Skip to content

Instantly share code, notes, and snippets.

@matterpreter

matterpreter/Count-PInvokes.ipynb

Created February 24, 2022 20:17
Show Gist options
  • Save matterpreter/985f446c1bf645207193ee160d43a1e0 to your computer and use it in GitHub Desktop.
Save matterpreter/985f446c1bf645207193ee160d43a1e0 to your computer and use it in GitHub Desktop.
Download ZIP
Display the source blob
Display the rendered blob
Raw
Count-PInvokes.ipynb
{
"cells": [
{
"cell_type": "markdown",
"id": "aa461eb6",
"metadata": {},
"source": [
"The following 100 repositories were chosen at random from public tooling catalogues and untargeted searching of GitHub."
]
},
{
"cell_type": "code",
"execution_count": 1,
"id": "a49832ad",
"metadata": {},
"outputs": [],
"source": [
"repos = [\n",
" '0xbadjuju/TellMeYourSecrets',\n",
" '0xbadjuju/Tokenvator',\n",
" '0xthirteen/SharpMove',\n",
" '0xthirteen/SharpRDP',\n",
" '0xthirteen/SharpStay',\n",
" 'airzero24/WMIReg',\n",
" 'anthemtotheego/SharpExec',\n",
" 'b4rtik/SharpKatz',\n",
" 'b4rtik/SharpMiniDump',\n",
" 'bats3c/ADCSPwn',\n",
" 'BeichenDream/BadPotato',\n",
" 'BloodHoundAD/SharpHound3',\n",
" 'bohops/SharpRDPHijack',\n",
" 'carlospolop/PEASS-ng',\n",
" 'CCob/SharpBlock',\n",
" 'CCob/SweetPotato',\n",
" 'checkymander/Sharp-SMBExec',\n",
" 'chrismaddalena/SharpCloud',\n",
" 'cobbr/Covenant',\n",
" 'cobbr/SharpSploit',\n",
" 'cube0x0/SharpMapExec',\n",
" 'dev-2null/ADCollector',\n",
" 'djhohnstein/SharpChromium',\n",
" 'djhohnstein/SharpSearch',\n",
" 'djhohnstein/SharpShares',\n",
" 'djhohnstein/WireTap',\n",
" 'dsnezhkov/TruffleSnout',\n",
" 'eladshamir/Internal-Monologue',\n",
" 'eladshamir/Whisker',\n",
" 'FatRodzianko/SharpBypassUAC',\n",
" 'fireeye/ADFSDump',\n",
" 'fireeye/SharPersist',\n",
" 'Flangvik/BetterSafetyKatz',\n",
" 'Flangvik/DeployPrinterNightmare',\n",
" 'Flangvik/SharpAppLocker',\n",
" 'FortyNorthSecurity/EDD',\n",
" 'FortyNorthSecurity/SqlClient',\n",
" 'FSecureLABS/SharpClipHistory',\n",
" 'FSecureLABS/SharpGPOAbuse',\n",
" 'fullmetalcache/SharpFiles',\n",
" 'FuzzySecurity/Dendrobate',\n",
" 'FuzzySecurity/Sharp-Suite',\n",
" 'FuzzySecurity/StandIn',\n",
" 'G0ldenGunSec/SharpSecDump',\n",
" 'GhostPack/Certify',\n",
" 'GhostPack/ForgeCert',\n",
" 'GhostPack/LockLess',\n",
" 'GhostPack/Rubeus',\n",
" 'GhostPack/SafetyKatz',\n",
" 'GhostPack/Seatbelt',\n",
" 'GhostPack/SharpDPAPI',\n",
" 'GhostPack/SharpDump',\n",
" 'GhostPack/SharpUp',\n",
" 'GhostPack/SharpWMI',\n",
" 'HunnicCyber/SharpSniper',\n",
" 'infosecn1nja/SharpDoor',\n",
" 'JamesCooteUK/SharpSphere',\n",
" 'jfmaes/SharpHandler',\n",
" 'jnqpblc/SharpDir',\n",
" 'jnqpblc/SharpReg',\n",
" 'jnqpblc/SharpSpray',\n",
" 'jnqpblc/SharpSvc',\n",
" 'jnqpblc/SharpTask',\n",
" 'juliourena/SharpNoPSExec',\n",
" 'Kevin-Robertson/InveighZero',\n",
" 'Kudaes/LOLBITS',\n",
" 'l0ss/Grouper2',\n",
" 'leftp/SpoolSamplerNET',\n",
" 'leftp/VmdkReader',\n",
" 'matterpreter/OffensiveCSharp',\n",
" 'matterpreter/SHAPESHIFTER',\n",
" 'matterpreter/Shhmon',\n",
" 'mgeeky/SharpWebServer',\n",
" 'mgeeky/Stracciatella',\n",
" 'mitchmoser/AtYourService',\n",
" 'mvelazc0/PurpleSharp',\n",
" 'MythicAgents/Apollo',\n",
" 'MythicAgents/Athena',\n",
" 'nccgroup/nccfsas',\n",
" 'NetSPI/DAFT',\n",
" 'outflanknl/SharpHide',\n",
" 'pkb1s/SharpAllowedToAct',\n",
" 'PwnDexter/SharpEDRChecker',\n",
" 'r3nhat/SharpWifiGrabber',\n",
" 'rasta-mouse/TikiTorch',\n",
" 'rasta-mouse/Watson',\n",
" 'RedLectroid/SearchOutlook',\n",
" 'rvrsh3ll/SharpCOM',\n",
" 'rvrsh3ll/SharpPrinter',\n",
" 'shantanu561993/SharpChisel',\n",
" 'shantanu561993/SharpLoginPrompt',\n",
" 'slyd0g/SharpCrashEventLog',\n",
" 'SnaffCon/Snaffler',\n",
" 'swisskyrepo/SharpLAPS',\n",
" 'tevora-threat/SharpView',\n",
" 'tomcarver16/ADSearch',\n",
" 'tyranid/ExploitRemotingService',\n",
" 'ustayready/SharpHose',\n",
" 'V1V1/SharpScribbles',\n",
" 'vivami/SauronEye'\n",
"]"
]
},
{
"cell_type": "markdown",
"id": "71da36a0",
"metadata": {},
"source": [
"These repositories are cloned so that a local copy can be accessed to work around GitHub's search rate limiting"
]
},
{
"cell_type": "code",
"execution_count": 2,
"id": "8030e2bd",
"metadata": {},
"outputs": [],
"source": [
"import git\n",
"\n",
"def clone_git_repos(path):\n",
" for repo in repos:\n",
" try:\n",
" git.Git(path).clone('https://github.com/' + repo)\n",
" #print('Cloned ' + repo)\n",
" except:\n",
" print('Failed to clone ' + repo)\n",
" pass\n",
" \n",
"clone_git_repos('D:\\\\Temp\\\\repos')"
]
},
{
"cell_type": "markdown",
"id": "7e51ae1a",
"metadata": {},
"source": [
"Next, we enumerate all `.CS` files in the cloned repositories."
]
},
{
"cell_type": "code",
"execution_count": 3,
"id": "2c8a850d",
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Enumerated 3457 files\n"
]
}
],
"source": [
"import os\n",
"\n",
"def get_cs_files(path):\n",
" target_files = []\n",
" \n",
" for root, dirs, files in os.walk(path, topdown=True):\n",
" for name in files:\n",
" if (name.endswith('.cs')):\n",
" target_files.append(os.path.join(root, name))\n",
" \n",
" return target_files\n",
" \n",
"cs_files = get_cs_files('D:\\\\Temp\\\\repos')\n",
"print('Enumerated ' + str(len(cs_files)) + ' files')"
]
},
{
"cell_type": "markdown",
"id": "486992ad",
"metadata": {},
"source": [
"The array of file paths is trimmed of all files which don't contain the [`DllImportAttribute`](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.dllimportattribute?view=net-6.0) attribute"
]
},
{
"cell_type": "code",
"execution_count": 4,
"id": "54024a5b",
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"1776 files contain 'DllImport' string\n"
]
}
],
"source": [
"for cs_file in cs_files:\n",
" with open(cs_file, encoding='utf8') as current_file:\n",
" if 'DllImport' not in current_file.read():\n",
" cs_files.remove(cs_file)\n",
" current_file.close()\n",
" \n",
"print(str(len(cs_files)) + ' files contain \\'DllImport\\' string')"
]
},
{
"cell_type": "markdown",
"id": "0aff73bf",
"metadata": {},
"source": [
"Next, we parse out the DLL and function names from the files. EasyHook and SQLite are excluded from this search due to its odd formatting, shown below, and use of `EntryPoint` respectively:\n",
" \n",
"```\n",
"private const String DllName = \"msvcp_win32.dll\";\n",
"\n",
"[DllImport(DllName, CallingConvention = CallingConvention.StdCall, CharSet = CharSet.Unicode)]\n",
"public static extern String RtlGetLastErrorStringCopy();\n",
"```"
]
},
{
"cell_type": "code",
"execution_count": 5,
"id": "f9d73ba5",
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Enumerated 1284 imported functions\n"
]
}
],
"source": [
"def extract_func_names():\n",
" imports = []\n",
" \n",
" i_cs_files = iter(cs_files)\n",
"\n",
" for cs_file in i_cs_files:\n",
" if 'EasyHook' in cs_file:\n",
" continue\n",
" if 'SQLite' in cs_file:\n",
" continue\n",
"\n",
" with open(cs_file, encoding='utf8') as current_file:\n",
" print_line = False\n",
" extern_func = ''\n",
"\n",
" for line in current_file:\n",
" if print_line:\n",
" if 'extern' not in line:\n",
" # Function declarations contain the extern modifier, so skip until we find it\n",
" continue\n",
"\n",
" function_name = line.split('(')[0]\n",
" extern_func = extern_func + function_name.split(' ')[-1]\n",
" imports.append(extern_func)\n",
" print_line = False\n",
"\n",
" if 'DllImport' in line:\n",
" try:\n",
" module_name = line.split('DllImport(\"')[1]\n",
" if (module_name.startswith('/')):\n",
" # Skip invalid imports\n",
" continue\n",
" # Trim the string to only include the DLL name\n",
" extern_func = module_name.partition('\"')[0].strip('.dll') + '!'\n",
" print_line = True\n",
" except: \n",
" # This may fail due to formatting inside the file\n",
" pass\n",
"\n",
" current_file.close()\n",
" \n",
" return imports\n",
" \n",
"imported_funcs = extract_func_names()\n",
"\n",
"print('Enumerated ' + str(len(imported_funcs)) + ' imported functions')"
]
},
{
"cell_type": "markdown",
"id": "ff7e310c",
"metadata": {},
"source": [
"Finally, we count the instances of each imported function sorted by most common."
]
},
{
"cell_type": "code",
"execution_count": 6,
"id": "e7adfe78",
"metadata": {},
"outputs": [
{
"name": "stdout",
"output_type": "stream",
"text": [
"Import Count\n",
"------------------------------------------------------------ -------\n",
"kernel32!CloseHandle 29\n",
"Netapi32!NetApiBufferFree 19\n",
"Rpcrt4!NdrClientCall2x64 16\n",
"advapi32!GetTokenInformation 16\n",
"kernel32!GetProcAddress 15\n",
"advapi32!ImpersonateLoggedOnUser 15\n",
"kernel32!OpenProcess 13\n",
"kernel32!LoadLibrary 12\n",
"advapi32!OpenProcessToken 12\n",
"Netapi32!NetShareEnum 11\n",
"advapi32!RevertToSelf 11\n",
"advapi32!OpenSCManager 11\n",
"advapi32!OpenService 11\n",
"advapi32!CloseServiceHandle 11\n",
"kernel32!GetLastError 10\n",
"kernel32!GetCurrentProcess 10\n",
"kernel32!GetModuleHandle 10\n",
"kernel32!WaitForSingleObject 10\n",
"advapi32!ConvertSidToStringSid 10\n",
"secur32!InitializeSecurityContext 10\n",
"nt!NtQueryInformationProcess 9\n",
"advapi32!DuplicateTokenEx 9\n",
"kernel32!ReadProcessMemory 9\n",
"advapi32!RegOpenKeyEx 9\n",
"advapi32!DeleteService 9\n",
"kernel32!LocalFree 8\n",
"kernel32!CreateThread 8\n",
"user32!GetWindowText 8\n",
"advapi32!LogonUser 8\n",
"advapi32!LookupAccountSid 8\n",
"advapi32!CreateProcessWithLogonW 8\n",
"advapi32!LookupPrivilegeValue 8\n",
"netapi32!NetWkstaUserEnum 7\n",
"kernel32!VirtualAlloc 7\n",
"user32!GetForegroundWindow 7\n",
"user32!CallNextHookEx 7\n",
"advapi32!CreateProcessAsUserW 7\n",
"advapi32!CreateProcessWithTokenW 7\n",
"advapi32!AdjustTokenPrivileges 7\n",
"advapi32!LookupPrivilegeName 7\n",
"advapi32!RegQueryValueEx 7\n",
"advapi32!RegQueryInfoKey 7\n",
"Secur32!LsaGetLogonSessionData 7\n",
"advapi32!DuplicateToken 7\n",
"secur32!AcquireCredentialsHandle 7\n",
"advapi32!StartService 7\n",
"netapi32!NetSessionEnum 6\n",
"kernel32!VirtualProtect 6\n",
"user32!GetWindowTextLength 6\n",
"advapi32!LsaNtStatusToWinError 6\n",
"advapi32!LsaFreeMemory 6\n",
"kernel32!GetCurrentThread 6\n",
"kernel32!IsWow64Process 6\n",
"kernel32!OpenThread 6\n",
"advapi32!AllocateAndInitializeSid 6\n",
"bghelp!MiniDumpWriteDump 6\n",
"kernel32!WriteProcessMemory 6\n",
"advapi32!ChangeServiceConfig 6\n",
"kernel32!DuplicateHandle 5\n",
"user32!SetWindowsHookEx 5\n",
"user32!UnhookWindowsHookEx 5\n",
"Netapi32!DsGetDcName 5\n",
"kernel32!OpenProcessToken 5\n",
"netapi32!NetApiBufferFree 5\n",
"advapi32!CreateProcessAsUser 5\n",
"advapi32!LogonUserA 5\n",
"advapi32!CreateService 5\n",
"kernel32!VirtualAllocEx 5\n",
"shell32!CommandLineToArgvW 4\n",
"kernel32!ReadFile 4\n",
"kernel32!CreatePipe 4\n",
"user32!GetKeyState 4\n",
"samlib!SamOpenDomain 4\n",
"advapi32!LsaOpenPolicy 4\n",
"advapi32!LsaClose 4\n",
"advapi32!SetThreadToken 4\n",
"advapi32!OpenThreadToken 4\n",
"nt!NtCreateSection 4\n",
"nt!NtMapViewOfSection 4\n",
"nt!NtUnmapViewOfSection 4\n",
"nt!NtCreateThreadEx 4\n",
"kernel32!GetSystemInfo 4\n",
"kernel32!OpenThreadToken 4\n",
"advapi32!CredFree 4\n",
"advapi32!ImpersonateSelf 4\n",
"secur32!AcceptSecurityContext 4\n",
"nt!NtQuerySystemInformation 4\n",
"kernel32!CreateFile 4\n",
"Netapi32!NetGetJoinInformation 4\n",
"secur32!DeleteSecurityContext 4\n",
"secur32!FreeCredentialsHandle 4\n",
"Secur32!LsaEnumerateLogonSessions 4\n",
"secur32!LsaFreeReturnBuffer 4\n",
"wtsapi32!WTSCloseServer 4\n",
"wtsapi32!WTSFreeMemory 4\n",
"mpr!WNetAddConnection2 4\n",
"mpr!WNetCancelConnection2 4\n",
"advapi32!ControlService 4\n",
"advapi32!QueryServiceConfig 4\n",
"cryptdll.D!CDLocateCSystem 4\n",
"Advapi32!IsTextUnicode 4\n",
"advapi32!RegCloseKey 4\n",
"Advapi32!CreateService 4\n",
"Netapi32!DsEnumerateDomainTrusts 3\n",
"Rpcrt4!RpcBindingFromStringBinding 3\n",
"Rpcrt4!NdrClientCall2x86 3\n",
"Rpcrt4!RpcBindingFree 3\n",
"Rpcrt4!RpcStringBindingCompose 3\n",
"Rpcrt4!RpcBindingSetOption 3\n",
"kernel32!GetStdHandle 3\n",
"kernel32!FreeLibrary 3\n",
"user32!AddClipboardFormatListener 3\n",
"user32!SetParent 3\n",
"Netapi32!NetLocalGroupEnum 3\n",
"samlib!SamConnect 3\n",
"samlib!SamFreeMemory 3\n",
"samlib!SamCloseHandle 3\n",
"kernel32!SetHandleInformation 3\n",
"advapi32!GetSidSubAuthority 3\n",
"advapi32!GetSidSubAuthorityCount 3\n",
"nt!NtFilterToken 3\n",
"nt!NtSetInformationToken 3\n",
"kernel32!GlobalSize 3\n",
"kernel32!ReadProcessMemory64 3\n",
"kernel32!SearchPath 3\n",
"kernel32!VirtualQueryEx32 3\n",
"kernel32!VirtualQueryEx64 3\n",
"kernel32!GetNativeSystemInfo 3\n",
"netapi32!NetLocalGroupEnum 3\n",
"netapi32!NetLocalGroupGetMembers 3\n",
"advapi32!CredEnumerateW 3\n",
"advapi32!CredReadW 3\n",
"advapi32!CredWriteW 3\n",
"advapi32!PrivilegeCheck 3\n",
"activeds!Init 3\n",
"activeds!Set 3\n",
"activeds!Get 3\n",
"activeds!InitEx 3\n",
"activeds!put_ChaseReferral 3\n",
"kernel32!GetPrivateProfileString 3\n",
"secur32!LsaLookupAuthenticationPackage 3\n",
"secur32!LsaCallAuthenticationPackage 3\n",
"secur32!LsaConnectUntrusted 3\n",
"secur32!LsaDeregisterLogonProcess 3\n",
"Wtsapi32!WTSQuerySessionInformation 3\n",
"wtsapi32!WTSOpenServer 3\n",
"wtsapi32!WTSEnumerateSessionsEx 3\n",
"kernel32!CreateProcess 3\n",
"kernel32!WTSGetActiveConsoleSessionId 3\n",
"kernel32!VirtualProtectEx 3\n",
"kernel32!ResumeThread 3\n",
"kernel32!LocalAlloc 3\n",
"kernel32!CopyMemory 3\n",
"Secur32!FreeContextBuffer 3\n",
"advapi32!CryptAcquireContext 3\n",
"user32!GetWindowThreadProcessId 3\n",
"nt!RtlZeroMemory 3\n",
"nt!RtlInitUnicodeString 3\n",
"Netapi32!NetWkstaGetInfo 3\n",
"NetApi32!DsGetSiteName 2\n",
"NetAPI32!NetLocalGroupGetMembers 2\n",
"kernel32!SetStdHandle 2\n",
"kernel32!GetCommandLine 2\n",
"kernel32!VirtualFree 2\n",
"user32!GetAsyncKeyState 2\n",
"advapi32!LookupAccountName 2\n",
"samlib!SamOpenAlias 2\n",
"samlib!SamGetMembersInAlias 2\n",
"winspool.drv!ClosePrinter 2\n",
"userenv!CreateEnvironmentBlock 2\n",
"Rpcrt4!RpcBindingSetAuthInfoEx 2\n",
"Rpcrt4!RpcBindingSetAuthInfo 2\n",
"Netapi32!NetLocalGroupGetMembers 2\n",
"nt!NtQueryObject 2\n",
"kernel32!CreateFileMapping 2\n",
"kernel32!MapViewOfFile 2\n",
"kernel32!WriteFile 2\n",
"kernel32!GetFileSizeEx 2\n",
"psapi!GetModuleInformation 2\n",
"kernel32!CreateRemoteThread 2\n",
"ole32!CoTaskMemFree 2\n",
"credui!CredUnPackAuthenticationBuffer 2\n",
"credui!CredUIPromptForWindowsCredentials 2\n",
"kernel32!RtlZeroMemory 2\n",
"advapi32!QueryServiceObjectSecurity 2\n",
"advapi32!GetNamedSecurityInfo 2\n",
"advapi32!ConvertSecurityDescriptorToStringSecurityDescriptor 2\n",
"iphlpapi!GetExtendedTcpTable 2\n",
"iphlpapi!GetExtendedUdpTable 2\n",
"IpHlpApi!GetIpNetTable 2\n",
"IpHlpApi!FreeMibTable 2\n",
"kernel32!FindFirstFile 2\n",
"kernel32!FindNextFile 2\n",
"kernel32!FindClose 2\n",
"kernel32!GetPrivateProfileSection 2\n",
"Netapi32!NetUserEnum 2\n",
"netapi32!NetFreeAadJoinInformation 2\n",
"netapi32!NetGetAadJoinInformation 2\n",
"psapi!EnumDeviceDrivers 2\n",
"psapi!GetDeviceDriverFileName 2\n",
"psapi!GetDeviceDriverBaseName 2\n",
"samlib!SamLookupDomainInSamServer 2\n",
"samlib!SamEnumerateDomainsInSamServer 2\n",
"User32!GetLastInputInfo 2\n",
"user32!SetProcessDPIAware 2\n",
"vaultcli!VaultOpenVault 2\n",
"vaultcli!VaultEnumerateVaults 2\n",
"vaultcli!VaultEnumerateItems 2\n",
"vaultcli!VaultGetItem_WIN8 2\n",
"vaultcli!VaultGetItem_WIN7 2\n",
"wlanapi!WlanGetProfile 2\n",
"wlanapi!WlanGetProfileList 2\n",
"kernel32!UpdateProcThreadAttribute 2\n",
"kernel32!InitializeProcThreadAttributeList 2\n",
"advapi32!OpenSCManagerW 2\n",
"kernel32!SuspendThread 2\n",
"kernel32!SetThreadContext 2\n",
"kernel32!GetThreadContext 2\n",
"cryptdll.D!CDLocateCheckSum 2\n",
"Netapi32!DsGetDcName 2\n",
"kernel32!GetSystemTime 2\n",
"secur32!LsaRegisterLogonProcess 2\n",
"advapi32!CryptSetProvParam 2\n",
"CRYPT32.DLL!CertSetCertificateContextProperty 2\n",
"nt!RtlNtStatusToDosError 2\n",
"kernel32!VirtualFreeEx 2\n",
"nt!NtLoadDriver 2\n",
"advapi32!LsaRetrievePrivateData 2\n",
"shlwapi!PathIsUNC 2\n",
"netapi32!NetWkstaGetInfo 2\n",
"secur32.D!AcceptSecurityContext 2\n",
"advapi32!GetSecurityInfo 2\n",
"kernel32!GetCurrentThreadId 2\n",
"NETAPI32!NetApiBufferFree 1\n",
"ntdsapi!DsGetDomainControllerInfo 1\n",
"NTDSAPI!DsFreeDomainControllerInfo 1\n",
"ADVAPI32.DLL!LogonUser 1\n",
"userenv!GetAppliedGPOList 1\n",
"kernel32!AllocConsole 1\n",
"kernel32!AttachConsole 1\n",
"kernel32!CreateNamedPipeA 1\n",
"Kernel32!CreateFileA 1\n",
"kernel32!ClosePipe 1\n",
"user32!ShowWindow 1\n",
"kernel32!LoadLibraryA 1\n",
"kernel32!GetModuleHandleA 1\n",
"ibc!geteuid 1\n",
"User32!IsClipboardFormatAvailable 1\n",
"User32!GetClipboardData 1\n",
"kernel32!GlobalLock 1\n",
"kernel32!GlobalUnlock 1\n",
"user32!OpenClipboard 1\n",
"user32!CloseClipboard 1\n",
"Kernel32!GlobalSize 1\n",
"advapi32!LsaEnumerateTrustedDomains 1\n",
"advapi32!LsaQueryForestTrustInformation 1\n",
"advapi32!LsaLookupSids 1\n",
"advapi32!LsaLookupNames 1\n",
"Netapi32!NetStatisticsGet 1\n",
"winspool.drv!OpenPrinter 1\n",
"kernel32!CreateNamedPipeW 1\n",
"kernel32!ConnectNamedPipe 1\n",
"kernel32!GetNamedPipeHandleState 1\n",
"advapi32!ImpersonateNamedPipeClient 1\n",
"KernelBase!CreateFileW 1\n",
"winspool.drv!GetPrinterDriverDirectory 1\n",
"winspool.drv!AddPrinter 1\n",
"winspool.drv!AddPrinterDriverEx 1\n",
"ole32!CreateObjrefMoniker 1\n",
"ole32!CreateBindCtx 1\n",
"kernel32!QueryDosDevice 1\n",
"kernel32!UnmapViewOfFile 1\n",
"kernel32!GetFileType 1\n",
"netapi32!I_NetServerReqChallenge 1\n",
"netapi32!I_NetServerAuthenticate2 1\n",
"netapi32!I_NetServerPasswordSet2 1\n",
"Httpapi!HttpQueryServiceConfiguration 1\n",
"Httpapi!HttpInitialize 1\n",
"kernel32!Wow64DisableWow64FsRedirection 1\n",
"kernel32!Wow64RevertWow64FsRedirection 1\n",
"kernel32!CreateDirectory 1\n",
"kernel32!CopyFile 1\n",
"kernel32!DeleteFileW 1\n",
"kernel32!RemoveDirectory 1\n",
"shell32!ShellExecuteEx 1\n",
"Advapi32!CredRead 1\n",
"Advapi32!CredWrite 1\n",
"Advapi32!CredFree 1\n",
"Advapi32!CredDelete 1\n",
"Advapi32!CredEnumerate 1\n",
"advapi32!bool 1\n",
"Kernel32!CloseHandle 1\n",
"Kernel32!GetCurrentProcess 1\n",
"Kernel32!GetCurrentThread 1\n",
"Kernel32!GlobalLock 1\n",
"Kernel32!GlobalUnlock 1\n",
"Kernel32!FreeLibrary 1\n",
"Netapi32!NetServerGetInfo 1\n",
"Netapi32!NetServerEnum 1\n",
"ntdsapi!DsBind 1\n",
"ntdsapi!DsCrackNames 1\n",
"ntdsapi!DsFreeNameResult 1\n",
"ntdsapi!DsUnBind 1\n",
"samlib!SamQueryInformationDomain 1\n",
"samlib!SamSetInformationDomain 1\n",
"secur32!int 1\n",
"secur32!LsaCallAuthenticationPackage_KERB_RETRIEVE_TKT 1\n",
"wlanapi!WlanOpenHandle 1\n",
"wlanapi!WlanCloseHandle 1\n",
"wlanapi!WlanEnumInterfaces 1\n",
"wlanapi!WlanFreeMemory 1\n",
"wlanapi!WlanConnect 1\n",
"kernel32!CreateProcessA 1\n",
"Dbghelp!MiniDumpWriteDump 1\n",
"netapi32!NetUserAdd 1\n",
"NetApi32!NetLocalGroupAddMembers 1\n",
"NetApi32!NetUserDel 1\n",
"kernel32!QueueUserAPC 1\n",
"advapi32!I_QueryTagInformation 1\n",
"advapi32!LsaEnumerateAccountsWithUserRight 1\n",
"advapi32!CredEnumerate 1\n",
"advapi32!CryptReleaseContext 1\n",
"advapi32!CryptCreateHash 1\n",
"advapi32!CryptDestroyHash 1\n",
"advapi32!CryptHashData 1\n",
"advapi32!CryptDeriveKey 1\n",
"advapi32!CryptDestroyKey 1\n",
"advapi32!CryptDecrypt 1\n",
"mpr!WNetGetConnection 1\n",
"rpcrt4!RpcStringBindingCompose 1\n",
"rpcrt4!RpcBindingFromStringBinding 1\n",
"rpcrt4!RpcBindingToStringBinding 1\n",
"rpcrt4!RpcMgmtEpEltInqBegin 1\n",
"rpcrt4!RpcMgmtEpEltInqNext 1\n",
"rpcrt4!RpcStringFree 1\n",
"rpcrt4!RpcMgmtEpEltInqDone 1\n",
"rpcrt4!RpcBindingFree 1\n",
"Secur32!EnumerateSecurityPackages 1\n",
"shlwapi!IsOS 1\n",
"vaultcli!VaultCloseVault 1\n",
"vaultcli!VaultFree 1\n",
"user32!MessageBoxA 1\n",
"user32!EnumWindows 1\n",
"user32!EnumChildWindows 1\n",
"user32!EnumProps 1\n",
"user32!GetProp 1\n",
"user32!SetProp 1\n",
"user32!PostMessage 1\n",
"user32!GetParent 1\n",
"user32!GetClassName 1\n",
"nt!RtlGetVersion 1\n",
"kernel32!GetFileTime 1\n",
"kernel32!SetFileTime 1\n",
"nt!NtFreeVirtualMemory 1\n",
"crypt32!CryptProtectData 1\n",
"crypt32!CryptUnprotectData 1\n",
"SspiCli!SspiPrepareForCredRead 1\n",
"Credui!CredUnPackAuthenticationBufferW 1\n",
"kernel32! 1\n",
"nt!RtlCreateProcessParametersEx 1\n",
"nt!NtOpenProcess 1\n",
"nt!NtOpenThread 1\n",
"nt!NtQueueApcThread 1\n",
"nt!RtlUnicodeStringToAnsiString 1\n",
"nt!LdrGetDllHandle 1\n",
"nt!LdrGetProcedureAddress 1\n",
"nt!NtAlertResumeThread 1\n",
"nt!NtQueryInformationThread 1\n",
"nt!NtOpenProcessToken 1\n",
"nt!NtAdjustPrivilegesToken 1\n",
"nt!NtClose 1\n",
"nt!NtOpenDirectoryObject 1\n",
"nt!NtQueryDirectoryObject 1\n",
"nt!RtlDosPathNameToRelativeNtPathName_U 1\n",
"nt!NtUnloadDriver 1\n",
"nt!NtCreateFile 1\n",
"nt!NtDeviceIoControlFile 1\n",
"bghelp!SymInitialize 1\n",
"bghelp!SymGetSymFromAddr64 1\n",
"psapi!GetMappedFileNameW 1\n",
"kernel32!VirtualQuery 1\n",
"user32!FindWindow 1\n",
"nt!NtUpdateWnfStateData 1\n",
"kernel32!WaitForDebugEvent 1\n",
"kernel32!ContinueDebugEvent 1\n",
"Kernel32!GetFinalPathNameByHandle 1\n",
"kernel32!GetExitCodeProcess 1\n",
"kernel32!Wow64GetThreadContext 1\n",
"kernel32!Wow64SetThreadContext 1\n",
"nt!NtSetInformationProcess 1\n",
"nt!NtQueryInformationFile 1\n",
"main!mainDelegate 1\n",
"advapi32!OpenEventLog 1\n",
"advapi32!ElfClearEventLogFileW 1\n",
"Ncrypt!NCryptOpenStorageProvider 1\n",
"Ncrypt!NCryptImportKey 1\n",
"Ncrypt!NCryptExportKey 1\n",
"Ncrypt!NCryptSetProperty 1\n",
"Ncrypt!NCryptFinalizeKey 1\n",
"Ncrypt!NCryptFreeObject 1\n",
"kernel32!QueryFullProcessImageName 1\n",
"nt!NtSetValueKey 1\n",
"nt!NtDeleteValueKey 1\n",
"secur32!TranslateName 1\n",
"NetAPI32!NetSessionEnum 1\n",
"user32!SetWindowPos 1\n",
"user32.D!EnumWindows 1\n",
"Advapi32!RevertToSelf 1\n",
"!OpenProcessToken 1\n",
"!DuplicateToken 1\n",
"!ImpersonateLoggedOnUser 1\n",
"!GetLastError 1\n",
"!CloseHandle 1\n",
"!RevertToSelf 1\n",
"!SetThreadToken 1\n",
"bcrypt!BCryptCloseAlgorithmProvider 1\n",
"bcrypt!BCryptDestroyKey 1\n",
"bcrypt!BCryptDecrypt 1\n",
"bcrypt!BCryptOpenAlgorithmProvider 1\n",
"bcrypt!BCryptSetProperty 1\n",
"bcrypt!BCryptGenerateSymmetricKey 1\n",
"bcrypt!BCryptGetProperty 1\n",
"kernel32!PeekNamedPipe 1\n",
"kernel32!GetConsoleOutputCP 1\n",
"iphlpapi!SendARP 1\n",
"wtsapi32!WTSEnumerateSessions 1\n",
"wtsapi32!WTSConnectSession 1\n",
"wtsapi32!WTSDisconnectSession 1\n",
"wtsapi32!WTSQuerySessionInformation 1\n",
"advapi32!RegSaveKey 1\n",
"advapi32!RegConnectRegistry 1\n",
"Advapi32!RegGetValue 1\n",
"advapi32!QueryServiceStatusEx 1\n",
"secur32.D!ImpersonateSecurityContext 1\n",
"secur32.D!QueryContextAttributes 1\n",
"secur32.D!EncryptMessage 1\n",
"secur32.D!DecryptMessage 1\n",
"secur32.D!MakeSignature 1\n",
"secur32.D!VerifySignature 1\n",
"kernel32!TerminateThread 1\n",
"kernel32!PssCaptureSnapshot 1\n",
"kernel32!PssFreeSnapshot 1\n",
"kernel32!PssQuerySnapshot 1\n",
"kernel32!GetProcessId 1\n",
"wtsapi32!WTSOpenServerEx 1\n",
"wtsapi32!WTSFreeMemoryEx 1\n",
"Wlanapi!WlanOpenHandle 1\n",
"Wlanapi!WlanCloseHandle 1\n",
"Wlanapi!WlanEnumInterfaces 1\n",
"fltlib!FilterUnload 1\n",
"fltlib!FilterFindFirst 1\n",
"fltlib!FilterFindNext 1\n",
"fltlib!FilterFindClose 1\n",
"kernel32!ZeroMemory 1\n",
"advapi32!GetInheritanceSource 1\n",
"advapi32!FreeInheritedFromArray 1\n",
"authz!AuthzInitializeRemoteResourceManager 1\n",
"authz!AuthzInitializeResourceManager 1\n",
"authz!AuthzInitializeContextFromSid 1\n",
"authz!AuthzAccessCheck 1\n",
"authz!AuthzFreeContext 1\n",
"advapi32!GetSecurityDescriptorLength 1\n",
"authz!AuthzFreeResourceManager 1\n",
"psapi!EnumProcessModulesEx 1\n",
"psapi!GetModuleFileNameEx 1\n",
"ole32!CreateILockBytesOnHGlobal 1\n",
"ole32!StgCreateDocfileOnILockBytes 1\n",
"ole32!CoGetInstanceFromIStorage 1\n",
"secur32!QuerySecurityContextToken 1\n",
"kernel32!DeviceIoControl 1\n",
"user32!OpenWindowStationW 1\n",
"advapi32!CreateWellKnownSid 1\n",
"advapi32!SetEntriesInAclW 1\n",
"advapi32!SetSecurityInfo 1\n",
"User32!OpenDesktopA 1\n",
"winmm!mciSendString 1\n",
"user32!PeekMessage 1\n",
"core!GetModuleHandle 1\n"
]
}
],
"source": [
"from collections import Counter\n",
"from tabulate import tabulate\n",
"\n",
"ctr = Counter(imported_funcs).most_common()\n",
"\n",
"print(tabulate(ctr, headers=[\"Import\", \"Count\"]))"
]
}
],
"metadata": {
"kernelspec": {
"display_name": "Python 3 (ipykernel)",
"language": "python",
"name": "python3"
},
"language_info": {
"codemirror_mode": {
"name": "ipython",
"version": 3
},
"file_extension": ".py",
"mimetype": "text/x-python",
"name": "python",
"nbconvert_exporter": "python",
"pygments_lexer": "ipython3",
"version": "3.9.10"
}
},
"nbformat": 4,
"nbformat_minor": 5
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment