Windows驱动开发入门-安全进阶

任意进程读写

CR3法

CR3寄存器保存页目录表PDBR地址,用CR3可对任意进程特定地址进行强制读写。

#include <ntifs.h>
#include <windef.h>
#include <intrin.h>
#define DIRECTORY_TABLE_BASE 0x028
#pragma intrinsic(_disable)
#pragma intrinsic(_enable)
NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(HANDLE ProcessId, PEPROCESS *Process);
NTKERNELAPI CHAR* PsGetProcessImageFileName(PEPROCESS Process);
// 关闭写保护
// Turn off kernel write protection: raise to DPC level, clear CR0.WP (bit 16),
// then mask interrupts. Returns the previous IRQL so Close() can restore it.
// NOTE(review): neither Open() nor Close() is called anywhere in this listing.
KIRQL Open(){
    const UINT64 WP_BIT = 0x10000;
    KIRQL previousIrql = KeRaiseIrqlToDpcLevel();
    UINT64 cr0Value = __readcr0();
    cr0Value &= ~WP_BIT;       // same mask as 0xfffffffffffeffff
    __writecr0(cr0Value);
    _disable();
    return previousIrql;
}
// 开启写保护
// Re-enable kernel write protection: set CR0.WP, unmask interrupts and lower
// IRQL back to `irql` (the value returned by Open()). Interrupts are unmasked
// before CR0 is written, the reverse of Open()'s order; kept as the author wrote it.
void Close(KIRQL irql){
    const UINT64 WP_BIT = 0x10000;
    UINT64 cr0Value = __readcr0() | WP_BIT;
    _enable();
    __writecr0(cr0Value);
    KeLowerIrql(irql);
}
// 检查内存
// Read the 64-bit value at `p` if MmIsAddressValid accepts the address.
// Returns 0 both for an invalid address and for a valid address that holds 0,
// so callers cannot tell the two apart (the CR3 helper treats 0 as failure).
ULONG64 CheckAddressVal(PVOID p) {
    if (!MmIsAddressValid(p)) {
        return 0;
    }
    return *(PULONG64)p;
}
// CR3 寄存器读内存
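// Write Length bytes from Buffer to Address and then read them back into Buffer,
// with the target process's page-directory base temporarily loaded into CR3.
//   Process : EPROCESS whose DirectoryTableBase is read at DIRECTORY_TABLE_BASE
//             (that offset is specific to one build; nothing here validates it).
//   Address : virtual address inside the target process.
//   Length  : bytes copied in each direction.
//   Buffer  : in: bytes written to Address; out: bytes read back from Address.
// Returns TRUE when Address was valid under the target CR3 and both copies ran,
// FALSE otherwise. The original CR3 is restored on every path — the original
// returned TRUE with the foreign CR3 still loaded.
// Swapping CR3 bypasses the memory manager's access checks entirely, and
// MmIsAddressValid only checks the first byte: a Length that crosses into an
// unmapped page faults inside RtlCopyMemory.
BOOLEAN CR3_ReadWriteProcessMemory(IN PEPROCESS Process, IN PVOID Address, IN UINT32 Length, IN OUT PVOID Buffer){
    BOOLEAN copied = FALSE;
    ULONG64 pDTB = 0, OldCr3 = 0;

    if (Process == NULL || Buffer == NULL) {
        return FALSE;
    }
    pDTB = CheckAddressVal((UCHAR*)Process + DIRECTORY_TABLE_BASE); // 0 means the field could not be read
    if (pDTB == 0) {
        return FALSE;
    }
    _disable();
    OldCr3 = __readcr3();
    __writecr3(pDTB);
    _enable();
    if (MmIsAddressValid(Address)) {
        RtlCopyMemory(Address, Buffer, Length); // write
        RtlCopyMemory(Buffer, Address, Length); // read back
        if (Length >= sizeof(DWORD)) {            // the original printed *(PDWORD)Buffer regardless of Length
            DbgPrint("读入数据: %ld", *(PDWORD)Buffer);
        }
        copied = TRUE;
    }
    _disable();
    __writecr3(OldCr3); // restore on success and failure alike
    _enable();
    return copied;
}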
// Unload callback; this sample has nothing to tear down.
VOID UnDriver(PDRIVER_OBJECT driver){
    (void)driver;
}
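// Driver entry point: resolves a sample PID, writes/reads one DWORD at a sample
// user address through CR3_ReadWriteProcessMemory and logs the result.
// Always returns STATUS_SUCCESS so the driver stays loaded.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath){
    PEPROCESS Peprocess = NULL;
    DWORD PID = 6672;          // sample PID; replace per run
    DWORD buffer = 999;        // written to the target, then overwritten by the read-back
    NTSTATUS nt;
    BOOLEAN bl;

    (void)RegistryPath;
    Driver->DriverUnload = UnDriver;

    nt = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)PID, &Peprocess);
    if (!NT_SUCCESS(nt)) {
        // The original ignored nt and passed a NULL EPROCESS on.
        DbgPrint("PsLookupProcessByProcessId failed: %x \n", nt);
        return STATUS_SUCCESS;
    }
    bl = CR3_ReadWriteProcessMemory(Peprocess, (PVOID)0x0009EDC8, sizeof(buffer), &buffer);
    // PsLookupProcessByProcessId returns a referenced object; the original never released it.
    ObDereferenceObject(Peprocess);
    if (!bl) {
        DbgPrint("CR3_ReadWriteProcessMemory failed \n");
    }
    DbgPrint("readbuf = %x \n", buffer);
    DbgPrint("readbuf = %d \n", buffer);
    return STATUS_SUCCESS;
}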

MDL法

比CR3更稳定,不受寄存器影响。读如下:

#include <ntifs.h>
#include <windef.h>
// Request block for the memory helpers. `data` is allocated and freed by the
// caller (see DriverEntry) and must point at `size` bytes.
typedef struct{
DWORD pid;         // target process ID
DWORD64 address;      // virtual address in the target to read/write
DWORD size;        // number of bytes
BYTE* data;        // caller-supplied buffer of `size` bytes
}ReadMemoryStruct;
// MDL读内存
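// Read data->size bytes from data->address in process data->pid into data->data
// by attaching to the target and copying through a kernel scratch buffer.
// Returns TRUE on success. On failure data->data is left untouched: the original
// copied the uninitialised scratch buffer out even when the probe/copy failed,
// handing pool contents to the caller. Despite the name no MDL is involved; the
// copy is a plain RtlCopyMemory after KeStackAttachProcess.
BOOL MDLReadMemory(ReadMemoryStruct* data){
    BOOL bRet = FALSE;
    PEPROCESS process = NULL;
    BYTE* GetData = NULL;
    KAPC_STATE stack = { 0 };

    if (data == NULL || data->data == NULL || data->size == 0) {
        return FALSE;
    }
    // PsLookupProcessByProcessId takes a HANDLE-typed PID and returns a status;
    // the original passed the DWORD directly and ignored the status.
    if (!NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)data->pid, &process)) || process == NULL) {
        return FALSE;
    }
    // ExAllocatePool reports failure by returning NULL, not by raising, so the
    // original's __try around it could not catch anything and the NULL went unchecked.
    GetData = ExAllocatePool(PagedPool, data->size);
    if (GetData == NULL) {
        ObDereferenceObject(process);
        return FALSE;
    }
    KeStackAttachProcess(process, &stack); // run in the target's address space
    __try{
        ProbeForRead((PVOID)data->address, data->size, 1); // raises if the range is not user-readable
        RtlCopyMemory(GetData, (PVOID)data->address, data->size);
        bRet = TRUE;
    }
    __except (EXCEPTION_EXECUTE_HANDLER){
        bRet = FALSE;
    }
    KeUnstackDetachProcess(&stack); // detach before dropping the process reference
    ObDereferenceObject(process);
    if (bRet) {
        RtlCopyMemory(data->data, GetData, data->size);
    }
    ExFreePool(GetData);
    return bRet;
}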
// Unload callback; this sample has nothing to tear down.
VOID UnDriver(PDRIVER_OBJECT driver){
    (void)driver;
}
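// Driver entry point: reads 100 bytes from a sample address in a sample process
// via MDLReadMemory and dumps them. Always returns STATUS_SUCCESS.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath){
    ReadMemoryStruct ptr = { 0 };

    (void)RegistryPath;
    Driver->DriverUnload = UnDriver;

    ptr.pid = 6672;            // sample PID; replace per run
    ptr.address = 0x402c00;    // sample address in the target
    ptr.size = 100;
    ptr.data = ExAllocatePool(PagedPool, ptr.size);   // receive buffer
    if (ptr.data == NULL) {    // the original passed the NULL on to MDLReadMemory
        return STATUS_SUCCESS;
    }
    if (MDLReadMemory(&ptr)) {
        for (size_t i = 0; i < ptr.size; i++) {   // bounded by the request, not a second literal
            DbgPrint("%x \n", ptr.data[i]);
        }
    } else {
        DbgPrint("MDLReadMemory failed \n");      // the original dumped the buffer regardless
    }
    ExFreePool(ptr.data);      // the original never freed the receive buffer
    return STATUS_SUCCESS;
}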

写如下:

#include <ntifs.h>
#include <windef.h>
// Request block for the memory helpers. `data` is allocated and freed by the
// caller (see DriverEntry) and must point at `size` bytes.
typedef struct{
DWORD pid;         // target process ID
DWORD64 address;      // virtual address in the target to read/write
DWORD size;        // number of bytes
BYTE* data;        // caller-supplied buffer of `size` bytes
}ReadMemoryStruct;
// MDL写内存
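// Write data->size bytes from data->data to data->address in process data->pid.
// The bytes are staged in a kernel scratch buffer; the target range is then
// described by an MDL and mapped into system space for the copy. Returns TRUE
// when the copy ran without raising. Every resource (scratch buffer, MDL, the
// MmMapLockedPages mapping, attach state, process reference) is released on
// every path — the original returned from inside the attached state when
// IoAllocateMdl failed, and never unmapped the mapping it created.
// NOTE(review): MmBuildMdlForNonPagedPool is documented for non-paged pool
// buffers, while data->address is a user-mode address of another process. The
// call is kept as the author wrote it; that use is outside the documented
// contract and should be confirmed.
BOOL MDLWriteMemory(ReadMemoryStruct* data){
    BOOL bRet = FALSE;
    PEPROCESS process = NULL;
    BYTE* GetData = NULL;
    PMDL mdl = NULL;
    BYTE* ChangeData = NULL;
    KAPC_STATE stack = { 0 };

    if (data == NULL || data->data == NULL || data->size == 0) {
        return FALSE;
    }
    if (!NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)data->pid, &process)) || process == NULL) {
        return FALSE;
    }
    GetData = ExAllocatePool(PagedPool, data->size);   // returns NULL on failure; never raises
    if (GetData == NULL) {
        goto Cleanup;
    }
    RtlCopyMemory(GetData, data->data, data->size);   // stage the bytes (the original copied them one by one)

    KeStackAttachProcess(process, &stack);
    mdl = IoAllocateMdl((PVOID)data->address, data->size, FALSE, FALSE, NULL);
    if (mdl == NULL) {
        goto Detach;
    }
    MmBuildMdlForNonPagedPool(mdl);
    __try{
        ChangeData = MmMapLockedPages(mdl, KernelMode);   // system-space view of the described pages
        RtlCopyMemory(ChangeData, GetData, data->size);
        bRet = TRUE;
    }
    __except (EXCEPTION_EXECUTE_HANDLER){
        bRet = FALSE;
    }
    if (ChangeData != NULL) {
        MmUnmapLockedPages(ChangeData, mdl);   // the original leaked this mapping
    }
    IoFreeMdl(mdl);
Detach:
    KeUnstackDetachProcess(&stack);
Cleanup:
    if (GetData != NULL) {
        ExFreePool(GetData);
    }
    ObDereferenceObject(process);
    return bRet;
}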
// Unload callback; this sample has nothing to tear down.
VOID UnDriver(PDRIVER_OBJECT driver){
    (void)driver;
}
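// Driver entry point: fills a 5-byte buffer with 0x90 and writes it to a sample
// address in a sample process via MDLWriteMemory. Always returns STATUS_SUCCESS.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath){
    ReadMemoryStruct ptr = { 0 };

    (void)RegistryPath;
    Driver->DriverUnload = UnDriver;

    ptr.pid = 6672;            // sample PID; replace per run
    ptr.address = 0x402c00;    // sample address in the target
    ptr.size = 5;
    ptr.data = ExAllocatePool(PagedPool, ptr.size);   // bytes to write
    if (ptr.data == NULL) {    // the original wrote through the NULL in the fill loop
        return STATUS_SUCCESS;
    }
    RtlFillMemory(ptr.data, ptr.size, 0x90);   // same fill as the original loop, bounded by ptr.size
    if (!MDLWriteMemory(&ptr)) {
        DbgPrint("MDLWriteMemory failed \n");
    }
    ExFreePool(ptr.data);      // the original never freed the buffer
    return STATUS_SUCCESS;
}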

内存直接拷贝

普通Ke读写:

#include <ntifs.h>
#include <windef.h>
#include <stdlib.h>
NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(HANDLE ProcessId, PEPROCESS *Process);
NTKERNELAPI CHAR* PsGetProcessImageFileName(PEPROCESS Process);
NTSTATUS NTAPI MmCopyVirtualMemory(PEPROCESS SourceProcess, PVOID SourceAddress, PEPROCESS TargetProcess, PVOID TargetAddress, SIZE_T BufferSize, KPROCESSOR_MODE PreviousMode, PSIZE_T ReturnSize);
// 定义全局EProcess结构
// EPROCESS of the target process: set once in DriverEntry from
// PsLookupProcessByProcessId and read by KeReadProcessMemory/KeWriteProcessMemory.
// Nothing in this listing dereferences the object again or clears the pointer.
PEPROCESS Global_Peprocess = NULL;
// 普通Ke内存读取
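// Copy Size bytes from SourceAddress in Global_Peprocess to TargetAddress in the
// current process with MmCopyVirtualMemory.
// Returns STATUS_SUCCESS, or STATUS_ACCESS_DENIED when Global_Peprocess is unset,
// the copy fails or it raises. The original passed a NULL Global_Peprocess
// straight through and carried an unreachable trailing return.
NTSTATUS KeReadProcessMemory(PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size){
    SIZE_T Result = 0;
    NTSTATUS status;

    if (Global_Peprocess == NULL || TargetAddress == NULL) {
        return STATUS_ACCESS_DENIED;
    }
    __try{
        status = MmCopyVirtualMemory(Global_Peprocess, SourceAddress, PsGetCurrentProcess(), TargetAddress, Size, KernelMode, &Result);
    }
    __except (EXCEPTION_EXECUTE_HANDLER){
        return STATUS_ACCESS_DENIED;
    }
    return NT_SUCCESS(status) ? STATUS_SUCCESS : STATUS_ACCESS_DENIED;
}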
// 普通Ke内存写入
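// Copy Size bytes from SourceAddress in the current process to TargetAddress in
// Global_Peprocess with MmCopyVirtualMemory — the mirror of KeReadProcessMemory.
// Returns STATUS_SUCCESS, or STATUS_ACCESS_DENIED when Global_Peprocess is unset,
// the copy fails or it raises. The original had no NULL guard and, unlike the
// read helper, no exception handler around the copy.
NTSTATUS KeWriteProcessMemory(PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size){
    SIZE_T Result = 0;
    NTSTATUS status;

    if (Global_Peprocess == NULL || SourceAddress == NULL) {
        return STATUS_ACCESS_DENIED;
    }
    __try{
        status = MmCopyVirtualMemory(PsGetCurrentProcess(), SourceAddress, Global_Peprocess, TargetAddress, Size, KernelMode, &Result);
    }
    __except (EXCEPTION_EXECUTE_HANDLER){
        return STATUS_ACCESS_DENIED;
    }
    return NT_SUCCESS(status) ? STATUS_SUCCESS : STATUS_ACCESS_DENIED;
}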
// Unload callback; this sample has nothing to tear down.
VOID UnDriver(PDRIVER_OBJECT driver){
    (void)driver;
}
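// Driver entry point: resolves a sample PID into Global_Peprocess, reads one
// DWORD from a sample user address, writes one back, logs both, then drops the
// lookup reference. Always returns STATUS_SUCCESS so the driver stays loaded.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath){
    DWORD PID = 6672;          // sample PID; replace per run
    DWORD ref_value = 0;
    NTSTATUS nt, read_nt, write_nt;

    (void)RegistryPath;
    Driver->DriverUnload = UnDriver;

    nt = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)PID, &Global_Peprocess);
    if (!NT_SUCCESS(nt)) {     // the original ignored nt and went on with a NULL Global_Peprocess
        DbgPrint("PsLookupProcessByProcessId failed: %x \n", nt);
        return STATUS_SUCCESS;
    }
    // Read 4 bytes at the sample address into ref_value.
    read_nt = KeReadProcessMemory((PVOID)0x0009EDC8, &ref_value, sizeof(ref_value));
    DbgPrint("读出数据: %d \n", ref_value);
    if (!NT_SUCCESS(read_nt)) {
        DbgPrint("KeReadProcessMemory failed \n");
    }
    // Write 4 bytes from ref_value to the sample address. KeWriteProcessMemory's
    // first parameter is the local source buffer; the original passed the two
    // addresses the other way round, and redeclared ref_value/read_nt in the
    // same scope (a compile error).
    ref_value = 10;
    write_nt = KeWriteProcessMemory(&ref_value, (PVOID)0x0009EDC8, sizeof(ref_value));
    DbgPrint("写入数据: %d \n", ref_value);
    if (!NT_SUCCESS(write_nt)) {
        DbgPrint("KeWriteProcessMemory failed \n");
    }
    // Everything that uses Global_Peprocess has run; release the lookup reference
    // (the original never did) so the target process can be torn down.
    ObDereferenceObject(Global_Peprocess);
    Global_Peprocess = NULL;
    return STATUS_SUCCESS;
}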

内存映射

打通R0和R3,这里R3数据映射到R0:

#include <ntifs.h>
#include <windef.h>
// 分配内存
// Allocate InSize bytes of non-paged pool under tag 'abcd', zero-filled when
// InZeroMemory is set. Returns NULL if the pool allocation fails. Release with
// RtlFreeMemory.
void* RtlAllocateMemory(BOOLEAN InZeroMemory, SIZE_T InSize){
    void* block = ExAllocatePoolWithTag(NonPagedPool, InSize, 'abcd');
    if (block == NULL) {
        return NULL;
    }
    if (InZeroMemory) {
        RtlZeroMemory(block, InSize);
    }
    return block;
}
// 释放内存
// Release a block obtained from RtlAllocateMemory. ExFreePool does not accept
// NULL (unlike free()), so callers must check the pointer first.
void RtlFreeMemory(void* InPointer){
    void* block = InPointer;
    ExFreePool(block);
}
//将应用层中的内存复制到内核变量中 SrcAddr r3地址要复制 DstAddr R0申请的地址 Size 拷贝长度
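// Copy Size bytes from the user-mode range SrcAddr (in the currently attached
// process) to the kernel buffer DstAddr, one page at a time, locking each source
// page through an MDL before reading it.
// Returns STATUS_SUCCESS only when every page was locked, mapped and copied;
// STATUS_UNSUCCESSFUL on bad arguments or when any page could not be processed.
// The original reported success whatever happened, left pages locked when the
// mapping failed after a successful MmProbeAndLockPages, and — for a SrcAddr that
// is not page-aligned — advanced the counters by PAGE_SIZE after the first
// iteration even though a smaller chunk had been copied.
NTSTATUS SafeCopyMemory_R3_to_R0(ULONG_PTR SrcAddr, ULONG_PTR DstAddr, ULONG Size){
    ULONG nCopyedSize = 0;

    if (!SrcAddr || !DstAddr || !Size) {
        return STATUS_UNSUCCESSFUL;
    }
    while (nCopyedSize < Size){
        ULONG_PTR pageBase = SrcAddr & ~(ULONG_PTR)(PAGE_SIZE - 1);
        ULONG_PTR pageOffset = SrcAddr & (PAGE_SIZE - 1);
        ULONG nChunk = (ULONG)(PAGE_SIZE - pageOffset);   // bytes left in this source page
        PMDL pSrcMdl = NULL;
        PVOID pMappedSrc = NULL;
        BOOLEAN locked = FALSE;
        BOOLEAN copied = FALSE;

        if (Size - nCopyedSize < nChunk) {
            nChunk = Size - nCopyedSize;
        }
        pSrcMdl = IoAllocateMdl((PVOID)pageBase, PAGE_SIZE, FALSE, FALSE, NULL);
        if (pSrcMdl == NULL) {
            return STATUS_UNSUCCESSFUL;
        }
        __try{
            MmProbeAndLockPages(pSrcMdl, UserMode, IoReadAccess);   // raises if the page is not user-readable
            locked = TRUE;
            pMappedSrc = MmGetSystemAddressForMdlSafe(pSrcMdl, NormalPagePriority);
            if (pMappedSrc != NULL) {
                RtlCopyMemory((PVOID)DstAddr, (PUCHAR)pMappedSrc + pageOffset, nChunk);
                copied = TRUE;
            }
        }
        __except (EXCEPTION_EXECUTE_HANDLER){
            copied = FALSE;
        }
        if (locked) {
            MmUnlockPages(pSrcMdl);   // unlock whenever the lock succeeded, mapped or not
        }
        IoFreeMdl(pSrcMdl);
        if (!copied) {
            return STATUS_UNSUCCESSFUL;
        }
        nCopyedSize += nChunk;
        SrcAddr += nChunk;
        DstAddr += nChunk;
    }
    return STATUS_SUCCESS;
}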
// Unload callback; this sample has nothing to tear down.
VOID UnDriver(PDRIVER_OBJECT driver){
    (void)driver;
}
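// Driver entry point: attaches to a sample process, copies nSize bytes from a
// sample user address into a kernel buffer with SafeCopyMemory_R3_to_R0 and
// dumps the first 10. Always returns STATUS_SUCCESS.
// Fixes over the original: the buffer is only freed when it was allocated
// (ExFreePool does not accept NULL), the process is detached even when the
// __try body raises, and the lookup reference is released.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath){
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    PEPROCESS eproc = NULL;
    KAPC_STATE kpc = { 0 };
    PVOID pTempBuffer = NULL;
    ULONG nSize = 0x1024;                        // sample length, kept from the original
    ULONG_PTR ModuleBase = 0x0000000140001000;   // sample user address in the target
    BOOLEAN attached = FALSE;

    (void)RegistryPath;
    Driver->DriverUnload = UnDriver;

    status = PsLookupProcessByProcessId((HANDLE)4556, &eproc);   // sample PID; replace per run
    if (!NT_SUCCESS(status)) {
        return STATUS_SUCCESS;
    }
    pTempBuffer = RtlAllocateMemory(TRUE, nSize);
    if (pTempBuffer != NULL) {
        __try{
            KeStackAttachProcess(eproc, &kpc);   // SafeCopyMemory_R3_to_R0 reads the attached address space
            attached = TRUE;
            status = SafeCopyMemory_R3_to_R0(ModuleBase, (ULONG_PTR)pTempBuffer, nSize);
            if (NT_SUCCESS(status)) {
                BYTE* data = pTempBuffer;
                DbgPrint("[*] 拷贝应用层数据到内核里 \n");
                for (size_t i = 0; i < 10 && i < nSize; i++) {
                    DbgPrint("%02X \n", data[i]);
                }
            }
        }
        __except (EXCEPTION_EXECUTE_HANDLER){
            // fall through to the cleanup below; the original returned from here still attached
        }
        if (attached) {
            KeUnstackDetachProcess(&kpc);
        }
        RtlFreeMemory(pTempBuffer);
    }
    ObDereferenceObject(eproc);   // the original never released the lookup reference
    return STATUS_SUCCESS;
}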

R0数据映射到R3:

// 分配内存
// Allocate InSize bytes of non-paged pool under tag 'abcd', zero-filled when
// InZeroMemory is set. Returns NULL if the pool allocation fails. Release with
// RtlFreeMemory.
void* RtlAllocateMemory(BOOLEAN InZeroMemory, SIZE_T InSize){
    void* block = ExAllocatePoolWithTag(NonPagedPool, InSize, 'abcd');
    if (block == NULL) {
        return NULL;
    }
    if (InZeroMemory) {
        RtlZeroMemory(block, InSize);
    }
    return block;
}
// 释放内存
// Release a block obtained from RtlAllocateMemory. ExFreePool does not accept
// NULL (unlike free()), so callers must check the pointer first.
void RtlFreeMemory(void* InPointer){
    void* block = InPointer;
    ExFreePool(block);
}
//将内存中的数据复制到R3中 SrcAddr R0要复制的地址 DstAddr 返回R3的地址 Size 拷贝长度
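// Copy Size bytes from the non-paged kernel buffer SrcAddr to the user-mode
// address DstAddr of the currently attached process: the source is described by
// an MDL built for non-paged pool, the destination is probed and locked for write
// and both are mapped into system space for the copy.
// Returns STATUS_SUCCESS when the copy completed, STATUS_UNSUCCESSFUL on bad
// arguments or when any MDL, lock or mapping step failed. The original left the
// destination pages locked when MmGetSystemAddressForMdlSafe failed after a
// successful MmProbeAndLockPages, and reported success even if the copy raised.
NTSTATUS SafeCopyMemory_R0_to_R3(PVOID SrcAddr, PVOID DstAddr, ULONG Size){
    PMDL pSrcMdl = NULL, pDstMdl = NULL;
    PUCHAR pSrcAddress = NULL, pDstAddress = NULL;
    BOOLEAN dstLocked = FALSE;
    NTSTATUS st = STATUS_UNSUCCESSFUL;

    if (SrcAddr == NULL || DstAddr == NULL || Size == 0) {
        return st;
    }
    pSrcMdl = IoAllocateMdl(SrcAddr, Size, FALSE, FALSE, NULL);
    if (!pSrcMdl) {
        return st;
    }
    MmBuildMdlForNonPagedPool(pSrcMdl);   // SrcAddr must be non-paged (RtlAllocateMemory uses NonPagedPool)
    pSrcAddress = MmGetSystemAddressForMdlSafe(pSrcMdl, NormalPagePriority);
    if (!pSrcAddress) {
        goto Done;
    }
    pDstMdl = IoAllocateMdl(DstAddr, Size, FALSE, FALSE, NULL);
    if (!pDstMdl) {
        goto Done;
    }
    __try{
        MmProbeAndLockPages(pDstMdl, UserMode, IoWriteAccess);   // raises if DstAddr is not user-writable
        dstLocked = TRUE;
        pDstAddress = MmGetSystemAddressForMdlSafe(pDstMdl, NormalPagePriority);
        if (pDstAddress) {
            RtlCopyMemory(pDstAddress, pSrcAddress, Size);
            st = STATUS_SUCCESS;   // only after the copy actually ran
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER){
        st = STATUS_UNSUCCESSFUL;
    }
    if (dstLocked) {
        MmUnlockPages(pDstMdl);   // unlock whenever the lock succeeded, mapped or not
    }
Done:
    if (pDstMdl) {
        IoFreeMdl(pDstMdl);
    }
    IoFreeMdl(pSrcMdl);
    return st;
}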
// Unload callback; this sample has nothing to tear down.
VOID UnDriver(PDRIVER_OBJECT driver){
    (void)driver;
}
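// Driver entry point: attaches to a sample process, fills a kernel buffer with
// 0x90, reserves/commits a region in the attached process and copies the buffer
// out with SafeCopyMemory_R0_to_R3. Always returns STATUS_SUCCESS.
// Fixes over the original: ZwAllocateVirtualMemory's RegionSize is a SIZE_T*
// (the original passed &nSize with nSize a 4-byte ULONG, so the callee wrote past
// it on x64); the buffer is only freed when it was allocated (ExFreePool does not
// accept NULL); the process is detached even when the __try body raises; the
// lookup reference is released.
// NOTE(review): the copy is still given `&ModuleBase` — the address of the local
// variable — as its R3 destination, exactly as the author wrote it; given the
// ZwAllocateVirtualMemory calls just above it is unclear whether `ModuleBase`
// itself was meant, so that argument is left for the author to confirm.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath){
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    PEPROCESS eproc = NULL;
    KAPC_STATE kpc = { 0 };
    PVOID pTempBuffer = NULL;
    ULONG nSize = 0x1024;                               // sample length, kept from the original
    SIZE_T regionSize = 0x1024;                         // same value, in the type ZwAllocateVirtualMemory requires
    PVOID ModuleBase = (PVOID)0x0000000140001000;       // sample user address in the target
    BOOLEAN attached = FALSE;

    (void)RegistryPath;
    Driver->DriverUnload = UnDriver;

    status = PsLookupProcessByProcessId((HANDLE)4556, &eproc);   // sample PID; replace per run
    if (!NT_SUCCESS(status)) {
        return STATUS_SUCCESS;
    }
    pTempBuffer = RtlAllocateMemory(TRUE, nSize);
    if (pTempBuffer != NULL) {
        __try{
            KeStackAttachProcess(eproc, &kpc);   // NtCurrentProcess() below then refers to the target
            attached = TRUE;
            memset(pTempBuffer, 0x90, nSize);
            status = ZwAllocateVirtualMemory(NtCurrentProcess(), &ModuleBase, 0, &regionSize, MEM_RESERVE, PAGE_EXECUTE_READWRITE);
            if (NT_SUCCESS(status)) {
                status = ZwAllocateVirtualMemory(NtCurrentProcess(), &ModuleBase, 0, &regionSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
            }
            if (NT_SUCCESS(status)) {   // the original ignored both allocation results
                status = SafeCopyMemory_R0_to_R3(pTempBuffer, &ModuleBase, nSize);
                if (NT_SUCCESS(status)) {
                    DbgPrint("[*] 拷贝内核数据到应用层 \n");
                }
            }
        }
        __except (EXCEPTION_EXECUTE_HANDLER){
            // fall through to the cleanup below; the original returned from here still attached
        }
        if (attached) {
            KeUnstackDetachProcess(&kpc);
        }
        RtlFreeMemory(pTempBuffer);
    }
    ObDereferenceObject(eproc);   // the original never released the lookup reference
    return STATUS_SUCCESS;
}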

遍历进程VAD结构体

VAD叫虚拟地址描述符,是个AVL自平衡二叉树,每个节点代表一段虚拟地址空间。程序中的代码段、数据段、堆段等都各占用一个或多个VAD节点,由一个MMVAD结构完整描述。

VAD结构树在EPROCESS的VadRoot和VadCount计数等,系统不同版本这个位置都会不一样,得自己调,这里以0x658和0x668为例。

当系统用VirtualAlloc申请一段堆内存时,在VAD树上增加一个节点,为MMVAD结构。栈不受VAD管理,由系统直接分配空间,地址记录在TEB中。

3: kd> dt nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x438 ProcessLock : _EX_PUSH_LOCK
+0x440 UniqueProcessId : Ptr64 Void
+0x448 ActiveProcessLinks : _LIST_ENTRY
+0x458 RundownProtect : _EX_RUNDOWN_REF
+0x460 Flags2 : Uint4B
+0x460 JobNotReallyActive : Pos 0, 1 Bit
+0x460 AccountingFolded : Pos 1, 1 Bit
+0x460 NewProcessReported : Pos 2, 1 Bit
+0x460 ExitProcessReported : Pos 3, 1 Bit
+0x460 ReportCommitChanges : Pos 4, 1 Bit
+0x460 LastReportMemory : Pos 5, 1 Bit
+0x460 ForceWakeCharge : Pos 6, 1 Bit
+0x460 CrossSessionCreate : Pos 7, 1 Bit
+0x460 NeedsHandleRundown : Pos 8, 1 Bit
+0x460 RefTraceEnabled : Pos 9, 1 Bit
+0x460 PicoCreated : Pos 10, 1 Bit
+0x460 EmptyJobEvaluated : Pos 11, 1 Bit
+0x460 DefaultPagePriority : Pos 12, 3 Bits
+0x460 PrimaryTokenFrozen : Pos 15, 1 Bit
+0x460 ProcessVerifierTarget : Pos 16, 1 Bit
+0x460 RestrictSetThreadContext : Pos 17, 1 Bit
+0x460 AffinityPermanent : Pos 18, 1 Bit
+0x460 AffinityUpdateEnable : Pos 19, 1 Bit
+0x460 PropagateNode : Pos 20, 1 Bit
+0x460 ExplicitAffinity : Pos 21, 1 Bit
+0x460 ProcessExecutionState : Pos 22, 2 Bits
+0x460 EnableReadVmLogging : Pos 24, 1 Bit
+0x460 EnableWriteVmLogging : Pos 25, 1 Bit
+0x460 FatalAccessTerminationRequested : Pos 26, 1 Bit
+0x460 DisableSystemAllowedCpuSet : Pos 27, 1 Bit
+0x460 ProcessStateChangeRequest : Pos 28, 2 Bits
+0x460 ProcessStateChangeInProgress : Pos 30, 1 Bit
+0x460 InPrivate : Pos 31, 1 Bit
+0x464 Flags : Uint4B
+0x464 CreateReported : Pos 0, 1 Bit
+0x464 NoDebugInherit : Pos 1, 1 Bit
+0x464 ProcessExiting : Pos 2, 1 Bit
+0x464 ProcessDelete : Pos 3, 1 Bit
+0x464 ManageExecutableMemoryWrites : Pos 4, 1 Bit
+0x464 VmDeleted : Pos 5, 1 Bit
+0x464 OutswapEnabled : Pos 6, 1 Bit
+0x464 Outswapped : Pos 7, 1 Bit
+0x464 FailFastOnCommitFail : Pos 8, 1 Bit
+0x464 Wow64VaSpace4Gb : Pos 9, 1 Bit
+0x464 AddressSpaceInitialized : Pos 10, 2 Bits
+0x464 SetTimerResolution : Pos 12, 1 Bit
+0x464 BreakOnTermination : Pos 13, 1 Bit
+0x464 DeprioritizeViews : Pos 14, 1 Bit
+0x464 WriteWatch : Pos 15, 1 Bit
+0x464 ProcessInSession : Pos 16, 1 Bit
+0x464 OverrideAddressSpace : Pos 17, 1 Bit
+0x464 HasAddressSpace : Pos 18, 1 Bit
+0x464 LaunchPrefetched : Pos 19, 1 Bit
+0x464 Background : Pos 20, 1 Bit
+0x464 VmTopDown : Pos 21, 1 Bit
+0x464 ImageNotifyDone : Pos 22, 1 Bit
+0x464 PdeUpdateNeeded : Pos 23, 1 Bit
+0x464 VdmAllowed : Pos 24, 1 Bit
+0x464 ProcessRundown : Pos 25, 1 Bit
+0x464 ProcessInserted : Pos 26, 1 Bit
+0x464 DefaultIoPriority : Pos 27, 3 Bits
+0x464 ProcessSelfDelete : Pos 30, 1 Bit
+0x464 SetTimerResolutionLink : Pos 31, 1 Bit
+0x468 CreateTime : _LARGE_INTEGER
+0x470 ProcessQuotaUsage : [2] Uint8B
+0x480 ProcessQuotaPeak : [2] Uint8B
+0x490 PeakVirtualSize : Uint8B
+0x498 VirtualSize : Uint8B
+0x4a0 SessionProcessLinks : _LIST_ENTRY
+0x4b0 ExceptionPortData : Ptr64 Void
+0x4b0 ExceptionPortValue : Uint8B
+0x4b0 ExceptionPortState : Pos 0, 3 Bits
+0x4b8 Token : _EX_FAST_REF
+0x4c0 MmReserved : Uint8B
+0x4c8 AddressCreationLock : _EX_PUSH_LOCK
+0x4d0 PageTableCommitmentLock : _EX_PUSH_LOCK
+0x4d8 RotateInProgress : Ptr64 _ETHREAD
+0x4e0 ForkInProgress : Ptr64 _ETHREAD
+0x4e8 CommitChargeJob : Ptr64 _EJOB
+0x4f0 CloneRoot : _RTL_AVL_TREE
+0x4f8 NumberOfPrivatePages : Uint8B
+0x500 NumberOfLockedPages : Uint8B
+0x508 Win32Process : Ptr64 Void
+0x510 Job : Ptr64 _EJOB
+0x518 SectionObject : Ptr64 Void
+0x520 SectionBaseAddress : Ptr64 Void
+0x528 Cookie : Uint4B
+0x530 WorkingSetWatch : Ptr64 _PAGEFAULT_HISTORY
+0x538 Win32WindowStation : Ptr64 Void
+0x540 InheritedFromUniqueProcessId : Ptr64 Void
+0x548 OwnerProcessId : Uint8B
+0x550 Peb : Ptr64 _PEB
+0x558 Session : Ptr64 _MM_SESSION_SPACE
+0x560 Spare1 : Ptr64 Void
+0x568 QuotaBlock : Ptr64 _EPROCESS_QUOTA_BLOCK
+0x570 ObjectTable : Ptr64 _HANDLE_TABLE
+0x578 DebugPort : Ptr64 Void
+0x580 WoW64Process : Ptr64 _EWOW64PROCESS
+0x588 DeviceMap : Ptr64 Void
+0x590 EtwDataSource : Ptr64 Void
+0x598 PageDirectoryPte : Uint8B
+0x5a0 ImageFilePointer : Ptr64 _FILE_OBJECT
+0x5a8 ImageFileName : [15] UChar
+0x5b7 PriorityClass : UChar
+0x5b8 SecurityPort : Ptr64 Void
+0x5c0 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x5c8 JobLinks : _LIST_ENTRY
+0x5d8 HighestUserAddress : Ptr64 Void
+0x5e0 ThreadListHead : _LIST_ENTRY
+0x5f0 ActiveThreads : Uint4B
+0x5f4 ImagePathHash : Uint4B
+0x5f8 DefaultHardErrorProcessing : Uint4B
+0x5fc LastThreadExitStatus : Int4B
+0x600 PrefetchTrace : _EX_FAST_REF
+0x608 LockedPagesList : Ptr64 Void
+0x610 ReadOperationCount : _LARGE_INTEGER
+0x618 WriteOperationCount : _LARGE_INTEGER
+0x620 OtherOperationCount : _LARGE_INTEGER
+0x628 ReadTransferCount : _LARGE_INTEGER
+0x630 WriteTransferCount : _LARGE_INTEGER
+0x638 OtherTransferCount : _LARGE_INTEGER
+0x640 CommitChargeLimit : Uint8B
+0x648 CommitCharge : Uint8B
+0x650 CommitChargePeak : Uint8B
+0x680 Vm : _MMSUPPORT_FULL
+0x7c0 MmProcessLinks : _LIST_ENTRY
+0x7d0 ModifiedPageCount : Uint4B
+0x7d4 ExitStatus : Int4B
+0x7d8 VadRoot : _RTL_AVL_TREE
+0x7e0 VadHint : Ptr64 Void
+0x7e8 VadCount : Uint8B
+0x7f0 VadPhysicalPages : Uint8B
+0x7f8 VadPhysicalPagesLimit : Uint8B
+0x800 AlpcContext : _ALPC_PROCESS_CONTEXT
+0x820 TimerResolutionLink : _LIST_ENTRY
+0x830 TimerResolutionStackRecord : Ptr64 _PO_DIAG_STACK_RECORD
+0x838 RequestedTimerResolution : Uint4B
+0x83c SmallestTimerResolution : Uint4B
+0x840 ExitTime : _LARGE_INTEGER
+0x848 InvertedFunctionTable : Ptr64 _INVERTED_FUNCTION_TABLE
+0x850 InvertedFunctionTableLock : _EX_PUSH_LOCK
+0x858 ActiveThreadsHighWatermark : Uint4B
+0x85c LargePrivateVadCount : Uint4B
+0x860 ThreadListLock : _EX_PUSH_LOCK
+0x868 WnfContext : Ptr64 Void
+0x870 ServerSilo : Ptr64 _EJOB
+0x878 SignatureLevel : UChar
+0x879 SectionSignatureLevel : UChar
+0x87a Protection : _PS_PROTECTION
+0x87b HangCount : Pos 0, 3 Bits
+0x87b GhostCount : Pos 3, 3 Bits
+0x87b PrefilterException : Pos 6, 1 Bit
+0x87c Flags3 : Uint4B
+0x87c Minimal : Pos 0, 1 Bit
+0x87c ReplacingPageRoot : Pos 1, 1 Bit
+0x87c Crashed : Pos 2, 1 Bit
+0x87c JobVadsAreTracked : Pos 3, 1 Bit
+0x87c VadTrackingDisabled : Pos 4, 1 Bit
+0x87c AuxiliaryProcess : Pos 5, 1 Bit
+0x87c SubsystemProcess : Pos 6, 1 Bit
+0x87c IndirectCpuSets : Pos 7, 1 Bit
+0x87c RelinquishedCommit : Pos 8, 1 Bit
+0x87c HighGraphicsPriority : Pos 9, 1 Bit
+0x87c CommitFailLogged : Pos 10, 1 Bit
+0x87c ReserveFailLogged : Pos 11, 1 Bit
+0x87c SystemProcess : Pos 12, 1 Bit
+0x87c HideImageBaseAddresses : Pos 13, 1 Bit
+0x87c AddressPolicyFrozen : Pos 14, 1 Bit
+0x87c ProcessFirstResume : Pos 15, 1 Bit
+0x87c ForegroundExternal : Pos 16, 1 Bit
+0x87c ForegroundSystem : Pos 17, 1 Bit
+0x87c HighMemoryPriority : Pos 18, 1 Bit
+0x87c EnableProcessSuspendResumeLogging : Pos 19, 1 Bit
+0x87c EnableThreadSuspendResumeLogging : Pos 20, 1 Bit
+0x87c SecurityDomainChanged : Pos 21, 1 Bit
+0x87c SecurityFreezeComplete : Pos 22, 1 Bit
+0x87c VmProcessorHost : Pos 23, 1 Bit
+0x87c VmProcessorHostTransition : Pos 24, 1 Bit
+0x87c AltSyscall : Pos 25, 1 Bit
+0x87c TimerResolutionIgnore : Pos 26, 1 Bit
+0x87c DisallowUserTerminate : Pos 27, 1 Bit
+0x880 DeviceAsid : Int4B
+0x888 SvmData : Ptr64 Void
+0x890 SvmProcessLock : _EX_PUSH_LOCK
+0x898 SvmLock : Uint8B
+0x8a0 SvmProcessDeviceListHead : _LIST_ENTRY
+0x8b0 LastFreezeInterruptTime : Uint8B
+0x8b8 DiskCounters : Ptr64 _PROCESS_DISK_COUNTERS
+0x8c0 PicoContext : Ptr64 Void
+0x8c8 EnclaveTable : Ptr64 Void
+0x8d0 EnclaveNumber : Uint8B
+0x8d8 EnclaveLock : _EX_PUSH_LOCK
+0x8e0 HighPriorityFaultsAllowed : Uint4B
+0x8e8 EnergyContext : Ptr64 _PO_PROCESS_ENERGY_CONTEXT
+0x8f0 VmContext : Ptr64 Void
+0x8f8 SequenceNumber : Uint8B
+0x900 CreateInterruptTime : Uint8B
+0x908 CreateUnbiasedInterruptTime : Uint8B
+0x910 TotalUnbiasedFrozenTime : Uint8B
+0x918 LastAppStateUpdateTime : Uint8B
+0x920 LastAppStateUptime : Pos 0, 61 Bits
+0x920 LastAppState : Pos 61, 3 Bits
+0x928 SharedCommitCharge : Uint8B
+0x930 SharedCommitLock : _EX_PUSH_LOCK
+0x938 SharedCommitLinks : _LIST_ENTRY
+0x948 AllowedCpuSets : Uint8B
+0x950 DefaultCpuSets : Uint8B
+0x948 AllowedCpuSetsIndirect : Ptr64 Uint8B
+0x950 DefaultCpuSetsIndirect : Ptr64 Uint8B
+0x958 DiskIoAttribution : Ptr64 Void
+0x960 DxgProcess : Ptr64 Void
+0x968 Win32KFilterSet : Uint4B
+0x970 ProcessTimerDelay : _PS_INTERLOCKED_TIMER_DELAY_VALUES
+0x978 KTimerSets : Uint4B
+0x97c KTimer2Sets : Uint4B
+0x980 ThreadTimerSets : Uint4B
+0x988 VirtualTimerListLock : Uint8B
+0x990 VirtualTimerListHead : _LIST_ENTRY
+0x9a0 WakeChannel : _WNF_STATE_NAME
+0x9a0 WakeInfo : _PS_PROCESS_WAKE_INFORMATION
+0x9d0 MitigationFlags : Uint4B
+0x9d0 MitigationFlagsValues : <anonymous-tag>
+0x9d4 MitigationFlags2 : Uint4B
+0x9d4 MitigationFlags2Values : <anonymous-tag>
+0x9d8 PartitionObject : Ptr64 Void
+0x9e0 SecurityDomain : Uint8B
+0x9e8 ParentSecurityDomain : Uint8B
+0x9f0 CoverageSamplerContext : Ptr64 Void
+0x9f8 MmHotPatchContext : Ptr64 Void
+0xa00 DynamicEHContinuationTargetsTree : _RTL_AVL_TREE
+0xa08 DynamicEHContinuationTargetsLock : _EX_PUSH_LOCK
3: kd> dt nt!_MMVAD
+0x000 Core : _MMVAD_SHORT
+0x040 u2 : <anonymous-tag>
+0x048 Subsection : Ptr64 _SUBSECTION
+0x050 FirstPrototypePte : Ptr64 _MMPTE
+0x058 LastContiguousPte : Ptr64 _MMPTE
+0x060 ViewLinks : _LIST_ENTRY
+0x070 VadsProcess : Ptr64 _EPROCESS
+0x078 u4 : <anonymous-tag>
+0x080 FileObject : Ptr64 _FILE_OBJECT
3: kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS ffffc289fa453080
SessionId: 1 Cid: 12d8 Peb: 00315000 ParentCid: 0d04
DirBase: 0609e000 ObjectTable: ffffb20bcf1666c0 HandleCount: 562.
Image: maye.exe
3: kd> !vad ffffc289fa453080+0x7d8
VAD Level Start End Commit
ffffc289f78d3310 9 10 1f 0 Mapped READWRITE Pagefile section, shared commit 0x10
ffffc289fa522b40 8 20 2d 3 Private READWRITE
ffffc289f78d89f0 9 30 37 0 Mapped READONLY Pagefile section, shared commit 0x11
ffffc289f78d2730 7 40 5c 0 Mapped READONLY Pagefile section, shared commit 0x1d
ffffc289fa522be0 8 60 9f 15 Private READWRITE
...
ffffc289fa522a50 5 7ffec 7ffec 1 Private READONLY
ffffc289fa522d20 7 7fff0 fffff 34359738367 Private READONLY
ffffc289f78d2910 6 7ff87b780 7ff87b7d8 5 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\wow64.dll
ffffc289f78d2b90 8 7ff87cc20 7ff87cca2 5 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\wow64win.dll
ffffc289f78d1bf0 7 7ff87cff0 7ff87d1e5 16 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\ntdll.dll

Total VADs: 313, average level: 8, maximum depth: 10
Total private commit: 0x800004a6c pages (137439029680 KB)
Total shared commit: 0x53c pages (5360 KB)

vad.h是微软提供的,这里是个例子,实际需要替换成具体系统版本的:

#pragma once
#include <ntifs.h>
// Flag bits of a graphics VAD; one of the overlaid views of MMVAD_SHORT.u1.Flags.
// Bit positions are for the build this header was dumped from (see the note above
// the listing) and must be re-checked against nt!_MM_GRAPHICS_VAD_FLAGS per build.
typedef struct _MM_GRAPHICS_VAD_FLAGS{     // 15 elements, 0x4 bytes (sizeof)
/*0x000*/   ULONG32    Lock : 1;          // 0 BitPosition
/*0x000*/   ULONG32    LockContended : 1;      // 1 BitPosition
/*0x000*/   ULONG32    DeleteInProgress : 1;    // 2 BitPosition
/*0x000*/   ULONG32    NoChange : 1;        // 3 BitPosition
/*0x000*/   ULONG32    VadType : 3;         // 4 BitPosition
/*0x000*/   ULONG32    Protection : 5;       // 7 BitPosition
/*0x000*/   ULONG32    PreferredNode : 6;      // 12 BitPosition
/*0x000*/   ULONG32    PageSize : 2;        // 18 BitPosition
/*0x000*/   ULONG32    PrivateMemoryAlwaysSet : 1; // 20 BitPosition
/*0x000*/   ULONG32    WriteWatch : 1;       // 21 BitPosition
/*0x000*/   ULONG32    FixedLargePageSize : 1;   // 22 BitPosition
/*0x000*/   ULONG32    ZeroFillPagesOptional : 1;  // 23 BitPosition
/*0x000*/   ULONG32    GraphicsAlwaysSet : 1;    // 24 BitPosition
/*0x000*/   ULONG32    GraphicsUseCoherentBus : 1; // 25 BitPosition
/*0x000*/   ULONG32    GraphicsPageProtection : 3; // 26 BitPosition
}MM_GRAPHICS_VAD_FLAGS, *PMM_GRAPHICS_VAD_FLAGS;
// Flag bits of a private-memory VAD; one of the overlaid views of
// MMVAD_SHORT.u1.Flags. The first 20 bits are shared with the other flag views;
// bit positions are build-specific and must be re-checked per build.
typedef struct _MM_PRIVATE_VAD_FLAGS {    // 15 elements, 0x4 bytes (sizeof)
/*0x000*/   ULONG32    Lock : 1;          // 0 BitPosition
/*0x000*/   ULONG32    LockContended : 1;      // 1 BitPosition
/*0x000*/   ULONG32    DeleteInProgress : 1;    // 2 BitPosition
/*0x000*/   ULONG32    NoChange : 1;        // 3 BitPosition
/*0x000*/   ULONG32    VadType : 3;         // 4 BitPosition
/*0x000*/   ULONG32    Protection : 5;       // 7 BitPosition
/*0x000*/   ULONG32    PreferredNode : 6;      // 12 BitPosition
/*0x000*/   ULONG32    PageSize : 2;        // 18 BitPosition
/*0x000*/   ULONG32    PrivateMemoryAlwaysSet : 1; // 20 BitPosition
/*0x000*/   ULONG32    WriteWatch : 1;       // 21 BitPosition
/*0x000*/   ULONG32    FixedLargePageSize : 1;   // 22 BitPosition
/*0x000*/   ULONG32    ZeroFillPagesOptional : 1;  // 23 BitPosition
/*0x000*/   ULONG32    Graphics : 1;        // 24 BitPosition
/*0x000*/   ULONG32    Enclave : 1;         // 25 BitPosition
/*0x000*/   ULONG32    ShadowStack : 1;       // 26 BitPosition
}MM_PRIVATE_VAD_FLAGS, *PMM_PRIVATE_VAD_FLAGS;
// Generic flag bits common to every VAD; the view of MMVAD_SHORT.u1.Flags to
// read first (PrivateMemory at bit 20 tells which of the specialised views
// applies). Bit positions are build-specific and must be re-checked per build.
typedef struct _MMVAD_FLAGS {      // 9 elements, 0x4 bytes (sizeof)
/*0x000*/   ULONG32    Lock : 1;       // 0 BitPosition
/*0x000*/   ULONG32    LockContended : 1;   // 1 BitPosition
/*0x000*/   ULONG32    DeleteInProgress : 1; // 2 BitPosition
/*0x000*/   ULONG32    NoChange : 1;     // 3 BitPosition
/*0x000*/   ULONG32    VadType : 3;      // 4 BitPosition
/*0x000*/   ULONG32    Protection : 5;    // 7 BitPosition
/*0x000*/   ULONG32    PreferredNode : 6;   // 12 BitPosition
/*0x000*/   ULONG32    PageSize : 2;     // 18 BitPosition
/*0x000*/   ULONG32    PrivateMemory : 1;   // 20 BitPosition
}MMVAD_FLAGS, *PMMVAD_FLAGS;
// Flag bits of a shared/mapped VAD; one of the overlaid views of
// MMVAD_SHORT.u1.Flags. Bit positions are build-specific and must be re-checked
// per build.
typedef struct _MM_SHARED_VAD_FLAGS{       // 11 elements, 0x4 bytes (sizeof)
/*0x000*/   ULONG32    Lock : 1;           // 0 BitPosition
/*0x000*/   ULONG32    LockContended : 1;       // 1 BitPosition
/*0x000*/   ULONG32    DeleteInProgress : 1;     // 2 BitPosition
/*0x000*/   ULONG32    NoChange : 1;         // 3 BitPosition
/*0x000*/   ULONG32    VadType : 3;          // 4 BitPosition
/*0x000*/   ULONG32    Protection : 5;        // 7 BitPosition
/*0x000*/   ULONG32    PreferredNode : 6;       // 12 BitPosition
/*0x000*/   ULONG32    PageSize : 2;         // 18 BitPosition
/*0x000*/   ULONG32    PrivateMemoryAlwaysClear : 1; // 20 BitPosition
/*0x000*/   ULONG32    PrivateFixup : 1;       // 21 BitPosition
/*0x000*/   ULONG32    HotPatchAllowed : 1;      // 22 BitPosition
}MM_SHARED_VAD_FLAGS, *PMM_SHARED_VAD_FLAGS;
// Second flag word of a full VAD (MMVAD.u2.VadFlags2). FileOffset occupies the
// low 24 bits. Bit positions are build-specific and must be re-checked per build.
typedef struct _MMVAD_FLAGS2 {      // 7 elements, 0x4 bytes (sizeof)
/*0x000*/   ULONG32    FileOffset : 24;     // 0 BitPosition
/*0x000*/   ULONG32    Large : 1;        // 24 BitPosition
/*0x000*/   ULONG32    TrimBehind : 1;     // 25 BitPosition
/*0x000*/   ULONG32    Inherit : 1;       // 26 BitPosition
/*0x000*/   ULONG32    NoValidationNeeded : 1; // 27 BitPosition
/*0x000*/   ULONG32    PrivateDemandZero : 1;  // 28 BitPosition
/*0x000*/   ULONG32    Spare : 3;        // 29 BitPosition
}MMVAD_FLAGS2, *PMMVAD_FLAGS2;
// Core VAD node (nt!_MMVAD_SHORT): the AVL tree link plus the page range and
// flags of one region. Embedded as MMVAD.Core. Field offsets in the comments are
// for the build this header was dumped from and must be re-checked per build.
typedef struct _MMVAD_SHORT{
RTL_BALANCED_NODE VadNode;         // AVL tree link
UINT32 StartingVpn;        /*0x18*/  // presumably the low 32 bits of the first VPN — confirm
UINT32 EndingVpn;         /*0x01C*/  // presumably the low 32 bits of the last VPN — confirm
UCHAR StartingVpnHigh;             // presumably the upper bits of StartingVpn — confirm
UCHAR EndingVpnHigh;               // presumably the upper bits of EndingVpn — confirm
UCHAR CommitChargeHigh;
UCHAR SpareNT64VadUChar;
INT32 ReferenceCount;
EX_PUSH_LOCK PushLock;       /*0x028*/
struct{
union{                             /*0x030*/ // one 4-byte flag word, viewed through the flag structs above
ULONG_PTR flag;                    // raw view (note: 8 bytes wide, the flag structs are 4)
MM_PRIVATE_VAD_FLAGS PrivateVadFlags;
MMVAD_FLAGS  VadFlags;
MM_GRAPHICS_VAD_FLAGS GraphicsVadFlags;
MM_SHARED_VAD_FLAGS  SharedVadFlags;
}Flags;
}u1;
PVOID EventList;             /*0x038*/
}MMVAD_SHORT, *PMMVAD_SHORT;
// Older address-node layout with explicit left/right child pointers. Not
// referenced by MMVAD/MMVAD_SHORT in this header, which use RTL_BALANCED_NODE;
// kept presumably for builds that still use this shape — confirm before relying on it.
typedef struct _MMADDRESS_NODE{
ULONG64 u1;
struct _MMADDRESS_NODE* LeftChild;
struct _MMADDRESS_NODE* RightChild;
ULONG64 StartingVpn;
ULONG64 EndingVpn;
}MMADDRESS_NODE, *PMMADDRESS_NODE;
// Extension record reachable from _SEGMENT.u.ExtendInfo. The trailing padding
// keeps the 0x10-byte size noted in the dump comment.
typedef struct _MMEXTEND_INFO{   // 2 elements, 0x10 bytes (sizeof)
/*0x000*/   UINT64    CommittedSize;
/*0x008*/   ULONG32    ReferenceCount;
/*0x00C*/   UINT8     _PADDING0_[0x4];
}MMEXTEND_INFO, *PMMEXTEND_INFO;
// Section segment, reached through _CONTROL_AREA.Segment. Only the leading
// members are spelled out; ThePtes[0x1] is presumably a pre-C99 trailing
// variable-length array — confirm before indexing past element 0.
struct _SEGMENT{
struct _CONTROL_AREA* ControlArea;   // back-pointer to the owning control area
ULONG TotalNumberOfPtes;
ULONG SegmentFlags;
ULONG64 NumberOfCommittedPages;
ULONG64 SizeOfSegment;
union{
struct _MMEXTEND_INFO* ExtendInfo;
void* BasedAddress;
}u;
ULONG64 SegmentLock;
ULONG64 u1;
ULONG64 u2;
PVOID* PrototypePte;
ULONGLONG ThePtes[0x1];
};
// Fast reference: a pointer whose low 3 bits hold a small reference count
// (RefCnt) — mask them off before using Object. Used for _CONTROL_AREA.FilePointer.
typedef struct _EX_FAST_REF{
union{
PVOID Object;
ULONG_PTR RefCnt : 3;
ULONG_PTR Value;
};
} EX_FAST_REF, *PEX_FAST_REF;
// Control area of a mapped section, reached through SUBSECTION.ControlArea.
// FilePointer is an EX_FAST_REF, so its low bits must be masked before it is
// treated as a FILE_OBJECT pointer. Offsets are from the build this header was
// dumped from; the tail of the structure after FilePointer is not declared here.
typedef struct _CONTROL_AREA{            // 17 elements, 0x80 bytes (sizeof)
/*0x000*/   struct _SEGMENT* Segment;
union{                     // 2 elements, 0x10 bytes (sizeof)
/*0x008*/     struct _LIST_ENTRY ListHead;        // 2 elements, 0x10 bytes (sizeof)
/*0x008*/     VOID*     AweContext;
};
/*0x018*/   UINT64    NumberOfSectionReferences;
/*0x020*/   UINT64    NumberOfPfnReferences;
/*0x028*/   UINT64    NumberOfMappedViews;
/*0x030*/   UINT64    NumberOfUserReferences;
/*0x038*/   ULONG32 u;           // flag word, left opaque here
/*0x03C*/   ULONG32 u1;           // flag word, left opaque here
/*0x040*/   struct _EX_FAST_REF FilePointer;        // 3 elements, 0x8 bytes (sizeof)
// remaining members (dump says 0x80 bytes total) are not declared
}CONTROL_AREA, *PCONTROL_AREA;
// Subsection: only its leading ControlArea pointer is declared, which is all
// MMVAD.Subsection is used for here.
typedef struct _SUBSECTION_{
struct _CONTROL_AREA* ControlArea;
}SUBSECTION, *PSUBSECTION;
// Full VAD node: the MMVAD_SHORT core followed by the file-mapping fields.
// Private (non-file-backed) VADs are only MMVAD_SHORT in the kernel, so
// Subsection and later fields must be validated before being read — the
// walker checks them with MmIsAddressValid and masks FilePointer.
// Offsets are for one specific x64 build; re-verify with the debugger.
typedef struct _MMVAD{
MMVAD_SHORT Core;
union{         /*0x040*/
UINT32 LongFlags2;
// members not needed here are omitted
MMVAD_FLAGS2 VadFlags2;
}u2;
PSUBSECTION Subsection;        /*0x048*/
PVOID FirstPrototypePte;     /*0x050*/
PVOID LastContiguousPte;     /*0x058*/
LIST_ENTRY ViewLinks;      /*0x060*/
PEPROCESS VadsProcess;      /*0x070*/
PVOID u4;            /*0x078*/
PVOID FileObject;        /*0x080*/
}MMVAD, *PMMVAD;
// Root of the process VAD tree (EPROCESS.VadRoot); Root points at the
// RTL_BALANCED_NODE embedded at the start of an MMVAD_SHORT, or is NULL.
typedef struct _RTL_AVL_TREE {    // 1 elements, 0x8 bytes (sizeof)
/*0x000*/   struct _RTL_BALANCED_NODE* Root;
}RTL_AVL_TREE, *PRTL_AVL_TREE;
// One enumerated VAD as reported to the caller.
//   pVad        kernel address of the MMVAD node
//   startVpn    first byte of the range (StartingVpn * PAGE_SIZE)
//   endVpn      last byte of the range  (EndingVpn * PAGE_SIZE + 0xfff)
//   pFileObject FILE_OBJECT backing the mapping, 0 if none/unreadable
//   flags       raw MMVAD_SHORT.u1.Flags value
typedef struct _VAD_INFO_{
ULONG_PTR pVad;
ULONG_PTR startVpn;
ULONG_PTR endVpn;
ULONG_PTR pFileObject;
ULONG_PTR flags;
}VAD_INFO, *PVAD_INFO;
// Output buffer: nCnt entries filled, followed by the entries themselves.
// VadInfos[1] is the classic "trailing array" idiom; because VAD_INFO is
// pointer-aligned there is 4 bytes of padding after nCnt, so size the
// buffer with FIELD_OFFSET(ALL_VADS, VadInfos), not sizeof(ULONG).
typedef struct _ALL_VADS_{
ULONG nCnt;
VAD_INFO VadInfos[1];
}ALL_VADS, *PALL_VADS;
// Section flag bits (SECTION.u.Flags).  Bit positions are for one specific
// build; a mismatch silently mis-reads neighbouring bits.
typedef struct _MMSECTION_FLAGS{             // 27 elements, 0x4 bytes (sizeof)
/*0x000*/   UINT32    BeingDeleted : 1;           // 0 BitPosition
/*0x000*/   UINT32    BeingCreated : 1;           // 1 BitPosition
/*0x000*/   UINT32    BeingPurged : 1;            // 2 BitPosition
/*0x000*/   UINT32    NoModifiedWriting : 1;         // 3 BitPosition
/*0x000*/   UINT32    FailAllIo : 1;             // 4 BitPosition
/*0x000*/   UINT32    Image : 1;               // 5 BitPosition
/*0x000*/   UINT32    Based : 1;               // 6 BitPosition
/*0x000*/   UINT32    File : 1;               // 7 BitPosition
/*0x000*/   UINT32    AttemptingDelete : 1;         // 8 BitPosition
/*0x000*/   UINT32    PrefetchCreated : 1;          // 9 BitPosition
/*0x000*/   UINT32    PhysicalMemory : 1;          // 10 BitPosition
/*0x000*/   UINT32    ImageControlAreaOnRemovableMedia : 1; // 11 BitPosition
/*0x000*/   UINT32    Reserve : 1;              // 12 BitPosition
/*0x000*/   UINT32    Commit : 1;              // 13 BitPosition
/*0x000*/   UINT32    NoChange : 1;             // 14 BitPosition
/*0x000*/   UINT32    WasPurged : 1;             // 15 BitPosition
/*0x000*/   UINT32    UserReference : 1;           // 16 BitPosition
/*0x000*/   UINT32    GlobalMemory : 1;           // 17 BitPosition
/*0x000*/   UINT32    DeleteOnClose : 1;           // 18 BitPosition
/*0x000*/   UINT32    FilePointerNull : 1;          // 19 BitPosition
/*0x000*/   ULONG32    PreferredNode : 6;           // 20 BitPosition
/*0x000*/   UINT32    GlobalOnlyPerSession : 1;       // 26 BitPosition
/*0x000*/   UINT32    UserWritable : 1;           // 27 BitPosition
/*0x000*/   UINT32    SystemVaAllocated : 1;         // 28 BitPosition
/*0x000*/   UINT32    PreferredFsCompressionBoundary : 1;  // 29 BitPosition
/*0x000*/   UINT32    UsingFileExtents : 1;         // 30 BitPosition
/*0x000*/   UINT32    PageSize64K : 1;            // 31 BitPosition
}MMSECTION_FLAGS, *PMMSECTION_FLAGS;
// Mirror of the kernel's _SECTION object body.  u1 is a union: it holds a
// CONTROL_AREA pointer or, for some section kinds, a FILE_OBJECT pointer —
// check the flags before assuming which.  Build-specific layout.
typedef struct _SECTION {             // 9 elements, 0x40 bytes (sizeof)
/*0x000*/   struct _RTL_BALANCED_NODE SectionNode;    // 6 elements, 0x18 bytes (sizeof)
/*0x018*/   UINT64    StartingVpn;
/*0x020*/   UINT64    EndingVpn;
/*0x028*/   union {
PCONTROL_AREA  ControlArea;
PVOID  FileObject;
}u1;          // 4 elements, 0x8 bytes (sizeof)
/*0x030*/   UINT64    SizeOfSection;
/*0x038*/   union {
ULONG32 LongFlags;
MMSECTION_FLAGS Flags;
}u;           // 2 elements, 0x4 bytes (sizeof)
struct{                    // 3 elements, 0x4 bytes (sizeof)
/*0x03C*/     ULONG32    InitialPageProtection : 12; // 0 BitPosition
/*0x03C*/     ULONG32    SessionId : 19;       // 12 BitPosition
/*0x03C*/     ULONG32    NoValidationNeeded : 1;   // 31 BitPosition
};
}SECTION, *PSECTION;

实现:

#include "vad.h"
#include <ntifs.h>
// Offsets of VadRoot / VadCount inside EPROCESS, hard-coded for ONE kernel
// build.  On any other build these point at unrelated EPROCESS fields and the
// walker will treat arbitrary kernel memory as a VAD tree.  Verify with
// `dt nt!_EPROCESS VadRoot` on the target (or resolve them at run time) before
// loading this driver anywhere else.
#define eprocess_offset_VadRoot 0x658
#define eprocess_offset_VadCount 0x668
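// Record one VAD node into pBuffer (if there is room) and recurse into its
// children.  nCnt is the capacity of pBuffer->VadInfos; pBuffer->nCnt is the
// current fill level and is advanced here.
//
// The target process's VAD tree is read without holding its address-space
// lock, so nodes can disappear mid-walk: every dereference is inside __try
// and each pointer on the way to the FILE_OBJECT is checked first.  The
// result is a best-effort snapshot, not an authoritative one.
VOID EnumVad(PMMVAD Root, PALL_VADS pBuffer, ULONG nCnt){
    if (!Root || !pBuffer || !nCnt)
        return;
    __try{
        if (nCnt > pBuffer->nCnt){
            PVAD_INFO info = &pBuffer->VadInfos[pBuffer->nCnt];
            ULONG64 startVpn = ((ULONG64)Root->Core.StartingVpnHigh << 32) | Root->Core.StartingVpn;
            ULONG64 endVpn = ((ULONG64)Root->Core.EndingVpnHigh << 32) | Root->Core.EndingVpn;

            // The pool buffer is not guaranteed to be zeroed by the caller;
            // clear the slot so pFileObject reads as 0 for VADs that have no
            // backing file instead of leaking stale pool contents.
            RtlZeroMemory(info, sizeof(*info));
            info->pVad = (ULONG_PTR)Root;
            // First byte of the range: StartingVpn * PAGE_SIZE.
            info->startVpn = (ULONG_PTR)(startVpn << PAGE_SHIFT);
            // Last byte of the range: EndingVpn * PAGE_SIZE + (PAGE_SIZE - 1).
            info->endVpn = (ULONG_PTR)((endVpn << PAGE_SHIFT) + (PAGE_SIZE - 1));
            // Raw VAD flags (on the build this was written against, 928 was
            // seen for Mapped and 1049088 for Private).
            info->flags = Root->Core.u1.Flags.flag;

            // Backing FILE_OBJECT for file-backed VADs.  FilePointer is an
            // EX_FAST_REF: the low 4 bits are a reference count and must be
            // masked off before the value is used as a pointer.
            if (MmIsAddressValid(Root->Subsection) && MmIsAddressValid(Root->Subsection->ControlArea)){
                ULONG_PTR fileObject = Root->Subsection->ControlArea->FilePointer.Value & ~(ULONG_PTR)0xF;
                if (MmIsAddressValid((PVOID)fileObject))
                    info->pFileObject = fileObject;
            }
            pBuffer->nCnt++;
        }
        // Depth-first into both subtrees (AVL tree, so depth stays O(log n)).
        if (MmIsAddressValid(Root->Core.VadNode.Left))
            EnumVad((PMMVAD)Root->Core.VadNode.Left, pBuffer, nCnt);
        if (MmIsAddressValid(Root->Core.VadNode.Right))
            EnumVad((PMMVAD)Root->Core.VadNode.Right, pBuffer, nCnt);
    }
    __except (EXCEPTION_EXECUTE_HANDLER){
        // A node vanished or an offset is wrong for this build; keep what has
        // been collected so far rather than bug-checking.
    }
}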
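// Enumerate the VADs of process Pid into pBuffer, which has room for nCnt
// VAD_INFO entries.  pBuffer->nCnt must be initialised by the caller
// (normally 0) and is advanced by the number of entries written.
//
// Returns FALSE if the process cannot be looked up or the VAD root cannot be
// read; TRUE otherwise (an empty tree is a successful, empty enumeration).
// The process reference taken by PsLookupProcessByProcessId is released on
// every path — the original returned early without dropping it when the
// VadRoot address failed validation.  The tree is read without the target's
// address-space lock, so the result is a best-effort snapshot, and the
// eprocess_offset_* values must match the running kernel build.
BOOLEAN EnumProcessVad(ULONG Pid, PALL_VADS pBuffer, ULONG nCnt){
    PEPROCESS Peprocess = NULL;
    PRTL_AVL_TREE Table = NULL;
    PMMVAD Root = NULL;
    BOOLEAN ok = FALSE;

    if (!pBuffer || !nCnt)
        return FALSE;
    if (!NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)Pid, &Peprocess)))
        return FALSE;

    __try{
        Table = (PRTL_AVL_TREE)((UCHAR*)Peprocess + eprocess_offset_VadRoot);
        if (!MmIsAddressValid(Table))
            __leave;
        Root = (PMMVAD)Table->Root;
        if (Root != NULL && !MmIsAddressValid(Root))
            __leave;
        // EnumVad records the root node itself and then recurses, so the root
        // does not need a second copy of the bookkeeping here (the original
        // duplicated it and forgot the +0xfff on endVpn for the root).
        EnumVad(Root, pBuffer, nCnt);
        ok = TRUE;
    }
    __except (EXCEPTION_EXECUTE_HANDLER){
        ok = FALSE;
    }
    ObDereferenceObject(Peprocess);
    return ok;
}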
// Unload routine: this driver keeps no state that outlives DriverEntry, so
// there is nothing to release.
VOID UnDriver(PDRIVER_OBJECT driver){
    (VOID)driver;   // unused
}
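// Driver entry: enumerate the VADs of a hard-coded PID and print them.
//
// Fixes relative to the original:
//  * the pool buffer is zeroed before use — EnumProcessVad reads
//    pBuffer->nCnt as the fill level, and ExAllocatePool returns
//    uninitialised memory, so a stale value became an out-of-bounds index;
//  * the buffer size accounts for the padding between nCnt and VadInfos
//    (FIELD_OFFSET), so the last entry no longer spills 4 bytes past the end;
//  * the allocation is NULL-checked and freed on every path.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath){
    typedef struct{
        ULONG nPid;
        ULONG nSize;
        PALL_VADS pBuffer;
    }VADProcess;
    const ULONG tag = 'sdaV';          // pool tag
    VADProcess vad = { 0 };
    ULONG nCount;

    (VOID)RegistryPath;
    Driver->DriverUnload = UnDriver;

    vad.nPid = 4520;
    // Room for 0x5000 VAD entries after the header.
    vad.nSize = FIELD_OFFSET(ALL_VADS, VadInfos) + sizeof(VAD_INFO) * 0x5000;
    vad.pBuffer = (PALL_VADS)ExAllocatePoolWithTag(PagedPool, vad.nSize, tag);
    if (vad.pBuffer == NULL){
        DbgPrint("分配内存失败 \n");
        return STATUS_SUCCESS;
    }
    RtlZeroMemory(vad.pBuffer, vad.nSize);
    // Capacity derived from the buffer size, so the two cannot drift apart.
    nCount = (vad.nSize - FIELD_OFFSET(ALL_VADS, VadInfos)) / sizeof(VAD_INFO);

    __try{
        if (!EnumProcessVad(vad.nPid, vad.pBuffer, nCount))
            DbgPrint("枚举VAD失败 \n");
        for (ULONG i = 0; i < vad.pBuffer->nCnt; i++){
            DbgPrint("StartVPN = %p | ", (PVOID)vad.pBuffer->VadInfos[i].startVpn);
            DbgPrint("EndVPN = %p | ", (PVOID)vad.pBuffer->VadInfos[i].endVpn);
            DbgPrint("PVAD = %p | ", (PVOID)vad.pBuffer->VadInfos[i].pVad);
            // flags is ULONG_PTR; %d would only read its low 32 bits.
            DbgPrint("Flags = 0x%p | ", (PVOID)vad.pBuffer->VadInfos[i].flags);
            DbgPrint("pFileObject = %p \n", (PVOID)vad.pBuffer->VadInfos[i].pFileObject);
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER){
        DbgPrint("枚举VAD异常 \n");
    }
    ExFreePoolWithTag(vad.pBuffer, tag);
    return STATUS_SUCCESS;
}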

获取驱动加载状态

这里实现判断当前驱动是否加载成功,成功则输出该驱动详细路径信息。

NtQuerySystemInformation可查询到很多系统信息状态:

// Function-pointer type for NtQuerySystemInformation, which is resolved at
// run time with MmGetSystemRoutineAddress.
// NOTE(review): the documented prototype takes ULONG SystemInformationLength
// and PULONG ReturnLength.  The ULONG_PTR/PULONG_PTR used here only work
// because the callers zero-initialise the length variable and x64 is
// little-endian, so the 32-bit value the kernel writes lands in the low
// half.  Prefer ULONG/PULONG when revising.
typedef NTSTATUS(*NTQUERYSYSTEMINFORMATION)(
IN ULONG SystemInformationClass,
OUT PVOID  SystemInformation,
IN ULONG_PTR   SystemInformationLength,
OUT PULONG_PTR  ReturnLength OPTIONAL
);

返回的结构有SYSTEM_MODULE_INFORMATION,可得到模块入口信息模块名等。

// One entry of the SystemModuleInformation array (the kernel's
// RTL_PROCESS_MODULE_INFORMATION).  [Base, Base + Size) is the image range.
// PathLength is the same field that RTL_PROCESS_MODULE_INFORMATION below
// calls OffsetToFileName: the offset of the file name inside ImageName.
typedef struct _SYSTEM_MODULE_INFORMATION {
HANDLE Section;
PVOID MappedBase;
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT PathLength;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;

还有SYSTEM_INFORMATION_CLASS枚举(下面的取值来自未公开头文件,不同系统版本可能有增减),这里只用到SystemModuleInformation(0xb)类型:

// Information classes accepted by NtQuerySystemInformation.  This is an
// undocumented enum; the values listed are a snapshot for one Windows
// version and only SystemModuleInformation (0xb) is used in this article.
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemBasicInformation = 0x0,
SystemProcessorInformation = 0x1,
SystemPerformanceInformation = 0x2,
SystemTimeOfDayInformation = 0x3,
SystemPathInformation = 0x4,
SystemProcessInformation = 0x5,
SystemCallCountInformation = 0x6,
SystemDeviceInformation = 0x7,
SystemProcessorPerformanceInformation = 0x8,
SystemFlagsInformation = 0x9,
SystemCallTimeInformation = 0xa,
SystemModuleInformation = 0xb,
SystemLocksInformation = 0xc,
SystemStackTraceInformation = 0xd,
SystemPagedPoolInformation = 0xe,
SystemNonPagedPoolInformation = 0xf,
SystemHandleInformation = 0x10,
SystemObjectInformation = 0x11,
SystemPageFileInformation = 0x12,
SystemVdmInstemulInformation = 0x13,
SystemVdmBopInformation = 0x14,
SystemFileCacheInformation = 0x15,
SystemPoolTagInformation = 0x16,
SystemInterruptInformation = 0x17,
SystemDpcBehaviorInformation = 0x18,
SystemFullMemoryInformation = 0x19,
SystemLoadGdiDriverInformation = 0x1a,
SystemUnloadGdiDriverInformation = 0x1b,
SystemTimeAdjustmentInformation = 0x1c,
SystemSummaryMemoryInformation = 0x1d,
SystemMirrorMemoryInformation = 0x1e,
SystemPerformanceTraceInformation = 0x1f,
SystemObsolete0 = 0x20,
SystemExceptionInformation = 0x21,
SystemCrashDumpStateInformation = 0x22,
SystemKernelDebuggerInformation = 0x23,
SystemContextSwitchInformation = 0x24,
SystemRegistryQuotaInformation = 0x25,
SystemExtendServiceTableInformation = 0x26,
SystemPrioritySeperation = 0x27,
SystemVerifierAddDriverInformation = 0x28,
SystemVerifierRemoveDriverInformation = 0x29,
SystemProcessorIdleInformation = 0x2a,
SystemLegacyDriverInformation = 0x2b,
SystemCurrentTimeZoneInformation = 0x2c,
SystemLookasideInformation = 0x2d,
SystemTimeSlipNotification = 0x2e,
SystemSessionCreate = 0x2f,
SystemSessionDetach = 0x30,
SystemSessionInformation = 0x31,
SystemRangeStartInformation = 0x32,
SystemVerifierInformation = 0x33,
SystemVerifierThunkExtend = 0x34,
SystemSessionProcessInformation = 0x35,
SystemLoadGdiDriverInSystemSpace = 0x36,
SystemNumaProcessorMap = 0x37,
SystemPrefetcherInformation = 0x38,
SystemExtendedProcessInformation = 0x39,
SystemRecommendedSharedDataAlignment = 0x3a,
SystemComPlusPackage = 0x3b,
SystemNumaAvailableMemory = 0x3c,
SystemProcessorPowerInformation = 0x3d,
SystemEmulationBasicInformation = 0x3e,
SystemEmulationProcessorInformation = 0x3f,
SystemExtendedHandleInformation = 0x40,
SystemLostDelayedWriteInformation = 0x41,
SystemBigPoolInformation = 0x42,
SystemSessionPoolTagInformation = 0x43,
SystemSessionMappedViewInformation = 0x44,
SystemHotpatchInformation = 0x45,
SystemObjectSecurityMode = 0x46,
SystemWatchdogTimerHandler = 0x47,
SystemWatchdogTimerInformation = 0x48,
SystemLogicalProcessorInformation = 0x49,
SystemWow64SharedInformationObsolete = 0x4a,
SystemRegisterFirmwareTableInformationHandler = 0x4b,
SystemFirmwareTableInformation = 0x4c,
SystemModuleInformationEx = 0x4d,
SystemVerifierTriageInformation = 0x4e,
SystemSuperfetchInformation = 0x4f,
SystemMemoryListInformation = 0x50,
SystemFileCacheInformationEx = 0x51,
SystemThreadPriorityClientIdInformation = 0x52,
SystemProcessorIdleCycleTimeInformation = 0x53,
SystemVerifierCancellationInformation = 0x54,
SystemProcessorPowerInformationEx = 0x55,
SystemRefTraceInformation = 0x56,
SystemSpecialPoolInformation = 0x57,
SystemProcessIdInformation = 0x58,
SystemErrorPortInformation = 0x59,
SystemBootEnvironmentInformation = 0x5a,
SystemHypervisorInformation = 0x5b,
SystemVerifierInformationEx = 0x5c,
SystemTimeZoneInformation = 0x5d,
SystemImageFileExecutionOptionsInformation = 0x5e,
SystemCoverageInformation = 0x5f,
SystemPrefetchPatchInformation = 0x60,
SystemVerifierFaultsInformation = 0x61,
SystemSystemPartitionInformation = 0x62,
SystemSystemDiskInformation = 0x63,
SystemProcessorPerformanceDistribution = 0x64,
SystemNumaProximityNodeInformation = 0x65,
SystemDynamicTimeZoneInformation = 0x66,
SystemCodeIntegrityInformation = 0x67,
SystemProcessorMicrocodeUpdateInformation = 0x68,
SystemProcessorBrandString = 0x69,
SystemVirtualAddressInformation = 0x6a,
SystemLogicalProcessorAndGroupInformation = 0x6b,
SystemProcessorCycleTimeInformation = 0x6c,
SystemStoreInformation = 0x6d,
SystemRegistryAppendString = 0x6e,
SystemAitSamplingValue = 0x6f,
SystemVhdBootInformation = 0x70,
SystemCpuQuotaInformation = 0x71,
SystemNativeBasicInformation = 0x72,
SystemErrorPortTimeouts = 0x73,
SystemLowPriorityIoInformation = 0x74,
SystemBootEntropyInformation = 0x75,
SystemVerifierCountersInformation = 0x76,
SystemPagedPoolInformationEx = 0x77,
SystemSystemPtesInformationEx = 0x78,
SystemNodeDistanceInformation = 0x79,
SystemAcpiAuditInformation = 0x7a,
SystemBasicPerformanceInformation = 0x7b,
SystemQueryPerformanceCounterInformation = 0x7c,
SystemSessionBigPoolInformation = 0x7d,
SystemBootGraphicsInformation = 0x7e,
SystemScrubPhysicalMemoryInformation = 0x7f,
SystemBadPageInformation = 0x80,
SystemProcessorProfileControlArea = 0x81,
SystemCombinePhysicalMemoryInformation = 0x82,
SystemEntropyInterruptTimingInformation = 0x83,
SystemConsoleInformation = 0x84,
SystemPlatformBinaryInformation = 0x85,
SystemThrottleNotificationInformation = 0x86,
SystemHypervisorProcessorCountInformation = 0x87,
SystemDeviceDataInformation = 0x88,
SystemDeviceDataEnumerationInformation = 0x89,
SystemMemoryTopologyInformation = 0x8a,
SystemMemoryChannelInformation = 0x8b,
SystemBootLogoInformation = 0x8c,
SystemProcessorPerformanceInformationEx = 0x8d,
SystemSpare0 = 0x8e,
SystemSecureBootPolicyInformation = 0x8f,
SystemPageFileInformationEx = 0x90,
SystemSecureBootInformation = 0x91,
SystemEntropyInterruptTimingRawInformation = 0x92,
SystemPortableWorkspaceEfiLauncherInformation = 0x93,
SystemFullProcessInformation = 0x94,
SystemKernelDebuggerInformationEx = 0x95,
SystemBootMetadataInformation = 0x96,
SystemSoftRebootInformation = 0x97,
SystemElamCertificateInformation = 0x98,
SystemOfflineDumpConfigInformation = 0x99,
SystemProcessorFeaturesInformation = 0x9a,
SystemRegistryReconciliationInformation = 0x9b,
MaxSystemInfoClass = 0x9c,
} SYSTEM_INFORMATION_CLASS;

判断当前驱动是否加载成功的具体方法:

  1. 通过MmGetSystemRoutineAddress动态取得NtQuerySystemInformation的地址(该函数未在公开的WDK头文件中声明,不宜直接链接)。
  2. 用得到的m_NtQuerySystemInformation查询SystemModuleInformation,取得已加载模块列表;注意两次调用之间列表可能增长,长度不匹配时应重新查询。
  3. 判断自身(本函数地址)是否落在某个模块的[Base, Base+Size)区间内,如果是则输出该模块路径。

实现:

#include <ntifs.h>
#include <windef.h>
#include <stdlib.h>
// Function-pointer type for the run-time-resolved NtQuerySystemInformation.
// NOTE(review): the documented prototype uses ULONG/PULONG for the two length
// parameters; ULONG_PTR/PULONG_PTR work here only because RetLength is
// zero-initialised and the kernel's 32-bit write lands in its low half.
typedef NTSTATUS(*NTQUERYSYSTEMINFORMATION)(
IN ULONG SystemInformationClass,
OUT PVOID  SystemInformation,
IN ULONG_PTR   SystemInformationLength,
OUT PULONG_PTR  ReturnLength OPTIONAL
);
// One loaded-module entry as returned for SystemModuleInformation; the image
// occupies [Base, Base + Size).  ImageName is the full path, and PathLength
// (OffsetToFileName elsewhere) is the offset of the bare file name in it.
typedef struct _SYSTEM_MODULE_INFORMATION {
HANDLE Section;
PVOID MappedBase;
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT PathLength;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
// Subset of the undocumented SYSTEM_INFORMATION_CLASS enum; only
// SystemModuleInformation (0xb) is used by JudgeLoadDriver.
typedef enum _SYSTEM_INFORMATION_CLASS{
SystemBasicInformation = 0x0,
SystemProcessorInformation = 0x1,
SystemPerformanceInformation = 0x2,
SystemTimeOfDayInformation = 0x3,
SystemPathInformation = 0x4,
SystemProcessInformation = 0x5,
SystemCallCountInformation = 0x6,
SystemDeviceInformation = 0x7,
SystemProcessorPerformanceInformation = 0x8,
SystemFlagsInformation = 0x9,
SystemCallTimeInformation = 0xa,
SystemModuleInformation = 0xb,
SystemLocksInformation = 0xc,
} SYSTEM_INFORMATION_CLASS;
// 判断当前Driver是否加载成功
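// Look for the calling driver's own image in the kernel's loaded-module list
// and print its path.  The address of this function is the "inside our
// image" probe.
//
// Returns 2 if found, 0 if the list was read but this image is not in it,
// and 1 on any failure.
//
// Fixes relative to the original: the pool buffer is freed on every path
// (it was never freed); the size query is retried while the kernel reports
// STATUS_INFO_LENGTH_MISMATCH, because the module list can grow between the
// two calls; the range test is half-open; the walk never runs past the bytes
// actually returned; and the buffer is non-executable pool.
ULONG JudgeLoadDriver(){
    NTQUERYSYSTEMINFORMATION m_NtQuerySystemInformation = NULL;
    UNICODE_STRING NtQuerySystemInformation_Name;
    PSYSTEM_MODULE_INFORMATION ModuleEntry;
    ULONG_PTR RetLength = 0, BaseAddr, EndAddr, Self, BufferEnd;
    ULONG ModuleNumbers, Index, Attempt;
    NTSTATUS Status = STATUS_INFO_LENGTH_MISMATCH;
    PVOID Buffer = NULL;
    ULONG Result = 0;

    RtlInitUnicodeString(&NtQuerySystemInformation_Name, L"NtQuerySystemInformation");
    m_NtQuerySystemInformation = (NTQUERYSYSTEMINFORMATION)MmGetSystemRoutineAddress(&NtQuerySystemInformation_Name);
    if (m_NtQuerySystemInformation == NULL){
        DbgPrint("获取NtQuerySystemInformation函数失败!\n");
        return 1;
    }

    // First pass runs with Buffer == NULL / RetLength == 0 purely to learn the
    // size; later passes re-query if the list grew meanwhile.  Bounded so a
    // pathological system cannot spin here forever.
    for (Attempt = 0; Attempt < 4; ++Attempt){
        Status = m_NtQuerySystemInformation(SystemModuleInformation, Buffer, RetLength, &RetLength);
        if (Status != STATUS_INFO_LENGTH_MISMATCH)
            break;
        if (Buffer != NULL){
            ExFreePoolWithTag(Buffer, 'lysh');
            Buffer = NULL;
        }
        if (RetLength == 0)
            break;
        // Plain data: never hand out executable (non-NX) pool for it.
        Buffer = ExAllocatePoolWithTag(NonPagedPoolNx, RetLength, 'lysh');
        if (Buffer == NULL){
            DbgPrint("分配内存失败!\n");
            return 1;
        }
    }
    if (!NT_SUCCESS(Status) || Buffer == NULL){
        DbgPrint("NtQuerySystemInformation调用失败 %x\n", Status);
        if (Buffer != NULL)
            ExFreePoolWithTag(Buffer, 'lysh');
        return 1;
    }

    // Layout: ULONG NumberOfModules, padding up to pointer alignment, then
    // the entries.  The +8 is the x64 layout (on x86 the array starts at +4).
    ModuleNumbers = *(ULONG*)Buffer;
    ModuleEntry = (PSYSTEM_MODULE_INFORMATION)((ULONG_PTR)Buffer + 8);
    BufferEnd = (ULONG_PTR)Buffer + RetLength;
    Self = (ULONG_PTR)JudgeLoadDriver;
    for (Index = 0; Index < ModuleNumbers; ++Index, ++ModuleEntry){
        // Do not trust the count beyond the bytes the kernel actually wrote;
        // a struct-definition mismatch would otherwise read past the buffer.
        if ((ULONG_PTR)(ModuleEntry + 1) > BufferEnd)
            break;
        BaseAddr = (ULONG_PTR)ModuleEntry->Base;
        EndAddr = BaseAddr + ModuleEntry->Size;
        // Image range is half-open: [Base, Base + Size).
        if (BaseAddr <= Self && Self < EndAddr){
            DbgPrint("模块名称是:%s\n", ModuleEntry->ImageName);
            Result = 2;
            break;
        }
    }
    ExFreePoolWithTag(Buffer, 'lysh');
    return Result;
}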
// Unload routine; the driver holds no resources past DriverEntry.
VOID UnDriver(PDRIVER_OBJECT driver){
    (VOID)driver;   // unused
}
// Driver entry: report whether this image appears in the loaded-module list
// (0 = not found, 1 = query failed, 2 = found) and install the unload routine.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath){
    ULONG state;
    (VOID)RegistryPath;   // unused
    state = JudgeLoadDriver();
    DbgPrint("驱动状态: %d \n", state);
    Driver->DriverUnload = UnDriver;
    return STATUS_SUCCESS;
}

获取ntoskrnl模块基地址

从用户模式调用Native API时,previous mode为用户态。从内核模式调用时为内核态。previous为用户态时Native API对参数进行严格检查,为内核态不会。

内核模式下Zw和Nt系列API本质不同。Nt系列直接调用对应函数,Zw系列则经由系统服务分发(KiSystemService)跳转到对应函数。Nt系列不改变previous mode,Zw系列会把previous mode置为内核态。驱动开发时用Zw系列可跳过对参数(尤其是指针)的探测检查,少一些开销;但这正是风险所在:previous mode为内核态时,Zw*函数对传入的缓冲区指针不再做用户态地址校验。如果驱动把来自用户态(例如IOCTL输入)且未经ProbeForRead/ProbeForWrite校验的指针原样交给Zw*函数,内核就会以内核身份读写该地址,形成任意内核内存读写/提权漏洞。凡是源自用户态的参数,调用Zw*之前必须先自行校验并拷贝。

#include <ntifs.h>
// Cached ntoskrnl image base and size, filled in by UtilKernelBase on first
// successful call (0 until then).
static PVOID g_KernelBase = 0;
static ULONG g_KernelSize = 0;
#pragma pack(4)
// Leading fields of the 32-bit (WoW64) PEB; pointers are ULONG because they
// are 32-bit user addresses.  Packed to 4 so the layout matches the guest.
// Not used by UtilKernelBase below; provided for completeness.
typedef struct _PEB32{
UCHAR InheritedAddressSpace;
UCHAR ReadImageFileExecOptions;
UCHAR BeingDebugged;
UCHAR BitField;
ULONG Mutant;
ULONG ImageBaseAddress;
ULONG Ldr;
ULONG ProcessParameters;
ULONG SubSystemData;
ULONG ProcessHeap;
ULONG FastPebLock;
ULONG AtlThunkSListPtr;
ULONG IFEOKey;
ULONG CrossProcessFlags;
ULONG UserSharedInfoPtr;
ULONG SystemReserved;
ULONG AtlThunkSListPtr32;
ULONG ApiSetMap;
} PEB32, * PPEB32;
// 32-bit loader data (PEB32.Ldr): the three module lists as LIST_ENTRY32.
typedef struct _PEB_LDR_DATA32{
ULONG Length;
UCHAR Initialized;
ULONG SsHandle;
LIST_ENTRY32 InLoadOrderModuleList;
LIST_ENTRY32 InMemoryOrderModuleList;
LIST_ENTRY32 InInitializationOrderModuleList;
} PEB_LDR_DATA32, * PPEB_LDR_DATA32;
// 32-bit loader module entry.  Everything in here lives in user memory owned
// by the target process and must be treated as untrusted (probe + __try).
typedef struct _LDR_DATA_TABLE_ENTRY32{
LIST_ENTRY32 InLoadOrderLinks;
LIST_ENTRY32 InMemoryOrderLinks;
LIST_ENTRY32 InInitializationOrderLinks;
ULONG DllBase;
ULONG EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING32 FullDllName;
UNICODE_STRING32 BaseDllName;
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
LIST_ENTRY32 HashLinks;
ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY32, * PLDR_DATA_TABLE_ENTRY32;
#pragma pack()
// One loaded kernel module as returned for SystemModuleInformation.
// The image occupies [ImageBase, ImageBase + ImageSize); FullPathName is
// NUL-terminated and OffsetToFileName indexes the bare file name within it.
typedef struct _RTL_PROCESS_MODULE_INFORMATION{
HANDLE Section;
PVOID MappedBase;
PVOID ImageBase;
ULONG ImageSize;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT OffsetToFileName;
UCHAR  FullPathName[256];
} RTL_PROCESS_MODULE_INFORMATION, * PRTL_PROCESS_MODULE_INFORMATION;
// Header of the SystemModuleInformation buffer: a count followed by the
// entries (Modules[1] is the trailing-array idiom; the real array has
// NumberOfModules elements and starts at the pointer-aligned offset 8).
typedef struct _RTL_PROCESS_MODULES{
ULONG NumberOfModules;
RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES, * PRTL_PROCESS_MODULES;
// Only the one information class this file needs.
typedef enum _SYSTEM_INFORMATION_CLASS{
SystemModuleInformation = 0xb,
} SYSTEM_INFORMATION_CLASS;
// 取出KernelBase基地址
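// Locate the ntoskrnl image by finding which loaded module contains the
// exported routine NtOpenFile.  The result is cached in g_KernelBase /
// g_KernelSize.  pSize is optional and receives the image size.  Returns the
// image base, or NULL if it could not be determined.
//
// Fixes relative to the original: the pool tag is a real ULONG tag (a string
// literal was being passed where a ULONG is expected); the allocation is
// NULL-checked before it is zeroed; the buffer is freed on the exception
// path too; the size query is retried while the module list changes size;
// and the containment test uses integer arithmetic instead of comparing
// unrelated pointers.
// NOTE(review): ZwQuerySystemInformation needs a prototype from somewhere;
// it is not declared in every WDK's ntifs.h.
PVOID UtilKernelBase(OUT PULONG pSize){
    const ULONG tag = 'lnrK';          // shows as "Krnl" in pool dumps
    NTSTATUS status = STATUS_INFO_LENGTH_MISMATCH;
    ULONG bytes = 0;
    PRTL_PROCESS_MODULES pMods = NULL;
    PVOID checkPtr = NULL;
    UNICODE_STRING routineName;
    ULONG attempt;

    if (g_KernelBase != 0){
        if (pSize)
            *pSize = g_KernelSize;
        return g_KernelBase;
    }

    RtlInitUnicodeString(&routineName, L"NtOpenFile");
    checkPtr = MmGetSystemRoutineAddress(&routineName);
    if (checkPtr == NULL)
        return NULL;

    __try{
        // The first call (NULL, 0) only learns the size; subsequent calls
        // re-query if the list grew in between.  Bounded retries.
        for (attempt = 0; attempt < 4; ++attempt){
            status = ZwQuerySystemInformation(SystemModuleInformation, pMods, bytes, &bytes);
            if (status != STATUS_INFO_LENGTH_MISMATCH)
                break;
            if (pMods != NULL){
                ExFreePoolWithTag(pMods, tag);
                pMods = NULL;
            }
            if (bytes == 0){
                DbgPrint("Invalid SystemModuleInformation size\n");
                break;
            }
            pMods = (PRTL_PROCESS_MODULES)ExAllocatePoolWithTag(NonPagedPoolNx, bytes, tag);
            if (pMods == NULL){
                status = STATUS_INSUFFICIENT_RESOURCES;
                break;
            }
            RtlZeroMemory(pMods, bytes);
        }
        if (NT_SUCCESS(status) && pMods != NULL){
            PRTL_PROCESS_MODULE_INFORMATION pMod = pMods->Modules;
            ULONG_PTR probe = (ULONG_PTR)checkPtr;
            for (ULONG i = 0; i < pMods->NumberOfModules; i++){
                ULONG_PTR base = (ULONG_PTR)pMod[i].ImageBase;
                // Half-open range [ImageBase, ImageBase + ImageSize).
                if (probe >= base && probe < base + pMod[i].ImageSize){
                    g_KernelBase = pMod[i].ImageBase;
                    g_KernelSize = pMod[i].ImageSize;
                    break;
                }
            }
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER){
        g_KernelBase = 0;
        g_KernelSize = 0;
    }
    if (pMods != NULL)
        ExFreePoolWithTag(pMods, tag);
    if (pSize)
        *pSize = g_KernelSize;
    return g_KernelBase;
}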
// Unload routine; nothing was allocated for the lifetime of the driver.
VOID UnDriver(PDRIVER_OBJECT driver){
    (VOID)driver;   // unused
}
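// Driver entry: resolve and print the ntoskrnl image base and size.
// The size is printed with %x — the original used %p on a ULONG, which reads
// 8 bytes from a 4-byte argument and prints garbage in the upper half.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath){
    ULONG size = 0;
    PVOID base;
    (VOID)RegistryPath;   // unused
    base = UtilKernelBase(&size);
    DbgPrint("ntoskrnl.exe 模块基址: 0x%p \n", base);
    DbgPrint("模块大小: 0x%x \n", size);
    Driver->DriverUnload = UnDriver;
    return STATUS_SUCCESS;
}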

获取进程参数

官方peb.h,按需修改:

#pragma once
#include <ntifs.h>
// Current directory of a process: DOS path plus the directory handle
// (RTL_USER_PROCESS_PARAMETERS.CurrentDirectory).
typedef struct _CURDIR {       // 2 elements, 0x18 bytes (sizeof)
/*0x000*/   struct _UNICODE_STRING DosPath; // 3 elements, 0x10 bytes (sizeof)
/*0x010*/   VOID* Handle;
}CURDIR, * PCURDIR;
// Per-drive-letter current directory (32 of these follow in
// RTL_USER_PROCESS_PARAMETERS.CurrentDirectores).
typedef struct _RTL_DRIVE_LETTER_CURDIR {// 4 elements, 0x18 bytes (sizeof)
/*0x000*/   UINT16    Flags;
/*0x002*/   UINT16    Length;
/*0x004*/   ULONG32    TimeStamp;
/*0x008*/   struct _STRING DosPath;       // 3 elements, 0x10 bytes (sizeof)
}RTL_DRIVE_LETTER_CURDIR, * PRTL_DRIVE_LETTER_CURDIR;
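// Which system DLL flavour a (WoW64) process uses; stored in
// EWOW64PROCESS.NtdllType.  The original listing was missing the opening
// brace after the enum tag and did not compile.
typedef enum _SYSTEM_DLL_TYPE {         // 7 elements, 0x4 bytes
    PsNativeSystemDll = 0 /*0x0*/,
    PsWowX86SystemDll = 1 /*0x1*/,
    PsWowArm32SystemDll = 2 /*0x2*/,
    PsWowAmd64SystemDll = 3 /*0x3*/,
    PsWowChpeX86SystemDll = 4 /*0x4*/,
    PsVsmEnclaveRuntimeDll = 5 /*0x5*/,
    PsSystemDllTotalTypes = 6 /*0x6*/
} SYSTEM_DLL_TYPE, * PSYSTEM_DLL_TYPE;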
// WoW64 bookkeeping hung off EPROCESS: the 32-bit PEB pointer and the guest
// machine type.  Peb is a user-mode address in the target process.
typedef struct _EWOW64PROCESS {    // 3 elements, 0x10 bytes (sizeof)
/*0x000*/   VOID* Peb;
/*0x008*/   UINT16    Machine;
/*0x00A*/   UINT8     _PADDING0_[0x2];
/*0x00C*/   enum _SYSTEM_DLL_TYPE NtdllType;
}EWOW64PROCESS, * PEWOW64PROCESS;
// 64-bit RTL_USER_PROCESS_PARAMETERS (PEB64.ProcessParameters).  It lives in
// user memory of the target process and is fully under that process's
// control: every embedded pointer and UNICODE_STRING buffer must be probed
// and read inside __try while attached, never trusted directly.  Layout is
// for one Windows 10 build (0x440 bytes); later fields vary by version.
typedef struct _RTL_USER_PROCESS_PARAMETERS {        // 37 elements, 0x440 bytes(sizeof)
/*0x000*/   ULONG32    MaximumLength;
/*0x004*/   ULONG32    Length;
/*0x008*/   ULONG32    Flags;
/*0x00C*/   ULONG32    DebugFlags;
/*0x010*/   VOID* ConsoleHandle;
/*0x018*/   ULONG32    ConsoleFlags;
/*0x01C*/   UINT8     _PADDING0_[0x4];
/*0x020*/   VOID* StandardInput;
/*0x028*/   VOID* StandardOutput;
/*0x030*/   VOID* StandardError;
/*0x038*/   struct _CURDIR CurrentDirectory;            // 2 elements, 0x18 bytes(sizeof)
/*0x050*/   struct _UNICODE_STRING DllPath;             // 3 elements, 0x10 bytes(sizeof)
/*0x060*/   struct _UNICODE_STRING ImagePathName;          // 3 elements, 0x10 bytes(sizeof)
/*0x070*/   struct _UNICODE_STRING CommandLine;           // 3 elements, 0x10 bytes(sizeof)
/*0x080*/   VOID* Environment;
/*0x088*/   ULONG32    StartingX;
/*0x08C*/   ULONG32    StartingY;
/*0x090*/   ULONG32    CountX;
/*0x094*/   ULONG32    CountY;
/*0x098*/   ULONG32    CountCharsX;
/*0x09C*/   ULONG32    CountCharsY;
/*0x0A0*/   ULONG32    FillAttribute;
/*0x0A4*/   ULONG32    WindowFlags;
/*0x0A8*/   ULONG32    ShowWindowFlags;
/*0x0AC*/   UINT8     _PADDING1_[0x4];
/*0x0B0*/   struct _UNICODE_STRING WindowTitle;           // 3 elements, 0x10 bytes(sizeof)
/*0x0C0*/   struct _UNICODE_STRING DesktopInfo;           // 3 elements, 0x10 bytes(sizeof)
/*0x0D0*/   struct _UNICODE_STRING ShellInfo;            // 3 elements, 0x10 bytes(sizeof)
/*0x0E0*/   struct _UNICODE_STRING RuntimeData;           // 3 elements, 0x10 bytes(sizeof)
/*0x0F0*/   struct _RTL_DRIVE_LETTER_CURDIR CurrentDirectores[32];
/*0x3F0*/   UINT64    EnvironmentSize;
/*0x3F8*/   UINT64    EnvironmentVersion;
/*0x400*/   VOID* PackageDependencyData;
/*0x408*/   ULONG32    ProcessGroupId;
/*0x40C*/   ULONG32    LoaderThreads;
/*0x410*/   struct _UNICODE_STRING RedirectionDllName;       // 3 elements, 0x10 bytes(sizeof)
/*0x420*/   struct _UNICODE_STRING HeapPartitionName;        // 3 elements, 0x10 bytes(sizeof)
/*0x430*/   UINT64* DefaultThreadpoolCpuSetMasks;
/*0x438*/   ULONG32    DefaultThreadpoolCpuSetMaskCount;
/*0x43C*/   UINT8     _PADDING2_[0x4];
}RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS;
// 64-bit loader data (PEB64.Ldr) with the three module lists.  User memory;
// walk the lists only while attached, inside __try, with a hop limit —
// the target can corrupt the links to make a naive walk loop or fault.
typedef struct _PEB_LDR_DATA {               // 9 elements, 0x58 bytes(sizeof)
/*0x000*/   ULONG32    Length;
/*0x004*/   UINT8     Initialized;
/*0x005*/   UINT8     _PADDING0_[0x3];
/*0x008*/   VOID* SsHandle;
/*0x010*/   struct _LIST_ENTRY InLoadOrderModuleList;      // 2 elements, 0x10 bytes(sizeof)
/*0x020*/   struct _LIST_ENTRY InMemoryOrderModuleList;     // 2 elements, 0x10 bytes(sizeof)
/*0x030*/   struct _LIST_ENTRY InInitializationOrderModuleList; // 2 elements, 0x10 bytes(sizeof)
/*0x040*/   VOID* EntryInProgress;
/*0x048*/   UINT8     ShutdownInProgress;
/*0x049*/   UINT8     _PADDING1_[0x7];
/*0x050*/   VOID* ShutdownThreadId;
}PEB_LDR_DATA, * PPEB_LDR_DATA;
// Leading fields of the native 64-bit PEB.  The PEB is user memory owned and
// writable by the target process: BeingDebugged, ImageBaseAddress, Ldr and
// ProcessParameters can all be forged, so treat them as hints, probe before
// reading, and read only while attached and inside __try.
// SystemReserved/AtlThunkSListPtr32 are 32-bit so that ApiSetMap lands at
// offset 0x68 as in the real layout.
typedef struct _PEB64 {
UCHAR InheritedAddressSpace;
UCHAR ReadImageFileExecOptions;
UCHAR BeingDebugged;
UCHAR BitField;
ULONG64 Mutant;
ULONG64 ImageBaseAddress;
PPEB_LDR_DATA Ldr;
PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
ULONG64 SubSystemData;
ULONG64 ProcessHeap;
ULONG64 FastPebLock;
ULONG64 AtlThunkSListPtr;
ULONG64 IFEOKey;
ULONG64 CrossProcessFlags;
ULONG64 UserSharedInfoPtr;
ULONG SystemReserved;
ULONG AtlThunkSListPtr32;
ULONG64 ApiSetMap;
} PEB64, * PPEB64;
#pragma pack(4)
// Leading fields of the 32-bit (WoW64) PEB; pointers are ULONG because they
// are 32-bit guest addresses.  Same trust caveats as PEB64.
typedef struct _PEB32 {
UCHAR InheritedAddressSpace;
UCHAR ReadImageFileExecOptions;
UCHAR BeingDebugged;
UCHAR BitField;
ULONG Mutant;
ULONG ImageBaseAddress;
ULONG Ldr;
ULONG ProcessParameters;
ULONG SubSystemData;
ULONG ProcessHeap;
ULONG FastPebLock;
ULONG AtlThunkSListPtr;
ULONG IFEOKey;
ULONG CrossProcessFlags;
ULONG UserSharedInfoPtr;
ULONG SystemReserved;
ULONG AtlThunkSListPtr32;
ULONG ApiSetMap;
} PEB32, * PPEB32;
// 32-bit loader data (PEB32.Ldr).  With pack(4) the BOOLEAN at offset 4 is
// padded so SsHandle stays at offset 8, matching the guest layout.
typedef struct _PEB_LDR_DATA32 {
ULONG Length;
BOOLEAN Initialized;
ULONG SsHandle;
LIST_ENTRY32 InLoadOrderModuleList;
LIST_ENTRY32 InMemoryOrderModuleList;
LIST_ENTRY32 InInitializationOrderModuleList;
ULONG EntryInProgress;
} PEB_LDR_DATA32, * PPEB_LDR_DATA32;
// 32-bit loader module entry (one per DLL in the PEB32 module lists).
// User memory under the target's control; DllBase/SizeOfImage and the
// UNICODE_STRING32 buffers must be probed before use.
typedef struct _LDR_DATA_TABLE_ENTRY32 {
LIST_ENTRY32 InLoadOrderLinks;
LIST_ENTRY32 InMemoryOrderModuleList;
LIST_ENTRY32 InInitializationOrderModuleList;
ULONG DllBase;
ULONG EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING32 FullDllName;
UNICODE_STRING32 BaseDllName;
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
union {
LIST_ENTRY32 HashLinks;
ULONG SectionPointer;
}u1;
ULONG CheckSum;
union {
ULONG TimeDateStamp;
ULONG LoadedImports;
}u2;
ULONG EntryPointActivationContext;
ULONG PatchInformation;
} LDR_DATA_TABLE_ENTRY32, * PLDR_DATA_TABLE_ENTRY32;
#pragma pack()

实现:

#include "peb.h"
#include <ntifs.h>
// 定义导出
NTKERNELAPI PVOID NTAPI PsGetProcessPeb(_In_ PEPROCESS Process);
// Unload routine; DriverEntry leaves nothing behind to clean up.
VOID UnDriver(PDRIVER_OBJECT driver){
    (VOID)driver;   // unused
}
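// Driver entry: attach to a hard-coded PID and print a few PEB fields.
//
// Fixes relative to the original:
//  * the PsLookupProcessByProcessId status is checked before eproc is used;
//  * the process reference is released (it was never dereferenced);
//  * detaching happens on every path — an exception between attach and
//    detach used to leave the thread attached to the foreign process;
//  * the probe covers sizeof(PEB64) (it probed sizeof(PEB32) for a 64-bit PEB).
//
// The PEB is user memory owned by the target process; nothing read from it
// (or from pointers inside it) is trustworthy, and it can be paged out or
// unmapped at any time, so every access stays inside __try.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath){
    NTSTATUS status;
    PEPROCESS eproc = NULL;
    KAPC_STATE kpc = { 0 };
    PPEB64 pPeb64 = NULL;

    (VOID)RegistryPath;   // unused
    Driver->DriverUnload = UnDriver;

    // 4656: PID of the target process (hard-coded for the demo).
    status = PsLookupProcessByProcessId((HANDLE)4656, &eproc);
    if (!NT_SUCCESS(status)){
        DbgPrint("PsLookupProcessByProcessId failed: 0x%x \n", status);
        return STATUS_SUCCESS;
    }

    pPeb64 = (PPEB64)PsGetProcessPeb(eproc);
    DbgPrint("PEB64 = %p \n", pPeb64);
    if (pPeb64 != NULL){
        // The PEB address is only valid in the target's address space.
        KeStackAttachProcess(eproc, &kpc);
        __try{
            // ProbeForRead only checks range/alignment; the reads that
            // follow are what can fault, hence the enclosing __try.
            ProbeForRead(pPeb64, sizeof(PEB64), 1);
            DbgPrint("进程基地址: 0x%p \n", pPeb64->ImageBaseAddress);
            DbgPrint("ProcessHeap = 0x%p \n", pPeb64->ProcessHeap);
            DbgPrint("BeingDebugged = %d \n", pPeb64->BeingDebugged);
        }
        __except (EXCEPTION_EXECUTE_HANDLER){
            DbgPrint("读取PEB异常: 0x%x \n", GetExceptionCode());
        }
        KeUnstackDetachProcess(&kpc);
    }
    ObDereferenceObject(eproc);
    return STATUS_SUCCESS;
}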

特征码搜索

实现:

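// Linear byte-pattern scan of [pSearchBeginAddr, pSearchBeginAddr + ulSearchLength).
//   pSearchBeginAddr    start of the kernel memory window to scan
//   ulSearchLength      size of the window in bytes
//   pSpecialCode        exact bytes to match (no wildcards)
//   ulSpecialCodeLength number of bytes in pSpecialCode
// Returns the first address at which the whole pattern matches, or NULL.
//
// A match must fit entirely inside the window.  The original loop also tried
// start positions up to and including the end address, so it read up to
// ulSpecialCodeLength - 1 bytes past the caller's range.  An empty or NULL
// pattern now yields NULL instead of the window start.
//
// MmIsAddressValid only says a page is resident at the moment of the call;
// it is a heuristic against touching unmapped kernel VA, not a guarantee,
// so callers scanning memory that can be freed or paged should still wrap
// the call in __try.
PVOID SearchSpecialCode(PVOID pSearchBeginAddr, ULONG ulSearchLength, PUCHAR pSpecialCode, ULONG ulSpecialCodeLength){
    PUCHAR pBeginAddr = (PUCHAR)pSearchBeginAddr;
    PUCHAR pLastStart;
    PUCHAR i;
    ULONG j;

    if (pBeginAddr == NULL || pSpecialCode == NULL || ulSpecialCodeLength == 0 || ulSearchLength < ulSpecialCodeLength)
        return NULL;

    // Last start position at which a full-length match still fits.
    pLastStart = pBeginAddr + (ulSearchLength - ulSpecialCodeLength);
    for (i = pBeginAddr; i <= pLastStart; i++){
        for (j = 0; j < ulSpecialCodeLength; j++){
            if (!MmIsAddressValid((PVOID)(i + j)) || i[j] != pSpecialCode[j])
                break;
        }
        if (j == ulSpecialCodeLength)
            return (PVOID)i;
    }
    return NULL;
}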

用法大约为:

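// Driver entry: find the `lea rcx,[rip+disp32]` inside IoInitializeTimer
// and recover the address of nt!IopTimerQueueHead from it.
//
// Fixes relative to the original:
//  * the 32-bit displacement is sign-extended.  It was copied into a
//    zero-initialised ULONG64, so a negative displacement (the sample bytes
//    d9 dd cd ff = 0xFFCDDDD9) was added as +0xFFCDDDD9 instead of
//    -0x322227, landing ~4 GiB away from the real variable;
//  * ptr / IoInitializeTimer are NULL-checked before being used;
//  * pointers are printed with %p (%X truncates them to 32 bits on x64).
// GetIoInitializeTimerAddress and UnDriver are defined elsewhere.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath){
    PUCHAR IoInitializeTimer;
    PUCHAR StartSearchAddress, EndSearchAddress;
    ULONG size;
    PVOID ptr;
    UCHAR pSpecialCode[256] = { 0 };
    ULONG ulSpecialCodeLength = 3;
    LONG iOffset = 0;                    // rel32: signed
    ULONG64 IopTimerQueueHead = 0;

    (VOID)RegistryPath;   // unused
    Driver->DriverUnload = UnDriver;

    IoInitializeTimer = GetIoInitializeTimerAddress();
    DbgPrint("IoInitializeTimer Address = %p \n", IoInitializeTimer);
    if (IoInitializeTimer == NULL)
        return STATUS_SUCCESS;

    // Search window: the first 0x7e bytes of the function (build-specific;
    // the instruction may sit elsewhere on other kernels).
    StartSearchAddress = IoInitializeTimer;
    EndSearchAddress = StartSearchAddress + 0x7e;
    DbgPrint("[搜索区间] 起始地址: 0x%p --> 结束地址: 0x%p \n", StartSearchAddress, EndSearchAddress);
    size = (ULONG)(EndSearchAddress - StartSearchAddress);
    DbgPrint("[搜索长度] 长度: %u \n", size);

    // 48 8d 0d = lea rcx,[rip+disp32]
    pSpecialCode[0] = 0x48;
    pSpecialCode[1] = 0x8d;
    pSpecialCode[2] = 0x0d;
    ptr = SearchSpecialCode(StartSearchAddress, size, pSpecialCode, ulSpecialCodeLength);
    DbgPrint("搜索特征码首地址: 0x%p \n", ptr);
    if (ptr == NULL){
        DbgPrint("未找到特征码 \n");
        return STATUS_SUCCESS;
    }

    // e.g. fffff802`06185c00 488d0dd9ddcdff lea rcx,[nt!IopTimerQueueHead (fffff802`05e639e0)]
    __try{
        // The instruction is 7 bytes: 3 opcode/ModRM bytes + a signed 32-bit
        // RIP-relative displacement, applied to the address of the NEXT
        // instruction (ptr + 7).
        RtlCopyMemory(&iOffset, (PUCHAR)ptr + 3, sizeof(iOffset));
        IopTimerQueueHead = (ULONG64)((PUCHAR)ptr + 7 + (LONG64)iOffset);
        DbgPrint("提取数据: 0x%p \n", (PVOID)IopTimerQueueHead);
    }
    __except (EXCEPTION_EXECUTE_HANDLER){
        DbgPrint("拷贝内存异常 \n");
    }
    return STATUS_SU

CCESS;
}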

PE代码段解析与特征码搜索

这里扫描内核PE的.text代码段,得到某个特征的内存位置。这里是一些需要的头文件结构体:

//myheader.h
#include <ntifs.h>
#include <ntimage.h>
// Hand-written mirror of the undocumented kernel loader entry
// (nt!_KLDR_DATA_TABLE_ENTRY) as used by PMiProcessLoaderEntry below.
// NOTE(review): the field offsets are build-specific and nothing on this page
// validates them; check against `dt nt!_KLDR_DATA_TABLE_ENTRY` on the exact
// target build before passing one of these to kernel code. The __Undefined /
// __padding members only reserve space; their names begin with a double
// underscore, which C reserves for the implementation.
typedef struct _KLDR_DATA_TABLE_ENTRY{
LIST_ENTRY64 InLoadOrderLinks;
ULONG64 __Undefined1;
ULONG64 __Undefined2;
ULONG64 __Undefined3;
ULONG64 NonPagedDebugInfo;
ULONG64 DllBase;
ULONG64 EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG  Flags;
USHORT  LoadCount;
USHORT  __Undefined5;
ULONG64 __Undefined6;
ULONG  CheckSum;
ULONG  __padding1;
ULONG  TimeDateStamp;
ULONG  __padding2;
}KLDR_DATA_TABLE_ENTRY, * PKLDR_DATA_TABLE_ENTRY;
// One loaded-module record as returned by
// ZwQuerySystemInformation(SystemModuleInformation). ToolsUtilKernelBase on
// this page reads only ImageBase and ImageSize to find the module that
// contains an exported routine. OffsetToFileName is presumably an index into
// FullPathName where the bare file name starts -- not used here, verify before
// relying on it.
typedef struct _RTL_PROCESS_MODULE_INFORMATION{
HANDLE Section;
PVOID MappedBase;
PVOID ImageBase;
ULONG ImageSize;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT OffsetToFileName;
UCHAR  FullPathName[256];
} RTL_PROCESS_MODULE_INFORMATION, * PRTL_PROCESS_MODULE_INFORMATION;
// Header of the SystemModuleInformation buffer: NumberOfModules records follow
// inline. Modules[1] is the classic NT variable-length trailer, so the
// buffer must be sized by a preliminary ZwQuerySystemInformation call rather
// than by sizeof(RTL_PROCESS_MODULES).
typedef struct _RTL_PROCESS_MODULES{
ULONG NumberOfModules;
RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES, * PRTL_PROCESS_MODULES;
// Information classes accepted by ZwQuerySystemInformation. Only
// SystemModuleInformation (0xb) is used by the listings on this page; the
// rest are reproduced for completeness. The numeric values are the ordinals
// the kernel dispatches on; the names of the higher classes differ between
// releases, so treat them as informational. Defining the enum here may clash
// if another header that already declares SYSTEM_INFORMATION_CLASS is
// included in the same translation unit.
typedef enum _SYSTEM_INFORMATION_CLASS{
SystemBasicInformation = 0x0,
SystemProcessorInformation = 0x1,
SystemPerformanceInformation = 0x2,
SystemTimeOfDayInformation = 0x3,
SystemPathInformation = 0x4,
SystemProcessInformation = 0x5,
SystemCallCountInformation = 0x6,
SystemDeviceInformation = 0x7,
SystemProcessorPerformanceInformation = 0x8,
SystemFlagsInformation = 0x9,
SystemCallTimeInformation = 0xa,
// Used by ToolsUtilKernelBase to enumerate loaded kernel modules.
SystemModuleInformation = 0xb,
SystemLocksInformation = 0xc,
SystemStackTraceInformation = 0xd,
SystemPagedPoolInformation = 0xe,
SystemNonPagedPoolInformation = 0xf,
SystemHandleInformation = 0x10,
SystemObjectInformation = 0x11,
SystemPageFileInformation = 0x12,
SystemVdmInstemulInformation = 0x13,
SystemVdmBopInformation = 0x14,
SystemFileCacheInformation = 0x15,
SystemPoolTagInformation = 0x16,
SystemInterruptInformation = 0x17,
SystemDpcBehaviorInformation = 0x18,
SystemFullMemoryInformation = 0x19,
SystemLoadGdiDriverInformation = 0x1a,
SystemUnloadGdiDriverInformation = 0x1b,
SystemTimeAdjustmentInformation = 0x1c,
SystemSummaryMemoryInformation = 0x1d,
SystemMirrorMemoryInformation = 0x1e,
SystemPerformanceTraceInformation = 0x1f,
SystemObsolete0 = 0x20,
SystemExceptionInformation = 0x21,
SystemCrashDumpStateInformation = 0x22,
SystemKernelDebuggerInformation = 0x23,
SystemContextSwitchInformation = 0x24,
SystemRegistryQuotaInformation = 0x25,
SystemExtendServiceTableInformation = 0x26,
SystemPrioritySeperation = 0x27,
SystemVerifierAddDriverInformation = 0x28,
SystemVerifierRemoveDriverInformation = 0x29,
SystemProcessorIdleInformation = 0x2a,
SystemLegacyDriverInformation = 0x2b,
SystemCurrentTimeZoneInformation = 0x2c,
SystemLookasideInformation = 0x2d,
SystemTimeSlipNotification = 0x2e,
SystemSessionCreate = 0x2f,
SystemSessionDetach = 0x30,
SystemSessionInformation = 0x31,
SystemRangeStartInformation = 0x32,
SystemVerifierInformation = 0x33,
SystemVerifierThunkExtend = 0x34,
SystemSessionProcessInformation = 0x35,
SystemLoadGdiDriverInSystemSpace = 0x36,
SystemNumaProcessorMap = 0x37,
SystemPrefetcherInformation = 0x38,
SystemExtendedProcessInformation = 0x39,
SystemRecommendedSharedDataAlignment = 0x3a,
SystemComPlusPackage = 0x3b,
SystemNumaAvailableMemory = 0x3c,
SystemProcessorPowerInformation = 0x3d,
SystemEmulationBasicInformation = 0x3e,
SystemEmulationProcessorInformation = 0x3f,
SystemExtendedHandleInformation = 0x40,
SystemLostDelayedWriteInformation = 0x41,
SystemBigPoolInformation = 0x42,
SystemSessionPoolTagInformation = 0x43,
SystemSessionMappedViewInformation = 0x44,
SystemHotpatchInformation = 0x45,
SystemObjectSecurityMode = 0x46,
SystemWatchdogTimerHandler = 0x47,
SystemWatchdogTimerInformation = 0x48,
SystemLogicalProcessorInformation = 0x49,
SystemWow64SharedInformationObsolete = 0x4a,
SystemRegisterFirmwareTableInformationHandler = 0x4b,
SystemFirmwareTableInformation = 0x4c,
SystemModuleInformationEx = 0x4d,
SystemVerifierTriageInformation = 0x4e,
SystemSuperfetchInformation = 0x4f,
SystemMemoryListInformation = 0x50,
SystemFileCacheInformationEx = 0x51,
SystemThreadPriorityClientIdInformation = 0x52,
SystemProcessorIdleCycleTimeInformation = 0x53,
SystemVerifierCancellationInformation = 0x54,
SystemProcessorPowerInformationEx = 0x55,
SystemRefTraceInformation = 0x56,
SystemSpecialPoolInformation = 0x57,
SystemProcessIdInformation = 0x58,
SystemErrorPortInformation = 0x59,
SystemBootEnvironmentInformation = 0x5a,
SystemHypervisorInformation = 0x5b,
SystemVerifierInformationEx = 0x5c,
SystemTimeZoneInformation = 0x5d,
SystemImageFileExecutionOptionsInformation = 0x5e,
SystemCoverageInformation = 0x5f,
SystemPrefetchPatchInformation = 0x60,
SystemVerifierFaultsInformation = 0x61,
SystemSystemPartitionInformation = 0x62,
SystemSystemDiskInformation = 0x63,
SystemProcessorPerformanceDistribution = 0x64,
SystemNumaProximityNodeInformation = 0x65,
SystemDynamicTimeZoneInformation = 0x66,
SystemCodeIntegrityInformation = 0x67,
SystemProcessorMicrocodeUpdateInformation = 0x68,
SystemProcessorBrandString = 0x69,
SystemVirtualAddressInformation = 0x6a,
SystemLogicalProcessorAndGroupInformation = 0x6b,
SystemProcessorCycleTimeInformation = 0x6c,
SystemStoreInformation = 0x6d,
SystemRegistryAppendString = 0x6e,
SystemAitSamplingValue = 0x6f,
SystemVhdBootInformation = 0x70,
SystemCpuQuotaInformation = 0x71,
SystemNativeBasicInformation = 0x72,
SystemErrorPortTimeouts = 0x73,
SystemLowPriorityIoInformation = 0x74,
SystemBootEntropyInformation = 0x75,
SystemVerifierCountersInformation = 0x76,
SystemPagedPoolInformationEx = 0x77,
SystemSystemPtesInformationEx = 0x78,
SystemNodeDistanceInformation = 0x79,
SystemAcpiAuditInformation = 0x7a,
SystemBasicPerformanceInformation = 0x7b,
SystemQueryPerformanceCounterInformation = 0x7c,
SystemSessionBigPoolInformation = 0x7d,
SystemBootGraphicsInformation = 0x7e,
SystemScrubPhysicalMemoryInformation = 0x7f,
SystemBadPageInformation = 0x80,
SystemProcessorProfileControlArea = 0x81,
SystemCombinePhysicalMemoryInformation = 0x82,
SystemEntropyInterruptTimingInformation = 0x83,
SystemConsoleInformation = 0x84,
SystemPlatformBinaryInformation = 0x85,
SystemThrottleNotificationInformation = 0x86,
SystemHypervisorProcessorCountInformation = 0x87,
SystemDeviceDataInformation = 0x88,
SystemDeviceDataEnumerationInformation = 0x89,
SystemMemoryTopologyInformation = 0x8a,
SystemMemoryChannelInformation = 0x8b,
SystemBootLogoInformation = 0x8c,
SystemProcessorPerformanceInformationEx = 0x8d,
SystemSpare0 = 0x8e,
SystemSecureBootPolicyInformation = 0x8f,
SystemPageFileInformationEx = 0x90,
SystemSecureBootInformation = 0x91,
SystemEntropyInterruptTimingRawInformation = 0x92,
SystemPortableWorkspaceEfiLauncherInformation = 0x93,
SystemFullProcessInformation = 0x94,
SystemKernelDebuggerInformationEx = 0x95,
SystemBootMetadataInformation = 0x96,
SystemSoftRebootInformation = 0x97,
SystemElamCertificateInformation = 0x98,
SystemOfflineDumpConfigInformation = 0x99,
SystemProcessorFeaturesInformation = 0x9a,
SystemRegistryReconciliationInformation = 0x9b,
MaxSystemInfoClass = 0x9c,
} SYSTEM_INFORMATION_CLASS;
// Prototypes for kernel exports that the public WDK headers do not declare,
// plus the function-pointer types used by the listings on this page.
// RtlImageNtHeader: returns the IMAGE_NT_HEADERS of a mapped image, or NULL
// if the image is malformed (used by ComUtilScanSection).
NTSYSAPI PIMAGE_NT_HEADERS NTAPI RtlImageNtHeader(_In_ PVOID Base);
// ZwQuerySystemInformation: exported by ntoskrnl but undocumented for
// drivers; ReturnLength receives the required buffer size when the call is
// made with a NULL/too-small buffer (see ToolsUtilKernelBase).
NTSTATUS NTAPI ZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
// Signature assumed for the internal nt!MiProcessLoaderEntry; it is only
// used on this page to hold a scanned address, never called. Verify the
// calling convention and parameters against the target build before calling.
typedef VOID(__cdecl* PMiProcessLoaderEntry)(PKLDR_DATA_TABLE_ENTRY section, IN LOGICAL Insert);
// Alternative pointer type for ZwQuerySystemInformation (ULONG_PTR lengths);
// not used by the listings on this page.
typedef NTSTATUS(*NTQUERYSYSTEMINFORMATION)(IN ULONG SystemInformationClass, OUT PVOID SystemInformation, IN ULONG_PTR SystemInformationLength, OUT PULONG_PTR ReturnLength OPTIONAL);

对于特征码搜索的部分如下,以搜索IoInitializeTimer为例。

#include "myheader.h"
// Resolve the address of the exported routine IoInitializeTimer.
// Returns NULL when the export cannot be found; MmGetSystemRoutineAddress
// already returns NULL in that case, so the result is passed through as-is.
PVOID GetIoInitializeTimerAddress() {
    UNICODE_STRING routineName;
    RtlInitUnicodeString(&routineName, L"IoInitializeTimer");
    return MmGetSystemRoutineAddress(&routineName);
}
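// Search a memory range for an exact byte pattern.
//
// pattern  pattern bytes (no wildcards)
// len      pattern length in bytes
// base     first address of the range to scan
// size     number of bytes in the range
// ppFound  receives the address of the first match
//
// Returns STATUS_SUCCESS and sets *ppFound on a match; STATUS_NOT_FOUND when
// the range holds no match (including a range shorter than the pattern);
// STATUS_INVALID_PARAMETER for a NULL argument or an empty pattern; and
// STATUS_UNHANDLED_EXCEPTION if the scan raises an exception SEH can catch.
//
// Fixes over the earlier version: `size - len` is unsigned and underflowed
// whenever size < len, turning a short range into a near-unbounded walk past
// the caller's buffer; and `i < size - len` skipped the last offset at which
// the pattern still fits. The loop condition is now `i + len <= size`.
//
// Caveat: kernel-mode SEH only intercepts faults on user-mode addresses; a
// read from an unmapped kernel address bugchecks instead of reaching the
// handler, so callers must pass a range that stays mapped (e.g. ntoskrnl
// .text).
NTSTATUS UtilSearchPattern(IN PUCHAR pattern, IN ULONG_PTR len, IN const VOID* base, IN ULONG_PTR size, OUT PVOID* ppFound) {
    NT_ASSERT(ppFound != 0 && pattern != 0 && base != 0);
    if (ppFound == 0 || pattern == 0 || base == 0 || len == 0)
        return STATUS_INVALID_PARAMETER;
    if (size < len)
        return STATUS_NOT_FOUND;
    __try {
        const UCHAR* bytes = (const UCHAR*)base;
        for (ULONG_PTR i = 0; i + len <= size; i++) {
            ULONG_PTR j = 0;
            while (j < len && bytes[i + j] == pattern[j])
                j++;
            if (j == len) {
                *ppFound = (PUCHAR)base + i;
                DbgPrint("特征码匹配地址: %p \n", (PUCHAR)base + i);
                return STATUS_SUCCESS;
            }
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        return STATUS_UNHANDLED_EXCEPTION;
    }
    return STATUS_NOT_FOUND;
}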
// Unload callback. This listing allocates and hooks nothing in DriverEntry,
// so there is nothing to tear down; the parameter is only referenced to keep
// the build warning-free.
VOID UnDriver(PDRIVER_OBJECT driver) {
    (void)driver;
}
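// Demonstration entry point: scan the first 128 bytes of IoInitializeTimer for
// a 5-byte pattern and print the first match.
//
// Fixes over the earlier version: find_address was declared PVOID*, so
// &find_address was a PVOID** being passed where a PVOID* is expected (it
// only worked because both are pointer-sized); the NTSTATUS from
// UtilSearchPattern was ignored, so a NULL result was printed as a hit.
// Note that 48 89 6C 24 10 is `mov [rsp+10h],rbp`, a stock prologue store;
// within a 128-byte window the first hit is probably the intended one, but
// confirm against the target build's disassembly before relying on it.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath) {
    (void)RegistryPath;

    CHAR pattern[] = "\x48\x89\x6c\x24\x10";
    PVOID find_address = NULL;
    int pattern_size = sizeof(pattern) - 1;
    DbgPrint("匹配长度: %d \n", pattern_size);

    // Base of the scan window; UtilSearchPattern rejects NULL itself.
    PVOID address = GetIoInitializeTimerAddress();
    NTSTATUS nt = UtilSearchPattern((PUCHAR)pattern, pattern_size, address, 128, &find_address);
    if (NT_SUCCESS(nt))
        DbgPrint("[返回地址 => ] 0x%p \n", find_address);
    else
        DbgPrint("[返回地址 => ] status 0x%X \n", nt);

    Driver->DriverUnload = UnDriver;
    return STATUS_SUCCESS;
}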

接着拿ntoskrnl内核地址,用RtlImageNtHeader解析内核PE结构。完整实现为:

#include "myheader.h"
// Cached ntoskrnl image base and size. Both start empty and are filled in by
// the first successful ToolsUtilKernelBase call; later calls reuse them.
static PVOID g_KernelBase = NULL;
static ULONG g_KernelSize = 0;
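// Pool tag for the module-list buffer (appears as "KBas" in pool tools).
#define KERNEL_BASE_POOL_TAG 'saBK'

// Return the image base of the kernel module (ntoskrnl), optionally its size.
//
// pSize  optional; receives the image size when the base is known
//
// The kernel is identified as the module whose [ImageBase, ImageBase+ImageSize)
// range contains the exported routine NtOpenFile, walking the list returned by
// ZwQuerySystemInformation(SystemModuleInformation). The answer is cached in
// g_KernelBase / g_KernelSize. Returns NULL on any failure.
//
// Fixes over the earlier version:
//  - the pool allocation is checked before RtlZeroMemory (a NULL there is a
//    bugcheck that kernel-mode SEH does not rescue);
//  - the pool tag is a real 4-byte tag instead of the pointer of L"aaaaaaa"
//    truncated to a ULONG;
//  - the buffer is released on every exit path, including the exception path,
//    which previously returned straight out of __try and leaked it;
//  - a module loading between the sizing call and the data call makes the
//    second call return STATUS_INFO_LENGTH_MISMATCH; that is now retried
//    (bounded) instead of silently yielding NULL.
PVOID ToolsUtilKernelBase(OUT PULONG pSize) {
    NTSTATUS status = STATUS_SUCCESS;
    ULONG bytes = 0;
    PRTL_PROCESS_MODULES pMods = NULL;
    PVOID checkPtr = NULL;
    UNICODE_STRING routineName;
    int attempt = 0;

    if (g_KernelBase != NULL) {
        if (pSize)
            *pSize = g_KernelSize;
        return g_KernelBase;
    }

    RtlInitUnicodeString(&routineName, L"NtOpenFile");
    checkPtr = MmGetSystemRoutineAddress(&routineName);
    if (checkPtr == NULL)
        return NULL;

    __try {
        for (attempt = 0; attempt < 4; attempt++) {
            // Sizing call: bytes receives the required length.
            status = ZwQuerySystemInformation(SystemModuleInformation, NULL, 0, &bytes);
            if (bytes == 0)
                break;
            pMods = (PRTL_PROCESS_MODULES)ExAllocatePoolWithTag(NonPagedPoolNx, bytes, KERNEL_BASE_POOL_TAG);
            if (pMods == NULL) {
                status = STATUS_INSUFFICIENT_RESOURCES;
                break;
            }
            RtlZeroMemory(pMods, bytes);
            status = ZwQuerySystemInformation(SystemModuleInformation, pMods, bytes, &bytes);
            if (status != STATUS_INFO_LENGTH_MISMATCH)
                break;
            // List grew in between; drop this buffer and re-size.
            ExFreePoolWithTag(pMods, KERNEL_BASE_POOL_TAG);
            pMods = NULL;
        }

        if (NT_SUCCESS(status) && pMods != NULL) {
            PRTL_PROCESS_MODULE_INFORMATION pMod = pMods->Modules;
            for (ULONG i = 0; i < pMods->NumberOfModules; i++) {
                PUCHAR start = (PUCHAR)pMod[i].ImageBase;
                PUCHAR end = start + pMod[i].ImageSize;
                if ((PUCHAR)checkPtr >= start && (PUCHAR)checkPtr < end) {
                    g_KernelBase = pMod[i].ImageBase;
                    g_KernelSize = pMod[i].ImageSize;
                    break;
                }
            }
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        // Fall through to the cleanup below; report failure to the caller.
        g_KernelBase = NULL;
        g_KernelSize = 0;
    }

    if (pMods != NULL)
        ExFreePoolWithTag(pMods, KERNEL_BASE_POOL_TAG);

    if (g_KernelBase != NULL && pSize)
        *pSize = g_KernelSize;
    DbgPrint("KernelBase = > %p \n", g_KernelBase);
    return g_KernelBase;
}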
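// Search a memory range for a byte pattern with a wildcard byte.
//
// pattern   pattern bytes
// wildcard  byte value in `pattern` that matches anything
// len       pattern length in bytes
// base      first address of the range to scan
// size      number of bytes in the range
// ppFound   receives the address of the first match
//
// Returns STATUS_SUCCESS and sets *ppFound on a match; STATUS_NOT_FOUND when
// there is no match (including a range shorter than the pattern);
// STATUS_INVALID_PARAMETER for a NULL argument or an empty pattern; and
// STATUS_UNHANDLED_EXCEPTION if the scan raises an exception SEH can catch.
//
// Fixes over the earlier version: `size - len` underflowed (unsigned) when
// size < len and walked far past the caller's range, and `i < size - len`
// skipped the last valid offset. The loop now stops at `i + len <= size`.
// Note that a pattern byte equal to `wildcard` can never be matched
// literally; pick a wildcard value that does not occur in the opcode bytes.
//
// Caveat: kernel-mode SEH only intercepts faults on user-mode addresses; an
// unmapped kernel address bugchecks, so scan only memory known to stay
// mapped (ntoskrnl .text, as ComUtilScanSection does).
NTSTATUS UtilSearchPattern(IN PUCHAR pattern, IN UCHAR wildcard, IN ULONG_PTR len, IN const VOID* base, IN ULONG_PTR size, OUT PVOID* ppFound) {
    NT_ASSERT(ppFound != 0 && pattern != 0 && base != 0);
    if (ppFound == 0 || pattern == 0 || base == 0 || len == 0)
        return STATUS_INVALID_PARAMETER;
    if (size < len)
        return STATUS_NOT_FOUND;
    __try {
        const UCHAR* bytes = (const UCHAR*)base;
        for (ULONG_PTR i = 0; i + len <= size; i++) {
            ULONG_PTR j = 0;
            while (j < len && (pattern[j] == wildcard || bytes[i + j] == pattern[j]))
                j++;
            if (j == len) {
                *ppFound = (PUCHAR)base + i;
                DbgPrint("特征码匹配地址: %p \n", (PUCHAR)base + i);
                return STATUS_SUCCESS;
            }
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        return STATUS_UNHANDLED_EXCEPTION;
    }
    return STATUS_NOT_FOUND;
}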
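// Scan one named section of the kernel image for a byte pattern.
//
// section   section name to look for, e.g. ".text" (case-insensitive)
// pattern   pattern bytes; bytes equal to `wildcard` match anything
// wildcard  wildcard byte value
// len       pattern length in bytes
// ppFound   receives the address of the first match
//
// Returns STATUS_INVALID_PARAMETER when ppFound or section is NULL,
// STATUS_NOT_FOUND when the kernel base or the section cannot be located,
// STATUS_INVALID_IMAGE_FORMAT when RtlImageNtHeader rejects the image, and
// otherwise the result of UtilSearchPattern over
// [base + VirtualAddress, base + VirtualAddress + VirtualSize).
//
// Fixes over the earlier version:
//  - the section table is located with IMAGE_FIRST_SECTION, which honours
//    FileHeader.SizeOfOptionalHeader, instead of `pHdr + 1`, which assumes the
//    optional header has exactly the size of the struct;
//  - IMAGE_SECTION_HEADER.Name is 8 bytes with no terminator when the name is
//    8 characters long (ntoskrnl has such sections), so RtlInitAnsiString on
//    it read past the field. The name is now length-bounded explicitly.
NTSTATUS ComUtilScanSection(IN PCCHAR section, IN PUCHAR pattern, IN UCHAR wildcard, IN ULONG_PTR len, OUT PVOID* ppFound) {
    NT_ASSERT(ppFound != 0);
    if (ppFound == 0 || section == 0)
        return STATUS_INVALID_PARAMETER;

    // Module that contains NtOpenFile, i.e. ntoskrnl.
    PVOID base = ToolsUtilKernelBase(0);
    if (!base)
        return STATUS_NOT_FOUND;

    PIMAGE_NT_HEADERS pHdr = RtlImageNtHeader(base);
    if (!pHdr)
        return STATUS_INVALID_IMAGE_FORMAT;

    ANSI_STRING wanted;
    RtlInitAnsiString(&wanted, section);

    PIMAGE_SECTION_HEADER pFirstSection = IMAGE_FIRST_SECTION(pHdr);
    PIMAGE_SECTION_HEADER pEndSection = pFirstSection + pHdr->FileHeader.NumberOfSections;
    for (PIMAGE_SECTION_HEADER pSection = pFirstSection; pSection < pEndSection; pSection++) {
        // Name length: up to the first NUL, at most IMAGE_SIZEOF_SHORT_NAME bytes.
        USHORT nameLen = 0;
        while (nameLen < IMAGE_SIZEOF_SHORT_NAME && pSection->Name[nameLen] != '\0')
            nameLen++;

        ANSI_STRING name;
        name.Buffer = (PCHAR)pSection->Name;
        name.Length = nameLen;
        name.MaximumLength = IMAGE_SIZEOF_SHORT_NAME;

        if (RtlCompareString(&wanted, &name, TRUE) == 0)
            return UtilSearchPattern(pattern, wildcard, len, (PUCHAR)base + pSection->VirtualAddress, pSection->Misc.VirtualSize, ppFound);
    }
    return STATUS_NOT_FOUND;
}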
// Unload callback. The only state this listing keeps is the g_KernelBase /
// g_KernelSize cache, which needs no cleanup; the parameter is referenced
// only to avoid an unused-parameter warning.
VOID UnDriver(PDRIVER_OBJECT driver) {
    (void)driver;
}
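// Demonstration entry point: on Windows 10 build 18363 only, scan ntoskrnl
// .text for a byte pattern and print the first hit.
//
// Fixes over the earlier version: the NTSTATUS from ComUtilScanSection was
// ignored, so a failed scan printed a NULL as if it were a result, and the
// nested `if` chain is collapsed into one braced condition.
//
// Caution on the pattern itself: 48 89 5C 24 08 is `mov [rsp+8],rbx`, a
// prologue store shared by a large number of kernel functions, so the first
// hit in .text is almost certainly not nt!MiProcessLoaderEntry. A longer,
// distinctive sequence (using the 0xCC wildcard for relocatable bytes) and a
// cross-check against the build's disassembly are required before the
// address is called through PMiProcessLoaderEntry.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath) {
    (void)RegistryPath;

    PMiProcessLoaderEntry m_MiProcessLoaderEntry = NULL;
    RTL_OSVERSIONINFOW Version = { 0 };
    Version.dwOSVersionInfoSize = sizeof(Version);
    RtlGetVersion(&Version);
    DbgPrint("主版本: %d -->次版本: %d --> 编译版本: %d", Version.dwMajorVersion, Version.dwMinorVersion, Version.dwBuildNumber);

    // Pattern bytes are build-specific: only scan on the build they were taken from.
    if (Version.dwMajorVersion == 10 && Version.dwBuildNumber == 18363) {
        CHAR pattern[] = "\x48\x89\x5c\x24\x08";
        ULONG_PTR pattern_size = sizeof(pattern) - 1;
        NTSTATUS status = ComUtilScanSection(".text", (PUCHAR)pattern, 0xCC, pattern_size, (PVOID*)&m_MiProcessLoaderEntry);
        if (NT_SUCCESS(status))
            DbgPrint("输出首地址: %p", m_MiProcessLoaderEntry);
        else
            DbgPrint("ComUtilScanSection status: 0x%X", status);
    }

    Driver->DriverUnload = UnDriver;
    return STATUS_SUCCESS;
}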

内核Inline Hook

首先要实现一个动态计算汇编指令长度的功能,这里用LDE64引擎(由BeaEngine的作者提供,仓库:https://github.com/BeaEngine/lde64 )。需要自己从该仓库的源码手动编译并提取二进制Shellcode。注意:下面这段字节数组最终会在内核态以Ring 0权限执行,属于不可审计的二进制代码——务必从上述源码自行构建并核对,不要直接复制他人贴出的数组。编写头文件大概为:

//lde64.h
// 反汇编引擎
unsigned char szShellCode[12800] = {
0x55, 0x48, 0x83, 0xEC, 0x2B, 0x48, 0x89, 0xE5, 0x51, 0x52, 0x56, 0xE8, 0x00, 0x21, 0x00, 0x00,
0xEF, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE7, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xDF, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD7, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xE5, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x22, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xED, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE5, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAF, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA7, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x9F, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA5, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC6, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAD, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xBF, 0x2A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x6F, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x67, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x5F, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x57, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x65, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x86, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x6D, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x65, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x2F, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x1F, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x17, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x25, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x2D, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x25, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xEF, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE7, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xDF, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD7, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xE5, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x98, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE5, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAF, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA7, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x9F, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA5, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC6, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x58, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x6F, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x67, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x5F, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x57, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x65, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x86, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x18, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x65, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x2F, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x1F, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x17, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x25, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xD8, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x25, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x97, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8F, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x87, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7F, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x77, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6F, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x67, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5F, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x28, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x18, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x08, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xF8, 0x1F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF0, 0x1F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x80, 0x1F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x78, 0x1F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x70, 0x1F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x68, 0x1F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x60, 0x1F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x58, 0x1F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x50, 0x1F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x1F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x40, 0x1F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x38, 0x1F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x30, 0x1F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x1F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x20, 0x1F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x1F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x10, 0x1F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x1F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x1F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF8, 0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x16, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD7, 0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA8, 0x1F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x1F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xDF, 0x26, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0A, 0x27, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFD, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x98, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB5, 0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x1F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA0, 0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x98, 0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x90, 0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x85, 0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7D, 0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x75, 0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6D, 0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x65, 0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5D, 0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x55, 0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4D, 0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x45, 0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3D, 0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x35, 0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2D, 0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x25, 0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1D, 0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x15, 0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0D, 0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x5E, 0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x87, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x68, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xCF, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xBF, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB7, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAF, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA7, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x9F, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x8F, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x87, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x7F, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xAE, 0x1F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x80, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x78, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x70, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x68, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x60, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x58, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x50, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x40, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x38, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xF1, 0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x20, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x10, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x55, 0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5F, 0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x45, 0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4F, 0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xE0, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD8, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xD0, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC8, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xC5, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE6, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB0, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA8, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA0, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x98, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x90, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x85, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7D, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x75, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6D, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x65, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5D, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x55, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4D, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x80, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x78, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x70, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x68, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x60, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x58, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x50, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x5E, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x56, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x3F, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE8, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x06, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFE, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x2E, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xDA, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB8, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFF, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA8, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA0, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x9D, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAD, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x6F, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x67, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x5F, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x57, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x68, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x50, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xF2, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x25, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB5, 0x25, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x26, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x8A, 0x26, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD6, 0x26, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x3A, 0x27, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8B, 0x27, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x05, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFD, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xF5, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xED, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xE5, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xDD, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xD5, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xCD, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xEE, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE6, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB8, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xAD, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA0, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x98, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x90, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x48, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x78, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xE7, 0x22, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x29, 0x23, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x60, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x58, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFB, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x40, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x38, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x30, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x20, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x5D, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x77, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x91, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xAB, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xDF, 0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD7, 0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x4D, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD8, 0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xD0, 0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC8, 0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xC0, 0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB8, 0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x1D, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA8, 0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0D, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x87, 0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x90, 0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF5, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x6F, 0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x67, 0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x5F, 0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x57, 0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x4F, 0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x47, 0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x3F, 0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x37, 0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xDC, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x1F, 0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x17, 0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0F, 0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFF, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF7, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x38, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x28, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x4D, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x45, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x3D, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x35, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAF, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA7, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x9F, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x8F, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x87, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x7F, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x77, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x80, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x78, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x70, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x68, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x60, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x58, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xBD, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB5, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA0, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB9, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x95, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x8D, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x85, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x7D, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x75, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xEF, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE7, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xDF, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD7, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xCF, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xBF, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB7, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAF, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA7, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x9F, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x8F, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x87, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x7F, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x77, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x6F, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x67, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x5F, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x57, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x4F, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x47, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x3F, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x37, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x2F, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x1F, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x17, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0F, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFF, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF7, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xEF, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE7, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xDF, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD7, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xCF, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xBF, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB7, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAF, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA7, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x9F, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAB, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA3, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x7F, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x77, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x6F, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7D, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x01, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x85, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x4F, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x47, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x3F, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x2F, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x9D, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x95, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0F, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFF, 0x15, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF7, 0x15, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x2E, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x26, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x10, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF8, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFE, 0x15, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF6, 0x15, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xEE, 0x15, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE6, 0x15, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xDE, 0x15, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD6, 0x15, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xCE, 0x15, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC6, 0x15, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xBE, 0x15, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB6, 0x15, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x6F, 0x15, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x67, 0x15, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x5F, 0x15, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x57, 0x15, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x4F, 0x15, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x47, 0x15, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x3F, 0x15, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x37, 0x15, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x2F, 0x15, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0x15, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x1F, 0x15, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x17, 0x15, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0F, 0x15, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x15, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFF, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF7, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x15, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF8, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xF0, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD7, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x3E, 0x15, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x3D, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x35, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xC0, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB8, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB0, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFE, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x87, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x66, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x77, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x6F, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x67, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x5F, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x57, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x4F, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x47, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x3F, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x37, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x2F, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x38, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB5, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x17, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0F, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFF, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF7, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xEF, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE7, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xDF, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD7, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xCF, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xBF, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6F, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xC0, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB8, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB0, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA8, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA0, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x98, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x90, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x6F, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x67, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x5F, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x57, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x4F, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x47, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xE7, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x37, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x2F, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x1F, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x17, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0F, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFF, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF7, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xEF, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE7, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xDF, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD7, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xCF, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x67, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB7, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAF, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA7, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x9F, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x8F, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x87, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x7F, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x77, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xDB, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x67, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x5F, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x57, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x4F, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x47, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x3F, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x37, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x2F, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x1F, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x17, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0F, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFF, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x75, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xEF, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE7, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xDF, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD7, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xCF, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xBF, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB7, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAF, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA7, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x9F, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0D, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFD, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF5, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x8B, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE5, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xDD, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD5, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x6B, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x63, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xBD, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x53, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAD, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x9D, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x95, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0F, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFF, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x75, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0B, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFB, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF3, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xEB, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE3, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x3D, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x35, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xCB, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC3, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xBB, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB3, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0D, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFD, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF5, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x8B, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x83, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x7B, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x73, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x6B, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x63, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xBD, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x53, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x4B, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x43, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x3B, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x33, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x2B, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x23, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x1B, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0B, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x5D, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x55, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x4D, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x45, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x3D, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x35, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x2D, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x25, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x1D, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x15, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0D, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFD, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF5, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xED, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE5, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xDD, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD5, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xCD, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC5, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xBD, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB5, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAD, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x9D, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x95, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x8D, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x85, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x7D, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x75, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x6D, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x65, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x5D, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x55, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x4D, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x45, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x3D, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x35, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x2D, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x25, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x1D, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x15, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0D, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFD, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF5, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xED, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE5, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xDD, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD5, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xCD, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC5, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xBD, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB5, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAD, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x9D, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x95, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x8D, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x85, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x7D, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x75, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x6D, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x65, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x5D, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x55, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x4D, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x45, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x3D, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x35, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x2D, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x25, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x1D, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x15, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0D, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFD, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF5, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xED, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE5, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xDD, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD5, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xCD, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC5, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xBD, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB5, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAD, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x9D, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x95, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x8D, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x85, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x7D, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x75, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x6D, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x65, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x5D, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x55, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x4D, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x45, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x3D, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x35, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x2D, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x25, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x1D, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x15, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0D, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFD, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF5, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xED, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE5, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xDD, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD5, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xCD, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC5, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xBD, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB5, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAD, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x9D, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x95, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x8D, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x85, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x7D, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x75, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x6D, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x65, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x5D, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x55, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x4D, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x45, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x3D, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x35, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x2D, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x25, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x1D, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x15, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0D, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFD, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF5, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xED, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE5, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xDD, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD5, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xCD, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC5, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xBD, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB5, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAD, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x9D, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x95, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x8D, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x85, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x7D, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x75, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x6D, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x65, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x5D, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x55, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x4D, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x45, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x3D, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x35, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x2D, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x25, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x1D, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x15, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0D, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFD, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF5, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x05, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFD, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xDD, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD5, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xCD, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC5, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xBD, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB5, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAD, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x9D, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x95, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x8D, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x85, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x7D, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x75, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x6D, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x65, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x5D, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x55, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x4D, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x45, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x3D, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x35, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xCB, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC3, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xBB, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB3, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAB, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA3, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x9B, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x77, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xED, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE5, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xDD, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD5, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x6B, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x63, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x5B, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x53, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAD, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x9D, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x95, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x8D, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x85, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x7D, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x75, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0B, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFB, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x55, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x4D, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x45, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x3D, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x35, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x2D, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x25, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x1D, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x15, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0D, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFD, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF5, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xED, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE5, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xDD, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD5, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xCD, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC5, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xBD, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB5, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAD, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x9D, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x95, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x8D, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x85, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x7D, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x75, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0B, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFB, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x55, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x4D, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x45, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x3D, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x35, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x2D, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x25, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x1D, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x15, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0D, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFD, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF5, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xED, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE5, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xDD, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD5, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xCD, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC5, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xBD, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB5, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAD, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x9D, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x95, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x8D, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x85, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x7D, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x75, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0B, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFB, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF3, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x4D, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x45, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x3D, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x35, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x2D, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x25, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x1D, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x15, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0D, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFD, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF5, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xED, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE5, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xDD, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD5, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xCD, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC5, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xBD, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB5, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAD, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x9D, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x95, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x8D, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x85, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x7D, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x75, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x6D, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x65, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x5D, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x55, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x4D, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x45, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x3D, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x35, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x2D, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x25, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x1D, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x15, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0D, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFD, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF5, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xED, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE5, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xDD, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD5, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xCD, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC5, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xBD, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB5, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAD, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x9D, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x95, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x8D, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x85, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x7D, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x75, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x6D, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x65, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x5D, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x55, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x4D, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x45, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x3D, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x35, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x2D, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x25, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x1D, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x15, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0D, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFD, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF5, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xED, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE5, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xDD, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD5, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xCD, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC5, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xBD, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB5, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAD, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x9D, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x95, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x8D, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x85, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x7D, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x75, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x6D, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x65, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x5D, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x55, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x4D, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x45, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x3D, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x35, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x2D, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x25, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x1D, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x15, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0D, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFD, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF5, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xED, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE5, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xDD, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD5, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xCD, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC5, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xBD, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB5, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAD, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x9D, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x95, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x8D, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x85, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x7D, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x75, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x6D, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x65, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x5D, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x55, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x4D, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x45, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x3D, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x35, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x2D, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x25, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x1D, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x15, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0D, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFD, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF5, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xED, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE5, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xDD, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD5, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xCD, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC5, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xBD, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB5, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAD, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x9D, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x95, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x8D, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x85, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x7D, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x75, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAC, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x9C, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x94, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x8D, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xAF, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB3, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x74, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x6C, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x5C, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x54, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x4D, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x44, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x3C, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x34, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x2C, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x1C, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0D, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFC, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xEC, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xDC, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xCC, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xBC, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x5E, 0x51, 0x8F, 0x45, 0x23, 0x89, 0x55, 0x1E, 0xC6, 0x45, 0x22, 0x00, 0xC7, 0x45, 0x02, 0x20,
0x00, 0x00, 0x00, 0xC7, 0x45, 0x06, 0x20, 0x00, 0x00, 0x00, 0x83, 0x7D, 0x1E, 0x40, 0x75, 0x07,
0xC7, 0x45, 0x06, 0x40, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x45, 0x23, 0x48, 0x0F, 0xB6, 0x08, 0x48,
0x8D, 0x04, 0xCE, 0x48, 0x03, 0x00, 0xFF, 0xD0, 0x5E, 0x5A, 0x59, 0x48, 0x83, 0xF8, 0xFF, 0x74,
0x07, 0x48, 0x8B, 0x45, 0x23, 0x48, 0x29, 0xC8, 0x48, 0x83, 0xC4, 0x2B, 0x5D, 0xC3, 0xC7, 0x45,
0x1A, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x45, 0x23, 0x0F, 0xB6, 0x40, 0x01, 0x25, 0xC7, 0x00,
0x00, 0x00, 0xB9, 0x40, 0x00, 0x00, 0x00, 0x48, 0x31, 0xD2, 0xF7, 0xF1, 0x89, 0x45, 0x0A, 0x83,
0xF8, 0x01, 0x75, 0x04, 0x83, 0x45, 0x1A, 0x01, 0x83, 0xF8, 0x02, 0x75, 0x04, 0x83, 0x45, 0x1A,
0x04, 0x89, 0x55, 0x0E, 0xC1, 0xE0, 0x06, 0x48, 0x01, 0xF0, 0x48, 0x05, 0x00, 0x20, 0x00, 0x00,
0x48, 0x8D, 0x04, 0xD0, 0x48, 0x03, 0x00, 0xFF, 0xD0, 0xC3, 0x48, 0x8B, 0x45, 0x23, 0x0F, 0xB6,
0x40, 0x01, 0x83, 0xE0, 0x38, 0xC1, 0xE8, 0x03, 0x89, 0x45, 0x16, 0xC3, 0xC3, 0x83, 0x7D, 0x06,
0x20, 0x7C, 0x23, 0x83, 0x45, 0x1A, 0x01, 0x48, 0x8B, 0x45, 0x23, 0x0F, 0xB6, 0x40, 0x02, 0x83,
0xE0, 0x07, 0x89, 0x45, 0x12, 0x83, 0x7D, 0x12, 0x05, 0x75, 0x0A, 0x83, 0x7D, 0x0A, 0x00, 0x75,
0x04, 0x83, 0x45, 0x1A, 0x04, 0xC3, 0xC3, 0x83, 0x7D, 0x06, 0x20, 0x7C, 0x05, 0x83, 0x45, 0x1A,
0x04, 0xC3, 0xC3, 0x83, 0x7D, 0x06, 0x10, 0x75, 0x05, 0x83, 0x45, 0x1A, 0x02, 0xC3, 0xC3, 0xE8,
0x5A, 0xFF, 0xFF, 0xFF, 0x8B, 0x45, 0x1A, 0x01, 0x45, 0x23, 0x48, 0x83, 0x45, 0x23, 0x02, 0xC3,
0x48, 0xFF, 0x45, 0x23, 0xC3, 0x48, 0x83, 0x45, 0x23, 0x02, 0xC3, 0x83, 0x7D, 0x02, 0x10, 0x75,
0x06, 0xE8, 0xD9, 0xFF, 0xFF, 0xFF, 0xC3, 0xE8, 0x51, 0x02, 0x00, 0x00, 0xC3, 0x83, 0x7D, 0x1E,
0x40, 0x75, 0x06, 0xE8, 0x45, 0x02, 0x00, 0x00, 0xC3, 0x48, 0xFF, 0x45, 0x23, 0xC3, 0x83, 0x7D,
0x02, 0x20, 0x7C, 0x06, 0x48, 0x83, 0x45, 0x23, 0x05, 0xC3, 0x48, 0x83, 0x45, 0x23, 0x03, 0xC3,
0x83, 0x7D, 0x02, 0x40, 0x75, 0x06, 0x48, 0x83, 0x45, 0x23, 0x09, 0xC3, 0x83, 0x7D, 0x02, 0x20,
0x75, 0x06, 0x48, 0x83, 0x45, 0x23, 0x05, 0xC3, 0x48, 0x83, 0x45, 0x23, 0x03, 0xC3, 0xE8, 0x8C,
0xFF, 0xFF, 0xFF, 0x48, 0xFF, 0x45, 0x23, 0xC3, 0x83, 0x7D, 0x1E, 0x40, 0x75, 0x24, 0xC7, 0x45,
0x02, 0x40, 0x00, 0x00, 0x00, 0x48, 0xFF, 0x45, 0x23, 0x48, 0x8B, 0x45, 0x23, 0x48, 0x0F, 0xB6,
0x08, 0x48, 0x8D, 0x04, 0xCE, 0x48, 0x03, 0x00, 0xFF, 0xD0, 0xC7, 0x45, 0x02, 0x20, 0x00, 0x00,
0x00, 0xC3, 0x48, 0xFF, 0x45, 0x23, 0xC3, 0x83, 0x7D, 0x1E, 0x40, 0x75, 0x25, 0x48, 0xFF, 0x45,
0x23, 0xFE, 0x45, 0x22, 0x80, 0x7D, 0x22, 0x0F, 0x75, 0x06, 0xE8, 0xBE, 0x01, 0x00, 0x00, 0xC3,
0x48, 0x8B, 0x45, 0x23, 0x48, 0x0F, 0xB6, 0x08, 0x48, 0x8D, 0x04, 0xCE, 0x48, 0x03, 0x00, 0xFF,
0xD0, 0xC3, 0x48, 0x83, 0x45, 0x23, 0x01, 0xC3, 0xFF, 0x45, 0x23, 0xFE, 0x45, 0x22, 0x80, 0x7D,
0x22, 0x0F, 0x75, 0x06, 0xE8, 0x94, 0x01, 0x00, 0x00, 0xC3, 0x48, 0x8B, 0x45, 0x23, 0x48, 0x0F,
0xB6, 0x08, 0x48, 0x8D, 0x04, 0xCE, 0x48, 0x03, 0x00, 0xFF, 0xD0, 0xC3, 0x83, 0x7D, 0x02, 0x20,
0x7C, 0x0B, 0xE8, 0xF8, 0xFE, 0xFF, 0xFF, 0x48, 0x83, 0x45, 0x23, 0x04, 0xC3, 0xE8, 0xED, 0xFE,
0xFF, 0xFF, 0x48, 0x83, 0x45, 0x23, 0x02, 0xC3, 0x83, 0x7D, 0x1E, 0x40, 0x75, 0x06, 0xE8, 0x5A,
0x01, 0x00, 0x00, 0xC3, 0x48, 0x83, 0x45, 0x23, 0x02, 0xC3, 0x48, 0x83, 0x45, 0x23, 0x04, 0xC3,
0x48, 0x83, 0x45, 0x23, 0x05, 0xC3, 0x83, 0x7D, 0x1E, 0x40, 0x75, 0x06, 0xE8, 0x3C, 0x01, 0x00,
0x00, 0xC3, 0xE8, 0xB8, 0xFE, 0xFF, 0xFF, 0xC3, 0xE8, 0x11, 0xFE, 0xFF, 0xFF, 0x83, 0x7D, 0x0A,
0x03, 0x75, 0x06, 0xE8, 0xA7, 0xFE, 0xFF, 0xFF, 0xC3, 0xE8, 0x1F, 0x01, 0x00, 0x00, 0xC3, 0x48,
0x83, 0x45, 0x23, 0x03, 0xC3, 0x83, 0x7D, 0x06, 0x40, 0x75, 0x06, 0x48, 0x83, 0x45, 0x23, 0x09,
0xC3, 0x48, 0x83, 0x45, 0x23, 0x05, 0xC3, 0x83, 0x7D, 0x06, 0x10, 0x75, 0x06, 0x48, 0x83, 0x45,
0x23, 0x03, 0xC3, 0x83, 0x7D, 0x06, 0x20, 0x75, 0x06, 0x48, 0x83, 0x45, 0x23, 0x05, 0xC3, 0x48,
0x83, 0x45, 0x23, 0x09, 0xC3, 0x80, 0x7D, 0x00, 0x01, 0x75, 0x06, 0xE8, 0x5F, 0xFE, 0xFF, 0xFF,
0xC3, 0xE8, 0xD7, 0x00, 0x00, 0x00, 0xC3, 0x80, 0x7D, 0x00, 0x01, 0x75, 0x06, 0xE8, 0x4D, 0xFE,
0xFF, 0xFF, 0xC3, 0x80, 0x7D, 0x01, 0x01, 0x75, 0x06, 0xE8, 0x41, 0xFE, 0xFF, 0xFF, 0xC3, 0x83,
0x7D, 0x02, 0x10, 0x75, 0x06, 0xE8, 0x35, 0xFE, 0xFF, 0xFF, 0xC3, 0xE8, 0xAD, 0x00, 0x00, 0x00,
0xC3, 0x83, 0x7D, 0x1E, 0x40, 0x75, 0x06, 0xE8, 0xA1, 0x00, 0x00, 0x00, 0xC3, 0x83, 0x7D, 0x02,
0x20, 0x75, 0x06, 0x48, 0x83, 0x45, 0x23, 0x07, 0xC3, 0x48, 0x83, 0x45, 0x23, 0x05, 0xC3, 0xC3,
0x83, 0x7D, 0x02, 0x10, 0x74, 0x11, 0xE8, 0x63, 0xFD, 0xFF, 0xFF, 0x8B, 0x45, 0x1A, 0x01, 0x45,
0x23, 0x48, 0x83, 0x45, 0x23, 0x06, 0xC3, 0xE8, 0x52, 0xFD, 0xFF, 0xFF, 0x8B, 0x45, 0x1A, 0x01,
0x45, 0x23, 0x48, 0x83, 0x45, 0x23, 0x04, 0xC3, 0x83, 0x7D, 0x1E, 0x40, 0x75, 0x06, 0xE8, 0x5A,
0x00, 0x00, 0x00, 0xC3, 0x83, 0x7D, 0x02, 0x20, 0x75, 0x06, 0x48, 0x83, 0x45, 0x23, 0x07, 0xC3,
0x48, 0x83, 0x45, 0x23, 0x05, 0xC3, 0xE8, 0x6F, 0xFD, 0xFF, 0xFF, 0x83, 0x7D, 0x16, 0x00, 0x75,
0x06, 0xE8, 0xB9, 0xFD, 0xFF, 0xFF, 0xC3, 0xE8, 0x31, 0x00, 0x00, 0x00, 0xC3, 0x83, 0x7D, 0x1E,
0x40, 0x75, 0x06, 0x48, 0x83, 0x45, 0x23, 0x05, 0xC3, 0x83, 0x7D, 0x02, 0x20, 0x75, 0x06, 0x48,
0x83, 0x45, 0x23, 0x05, 0xC3, 0x48, 0x83, 0x45, 0x23, 0x03, 0xC3, 0x80, 0x7D, 0x00, 0x01, 0x75,
0x06, 0xE8, 0x89, 0xFD, 0xFF, 0xFF, 0xC3, 0xE8, 0x01, 0x00, 0x00, 0x00, 0xC3, 0x48, 0xB8, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC3, 0x83, 0x7D, 0x1E, 0x40, 0x75, 0x06, 0xE8, 0xEA,
0xFF, 0xFF, 0xFF, 0xC3, 0xE8, 0x66, 0xFD, 0xFF, 0xFF, 0x48, 0x83, 0x45, 0x23, 0x01, 0xC3, 0x83,
0x7D, 0x02, 0x20, 0x7C, 0x0B, 0xE8, 0x55, 0xFD, 0xFF, 0xFF, 0x48, 0x83, 0x45, 0x23, 0x04, 0xC3,
0xE8, 0x4A, 0xFD, 0xFF, 0xFF, 0x48, 0x83, 0x45, 0x23, 0x02, 0xC3, 0xE8, 0x9E, 0xFC, 0xFF, 0xFF,
0xE8, 0xE5, 0xFC, 0xFF, 0xFF, 0x83, 0x7D, 0x16, 0x00, 0x75, 0x0C, 0x8B, 0x45, 0x1A, 0x01, 0x45,
0x23, 0x48, 0x83, 0x45, 0x23, 0x03, 0xC3, 0x83, 0x7D, 0x16, 0x01, 0x75, 0x06, 0xE8, 0x9B, 0xFF,
0xFF, 0xFF, 0xC3, 0x8B, 0x45, 0x1A, 0x01, 0x45, 0x23, 0x48, 0x83, 0x45, 0x23, 0x02, 0xC3, 0x83,
0x7D, 0x02, 0x20, 0x7C, 0x34, 0xE8, 0x64, 0xFC, 0xFF, 0xFF, 0xE8, 0xAB, 0xFC, 0xFF, 0xFF, 0x83,
0x7D, 0x16, 0x00, 0x75, 0x0C, 0x8B, 0x45, 0x1A, 0x01, 0x45, 0x23, 0x48, 0x83, 0x45, 0x23, 0x06,
0xC3, 0x83, 0x7D, 0x16, 0x01, 0x75, 0x06, 0xE8, 0x61, 0xFF, 0xFF, 0xFF, 0xC3, 0x8B, 0x45, 0x1A,
0x01, 0x45, 0x23, 0x48, 0x83, 0x45, 0x23, 0x02, 0xC3, 0xE8, 0x30, 0xFC, 0xFF, 0xFF, 0xE8, 0x77,
0xFC, 0xFF, 0xFF, 0x83, 0x7D, 0x16, 0x00, 0x75, 0x0C, 0x8B, 0x45, 0x1A, 0x01, 0x45, 0x23, 0x48,
0x83, 0x45, 0x23, 0x04, 0xC3, 0x83, 0x7D, 0x16, 0x01, 0x75, 0x06, 0xE8, 0x2D, 0xFF, 0xFF, 0xFF,
0xC3, 0x8B, 0x45, 0x1A, 0x01, 0x45, 0x23, 0x48, 0x83, 0x45, 0x23, 0x02, 0xC3, 0xE8, 0xFC, 0xFB,
0xFF, 0xFF, 0xE8, 0x43, 0xFC, 0xFF, 0xFF, 0x83, 0x7D, 0x16, 0x01, 0x7E, 0x06, 0xE8, 0x0B, 0xFF,
0xFF, 0xFF, 0xC3, 0x8B, 0x45, 0x1A, 0x01, 0x45, 0x23, 0x48, 0x83, 0x45, 0x23, 0x02, 0xC3, 0xE8,
0x26, 0xFC, 0xFF, 0xFF, 0x83, 0x7D, 0x16, 0x06, 0x7E, 0x06, 0xE8, 0xEE, 0xFE, 0xFF, 0xFF, 0xC3,
0xE8, 0xC9, 0xFB, 0xFF, 0xFF, 0x8B, 0x45, 0x1A, 0x01, 0x45, 0x23, 0x48, 0x83, 0x45, 0x23, 0x02,
0xC3, 0xE8, 0xB8, 0xFB, 0xFF, 0xFF, 0xE8, 0xFF, 0xFB, 0xFF, 0xFF, 0x83, 0x7D, 0x16, 0x05, 0x7E,
0x06, 0xE8, 0xC7, 0xFE, 0xFF, 0xFF, 0xC3, 0x8B, 0x45, 0x1A, 0x01, 0x45, 0x23, 0x48, 0x83, 0x45,
0x23, 0x02, 0xC3, 0xE8, 0x96, 0xFB, 0xFF, 0xFF, 0xE8, 0xDD, 0xFB, 0xFF, 0xFF, 0x83, 0x7D, 0x16,
0x00, 0x75, 0x1A, 0x83, 0x7D, 0x0A, 0x03, 0x0F, 0x85, 0xAC, 0x00, 0x00, 0x00, 0x83, 0x7D, 0x0E,
0x04, 0x0F, 0x8E, 0xA2, 0x00, 0x00, 0x00, 0xE8, 0x91, 0xFE, 0xFF, 0xFF, 0xC3, 0x83, 0x7D, 0x16,
0x01, 0x75, 0x1A, 0x83, 0x7D, 0x0A, 0x03, 0x0F, 0x85, 0x8C, 0x00, 0x00, 0x00, 0x83, 0x7D, 0x0E,
0x01, 0x0F, 0x8E, 0x82, 0x00, 0x00, 0x00, 0xE8, 0x71, 0xFE, 0xFF, 0xFF, 0xC3, 0x83, 0x7D, 0x16,
0x02, 0x75, 0x10, 0x83, 0x7D, 0x0A, 0x03, 0x0F, 0x85, 0x6C, 0x00, 0x00, 0x00, 0xE8, 0x5B, 0xFE,
0xFF, 0xFF, 0xC3, 0x83, 0x7D, 0x16, 0x03, 0x75, 0x0C, 0x83, 0x7D, 0x0A, 0x03, 0x75, 0x5A, 0xE8,
0x49, 0xFE, 0xFF, 0xFF, 0xC3, 0x83, 0x7D, 0x16, 0x04, 0x75, 0x0C, 0x83, 0x7D, 0x0A, 0x03, 0x75,
0x48, 0xE8, 0x37, 0xFE, 0xFF, 0xFF, 0xC3, 0x83, 0x7D, 0x16, 0x05, 0x75, 0x06, 0xE8, 0x2B, 0xFE,
0xFF, 0xFF, 0xC3, 0x83, 0x7D, 0x16, 0x06, 0x75, 0x0C, 0x83, 0x7D, 0x0A, 0x03, 0x75, 0x2A, 0xE8,
0x19, 0xFE, 0xFF, 0xFF, 0xC3, 0x83, 0x7D, 0x16, 0x07, 0x75, 0x1E, 0x83, 0x7D, 0x0A, 0x03, 0x75,
0x18, 0x83, 0x7D, 0x1E, 0x40, 0x75, 0x0C, 0x83, 0x7D, 0x0E, 0x00, 0x74, 0x0C, 0xE8, 0xFB, 0xFD,
0xFF, 0xFF, 0xC3, 0xE8, 0xF5, 0xFD, 0xFF, 0xFF, 0xC3, 0x8B, 0x45, 0x1A, 0x01, 0x45, 0x23, 0x48,
0x83, 0x45, 0x23, 0x02, 0xC3, 0xE8, 0xC4, 0xFA, 0xFF, 0xFF, 0xE8, 0x0B, 0xFB, 0xFF, 0xFF, 0x83,
0x7D, 0x16, 0x04, 0x7D, 0x06, 0xE8, 0xD3, 0xFD, 0xFF, 0xFF, 0xC3, 0x8B, 0x45, 0x1A, 0x01, 0x45,
0x23, 0x48, 0x83, 0x45, 0x23, 0x03, 0xC3, 0xE8, 0xA2, 0xFA, 0xFF, 0xFF, 0xE8, 0xE9, 0xFA, 0xFF,
0xFF, 0x83, 0x7D, 0x16, 0x00, 0x75, 0x06, 0xE8, 0xB1, 0xFD, 0xFF, 0xFF, 0xC3, 0x83, 0x7D, 0x16,
0x02, 0x75, 0x06, 0xE8, 0xA5, 0xFD, 0xFF, 0xFF, 0xC3, 0x83, 0x7D, 0x16, 0x03, 0x75, 0x06, 0xE8,
0x99, 0xFD, 0xFF, 0xFF, 0xC3, 0x83, 0x7D, 0x16, 0x04, 0x75, 0x06, 0xE8, 0x8D, 0xFD, 0xFF, 0xFF,
0xC3, 0x83, 0x7D, 0x16, 0x05, 0x75, 0x06, 0xE8, 0x81, 0xFD, 0xFF, 0xFF, 0xC3, 0x83, 0x7D, 0x16,
0x07, 0x7E, 0x06, 0xE8, 0x75, 0xFD, 0xFF, 0xFF, 0xC3, 0x8B, 0x45, 0x1A, 0x01, 0x45, 0x23, 0x48,
0x83, 0x45, 0x23, 0x02, 0xC3, 0xE8, 0x90, 0xFA, 0xFF, 0xFF, 0x83, 0x7D, 0x16, 0x00, 0x75, 0x06,
0xE8, 0x58, 0xFD, 0xFF, 0xFF, 0xC3, 0x83, 0x7D, 0x16, 0x01, 0x75, 0x06, 0xE8, 0x4C, 0xFD, 0xFF,
0xFF, 0xC3, 0x83, 0x7D, 0x16, 0x02, 0x75, 0x11, 0xE8, 0x21, 0xFA, 0xFF, 0xFF, 0x83, 0x7D, 0x0A,
0x03, 0x74, 0x52, 0xE8, 0x35, 0xFD, 0xFF, 0xFF, 0xC3, 0x83, 0x7D, 0x16, 0x03, 0x75, 0x06, 0xE8,
0x29, 0xFD, 0xFF, 0xFF, 0xC3, 0x83, 0x7D, 0x16, 0x04, 0x75, 0x11, 0xE8, 0xFE, 0xF9, 0xFF, 0xFF,
0x83, 0x7D, 0x0A, 0x03, 0x74, 0x2F, 0xE8, 0x12, 0xFD, 0xFF, 0xFF, 0xC3, 0x83, 0x7D, 0x16, 0x05,
0x75, 0x06, 0xE8, 0x06, 0xFD, 0xFF, 0xFF, 0xC3, 0x83, 0x7D, 0x16, 0x06, 0x75, 0x11, 0xE8, 0xDB,
0xF9, 0xFF, 0xFF, 0x83, 0x7D, 0x0A, 0x03, 0x74, 0x0C, 0xE8, 0xEF, 0xFC, 0xFF, 0xFF, 0xC3, 0xE8,
0xE9, 0xFC, 0xFF, 0xFF, 0xC3, 0x8B, 0x45, 0x1A, 0x01, 0x45, 0x23, 0x48, 0x83, 0x45, 0x23, 0x03,
0xC3, 0xE8, 0x04, 0xFA, 0xFF, 0xFF, 0x83, 0x7D, 0x16, 0x00, 0x75, 0x06, 0xE8, 0xCC, 0xFC, 0xFF,
0xFF, 0xC3, 0x83, 0x7D, 0x16, 0x01, 0x75, 0x06, 0xE8, 0xC0, 0xFC, 0xFF, 0xFF, 0xC3, 0x83, 0x7D,
0x16, 0x02, 0x75, 0x11, 0xE8, 0x95, 0xF9, 0xFF, 0xFF, 0x83, 0x7D, 0x0A, 0x03, 0x74, 0x52, 0xE8,
0xA9, 0xFC, 0xFF, 0xFF, 0xC3, 0x83, 0x7D, 0x16, 0x03, 0x75, 0x06, 0xE8, 0x9D, 0xFC, 0xFF, 0xFF,
0xC3, 0x83, 0x7D, 0x16, 0x04, 0x75, 0x11, 0xE8, 0x72, 0xF9, 0xFF, 0xFF, 0x83, 0x7D, 0x0A, 0x03,
0x74, 0x2F, 0xE8, 0x86, 0xFC, 0xFF, 0xFF, 0xC3, 0x83, 0x7D, 0x16, 0x05, 0x75, 0x06, 0xE8, 0x7A,
0xFC, 0xFF, 0xFF, 0xC3, 0x83, 0x7D, 0x16, 0x06, 0x75, 0x11, 0xE8, 0x4F, 0xF9, 0xFF, 0xFF, 0x83,
0x7D, 0x0A, 0x03, 0x74, 0x0C, 0xE8, 0x63, 0xFC, 0xFF, 0xFF, 0xC3, 0xE8, 0x5D, 0xFC, 0xFF, 0xFF,
0xC3, 0x8B, 0x45, 0x1A, 0x01, 0x45, 0x23, 0x48, 0x83, 0x45, 0x23, 0x03, 0xC3, 0xE8, 0x78, 0xF9,
0xFF, 0xFF, 0x83, 0x7D, 0x16, 0x00, 0x75, 0x06, 0xE8, 0x40, 0xFC, 0xFF, 0xFF, 0xC3, 0x83, 0x7D,
0x16, 0x01, 0x75, 0x06, 0xE8, 0x34, 0xFC, 0xFF, 0xFF, 0xC3, 0x83, 0x7D, 0x16, 0x02, 0x75, 0x15,
0xE8, 0x09, 0xF9, 0xFF, 0xFF, 0x83, 0x7D, 0x0A, 0x03, 0x0F, 0x84, 0x7B, 0x00, 0x00, 0x00, 0xE8,
0x19, 0xFC, 0xFF, 0xFF, 0xC3, 0x83, 0x7D, 0x16, 0x03, 0x75, 0x1D, 0x83, 0x7D, 0x02, 0x10, 0x75,
0x11, 0xE8, 0xE8, 0xF8, 0xFF, 0xFF, 0x83, 0x7D, 0x0A, 0x03, 0x74, 0x5E, 0xE8, 0xFC, 0xFB, 0xFF,
0xFF, 0xC3, 0xE8, 0xF6, 0xFB, 0xFF, 0xFF, 0xC3, 0x83, 0x7D, 0x16, 0x04, 0x75, 0x06, 0xE8, 0xEA,
0xFB, 0xFF, 0xFF, 0xC3, 0x83, 0x7D, 0x16, 0x05, 0x75, 0x06, 0xE8, 0xDE, 0xFB, 0xFF, 0xFF, 0xC3,
0x83, 0x7D, 0x16, 0x06, 0x75, 0x11, 0xE8, 0xB3, 0xF8, 0xFF, 0xFF, 0x83, 0x7D, 0x0A, 0x03, 0x74,
0x29, 0xE8, 0xC7, 0xFB, 0xFF, 0xFF, 0xC3, 0x83, 0x7D, 0x16, 0x07, 0x75, 0x17, 0x83, 0x7D, 0x02,
0x10, 0x75, 0x11, 0xE8, 0x96, 0xF8, 0xFF, 0xFF, 0x83, 0x7D, 0x0A, 0x03, 0x74, 0x0C, 0xE8, 0xAA,
0xFB, 0xFF, 0xFF, 0xC3, 0xE8, 0xA4, 0xFB, 0xFF, 0xFF, 0xC3, 0x8B, 0x45, 0x1A, 0x01, 0x45, 0x23,
0x48, 0x83, 0x45, 0x23, 0x03, 0xC3, 0xE8, 0xBF, 0xF8, 0xFF, 0xFF, 0x83, 0x7D, 0x16, 0x00, 0x75,
0x15, 0xE8, 0x68, 0xF8, 0xFF, 0xFF, 0x83, 0x7D, 0x0A, 0x03, 0x0F, 0x85, 0xA0, 0x00, 0x00, 0x00,
0xE8, 0x78, 0xFB, 0xFF, 0xFF, 0xC3, 0x83, 0x7D, 0x16, 0x01, 0x75, 0x15, 0xE8, 0x4D, 0xF8, 0xFF,
0xFF, 0x83, 0x7D, 0x0A, 0x03, 0x0F, 0x85, 0x85, 0x00, 0x00, 0x00, 0xE8, 0x5D, 0xFB, 0xFF, 0xFF,
0xC3, 0x83, 0x7D, 0x16, 0x02, 0x75, 0x15, 0xE8, 0x32, 0xF8, 0xFF, 0xFF, 0x83, 0x7D, 0x0A, 0x03,
0x0F, 0x85, 0x6A, 0x00, 0x00, 0x00, 0xE8, 0x42, 0xFB, 0xFF, 0xFF, 0xC3, 0x83, 0x7D, 0x16, 0x03,
0x75, 0x11, 0xE8, 0x17, 0xF8, 0xFF, 0xFF, 0x83, 0x7D, 0x0A, 0x03, 0x75, 0x53, 0xE8, 0x2B, 0xFB,
0xFF, 0xFF, 0xC3, 0x83, 0x7D, 0x16, 0x04, 0x75, 0x06, 0xE8, 0x1F, 0xFB, 0xFF, 0xFF, 0xC3, 0x83,
0x7D, 0x16, 0x05, 0x75, 0x11, 0xE8, 0xF4, 0xF7, 0xFF, 0xFF, 0x83, 0x7D, 0x0A, 0x03, 0x75, 0x30,
0xE8, 0x08, 0xFB, 0xFF, 0xFF, 0xC3, 0x83, 0x7D, 0x16, 0x06, 0x75, 0x11, 0xE8, 0xDD, 0xF7, 0xFF,
0xFF, 0x83, 0x7D, 0x0A, 0x03, 0x75, 0x19, 0xE8, 0xF1, 0xFA, 0xFF, 0xFF, 0xC3, 0x83, 0x7D, 0x16,
0x07, 0x7F, 0x07, 0xE8, 0xC6, 0xF7, 0xFF, 0xFF, 0xEB, 0x06, 0xE8, 0xDE, 0xFA, 0xFF, 0xFF, 0xC3,
0x8B, 0x45, 0x1A, 0x01, 0x45, 0x23, 0x48, 0x83, 0x45, 0x23, 0x02, 0xC3, 0xE8, 0xF9, 0xF7, 0xFF,
0xFF, 0x83, 0x7D, 0x16, 0x00, 0x75, 0x11, 0xE8, 0xA2, 0xF7, 0xFF, 0xFF, 0x83, 0x7D, 0x0A, 0x03,
0x75, 0x51, 0xE8, 0xB6, 0xFA, 0xFF, 0xFF, 0xC3, 0x83, 0x7D, 0x16, 0x01, 0x75, 0x11, 0xE8, 0x8B,
0xF7, 0xFF, 0xFF, 0x83, 0x7D, 0x0A, 0x03, 0x75, 0x3A, 0xE8, 0x9F, 0xFA, 0xFF, 0xFF, 0xC3, 0x83,
0x7D, 0x16, 0x02, 0x75, 0x11, 0xE8, 0x74, 0xF7, 0xFF, 0xFF, 0x83, 0x7D, 0x0A, 0x03, 0x75, 0x23,
0xE8, 0x88, 0xFA, 0xFF, 0xFF, 0xC3, 0x83, 0x7D, 0x16, 0x03, 0x75, 0x11, 0xE8, 0x5D, 0xF7, 0xFF,
0xFF, 0x83, 0x7D, 0x0A, 0x03, 0x75, 0x0C, 0xE8, 0x71, 0xFA, 0xFF, 0xFF, 0xC3, 0xE8, 0x6B, 0xFA,
0xFF, 0xFF, 0xC3, 0x8B, 0x45, 0x1A, 0x01, 0x45, 0x23, 0x48, 0x83, 0x45, 0x23, 0x02, 0xC3, 0x48,
0xFF, 0x45, 0x23, 0xC7, 0x45, 0x02, 0x10, 0x00, 0x00, 0x00, 0xFE, 0x45, 0x22, 0x80, 0x7D, 0x22,
0x0F, 0x75, 0x06, 0xE8, 0x45, 0xFA, 0xFF, 0xFF, 0xC3, 0x48, 0x8B, 0x45, 0x23, 0x48, 0x0F, 0xB6,
0x08, 0x48, 0x8D, 0x04, 0xCE, 0x48, 0x03, 0x00, 0xFF, 0xD0, 0xC7, 0x45, 0x02, 0x20, 0x00, 0x00,
0x00, 0xC3, 0x48, 0xFF, 0x45, 0x23, 0xFE, 0x45, 0x22, 0x80, 0x7D, 0x22, 0x0F, 0x75, 0x06, 0xE8,
0x19, 0xFA, 0xFF, 0xFF, 0xC3, 0x8B, 0x4D, 0x06, 0xD1, 0xE9, 0x89, 0x5D, 0x06, 0x48, 0x8B, 0x45,
0x23, 0x48, 0x0F, 0xB6, 0x08, 0x48, 0x8D, 0x04, 0xCE, 0x48, 0x03, 0x00, 0xFF, 0xD0, 0x8B, 0x5D,
0x06, 0xD1, 0xE1, 0x89, 0x4D, 0x06, 0xC3, 0x48, 0xFF, 0x45, 0x23, 0xFE, 0x45, 0x22, 0x80, 0x7D,
0x22, 0x0F, 0x75, 0x06, 0xE8, 0xE4, 0xF9, 0xFF, 0xFF, 0xC3, 0x48, 0x8B, 0x45, 0x23, 0x0F, 0xB6,
0x00, 0x3C, 0xA4, 0x74, 0x12, 0x3C, 0xA7, 0x74, 0x0E, 0x3C, 0xAE, 0x74, 0x0A, 0x3C, 0xAF, 0x74,
0x06, 0x3C, 0x0F, 0x74, 0x02, 0xEB, 0x04, 0xC6, 0x45, 0x00, 0x01, 0x48, 0x8B, 0x45, 0x23, 0x48,
0x0F, 0xB6, 0x08, 0x48, 0x8D, 0x04, 0xCE, 0x48, 0x03, 0x00, 0xFF, 0xD0, 0xC6, 0x45, 0x00, 0x00,
0xC3, 0x48, 0xFF, 0x45, 0x23, 0xFE, 0x45, 0x22, 0x80, 0x7D, 0x22, 0x0F, 0x75, 0x06, 0xE8, 0x9A,
0xF9, 0xFF, 0xFF, 0xC3, 0x48, 0x8B, 0x45, 0x23, 0x0F, 0xB6, 0x00, 0x3C, 0x90, 0x74, 0x3E, 0x3C,
0xA4, 0x74, 0x3A, 0x3C, 0xA5, 0x74, 0x36, 0x3C, 0xA6, 0x74, 0x32, 0x3C, 0xA7, 0x74, 0x2E, 0x3C,
0xAA, 0x74, 0x2A, 0x3C, 0xAB, 0x74, 0x26, 0x3C, 0xAC, 0x74, 0x22, 0x3C, 0xAD, 0x74, 0x1E, 0x3C,
0xAE, 0x74, 0x1A, 0x3C, 0xAF, 0x74, 0x16, 0x3C, 0x6C, 0x74, 0x12, 0x3C, 0x6D, 0x74, 0x0E, 0x3C,
0x6E, 0x74, 0x0A, 0x3C, 0x6F, 0x74, 0x06, 0x3C, 0x0F, 0x74, 0x02, 0xEB, 0x04, 0xC6, 0x45, 0x01,
0x01, 0x48, 0x8B, 0x45, 0x23, 0x48, 0x0F, 0xB6, 0x08, 0x48, 0x8D, 0x04, 0xCE, 0x48, 0x03, 0x00,
0xFF, 0xD0, 0xC6, 0x45, 0x01, 0x00, 0xC3, 0x48, 0xFF, 0x45, 0x23, 0xFE, 0x45, 0x22, 0x80, 0x7D,
0x22, 0x0F, 0x75, 0x06, 0xE8, 0x24, 0xF9, 0xFF, 0xFF, 0xC3, 0x48, 0x8B, 0x45, 0x23, 0x48, 0x0F,
0xB6, 0x08, 0x48, 0x8D, 0x84, 0xCE, 0x00, 0x08, 0x00, 0x00, 0x48, 0x03, 0x00, 0xFF, 0xD0, 0xC3,
0x48, 0xFF, 0x45, 0x23, 0xFE, 0x45, 0x22, 0x80, 0x7D, 0x22, 0x0F, 0x75, 0x06, 0xE8, 0xFB, 0xF8,
0xFF, 0xFF, 0xC3, 0x48, 0x8B, 0x45, 0x23, 0x48, 0x0F, 0xB6, 0x08, 0x48, 0x8D, 0x84, 0xCE, 0x00,
0x10, 0x00, 0x00, 0x48, 0x03, 0x00, 0xFF, 0xD0, 0xC3, 0x48, 0xFF, 0x45, 0x23, 0xFE, 0x45, 0x22,
0x80, 0x7D, 0x22, 0x0F, 0x75, 0x06, 0xE8, 0xD2, 0xF8, 0xFF, 0xFF, 0xC3, 0x48, 0x8B, 0x45, 0x23,
0x48, 0x0F, 0xB6, 0x08, 0x48, 0x8D, 0x84, 0xCE, 0x00, 0x18, 0x00, 0x00, 0x48, 0x03, 0x00, 0xFF,
0xD0, 0xC3, 0xC7, 0x45, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x45, 0x23, 0x0F, 0xB6, 0x40,
0x01, 0x3D, 0xBF, 0x00, 0x00, 0x00, 0x7F, 0x11, 0xE8, 0xCD, 0xF5, 0xFF, 0xFF, 0x83, 0x7D, 0x16,
0x07, 0x7E, 0x06, 0xE8, 0x95, 0xF8, 0xFF, 0xFF, 0xC3, 0xE8, 0x70, 0xF5, 0xFF, 0xFF, 0x8B, 0x45,
0x1A, 0x01, 0x45, 0x23, 0x48, 0x83, 0x45, 0x23, 0x02, 0xC3, 0xC7, 0x45, 0x1A, 0x00, 0x00, 0x00,
0x00, 0x48, 0x8B, 0x45, 0x23, 0x0F, 0xB6, 0x40, 0x01, 0x3D, 0xBF, 0x00, 0x00, 0x00, 0x7F, 0x17,
0xE8, 0x95, 0xF5, 0xFF, 0xFF, 0x83, 0x7D, 0x16, 0x01, 0x75, 0x69, 0x83, 0x7D, 0x16, 0x07, 0x7E,
0x63, 0xE8, 0x57, 0xF8, 0xFF, 0xFF, 0xC3, 0x3D, 0xC0, 0x00, 0x00, 0x00, 0x7C, 0x56, 0x89, 0xC2,
0xC1, 0xEA, 0x04, 0x89, 0xC1, 0x83, 0xE1, 0x0F, 0x83, 0xFA, 0x0D, 0x75, 0x0B, 0x83, 0xF9, 0x00,
0x74, 0x42, 0xE8, 0x36, 0xF8, 0xFF, 0xFF, 0xC3, 0x83, 0xFA, 0x0E, 0x75, 0x37, 0x83, 0xF9, 0x02,
0x75, 0x06, 0xE8, 0x26, 0xF8, 0xFF, 0xFF, 0xC3, 0x83, 0xF9, 0x03, 0x75, 0x06, 0xE8, 0x1B, 0xF8,
0xFF, 0xFF, 0xC3, 0x83, 0xF9, 0x06, 0x75, 0x06, 0xE8, 0x10, 0xF8, 0xFF, 0xFF, 0xC3, 0x83, 0xF9,
0x07, 0x75, 0x06, 0xE8, 0x05, 0xF8, 0xFF, 0xFF, 0xC3, 0x83, 0xF9, 0x0F, 0x75, 0x06, 0xE8, 0xFA,
0xF7, 0xFF, 0xFF, 0xC3, 0xE8, 0xD5, 0xF4, 0xFF, 0xFF, 0x8B, 0x45, 0x1A, 0x01, 0x45, 0x23, 0x48,
0x83, 0x45, 0x23, 0x02, 0xC3, 0xC7, 0x45, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x45, 0x23,
0x0F, 0xB6, 0x40, 0x01, 0x3D, 0xBF, 0x00, 0x00, 0x00, 0x7F, 0x11, 0xE8, 0xFA, 0xF4, 0xFF, 0xFF,
0x83, 0x7D, 0x16, 0x07, 0x7E, 0x32, 0xE8, 0xC2, 0xF7, 0xFF, 0xFF, 0xC3, 0x3D, 0xC0, 0x00, 0x00,
0x00, 0x7C, 0x25, 0x89, 0xC2, 0xC1, 0xEA, 0x04, 0x89, 0xC1, 0x83, 0xE1, 0x0F, 0x83, 0xFA, 0x0E,
0x75, 0x0B, 0x83, 0xF9, 0x09, 0x74, 0x11, 0xE8, 0xA1, 0xF7, 0xFF, 0xFF, 0xC3, 0x83, 0xFA, 0x0F,
0x75, 0x06, 0xE8, 0x96, 0xF7, 0xFF, 0xFF, 0xC3, 0xE8, 0x71, 0xF4, 0xFF, 0xFF, 0x8B, 0x45, 0x1A,
0x01, 0x45, 0x23, 0x48, 0x83, 0x45, 0x23, 0x02, 0xC3, 0xC7, 0x45, 0x1A, 0x00, 0x00, 0x00, 0x00,
0x48, 0x8B, 0x45, 0x23, 0x0F, 0xB6, 0x40, 0x01, 0x3D, 0xBF, 0x00, 0x00, 0x00, 0x7F, 0x1F, 0xE8,
0x96, 0xF4, 0xFF, 0xFF, 0x83, 0x7D, 0x16, 0x04, 0x74, 0x0E, 0x83, 0x7D, 0x16, 0x06, 0x74, 0x08,
0x83, 0x7D, 0x16, 0x07, 0x7F, 0x02, 0xEB, 0x41, 0xE8, 0x50, 0xF7, 0xFF, 0xFF, 0xC3, 0x3D, 0xC0,
0x00, 0x00, 0x00, 0x7C, 0x34, 0x89, 0xC2, 0xC1, 0xEA, 0x04, 0x89, 0xC1, 0x83, 0xE1, 0x0F, 0x83,
0xFA, 0x0E, 0x75, 0x15, 0x83, 0xF9, 0x08, 0x7D, 0x20, 0x83, 0xF9, 0x03, 0x74, 0x1B, 0x83, 0xF9,
0x02, 0x74, 0x16, 0xE8, 0x25, 0xF7, 0xFF, 0xFF, 0xC3, 0x83, 0xFA, 0x0F, 0x75, 0x0B, 0x83, 0xF9,
0x08, 0x7C, 0x06, 0xE8, 0x15, 0xF7, 0xFF, 0xFF, 0xC3, 0xE8, 0xF0, 0xF3, 0xFF, 0xFF, 0x8B, 0x45,
0x1A, 0x01, 0x45, 0x23, 0x48, 0x83, 0x45, 0x23, 0x02, 0xC3, 0xC7, 0x45, 0x1A, 0x00, 0x00, 0x00,
0x00, 0x48, 0x8B, 0x45, 0x23, 0x0F, 0xB6, 0x40, 0x01, 0x3D, 0xBF, 0x00, 0x00, 0x00, 0x7F, 0x11,
0xE8, 0x15, 0xF4, 0xFF, 0xFF, 0x83, 0x7D, 0x16, 0x07, 0x7E, 0x22, 0xE8, 0xDD, 0xF6, 0xFF, 0xFF,
0xC3, 0x3D, 0xC0, 0x00, 0x00, 0x00, 0x7C, 0x15, 0x89, 0xC2, 0xC1, 0xEA, 0x04, 0x89, 0xC1, 0x83,
0xE1, 0x0F, 0x83, 0xFA, 0x0D, 0x75, 0x06, 0xE8, 0xC1, 0xF6, 0xFF, 0xFF, 0xC3, 0xE8, 0x9C, 0xF3,
0xFF, 0xFF, 0x8B, 0x45, 0x1A, 0x01, 0x45, 0x23, 0x48, 0x83, 0x45, 0x23, 0x02, 0xC3, 0xC7, 0x45,
0x1A, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x45, 0x23, 0x0F, 0xB6, 0x40, 0x01, 0x3D, 0xBF, 0x00,
0x00, 0x00, 0x7F, 0x19, 0xE8, 0xC1, 0xF3, 0xFF, 0xFF, 0x83, 0x7D, 0x16, 0x05, 0x74, 0x08, 0x83,
0x7D, 0x16, 0x07, 0x7F, 0x02, 0xEB, 0x32, 0xE8, 0x81, 0xF6, 0xFF, 0xFF, 0xC3, 0x3D, 0xC0, 0x00,
0x00, 0x00, 0x7C, 0x25, 0x89, 0xC2, 0xC1, 0xEA, 0x04, 0x89, 0xC1, 0x83, 0xE1, 0x0F, 0x83, 0xFA,
0x0C, 0x75, 0x0B, 0x83, 0xF9, 0x08, 0x7C, 0x11, 0xE8, 0x60, 0xF6, 0xFF, 0xFF, 0xC3, 0x83, 0xFA,
0x0F, 0x75, 0x06, 0xE8, 0x55, 0xF6, 0xFF, 0xFF, 0xC3, 0xE8, 0x30, 0xF3, 0xFF, 0xFF, 0x8B, 0x45,
0x1A, 0x01, 0x45, 0x23, 0x48, 0x83, 0x45, 0x23, 0x02, 0xC3, 0xC7, 0x45, 0x1A, 0x00, 0x00, 0x00,
0x00, 0x48, 0x8B, 0x45, 0x23, 0x0F, 0xB6, 0x40, 0x01, 0x3D, 0xBF, 0x00, 0x00, 0x00, 0x7F, 0x11,
0xE8, 0x55, 0xF3, 0xFF, 0xFF, 0x83, 0x7D, 0x16, 0x07, 0x7E, 0x27, 0xE8, 0x1D, 0xF6, 0xFF, 0xFF,
0xC3, 0x3D, 0xC0, 0x00, 0x00, 0x00, 0x7C, 0x1A, 0x89, 0xC2, 0xC1, 0xEA, 0x04, 0x89, 0xC1, 0x83,
0xE1, 0x0F, 0x83, 0xFA, 0x0D, 0x75, 0x0B, 0x83, 0xF9, 0x09, 0x74, 0x06, 0xE8, 0xFC, 0xF5, 0xFF,
0xFF, 0xC3, 0xE8, 0xD7, 0xF2, 0xFF, 0xFF, 0x8B, 0x45, 0x1A, 0x01, 0x45, 0x23, 0x48, 0x83, 0x45,
0x23, 0x02, 0xC3, 0xC7, 0x45, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x45, 0x23, 0x0F, 0xB6,
0x40, 0x01, 0x3D, 0xBF, 0x00, 0x00, 0x00, 0x7F, 0x11, 0xE8, 0xFC, 0xF2, 0xFF, 0xFF, 0x83, 0x7D,
0x16, 0x07, 0x7E, 0x52, 0xE8, 0xC4, 0xF5, 0xFF, 0xFF, 0xC3, 0x3D, 0xC0, 0x00, 0x00, 0x00, 0x7C,
0x45, 0x89, 0xC2, 0xC1, 0xEA, 0x04, 0x89, 0xC1, 0x83, 0xE1, 0x0F, 0x83, 0xFA, 0x0C, 0x75, 0x06,
0xE8, 0xA8, 0xF5, 0xFF, 0xFF, 0xC3, 0x83, 0xFA, 0x0D, 0x75, 0x06, 0xE8, 0x9D, 0xF5, 0xFF, 0xFF,
0xC3, 0x83, 0xFA, 0x0E, 0x75, 0x10, 0x83, 0xF9, 0x00, 0x74, 0x1B, 0x83, 0xF9, 0x08, 0x7D, 0x16,
0xE8, 0x88, 0xF5, 0xFF, 0xFF, 0xC3, 0x83, 0xFA, 0x0F, 0x75, 0x0B, 0x83, 0xF9, 0x08, 0x7C, 0x06,
0xE8, 0x78, 0xF5, 0xFF, 0xFF, 0xC3, 0xE8, 0x53, 0xF2, 0xFF, 0xFF, 0x8B, 0x45, 0x1A, 0x01, 0x45,
0x23, 0x48, 0x83, 0x45, 0x23, 0x02, 0xC3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

Inline Hook 要写入一条能跨越 4GB 范围的绝对跳转（`FF 25 00 00 00 00` + 8 字节目标地址），共占 14 字节。因此必须用反汇编引擎算出从函数入口开始、覆盖至少 14 字节的完整指令长度，否则会把某条指令截断，执行时出错；也就是说补丁长度只需不小于 14，不必严格大于 14。另外，被覆盖的这几条指令会被原样搬到跳板中执行，如果其中含有 RIP 相对寻址或短跳转，搬走后地址就不再正确，需要额外处理。

#include "lde64.h"
#include <ntifs.h>
// Length-disassembler entry point (the szShellCode engine from lde64.h).
//   address : instruction to measure
//   bits    : 0 for a 32-bit driver, 64 for x64
// Returns the length in bytes of the instruction at `address`.
typedef INT (*LDE_DISASM)(PVOID address, INT bits);

// Set by lde_init(); NULL until then.
LDE_DISASM lde_disasm = NULL;
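// Copy the length-disassembler engine (szShellCode) into executable
// non-paged pool and publish it through lde_disasm.
// On allocation failure lde_disasm stays NULL; callers must check it
// before calling through it (the original dereferenced the result blindly).
VOID lde_init(VOID) {
    // The engine is *executed* from this buffer, so it must come from
    // executable pool: NonPagedPoolExecute, never NonPagedPoolNx.
    // sizeof(szShellCode) replaces the hard-coded 12800 so the copy can
    // never over-read the array.
    PVOID engine = ExAllocatePoolWithTag(NonPagedPoolExecute, sizeof(szShellCode), 'EDLk');
    if (engine == NULL) {
        lde_disasm = NULL;
        return;
    }
    RtlCopyMemory(engine, szShellCode, sizeof(szShellCode));
    lde_disasm = (LDE_DISASM)engine;
}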
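// Driver unload: release the executable pool holding the disassembler
// engine (allocated by lde_init). The original left it allocated.
VOID UnDriver(PDRIVER_OBJECT driver){
    UNREFERENCED_PARAMETER(driver);
    if (lde_disasm != NULL) {
        ExFreePool(lde_disasm);
        lde_disasm = NULL;
    }
}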
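// Measure whole instructions from Address until they cover the 14-byte
// absolute jump, so the patch never splits an instruction.
//
// Address : start of the routine to be patched.
// Returns : number of bytes to save/overwrite (>= 14), or 0 when the
//           decoder is unavailable or reports a non-positive length
//           (the original would loop forever on a 0-length result).
//
// NOTE(review): the bytes counted here are later copied verbatim into a
// trampoline; a RIP-relative instruction or a short jump inside this range
// is not relocated and will misbehave. Check the target's prologue.
ULONG GetFullPatchSize(PUCHAR Address){
    const ULONG JmpPatchLength = 14;   // FF 25 00 00 00 00 + 8-byte target
    ULONG total = 0;

    if (Address == NULL || lde_disasm == NULL)
        return 0;

    while (total < JmpPatchLength) {
        INT len = lde_disasm(Address + total, 64);
        if (len <= 0)                  // decoder failure: do not spin on a zero advance
            return 0;
        total += (ULONG)len;
    }
    return total;
}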
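// Driver entry: load the disassembler engine, resolve
// PsLookupProcessByProcessId and print how many bytes a 14-byte inline
// patch at its entry would have to cover.
// Returns a failure status (after freeing the engine — DriverUnload is not
// called for a failed entry) if the engine or the routine cannot be found.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath){
    UNICODE_STRING routineName;
    PVOID addr;
    ULONG count;
    UNREFERENCED_PARAMETER(RegistryPath);

    Driver->DriverUnload = UnDriver;

    lde_init();
    if (lde_disasm == NULL)            // pool allocation failed
        return STATUS_INSUFFICIENT_RESOURCES;

    RtlInitUnicodeString(&routineName, L"PsLookupProcessByProcessId");
    addr = MmGetSystemRoutineAddress(&routineName);
    DbgPrint("获取内存地址: 0x%p \n", addr);
    if (addr == NULL) {                // the original passed NULL straight to the decoder
        ExFreePool(lde_disasm);
        lde_disasm = NULL;
        return STATUS_NOT_FOUND;
    }

    count = GetFullPatchSize((PUCHAR)addr);
    DbgPrint("完整指令长度: %d \n", count);
    return STATUS_SUCCESS;
}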

下面的例子通过 Inline Hook PsLookupProcessByProcessId 来保护指定进程（代码中保护的是用 WinDbg 查到 EPROCESS 的 lyshark.exe，而不是 calc.exe），使任务管理器无法结束它。

#include "lde64.h"
#include <ntifs.h>
#include <windef.h>
#include <intrin.h>
#pragma intrinsic(_disable)
#pragma intrinsic(_enable)
// Length-disassembler entry point (the szShellCode engine from lde64.h).
//   address : instruction to measure
//   bits    : 0 for a 32-bit driver, 64 for x64
// Returns the length in bytes of the instruction at `address`.
typedef INT (*LDE_DISASM)(PVOID address, INT bits);

// Set by lde_init(); NULL until then.
LDE_DISASM lde_disasm = NULL;
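// Copy the length-disassembler engine (szShellCode) into executable
// non-paged pool and publish it through lde_disasm.
// On allocation failure lde_disasm stays NULL; callers must check it
// before calling through it (the original dereferenced the result blindly).
VOID lde_init(VOID) {
    // The engine is *executed* from this buffer, so it must come from
    // executable pool: NonPagedPoolExecute, never NonPagedPoolNx.
    // sizeof(szShellCode) replaces the hard-coded 12800 so the copy can
    // never over-read the array.
    PVOID engine = ExAllocatePoolWithTag(NonPagedPoolExecute, sizeof(szShellCode), 'EDLk');
    if (engine == NULL) {
        lde_disasm = NULL;
        return;
    }
    RtlCopyMemory(engine, szShellCode, sizeof(szShellCode));
    lde_disasm = (LDE_DISASM)engine;
}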
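// Measure whole instructions from Address until they cover the 14-byte
// absolute jump, so the patch never splits an instruction.
//
// Address : start of the routine to be patched.
// Returns : number of bytes to save/overwrite (>= 14), or 0 when the
//           decoder is unavailable or reports a non-positive length
//           (the original would loop forever on a 0-length result).
//
// NOTE(review): the bytes counted here are later copied verbatim into a
// trampoline; a RIP-relative instruction or a short jump inside this range
// is not relocated and will misbehave. Check the target's prologue.
ULONG GetFullPatchSize(PUCHAR Address) {
    const ULONG JmpPatchLength = 14;   // FF 25 00 00 00 00 + 8-byte target
    ULONG total = 0;

    if (Address == NULL || lde_disasm == NULL)
        return 0;

    while (total < JmpPatchLength) {
        INT len = lde_disasm(Address + total, 64);
        if (len <= 0)                  // decoder failure: do not spin on a zero advance
            return 0;
        total += (ULONG)len;
    }
    return total;
}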
// Hook plumbing.
// Signature of PsLookupProcessByProcessId, used to call the original
// through the trampoline.
typedef NTSTATUS(__fastcall* PSLOOKUPPROCESSBYPROCESSID)(HANDLE ProcessId, PEPROCESS* Process);

// EPROCESS of the process being protected; the proxy compares it by raw pointer.
ULONG64 protect_eprocess = 0;
// Number of bytes KernelHook overwrote at the target's entry.
ULONG patch_size = 0;
// Copy of those original bytes, handed back by KernelHook and replayed by KernelUnHook.
PUCHAR head_n_byte = NULL;
// Trampoline: original bytes + jump back into the target (filled in by KernelHook).
PVOID original_address = NULL;
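// Clear CR0.WP on the current CPU so kernel code pages can be written.
// Raises to DISPATCH_LEVEL and masks interrupts *before* touching CR0
// (the original cleared WP first, leaving a window where an interrupt
// handler could run with write protection off). Returns the previous IRQL
// for WPONx64().
//
// NOTE(review): this affects only the current processor; other CPUs keep
// executing the target while it is being patched. It is not a substitute
// for an MDL mapping with write access, it faults under HVCI/VBS, and
// patching ntoskrnl code is exactly what PatchGuard bugchecks on — test VM only.
KIRQL WPOFFx64() {
    const UINT64 Cr0WriteProtect = 1ULL << 16;   // CR0.WP
    KIRQL previous = KeRaiseIrqlToDpcLevel();
    _disable();
    __writecr0(__readcr0() & ~Cr0WriteProtect);
    return previous;
}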
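// Undo WPOFFx64(): restore CR0.WP first, then re-enable interrupts and
// lower IRQL. The original re-enabled interrupts before restoring WP, so
// an interrupt taken in between ran with write protection still off.
// irql : the value returned by the matching WPOFFx64() call.
VOID WPONx64(KIRQL irql) {
    const UINT64 Cr0WriteProtect = 1ULL << 16;   // CR0.WP
    __writecr0(__readcr0() | Cr0WriteProtect);
    _enable();
    KeLowerIrql(irql);
}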
// Resolve an exported kernel routine by name via MmGetSystemRoutineAddress.
// Returns NULL when the name is not exported; callers must check before
// dereferencing or hooking the result.
PVOID GetProcessAddress(PCWSTR FunctionName) {
    UNICODE_STRING routineName;
    RtlInitUnicodeString(&routineName, FunctionName);
    return MmGetSystemRoutineAddress(&routineName);
}
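/*
InlineHookAPI — install a 14-byte absolute jump at ApiAddress.
  ApiAddress          : routine to hook
  Proxy_ApiAddress    : replacement (proxy) routine
  Original_ApiAddress : receives a trampoline that runs the stolen bytes
                        and jumps back into the original routine
  PatchSize           : receives the number of bytes overwritten
Returns a NonPagedPool copy of the original bytes (KernelUnHook needs it),
or NULL on failure, in which case *Original_ApiAddress is NULL, *PatchSize
is 0 and nothing was patched. Both returned buffers are owned by the caller.

Fixes over the original: the pool tag was a string literal ("LyShark")
passed where a ULONG tag belongs; both pool allocations were unchecked;
the trampoline was not explicitly requested from executable pool; and a
local variable shadowed the global head_n_byte.

NOTE(review): the patch is a plain memory write while other CPUs may be
executing the target — there is no atomic/IPI patch sequencing. The
stolen bytes are copied unmodified, so any RIP-relative instruction in
that range will be wrong in the trampoline.
*/
#define HOOK_POOL_TAG 'KHyL'

// Emit "jmp qword ptr [rip+0]" followed by the 8-byte target:
// FF 25 00 00 00 00 <target>. out must hold 14 bytes.
static VOID BuildAbsoluteJmp(UCHAR out[14], UINT64 target) {
    static const UCHAR opcode[6] = { 0xFF, 0x25, 0x00, 0x00, 0x00, 0x00 };
    RtlCopyMemory(out, opcode, sizeof(opcode));
    RtlCopyMemory(out + sizeof(opcode), &target, sizeof(target));
}

PVOID KernelHook(IN PVOID ApiAddress, IN PVOID Proxy_ApiAddress, OUT PVOID* Original_ApiAddress, OUT ULONG* PatchSize) {
    const ULONG JmpLen = 14;
    UCHAR jmpToProxy[14];
    UCHAR jmpBack[14];
    PUCHAR savedBytes;
    PUCHAR trampoline;
    ULONG size;
    KIRQL irql;

    *Original_ApiAddress = NULL;
    *PatchSize = 0;
    if (ApiAddress == NULL || Proxy_ApiAddress == NULL)
        return NULL;

    size = GetFullPatchSize((PUCHAR)ApiAddress);
    if (size < JmpLen)                       // 0 means the decoder failed
        return NULL;

    // 1. Save the original bytes. Reading does not need WP cleared.
    savedBytes = ExAllocatePoolWithTag(NonPagedPool, size, HOOK_POOL_TAG);
    if (savedBytes == NULL)
        return NULL;
    RtlCopyMemory(savedBytes, ApiAddress, size);

    // 2. Trampoline = stolen bytes + jmp to ApiAddress+size. It is executed,
    //    so it must come from executable pool.
    trampoline = ExAllocatePoolWithTag(NonPagedPoolExecute, size + JmpLen, HOOK_POOL_TAG);
    if (trampoline == NULL) {
        ExFreePoolWithTag(savedBytes, HOOK_POOL_TAG);
        return NULL;
    }
    RtlCopyMemory(trampoline, savedBytes, size);
    BuildAbsoluteJmp(jmpBack, (UINT64)ApiAddress + size);
    RtlCopyMemory(trampoline + size, jmpBack, JmpLen);

    // Publish the trampoline before the patch goes live: a caller that hits
    // the proxy right after the write must already find a valid target.
    *Original_ApiAddress = trampoline;
    *PatchSize = size;

    // 3. Patch the entry: jmp to the proxy, remaining stolen bytes NOP-padded.
    BuildAbsoluteJmp(jmpToProxy, (UINT64)Proxy_ApiAddress);
    irql = WPOFFx64();
    RtlFillMemory(ApiAddress, size, 0x90);
    RtlCopyMemory(ApiAddress, jmpToProxy, JmpLen);
    WPONx64(irql);

    return savedBytes;
}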
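/*
InlineHookAPI — restore the original bytes at ApiAddress.
  ApiAddress : hooked routine
  OriCode    : bytes saved by KernelHook (not freed here; the caller owns it)
  PatchSize  : number of bytes KernelHook overwrote
A NULL or zero argument is a no-op, so an unload after a failed hook is safe.
NOTE(review): like KernelHook this is a non-atomic write to live code; a
thread executing the patched prologue on another CPU can observe a torn
instruction stream.
*/
VOID KernelUnHook(IN PVOID ApiAddress, IN PVOID OriCode, IN ULONG PatchSize) {
    KIRQL irql;
    if (ApiAddress == NULL || OriCode == NULL || PatchSize == 0)
        return;
    irql = WPOFFx64();
    RtlCopyMemory(ApiAddress, OriCode, PatchSize);
    WPONx64(irql);
}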
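// Proxy for PsLookupProcessByProcessId. Calls the original through the
// trampoline and, when the result is the protected process, hides it from
// the caller: *Process is cleared and STATUS_ACCESS_DENIED is returned.
//
// PsLookupProcessByProcessId returns the EPROCESS *referenced* (the caller
// is expected to ObDereferenceObject it). When we refuse to hand the
// pointer out we must drop that reference ourselves — the original did
// not, so every blocked lookup leaked one reference on the protected
// process and it could never be fully torn down.
NTSTATUS MyPsLookupProcessByProcessId(HANDLE ProcessId, PEPROCESS* Process) {
    PSLOOKUPPROCESSBYPROCESSID original = (PSLOOKUPPROCESSBYPROCESSID)original_address;
    NTSTATUS status;

    if (original == NULL)                 // hook live without a trampoline: fail instead of calling NULL
        return STATUS_UNSUCCESSFUL;

    status = original(ProcessId, Process);
    if (NT_SUCCESS(status) && *Process == (PEPROCESS)protect_eprocess) {
        ObDereferenceObject(*Process);
        *Process = NULL;
        DbgPrint("[lyshark] 拦截结束进程 \n");
        status = STATUS_ACCESS_DENIED;
    }
    return status;
}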
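// Driver unload: put the original bytes back into
// PsLookupProcessByProcessId and release what DriverEntry allocated.
// Skips the unhook when the hook was never installed (head_n_byte NULL).
//
// NOTE(review): the trampoline (original_address) is deliberately NOT
// freed — a thread that entered the proxy just before the unhook may still
// be executing inside it, and freeing it would be a use-after-free. The
// same race exists for the proxy itself once the image is gone; a
// production driver needs a rundown/wait before unloading.
VOID UnDriver(PDRIVER_OBJECT driver) {
    PVOID target = GetProcessAddress(L"PsLookupProcessByProcessId");
    UNREFERENCED_PARAMETER(driver);

    if (target != NULL && head_n_byte != NULL && patch_size != 0) {
        KernelUnHook(target, head_n_byte, patch_size);
        ExFreePool(head_n_byte);
        head_n_byte = NULL;
        patch_size = 0;
    }
    if (lde_disasm != NULL) {
        ExFreePool(lde_disasm);
        lde_disasm = NULL;
    }
}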
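// Driver entry: resolve the process to protect, then inline-hook
// PsLookupProcessByProcessId so lookups of that process are refused.
// Fails — releasing what it allocated, since DriverUnload is not invoked
// for a failed entry — if the engine, the target routine or the hook
// cannot be set up.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath) {
    // PID of the process to protect, taken from the same kd output the
    // original pasted the EPROCESS address from:
    //   kd> !process 0 0 lyshark.exe
    //   PROCESS ffff9a0a44ec4080
    //   SessionId: 1 Cid: 05b8  Peb: 0034d000 ParentCid: 13f0
    //   DirBase: 12a7d2002 ObjectTable: ffffd60bc036f080 HandleCount: 159.
    //   Image: lyshark.exe
    // A raw EPROCESS address is only valid for that one boot and process
    // instance, so resolve it at load time instead. (A PID is still
    // demo-only: it changes per launch and is reused after exit.)
    const HANDLE protectedPid = (HANDLE)(ULONG_PTR)0x05b8;
    PEPROCESS process = NULL;
    PVOID target;
    NTSTATUS status;
    ULONG i;
    UNREFERENCED_PARAMETER(RegistryPath);

    Driver->DriverUnload = UnDriver;

    lde_init();
    if (lde_disasm == NULL)
        return STATUS_INSUFFICIENT_RESOURCES;

    // Must happen before the hook is installed, or the proxy intercepts it.
    status = PsLookupProcessByProcessId(protectedPid, &process);
    if (!NT_SUCCESS(status)) {
        ExFreePool(lde_disasm);
        lde_disasm = NULL;
        return status;
    }
    protect_eprocess = (ULONG64)process;
    // The proxy compares raw pointers, as the original did; drop the
    // reference the lookup took so this driver does not pin the process.
    ObDereferenceObject(process);

    target = GetProcessAddress(L"PsLookupProcessByProcessId");
    if (target != NULL)
        head_n_byte = KernelHook(target, (PVOID)MyPsLookupProcessByProcessId, &original_address, &patch_size);
    if (target == NULL || head_n_byte == NULL) {
        ExFreePool(lde_disasm);
        lde_disasm = NULL;
        return STATUS_UNSUCCESSFUL;
    }

    DbgPrint("挂钩保护完成 --> 修改字节: %d | 原函数地址: 0x%p \n", patch_size, original_address);
    for (i = 0; i < patch_size; i++)
        DbgPrint("[byte] = %x", head_n_byte[i]);
    return STATUS_SUCCESS;
}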

FileObject文件回调

这是一些需要用到的定义。它们都是未公开的内核结构，字段偏移随 Windows 版本变化，使用时要在目标系统上用 WinDbg（如 `dt nt!_OBJECT_TYPE`、`dt nt!_OBJECT_TYPE_INITIALIZER`、`dt nt!_LDR_DATA_TABLE_ENTRY`）核对并改成对应的结构:

//myheader.h
#include <ntddk.h>
#include <ntstrsafe.h>
// Layout of one ObRegisterCallbacks registration entry as the kernel keeps
// it (undocumented). Declared here but not referenced by the code on this
// page. NOTE(review): field order and the trailing `unknown` are
// version-specific — verify with WinDbg on the target build before use.
typedef struct _CALLBACK_ENTRY {
LIST_ENTRY CallbackList;
OB_OPERATION  Operations;
ULONG Active;
PVOID Handle;
POBJECT_TYPE ObjectType;
POB_PRE_OPERATION_CALLBACK  PreOperation;
POB_POST_OPERATION_CALLBACK PostOperation;
ULONG unknown;
} CALLBACK_ENTRY, * PCALLBACK_ENTRY;
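// Mirror of the kernel's loader data table entry (what
// PDRIVER_OBJECT->DriverSection points at). DriverEntry on this page uses
// only Flags (0x068) to set the bit that MmVerifyCallbackFunction tests.
// Offsets are the original author's annotations (0xE0 bytes in total);
// NOTE(review): confirm them with `dt nt!_LDR_DATA_TABLE_ENTRY` on the
// target build before relying on anything beyond Flags.
// Fix: the LoadTime comment had been split across two lines in the page,
// leaving a stray `elements, 0x8 bytes(sizeof)` token that does not compile.
typedef struct _LDR_DATA { // 24 elements, 0xE0 bytes (sizeof)
/*0x000*/   struct _LIST_ENTRY InLoadOrderLinks;           // 2 elements, 0x10 bytes(sizeof)
/*0x010*/   struct _LIST_ENTRY InMemoryOrderLinks;          // 2 elements, 0x10 bytes(sizeof)
/*0x020*/   struct _LIST_ENTRY InInitializationOrderLinks;      // 2 elements, 0x10 bytes(sizeof)
/*0x030*/   VOID* DllBase;
/*0x038*/   VOID* EntryPoint;
/*0x040*/   ULONG32    SizeOfImage;
/*0x044*/   UINT8     _PADDING0_[0x4];
/*0x048*/   struct _UNICODE_STRING FullDllName;            // 3 elements, 0x10 bytes(sizeof)
/*0x058*/   struct _UNICODE_STRING BaseDllName;            // 3 elements, 0x10 bytes(sizeof)
/*0x068*/   ULONG32    Flags;                              // DriverEntry ORs 0x20 into this
/*0x06C*/   UINT16    LoadCount;
/*0x06E*/   UINT16    TlsIndex;
union {// 2 elements, 0x10 bytes(sizeof)
/*0x070*/     struct _LIST_ENTRY HashLinks;
// 2 elements, 0x10 bytes (sizeof)
struct {// 2 elements, 0x10 bytes(sizeof)
/*0x070*/       VOID* SectionPointer;
/*0x078*/       ULONG32    CheckSum;
/*0x07C*/       UINT8     _PADDING1_[0x4];
};
};
union {// 2 elements, 0x8bytes(sizeof)
/*0x080*/     ULONG32    TimeDateStamp;
/*0x080*/     VOID* LoadedImports;
};
/*0x088*/   struct _ACTIVATION_CONTEXT* EntryPointActivationContext;
/*0x090*/   VOID* PatchInformation;
/*0x098*/   struct _LIST_ENTRY ForwarderLinks;            // 2 elements, 0x10 bytes(sizeof)
/*0x0A8*/   struct _LIST_ENTRY ServiceTagLinks;            // 2 elements, 0x10 bytes(sizeof)
/*0x0B8*/   struct _LIST_ENTRY StaticLinks;              // 2 elements, 0x10 bytes(sizeof)
/*0x0C8*/   VOID* ContextInformation;
/*0x0D0*/   UINT64    OriginalBase;
/*0x0D8*/   union _LARGE_INTEGER LoadTime;              // 4 elements, 0x8 bytes(sizeof)
}LDR_DATA, * PLDR_DATA;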
// Mirror of nt!_OBJECT_TYPE_INITIALIZER. The only field this page touches
// is SupportsObjectCallbacks (bit 6 of ObjectTypeFlags at 0x002), set by
// EnableObType so ObRegisterCallbacks will accept IoFileObjectType.
// NOTE(review): the 0x70-byte size annotated below does not hold on every
// Windows version — confirm with `dt nt!_OBJECT_TYPE_INITIALIZER` on the
// target before relying on any offset past ObjectTypeFlags.
typedef struct _OBJECT_TYPE_INITIALIZER {
// 25 elements, 0x70 bytes (sizeof)
/*0x000*/   UINT16    Length;
union { // 2 elements, 0x1 bytes (sizeof)
/*0x002*/     UINT8     ObjectTypeFlags;
struct { // 7 elements, 0x1 bytes (sizeof)
/*0x002*/       UINT8     CaseInsensitive : 1; // 0 BitPosition
/*0x002*/       UINT8     UnnamedObjectsOnly : 1; // 1 BitPosition
/*0x002*/       UINT8     UseDefaultObject : 1; // 2 BitPosition
/*0x002*/       UINT8     SecurityRequired : 1; // 3 BitPosition
/*0x002*/       UINT8     MaintainHandleCount : 1; // 4 BitPosition
/*0x002*/       UINT8     MaintainTypeList : 1; // 5 BitPosition
/*0x002*/       UINT8     SupportsObjectCallbacks : 1; // 6 BitPosition — patched by EnableObType
};
};
/*0x004*/   ULONG32    ObjectTypeCode;
/*0x008*/   ULONG32    InvalidAttributes;
/*0x00C*/   struct _GENERIC_MAPPING GenericMapping;
// 4 elements, 0x10 bytes (sizeof)
/*0x01C*/   ULONG32    ValidAccessMask;
/*0x020*/   ULONG32    RetainAccess;
/*0x024*/   enum _POOL_TYPE PoolType;
/*0x028*/   ULONG32    DefaultPagedPoolCharge;
/*0x02C*/   ULONG32    DefaultNonPagedPoolCharge;
/*0x030*/   PVOID DumpProcedure;
/*0x038*/   PVOID OpenProcedure;
/*0x040*/   PVOID CloseProcedure;
/*0x048*/   PVOID DeleteProcedure;
/*0x050*/   PVOID ParseProcedure;
/*0x058*/   PVOID SecurityProcedure;
/*0x060*/   PVOID QueryNameProcedure;
/*0x068*/   PVOID OkayToCloseProcedure;
}OBJECT_TYPE_INITIALIZER, * POBJECT_TYPE_INITIALIZER;
// Mirror of nt!_EX_PUSH_LOCK (8 bytes). Present only so that
// MY_OBJECT_TYPE.TypeLock has the right size; nothing on this page reads
// or writes it.
typedef struct _EX_PUSH_LOCK {        // 7 elements, 0x8 bytes (sizeof)
union {// 3 elements, 0x8 bytes (sizeof)
struct {               // 5 elements, 0x8 bytes (sizeof)
/*0x000*/       UINT64    Locked : 1;     // 0 BitPosition
/*0x000*/       UINT64    Waiting : 1;     // 1 BitPosition
/*0x000*/       UINT64    Waking : 1;     // 2 BitPosition
/*0x000*/       UINT64    MultipleShared : 1; // 3 BitPosition
/*0x000*/       UINT64    Shared : 60;     // 4 BitPosition
};
/*0x000*/     UINT64    Value;
/*0x000*/     VOID* Ptr;
};
}EX_PUSH_LOCK, * PEX_PUSH_LOCK;
// Mirror of nt!_OBJECT_TYPE, used to reach TypeInfo (0x040) from a
// POBJECT_TYPE such as *IoFileObjectType. Everything up to and including
// TypeInfo's first bytes is what EnableObType depends on.
// NOTE(review): the 0xD0 total and the CallbackList offset (0x0C0) are the
// original author's annotations and differ between Windows versions —
// confirm with `dt nt!_OBJECT_TYPE` on the target build.
typedef struct _MY_OBJECT_TYPE {// 12 elements, 0xD0 bytes (sizeof)
/*0x000*/   struct _LIST_ENTRY TypeList;        // 2 elements, 0x10 bytes(sizeof)
/*0x010*/   struct _UNICODE_STRING Name;        // 3 elements, 0x10 bytes(sizeof)
/*0x020*/   VOID* DefaultObject;
/*0x028*/   UINT8     Index;
/*0x029*/   UINT8     _PADDING0_[0x3];
/*0x02C*/   ULONG32    TotalNumberOfObjects;
/*0x030*/   ULONG32    TotalNumberOfHandles;
/*0x034*/   ULONG32    HighWaterNumberOfObjects;
/*0x038*/   ULONG32    HighWaterNumberOfHandles;
/*0x03C*/   UINT8     _PADDING1_[0x4];
/*0x040*/   struct _OBJECT_TYPE_INITIALIZER TypeInfo; // 25 elements, 0x70 bytes(sizeof) — SupportsObjectCallbacks lives here
/*0x0B0*/   struct _EX_PUSH_LOCK TypeLock;       // 7 elements, 0x8 bytes(sizeof)
/*0x0B8*/   ULONG32    Key;
/*0x0BC*/   UINT8     _PADDING2_[0x4];
/*0x0C0*/   struct _LIST_ENTRY CallbackList;      // 2 elements, 0x10 bytes(sizeof)
}MY_OBJECT_TYPE, * PMY_OBJECT_TYPE;

实现为:

#include "myheader.h"
// Registration handle returned by ObRegisterCallbacks in DriverEntry and
// passed to ObUnRegisterCallbacks on unload; NULL until registration succeeds.
PVOID obHandle = NULL;

DRIVER_INITIALIZE DriverEntry;
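// Pre-operation callback for IoFileObjectType handle create / duplicate.
// Logs "<pid> | <DOS volume name><file name>" and always lets the
// operation through (OB_PREOP_SUCCESS).
//
// Fixes over the original: FILE_OBJECT.FileName is a counted
// UNICODE_STRING with no NUL-termination guarantee, so it is compared with
// RtlEqualUnicodeString instead of _wcsicmp (which reads past Length); and
// RtlVolumeDeviceToDosName allocates the DOS name, which the original
// never freed and never checked (it fails for non-volume devices, leaving
// DosName uninitialised for the DbgPrint).
//
// NOTE(review): ObRegisterCallbacks is documented for process, thread and
// desktop objects only; file objects work here only because EnableObType
// patched SupportsObjectCallbacks into the type, which is unsupported. The
// MmIsAddressValid checks are best-effort (the page can be freed or paged
// out right after the check), and at HANDLE_CREATE time the file object
// may still be under construction — treat every field as tentative.
OB_PREOP_CALLBACK_STATUS FileObjectpreCall(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation) {
    // Names the original skipped as noise, compared case-insensitively
    // exactly like the _wcsicmp() calls they replace.
    static const UNICODE_STRING ignored[] = {
        RTL_CONSTANT_STRING(L"\\Endpoint"),
        RTL_CONSTANT_STRING(L"?"),
        RTL_CONSTANT_STRING(L"\\.\\."),
        RTL_CONSTANT_STRING(L"\\"),
    };
    PFILE_OBJECT file = (PFILE_OBJECT)OperationInformation->Object;
    HANDLE pid = PsGetCurrentProcessId();
    UNICODE_STRING dosName = { 0 };
    NTSTATUS status;
    SIZE_T i;
    UNREFERENCED_PARAMETER(RegistrationContext);

    if (OperationInformation->ObjectType != *IoFileObjectType)
        return OB_PREOP_SUCCESS;

    if (file == NULL
        || file->FileName.Buffer == NULL || file->FileName.Length == 0 || !MmIsAddressValid(file->FileName.Buffer)
        || file->DeviceObject == NULL || !MmIsAddressValid(file->DeviceObject))
        return OB_PREOP_SUCCESS;

    for (i = 0; i < RTL_NUMBER_OF(ignored); i++) {
        if (RtlEqualUnicodeString(&file->FileName, &ignored[i], TRUE))
            return OB_PREOP_SUCCESS;
    }

    // dosName.Buffer is allocated by the kernel on success; we own it.
    status = RtlVolumeDeviceToDosName(file->DeviceObject, &dosName);
    if (!NT_SUCCESS(status))
        return OB_PREOP_SUCCESS;
    DbgPrint("进程PID = %ld | 文件路径 = %wZ%wZ \n", (ULONG)(ULONG_PTR)pid, &dosName, &file->FileName);
    ExFreePool(dosName.Buffer);
    return OB_PREOP_SUCCESS;
}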
// Mark an object type as accepting ObRegisterCallbacks by setting
// OBJECT_TYPE_INITIALIZER.SupportsObjectCallbacks (bit 6 of
// ObjectTypeFlags). The kernel does not set it for IoFileObjectType, so
// registration for file objects is refused unless this runs first.
// NOTE(review): this writes an undocumented kernel structure through the
// hand-written PMY_OBJECT_TYPE layout — confirm the TypeInfo/ObjectTypeFlags
// offsets on the target build, and expect code-integrity/PatchGuard to
// treat the write as tampering. The flag is never restored on unload.
VOID EnableObType(POBJECT_TYPE ObjectType) {
PMY_OBJECT_TYPE myobtype = (PMY_OBJECT_TYPE)ObjectType;
myobtype->TypeInfo.SupportsObjectCallbacks = 1;
}
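// Driver unload: remove the file-object callback registration.
// obHandle is NULL when ObRegisterCallbacks never succeeded; skip the
// unregister in that case instead of handing a NULL to ObUnRegisterCallbacks.
VOID UnDriver(PDRIVER_OBJECT driver) {
    UNREFERENCED_PARAMETER(driver);
    if (obHandle != NULL) {
        ObUnRegisterCallbacks(obHandle);
        obHandle = NULL;
    }
}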
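// Driver entry: enable callbacks on IoFileObjectType, mark this image so
// MmVerifyCallbackFunction accepts it, and register FileObjectpreCall for
// handle create/duplicate on file objects.
// Returns STATUS_UNSUCCESSFUL if the loader entry is missing or
// registration fails (DriverUnload is not called on a failed entry).
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath) {
    NTSTATUS status;
    PLDR_DATA ldr;
    OB_CALLBACK_REGISTRATION obRegFileCallBack = { 0 };
    OB_OPERATION_REGISTRATION opRegFileCallBack = { 0 };
    UNREFERENCED_PARAMETER(RegistryPath);

    Driver->DriverUnload = &UnDriver;

    // IoFileObjectType does not advertise callback support; flip the flag in
    // the (undocumented) type object so ObRegisterCallbacks accepts it.
    EnableObType(*IoFileObjectType);

    // ObRegisterCallbacks runs MmVerifyCallbackFunction on the caller's
    // image. Setting the 0x20 bit in the loader entry's Flags by hand
    // bypasses that integrity check — this is precisely the tampering that
    // code-integrity and AV/EDR drivers look for; test VM only.
    ldr = (PLDR_DATA)Driver->DriverSection;
    if (ldr == NULL)                      // the original dereferenced it unchecked
        return STATUS_UNSUCCESSFUL;
    ldr->Flags |= 0x20;

    opRegFileCallBack.ObjectType = IoFileObjectType;
    opRegFileCallBack.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    opRegFileCallBack.PreOperation = (POB_PRE_OPERATION_CALLBACK)&FileObjectpreCall;

    obRegFileCallBack.Version = ObGetFilterVersion();
    obRegFileCallBack.OperationRegistrationCount = 1;
    obRegFileCallBack.RegistrationContext = NULL;
    RtlInitUnicodeString(&obRegFileCallBack.Altitude, L"321000");
    obRegFileCallBack.OperationRegistration = &opRegFileCallBack;

    status = ObRegisterCallbacks(&obRegFileCallBack, &obHandle);
    if (!NT_SUCCESS(status)) {
        DbgPrint("注册回调错误 \n");
        obHandle = NULL;                  // keep UnDriver's NULL guard meaningful
        status = STATUS_UNSUCCESSFUL;
    }
    return status;
}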

阻止某文件打开的方法——ObRegisterCallbacks 的 pre-operation 回调不能直接让创建失败，只能修改 DesiredAccess；把它清零后句柄仍会创建，只是不带任何访问权限:

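// Case-insensitive "does haystack contain needle" over counted strings.
// FILE_OBJECT.FileName is a UNICODE_STRING: it is not guaranteed to be
// NUL-terminated and it is owned by the I/O manager. The original
// wcsstr(_wcslwr(FileName.Buffer), ...) both read past Length and rewrote
// the file name in place, so the open proceeded with a lowercased path.
static BOOLEAN UnicodeStringContainsNoCase(PCUNICODE_STRING haystack, PCUNICODE_STRING needle) {
    USHORT hayChars = haystack->Length / sizeof(WCHAR);
    USHORT needleChars = needle->Length / sizeof(WCHAR);
    USHORT start, k;

    if (needleChars == 0 || needleChars > hayChars)
        return FALSE;
    for (start = 0; start + needleChars <= hayChars; start++) {
        for (k = 0; k < needleChars; k++) {
            if (RtlUpcaseUnicodeChar(haystack->Buffer[start + k]) != RtlUpcaseUnicodeChar(needle->Buffer[k]))
                break;
        }
        if (k == needleChars)
            return TRUE;
    }
    return FALSE;
}

// Pre-operation callback for IoFileObjectType handle create / duplicate.
// When the file name contains "xxx.txt" the requested DesiredAccess is
// cleared. A pre-operation callback cannot fail the request: the handle is
// still created, just with no access rights, so I/O through it fails.
// Always returns OB_PREOP_SUCCESS.
//
// NOTE(review): registering for file objects relies on EnableObType
// patching SupportsObjectCallbacks and is unsupported; MmIsAddressValid
// is a best-effort check only (the page can go away right after it).
OB_PREOP_CALLBACK_STATUS FileObjectpreCall(PVOID RegistrationContext,POB_PRE_OPERATION_INFORMATION OperationInformation){
    static const UNICODE_STRING blocked = RTL_CONSTANT_STRING(L"xxx.txt");
    // Names the original skipped as noise, compared case-insensitively
    // exactly like the _wcsicmp() calls they replace.
    static const UNICODE_STRING ignored[] = {
        RTL_CONSTANT_STRING(L"\\Endpoint"),
        RTL_CONSTANT_STRING(L"?"),
        RTL_CONSTANT_STRING(L"\\.\\."),
        RTL_CONSTANT_STRING(L"\\"),
    };
    PFILE_OBJECT file = (PFILE_OBJECT)OperationInformation->Object;
    SIZE_T i;
    UNREFERENCED_PARAMETER(RegistrationContext);

    if (OperationInformation->ObjectType != *IoFileObjectType)
        return OB_PREOP_SUCCESS;

    if (file == NULL
        || file->FileName.Buffer == NULL || file->FileName.Length == 0 || !MmIsAddressValid(file->FileName.Buffer)
        || file->DeviceObject == NULL || !MmIsAddressValid(file->DeviceObject))
        return OB_PREOP_SUCCESS;

    for (i = 0; i < RTL_NUMBER_OF(ignored); i++) {
        if (RtlEqualUnicodeString(&file->FileName, &ignored[i], TRUE))
            return OB_PREOP_SUCCESS;
    }

    if (UnicodeStringContainsNoCase(&file->FileName, &blocked)) {
        if (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE)
            OperationInformation->Parameters->CreateHandleInformation.DesiredAccess = 0;
        if (OperationInformation->Operation == OB_OPERATION_HANDLE_DUPLICATE)
            OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess = 0;
        DbgPrint("[已拦截 xxx 文件打开 \n");
    }
    return OB_PREOP_SUCCESS;
}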