From 4c8fef7d647eeeea5cc37db1e76d23e567621332 Mon Sep 17 00:00:00 2001
From: CPunch
Date: Fri, 8 Jul 2022 14:43:13 -0500
Subject: [PATCH] Use FreeLibrary(), not CloseHandle()

---
 bot/win/winobf.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/bot/win/winobf.c b/bot/win/winobf.c
index d553461..b5363e1 100644
--- a/bot/win/winobf.c
+++ b/bot/win/winobf.c
@@ -86,6 +86,13 @@ void *findByHash(LPCSTR module, uint32_t hash)
     if ((hLibrary = LoadLibraryA(module)) == NULL)
         return NULL;
 
+    /*
+        the rest of this function just does the same thing GetProcAddress() does, but using
+        our hash function to find the right function. this is also more obfuscated to the
+        REer, however they would probably immediately recognize what this function is doing
+        just from the LoadLibraryA() call.
+    */
+
     /* grab DOS headers & verify */
     pDOSHdr = (PIMAGE_DOS_HEADER)hLibrary;
     if (pDOSHdr->e_magic != IMAGE_DOS_SIGNATURE)
@@ -120,7 +127,7 @@ void *findByHash(LPCSTR module, uint32_t hash)
 _findByHashFail:
     /* function was not found, close the library handle since we don't need it anymore */
-    CloseHandle(hLibrary);
+    FreeLibrary(hLibrary);
 
     return NULL;
 }
@@ -131,6 +138,12 @@ _findByHashFail:
 _ShellExecuteA oShellExecuteA;
 _CreatePseudoConsole oCreatePseudoConsole;
 
+/* todo api:
+    ClosePseudoConsole
+    CreateProcessA
+    GetEnvironmentVariable
+*/
+
 void laikaO_init() {
     uint32_t hash;
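Review bot: The comment above the new `FreeLibrary(hLibrary);` line still says "close the library handle", which describes the old CloseHandle() call rather than what the fix corrects: an HMODULE returned by LoadLibraryA() is not a kernel object handle, so CloseHandle() on it fails with ERROR_INVALID_HANDLE (and raises under a debugger) and never released the load reference. I would reword it to `/* not found: drop the reference taken by LoadLibraryA(); an HMODULE is not a kernel handle, so CloseHandle() is wrong here */` so the next reader does not reintroduce the bug. findByHash starts before this hunk, so I cannot see whether the header-validation failures (the `e_magic` check in the first hunk and whatever follows it) jump to `_findByHashFail` or `return NULL` directly; if any of them return directly, the LoadLibraryA() reference leaks on that path and they should be routed through the label as well. The return value of FreeLibrary() is ignored, which is acceptable on a failure-only path but worth a word in the comment.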