Mini Kabibi Habibi
�LJ��9�������
���X���6���9���9�������B���K����CloseHandle�C�ffi2�������=���6���9���9���3���B���K�����gc�ffi�handleV������
���X���6���9���9���9�������B���K����DestroyEnvironmentBlock�userenv
Win32 core/�������=���6���9���9���3���B���K�����gc�ffi�env1�������6���9���9�������B���K����RegCloseKey�C�ffi��������<����X���'�������X���)�������X���6���9���9���9���6���9���9���������������B���7���6�������X���+���=���2� �6���9� �'�
�B���=���6���9���9���6������������ ��9
��B���6���9���9�
�9�������X���+���=���2�
�9���:���=���6���9���9���3���B���K���K���K�����gc�ERROR_SUCCESS�Win32ErrorConstants�RegOpenKeyExA�C
void*[1]�new�ffi hKey�rootKey�GetRootHKEYFromString
KEY_READ�RegistrySamConstants
Win32 core�(�������9�������X���+���X���+���L��� hKey��������n����9���B�������X���6���9�������9���'���B���6���9���'���B���6���9���'���B���6���9���9� �9�
�,�������� ��,
��B�
�6���9���9���9�
�����X���6���9�������9���6���9���'���6���9���9���� ��B���A���A���4���)���:�������)���M�5�6 ��9 � '
��:�������B ��6
��9
�
'���:�������B
��6���9���9���9�
��
���� ���
�,���B� �����6���9���9���9�
�����X� �6���9�������6
��9
�
�� �B
��A���X���6���9�������9���6
��9
�
'�������6���9���9�������B���A
��A���O������:���J���7Failed to enumerate subkeys at index %d. Error: %s�insert
table�RegEnumKeyExA�char[?]�GetWin32ErrorString8Failed to query registry key information. Error: %s�format�string�ERROR_SUCCESS�Win32ErrorConstants
Win32 hKey�RegQueryInfoKeyA�C�unsigned long[1]�new�ffi&ErrorInvalid registry key handle. info�logger core�IsValid���������p����9���B�������X���6���9�������9���'���B���+���L���6���9���'���B���6���9���'���B���6���9���9� �9�
�,�
���������,
��B�
�6���9���9���9�
�����X���6���9�������9���6���9���'���6���9���9���� ��B���A���A���+���L���4���)���:�������)���M�5�6 ��9 � '
��:�������B ��6
��9
�
'���:�������B
��6���9���9���9�
��
���� ���
�,���B� �����6���9���9���9�
�����X� �6���9�������6
��9
�
�� �B
��A���X���6���9�������9���6
��9
�
'�������6���9���9�������B���A
��A���O��L���;Failed to enumerate value names at index %d. Error: %s�insert
table�RegEnumValueA�char[?]�GetWin32ErrorString;Failed to query registry key for value info. Error: %s�format�string�ERROR_SUCCESS�Win32ErrorConstants
Win32 hKey�RegQueryInfoKeyA�C�unsigned long[1]�new�ffi7ErrorInvalid registry key handle in GetValueNames. info�logger core�IsValid�����������9�������X���+���L���
���X���6�������B�������X���+���L���6���9���'���B���6���9���'���B���6���9���'���)���B���6���9���9���9�������+���� ���
������B���6���9� �9�
�9�������X���+���L���X���6���9� �9�
�9�������X���6���9� �9�
�9���:�������X���6���:���D���X���6���9� �9�
�9�������X���6���9� �9�
�9�������X���+���L���:���4�� 6���9� �9�
�9���6���9� �9���9���<���6���9� �9�
�9���6���9� �9���9���<���6���9� �9�
�9���6���9� �9���9���<���6���9� �9�
�9���6���9� �9���9���<���6���9� �9�
�9���6���9� �9���9���<���6���9� �9�
�9���6���9� �9���9���<���6���9� �9�
�9���6���9� �9���9���<���6���9� �9�
�9���6���9� �9���9���<���6���9� �9�
�9���6���9� �9���9���<���8�������X���+���L���6���9� �9���9���8�������X�)�:���)�������X�"�6���9���'���: ��� � B���6���9���' ��B���6 ��9 � 9 � 9
������+����
����������B ���� �6 ��9 9
9 � � ��X ��+ ��L ��6 ��9 � �
��D ��X�^�+���L���X�[�6���9� �9���9���8�������X�&�:���)�������X���6���9���'���B���6���9���' ��B���6 ��9 � 9 � 9
������+����
����������B ���� �6 ��9 9
9 � � ��X ��+ ��L ��6 ��:
��D ��X�1�+���L���X�.�6���9� �9���9���8�������X�%�:���)�������X���6���9���'���: ��B���6���9���' ��B���6 ��9 � 9 � 9
������+����
����������B ���� �6 ��9 9
9 � � ��X ��+ ��L ��L���X���+���L���X���+���L���K����unsigned __int64[1]�char[?]�BINARY�REG_BINARY�REG_QWORD_LITTLE_ENDIAN�REG_QWORD�REG_MULTI_SZ�REG_DWORD_BIG_ENDIAN�REG_DWORD_LITTLE_ENDIAN�NUMBER�REG_EXPAND_SZ�STRING�RegistryValueTypeMapping�REG_SZ�ERROR_MORE_DATA
tonumber�REG_DWORD�RegistryValueTypeConstants�ERROR_SUCCESS�ERROR_FILE_NOT_FOUND�Win32ErrorConstants
Win32 core�RegQueryValueExA�C�unsigned long[1]�new�ffi�string type hKey�����
���������9���B�������X���6���9�������9���'���B���,���J���6���9���'���B���6���9���'���B���6���9���9� �9�
�����+�������+ ���
��B���6���9���9���9�
�����X���6���9�������9���'���B���,���J���6���9���'���:���B���6���9���9� �9�
�����+ ���
����������B�������6���9���9���9�
�����X���6���9�������9���'���B���,���J���+���:���6���9���9���9�������X���6���9���9���9�������X���6���9���9���9�������X���6���9�������B�������X�5�6���9���9���9�������X���6���9���9���9�������X�
�6���6���9���' ���
��B���:���B�������X���6���9���9���9�������X���6���9���9���9�������X�
�6���6���9���' ���
��B���:���B�������X� �6���9���9���9�������X���+���X���+�����������J����REG_BINARY�unsigned __int64*�REG_QWORD_LITTLE_ENDIAN�REG_QWORD�unsigned long* cast
tonumber�REG_DWORD_LITTLE_ENDIAN�REG_DWORD�string�REG_MULTI_SZ�REG_EXPAND_SZ�REG_SZ�RegistryValueTypeConstants%Error retrieving the value data.�unsigned char[?]2Error determining the size of the value data.�ERROR_SUCCESS�Win32ErrorConstants
Win32 hKey�RegQueryValueExA�C�unsigned long[1]�new�ffi(Error: Invalid registry key handle. info�logger core�IsValidI������
���X���6���9���9���9�������B���K����FindClose
kernel32
Win32 core2�������=���6���9���9���3���B���K�����gc�ffi�handle_������
-���9���6���9���9���9�����������B���C������FindFirstFileA
kernel32
Win32 core�FindHandleP�������6���9���9���9���9�������B���L����handle�FindNextFileA
kernel32
Win32 core�t����&�F6���9���'���B���=���6���9���'���B���=���6���9���'���B���=���6���9���'� �B���=���6���9���'���B���=�
�6���9���'�
�B���6���9���3���B���=���6���9���3���B���=���6���9���3���B���=���9���3���=���9���3���=���9���3���=���9���3���=���9���3���=���6���9���3�!�B���=� �3�#�=�"�3�%�=�$�2���K�����FindNextFile��FindFirstFile��FindHandle��QueryValueWithType��QueryValue��GetValueNames��EnumSubKeys��IsValid�
Registry�
EnvBlock�
class core�Win32Handle�p void* OpenEventA(unsigned long dwDesiredAccess, bool bInheritHandle, const char* lpName);
bool SetEvent(void* hEvent);
unsigned long GetLastError();
unsigned long FormatMessageA(unsigned long dwFlags,
void* lpSource,
unsigned long dwMessageId,
unsigned long dwLanguageId,
char* lpBuffer,
unsigned long nSize,
va_list* Arguments);
void* LocalAlloc(unsigned int uFlags, size_t uBytes);
void* LocalFree(void* hMem);
void* GetModuleHandleA(const char* lpModuleName);
void* LoadResource(void* hModule, void* hResInfo);
void* FindResourceA(void* hModule, const char* lpName, const char* lpType);
void* FindResourceW(void* hModule, wchar_t* lpName, wchar_t* lpType);
void* LockResource(void* hResData);
long RegOpenKeyExA(void* hKey,
const char* lpSubKey,
unsigned long ulOptions,
unsigned long samDesired,
void** phkResult);
long RegQueryValueExA(void* hKey,
const char* lpValueName,
unsigned long* lpReserved,
unsigned long* lpType,
void* lpData,
unsigned long* lpcbData);
long RegCloseKey(void* hKey);
// Defined in verrsrc.h
typedef struct
{
unsigned long dwSignature; /* e.g. 0xfeef04bd */
unsigned long dwStrucVersion; /* e.g. 0x00000042 = "0.42" */
unsigned long dwFileVersionMS; /* e.g. 0x00030075 = "3.75" */
unsigned long dwFileVersionLS; /* e.g. 0x00000031 = "0.31" */
unsigned long dwProductVersionMS; /* e.g. 0x00030010 = "3.10" */
unsigned long dwProductVersionLS; /* e.g. 0x00000031 = "0.31" */
unsigned long dwFileFlagsMask; /* = 0x3F for version "0.42" */
unsigned long dwFileFlags; /* e.g. VFF_DEBUG | VFF_PRERELEASE */
unsigned long dwFileOS; /* e.g. VOS_DOS_WINDOWS16 */
unsigned long dwFileType; /* e.g. VFT_DRIVER */
unsigned long dwFileSubtype; /* e.g. VFT2_DRV_KEYBOARD */
unsigned long dwFileDateMS; /* e.g. 0 */
unsigned long dwFileDateLS; /* e.g. 0 */
} VS_FIXEDFILEINFO;
// Defined in shellapi.h
typedef struct _SHELLEXECUTEINFOA
{
unsigned long cbSize; // in, required, sizeof of this structure
unsigned long fMask; // in, SEE_MASK_XXX values
void* hwnd; // in, optional
const char* lpVerb; // in, optional when unspecified the default verb is choosen
const char* lpFile; // in, either this value or lpIDList must be specified
const char* lpParameters; // in, optional
const char* lpDirectory; // in, optional
int nShow; // in, required
void* hInstApp; // out when SEE_MASK_NOCLOSEPROCESS is specified
void* lpIDList; // in, valid when SEE_MASK_IDLIST is specified, PCIDLIST_ABSOLUTE, for use with SEE_MASK_IDLIST & SEE_MASK_INVOKEIDLIST
const char* lpClass; // in, valid when SEE_MASK_CLASSNAME is specified
void* hkeyClass; // in, valid when SEE_MASK_CLASSKEY is specified
unsigned long dwHotKey; // in, valid when SEE_MASK_HOTKEY is specified
void* hMonitor; // in, valid when SEE_MASK_HMONITOR specified
void* hProcess; // out, valid when SEE_MASK_NOCLOSEPROCESS specified
} SHELLEXECUTEINFOA, *LPSHELLEXECUTEINFOA;
int ShellExecuteExA(SHELLEXECUTEINFOA *pExecInfo);
// http://msdn.microsoft.com/en-us/library/windows/desktop/ms647001(v=vs.85).aspx
typedef struct {
unsigned short wLength;
unsigned short wValueLength;
unsigned short wType;
char szKey[sizeof("VS_VERSION_INFO")*sizeof(wchar_t)];
unsigned short Padding1;
VS_FIXEDFILEINFO Value;
unsigned short Padding2;
unsigned short Children;
} VS_VERSIONINFO;
typedef struct _WTS_PROCESS_INFO {
unsigned long SessionId;
unsigned long ProcessId;
const char* pProcessName;
void* pUserSid;
} WTS_PROCESS_INFO, *PWTS_PROCESS_INFO;
typedef enum _WTS_CONNECTSTATE_CLASS {
WTSActive,
WTSConnected,
WTSConnectQuery,
WTSShadow,
WTSDisconnected,
WTSIdle,
WTSListen,
WTSReset,
WTSDown,
WTSInit
} WTS_CONNECTSTATE_CLASS;
typedef struct _WTS_SESSION_INFO {
unsigned long SessionId;
char* pWinStationName;
WTS_CONNECTSTATE_CLASS State;
} WTS_SESSION_INFO, *PWTS_SESSION_INFO;
void* OpenProcess(unsigned long dwDesiredAccess, int bInheritedHandle, unsigned long dwProcessId);
int CloseHandle(void* hObject);
unsigned long WTSGetActiveConsoleSessionId();
int WTSEnumerateProcessesA(void* hServer,
unsigned long Reserved,
unsigned long Version,
PWTS_PROCESS_INFO* ppProcessInfo,
unsigned long* pCount);
void WTSFreeMemory(void* pMemory);
int WTSEnumerateSessionsA(void* hServer,
unsigned long Reserved,
unsigned long Version,
PWTS_SESSION_INFO *ppSessionInfo,
unsigned long* pCount);
typedef struct _SID_AND_ATTRIBUTES {
void* Sid;
unsigned long Attributes;
} SID_AND_ATTRIBUTES, * PSID_AND_ATTRIBUTES;
typedef struct _TOKEN_USER {
SID_AND_ATTRIBUTES User;
} TOKEN_USER, *PTOKEN_USER;
typedef enum _TOKEN_INFORMATION_CLASS {
TokenUser = 1,
TokenGroups,
TokenPrivileges,
TokenOwner,
TokenPrimaryGroup,
TokenDefaultDacl,
TokenSource,
TokenType,
TokenImpersonationLevel,
TokenStatistics,
TokenRestrictedSids,
TokenSessionId,
TokenGroupsAndPrivileges,
TokenSessionReference,
TokenSandBoxInert,
TokenAuditPolicy,
TokenOrigin,
TokenElevationType,
TokenLinkedToken,
TokenElevation,
TokenHasRestrictions,
TokenAccessInformation,
TokenVirtualizationAllowed,
TokenVirtualizationEnabled,
TokenIntegrityLevel,
TokenUIAccess,
TokenMandatoryPolicy,
TokenLogonSid,
MaxTokenInfoClass // MaxTokenInfoClass should always be the last enum
} TOKEN_INFORMATION_CLASS, *PTOKEN_INFORMATION_CLASS;
int OpenProcessToken(void* ProcessHandle, unsigned long DesiredAccess, void** TokenHandle);
int GetTokenInformation(void* TokenHandle,
TOKEN_INFORMATION_CLASS TokenInformationClass,
void* TokenInformation,
unsigned long TokenInformationLength,
unsigned long* ReturnLength);
int ConvertSidToStringSidA(void* Sid, char** StringSid);
int IsValidSid(void* pSid);
unsigned long GetEnvironmentVariableA(const char* lpName, char* lpBuffer, unsigned long nSize);
typedef struct _SECURITY_ATTRIBUTES {
unsigned long nLength;
void* lpSecurityDescriptor;
int bInheritHandle;
} SECURITY_ATTRIBUTES, *PSECURITY_ATTRIBUTES, *LPSECURITY_ATTRIBUTES;
typedef struct _STARTUPINFO {
unsigned long cb;
char* lpReserved;
char* lpDesktop;
char* lpTitle;
unsigned long dwX;
unsigned long dwY;
unsigned long dwXSize;
unsigned long dwYSize;
unsigned long dwXCountChars;
unsigned long dwYCountChars;
unsigned long dwFillAttribute;
unsigned long dwFlags;
unsigned short wShowWindow;
unsigned short cbReserved2;
char* lpReserved2;
void* hStdInput;
void* hStdOutput;
void* hStdError;
} STARTUPINFO, *LPSTARTUPINFO;
typedef struct _PROCESS_INFORMATION {
void* hProcess;
void* hThread;
unsigned long dwProcessId;
unsigned long dwThreadId;
} PROCESS_INFORMATION, *LPPROCESS_INFORMATION;
int CreateProcessA(const char* lpApplicationName, char* lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes, int bInheritHandles, unsigned long dwCreationFlags,
void* lpEnvironment, const char* lpCurrentDirectory, LPSTARTUPINFO lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation);
int CreateProcessAsUserA(void* hToken, const char* lpApplicationName, char* lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes, int bInheritHandles, unsigned long dwCreationFlags, void* lpEnvironment,
const char* lpCurrentDirectory, LPSTARTUPINFO lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation);
typedef enum _SECURITY_IMPERSONATION_LEVEL {
SecurityAnonymous,
SecurityIdentification,
SecurityImpersonation,
SecurityDelegation
} SECURITY_IMPERSONATION_LEVEL, *PSECURITY_IMPERSONATION_LEVEL;
typedef enum tagTOKEN_TYPE {
TokenPrimary = 1,
TokenImpersonation
} TOKEN_TYPE, *PTOKEN_TYPE;
int DuplicateTokenEx(void* hExistingToken, unsigned long dwDesiredAccess, LPSECURITY_ATTRIBUTES lpTokenAttributes,
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, TOKEN_TYPE TokenType, void** phNewToken);
int CreateEnvironmentBlock(void** lpEnvironment, void* hToken, int bInherit);
int DestroyEnvironmentBlock(void* lpEnvironment);
typedef int (__stdcall *WNDENUMPROC)(void *hwnd, long lParam);
int EnumWindows(WNDENUMPROC lpEnumFunc, long lParam);
unsigned long GetWindowThreadProcessId(void* hwnd, unsigned long* lpdwProcessId);
int SetWindowPos(void* hwnd, void* hWindInsertAfter, int X, int Y, int cx, int cy, unsigned int uFlags);
void* OpenEventA(unsigned long dwDesiredAccess, int bInheritHandle, const char* lpName);
int SetEvent(void* hEvent);
typedef struct _FILETIME {
unsigned long dwLowDateTime;
unsigned long dwHighDateTime;
} FILETIME, *LPFILETIME;
typedef struct _WIN32_FIND_DATA {
unsigned long dwFileAttributes;
FILETIME ftCreationTime;
FILETIME ftLastAccessTime;
FILETIME ftLastWriteTime;
unsigned long nFileSizeHigh;
unsigned long nFileSizeLow;
unsigned long dwReserved0;
unsigned long dwReserved1;
char cFileName[260];
char cAlternateFileName[14];
} WIN32_FIND_DATA, *PWIN32_FIND_DATA, *LPWIN32_FIND_DATA;
void* FindFirstFileA(const char* lpFileName, LPWIN32_FIND_DATA lpFindFileData);
int FindNextFileA(void* hFindFile, LPWIN32_FIND_DATA lpFindFileData);
int FindClose(void* hFindFile);
long GetUserGeoID(unsigned long GeoClass);
int GetGeoInfoA(long Location, unsigned long GeoType, char* lpGeoData, int cchData, unsigned short LangId);
void* OpenMutexA(unsigned long dwDesiredAccess, int bInheritHandle, const char* lpName);
long RegQueryInfoKeyA(
void* hKey,
char* lpClass,
unsigned long* lpcClass,
unsigned long* lpReserved,
unsigned long* lpcSubKeys,
unsigned long* lpcMaxSubKeyLen,
unsigned long* lpcMaxClassLen,
unsigned long* lpcValues,
unsigned long* lpcMaxValueNameLen,
unsigned long* lpcbMaxValueLen,
unsigned long* lpcbSecurityDescriptor,
void* lpftLastWriteTime
);
long RegEnumKeyExA(
void* hKey,
unsigned long dwIndex,
char* lpName,
unsigned long* lpcName,
unsigned long* lpReserved,
char* lpClass,
unsigned long* lpcClass,
void* lpftLastWriteTime
);
long RegEnumValueA(
void* hKey,
unsigned long dwIndex,
char* lpValueName,
unsigned long* lpcValueName,
unsigned long* lpReserved,
unsigned long* lpType,
unsigned char* lpData,
unsigned long* lpcbData
);
cdef
Kernel32
kernel32�User32�user32�Userenv�userenv
Advapi32�advapi
Wtsapi32 load�ffi�wtsapi:������ 6���9���6���9�������)�
�B�������D����lshift�bor�bit4�����������9���'���'���B���L����%1�^%s*(.-)%s*$ gsub��������)6�������B�������X���'���L���)���6���9���'�������B���)���7���6���9���9���6���+�������)�������� ��+
��B��� ���X���+���L���6���9� ���������B���7�
�6���9���9�
�6�
�D��� trim
Win32 core�errorMessage�string�FormatMessageA�C�FORMAT_MESSAGE_FROM_SYSTEM�char[?]�new�ffi��number type������� ��6���9���'���B���6���9���9���9�������9�������B��� ���X���+���L���6���9���9���:���D���
EnvBlock�handle�CreateEnvironmentBlock�userenv
Win32 core
void*[1]�new�ffi�\�������6���9���9���6���9���9���������������B���C����OpenProcess�C�ffi�Win32Handle
Win32 core������ ��6���9���'���B���6���9���9���9�����������B��� ���X���+���L���6���9���9���:���D����Win32Handle
Win32 core�handle�OpenProcessToken�C
void*[1]�new�ffi�����
� ��6���9���'���B���6���9���9���9���9�������� ���
����������B��� ���X���+���L���6���9���9���:���D����Win32Handle�handle�DuplicateTokenEx�advapi
Win32 core
void*[1]�new�ffi�1�������6���9���9�������B���K����RegCloseKey�C�ffi��������J6���6�������B�������X���+���X���+���B���+�������X���6���9���9���9���X�4�����X���6���9���9���9� �X�-���
�X�(�6���9���9���)���B�������X���+���2�$�6���9�
�'���B���6���9���9���6���9���9���9�������� ���
������B���6���9���9���9�������X���+���2�
�:���6���9�������3 ��B���X���+���2���L���2���L���L���L�����gc�ERROR_SUCCESS�Win32ErrorConstants�HKEY_USERS�RegOpenKeyExA�C
void*[1]�new�ffi�GetHKeyUserSidString HKCU�HKEY_CLASSES_ROOT HKCR�HKEY_LOCAL_MACHINE�RegistryKeyConstants
Win32 core HKLM�string type�assertC�������6���9���9���9���:���B���K����WTSFreeMemory�wtsapi
Win32 core���� ���;6���9���6���9���'���B���3���B���6���9���'���B���6���9���9���9� �+���)���)�����������B���
���X�������X���:���)�������X���+���2���L���)���:�������)���M���:���8���
���X�
�:���8���9�
�6���9���9�������X���:���8���9�
�2���L���O��+���2���L����SessionId�WTSActive�C
State�WTSEnumerateSessionsA�wtsapi
Win32 core�unsigned long[1]��PWTS_SESSION_INFO[1]�new�gc�ffi��C�������6���9���9���9���:���B���K����WTSFreeMemory�wtsapi
Win32 core����
���V
���X�������X���+���2�O�6���9���6���9���'���B���3���B���6���9���'���B���6���9���9���9� �+���)���)�������� ��B���
���X�������X���:���)�������X���+���2���L���)���:�������)���M�&�6 ��9 � 9
9 � � ��X ��: ��8 � 9 � �� �X ��: ��8 � 9
��X ��6 ��9 � :
��8
�
9
B ��6
��9
�
�� �B
��6���9�������B����
��X
��:
��8
�
9
�
2���L
��O��+���2���L���L����ProcessId
upper�string�pProcessName�SessionId�ALL_CURRENT_SESSIONS�McUtilsConstants�WTSEnumerateProcessesA�wtsapi
Win32 core�unsigned long[1]��PWTS_PROCESS_INFO[1]�new�gc�ffi���������������X���'���6���9���9�����������B�������X���6���9���9�������6���9���9���9���B�����������X���+���L���L����ALL_CURRENT_SESSIONS�McUtilsConstants
GetPIDOf
Win32 core�explorer.exe������ ��6���9���9���6���9���6���9���9���9���6���9���9���9���B���)�������B���
���X���9�������X���+���L���L����handle�PROCESS_VM_READ�PROCESS_QUERY_INFORMATION�ProcessConstants�bor�bit�OpenProcess
Win32 core����
���O����X���+���L���6���9���9�������6���9���9���9���B���
���X���9�������X���+���L���6���9���'���B���6���9���9� �9�
�9���6���9���9���+���)�������B�������X���+���L���)���6���9�
�6���9���9�������:���B���6���9���9���B���6���9���'���B���6���9���9� �9�
�9���6 ��9 � 9 � �
��:�������B������� ���X���+���L���6���9���'���� ��D����TOKEN_USER* cast�LocalFree�LocalAlloc�gc�TokenUser�C�GetTokenInformation�advapi�unsigned long[1]�new�ffi�handle�TOKEN_QUERY�TokenAccessConstants�OpenProcessToken
Win32 core���������$ ���X� �6���9���9���B�����������X���+���L���6���9���9�������+���B�������X���+���L���6���9���9�������B���6���9���9�������B�������X���+���L���L����GetProcessToken�GetProcessHandleGivenPid!GetProcessIDBasedOnSessionID�GetActiveSessionID
Win32 core�����/�������6���9���9���:���B���K����LocalFree�C�ffi��������,6���9���9�������B���7���6�������X���+���2���6���9���'���B���7���6���9���9���9� �6���9�
�9���6���B���7���6��� ���X���+���2���6���9�
�6���3���B���6���9���6���:���2���D���L���L����string��gc�result�Sid User�ConvertSidToStringSidA�advapi�sidString
char*[1]�new�ffi�processToken�GetTokenUser
Win32 core�+�������6�������X���)���7���K����dwSessionId�/����U�{6���9�������X���6���'���B���6���'���B���6���'���B���7���6���5���5���=� �5�
�=���5���=�
�5���6���9���'���*���B���=���6���9���'���*���B���=���6���9���'���*���B���=���6���9���'���*���B���=���6���9���'���*���B���=���=���5���=���5���=���5���=���5���=���5���=� �5�!�=�"�5�#�=�$�5�%�=�&�5�'�6�(�=�)�=�*�5�+�=�,�5�-�=�.�5�/�=�0�5�1�=�2�3�3�=�4�3�5�=�6�3�7�=�8�3�9�=�:�3�;�=�<�3�=�=�>�3�?�=�@�3�A�=�B�3�C�=�D�3�E�=�F�3�G�=�H�3�I�=�J�3�K�=�L�3�M�=�N�3�O�=�P�3�Q�=�R�3�S�=�T�=���6���9�������9�4�B���K����GetHKeyUserBySessionID��GetHKeyUserSidString��GetTokenUser��GetProcessToken��GetProcessHandleGivenPid�!GetProcessIDBasedOnSessionID�
GetPIDOf��GetActiveSessionID��GetRootHKEYFromString��DuplicateTokenEx��OpenProcessToken��OpenProcess��CreateEnvironmentBlock��GetWin32ErrorString� trim��MAKELANGID�
_init��SYSGEOTYPE��
�GEO_LONGITUDE���GEO_LATITUDE���GEO_NATION���GEO_PARENT�
�GEO_ISO_UN_NUMBER���GEO_OFFICIALLANGUAGES���GEO_TIMEZONES�
�GEO_OFFICIALNAME� �GEO_FRIENDLYNAME��
GEO_LCID���GEO_RFC1766��
GEO_ISO3��
GEO_ISO2���SYSGEOCLASS����GEOCLASS_ALL���GEOCLASS_REGION���GEOCLASS_NATION���SynchronizationFlags����EVENT_MODIFY_STATE���EVENT_ALL_ACCESS���|�ProcessCreateFlags����CREATE_DEFAULT_ERROR_MODE���� %CREATE_PRESERVE_CODE_AUTHZ_LEVEL������CREATE_BREAKAWAY_FROM_JOB����� PROCESS_MODE_BACKGROUND_END�����"PROCESS_MODE_BACKGROUND_BEGIN���@!EXTENDED_STARTUPINFO_PRESENT��� �CREATE_PROTECTED_PROCESS�����INHERIT_CALLER_PRIORITY�����INHERIT_PARENT_AFFINITY���� ABOVE_NORMAL_PRIORITY_CLASS���� BELOW_NORMAL_PRIORITY_CLASS�����CREATE_FORCEDOS��@�CREATE_SHARED_WOW_VDM�� �CREATE_SEPARATE_WOW_VDM����CREATE_UNICODE_ENVIRONMENT����CREATE_NEW_PROCESS_GROUP����REALTIME_PRIORITY_CLASS����HIGH_PRIORITY_CLASS����IDLE_PRIORITY_CLASS�@�NORMAL_PRIORITY_CLASS� �CREATE_NEW_CONSOLE���DETACHED_PROCESS���CREATE_SUSPENDED���DEBUG_ONLY_THIS_PROCESS���DEBUG_PROCESS��!CREATE_IGNORE_SYSTEM_DEFAULT��������PROFILE_SERVER�������PROFILE_KERNEL�������PROFILE_USER�������CREATE_NO_WINDOW����@�ShellExecuteConstants�SEE_MASK_FLAG_DDEWAIT�SEE_MASK_NOASYNC����SEE_MASK_ICON���SEE_MASK_INVOKEIDLIST���SEE_MASK_IDLIST���SEE_MASK_CLASSKEY���SEE_MASK_CLASSNAME���SEE_MASK_DEFAULT���SEE_MASK_HMONITOR������SEE_MASK_NOZONECHECKS������SEE_MASK_NOQUERYCLASSSTORE������SEE_MASK_WAITFORINPUTIDLE������SEE_MASK_FLAG_LOG_USAGE���� �SEE_MASK_ASYNCOK���@�SEE_MASK_NO_CONSOLE�����SEE_MASK_UNICODE�����SEE_MASK_FLAG_NO_UI����SEE_MASK_DOENVSUBST����SEE_MASK_FLAG_DDEWAIT��SEE_MASK_NOASYNC����SEE_MASK_CONNECTNETDRV����SEE_MASK_NOCLOSEPROCESS�@�SEE_MASK_HOTKEY� �StartupInfoFlagValues����STARTF_TITLEISAPPID�� �STARTF_RUNFULLSCREEN� �STARTF_PREVENTPINNING��@�STARTF_FORCEOFFFEEDBACK����STARTF_FORCEONFEEDBACK�@�STARTF_USESTDHANDLES����STARTF_USESIZE���STARTF_USESHOWWINDOW���STARTF_USEPOSITION���STARTF_USEHOTKEY����STARTF_USEFILLATTRIBUTE���STARTF_USECOUNTCHARS���STARTF_UNTRUSTEDSOURCE�����STARTF_TITLEISLINKNAME����ShowWindowConstants����SW_SHOWMAXIMIZED���SW_SHOWMINIMIZED���SW_NORMAL���SW_SHOWNORMAL���SW_HIDE���SW_MAX���SW_FORCEMINIMIZE���SW_SHOWDEFAULT�
�SW_RESTORE� �SW_SHOWNA���SW_SHOWMINNOACTIVE���SW_MINIMIZE���SW_SHOW���SW_SHOWNOACTIVATE���SW_MAXIMIZE���McUtilsConstants����ALL_CURRENT_SESSIONS������������TokenTypeConstants����TokenImpersonation���TokenPrimary��#SecurityImpersonationConstants����SecurityImpersonation���SecurityIdentification���SecurityAnonymous���SecurityDelegation���TokenAccessConstants��
�TOKEN_ALL_ACCESS���<�TOKEN_ADJUST_SESSIONID����TOKEN_ADJUST_DEFAULT����TOKEN_ADJUST_GROUPS�@�TOKEN_ADJUST_PRIVILEGES� �TOKEN_QUERY_SOURCE���TOKEN_QUERY���TOKEN_IMPERSONATE���TOKEN_DUPLICATE���TOKEN_ASSIGN_PRIMARY���ProcessConstants��
�PROCESS_CREATE_PROCESS����PROCESS_DUP_HANDLE�@�PROCESS_VM_WRITE� �PROCESS_VM_READ���PROCESS_VM_OPERATION���PROCESS_SET_SESSIONID���PROCESS_CREATE_THREAD���PROCESS_TERMINATE��&PROCESS_QUERY_LIMITED_INFORMATION�� �PROCESS_SUSPEND_RESUME����PROCESS_QUERY_INFORMATION����PROCESS_SET_INFORMATION����PROCESS_SET_QUOTA����RegistrySamConstants����STANDARD_RIGHTS_READ�����STANDARD_RIGHTS_REQUIRED���<�SYNCHRONIZE���@�WRITE_OWNER��� �WRITE_DAC�����READ_CONTROL�����DELETE�����KEY_ALL_ACCESS���<�KEY_EXECUTE�����KEY_WRITE����
KEY_READ�����KEY_WOW64_RES����KEY_WOW64_64KEY����KEY_WOW64_32KEY����KEY_CREATE_LINK� �KEY_NOTIFY���KEY_ENUMERATE_SUB_KEYS���KEY_CREATE_SUB_KEY���KEY_SET_VALUE���KEY_QUERY_VALUE���GENERIC_ALL�������GENERIC_EXECUTE�������GENERIC_WRITE�������GENERIC_READ��������MAXIMUM_ALLOWED������ACCESS_SYSTEM_SECURITY������SPECIFIC_RIGHTS_ALL�����STANDARD_RIGHTS_ALL���|�STANDARD_RIGHTS_EXECUTE�����STANDARD_RIGHTS_WRITE�����RegistryKeyConstants�HKEY_CURRENT_CONFIG�HKEY_USERS�HKEY_LOCAL_MACHINE�HKEY_CURRENT_USER�HKEY_CLASSES_ROOT����HKEY_CURRENT_CONFIG��HKEY_USERS��HKEY_LOCAL_MACHINE��HKEY_CURRENT_USER��HKEY_CLASSES_ROOT�
void* cast�RegistryValueTypeMapping��� NONE none�NUMBER�number�STRING�string�BINARY�binary�RegistryValueTypeConstants����REG_BINARY���REG_EXPAND_SZ���REG_SZ��
REG_NONE���REG_QWORD_LITTLE_ENDIAN���REG_QWORD��#REG_RESOURCE_REQUIREMENTS_LIST�
!REG_FULL_RESOURCE_DESCRIPTOR� �REG_RESOURCE_LIST���REG_MULTI_SZ��
REG_LINK���REG_DWORD_BIG_ENDIAN���REG_DWORD_LITTLE_ENDIAN���REG_DWORD���Win32ErrorConstants��"�CreateEnvironmentBlock��SynchronizationFlags��GetActiveSessionID��DuplicateTokenEx��RegistryValueTypeConstants�
_init��ShellExecuteConstants��RegistrySamConstants��ProcessConstants�#SecurityImpersonationConstants� trim�
GetPIDOf��GetHKeyUserSidString��Win32ErrorConstants��GetHKeyUserBySessionID��GetWin32ErrorString��SYSGEOTYPE��StartupInfoFlagValues��OpenProcessToken��SYSGEOCLASS��OpenProcess��GetTokenUser��GetRootHKEYFromString��ShowWindowConstants��McUtilsConstants��MAKELANGID��GetProcessToken��TokenTypeConstants��GetProcessHandleGivenPid��RegistryKeyConstants�!GetProcessIDBasedOnSessionID��RegistryValueTypeMapping��ProcessCreateFlags��TokenAccessConstants�����ERROR_INVALID_HANDLE���ERROR_ACCESS_DENIED���ERROR_PATH_NOT_FOUND���ERROR_FILE_NOT_FOUND���ERROR_SUCCESS���ERROR_MORE_DATA����ERROR_ENVVAR_NOT_FOUND����ERROR_INVALID_DATA�
Win32�ffi�core.logger�core.class�require core�_G������������������������������������
������
//84B33CB044C5B251FA149D25978491081F7594FA6BDD649621047EC163396068457D7EABD9392D02E77B72B3DB8CCDA33ECD1542A109C74AB38F249C83D74FF2++