbWFD~p#kq7Nf`aq2tI`_z@ z(s1|ytNmoK4;nWQLRnaKpzUN_zhXBBR6el3z;WXN*b4UV*w$CZ2aYcxabtgD9?QQ< zyoHX7uMh#YI6$3SojE5c>rJ0 zsy?vb!H|Kc;EQ|$ytg$+}K;?$Y1754~By)nnxfN_=kwC&)ho!8We{9o@) z0k8KW0tW~jkkAtA+rfj1Vup(J0rOyk|2oMpW#5z{z=aJ{;i!e&9H3*b9N9|w=Z{gg zL0@Itzf_7k*RF#3t?C#XEYx~jgS zHfAvLK_@Huz0p^J6&`4Hf@&MA>I3Kn)mOYJ9@yb4YI)$+ zLr+&0A|6;eMh5dhnrku(LD?+^b1Y#AT}g?d{H#>UDlMvz4}89AoMaB$;3S{p@zIS_ z1_*X8prBd&=j=gY05Jz_^1wnTs61dl!IrOR$?#2nD_;7vV2cMfe8p<$V_HfVEH5Q!Y zxfaqGj3(~o{Z$jIE&q0&kUygW9ylv@!Ke@H;XyCx5?t5Wo2WNTvL{s3AW-&mfVT%i zB>h3%z9>cyG}jKF%YH*S9=Mr!U@c~_*00#A^EEm(12%DykBr4wuf{{A`Dkn_Z!vBK z*Ep_aIY+>^HN!Y5{yjD`r0e6YXu#twDGb=DAOLGeOS?c8_TL4vXAY>Sln3BLMZTgd zIP?ij@L&wljX;z0K~)b&IOdJ)51m3ZBv3vlap60e3;n?b4{)Ii#Kir~#+U)JH|hgy zS0!d(4qOR=54do+4CVsQQQ>;5GEjgGmB89u$0{AO!O7LADE4QySdM)Ki$}-M3vI6x zB^k1@G>_NWiS_5 zfAajbnn0C#R7LJ_UYDW0FGU#`;pRx5GM`$tFEPoyl}7&Rwuu8_DhJBRe-IsF4%p3u z{xT2Tp|^*lNZ&1#;Wr=OHbmDO%X<*y`Z>@CDyuh&&=+fN=X{*?0b>~M^;UI)!iCR4 zb@mUe`ihXfQ6GG4g$JF>&qbIpct2jc8L9xrXwe8+53B 
zv~XGOqtVU>L4Lhq%iX^s>c&8pyQlz9+!%1jK4w4!eQ+(yU$qZLE+8GRNhW{5$O9{O zLE?gz2iUgeE6yDegO7O(F@ftjFy<^y=p5AF23c}hDE zhRh+CUO2}1gaP-HQ6Ue&1(gRzod7DU`hax;#{|}Vg+bsK$BdR^(5g1sa*a+; zK|5CE&+FyLc$H+1jNXdtIX+zsrMQrN6vaM1q&YZQ1t=Ul0LA-1Mq?4f^WdDF?c51 z6V?f%W*|Pm^PJH~U>tw$uF(nIWSwA(2U=h8jc$kuW`b}k2iPX?9D-XRQ+w0oF$<&I zRr$;76H}+vRGU|2FRiV~pLIZop)|7ts^onWX`$6_9SOzsES9{XoHm}OvVtr!jRC>QtEr0PpFPLsXUN$0&IeIZqlpn zHhe{e2lGe8nB>nq;QnHJWOp;yu&rUgZa#F55#XM}fmz;L=_zNTr`{y0&j1G)HO&KC z@@EbV3?$cqkUw*vG9L70yTD*wpy&fLA3@azSljC>a-YHXi}0PCh4@zXd=nQ~7q~-Z z+B+vjI~T#4KG-~NDL4Q}SJeYNc6>APwRLYe(w>ig2qR1!NJpFhz%5sL_f?WVbHENB zuwJN!Z8%h!{1pxi01t?v@}R$B7uX*(vkMkJf>j>a@D+`*Bh;emBY1&(fuV>s7t37W zJ|^Y@>wynZjp~?_st?S@pjCZ+ePM3ckT_tI2h0a6K7tt!Pz_a$ z8HUfmw^GqWr=Y(<<-#QBg>T>wbQq*?ptrd`FylcFP22#RU`-z|2d>P5Qc*b&QiCx8 z>yx>VGeecXvQD2mg*tc1A;)$ky#sB051Kik!U_*0+o0Nos@sOM&=(KeD}RLp>zM;u z9vE$dst@e(6(N7gE+{;ZxS-kwG&!w*pzTlMIN--+a$lp$g~`whqY)pr{~WUa)CLdi znTr6u(5oL}0xbtvUN;jHaGU3`2C2_ck-vrmvxjdXewRUdpTPz1yD=+H~9xzAHi14pydMFhVK`n-!THe$FUq- z2nQDwoiGaHO*}Tu^HD5$V6Ts$#*Y5p922k&P{47aEqh+kIqp}S3x87E->mT9)RZao zarYegUHJCOdo8zz2SsT2#&5${MgGhe$lehsVh-5k0c^G!J6hvGb$vx1R|td+n7IVrnC3ly+TFxmxM`oOlYxD!5tBg;`;sw#iJ4{~pz<$#t4 zo`H7w2&#X;Yk!kYF!K>6R_r4TgpV0J(ZlC0sy$`RQx2k>@!yXSGiDW>{tO0to1Kz zeZ>*z51t=o;=vs7U^a9D+XC(%dJ`OAnDL+j+h7(uYJA1ceJ`Sq7%`iX1K81=!s z=I=k-;K5nM3$E7WZF%fw<*#r+iV3XAUVE%U9!##fuc(a~I0g*egznU6@Bmzx4=%86 z2wWuh4{=<;^G{VSsQRFsZD8L(@eeFxhDpQrnK)1h54a!clfF69+%z6zkj9%79yGPW z18ehEt-a%9iwBKdjIrZ-*aW-2{minfA^98QLan?j+E#gB%~z~2W~jthWFK%TT=pfv zVsK#*xWM{g(mc#x@swl3D)Yd?SKKlY&V{N6)U|~^nC}~7Hr}Lt5577)(0)6~s1G`r zd<6CTD9{B(fHAJKZ08m2*M$5zZOFP@Oi+>h)#FAUOtCL!u+^`~=R(ltmu&$LVq_k$ zPGJAQ4>p45v9hLs*RLJa|)y7s}ZM3my#hIzzh=8(sZ0zUu`Cr z-q%d?Qryk^mtXB-8iTgf2ln!yqIaCY1FLbJEtzZ2)uj9t4p@x~?d5|d53Ko$w&o%X zohHkE)pkth0hTLVm=E3HgLsuWphD6IcJiRYenksk(cZZT74iUjfqg^?R`h|y1KC$R zgl{WW7}sfKY-_uw<*#sHroHm6=(-AdV27_b4&63u)uB zK&5eEMY7i(S9wq+U(p}q!|?s1c41n70=n!JF0ejWgxH`5y6Bh#5)U+7u+#@e9w2rw 
z#tg6p(mStg6BxZUU=G;gfzq#NZS2wLBdGp?bsiMKH*l>?rd2tA3*}#>m_RFYYumPX zP|;k3S*!7?R-%aqtP|KS%!LcrWfbI(xIhAPzzPp+`ige)z-$Z}^0#OHaygwK`->c>*dIR>LODM!eWz2;`5rpi&;# z@)4@T1N1W+=P+CNipIG~@EH{z6d`69V6Qx@dfly*Kj#JVt#VvwFDF!;pvDZ=e8tbf z7xn=+CxHj}9Du|H=!7-!4Q4JU!aP^${id4af#f4pU>CIgigx&lJ7E_bt18o~Tz{+O z&v}77yV@($>ReYL4-{W<=nPr*TlRtnz$WGauo||&556M5=jOs-U0_2W*zGH7b%He> z*zyrf`XHbxa;)yPw?qD%H^_Blb!1zWdsH46eMQJ$9eW%xOV$C~lJN^Y-I&Yrt0K0(h_%wqPi(;rHEa@j&}s4Auo!^#S@8%k?YTuMcJ-Zme-1 z&lVSMr~DNT?5s?FHFe&|gDIx|;fdl;}%I~{X$OFYT*y4e; zn8DbuSTPTZ5I1(UC8t|;?r)Gk#{_nb7uFOHI31M>>?-@R6j)!qI( z3dZczG4{c!X4S>?^OA#`GQtw`<`zir8jOLD$hrUk2f_eHwJdk~`c7*9mURUVus)axoCR)stmwZOC`Bzl03NP4RFqj_!3f5!IJW)Z|t`5}uSr2jg|IzZctVc`v z*Y2Bt53{yDYU`tx1GOBeD^_ zyQW88mG=dIB?T!t98*(FP|mB5RCkp^D9PcdTnH(5@-;4;qMAGoNrh08$G()uO!->r ze}7z`pxJl9et?brhB&V|EoHfqeN%REAu?3izNR?R^*6h(sSYWWBQysu%la#l?Q6_I4}#2^QyXZeMUQzh7u*vHy_8{@oV) zcUkUd3TDe)miuPnLzA-HH?I%jF7x^l?lP}WG)c3^VL!m^z}*)651BPT0ZrUIgZ}1x zgGw;V5Hx^UhAi6`_-d9xZr|Gc_+wv_K}kO(m@beMOr~jH(omWjYKYsl8Fb-&O$K>a zlR;TUnldD*CryT=eOeKkY=%Dz%V zCWRg#)qt8jDGyX~i<{&UyQsIzB{JPES3yJ5={tGrC6u)VFaW3{IO2cn3(COusTQ?$ zaQit>eC9qXJ~N7nPag%2VS7ICG4SXe&&lF5ZpbI{ok3J`UIuR$W0G0%89fjM3DutEENf_MI!d@LgV^?#<$&KkxZl z%95X6p9)X^LPe+l0*Hz*nX}|iDD6U`OWD}xV+^VOl`@>B8<5G?{J&_So@j;s#*MA{ zS5NOND4BPrFwZ@=Kv(aUm*v7A_fX#Pk(7Vp0zhUc(V_11f0WMWXVX&D{g~g0e!%TBA+`X_xg5uH@ekoQ zfKaaBbC{ETf&MzK&;6bBe@w>xZSk!8Zb~-i54zHyDS4EQhm->*eCjaylk;x?c-wdl zGM5eL7zgQ8K@KfO5x>R!&=qJVQ3j&OBFrg8vzc=i-=sw`$Ku@*e-t@VUq)rQIFNHh zq@2{VKp4_~yUOLr+}DiGCFcP|=a4ufO9MXsC(32W0ngEHvrw7Z^U^*aOQy8KJX(Yz z{(w2pYmx7$i&z)qI|&*rLHQ=2N>=7vr>ohx@J|%>PaMdWaD&bt^sG`D&g@x1XOhT> z3~ZYLAL}@ev`g^d0_dQOz2$Kh$AFaLi?j&MJP175gu34dY(N>JkpFc6mxbjKh`Ie6 zbFa{ib0~Kv$R^bt*PnzU%G~#YU1dm5Xh7+^iUBgiDeRw0l#!l*y5;}66u^o{cs&g^}=-{VUb<=Ke}}${jrsdII3=M z!!h6(aC8f}nJVW$6YYZckHwk;$1b1VOS}KV`{BrcR6gc;V|xe6upM%URqzY)?F)MT za2)Rl2=w0EUkUM{l= z$m`F-EUBK?LQL^!v(Q))pxtRdmj!uG2DXA*>jC{45GiQ|PM{1bxI8i@R+|6lA46yZ zE?YN&PRv_CKa5VMx4V?k(=J4hIuktx{QFI!`&tqW=y!&$Z-5*U=F89gZ5b*Qypn)z 
zgi?0lpL7Bb{T*$V^Ue8>2H!WJEWF-aBx4Qa!|nRg(d{y4IV}m`LL$JN z*d6X|EB_ySmiNXt!&5IdaTDp;5AnMco$<}tkCfl1_<*SK`||G)NZ*-8IUG^8dT&9u zOaT8kO+W@AhxkRnLU|oKmr9PsOZh*E2Xi_8KwTd!gNV?Ucc465l=5r?cMjp)m4nb1 zJCM#!v^z6|a((o*mVbORp)S77@BeCdy7FQd&2PJQmA{wQ>|>MzWqG-i^qo}WZ|!h7 z8lnu(zH@`(`K6ucacI|2aoZsaUNg4+LM4CfAl-!w$}GJ|r$v#{kqNatN0H}4*P)hi zEbV$3UE2-*#fHdr!S!K=1>LRY|1*l<@58n3jqir`lz+om{k>Z0Hz}2JG}V>^^5Nf% zY1|RN?SeAA_Q7RJ5B>>_a6B60Y*cKp3BTg_uR$bk3!%UEM3CWV9O=&=qpXX1I&@YE@$O9bTq>9c9z{(AsgV!lS;kCxy$R*m_#?0Aj-G+*zond|Q=vV|=byjN&~^a6{p}%tr>S)xe6tmD z;BRug_XSaRUwj7$+44ZPdVNjw4z6cTF(jFw9Q=Lu`e+k_`yZnli-*BE_EVla9nZD~ zl!K3RS)u|VH<+eq9Fu_js%2dhfV4)^)nyaJem##ba%f87PqZYT$6JzvS{D9}J%6wA zt^P7T@RsxIjikRsH4XY6-#Yq^h<`J681{!iWxk7hIPd&zN&co}Gqewu%Ts6*Q@-2* zhi4F+Vt?cf`C5k?Bp{#b6mXucfy=QT59Z&%S}_Vv-*DRW?J|1f-F$kmh35BYThd(o z=G^mK27Eu`Kzr14H(btn^+vS}#JVS_+zs{JWi*i+&V4)*?^xj&{|@|cl*1J=Yli&4 z+SODJZs*T_fbYG3y%J@BpjM*{Ymu1cZ*p1NUyBOj{Ur^LH;nd{q61ulJbaYEiy~}x5 ze;0T?=btg)2l}4BhsNJg?~5{ghCK3b?DS^Nb2(7&((i7f94rs!7XRj|FR04jM1HNi z={L4nXT1n+wRJC{GgH2Wfk2)rk^vu&!~>Ti(a-^;n>n6_^f^NRY7ILN)Nf<+H|`gz z`R6s>yNcj%ISoKLq~8wWa-jK0zZHaRNODoi!M`K?HB{ux2w4uSf1N&&zt_#*;N`yA@-+Brki83hsQ02k5MYGiQnjc1LZ(@ zz!?>5u-#Idf4oQZ0Pq`skH}aKR1b5iFP8%{QGYv|dDRp6Zjt6{_b?EURVRH zzxaFO&%5DWjX9sAJ$@s%W6n3%`4T9$h5hJ4&=~R=aER)=5ng%Yok;zk%NioQ1qUpv}9wjr=zR(gEqcDybY$AN(6G61Oz+;P%}YW#Zp# z>#Vqg@1z*p2|WA9(T=+9wLW5Op3h0B%PZId?J8Q}04v9c8dx zmwqo#DF^>{Y6Ac=$$ZM0psCB-0PQj4y)|I=-2wi7B-)7d%|NvrpCRwu#y`h#{*592 zotc4tav6-a5anozGBpLCqQ)=7ho&KzdA%s_Ctn)<#UXmG6Y>l+h3-{<<3svg50phJ z2g;?$V-?C!Pn%C$+sJMeKi(Y&Mfh8kVZY*=W5ZDY9{8r@0J$7*u{=-? 
z>9|-vfc@`yQFq9q&aKF2WoaVs{{r3zz5-?d;Xn+q2RII#1Wxq-fliG(F@ zzTrR9Dy+xC7km@-f7809vOLzFzqReLwtj2tw}v>t$q4w*d@bH3?_U>Or1Ql*=@Zu_ z@U;M@6Fr3gc+yoJtfk3V{(>OQp>k2y4Fy4(#ARchiTeeduWX&5T*oWEURo^IcPYo~ zlwSw%AskQ8u5o=P?>}V9r<8wxr95ORAD8oP?Bh==H&3^7;r#?b@aJ_V!0W4+E68hU zsciki2A-$o2)F`ugeUO7AOt)ht<3(D)BD^0FFwr^MvQ+on-5MlgA7@8@vP|)c;d}3 zm<%H48M74dho>k-I9*VbeWV8Y)=M{m%0R@ONJN!yJJN$H|b*1O9yEApS4Y z9bJ`kBPg9Vme9J3w6cH}Ws~0@6qj90*#~*51paVk`Q`L)Ja~;UZ21p^*JpN9?r|zQ z#}feLzcas;WFN(tF@}{ff{elZ^%rSF3C+r+z2`5`**zGl=MjAT&vO9G7mQ$IklOfn zawm^z=boUvQ+yD+ClfGYTbTXF@(Z-`0&Ty-1JxLFUtdhK&(YC8v*_dw9*)Lnz5HjM zJRObU!BhU*%A?H~Y{po${uJr{;8Qq)ztqh+IVU6XXj3sI{KW&x7)ze^2l=Ja+4Jf2 zM+{;37=IWz=CNb*C1nF)U>D^e4mlTn4xp+$n4{s%u@>4Lzh++6& zFJdqzjxf%L;Y$4Nlm0a6@0zi6;}2^->T{t%2OfHJY){X&r~2*4v0d5k!Aoe@Odeaq zu-eYWe_p(B2t#J5`HTFNUyEpc0grHAP1(fbPPh!CXY!w#KKgLbE%>q@xj^D**Ke0*1KZhBTpUcsroJm`V57{bBdc0{tKrR@OjK0uU;jsuqg^pQ8YkE9O< z)2m(hLHK*JJ&o`@L=mHD(=;A5!C1?NX*>cD^#g5~LKsHEsLQ4q{OD+0@b&4rKfU~x z;r?dIBV0TQ-T2*nxr5tt5_$OX1_m5@e@z$yLXQLn8J>QRX8FX>iea4Qy2;$7x)vMq z-(((9z~9<$ZY=c;8L{C7=gSYb;OH#O3rq_2X_=^tOH$ zK-fmNH+osSeoY?!GzqG{TdT68HpH2Ftb?W;Tjo!IzW>3d`0(78VAo_+hT z2V2pTtqC2aa^~gqQ3Qlk=v_bu9Qs4irHh{F-V+I92N?4Bc_q1zq88nm08P5lyS<8Z zLE~u6SRQdfw!^36vk75#PSa(vcBddgeIgiRYr zU-_HDHHP2XLpLIN*QYP%e%$wmFvrlj)ASP>HRMQKz|5h8(w_Z@UjCQ~fX+dX8Qp?- z%CoMfG__l%^wkI9DO_XU(V|WKbB&-Gn2dg;7QN|}PpDZBYWWGbP4s@@$Fbz6XcH{I zUH%a`g3iQ2Q)zu7&0WhKJ#G8*A9_Ji7K{&|I~q^nw#hvul`qyG@dM#!hY}9c&k^+2 zK*G<4pce*DK_3jdS|Jxa!v4kTBl=CI2@Cn-#TeV@Jc4^m(9s|l$NrR!S6Y1pdIZKV zpolmMj-)Ss;E!B#-%@p#@{d3p!6SyvG;0 znFvP`5SnNafPEDLwgE&q0!K$28A%AhIsxZ0aSm`nTKoQyq%G->9S1PE3%Hbn`L?IzZR}quI8C$9iZl`Z{Xqz~ zW}m)sdF}bD8})gaLonaFIpU3q`!~=1?uH=Z8pjM0cs}yQKjpd8%CQnS{&UY_$nSzY zKW+g|e-D=`Asdm9?%;Jq5lILmnt*2;QR+vNGOC*v<5^mxGR8HYA@ zWgnjoV=(2=O3VdZj5)AKSC2~Od6InY;CecpbCzQtX+GiZYnV1t3^^bRS(%X4A>7OJ zK~p#D;OF0Kmj1r*VESz~UD_~*4$NOktAE%+hnB9zd|Si=>byP7157K*qhC=kJjV|{ ztb~|S%oRGhSDq)hANTBEn?(oKnQ=Hjd`8NGiE-54y@(pX%=4VRM(xUIS1`)57d|h~ 
zM}vEvajB5v|H4=W$`D(Edb*4$J6M;bqO7~Z&~d(u=kpz>q-91Pwdzqe>fPRk8;&1h z>=aPvLGjpi^Y<>%>Cj(5kXh0^tjmXEC=1Uxe(gGeEwmfhfBgoP?OiR;^MVUbI~Q;q zYUB=&6Snw7o|D1zGI)HAZ9b1_!b74?-T$PbWj|nE)K94J8Pa^C>xdbyVh&Ov=09Fc zOOWRv!4IcxI3M#JYh7ddZ3p1DLIz<@3#Ju(@-@aUzr~m=fO%}v931$_G^GC#5+lZd zm{a6=Hauo8&7t@XWBA|W_%sl99O)MPKqEc&m)!pf9e?CCa^dH69Zgqw{!G6BdHzY) zudt1A>0uc2YJ+iHp6}D}1H1z=Y%2!3Mwrjd;OAiOC9Qz_JSLo)w!KJqH#5#zSj6eW zO&Z2y$kLnyq|5U|c%IIe)A5eR&+@oETxDqv$hvWm-+&sPwFZPHdfNe7T2-wTdP=UIW=BI>h z#=H|ygMTl)bzjH?&uR9FJO>4iEQc~8{MZ?Al9jI)cQ^sR*JhljLHWKb~ zJzMEnJBPHN0=@y_fTKVT#-0kl4xz&75p-_wR9XW!vpxLSyR6;+Uv}&~%0t)hh6#t( z$b=u20Dme#0>4IX0^Be36f?L7U50%AZrsD~?7JWhfB1TwqO|C!R%cyFj>|6j{*b=#Exfz-fYr3J z_IpY1X7M{o1!wTy#8JGPbb!)z=P4)?b9ZtuzI+_(&Oom^I5dA5L0Dg59jM($}>*k98~?8-_Qb;G9CG~4IPcfdlXPAMzDrLBbU&8|6TO8_aQpH;aAxG z<*=bE=?LCy+K&7AeF%OpsOXQKJVzZyIue=_^D6t6KIG|jdZ&}yU-X0v=9@dCeRj^H z;;1=jxFM8(<^UbJ@)!M9hBROouO_d90bT$jIbYJ1Z}g*8JWqz_#=SED_6hp%$#7(xsrU{=QrO#m7dXI+=#4Q~L z!G^vEAIN71?84WuJvbN{fc4j82%AV>_uoyAw75aAWigl^_J6DoSpTD&M4Au!70kNp zK+I2r4qiSE`CUI6>3l_dewalropkg-E8{#nXmUx<^W2X#wk4d7CnPgz5$16qjn{gJ z6z#u^rjOV`&%qu(i+sJ%fzCI0+k7qr?r#EI9t1td`rCIlehX{`^eO7(m7aj2w_9|h z9q8M5oS$n6-2X993~*>mlb2$i46@(ZN19VofbI-0%X=*Maqp8rZ{P>$#-#|3m-x)2 zp$Lzkw7j;4_UWpBEM?vuMhSJ6Q9zyL#{=pts}rEA8lh~IAQ*1&2o;V|0yJ~xL(o|b K@pSsf$o~g0js>0o literal 0 HcmV?d00001 diff --git a/course/ScyllaHide/DetectOD/resource.h b/course/ScyllaHide/DetectOD/resource.h new file mode 100644 index 0000000..739809c --- /dev/null +++ b/course/ScyllaHide/DetectOD/resource.h 
@@ -0,0 +1,51 @@ +//{{NO_DEPENDENCIES}} +// Microsoft Developer Studio generated include file. +// Used by DetectOD.rc +// +#define IDC_ABOUT 3 +#define IDM_ABOUTBOX 0x0010 +#define IDD_ABOUTBOX 100 +#define IDS_ABOUTBOX 101 +#define IDD_DETECTOD_DIALOG 102 +#define IDR_MAINFRAME 128 +#define IDI_DOG 129 +#define IDI_ICON2 133 +#define IDC_WNDCLS 1000 +#define IDC_ISDEBUGGERPRESENT 1002 +#define IDC_ENUMWINDOW 1003 +#define IDC_EnumProcess 1004 +#define IDC_Explorer 1005 +#define IDC_GetTickCount 1006 +#define IDC_GetStartupInfo 1007 +#define IDC_PEBFLAGS 1008 +#define IDC_CHECKREMOTEDEBUGGERPRESENT 1009 +#define IDC_ZwQueryInformationProcess 1010 +#define IDC_SetUnhandledExceptionFilter 1014 +#define IDC_MYPAGE 1014 +#define IDC_SeDebugPrivilege 1015 +#define IDC_COMEON 1015 +#define IDC_MYICON 1016 +#define IDC_MYPAGE2 1016 +#define IDC_NTQueryObject 1017 +#define IDC_DectectBreakpoints 1018 +#define IDC_DectectFuncBreakpoints 1019 +#define IDC_BlockInput 1020 +#define IDC_CHECKSUM 1021 +#define IDC_EnableWindow 1022 +#define IDC_ZwSetInformationThread 1023 +#define IDC_OutputDebugString 1024 +#define IDC_GetEntryPoint 1025 +#define IDC_TrapFlag 1026 +#define IDC_GuardPages 1027 +#define IDC_HARDWAREBREAKPOINT 1028 + +// Next default values for new objects +// +#ifdef APSTUDIO_INVOKED +#ifndef APSTUDIO_READONLY_SYMBOLS +#define _APS_NEXT_RESOURCE_VALUE 134 +#define _APS_NEXT_COMMAND_VALUE 32771 +#define _APS_NEXT_CONTROL_VALUE 1017 +#define _APS_NEXT_SYMED_VALUE 101 +#endif +#endif diff --git a/course/ScyllaHide/DetectOD/tlssup.c b/course/ScyllaHide/DetectOD/tlssup.c new file mode 100644 index 0000000..b573314 --- /dev/null +++ b/course/ScyllaHide/DetectOD/tlssup.c 
@@ -0,0 +1,21 @@
+// tlssup.cÎļþ´úÂ룺
+#include
+#include
+
+int _tls_index=0;
+
+#pragma data_seg(".tls")
+int _tls_start=0;
+#pragma data_seg(".tls$ZZZ")
+int _tls_end=0;
+#pragma data_seg(".CRT$XLA")
+int __xl_a=0;
+#pragma data_seg(".CRT$XLZ")
+int __xl_z=0;
+
+#pragma data_seg(".rdata$T")
+
+extern PIMAGE_TLS_CALLBACK my_tls_callbacktbl[];
+
+IMAGE_TLS_DIRECTORY32 _tls_used={(DWORD)&_tls_start,(DWORD)&_tls_end,(DWORD)&_tls_index,(DWORD)my_tls_callbacktbl,0,0};
+
-- GitLab
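Review bot: The `_tls_used` initializer casts every address to `(DWORD)` and hard-codes `IMAGE_TLS_DIRECTORY32`, so this file is only correct in a 32-bit build; compiled for x64 the pointers would be truncated and the loader would read a malformed TLS directory. Either guard the file with `#ifdef _WIN64` / `#error tlssup.c supports x86 only` / `#endif`, or pick the directory type and cast width by target. The file also defines `_tls_index`, `_tls_start`, `_tls_end`, `__xl_a` and `__xl_z` itself, names the CRT's own TLS support normally provides, so it may collide at link time or interfere with `__declspec(thread)` on newer toolchains; that is worth checking against the compiler the project targets. A header comment would help readers and analysts, for example `/* Hand-built PE TLS directory: the loader invokes my_tls_callbacktbl before the entry point, so a debugger that first stops at the entry point has already missed it. */`. `my_tls_callbacktbl` is only declared here and is defined outside this hunk.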