import idaapi
import idc
# Absolute address -> symbol for the Windows API stubs this IDA script
# renames.  Every name carries an "mw_" prefix so the renamed stubs stand
# apart from the genuine exports in cross-reference listings.  The keys
# are 8 bytes apart, which looks like a table of import jump thunks (the
# file name says "jump fx") -- NOTE(review): confirm against the IDB.
# They were captured from one specific database; if the image is loaded
# at a different base none of them will resolve to a function.
address_to_name = {
    0x101E318C: "mw_WriteFileEx",
    0x101E3194: "mw_WriteConsoleW",
    0x101E319C: "mw_Wow64RevertWow64FsRedirection",
    0x101E31A4: "mw_Wow64DisableWow64FsRedirection",
    0x101E31AC: "mw_WideCharToMultiByte",
    0x101E31B4: "mw_RtlWakeAllConditionVariable",
    0x101E31BC: "mw_WaitForSingleObjectEx",
    0x101E31C4: "mw_WaitForSingleObject",
    0x101E31CC: "mw_WaitForMultipleObjects",
    0x101E31D4: "mw_UnmapViewOfFile",
    0x101E31DC: "mw_RtlTryAcquireSRWLockExclusive",
    0x101E31E4: "mw_TlsSetValue",
    0x101E31EC: "mw_TlsGetValue",
    0x101E31F4: "mw_TlsFree",
    0x101E31FC: "mw_TlsAlloc",
    0x101E3204: "mw_TerminateProcess",
    0x101E320C: "mw_SwitchToThread",
    0x101E3214: "mw_SleepEx",
    0x101E321C: "mw_SleepConditionVariableSRW",
    0x101E3224: "mw_Sleep",
    0x101E322C: "mw_SetThreadToken",
    0x101E3234: "mw_SetThreadStackGuarantee",
    0x101E323C: "mw_SetLastError",
    0x101E3244: "mw_SetFilePointerEx",
    0x101E324C: "mw_SetFileAttributesW",
    0x101E3254: "mw_SetErrorMode",
    0x101E325C: "mw_RtlCaptureContext",
    0x101E3264: "mw_RtlReleaseSRWLockShared",
    0x101E326C: "mw_RtlReleaseSRWLockExclusive",
    0x101E3274: "mw_ReleaseMutex",
    0x101E327C: "mw_ReadFileEx",
    0x101E3284: "mw_ReadFile",
    0x101E328C: "mw_ReadConsoleW",
    0x101E3294: "mw_QueryPerformanceFrequency",
    0x101E329C: "mw_QueryPerformanceCounter",
    0x101E32A4: "mw_OpenProcess",
    0x101E32AC: "mw_MultiByteToWideChar",
    0x101E32B4: "mw_MoveFileExW",
    0x101E32BC: "mw_Module32NextW",
    0x101E32C4: "mw_Module32FirstW",
    0x101E32CC: "mw_MapViewOfFile",
    0x101E32D4: "mw_LocalFree",
    0x101E32DC: "mw_LoadLibraryA",
    0x101E32E4: "mw_IsWow64Process",
    0x101E32EC: "mw_InitOnceComplete",
    0x101E32F4: "mw_InitOnceBeginInitialize",
    0x101E32FC: "mw_RtlReAllocateHeap",
    0x101E3304: "mw_HeapFree",
    0x101E330C: "mw_RtlAllocateHeap",
    0x101E3314: "mw_GetWindowsDirectoryW",
    0x101E331C: "mw_GetVolumePathNamesForVolumeNameW",
    0x101E3324: "mw_GetTempPathW",
    0x101E332C: "mw_GetSystemTimeAsFileTime",
    0x101E3334: "mw_GetSystemInfo",
    0x101E333C: "mw_GetSystemDirectoryW",
    0x101E3344: "mw_GetStdHandle",
    0x101E334C: "mw_GetProcessId",
    0x101E3354: "mw_GetProcessHeap",
    0x101E335C: "mw_GetProcAddress",
    0x101E3364: "mw_GetOverlappedResult",
    0x101E336C: "mw_GetModuleHandleW",
    0x101E3374: "mw_GetModuleHandleA",
    0x101E337C: "mw_GetModuleFileNameW",
    0x101E3384: "mw_GetLogicalDrives",
    0x101E338C: "mw_GetLastError",
    0x101E3394: "mw_GetFullPathNameW",
    0x101E339C: "mw_GetFileInformationByHandleEx",
    0x101E33A4: "mw_GetFileInformationByHandle",
    0x101E33AC: "mw_GetFileAttributesW",
    0x101E33B4: "mw_GetExitCodeProcess",
    0x101E33BC: "mw_GetErrorMode",
    0x101E33C4: "mw_GetEnvironmentVariableW",
    0x101E33CC: "mw_GetEnvironmentStringsW",
    0x101E33D4: "mw_GetDriveTypeW",
    0x101E33DC: "mw_GetCurrentThread",
    0x101E33E4: "mw_GetCurrentProcessId",
    0x101E33EC: "mw_GetCurrentProcess",
    0x101E33F4: "mw_GetCurrentDirectoryW",
    0x101E33FC: "mw_GetConsoleMode",
    0x101E3404: "mw_GetComputerNameExW",
    0x101E340C: "mw_GetCommandLineW",
    0x101E3414: "mw_FreeEnvironmentStringsW",
    0x101E341C: "mw_FreeConsole",
    0x101E3424: "mw_FormatMessageW",
    0x101E342C: "mw_FlushFileBuffers",
    0x101E3434: "mw_FindVolumeClose",
    0x101E343C: "mw_FindNextVolumeW",
    0x101E3444: "mw_FindNextFileW",
    0x101E344C: "mw_FindFirstVolumeW",
    0x101E3454: "mw_FindFirstFileW",
    0x101E345C: "mw_FindClose",
    0x101E3464: "mw_ExitProcess",
    0x101E346C: "mw_DuplicateHandle",
    0x101E3474: "mw_DeviceIoControl",
    0x101E347C: "mw_CreateToolhelp32Snapshot",
    0x101E3484: "mw_CreateThread",
    0x101E348C: "mw_CreateProcessW",
    0x101E3494: "mw_CreateNamedPipeW",
    0x101E349C: "mw_CreateMutexW",
    0x101E34A4: "mw_CreateMutexA",
    0x101E34AC: "mw_CreateFileW",
    0x101E34B4: "mw_CreateFileMappingA",
    0x101E34BC: "mw_CreateEventW",
    0x101E34C4: "mw_CreateDirectoryW",
    0x101E34CC: "mw_CompareStringOrdinal",
    0x101E34D4: "mw_CloseHandle",
    0x101E34DC: "mw_CancelIo",
    0x101E34E4: "mw_RtlAcquireSRWLockShared",
    0x101E34EC: "mw_RtlAcquireSRWLockExclusive",
    0x101E34F4: "mw_WSACleanup",
    0x101E34FC: "mw_WSAGetLastError",
    0x101E3504: "mw_WSAStartup",
    0x101E350C: "mw_FreeAddrInfoW",
    0x101E3514: "mw_getaddrinfo",
    0x101E351C: "mw_ExitWindowsEx",
    0x101E3524: "mw_SystemParametersInfoW",
    0x101E352C: "mw_SHGetKnownFolderPath",
    0x101E3534: "mw_ShellExecuteA",
    0x101E353C: "mw_SetupDiDestroyDeviceInfoList",
    0x101E3544: "mw_SetupDiEnumDeviceInfo",
    0x101E354C: "mw_SetupDiEnumDeviceInterfaces",
    0x101E3554: "mw_SetupDiGetClassDevsW",
    0x101E355C: "mw_SetupDiGetDeviceInstanceIdW",
    0x101E3564: "mw_SetupDiGetDeviceInterfaceDetailW",
    0x101E356C: "mw_RmEndSession",
    0x101E3574: "mw_RmGetList",
    0x101E357C: "mw_RmRegisterResources",
    0x101E3584: "mw_RmStartSession",
    0x101E358C: "mw_EnumProcesses",
    0x101E3594: "mw_GetProcessImageFileNameW",
    0x101E359C: "mw_CoCreateInstance",
    0x101E35A4: "mw_CoInitialize",
    0x101E35AC: "mw_CoTaskMemFree",
    0x101E35B4: "mw_CoUninitialize",
    0x101E35BC: "mw_RtlNtStatusToDosError",
    0x101E35C4: "mw_NetApiBufferFree",
    0x101E35CC: "mw_NetShareEnum",
    0x101E35D4: "mw_NetUserSetInfo",
    0x101E35DC: "mw_WNetCloseEnum",
    0x101E35E4: "mw_WNetEnumResourceW",
    0x101E35EC: "mw_WNetGetLastErrorA",
    0x101E35F4: "mw_WNetOpenEnumW",
    0x101E35FC: "mw_GetAdaptersAddresses",
    0x101E3604: "mw_BCryptGenRandom",
    0x101E360C: "mw_AdjustTokenPrivileges",
    0x101E3614: "mw_ChangeServiceConfigW",
    0x101E361C: "mw_ControlService",
    0x101E3624: "mw_DuplicateTokenEx",
    0x101E362C: "mw_EnumDependentServicesW",
    0x101E3634: "mw_EnumServicesStatusW",
    0x101E363C: "mw_GetTokenInformation",
    0x101E3644: "mw_GetUserNameW",
    0x101E364C: "mw_LookupPrivilegeValueA",
    0x101E3654: "mw_LookupPrivilegeValueW",
    0x101E365C: "mw_OpenProcessToken",
    0x101E3664: "mw_OpenSCManagerW",
    0x101E366C: "mw_OpenServiceW",
    0x101E3674: "mw_QueryServiceStatusEx",
    0x101E367C: "mw_RegCloseKey",
    0x101E3684: "mw_RegDeleteValueW",
    0x101E368C: "mw_RegEnumValueW",
    0x101E3694: "mw_RegOpenKeyExW",
    0x101E369C: "mw_RegSetValueExW",
    0x101E36A4: "mw_RevertToSelf",
    0x101E36AC: "mw_SystemFunction036",
    0x101E36B4: "mw_ZwWriteFile",
    0x101E36BC: "mw_ZwSetInformationProcess",
    0x101E36C4: "mw_NtReadFile"
}
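def rename_functions(mapping=None):
    """Apply an ``{address: name}`` table to the functions of the open IDB.

    Args:
        mapping: dict of absolute address -> new name.  Defaults to the
            module-level ``address_to_name`` table.

    Returns:
        The number of entries that were actually renamed.  Entries whose
        address is not a function start, and entries IDA rejects (for
        example because the name is already taken), are reported on the
        output window instead of being dropped silently -- if every entry
        is skipped, the image base of the IDB most likely does not match
        the one the table was captured from.
    """
    if mapping is None:
        mapping = address_to_name
    renamed = 0
    for address, name in mapping.items():
        # Only touch addresses IDA already treats as function starts.
        if not idaapi.get_func(address):
            print("skip 0x%X (%s): not a function" % (address, name))
            continue
        # set_name() returns False when the name is rejected; SN_NOWARN
        # suppresses the dialog, so the result has to be checked here.
        if idaapi.set_name(address, name, idaapi.SN_NOWARN):
            renamed += 1
        else:
            print("failed 0x%X -> %s" % (address, name))
    return renamed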
if __name__ == "__main__":
    # Runs only when the file is executed as a script inside IDA;
    # importing it just exposes the table and the helper.
    rename_functions()
    print("Booyah.")